Identity Broker Forum

Welcome to the community forum for Identity Broker.


0
Under review

Active Directory User Connector Failed to Import at Monash Health

Rizwan Ahmed 3 months ago in UNIFYBroker/Microsoft Active Directory updated by Adrian Corston 3 months ago 8

Hi,

Monash Health reported an issue with AD user creation.

The following is the product installed; there have been no recent changes to the configuration.

UNIFYBroker v5.3.2 Revision #0

Plug-in Version Details

Plugin Key                    Version
Microsoft Active Directory    5.3.0.0
Chris21 Connector             5.3.0.0
Sync Changes                  5.3.0.2
Plus Change Tracking          5.3.0.2
Connections                   5.3.0.2
Links                         5.3.0.2
Link Statistics               5.3.0.2
Lockers                       5.3.0.2
Locker Statistics             5.3.0.2
Provisioning                  5.3.0.2
Plus                          5.3.0.2

0
Fixed

When an AD rename fails with "UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR)" the AD connector aborts and doesn't attempt to save any other updates in the batch

After an AD record rename fails (in my case due to an invalid OU) the entire batch of all other AD updates is aborted:

20211201,02:01:06,UNIFYBroker,Connector,Warning,"Update entities to connector failed.
Update entities [Count:1336] to connector AD User failed with reason A task faulted. See inner exception for details.. Duration: 00:00:00.0903295
Error details:
System.Exception: A task faulted. See inner exception for details. ---> System.Exception: Received error code Other for item with dn CN=Customer User,OU=Location Name,OU=Customer Locations,OU=Users,OU=Customer Name,DC=customer,DC=com. Message: 00002089: UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR), data 2
---> System.DirectoryServices.Protocols.DirectoryOperationException: An unknown error occurred.

Server stack trace:
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]:
at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADAgent.d__24`1.MoveNext()
--- End of inner exception stack trace ---
at Unify.Connectors.AD.ADAgent.ErrorCheckResponse(String dn, DirectoryResponse response, String operationName, Exception originalException)
at Unify.Connectors.AD.ADAgent.d__24`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Unify.Connectors.AD.ADAgent.d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Unify.Connectors.AD.ADConnector.d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.ConnectorToUpdatingAsyncConnectorBridge.d__8.MoveNext()
--- End of inner exception stack trace ---
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass4_0.b__0(Task t)
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.EventNotifierUpdatingAsyncConnectorDecorator.d__3.MoveNext()",Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 143471 (b9e8dea3-2aa0-4edc-bc8f-b40ab0a95250) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145095 (a14daa52-6c57-4fd3-aa8a-f73be5d47301) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 142960 (297f0bbf-ec3a-46b8-a355-90cb4520af4b) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145766 (68f36cfa-0a5b-4211-8150-df9196331bbc) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145919 (1f57b3db-c2b2-4bd5-8d08-95083976e8f3) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 1883 (5b8886d7-ce77-4714-b634-e4175554c660) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145395 (602ca35a-d708-40e4-99a2-15b666810a8a) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 144904 (95260bbc-9344-49e4-994d-8ca1fd1a3442) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 144060 (f11080cc-95dc-4375-9f09-65b8f8c55227) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145692 (f7883a73-ab23-442d-b388-6b0006288506) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 144767 (6603418a-e7c2-4b33-951b-3eb4417e1ac5) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 143176 (7fd6ee8f-43f2-42e8-a7a0-ea40cd1a0e56) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145666 (de6101ca-d184-4bf0-88b3-eea6c48edba7) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145112 (33b23a3f-f82c-46c0-bcaf-278c1a2e3a39) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 141673 (21a3cd55-616c-4559-8385-a4b407209d68) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145668 (e34a0f5e-18cc-40d0-bd44-027adbd49e1f) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal

(etc etc)

In this instance, after the one AD record update fails, all the other updates should still be attempted, since the error on this one record has no relevance to the other record updates, which are likely to succeed.

This is impacting my customer since no changes to AD are currently being synchronised. As a workaround I will correct the OU on the impacted user.
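Added example (not from this thread and not UNIFY's code): a triage script over a constructed excerpt in the same CSV log layout as above. It pulls the single root-cause DN and LDAP error code out of the quoted Connector record and counts the EntitySaver errors that are only collateral damage from the batch abort, which is the signal a monitoring rule should alert on rather than 1336 separate entity errors. The regexes are written against the message wording shown in the post.

```python
import csv
import io
import re

# Constructed sample in the UNIFYBroker CSV log layout shown in the post: date,time,product,
# component,level,message,Normal. The Connector message is quoted and spans several lines.
SAMPLE_LOG = '''20211201,02:01:06,UNIFYBroker,Connector,Warning,"Update entities to connector failed.
Update entities [Count:1336] to connector AD User failed with reason A task faulted. See inner exception for details.. Duration: 00:00:00.0903295
Error details:
System.Exception: A task faulted. See inner exception for details. ---> System.Exception: Received error code Other for item with dn CN=Customer User,OU=Location Name,OU=Customer Locations,OU=Users,OU=Customer Name,DC=customer,DC=com. Message: 00002089: UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR), data 2
---> System.DirectoryServices.Protocols.DirectoryOperationException: An unknown error occurred.",Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 143471 (b9e8dea3-2aa0-4edc-bc8f-b40ab0a95250) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 145095 (a14daa52-6c57-4fd3-aa8a-f73be5d47301) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
20211201,02:01:10,UNIFYBroker,EntitySaver,Error,The entity 142960 (297f0bbf-ec3a-46b8-a355-90cb4520af4b) for the adapter AD User (c80b76c8-40e9-4e4e-a7ff-00c4cc5b919f) failed to update for the following reasons: A task faulted. See inner exception for details.,Normal
'''

BATCH_RE = re.compile(r"Update entities \[Count:(?P<count>\d+)\] to connector (?P<connector>.+?) failed")
ROOT_CAUSE_RE = re.compile(r"for item with dn (?P<dn>.+?)\. Message: (?P<code>[0-9A-Fa-f]{8}): (?P<text>[^\n]+)")
ENTITY_RE = re.compile(r"The entity (?P<entity>\d+) \((?P<guid>[0-9a-f-]{36})\) for the adapter (?P<adapter>.+?) \(")


def parse_log(text: str) -> list:
    """Split the log into (date, time, product, component, level, message) tuples.
    csv handles the quoted, multi-line Connector message for us."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 6:
            rows.append(tuple(row[:6]))
    return rows


def summarise_batch_abort(text: str) -> dict:
    """Collapse one aborted connector batch and its per-entity fallout into a single triage record."""
    summary = {"time": None, "batch_size": 0, "connector": None, "root_cause_dn": None,
               "ldap_error": None, "ldap_message": None, "entities_failed": 0, "entity_ids": []}
    for date, time, _product, component, level, message in parse_log(text):
        if component == "Connector" and (m := BATCH_RE.search(message)):
            summary["time"] = f"{date} {time}"
            summary["batch_size"] = int(m["count"])
            summary["connector"] = m["connector"]
            if rc := ROOT_CAUSE_RE.search(message):
                summary["root_cause_dn"] = rc["dn"]
                summary["ldap_error"] = rc["code"]
                summary["ldap_message"] = rc["text"]
        elif component == "EntitySaver" and level == "Error" and (e := ENTITY_RE.search(message)):
            summary["entities_failed"] += 1
            summary["entity_ids"].append(int(e["entity"]))
    # Collateral damage: every entity in the batch other than the one that actually hit the LDAP error.
    summary["collateral"] = max(summary["batch_size"] - 1, 0)
    return summary


if __name__ == "__main__":
    s = summarise_batch_abort(SAMPLE_LOG)
    print(f"{s['connector']}: batch of {s['batch_size']} aborted by LDAP error {s['ldap_error']} "
          f"on {s['root_cause_dn']}; {s['entities_failed']} entity errors logged in this excerpt")
```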

0
Not a bug

AD connector Import Changes doesn't pick up changes to multivalued attribute (Import All does) for AD object type 'group' attribute 'member'

With the following AD connector configured:

When I use AD Users & Computers to change the DN of one of the objects in the 'member' attribute of a group and then run Import Changes the corresponding connector entity's member field is not updated and the old DN value is retained.

When I run Import All, the member attribute updates correctly with the new DN value.

0
Not a bug

Inconsistent import/export treatment of accountExpires AD attribute values

When I import accountExpires for an AD user object as a Date field type the value I see matches the value in AD Users & Computers:

However when I export a value to that field (from a locker via a link in UNIFYBroker/Plus) it is set to the previous date in AD:

The Import and Export behaviours should match, or else there will be a repeated set/read/set/read loop of the value because the value read back on import won't ever match the value set on export.

For reference, for most HR systems the "end date" or "termination date" is the last date on which an employee has access, which matches the behaviour seen here for Import.

Answer

Using Timestamp is the best approach.  It must be in UTC to work correctly, however.  To achieve this, I had to import my date field as a string, then use the following adapter transform to generate EndDate (for use in Time Offset Flag transforms) and EndTimestampUTC (for mapping to accountExpires on an AD connector):

foreach ($Entity in $entities)
{
    $EndDateString = $Entity["EndDateString"].Value
    # Reset both outputs on every iteration; otherwise an entity with no end date would
    # inherit the previous entity's $EndTimestampUTC.
    $EndDate = $Null
    $EndTimestampUTC = $Null
    if ($EndDateString) {
        # EndDate is a [DateTime] object of kind "Unspecified"
        # Its value is midnight at the start of the last day of the employee's access, as interpreted in the local timezone
        # Note: Adjust this if $EndDateString is not in m/d/yyyy format.
        $EndDate = [DateTime]::ParseExact($EndDateString, "M/d/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)

        # EndTimestampUTC is a [DateTime] object of kind "Utc"
        # Its value is the UTC (GMT) representation of the exact second when the user account should be disabled -
        # in this case midnight in the local timezone at the start of the day after the End Date. If you need access to be terminated earlier than this
        # (e.g. 5pm in the local timezone on their last day) then change the .AddDays(1) accordingly.
        # The day is added in local time before converting, so a DST change on the end date cannot shift the result by an hour.
        # Make sure the timezone specified is correct for the End Date specified.
        $LocalTimeZone = [TimeZoneInfo]::FindSystemTimeZoneById('AUS Eastern Standard Time')
        $EndTimestampUTC = [TimeZoneInfo]::ConvertTimeToUtc($EndDate.AddDays(1), $LocalTimeZone)
    }
    $Entity["EndDate"] = $EndDate
    $Entity["EndTimestampUTC"] = $EndTimestampUTC
}
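Added example (not from this thread and not UNIFYBroker code) of why the Date round trip drifts and the UTC timestamp does not. accountExpires is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), and ADUC's "End of <date>" stores local midnight at the start of the following day; both are facts. How the connector's Date field type maps a date to and from that value is not stated in the thread, so the model below (export = local midnight of the date, import = the last day that has fully ended at the stored instant) is an assumption chosen because it reproduces all three reported symptoms. AEST is modelled as a fixed +10:00 offset to keep the script free of a tz database.

```python
from datetime import date, datetime, timedelta, timezone, tzinfo

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# Fixed-offset stand-in for 'AUS Eastern Standard Time' so the script needs no tz database;
# a real deployment should use a zone with DST rules, e.g. zoneinfo.ZoneInfo("Australia/Melbourne").
AEST = timezone(timedelta(hours=10), "AEST")
SAMPLE_LAST_DAY = date(2021, 6, 10)  # constructed sample: employee's last day of access


def to_filetime(instant: datetime) -> int:
    """Timezone-aware datetime -> accountExpires ticks."""
    delta = instant.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def from_filetime(ticks: int) -> datetime:
    """accountExpires ticks -> timezone-aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def local_midnight(day: date, tz: tzinfo) -> datetime:
    return datetime.combine(day, datetime.min.time(), tzinfo=tz)


# Model of the connector's "Date" field type. This is an assumption chosen to reproduce the
# symptoms in the post (import matches ADUC, export lands one day early), not UNIFYBroker's code.
def export_as_date(end_date: date, tz: tzinfo) -> int:
    """Writing a Date: the value becomes local midnight at the START of that day."""
    return to_filetime(local_midnight(end_date, tz))


def import_as_date(ticks: int, tz: tzinfo) -> date:
    """Reading as a Date: the last calendar day that has fully ended at the expiry instant,
    which is the day ADUC labels 'End of'."""
    local = from_filetime(ticks).astimezone(tz)
    return (local - timedelta(microseconds=1)).date()


def end_date_to_expiry_utc(end_date: date, tz: tzinfo) -> datetime:
    """The fix from the answer: local midnight at the start of the day AFTER the last day of
    access, expressed in UTC. The day is added in local time so a DST change cannot shift it."""
    return local_midnight(end_date + timedelta(days=1), tz).astimezone(timezone.utc)


def date_field_round_trips(last_day: date, tz: tzinfo, cycles: int) -> list:
    """Export as Date, read back as Date, export what was read ... (ISO dates seen on import)."""
    seen, current = [], last_day
    for _ in range(cycles):
        current = import_as_date(export_as_date(current, tz), tz)
        seen.append(current.isoformat())
    return seen


def timestamp_round_trips(last_day: date, tz: tzinfo, cycles: int) -> list:
    """Same loop, but exporting the UTC timestamp from end_date_to_expiry_utc."""
    seen, current = [], last_day
    for _ in range(cycles):
        current = import_as_date(to_filetime(end_date_to_expiry_utc(current, tz)), tz)
        seen.append(current.isoformat())
    return seen


if __name__ == "__main__":
    print("Date field   :", date_field_round_trips(SAMPLE_LAST_DAY, AEST, 3))  # drifts a day per cycle
    print("UTC timestamp:", timestamp_round_trips(SAMPLE_LAST_DAY, AEST, 3))  # stable
```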

0
Answered

Error on AD group provisioning: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection

The following error is occurring when I provision an AD group using the Active Directory connector. The group provisions just fine, but the following error is logged:

I will put the UNIFYConnect customer environment details in the next message, for access to the log files and config.

Answer

Hi Adrian

You'll need to set the Primary Object Class configuration on the connector to "Group", instead of "User". This field is used in the filter of a confirmation search request made after an entity is added to AD.

0

AD Agent default destination port should be 636 if SSL is selected

In the ActiveDirectory agent the default destination port is 389.  This can be overridden by appending a colon and an explicit port to the Server configuration.

In AD, port 389 is conventionally used for non-SSL traffic and port 636 is used for SSL traffic.  The default port should reflect the SSL setting, in order to avoid confusion and reduce the risk of inadvertent configuration error.

0
Answered

Managing AD user account distinguished name/organisational unit from UNIFYBroker (The connector does not support anchor modification)

Using UNIFYBroker and the Active Directory agent/connector I can set a new user account's organisational unit via their distinguishedName during account creation, but when I subsequently try to modify it this error is logged:

UnifyLog20201207.csv:14572:System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.NotSupportedException: The connector AD Users does not support anchor modification.

My customer's solution requires that an employee's OU be managed.  Do you have any suggestions how I could achieve this?

Answer

Hi Adrian

The "anchor" in the error message is in reference to the connector schema field/s which are marked as Key. Use a different, unique field which doesn't change as the connector key instead. Moving a user between OUs with the AD connector works, and has been done a lot in the past, so there should be plenty of PS resources you can reference.

0
Answered

Multiple DC server support for the AD Agent

A client has asked that we configure UNIFYConnect to round-robin through a number of DC IP addresses.  I can't find an explicit way to do this in the Agent documentation.

How can I meet this requirement?  Create my own DNS entry with multiple IP addresses?

Answer

Hi Adrian,

There's no explicit support for multiple server entries in the AD Agent. As you've pointed out, the easiest way is to use a DNS entry which contains multiple IP addresses - either on the service side or the customer side.

0
Fixed

AD Connector Imports fail with: Object reference not set to an instance of an object

Stephen Nguyen 3 years ago in UNIFYBroker/Microsoft Active Directory updated by Andrew Grant 3 years ago 1

The connector is able to push data to AD, but throws an error when performing a change/all import from AD.

Has anyone run into this issue on imports?

20191210,04:34:48,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import all items started.
Change detection engine import all items for connector Active Directory Connector started.",Normal
20191210,04:34:54,UNIFY Identity Broker,Change detection engine,Error,"Change detection engine import all items failed.
Change detection engine import all items for connector Active Directory Connector failed with reason One or more errors occurred.. Duration: 00:00:05.5141233
Error details:
System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<actiononlast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<getallentitiesasync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<createandsendlogentryasync>b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<taskcontinuewithexceptionpassthough>b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<getallentitiesasync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<importallchangeprocess>d__6.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.RunBase()
   at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
   at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.<run>b__0()
   at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<actiononlast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<getallentitiesasync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<createandsendlogentryasync>b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<taskcontinuewithexceptionpassthough>b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<getallentitiesasync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<importallchangeprocess>d__6.MoveNext()
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<actiononlast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<getallentitiesasync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()<---
<---
",Normal

0
Not a bug

After the key of an object is changed polling creates a new object but doesn't delete the old one

Adrian Corston 3 years ago in UNIFYBroker/Microsoft Active Directory updated by Adam van Vliet 3 years ago 1

When using polling with the AD connector, a new record is created for objects where any attribute that is part of the key has been changed, and the old object is not removed.  This either means that the polling functionality is not useful, or else the connector cannot be usefully used with any key other than objectGUID.

If this behaviour can't be improved then it really should be mentioned in the documentation for the connector since it's quite important.

Answer
Adam van Vliet 3 years ago
Depending on the specification of the target system we are not always able to retrieve deletions during polling import. This is one of the reasons full imports are scheduled and not just relying on polling. This is unfortunately the case with this connector, as it uses the uSNChanged method, which doesn't surface deletions. I will take a note to update the documentation. Thanks.