The procedure below was tested using Windows Server 2012 R2 Datacenter and SSO 8.4.0.

When upgrading SSO, you must run the adaminstall.cmd script as the same user that originally installed the database. The users that have sufficient access rights to run adaminstall.cmd are listed in LDAP at CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241},CN=Roles,CN=Administrators.

If those usernames are not known or not accessible, you need to change the ownership to a new user. Running adaminstall.cmd as a user that is not an ADLDS administrator results in errors like:

...

dsquery partition -s localhost:389 

C:\>dsquery partition -s localhost:389
"CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}"
"CN=Schema,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}"
"CN=Ubilogin,DC=juha-3"


Alternatively, you can connect to the LDAP database with, for example, ADSI Edit, using the ubilogin webapp credentials from jndi.properties. Using the above details as an example, you would set the connection point to CN=Ubilogin,DC=juha-3 and use the credentials from \Ubisecure\ubilogin-sso\tomcat\webapps\ubilogin\WEB-INF\jndi.properties. The attribute named objectCategory contains a value like CN=Container,CN=Schema,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}.

3. Take ownership and grant yourself full access to the partition and its subtree so that you can read and edit the ADLDS Administrators group. Once you have read / edit rights to the configuration partition, you can view the current ADLDS administrator accounts and add new Windows accounts as ADLDS administrators. Fill in <Domain>\<User> below as per your environment.

...
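
To check who holds the ADLDS Administrators role once you can read the configuration partition, the following added example (not part of the original procedure) lists the group's members and resolves Windows SIDs to account names. It assumes the ActiveDirectory PowerShell module is installed, that the instance listens on localhost:389 as in the dsquery example, and that the group is located at CN=Administrators,CN=Roles under the configuration partition.

```powershell
# Added example: list who currently holds the ADLDS Administrators role.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the
# instance listens on localhost:389, as in the dsquery example above.
Import-Module ActiveDirectory

$server = 'localhost:389'

# Read the configuration partition DN from the RootDSE rather than
# hard-coding the instance GUID.
$configNc = (Get-ADRootDSE -Server $server).configurationNamingContext

# Assumed location of the administrators group inside that partition.
$adminsDn = "CN=Administrators,CN=Roles,$configNc"

$group = Get-ADObject -Server $server -Identity $adminsDn -Properties member

foreach ($memberDn in $group.member) {
    # Windows accounts are referenced by SID; extract it from the member DN.
    if ($memberDn -match 'S-1-[0-9-]+') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[0])
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted or unreachable accounts leave an unresolvable SID behind.
            $account = '(SID could not be resolved)'
        }
        [pscustomobject]@{ Member = $account; Sid = $sid.Value; DN = $memberDn }
    } else {
        # Member is an object stored inside the ADLDS instance itself.
        [pscustomobject]@{ Member = $memberDn; Sid = $null; DN = $memberDn }
    }
}
```

Run it before and after the change to confirm that only the intended accounts were added; entries whose SID cannot be resolved are candidates for cleanup.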