IdentityIQ - Active Directory Connector - Remove Domain Configuration

Which IIQ version are you inquiring about?

8.3P3

Please share any images or screenshots, if relevant.

Please share any other relevant files that may be required (for example, logs).

N/A

Share all details about your problem, including any error messages you may have received.

We have an AD connector that is configured with about 15 different AD forests and 21 different domains. We have one forest with a single domain which we are trying to remove from our system so that the AD domain can be decommissioned. We’ve removed the Account/Group settings successfully and aggregated. The aggregation successfully removed all accounts and groups from the system. When we try to delete the Domain/Forest configuration, the test connection is failing with the error in the above screenshot. Error details are below. Has anyone ever encountered a similar error?

Exception occurred while executing the RPCRequest: Errors returned from IQService. Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. 
HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003], Object reference not set to an instance of an object.Object reference not set to an instance of an object.. HRESULT:[0x80004003]

Though the entitlements and accounts seem to be removed, there could be certain references further to be cleaned out:

  1. Related to these entitlements on an identity, in the form of identity entitlements
  2. If entitlements are referenced in a SailPoint role.

Please also check for these references for a clean up and try updating your configuration after refreshing your identities.

Hey @kevinwoodbury

That error (IQService … Object reference not set … 0x80004003) is a classic “connector config is now in an in-between state” problem, not “AD is down”.

In your case you already proved the domain is logically gone (accounts/groups removed by aggregation), but the Application still has a Forest/Domain object that’s either:

  • still referenced somewhere in the AD app’s internal attributes (even if the UI section looks removed), or

  • left behind as an empty/partial domain entry (no GC/DC values, missing required fields), which causes the IQService .NET codepath to throw a NullReference instead of returning a clean “can’t connect” message.

These are the steps to follow to solve the issue:

  1. Confirm the failing “Test Connection” is hitting the domain you’re trying to remove
    The AD “Test Connection” walks the configured GC/domain entries and stops on the first one that errors out. If the removed domain is still present as a stub, you’ll get exactly what you’re seeing.

  2. Remove the Forest/Domain from the Application XML (bypass the UI validation)
    Since the UI is forcing a test connection before saving/deleting, the clean workaround is:

    • Export the AD Application object XML

    • Remove the block for that Forest/Domain from the application attributes

    • Import it back (update/replace)

    • Restart IQService (and Tomcat if you want to be thorough)

     This avoids the “can’t save because test connection fails” deadlock.

  3. Do the cleanup you’ll otherwise trip over later
    Even after accounts/groups are removed, you can still have:

    • Identity entitlements referencing old groups

    • Roles/Bundles referencing those entitlements
      Clean those up, then run an Identity Refresh so the warehouse is consistent.

So:

A pure connectivity/cert/port issue normally gives you a readable connect/bind failure. A repeated Object reference not set… coming back from IQService is almost always the connector trying to use a null/empty config entry.
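The export/edit/import workaround in steps 1 and 2 above can be done safely with a small script rather than by hand-editing the XML, which also makes it easy to confirm that no stub domain entry or stray reference is left behind. The following is an added example, not SailPoint code and not code from the poster. It assumes the AD Application stores its forest list under the attribute key forestSettings and its domain list under domainSettings, each a List of Maps keyed by forestName and domainDN with a servers sub-list; the sample export, the forest name old.example and the key lastKnownDomainDN are constructed for the demonstration.

```python
"""Remove one forest/domain from an exported IdentityIQ AD Application XML
and check for the leftovers that make IQService throw a NullReference.

Added example for the export/edit/import workaround; not SailPoint's code.
Assumed (not from the page): attribute keys forestSettings / domainSettings,
map keys forestName / domainDN / servers. The sample below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one healthy forest (corp.example), the forest being
# decommissioned (old.example), a partial stub domain map, and a leftover key.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<Application name="Active Directory" type="Active Directory - Direct">
  <Attributes><Map>
    <entry key="forestSettings"><value><List>
      <Map><entry key="forestName" value="corp.example"/>
           <entry key="gcServer" value="gc.corp.example"/></Map>
      <Map><entry key="forestName" value="old.example"/>
           <entry key="gcServer" value="gc.old.example"/></Map>
    </List></value></entry>
    <entry key="domainSettings"><value><List>
      <Map><entry key="forestName" value="corp.example"/>
           <entry key="domainDN" value="DC=corp,DC=example"/>
           <entry key="servers"><value><List>
             <String>dc1.corp.example</String></List></value></entry></Map>
      <Map><entry key="forestName" value="old.example"/>
           <entry key="domainDN" value="DC=old,DC=example"/>
           <entry key="servers"><value><List>
             <String>dc1.old.example</String></List></value></entry></Map>
      <Map><entry key="forestName" value="old.example"/></Map>
    </List></value></entry>
    <entry key="lastKnownDomainDN" value="DC=old,DC=example"/>
  </Map></Attributes>
</Application>
"""


def _map_entries(map_el):
    """Flatten the simple <entry key value/> children of a <Map> into a dict."""
    return {e.get("key"): e.get("value") for e in map_el.findall("entry") if e.get("key")}


def _setting_list(root, key):
    """Find <entry key=KEY><value><List> directly under Attributes/Map."""
    for entry in root.findall("./Attributes/Map/entry"):
        if entry.get("key") == key:
            return entry.find("./value/List")
    return None


def remove_forest(xml_text, forest_name):
    """Drop every forestSettings/domainSettings map whose forestName matches.

    Returns the rewritten XML and a count of removed maps per list.
    """
    root = ET.fromstring(xml_text)
    removed = {"forestSettings": 0, "domainSettings": 0}
    for key in removed:
        lst = _setting_list(root, key)
        if lst is None:
            continue
        for m in list(lst.findall("Map")):
            if _map_entries(m).get("forestName") == forest_name:
                lst.remove(m)
                removed[key] += 1
    return ET.tostring(root, encoding="unicode"), removed


def find_stub_domains(xml_text):
    """Domain maps with no domainDN or no servers: the empty/partial entries
    that the connector cannot use and that surface as a NullReference."""
    root = ET.fromstring(xml_text)
    lst = _setting_list(root, "domainSettings")
    stubs = []
    if lst is None:
        return stubs
    for m in lst.findall("Map"):
        d = _map_entries(m)
        servers = m.find("./entry[@key='servers']/value/List")
        if not d.get("domainDN") or servers is None or len(servers) == 0:
            stubs.append(d.get("forestName") or "<unnamed>")
    return stubs


def residual_references(xml_text, needles):
    """Any attribute value or text node anywhere in the export that still
    names the removed forest/domain (catches references outside the lists)."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        for v in list(el.attrib.values()) + [el.text or ""]:
            for n in needles:
                if n.lower() in v.lower():
                    hits.append((el.tag, el.get("key"), v))
    return hits


if __name__ == "__main__":
    print("stubs before:", find_stub_domains(SAMPLE_XML))
    cleaned, counts = remove_forest(SAMPLE_XML, "old.example")
    print("removed:", counts, "stubs after:", find_stub_domains(cleaned))
    print("still referenced:", residual_references(cleaned, ["old.example", "DC=old,DC=example"]))
```

Run it against a real export by replacing SAMPLE_XML with the file contents; anything reported by residual_references deserves a look before the import, since that is exactly the kind of orphaned reference the UI validation will not explain.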

Dear @kevinwoodbury

It seems to be a similar config issue to the one resolved in the topic below.

Hi Everyone, thanks to my teammate we now have this resolved. Believe it or not, the issue was that we had to first remove the CredentialAssociation from our Credential Configuration object used for credential cycling. Leaving an orphaned CredentialAssociation in that configuration was the culprit. A bug in my view, I’ll see how far I get in having SailPoint recognize it as a bug to be fixed in a future release. The error in no way referenced “Hey dummy, go check your credential configuration for credential cycling”, but instead just threw a .NET NullPointerException (Object reference not set to instance of object). Hoping this may help someone out in the future.
