AD provisioning error

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Scenario1 - If i create an identity from SailPoint which does not have any additional application links, and execute Ad provisioning, all the logs, approval workflows and Ad creation in disabled OU is working without an error.

Scneario2 - if for the same identity i add and application link , or use an identity which does not have an AD link , run the refresh, approval works, but none of predefined attributes like FN, LN, UserAccountControl, default password, none of them gets populated in AD and it creates as an active account in disabled OU. So basically what i have noticed is that any identity which does any additional app link, that works perfectly fine and does not if it has app links,

sample of printed logs:

2024-02-27T10:42:27,892 ERROR https-jsse-nio-8443-exec-9 sailpoint.provisioning.PlanEvaluator:2799 - Account created but some attributes are not updated properly.
2024-02-27T10:42:27,908 ERROR https-jsse-nio-8443-exec-9 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: Sail03 on Active Directory
2024-02-27T10:42:27,908 ERROR https-jsse-nio-8443-exec-9 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: Sail03 on Active Directory
2024-02-27T10:42:27,908 ERROR https-jsse-nio-8443-exec-9 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: Sail03 on Active Directory
2024-02-27T10:42:27,924 ERROR https-jsse-nio-8443-exec-9 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: Sail03 on Active Directory
2024-02-27T10:42:27,939 ERROR https-jsse-nio-8443-exec-9 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: Sail03 on Active Directory

Hi @sdhakalHUD,

Could you please provide the entire trace of the workflow?

AD_beforeProvRule.txt (6.8 KB)
scneario2-logs.txt (17.6 KB)
i have attached a scenario1 before so that works, but scenario2 doesnot work and i have attached the logs for that and beforeProvRule

2024-02-27T12:43:35,491 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2799 - Account created but some attributes are not updated properly.
2024-02-27T12:43:35,506 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: [email protected] on Active Directory
2024-02-27T12:43:35,506 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: [email protected] on Active Directory
2024-02-27T12:43:35,506 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: [email protected] on Active Directory
2024-02-27T12:43:35,506 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: [email protected] on Active Directory
2024-02-27T12:43:35,506 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: [email protected] on Active Directory
2024-02-27T12:43:35,522 ERROR https-jsse-nio-8443-exec-1 sailpoint.provisioning.PlanEvaluator:2758 - Provisioning failure: [email protected] on Active Directory

Hi @sdhakalHUD,

The scenario_2 trace is incomplete, it only shows till manager approval, could you please attach the whole of the trace, from the start of the LCM provisioning workflow or whichever workflow you use?

scneario2.1-logs.txt (34.4 KB)
i have fixed the code, but you can see at the end of the log that an AD account gets created as an active account but none of the attributes are populated.

How are these attribute values generated and passed to the plan, specifically the CN and the account DN, are you manually passing them or generating them with a script?

Could you take a look at the values being generated and passed as the CN and and the account DN, please confirm if they are as expected?

Hi Sreeram,

After investigating further, i was able to resolve the issue. It was with couple of changes.

  1. Solved: To compare if an attribute start date is less than or equal to today’s date - Compass (sailpoint.com)
  2. I had issues with my Address details which was the root cause.
    I appreciate all the support