Identity Broker Forum
Broker Plus Incompletes in sync from adapter to locker
I'm getting this in the log files:
Request to sync adapter to locker completed.
Sychronization job completed syncing 524 changes on the 'Active Directory to Person' link from the adapter to the locker. Delayed: 0 Incomplete :524 Denied: 0 Job ID <guid> Duration <time>
What does the incomplete status mean?
Looks like that link is not configured to provision. Is your locker empty? If the link doesn't provision and there is nothing to join onto, then that will also count as incomplete.
"Active Directory User to Person" Link is processing a Locker and creating an Outgoing Change even though there is no corresponding linked (or able to be linked) Adapter object and Outgoing Provisioning is disabled
I am using Broker/Plus to only join to objects from Aurion to AD, and not to provision (i.e. Outgoing Provisioning is disabled). For a user in Aurion (with corresponding Locker record) where there is no corresponding AD record (i.e. the join criteria are not met for any existing AD adapter objects) the Link still reports an Outgoing Change for that object.
I have 7 Lockers:
I have four users in AD:
When I run a Baseline Synchronization on the AD Link, I see this:
Note that there are 7 Outgoing Changes, even though there are only 4 objects in the AD Adapter, and Provisioning is disabled so it should not be provisioning new ones.
Log file attached:
Hi Adrian,
This is the intended behaviour. As the information message states:
... Ensure that either the field/s used in the join rules are correctly mapped or, if this link is not responsible for provisioning, the joining entities already exist. ...
Meaning that of the 7 entities being synchronized, 4 were OK since the mapped adapter entities existed. The remaining 3 have no mapped adapter entities, and cannot provision them since that is disabled, so are considered incomplete and not processed.
As long as the intended behaviour is for those three entities to not be synchronized, then you can ignore that information message.
Outgoing Provisioning tasks run even when Outgoing Provisioning is disabled
In Broker/Plus, outgoing provisioning tasks are run even when the outgoing provisioning flag is disabled.
That task can be used for out of band provisioning operations. Since the configuration flag only turns off object provisioning via the target adapter (and not any out-of-band provisioning activities that the task performs) the flag isn't as useful as it could be and the flag operates in a manner that may be contrary to user expectations.
Broker/AD fails to create new user objects with error "UnwillingToPerform ... Message: 0000052D: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM)"
I will attach the Extensibility files. This used to work, but some configuration change has caused it to stop working now. Reverting is not an option as there have been many changes and this project is under time constraints to deliver ASAP.
Was confirmed to be an issue with the outgoing entity data.
Configuration help populating manager attribute in AD in UNIFYAssure for Aurion
In my Broker/Plus environment (based on UNIFYAssure for Aurion) I am trying to synchronise the manager attribute to AD but seeing the following error:
My configuration has an Aurion connector/adapter -> Link -> Locker -> Link -> AD connector/adapter in a standard setup.
The Manager attribute in the Aurion adapter is calculated via a DN join:
Here's an example, looks correct.
I synchronise the Manager attribute from the Aurion Adapter to the Locker:
It looks correct in the Locker:
Then from the Locker to the AD Adapter:
Here's the AD Adapter configuration:
When I attempt a Baseline Synchronisation on the AD Link this is what I see, and the error above appears in the log file:
Can you please tell me what I need to do to get the synchronisation of the manager attribute to work correctly from the Locker to the AD Adapter?
You can construct the appropriate DN in PowerShell, either as a transformation on the Aurion adapter or as a synchronization task.
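As an added illustration of the reply above (example code, not UNIFY's or the product's own), the following PowerShell builds a manager DN from a name and a container with RFC 4514 escaping, so a manager name that contains a comma or another DN-special character cannot produce a malformed or misdirected reference. The `$joinedEntities` loop and the `SourceEntity`/`TargetEntity` property names follow the snippet elsewhere on this page; the `ManagerDisplayName` field, the container DN and the choice of `manager` as the target attribute are assumptions.

```powershell
# Added example, not UNIFY's code. Builds an RFC 4514-compliant manager DN
# from a display name and a container and writes it to the target entity.

function ConvertTo-EscapedRdnValue {
    # Escape the characters RFC 4514 section 2.4 reserves inside an RDN value:
    # , + " \ < > ; anywhere, # or space at the start, space at the end.
    param([Parameter(Mandatory)][string]$Value)
    $special = ',+"\<>;'
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = [string]$Value[$i]
        $escape = ($special.IndexOf($c) -ge 0) -or
                  ($i -eq 0 -and ($c -eq '#' -or $c -eq ' ')) -or
                  ($i -eq $Value.Length - 1 -and $c -eq ' ')
        if ($escape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    return $sb.ToString()
}

function New-ManagerDn {
    # Compose "CN=<escaped name>,<container>"; the container is trusted
    # configuration, the name is data and is escaped.
    param(
        [Parameter(Mandatory)][string]$ManagerCn,
        [Parameter(Mandatory)][string]$ContainerDn
    )
    return "CN=$(ConvertTo-EscapedRdnValue -Value $ManagerCn),$ContainerDn"
}

# Assumed container for manager accounts (constructed value).
$managerContainer = 'OU=Staff,DC=example,DC=com'

foreach ($joinedEntity in $joinedEntities) {
    # 'ManagerDisplayName' is an assumed source field name.
    $managerName = $joinedEntity.SourceEntity["ManagerDisplayName"].Value
    if ([string]::IsNullOrWhiteSpace($managerName)) {
        # No manager: clear the attribute rather than write a partial DN.
        $joinedEntity.TargetEntity["manager"] = $null
        continue
    }
    # e.g. "Smith, John" becomes "CN=Smith\, John,OU=Staff,DC=example,DC=com"
    $joinedEntity.TargetEntity["manager"] = New-ManagerDn -ManagerCn $managerName -ContainerDn $managerContainer
}
```

Reconstructing a DN from a name only works when the manager's CN in AD is exactly that name and the account lives in the expected container. Where the Aurion adapter already resolves the manager to a joined record, resolving the manager's real AD DN through a unique key such as the person number is more robust than rebuilding it; the escaping function is still needed whenever any part of the DN comes from data.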
Provide more information in the log file for Provisioning Task failures
When a provisioning task fails in a Broker Plus Link due to a PowerShell error, the information written doesn't indicate which provisioning task failed, which line the error occurred on, or which entity was being processed.
It would be extremely helpful for debugging to know which provisioning task is the source of the error and which line is executing when the error occurs.
It would also be helpful to know which entity is being processed, but given that the PowerShell script loops over objects internally this information is not automatically available to the calling engine. In order to help with this I suggest adding a function which allows the PowerShell script to (optionally) indicate when it starts and finishes processing an entity, in order to allow Broker to include that information in the log entry.
i.e.
foreach ($joinedEntity in $joinedEntities)
{
    # Tell Broker which entity we're working on
    $personNumber = $joinedEntity.SourceEntity["PersonNumber"].Value
    $username = $joinedEntity.SourceEntity["sAMUsername"].Value
    $logger.setIdentifier("Person $personNumber ($username)")

    # Process the entity
    $isTerminated = $joinedEntity.SourceEntity["Terminated"].Value
    $joinedEntity.TargetEntity["isTerminated"] = $isTerminated -eq "True"

    # Tell Broker we're finished processing the entity
    $logger.resetIdentifier()
}
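The proposal above asks the engine to attach the task, the entity and the failing line to the log entry. The script itself can capture the same context with standard PowerShell in the meantime: the following added example (not UNIFY's code) wraps the per-entity work in try/catch, records the task label, the entity label and the script line number that threw (from the ErrorRecord's InvocationInfo), and re-raises one summarised error at the end so the task still reports as failed. `$joinedEntities` and the field names follow the snippet above; the task label is a constructed value.

```powershell
# Added example, not UNIFY's code. Self-reported failure context for a
# PowerShell provisioning task: task label, entity label, line number.

# Non-terminating errors are not caught by try/catch unless promoted.
$ErrorActionPreference = 'Stop'

$taskName = 'Outgoing Provisioning: set isTerminated'   # constructed label
$failures = New-Object 'System.Collections.Generic.List[string]'

foreach ($joinedEntity in $joinedEntities) {
    # Build the entity label before doing any work so it is available on failure.
    $personNumber = $joinedEntity.SourceEntity["PersonNumber"].Value
    $username     = $joinedEntity.SourceEntity["sAMUsername"].Value
    $entityLabel  = "Person $personNumber ($username)"

    try {
        $isTerminated = $joinedEntity.SourceEntity["Terminated"].Value
        $joinedEntity.TargetEntity["isTerminated"] = $isTerminated -eq "True"
    }
    catch {
        # $_ is the ErrorRecord; InvocationInfo points at the script line that threw.
        $line = $_.InvocationInfo.ScriptLineNumber
        $msg  = "[$taskName] $entityLabel failed at line ${line}: $($_.Exception.Message)"
        $failures.Add($msg)
        Write-Warning $msg
        # Continue with the next entity so one bad record does not hide the rest.
    }
}

if ($failures.Count -gt 0) {
    # Surface every failure in the task's own error so the engine logs it.
    throw "$($failures.Count) entities failed in '$taskName':`n$($failures -join "`n")"
}
```

Re-raising at the end keeps the task's failure visible to the engine while the per-entity detail is already in the warning stream; if a single failing entity should abort the whole task instead, move the throw into the catch block.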
How do I set sAMAccountName from Broker/Plus when provisioning, but then flow it back in from AD thereafter?
I need to set a user's account name when provisioning via Broker/Plus, but then flow that value back in from AD subsequently (so the value is picked up when joining to an existing AD account, and so that if the username can be changed in AD it will be automatically updated in Broker).
Can you please confirm whether or not the approach below will work, and advise if there is a better way to do it?
1. Set the Link mapping on the AD->Locker to Bidirectional for the AD username field
2. Set a value for the attribute in the Outgoing Pre-Provisioning Task
Hi Adrian
Your approach is correct, however you won't need to set the username field as bidirectional on the AD->Locker link. Values set by the pre-provisioning task aren't affected by the mapping rules, so Adapter to Locker is fine.
On CheckFieldUniqueness, yes that function is available in outgoing pre-provisioning tasks.
Broker/Plus Locker entity search Origin Info information is not clear or sufficient
I am a new Broker/Plus user and want to see where a Locker is getting its field values from, so I clicked on the Entity Id and then on Origin Info. This is the screen I see:
This doesn't tell me which Adapter contributed the current value for the sAMUsername field. I tried searching the Extensibility files for the Entity Id and Partition Id, but neither told me which Adapter the field value came from.
Could you please add the name of the Adapter that contributed the field value somewhere on this popup?
Also, it's not clear what the Type information here means. What does it mean that my 'sAMUsername' field is of type 'PlugIn'?
Difference Report on Pending Changes for Full Sync
As part of an upgrade activity on an MA, we were required to deliver a difference report on the data as it would appear pre vs post synchronisation of the upgrade MA. This was done to better understand and review what attributes would be updated when a full sync of the upgraded MA would occur in PROD.
We were able to achieve this deliverable by exporting two CSVs of the data pre and post synchronisation, and doing a data comparison in a third-party app. This could be simplified if Identity Broker Plus could generate a difference report for full syncs to ensure that the MA update is producing clean data.
This report could vary in detail, but as a first pass being able to see a count of the new and updated identities and attributes would be preferable.
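An added example (not UNIFY's code, and not a feature of Identity Broker Plus) of the comparison described above done in PowerShell rather than in a third-party app: two exports of the same entities, keyed on an identifier column, are diffed to give the counts of new, updated and removed identities and the number of changed entities per attribute. The sample rows, column names and the `PersonNumber` key are constructed; in practice the two tables come from `Import-Csv` of the pre- and post-sync exports.

```powershell
# Added example, not UNIFY's code. Difference report between a pre-sync and
# a post-sync CSV export of the same entities.

function Compare-SyncExport {
    param(
        [Parameter(Mandatory)][object[]]$Pre,
        [Parameter(Mandatory)][object[]]$Post,
        [Parameter(Mandatory)][string]$Key
    )
    # Index both exports by the key column.
    $preMap  = @{}; foreach ($r in $Pre)  { $preMap[[string]$r.$Key]  = $r }
    $postMap = @{}; foreach ($r in $Post) { $postMap[[string]$r.$Key] = $r }

    # Attribute columns are everything except the key.
    $columns = @($Post[0].PSObject.Properties.Name | Where-Object { $_ -ne $Key })
    $attrChanges = @{}
    foreach ($c in $columns) { $attrChanges[$c] = 0 }

    $new = 0; $updated = 0; $details = @()
    foreach ($k in $postMap.Keys) {
        if (-not $preMap.ContainsKey($k)) { $new++; continue }
        $changed = @()
        foreach ($c in $columns) {
            # Case-sensitive string compare so a case change counts as an update.
            if ([string]$preMap[$k].$c -cne [string]$postMap[$k].$c) {
                $changed += $c
                $attrChanges[$c]++
            }
        }
        if ($changed.Count -gt 0) {
            $updated++
            $details += [pscustomobject]@{ Key = $k; ChangedAttributes = ($changed -join ',') }
        }
    }
    $removed = @($preMap.Keys | Where-Object { -not $postMap.ContainsKey($_) }).Count

    return [pscustomobject]@{
        New = $new; Updated = $updated; Removed = $removed
        AttributeChanges = $attrChanges
        Details = $details
    }
}

# Constructed sample exports (replace with Import-Csv .\pre.csv / .\post.csv).
$pre = @'
PersonNumber,sAMAccountName,Title,Manager
1001,jsmith,Analyst,CN=Jane Doe
1002,adoe,Engineer,CN=Jane Doe
1003,bwong,Manager,
'@ | ConvertFrom-Csv

$post = @'
PersonNumber,sAMAccountName,Title,Manager
1001,jsmith,Senior Analyst,CN=Jane Doe
1002,adoe,Engineer,CN=Bob Wong
1004,clee,Engineer,CN=Bob Wong
'@ | ConvertFrom-Csv

$report = Compare-SyncExport -Pre $pre -Post $post -Key 'PersonNumber'
"New: $($report.New)  Updated: $($report.Updated)  Removed: $($report.Removed)"
$report.AttributeChanges.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Value)" }
$report.Details | Format-Table -AutoSize
```

With the constructed rows the report gives 1 new (1004), 2 updated (1001 on Title, 1002 on Manager) and 1 removed (1003) identity, with sAMAccountName unchanged. The per-attribute counts are the first thing to check before a production full sync: an attribute that changes on most entities usually points at a mapping or transformation change rather than genuine data drift.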
Baseline sync error: Execution Timeout Expired
Keep getting the below error for the link's baseline outgoing sync to AD. I have tried restarting the IdB service but there is no improvement. I don't have DB Admin rights as it is a PROD environment on a shared SQL cluster. Just wondering what I can do to troubleshoot it?
Synchronization job failed syncing 40800 changes on the 'AD Link' link from the locker to adapter with the reason Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding.. Job ID: e6165705-b8bf-4e86-953e-c1394ae692c8 Duration: 00:16:54.3542205
Error details:
System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TrySetMetaData(_SqlMetaDataSet metaData, Boolean moreInfo)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.Linq.SqlClient.SqlProvider.Execute(Expression query, QueryInfo queryInfo, IObjectReaderFactory factory, Object[] parentArgs, Object[] userArgs, ICompiledSubQuery[] subQueries, Object lastResult)
at System.Data.Linq.SqlClient.SqlProvider.ExecuteAll(Expression query, QueryInfo[] queryInfos, IObjectReaderFactory factory, Object[] userArguments, ICompiledSubQuery[] subQueries)
at System.Data.Linq.SqlClient.SqlProvider.System.Data.Linq.Provider.IProvider.Execute(Expression query)
at System.Data.Linq.DataQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Framework.Data.LinqWhereQuery`5.GetEnumerator()
at Unify.Framework.QueryableExtensions.<AutoStream>d__2`1.MoveNext()
at System.Linq.Lookup`2.Create[TSource](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at System.Linq.Enumerable.ToLookup[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector)
at Unify.Framework.QueryableExtensions.StreamToLookup[TKey,TElement](IOrderedQueryable`1 collection, Func`2 keySelector, Int32 pageSize)
at Unify.Product.Plus.JoinExecutor`2.Execute(IEnumerable`1 sourceEntities, IQueryable`1 targetEntities)
at Unify.Product.Plus.LinkSynchronizer`2.JoinAndMap(IEnumerable`1 filterResult, IDictionary`2 changesDict)
at Unify.Product.Plus.Link.SynchronizeLockerChanges(IEnumerable`1 changes)
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult](ITaskNotificationFactory notificationFactory, Func`1 function)
at Unify.Product.Plus.LinkAuditingDecorator.SynchronizeLockerChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LockerToAdapterSynchronizationJob.RunBase()
at Unify.Product.Plus.SynchronizationJobExecutor.<ThreadAction>d__8.MoveNext()
ClientConnectionId:e4b00f30-9b86-4cae-a54c-a96f2f4dc552
Error Number:-2,State:0,Class:11",Normal
20180904,07:19:04,UNIFY Identity Broker,"Void OnError(System.Data.SqlClient.SqlException, Boolean, System.Action`1[System.Action])",Error,".Net SqlClient Data Provider:
System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
Queuing a baseline synchronization job requires generating sync changes for all entities on both sides of the link, which again is a SQL-heavy operation. Do you know the hardware specifications of the SQL Server cluster or any of its configuration settings that might impact SQL performance? Do you know of any differences between how it's configured between this environment and the previous environment?