Even after successful provisioning Create Account Operations are triggered

Hi Team,

We have a use case wherein, 7 days prior to the hire date, we are creating accounts in different Active Directory sources and one ServiceNow source. But we are facing two types of issues in this scenario:

  1. IDN is triggering a create account operation within seconds after the successful provisioning to the target system. Due to this, duplicate accounts were being provisioned for a single identity. This is happening for the AD and ServiceNow sources. It would be really helpful if we could control these create account operations even after successful provisioning.

  2. IDN is encountering failures while creating the account in AD, but the account is reflected in the target AD system. Because of this failure, IDN triggers multiple create operations until the AD accounts created on failure are correlated back to the identity. The error that was thrown during the provisioning is “sailpoint.connector.ConnectorException: java.lang.InterruptedException: Timeout waiting for response to message 278 from client 422c7c33-6f06-42fc-8f7b-e5252370aae9 after 90 seconds.” Can anyone help us resolve this error? Also, can we add any connector attribute to the AD source, for example rollbackCreatedAccountOnError with the value true, which will delete the account in the target system that got created on error?

Thank you.

Hi @shanmukh.gali, welcome to the forums!

For the first issue, I’m not sure I understand the flow here. Can you elaborate on which target system is updated first, and what the process flow should look like?

For the second issue:

Can you verify that you can ping the machine where IQService is installed from your virtual appliance (VA)? Do you have any blocked (inbound) ports on the IQService machine?

According to the documentation, the Active Directory source type should support adding the flag “rollbackCreatedAccountOnError”. I’d suggest setting this value to ‘true’ and testing again. You should be able to do this using the IDN APIs for modifying sources (SailPoint - SaaS API).

Hi @shanmukh.gali ,

  1. Are you using roles to provision these accounts (Active Directory and ServiceNow) by chance? Are they dependent on any attribute calculation at the identity level by chance?

  2. Are you using any PowerShell scripts by chance? You can try increasing your provisioning timeout:

curl --location -g --request PATCH 'https://tenantApi.identitynow.com/beta/sources/{{externalID}}' \
  --header 'Authorization: Bearer eyJBCoCg' \
  --header 'Content-Type: application/json-patch+json' \
  --data-raw '[
    {
      "op": "replace",
      "path": "/connectorAttributes/provisioningTimeout",
      "value": 600
    }
  ]'

Hope that helps.
-Tbui

Hi @tom_bui ,

I’m working on the same project with @shanmukh.gali. For your queries, the answers are as follows:

  1. Yes, actually the provisioning is performed when a role membership is qualified, and we have two roles, of which one is to provision accounts onto two Active Directory sources and the other is for ServiceNow account provisioning. And yes, they are dependent on identity attribute calculation of cloudLifecycleState and a custom identity attribute which compares the hireDate of the user with the day we went live with IdentityNow; if the date is after go-live it qualifies, else it does not.
  2. We have the following PowerShell scripts in place:
    i. Active Directory Source I:
    There are 2 native rules which trigger the After-Create and After-Modify PowerShell scripts; after that, based on the operation type being create, 4 further PowerShell scripts are triggered.
    ii. Active Directory Source II:
    There are a total of two native rules, which trigger an after-create script and a custom script.

Thank You

-amankumar.singh

AD account creation is a 2-phase process. The initial account gets created with basic attributes like dn and a few others, and then the other attributes are populated. It is possible that the afterCreate and afterModify scripts are failing, but if this issue is only in create then afterModify is not in the picture.

You can enable a flag which will delete the account on the AD side if the whole provisioning is not successful.

Rollback of Created Account

The Active Directory source supports rollback of the created account in case provisioning of one or more requested attributes fails during the provisioning operation. Set the rollbackCreatedAccountOnError attribute to True.

You need to use the PATCH API and put this under the connectorAttributes map.

For ServiceNow I do not think we have this option, but I have rarely seen this kind of issue happening on SNOW create operations.

Hi Chirag,

Thanks for the reply. We have added the rollbackCreatedAccountOnError connector attribute as true. We will monitor whether IDN is able to prune the AD accounts if any account is created during unsuccessful provisioning. Although, if we add this connector attribute and IDN encounters errors while creating the AD account for a single identity, will that identity ever get an AD account created?

Also, for ServiceNow, provisioning was not failing, but the create events were getting triggered within seconds. We are provisioning to ServiceNow only when the AD accounts are created. Requesting you to please help us understand whether this is an implementation issue or a product issue.

Thank you.

Hey Shanmukh,
If you have marked rollbackCreatedAccountOnError as true then it only comes into effect whenever there is an error. The connector removes the account which was created but not with all attributes.
About your specific question, “Although if we add this connector attribute and IDN is encountering errors while creating ad account for a single identity then will that identity ever get an AD account created?”:
Yeah, IdentityNow provisioning will see that there is a role assigned to the identity but the underlying access is not assigned to the identity, so it will try again as part of the refresh job. This can differ based on how you are provisioning.

“Also for service now, provisioning was not failing but the create events was getting triggered within seconds.”

For this one you need to create a support ticket, as this would need detailed investigation. If the provisioning plan is coming back as committed from the end source and the overall create is still being retried on the IdentityNow side, then it needs detailed investigation. I also see you mentioned 2 creates at the same time; this also needs investigation from the support team.

Hi Chirag,

Thanks for the quick responses. We will closely monitor the ServiceNow source, and if this issue persists then we will open a support ticket with SailPoint.

Regarding the AD issue, any suggestion on how we can avoid these timeout errors, which we encounter even after increasing the timeout to the maximum, which is not recommended by SailPoint as it affects the overall provisioning performance? We have also observed another error, "After Script returned non-zero exit code: ". This issue is intermittent, and we have verified the after scripts as well, but sometimes we face these types of issues. Requesting you to please provide your valuable insights on this.

Thank you.

Sounds like your PowerShell script is not completing properly, based on the error. I would evaluate your PowerShell script. Maybe put IQService in console mode and you’ll see red if there is an error.

"After Script returned non-zero exit code: "

Recommendation:

  1. Submit an idea to SailPoint’s Ideas portal to do some role evaluation before triggering the next role creation. Have the community vote on it to be included in the product. Basically, check for the existence of Role1 before granting Role2, etc. I ran into this issue and had to force-fail the creation of some accounts within Active Directory, i.e. DN, sAMAccountName, password constraints.
  2. You can add additional criteria within the role to look for a value within AD Source I, i.e. the mail attribute, before creating AD Source II accounts. This ensures that at least one of them completed before kicking off the second account creation.

Hope that helps.

-Tbui


Hey Shanmukh,
As Thomas said, the afterCreate script seems to be the issue here, at least in a few cases. The timeout can be because of so many reasons, and all of them are dependent on your environment and configuration.

Can you confirm what you are doing in your afterCreate script? Is there any code which uses a sleep method?

Hi @chirag.patel ,

The accounts still got created even though it encountered an error from the connector, and that too as 3 duplicate accounts for the same user. And I have checked the attribute rollbackCreatedAccountOnError; it is enabled for the affected AD source. Can you please provide us some insight as to why the accounts that were created were not reverted?

The error is: [“sailpoint.connector.ConnectorException: java.lang.InterruptedException: Timeout waiting for response to message 8 from client 7ac3c1fc-e1a4-462d-b424-630a4b93c43d after 90 seconds.”]

Thank You.

Hey Aman, this would need a formal investigation, and you might want to open up a case for this.
