Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
Resolution: Complete the following steps:
- Copy the IQService.zip file to the folder where you want to extract it.
- Right-click the zip file and check its properties.
- Select Unblock/Trust this zip file.
- Extract the zip file.
- Verify the DLLs are trusted by checking the properties of the DLL files.
To enable debug logs, complete the following:
- Open a command prompt and navigate to the IQService path.
- Enable IQService logging: iqservice -l 3 -f "C:\Sailpoint\IQService\iqtrace.log" (replace the path with your local IQService path).
- Restart IQService: iqservice -t
Note
The IQService trace logging correctly rolls the logs when performing bulk operations, using the maxFileSize attribute.
The following are possible causes of the error and their respective resolutions:
- The After Provisioning Rule task does not work while upgrading to a new version of IQService.
  Resolution: Ensure that the properties of the following IQService files are unblocked:
  - IQService.zip file
  - .dll files
  - .exe file
- The After Provisioning rule is executed even if the provisioning operation failed.
  Resolution: The IQService always executes the After Provisioning rule, irrespective of the provisioning operation result.
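The two unblock procedures above (the zip extraction steps and the After Provisioning Rule resolution) can be checked from PowerShell. This is an added example, not SailPoint code; the install path is an assumption, and the script only reports unless -Unblock is passed.

```powershell
# Added example (not SailPoint code): find IQService files that still carry the
# Windows "downloaded from the Internet" mark and optionally unblock them.
param(
    [string]$IQServiceDir = 'C:\Sailpoint\IQService',  # assumed install path
    [switch]$Unblock                                    # report only unless set
)

function Get-BlockedFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.zip', '.dll', '.exe' } |
        ForEach-Object {
            $file = $_
            # The block mark lives in the Zone.Identifier alternate data stream.
            $ads = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if (-not $ads) { return }   # no stream: file is not blocked
            $zone = $null
            foreach ($line in Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier') {
                if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
            }
            # ZoneId 3 = Internet, 4 = Restricted sites
            [pscustomobject]@{ File = $file.FullName; ZoneId = $zone }
        }
}

$blocked = @(Get-BlockedFile -Path $IQServiceDir)
if ($blocked.Count -eq 0) {
    Write-Output "No blocked .zip/.dll/.exe files under $IQServiceDir"
    return
}
$blocked | Format-Table -AutoSize

if ($Unblock) {
    $blocked | ForEach-Object { Unblock-File -LiteralPath $_.File }
    $left = @(Get-BlockedFile -Path $IQServiceDir)
    Write-Output "Unblocked $($blocked.Count - $left.Count) of $($blocked.Count) files"
}
```

Unblocking the zip before extraction keeps the mark from being copied to every extracted DLL and EXE, which is why the steps above unblock the archive first.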
The following error message is displayed while performing IQService operations:
The given path's format is not supported
Resolution: Ensure that the tracefile registry key of IQService does not contain an extra double quote at the beginning or end of the key string.
After upgrading, when a load balancer is configured, the following error is displayed:
Please check TLS configuration for IQService: java.security.cert.CertificateException: No subject alternative DNS name matching <fqdn > found
Resolution: Execute the following command: IQservice -m <fully qualified FQDN name for loadbalancer>
The IQService machine displays the following error:
Exception occurred in executing the script : The system cannot find the file specified
The following issues can cause this error to be displayed:
- The absolute path of powershell.exe is not set as an environment variable on the IQService machine.
- The absolute path is provided but the file itself is missing.
- A dependent file that is used in the script is missing.
Resolution: Complete the following, moving down the list until you have resolved your issue:
- Check if the powershell.exe path is set in the environment variable on the IQService host machine.
- Try the operation by providing the powershell.exe absolute path in the current rule.
- Verify you have all of the files associated with the script in place.
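The three checks above, run on the IQService host, as an added example that is not SailPoint code. The -ScriptFiles parameter is a hypothetical list of the files your rule's script depends on; the default powershell.exe location is the standard Windows PowerShell path.

```powershell
# Added example (not SailPoint code): checks the three causes listed above.
param(
    # Hypothetical list: files your rule's script reads or dot-sources.
    [string[]]$ScriptFiles = @()
)

function Find-InMachinePath {
    param([string]$Exe = 'powershell.exe')
    # The machine-level PATH is what every account on the host inherits,
    # including the account the IQService runs under.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';')) {
        if (-not $dir.Trim()) { continue }
        $full = Join-Path ([Environment]::ExpandEnvironmentVariables($dir.Trim())) $Exe
        if (Test-Path -LiteralPath $full -PathType Leaf) { $full }
    }
}

# Cause 1: powershell.exe not reachable through the environment variable.
$hits = @(Find-InMachinePath)
if ($hits.Count -gt 0) {
    Write-Output "powershell.exe resolves via machine PATH: $($hits[0])"
} else {
    Write-Output 'powershell.exe is NOT reachable through the machine PATH'
}

# Cause 2: absolute path given in the rule, but the file is missing.
$default = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
if (Test-Path -LiteralPath $default -PathType Leaf) {
    Write-Output "Absolute path to use in the rule: $default"
} else {
    Write-Output "Missing file: $default"
}

# Cause 3: a file the script depends on is missing.
$missing = @($ScriptFiles | Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) })
foreach ($f in $missing) { Write-Output "Missing dependent file: $f" }
if ($ScriptFiles.Count -gt 0 -and $missing.Count -eq 0) {
    Write-Output 'All listed script files are present'
}
```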
The configured IQService port and IP should be allowed between the IIQ Server/VA and the IQService host.
Resolution: The IQService port (either Non-TLS or TLS) should be allowed through the firewall from the IdentityIQ Server or Virtual Appliance (VA) to the IQService host to avoid connection errors with IQService.
The following error occurred in IQTrace logs from Load Balancer:
ERROR : "An Exception occurred while accepting new client request from :10.51.135.252:51398. Error : An Exception occurred while accepting new client request :System.IO.IOException: Authentication failed because the remote party has closed the transport stream. at sailpoint.rpcserver.RpcHandler.AuthenticateServer(X509Certificate2 serverCertificate, SslProtocols sslprotocol, Boolean initialCall) at sailpoint.rpcserver.RpcHandler..ctor(Hashtable services, Hashtable registry, TcpClient client, String port, Boolean useTLS, String subject, String tlsVersion, String registeredClients)
This error usually occurs when TLS for IQService is load balanced through a load balancer.
Resolution: Run the following command as an Administrator from a command prompt: IQService.exe -w 10.51.135.252
and restart the service using the command IQService.exe -t.
The following error is displayed when testing the connection:
Client authentication failed with error - The filename or extension is too long.
Resolution:
- Retrieve the current XML configuration:
  - Use the GET API to get the current XML configuration: Get Source by ID
  - This will return the XML configuration for the Active Directory connector.
- Update the XML configuration:
  - Copy the retrieved XML to a text editor.
  - Locate the line containing: "templateApplication": "Active Directory Template",
  - Immediately after this line, add the following new line: "encrypted": "forestAdminPassword,IQServicePassword",
- Perform a PUT request:
  - Copy the entire edited XML to the body of a new API request.
  - Send a PUT request to update the connector: Update Source
- Verify the connection:
  - After updating the configuration, test the Active Directory connection again.
  - You should no longer see the error message: Client authentication failed with error - The filename or extension is too long.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
TLS Communication
Resolution: Ensure that:
- The certificate is imported into the keystore that IdentityIQ references.
- Communication has been established between the IQService computer and IdentityIQ, and the DNS settings are correct.
- The data for the IQService Port field is added only when you select the Use TLS for IQService checkbox.
- (For Windows Operating System) TLS 1.2 is enabled under registry editor (regedit) on the server where IQService is installed.
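The TLS 1.2 registry check from the last item can be read with PowerShell instead of regedit. This is an added example, not SailPoint code; the key path is the standard Windows SCHANNEL location and is not quoted from this page.

```powershell
# Added example (not SailPoint code): report the SCHANNEL TLS 1.2 registry state
# on the IQService host. Read-only; it changes nothing.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-Tls12State {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $key = Join-Path $Base $Role
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $enabled = $props.Enabled                      # DWORD, 0 = off, non-zero = on
        $disabledByDefault = $props.DisabledByDefault  # DWORD, 1 = off unless requested
    }
    # Absent values mean the OS default applies; TLS 1.2 is on by default
    # from Windows Server 2012 onward.
    $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
        'Not set (OS default applies)'
    } elseif ($enabled -eq 0) {
        'Disabled'
    } elseif ($disabledByDefault -eq 1) {
        'Disabled by default'
    } else {
        'Enabled'
    }
    [pscustomobject]@{
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

# IQService accepts the TLS connection, so the Server row is the one that
# matters for it; the Client row is shown for completeness.
'Server', 'Client' | ForEach-Object { Get-Tls12State -Role $_ } | Format-Table -AutoSize
```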
During aggregation, IQService fails with the following error message:
Attempted to read or write protected memory.
Resolution: Perform the following:
- Rename the app.config file in the IQService installation directory to IQService.exe.config and add the following content to the file:
  <configuration>
    <runtime>
      <legacyCorruptedStateExceptionsPolicy enabled="true" />
    </runtime>
  </configuration>
- Save the IQService.exe.config file and restart IQService.
The following error occurred in IQTrace logs from Load Balancer:
ERROR : "An Exception occurred while accepting new client request from :10.51.135.252:51398. Error : An Exception occurred while accepting new client request :System.IO.IOException: Authentication failed because the remote party has closed the transport stream. at sailpoint.rpcserver.RpcHandler.AuthenticateServer(X509Certificate2 serverCertificate, SslProtocols sslprotocol, Boolean initialCall) at sailpoint.rpcserver.RpcHandler..ctor(Hashtable services, Hashtable registry, TcpClient client, String port, Boolean useTLS, String subject, String tlsVersion, String registeredClients)"
This error usually occurs when TLS for IQService is load balanced through a load balancer.
Resolution: Run the following command as an Administrator from a command prompt: IQService.exe -w 10.51.131.252
and restart the service using the command IQService.exe -t.
Client Authentication
Resolution: Perform the following, depending on the scenario:
- If the IQService User is not registered, ensure that you have registered the IQService User on the IQService computer using the following command: IQService -a username
- If the IQService User is registered, ensure that the user has provided the correct IQService User or Password and that the Username registered in IQService and in the Application UI are in the same format.
The password for the IQService User may have expired.
Resolution: Change the password for IQService User at next logon.
Resolution: Change the password for IQService User.
Resolution: Ensure that IQService user is not locked.
Resolution: Ensure that IQService User is not locked.
This error message appears when the IQService User has logon hours enabled and the user is trying to perform an operation outside the defined logon hours.
Resolution: Ensure that the logon hours are correctly configured.