ISC insists on creating AD account when identity already has one

Hi! We are dealing with a weird problem on a production environment. In this tenant, we have 2 LCS: one that enables AD accounts for identities becoming Active:

and other that disables AD Account for identities becoming Inactive:

Also, we have some roles that grant AD groups when onboarding.

Overall behaviour is fine, but we are seeing a lot of Create Account Failed events for AD account, on many disabled users:

Error is:
["Exception occurred while executing the RPCRequest: Errors returned from IQService. "The object already exists. The object already exists. 00000524: UpdErr: DSID-031A11FA, problem 6005 (ENTRY_EXISTS), data 0 00000524: UpdErr: DSID-031A11FA, problem 6005 (ENTRY_EXISTS), data 0 . HRESULT:[0x80071392] For identity: CN=XXXXXXXXXX""]

which makes sense, because the user already has an AD account:

Any clue about what can be triggering the AD account creation?

Do you have any Access Profiles in the LCS? Do you have any beforeProvisioning Rules set up that might move AD accounts to a different OU based on whether the account is active or disabled?

1 Like

Hi Carl! No Access Profiles, only entitlements and roles, and no beforeProvisioning rules. This turned even weirder: filtering events by Create Account Failed, we have 3301 tries for only one identity (which already has an AD Account):

In Search, can you find these Create Account requests in Account Activity? The Account Activity should tell you the Attributes Requested, look to see what "Add memberOf: " shows.

Then search for what roles contain the memberOf entitlements.

The result from search always shows a request to add a group and several attributes.

What's weird is that this identity already has an AD account, and also already has the requested AD group.

Seems like something is stuck. I would recommend opening a support ticket.

Otherwise, you could Reset the Identity. Or Delete and Recreate the Identity.

1 Like

Thanks Carl, in parallel I just opened a case because many identities are in the same state. When a solution is provided I will come back and post it here.

1 Like

Hi @jsosa,

Could you please confirm whether the user’s identity is already linked to an Active Directory (AD) account?

  • If it is, the system should not attempt to create a new account.
  • If it isn’t, please verify the correlation logic that’s currently defined.

The error indicates that the system is attempting to create an AD account with a sAMAccountName or Distinguished Name (DN) that likely already exists.

In our environment, we ran into the same problem: intermittent, easily reproducible duplicate account creations. Some account creations failed like yours because the account was already in place, but a lot ended up getting a duplicate account. SailPoint determined it was caused by multiple aggregation jobs running concurrently, triggering a refresh and causing an account creation request. The issue was resolved by enabling a feature flag that prevents duplicate account creation. You may be encountering the same issue; hopefully SailPoint Support can offer you a similar workaround.

1 Like

Hi @UjjwalJain! Thanks for responding! Yes, this is very weird; the identity has an AD account linked to it. It appears that ISC gets stuck trying to add a group that the identity also already has in AD, and this operation comes with a Create Account that fails, because indeed the account already exists.

We are seeing the same issue where an identity is created and a Create Account request is sent to AD and provisions successfully. However, within seconds, another Create Account request is sent to AD attempting the same operation, which fails (expected in our case because we’ve set samAccountName to not use a uniqueCounter).
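The pattern in the last two replies (a Create Account that completes, then a second Create Account for the same identity and source seconds later) can be pulled out of exported account activity with a time-window check, which is a quick way to size the problem before opening a case. The following is an added example for this thread, not code from the thread or from SailPoint; the record field names and the sample records are constructed assumptions, so map them to the real export before use:

```python
"""Find back-to-back Create Account requests for the same identity and source.

Added example for this thread; not code from the thread or from SailPoint.
Operates on exported account-activity records with the assumed field names
identity/source/action/status/created (ISO-8601 with a trailing Z).
"""
from datetime import datetime, timedelta

# Constructed sample (not real tenant data): jdoe's create completes and a
# second create follows 8 seconds later and fails; bchen's two creates are a
# day apart; a Modify Account in between must be ignored.
SAMPLE_ACTIVITY = [
    {"identity": "jdoe", "source": "Active Directory", "action": "Create Account",
     "status": "Completed", "created": "2024-03-01T10:00:00Z"},
    {"identity": "jdoe", "source": "Active Directory", "action": "Modify Account",
     "status": "Completed", "created": "2024-03-01T10:00:03Z"},
    {"identity": "jdoe", "source": "Active Directory", "action": "Create Account",
     "status": "Failed", "created": "2024-03-01T10:00:08Z"},
    {"identity": "bchen", "source": "Active Directory", "action": "Create Account",
     "status": "Completed", "created": "2024-03-01T09:00:00Z"},
    {"identity": "bchen", "source": "Active Directory", "action": "Create Account",
     "status": "Failed", "created": "2024-03-02T09:00:00Z"},
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamp; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def repeated_creates(activity, window_seconds=60):
    """Pairs of Create Account requests on one identity/source within the window.

    Returns tuples (identity, source, first_status, second_status, gap_seconds).
    Status is not filtered, so a 'Completed then Failed' pair like the one
    described in the thread is reported alongside 'Failed then Failed' retries.
    """
    window = timedelta(seconds=window_seconds)
    by_key = {}
    for rec in activity:
        if rec["action"] != "Create Account":
            continue
        by_key.setdefault((rec["identity"], rec["source"]), []).append(
            (_ts(rec["created"]), rec["status"]))
    hits = []
    for (ident, src), events in by_key.items():
        events.sort()
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if t2 - t1 <= window:
                hits.append((ident, src, s1, s2, (t2 - t1).total_seconds()))
    return hits


if __name__ == "__main__":
    for ident, src, s1, s2, gap in repeated_creates(SAMPLE_ACTIVITY):
        print(f"{ident}@{src}: Create Account {s1} then {s2} after {gap:.0f}s")
```

Lower the window if the tenant generates legitimate re-creates after manual deletes; the default of 60 seconds only catches the near-simultaneous pairs that point at a second provisioning plan being built for an identity that was already provisioned.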