Problem
When the IQ Service component used for AD provisioning was migrated from on-premise servers to the AWS cloud platform, the After Create Rule used for the mailbox creation process was FAILING with a "Timed Out" exception. As soon as we rolled the IQ Service configuration back to the on-premise server, the After Create Rule worked as expected.
Diagnosis
In the AD source configuration, the connection to the AD domain controller through IQ Service is configured on the following three pages:
- Forest Settings
- Domain Settings
- IQ Service Settings
In the customer setup, there were two domain controllers, named "DomainController1" and "DomainController2". Replication was enabled between the two domain controllers so that their data stays consistent without discrepancies.
On the Forest Settings and Domain Settings pages, the host details of "DomainController1" were configured in the SailPoint ISC UI. In the After Create Rule, a Get-ADUser command fetched the details of the newly created user, and the Primary SMTP Address was then built from them. The command was:
$user = Get-ADUser $dn -Server "DomainController2" | Select GivenName, Surname, samAccountName
When we migrated the IQ Service to the AWS cloud and completed all installations and configurations, we changed the IQ Service host details on the "IQ Service Settings" page of the Active Directory source and tested provisioning. The After Create Rule timed out and the mailbox creation FAILED. When we rolled back to the old IQ Service host, mailbox creation worked as expected with the same domain controller configuration.
After adding loggers to the After Create Rule and analysing the output, we found that when connecting from the AWS box there was a delay in fetching the data from "DomainController2", which caused the script to time out. When we executed the rule again after roughly 40 seconds, it worked as expected. The account had been created on "DomainController1" but was being read from "DomainController2", so the rule was waiting on internal replication between the two domain controllers, and from the AWS instance that wait exceeded the script timeout. Refer to the diagram below for a better understanding of the configuration setup.
Solution
In the SailPoint ISC configuration, the domain controller we were pointing to was "DomainController1". We had configured DomainController1 in:
- Forest Settings
- Domain Settings
Hence, we changed the After Create Rule slightly by updating the "Get-ADUser" command in the script. In the old version of the script, the command was written as:
$user = Get-ADUser $dn -Server "DomainController2" | Select GivenName, Surname, samAccountName
In the new version of the script, the command is written as:
$user = Get-ADUser $dn -Server "DomainController1" | Select GivenName, Surname, samAccountName
As you can see, we pointed the After Create Rule at the same domain controller on which the provisioning from SailPoint ISC was taking place, so the read no longer depends on replication having completed.
By doing this, we resolved the issue, and provisioning through the new IQ Service hosted in the AWS cloud worked as expected.
Refer to the diagram below showing the new configuration setup that resolved the After Create Rule issue.
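As an added example (not the customer's actual After Create Rule), the following PowerShell pins the lookup to the domain controller that performed the create and treats "object not found" as replication lag with a bounded retry, so the rule fails with a clear message instead of a bare timeout. It assumes $dn is supplied by the rule context, that the mail domain "example.com" and the GivenName.Surname address format are constructed for illustration, and that the ActiveDirectory module is available on the IQ Service host.

```powershell
# Added example, not the original rule. Assumes $dn (DN of the account just
# created by ISC) is set by the calling rule and the ActiveDirectory module is present.
Import-Module ActiveDirectory

function Get-ProvisionedUser {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Must be the same DC configured in Forest/Domain Settings (DomainController1),
        # otherwise the read races AD replication.
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $MaxAttempts = 3,
        [int] $DelaySeconds = 5
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -Server pins the query to the originating DC; -ErrorAction Stop turns
            # "not found" into a catchable exception instead of a silent $null.
            return Get-ADUser -Identity $DistinguishedName -Server $DomainController -ErrorAction Stop |
                Select-Object GivenName, Surname, SamAccountName
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Only expected when a DC other than the originating one is queried
            # before replication converges; bounded so the rule cannot hang.
            Write-Warning "Attempt $attempt/$MaxAttempts: $DistinguishedName not yet visible on $DomainController"
            if ($attempt -eq $MaxAttempts) { throw }
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

function New-PrimarySmtpAddress {
    param([Parameter(Mandatory)] $User, [string] $MailDomain = 'example.com')
    # Constructed naming convention; the real rule's format is not shown on the page.
    $local = ('{0}.{1}' -f $User.GivenName, $User.Surname).ToLower()
    return "${local}@${MailDomain}"
}

# Usage inside the After Create Rule.
$user = Get-ProvisionedUser -DistinguishedName $dn -DomainController 'DomainController1'
$primarySmtp = New-PrimarySmtpAddress -User $user
Write-Output "Primary SMTP for $($user.SamAccountName): $primarySmtp"
```

Warnings written by the retry loop surface in the IQ Service log, which makes a replication-lag failure distinguishable from a genuine network timeout when the problem recurs.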