Identity Broker Forum

0
Answered

Two adapters with the same object class in UNIFYBroker 5

Adrian Corston 5 years ago updated by Beau Harrison (Senior Product Software Engineer) 5 years ago 1

I am migrating an Identity Broker 4 customer to UNIFYBroker 5, and they have two MIM-consumed adapters using the same object class "person". UNIFYBroker 5 won't let me configure two adapters with the same object class, even if single schema mode is disabled.

Is this something that could be changed, to allow me to use the same object class on two adapters?  The object classes are hard-coded in the customer's MIM rules extensions, so it is preferable to keep them unchanged the way they were in Identity Broker 4.

Answer

Hi Adrian,

This is not possible. The LDAP specification requires all object types be uniquely named. The rules extension will need to be changed.

0
Fixed

Sequence contains more than one element

Hayden Gray 5 years ago updated by Beau Harrison (Senior Product Software Engineer) 5 years ago 4

Hi Guys,

Getting this error when trying to do DIDS operations in FIM. Issue started last night and all DI operations appear to be failing now. I'm doing Full imports now as a workaround for now.

Reading through a similar ticket I stumbled across this one Richard had raised quite a while ago:
https://voice.unifysolutions.net/communities/6/topics/474-delta-imports-from-idb-on-ldap-groups-consistently-fail-with-sequence-contains-more-than-one

The comments on this ticket say that this was resolved in v5.0.2 however the version in this environment is v5.0.4. For some additional information the version of FIM is 4.1.3646.0.

The extensible extension returned an unsupported error.
The stack trace is:
"Unify.Product.IdentityBroker.LdapOperationException: Internal Server Error #11: System.InvalidOperationException: Sequence contains more than one element
at System.Data.Linq.SqlClient.SqlProvider.Execute(Expression query, QueryInfo queryInfo, IObjectReaderFactory factory, Object[] parentArgs, Object[] userArgs, ICompiledSubQuery[] subQueries, Object lastResult)
at System.Data.Linq.SqlClient.SqlProvider.ExecuteAll(Expression query, QueryInfo[] queryInfos, IObjectReaderFactory factory, Object[] userArguments, ICompiledSubQuery[] subQueries)
at System.Data.Linq.SqlClient.SqlProvider.System.Data.Linq.Provider.IProvider.Execute(Expression query)
at System.Data.Linq.Table`1.System.Linq.IQueryProvider.Execute[TResult](Expression expression)
at Unify.Framework.Data.LinqQueryConversionProvider`5.ExecuteMethodCallExpression[TResult](MethodCallExpression methodCallExpression)
at Unify.Framework.Data.LinqQueryConversionProvider`5.Execute[TResult](Expression expression)
at System.Linq.Queryable.SingleOrDefault[TSource](IQueryable`1 source, Expression`1 predicate)
at Unify.Product.IdentityBroker.ChangeLogToLDAPEntryConverter.EntryUuidAttributeValue(IChangeLogItem sourceValue, IDictionary`2 partialAttributes)
at Unify.Product.IdentityBroker.ChangeLogToLDAPEntryConverter.Transform(IChangeLogItem sourceValue)
at Unify.Product.IdentityBroker.SearchRequestHandlerBase.d__13.MoveNext()
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.LDAPConnection.d__33.MoveNext()
at Unify.Product.IdentityBroker.LdapConnection.GetMessage(Int32 messageId)
at Unify.Product.IdentityBroker.SearchRequest.Send(Func`2 send, Func`2 recv)
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.PartitionDeltaRequestPaged(String partitionDN, Int64 lastChangeNumber, Int32 pageSize)
at System.Linq.Enumerable.d__14`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.d__14`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.d__0`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.1.3646.0"

This is currently a high priority ticket so any help is greatly appreciated.

Thanks,

Hayden

0
Under review

Slow connector/adapter entity searches, neither SQL nor Unify.Service.Connect are consuming excessive CPU or memory

Adrian Corston 5 years ago updated by Matthew Davis (Technical Product Manager) 3 years ago 3

On various connectors and adapters with ~40,000 entities I see slow performance in the Entity Search screen - typically approximately 30 seconds to refresh and display 10 records.

This performance is consistent regardless of whether a filter is set or not - same speed even when showing just one record.

After stopping the Broker service and rebuilding all SQL table indexes there was no change in performance.

The SQL server and Broker service are on the same server, which is a VM with 4 vCPUs and 16GB of memory.  SQL is using 8GB of memory and Broker ranges from 200MB to 1GB depending on what it is processing at the time.  Entity Search performance is the same regardless of whether or not the Scheduler is enabled or disabled.

While the Entity Search screen is refreshing, SQL uses around 5-10% of CPU, and Unify.Service.Connect similarly uses around 5-10% of CPU, and the system CPU is mostly idle.  Disk activity jumps from a background maximum of around 100KB/sec to a consistent 10MB/sec while the Entity Search screen is refreshing, so this would appear to be at the root of the issue.

Do you have any suggestions how the system might be tuned to improve performance?

0
Under review

Request Identifier on log entries

Adrian Corston 5 years ago updated by Matthew Davis (Technical Product Manager) 3 years ago 4

When looking through the logs in UNIFYBroker, I find it difficult to associate all log messages that relate to one request that has been executed.  This is particularly difficult on a busy live system where multiple operations are happening in parallel and log entries are interleaved.

It would be very beneficial to include a request identifier on every log entry, to indicate which request the log entry relates to.  That way all the log entries for one request could be extracted and viewed separately, to give a convenient and complete picture of all of the logged outcomes of that request.  It would also make it possible to generate a high level request list summary, by extracting just the first log entry for each request.  This would be incredibly useful when investigating problems and logging voice tickets.

e.g.

| Timestamp | Request Description | Request ID |
| --- | --- | --- |
| 2019-07-20 01:39:49 | Request to manually queue a baseline synchronization job on link started. Request to manually queue a baseline synchronization job on link Chris21 DET started. | ae4dffd3-f857-4074-957b-5be0a10b201b |
| 2019-07-20 01:47:40 | Request to sync adapter to locker started. Synchronization job started syncing 42942 changes on the 'Chris21 DET' link from the adapter to locker. | 017f4072-470e-47fd-83cb-13b9c9d03c90 |

There is a Job ID on some types of log entries, but most don't have it, which means it isn't really suitable for this purpose.

0
Answered

New deployment reporting "Request to retrieve adapter schema for adapter with id <x> failed with message A partition could not be found with id <x>"

Adrian Corston 5 years ago updated by Matthew Davis (Technical Product Manager) 5 years ago 2

During initial data load of a new environment I noticed one of my Adapters (for a Connector with 9,761 objects, with only one Transformation, a Time Offset Flag) had pending changes that were not processing.  There were no corresponding errors in the log for it, so I ran Clear Entities, watched the Pending Changes clear to 0, then ran Generate Changes.  At this time nothing was written to the log to indicate processing was under way, but the SQL Server was using 100% of one CPU.  After some time with no evident progress I stopped the UNIFYBroker service, and the SQL Server stopped using CPU.  I restarted the UNIFYBroker service, and the CPU usage returned to 100% of one CPU and this error was written in the log several times.  Since then, nothing has been written to the log and the Pending Changes counter has remained unchanged at 9,761.

Unify.Framework.UnifyEngineException: A partition could not be found with id ae6aa686-33ae-41ba-9462-5f26793f5216.
at Unify.Product.IdentityBroker.AdapterEngine.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterEngineAuditingDecorator.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterEngineNotifierDecorator.<>c__DisplayClass6_0.b__0()
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult,TFactory](TFactory notificationFactory, Func`1 action, Action`2 modifyFactory)
at Unify.Product.IdentityBroker.AdapterEngineNotifierDecorator.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterEngineAccessor.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterStatisticsEngine.GetEntityCount(Guid adapterId)",Normal
20190719,10:51:30,UNIFYBroker,Unify.Product.IdentityBroker.IEntitySchema GetPartitionSchema(System.Guid),Warning,"Unify.IdentityBroker.Adapter.Engine:
Unify.Framework.UnifyEngineException: A partition could not be found with id ae6aa686-33ae-41ba-9462-5f26793f5216.
at Unify.Product.IdentityBroker.AdapterEngine.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterEngineAuditingDecorator.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterEngineNotifierDecorator.<>c__DisplayClass6_0.b__0()
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult,TFactory](TFactory notificationFactory, Func`1 action, Action`2 modifyFactory)
at Unify.Product.IdentityBroker.AdapterEngineNotifierDecorator.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterEngineAccessor.GetPartitionSchema(Guid partitionId)
at Unify.Product.IdentityBroker.AdapterStatisticsEngine.GetEntityCount(Guid adapterId)",Normal

Could you please suggest what the cause of the error might be, and tell me how to get UNIFYBroker to commence processing the pending changes?

UNIFYBroker v5.3.2 Revision #0
Microsoft Active Directory 5.3.0.0
Chris21 Connector 5.3.0.0
Sync Changes 5.3.0.2
Plus Change Tracking 5.3.0.2
Connections 5.3.0.2
Links 5.3.0.2
Link Statistics 5.3.0.2
Lockers 5.3.0.2
Locker Statistics 5.3.0.2
Provisioning 5.3.0.2
Plus 5.3.0.2

Windows Server 2016 Datacenter + SQL Server 2012 (both UNIFYBroker + SQL running on the same server)

Answer
anonymous 5 years ago

Resolution courtesy of Matt: stop the UNIFYBroker service and rebuild the highly fragmented UNIFYBroker database table indexes.

0
Answered

Connector Entity Search Screen Issue

Rizwan Ahmed 5 years ago updated by Beau Harrison (Senior Product Software Engineer) 5 years ago 5

On UNIFYBroker Service v5.3.2 RTM navigate to Connector Entity Search screen, click on any entity ID

The browser navigates back to the Connectors screen rather than presenting the full details of the record.

0
Answered

Binding UNIFYBroker endpoint/API to https

Paul Zelenewicz 5 years ago updated by Beau Harrison (Senior Product Software Engineer) 5 years ago 5

Hi team, 

Is it possible to bind the UNIFYBroker API/endpoint (http://servername:5999[0/1]) to https?

Answer

Hi Paul, we don't have it documented, but it is possible.

  1. Ensure your certificate is installed as a local machine certificate, not a user certificate.
  2. Follow these instructions: "To bind an SSL certificate to a port number". The appid can be any valid GUID.
  3. Update the configuration for the API. If you're modifying the default API, make sure you have a correctly configured web component ready to confirm the API changes.

Let me know if anything is incorrect or unclear. I'll turn these instructions into proper documentation based on your feedback.
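
Steps 1 and 2 of the answer above as an added PowerShell example; it is not part of the original answer and not UNIFY's own script. The host name and port are placeholder assumptions, step 3 (the API configuration change) is product-specific and not shown, and the commands need an elevated prompt.

```powershell
# Added example. $hostName and $port are assumptions: replace them with the
# name on your certificate and the port the UNIFYBroker API listens on.
$hostName = 'servername.example.com'
$port     = 59991

# Step 1: the certificate must live in the local machine store, not CurrentUser.
# Pick the unexpired certificate for the host with the latest expiry date.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate for '$hostName' found in Cert:\LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    # Without the private key in the machine store the TLS handshake cannot complete.
    throw "Certificate $($cert.Thumbprint) has no private key in the machine store"
}

# Step 2: bind the certificate to the port. The appid can be any valid GUID.
# The arguments are quoted so PowerShell does not parse the braces as a script block.
$appId = [guid]::NewGuid().ToString('B')
& netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE"
}

# Confirm the binding that HTTP.sys will now use for this port.
& netsh http show sslcert "ipport=0.0.0.0:$port"
```

Record the thumbprint and appid that were bound: when the certificate is renewed, the old binding has to be removed with `netsh http delete sslcert` before the new thumbprint can be added on the same port.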

0
Answered

Web Service Communicator over HTTPS

Daniel Walters 5 years ago updated by Adam van Vliet 5 years ago 2

What do I need to do with a web service URL that is https? I'm assuming I'll need a certificate installed somewhere. Do I just need to install it to the machine where broker is running? Is there anything else I need to do to communicate over https?

Answer
Daniel Walters 5 years ago

It looks like it has connected without a certificate... Was just trying to be prepared.

0
Answered

Is there now a recommendation to run Broker on IIS?

Daniel Walters 5 years ago updated by Beau Harrison (Senior Product Software Engineer) 5 years ago 2

This page https://voice.unifysolutions.net/knowledge-bases/7/articles/2942-configuring-unifybroker-for-use-with-embedded-web-server says that using the embedded server as of v5.2 is deprecated. Is this correct? If so, can we get some kind of company announcement about something like this because I've just installed without IIS at a client and told them we wouldn't be using IIS.

Answer

Yes, this is correct. It was announced around the time v5.2 was first released. That would have been around May 2017.

In any case, it's fine to use the embedded web server for now. It is still supported, but is no longer the recommended way of hosting Broker. Being deprecated means there are better options available and it is slated to be removed at some point so isn't a future-proof solution.

0
Answered

It seems the account that you run the installer needs...

Daniel Walters 5 years ago updated by Beau Harrison (Senior Product Software Engineer) 5 years ago 2

Converted to topic from comment on https://voice.unifysolutions.net/knowledge-bases/7/articles/2937-installing-the-unifybroker-service#

It seems the account that you run the installer needs permission to create the database. The installer does not use the service account to do this, even when you select the Service Account in the Authentication screen when attempting a new install of the database.

Answer

Hi Daniel

Yes, this is by design for security reasons. The service account is what the Broker service operates under and should have its assigned permissions limited appropriately. The installer runs under the signed in account (presumably an administrator) who can have the expanded permissions required to create and configure the new database.

This Installation Prerequisites page details what permissions the service account requires.