AD After Create Connector Rule not executed

Hi everyone,

We have an issue with one of our “After Create” connector rules in the Active Directory source.

Since the 25th, the execution was fine, but after that, no sign of any execution in the logs.

We have TLS enabled with a self-signed certificate and the connection with AD itself works fine.

The rule is correctly configured in the source configuration and it has been unchanged for 2 years.

We have been waiting for a month now for a resolution, but nothing so far; any ideas?

Thanks in advance :slight_smile:

2 Likes

Please check whether any non-TLS ports are still enabled; if yes, delete/disable them:

IQService.exe -p 0

IQService.exe -p -1

2 Likes

Please check the version of the current IQService, and if it is May2025, then it does not support non-TLS connections. Please refer here: New Capability: Integration Service (IQService-May-2025) is now LIVE!

Since you have already enabled TLS, follow the link to disable the non-TLS communication in the existing configuration.

1 Like

Hi, and thanks for the reply. All non-TLS ports have been fully removed from the configuration.

IQService version is up to date.

Hello @antonioantonelli1306,

Can you check the below?

  1. Whether the name of the native rule is correctly configured on the AD source in the ISC tenant.
  2. If it's correct, check whether the loggers are being generated for your After Create.
  3. Also, check the IQService loggers.
  4. Check whether IQService is running under the required service account using the “Service” window.
  5. Restart the IQService.
  6. Try to remove the non-TLS port, restart the IQService and check again.

Hi, thanks for your input.

All these steps have already been executed with SailPoint Customer Support, so yes:

  • Rule name is correctly configured in the source configuration
  • Logs in the after create are NOT being generated
  • IQService logs show a WARN message saying “Exit code : 1 :”
  • IQService is installed as a service and is correctly running
  • We have restarted IQService multiple times, even resorting to a Windows reboot
  • All non-TLS ports are not in the configuration anymore since the meeting we had with SailPoint

Ok!

Is the log file still open anywhere, in any session, on the IQService box?

Also, have you added the -Force option while generating the log file on the IQService machine?

I would also recommend putting a few sleeps before and after calling the standalone PowerShell script which your After Create rule would be executing.

Regards,

Rohit Wekhande.

I would suggest checking a few more options:

  1. Exit Code:1 occurs mostly due to code syntax. Execute the PS script using a standalone PS command on the server and see whether it throws any error. If not, validate the connector rule by checking the syntax and un-escaping characters in it.
  2. Make sure to set the “run as” account for the IQService using an svc account which has admin permission instead of just the “logged on” user in Windows Services.
  3. Make sure the above account which runs the IQService has the required permission to create directories and log files.
  4. Check whether the Utils.dll file is blocked by right-clicking on the Utils.dll file in the IQService folder and going to Properties. You may see a checkbox to Unblock it if it is blocked. Click on the checkbox and Apply the changes.
  5. Verify the PS execution policy, which may be blocking the script execution.
  6. Check for recent changes at the infra level, like the firewall, which could also block the script execution.

1 Like

Ok, so

  • PS execution of the script on the Windows machine works flawlessly
  • The account running the IQService is Administrator and is an SVC
  • Same as above
  • Utils.dll was something we checked in the beginning since we had issues with another deployment, and no it’s not locked
  • Execution policy is RemotelySigned, but it is the same as Sandbox, but in there the script works
  • We are checking with infra :slight_smile:

1 Like

Any idea on what infra should check?

I can’t give exact details on it; usually something is updated in the firewall rules, or the PS execution policy might be overridden by other rules. Since you are saying the scripts (connector rule and PS scripts) are flawless on execution and the same scripts are running in sandbox, I assume it is mostly an infra-level issue.

Hello,

Just to inform everyone, the issue was resolved with SailPoint this morning.

We had a meeting where we changed the user running the IQService, from “Services” on Windows, to the Admin user.

After that we copied the script from the API, re-escaped it using Free Online JSON Escape / Unescape Tool - FreeFormatter.com, and re-uploaded it as a rule using the API.

So if anyone is facing a similar issue, just change the user running the service and double check the escapes on the rule.
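
The re-escaping step from the resolution above can also be done and verified locally, without a web tool. The following is an added example, not part of the original thread and not SailPoint tooling; the sample script, its log path and the function names are constructed for illustration.

```python
import json

# Constructed sample: a small PowerShell script containing characters that
# must be escaped inside a JSON string (quotes, backslashes, newlines, tab).
SAMPLE_SCRIPT = (
    '$logFile = "C:\\IQService\\Logs\\AfterCreate.log"\n'
    'Add-Content -Path $logFile -Value "User created:\t$($env:USERNAME)"\n'
)


def escape_script(script: str) -> str:
    """Return the script as a JSON string literal, including the quotes."""
    return json.dumps(script, ensure_ascii=False)


def unescape_script(literal: str) -> str:
    """Decode a JSON string literal back to script text; raises on bad escapes."""
    value = json.loads(literal)
    if not isinstance(value, str):
        raise ValueError("not a JSON string literal")
    return value


def check_escaping(original: str, literal: str) -> str:
    """Classify an escaped rule body against the script it should contain."""
    try:
        decoded = unescape_script(literal)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return f"invalid: {exc}"
    if decoded == original:
        return "ok"
    # Escaped twice: decoding once still leaves a JSON string literal.
    try:
        if unescape_script(decoded) == original:
            return "double-escaped"
    except ValueError:
        pass
    return "mismatch"


if __name__ == "__main__":
    literal = escape_script(SAMPLE_SCRIPT)
    print(literal)
    print(check_escaping(SAMPLE_SCRIPT, literal))
```

Running `check_escaping` against the rule body copied from the API, with the script that works standalone on the server as `original`, shows whether the stored rule still decodes to that script.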
