Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
For more information, refer to the Active Directory Connector - FAQ and Troubleshooting document.
Authentication Error
Error occurred while authentication user: Xyz
Unable to use PTA with SASL
Resolution: Check the UPN name being used.
Kerberos Authentication requires userPrincipalName as the primary requirement, and due to differences in the domain for userPrincipalName, the PTA authentication is failing. You must use the correct domain.
For example, if you have two domains:
Abc.com
xyz.abc.com
and you want to perform PTA for users present at xyz.abc.com, the format should be username@xyz.abc.com.
Organizational Units (OU) Child Objects Don't Update Following a Delta Aggregation
If you make a change to an OU which contains accounts or groups, such as renaming or moving it, a delta aggregation doesn't pick up the changes. This is a limitation in Microsoft DirSync Control explained here: https://docs.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-the-dirsync-control.
Resolution: Perform a full aggregation to capture the changes and update the child objects. You might have to do this regularly to ensure the data is up to date.