Installation and Upgrade Guide


Upgrading AquaLogic Interaction Identity Service - Active Directory

Active Directory IDS 6.3 continues to use the GUID as the unique name for users and groups. This simplifies the migration process and does not require any database scripts.

No work is needed to upgrade from versions 5.0.2 or 6.x.x to version 6.3. After running the 6.3 installer, the virtual directory adaws will have been updated to point to the 6.3 directory. To uninstall the previous version, simply delete the physical directory associated with that installation. Do not delete the virtual directory adaws.

When you install version 6.3, a new Web.config is installed. If you have previously edited the sessionstate timeout value, you will need to edit it again.
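One way to carry a previously edited session timeout over to the Web.config that the 6.3 installer writes, as an added example that is not part of the product's own tooling. It assumes the value is the `timeout` attribute of the standard ASP.NET `sessionState` element; the function names and file paths are hypothetical, and the two sample files are constructed.

```powershell
# Added example: function names and file paths are hypothetical.
# Assumes the timeout is the standard ASP.NET <sessionState timeout="..."> attribute.
# local-name() is used so the lookup still works if <configuration> declares an xmlns.
$SessionStateXPath = "//*[local-name()='system.web']/*[local-name()='sessionState']"

function Get-SessionTimeout([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path $Path).ProviderPath)
    $node = $xml.SelectSingleNode($SessionStateXPath)
    if ($null -eq $node) { return $null }        # element absent: ASP.NET default applies
    return $node.GetAttribute('timeout')         # empty string if the attribute is absent
}

function Copy-SessionTimeout([string]$OldConfig, [string]$NewConfig) {
    $old = Get-SessionTimeout $OldConfig
    $new = Get-SessionTimeout $NewConfig
    # Nothing to carry over if the old file never set a value or both already match.
    if ([string]::IsNullOrEmpty($old) -or $old -eq $new) { return $false }

    $full = (Resolve-Path $NewConfig).ProviderPath
    Copy-Item $full "$full.bak"                  # keep the installer's copy
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true              # keep the file's layout on save
    $xml.Load($full)
    $node = $xml.SelectSingleNode($SessionStateXPath)
    if ($null -eq $node) { throw "No sessionState element in $full; edit it by hand." }
    $node.SetAttribute('timeout', $old)
    $xml.Save($full)
    return $true
}

# Constructed sample files so the example runs offline.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'adaws-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$oldFile = Join-Path $dir 'old.config'
$newFile = Join-Path $dir 'new.config'
'<configuration><system.web><sessionState mode="InProc" timeout="60" /></system.web></configuration>' |
    Set-Content $oldFile
'<configuration><system.web><sessionState mode="InProc" timeout="20" /></system.web></configuration>' |
    Set-Content $newFile

Copy-SessionTimeout $oldFile $newFile    # rewrites new.config and leaves new.config.bak
Get-SessionTimeout $newFile              # value now matches old.config
```

Run a check like this before deleting the previous installation's physical directory, since that directory holds the only copy of the old value.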



Upgrading the Active Directory AWS 1.0 or 5.0.1 Authentication Source to Active Directory IDS 6.3

  1. If you are going to install Active Directory IDS 6.3 on the same remote server as the previous version, remove the previous installation:
    1. Run the uninstall executable that came with the install.
    2. If the previous installation was version 1.0, you should delete the virtual directory ActiveDirectoryAWS. If the previous version was 5.0.1, the installation of 6.3 will have updated the virtual directory adaws to point to the 6.3 directory. Do not delete this virtual directory.
  2. Ensure that you have completed pre-installation steps. For details, see Completing Pre-Installation Steps.
  3. Install the 6.3 version as outlined in Installing AquaLogic Interaction Identity Service - Active Directory.
  4. Open the authentication source you have been using for Active Directory AWS 1.0 or 5.0.1. On the Remote Active Directory Agent Configuration page you must make these changes:
    1. Active Directory AWS 1.0 does not let you set the User Authentication Attribute. It uses distinguishedName. Active Directory AWS 5.0.1 does let you set this attribute, but defaults to distinguishedName. For 6.3, it is recommended you enter userPrincipalName. See product release notes for more information.
    2. Set the URL for authentication service to: http://<RemoteServer>/adaws/AuthProviderSoapBindingRpc.asmx.
    3. Set the URL for synchronization to: http://<RemoteServer>/adaws/SyncProviderSoapBindingRpc.asmx.
    4. You will also need to re-enter the authentication password. Each installation of the Active Directory IDS encrypts this password using a different key.
  5. Run the synchronization job associated with this authentication source.
Note: The first time you run the job, the job log will report that every user's name appears to have changed, because userPrincipalName is being used instead of distinguishedName for authentication. This attribute is changed for every user. However, the value is hidden from the user and is only used behind the scenes. Users should continue to log in with the same name they have been using. No users are deleted during this process.

Migrating Users from a Native Active Directory Authentication Source to a Remote Active Directory Authentication Source

For each native Active Directory authentication source in use in your portal, perform the following steps:

  1. Create a remote Active Directory authentication source to replace your native Active Directory authentication source:
    • Set the SOAP timeout to a high number of seconds, at least 540.
    • Set the Authentication Source Prefix to a temporary category/prefix that is not otherwise used in any other authentication source in the system.
    • Set all Active Directory LDAP parameters identically to the corresponding native Active Directory authentication source.
    • Set the synchronization settings to Full Synchronization.
  2. Run the remote authentication source. This should synchronize the same users and groups as the native authentication source. If your native authentication source uses partial synchronization, the remote authentication source may have additional users and groups. However, the native authentication source should never include users and groups that are not included in the remote authentication source.
  3. Make sure that you can log in to the portal as a user imported from the remote authentication source.
  4. Back up the portal database.
  5. Edit both upgrade SQL script templates (located in <install_dir>/ptadaws/6.3/usermigration/sql/<mssql or oracle>/) by inserting the appropriate object ID numbers on the lines “DEF oldid” and “DEF newid”.
  6. Run <install_dir>/ptadaws/6.3/usermigration/sql/<mssql or oracle>/adaws.sql against the portal database.
  7. If the script output indicates that there are native authentication source users or groups that are not in the remote authentication source, verify that the remote authentication source parameters are correct and identical to the native authentication source parameters. If they are not, correct the problems and run the remote authentication source job again. If they are correct and identical, either manually delete the excess users and groups from the native authentication source or run the native authentication source job to drop the excess users and groups.
  8. Run <install_dir>/ptadaws/6.3/usermigration/sql/<mssql or oracle>/adaws2.sql against the portal database.
  9. Make sure that you can log in to the portal with the original user account information.
  10. Verify that the authentication source prefix of the remote authentication source has been changed (by the scripts) from the temporary prefix to the same prefix as the native authentication source.
  11. Delete the temporary users and groups imported through the remote authentication source. These users and groups have the temporary prefix and are in the temporary category that was created when you first synchronized the remote authentication source.
  12. Delete the native authentication source from the portal.
