AD account aggregation failed

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

Hello Experts,

I am working on AD account aggregation and it is failing with the below error. Can you please help me fix this issue or suggest something?

Exception during aggregation of Cn=xxx,ou=xxx etc , Reason : failed to find the connection settings for the dc=xxxx, dc=com

Thanks

@niket345

In your AD Application, it looks like the Domain Configuration is missing for this domain; please recheck once.

I have checked that the Domain Configuration is there in the Application. I noticed that only 2 groups are failing out of 236. Any suggestions?

Hi @niket345,

Looks like the domain connection is missing; at the same time, your filter might be missing the entire DN of your object in the domain Cn=xxx,ou=xxx. Try using the full DN in the filter: Cn=xxx,ou=xxx,dc=xxxx, dc=com or ou=xxx,dc=xxxx, dc=com.

In addition, make sure the service account you are using has the read account and group permission on the domain.

If it still fails after these configurations, try it without the IQService config and test.

@gbagari Okay. Also, can you please confirm whether the service account has access to read the groups on the domain individually or can access all the groups? I checked that only 2 groups failed and the other 234 groups are configured correctly in SailPoint.

@niket345 The service account should have permission to read the groups in the filtered group OU you have configured if your organisation has restricted access. Otherwise, the service account will have top-level (full domain) access to read the groups.

Looks like in your case you might not have configured a filter on groups to read from a specific OU, or these groups might have explicit permissions to read.

Check with your domain team to get the configuration: a service account with Domain Admin permission will have permission to read all accounts and groups.

@gbagari Yes, I checked that we have given all the filters in the group DN and are facing the same issue. Also, these two groups come under the top domain. Does the service account need permission to access those 2 groups if it has access to other groups in the same top domain?

@niket345
Did any patch upgrade happen on your environment?

@iamksatish I believe yes, teammates applied the patches to the environment.

@niket345

Most probably you are running into the same issue as in the thread below:

AD Group Aggregation: Failed to find connection settings for… - Compass (sailpoint.com)

Try to apply the below, mentioned in the thread:

Since the domain that this is failing on is in the same forest as our main domain, I have found that creating a second Domain Configuration entry in the connector config for the “other” domain allows the group in question to be pulled in to the entitlements with no errors. Since I didn’t add that other domain to the group search scope, it doesn’t pull in all groups from the other domain
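A way to check the quoted suggestion against your own data, as an added example that is not part of the thread or of SailPoint's code: it takes exported group or member DNs and lists those whose domain (the trailing DC= components) has no Domain Configuration entry. The sample DNs and domain names are constructed, and matching an object to an entry by exact domain DN is an assumption about how the connector selects connection settings.

```python
import re
from collections import defaultdict

# Split a DN on commas that are not backslash-escaped (RFC 4514 style).
_RDN_SPLIT = re.compile(r'(?<!\\),')

def domain_dn(dn):
    """Return the normalized domain part of a DN: its trailing DC= components."""
    rdns = [r.strip() for r in _RDN_SPLIT.split(dn) if r.strip()]
    dcs = []
    for rdn in reversed(rdns):
        attr, _, value = rdn.partition('=')
        if attr.strip().lower() != 'dc':
            break  # reached the first non-DC component (OU=, CN=, ...)
        dcs.append('DC=' + value.strip().lower())
    return ','.join(reversed(dcs))

def unconfigured_domains(object_dns, configured_domain_dns):
    """Group object DNs by domain for every domain with no configured entry."""
    configured = {domain_dn(d) for d in configured_domain_dns}
    missing = defaultdict(list)
    for dn in object_dns:
        dom = domain_dn(dn)
        # Exact match only: a parent or sibling domain in the same forest
        # counts as a different domain (assumption stated in the lead-in).
        if dom not in configured:
            missing[dom].append(dn)
    return dict(missing)

# Constructed sample: one configured domain, four exported DNs.
SAMPLE_CONFIGURED = ["DC=corp,DC=example,DC=com"]
SAMPLE_DNS = [
    "CN=App Users,OU=Groups,DC=corp,DC=example,DC=com",
    "CN=Smith\\, Jo,OU=Staff, dc=corp, dc=example, dc=com",
    "CN=Forest Admins,CN=Users,DC=example,DC=com",
    "CN=Shared Ops,OU=Groups,DC=emea,DC=example,DC=com",
]

if __name__ == "__main__":
    for dom, dns in unconfigured_domains(SAMPLE_DNS, SAMPLE_CONFIGURED).items():
        print(f"no Domain Configuration entry for {dom}:")
        for dn in dns:
            print(f"  {dn}")
```

Feed it the DNs of the failing groups and of their members; any domain it reports is a candidate for the extra Domain Configuration entry described in the quote.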

@niket345 Do you have the previous version of the AD Application? Check the difference that was added during the 8.4 upgrade.

If it’s working in 8.3, then it should not be a permission issue with the service account.

I tried all the things. Also, I am worried about adding an additional domain configuration, as that group comes under the same TOP domain.

@niket345 Check if it’s this issue: During aggregation, cross-domain group memberships of a user are not aggregated.

Check the doc below, which has details.

Active Directory Connector - FAQ and troubleshooting - Compass (sailpoint.com)

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.