Overview:
On the evening of June 16, SailPoint failed to provision Active Directory (AD) accounts for four newly hired users. The failures were split into two distinct error types:
- Two users encountered the following error:
“Unable to generate a unique value for ‘User1’, action UniqueAccountIdValidator[…] is not retry-able due to InterruptedException: Timeout waiting for response to message […] after 30 seconds.”
- Two other users encountered this error:
“Failed to connect to IQService. Please check TLS configuration for IQService: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.”
Things to Note:
• Several dozen other users provisioned successfully during the same batch.
• Manual reprocessing of the four failed identities succeeded immediately.
• One SailPoint Virtual Appliance (VA) was down due to a missing root certificate, and the other was pending an upgrade at the time of the failures.
• The TLS-related error was resolved the next day by installing the required root certificate on the affected VA.
Our Analysis (And Questions):
• The UniqueAccountIdValidator timeout error occurs when SailPoint attempts to validate that a new account’s nativeIdentity (e.g., CN or sAMAccountName) is unique in the target system—Active Directory in this case. I assume, based on the error given, this validation step requires a timely response from the AD connector via the VA. If the VA is unresponsive or overloaded, the validator times out and the provisioning step is marked as non-retryable, requiring manual intervention.
- Is this behavior consistent with known SailPoint provisioning patterns where infrastructure latency or connector unavailability can cause failures that are not automatically retried?
- Has anyone heard of or experienced something similar?
• The TLS certificate error (PKIX path building failed) directly points to a missing or untrusted root certificate on the VA. This prevented secure communication with IQService, which is required for provisioning AD accounts. Once the certificate was installed, the issue was resolved.
Evidence:
User 1 and 2 Error:
“Failed to connect to IQService. Please check TLS configuration for IQService: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”
This error is related to our VA01 not having the root CA installed at the time.
User 3 and 4 Error:
“Unable to generate a unique value for ‘User 3’, action UniqueAccountIdValidator[nativeIdentity=CN=User 3s Name,OU=_New Users,OU=Users,OU=OAC,DC=corp,DC=theoceanac,DC=com,app=Corp.theoceanac.com AD] is not retry-able due to InterruptedException: Timeout waiting for response to message 0 from client ad4b2439-7733-49e1-9e03-a672efda54fe after 30 seconds.”
While an easy solution was found in simply reprocessing the identities, I want to know if this is simply related to the state of the Virtual Appliances at the time, or if it’s something I should worry about happening with future new hires. We tend to hire in large batches and catching these occurrences may prove difficult.
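As an added example (not part of the original post and not SailPoint code), here is a small triage script that classifies provisioning result messages using the two error signatures quoted above, so a large new-hire batch can be swept for these failures without reading every result. The sample batch, names, DN and client id are constructed placeholders.

```python
import re
from collections import Counter, namedtuple

# Signatures derived from the two error messages quoted in the post.
TLS_TRUST_RE = re.compile(r"Failed to connect to IQService.*?PKIX path building failed", re.S)
UNIQUE_ID_RE = re.compile(
    r"Unable to generate a unique value for [\"'\u2018](?P<identity>[^\"'\u2019]+)"
    r"[\"'\u2019].*?UniqueAccountIdValidator\[(?P<attrs>[^\]]*)\]"
    r".*?(?P<retry>is not retry-able|is retry-able)"
    r".*?Timeout waiting for response.*?after (?P<seconds>\d+) seconds", re.S)

# category: "tls_trust", "unique_id_timeout" or "other"; non_retryable is True only
# when the message itself says "not retry-able".
Failure = namedtuple("Failure", "identity category non_retryable detail")

def classify(identity, message):
    """Map one provisioning result to a Failure; None means the account was created."""
    if not message:
        return None
    if TLS_TRUST_RE.search(message):
        return Failure(identity, "tls_trust", False,
                       "IQService certificate chain not trusted by the VA (root CA missing)")
    m = UNIQUE_ID_RE.search(message)
    if m:
        native = re.search(r"nativeIdentity=(.*?),app=", m["attrs"])
        app = re.search(r"app=(.*)$", m["attrs"])
        return Failure(identity, "unique_id_timeout", m["retry"] == "is not retry-able",
                       f"validator timed out after {m['seconds']}s on "
                       f"{app.group(1) if app else 'unknown app'}; "
                       f"nativeIdentity={native.group(1) if native else 'n/a'}")
    return Failure(identity, "other", "not retry-able" in message, message[:120])

def triage(events):
    """events: (identity, message) pairs, message empty/None on success.
    Returns (failures, summary) with per-category counts and every identity to reprocess."""
    failures = [f for f in (classify(i, msg) for i, msg in events) if f]
    # Every failure goes on the reprocess list, as the post's four identities did.
    return failures, {"counts": dict(Counter(f.category for f in failures)),
                      "reprocess": [f.identity for f in failures]}

# Constructed sample batch: two TLS failures, two validator timeouts (one with a
# redacted DN, as in the post) and one success. All values are placeholders.
TLS_MSG = ("Failed to connect to IQService. Please check TLS configuration for IQService: PKIX path "
           "building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
           "unable to find valid certification path to requested target")
SAMPLE_EVENTS = [
    ("User1", TLS_MSG), ("User2", TLS_MSG), ("User5", None),
    ("User3", "Unable to generate a unique value for 'User3', action UniqueAccountIdValidator"
              "[nativeIdentity=CN=User Three,OU=_New Users,DC=example,DC=com,app=Example AD] is not "
              "retry-able due to InterruptedException: Timeout waiting for response to message 0 "
              "from client 00000000-0000-0000-0000-000000000000 after 30 seconds."),
    ("User4", "Unable to generate a unique value for \u2018User4\u2019, action UniqueAccountIdValidator"
              "[\u2026] is not retry-able due to InterruptedException: Timeout waiting for response "
              "to message [\u2026] after 30 seconds."),
]
```

Running `triage(SAMPLE_EVENTS)` on a real batch export would flag the two categories separately, so a missing root CA on a VA shows up as a cluster of `tls_trust` failures rather than as scattered provisioning errors.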