Error with AD account

Hello experts,

I'm working with IDN and I need your support on one issue I'm currently facing. After aggregating the authoritative source, I can see how the identities are created on IDN and also the AD accounts based on the identity profile. The problem is that when I run the aggregation again of the authoritative source or AD, it seems that the AD accounts disappear from the users and IDN tries to create a new one, but the error is:

java.lang.RuntimeException : sailpoint.tools.GeneralException: Error running rule transform:sailpoint.tools.GeneralException: The application script threw an exception: java.lang.RuntimeException: java.lang.Exception: Unable to contact connector to generate unique value and is not retry-able. Action:UniqueAccountIdValidator: Calling getObject for objectType 'account' using id 'CN=Ifs HR01PF3EMP352,OU=SailPoint,DC=xxxx,DC=xxxxx,DC=com' and options '{cloudConfigOverrides={aggregateTimeout=30, disablePooling=true, timeout=30}}' on source 'Active Directory [source]'. Exception: sailpoint.connector.ConnectorException: java.lang.InterruptedException: Timeout waiting for response to message 1093 from client 988e01ab-16a7-444d-8784-c2e55d852f9d after 30 seconds. BSF info: Create Unique Account ID at line: 0 column: columnNo

Any idea? It is just happening with the AD accounts created by SailPoint IDN.

Regards,
Beatriz.

Hi @Beatriz ,
The account is not getting created on the AD end. It is still in the cloud layer and unable to generate the correct distinguishedName.
There is a space in the CN "Ifs HR01PF3EMP352"; is this intentional? Are you able to create an AD account manually with a space?

Hi Anamica,

Thank you for your reply. About the space, it's a prerequisite of my client. The thing is that since 3 days ago, no provisioning activity is working, but if I run an AD aggregation, it works. Also, as far as I can see, the IQService server is up and running.

Thank you.

@Beatriz Are you using any transform/generator to get this attribute? If yes, please share.

Hi Anamica,

We have a transform rule to calculate the sAMAccountName, but it is the one that comes with the AD integration by default.

Please, see what I found in ccg logs:

{
  "stack": "ccg",
  "clientId": "492",
  "request_milliseconds": "3030",
  "source_host": "unknown",
  "pod": "stg02-eucentral1",
  "method": "log",
  "org": "XXXXX-sb",
  "level": "WARN",
  "clusterId": "177",
  "message": "Pipeline Response forwarding failed due to timeout or cancellation: HTTP response code 410 for URL https://XXXXX-sb.api.identitynow.com/hecate/pipeline/response?sub=9adf38fa-bf60-4e2f-877c-fec2a1eee12f&message=12717&pod=stg02-eucentral1&org=XXXX-sb",
  "buildNumber": "642",
  "apiUsername": "XXXXXXXXXXXXXXXXXX",
  "orgType": "staging",
  "@timestamp": "2021-10-31T01:38:33.927Z",
  "file": "LogUtil.java",
  "line_number": 215,
  "thread_name": "pool-19086-thread-1",
  "@version": 1,
  "logger_name": "sailpoint.gateway.service.ErrorLoggingService",
  "region": "eu-central-1",
  "request_id": "c7da20bb-29fa-420d-ab21-e5a19fa0ad47",
  "class": "com.sailpoint.utilities.LogUtil",
  "queue": "stg02-eucentral1-XXXXXXX-sb-cluster-177"
}

Hi @AnamicaShroti, sorry to bother you, but we are stuck here. All AD tasks are frozen, so we cannot run any test. More than 10k provisioning activity tasks are pending.
Any idea?

Thank you in advance.
Beatriz.

Hi @Beatriz,

Sounds like you'll want to reach out to support to help clean up the backlog of 10,000 provisioning activities. Or you can wait for it to time out by itself. Sounds like you'll want to review your create profile and maybe start with static values before continuing with a transform route to rule out the issue completely.

-Tbui

Hi,

I am also getting the same issue. Please let me know how you resolved the issue.

Thanks.

Same here as well, started within the last week. Will be logging a ticket.

{
  "stack": "ccg",
  "pod": "prd01-eucentral1",
  "connector-logging": "145",
  "clusterId": "543",
  "buildNumber": "753",
  "apiUsername": "ommited",
  "orgType": "development",
  "file": "LogUtil.java",
  "encryption": "1266",
  "connector-bundle-identityiq": "173",
  "line_number": 215,
  "@version": 1,
  "logger_name": "sailpoint.gateway.service.ErrorLoggingService",
  "mantis-client": "1266",
  "class": "com.sailpoint.utilities.LogUtil",
  "clientId": "1690",
  "request_milliseconds": "127426",
  "source_host": "ommited",
  "method": "log",
  "org": "ommited",
  "level": "WARN",
  "IdentityIQ": "8.0 Build 2f61d76cf47-20220429-140148",
  "message": "Pipeline Response forwarding failed due to timeout or cancellation: HTTP response code 410 for URL https://ommited.api.identitynow.com/hecate/pipeline/response?sub=ae00338d-2ecf-429c-b1db-b3b77e32b181&message=97386&pod=prd01-eucentral1&org=pnp-retail",
  "pipeline": "1266",
  "@timestamp": "2022-09-08T12:38:18.566Z",
  "thread_name": "pool-5-thread-4819",
  "metrics": "1266",
  "region": "eu-central-1",
  "request_id": "666b0440-d9b4-4955-9764-b6b33808824e",
  "queue": "prd01-eucentral1-pnp-retail-cluster-543",
  "SCIM Common": "8.0 Build 00b1f252d1b-20200225-190809"
}
Stage: Refresh
Message:
trackingId: dc7ff37ba3904f6ba64b4e59b2f657b9 java.lang.RuntimeException: sailpoint.tools.GeneralException: Error running rule transform:sailpoint.tools.GeneralException: The application script threw an exception: java.lang.RuntimeException: java.lang.Exception: Unable to contact connector to generate unique value and is not retry-able. Action:UniqueAccountIdValidator: Calling getObject for objectType 'account' using id 'omitted' and options '{cloudConfigOverrides={aggregateTimeout=30, disablePooling=true, timeout=30}}' on source 'Azure AD [source]'. Exception: sailpoint.connector.ConnectorException: java.lang.InterruptedException: Timeout waiting for response to message 86 from client cf5b55da-d569-4dab-be88-636dc629d096 after 30 seconds. BSF info: Create Unique Account ID at line: 0 column: columnNo
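The two ccg warnings quoted in this thread share a pattern: a "Pipeline Response forwarding failed" WARN from ErrorLoggingService carrying an HTTP 410 and a message id, often with a request_milliseconds value well past the connector's 30-second timeout. The following triage helper is an added example, not code from any post in this thread and not SailPoint's own tooling. It assumes ccg logs exported as one JSON object per line (the same keys shown above); the sample lines, org names and ids are constructed placeholders, and the 30-second threshold is taken from the timeout=30 in the connector error.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample ccg log lines (one JSON object per line), modelled on the
# warnings quoted in the thread. Org names, sub ids and message ids are placeholders.
SAMPLE_LOG = r'''
{"level":"WARN","request_milliseconds":"3030","@timestamp":"2021-10-31T01:38:33.927Z","logger_name":"sailpoint.gateway.service.ErrorLoggingService","message":"Pipeline Response forwarding failed due to timeout or cancellation: HTTP response code 410 for URL https://example-sb.api.identitynow.com/hecate/pipeline/response?sub=00000000-0000-0000-0000-000000000001&message=12717&pod=stg02-eucentral1&org=example-sb"}
{"level":"INFO","request_milliseconds":"120","@timestamp":"2021-10-31T01:38:35.000Z","logger_name":"sailpoint.connector.ADLDAPConnector","message":"Aggregation completed"}
{"level":"WARN","request_milliseconds":"127426","@timestamp":"2022-09-08T12:38:18.566Z","logger_name":"sailpoint.gateway.service.ErrorLoggingService","message":"Pipeline Response forwarding failed due to timeout or cancellation: HTTP response code 410 for URL https://example.api.identitynow.com/hecate/pipeline/response?sub=00000000-0000-0000-0000-000000000002&message=97386&pod=prd01-eucentral1&org=example"}
this line is not JSON and is skipped
'''

# The connector error in the thread reports timeout=30 (seconds); assumed threshold.
CONNECTOR_TIMEOUT_MS = 30 * 1000

# Matches the status code and the pipeline response URL inside the warning text.
PIPELINE_RE = re.compile(r"HTTP response code (\d{3}) for URL (\S+)")


def parse_ccg_lines(text):
    """Yield one dict per JSON log line, silently skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_forwarding_failures(text, timeout_ms=CONNECTOR_TIMEOUT_MS):
    """Return one finding per pipeline forwarding WARN, with the message id and pod
    pulled out of the URL and a flag for requests that ran past the connector timeout."""
    findings = []
    for entry in parse_ccg_lines(text):
        match = PIPELINE_RE.search(entry.get("message", ""))
        if entry.get("level") != "WARN" or match is None:
            continue
        status, url = match.groups()
        query = parse_qs(urlparse(url).query)
        elapsed_ms = int(entry.get("request_milliseconds", "0"))
        findings.append({
            "timestamp": entry.get("@timestamp"),
            "status": int(status),
            "message_id": query.get("message", [None])[0],
            "pod": query.get("pod", [None])[0],
            "elapsed_ms": elapsed_ms,
            "exceeded_timeout": elapsed_ms > timeout_ms,
        })
    return findings


def summarize(findings):
    """One human-readable line per finding, for pasting into a support ticket."""
    lines = []
    for f in findings:
        note = " (over connector timeout)" if f["exceeded_timeout"] else ""
        lines.append(f"{f['timestamp']} HTTP {f['status']} message={f['message_id']} "
                     f"pod={f['pod']} elapsed={f['elapsed_ms']}ms{note}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_forwarding_failures(SAMPLE_LOG)):
        print(line)
```

Run it against a real export by reading the file into `find_forwarding_failures` instead of `SAMPLE_LOG`; the message id in each finding is the same number the connector's "Timeout waiting for response to message N" error refers to, so it can be matched against the Create Unique Account ID failures when raising the ticket.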

This can be a DNS issue. You may either add a domain controller on the AD source using either the IP or FQDN,
OR
you may troubleshoot DNS connectivity.

We are running into a similar error in our sandbox environment. What was the solution for your issue?