Use Keycloak as IAM

While trying to change a password in Keycloak, the following message appears:

  • In Keycloak: Could not modify attribute for DN [CN=xxxx,OU=Users,OU=xxxx,DC=xxxx,DC=xxxx,DC=com] (I replaced sensitive values with xxxx for security reasons)
  • In AD (Event Viewer): Password propagation is not done. Either default encryption key is configured or no UNIX hosts configured to propagate password

The bind username/password are from an admin account with full admin rights in AD.
The LDAP edit mode is set to ‘WRITABLE’. I’ve tried with Sync Registrations OFF and ON, both with the same result.
Does anyone know how to solve this?