Sophos has released a hotfix for the issue described below which has been found in SafeGuard Enterprise 18.104.22.168 Management Center and SafeGuard Enterprise 22.214.171.124 Server. It is recommended that you apply this as soon as possible in order to prevent this issue from occurring.
IMPORTANT: Please note that if you do not apply the hotfix and the error occurs on your system, you will need to contact Sophos Technical Support for help in fixing this issue. The hotfix will not fix the error once it has occurred.
SafeGuard Enterprise Active Directory synchronization fails with the following error message:
The import failed. Additional Information: Error on RecrypteAEKForNewParent
The reason for the broken synchronization in this case is that Active Directory objects have been modified without a synchronization in between.
The objects were probably modified in the following way: an OU is moved to a new parent OU, the original parent OU is deleted, and the new parent OU is renamed, all before synchronising the AD with the SafeGuard Enterprise database. When a synchronization with the Active Directory is then run, SafeGuard Enterprise references invalid cache data and is therefore unable to determine the object's parent key value.
Sophos product and version
SafeGuard Enterprise 126.96.36.199 Management Center
SafeGuard Enterprise 188.8.131.52 Server
All supported versions
What to do
Install the available hotfix. This will prevent Synchronization/RecrypteAEKForNewParent issues arising.
You will need to implement the updated Utimaco.SafeGuard.DirectoryService.dll on all SafeGuard Enterprise Management Center computers and SafeGuard Enterprise Servers that are used to perform synchronization tasks with the Active Directory, whether manually within the Management Center or automated on the Server via API script.
To implement the fix:
- From the Sophos website download the file 110007KB.zip. Unzip it and extract the file Utimaco.SafeGuard.DirectoryService.dll
- Copy the file Utimaco.SafeGuard.DirectoryService.dll locally to the SafeGuard Enterprise Server / Management Center computer.
- Open the Microsoft Windows Global Assembly Cache (usual location is C:\Windows\Assembly)
- Use drag and drop to copy Utimaco.SafeGuard.DirectoryService.dll to C:\Windows\Assembly
Note that copying files to the Windows Global Assembly Cache does not give any visual feedback. There is also no context menu available. To make sure that the file has been copied to the assembly cache, check the ‘Last Modified’ property of Utimaco.SafeGuard.DirectoryService.dll; it should reflect the current date.
In the event that it is not possible to copy the hotfix directly to the Global Assembly Cache using drag and drop, you can use the Global Assembly Cache tool (Gacutil.exe), a developer tool provided by the .NET Framework SDK, to copy Utimaco.SafeGuard.DirectoryService.dll to C:\Windows\Assembly.
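One way to script the Gacutil.exe route and replace the ‘Last Modified’ check with a content comparison. This is an added example, not code supplied by Sophos. It assumes Windows PowerShell 4.0 or later, gacutil.exe on the PATH, and a hypothetical extraction folder C:\Temp\110007KB.

```powershell
# Added example (not Sophos code): install the hotfix DLL into the GAC and
# confirm that the copy in C:\Windows\Assembly is byte-identical to it.
# Assumptions: Windows PowerShell 4.0+, gacutil.exe on PATH, elevated prompt.
param(
    # Hypothetical location of the DLL extracted from 110007KB.zip
    [string]$HotfixDll = 'C:\Temp\110007KB\Utimaco.SafeGuard.DirectoryService.dll',
    [string]$GacRoot   = 'C:\Windows\Assembly',
    [switch]$Install   # omit to verify only
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $HotfixDll)) {
    throw "Hotfix file not found: $HotfixDll"
}

# Report the Authenticode state of the downloaded file before trusting it.
# Whether the vendor signed this DLL is not stated on the page, so this is
# informational only and does not block the install.
$sig = Get-AuthenticodeSignature -FilePath $HotfixDll
Write-Host ("Signature status of hotfix file: {0}" -f $sig.Status)

if ($Install) {
    & gacutil.exe /i $HotfixDll
    if ($LASTEXITCODE -ne 0) { throw "gacutil.exe failed with exit code $LASTEXITCODE" }
}

$expected = (Get-FileHash -LiteralPath $HotfixDll -Algorithm SHA256).Hash
$name     = Split-Path -Leaf $HotfixDll

# The GAC can hold several versions of one assembly side by side, so list
# every copy and show which of them matches the hotfix file.
$copies = Get-ChildItem -LiteralPath $GacRoot -Recurse -Filter $name -File -ErrorAction SilentlyContinue

if (-not $copies) {
    Write-Warning "No copy of $name found under $GacRoot"
    return
}

$copies | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        LastWriteTime = $_.LastWriteTime
        MatchesHotfix = ((Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq $expected)
    }
}
```

Run it on every Management Center computer and Server that performs synchronization; a row with `MatchesHotfix` set to `False` is a copy that was not replaced by the hotfix.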
If you have any questions regarding the hotfix or issues implementing it, please open a support request via firstname.lastname@example.org.
In the event that you have already experienced this issue, contact Sophos Technical Support who will provide you with a special tool and assist you in repairing the affected objects.