Identity Broker Forum


Answered

It seems the account that you run the installer needs...

Daniel Walters 6 years ago updated by Beau Harrison (Senior Product Software Engineer) 6 years ago 2

Converted to topic from comment on https://voice.unifysolutions.net/knowledge-bases/7/articles/2937-installing-the-unifybroker-service#

It seems the account that you run the installer needs permission to create the database. The installer does not use the service account to do this, even when you select the Service Account in the Authentication screen when attempting a new install of the database.

Answer

Hi Daniel

Yes, this is by design for security reasons. The service account is what the Broker service operates under and should have its assigned permissions limited appropriately. The installer runs under the signed-in account (presumably an administrator) who can have the expanded permissions required to create and configure the new database.

This Installation Prerequisites page details what permissions the service account requires.

Answered

Named Pipes requirement

Daniel Walters 6 years ago updated by Beau Harrison (Senior Product Software Engineer) 6 years ago 6

At a customer site there's a problem with the IDB requirement for the Named Pipes protocol in SQL. Named Pipes doesn't support some of the High Availability stuff they're doing and they're also critical of Named Pipes being a 2008 technology that has been superseded by TCP/IP. They want to at least turn Named Pipes off after installation. Is this supported? IdB seems to be functioning with Named Pipes turned off post installation.

Answered

How do I set sAMAccountName from Broker/Plus when provisioning, but then flow it back in from AD thereafter?

I need to set a user's account name when provisioning via Broker/Plus, but then flow that value back in from AD subsequently (so the value is picked up when joining to an existing AD account, and so that if the username can be changed in AD it will be automatically updated in Broker).

Can you please confirm whether or not the approach below will work, and advise if there is a better way to do it?

1. Set the Link mapping on the AD->Locker to Bidirectional for the AD username field
2. Set a value for the attribute in the Outgoing Pre-Provisioning Task

Answer

Hi Adrian

Your approach is correct; however, you won't need to set the username field as bidirectional on the AD->Locker link. Values set by the pre-provisioning task aren't affected by the mapping rules, so Adapter to Locker is fine.

On CheckFieldUniqueness, yes that function is available in outgoing pre-provisioning tasks.

Answered

Exporting to SharePoint Orgs results in cd-error after incorrect Parent Org calculation

Hi There,

Current client is implementing a new HR system which is also authoritative for Org objects.
The Org objects are flowing through to SharePoint and were previously being sourced by Aurion.


During the deployment, the Parent Org calculation was incorrect and exported to SharePoint pointing to the incorrect parent Org. This resulted in some MIM errors as you would expect (cd-error) - no further Event Viewer logs/info.

As a result, the idMParentProfileReference attribute in IdentityBroker used to provide the Parent Org is now NULL for some objects. The good thing is that the Org structure does not look like it has been updated or changed at this point.

We now have the correct Parent Org structure in MIM ready to export but the SharePoint Org exports continue to fail with a cd-error.

Referencing the idB for SharePoint prerequisites KB, it sounds as if these need to be filled manually the first time for these exports to succeed. 

Example screenshot of before and after attached.

Before

Image 5220

After

Image 5221



I understand that the idMParentProfileReference needs to be filled in order for the Org structure to be managed, as shown in the example from the Prerequisites KB. Example below:

Image 5222



In order to manage SharePoint 2010 organization profiles, a field must be manually added to the SharePoint schema, and populated for any users who exist prior to enabling Identity Broker. This is required because SharePoint uses its own internal Record Id for resolving the parent reference with SharePoint, and this field cannot be set externally unless the corresponding SharePoint identifier for the parent profile is used. This is typically an organization unit code or identifier. This field should be either a string, integer, or distinguished name type in SharePoint, and will need to be appropriately configured in the Microsoft SharePoint 2010 Organization Profile Connector schema. The default connector configuration assumes a name of IdmProfileReference for this field.
In order to successfully provision and update hierarchy information for organization profiles, the connector requires this field containing the value of profile's reference in the identity management solution, and an additional field containing the profile's parent reference in a DN format (which does not need to be added to SharePoint). Refer to Microsoft SharePoint 2010 Organization Profile Connector for more information.

Does the idM Profile Reference need to be filled manually the first time / if it is NULL? 

OR

Is it expected that MIM can write to it freely?

I'm just trying to get an understanding of why SharePoint won't accept the structure I'm exporting.
I have ensured that the DN format is correct and written as it was previously - I believe this has to do with the fact that incorrect parent Org DNs were exported in the first instance.

Imports of a test connector (copy of the original connector) show the following in the logs:

Request to import all entities from connector SP TEST.",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector,Information,"Import all entities from connector completed.
Import all entities from connector SP TEST return 868 entities. Duration: 00:00:00",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector Processor,Information,"Connector Processing started.
Connector Processing started for connector SP TEST (page 1)",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector engine,Information,"Request to get the enabled state of the selected connector.
Request to get the enabled state of the 8955f94f-4373-424e-a502-e8d8bc2c1fd4 connector started.",Verbose
20190620,00:39:51,UNIFY Identity Broker,Connector engine,Information,"Request to get the enabled state of the selected connector.
Request to get the enabled state of the 8955f94f-4373-424e-a502-e8d8bc2c1fd4 connector completed. Duration: 00:00:00",Verbose
20190620,00:39:51,UNIFY Identity Broker,Connector Processor,Information,"Connector processing failed.
Connector Processing page 1 for connector SP TEST failed with reason The key has been duplicated.. Duration: 00:00:00.1875685.
Error details:
System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)
at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()",Normal
20190620,00:39:51,UNIFY Identity Broker,Change detection engine,Error,"Change detection engine import all items failed.
Change detection engine import all items for connector SP TEST failed with reason An error occurred while evaluating a task on a worker thread. See the inner exception details for information.. Duration: 00:00:11.2399393
Error details:
Unify.Framework.EvaluatorVisitorException: An error occurred while evaluating a task on a worker thread. See the inner exception details for information. ---> System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)
at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()
--- End of inner exception stack trace ---
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.CheckForException()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.WaitForCompletedThreads()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.Visit()
at Unify.Framework.Visitor.VisitEvaluateOnThreadPool[T](IEnumerable`1 visitCollection, Action`2 visitor, Int32 maxThreads)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetection(IEnumerable`1 connectorEntities)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
20190620,00:39:51,UNIFY Identity Broker,Void CheckForException(),Error,"Unify.Framework.DesignPatterns:
Unify.Framework.EvaluatorVisitorException: An error occurred while evaluating a task on a worker thread. See the inner exception details for information. ---> System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)
at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()
--- End of inner exception stack trace ---
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.CheckForException()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.WaitForCompletedThreads()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.Visit()
at Unify.Framework.Visitor.VisitEvaluateOnThreadPool[T](IEnumerable`1 visitCollection, Action`2 visitor, Int32 maxThreads)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetection(IEnumerable`1 connectorEntities)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Diagnostic


I'm not sure if this is directly related to this issue but this looks as though a NULL key has been added and may need to be fixed up at the source.

Config copy attached

Any assistance would be appreciated.


Ryan

Answer
Ryan Crossingham 6 years ago

Hi Matt,

This ticket can now be closed - The issue here was directly related to the target system data locking the object and not allowing reference attributes to be exported correctly.
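Added example (not part of the original thread and not UNIFY's code): a Python triage script for log excerpts in the layout quoted in the post above. It keeps each multi-line quoted message as one record, takes the innermost .NET exception as the root cause, and reports it whatever severity the record was logged at (the "Connector processing failed" entry above is logged as Information). The sample log is constructed from lines in the post with stack traces shortened; the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above: date,time,product,module,
# severity,"multi-line message",level. Traces shortened; first line is a partial record.
SAMPLE_LOG = '''Request to import all entities from connector SP TEST.",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector,Information,"Import all entities from connector completed.
Import all entities from connector SP TEST return 868 entities. Duration: 00:00:00",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector Processor,Information,"Connector processing failed.
Connector Processing page 1 for connector SP TEST failed with reason The key has been duplicated.. Duration: 00:00:00.1875685.
Error details:
System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)",Normal
20190620,00:39:51,UNIFY Identity Broker,Change detection engine,Error,"Change detection engine import all items failed.
Change detection engine import all items for connector SP TEST failed with reason An error occurred while evaluating a task on a worker thread. See the inner exception details for information.. Duration: 00:00:11.2399393
Error details:
Unify.Framework.EvaluatorVisitorException: An error occurred while evaluating a task on a worker thread. See the inner exception details for information. ---> System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)",Normal
'''

EXC = re.compile(r"([A-Za-z_][\w.]*Exception): ")
CONNECTOR = re.compile(r"for connector (.+?) failed with reason")
FIELDS = ("date", "time", "product", "module", "severity", "message", "level")

def parse_records(text):
    """Parse records; the csv module keeps a quoted multi-line message as one field."""
    rows = csv.reader(io.StringIO(text, newline=""))
    # A complete record has seven fields; an excerpt that starts mid-entry does not.
    return [dict(zip(FIELDS, row)) for row in rows if len(row) == len(FIELDS)]

def root_cause(message):
    """Return (type, text) of the innermost exception: the last one in a '--->' chain."""
    for line in message.splitlines():
        hits = list(EXC.finditer(line))
        if hits:
            return hits[-1].group(1), line[hits[-1].end():].strip()
    return None

def triage(text):
    """Every record that carries an exception, whatever severity it was logged at."""
    findings = []
    for rec in parse_records(text):
        cause = root_cause(rec["message"])
        if cause:
            conn = CONNECTOR.search(rec["message"])
            findings.append({**rec, "exception": cause[0], "detail": cause[1],
                             "connector": conn.group(1) if conn else None})
    return findings

def summarize(findings):
    """Count findings per (exception type, exception text)."""
    return Counter((f["exception"], f["detail"]) for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["date"], f["time"], f["severity"], f["module"], f["connector"], f["exception"])
```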

Not a bug

Active Directory connector doesn't support AD move operation (dn change) even though UNIFYAssure-Aurion-Sample uses it

UNIFYAssure-Aurion-Sample attempts to move AD user object by modifying the 'dn' attribute on the AD connector, but when it tries to do so this error appears in the log:

Image 5213

Here's the error I see in the UI:

Image 5214

Here's the PowerShell code from UNIFYAssure-Aurion-Sample:

Image 5215

Here are the Adapter config excerpts:

Image 5216

Image 5217

Image 5218

Answer
Adam van Vliet 6 years ago

It might be that this wasn't a use case for the sample configuration. The DN can be changed during the update operation by instead using objectGUID as the key.

Not a bug

UNIFYAssure-Aurion-Sample install reports that field names are reserved after restart

Adrian Corston 6 years ago updated by Matthew Davis (Technical Product Manager) 6 years ago 8

I just restarted my Broker instance (to try to clear a Link baseline sync that appeared unwilling to stop) and now I see this error in the dashboard.  My install is a UNIFYAssure-Aurion-Sample with few changes other than a 'Request Schema' from AD and addition of a handful of other fields in Links and Lockers.

Image 5209

What should I do about it?

Answer

Hey Adrian,

Thanks for the suggestion. At this time, after some discussion we've concluded that it would potentially confuse people more if the connector schema was to automatically un-tick the box next to fields reserved by the LDAP specification.

The reason for this is that it's perfectly acceptable to have these fields in the connector schema, and they will only be an issue when subsequently exposed on the adapter. However, it is a normal use case for a connector to not be exposed to an adapter directly; rather to be joined and aggregated on an existing adapter. In this case, the reserved field names would not be exposed down to the gateway so wouldn't cause any problems.

Completed

Documentation of supported Date and Timestamp field values in Broker CSV files

Adrian Corston 6 years ago updated by Matthew Davis (Technical Product Manager) 6 years ago 4

Could you please document the supported and recommended Date and Timestamp field values that can be used in Broker CSV connector data files?

Beau says he normally uses yyyy'-'MM'-'dd'T'HH':'mm':'ss'Z' (e.g. "2019-06-01T12:34:56Z").

Answer

Thanks Adrian. I've added it to our backlog to improve the documentation based on the above comments.

Completed

Broker/Plus Locker entity search Origin Info information is not clear or sufficient

Adrian Corston 6 years ago in UNIFYBroker/Plus updated by Matthew Davis (Technical Product Manager) 3 months ago 4

I am a new Broker/Plus user and want to see where a Locker is getting its field values from, so I clicked on the Entity Id and then on Origin Info.  This is the screen I see:

Image 5203

This doesn't tell me which Adapter contributed the current value for the sAMUsername field.  I tried searching the Extensibility files for the Entity Id and Partition Id, but neither told me which Adapter the field value came from.

Could you please add the name of the Adapter that contributed the field value somewhere on this popup?

Also, it's not clear what the Type information here means.  What does it mean that my 'sAMUsername' field is of type 'PlugIn'?

Answer

This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly. 

Contribution Type still shows as "PlugIn", however the partition friendly name will display.

Fixed

Authentication details have not been provided

Full imports for all 3 connectors, as well as polling imports for the employees connector, are now all working. However, polling imports are failing with an "Authentication details have not been provided" error for both Position and Position Occupancy as follows:

Change detection engine import changes for connector _KB_JadeStar Position Connector failed with reason The content type application/soap+xml; charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 676 bytes of the response were: '<?xml version="1.0" encoding="UTF-8"?> <soap:envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> <soap:body> <soap:fault> <soap:code> <soap:value>soap:Sender</soap:value> </soap:code> <soap:reason> <soap:text xml:lang="en">Error 1000 - Authentication details have not been provided.</soap:text> </soap:reason> <soap:detail> <tns:faultdetails xmlns:tns="urn:JadeWebServices/WebServiceZ2/"> <errorcode>1000</errorcode> <erroritem></erroritem> <errortext>Authentication details have not been provided.</errortext> </tns:faultdetails> </soap:detail> </soap:fault> </soap:body> </soap:envelope> '.. Duration: 00:00:00.2343790 

Is it possible that the polling messages could be malformed for 2 connectors but OK for another?

The same exception is occurring for both v4 and v5 Broker connectors talking to the same endpoint.

Thanks

Answered

Voice doesn't have a category for tickets that apply to the Broker base product

Adrian Corston 6 years ago updated by Beau Harrison (Senior Product Software Engineer) 6 years ago 2

Voice doesn't have a category for tickets that apply to the Broker base product.  There are numerous options for agents and other things, but seemingly none for the Broker base product itself... unless that's what UNIFYCore is?

There also isn't a category for reporting bugs in Voice.

Image 5194

Image 5195

Answer

Hi Adrian, since this is the Broker forum there is no need for a Broker subcategory. Uncategorized is where you should post.