Oracle Waveset / Error When Provisioning To Exchange: "Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0" (Doc ID 1551904.1)

Last updated on OCTOBER 14, 2016

Applies to:

Oracle Waveset - Version 8.1.1.7 and later
Information in this document applies to any platform.

Goal

The goal of this knowledge article is to explain a very common problem seen in Oracle Waveset when attempting to provision to Exchange using the Connector/Connector Server.

The customer is seeing the following permissions error while attempting to provision a mailbox via the Oracle Waveset application.

When the customer runs the same PowerShell command (the one shown in the log below) directly in the PowerShell console, it creates the mailbox successfully. This proves that the command being issued from Oracle Waveset isn't the problem.

Here's the actual PowerShell command, pulled from the log excerpt below. It succeeds when run directly in the PowerShell console, but when executed from Oracle Waveset it results in the exception below regarding "insufficient access rights."

==========
Enable-Mailbox -Identity "cn=SRM95380 IDM95380 M,ou=DomainDODUsers,ou=UsersGroups,dc=accountslab,dc=rootlab,dc=lab" -Database "BLML4W12227\First Storage Group\Mailbox Database" -DomainController "BLMLABAD005.accountslab.rootlab.lab"
==========

4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> PowerShell Command: Enable-Mailbox
4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> Parameter: Identity Value:cn=SRM95380 IDM95380 M,ou=DomainDODUsers,ou=UsersGroups,dc=accountslab,dc=rootlab,dc=lab
4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> Parameter: Database Value:BLML4W12227\First Storage Group\Mailbox Database
4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> Parameter: DomainController Value:BLMLABAD005.accountslab.rootlab.lab
4/29/2013 4:06:57 PM : Class-> PowerShellExchangeServiceImpl Method -> Create, Message -> Error while creating UserMailbox for User cn=SRM95380 IDM95380 M,ou=DomainDODUsers,ou=UsersGroups,dc=accountslab,dc=rootlab,dc=lab. Message is Problem while PowerShell execution Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Active Directory operation failed on BLMLABAD005.accountslab.rootlab.lab. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

 at Org.IdentityConnectors.Exchange.RunSpaceInstance.CheckErrors(IList errors)
 at Org.IdentityConnectors.Exchange.RunSpaceInstance.InvokePipeline(Collection`1 commands)
 at Org.IdentityConnectors.Exchange.RunSpaceInstance.InvokePipeline(Command item)
 at Org.IdentityConnectors.Exchange.Service.Impl.PowerShellExchangeServiceImpl.InvokePipeline(Command cmd)

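As an added example (not part of the Oracle article or the connector's own code), the Python below rebuilds the command line from the `PowerShell Command:` / `Parameter:` trace lines shown above and splits the Active Directory response into its fields, so the exact command can be re-run by hand as described. Function names are hypothetical; the sample lines are taken from the log excerpt above, with the long error message line abridged.

```python
import re

# Sample input: lines from the article's log excerpt (error line abridged).
SAMPLE_LOG = r"""4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> PowerShell Command: Enable-Mailbox
4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> Parameter: Identity Value:cn=SRM95380 IDM95380 M,ou=DomainDODUsers,ou=UsersGroups,dc=accountslab,dc=rootlab,dc=lab
4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> Parameter: Database Value:BLML4W12227\First Storage Group\Mailbox Database
4/29/2013 4:06:55 PM : Class-> PowerShellExchangeServiceImpl, Method -> InvokePipeline, Message -> Parameter: DomainController Value:BLMLABAD005.accountslab.rootlab.lab
4/29/2013 4:06:57 PM : Class-> PowerShellExchangeServiceImpl Method -> Create, Message -> Error while creating UserMailbox for User ... Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""

MESSAGE = re.compile(r"Message -> (.*)$")
PARAM = re.compile(r"Parameter: (\S+) Value:(.*)$")
AD_RESPONSE = re.compile(
    r"Active directory response: (?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), problem (?P<problem>\d+) "
    r"\((?P<name>\w+)\), data (?P<data>-?\d+)")

def quote(value):
    """Double-quote a value for PowerShell, escaping backtick, $ and "."""
    return '"' + re.sub(r'([`$"])', r'`\1', value) + '"'

def parse_connector_log(text):
    """Return (commands, errors) found in a connector trace."""
    commands, errors, current = [], [], None
    for line in text.splitlines():
        ad = AD_RESPONSE.search(line)
        if ad:
            fields = ad.groupdict()
            # The first field is the Win32 error code in hex (0x2098 = 8344).
            fields["win32"] = int(fields["code"], 16)
            errors.append(fields)
            continue
        m = MESSAGE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("PowerShell Command: "):
            current = {"name": msg.split(": ", 1)[1].strip(), "params": []}
            commands.append(current)
        elif current is not None:
            p = PARAM.match(msg)
            if p:
                current["params"].append((p.group(1), p.group(2).strip()))
            else:
                current = None  # any other message ends the parameter list
    return commands, errors

def to_command_line(cmd):
    """Render a parsed command as a line that can be pasted into a console."""
    return " ".join([cmd["name"]] + [f"-{k} {quote(v)}" for k, v in cmd["params"]])
```
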
Finally, it is important to note that the customer is running the Connector Server on the same machine that hosts Exchange.

For the record, it's not required that the Connector Server be installed on the same physical machine as Exchange, but the two machines must be in the same domain, and the server where the Connector Server is installed must have the 'Exchange Management Tools' installed as well.

Please see the following related knowledge note for details on this point:


 

Solution
