Active Directory Connector - FAQ and Troubleshooting

This document lists the FAQs and troubleshooting points for the common errors encountered while setting up the Active Directory application/source, including IQService and the Password Interceptor.

The FAQs and troubleshooting points are grouped into two sections, Frequently Asked Questions and Troubleshooting. Within each section, items are marked as common to IdentityIQ and IdentityNow or as specific to one product.

Frequently Asked Questions

The FAQs are grouped by operation (Aggregation, Provisioning, Other) and by product. The only IdentityIQ-specific FAQ is "How do I aggregate the last logon timestamp in a readable format?" (under Other); all remaining FAQs are common to IdentityIQ and IdentityNow.

IdentityIQ/IdentityNow FAQ

Q: What is default filter used during account aggregation?

A: When no value is provided for Iterate Search Filter under Account Search Scope, the Active Directory Connector/Source uses the following default filter for account aggregation: (sAMAccountType=805306368). That value (0x30000000, SAM_NORMAL_USER_ACCOUNT) matches ordinary user accounts and excludes computer, trust and group objects.

Q: How do I retrieve accounts during aggregation from the base OU only?

A: Set searchScope according to the scope you need:

  • ONELEVEL_SCOPE: users and groups from the base OU only (excluding child OUs)
  • SUBTREE: users and groups from the whole OU tree (including child OUs)

Q: Can Active Directory Connector/Source be used only for reading data from Active Directory? Do I still require IQService?

A: The IQService is required only for the following:

  • Reading Terminal Services attributes for accounts from Active Directory
  • Reading Lync Attributes for accounts from Active Directory
  • All provisioning operations

If you are not looking for any of the above, you do not need IQService. In this case, leave the IQService Host and Port fields blank when defining the application. Specifying incorrect values for these fields will cause the test connection of the Connector/Source to fail.

Q: Which PowerShell cmdlets does the Active Directory Connector/Source use for Exchange (Mail Contact) and Skype related operations?

A: The Active Directory Connector/Source uses the following PowerShell cmdlets:

  • Exchange (Mail Contact): all provisioning operations are performed through IQService. Contacts are created using the ADSI APIs and are mail-enabled with the Enable-MailContact cmdlet when externalEmailAddress is provided in the plan.
    The other cmdlets used for contacts (run remotely on the Exchange server itself over WinRM) are:
    • Get-MailContact
    • Disable-MailContact
    • Set-MailContact
  • Skype related operations: the following Skype cmdlets run locally on the IQService machine, which therefore needs the Skype for Business administrative tools installed:
    • Get-CsUser
    • Get-CsClientPinInfo
    • Set-CsUser
    • Move-CsUser
    • Enable-CsUser
    • Disable-CsUser
    • Set-CsClientPin
    • Lock-CsClientPin
    • Unlock-CsClientPin
    • Grant-Cs<PolicyType>
    • Remove-Cs<PolicyType>

NOTE: For IdentityNow, the source user used for Exchange Server provisioning must be remote shell enabled. To enable remote shell for a user, set the RemotePowerShellEnabled parameter to $True with the Set-User cmdlet, for example: Set-User UserName -RemotePowerShellEnabled $True

Q: How do I change a user object's common name or organizational unit?

A: The following attributes can be passed in an update provisioning plan to rename or move a user object in the directory:

  • AC_NewName: String attribute to rename the user. For example, CN=abc
  • AC_NewParent: String attribute to move the user to new OU. For example, OU=xyz,DC=pqr,DC=com

For more information on this and other special provisioning (like remote desktop services) attributes see: AD Provisioning Tidbits

NOTE: javax.naming.ldap.Rdn.escapeValue() can be used to escape cn or distinguishedName values that contain commas or other characters with special meaning in an RDN.

Q: How do we force a password change at next login (or prevent one)?

A: The provisioning field for pwdLastSet in Active Directory has a friendly name of "Change password at next logon" in the default provisioning policy for account creation.

For more detail on how pwdLastSet works with IQService and IdentityIQ/IdentityNow, see: Using pwdLastSet with IQService.

Q: Can we set extra Exchange attributes in a create or update provisioning operation?

A: Extra Exchange attributes can be added to the Active Directory provisioning policies and are passed through to the Exchange cmdlets:

  1. Add the additional attributes to the Application Schema with the prefix "Exch_".
  2. The "Exch_" prefix marks them as additional attributes to be passed as parameters to the Exchange cmdlets rather than written to the directory.
  3. See the "Exch_AcceptMessagesOnlyFromDLMembers" attribute in the following ProvisioningPlan example:
    <ProvisioningPlan>
      <AccountRequest application="ADRW2" op="Create" nativeIdentity="CN=testMailbox,OU=NewOU,DC=exch2007dc,DC=local" type="entitlement">
        <AttributeRequest op="Add" name="ObjectType" value="User" />
        <AttributeRequest op="Add" name="sAMAccountName" value="testMailbox" />
        <AttributeRequest op="Add" name="*password*" value="L9uvGWk6LbLxDpv0RZPDUA==" />
        <AttributeRequest name="IIQDisabled" op="Add" value="true"/>
        <AttributeRequest name="mailNickname" op="Add" value="Room5"/>
        <AttributeRequest name="homeMDB" op="Add" value="CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=VM-W2K8-01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exch2007dc,DC=local"/>
        <AttributeRequest name="Exch_AcceptMessagesOnlyFromDLMembers" op="Add">
          <Value>
            <List>
              <String>ExchGroup@exch2007dc.local</String>
              <String>NGP434@exch2007dc.local</String>
            </List>
          </Value>
        </AttributeRequest>
        <AttributeRequest name="Exch_PrimarySmtpAddress" op="Add" value="Equipment11@exch2007dc.local"/>
        <AttributeRequest name="Exch_Type" op="Add" value="Room"/>
        <AttributeRequest name="Exch_EmailAddressPolicyEnabled" op="Add">
          <Value>
            <Boolean>true</Boolean>
          </Value>
        </AttributeRequest>
        <AttributeRequest name="Exch_HiddenFromAddressListsEnabled" op="Add">
          <Value>
            <Boolean>true</Boolean>
          </Value>
        </AttributeRequest>
      </AccountRequest>
    </ProvisioningPlan>

Q: Can Exchange provisioning be performed when the IQService host resides in a different forest from the Exchange server?

A: For Exchange server operations across forests, ensure that:

  1. The forest in which the IQService host resides has at least a one-way trust with the forest in which the Exchange server resides.
  2. There are no network connectivity issues between the IQService host and the other domains.

Q: Which Exchange version does the connector/source support?

A: The connector/source supports managing Microsoft Exchange 2007, 2010 and 2013. Older versions of Exchange use a different integration mechanism and are not supported via the connector/source. For the complete list of the latest supported versions, refer to the connector/source documentation.

Q: What are the connector/source requirements for managing Microsoft Exchange?

A: To manage Exchange, you need the following:

  1. IQService deployed either on the Exchange server or on any machine in the domain that has the Exchange management tools installed.
  2. If the IQService is not running on the Exchange server, it must run under an account with administrative privileges on Exchange for managing mailboxes.

Q: What Exchange operations does the connector/source support OOTB?

A: The connector/source supports the following Exchange operations:

  1. Create a mailbox for a user (uses the Enable-Mailbox cmdlet). The plan should generally carry homeMDB (the Exchange database) and mailNickname (the Exchange alias).
    NOTE: homeMDB is optional for Exchange 2010 and above; in an Exchange 2010+ environment a mailbox can be created by passing just mailNickname.
  2. Disable a user's mailbox (uses the Disable-Mailbox cmdlet). The plan should carry the mailNickname attribute with no value.
  3. Update mailbox attributes (uses the Set-Mailbox cmdlet). The attribute name in the plan must take the form Exch_<cmdletParameterName>, where cmdletParameterName is the name of a parameter accepted by Set-Mailbox.
  4. Move a mailbox to another database (uses the New-MoveRequest cmdlet). Add homeMDB to the plan with the DN of the target database as its value.
  5. Mail-enable an existing universal group (uses the Enable-DistributionGroup cmdlet). The plan should carry mailNickname (the Exchange alias).
  6. Remove mail capabilities from a mail-enabled distribution group (uses the Disable-DistributionGroup cmdlet). The plan should carry the mailNickname attribute with no value.
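The Exch_ naming convention from the two FAQs above (extra Exchange attributes carried in a plan, and Exch_<cmdletParameterName> for Set-Mailbox) as an added Python example. This is illustrative code written for this page, not IQService's implementation: it splits a plan's attribute requests into directory attributes and Exchange cmdlet parameters, then renders the resulting Set-Mailbox call with PowerShell-safe quoting so the mapping can be checked before a plan is submitted. The boolean-as-switch rendering and the sorted parameter order are choices made here, not behaviour the page documents; the sample plan is constructed from the example above.

```python
# Added example (not IQService code): split a provisioning plan's attribute requests into
# plain AD attributes and Exchange cmdlet parameters using the Exch_<cmdletParameterName>
# convention, and render the resulting Set-Mailbox call with PowerShell-safe quoting.

EXCH_PREFIX = "Exch_"


def ps_literal(value):
    """Render a Python value as a PowerShell literal (single quotes doubled inside strings)."""
    if isinstance(value, bool):            # bool before int: bool is a subclass of int
        return "$true" if value else "$false"
    if isinstance(value, (list, tuple)):   # PowerShell array literal: 'a','b'
        return ",".join(ps_literal(v) for v in value)
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def split_plan_attributes(attributes):
    """Return (ad_attributes, exchange_parameters) from a plan's name -> value mapping.

    Names starting with Exch_ are not written to the directory; the prefix is removed
    and the remainder is used as the Exchange cmdlet parameter name.
    """
    ad_attrs, exch_params = {}, {}
    for name, value in attributes.items():
        if name.startswith(EXCH_PREFIX):
            param = name[len(EXCH_PREFIX):]
            if not param:
                raise ValueError("Exch_ attribute without a cmdlet parameter name")
            exch_params[param] = value
        else:
            ad_attrs[name] = value
    return ad_attrs, exch_params


def build_set_mailbox(native_identity, exch_params):
    """Compose a Set-Mailbox invocation for the mapped parameters ('' if there are none)."""
    if not exch_params:
        return ""
    parts = ["Set-Mailbox", "-Identity", ps_literal(native_identity)]
    for param, value in sorted(exch_params.items()):
        if isinstance(value, bool):
            parts.append(f"-{param}:{ps_literal(value)}")   # -Param:$true form for booleans
        else:
            parts.extend([f"-{param}", ps_literal(value)])
    return " ".join(parts)


# Constructed sample mirroring the ProvisioningPlan shown in the FAQ above.
SAMPLE_PLAN = {
    "sAMAccountName": "testMailbox",
    "mailNickname": "Room5",
    "Exch_AcceptMessagesOnlyFromDLMembers": ["ExchGroup@exch2007dc.local", "NGP434@exch2007dc.local"],
    "Exch_PrimarySmtpAddress": "Equipment11@exch2007dc.local",
    "Exch_HiddenFromAddressListsEnabled": True,
}

if __name__ == "__main__":
    ad, exch = split_plan_attributes(SAMPLE_PLAN)
    print("directory attributes:", ad)
    print(build_set_mailbox("CN=testMailbox,OU=NewOU,DC=exch2007dc,DC=local", exch))
```

Quoting matters here: a DN or display name containing an apostrophe would otherwise terminate the PowerShell string and either break the command or let the value change its meaning, which is why every string goes through ps_literal.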

IdentityIQ FAQ

Q: How do I aggregate the last logon timestamp in a readable format?

A: Every time a user authenticates to a Windows domain controller, that domain controller updates the account's lastLogon attribute with the logon date/time in integer8 (FILETIME) format. The lastLogon attribute is NOT replicated, so before Windows Server 2003 administrators had to query it on every domain controller in the domain to determine the most recent logon of a user or computer account, which was time consuming.

Windows Server 2003 Active Directory introduced the lastLogonTimestamp attribute, which uses the same format as lastLogon but is replicated. It is not updated on every logon: at logon the value is rewritten only if the stored one is older than the sync interval (default 14 days, less a random offset of up to 5 days so that all accounts do not update at once). The interval, in days, is controlled by the ms-DS-Logon-Time-Sync-Interval attribute (LDAP display name msDS-LogonTimeSyncInterval) on the domain naming context. The intended purpose of lastLogonTimestamp is to help identify inactive computer and user accounts; neither attribute is designed to provide real-time logon information.

References:

Last Logon Attributes:

  • lastLogon: not replicated between domain controllers; reflects only logons handled by the specific domain controller that was queried
  • lastLogonTimestamp: replicated between domain controllers, but only updated when the previous value is more than 14 days old (or whatever ms-DS-Logon-Time-Sync-Interval defines), so it can lag the real last logon by up to that interval

Converting to a Java Date Format:

Both attributes are returned from Active Directory in integer8 format, i.e. the number of 100-nanosecond intervals since 1 January 1601 UTC (for example 130057437626726073). A customization rule can convert the value to a Java Date during aggregation.

Here is an example rule script to do this:

import java.util.Date;

// lastLogonTimestamp is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
// java.util.Date takes milliseconds since 1970-01-01 UTC, so divide by 10,000 and subtract
// the 1601-to-1970 offset of 11,644,473,600,000 ms. A value of 0 means "never logged on".
Object raw = object.getAttribute("lastLogonTimestamp");
if (raw != null && raw.toString().trim().length() > 0) {
    long fileTime = Long.parseLong(raw.toString().trim());
    if (fileTime > 0) {
        Date lastLogon = new Date(fileTime / 10000L - 11644473600000L);
        object.setAttribute("lastLogonTimestamp", lastLogon.toString());
    }
}
return object;
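The same integer8 conversion as an added Python example, not SailPoint code and not a rule you can drop into IdentityIQ as-is, together with two checks the explanation above implies: picking the newest lastLogon across several domain controllers, because that attribute is never replicated, and applying an inactivity threshold that allows for the up-to-14-day lag of lastLogonTimestamp. The 90-day inactivity threshold and the per-DC sample values are assumptions for the example; treating 0 and Int64.MaxValue as "no date" goes beyond the page but is standard FILETIME behaviour.

```python
from datetime import datetime, timedelta, timezone

# Added example (not SailPoint code): convert the integer8/FILETIME values that Active
# Directory returns for lastLogon, lastLogonTimestamp and pwdLastSet into UTC datetimes,
# and pick the most recent lastLogon across the per-DC values that are never replicated.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # Int64.MaxValue: the "never" sentinel (e.g. accountExpires)
TICKS_PER_DAY = 864_000_000_000  # 100-ns ticks in 24 hours


def filetime_to_datetime(value):
    """Return a UTC datetime for a FILETIME (100-ns ticks since 1601-01-01), or None.

    Accepts the string form the connector delivers as well as an int. 0 means
    "never set" (never logged on / must change password) and the Int64 maximum
    means "never", so both are reported as None rather than as a bogus date.
    """
    if value is None or str(value).strip() == "":
        return None
    ticks = int(str(value).strip())
    if ticks <= 0 or ticks >= NEVER:
        return None
    # 10 ticks of 100 ns = 1 microsecond, the finest resolution datetime supports
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def most_recent_logon(per_dc_values):
    """lastLogon is not replicated: take the newest value across all DCs queried.

    per_dc_values maps DC name -> raw lastLogon value read from that DC.
    Returns (dc_name, datetime) for the most recent logon, or (None, None).
    """
    best_dc, best_dt = None, None
    for dc, raw in per_dc_values.items():
        dt = filetime_to_datetime(raw)
        if dt is not None and (best_dt is None or dt > best_dt):
            best_dc, best_dt = dc, dt
    return best_dc, best_dt


def stale_since(last_logon_timestamp, now, sync_interval_days=14, max_age_days=90):
    """Flag an account as inactive, allowing for the coarse update of lastLogonTimestamp.

    The stored value can lag the true last logon by up to the sync interval, so the
    cutoff is widened by that interval to avoid false positives. The 90-day threshold
    is an assumption for this example; the page does not prescribe one.
    """
    dt = filetime_to_datetime(last_logon_timestamp)
    if dt is None:
        return True  # never logged on anywhere (or value never replicated)
    return now - dt > timedelta(days=max_age_days + sync_interval_days)


if __name__ == "__main__":
    # Constructed sample: the page's example value plus made-up per-DC lastLogon values.
    print(filetime_to_datetime("130057437626726073"))
    print(most_recent_logon({"DC01": "130057437626726073",
                             "DC02": "130057500000000000",
                             "DC03": "0"}))
```

Because lastLogonTimestamp is only rewritten when it is older than the sync interval, an account reported as "last seen 100 days ago" may in fact have logged on 86 days ago; stale_since widens the window by the interval for exactly that reason.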

Troubleshooting

Troubleshooting points are grouped by operation (Passthrough Authentication, Aggregation, Provisioning, Upgrade, Other) and by product (IdentityIQ, IdentityNow, or common to both). The index names Create Account Operation Error (Provisioning) and Test Connection error for TLS (Other) as product-specific items; the remaining entries are common to IdentityIQ and IdentityNow.

 

IdentityIQ/IdentityNow Troubleshooting

Issue: Delays or errors during passthrough authentication

By default, pass-through authentication searches the entire DN. In some cases this leads to referrals, which in turn can cause errors or long delays during login.

Resolution:

  1. During passthrough authentication the connector aggregates all properties of the user, including membership details. If the user's group memberships are distributed across multiple domains this can be time consuming, so the end user experiences a delay at login.
    To build only a partial resource object at authentication, do the following:
    1. Open the debug page and select Application in the object browser and open the Active Directory application.
    2. Add the following entry key to the application definition: <entry key="buildPartialROOnAuthentication" value="true"/>
    3. Save the application definition.

  2. Passthrough authentication time can also be improved by keeping only the attributes actually used for login in the authSearchAttributes list, which narrows the user search.
    For example, if only sAMAccountName is used to log in, the other attributes can be removed from authSearchAttributes as follows:
    <entry key="authSearchAttributes">
      <value>
        <List>
          <String>sAMAccountName</String>
        </List>
      </value>
    </entry>

Issue: During passthrough authentication, accounts are being uncorrelated from their identities when a correlation rule is used to correlate the accounts using one of the attributes (for example "employeeNumber")

In this case, it is assumed that Global Catalog details are configured under the forest settings:

<entry key="gcServer" value="ForestA:3268"/>

When passthrough authentication is configured using the global catalog configuration, not all of the attributes of an account are returned from the Active Directory, since the Global Catalog port only returns partial set of attributes. Because of this, the correlation rule (if configured) fails to correlate an account to the identity.

Per Microsoft guidelines, to preserve bandwidth and the size of the Active Directory database (known as NTDS.DIT) on each Global Catalog, only certain attributes have been selected by default to replicate to each Global Catalog.

Resolution: There are three possible solutions to this issue:

  1. Add the following application configuration attribute:
    <entry key="useDomainControllerForAuthentication" value="true"/>
    This ensures that connector uses Domain Controller for authenticating user instead of the Global Catalog server.

  2. Remove the Global Catalog details from Forest Settings.

  3. Per Microsoft guidelines, there is a provision for adding the required attributes to the Global Catalog database. For more information, see:

    https://technet.microsoft.com/en-us/library/cc759007(v=ws.10).aspx

    https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/10/global-catalogs-and-the-pa...

    NOTE: Index the attribute on the Global Catalog to avoid a performance impact

NOTE: For multi-domain forests, this solution will work (per MSDN documentation) if you add the required attribute into the partial attribute lists.

Issue: When Exchange is installed in a forest having multiple domains, mail enabling of existing universal security group may fail with an error

When Exchange is installed in a forest having multiple domains, mail enabling of existing universal security group may fail with the following error: 

The operation could not be performed because object '<object name>' could not be found on <domain name>

Resolution: If Exchange is deployed in a forest environment, then the configuration below is required on the Exchange server so that the scope of the search can be set to the entire forest.

Follow these steps:

  1. Open the Exchange Management Shell.
  2. Run this command:
    Set-ADServerSettings -ViewEntireForest $True

Issue: Create mailbox is failing with an error

Create mailbox is failing with the following error message:

Unable to find <domain controller host/IP> computer information in domain controller <domain controller host/IP> to perform the suitability check. Verify the fully qualified domain name

Resolution: This error indicates a DNS configuration issue. If the domain controller is specified by IP address in the IdentityIQ application configuration/source configuration, either fix DNS so that the FQDN resolves, or add a mapping of the FQDN to the IP address in the hosts file, and then reference the FQDN instead of the IP address in the application/source configuration.

Issue: Account aggregation fails to get the primaryGroupMemberships

Account aggregation does not resolve primaryGroupMembership for an account and retrieves only non-primaryGroupMembership.

Resolution: Add the following schema attribute into application configuration:

<AttributeDefinition name="primaryGroupID" type="string">
  <Description>RID of users primary group</Description>
</AttributeDefinition>
<AttributeDefinition name="primaryGroupDN" type="string">
  <Description>DN of users primary group</Description>
</AttributeDefinition>

Add the following entry in the respective searchDNs map, to define search scope for the primary group:
<entry key="primaryGroupSearchDN" value="DC=DevQA,DC=betfair,DC=local"/>

Issue: PartialResult Exception during aggregation

Resolution: During account aggregation to avoid getting referrals, perform the following:

  • (For IdentityNow) Use the following API:

    POST <url>/api/source/update/<sourceID>
    Where:

    • <url> is the URL for the customer's IdentityNow instance
    • <sourceID> is the Source ID (number) obtained through the UI
  • In the body of the POST, set form-data values as follows:

    • key - key name of the entry. Use connector_ldapExtendedControls
    • value - the value of the key. Values are: sample_ldapExtendedControls_value

For more information about the other controls, see https://msdn.microsoft.com/en-us/library/cc223320.aspx

Issue: During aggregation cross domain group memberships of a user are not aggregated

Resolution: To fetch the cross domain group memberships information, the Group Membership Search DN field must have cross domain details.

Issue: During account aggregation the FSP memberships are not visible when service account is not a part of the 'account operators'

Resolution: The service account for the domain in which the FSP memberships belong must have the Read memberOf permission. Perform the following to assign Read memberOf on the ForeignSecurityPrincipals container:

  1. Open ADSIEdit.msc ==>right click on CN=ForeignSecurityPrincipals and open the Properties dialog box.
  2. Navigate to Security tab ==> Advanced ==> Add and add service account as principal.
  3. In Applies to section, select descendant Foreign Security Principal objects.
  4. In Permissions section select Read memberOf checkbox and click OK.
  5. Save the settings

Issue: Account Aggregation fails with an error message

Account Aggregation fails with the following error message:

LDAP: error code 12 - 00000057: LdapErr: DSID-0C090AFA, comment: Error processing control error in Active Directory full account aggregation.

Resolution: Perform the following steps in the application configuration:

  1. Add the disableSort setting:
    • (For IdentityIQ) Add the following entry key to the application XML:
      <entry key="disableSort" value="true"/>
    • (For IdentityNow) Add the disableSort attribute using the IdentityNow REST API:
      POST <url>/api/source/update/<sourceID>

      Where:

      • <url> is the URL for the customer's IdentityNow instance
      • <sourceID> is the Source ID (number) obtained through the UI

      In the body of the POST, set form-data values as follows:

      • key - connector_disableSort
      • value - true


  2. Change the server order in the domain; if there is only one entry in the servers list, add other domain controllers from the domain.
    This can be done through the UI by navigating to the Settings ==> Servers tab of the Application Definition configuration, or by editing the "servers" element in the application XML as in the following example:
    <entry key="servers">
        <value>
            <List>
                <String>Server1</String>
                <String>Server2</String>
            </List>
        </value>
    </entry>
  3. Change the value of pageSize (if it is set to 100, change it to 1000, and vice versa) and verify the aggregation result.
  4. If the above steps do not resolve the issue and the account aggregation returns a large result set (more than 300,000 accounts), enable information-level logging for LDAP Interface Events as follows:

    1. Open the Registry Editor.

    2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics path and change the entry value of 16 LDAP Interface to 2.

      NOTE: This is a registry change on a domain controller; test it in a lower environment first and apply it with caution.
      Refer to the following link:
      https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic...

      Run account aggregation and search for event ids 2898 and 2899 in Directory Service events logs on Active Directory Server.  For more information, see 
      https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-ldap-server-cookies-are-ha...

      If any event id (2898 or 2899) is viewed in event logs, then perform the following steps:

      1. Open ntdsutil.exe with administrator privilege.

      2. At the ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.

      3. At the LDAP policy command prompt, type connections, and then press ENTER.

      4. At the server connection command prompt, type connect to server DNS name of server, and then press ENTER to connect to the server that you are currently working with.
        For example, server connection: connect to server “susdomain.local”

      5. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.

      6. At the LDAP policy command prompt, type Show Values, and then press ENTER.

      7. A display of the policies as they exist appears.

      8. At the LDAP policy command prompt, execute the following command as per the event id:
        For event id 2899:
        Set MaxResultSetSize to 393216000
                    For event id: 2898
        Set MaxResultSetsPerConn to 25

        Enter the following command to save the changes:
        Commit Changes

      9. When you finish, type q, and then press ENTER.

        NOTE: This changes default Active Directory LDAP policy values, so test it in a lower environment first and apply it with caution.
        For more information, see https://support.microsoft.com/en-in/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-...

Issue: Delta aggregation error 

Delta aggregation fails with the following error:

javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0909F1, comment: Error processing control, data 0, v2580; remaining name 'dc=XX,dc=XXX,dc=XXX'

Resolution: Grant the Replicating Directory Changes permission to the service account on the domain naming context, or add the service account to a security group that already has it. Delta aggregation relies on the DirSync control, which Active Directory only honours for callers with this permission (error code 50 is "insufficient access rights").

Issue: Unable to aggregate Exchange attribute AcceptMessagesOnlyFrom

Resolution To aggregate the AcceptMessagesOnlyFrom attribute values, add the attribute as 'authOrig' in the Active Directory application's account schema. 

Issue: “A device attached to the system is not functioning” exception occurs during provisioning

The creation of an Active Directory account can fail with the following exception when the sAMAccountName provided does not satisfy Active Directory's naming rules:

A device attached to the system is not functioning

Resolution: When providing sAMAccountName:

  • The length of attribute must be 20 characters or less
  • This attribute must not end with period(.)
  • The attribute cannot contain any of these characters
    "/ \ [ ] : ; | = , + * ? < >
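An added Python pre-flight check, not SailPoint code, that encodes the sAMAccountName rules above so a plan can be rejected with a readable message before Active Directory answers with the generic device error (the same check covers the "Create account fails" entry later on this page). The suggest_sam_account_name helper and its first-initial-plus-surname scheme are assumptions for the example, not a naming convention the page prescribes.

```python
# Added example (not SailPoint code): pre-flight checks for a sAMAccountName before it goes
# into a Create plan, encoding the rules listed in the entry above. Running them in a
# before-provisioning rule turns the opaque "A device attached to the system is not
# functioning" failure into a readable validation error.

SAM_MAX_LENGTH = 20
# The characters the entry lists as forbidden in a sAMAccountName.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def validate_sam_account_name(name):
    """Return a list of rule violations; an empty list means the value is acceptable."""
    if name is None or name == "":
        return ["sAMAccountName is empty"]
    problems = []
    if len(name) > SAM_MAX_LENGTH:
        problems.append(f"length {len(name)} exceeds {SAM_MAX_LENGTH} characters")
    if name.endswith("."):
        problems.append("must not end with a period")
    bad = sorted(set(name) & SAM_FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    return problems


def suggest_sam_account_name(first, last, existing=()):
    """Build a candidate that passes the checks, uniquified against `existing`.

    Assumption (not from the page): first initial + surname, lower-cased, with
    forbidden characters and whitespace dropped, then a numeric suffix on collision.
    """
    base = (first[:1] + last).lower()
    base = "".join(ch for ch in base if ch not in SAM_FORBIDDEN and not ch.isspace())
    base = base.rstrip(".")[:SAM_MAX_LENGTH]
    if not base:
        raise ValueError("no usable characters in the name")
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        suffix = str(n)
        # keep the suffix inside the 20-character limit
        candidate = base[:SAM_MAX_LENGTH - len(suffix)].rstrip(".") + suffix
    if validate_sam_account_name(candidate):
        raise ValueError(f"could not derive a valid sAMAccountName from {first!r} {last!r}")
    return candidate


if __name__ == "__main__":
    for value in ("jdoe", "trailing.", "bad/name", "x" * 25):
        print(value, validate_sam_account_name(value) or "ok")
    print(suggest_sam_account_name("John", "Doe", existing={"jdoe"}))
```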

Issue: User receives error during Exchange Provisioning

User receives the following error during Exchange Provisioning:

Errors returned from IQService: Connecting to remote server <<Exchange HostName>> failed with the following error message: The WinRM client cannot process the request. Basic Authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

Resolution: Perform the following:

  1. Ensure that the Windows Remote Management service is installed on both the IQService and Exchange Server machines and is running.
    To validate this, open PowerShell as an administrator and execute the following commands before Exchange provisioning:
    winrm qc
    winrm e winrm/config/listener
  2. Ensure that the host firewall allows WinRM traffic between the IQService host and the Exchange server (by default TCP 5985 for HTTP and 5986 for HTTPS). Turning the firewall off isolates the problem for a test; the permanent fix is a rule for those ports.

If the above steps do not resolve the error, perform the following on the Exchange Server:

  1. Open a PowerShell prompt as an administrator and run the following:
    winrm get winrm/config/client
  2. If Basic authentication is set to false, run the following command to set it to true:
    winrm set winrm/config/client/auth '@{Basic="true"}'

    Basic authentication transmits the credentials in the clear unless the WinRM connection uses HTTPS, so enable it only in combination with an HTTPS listener; where the IQService host and the Exchange server are in the same or trusted domains, Kerberos is the preferable authentication method.

Issue: Provisioning rule executes even if provisioning operation fails

Resolution: This is expected behaviour: the IQService after-provisioning rule always executes, regardless of whether the provisioning operation succeeded, so a rule that should only act on success must check the provisioning result itself.

Issue: Provisioning operations fail with an error message

Provisioning operations fail with the following error message:

The server is unwilling to process the request

This is a generic error returned by Active Directory during provisioning operations. It occurs when a mandatory attribute is missing from the provisioning plan, or its value is empty or invalid.

For example, if the domain enforces a password policy and a user is created without a password field in the provisioning plan, the above error is returned.

Resolution: To analyze which of the passed values is the problem:

  1. Add the following entry key on the application debug page and repeat the provisioning operation:
    <entry key="setAttributeLevelResult" value="true"/>
  2. Check the attribute-level result to identify the attribute that was rejected, and confirm it at the managed system by setting the same value for that attribute directly.
  3. If the error occurs on an Enable operation, verify whether the account was created with a password. If it was not, correct the create account operation to include a password, recreate the account, and then run the Enable operation.

Issue: Create account fails with an error message

Create account fails with the following error message:

System.DirectoryServices.DirectoryServicesCOMException (0x8007001F): A device attached to the system is not functioning

Resolution: Perform the following:

  1. Ensure that the sAMAccountName is 20 characters or fewer (see the sAMAccountName rules in the earlier "A device attached to the system is not functioning" entry).
  2. Verify that the domain controller is not out of disk space.

Issue: When setting a global catalog for SSL an error message appears

When setting a global catalog for SSL the following error message appears:

"Failed to discover domains. <somehostname>:3269; socket closed"

Resolution: Set the following in the application XML so that the Global Catalog connection uses SSL (port 3269):

<entry key="useSSLForGC" value="true"/>

Issue: User gets an error when logging in to IdentityIQ or IdentityNow

User gets the following error when logging in to IdentityIQ or IdentityNow:

Your admin requires you to reset your password (passwords expired)

Resolution: Users may see this error from managed system in these situations:

  1. If the value of pwdLastSet on the account is 0, the user must change the password at next logon; once the user changes the password, the attribute is overwritten with the current time.
  2. If pwdLastSet + maxPwdAge <= now (the current date and time), Active Directory returns a password expired error and the user must change the password.
    maxPwdAge (Maximum password age) is set in the domain password policy and is stored on the domain object as a negative integer8 interval; pwdLastSet is in the account's Active Directory attribute list.
  3. If the password was changed with the "User must change password at next logon" flag set on the managed system, the user receives the password expired error.
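The three conditions above as an added Python example, not SailPoint code: classify an account's password state from the raw pwdLastSet and maxPwdAge values so the "password expired" login error can be explained from aggregated data. It goes slightly beyond the page by also honouring the userAccountControl DONT_EXPIRE_PASSWD bit (0x10000) and the Int64.MinValue sentinel that maxPwdAge carries when the policy sets no maximum age; both are standard Active Directory semantics rather than something the page states. The sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not SailPoint code): classify an account's password state from the raw
# pwdLastSet (per-account) and maxPwdAge (domain object) values, reproducing the conditions
# the entry above describes.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000          # 100-ns ticks in 24 hours
NO_MAX_AGE = -0x8000000000000000         # maxPwdAge when the policy is "password never expires"
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl bit that exempts the account


def from_ticks(ticks):
    """FILETIME ticks (100 ns since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def to_ticks(dt):
    """Aware UTC datetime -> FILETIME ticks (inverse of from_ticks, to microsecond precision)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_state(pwd_last_set, max_pwd_age, now, user_account_control=0):
    """Return one of: must_change, never_expires, expired, valid.

    pwd_last_set: account attribute in FILETIME ticks (0 = must change at next logon)
    max_pwd_age:  domain attribute, a NEGATIVE tick interval (e.g. -42 days)
    now:          aware UTC datetime
    """
    pwd_last_set = int(pwd_last_set)
    max_pwd_age = int(max_pwd_age)
    if pwd_last_set == 0:
        return "must_change"
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NO_MAX_AGE):
        return "never_expires"
    # "pwdLastSet + maxPwdAge <= now" from the entry above, with the negative interval
    # turned into a positive age
    expires_at = pwd_last_set + abs(max_pwd_age)
    return "expired" if expires_at <= to_ticks(now) else "valid"


def expiry_date(pwd_last_set, max_pwd_age):
    """When the password will expire, or None if it never does / must be changed first."""
    if int(pwd_last_set) == 0 or int(max_pwd_age) in (0, NO_MAX_AGE):
        return None
    return from_ticks(int(pwd_last_set) + abs(int(max_pwd_age)))


if __name__ == "__main__":
    # Constructed sample: the page's example timestamp as pwdLastSet, a 42-day policy.
    pls, max_age = 130057437626726073, -42 * TICKS_PER_DAY
    print(expiry_date(pls, max_age))
    print(password_state(pls, max_age, datetime.now(timezone.utc)))
    print(password_state(0, max_age, datetime.now(timezone.utc)))
```

Note the sign: the domain stores maxPwdAge as a negative count of ticks (for example -42 days), which is why a naive pwdLastSet + maxPwdAge comparison done on the raw values gives a date in the past and reports every account as expired.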

Issue: Create New Account or Set Password operation fails with an error

Create New Account or Set Password operation fails with the following error message:

Error occurred while setting password for the account. Exception has been thrown by the target of an invocation. One or more input parameters are invalid.

The above issue is observed for following versions of Microsoft Windows Servers:

  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 R2 with KB 4012219 installed
  • Microsoft Windows Server 2012 with KB 4012220 installed
  • Microsoft Windows Server 2008 R2 with KB 4012218 installed

Resolution: Ensure that the following Local Security Policy is set to Not Defined or if it is enabled then ensure that the Local Security Policy contains the service account which is configured on Active Directory application:

Network access: Restrict clients allowed to make remote calls to SAM

The above Local Security Policy can be found under Local Computer Policy ==> Computer Configuration ==> Windows Settings ==> Security Settings ==> Local Policies ==> Security Options

Issue: Failing to move OU with AC_NewParent

Unable to move users from one OU to another OU in the same domain.

Resolution: Perform the following:

  1. Perform Windows update on the Server where IdentityIQ and IQService are installed.
  2. Navigate to Network security: LAN Manager authentication level on the server as follows:
    Press (window+r) ==> gpedit.msc ==> Computer Configuration ==> Windows settings ==> Security settings ==> Local Policies ==> Security Options
  3. Modify the Network security: LAN Manager authentication level to match what is there on the domain controller. The value of Network security: LAN Manager authentication level on server must be either higher or equal to that from the DC server.

Issue: Password change fails with an error message

Active Directory Password change fails with the following error message:

Caught exception in bind for server

Resolution: Verify if the service account used in application is having the required permissions as mentioned in the respective version of Active Directory Connector Guides.

Issue: Account is displayed as Enabled though it is disabled in Managed System

It was found that serviceAccount does not have read permission for userAccountControl attribute on managed system which is causing issue in setting correct accountFlags on identity.

Resolution: Contact the Active Directory administrator to set the correct permission on serviceAccount for reading userAccountControl for Active and InActive users.

Issue: Reset password or provisioning operation fails

Resolution: On the IQService machine, check what kind of user is being used. If the user used is any domain user, then change the IQService "Log On" user to "Local Account".

IdentityIQ Troubleshooting

Issue: Unable to access pass-through authentication from the IdentityIQ console

Resolution: Open iiq.bat (Windows) or iiq.sh (Unix), as appropriate for your environment, and add the following entry so that the console JVM trusts the Active Directory server certificate (in iiq.sh use export instead of set):

set JAVA_OPTS=-Xms128m -Xmx256m -Dsun.lang.ClassLoader.allowArraySyntax=true -Djavax.net.ssl.trustStore=<keystorefile> -Djavax.net.ssl.trustStorePassword=<password>

For example:
set JAVA_OPTS=-Xms128m -Xmx256m -Dsun.lang.ClassLoader.allowArraySyntax=true -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.8.0_162\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword="changeit"

Issue: Forgot password link throws a Multiple Matches error

When Active Directory is configured as the pass-through authentication application and the Search DNs list contains both a root DN and some specific OUs beneath it, the Forgot Password link on the login page throws a Multiple Matches error.

Resolution: Remove the root DN from the Search DNs, or remove the individual OUs, since the root DN already contains all the listed OUs.

NOTE: The error occurs because the requested user is matched twice: once in the specified OU and once in the root DN search.

Issue: The useHasMoreElements setting does not always surface or act on exceptions, which can cause accounts/groups to be deleted on aggregation when "Detect Deleted Options" is set to true

This scenario assumes a full group/account aggregation run with Detect Deleted Options set to true.

When the aggregation runs with <entry key="useHasMoreElements" value="false"/>, an exception stops the process without deleting any accounts or groups. With <entry key="useHasMoreElements" value="true"/>, exceptions may neither appear nor stop the process, so the aggregator proceeds as if the aggregation completed successfully and then starts deleting the accounts or groups that were not returned.

Exceptions can occur during aggregation in the following situations:

  • The primary domain controller goes down.
  • The VPN is disconnected.

Reasons for a PartialResultException include:

  • DNS is not configured properly.
  • The root domain is configured as the SearchDN. You can configure a specific OU as the SearchDN instead of the root domain.

Resolution: Perform the following:

  1. Set the Maximum deleted accounts threshold on the aggregation task so that an error or exception cannot cause a mass deletion.
  2. If a PartialResultException is observed, set <entry key="allowPartialResultException" value="true"/> and <entry key="useHasMoreElements" value="false"/>.

NOTE: Using allowPartialResultException may lead to data loss, because entries missing from a partial result are treated as if they no longer exist.

Issue: "Pruning cyclical group hierarchy" warning message during group aggregation

When groups are members of each other, forming a cycle, this is called a cyclic group hierarchy. For example:

  • GroupA is a member of GroupB
  • GroupB is a member of GroupC
  • GroupC is a member of GroupA

The cyclic links between the groups are resolved during group aggregation. If the group hierarchy is very deep, this cycle detection can affect aggregation performance.

Resolution: Add the following option to the TaskDefinition of the task that triggers the aggregation, from the debug page:

<entry key="noGroupCycleDetection" value="True"/>
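
Before disabling cycle detection, it is worth knowing which groups actually form cycles so they can be fixed in the directory. The following PowerShell function is an added example, not part of the SailPoint article or connector, that walks a group-to-parent-groups map and reports every cycle it finds. The membership map is constructed sample data mirroring the GroupA/GroupB/GroupC case above; a comment shows how to build the same map from a live domain.

```powershell
# Added example (not from the SailPoint article): report cyclic group nesting so the
# groups can be fixed in AD instead of being pruned on every aggregation.
# The membership map below is constructed sample data; in a real domain build it with
#   Get-ADGroup -Filter * -Properties memberOf | ForEach-Object { $map[$_.Name] = @($_.memberOf) }
# (memberOf holds DNs rather than names, but the algorithm is the same).
$memberOf = [ordered]@{
    'GroupA' = @('GroupB')
    'GroupB' = @('GroupC')
    'GroupC' = @('GroupA')    # closes the cycle A -> B -> C -> A
    'GroupD' = @('GroupA')    # leads into the cycle but is not part of it
    'GroupE' = @()
}

function Find-GroupCycles {
    param([System.Collections.IDictionary]$MemberOf)
    $cycles = New-Object 'System.Collections.Generic.List[string]'
    $done   = @{}          # groups whose ancestry has been fully explored

    function Visit([string]$group, [string[]]$path) {
        if ($path -contains $group) {
            # The group is already on the current path: the slice from its first
            # occurrence to here is one cycle.
            $start = [array]::IndexOf($path, $group)
            $cycles.Add(((@($path[$start..($path.Count - 1)]) + $group) -join ' -> '))
            return
        }
        if ($done[$group]) { return }
        foreach ($parent in @($MemberOf[$group] | Where-Object { $_ })) {
            Visit $parent ($path + $group)
        }
        $done[$group] = $true
    }

    foreach ($g in @($MemberOf.Keys)) { Visit $g @() }
    $cycles
}

Find-GroupCycles -MemberOf $memberOf
# Reports: GroupA -> GroupB -> GroupC -> GroupA
```

Each cycle is reported once because a group whose ancestry has already been explored is not revisited; GroupD reaches the cycle but is not on it, so it is not reported.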

Issue: An account which is moved or renamed in Active Directory is removed from the 'Manage Accounts' page

For example, in the case of transfers or terminations involving an OU change, the accounts are removed from the 'Manage Accounts' page.

Resolution: For any account that has been moved or renamed in Active Directory since the last aggregation, ensure that the change is aggregated before performing any provisioning operation on the account.

Issue: Create Provisioning Request displays an error message

Create Provisioning Request displays the following error message:

Account created but some attributes are not updated properly

This message indicates that the account was created successfully on the managed system, but some attributes that are in both the provisioning plan and the schema were not updated.

Resolution: Review the detailed attribute-level result, which shows what failed and the steps required to correct it.

Issue: "iterateSearchFilter" does not respect group inheritance during group aggregation

Parent groups that do not meet the LDAP filter criteria are promoted as entitlements in the entitlement catalog.

Example:

  • Group A is a member of Group B.
  • Group A meets the LDAP filter criteria; Group B does not.
  • Both groups are promoted as entitlements: Group A as requestable, Group B as non-requestable.

Resolution: Remove memberOf from the Group Hierarchy Attribute textbox in the Active Directory application's group schema (see image below). After this, when only child groups match the filter criteria, the parent groups are no longer promoted as entitlements during the next group aggregation; all groups that satisfy the filter criteria are still aggregated in IdentityIQ.

[Image: Group Hierarchy Attribute field in the Active Directory group schema]

Issue: An error appears during account delta aggregation

The following error message appears during Active Directory account delta aggregation:

LDAP: error code 1 - 000020E6: SvcErr: DSID-03140488, problem 5012 (DIR_ERROR), data 2]; remaining name 'DC=xxx,DC=xxx,DC=xxx'

Resolution: Set the deltaIterationMode attribute to DirSync in the Active Directory application configuration and run the delta aggregation again.

Issue: During account aggregation, associated memberships for an account are not displayed

During account aggregation, some of an account's group memberships are not displayed. This happens when two Search DN entries share the same Search DN and Iterate Search Filter for accounts but define different Group Membership Search DN and Group Member Filter String values.

In that case the connector fetches memberships only from the first user search scope and ignores those from the second.

Resolution: SailPoint recommends merging the search scopes into a single entry: list all Group Membership Search DN values separated by a semicolon ( ; ) and combine the Group Member Filter String values with the LDAP OR operator, in the form (|(filter1)(filter2)). This applies where the Search DN and Iterate Search Filter values are the same across the entries.

Issue: Account aggregation fails with an error message

Account aggregation fails with the following error message:

java.lang.RuntimeException: java.rmi.NoSuchObjectException: no such object in table at sailpoint.connector.DistributedCacheReplicator.isReady(DistributedCacheReplicator.java:xxx)

The error message appears when the Active Directory application has enableCache=true and multiple task servers are configured, typically because the task servers cannot reach each other's cache replication ports.

Resolution: Set enableCache to false in the application configuration. To keep using the cache, ensure that the cacheRmiPort and cacheRemoteObjectPort ports are open between the task servers; the port values are in the application configuration XML file and default to 40001 and 40002 respectively.

Issue: Delta aggregation fails with an error message

Delta aggregation fails with the following error message:

javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0909F1, comment: Error processing control, data 0, v2580; remaining name 'dc=XX,dc=XXX,dc=XXX'

Resolution: Grant the service account the "Replicating Directory Changes" permission on the domain, either directly or by adding it to a security group that has that permission. Grant only "Replicating Directory Changes", which is what the DirSync control requires; do not grant "Replicating Directory Changes All", which additionally allows reading secret attributes such as password hashes (the permission abused by DCSync attacks).

Issue: After upgrading IdentityIQ to version 7.2 or later, Active Directory aggregation does not pick up trust domain users

In IdentityIQ version 7.2, the default search filter for user accounts was changed from (&(objectClass=User)(objectCategory=Person)) to (sAMAccountType=805306368), following the article at:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filter....

The value 805306368 (0x30000000) is SAM_NORMAL_USER_ACCOUNT, so trust accounts, whose sAMAccountType is 805306370 (0x30000002, SAM_TRUST_ACCOUNT), are no longer aggregated.

Resolution: On IdentityIQ 7.2 or later, use the following filter as the Iterate Search Filter in the application.xml file:

(&(objectClass=User)(objectCategory=Person))

This filter matches normal user accounts and trust accounts alike; objectCategory=Person excludes computer accounts, which would otherwise match objectClass=User.
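
The following PowerShell snippet is an added example, not from the SailPoint article, that evaluates both filters against a few constructed directory entries so the difference is visible without touching a live domain. The sAMAccountType constants are the schema's fixed values; the entries and their names are made up, and objectCategory is simplified to its short name.

```powershell
# Added example (not from the SailPoint article): what the two Iterate Search Filters
# match, evaluated against constructed sample objects rather than a live directory.
# sAMAccountType constants are fixed values in the AD schema:
$SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000
$SAM_MACHINE_ACCOUNT     = 805306369   # 0x30000001
$SAM_TRUST_ACCOUNT       = 805306370   # 0x30000002, interdomain trust accounts
$SAM_GROUP_OBJECT        = 268435456   # 0x10000000

# Constructed sample entries (not real directory data). objectClass is multi-valued in
# LDAP, which is why computer objects also carry 'user' in it; objectCategory is
# shortened to the display name the filter uses.
$entries = @(
    [pscustomobject]@{ Name = 'alice';   objectClass = @('top','person','organizationalPerson','user');            objectCategory = 'person';   sAMAccountType = $SAM_NORMAL_USER_ACCOUNT }
    [pscustomobject]@{ Name = 'SRV01$';  objectClass = @('top','person','organizationalPerson','user','computer'); objectCategory = 'computer'; sAMAccountType = $SAM_MACHINE_ACCOUNT }
    [pscustomobject]@{ Name = 'CORP$';   objectClass = @('top','person','organizationalPerson','user');            objectCategory = 'person';   sAMAccountType = $SAM_TRUST_ACCOUNT }
    [pscustomobject]@{ Name = 'Finance'; objectClass = @('top','group');                                            objectCategory = 'group';    sAMAccountType = $SAM_GROUP_OBJECT }
)

# (sAMAccountType=805306368): the 7.2+ default
function Test-DefaultFilter { param($e) $e.sAMAccountType -eq $SAM_NORMAL_USER_ACCOUNT }

# (&(objectClass=User)(objectCategory=Person)): the pre-7.2 default
function Test-LegacyFilter  { param($e) ($e.objectClass -contains 'user') -and ($e.objectCategory -eq 'person') }

$entries | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        DefaultFilter = Test-DefaultFilter $_
        LegacyFilter  = Test-LegacyFilter  $_
    }
} | Format-Table -AutoSize
# Result: alice matches both; CORP$ (the trust account) matches only the legacy filter;
# SRV01$ and Finance match neither.

# To list the trust accounts a real domain holds (requires the ActiveDirectory module):
#   Get-ADObject -LDAPFilter '(sAMAccountType=805306370)' -Properties sAMAccountType
```

Running the commented Get-ADObject query before switching filters tells you how many extra accounts the legacy filter will bring in, which matters if trust accounts should not be correlated to identities.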

Issue: After upgrading IdentityIQ, the servers key does not split the domain controllers into separate strings when creating a new application definition

Resolution: Enter each domain controller (IP address or FQDN) as a separate entry in the Servers field under the Domain Configuration section of the Active Directory application.

The corresponding servers map must be as follows:

<entry key="servers">
  <value>
    <List>
      <String>dc1.example.com</String>
      <String>dc2.example.com</String>
      <String>dc3.example.com</String>
    </List>
  </value>
</entry>

Issue: Trusted host list error appears when user objects are restored from the recycle bin in IdentityIQ

When user objects are restored from the recycle bin configured in IdentityIQ, the following error message appears:

Errors returned from IQService. Error occurred connecting to remote host:Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

Resolution: On the IQService host, which is the WinRM client in this exchange, add the remote host that IQService connects to (the destination named in the error) to the WinRM TrustedHosts list. The following command trusts every host:

Set-Item wsman:localhost\client\trustedhosts -Value *

A wildcard switches off WinRM's check of the remote server's identity for every host, so prefer listing the specific host name instead of *. As the error message itself says, TrustedHosts is not needed when the transport is HTTPS, and it is also unnecessary when the destination is addressed by FQDN so that Kerberos can authenticate it.
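
The following PowerShell script is an added example, not from the SailPoint article, that adds a single destination to TrustedHosts on the IQService host, preserving any entries already present. The destination name is a placeholder.

```powershell
# Added example (not from the SailPoint article): trust one specific destination instead
# of '*'. Run on the IQService host, which is the WinRM client in this scenario.
# The destination name is a placeholder.
$destination = 'exch01.example.com'
$path        = 'WSMan:\localhost\Client\TrustedHosts'

$current = (Get-Item -Path $path).Value
"Current TrustedHosts: '$current'"

if (($current -split ',' | ForEach-Object { $_.Trim() }) -contains $destination) {
    "$destination is already trusted."
} elseif ([string]::IsNullOrWhiteSpace($current)) {
    Set-Item -Path $path -Value $destination -Force
} else {
    # -Concatenate appends to the existing list instead of replacing it.
    Set-Item -Path $path -Value $destination -Concatenate -Force
}
"TrustedHosts is now: '$((Get-Item -Path $path).Value)'"

# TrustedHosts only matters for NTLM/Basic to a host that Kerberos cannot authenticate
# (typically an IP address). Connecting by FQDN, or over HTTPS (port 5986), avoids it.
Test-WSMan -ComputerName $destination
```

Test-WSMan at the end confirms that the WinRM listener on the destination answers; if it does and the original error persists, the connector is still addressing the host by IP address rather than by the name you trusted.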

Issue: Problems with Strong Authentication (SASL) configuration

Resolution: Ensure that the following conditions are met:

  1. For applications using strong authentication, the server name used in the application must have a matching DNS entry, and the FQDN configured in the application must match the actual name of the server. Kerberos requests a service ticket for the exact name it is given, so a mismatch fails authentication.
  2. The "Do not require Kerberos preauthentication" option must not be enabled for the service account. Leaving pre-authentication required is also the secure default: accounts without it are exposed to offline password guessing (AS-REP roasting).

Issue: Strong Authentication (SASL) is not supported on JBoss and WebSphere application servers

Resolution: Strong Authentication (SASL) is supported only on Apache Tomcat and WebLogic application servers.

Issue: User entitlements missing in Identity Warehouse

Entitlements are present in Entitlement Catalog, but are missing for user in Identity Warehouse under Application Accounts.

Resolution: Run the Refresh Identity Cube task with the Refresh Identity Entitlements for all links option enabled.

Issue: Invalid Cache Configuration error is displayed

The following invalid cache configuration error is displayed:

sailpoint.connector.ConnectorException: Invalid Cache Configuration :Expected Free Disk Space to be minimum 2GB

Resolution: When caching is enabled, ensure that the disk hosting the IdentityIQ server has at least 2 GB of free space.

IdentityNow Troubleshooting

Issue: Create account operation error

Create Account fails with the following error when the create account plan contains a manager attribute whose value is not in DN format:

Errors returned from IQService. Failed to update attributes. There is no such object on the server.

The account is created in Active Directory, but some attributes are not set.

Resolution: If the manager attribute is present in the AccountRequest of the provisioning plan, confirm that its value is the manager's distinguished name (of the form CN=Jane Doe,OU=Users,DC=example,DC=com) rather than a display name or sAMAccountName.

Issue: Test connection error for TLS

Test connection for the Active Directory source fails when TLS is on.

Resolution: Ensure that the correct certificate for the Active Directory domain controller has been imported into the VA certificates folder (IdentityNow). Verify that it is the right certificate before placing it on the VA:

Using an LDAP browser, connect to the domain controller on port 636 with that certificate. If the SSL connection succeeds, the certificate belongs to the correct domain and can be imported into the certificate folder on the VA server.
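
As an alternative to an LDAP browser, the following PowerShell script is an added example, not from the SailPoint article, that opens a TLS connection to the DC on port 636, prints the fields worth checking on the certificate it presents, and writes the certificate out in Base64 (PEM) form. The DC name and output path are placeholders; check the VA documentation for the file extension the certificates folder expects.

```powershell
# Added example (not from the SailPoint article): fetch the certificate a domain
# controller presents on LDAPS, show the fields to check, and save it in Base64 (PEM)
# form for the VA certificates folder. The DC name is a placeholder.
$dc   = 'dc1.example.com'
$port = 636
$out  = Join-Path $env:TEMP "$dc-ldaps.cer"

$client = New-Object System.Net.Sockets.TcpClient($dc, $port)
try {
    # Accept whatever certificate the server sends: the point is to inspect it, not to trust it yet.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($dc)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# Before importing: the Subject or SAN must cover the DC name used in the source
# definition, the certificate must be within its validity period, and the issuer
# should be your own (AD CS or other internal) CA.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
$now    = Get-Date
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    SAN        = $san
    Thumbprint = $cert.Thumbprint
    Valid      = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
}

# Base64 DER with PEM armour.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.Export('Cert'), [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $out -Value $pem -Encoding Ascii
"Saved $out"
```

The validation callback accepts any certificate deliberately, because the script is fetching the certificate you are about to trust; compare the thumbprint it prints with the one the AD team expects before copying the file to the VA.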

IQService

This section lists the FAQs and troubleshooting points that are specific to IQService:

IQService FAQ

Q: What do the various errors received from IQService mean?

A: The following error can occur during a password change or when provisioning a new account:

"Errors returned from IQService. Error occurred while setting password for the account. Exception has been thrown by the target of an invocation. One or more input parameters are invalid."

To correct this error:

  1. Verify that the password policy in IdentityIQ is compatible with the one enforced by Active Directory. When setting or changing a password from IdentityIQ, this error occurs if the password IdentityIQ passes to Active Directory does not meet Active Directory's policy.

  2. The user value may be wrongly specified in DN form, for example CN=user1,OU=User,DC=domain,DC=local.

    Check the description of the user attribute in the Configuring Domain Settings section of the Active Directory Connector documentation. The user attribute must meet the documented requirement:
    "User of the domain in “Domain\User” format with appropriate rights required to read and provision."

    When you configure an Active Directory application in IdentityIQ, provide the administrator and user details in DOMAIN\USER format as shown below:

    [Image: domain settings showing the user in DOMAIN\USER format]

  3. Check the Windows event logs. If the failure is caused by a Schannel error, enable TLS for the Active Directory application.

Q: Where should the IQService be installed?

A: IQService can be installed on any Windows server that can reach both the Active Directory servers and the IdentityIQ servers over the network.

Q: What does this error mean: Provisioning Errors from IQService: Error occurred while XXXX for the account. The server is not operational.?

A: During provisioning operations, IQService binds to domain controllers differently than LDAP aggregation does. Verify the following to correct this error:

  1. The domain controller named in the application is reachable from the IQService host.
  2. The application's test connection succeeds. The test connection confirms both the LDAP connection and the connection from IdentityIQ to the IQService host and port.
  3. Are Active Directory and the IdentityIQ application configured to communicate over SSL?
    1. If yes, the SSL certificate must be installed on the IQService host machine. See IQService architecture - Network ports and Firewalls for more details.

Q: After upgrading, provisioning and aggregation operations from IdentityIQ, IQService stopped working. What is the problem?

A: The Active Directory connector has functionality in the IdentityIQ server and the IQService. Both versions of the software must match exactly. 

Q: Can one IQService be used to process requests from multiple applications of the same or different types?

A: Yes. IQService is a lightweight, stateless bridge between Java and the Win32/.NET APIs, used only when the managed system does not provide a Java client API. Because it is stateless, the same IQService instance can serve multiple applications of the same or different types.

Q: Can multiple IQService instances run on a single host?

A: Yes, multiple IQService instances can run on a single host, each listening on a different port and installed in its own directory.

Q: Does IQService support failover?

A: No. IdentityIQ's generic provisioning retry mechanism allows recovery from a temporary failure in those cases.

  • Because IQService is stateless, you can install multiple instances. However, the mechanism that routes requests from the IdentityIQ servers to the next available IQService instance (for example a load balancer) must be implemented outside IdentityIQ.

For more information about IQService and redundancy, see: Redundancy for IQService Agents and Synchronizing Encryption Keys

Q: When is the "Utils.dll not found" error for IQService displayed?

A: Windows marks files downloaded from the Internet, including IQService.zip, as "blocked", and when a blocked zip file is extracted its contents can remain blocked, so IQService cannot load Utils.dll. Unblock the zip file before extracting it: open the file's Properties dialog and, on the General tab, click Unblock. The same Unblock button appears for other file types, so it can also be applied to Utils.dll if the files are already extracted.

Example of a "blocked" zip file:

[Image: Properties dialog of a blocked zip file showing the Unblock button]

If the files are already in place, you can use a tool such as the Windows Sysinternals "Streams" program to unblock them en masse: Streams

For example, if IQService was extracted from a blocked zip file to C:\IQService, run streams.exe -s -d C:\IQService to delete all alternate data streams below that directory, which effectively "unblocks" every file.

Q: What is the difference between IQService and the service account?

A: IQService is the component used for provisioning operations, server-less binding, aggregation of Terminal Services and Skype/Lync attributes, and for running before/after scripts.

Two different accounts are involved. The service account defined in the IdentityIQ application, which the connector passes to IQService, is used for provisioning operations, aggregation of Terminal Services/Skype attributes, and server-less binding.

The account configured as the IQService Log On account in Windows Services is used for the following:

  • Before/after scripts that use PowerShell: the PowerShell session is opened under the IQService Log On account's credentials.
  • Managing Exchange Server: this account must be a member of the Recipient Management role group. Managing Microsoft Skype for Business Server users: it must be a member of the RTCUniversalServerAdmins and CSAdministrator domain groups. In both cases the account must also be a member of the local Administrators group on the system running IQService.

Q: Why do I receive the following error message in the IQService logs?

A: The following error message is logged by IQService when something other than IdentityIQ connects to the IQService port, such as a port scanner or a load-balancer health check, and sends data that is not a valid IQService request:

IQService: Error is logged in IQservice logs :System.FormatException: Input string was not in a correct format.

IQService Troubleshooting

Issue: Unable to find/load the Microsoft.Exchange.ManagedLexRuntime.MPPGRuntime.dll file

The following error appears while creating a mailbox for an AD user on Exchange 2013:

"Could not load file or assembly 'Microsoft.Exchange.ManagedLexRuntime.MPPGRuntime,Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified"

Resolution: Check whether the Microsoft.Exchange.ManagedLexRuntime.MPPGRuntime.dll file is present in the following (default) location:

C:\Program Files\Microsoft\Exchange Server\V15\Bin\microsoft.exchange.managedlexruntime.mppgruntime.dll

If it is not present, upgrade to Exchange Server 2013 Cumulative Update 13 or later.

Issue: IQService fails after upgrading .NET from version 4.0 to 4.5.2

After upgrading IdentityIQ and upgrading .NET from version 4.0 to 4.5.2, IQService fails when provisioning an Active Directory account with Exchange.

Resolution: Install .NET version 4.0 and perform the provisioning again.

Issue: An error appears after upgrading IQService, when connecting to IQService during a test connection

The following error message appears during Test Connection where IQService 7.2 or later is installed:

System.Exception: Decryption error, possible public key mismatch.System.Security.Cryptography.CryptographicException: Error occurred while decoding OAEP padding

OAEP decoding fails when a ciphertext is decrypted with the wrong RSA private key, so the error means the key pair that IdentityIQ and IQService exchanged earlier no longer matches on both sides.

Resolution: Reset the key exchange as follows:

  1. Open the application's debug page, select Configuration and delete the 'IQServiceRPCConfiguration' entry.
  2. The IQService Public Key Exchange Task writes a key container with a random file name under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. To find it, open a command prompt in that directory and run:
    findstr /C:"IQService Transmission Keys" *
    (Without /C:, findstr treats each word as a separate search string.) Back up the matching file(s), then delete them.
  3. The same task generates IQServiceConfig.dat in the directory containing IQService.exe. Back up that file, then delete it.
  4. Delete all registry entries associated with the previous version of IQService.
  5. Install IQService following the installation steps.
  6. Enable logging:
    IQService -l 3
  7. Start IQService.
  8. Run the IQService Public Key Exchange Task.
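
Steps 2 and 3 of this reset, scripted: the following PowerShell is an added example, not from the SailPoint article, that locates the key container and IQServiceConfig.dat, copies both to a timestamped backup folder and only then deletes them. The IQService directory is a placeholder, and the script assumes the IQService service has been stopped first.

```powershell
# Added example (not from the SailPoint article): steps 2 and 3 of the reset, scripted so
# that every file is copied to a timestamped backup folder before it is deleted.
# $iqServiceDir is a placeholder for the folder that contains IQService.exe; stop the
# IQService service before running this.
$iqServiceDir = 'C:\IQService'
$machineKeys  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$backupDir    = Join-Path $env:TEMP ('IQServiceKeyBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# The key container written by the Public Key Exchange task contains this literal phrase.
# -SimpleMatch matches it as a whole string, the equivalent of findstr /C:"...".
$keyFiles = Get-ChildItem -Path $machineKeys -File |
    Select-String -Pattern 'IQService Transmission Keys' -SimpleMatch -List |
    Select-Object -ExpandProperty Path -Unique

$configFile = Join-Path $iqServiceDir 'IQServiceConfig.dat'
$targets = @($keyFiles | Where-Object { $_ })          # empty array when nothing matched
if (Test-Path -Path $configFile) { $targets += $configFile }

if ($targets.Count -eq 0) {
    'Nothing to reset: no IQService key container or IQServiceConfig.dat found.'
}
foreach ($file in $targets) {
    Copy-Item -Path $file -Destination $backupDir
    Remove-Item -Path $file -Force
    "Backed up and removed: $file"
}
"Backup folder: $backupDir"
```

The backup folder holds private key material for the IdentityIQ-to-IQService channel; delete it once the new key exchange has been confirmed working.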

Issue: IQService Public Key Exchange Task fails with an error message

When more than one Active Directory application is configured in the same IQService Public Key Exchange Task, the task fails with the following error message:

Error establishing a session with the IQService on [xxx.xxx.xxx.xxx]. The public/private keys may be out of sync. This server DOES NOT have a registered public/private key for this host. sailpoint.tools.GeneralException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

Resolution: Add only one application to each IQService Public Key Exchange Task. If a load balancer fronts several IQService instances, copy the RSA key and the IQServiceConfig.dat file from the IQService instance that handled the key exchange to the other instances behind the same load balancer. These files contain private key material, so copy them over a protected channel and keep their file permissions restricted to the IQService account and administrators.

Issue: By default, some PowerShell scripts do not run on the IQService host

The IQService host must have a PowerShell execution policy that permits the connector's PowerShell scripts to run. If the policy is not set, or is set to a restrictive value such as AllSigned, the connector PowerShell scripts are not executed, and IQService does not report an error when a PowerShell script fails.

Resolution: Set the PowerShell execution policy on the host manually:

  1. Open PowerShell with administrative rights and run the following command:
    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted
  2. Answer Yes at the confirmation prompt.

Unrestricted is the broadest setting. If your hardening baseline does not allow it, RemoteSigned (which runs local scripts but requires a signature on scripts that carry the Internet zone mark) is worth testing first, provided the connector script files have been unblocked. A policy applied through Group Policy overrides this local setting.
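
The following PowerShell is an added example, not from the SailPoint article, that lists the policy at every scope first, because a policy pushed by Group Policy silently overrides the command above. It applies RemoteSigned rather than the article's Unrestricted as the first thing to try; that choice is the example's, not the connector documentation's.

```powershell
# Added example (not from the SailPoint article): inspect the execution policy at every
# scope before changing it, because a policy pushed by Group Policy (MachinePolicy or
# UserPolicy) overrides Set-ExecutionPolicy -Scope LocalMachine and makes the command in
# the resolution appear to do nothing.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize

$enforced = $policies | Where-Object {
    ($_.Scope -in 'MachinePolicy', 'UserPolicy') -and ($_.ExecutionPolicy -ne 'Undefined')
}

if ($enforced) {
    Write-Warning ("Execution policy is enforced by Group Policy at scope " +
        ($enforced.Scope -join ', ') + "; change it in the GPO, not locally.")
} else {
    # RemoteSigned runs local scripts (once unblocked) and is tighter than Unrestricted;
    # fall back to Unrestricted only if the connector's scripts fail under RemoteSigned.
    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force
    "Effective policy for this host: $(Get-ExecutionPolicy)"
}
```

Because IQService swallows script failures, test a before/after script by hand under the IQService Log On account after changing the policy rather than relying on the service log.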

Issue: The After Provisioning Rule does not work after upgrading to a new version of IQService

Resolution: Ensure that IQService.zip and the extracted .dll and .exe files of IQService are unblocked (see the Utils.dll question in the IQService FAQ above).
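
For this issue and for the "Utils.dll not found" question in the IQService FAQ above, the following PowerShell is an added example, not from the SailPoint article, that does what streams.exe -s -d does using only built-in cmdlets: it lists every file under the IQService directory that still carries the Zone.Identifier stream, removes the stream, and verifies the result. The directory and the Windows service name are placeholders for your installation.

```powershell
# Added example (not from the SailPoint article): PowerShell's built-in equivalent of
# 'streams.exe -s -d', applied to the IQService directory. The path and the service name
# are placeholders for your installation.
$root        = 'C:\IQService'
$serviceName = 'IQService'

function Get-BlockedFile {
    param([string]$Path)
    # A file is "blocked" when it carries the Zone.Identifier alternate data stream.
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }
}

$blocked = @(Get-BlockedFile -Path $root)
"Blocked files under ${root}: $($blocked.Count)"
$blocked | ForEach-Object { "  $($_.FullName)" }

if ($blocked.Count -gt 0) {
    # Unblock-File removes the Zone.Identifier stream. Stop the service first so no DLL is locked.
    Stop-Service -Name $serviceName -ErrorAction SilentlyContinue
    $blocked | Unblock-File
}

$remaining = @(Get-BlockedFile -Path $root)
if ($remaining.Count -gt 0) {
    Write-Warning "Still blocked: $($remaining.FullName -join ', ')"
} else {
    'No blocked files remain.'
    Start-Service -Name $serviceName -ErrorAction SilentlyContinue
}
```

Running Unblock-File on IQService.zip before extracting it avoids the problem altogether, since the extracted files then never inherit the zone mark.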

Issue: Error returned from IQService: "The given path's format is not supported"

The following error message is displayed when performing IQService operations:

The given path's format is not supported

Resolution: Ensure that the tracefile registry value of IQService does not contain an extra double quote at the beginning or end of the path string.

Issue: Test connection fails when IQService runs over TLS and is configured with a service account context

The following error message appears in the IQService logs when running a test connection:

An Exception Occurred while accepting new client request  :System.ComponentModel.Win32Exception (0x80004005): The credentials supplied to the package were not recognized.

This is the Schannel error raised when the account IQService logs on as cannot read the private key of the certificate IQService uses for TLS.

Resolution: Grant that account access to the private key:

  1. Open the Certificate Manager: press Windows+R and enter certmgr.msc. Note that certmgr.msc opens the current user's store; if the IQService certificate is in the Local Computer store, use certlm.msc instead.
  2. Go to Personal > Certificates.
  3. Select the IQService host certificate, right-click it and choose All Tasks > Manage Private Keys.
  4. Add the IQService service account. Read permission is sufficient for the service to use the key; Full Control is not required.
  5. Click Apply and then OK.
  6. Restart IQService.
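
The same change without the GUI, as an added example that is not part of the SailPoint article: the following PowerShell finds the certificate by thumbprint in the Local Computer store, locates its private key file under %ProgramData%\Microsoft\Crypto, and grants the service account Read access. The thumbprint, account name and Windows service name are placeholders.

```powershell
# Added example (not from the SailPoint article): grant the IQService Log On account
# Read access to the private key of the TLS certificate without the GUI. The thumbprint
# and account are placeholders; the service name is assumed to be IQService.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$account    = 'CORP\svc-iqservice'

# IQService runs as a service, so its certificate normally lives in the computer store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }

# Find the on-disk key container. CAPI keys expose a container name, CNG keys a unique
# name; both are file names somewhere under %ProgramData%\Microsoft\Crypto.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $rsa.Key.UniqueName
}
$keyFile = Get-ChildItem -Path (Join-Path $env:ProgramData 'Microsoft\Crypto') -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found" }

# Read is all the service needs to use the key for TLS; do not grant Full Control.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the resulting entry, then restart the service so it reloads the certificate.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights -AutoSize
Restart-Service -Name IQService
```

If the certificate was created with a non-RSA key, GetRSAPrivateKey returns nothing and the script stops; the Manage Private Keys dialog in the steps above works for any key type.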

 

Comments

Part of the article is outdated.  The correct information is in the Getting Started Guide: https://community.sailpoint.com/t5/Connectors/Active-Directory-Getting-Started-Guide/ta-p/74663#toc-...

So, on the same host there is support for separate IQService ports and installs including separate windows registry keys, etc.
https://community.sailpoint.com/t5/Connectors/IdentityIQ-7-2-Connector-Enhancements/ta-p/76878#toc-h...

If you create an account with a random password, who receives the password for this user account?

Is it possible that the question "What Exchange operations does the connector/source support OOTB?" https://community.sailpoint.com/t5/Connector-Directory/Active-Directory-Connector-FAQ-and-Troublesho... contains an error:

Should "Disable Mailbox of a user (uses Enable-Mailbox cmdlet). To achieve this, the plan should have mailNickname attribute with no value." be replaced with "Disable Mailbox of a user (uses Disable-Mailbox cmdlet). To achieve this, the plan should have mailNickname attribute with no value."?

From what I can tell, provisioning mailNickname with an empty string ("") disables the mailbox.

I have concerns over this implementation. If your IIQ hosts reside outside of your domain, i.e. Linux hosts, having both the IIQ hosts and the IQService both having keys to the AD kingdom is overkill, unnecessary, a security concern.

If IIQ hosts need read/provision permissions and the IQService host needs similar or the same permissions, combine these two. It makes no sense to create two security holes when only one is needed.

Also opening up GC and LDAP ports from IIQ hosts to every domain is another big security hole. This should also be handled with IQService only: simpler configuration, more secure communications, and a compromise in IIQ limits impact.

The IQ host should do all talking to the domain for provisioning and aggregations, and since this host is managed by the DC, all DC to IQ communication is under DC GPO control.

IIQ should only communicate with a restricted read-only service account for TLS communications only.

This may work for college campuses with small directories and DC counts, but with dozens and dozens of DCs the requirement to open all these ports (3268,3269,389,626) to every domain controller is unmanageable. Moving this all to the IQService host eliminates all of this management. This is handled through GP policy, domain membership and domain firewall policies.

Version history: revision 43 of 43, last updated May 12, 2022 10:37 AM.