Adaminstall.cmd fails with INSUFF_ACCESS_RIGHTS error.
Below procedure was tested using Windows Server 2012 R2 Datacenter and SSO 8.4.0
When upgrading SSO you must run adaminstall.cmd script with same user as originally installed the database. The users that have sufficient access rights for running adaminstall.cmd are listed in LDAP CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241},CN=Roles,CN=Administrators.
If those usernames are not known or not accessible you need to change the ownership to a new user. Running adaminstall.cmd with user that is not ADLDS administrator would result in errors like:
Importing directory from file "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\.\schema\adam.applicationProcess.schema"
Loading entries.
Add error on entry starting on line 9: Insufficient Rights
The server side error is: 0x5 Access is denied.
The extended server error is:
00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Follow the steps below to find out which windows username is currently ADLDS administrator. You can also change ADLDS administrator account to a different windows account if using existing ADLDS administrator account is not possible or you want to change ADLDS Administrator account.
1. List instances you have present in the LDAP server and the ports they are using
c:\dsdbutil dsdbutil:list instances Instance Name: UbiloginDirectory Long Name: UbiloginDirectory LDAP Port: 389 SSL Port: 636 Install folder: C:\Windows\ Database file: C:\Program Files\Microsoft ADAM\UbiloginDirectory\data\adamntds.dit Log folder: C:\Program Files\Microsoft ADAM\UbiloginDirectory\data Service state: Running
2. Find out the configuration partition name using the port number 389 found in previous step. Configuration partition "CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}" is listed first in the example below.
dsquery partition -s localhost:389
C:\>dsquery partition -s localhost:389
"CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}"
"CN=Schema,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}"
"CN=Ubilogin,DC=juha-3"
Alternatively you can connect to the LDAP database with ex. ADSI edit using ubilogin webapp credentials from jndi.properties. Using the above details as example you would set connection point to
CN=Ubilogin,DC=juha-3 and use credentials from \Ubisecure\ubilogin-sso\tomcat\webapps\ubilogin\WEB-INF\jndi.properties. Attribute named objectCategory contains info like CN=Container,CN=Schema,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}.
3. Take ownership and set full access for yourself for the partition and its sub tree to be able to read and edit ADLDS Administrators group. When you have read / edit rights to configuration partition you can view current ADLDS administrator accounts and add new windows accounts to be ADLDS administrators. FIll in below <Domain>\<User> as per your environment.
dsacls \\localhost:389\CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241} /takeownership
dsacls \\localhost:389\CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241} /I:T /G <Domain>\<User>:GA
4. Use adsi edit to view username present in ADLDS Administrators group. You can use this user to run adaminstall.cmd. If using current admin is not possible or you want to start using different administrator name add your windows username to CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241},CN=Roles,CN=Administrators → Member → Add Windows Account...
adsiedit.msc
