KB40939 - "Server unwilling to perform" error occurs with option "Enable Attribute Update" in LDAP server instance

Information

Last Modified Date: 9/23/2017 3:24 AM

Synopsis
This article explains why the LDAP attribute "lastLogon", when used with the "Enable Attribute Update" option in an LDAP server instance, causes the error "Attribute setting failed", and how to resolve it.
 
Problem or Goal

When trying to update the lastLogon attribute for the user under Update Attribute at Active Directory Server on Successful User Login, the following error occurs:

Attribute setting failed for userDN (dn details go here) for attrribute lastLogon with error: Server is unwilling to perform.


Cause
This error can occur if the attribute being updated is controlled by the Local Security Authority in Active Directory. The attribute 'lastLogon' is one such attribute: it cannot be updated by the PCS device because it is controlled by the Local Security Authority.
Solution
There are many attributes controlled by the Local Security Authority in Active Directory that cannot be modified by the PCS device.

Follow the steps below to configure a custom attribute that can be used in place of the lastLogon time.
  1. In Active Directory, register the Schema snap-in by clicking Start > Run and typing regsvr32 schmmgmt.dll.
  2. Go to Start > Run, type MMC and press Enter.
  3. Go to File > Add/Remove Snap-in, click Add, select Active Directory Schema and click Add.
  4. Expand Active Directory Schema, right-click Attributes and select Create Attribute.
  5. The New Attribute form opens. For the Common Name and LDAP Display Name enter loginstring.
  6. Leave the Create New Attribute window open and follow the next steps to generate a unique x500 Object ID.
  7. Generate an object identifier with the OID generator script from Microsoft's Script Center.
  8. Copy the text in the Visual Basic section, paste it into a text file and save the file with .vbs as the file extension.
  9. Double-click the file to run the script. It generates a unique OID value on every run, so it can also be used when creating additional attributes in the future.
  10. Copy the Root OID string from the Object Generator and paste it into the loginstring properties panel as the x500 OID value. Click OK to save and close the loginstring properties panel.
  11. Expand the Classes section, right-click the user class and select Properties.
  12. In the dialog box, select the Attributes tab.
  13. Click Add, select the newly created attribute loginstring and click OK.
  14. Click Apply and then OK. If an error pops up it can be ignored.
  15. Open services.msc and restart Active Directory Domain Services.
  16. Open the Attribute Editor of the user account the attribute was created for and confirm that the newly created LDAP attribute is listed there.
  17. The attribute can now be used in the LDAP auth server on the PCS device. Add it under Update Attribute at Active Directory Server on Successful User Login.
  18. Verify the attribute is working by recording a user login with a Policy Trace. Confirm that a value for loginTime is being generated in the trace entry.
  19. The same can be verified in Active Directory in the user's login entry.
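The schema steps above, scripted with the ActiveDirectory PowerShell module as an added example that is not part of the KB. It assumes Schema Admins membership and a reachable schema master; the function names are my own, the OID construction is the one Microsoft's generator script uses, and the writability check reads the schema's systemOnly flag, which is what makes lastLogon unmodifiable over LDAP.

```powershell
Import-Module ActiveDirectory

function New-SchemaOid {
    # Same construction as Microsoft's OID generator script: a fresh GUID cut
    # into seven decimal arcs under the prefix Microsoft reserves for this use.
    $prefix = '1.2.840.113556.1.8000.2554'
    $g    = [guid]::NewGuid().ToString('N')          # 32 hex chars, no hyphens
    $cuts = @(0,4), @(4,4), @(8,4), @(12,4), @(16,4), @(20,6), @(26,6)
    $arcs = foreach ($c in $cuts) {
        [uint64]::Parse($g.Substring($c[0], $c[1]), 'AllowHexSpecifier')
    }
    return "$prefix.$($arcs -join '.')"
}

function Test-AttributeWritable {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # systemOnly attributes (lastLogon is one) are maintained by the DC itself;
    # an LDAP modify against them is refused, which is the error in this KB.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $a = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties systemOnly
    if (-not $a) { throw "attribute '$LdapDisplayName' is not in the schema" }
    return -not [bool]$a.systemOnly
}

function New-LoginStringAttribute {
    param([string]$Name = 'loginstring')
    $master   = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $master).schemaNamingContext
    # The Create Attribute dialog: 2.5.5.12 / oMSyntax 64 is a Unicode string
    New-ADObject -Server $master -Type attributeSchema -Name $Name -Path $schemaNC -OtherAttributes @{
        lDAPDisplayName = $Name
        attributeID     = (New-SchemaOid)
        attributeSyntax = '2.5.5.12'
        oMSyntax        = 64
        isSingleValued  = $true
        searchFlags     = 0
    }
    # The user class Properties > Attributes > Add step
    $userClass = Get-ADObject -Server $master -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)'
    Set-ADObject -Server $master -Identity $userClass -Add @{ mayContain = $Name }
    # Instead of restarting AD DS: ask the schema master to reload its schema cache
    $rootDse = [ADSI]"LDAP://$master/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# Confirm lastLogon is not writable, create the replacement, confirm that it is
Test-AttributeWritable -LdapDisplayName 'lastLogon'
New-LoginStringAttribute
Test-AttributeWritable -LdapDisplayName 'loginstring'
```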
Created By: Vignesh Ramanan