Which IIQ version are you inquiring about?
Version 8.2
Please share any other relevant files that may be required (for example, logs).
AzureAggregationFailure.log (5.51 KB)
Share all details related to your problem, including any error messages you may have received.
Hello all,
Our Azure AD account aggregation fails intermittently with the following error:
Exception during aggregation. Reason: java.lang.RuntimeException: Failed to Aggregate Error occurred while building object: {account name removed} Error: Exception occurred in processReadRequest. Error - javax.net.ssl.SSLException: java.net.SocketException: Connection reset
After looking at the logs, we are seeing that the connection reset is caused by the following Azure response:
OAuth2Exception [toString()=connector.common.oauth2.OAuth2Exception: Unable to generate access token. Response returned: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'REMOVED'. Trace ID: REMOVED Correlation ID: REMOVED Timestamp: 2023-11-27 21:00:21Z","error_codes":[7000215],"timestamp":"2023-11-27 21:00:21Z","trace_id":"REMOVED","correlation_id":"REMOVED","error_uri":"https://login.microsoftonline.com/error?code=7000215"}]
We have worked with Microsoft and they are saying the AADSTS7000215 error is legitimate, meaning we are sending an incorrect client secret randomly during the aggregation. As I mentioned, this error is intermittent and the aggregation actually works roughly half the time. There is no pattern to the failures, accounts that the failure occurs on, or server that the failure occurs on. Sometimes only one partition fails, sometimes multiple partitions on multiple servers fail.
Has anyone encountered this intermittent error while working with the Azure Active Directory connector? We found one article that said to rotate the client secret, so we tried that, but we are still facing the same issue. I see the following post appears to be the same error, but no resolution was ever determined.