2 Deploying the Connector

Deploying the connector involves the following steps:

• Step 1: Verifying Deployment Requirements

• Step 2: Configuring the Target System

• Step 3: Copying the Connector Files and External Code Files

• Step 4: Configuring the Oracle Identity Manager Server

• Step 5: Importing the Connector XML Files

• Step 6: Configuring SSL

Step 1: Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item	Requirement
Oracle Identity Manager	Oracle Identity Manager release 8.5.3 or later
Target systems	Microsoft Active Directory Server (Microsoft Windows 2000, 2003)
Target system host platforms	The target system host platform can be any one of the following: Microsoft Windows 2000 with Service Pack 4 Microsoft Windows 2003
Other software	Certificate Services
External code	JNDI LDAP Booster package (ldapsdk-4.1.jar)
Target system user account	Microsoft Windows 2000/2003 Server (Domain Controller) administrator You provide the credentials of this user account while performing the procedure in the "Defining IT Resources" section. If the specified user account is not used, then an authentication error message is displayed.

Step 2: Configuring the Target System

Configuring the target system involves performing the following procedures:

• Ensuring That the Parent Organization Exists in Microsoft Active Directory

• Enabling or Disabling Password Policies on Microsoft Active Directory

Ensuring That the Parent Organization Exists in Microsoft Active Directory

You must ensure that the parent organization exists in the target server installation. The parent organization is specified as the value of the Root Context parameter in the IT resource definition. Refer to the "Defining IT Resources" section for more information about this parameter.

Enabling or Disabling Password Policies on Microsoft Active Directory

On Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies. You can choose whether or not you want to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory.

Note:

The procedure to configure SSL is discussed later in this guide.

The procedure that you must perform depends on whether or not you configure SSL and enforce password policies.

If you do not configure SSL and try to provision a Microsoft Active Directory user through Oracle Identity Manager, then the user's password cannot be updated by using Oracle Identity Manager. Therefore, if the communication is not secured by SSL, then you must disable any existing password policies in Microsoft Active Directory. This is achieved by disabling the "Passwords must meet complexity requirements" policy setting.

If you configure SSL and you want to enforce both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.

To enable or disable the "Passwords must meet complexity requirements" policy setting:

1. On the Microsoft Windows computer hosting the Active Directory domain controller on which you are installing the password synchronization module, start the Domain Security Policy application.

   To do this, on the Microsoft Windows computer, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.

2. If you are using Microsoft Active Directory 2003, then directly proceed to the next step.

   If you are using Microsoft Active Directory 2000, then select Window Settings on the left pane of the Domain Security Policy application window and then proceed to the next step.

3. Select Security Settings, expand Account Policies, and then click Password Policy.

4. Double-click Passwords must meet complexity requirements.

5. In the Password Must Meet Complexity Requirements Properties dialog box, select Define this policy setting and then select:

   • Enabled, if you want to enable password policies

   • Disable, if you do not want to enable password policies

6. Click OK.

Step 3: Copying the Connector Files and External Code Files

The connector files to be copied and the directories to which you must copy them are given in the following table.

Note:

The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:

Directory Servers/Microsoft Active Directory/Microsoft Active Directory Base

Refer to the "Files and Directories That Comprise the Connector" section for more information about these files.

File in the Installation Media Directory	Destination Directory
lib/xliActiveDirectory.jar	OIM_home/xellerate/JavaTasks
Files in the resources directory	OIM_home/xellerate/connectorResources
Files in the scripts directory	OIM_home/xellerate/scripts After you copy the install.bat (or install.sh) file, use a text editor to open the file and specify the actual location of the JDK directory in the file.
Directories and files in the test directory	OIM_home/xellerate/test
Files in the xml directory	OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml

To copy the ldapbp.jar and ldapsdk-4.1.jar files into the required directory:

1. Log on the Sun Web site at

   http://java.sun.com/products/jndi/downloads/index.html

2. Click the Download JNDI 1.2.1 & More button.

3. From the table on the page that is displayed, select and download the file containing the ldapbp.jar and ldapsdk-4.1.jar files.

4. Copy the ldapbp.jar and ldapsdk-4.1.jar files into the OIM_home/xellerate/JavaTasks directory on the Oracle Identity Manager server.

Note:

While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

Step 4: Configuring the Oracle Identity Manager Server

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

Configuring the Oracle Identity Manager server involves performing the following procedures:

Note:

In a clustered environment, you must perform this step on each node of the cluster.

• Changing to the Required Input Locale

• Clearing Content Related to Connector Resource Bundles from the Server Cache

• Enabling Logging

Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

Clearing Content Related to Connector Resource Bundles from the Server Cache

While performing the instructions described in the "Step 3: Copying the Connector Files and External Code Files" section, you copy files from the resources directory on the installation media into the OIM_home/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, change to the OIM_home/xellerate/bin directory.

   Note:

   You must perform Step 1 before you perform Step 2. If you run the command described in Step 2 as follows, then an exception is thrown:

   OIM_home/xellerate/bin/batch_file_name
   

2. Enter one of the following commands:

   • On Microsoft Windows:

     PurgeCache.bat ConnectorResourceBundle
     
     

   • On UNIX:

     PurgeCache.sh ConnectorResourceBundle
     

   Note:

   You can ignore the exception that is thrown when you perform Step 2.

   In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

   OIM_home/xellerate/config/xlConfig.xml
   

Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• ALL

  This level enables logging for all events.

• DEBUG

  This level enables logging of information about fine-grained events that are useful for debugging.

• INFO

  This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.

• WARN

  This level enables logging of information about potentially harmful situations.

• ERROR

  This level enables logging of information about error events that may still allow the application to continue running.

• FATAL

  This level enables logging of information about very severe error events that could cause the application to stop functioning.

• OFF

  This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

• BEA WebLogic

  To enable logging:

  1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

     log4j.logger.XELLERATE=log_level
     log4j.logger.XL_INTG.ACTIVEDIRECTORY=log_level
     
     

  2. In these lines, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.XELLERATE=INFO
     log4j.logger.XL_INTG.ACTIVEDIRECTORY=INFO
     
     

  After you enable logging, the log information is written to the following file:

  WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
  
  

• IBM WebSphere

  To enable logging:

  1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

     log4j.logger.XELLERATE=log_level
     log4j.logger.XL_INTG.ACTIVEDIRECTORY=log_level
     
     

  2. In these lines, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.XELLERATE=INFO
     log4j.logger.XL_INTG.ACTIVEDIRECTORY=INFO
     
     

  After you enable logging, the log information is written to the following file:

  WebSphere_home/AppServer/logs/server_name/startServer.log
  
  

• JBoss Application Server

  To enable logging:

  1. In the JBoss_home/server/default/conf/log4j.xml file, locate or add the following lines:

     <category name="XELLERATE">
        <priority value="log_level"/>
     </category>
     
     

     <category name="XL_INTG.ACTIVEDIRECTORY">
        <priority value="log_level"/>
     </category>
     
     

  2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

     <category name="XELLERATE">
        <priority value="INFO"/>
     </category>
     
     

     <category name="XL_INTG.ACTIVEDIRECTORY">
        <priority value="INFO"/>
     </category>
     
     

  After you enable logging, the log information is written to the following file:

  JBoss_home/server/default/log/server.log
  
  

• OC4J

  To enable logging:

  1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

     log4j.logger.XELLERATE=log_level
     log4j.logger.XL_INTG.ACTIVEDIRECTORY=log_level
     
     

  2. In these lines, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.XELLERATE=INFO
     log4j.logger.XL_INTG.ACTIVEDIRECTORY=INFO
     
     

  After you enable logging, the log information is written to the following file:

  OC4J_home/opmn/logs/default_group~home~default_group~1.log
  

Step 5: Importing the Connector XML Files

As mentioned in the "Files and Directories That Comprise the Connector" section, the connector XML files contains definitions of the components of the connector. By importing the connector XML files, you create these components in Oracle Identity Manager.

To import the connector XML files into Oracle Identity Manager:

1. Open the Oracle Identity Manager Administrative and User Console.

2. Click the Deployment Management link on the left navigation bar.

3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

4. Locate and open the xliADResourceObject.xml file, which is in the OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml directory. Details of this XML file are shown on the File Preview page.

5. Click Add File. The Substitutions page is displayed.

6. Click Next. The Confirmation page is displayed.

7. Click Next. The Provide IT Resource Instance Data page for the AD Server IT resource is displayed.

8. Specify values for the parameters of the AD Server IT resource. Depending on whether the operating system is Microsoft Windows 2000 or Microsoft Windows 2003, refer to the appropriate table in the "Defining IT Resources" section for information about the values to be specified.

9. Click Next. The Provide IT Resource Instance Data page for a new instance of the AD Server IT resource type is displayed.

10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.

11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.

12. Click Import. The connector file is imported into Oracle Identity Manager.

After you import the connector XML file, proceed to the "Step 6: Configuring SSL" section.

Defining IT Resources

This section provides IT resource parameter values for the following operating systems:

• Microsoft Windows 2000

• Microsoft Windows 2003

Microsoft Windows 2000

The following table provides values for the parameters of the AD Server IT resource, for Microsoft Windows 2000.

Parameter	Description
Admin FQDN	Fully qualified domain name corresponding to the administrator Format: cn=ADMIN_LOGIN,cn=Users,dc=DOMAIN Sample value: cn=administrator,cn=Users,dc=adomain
Admin Login	User ID of the administrator account that is used to create the OU/user
Admin Password	Password of the administrator account that is used to create the OU/user
Root Context	This is the fully qualified domain name of the parent or root organization. For example, the root suffix. Format: ou=ORGANIZATION_NAME,dc=DOMAIN Sample value: ou=Adapters, dc=adomain
Server Address	Host name or IP address of the target Microsoft Windows 2000 computer on which Microsoft Active Directory is installed Sample value: w2khost
Last Modified Time Stamp	Date and time at which the last AD User reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs the AD User reconciliation. Default value: 0
Last Modified Time Stamp Group	Date and time at which the last AD Group reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs AD Group reconciliation. Default value: 0
Use SSL	Specifies whether or not to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory Default value: true See Also: The Known Issues list in Chapter 5 for information about a limitation arising from setting this parameter to false. Note: It is recommended that you enable SSL to secure communication with the target system.
SSL Port Number	Port at which SSL is running on the Microsoft Active Directory server Default value: 636
AtMap ADUser	Attribute map name for the Microsoft Active Directory user Default value: AtMap.AD
AtMap Group	Attribute map name for the Microsoft Active Directory group Default value: AtMap.ADGroup
Target Locale: Country	Country code Default value: US Note: You must specify the value in uppercase.
Target Locale: Language	Language code Default value: en Note: You must specify the value in lowercase.
CustomizedReconQuery	Specify the LDAP query that you want to use to customize reconciliation. The reconciliation engine uses this LDAP query to filter the records that must be fetched from the target system. Sample value: memberOf=cn=AcmeAdmin,cn=Users,dc=GLOBAL,dc=com Note: You can use this value in conjunction with the GroupObject attribute defined in the "User Reconciliation Scheduled Task" section.
ADDisableAttr Lookup Definition	Specify the name of the lookup table that lists the nonmandatory user attributes defined in Microsoft Active Directory. This attribute is used in conjunction with the Use Disable Attr parameter. Note: Nonmandatory attributes of Microsoft Active Directory can accept NULL values during provisioning. You must manually create the lookup definition containing the nonmandatory attributes of Microsoft Active Directory. For each attribute that you add to this lookup definition, you must ensure that both the code key and decode key values are set to the name of the attribute. Refer to Oracle Identity Manager Design Console Guide for information about creating the lookup definition.
Use Disable Attr	Specifies whether or not nonmandatory attributes defined in Microsoft Active Directory must be set to NULL when a user is disabled through a provisioning operation. The value of this parameter can be True or False. The default value is False. Note: You can use this parameter only if you specify a value for the ADDisableAttr Lookup Definition parameter.
AD Sync installed (yes/no)	If you are going to install and use the Microsoft Active Directory Password Synchronization module, then specify yes as the value of this parameter. Otherwise, specify no. The default value is no.
OIM User UDF	Specify the name of the user-defined field that you create in Oracle Identity Manager. You must specify a value for this parameter only if you specify yes as the value of the AD Sync installed (yes/no) parameter. Note: You must specify the column name and not the field label that you enter while adding the custom attribute in Oracle Identity Manager. For example, if you enter the label PWDCHANGEDINDICATION, then the column name that you must specify is USR_UDF_PWDCHANGEDINDICATION. Oracle Identity Manager adds the USR_UDF_ prefix while creating a column.
Custom Attribute Name	Specify the name of the custom attribute that you create in Microsoft Active Directory. You must specify a value for this parameter only if you specify yes as the value of the AD Sync installed (yes/no) parameter.

After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.

Microsoft Windows 2003

The following table provides values for the parameters of the AD Server IT resource, for Microsoft Windows 2003.

Parameter	Description
Admin FQDN	Fully qualified domain name corresponding to the administrator Format: ADMIN_LOGIN@DOMAIN Sample value: administrator@adomain.com
Admin Login	User ID of the administrator account that is used to create the OU/user
Admin Password	Password of the administrator account that is used to create the OU/user
Root Context	Usually, this is the fully qualified domain name of the parent or root organization. For example, the root suffix. Format: ou=ORGANIZATION_NAME,dc=DOMAIN Sample value: ou=Adapters,dc=adomain,dc=com
Server Address	Host name or IP address of the target Microsoft Windows 2000 computer on which Microsoft Active Directory is installed Sample value: w2003host
Last Modified Time Stamp	Date and time at which the last AD User reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs the AD User reconciliation. Default value: 0
Last Modified Time Stamp Group	Date and time at which the last AD Group reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs AD Group reconciliation. Default value: 0
Use SSL	Specifies whether or not to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory Default value: true See Also: The Known Issues list in Chapter 5 for information about a limitation arising from setting this parameter to false. Note: It is recommended that you enable SSL to secure communication with the target system.
SSL Port Number	Port at which SSL is running on the Microsoft Active Directory server Default value: 636
AtMap ADUser	Attribute map name for the Microsoft Active Directory user Default value: AtMap.AD
AtMap Group	Attribute map name for the Microsoft Active Directory group Default value: AtMap.ADGroup
Country	Country code Default value: US Note: You must specify the value in uppercase.
Language	Language code Default value: en Note: You must specify the value in lowercase.
CustomizedReconQuery	Specify the LDAP query that you want to use to customize reconciliation. The reconciliation engine uses this LDAP query to filter the records that must be fetched from the target system. Sample value: memberOf=cn=AcmeAdmin,cn=Users,dc=GLOBAL,dc=com Note: You can use this value in conjunction with the GroupObject attribute defined in the "User Reconciliation Scheduled Task" section.
ADDisableAttr Lookup Definition	Specify the name of the lookup table that lists the nonmandatory user attributes defined in Microsoft Active Directory. This attribute is used in conjunction with the Use Disable Attr parameter. Note: Nonmandatory attributes of Microsoft Active Directory can accept NULL values during provisioning. You must manually create the lookup definition containing the nonmandatory attributes of Microsoft Active Directory. For each attribute that you add to this lookup definition, you must ensure that both the code key and decode key values are set to the name of the attribute. Refer to Oracle Identity Manager Design Console Guide for information about creating the lookup definition.
Use Disable Attr	Specifies whether or not nonmandatory attributes defined in Microsoft Active Directory must be set to NULL when a user is disabled through a provisioning operation. The value of this parameter can be True or False. Note: You can use this parameter only if you specify a value for the ADDisableAttr Lookup Definition parameter.
AD Sync installed (yes/no)	If you are going to install and use the Microsoft Active Directory Password Synchronization module, then specify yes as the value of this parameter. Otherwise, specify no. The default value is no.
OIM User UDF	Specify the name of the user-defined field that you create in Oracle Identity Manager. You must specify a value for this parameter only if you specify yes as the value of the AD Sync installed (yes/no) parameter. Note: You must specify the column name and not the field label that you enter while adding the custom attribute in Oracle Identity Manager. For example, if you enter the label PWDCHANGEDINDICATION, then the column name that you must specify is USR_UDF_PWDCHANGEDINDICATION. Oracle Identity Manager adds the USR_UDF_ prefix while creating a column.
Custom Attribute Name	Specify the name of the custom attribute that you create in Microsoft Active Directory. You must specify a value for this parameter only if you specify yes as the value of the AD Sync installed (yes/no) parameter.

After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.

Step 6: Configuring SSL

Note:

Although this is an optional step of the deployment procedure, it is recommended that you configure SSL communication between Microsoft Active Directory and Oracle Identity Manager.

To configure SSL connectivity between Oracle Identity Manager and the target Microsoft Active Directory server, you must perform the following tasks:

1. Installing Certificate Services

2. Enabling LDAPS

3. Setting Up the Microsoft Active Directory Certificate As a Trusted Certificate

Installing Certificate Services

The connector requires Certificate Services to be running on the host computer. To install Certificate Services:

1. Insert the operating system installation media into the CD-ROM or DVD drive.

2. Click Start, Settings, and Control Panel.

3. Double-click Add/Remove Programs.

4. Click Add/Remove Windows Components.

5. Select Certificate Services.

6. Follow the instructions to start Certificate Services.

Enabling LDAPS

The target Microsoft Active Directory server must have LDAP over SSL (LDAPS) enabled. To enable LDAPS, generate a certificate as follows:

Note:

Use the Enterprise CA option when you perform the following steps.

1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.

2. Click the Group Policy tab.

3. Select Default Domain Policy.

4. Click Edit.

5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.

7. Use the wizard to add a policy with the Domain Controller template.

At the end of this procedure, the certificate is created and LDAP is enabled using SSL on port 636.

Setting Up the Microsoft Active Directory Certificate As a Trusted Certificate

If the Microsoft Active Directory certificate is not issued or certified by a certification authority (CA), then set it up as a trusted certificate. To do this, you first export the certificate and then import it into the keystore of the Oracle Identity Manager server as a trusted CA certificate.

Exporting the Microsoft Active Directory Certificate

To export the Microsoft Active Directory certificate:

1. Click Start, Programs, Administrative Tools, and Certification Authority.

2. Right-click the Certification Authority that you create, and then select Properties.

3. On the General tab, click View Certificate.

4. On the Details tab, click Copy To File.

5. Use the wizard to create a certificate (.cer) file using base-64 encoding.

Importing the Microsoft Active Directory Certificate

To import the Microsoft Active Directory certificate into the certificate store of the Oracle Identity Manager server:

Note:

In a clustered environment, you must perform this procedure on all the nodes of the cluster.

1. Copy the certificate to the Oracle Identity Manager server.

   If you use IBM WebSphere, then you must also copy the following files:

   • For a nonclustered configuration of IBM WebSphere:

     Copy the jsse.jar file into the WS_home/java/jre/lib/ext directory.

   • For a clustered configuration of IBM WebSphere:

     Copy the jnet.jar, jsse.jar, and jcert.jar files into the WS_home/java/jre/lib/ext directory.

   You can download these JAR files from the Sun Web site at

   http://java.sun.com/

2. Change to the directory where you copy the certificate file, and then enter a command similar to the following:

   keytool -import -alias alias  -file cer_file  -keystore my_cacerts -storepass password
   
   

   In this command:

   • alias is the alias for the certificate (for example, the server name)

   • cer_file is the full path and name of the certificate (.cer) file

   • my_cacerts is the full path and name of the certificate store (the default is cacerts)

     The path of the certificate store depends on the application server as shown in the following table.

     Application Server	Certificate Store Location
     JBoss Application Server	JBoss_home/jre/lib/security/cacerts
     BEA WebLogic	BEA_home/java/jre/lib/security/cacerts
     IBM WebSphere	For a nonclustered configuration of IBM WebSphere, you must import the files into the following certificate stores: WS_home/java/jre/lib/security/cacerts For a clustered configuration of IBM WebSphere, you must import the files into the following certificate stores on each node of the cluster: WS_home/java/jre/lib/security/cacerts WS_home/etc/DummyServerTrustFile.jks
     Oracle Containers for J2EE (OC4J)	OC4J_home/jdk/jre/lib/security/cacerts

     
     

   • password is the keystore password (the default is changeit)

   For example:

   keytool -import -alias thorADCert -file c:\thor\ActiveDir.cer -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
   
   

   Note:

   changeit is the default password for the cacerts file stored in the Sun JVM. This may change depending on the JVM that you are using.

3. In the command prompt window, when you are prompted to specify whether or not you want to trust this certificate, enter YES.

4. To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:

   keytool -list -alias alias -keystore mycacerts -storepass password
   
   

   In the example given in Step 2, to confirm that the certificate has been successfully imported, use the following command and look for the certificate name, thorADCert, that you provide while importing the certificate into the keystore:

   keytool -list -alias thorADCert -keystore 
   C:\mydir\java\jre\lib\security\cacerts -storepass changeit
   
   
   

5. Perform this step only if you are registering the certificate file in a new certificate store.

   Add the following line in the jre\lib\security\java.security file:

   security.provider.N=com.sun.net.ssl.internal.ssl.Provider
   
   

   In this line, N is any number that is not used in the file.

6. Restart the application server.

   Note:

   The user password cannot be set unless 128-bit SSL is used. In addition, the computer on which Microsoft Active Directory is installed must have Microsoft Windows 2000 Service Pack 2 (or later) or Microsoft Windows 2003 running on it.