Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Switching base connector causes change triggers to fail
When switching from a PowerShell to C# connector for the same schema, the following error occurred when attempting to refresh the adapter (after Generate Changes):
Request to reflect change entities of the adapter.
Request to reflect change entities of the DotEE Company (1425b9d9-bdd2-4786-81ae-8c09272a0750) adapter errored with message: An error occurred retrieving the distinguished name component for field 'companyCode' of type CN. See inner exception for details.. Duration: 00:00:00.0937585
Error details:
Unify.Framework.UnifyDataException: An error occurred retrieving the distinguished name component for field 'companyCode' of type CN. See inner exception for details. ---> Unify.Framework.Collections.GroupedNameValueCollectionMissingFieldException: The entity does not contain a value for the companyCode field.
at Unify.Product.IdentityBroker.EntityBase`3.GetValueEntry(TKey key)
at Unify.Product.IdentityBroker.FieldTemplateDistinguishedNameComponentExecutor`2.Get(TEntity entity)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.FieldTemplateDistinguishedNameComponentExecutor`2.Get(TEntity entity)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__17`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Framework.IO.DistinguishedName..ctor(IEnumerable`1 components)
at Unify.Product.IdentityBroker.TemplateDistinguishedNameExecutor`2.DistinguishedName(TEntity entity)
at Unify.Product.IdentityBroker.Adapter.<>c__DisplayClass120_0.<ConvertPageAndUpdateContainers>b__1(IEntity entity)
at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.Adapter.ConvertPageAndUpdateContainers(IEntity[] entities, Boolean updateContainers)
at Unify.Product.IdentityBroker.Adapter.ReflectChangesInner()
at Unify.Product.IdentityBroker.Adapter.ReflectChanges()
at Unify.Product.IdentityBroker.AdapterAuditingDecorator.ReflectChanges()
at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges()
at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<RunBase>b__9_0(IOperationalAdapter adapter)
Concurrency in UNIFYBroker
Hi Guys,
Couldn't find an existing ticket or knowledge ticket about this so I though I would start one.
In the past I have design schedules and exclusion groups around the idea that you could not import from an adapter and do an import on the relative connector at the same time as it would cause sluggishness within Broker. Additionally, reading from an adapter while UNIFYBroker is committing changes will also cause some sort of locking (whether it locks up entirely or whether it just take long while doing so).
So I was hoping you could tell me about how UNIFYBroker handles concurrency. More specifically what operations it can do at the same time. Eg:
- Can you import from two connectors at the same time (both if its a one to one adapter relationship or a many to one)?
- Can you import from the an adapter while an import is being run on the respective connector
- Can you do a import all and a delta import at the same time without anything locking up (not that I do this, but it happens from time to time)?
If you can let me know of any operations that couldn't be run at the same time that would be great, as it would be good to define a concrete way to schedule UNIFYBroker operations.
Thanks
Hi Hayden,
Broker can handle running connector imports, reflecting changes into adapters, and reading and writing adapter entities via a gateway concurrently. The only scenario Broker won't allow is doing two imports (ie full and delta) at the same time on the same connector.
That said, yes, this can cause these tasks to take longer to complete when multiple operations are competing for cpu and disk resources. Scheduling various operations might be a good strategy to improve performance, especially on machines which fall below the recommended system requirements and/or where system resources are shared between Broker, the database and other services, but it isn't something you need to always do.
A couple of installation nice to haves
After my recent experience with upgrading Identity Broker there are a couple of nice-to-haves in the installer that would make things easier. In both cases either a warning or a log would be helpful. Admittedly, both problems could be solved by stringent documentation however the scattered nature of documentation on sharepoint and having to find one line mentions in a host of project documentation is a challenge for professional services I believe so some checks and balances in the installer itself would alleviate the problem.
1. A notification that there are non-standard assembly redirects in the unify.service.connect.exe.config and which ones are non standard. (The only way to know now is through trial-and-error or rely on documentation.)
2. A notification of all .dlls that are found that are patches from previous installs. (the only way to find now is to uninstall rendering in place upgrade risky or relying on documentation.) This one is relevant to both UNIFYBroker and UNIFYNow.
Hi Dan,
The ideal scenario is that solution documentation is up-to-date and available, so any extra changes (binding redirects or patches) are outlined, and their usage documented.
In the scenario where this is not the case, there are a few ways that you can manually validate.
For idea 1 (binding assembly redirects), you can compare a fresh .exe.config for the same version, and see if there are any changes. This would give you some clues as to whether any redirects are required.
For idea 2 (patches), you can view a base UNIFY install directory to determine what normally ships in the directory. This will give you an insight into any service patches that have been added. Web patches are reliant on documentation, as the service isn't aware what has shipped with the core service vs what is a patch.
It would require a significant amount of work to make the installer contextually aware of any non-standard binding redirects or patches, especially between version updates. It is recommended that the documentation is up to date and stored correctly to ensure upgrades can go smoothly.
Request to reflect change entities failing after upgrade
Hello,
Recently updating UNIFYBroker from 5.0.4 to 5.3.2 and am now receiving this below error in the IdB logs.
Request to reflect change entities of the adapter. Request to reflect change entities of the FIMIDBStaff (5a2fed36-ecae-4f32-8878-2f01b1661c5d) adapter errored with message: Could not load type 'Unify.Product.IdentityBroker.ChangesItemContextFactory' from assembly 'Unify.IdentityBroker.ChangeLog.Repository.Sql, Version=5.0.0.0, Culture=neutral, PublicKeyToken=84b9288cb2633de4'.. Duration: 00:00:00 Error details: System.TypeLoadException: Could not load type 'Unify.Product.IdentityBroker.ChangesItemContextFactory' from assembly 'Unify.IdentityBroker.ChangeLog.Repository.Sql, Version=5.0.0.0, Culture=neutral, PublicKeyToken=84b9288cb2633de4'. at Unify.Product.IdentityBroker.ChangeLogEngine.<>c__DisplayClass11_0.<Initialize>b__0(XElement configurationElement) at Unify.Framework.Data.DataEngine.GetContextFactory[TFactory](XElement connectionElement) at Unify.Product.IdentityBroker.ChangeLogEngine.CreateComponent(IChangeLogContextFactoryInformation factoryInformation) at Unify.Product.IdentityBroker.ChangeLogNotifierDecorator.CreateComponent(IChangeLogContextFactoryInformation factoryInformation) at Unify.Product.IdentityBroker.ChangeLogEngineAccessor.CreateComponent(IChangeLogContextFactoryInformation factoryInformation) at Unify.Product.IdentityBroker.Adapter.CreateChangeLogContext() at Unify.Product.IdentityBroker.Adapter.ReflectChangesInner() at Unify.Product.IdentityBroker.Adapter.ReflectChanges() at Unify.Product.IdentityBroker.AdapterAuditingDecorator.ReflectChanges() at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges() at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<RunBase>b__9_0(IOperationalAdapter adapter) |
I am also having issue updating the IdB maangement agents after the update. FIM is able to successfully retrieve the interfaces but when I click ok on the Connectivity Tab it give me the following error:
FIM also produces the following error in the log:
The extensible extension returned an unsupported error.
The stack trace is:
"Unify.Product.IdentityBroker.LdapOperationException: The server forcefully terminated the connection with the following reason: Internal Server Error #11: Unify.Product.IdentityBroker.UnifyLDAPException: Could not retrieve a valid last change number.
at Unify.Product.IdentityBroker.RootDSEGenerator.GetLastChangeNumber()
at Unify.Product.IdentityBroker.RootDSEGenerator.AddLastChangeNumber(IDictionary`2 resultAttributes)
at Unify.Product.IdentityBroker.RootDSEGenerator.BuildRootDseEntry(HashSet`1 attributes)
at Unify.Product.IdentityBroker.RootDSERequestHandler.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
at Unify.Product.IdentityBroker.LDAPConnection.d__35.MoveNext() - Result Code: Other ---> Unify.Product.IdentityBroker.LdapServerException: The server forcefully terminated the connection with the following reason: Internal Server Error #11: Unify.Product.IdentityBroker.UnifyLDAPException: Could not retrieve a valid last change number.
at Unify.Product.IdentityBroker.RootDSEGenerator.GetLastChangeNumber()
at Unify.Product.IdentityBroker.RootDSEGenerator.AddLastChangeNumber(IDictionary`2 resultAttributes)
at Unify.Product.IdentityBroker.RootDSEGenerator.BuildRootDseEntry(HashSet`1 attributes)
at Unify.Product.IdentityBroker.RootDSERequestHandler.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
at Unify.Product.IdentityBroker.LDAPConnection.d__35.MoveNext() - Result Code: Other
at Unify.Product.IdentityBroker.LdapConnection.GetMessage(Int32 messageId)
at Unify.Product.IdentityBroker.SearchRequest.Send(Func`2 send, Func`2 recv)
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.<.ctor>b__3_0()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at Unify.Product.IdentityBroker.LdapConnectionProxy.<>c__DisplayClass3_0.<.ctor>b__2()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at Unify.Product.IdentityBroker.LdapConnectionProxy.get_LdapSchema()
at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.1.3646.0"
Thanks
Entity Search taking long time for partitions that have a lot of entities
Hi Guys,
I've noticed with that latest version of UNIFYBroker v5.3 above that the Entity Search is slow for large partitions (both connectors and adapters that are usually around 300k-400k entities and about 20 or so attributes each record).
I am aware that some changes have been made to the entity search in recent versions and have raised tickets before about timeout that occur in some cases. I have noticed this occurring in both IIS and self hosted versions. The workaround for this currently is to increase the timeout value, but even when this is increase for larger connectors you can be waiting for 15~20 minutes or longer for the entity search to load. In previous versions of Broker (5.0) the old entity search would load the entities with 5~10 seconds.
So I'm proposing that the search doesn't necessarily need to be reverted but investigated as to why it take so long and to see if it can be improved. Let me know if you need any information on this, I'm happy to provide any information on environments this is currently affecting.
Thanks
Pre-Installation checks for UNIFYBroker Installer
Hi Guys,
Thought I would raise a feature request for this since over my last couple of upgrades of UNIFYBroker I have run into a couple of issues. Now that I have done a few installs I am now aware of a couple of these issues, but for those of us who may not be aware I think it would be a good idea to have a couple of checks in the installer (probably at the beginning like FIM Service installer has) before changes are made to UNIFYBroker.
The checks I wanted to raise are the following:
- Read/Write permissions to specific directories UNIFY Broker uses during the install (I haven't run into an issue with this but may be worth putting in)
- Account performing the install has DBOwner permissions to the UNIFYBroker database (I have been hurt by this issue a couple of times so I know it would be a great check to have)
- Check for correct version of .Net is installed on the machine
Of course all this is dependent on the installer used an how customization it is, but I think they would make a great addition.
Thanks
Error received while starting service after upgrade to v5.3.2
Hi Guys,
I have just tried to perform an upgrade of Identity Broker to the latest version (5.3.2) from 5.0.4. I have encounter a couple of errors along the way and am now stuck trying to start the UNIFYNow service. Please see my list of steps/errors below.
1. Tried to update the service using the automatic update option.
2. Encountered a database error while installing:
3. The Service installer attempted to rollback the install but failed leaving the original service uninstalled and services directory stripped of exe files (this isn't the first time this has happened to see ticket https://voice.unifysolutions.net/helpdesks/9/tickets/3720-failed-upgrade-from-idb-510-to-unifybroker-531)
At this stage I got some help to resolve this by installing the service again (manually this time) and manually ran the SQL update commands. We then came to the conclusion at this stage the the installer must be using the service all that is running the installer to execute the database commands where in both of these cases the account does not have permissions to do so, only to IDB service account has permissions to do so.
4. After manual install succeeded I attempted to start the service and it failed.
Please see the below attachments for errors and config.
Thanks
These binding are already included for newer versions, and the correct versions of these resources are embedded in Broker. Going to chalk this one up to a environmental issue regarding .NET and its resource loading.
FIM Delta Import Operations Timing Out on IDB
Hi Guys,
We are currently experiencing an issue about every one or two weeks, where all FIM operations that import from IdB just time out. IdB produces a few of errors and there is also one in the event log, please find all the errors below:
IDB Errors:
Handling of LDAP change log request.
Handling of LDAP change log request from user idBFull on connection 127.0.0.1:60915 requesting changelog records failed with error "This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)". Duration: 00:14:59.9875915.
An error occurred on client from 127.0.0.1:60915. More details:
Internal Server Error #11: System.ApplicationException: This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)
at System.Threading.ReaderWriterLock.AcquireReaderLockInternal(Int32 millisecondsTimeout)
at System.Threading.ReaderWriterLock.AcquireReaderLock(TimeSpan timeout)
at Unify.Framework.Data.LinqWhereQuery`5.GetEnumerator()
at Unify.Product.IdentityBroker.ChangeLogRequestHandler.<performsearch>d__4.MoveNext()
at Unify.Product.IdentityBroker.StoredSearchResults.MoveNext()
at Unify.Product.IdentityBroker.SearchRequestHandlerBase.<finalizesearchresults>d__13.MoveNext()
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.LDAPConnection.<respondtomessageasync>d__33.MoveNext()</respondtomessageasync></finalizesearchresults></performsearch>
Adapter
Adapter 274fbf2d-9b71-4466-9c88-7ba6e789e279 page errored on page reflection. Duration: 00:20:16.5869103. Error: System.ApplicationException: This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)
at System.Threading.ReaderWriterLock.AcquireWriterLockInternal(Int32 millisecondsTimeout)
at System.Threading.ReaderWriterLock.AcquireWriterLock(TimeSpan timeout)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.Adapter.ReflectChanges()
at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges()
at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<runbase>b__10_0(IOperationalAdapter adapter).
Error details:
System.ApplicationException: This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)
at System.Threading.ReaderWriterLock.AcquireWriterLockInternal(Int32 millisecondsTimeout)
at System.Threading.ReaderWriterLock.AcquireWriterLock(TimeSpan timeout)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.Adapter.ReflectChanges()
at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges()
at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<runbase>b__10_0(IOperationalAdapter adapter)</runbase></runbase>
Request to reflect change entities of the adapter.
Request to reflect change entities of the LDAP Group (274fbf2d-9b71-4466-9c88-7ba6e789e279) adapter errored with message: This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4). Duration: 00:20:16.7116713
Error details:
System.ApplicationException: This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)
at System.Threading.ReaderWriterLock.AcquireWriterLockInternal(Int32 millisecondsTimeout)
at System.Threading.ReaderWriterLock.AcquireWriterLock(TimeSpan timeout)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.Adapter.ReflectChanges()
at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges()
at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<runbase>b__10_0(IOperationalAdapter adapter)</runbase>
Event Log Error:
The extensible extension returned an unsupported error. The stack trace is: "Unify.Product.IdentityBroker.LdapOperationException: Operation timed out. at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request) at Unify.Product.IdentityBroker.LdapConnectionProxy.PartitionDeltaRequestPaged(String partitionDN, Int64 lastChangeNumber, Int32 pageSize) at System.Linq.Enumerable.d__14`2.MoveNext() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at System.Linq.Enumerable.d__14`2.MoveNext() at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items) at Unify.Product.IdentityBroker.ExtensionMethods.d__0`1.MoveNext() at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep) Forefront Identity Manager 4.1.3646.0"
I haven't noticed any one particular operation failure or time that causes this. The resolution is to restart the IdB service, after which deltas work as normal. Details on the services are as follows:
Identity Broker: 5.0.4
FIM: 4.1.3646.0
Let me know if you need any further testing done.Though it may be some time between updates as I cannot recreate the issue.
Thanks
Adapter not calculating changes
Hi Guys,
I've been on a few calls recently with a client where they are report delta imports not working on their Aurion Personnel management agent in FIM. I have jumped in their environment and had a look and did the following steps to troubleshoot the issue:
IdB and FIM troubleshooting
* Got client to make changes in Aurion
* Ran an Import all on IdB connector to bring in change
* Ran Delta Import on Aurion Personnel MA . MA runs successfully with no error. Also no error present in IdB logs
* Ran a Full Import and change flows in as expected.
* Tried increasing the operation timeout on the MA run profile and still runs as success with no changes.
* Tried manually generating changed entities on the adapter and running a delta import and still no changes.
DB troubleshooting
* Viewed change log table and was able to see changed record for the Adapter in the log
* Viewed the changes table for the Adapter and was not able to see the change.
* Checked entity table for duplicates and no duplicates present for the Adapter.
This issue is only present on this particular MA and as mentioned produces no errors. It almost seems like IdB is do generating changes correct on the Adapter. Please see below the details for the environment and the see the comments for support documents.
UNIFYBroker: 5.3.1
Aurion Connector: 5.3.0
SQL: 2014
Let me know if you need any further information.
Thanks
Web console error after idle time
CASA advised at a recent health check that "... when IDB (v5.3) page is left open for some time, an error page is shown. A refresh returns to normal operation"
I can confirm this intermittent behaviour was common for v4 but it appears to be happening with v5.
Customer to provide further detail on return from leave.
Customer support service by UserEcho