Attribute DistinguishedNamedoes not contain expected character

I have created a second Active Directory connector to handle the creation of Administrative accounts. The new connector base OU does not overlap with the normal user create AD connector. I created 3 new attributes, AdminDN, AdminSam, and AdminUPN, and on the create account on the connector I have mapped the attributes to SamAccountName, UPN and DN. In the Details of the user account the attributes are correct, but I keep getting the following error “[“Exception occurred while executing the RPCRequest:
Errors returned from IQService.
"Attribute DistinguishedNamedoes not contain expected character
,. Value supplied : RabittBAttribute DistinguishedNamedoes not contain expected character ,.
Value supplied : RabittB. HRESULT:[0x80131500]"”]”

I have set up a multiple Account Options on my AP for normal accounts that says memberof Does not Equal XGroup so the account will ignore the normal AD connector. Trying to figure out what I missed.


Hi @krigney ,

Have you verified if the accounts are created successfully on the AD? Do you see any special characters for the distinguishedName attribute being passed to AD in the IQ service logs during the provisioning request? As per Distinguished Names | Microsoft Learn, there is a list of reserved characters that need to be prefixed with a backslash (\).

Another way is, you can try creating a new AD connector and see if the same issue happens.

HTH

The accounts fail creation due to the error. The DN is correct; it is set via a transform for the identity attribute of ADMINDN (cn=RabittB,ou=Privileged,ou=Users,ou=Admin,dc=test,dc=nintendo,dc=com), which shows correctly in the attributes of the user accounts.

Hi @krigney,

Looks like the DN value being passed is RabittB instead of the actual DN.

Here are some of the steps you can follow:

  1. Try checking for the user in search and see what value is being passed for distinguishedName during the account creation (under Account Activities). You can also check the IQService logs for more info.

  2. Try giving a static value for distinguishedName in the create profile and see how it behaves.

  3. Delete the distinguishedName attribute in the create profile and re-create it with the mapping.

Hi @krigney - Are you mapping the common name (cn) as well? What’s the value in there?

I was able to figure it out. I needed to add CN to the create and change the schema so that DistinguishedName was the accountID.

2 Likes
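
The two checks the replies point at (a value that is a bare name rather than a DN, and reserved characters that need a backslash), as an added Python example that is not part of the original thread or of SailPoint's code. The function names and the "Rabitt, Bob" value are constructed for illustration; the other sample values are the ones quoted in the thread.

```python
import re

# Characters escaped inside an RDN value (RFC 4514 set plus '='); the
# Microsoft Learn page cited in the thread describes the backslash prefix.
RESERVED = ',\\+<>;"='

def escape_rdn_value(value: str) -> str:
    """Escape one RDN value (e.g. a CN) before placing it in a DN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        # '#' or space at the start and space at the end also need escaping.
        edge = (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\" + ch if ch in RESERVED or edge else ch)
    return "".join(out)

def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas, skipping backslash-escaped characters."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]

def dn_problems(value: str) -> list[str]:
    """Return structural problems with a DN candidate (empty list = OK)."""
    rdns = split_rdns(value)
    problems = []
    if len(rdns) < 2:
        problems.append("no ',' separator: a bare name, not a DN")
    for rdn in rdns:
        if not re.match(r"\s*[A-Za-z][A-Za-z0-9.-]*\s*=.", rdn):
            problems.append(f"RDN {rdn!r} is not in type=value form")
    return problems

def build_dn(cn: str, container: str) -> str:
    """Prefix the container DN with an escaped CN component."""
    return f"CN={escape_rdn_value(cn)},{container}"

if __name__ == "__main__":
    container = "ou=Privileged,ou=Users,ou=Admin,dc=test,dc=nintendo,dc=com"
    print(dn_problems("RabittB"))                  # value from the error
    print(dn_problems("cn=RabittB," + container))  # DN quoted in the thread
    print(build_dn("Rabitt, Bob", container))      # constructed CN
```

Running a check like this against the value the create profile actually emits shows whether the connector is receiving the full DN or only the name component.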