IIQService PowerShell script execution failing to reach DC

Which IIQ version are you inquiring about?

Currently running 8.4p1 version

Basically we are getting an intermittent issue on the IIQService machine that fails to execute a PowerShell script with the following error:

"11/27/2024 21:35:24 : ADConnectorServices [ Thread-24 ] ERROR : "Caught exception in Modify for identity [email protected],OU=Users,OU=Accounts,DC=asiapacific,DC=XXXX,DC=net. System.Exception: Failed to connect to the server for [email protected],OU=Users,OU=Accounts,DC=asiapacific,DC=XXXX,DC=net:The server is not operational. The server is not operational. . HRESULT:[0x8007203A]
   at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
   at sailpoint.services.ADConnectorServices.Modify(Boolean processExchangeAttributeUpdate, Boolean& atleastOneAttrReqFulfilled)".

We are currently authenticating into AD using a load balancer; our iiqservice machine is inside the Americas domain. When the account request does not have a PowerShell script involved, this error does show up on the trace, but the retry mechanism on the connector makes it work on the second attempt. I believe this is because we use a load balancer, so the second attempt lands on a different DC. This only becomes an issue when the error pops up during a PowerShell execution. I noticed that this happens more frequently for the Asiapacific domain, and at the same time this error pops up in the trace logs on the iiqservice machine, we see the error in the attached image inside the IdentityIQ interface. The rule's procedural execution stops at the error in the screenshot, and the lines where the code breaks are marked in yellow in the picture.

try {
    ruleObj = context.getObjectByName(Rule.class, ruleName);
    applicationObj = context.getObjectByName(Application.class, appName);
    if (ruleObj != null && applicationObj != null) {
        data.put("postScript", ruleObj);
        data.put("Request", modifyAccReq);
        data.put("Application", applicationObj.getAttributes());

        // Note: this loop keeps only the last IQServiceConfiguration entry
        List iqServiceDetails = applicationObj.getAttributeValue("IQServiceConfiguration");
        for (Map details : iqServiceDetails) {
            IQServiceServer = details.get("IQServiceHost");
            IQServicePort = Util.atoi(details.get("IQServicePort"));
            TLSIQService = details.get("useTLSForIQService");
        }
        log.error("3 " + idenName);
        RPCService service = new RPCService(IQServiceServer, IQServicePort, false, TLSIQService);
        service.setConnectorServices(new sailpoint.connector.DefaultConnectorServices());
        RpcRequest request = new RpcRequest("ScriptExecutor", "runAfterScript", data);
        // ERROR HAPPENS ON LINES BELOW
        RpcResponse response = service.execute(request);
        rpcResponseMap = response.getResultAttributes();
        //return rpcResponseMap

        log.error(rpcResponseMap);

        //return rpcResponseMap.getMap("requestProcessedOn");
        //log.error("4 " + idenName);
    }
} catch (Exception e) {
    // catch block was not part of the posted excerpt; added so the try is closed
    log.error("runAfterScript failed for " + idenName, e);
}

Let me know if you guys have any ideas to fix or workaround on this. Thanks.
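As an added example (not code from the original post or from SailPoint), here is the same IQService call restructured so that the intermittent bind error quoted in the trace is recognised and retried against the next configured IQService entry instead of aborting the rule at service.execute. isTransientDcError and runAfterScriptWithRetry are hypothetical helper names; context and log are assumed to be the usual rule-scope variables, and the RPCService constructor argument order follows the posted code.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.connector.RPCService;
import sailpoint.connector.RpcRequest;
import sailpoint.connector.RpcResponse;
import sailpoint.object.Application;
import sailpoint.object.Rule;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Hypothetical helper (not an IdentityIQ API): true only for the intermittent bind failure seen
// in the trace ("The server is not operational", HRESULT 0x8007203A); anything else is not retried.
boolean isTransientDcError(Throwable t) {
    String msg = (t.getMessage() == null) ? "" : t.getMessage();
    return msg.contains("0x8007203A") || msg.contains("not operational");
}

// Hypothetical helper: run ScriptExecutor.runAfterScript on IQService with bounded retries.
Map runAfterScriptWithRetry(String appName, String ruleName, Object modifyAccReq, int maxAttempts) throws GeneralException {
    Rule ruleObj = (Rule) context.getObjectByName(Rule.class, ruleName);
    Application applicationObj = (Application) context.getObjectByName(Application.class, appName);
    if (ruleObj == null || applicationObj == null) throw new GeneralException("Rule or application not found: " + ruleName + " / " + appName);
    Map data = new HashMap();
    data.put("postScript", ruleObj);
    data.put("Request", modifyAccReq);
    data.put("Application", applicationObj.getAttributes());

    // Keep every configured IQService entry; the posted loop kept only the last one.
    List hosts = (List) applicationObj.getAttributeValue("IQServiceConfiguration");
    if (Util.isEmpty(hosts)) throw new GeneralException("No IQServiceConfiguration on application " + appName);
    for (int attempt = 1; attempt <= maxAttempts; attempt++) {
        Map details = (Map) hosts.get((attempt - 1) % hosts.size());  // rotate through the configured hosts
        String host = (String) details.get("IQServiceHost");
        int port = Util.atoi((String) details.get("IQServicePort"));
        boolean tls = Util.otob(details.get("useTLSForIQService"));
        RPCService service = new RPCService(host, port, false, tls);
        service.setConnectorServices(new sailpoint.connector.DefaultConnectorServices());
        try {
            RpcResponse response = service.execute(new RpcRequest("ScriptExecutor", "runAfterScript", data));
            return response.getResultAttributes();
        } catch (Exception e) {
            if (!isTransientDcError(e) || attempt == maxAttempts) throw new GeneralException("runAfterScript failed via " + host + " on attempt " + attempt, e);
            log.warn("Transient DC error via " + host + " (attempt " + attempt + "/" + maxAttempts + "): " + e.getMessage());
            Thread.sleep(2000L * attempt);  // simple linear back-off before trying the next host
        }
    }
    return null;  // not reached: the last attempt either returns or throws
}
```

A retry re-runs the PowerShell script, so this is only safe when that script is idempotent; the After Modify native rule adopted later in the thread avoids the problem by only invoking the script once the account request itself has succeeded.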

Hi @pereiram,

About the LB, where is it located in your infrastructure? Between IIQ and AD?
And how have you configured the connector(s)?

This error appears when you cannot communicate with the server and could be due to a misconfiguration of the connector, of AD, or of the network.

I suggest you review these points:

  • configuration of the connector, checking the forest and the server list
  • configuration of the DCs in AD
  • connection test on each DC (ping, telnet, traceroute, etc.)
  • performance of the network

A wrong configuration on a DC or firewall, or excessive latency in communication, can cause this problem.

The LB is on the AD connector; we use the configuration on the LB to manage all domains.
This is our configuration.


Thanks for the suggestions, I will be reviewing them and trying to reach this out. I think the issue may be related to a DC that is failing to be reached and is behind the AD load balancer.

OK, the problem could be on the LB.

Can you try to configure the single domains and bypass the LB?

That I could not do in production, and that's the only environment where we have a load balancer, unfortunately. So as a workaround, I have enabled the After Modify native rule on the connector; now the error is not occurring any longer because the After Modify makes sure the account request was successful, I believe, and only tries to call PowerShell after the account request got executed successfully, even after retries. That was a workaround that is working fine now. Thank you for the help.