Troubleshooting

If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

The following error message displays for any Windows Local application request:

Error returned from IQService:Unspecified Error

Resolution – Perform the following:

  1. Ensure that the managed system is up and accessible from IQService host.

  2. Ensure that the Username and Password provided in application configuration are correct.

  3. If the managed system is in a workgroup, the Guest Only option for Sharing and security model for local accounts in the local policy forces all incoming network file sharing connections to authenticate as Guest.

    To resolve this problem, complete the following:

    1. On the Windows Start menu, go to Start > Control Panel > Administrative Tools > Local Security Settings.

    2. In the left pane, expand Local Policies > Security options.

    3. In the right pane, double-click Network access: Sharing and security model for local accounts.

    4. Select Classic - local users authenticate as themselves and select OK.

  4. If the managed system is Windows Server 2003 Service Pack 2, then some Windows updates are missing from the system. Turn on Windows updates and install the latest updates.

  5. Ensure that exception for File and Printer Sharing in windows firewall is enabled.

  6. If the problem persists, restart IQService.

When the Remote registry service is not started on the Windows computer, the following error message displays:

Error returned from IQService: The network path was not found

Resolution – Ensure that Windows Service named, Remote Registry Service is started on the Windows managed system.

The following error message displays for any Windows Local connector operation after upgrading to the latest version from version 6.0 Patch 5 or below.

Unspecified Error

Resolution – Perform following:

  1. Go to: IdentityIQ Debug page.

  2. Select Application from the object browser.

  3. Select and open your application from the list.

  4. If a line exists with the following text as the starting text, then delete the line and save the application.

    "<entry key="domain""

The target Aggregation failed as one of the paths was not accessible.

Resolution – The continueOnError attribute must be set to true in the targetSource XML file to continue the target aggregation for other paths configured in the unstructured target configuration.

Provisioning operation fails with the following error when User Account Control (UAC) is enabled:

Access Denied

Resolution – Use one of the following options:

  • Turn off the user Account Control for Microsoft Windows Vista or later, by completing the following:

    1. For Microsoft Windows Vista, go to Control Panel > User Accounts > Turn User Account Control and change it to Off.

    2. For Microsoft Windows 7 onwards, go to Control Panel > User Accounts > User Accounts > Change User Account Control Settings, and set it to Never Notify.

  • For more granular control, without disabling the User Account Control, add the following entry in the Registry Editor with a key value of 1:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

IQService fails with the following error message when running an aggregation:

Attempted to read or write protected memory

Resolution – Perform one of the following solutions:

  • Solution 1 – Rename the app.config file from IQService installation directory to IQService.exe.config and add the following content in the file:

    Copy 
    <configuration>
    <runtime>
    <legacyCorruptedStateExceptionsPolicy enabled="true" />
    </runtime>
    </configuration>

    Save the file and restart IQService.

  • Solution 2 – This error message may also appear if Group Aggregation is performed and if the aggregated group has Foreign Security Principal as a member.

    Delete the group which has Foreign Security Principal as a member to complete the aggregation successfully.

Aggregation is getting successfully completed with 0 objects.

Resolution – Perform the following on your Windows Local managed system.

  1. Go to the group policy Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Restrict clients allowed to make remote calls to SAM.

  2. Select Edit Security to configure the Security descriptor:.

  3. Add Administrators in Group or user names: if it is not already listed (this is the default).

  4. Select Administrators in Group or user names:.

  5. Select Allow for Remote Access in Permissions for Administrators.

  6. Click OK.

  7. The Security descriptor: must be populated with O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.