Error Saving Identity Service Configuration
When configuring third-party identity services (e.g. Duo, Okta, Verify, PingID, Symantec VIP), you may encounter an error after saving the configuration in the Identity Services section of the Specops Authentication Admin Web:
That shouldn’t happen
Something went wrong, an unexpected error occurred on your organization’s server.
If you check the Specops event log under Applications and Services in the Windows Event Viewer, you will also find the following error:
Log Name: Specops
Source: Authentication Gatekeeper (Specops)
Event ID: 2005
Level: Error
Keywords: Classic
User: N/A
Description:
An error occurred during invocation of Specops.Authentication.CommunicationBackendToGatekeeper.ISystemDataController.Save.
Specops.ActiveDirectory.SpecopsAccessDeniedActiveDirectoryException: 'An Active Directory operation (ModifyRequest) on 'CN=SystemData,CN=SpecopsAuthentication,CN=Specops,CN=System,DC=contoso,DC=local' running as user 'CONTOSO\SGkSRV1$' against domain controller 'DC1.contoso.local' failed (50): '00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ' 00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 '
This can occur because of incorrect permissions on the SystemData container in your Active Directory. To correct this:
- Launch Active Directory Users and Computers as a user with domain admin permissions
- Select the View menu and ensure Advanced Features is checked
- Navigate to the SystemData container in the path specified in the event log message (domain/System/Specops/SpecopsAuthentication/SystemData)
- Right-click SystemData and select Properties
- Go to the Security tab and click Advanced
- Click Disable inheritance and then remove all inherited permissions
- The permissions entries should now be blank. Add three new entries, granting each full control of this object and all descendant objects
  - Domain Admins
  - Specops Authentication Gatekeepers
- Press Apply/OK to save. You should now be able to save the identity services configurations in the Admin Web.
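
To confirm the result of the steps above without reopening the dialog, the following read-only PowerShell check can be run as a domain admin. It is an added example, not part of the original article or Specops tooling. It assumes the ActiveDirectory module (RSAT) is installed and uses the sample domain `contoso.local` / `CONTOSO` from the event log message, which you must replace with your own.

```powershell
# Added example: read-only verification of the SystemData container ACL.
# Requires the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# DN as shown in the event log message; replace the DC= parts with your domain.
$dn = 'CN=SystemData,CN=SpecopsAuthentication,CN=Specops,CN=System,DC=contoso,DC=local'

# Groups named in the steps above, in DOMAIN\Name form.
# CONTOSO is the sample NetBIOS domain name from the event log (assumption).
$expected = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Specops Authentication Gatekeepers'
)

$acl = Get-Acl -Path "AD:\$dn"

# True once "Disable inheritance" has been applied to the container.
"Inheritance disabled: $($acl.AreAccessRulesProtected)"

# Any inherited entry still present means the inherited permissions were not removed.
$inherited = @($acl.Access | Where-Object { $_.IsInherited })
"Inherited entries remaining: $($inherited.Count)"

# Full control appears as GenericAll; "this object and all descendant
# objects" appears as InheritanceType All.
foreach ($name in $expected) {
    $match = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $name -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.InheritanceType -eq 'All'
    })
    if ($match.Count -gt 0) {
        "OK       $name has full control on the object and all descendants"
    } else {
        "MISSING  $name has no matching full control entry"
    }
}

# Print every entry so anything beyond the intended ones is visible for review.
$acl.Access |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited -AutoSize
```

The script only reads the ACL, so it can be rerun after any later change to the container to confirm the entries are still in place.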