Troubleshooting

The following error message appears in many scenarios:

Exception while creating new PowerShell Session

Resolution: Perform the following:

1. Ensure that IQService and SharePoint Server are in the same domain.

2. Verify if maximum number of PowerShell users allowed for Application Users are not exceeding. Verify by executing the following command:

   Get-Item WSMan:\localhost\Shell\MaxShellsPerUser

   If the number is not adequate then increase the number. For example,

   Set-Item WSMan:\localhost\Shell\MaxShellsPerUser 50

3. Application Account has enough privileges as described in Application Account Permissions.

4. Allocate enough memory for PowerShell session. Verify memory space using the following command:

   Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB

   If number is not adequate then increase the number. For example:

   Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 256

The following error message appears when the user has exceeded the maximum number of concurrent shells:

The WS-Management service cannot process the request. This user is
allowed a maximum number of 5 concurrent shells, which has been exceeded. Close the existing shells or raise the quota for this user.

Resolution: Verify if maximum number of PowerShell users allowed for Application User are not exceeding by executing the following command:

Get-Item WSMan:\localhost\Shell\MaxShellsPerUser

If number is not adequate increase it. For example:

Set-Item WSMan:\localhost\Shell\MaxShellsPerUser 50

Resolution: Verify the following:

• If username and password are correctly entered.

• If this application user has enough access on SharePoint Server.

Resolution: Verify if SharePoint Server is accessible through IdentityIQ server through IQService. Verify if IP or hostname are resolving correctly.

Account aggregation fails with the following error message in IQService logs:

Site Collection Administrator for Site collection: is =>

Resolution: Run the following commands to get the user added as claim user:

$webapp=get-spwebapp -Identity "SITE_URL" $webapp.grantaccesstoprocessidentity(''DOMAIN\LOGON_USER")

The following error message appears while adding <account> into group - <group_name>:

The specified group does not exist.

Resolution: Ensure that the following points are satisfied in SharePoint Server environment:

1. Verify if group (<group_name>) exists in SharePoint Server.

2. If <group_name> exists, verify if it is residing in a subsite of a site collection and check prefix URL of <group_name> in entitlement catalog.

3. If group is residing in a subsite of site collection then set the following parameter in application debug page:

   <entry key="manageSubsites" value="true"/>

   Note
   After setting the manageSubsites parameter to true, SailPoint recommends performing account/group aggregation before performing any provisioning operation. For more information, refer to Additional Configuration Parameters.

Account or group aggregation fails with the following error message from IQService:

You can specify either include or exclude list of site collections but not both!

Resolution:

• Ensure that you have selected only Include Site Collections or Exclude Site Collections.

• Ensure that the application xml file has only one list of include or exclude site collections. If both lists are present then delete one of the lists and save the application xml file.

For successful aggregation, run account or group aggregation again.

Resolution: To avoid the data loss issue during account aggregation, user can change the default value of the pageSize as explained in the following example:

Current default Value of pageSize = 500 and userIndex = 5000 is set with formula as pageSize = 10% of userIndex, user can change the formula to pageSize = 5% of userIndex and observe the behavior.