AD Provisioning Error - Incorrect DN referenced

I’m having an issue with AD provisioning and it looks like it’s due to a user having a different CN or being in a different OU than what’s expected.

The error in this case is a mismatch between the nativeIdentity and the DN of the actual user.

Error(s) reported back from the IQService - Failed to update attributes for identity CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net. Failed to connect to the server for CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net:There is no such object on the server

It looks like there is a mismatch between the nativeIdentity on the account activity and the actual DN of the account. I’ve included the account activity and the account itself. I’m not sure where to start on this.

From the Account

"nativeIdentity": "CN=Jason N,OU=Legal Hold,OU=Users and Groups,DC=chkenergy,DC=net"

From the Account Activity

{
    "completed": "2023-11-02T17:49:05.530Z",
    "completionStatus": "INCOMPLETE",
    "type": "Identity Refresh",
    "requesterIdentitySummary": {
        "id": "2c9180848047f65701804d137a07222e",
        "name": "SYSTEM"
    },
    "targetIdentitySummary": {
        "id": "2c91808680430836018047607abc610e",
        "name": "Jason N"
    },
    "errors": [
        "Error(s) reported back from the IQService - Failed to update attributes for identity CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net. Failed to connect to the server for CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: \t'OU=Users and Groups,DC=chkenergy,DC=net' 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: \t'OU=Users and Groups,DC=chkenergy,DC=net' . HRESULT:[0x80072030]Failed to connect to the server for CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: \t'OU=Users and Groups,DC=chkenergy,DC=net' 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: \t'OU=Users and Groups,DC=chkenergy,DC=net' . HRESULT:[0x80072030] Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted \n Please Ensure the data has been aggregated before performing the operation "
    ],
    "warnings": null,
    "items": [
        {
            "id": "1f76f3cf23c246d7accfd722f9e0945e",
            "name": "1f76f3cf23c246d7accfd722f9e0945e",
            "requested": "2023-11-02T17:49:05.076Z",
            "approvalStatus": "FINISHED",
            "provisioningStatus": "FAILED",
            "requesterComment": null,
            "reviewerIdentitySummary": null,
            "reviewerComment": null,
            "operation": "ADD",
            "attribute": "memberOf",
            "value": "CN=secChatCHKUsers,OU=Security Groups,OU=Users and Groups,DC=chkenergy,DC=net",
            "nativeIdentity": "CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net",
            "sourceId": "2c9180877fdb6945017fe0b9ed8e5fef",
            "accountRequestInfo": null,
            "clientMetadata": null,
            "removeDate": null
        },
        {
            "id": "cf58038216314c9bbcf321f4323cd5f6",
            "name": "cf58038216314c9bbcf321f4323cd5f6",
            "requested": "2023-11-02T17:49:04.748Z",
            "approvalStatus": "PENDING",
            "provisioningStatus": "FINISHED",
            "requesterComment": null,
            "reviewerIdentitySummary": null,
            "reviewerComment": null,
            "operation": "ADD",
            "attribute": "assignedRoles",
            "value": "EMP [cloudRole-1650593597608]",
            "nativeIdentity": null,
            "sourceId": "IdentityNow",
            "accountRequestInfo": null,
            "clientMetadata": null,
            "removeDate": null
        }
    ],
    "executionStatus": "VERIFYING",
    "clientMetadata": null,
    "id": "eff46c490c054bb7b302acb1a3387e07",
    "name": "eff46c490c054bb7b302acb1a3387e07",
    "created": "2023-11-02T17:49:04.805Z",
    "modified": "2023-11-02T17:49:05.561Z"
}

In your Active Directory source - remove the “PREFER_UUID” feature string.

Can you help me understand what that does?

@KevinHarrington ok, it seems others are having this issue too… I’m going to open a support ticket. I can try your fix in a sub prod environment

Here’s my interpretation/educated guess based on various things I’ve read and conversations I’ve had:
SailPoint is in the process of migrating the AD connector to using the objectGUID or some other similarly immutable ID as the account id instead of distinguishedName. This issue was reported and according to this post (Issues with Active Directory Connector - #13 by cstepp) it is caused by a feature flag.

With those two pieces of information in mind, I’m jumping to the conclusion that there is a process in place to translate the objectGUID to the DN somewhere and that translation gets broken when an account’s DN changes (i.e. in an account move or rename). By removing the PREFER_UUID flag it reverts to using the actual DN as the key.

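A pre-flight check that catches the mismatch described in this thread before provisioning reaches the IQService, as an added example (not SailPoint's or the connector's code). It assumes an aggregated account list keyed by a placeholder objectGUID and a constructed list of existing container DNs; the "best match" logic reproduces the `best match of:` hint in the NO_OBJECT (0000208D) error so the missing RDN is obvious.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def norm(dn):
    """Canonical form for comparison: RDNs trimmed and case-folded."""
    return ",".join(p.lower() for p in split_dn(dn))

def best_match(dn, existing):
    """Longest suffix of dn naming an existing object: the 'best match of'
    value a domain controller returns with NO_OBJECT (0000208D)."""
    parts, known = split_dn(dn), {norm(d) for d in existing}
    for i in range(1, len(parts)):
        suffix = ",".join(parts[i:])
        if norm(suffix) in known:
            return suffix
    return None

def check_items(items, accounts, containers):
    """Flag AD items whose nativeIdentity no longer matches an aggregated account.
    accounts maps objectGUID -> current DN; containers lists existing OU/domain DNs."""
    by_dn = {norm(dn) for dn in accounts.values()}
    existing = list(accounts.values()) + list(containers)
    findings = []
    for item in items:
        dn = item.get("nativeIdentity")
        if not dn or norm(dn) in by_dn:   # non-AD item or DN still current
            continue
        leaf = norm(split_dn(dn)[0])     # same CN elsewhere => moved/renamed object
        same_cn = [g for g, d in accounts.items() if norm(split_dn(d)[0]) == leaf]
        findings.append({"item": item["id"], "stale_dn": dn,
                         "best_match": best_match(dn, existing), "candidates": same_cn})
    return findings

# Constructed data: account DN and item DNs from the thread, placeholder objectGUID.
ACCOUNTS = {"00000000-0000-0000-0000-000000000001":
            "CN=Jason N,OU=Legal Hold,OU=Users and Groups,DC=chkenergy,DC=net"}
CONTAINERS = ["OU=Legal Hold,OU=Users and Groups,DC=chkenergy,DC=net",
              "OU=Users and Groups,DC=chkenergy,DC=net", "DC=chkenergy,DC=net"]
ITEMS = [{"id": "1f76f3cf23c246d7accfd722f9e0945e",
          "nativeIdentity": "CN=Jason N,OU=Users and Groups,DC=chkenergy,DC=net"},
         {"id": "cf58038216314c9bbcf321f4323cd5f6", "nativeIdentity": None}]

if __name__ == "__main__":
    for f in check_items(ITEMS, ACCOUNTS, CONTAINERS):
        print(f"{f['item']}: {f['stale_dn']} not found; best match {f['best_match']!r}; "
              f"same-CN accounts: {f['candidates']}")
```

A finding with a same-CN candidate under a different container is the signature of a move or rename since the last aggregation; re-aggregating the source before retrying the request resolves it without touching feature strings.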
