Identity Broker Forum


+1
Answered

Entity in IdB connector and adapter but does not exist in target directory

Carol Wapshere 3 years ago in PowerShell connector • updated by anonymous 3 years ago 3

IdB 5, PowerShell connector, target system is RedHat LDAP.


There are three objects which exist as entities in the IdB connector and adapter but do not exist in LDAP. FIM is trying to update them and we're getting "Object does not exist" errors back from LDAP.


Connector Full Imports have been run. I turned on the verbose logging I'd added to the script which lists the DN of every object found by the Import script and these objects are not listed. I can't see any errors in the IdB log and the Full Import appears to have completed successfully.


So the question is, if they were not imported in a connector full import, shouldn't the entities have been removed from IdB?

Answer
anonymous 3 years ago

Looking at the logs shows that there were exported entities during the full import. The import logic is designed to not delete entities that are added whilst an import is occurring, as it has no way of knowing whether the end system is omitting the entry because it was deleted immediately or because it’s just not available yet for the import (e.g. snapshot or read copy/write copy style systems).

0
Completed

Feature Request: Logging from PowerShell Connector

Bob Bradley 2 weeks ago in PowerShell connector • updated 2 weeks ago 2

The ability to write directly to the Identity Broker logs - such that any Broker log writer can be employed to pick this up apart from the default - is highly desirable.

Such a feature would avoid the need for the current practice of logging to custom log files using either custom code or various logging libraries.

Answer

Hi Bob, 

This is already available. See this knowledge page for details:

https://voice.unifysolutions.net/knowledge-bases/7/articles/2917-powershell-connector-logger

0
Under review

Feature Request: Debug Capability for PowerShell Connector

Bob Bradley 2 weeks ago in PowerShell connector • updated by Matthew Davis (Engineering Manager) 2 weeks ago 1

Presently debugging a PowerShell connector script requires extensive use of logging.

While the above is still going to be necessary, the ability to attach a PowerShell ISE session to a PowerShell process to allow step-throughs and breakpoints is highly desirable.

0
Fixed

Duplicate Error on DN in PowerShell script

Daniel Walters 4 weeks ago in PowerShell connector • updated by Beau Harrison 4 weeks ago 10

I have a PowerShell connector that is pulling two attributes, DN and another one. DN is the key and it's throwing errors saying "An item with the same key has already been added". This isn't possible because DN is unique. Here is the Import All script:

    Import-Module ActiveDirectory

    $server = "Dcbr2wdc1"
    $searchBase = "ou=Users,ou=dams,dc=internaldmz-dev,dc=local"

    $users = Get-ADUser -Server $server -SearchBase $searchBase -Properties DistinguishedName, msDS-UserPasswordExpiryTimeComputed -Filter {PasswordNeverExpires -eq $false}

    foreach ($user in $users)
    {
        $entity = $entities.Create()
        $entity["ADDN"] = $user.DistinguishedName
        $entity["ComputedPasswordExpiry"] = $user.'msDS-UserPasswordExpiryTimeComputed'
        $entity.Commit()
    }

and here is the schema

    New-Field 'ADDN' 'string' $true $false $true;
    New-Field 'ComputedPasswordExpiry' 'string' $false $false $false;
    # name type key read-only required

I tried writing the DNs to a file in the script and just got a list of DNs, no obvious duplicate. Attached the log and connector config.

0
Answered

Import from connector failed with reason User Not Found. User: None

Tom Parker 3 months ago in PowerShell connector • updated by Beau Harrison 3 months ago 5

Hi, is there any guidance on what this error means? I'm getting it on imports on a PowerShell connector. I assumed that it meant it's trying to commit an entity that's missing some attribute, but the code seems to be correct. Snippet and error follow.

Only ID is a required attribute.

Relevant part of import.ps1


    if ($msoluser.ImmutableID)
    {
        ## Create or update IdB entity
        $entity = $entities.Create()
        $entity['ID'] = $msoluser.ImmutableID
        $entity['UPN'] = $msoluser.UserPrincipalName
        $entity['isLicensed'] = $msoluser.isLicensed
        $entity['Alumni'] = $Alumni
        $entity['UserStatus'] = $UserStatus
        $entity['CheckLicense'] = $CheckLicense
        $entity.Commit()
    }

Error in IDB logs:

Import changes from connector Office 365 Student Connector failed with reason User Not Found.  User: none.. Duration: 00:45:45.8101253
Error details:
Microsoft.Online.Administration.Automation.MicrosoftOnlineException: User Not Found.  User: none.
   at Unify.Product.IdentityBroker.PowerShellConnector.d__30.MoveNext()
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.ActionOnExceptionEnumerator`1.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.ChangeDetectionEntityPollJob.RunBase()
   at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
   at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass33_0.b__0()
   at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
Answer
Beau Harrison 3 months ago

Hi Tom, based on the exception type it looks like an exception generated by the Microsoft code that's fetching a user.

Microsoft.Online.Administration.Automation.MicrosoftOnlineException: User Not Found.  User: none.

Using the PowerShell logger to add additional logging around key parts of the script should help you confirm this and debug further.

0
Answered

Error occurs once per page "Cannot access destination table 'EntityValueOrigin'"

Tom Parker 6 months ago in PowerShell connector • updated 5 months ago 5

Once per page on export the following error occurs. There doesn't appear to be any impact from the error as the user is provisioned correctly by PowerShell and they also appear correctly in UNIFYBroker. They also appear in both the "adds" section of MIM and the "errors" section under "unexpected-error". The following stack trace appears in the Identity Broker logs.

We very recently upgraded from 5.0.3 but we are unsure if that's related.

UNIFYBroker Version: 5.1.0 Revision #2

MIM Version: 4.4.1749.0


System.InvalidOperationException: Cannot access destination table 'EntityValueOrigin'. ---> System.Data.SqlClient.SqlException: Invalid object name 'EntityValueOrigin'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlBulkCopy.RunParser(BulkCopySimpleResultSet bulkCopyHandler)
at System.Data.SqlClient.SqlBulkCopy.CreateAndExecuteInitialQueryAsync(BulkCopySimpleResultSet& result)
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalRestAsync(CancellationToken cts, TaskCompletionSource`1 source)
--- End of inner exception stack trace ---
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalRestAsync(CancellationToken cts, TaskCompletionSource`1 source)
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalAsync(CancellationToken ctoken)
at System.Data.SqlClient.SqlBulkCopy.WriteRowSourceToServerAsync(Int32 columnCount, CancellationToken ctoken)
at System.Data.SqlClient.SqlBulkCopy.WriteToServer(DataTable table, DataRowState rowState)
at Unify.Product.IdentityBroker.EntityValueOriginContext.InsertItems(ISet`1 addedItems, EntityValueOriginDataContext sourceContext, SqlConnection connection)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.OriginInformationProcessor.RunBase()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal

Answer
Curtis Lusmore 6 months ago

Please run the Database upgrade script, located in the Database sub-directory of the Identity Broker installation directory.

0
Answered

PowerShell Connector continuing to run script after MIM says run is complete

Tom Parker 6 months ago in PowerShell connector • updated by Bob Bradley 6 months ago 4

It looks like a PowerShell MA's script is continuing to run well after the MA in MIM says the run has been completed. Is this a known thing which happens or is intended, or is it a bug?

UNIFY Broker Version: v5.1.0 Revision #2
MIM Version 4.4.17849.0

AddUser powershell code: D:\ADProvisioning.Powershell\UserAdd.ps1

Note: The code was previously "& D:\ADProvisioning.Powershell\UserAdd.ps1" but I changed it because I didn't understand the intent of running it as a separate process and to simplify the problem solving process. The issue still occurred when


Before running the export:

No log in file explorer yet for the AD Provisioning Export.

After running the export

All the errors are ma-extension-error, which may be genuine as the script I'm writing is still being worked on.

Here's the number of users steadily increasing

Here's the export log continuing to be updated after the run has been finished.



I can make the script I'm running available on request.

Answer
Curtis Lusmore 6 months ago

The issue turned out to be that the MIM Agent is timing out. Please see https://voice.unifysolutions.net/knowledge-bases/7/articles/3364-unifybrokermicrosoft-identity-manager-configuration for details on configuring the timeout. Please note in particular that bulk exports use only a single request per page (the Page Size setting), so you will need to either decrease the page size, increase the timeout, or improve the performance of the PowerShell script.

0
Answered

All objects reported as changed on import

Boyd Bostock 8 months ago in PowerShell connector • updated by Matthew Davis (Engineering Manager) 2 months ago 9

When a Full Import on a Connector is performed, all entities are reported as having changed data every time the import is run. This is causing issues as processing time is longer than necessary and Adapter processing can queue up during peak times.

The Connector in question has a large number of attributes including several multivalued fields. All multivalued fields are sorted and uniqueness is enforced so I do not believe any attributes are changing.

I have cleared the Adapter and Connector and it still occurs, the same Connector and Adapter is run on another server and does not experience the same issue.

Is there a way to determine which attribute is being reported as changed?

0
Answered

PowerShell connector intermittently hanging on Polling import

Carol Wapshere 8 months ago in PowerShell connector • updated by Beau Harrison 8 months ago 10

I have an intermittent problem with particular PowerShell connectors that intermittently hang on the Polling import - in that the connector displays as running the polling import for days, from the logs nothing is happening, and the only way to stop it is to restart the IDB service.

I have three connectors that connect to Exchange (two different Exchange environments), and we have seen the problem on all three connectors, in all three environments (dev, test, prod). I have other PowerShell connectors that do not have this problem. We have also never seen the problem on the Import All.

The three connectors run the same script, just with different parameters. I have added detailed logging for Polling runs and can't find a pattern - the log files stop at different places. Sometimes it's while collecting data from Exchange, but just as often it's after the script has closed the connection to Exchange and is looping through updating the entities in IDB.

Is there any way to enforce a timeout in the PowerShell connector?

Answer
Curtis Lusmore 8 months ago

Hi Carol,

There isn't currently any way to enforce a timeout in the PowerShell connector. If the commands which hang don't have convenient timeout flags, you could try using Start-Job and Wait-Job.
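
The Start-Job / Wait-Job approach suggested in the answer above, shown as an added example; it is not code from this thread or from the product. Invoke-WithTimeout, the sample script block and the 60-second limit are hypothetical, and the example assumes the step that hangs can run in a separate process and return plain data.

```powershell
# Added example: Invoke-WithTimeout is a hypothetical helper, not a connector API.
function Invoke-WithTimeout {
    param(
        [Parameter(Mandatory = $true)] [scriptblock] $ScriptBlock,
        [object[]] $ArgumentList,
        [int] $TimeoutSeconds = 300
    )

    $jobParams = @{ ScriptBlock = $ScriptBlock }
    if ($PSBoundParameters.ContainsKey('ArgumentList')) {
        $jobParams['ArgumentList'] = $ArgumentList
    }

    # Start-Job runs the block in a separate PowerShell process.
    $job = Start-Job @jobParams
    try {
        # Wait-Job returns the job once it finishes, or nothing if the timeout elapses first.
        if (-not (Wait-Job -Job $job -Timeout $TimeoutSeconds)) {
            Stop-Job -Job $job
            throw "Step exceeded $TimeoutSeconds seconds and was stopped."
        }
        # Output comes back as deserialized copies; errors raised in the job are rethrown here.
        Receive-Job -Job $job -ErrorAction Stop
    }
    finally {
        # Always clean up so stopped or failed jobs do not accumulate in the session.
        Remove-Job -Job $job -Force
    }
}

# Constructed stand-in for the data-gathering step (the remote query that sometimes hangs).
$gatherStep = {
    param($count)
    1..$count | ForEach-Object { [pscustomobject]@{ Id = "user$_" } }
}

try {
    $rows = Invoke-WithTimeout -ScriptBlock $gatherStep -ArgumentList 3 -TimeoutSeconds 60
    # Entity creation stays in the connector's own session, because objects such as
    # $entities are not available inside the job's process.
    foreach ($row in $rows) {
        Write-Output "Would commit entity for $($row.Id)"
    }
}
catch {
    # Fail the run with a clear message rather than hanging indefinitely.
    throw "Polling import aborted: $($_.Exception.Message)"
}
```

Only the out-of-process step is bounded by the timeout; a hang inside the entity update loop itself is not covered by this pattern.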

0
Answered

The network path was not found

I suddenly have an error with a connector that is one of three identical PowerShell connectors (same underlying scripts, just different parameters specifying target domain). The data gathering part of the script is working fine. The script is also getting through the entire entity creation loop (I have dropped detailed logs), but is then failing after that (i.e. at the end of the script) with 0 entities created.

This is the error reported in the IdB log:

Change detection engine import all items failed.
Change detection engine import all items for connector PowerShell HomeFolder Protected failed with reason One or more errors occurred.. Duration: 00:08:50.4965198
Error details:
System.AggregateException: One or more errors occurred. ---> System.ComponentModel.Win32Exception: The network path was not found
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.PowerShellConnector.d__30.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.AuditReadingConnectorDecorator.GetAllEntities(IStoredValueCollection storedValues, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.EventNotifierReadingConnectorDecoratorBase`1.GetAllEntities(IStoredValueCollection storedValues, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #1) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #2) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #3) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #4) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #5) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #6) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #7) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #8) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---

---> (Inner Exception #9) System.ComponentModel.Win32Exception (0x80004005): The network path was not found<---
Answer

Thanks for the update Carol. It is strange that it's saving the error until the end of the script - we'll do some investigation to see if we can work out why that's happening.