Identity Broker Forum


0
Completed

Install IdB MIM Adapter DLL to appropriate MIM directory

The MIM adapter currently installs to a Unify directory in Program Files, after which it needs to be moved manually into the appropriate MIM Directory.

The installer could install into the appropriate directory, which would result in better end user experience, both in the initial install and in repairs.

The FIM Sync base directory can be retrieved from the registry at: 

SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Path

as documented here.

After this \extensions needs to be added to the path value to find the location.

Answer

Will be included in the next adapter release.
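
The lookup described in this idea, as an added PowerShell example (not Unify's installer code): it reads the `Path` value from the registry key named above, appends `Extensions`, and copies a DLL there after checking its Authenticode signature, since the sync service loads extension DLLs in-process. The `-AdapterDll` path and the `-RequireValidSignature` switch are assumptions of this example, and whether the vendor signs the DLL is not stated on this page.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder: full path to the adapter DLL that the installer laid down.
    [Parameter(Mandatory)]
    [string]$AdapterDll,

    # Assumption of this example: fail instead of warn when the DLL is not validly signed.
    [switch]$RequireValidSignature
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-SyncExtensionsPath {
    # Registry location given in the post (under HKEY_LOCAL_MACHINE).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
    if (-not (Test-Path -LiteralPath $key)) {
        throw "FIM/MIM Synchronization Service parameters key not found: $key"
    }

    $base = (Get-ItemProperty -LiteralPath $key -Name Path).Path
    if ([string]::IsNullOrWhiteSpace($base)) {
        throw "Registry value 'Path' under $key is empty."
    }

    # The post says to append \extensions to the base directory.
    $ext = Join-Path -Path $base.TrimEnd('\') -ChildPath 'Extensions'
    if (-not (Test-Path -LiteralPath $ext -PathType Container)) {
        throw "Extensions directory not found: $ext"
    }
    return $ext
}

$source = Get-Item -LiteralPath $AdapterDll

# Check the signature before placing code where the sync service will load it.
$sig = Get-AuthenticodeSignature -FilePath $source.FullName
if ($sig.Status -ne 'Valid') {
    $msg = "$($source.Name): Authenticode status is $($sig.Status)."
    if ($RequireValidSignature) { throw "Refusing to install. $msg" }
    Write-Warning $msg
}

# A DLL already loaded by the running service may be locked during a repair.
$svc = Get-Service -Name FIMSynchronizationService
if ($svc.Status -eq 'Running') {
    Write-Warning 'FIMSynchronizationService is running; an existing copy of the DLL may be locked.'
}

$extDir = Get-SyncExtensionsPath
$target = Join-Path -Path $extDir -ChildPath $source.Name

if ($PSCmdlet.ShouldProcess($target, "Copy $($source.FullName)")) {
    Copy-Item -LiteralPath $source.FullName -Destination $target -Force

    # Confirm the file that landed in the Extensions directory is the one that was checked.
    $srcHash = (Get-FileHash -LiteralPath $source.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch after copy to $target."
    }
    Write-Output "Installed $($source.Name) to $extDir (SHA256 $dstHash)"
}
```

Run it from an elevated session with `-WhatIf` first to see the resolved target path without copying anything.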

0
Fixed

Unable to retrieve schema

Matthew Woolnough 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 15

MIM's IdB MA is unable to retrieve schema from IdB during implementation. Error returned is:

-------------------------------------------
Synchronization Service Manager

Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343
-------------------------------------------


Event Log contains the following:

-------------------------------------------

The extensible extension returned an unsupported error.
 The stack trace is:
 
 Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0

-------------------------------------------



Answer
anonymous 7 years ago

Thanks Matt,

It looks like you have an entry in the [Container] table left over from an adapter with a container name of users. These should be removed automatically when you delete the adapter, or if you delete it directly from the xml config, at service startup. I'm not sure how it's managed to stay in there for you if you don't have any such adapter. You can manually delete the entry from the [Container] table where the [DistinguishedName] column has the value OU=users,DC=IdentityBroker to resolve this issue, and I'll re-raise this as a bug in our backlog.

You should be able to remove the patches supplied on this issue as well.

0
Not a bug

Missing object class in IdB 5.1

Matthew Woolnough 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 22

Configuring IdB5.1 for the first time with SharePoint connector and MIM. MIM does not see the object class that the Adapter is presenting, but it does see the container.

IdB for MIM 5.1 RC2 is the version I have installed.

Answer
anonymous 7 years ago

I forgot that the installer doesn't put the DLL into the right directory. 🤦

The 5.0 version was in an responding to requests. 

I'm getting a different error now, but will open a new issue for that one. 


0
Declined

Resync of IDB Adapter Entities with FIM MA without a Full Import

Richard Green 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 6 years ago 3

As discussed with Curtis:

Recently at DET (and at TAFE) we have experienced some issues with IDB where one or more entities in the Adapter get out of sync with the entity state on the associated MA in FIM. This results in a few error conditions:

Delta imports of entities in this state usually present with a staging-error on the MA.

eg.

Image 3731


Exporting changes to entities in this state usually results in an error similar to this:

Internal Server Error #9:
Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value 43-61-72-6D-65-6C to the existing, non-multivalue field SAFE-MiddleName.
   at Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.HandleAttributeValueAdd(IModifyRequestOperation op, IAdapterEntity entity, IEntitySchema schema)
   at Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.Transform(IRfcModifyRequest sourceValue, IAdapterEntity origEntity)
   at Unify.Product.IdentityBroker.ModifyRequestHandler.InnerApplyTransformation(IHandleRequestCoreRequest request, LDAPModifyRequestToEntityConverter converter)

The advice to date on how to resolve this issue is "run a full import/full sync" or alternatively "clear the entity from IDB and re-import". While both of these actions usually work, they aren't always a valid/practical option in an operational environment. (Here at DET, running a Full Import/Sync on SAFE consumes most of the day, and blocks all other operations while it's running.)

I was discussing this issue with Curtis, and he suggested that a change to the FIM Adapter might be possible to address this. Essentially adding in some logic to identify and flag records that have failed with either a staging error on import, or specific IDB related export errors (Likely text file store in the MA data directory).

Then on the next delta import, any existing records that are flagged could be requested and supplied as a full object, in order to re-sync its state with FIM.

Does this sound feasible?

Cheers

Richard

0
Not a bug

Not saving watermark leading to delta imports failing

Tom Parker 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 6 years ago 2

This is related to:

The Delta Import on an IDB 5.1 MA is failing and returning the following stack trace:

The extensible extension returned an unsupported error.

The stack trace is:
Unify.Product.IdentityBroker.LdapOperationException: Error during processing of SearchRequest targetting cn=changelog: Operation timed out while waiting for message queue with id of 10. ---> System.OperationCanceledException: Operation timed out while waiting for message queue with id of 10.
   at Unify.Product.IdentityBroker.LdapConnection.GetMessage(Int32 messageId)
   at Unify.Product.IdentityBroker.SearchRequest.Send(Func`2 send, Func`2 recv)
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   --- End of inner exception stack trace ---
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.<SearchRequestPaged>d__8.MoveNext()
   at Unify.Product.IdentityBroker.ImportProxy.<GetChangedEntriesPaged>d__30.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
   at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
   at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
   at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2266.0


Previously this issue was under control by occasionally doing full imports but the delta imports are no longer functioning at all and failing on each run.

When the delta imports were running, each run would have a number of staging errors from trying to recreate connectors that've already been created, and we can see on other IDB MAs in the environment that each delta import is computing the same items each run.

Thanks,
Tom

Answer
anonymous 6 years ago

No response.

0
Not a bug

Invalid Change Log Format on Delta Import from IDB 5.1

Tom Parker 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 6 years ago 7

Getting an error on an IDB 5.1 MA in the production environment, all Delta Imports are failing and taking an extended period of time to fail. IDB logs indicate that data is being returned (as per screenshot below), however the MIM MA errors as per the below italicised text.

The extensible extension returned an unsupported error.
The stack trace is:

"Unify.Product.IdentityBroker.LdapOperationException: Invalid change log format.
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.<SearchRequestPaged>d__8.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.<GetChangedEntriesPaged>d__30.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2266.0"

Image 3689

Answer
anonymous 6 years ago

No response.

0
Not a bug

Office Connector Export fails with ma-extension-error - The dimage indicates an add attrib operation, but the attrib already exists on the object

Bob Bradley 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 5

Using

  • Identity Broker Service 5.0.5
  • Identity Broker for Office Enterprise 5.0.1.5
  • Identity Broker for FIM 5.1.0 DEV

The following 2 entries appeared this morning in the Application event log on an IMPORT from the License Assignments MA:


The delta import in MIM itself shows no errors on the Operations tab for the DI run profile, but the error was thrown to the event log at the exact time the DI operation completed.

The DI shows the 2 identities in the above XML error text in a delete/add scenario (3 adds and 2 deletes - where the 2 deletes appear as renamed user objects) as follows:

  • UID=GRS-AS-Impairment@QBE.onmicrosoft.com => UID=GRS-AS-Impairment@us.qbe.com
  • UID=GRS-GeneralImformati@QBE.onmicrosoft.com => UID=GRS-GeneralImformatiion@us.qbe.com

Both of the above renames look like legitimate scenarios due to the way the AAD object is provisioned and subsequently an O365 mailbox is created as a part of the license assignment process. The cloud UPN was chosen as anchor for the FIM MA in lieu of the immutableId (Base64 of AD guid) for readability reasons, and hence the delete/add scenario is not undesirable in this case. However there shouldn't be an exception being thrown here.

There are 27 instances of this error in the past 3 days - however there is no obvious impact on the MA in MIM (objects do not show as being in error) - hence I am assigning this a low priority.

Cross reference to JIRA issue QBE-73.
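The anchor trade-off described in the post above, as an added example that is not part of the original thread and is not Identity Broker or MIM code: a delta keyed on the UPN turns a rename into a delete plus an add, while a delta keyed on immutableId sees one update. The snapshot is constructed from values quoted in the post; the dictionary key `upn`, the function names, and the assumption that the pre-rename object carried the same immutableId are illustrative.

```python
import base64
import uuid


def guid_from_immutable_id(immutable_id):
    """Decode an immutableId (Base64 of the AD objectGUID) into a UUID."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("immutableId does not decode to a 16-byte GUID")
    # AD stores the first three GUID fields little-endian.
    return uuid.UUID(bytes_le=raw)


def delta(before, after, anchor_attr):
    """Diff two import snapshots, identifying objects by anchor_attr."""
    old = {entry[anchor_attr]: entry for entry in before}
    new = {entry[anchor_attr]: entry for entry in after}
    ops = []
    for key in sorted(old.keys() - new.keys()):
        ops.append(("delete", key))
    for key in sorted(new.keys() - old.keys()):
        ops.append(("add", key))
    for key in sorted(old.keys() & new.keys()):
        changed = sorted(a for a in new[key] if old[key].get(a) != new[key][a])
        if changed:
            ops.append(("update", key, changed))
    return ops


# Constructed snapshots: UPNs and immutableId are the values quoted in the post.
# Assumption: the object had the same immutableId before the rename.
BEFORE = [{"upn": "GRS-AS-Impairment@QBE.onmicrosoft.com",
           "immutableId": "QfKC/JeKAUm1iIbIsMJivg=="}]
AFTER = [{"upn": "GRS-AS-Impairment@us.qbe.com",
          "immutableId": "QfKC/JeKAUm1iIbIsMJivg=="}]

if __name__ == "__main__":
    print("anchor=upn        ", delta(BEFORE, AFTER, "upn"))
    print("anchor=immutableId", delta(BEFORE, AFTER, "immutableId"))
    print("objectGUID        ", guid_from_immutable_id(AFTER[0]["immutableId"]))
```

With the UPN as anchor, any downstream state attached to the old connector object is dropped and rebuilt on each rename; with immutableId the same object is tracked across the rename.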

Answer
anonymous 7 years ago

Reopen if new information can be added.

0
Not a bug

Export to Identity Broker (Google Apps) failing

Boyd Bostock 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 5

Export to Identity Broker (Google Apps) failing with an error reported in MIM which stops all remaining exports. There is no error reported in the Identity Broker logs and the change is made successfully in Google.

Problem may have been introduced with RC 5.0.5. Changes were made successfully prior to Identity Broker upgrade.

MIM Error

System.Exception: A Google API exception was thrown for call Users.MakeAdmin with message "Google.Apis.Requests.RequestError
Not Authorized to access this resource/api [403]
Errors [
Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]
". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError
Not Authorized to access this resource/api [403]
Errors [
Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]


at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass111`1.<BackoffRetry>b__109()
at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException)
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
at Unify.Product.IdentityBroker.GoogleAgent.MakeUserAdmin(DirectoryService directoryService, IEntitySchema schema, User user, IConnectorEntity entity, Boolean throwExceptions)
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClassc1.<UserUpdate>b__be(IConnectorEntity loopEntity)


Answer
anonymous 7 years ago

The export fails because there is a difference between the isAdmin value and what was returned by Google for the existing user values. Parts of the export work because the MakeAdmin call is separate from the other calls. Try removing the isAdmin field from the schema, or add the required scope to the service account.

0
Fixed

Password Synchronization not working for Google Apps

Boyd Bostock 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 3

Passwords are not being set for newly created users and not being synchronised for existing users.

Does Identity Broker need to be configured to use Secure LDAP to synchronise passwords?

I have attached a packet trace and believe the LDAP BIND requests are attempts to synchronize the password.


Answer
anonymous 7 years ago

Hi Boyd

I've created a patch that should fix this issue. Place it in the installDir\Services directory, restart the service and reattempt the password sync operations. Let me know if you have any issues.

Unify.IdentityBroker.LDAP.Engine.dll

0
Answered

Identity Broker 5.1 Export issues

Andrew Silcock 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 9

Troubleshooting some export errors creating accounts from MIM through Identity Broker and getting the below bolded message in the logs. The corresponding error in MIM is nothing more useful than "cd-error" and there are no errors in the Windows Event Log to assist.

The MIM export is set to a single export at a time for troubleshooting purposes, but I've noticed there is a long time (some ~70 seconds) between the message in bold and the unbind request that follows.

20/Dec/2016 08:18:07
  • Information
LDAP engine
Handling of LDAP Bulk Start request.
Handling of LDAP Bulk Start request received from user D2L on connection 127.0.0.1:55287 completed successfully. Duration 00:00:00.0200000.

20/Dec/2016 08:18:07
  • Information
LDAP engine
Handling of LDAP Bulk Update request.
Handling of LDAP Bulk Update request received from user D2L on connection 127.0.0.1:55287 was postponed as it was not the next expected bulk request. This request will be handled as part of a future request. Duration 00:00:00.4845852.

20/Dec/2016 08:19:21
  • Information
LDAP engine
Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection 127.0.0.1:55287 to connect as user D2L completed successfully. Duration: 00:00:00.0623072.