We’re having an issue with Active Directory after rules where we create so many users at once and for some the script works and for others it doesn’t. The error is the following:
Error(s) reported back from the IQService - Before Script returned non-zero exit code : -1073741502
After some research, we realised that the IQService supports only 100 concurrent executions so anything above 100 is terminated with that status code.
The question that we have is the following: since we onboard at least 400 users regularly, and we are including more and more populations into our IGA platform, is there a way to handle the AD script automatically by SailPoint without this 100-concurrency issue? Did anyone perform mass integrations before with successful AD script executions?
Note: the current process allows only for mass integrations, and we can’t change it, as it’s a business decision that can’t be changed.
You could change your design so the After-Create script only writes down the created user somewhere like AWS SQS or some DB or a file. Then schedule a script that would run and process them and delete the entry if done successfully. Processing could happen on another server entirely to separate load spikes.
The issue isn’t that the code takes long but it’s the limit itself.
We have tried to execute 5 lines of code (just the imports and logging) and we still get the error. ISC sends all requests at once and they process (100 succeed and the rest go to error) and they don’t get retried (because it’s a rule, of course).
Without limiting the number of users onboarded at the same time I’m not sure how you can prevent this issue. I looked into balancing IQService servers but that would only work if the first server has a connectivity issue (specifically if it fails to accept TCP traffic).
You might have to get rid of the after-create script and write a PowerShell script separate from ISC that gets a list of the newly created users and iterates through them performing the tasks you mentioned (reset password, email manager, create mailbox).
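The design these two replies describe (the after-create script only records the new account, and a separately scheduled PowerShell script does the real work at its own pace) written out as one file. This is an added example, not code from this thread, from SailPoint, or from the IQService; the script name, queue path, SMTP details and function names are hypothetical, and the way the created account's DN is read from the IQService request (`$env:Request` parsed with the `Utils.dll` that ships with IQService) is an assumption taken from the usual after-script skeleton. The file-per-entry queue stands in for the SQS or database table suggested above; the same worker would work against either.

```powershell
# create-user-queue.ps1 (hypothetical name). One file, two roles:
#  - invoked by IQService as the after-create script: enqueue the new account and exit 0 at once
#  - invoked by Task Scheduler (no $env:Request): drain the queue at a pace AD and mail can take
$ErrorActionPreference = 'Stop'
$QueueRoot = 'C:\IQServiceQueue'      # assumed path; the IQService service account needs write access

function Add-CreatedUserToQueue {
    param([Parameter(Mandatory)][string]$DistinguishedName, [string]$Root = $QueueRoot)
    $pending = Join-Path $Root 'pending'
    if (-not (Test-Path $pending)) { New-Item -ItemType Directory -Path $pending -Force | Out-Null }
    $entry = [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        QueuedAt          = (Get-Date).ToString('o')
        Attempts          = 0
    }
    # Write under a temp name and rename, so the worker never picks up a half-written file.
    $final = Join-Path $pending ([guid]::NewGuid().ToString() + '.json')
    $entry | ConvertTo-Json | Set-Content -Path "$final.tmp" -Encoding UTF8
    Move-Item -Path "$final.tmp" -Destination $final
    return $final
}

function New-TemporaryPassword {
    # 20 bytes from the OS CSPRNG, base64-encoded: 28 characters, mixed case, digits and at least '='.
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Complete-CreatedUser {
    # The post-create work listed in the thread; mailbox creation is left out because it depends
    # on the mail platform (Exchange on-prem vs Exchange Online).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user   = Get-ADUser -Identity $DistinguishedName -Properties Manager
    $secure = ConvertTo-SecureString -String (New-TemporaryPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    if ($user.Manager) {
        $manager = Get-ADUser -Identity $user.Manager -Properties EmailAddress
        if ($manager.EmailAddress) {
            # Notification only; the temporary password is never put in mail. SMTP details are assumed.
            Send-MailMessage -From 'iam-noreply@example.com' -To $manager.EmailAddress -SmtpServer 'smtp.example.com' `
                -Subject "New account created: $($user.SamAccountName)" `
                -Body "An AD account was created for $($user.Name). Please arrange the initial credential handover."
        }
    }
}

function Invoke-CreatedUserQueue {
    param([string]$Root = $QueueRoot, [int]$BatchSize = 50, [int]$MaxAttempts = 5)
    Import-Module ActiveDirectory
    $pending = Join-Path $Root 'pending'
    $failed  = Join-Path $Root 'failed'
    foreach ($d in $pending, $failed) { if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d -Force | Out-Null } }
    $processed = 0
    # Oldest entries first, a bounded batch per run: the batch size is the real concurrency control.
    $items = Get-ChildItem -Path $pending -Filter '*.json' | Sort-Object LastWriteTime | Select-Object -First $BatchSize
    foreach ($item in $items) {
        $file  = $item.FullName
        $entry = Get-Content -Path $file -Raw | ConvertFrom-Json
        try {
            Complete-CreatedUser -DistinguishedName $entry.DistinguishedName
            Remove-Item -Path $file        # success: the entry is gone, so it is never processed twice
            $processed++
        } catch {
            $entry.Attempts++
            Write-Warning "Attempt $($entry.Attempts) failed for $($entry.DistinguishedName): $($_.Exception.Message)"
            $entry | ConvertTo-Json | Set-Content -Path $file -Encoding UTF8
            if ($entry.Attempts -ge $MaxAttempts) {
                Move-Item -Path $file -Destination $failed   # park it for a human rather than retrying forever
            }
        }
    }
    return $processed
}

# Dispatch. Assumption: IQService supplies the account request XML in $env:Request (parsed with the
# Utils.dll it ships with, found relative to the IQService working directory) only when it invokes
# the script; a Task Scheduler run has no such variable and therefore drains the queue instead.
if ($env:Request) {
    Add-Type -Path 'Utils.dll'
    $reader  = New-Object System.IO.StringReader([string]$env:Request)
    $request = New-Object sailpoint.Utils.objects.AccountRequest($reader.ReadToEnd())
    Add-CreatedUserToQueue -DistinguishedName $request.nativeIdentity | Out-Null
    exit 0
} else {
    $n = Invoke-CreatedUserQueue
    Write-Output "Processed $n queued account(s)"
}
```

The after-create path does no AD or mail work at all, so each IQService execution finishes in well under a second and the 100-at-a-time window matters much less; entries that are not processed on one scheduled run simply wait for the next, and anything that fails repeatedly ends up in the `failed` folder where it can be inspected instead of being silently lost.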
Hi @WhiteBat can you describe the process that is provisioning AD accounts?
If you are launching a workflow for each user, then you may be able to push the workflows into the background. The Request Processor could then manage running a moderate number of them in parallel at a time.
The non-zero exit code error occurs for various reasons, like a syntax error in the script, high CPU utilization, or long-running scripts. If you are really sure it is due to the concurrent execution limit, I would suggest catching the non-zero exit error, adding a random wait time in the code, and calling the script again in the exception block to re-execute it a few times, like 2 or 3 times. If you still get an error after it has run multiple times, look into the script and try to do some optimization if possible.
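The catch-wait-retry pattern described in this reply, written as a reusable PowerShell wrapper. This is an added example, not code from the thread or from SailPoint; `Invoke-WithRetry` is a hypothetical function name, the delay bounds are arbitrary, and the sample DN in the usage section is a constructed value. The random wait is the important part: if many scripts fail in the same moment and all retry after the same fixed delay, they arrive together again, so the delay is drawn from a range rather than fixed.

```powershell
# Invoke-WithRetry (hypothetical name): run a script block; on failure wait a random interval
# before trying again, up to a fixed number of attempts. Throws the last error when exhausted,
# so the caller decides what exit code the IQService sees.
function Invoke-WithRetry {
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [int]$MaxAttempts = 3,
        [int]$MinDelaySeconds = 5,
        [int]$MaxDelaySeconds = 30
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return & $Action
        } catch {
            if ($attempt -ge $MaxAttempts) {
                throw     # last attempt: surface the original error to the caller
            }
            # Get-Random's -Maximum is exclusive, hence the +1 to make the upper bound reachable.
            $delay = Get-Random -Minimum $MinDelaySeconds -Maximum ($MaxDelaySeconds + 1)
            Write-Warning "Attempt $attempt of $MaxAttempts failed: $($_.Exception.Message). Retrying in $delay s."
            Start-Sleep -Seconds $delay
        }
    }
}

# Usage inside an after-create script. Wrap the work, not the whole script, so that after the
# final failure the script still exits deliberately with a code of its own choosing.
$ErrorActionPreference = 'Stop'
$dn = 'CN=Jane Example,OU=Users,DC=example,DC=com'   # constructed sample; in IQService this comes from the request
try {
    $account = Invoke-WithRetry -MaxAttempts 3 -Action {
        Import-Module ActiveDirectory
        # Typical post-create step that is sensitive to timing: confirm the new account is visible
        # on the DC this script talks to (replication lag makes this fail transiently).
        Get-ADUser -Identity $dn
    }
    Write-Output "Account $($account.SamAccountName) confirmed"
    exit 0
} catch {
    Write-Error "Giving up after retries: $($_.Exception.Message)"
    exit 1
}
```

Keep the attempt count and delay range small in an after-create script: every second spent sleeping is a second the IQService slot stays occupied, so long retries inside the script make the concurrency picture worse, not better. Retries that need to wait minutes belong in a separate scheduled job.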
You can use a round-robin network load balancer that sits before the IQService machines. Based on the documentation, this should work fine. So if you have 2 or 3 IQService machines, the load balancer would just send traffic to each one in rotation. Seems like the only workaround for now.