Duplicate CN Handling Issue for Identities with Same Name in ISC (AD Birthright Provisioning)

ashwinVnair · April 7, 2026, 8:47am

Hi everyone,

I’m facing an issue in ISC while onboarding two identities that have the same first name and last name (e.g., Test User).

We have a birthright role configured using role assignment criteria, which provisions accounts in Active Directory. The CN/DN naming convention is defined as:
$(firstname)$(lastname)$(uniqueCounter)

For the first identity, the account gets created successfully (e.g., testuser)
For the second identity:
- Provisioning fails with an “object already exists” error as it tries to create account with same CN (e.g., testuser for both)
- The system does not retry with an incremented uniqueCounter
- No alternate CN (like testuser1) is attempted by System on failing even though Role is still assigned to failed identity.

What i was expecting was that both identities should be provisioned successfully with unique CNs, such as:

testuser
testuser1

It seems that even though $(uniqueCounter) is part of the naming logic, ISC is not handling CN conflicts dynamically or retrying with an incremented value when a duplicate is detected in AD.

Has anyone encountered this behavior before?

Is there a way to enable retry or auto-increment logic for uniqueCounter?
Do we need to implement a before-provisioning rule to handle CN uniqueness manually?
Are there any best practices for handling duplicate names in AD provisioning via ISC?

baoussounda · April 7, 2026, 8:51am

Hi @ashwinVnair

This happen only when you try to create to identity with the same name at the same time ?

ashwinVnair · April 7, 2026, 8:54am

Yes, Only when both identities have same name and onboarded at same time. I was testing if it would create accounts for both with distinguish CN/DN

baoussounda · April 7, 2026, 8:55am

@ashwinVnair by default ISC work with multithread and things are doing in parralel, so if he try to check uniqueness as accounts are not created, the existence of the unique CN will not detected that’s why may be he try to create those accounts with the same CN.

It’s possible to create a retry logic as mentionned here : Configuring Retry Errors

You can use api to update the configuration or directly upadate your configure using VSCode plugin.

phil_awlings · April 7, 2026, 10:46am

Is the process only failing at the 1st instance, and is the account being successfully created on the retry event?

j_place · April 7, 2026, 11:02am

Hi @ashwinVnair Could you share the transform which is failing?

Tursun · April 7, 2026, 3:22pm

Hi @ashwinVnair

I would try usernameGenerator transform with sourceCheck: true This checks the target system directly at the moment of the provisioning.

Topic		Replies	Views
AC_NewName Generating CN Before Provisioning Rule ISC Discussion and Questions rules , identity-security-cloud , provisioning	5	166	November 7, 2025
ISC insist on creating AD account when identity already has ISC Discussion and Questions identity-security-cloud , provisioning , connectors	11	226	July 28, 2025
Active Directory Provisioning Error via IQService – ENTRY_EXISTS for CN/DN, but the user does not exist in AD ISC Discussion and Questions rules , identity-security-cloud , provisioning , connectors	7	62	March 24, 2026
ISC is trying to create AD accounts multiple times for a new hire and fails as the account is created in that same minute! ago ISC Discussion and Questions identity-security-cloud , provisioning , connectors	6	130	November 27, 2025
AD Create Account - sAMAccountName not unique ISC Discussion and Questions identity-security-cloud , provisioning	13	365	August 14, 2025

Duplicate CN Handling Issue for Identities with Same Name in ISC (AD Birthright Provisioning)

Related topics