Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
For more information, refer to the Active Directory Connector - FAQ and Troubleshooting document.

Error occurred while authentication user: Xyz
Unable to use PTA with SASL
Resolution: Check the UPN name being used. Kerberos authentication requires the userPrincipalName as its primary requirement, and PTA authentication fails when the domain in the userPrincipalName does not match the domain of the account. You must use the correct domain. For example, if you have two domains, Abc.com and xyz.abc.com, and you want to perform PTA for users present in xyz.abc.com, the format must be username@xyz.abc.com.

For the Active Directory source, to avoid receiving referrals during account aggregation, use the API to set the ldapExtendedControls attribute with a value such as sample_ldapExtendedControls_value. The values can be taken from those listed at the following URL: https://msdn.microsoft.com/en-us/library/cc223320.aspx
Note
Multiple extended LDAP controls can also be set using the above entry.

You may see the following error during exchange provisioning:
Errors returned from IQService: Connecting to remote server <<Exchange HostName>> failed with the following error message: The WinRM client cannot process the request. Basic Authentication is currently disabled in the client configuration. Change the client configuration and try the request again.
Resolution: Complete the following:
Check whether the Windows Remote Management service is installed on both the IQService machine and the Exchange server machine, and that the service is running. To validate this further, open PowerShell as an administrator and execute the following commands before Exchange provisioning:
winrm qc
winrm e winrm/config/listener
Ensure that the internal firewall is turned off.
If the steps mentioned above do not resolve the error, complete the following on the Exchange server:
Open a PowerShell prompt as an administrator and run:
winrm get winrm/config/client
If Basic authentication is set to false in the output, run the following command to set it to true:
winrm set winrm/config/client/auth '@{Basic="true"}'

Create Account operation fails, with the following error:
Errors returned from IQService. Failed to update attributes. There is no such object on the server.
Although the account gets created on Active Directory, some attributes are not configured.
Resolution: If the manager attribute is present in the AccountRequest of the provisioning plan, confirm that the value of this attribute is the distinguished name of the manager, not a name string.
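A pre-flight check for the two plan problems described above (the PTA userPrincipalName suffix and the manager value), as an added Python example that is not part of the SailPoint documentation or the connector. It assumes, as the page's example does, that the UPN suffix used for PTA should equal the DNS name of the domain holding the account (derived from the DC components of the account's DN), and uses constructed sample DNs.

```python
import re

# Constructed sample values for illustration (not from the SailPoint page).
SAMPLE_DN = "CN=Jane Doe,OU=Users,DC=xyz,DC=abc,DC=com"
SAMPLE_MANAGER_DN = "CN=Boss Person,OU=Users,DC=xyz,DC=abc,DC=com"


def parse_dn(dn):
    """Split a distinguished name into (attribute, value) pairs.

    Commas escaped as '\\,' inside a value are not treated as separators;
    the escape itself is left in the value.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_dn(value):
    """True if value is a DN with at least one DC component, as AD DNs have."""
    try:
        return any(attr == "DC" for attr, _ in parse_dn(value))
    except ValueError:
        return False


def domain_from_dn(dn):
    """Derive the DNS domain name (e.g. xyz.abc.com) from the DC components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def check_pta_upn(upn, account_dn):
    """Return None if the UPN suffix matches the account's domain, else the reason."""
    if "@" not in upn:
        return "UPN has no @domain suffix"
    suffix = upn.rsplit("@", 1)[1].lower()
    domain = domain_from_dn(account_dn).lower()
    if suffix != domain:
        return f"UPN suffix {suffix} does not match account domain {domain}"
    return None


def check_manager(value):
    """Return None if the manager value is a DN, else the reason (a name string)."""
    if is_dn(value):
        return None
    return f"manager value {value!r} is not a distinguished name"
```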

Error message:
Error occurred while setting password for the account. Exception has been thrown by the target of an invocation. One or more input parameters are invalid.
The above issue is observed on the following versions of Microsoft Windows Server:
Microsoft Windows Server 2016
Microsoft Windows Server 2012 R2 with KB 4012219 installed
Microsoft Windows Server 2012 with KB 4012220 installed
Microsoft Windows Server 2008 R2 with KB 4012218 installed
Resolution: Ensure that the following Local Security Policy is set to Not Defined, or, if it is enabled, that it includes the service account configured on the Active Directory source:
Network access: Restrict clients allowed to make remote calls to SAM
For Local Security Policy, go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Active Directory source delta aggregation may fail with the following error:
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0909F1, comment: Error processing control, data 0, v2580; remaining name 'dc=XX,dc=XXX,dc=XXX'
Resolution: Grant the 'replicating directory changes' permission to the service account. Alternatively, add the service account to a security group that has the 'replicating directory changes' permission.

If you make a change to an OU which contains accounts or groups, such as renaming or moving it, a delta aggregation doesn't pick up the changes. This is a limitation in Microsoft DirSync Control explained here: https://docs.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-the-dirsync-control.
Resolution: Perform a full aggregation to capture the changes and update the child objects. You might have to do this regularly to ensure the data is up to date.

The following are the PowerShell cmdlets used by the Active Directory source:
For Exchange (Mail Contact): All provisioning operations are performed through IQService. Contacts are created using ADSI APIs, and are mail-enabled using the Enable-MailContact PowerShell cmdlet if externalEmailAddress is provided in the plan.
Other cmdlets used for Contacts (run remotely on the Exchange server itself using WinRM) are as follows:
Get-MailContact
Disable-MailContact
Set-MailContact
Skype-related operations: All Skype cmdlets run locally on the IQService machine, which requires the Skype administrative tools to be installed on that machine:
Get-CsUser
Get-CsClientPinInfo
Set-CsUser
Move-CsUser
Enable-CsUser
Disable-CsUser
Set-CsClientPin
Lock-CsClientPin
Unlock-CsClientPin
Grant-Cs<PolicyType>
Remove-Cs<PolicyType>
Note
The source user for provisioning of Exchange Server must be remote shell enabled. To enable remote PowerShell for a user, set the RemotePowerShellEnabled parameter to $True on the Set-User cmdlet. For example: Set-User UserName -RemotePowerShellEnabled $True

Test connection for the Active Directory source fails when TLS is on.
Resolution: Ensure that the correct AD DC certificate has been imported into the VA certificates folder (Identity Security Cloud). Verify that the certificate is valid before placing it on the VA:
Perform a test connection on port 636 with the intended certificate in an LDAP browser. If the SSL connection succeeds, the certificate is from the correct domain, and you can import it into the certificate folder on the VA server.

Error message:
LDAP: error code 12 - 00000057: LdapErr: DSID-0C090AFA, comment: Error processing control error in Active Directory full account aggregation
Resolution: Complete the following:
Add the disableSort attribute using the Identity Security Cloud REST API, and set it to a value such as true.
Change the server order in the domain. If there is only one entry in the servers list, try adding other servers present in the domain. This can be done in the UI by setting the Servers field, or by editing the "servers" element in the source XML as shown in the following example:
<entry key="servers">
  <value>
    <List>
      <String>Server1</String>
      <String>Server2</String>
    </List>
  </value>
</entry>
Change the value of pageSize (if it is set to 100, change it to 1000, and vice versa) and verify the aggregation result.

Active Directory Password change fails with the following error message:
Caught exception in bind for server
Resolution: Verify that the service account used in the source has the required permissions described in the Service Account Permissions section.