Incorrect native identity being picked during provision

Which IIQ version are you inquiring about?

8.4p2

Master Plan

<MasterPlan>
  <ProvisioningPlan>
    <AccountRequest application="Active Directory Forest" nativeIdentity="CN=Ryan XYZ,OU=Users,OU=Denver,OU=WUNA,OU=Locations,DC=QINTL1,DC=com" op="Disable">
      <AttributeRequest name="AC_NewParent" op="Set" value="OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=COM"/>
    </AccountRequest>
    <Attributes>
      <Map>
        <entry key="comments" value="To disable Leaver AD accounts."/>
        <entry key="identityRequestId" value="0000100688"/>
        <entry key="requester" value="spadmin"/>
        <entry key="source" value="LCM"/>
      </Map>
    </Attributes>
  </ProvisioningPlan>
</MasterPlan>

Provisioning Plan

<AccountRequest application="Active Directory Forest" nativeIdentity="CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com" op="Disable" targetIntegration="Active Directory Forest">
  <Attributes>
    <Map>
      <entry key="oldNativeIdentity" value="CN=Ryan XYZ,OU=Users,OU=Denver,OU=WUNA,OU=Locations,DC=QINTL1,DC=com"/>
      <entry key="uuid" value="{befd2790-19c6-42e2-9cda-3e3f4b3d5521a}"/>
    </Map>
  </Attributes>
  <AttributeRequest name="AC_NewParent" op="Set" value="OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=COM"/>
  <ProvisioningResult>
    <Errors>
      <Message key="Error(s) reported back from the IQService - Error occurred while disabling the account CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=comFailed to connect to the server for CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: &#x9;&apos;OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com&apos; 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: &#x9;&apos;OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com&apos; . HRESULT:[0x80072030]Failed to connect to the server for CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: &#x9;&apos;OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com&apos; 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: &#x9;&apos;OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com&apos; . HRESULT:[0x80072030] Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted &#xA; Please Ensure the data has been aggregated before performing the operation " type="Error"/>
    </Errors>
  </ProvisioningResult>
</AccountRequest>

While we are trying to disable and move the AD account, we are getting the "object does not exist" error, as in the provisioning plan we can see the native identity is not correct. Not sure from where it's picking the incorrect one.

I am doubting the native identity change event, as we can see the oldNativeIdentity in the plan, which is actually the correct one. Can you please help me find from where and how this wrong native identity is being picked, and how we can correct it?

Any pointer or insights regarding this would be really appreciated.

Regards
Ankush

Are you able to pull the logs from your IQService?

Please check the below points to identify and fix the issue:

  1. How are you disabling and moving the AD account?
     • Are you using the Rapid Setup (Leaver – Move OU) option?
     • Or any Before Provisioning Rule / Provisioning Policy that sets the Disable OU or AC_NewParent?
  2. Verify IQService is running and reachable.
  3. Confirm the Disabled OU path is correct and exists in AD.
  4. Check if any Disable provisioning policies are configured at the application.

Please review these and let me know your findings so we can narrow down the root cause.


Yep,

In the error message, we can see

Error(s) reported back from the IQService - Error occurred while disabling the account CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com Failed to connect to the server for CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com:There is no such object on the server. There is no such object on the server.

The native identity being sent to AD is

CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com

but the user's actual native identity is

CN=Ryan XYZ,OU=Users,OU=Denver,OU=WUNA,OU=Locations,DC=QINTL1,DC=com

No Rapid Setup is being used here.
We are setting the AC_NewParent attribute while preparing the provisioning plan; you can refer to the provisioning plan above. IQService is running, the disabled OU path is correct, and no disable provisioning policy is configured on the application.

My doubt is on the native identity change event, as you can see in the provisioning plan.

<AccountRequest application="Active Directory Forest" nativeIdentity="CN=Ryan XYZ,OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=com" op="Disable" targetIntegration="Active Directory Forest">
  <Attributes>
    <Map>
      <!-- Here -->
      <entry key="oldNativeIdentity" value="CN=Ryan XYZ,OU=Users,OU=Denver,OU=WUNA,OU=Locations,DC=QINTL1,DC=com"/>
      <entry key="uuid" value="{befd2790-19c6-42e2-9cda-3e3f4b3d5521a}"/>
    </Map>
  </Attributes>
  <AttributeRequest name="AC_NewParent" op="Set" value="OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=COM"/>
</AccountRequest>

Yes, this is happening because AC_NewParent is being set while preparing the provisioning plan, which triggers a nativeIdentity change event. IIQ updates the nativeIdentity to the new DN before the account is actually moved, and the disable then fails with NO_OBJECT.

To avoid this issue, the recommended approach is to use Rapid Setup – Leaver configuration with the “Move OU” option.

Rapid Setup handles:

  • Correct sequencing (disable first, move after)
  • NativeIdentity updates internally
  • Prevents the DN from being changed too early

This removes the need to manually set AC_NewParent in the provisioning plan and avoids nativeIdentity mismatch issues.

I’d suggest configuring the Move OU in Rapid Setup for Leaver events and removing the custom AC_NewParent logic.

Thanks


@shirbhatea I would also recommend splitting your termination requests (if you have your own version of the Leaver workflow), e.g. one for disable and another for entitlement removal. In this way you are also making sure that if one operation fails, the others will still try to go through. If you keep both in one request, then let's say there is a failure on the disable operation; it'll fail to remove the entitlement as well, and it may lead to audit/security issues.

Note: Help the community by marking successful fixes as solutions. Feel free to react(:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

Create 2 separate AccountRequests:

  1. Disable AccountRequest
  2. Modify AccountRequest → move OU

Make sure you disable first and move after. Try it.

A Disable account request cannot set other attributes. Use a "Modify" account request and set "userAccountControl" to "514" to disable the account. In the same request, use AC_NewParent to change the OU.
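One way to build the plan the last two replies describe, as an added example rather than code from the thread: a Disable request that carries no AttributeRequests, followed by a separate Modify request carrying AC_NewParent, both addressed to the DN the account currently has in IIQ. The application name and OU DN are taken from the plans above; the class, method and parameter names are this example's own, and it assumes the standard sailpoint.object.ProvisioningPlan API available to a BeanShell rule or workflow step.

```java
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

public class LeaverPlanBuilder {

    // Values taken from the plans posted in the thread.
    static final String APP_NAME = "Active Directory Forest";
    static final String DISABLED_OU = "OU=IAM,OU=Disabled Objects,DC=QINTL1,DC=COM";

    /**
     * Builds a leaver plan as two AccountRequests for the same AD account:
     *   1. op=Disable with no AttributeRequests, so nothing on that request
     *      can rewrite the nativeIdentity before the disable is executed.
     *   2. op=Modify carrying AC_NewParent, which moves the object afterwards.
     * currentDn must be the DN IIQ currently holds for the link (the value the
     * thread shows as oldNativeIdentity), not the target OU.
     */
    public static ProvisioningPlan buildLeaverPlan(Identity identity,
                                                   Identity requester,
                                                   String currentDn) {
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);
        plan.addRequester(requester);
        plan.setComments("To disable Leaver AD accounts.");

        // 1. Disable only: deliberately no attribute requests on this one.
        AccountRequest disable = new AccountRequest();
        disable.setApplication(APP_NAME);
        disable.setNativeIdentity(currentDn);
        disable.setOperation(AccountRequest.Operation.Disable);
        plan.add(disable);

        // 2. Move: a separate Modify request carries AC_NewParent.
        //    The last reply's alternative is a single Modify request that also
        //    sets userAccountControl to "514" instead of using op=Disable.
        AccountRequest move = new AccountRequest();
        move.setApplication(APP_NAME);
        move.setNativeIdentity(currentDn);
        move.setOperation(AccountRequest.Operation.Modify);
        move.add(new AttributeRequest("AC_NewParent",
                                      ProvisioningPlan.Operation.Set,
                                      DISABLED_OU));
        plan.add(move);

        return plan;
    }
}
```

After running this plan, aggregate the application (or rely on the connector's returned DN) so the link's nativeIdentity is updated from the real post-move location rather than being rewritten ahead of the move.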