Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

The test connection fails and displays the following error:
Error returned from IQService. One or more errors occurred
Resolution: Complete the following:
Verify that all of the prerequisites for the Microsoft Exchange Online Mailbox attributes are in place. For more information, refer to Prerequisites.
Once you have verified the prerequisites have been met, run the following PowerShell command on the IQService machine to verify connectivity.
Connect-ExchangeOnline -UserPrincipalName <userPrincipalName>

While adding a Service Principal Name to a user, the add entitlement request fails with the following error message:
Response Code - 400 Error - Permission being assigned was not found on application
Resolution: Verify whether the Service Principal Name is already present in the user's entitlements.

Test Connection fails with the following error message when the Microsoft Entra ID application is configured with the 'SAML Bearer Assertion' grant type:
OAuth2Exception [toString()=connector.common.oauth2.OAuth2Exception: Unable to generate access token. Response returned:
{"error":"invalid_grant","error_description":"AADSTS50008: The SAML token is invalid.\r\nTrace ID: a74df376-3ede-4c17-ba34-b352079e3300\r\nCorrelation ID: f8c370ec-4ef6-48a4-a393-0297a5ce3b20\r\nTimestamp: 2020-05-04 05:58:16Z","error_codes":[50008],"timestamp":"2020-05-04 05:58:16Z","trace_id":"a74df376-3ede-4c17-ba34-b352079e3300","correlation_id":"f8c370ec-4ef6-48a4-a393-0297a5ce3b20","error_uri":"https://login.microsoftonline.com/error?code=50008"}
]
Resolution: Verify that the clock of the ADFS machine is synchronized with Azure time, that is, UTC. If it is not, correct the ADFS machine time and restart the ADFS services.

Test Connection / Account Aggregation fails with the following error message when the Microsoft Entra ID application is configured with the SAML Bearer Assertion grant type:
Error - invalid_grant: AADSTS5000811: Unable to verify token signature. The signing key identifier does not match any valid registered keys.
Resolution: Microsoft recommends running the following command from PowerShell on the ADFS server to manually renew the token signing certificates:
Update-MSOLFederatedDomain -DomainName <domain>
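The two token errors above can be triaged mechanically. The following Python script is an added example written for this page (it is not SailPoint's or Microsoft's code): it extracts the JSON body from the connector's OAuth2Exception text, maps the AADSTS codes this page documents (50008 and 5000811) to the resolutions given above, and uses the timestamp field of the response, which carries the token endpoint's own UTC time, to estimate how far the local clock is off. The sample error text, the trace and correlation IDs, and the local timestamp are constructed; treating unknown codes as "not covered" and the skew heuristic are this example's assumptions.

```python
import json
from datetime import datetime, timezone

# Resolutions documented on this page, keyed by the numeric AADSTS code that the
# token endpoint returns in "error_codes". Codes outside this map are reported
# as not covered here rather than guessed.
KNOWN_CODES = {
    50008: "SAML token invalid: check that the ADFS machine clock is synchronized "
           "with Azure time (UTC), correct it if needed, then restart the ADFS services.",
    5000811: "Token signing key not registered: run "
             "Update-MSOLFederatedDomain -DomainName <domain> on the ADFS server.",
}


def extract_error_body(message):
    """Pull the JSON object out of the connector's OAuth2Exception text.

    The connector appends the raw token-endpoint response after 'Response returned:',
    so we parse from the first '{' with a raw decoder, which tolerates the trailing
    ']' that closes the Java toString() output."""
    start = message.find("{")
    if start < 0:
        raise ValueError("no JSON body found in error text")
    body, _ = json.JSONDecoder().raw_decode(message[start:])
    return body


def classify(body):
    """Map each reported AADSTS code to the resolution documented on this page."""
    return [KNOWN_CODES.get(code, f"AADSTS{code}: not covered on this page")
            for code in body.get("error_codes", [])]


def clock_skew_seconds(body, local_utc_at_failure):
    """Seconds the local clock is ahead (+) or behind (-) the token endpoint.

    The response 'timestamp' is the endpoint's UTC time. Comparing it with the local
    UTC time recorded when the failure was logged gives a rough skew estimate; it
    ignores network latency, so treat it as a prompt to check time sync, not as a
    precise measurement."""
    server = datetime.strptime(body["timestamp"], "%Y-%m-%d %H:%M:%SZ")
    server = server.replace(tzinfo=timezone.utc)
    return (local_utc_at_failure - server).total_seconds()


def triage(message, local_utc_at_failure):
    """Combine the three checks into one report for the operator."""
    body = extract_error_body(message)
    return {
        "error": body.get("error"),
        "codes": body.get("error_codes", []),
        "guidance": classify(body),
        "skew_seconds": clock_skew_seconds(body, local_utc_at_failure),
    }


# Constructed sample in the shape the page shows; the IDs are placeholders.
SAMPLE_ERROR = (
    "OAuth2Exception [toString()=connector.common.oauth2.OAuth2Exception: "
    "Unable to generate access token. Response returned:\n"
    '{"error":"invalid_grant","error_description":"AADSTS50008: The SAML token is invalid.'
    '\\r\\nTrace ID: 00000000-0000-0000-0000-000000000001\\r\\nCorrelation ID: '
    '00000000-0000-0000-0000-000000000002\\r\\nTimestamp: 2020-05-04 05:58:16Z",'
    '"error_codes":[50008],"timestamp":"2020-05-04 05:58:16Z",'
    '"trace_id":"00000000-0000-0000-0000-000000000001",'
    '"correlation_id":"00000000-0000-0000-0000-000000000002",'
    '"error_uri":"https://login.microsoftonline.com/error?code=50008"}\n]'
)

# Constructed: the local clock at the moment the failure was recorded, five
# minutes ahead of the endpoint's timestamp.
OBSERVED_LOCAL_UTC = datetime(2020, 5, 4, 6, 3, 16, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ERROR, OBSERVED_LOCAL_UTC).items():
        print(f"{key}: {value}")
```

A skew of a few minutes is enough to invalidate a SAML assertion's validity window, so a non-trivial value here is the first thing to rule out before touching certificates.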

Provisioning of Exchange attributes fails if account aggregation is in progress. The Exchange Online module supports a maximum of three sessions per user, which limits the number of operations that can run in parallel.
Resolution: The connector uses all three sessions while performing aggregation. To keep aggregation performance up, perform no other operation with the configured user while aggregation is running.

When new attributes are added to the account schema, Get Object / Account Aggregation fails with the following error message:
Error - 501 This operation target is not yet supported
Resolution: The Microsoft Graph API supports the following attributes only when retrieving a single user, not a collection of users:
- aboutMe
- birthday
- hireDate
- interests
- mySite
- pastProjects
- preferredName
- responsibilities
- schools
- skills
- mailboxSettings
Including these attributes while retrieving a collection of users causes the aggregation to fail. Check whether the newly added attributes appear in this list and remove them from the schema.

Update Account fails after new attributes are added to the provisioning policy.
Resolution: Due to API limitations, the following attributes cannot be used for updating user properties, nor for fetching a user's attributes through Account Aggregation or the Get Account operation:
Attributes: birthday, mySite, interests, pastProjects, preferredName, responsibilities, schools, skills and mailboxSettings

An unexpected 'PrimitiveValue' node was found when reading from the JSON reader. A 'StartArray' node was expected.
or
Invalid value for the Property
Resolution: Ensure that the data type of the attribute is specified correctly in the provisioning policy. For more information, refer to the Microsoft documentation.
Note
For the update account operation, the businessPhones attribute accepts only a single value, with the data type String collection.
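As an added example (not SailPoint's code) of the data-type check this resolution asks for, the Python functions below inspect the JSON body an update would send to Microsoft Graph and report values whose shape does not match the property's declared type, which is what produces the two error messages above. The businessPhones rule (a String collection that accepts only a single value on update) comes from this page; the other entries in the type map, the wording of the findings and the coercion behaviour are this example's assumptions, not a complete description of Graph's user properties.

```python
# Expected Microsoft Graph types for a few user properties. businessPhones is the
# case this page documents; the remaining entries are illustrative assumptions
# for this example, not a complete list (consult the Microsoft documentation).
STRING = "String"
STRING_COLLECTION = "String collection"
GRAPH_TYPES = {
    "businessPhones": STRING_COLLECTION,
    "otherMails": STRING_COLLECTION,
    "displayName": STRING,
    "jobTitle": STRING,
}


def check_update_payload(payload):
    """Return findings for values whose JSON shape does not match the Graph type.

    A scalar where a collection is expected is what triggers "An unexpected
    'PrimitiveValue' node was found ... A 'StartArray' node was expected"; a list
    or wrong scalar type where a String is expected surfaces as "Invalid value for
    the Property". An empty list means the payload passes this check."""
    findings = []
    for attr, value in payload.items():
        expected = GRAPH_TYPES.get(attr)
        if expected is None:
            findings.append(f"{attr}: type not in this check's map; verify it against the Microsoft documentation")
        elif expected == STRING_COLLECTION:
            if not isinstance(value, list):
                findings.append(f"{attr}: expected a JSON array (String collection), got {type(value).__name__}")
            elif not all(isinstance(item, str) for item in value):
                findings.append(f"{attr}: every element of the collection must be a string")
            elif attr == "businessPhones" and len(value) > 1:
                findings.append("businessPhones: the update operation accepts only a single value; send a one-element array")
        elif expected == STRING and not isinstance(value, str):
            findings.append(f"{attr}: expected a JSON string, got {type(value).__name__}")
    return findings


def coerce_update_payload(payload):
    """Fix the unambiguous cases: wrap a lone string for a String collection and
    unwrap a one-element list for a String. Everything else is passed through
    unchanged so that check_update_payload can report it."""
    fixed = {}
    for attr, value in payload.items():
        expected = GRAPH_TYPES.get(attr)
        if expected == STRING_COLLECTION and isinstance(value, str):
            fixed[attr] = [value]
        elif expected == STRING and isinstance(value, list) and len(value) == 1 and isinstance(value[0], str):
            fixed[attr] = value[0]
        else:
            fixed[attr] = value
    return fixed


if __name__ == "__main__":
    # Constructed payload carrying the two mistakes the errors above point at.
    draft = {"businessPhones": "+1 555 0100", "jobTitle": ["Analyst"], "displayName": "Jane Doe"}
    for finding in check_update_payload(draft):
        print("finding:", finding)
    repaired = coerce_update_payload(draft)
    print("coerced:", repaired)
    print("after coercion:", check_update_payload(repaired) or "ok")
```

Running the check against the provisioning policy's rendered body before the connector sends it turns a vague 400 from Graph into a per-attribute message you can act on.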

In cases where entitlement attributes (such as groups, roles, and servicePrincipals) are present in the account schema, add the max-thread-account-membership entry to the source configuration with a value of 6, 8, or 10, according to your requirements. The default value is 4.
Note
This entry is not used during delta aggregation.
For example:
<entry key="max-thread-account-membership" value="8"/>

SharedMailbox displays a Globally Unique Identifier (GUID) value instead of a readable DisplayName.
Resolution: Add the useDisplayNameForSharedMailbox entry with the value true:
<entry key="useDisplayNameForSharedMailbox">
  <value>
    <Boolean>true</Boolean>
  </value>
</entry>

When managing users and Service Principal Names (SPNs) as accounts under a single source, if the displayName attribute of the Account Schema is set to UserPrincipalName, you may see numeric values for SPN accounts instead of readable names.
Resolution: To display the correct SPN displayName, ensure that the mapSPNDisplayNameToUPN entry is set to true in the source XML configuration.
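The schema and configuration checks described on this page (single-user-only Graph attributes in the account schema, the max-thread-account-membership entry when entitlement attributes are present, useDisplayNameForSharedMailbox, and mapSPNDisplayNameToUPN) can be run against the source XML before a Test Connection. The Python script below is an added example written for this page, not SailPoint's code. It assumes a simplified application XML in which configuration lives in Map/entry elements (both the value="..." attribute form and the nested value/Boolean form that appear on this page) and the account schema is a Schema element with objectType="account" and AttributeDefinition children; the displayAttribute attribute on Schema, used to detect the UserPrincipalName display-name case, and the sample XML itself are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Attributes that Microsoft Graph returns only for a single-user GET; keeping
# them in the account schema breaks collection retrieval (501 during aggregation).
SINGLE_USER_ONLY = {
    "aboutMe", "birthday", "hireDate", "interests", "mySite", "pastProjects",
    "preferredName", "responsibilities", "schools", "skills", "mailboxSettings",
}
# Entitlement attributes whose presence calls for max-thread-account-membership.
ENTITLEMENT_ATTRS = {"groups", "roles", "servicePrincipals"}
DOCUMENTED_THREAD_VALUES = {"6", "8", "10"}


def entry_value(root, key):
    """Read an <entry key=...> from the Map, accepting both the value="..."
    attribute form and the nested <value><Boolean>...</Boolean></value> form."""
    entry = root.find(f".//entry[@key='{key}']")
    if entry is None:
        return None
    if entry.get("value") is not None:
        return entry.get("value")
    nested = entry.find("./value/*")
    return nested.text.strip() if nested is not None and nested.text else None


def audit_source(xml_text):
    """Return a list of findings; an empty list means nothing on this page applies."""
    root = ET.fromstring(xml_text)
    findings = []
    schema = root.find(".//Schema[@objectType='account']")
    attrs = {a.get("name") for a in schema.iter("AttributeDefinition")} if schema is not None else set()

    bad = sorted(attrs & SINGLE_USER_ONLY)
    if bad:
        findings.append("remove single-user-only attributes from the account schema: " + ", ".join(bad))

    if attrs & ENTITLEMENT_ATTRS:
        threads = entry_value(root, "max-thread-account-membership")
        if threads is None:
            findings.append("max-thread-account-membership not set (default 4); set 6, 8 or 10 when entitlement attributes are in the schema")
        elif threads not in DOCUMENTED_THREAD_VALUES:
            findings.append(f"max-thread-account-membership is {threads}; documented values are 6, 8 or 10")

    if entry_value(root, "useDisplayNameForSharedMailbox") != "true":
        findings.append("useDisplayNameForSharedMailbox is not true; set it if SharedMailbox shows GUIDs instead of DisplayName")

    display_attr = (schema.get("displayAttribute") or "").lower() if schema is not None else ""
    if display_attr == "userprincipalname" and entry_value(root, "mapSPNDisplayNameToUPN") != "true":
        findings.append("displayAttribute is userPrincipalName but mapSPNDisplayNameToUPN is not true; SPN accounts may show numeric values")
    return findings


# Constructed, simplified source XML for this example. The real SailPoint
# application XML carries more elements; only the shapes this page shows are used.
SAMPLE_XML = """<Application name="Entra ID (example)" type="Azure Active Directory">
  <Attributes>
    <Map>
      <entry key="max-thread-account-membership" value="8"/>
      <entry key="useDisplayNameForSharedMailbox">
        <value><Boolean>true</Boolean></value>
      </entry>
    </Map>
  </Attributes>
  <Schemas>
    <Schema objectType="account" displayAttribute="userPrincipalName">
      <AttributeDefinitions>
        <AttributeDefinition name="userPrincipalName" type="string"/>
        <AttributeDefinition name="displayName" type="string"/>
        <AttributeDefinition name="groups" type="string" multi="true" entitlement="true"/>
        <AttributeDefinition name="aboutMe" type="string"/>
      </AttributeDefinitions>
    </Schema>
  </Schemas>
</Application>"""

if __name__ == "__main__":
    for finding in audit_source(SAMPLE_XML):
        print("finding:", finding)
```

The sample deliberately contains aboutMe in the schema and omits mapSPNDisplayNameToUPN, so it produces exactly those two findings; the thread count and shared-mailbox entries pass.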