This document lists the FAQs and troubleshooting points for resolving the common errors encountered while setting up the Active Directory application/source, including IQService and Password Interceptor.
The FAQs and troubleshooting points are categorized as follows in this document:
The following table provides the list of FAQs for IdentityIQ, IdentityNow, and those common to IdentityIQ/IdentityNow:
A: The Active Directory Connector/Source uses the following default filter for account aggregation when the value for Iterate Search Filter in Account Search Scope is not provided: (sAMAccountType=805306368)
A: To aggregate users depending on the requirements, users can use the following values for searchScope:
A: The IQService is required to read certain Active Directory attributes from a user's entry and for all provisioning operations.
If you are not looking for any of the above, you do not need IQService. In this case, leave the IQService Host and Port fields blank when defining the application. Specifying incorrect values for these fields will cause the test connection of the Connector/Source to fail.
A: The following is the list of PowerShell cmdlets used by the Active Directory Connector/Source:
NOTE: For IdentityNow, the source user used for provisioning on Exchange Server must be remote shell enabled. To enable remote shell for a user, set the RemotePowerShellEnabled parameter to $True with the Set-User cmdlet. For example: Set-User UserName -RemotePowerShellEnabled $True
A: The following attributes can be passed in the update provisioning plan to rename or move a user object in the directory.
For more information on this and other special provisioning (like remote desktop services) attributes see: AD Provisioning Tidbits
NOTE: javax.naming.ldap.Rdn.escapeValue() can be used to properly escape LDAP cn or distinguishedName values that contain commas. For example, Rdn.escapeValue("Smith, John") returns Smith\, John, which can then be used when building the distinguishedName.
A: The provisioning field for pwdLastSet in Active Directory has a friendly name of "Change password at next logon" in the default provisioning policy for account creation.
For more detail on how pwdLastSet works with IQService and IdentityIQ/IdentityNow, see: Using pwdLastSet with IQService.
A: Extra Exchange attributes can be added to the Active Directory provisioning policies to be used in cmdlets.
A: For exchange server operations, ensure that:
A: The connector/source supports managing Microsoft Exchange 2007, 2010 and 2013. Older versions of Exchange use a different integration mechanism and hence are not supported via the connector/source. For the complete list of the latest supported versions, refer to the following documents:
A: To manage the Exchange, you need to have the following:
A: The connector/source supports the following Exchange operations:
A: You can assign more granular permissions using the following procedure:
A: Every time a user authenticates to a Windows Domain Controller, their lastLogon attribute is updated with the last logon date/time in the integer8 format. Prior to Windows Server 2003, administrators had to query the lastLogon attribute on every domain controller in the domain to determine the most recent logon of a user or computer account. This process was time consuming, as the lastLogon attribute is NOT replicated.
Windows Server 2003 Active Directory introduced the lastLogonTimestamp attribute, which is in the same format as lastLogon but is replicated every 14 days, so all DCs have the same value for the attribute. ms-DS-Logon-Time-Sync-Interval is an attribute of the domain NC and controls the granularity (in days) with which lastLogonTimestamp is updated; the default value is 14. The intended purpose of lastLogonTimestamp is to help identify inactive computer and user accounts; it is not designed to provide real-time logon information.
References:
Last Logon Attributes:
Converting to a Java Date Format:
Both attributes are returned from Active Directory in the integer8 format (e.g. 130057437626726073), i.e. the number of 100-nanosecond intervals since 1 January 1601 UTC. A customization rule can be used to convert the value to a Java date during aggregation.
Here is an example rule script to do this:
import java.util.Date;

// integer8 counts 100-nanosecond ticks since 1601-01-01 UTC, while java.util.Date
// counts milliseconds since 1970-01-01 UTC: divide by 10000 to get milliseconds,
// then subtract the 11644473600000 ms between the two epochs.
// A value of 0 (or no value) means the account has never logged on, so it is left as is.
String rawValue = (String) object.getAttribute("lastLogonTimestamp");
if (rawValue != null && !"0".equals(rawValue)) {
    long ticks = Long.parseLong(rawValue);
    Date lastLogon = new Date(ticks / 10000L - 11644473600000L);
    object.setAttribute("lastLogonTimestamp", lastLogon.toString());
}
return object;
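The same integer8 conversion carried through to the attribute's stated purpose, identifying inactive accounts while allowing for the 14-day lastLogonTimestamp update granularity. This is an added Python example, not code from the article or from SailPoint; the account names and timestamp values are constructed (the first timestamp is the one quoted above), and the function names are chosen here.

```python
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_SYNC_INTERVAL_DAYS = 14  # default ms-DS-Logon-Time-Sync-Interval


def integer8_to_datetime(value):
    """Convert an integer8 value (100-ns ticks since 1601-01-01 UTC, as Active
    Directory returns lastLogon / lastLogonTimestamp) to an aware UTC datetime.
    Returns None for a missing, empty or zero value, which means 'never logged on'."""
    if value is None:
        return None
    text = str(value).strip()
    if text in ("", "0"):
        return None
    ticks = int(text)
    if ticks < 0:
        raise ValueError("integer8 logon timestamps are never negative: %r" % value)
    # 10 ticks per microsecond; timedelta keeps full microsecond precision.
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def to_java_epoch_millis(value):
    """The arithmetic used by the customization rule above: milliseconds since
    1970-01-01 UTC, the number java.util.Date expects. None for 'never logged on'."""
    if integer8_to_datetime(value) is None:
        return None
    return int(str(value).strip()) // 10_000 - 11_644_473_600_000


def is_inactive(last_logon_ts, now, inactive_days,
                sync_interval_days=DEFAULT_SYNC_INTERVAL_DAYS):
    """True when the account has not logged on for more than inactive_days.
    The stored lastLogonTimestamp may lag the real last logon by up to
    sync_interval_days, so the value must be older than
    inactive_days + sync_interval_days before the account is flagged.
    Accounts with no value at all have never logged on and are flagged."""
    last = integer8_to_datetime(last_logon_ts)
    if last is None:
        return True
    return now - last > timedelta(days=inactive_days + sync_interval_days)


def inactive_accounts(entries, now, inactive_days):
    """entries: iterable of (sAMAccountName, lastLogonTimestamp) pairs as they
    come back from aggregation. Returns the sorted names to flag as inactive."""
    return sorted(name for name, ts in entries if is_inactive(ts, now, inactive_days))


# Constructed sample data (not real accounts).
SAMPLE_ENTRIES = [
    ("jdoe", "130057437626726073"),      # 2013-02-19 10:36:02 UTC
    ("svc-backup", "0"),                 # never logged on
    ("asmith", "130140000000000000"),    # 2013-05-26 00:00:00 UTC
]
AS_OF = datetime(2013, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, ts in SAMPLE_ENTRIES:
        print(name, integer8_to_datetime(ts), to_java_epoch_millis(ts))
    print("inactive > 60 days:", inactive_accounts(SAMPLE_ENTRIES, AS_OF, 60))
    print("inactive > 90 days:", inactive_accounts(SAMPLE_ENTRIES, AS_OF, 90))
```

With a 90-day threshold jdoe is not flagged: the stored value is about 101 days old, which is within the 14-day lag the attribute's granularity allows.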
The following table provides the list of troubleshooting points for IdentityIQ, IdentityNow, and those common to IdentityIQ/IdentityNow:
By default, pass-through authentication searches the entire DN. In some cases this can lead to referrals, which in turn can lead to errors or long delays during login.
Resolution:
Save the application definition.
In this case, it is assumed that Global Catalog details are configured under the forest settings:
<entry key="gcServer" value="ForestA:3268"/>
When pass-through authentication is configured using the Global Catalog configuration, not all attributes of an account are returned from Active Directory, since the Global Catalog port returns only a partial set of attributes. Because of this, the correlation rule (if configured) fails to correlate the account to the identity.
Per Microsoft guidelines, to preserve bandwidth and the size of the Active Directory database (known as NTDS.DIT) on each Global Catalog, only certain attributes have been selected by default to replicate to each Global Catalog.
Resolution: There are two possible solutions to this issue:
Remove the Global Catalog details from Forest Settings.
Per Microsoft guidelines, there is a provision for adding the required attributes to the Global Catalog database. For more information, see:
https://technet.microsoft.com/en-us/library/cc759007(v=ws.10).aspx
NOTE: Index the attribute on the Global Catalog to avoid a performance impact.
NOTE: For multi-domain forests, this solution will work (per MSDN documentation) if you add the required attribute into the partial attribute lists.
When Exchange is installed in a forest with multiple domains, mail-enabling an existing universal security group may fail with the following error:
The operation could not be performed because object '<object name>' could not be found on <domain name>
Resolution: If Exchange is deployed in a forest environment, then the configuration below is required on the Exchange server so that the scope of the search can be set to the entire forest.
Follow these steps:
Create mailbox fails with the following error message:
Unable to find <domain controller host/IP> computer information in domain controller <domain controller host/IP> to perform the suitability check. Verify the fully qualified domain name
Resolution: This error is related to a DNS configuration issue. If the Domain Controller is given as an IP address in the IdentityIQ application configuration / Source configuration, add a mapping of the fully qualified domain name (FQDN) to that IP in the hosts file, then reference the FQDN in the IdentityIQ application configuration / Source configuration instead.
The Active Directory Connector/Source is designed to aggregate and provision user and entitlement data from Microsoft Active Directory environments. The following materials are designed to help you with your deployment of this connector/source and answer planning questions.
Use the IdentityIQ Forums / IdentityNow Forums to ask additional questions about this connector/source. These forums are monitored by SailPoint Connector/Source subject matter experts.
Account aggregation does not resolve primaryGroupMembership for an account and retrieves only non-primaryGroupMembership.
Resolution: Add the following schema attribute into application configuration:
<AttributeDefinition name="primaryGroupID" type="string">
<Description>RID of users primary group</Description>
</AttributeDefinition>
<AttributeDefinition name="primaryGroupDN" type="string">
<Description>DN of users primary group</Description>
</AttributeDefinition>
Add the following entry in the respective searchDNs map, to define search scope for the primary group:
<entry key="primaryGroupSearchDN" value="DC=DevQA,DC=xyz,DC=local"/>
Resolution: To avoid referrals during account aggregation, perform the following:
POST <url>/api/source/update/<sourceID>
Where:
In the body of the POST, set form-data values as follows:
For more information about the other controls, see https://msdn.microsoft.com/en-us/library/cc223320.aspx
Resolution: To fetch the cross domain group memberships information, the Group Membership Search DN field must have cross domain details.
Resolution: The service account of the domain to which the FSP memberships belong must have Read memberOf permission. Perform the following to assign Read memberOf permission on the FSP OU:
Account Aggregation fails with the following error message:
LDAP: error code 12 - 00000057: LdapErr: DSID-0C090AFA, comment: Error processing control error in Active Directory full account aggregation.
Resolution: Perform the following steps in the application configuration XML file:
Where:
<url> is the URL for the customer's IdentityNow instance
<sourceID> is the Source ID (number) obtained through the UI
In the body of the POST, set form-data values as follows:
If the above steps do not resolve the issue and the account aggregation returns a large result set (more than 3 lakh, i.e. 300,000, accounts), then enable information-level events for LDAP Interface Events as follows:
Open the Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics path and change the entry value of 16 LDAP Interface to 2.
NOTE: Since this is a registry change, perform it in a lower environment first, with caution.
Refer to the following link:
https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic...
Run account aggregation and search for event ids 2898 and 2899 in Directory Service events logs on Active Directory Server. For more information, see https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-ldap-server-cookies-are-ha...
If any event id (2898 or 2899) is viewed in event logs, then perform the following steps:
Open ntdsutil.exe with administrator privilege.
At the ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
At the LDAP policy command prompt, type connections, and then press ENTER.
At the server connection command prompt, type connect to server <DNS name of server>, and then press ENTER to connect to the server that you are currently working with.
For example, server connection: connect to server “susdomain.local”
At the server connection command prompt, type q, and then press ENTER to return to the previous menu.
At the LDAP policy command prompt, type Show Values, and then press ENTER.
A display of the policies as they exist appears.
At the LDAP policy command prompt, execute the following command as per the event id:
For event id 2899:
Set MaxResultSetSize to 393216000
For event id: 2898
Set MaxResultSetsPerConn to 25
Commit Changes
When you finish, type q, and then press ENTER.
NOTE: Since this changes a default Active Directory parameter, perform it in a lower environment first, with caution.
For more information, see https://support.microsoft.com/en-in/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-...
Delta aggregation fails with the following error:
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0909F1, comment: Error processing control, data 0, v2580; remaining name 'dc=XX,dc=XXX,dc=XXX'
Resolution: Add the Replicating Directory Changes permission to the service account, or add the service account to a security group that has the Replicating Directory Changes permission.
Resolution: To aggregate the AcceptMessagesOnlyFrom attribute values, add the attribute as 'authOrig' in the Active Directory application's account schema.
The creation of an Active Directory account can fail with the following exception when the sAMAccountName provided for the account does not match the policy required by Microsoft:
A device attached to the system is not functioning
Resolution: When providing sAMAccountName:
User receives the following error during Exchange Provisioning:
Errors returned from IQService: Connecting to remote server <<Exchange HostName>> failed with the following error message: The WinRM client cannot process the request. Basic Authentication is currently disabled in the client configuration. Change the client configuration and try the request again.
Resolution: Perform the following:
If the above steps do not resolve the error, perform the following on Exchange Server:
Resolution: IQService always executes the after-provisioning rule, irrespective of the result of the provisioning operation.
Provisioning operations fail with the following error message:
The server is unwilling to process the request
This is a generic error returned by the Active Directory managed system while performing provisioning operations. It occurs when a required (mandatory) attribute is not passed in the provisioning plan, or its value is empty or improper.
For example, if the Domain Controller has a password policy configured and a user is created without a password field in the provisioning plan, the above error message is displayed.
Resolution: To analyze the issue for passed values,
Create account fails with the following error message:
System.DirectoryServices.DirectoryServicesCOMException (0x8007001F): A device attached to the system is not functioning
Resolution: Perform the following:
1. Ensure that the sAMAccountName is less than 20 characters.
2. Verify if the DC is out of disk space.
When setting a global catalog for SSL the following error message appears:
"Failed to discover domains. <somehostname>:3269; socket closed"
Resolution: This can be resolved by setting the following in the application XML, as described above:
<entry key="useSSLForGC" value="true"/>
User gets the following error when logging in to IdentityIQ or IdentityNow:
Your admin requires you to reset your password (passwords expired)
Resolution: Users may see this error from managed system in these situations:
Create New Account or Set Password operation fails with the following error message:
Error occurred while setting password for the account. Exception has been thrown by the target of an invocation. One or more input parameters are invalid.
The above issue is observed for following versions of Microsoft Windows Servers:
Resolution: Ensure that the following Local Security Policy is set to Not Defined, or, if it is enabled, ensure that it contains the service account configured on the Active Directory application:
Network access: Restrict clients allowed to make remote calls to SAM
The above Local Security Policy can be found under Local Computer Policy ==> Computer Configuration ==> Windows Settings ==> Security Settings ==> Local Policies ==> Security Options
Unable to move users from one OU to another OU in the same domain.
Resolution: Perform the following:
Active Directory Password change fails with the following error message:
Caught exception in bind for server
Resolution: Verify that the service account used in the application has the required permissions, as described in the Active Directory Connector Guide for your version.
The service account did not have read permission for the userAccountControl attribute on the managed system, which prevents the correct accountFlags from being set on the identity.
Resolution: Contact the Active Directory administrator to grant the service account read permission on userAccountControl for both active and inactive users.
Resolution: On the IQService machine, check what kind of user is being used. If the user used is any domain user, then change the IQService "Log On" user to "Local Account".
Resolution: Change the lifetime period of the old password by adding a DWORD entry called OldPasswordAllowedPeriod to the following registry subkey on a domain controller: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
To do this, complete the following:
Resolution: Depending on your environment, open iiq.sh or iiq.bat file and enter the following entry:
set JAVA_OPTS=-Xms128m -Xmx256m -Dsun.lang.ClassLoader.allowArraySyntax=true -Djavax.net.ssl.trustStore=<keystorefile> -Djavax.net.ssl.trustStorePassword=<password>
For example,
set JAVA_OPTS=-Xms128m -Xmx256m -Dsun.lang.ClassLoader.allowArraySyntax=true -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.8.0_162\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword="changeit"
When Active Directory is configured as a passthrough authentication application and a root DN is added in the list with few specified OUs in the Search DNs, the Forgot Password link on the login page throws a Multiple Matches error.
Resolution: Remove the root DN from the search DNs, or remove the other configured OUs from the search DNs, as the root DN itself already contains all the listed OUs.
NOTE: This issue occurs when there are multiple matches for the requested user: one entry found under the specified OUs, and another found under the root DN search DN.
In this scenario, it is assumed that Full Group/Account Aggregation is run with Detect Deleted Options set to true.
When aggregation is run with the <entry key="useHasMoreElements" value="false"/>, exceptions will stop the process without deleting any accounts/groups. However, when <entry key="useHasMoreElements" value="true"/> is used, exceptions may not appear nor stop the process, and the aggregator will proceed as if the aggregation has completed successfully; after this, it starts deleting the accounts/groups.
Exceptions sometimes occur during aggregation in the following situations:
Some reasons for PartialResultException may be:
Resolution: Perform the following:
NOTE: Use of allowPartialResultException may lead to data loss.
When groups are members of each other, forming a cyclic relation, this is termed a cyclic group hierarchy. For example:
The cyclic links between the groups are resolved during group aggregation. If the group hierarchy is very deep, aggregation performance can be impacted.
Resolution: From the debug page, add the following option to the TaskDefinition of the task that triggers the aggregation.
<entry key="noGroupCycleDetection" value="True"/>
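A constructed cyclic group hierarchy and the bookkeeping that lets a membership walk terminate on it, as an added Python example (not the connector's own code; the group DNs are made up). It shows why the cycle detection exists: without a visited set, the walk over the cycle never ends.

```python
from collections import deque

# memberOf relation: each group -> the groups it is directly a member of (its parents).
# App-Users -> Dept-IT -> All-Staff -> App-Users forms the cycle.
MEMBER_OF = {
    "CN=App-Users,OU=Groups,DC=example,DC=com": ["CN=Dept-IT,OU=Groups,DC=example,DC=com"],
    "CN=Dept-IT,OU=Groups,DC=example,DC=com": ["CN=All-Staff,OU=Groups,DC=example,DC=com"],
    "CN=All-Staff,OU=Groups,DC=example,DC=com": ["CN=App-Users,OU=Groups,DC=example,DC=com"],
    "CN=Auditors,OU=Groups,DC=example,DC=com": ["CN=All-Staff,OU=Groups,DC=example,DC=com"],
    "CN=Guests,OU=Groups,DC=example,DC=com": ["CN=Contractors,OU=Groups,DC=example,DC=com"],
    "CN=Contractors,OU=Groups,DC=example,DC=com": [],
}


def parent_groups(group, member_of=MEMBER_OF):
    """All groups `group` belongs to, directly or through nesting.
    The `seen` set is the cycle detection: a group already expanded is never
    queued again, so a cyclic hierarchy is walked exactly once."""
    seen = set()
    queue = deque(member_of.get(group, []))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(member_of.get(g, []))
    return seen


def groups_on_cycles(member_of=MEMBER_OF):
    """Groups that are (indirectly) members of themselves, i.e. sit on a cycle."""
    return {g for g in member_of if g in parent_groups(g, member_of)}


def expansion_steps_without_detection(group, member_of=MEMBER_OF, limit=10_000):
    """Edges a walk that records nothing would traverse before giving up at `limit`.
    On an acyclic path it stops by itself; on a cycle it always reaches `limit`."""
    steps = 0
    stack = list(member_of.get(group, []))
    while stack and steps < limit:
        g = stack.pop()
        steps += 1
        stack.extend(member_of.get(g, []))
    return steps


if __name__ == "__main__":
    for g in MEMBER_OF:
        print(g.split(",")[0], "->", sorted(p.split(",")[0] for p in parent_groups(g)))
    print("on a cycle:", sorted(x.split(",")[0] for x in groups_on_cycles()))
    print("steps without detection, Guests:",
          expansion_steps_without_detection("CN=Guests,OU=Groups,DC=example,DC=com"))
    print("steps without detection, Auditors:",
          expansion_steps_without_detection("CN=Auditors,OU=Groups,DC=example,DC=com"))
```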
For example, in the case of transfers or terminations involving an OU change, the accounts are removed from the 'Manage Accounts' page.
Resolution: For any account that has been moved or renamed in Active Directory since the last aggregation, ensure that the change is aggregated before performing any provisioning operation on the account.
Create Provisioning Request displays the following error message:
Account created but some attributes are not updated properly
This message indicates that the account was created successfully on the managed system, but some of the attributes that are part of the provisioning plan and of the schema were not updated properly.
Resolution: Verify the detailed attribute level result that displays what has failed and mentions the necessary steps to be performed.
Parent groups (ones that do not meet the LDAP filter criteria) are promoted as entitlements in the entitlement catalog.
Example:
Resolution: Remove memberOf from the Group Hierarchy Attribute textbox in the Active Directory application's group schema. After this, parent groups will no longer be promoted as entitlements during the next group aggregation when only the child groups match the filter criteria. All groups that satisfy the filter criteria will still be aggregated in IdentityIQ.
The following error message appears during Active Directory account delta aggregation:
LDAP: error code 1 - 000020E6: SvcErr: DSID-03140488, problem 5012 (DIR_ERROR), data 2]; remaining name 'DC=xxx,DC=xxx,DC=xxx'
Resolution: Set the value of the deltaIterationMode attribute to DirSync in the Active Directory application configuration and run the delta aggregation.
During account aggregation, some of the memberships associated with an account are not displayed. This issue occurs when several Search DN entries have the same Search DN and Iterate Search Filter values for accounts but define their own Group Membership Search DN and Group Member Filter String values.
In such cases, the connector fetches memberships only from the first user search scope; memberships from the second user search scope are ignored.
Resolution: SailPoint recommends merging the search scopes into a single entry (where the Search DN and Iterate Search Filter values are the same), with the Group Membership Search DN values separated by a semicolon ( ; ) and the Group Member Filter Strings combined with the LDAP ' | ' (OR) operator.
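The merge described above, as an added Python example (not SailPoint's code): several scope entries that share a Search DN and Iterate Search Filter are combined into the single entry the resolution calls for, and entries with a different user scope are refused. The dict keys and the sample DNs and filters are constructed labels, not the connector's configuration keys.

```python
def merge_search_scopes(scopes):
    """scopes: list of dicts with keys 'searchDN', 'iterateSearchFilter',
    'groupMembershipSearchDN' and 'groupMemberFilterString'.
    Returns one merged dict. Raises ValueError when the user scopes differ,
    because only entries with the same DN and filter can be merged this way."""
    if not scopes:
        raise ValueError("nothing to merge")
    first = scopes[0]
    for s in scopes[1:]:
        if (s["searchDN"].lower() != first["searchDN"].lower()
                or s["iterateSearchFilter"] != first["iterateSearchFilter"]):
            raise ValueError("Search DN or Iterate Search Filter differ; keep these entries separate")

    # Group Membership Search DNs: ';'-separated, duplicates dropped, order preserved.
    dns = []
    for s in scopes:
        for dn in s["groupMembershipSearchDN"].split(";"):
            dn = dn.strip()
            if dn and dn.lower() not in [d.lower() for d in dns]:
                dns.append(dn)

    # Group Member Filter Strings: OR-ed with the LDAP '|' operator.
    filters = []
    for s in scopes:
        f = s["groupMemberFilterString"].strip()
        if f and f not in filters:
            filters.append(f)
    if not filters:
        merged_filter = ""
    elif len(filters) == 1:
        merged_filter = filters[0]
    else:
        merged_filter = "(|" + "".join(filters) + ")"

    return {
        "searchDN": first["searchDN"],
        "iterateSearchFilter": first["iterateSearchFilter"],
        "groupMembershipSearchDN": ";".join(dns),
        "groupMemberFilterString": merged_filter,
    }


# Constructed sample: two entries for the same user scope but different group scopes,
# the situation in which only the first entry's memberships were being fetched.
SAMPLE_SCOPES = [
    {"searchDN": "OU=Users,DC=example,DC=com",
     "iterateSearchFilter": "(sAMAccountType=805306368)",
     "groupMembershipSearchDN": "OU=AppGroups,DC=example,DC=com",
     "groupMemberFilterString": "(objectClass=group)"},
    {"searchDN": "OU=Users,DC=example,DC=com",
     "iterateSearchFilter": "(sAMAccountType=805306368)",
     "groupMembershipSearchDN": "OU=DeptGroups,DC=example,DC=com",
     "groupMemberFilterString": "(&(objectClass=group)(groupType=-2147483646))"},
]

if __name__ == "__main__":
    for key, value in merge_search_scopes(SAMPLE_SCOPES).items():
        print(key, "=", value)
```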
Account aggregation fails with the following error message:
java.lang.RuntimeException: java.rmi.NoSuchObjectException: no such object in table at sailpoint.connector.DistributedCacheReplicator.isReady(DistributedCacheReplicator.java:xxx)
The error message appears when Active Directory application has enableCache=true and multiple task servers are configured.
Resolution: Set the value of enableCache to false in the application configuration. To use the cache functionality instead, ensure that the cacheRmiPort and cacheRemoteObjectPort ports are open. The port details can be verified in the application configuration XML file; the defaults are 40001 and 40002 respectively.
Delta aggregation fails with the following error message:
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0909F1, comment: Error processing control, data 0, v2580; remaining name 'dc=XX,dc=XXX,dc=XXX'
Resolution: Add the Replicating Directory Changes permission for the domain to the service account explicitly, or add the service account to a security group that has the Replicating Directory Changes permission.
In IdentityIQ version 7.2, the default search filter for user accounts was changed from (&(objectClass=User)(objectCategory=Person)) to (sAMAccountType=805306368), based on the article published at the following link:
This caused trust domain users not to be aggregated, as the sAMAccountType of trust domain users is 805306370 (0x30000002, SAM_TRUST_ACCOUNT) and therefore does not match the new filter.
Resolution: On IdentityIQ version 7.2 or later applications, use the following as the Iterate Search Filter in the application.xml file:
(&(objectClass=User)(objectCategory=Person))
This aggregates the trust domain users as well.
Resolution: Domain controller server entries (IP or FQDNs) must be passed individually in Servers field under Domain Configuration section of Active Directory application.
The corresponding servers map must be as follows:
<entry key="servers">
<value>
<List>
<String>dc1.example.com</String>
<String>dc2.example.com</String>
<String>dc3.example.com</String>
</List>
</value>
</entry>
When user objects are restored from the recycle bin configured in IdentityIQ, the following error message appears:
Errors returned from IQService. Error occurred connecting to remote host:Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
Resolution: Add the IQService host to the WinRM trusted hosts list using the following command (the example uses *, which trusts every host; to trust only the IQService host, pass its host name to -Value instead):
Set-Item wsman:localhost\client\trustedhosts -Value *
Resolution: Ensure that the following steps are performed:
Resolution: Strong authentication (SASL) is supported only on Apache Tomcat and WebLogic application servers.
Entitlements are present in Entitlement Catalog, but are missing for user in Identity Warehouse under Application Accounts.
Resolution: Run the Refresh Identity Cube task with the Refresh Identity Entitlements for all links option enabled.
The following invalid cache configuration error is displayed:
sailpoint.connector.ConnectorException: Invalid Cache Configuration :Expected Free Disk Space to be minimum 2GB
Resolution: When caching is enabled, ensure that the disk space where IdentityIQ Server is hosted is greater than 2GB.
The Create Account operation fails with the following error when the create account plan has a manager attribute whose value is not in DN format:
Errors returned from IQService. Failed to update attributes. There is no such object on the server.
Although the account is created in Active Directory, a few attributes are not set.
Resolution: If the manager attribute is present in the AccountRequest of the provisioning plan, confirm that its value is the distinguished name of the manager rather than a name string.
Test connection for the Active Directory source fails when TLS is on.
Resolution: In the case of IdentityNow, ensure that the correct Active Directory DC certificate has been imported into the VA certificates folder. Verify that it is a valid certificate before putting it on the VA:
Perform a test connection on port 636 with the intended certificate in an LDAP browser. If the SSL connection succeeds, the certificate is from the correct domain and you can import it into the certificate folder on the VA server.
This section lists the following FAQs and troubleshooting points that are specific to IQService:
A: The following error can occur during a change password or when provisioning a new account.
"Errors returned from IQService. Error occurred while setting password for the account. Exception has been thrown by the target of an invocation. One or more input parameters are invalid."
To correct this error:
A: IQService can be installed on any Windows server that is reachable over the network by both the Active Directory servers and the IdentityIQ servers.
A: During provisioning operations the IQService binds to domain controllers differently than the LDAP aggregation. Verify the following to correct this error:
A: The Active Directory connector has functionality in the IdentityIQ server and the IQService. Both versions of the software must match exactly.
A: Yes. IQService is an extremely lightweight, stateless bridge between Java and the Win32/.NET APIs. It is used only when the managed system does not provide client/server Java APIs. Because of its stateless nature, the same instance of IQService can serve multiple applications of the same or different types.
A: Yes, multiple instances of IQService can run on a single host, listening on different ports. Each IQService requires a separate installation directory.
A: No. The IdentityIQ server provides a generic provisioning retry mechanism in those use cases that will allow for recovery of a temporary failure.
For more information about IQService and redundancy, see: Redundancy for IQService Agents and Synchronizing Encryption Keys
A: When the IQService.zip file is downloaded, all of its executable content may have execution restricted. When a "blocked" zip file is unzipped, its contents may remain in a "blocked" state. Unblock the zip file (before unzipping it) by opening the file's Properties dialog box and, on the General tab, clicking the Unblock button. The Unblock button appears in the same way for other file types (for example, Utils.dll if already extracted).
Example shown here of a "blocked" zip file:
If you already have the files in place, you can use a tool like the Windows Sysinternals "Streams" program to unblock en masse: Streams
For example, if IQService was unzipped from a blocked zip file to C:\IQService, you could run streams.exe -s -d c:\IQService to delete all stream data and effectively "unblock" all files.
A: IQService is used for provisioning operations, server-less binding, aggregation (terminal services attributes/Skype attributes) and for the before/after scripts.
The service account defined in the IdentityIQ application that connects to IQService, is used for provisioning operations, aggregation (terminal services attributes/Skype attributes), and server-less binding.
However, the service account defined for the IQService Log On as account in Windows, is used for the following:
A: The following error message is displayed in the IQService logs when IQService is accessed from a source other than IdentityIQ:
IQService: Error is logged in IQservice logs :System.FormatException: Input string was not in a correct format.
User gets the following error while creating the mailbox for AD user on Exchange 2013:
"Could not load file or assembly 'Microsoft.Exchange.ManagedLexRuntime.MPPGRuntime,Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified"
Resolution: To resolve this issue, verify if the Microsoft.Exchange.ManagedLexRuntime.MPPGRuntime.dll file is present in the following location (default) or not:
C:\Program Files\Microsoft\Exchange Server\V15\Bin\microsoft.exchange.managedlexruntime.mppgruntime.dll
If it is not present, upgrade to Exchange Server 2013 Cumulative Update 13 or a later Cumulative Update.
After upgrading IdentityIQ and upgrading .NET from version 4.0 to 4.5.2, IQService fails when provisioning an Active Directory account with Exchange.
Resolution: Install .NET version 4.0 and perform provisioning.
The following error message appears during Test Connection where IQService (7.2 or later) is installed.
System.Exception: Decryption error, possible public key mismatch.System.Security.Cryptography.CryptographicException: Error occurred while decoding OAEP padding
Resolution: Perform the following:
When more than one Active Directory applications are configured in the same IQService Public Key Exchange Task, IQService Public Key Exchange Task fails with the following error message:
Error establishing a session with the IQService on [xxx.xxx.xxx.xxx]. The public/private keys may be out of sync. This server DOES NOT have a registered public/private key for this host. sailpoint.tools.GeneralException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Resolution: Add only one application to the IQService Public Key Exchange Task. If the customer is using a load balancer, the RSA key and .dat file must be copied from the IQService that handled the key exchange request to the other IQService instances behind the same load balancer.
The IQService host machine must have a script execution policy set that permits the execution of the connector PowerShell scripts. If this policy is not set, or is restrictive (such as AllSigned), the connector PowerShell scripts will not be executed. IQService does not report any error when a PowerShell script fails.
Resolution: Set the PowerShell Execution Policy on host machine manually as follows:
Resolution: Ensure that the properties of IQService.zip file, .dlls and .exe files of IQService are un-blocked.
Following error message is displayed when performing IQService operations:
The given path's format is not supported
Resolution: Ensure that the tracefile registry key of IQService does not contain an extra double quote at the beginning or end of the key string.
The following error message appears in IQService logs when running a connection test:
An Exception Occurred while accepting new client request :System.ComponentModel.Win32Exception (0x80004005): The credentials supplied to the package were not recognized.
Resolution: Complete the following:
Part of the article is outdated. The correct information is in the Getting Started Guide: https://community.sailpoint.com/t5/Connectors/Active-Directory-Getting-Started-Guide/ta-p/74663#toc-...
So, on the same host there is support for separate IQService ports and installs, including separate Windows registry keys, etc.
https://community.sailpoint.com/t5/Connectors/IdentityIQ-7-2-Connector-Enhancements/ta-p/76878#toc-h...
If you create an account with a random password, who receives the password for this user account?
Is it possible that the question "What Exchange operations does the connector/source support OOTB?" https://community.sailpoint.com/t5/Connector-Directory/Active-Directory-Connector-FAQ-and-Troublesho... contains an error:
Should "Disable Mailbox of a user (uses Enable-Mailbox cmdlet). To achieve this, the plan should have mailNickname attribute with no value." be replaced with "Disable Mailbox of a user (uses Disable-Mailbox cmdlet). To achieve this, the plan should have mailNickname attribute with no value."?
From what I can tell, provisioning mailNickname with an empty string ("") disables the mailbox.
I have concerns over this implementation. If your IIQ hosts reside outside of your domain, i.e. Linux hosts, having both the IIQ hosts and the IQService holding keys to the AD kingdom is overkill, unnecessary, and a security concern.
If IIQ hosts need read/provision permissions and the IQService host needs similar or the same permissions, combine these two. It makes no sense to create two security holes when only one is needed.
Also, opening up GC and LDAP ports from IIQ hosts to every domain is another big security hole. This should also be handled with IQService only: simpler configuration, more secure communications, and a compromise in IIQ limits impact.
The IQ host should do all talking to the domain for provisioning and aggregations, and since this host is managed by the DC, all DC to IQ communication is under DC GPO control.
IIQ should only communicate with a restricted read-only service account, for TLS communications only.
This may work with college campuses with small directories and DC counts, but with dozens and dozens of DCs, the requirement to open all these ports (3268, 3269, 389, 626) to every domain controller is unmanageable. Moving this all to the IQService host eliminates all of this management. This is handled through GP policy, domain membership and domain firewall policies.