Account Creation Success but Attribute Update Failure in AD: "The attribute syntax specified to the directory service is invalid"

Unable to notify, no email address for: spadmin

Account created but failed to modify : Failed to update attributes for identity CN=sikhar.tambe,OU=IAM Joiner,OU=ActiveUsers,OU=ABC Corporate Users,DC=ABCD,DC=EGV,DC=AB. The attribute syntax specified to the directory service is invalid.

Account created but some attributes are not updated properly.
I am getting an error during provisioning.

Hi @Viraj The error message seems self-explanatory. What investigations have you done?

Hi @viraj257 Could you please share the error message you’re encountering?

If you can share the provisioning plan for the provisioning request, it would be easy to check which attributes may have failed provisioning due to invalid attribute syntax/value.
The request details from the identity request object shown under My Work → Access Requests will also contain details about which attributes were successfully updated and which failed, which may help find the main issue.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Identity;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

Identity identity = context.getObjectByName(Identity.class, identityName);
String id = identity.getName();
ProvisioningPlan plan = new ProvisioningPlan();

// Values collected by the workflow form
String enddateStr = workflow.getString("endDate");
String mobileNumber = workflow.getString("mobileNumber");
String firstname = workflow.getString("firstname");
String lastname = workflow.getString("lastname");

// Convert endDate to Windows FileTime
Long windowsFileTime = null;
try {
    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
    sdf.setTimeZone(TimeZone.getTimeZone("UTC")); // Ensure no timezone skew
    Date endDate = sdf.parse(enddateStr);
    long millisSince1970 = endDate.getTime();
    // Windows FileTime = (milliseconds since 1970 + offset to 1601) * 10,000
    windowsFileTime = (millisSince1970 + 11644473600000L) * 10000L;
    log.error("Converted endDate to Windows FileTime: " + windowsFileTime);
} catch (Exception e) {
    log.error("Failed to convert endDate: " + e);
    windowsFileTime = 0L;  // Use 0 for "never expire" if conversion fails
}

// AD Account Creation
AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication("Active Directory - PHC");
accountRequest.setOperation(AccountRequest.Operation.Create);
accountRequest.setNativeIdentity("CN=" + id + ",OU=ABC Joiner,OU=ActiveUsers,OU=ABC Corporate Users,DC=ABC,DC=GOV,DC=AA");

//accountRequest.add(new AttributeRequest("sn", ProvisioningPlan.Operation.Set, lastname));
//accountRequest.add(new AttributeRequest("givenName", ProvisioningPlan.Operation.Set, firstname));
accountRequest.add(new AttributeRequest("cn", ProvisioningPlan.Operation.Set, id));
accountRequest.add(new AttributeRequest("sAMAccountName", ProvisioningPlan.Operation.Set, id));
accountRequest.add(new AttributeRequest("accountExpires", ProvisioningPlan.Operation.Set, windowsFileTime));
accountRequest.add(new AttributeRequest("mobile", ProvisioningPlan.Operation.Set, mobileNumber));

plan.add(accountRequest);
plan.setIdentity(identity);

log.error("Provisioning plan built successfully for: " + identityName);
log.error("Final plan XML: " + plan.toXml());

return plan;

Please check some threads:

Provisioning Active directory account (Account Creation) using a rule - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Also, why are sn and givenName commented out in your code? Have you checked with them enabled?

Did you check the IQService logs? Would it be possible to provide these logs?

Hi @Viraj, following up on @pravin_ranjan: sn is a mandatory attribute in AD, so you might need to uncomment it.

We started getting this same error when creating Active Directory accounts. Accounts were creating fine before 7/16/2025, but new accounts are not getting the following attributes updated: mail, mailNickname, userPrincipalName, proxyAddresses

Wondering if the “Bulk Attribute Synch” issue (https://status.sailpoint.com/incidents/dqnvcg3kw8jl) was causing this issue too?

@Viraj are you still experiencing this issue? Our new AD accounts still run into this error, and we have opened a ticket with support.


Initially there were 4 attributes failing for our new AD accounts: mail, mailNickname, userPrincipalName and proxyAddresses. Looking in the logs we found that the create account provisioning plan is adding a comma after the SMTP address we were trying to add to proxyAddresses. The comma is not in the Create Account field, and appears to have started on 7/16.

We temporarily removed proxyAddresses from our create account provisioning plan. Today we were able to create an AD account without any issues without the proxyAddress attribute.
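
A pre-flight check for the two value problems that come up in this thread (the endDate to FILETIME conversion and the trailing comma found in proxyAddresses), as an added example that is not part of any post and is not SailPoint's code. The class name, the plain attribute map standing in for a plan's AttributeRequests, the SMTP-only pattern and the sample values are assumptions.

```java
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class AdPlanPreflight {
    // Milliseconds between 1601-01-01 and 1970-01-01 (same offset as the rule above).
    static final long EPOCH_OFFSET_MS = 11644473600000L;
    // Assumption: only SMTP entries are expected, shaped "smtp:user@domain" with nothing after.
    static final Pattern PROXY = Pattern.compile("(?i)^smtp:[^\\s,;@]+@[^\\s,;@]+$");

    // yyyy-MM-dd at UTC midnight -> 100-ns intervals since 1601. Throws on bad input
    // instead of falling back to 0, so a typo cannot create a never-expiring account.
    static long toFileTime(String isoDate) {
        long ms = LocalDate.parse(isoDate).atStartOfDay(ZoneOffset.UTC).toInstant().toEpochMilli();
        return (ms + EPOCH_OFFSET_MS) * 10000L;
    }

    // Returns one finding per value that does not have the expected shape.
    static List<String> check(Map<String, Object> attrs) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            Object v = e.getValue();
            List<?> values = (v instanceof List) ? (List<?>) v : Collections.singletonList(v);
            for (Object item : values) {
                String s = (item == null) ? "" : item.toString();
                if (s.isEmpty() || !s.equals(s.trim())) {
                    findings.add(e.getKey() + ": empty or padded value [" + s + "]");
                } else if (e.getKey().equals("proxyAddresses") && !PROXY.matcher(s).matches()) {
                    findings.add(e.getKey() + ": malformed entry [" + s + "]");
                } else if (e.getKey().equals("accountExpires") && !s.matches("\\d{1,19}")) {
                    findings.add(e.getKey() + ": not a FILETIME integer [" + s + "]");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new LinkedHashMap<>();  // constructed sample values
        attrs.put("sAMAccountName", "jdoe");
        attrs.put("accountExpires", toFileTime("2025-12-31"));
        attrs.put("proxyAddresses", List.of("SMTP:jdoe@example.com,"));  // trailing comma
        attrs.put("mobile", "");
        check(attrs).forEach(System.out::println);
    }
}
```

Logging the findings before the plan is submitted makes the offending attribute visible without waiting for the directory to reject the modify.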
