I am investigating an Active Directory provisioning error through IQService and would like to understand whether anyone has encountered this scenario before or has any recommended approach.
In my current flow, there is a script/rule that validates conflicts for sAMAccountName and userPrincipalName by checking existing accounts before creation. This part is intended to avoid login/UPN conflicts.
However, the AD object CN is built by another rule, which concatenates:
displayName
a unique identifier
Example:
displayName: Abid Hounchell da oliveira
Unique ID: ABID.623
Final CN: Abid Hounchell da oliveira - ABID.623
The error being returned is:
Exception occurred while executing the RPCRequest: Errors returned from IQService.
"The object already exists. The object already exists.
00000524: UpdErr: DSID-031A11FA, problem 6005 (ENTRY_EXISTS), data 0
00000524: UpdErr: DSID-031A11FA, problem 6005 (ENTRY_EXISTS), data 0.
HRESULT:[0x80071392]
For identity:
CN=Marina Costa Pereira - MCPR.417,OU=Colaboradores,OU=SP01,DC=empresa,DC=local"
Based on my analysis so far, this error seems to be more related to a CN/DN collision in AD than to a sAMAccountName or userPrincipalName conflict.
Another important point is that, after validation, this user does not actually exist in Active Directory. In addition, IQService is installed on a different server than the host mapped in the Source, which may also be influencing the provisioning behavior.
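The CN/DN collision the post suspects is not covered by a rule that only validates sAMAccountName and UPN; as an added illustration (not code from the thread or from SailPoint), this PowerShell snippet builds the same "displayName - uniqueId" CN and asks the directory whether that RDN already exists in the target OU before the create is sent. It assumes the ActiveDirectory module is loadable where the Before Create rule runs; the function and parameter names are hypothetical, and the OU is taken from the quoted error message.

```powershell
# Added example, not from the original thread: a pre-create check for the CN/DN
# collision the post describes. Assumes the ActiveDirectory module is loadable
# where the Before Create rule runs; all parameter names are hypothetical.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping so a display name cannot break or widen the LDAP filter
    return [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
}

function Test-CnExists([string] $Cn, [string] $SearchBase, [string] $Server) {
    # True if an object with this RDN already sits directly under $SearchBase.
    # -Server lets you ask the DC that IQService itself talks to, which matters
    # when the rule host and the Source's mapped host are different servers.
    $query = @{
        LDAPFilter  = "(cn=$(ConvertTo-LdapFilterValue $Cn))"
        SearchBase  = $SearchBase
        SearchScope = 'OneLevel'
        ErrorAction = 'Stop'
    }
    if ($Server) { $query.Server = $Server }
    return [bool](Get-ADObject @query)
}

function Get-UniqueCn([string] $DisplayName, [string] $UniqueId,
                      [string] $TargetOu, [string] $Server) {
    # Builds "<displayName> - <uniqueId>" exactly as the thread's rule does and
    # appends " (2)", " (3)", ... only when that CN is already taken in the OU.
    $baseCn = "$DisplayName - $UniqueId"
    $candidate = $baseCn
    $n = 1
    while (Test-CnExists -Cn $candidate -SearchBase $TargetOu -Server $Server) {
        $n++
        $candidate = "$baseCn ($n)"
    }
    return $candidate
}

# Usage with the post's sample values; the OU comes from the quoted error message.
$cn = Get-UniqueCn -DisplayName 'Abid Hounchell da oliveira' -UniqueId 'ABID.623' `
                   -TargetOu 'OU=Colaboradores,OU=SP01,DC=empresa,DC=local'
Write-Output "CN=$cn,OU=Colaboradores,OU=SP01,DC=empresa,DC=local"
```

If this check finds nothing and the create still fails with ENTRY_EXISTS, the remaining candidates are a write going to a different DC than the one queried, or a conflict on an attribute other than the CN.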
Hi @henriqueoliveira2026, it’s failing on sAMAccountName or UPN uniqueness. Your script/rule isn’t generating a unique value. Maybe share the config for those attribute values?
I implemented a before script on the Active Directory source that retrieves the sAMAccountName and validates the UPN against the Azure AD source via API, checking the upn attribute.
Currently, this process is working as expected: the script updates the value when needed and returns it to SailPoint successfully. However, despite this validation, I am still encountering a duplicate error, as shown in the image below.
Yes, I’m using the PowerShell rule Before Create; in this case, I’m not using the provisioning plan. What I find strange is that IQService indicates a duplicate object, but there’s nothing in Active Directory, and when I remove the rule, it works normally. I’ve noticed that this only happens with some accounts; for others, creation occurs normally.
My understanding is it’s not necessarily IQService generating the error, even though the message implies it. I’m not sure what you mean by not using the provisioning plan? I’m pretty confident the duplicate object error is caused by the non-unique sAMAccountName or UPN, because the unique DN is being used for the native identity.