Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

The following error message appears in many scenarios:
Exception while creating new PowerShell Session
Resolution: Perform the following:
- Ensure that IQService and SharePoint Server are in the same domain.
- Verify that the maximum number of PowerShell shells allowed for the Application User is not exceeded. Check the current value by executing the following command:
  Get-Item WSMan:\localhost\Shell\MaxShellsPerUser
  If the number is not adequate, increase it. For example:
  Set-Item WSMan:\localhost\Shell\MaxShellsPerUser 50
- Ensure that the Application Account has enough privileges, as described in Application Account Permissions.
- Allocate enough memory for the PowerShell session. Check the current memory limit using the following command:
  Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB
  If the number is not adequate, increase it. For example:
  Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 256

The following error message appears when the user has exceeded the maximum number of concurrent shells:
The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close the existing shells or raise the quota for this user.
Resolution: Verify that the maximum number of PowerShell shells allowed for the Application User is not exceeded by executing the following command:
Get-Item WSMan:\localhost\Shell\MaxShellsPerUser
If the number is not adequate, increase it. For example:
Set-Item WSMan:\localhost\Shell\MaxShellsPerUser 50
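
Added example (not part of the SailPoint documentation): before raising the quota, this PowerShell lists which accounts hold the open WinRM shells on the SharePoint server and how each compares with MaxShellsPerUser. It assumes an elevated session on that server; the 30-minute idle threshold is an illustrative value.

```powershell
# Added example: report open WinRM shells per owner against the per-user quota.
# Run from an elevated PowerShell prompt on the SharePoint server.
$quota = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
$idleThreshold = New-TimeSpan -Minutes 30   # illustrative value, adjust as needed

# One object per shell currently open on this host.
$shells = @(Get-WSManInstance -ResourceURI shell -Enumerate)

$shells | Group-Object -Property Owner | Sort-Object Count -Descending | ForEach-Object {
    # ShellInactivity is an ISO 8601 duration such as P0DT0H12M3S.
    $idle = @($_.Group | Where-Object {
        [System.Xml.XmlConvert]::ToTimeSpan($_.ShellInactivity) -gt $idleThreshold
    })
    [pscustomobject]@{
        Owner      = $_.Name
        OpenShells = $_.Count
        Quota      = $quota
        AtLimit    = $_.Count -ge $quota
        IdleShells = $idle.Count
        ClientIPs  = ($_.Group.ClientIP | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

If the Application User is at the limit mostly with idle shells, sessions are being left open, and closing them addresses the error without widening the quota for every user on the host.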

Resolution: Verify the following:
- The username and password are entered correctly.
- The application user has enough access on SharePoint Server.

Resolution: Verify that SharePoint Server is accessible through IQService and that the IP address or hostname resolves correctly.

Account aggregation fails with the following error message in IQService logs:
Site Collection Administrator for Site collection: is =>
Resolution: Run the following commands to add the user as a claim user:
$webapp = Get-SPWebApplication -Identity "SITE_URL"
$webapp.GrantAccessToProcessIdentity("DOMAIN\LOGON_USER")

The following error message appears while adding <account> into group - <group_name>:
The specified group does not exist.
Resolution: Ensure that the following points are satisfied in the SharePoint Server environment:
- Verify that the group (<group_name>) exists in SharePoint Server.
- If <group_name> exists, verify whether it resides in a subsite of a site collection and check the prefix URL of <group_name> in the entitlement catalog.
- If the group resides in a subsite of a site collection, correctly set up the Manage Subsites field.

Account or group aggregation fails with the following error message from IQService:
You can specify either include or exclude list of site collections but not both!
Resolution:
- Ensure that you have selected only Include Site Collections or Exclude Site Collections.
- Ensure that the application xml file has only one list of include or exclude site collections. If both lists are present, delete one of the lists and save the application xml file.
For successful aggregation, run account or group aggregation again.

Resolution: To avoid data loss during account aggregation, the user can change the default value of pageSize, as explained in the following example:
The current default values are pageSize = 500 and userIndex = 5000, set with the formula pageSize = 10% of userIndex. The user can change the formula to pageSize = 5% of userIndex and observe the behavior.

Test connection or Account Aggregation fails with the following error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
This issue can occur due to incorrect authentication settings or insufficient permissions for the service account running the aggregation process.
Resolution: From the IQService host, run the following commands to check communication with the SharePoint server:
- Start a remote PowerShell session to a SharePoint server using default authentication and specified credentials.
  $t = New-PSSession "DNSnameOfSpServer" -Authentication Default -Credential "sp2k19\sp2k19"
- Run the following command to work in the remote PowerShell session as if you were logged into the server directly.
  Enter-PSSession -Session $t
- Add the SharePoint PowerShell snap-in to your current session to perform various administrative tasks.
  Add-PSSnapin Microsoft.SharePoint.PowerShell
- List all site collections or get details about a specific site collection.
  Get-SPSite
- If the command fails, try using -Authentication CredSSP instead of -Authentication Default. This allows you to run commands on a remote server that access resources on another remote server. In the application debug page, ensure that the authentication key is set to CredSSP:
  <Key="Authentication" value="CredSSP">
  The connector uses CredSSP authentication by default. If the authentication key was previously set to Default, it may cause the aggregation to fail.
- Verify that the service account under which the IQService is running has sufficient permissions to execute the Get-SPSite command. If the service account does not have the necessary permissions, change the account's logon settings for the IQService.
- Test the connection and perform account aggregation again.
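
Added example (not part of the SailPoint documentation): the manual check above as a non-interactive script that tries Get-SPSite over both Default and CredSSP authentication and reports which one succeeds. The function name Test-SpRemoting is hypothetical, and DNSnameOfSpServer is the same placeholder used in the steps above.

```powershell
# Added example: run from the IQService host.
$SpServer = 'DNSnameOfSpServer'                 # placeholder from the steps above
$cred     = Get-Credential -Message 'Application account'

function Test-SpRemoting {                      # hypothetical helper name
    param(
        [string]$ComputerName,
        [pscredential]$Credential,
        [ValidateSet('Default', 'CredSSP')][string]$Authentication
    )
    $session = $null
    try {
        $session = New-PSSession -ComputerName $ComputerName -Credential $Credential `
                                 -Authentication $Authentication -ErrorAction Stop
        # Get-SPSite makes a second hop to the SharePoint database, which is
        # where 'NT AUTHORITY\ANONYMOUS LOGON' appears if credentials are not delegated.
        $count = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
            @(Get-SPSite -Limit All -ErrorAction Stop).Count
        }
        [pscustomobject]@{ Authentication = $Authentication; Success = $true
                           Detail = "$count site collection(s) returned" }
    }
    catch {
        [pscustomobject]@{ Authentication = $Authentication; Success = $false
                           Detail = $_.Exception.Message }
    }
    finally {
        # Always release the shell so the test does not count against MaxShellsPerUser.
        if ($session) { Remove-PSSession -Session $session }
    }
}

'Default', 'CredSSP' |
    ForEach-Object { Test-SpRemoting -ComputerName $SpServer -Credential $cred -Authentication $_ } |
    Format-List

# Show the CredSSP client/server delegation settings on this host (requires elevation).
Get-WSManCredSSP
```

A result where Default fails and CredSSP succeeds indicates the connector's authentication key should be CredSSP; if both fail, check the account's permissions for Get-SPSite as described in the steps above.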