An environment configured months ago, which until today was working flawlessly, ends with "failed" when discovery runs. The user (quest-svc) that was used in the discovered environment is a domain admin and is in the Protected Users group. When I take quest-svc out of the Protected Users group, discovery runs again. Given that quest-svc is a domain admin, it NEEDS to be a protected user. On a domain controller, I can see that the authentication attempt is made with NTLM (which contradicts Protected Users membership); it obviously fails, and right after that Kerberos authentication is tried instead. That Kerberos authentication succeeds.
The directory synchronization agent stores the service account credentials in its registry in encrypted form (RC4). During authentication they are decrypted and presented to the domain controller using NTLM first; only if that fails does the agent fall back to Kerberos.
At present the dirsync service account therefore cannot be a member of the Protected Users group (PUG). Protected Users membership blocks NTLM authentication for the account (it also disallows DES and RC4 keys in Kerberos pre-authentication), so the agent's first, NTLM-based attempt with the locally stored credential is rejected by the DC. The subsequent Kerberos attempt succeeds, which is why the failed NTLM attempt followed by a successful Kerberos authentication appears in the DC's security log.
Make sure the service accounts are not members of Protected Users. This applies to the current domain service account as well as to the account used for the source-domain SIDHistory migration.
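The following PowerShell script is an added example, not code from the product or from the original article. It checks whether the dirsync service accounts are members of Protected Users, optionally removes them, and lists the DC's recent NTLM credential-validation (4776) and Kerberos TGT (4768) events for those accounts so the failed-NTLM-then-Kerberos pattern described in the symptom can be confirmed. It assumes the RSAT ActiveDirectory module, rights to modify Protected Users and to read the DC's Security log, and that `quest-svc` (from the symptom description) and `sidhist-svc` (an assumed name for the source SIDHistory migration account) are the accounts of interest.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not Quest's code). Verifies and, with -Remove, fixes the
  Protected Users membership of the dirsync service accounts, then shows the
  DC's authentication events for them.
  Assumed names: 'quest-svc' comes from the symptom description;
  'sidhist-svc' is a placeholder for the source SIDHistory migration account.
#>
param(
    [string[]]$ServiceAccounts = @('quest-svc', 'sidhist-svc'),
    [switch]$Remove,
    # DC whose Security log is queried; defaults to the PDC emulator.
    [string]$DomainController = (Get-ADDomain).PDCEmulator,
    [int]$LookbackHours = 24
)

$pug = Get-ADGroup -Identity 'Protected Users'

foreach ($name in $ServiceAccounts) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties MemberOf
    if (-not $user) {
        Write-Warning "Account '$name' not found in the domain; skipping."
        continue
    }

    # Protected Users is a global group, so direct membership is what matters.
    $isMember = $user.MemberOf -contains $pug.DistinguishedName
    [pscustomobject]@{
        Account        = $user.SamAccountName
        ProtectedUser  = $isMember
    } | Format-Table -AutoSize

    if ($isMember -and $Remove) {
        # Remove-ADGroupMember prompts for confirmation by default (ConfirmImpact High).
        Remove-ADGroupMember -Identity $pug -Members $user
        Write-Host "Removed '$name' from Protected Users. Re-run discovery to verify."
    }
    elseif ($isMember) {
        Write-Warning "'$name' is in Protected Users; NTLM logons for it will be refused by the DC. Re-run with -Remove to fix."
    }

    # Pull the DC's recent events for this account:
    #   4776 = NTLM credential validation (Error Code 0x0 means success)
    #   4768 = Kerberos TGT request
    $filter = @{
        LogName   = 'Security'
        Id        = 4776, 4768
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "(Logon Account|Account Name):\s+$([regex]::Escape($name))\b" }

    if (-not $events) {
        Write-Host "No 4776/4768 events for '$name' on $DomainController in the last $LookbackHours h."
        continue
    }

    $events |
        Sort-Object TimeCreated |
        ForEach-Object {
            $errorCode = if ($_.Message -match 'Error Code:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Protocol  = if ($_.Id -eq 4776) { 'NTLM' } else { 'Kerberos' }
                ErrorCode = $errorCode
            }
        } | Format-Table -AutoSize
}
```

Run it read-only first (`.\Check-DirsyncPug.ps1`) to confirm the membership and to see the NTLM 4776 entry with a non-zero Error Code immediately followed by the Kerberos 4768 entry; then run it with `-Remove` and re-run discovery. Keep in mind that taking the account out of Protected Users removes the NTLM and RC4 restrictions that group enforces, so the account should be compensated for with a strong, regularly rotated password and tight membership in any other privileged groups.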