Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Exporting to SharePoint Orgs results in cd-error after incorrect Parent Org calculation
Hi There,
Current client is implementing a new HR system which is also authoritative for Org objects.
The Org objects are flowing through to SharePoint and were previously being sourced by Aurion.
During the deployment, the Parent Org calculation was incorrect and exported to SharePoint pointing to the incorrect parent Org. This resulted in a some MIM errors as you would expect (cd-error) - No further Event Viewer logs/info
As a result, the idMParentProfileReference attribute in IdentityBroker used to provide the Parent Org is now NULL for some objects. The good thing is that the Org structure does not look it has been updated or changed at this point.
We now have the correct Parent Org structure in MIM ready to export but the SharePoint Org exports continue to fail with a cd-error.
Referencing the idB for SharePoint prerequisites KB, it sounds as if these need to be filled manually the first time for these exports to succeed.
Example screenshot of before and after attached.
Before
After
I understand that the idMParentProfileReference needs to be filled in order for the Org structure to be managed as shown the example from the Prerequisites KB: Example below:
In order to manage SharePoint 2010 organization profiles, a field must be manually added to the SharePoint schema, and populated for any users who exist prior to enabling Identity Broker. This is required because SharePoint uses its own internal Record Id for resolving the parent reference with SharePoint, and this field cannot be set externally unless the corresponding SharePoint identifier for the parent profile is used. This is typically an organization unit code or identifier. This field should be either a string, integer, or distinguished name type in SharePoint, and will need to be appropriately configured in the Microsoft SharePoint 2010 Organization Profile Connector schema. The default connector configuration assumes a name of IdmProfileReference for this field.
In order to successfully provision and update hierarchy information for organization profiles, the connector requires this field containing the value of profile's reference in the identity management solution, and an additional field containing the profile's parent reference in a DN format (which does not need to be added to SharePoint). Refer to Microsoft SharePoint 2010 Organization Profile Connector for more information.
Does the idM Profile Reference need to be filled manually the first time / if it is NULL?
OR
Is it expected that MIM can write to it freely?
I'm just trying to get an understanding of why SharePoint wont accept the structure i'm exporting.
I have ensured that the DN format is correct and written as it was previously - I believe this has to do with the fact that incorrect parent Org DNs were exported in the first instance.
Imports of a test connector (Copy of the original connector) Show the following in Logs:
Request to import all entities from connector SP TEST.",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector,Information,"Import all entities from connector completed.
Import all entities from connector SP TEST return 868 entities. Duration: 00:00:00",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector Processor,Information,"Connector Processing started.
Connector Processing started for connector SP TEST (page 1)",Normal
20190620,00:39:51,UNIFY Identity Broker,Connector engine,Information,"Request to get the enabled state of the selected connector.
Request to get the enabled state of the 8955f94f-4373-424e-a502-e8d8bc2c1fd4 connector started.",Verbose
20190620,00:39:51,UNIFY Identity Broker,Connector engine,Information,"Request to get the enabled state of the selected connector.
Request to get the enabled state of the 8955f94f-4373-424e-a502-e8d8bc2c1fd4 connector completed. Duration: 00:00:00",Verbose
20190620,00:39:51,UNIFY Identity Broker,Connector Processor,Information,"Connector processing failed.
Connector Processing page 1 for connector SP TEST failed with reason The key has been duplicated.. Duration: 00:00:00.1875685.
Error details:
System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)
at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()",Normal
20190620,00:39:51,UNIFY Identity Broker,Change detection engine,Error,"Change detection engine import all items failed.
Change detection engine import all items for connector SP TEST failed with reason An error occurred while evaluating a task on a worker thread. See the inner exception details for information.. Duration: 00:00:11.2399393
Error details:
Unify.Framework.EvaluatorVisitorException: An error occurred while evaluating a task on a worker thread. See the inner exception details for information. ---> System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)
at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()
--- End of inner exception stack trace ---
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.CheckForException()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.WaitForCompletedThreads()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.Visit()
at Unify.Framework.Visitor.VisitEvaluateOnThreadPool[T](IEnumerable`1 visitCollection, Action`2 visitor, Int32 maxThreads)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetection(IEnumerable`1 connectorEntities)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
20190620,00:39:51,UNIFY Identity Broker,Void CheckForException(),Error,"Unify.Framework.DesignPatterns:
Unify.Framework.EvaluatorVisitorException: An error occurred while evaluating a task on a worker thread. See the inner exception details for information. ---> System.ArgumentException: The key has been duplicated.
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.DuplicateKeyBase(MultiKeyValue`1 arg1)
at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 originalEntities, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()
--- End of inner exception stack trace ---
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.CheckForException()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.WaitForCompletedThreads()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.Visit()
at Unify.Framework.Visitor.VisitEvaluateOnThreadPool[T](IEnumerable`1 visitCollection, Action`2 visitor, Int32 maxThreads)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetection(IEnumerable`1 connectorEntities)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Diagnostic
I'm not sure if this is directly related to this issue but this looks as though a NULL key has been added and may need to fixed up at the source.
Config copy attached
Any assistance would be appreciated.
Ryan
Hi Matt,
This ticket can now be closed - The issue here was directly related to the target system data locking the object and not allowing reference attributes to be exported correctly.
Active Directory connector doesn't support AD move operation (dn change) even though UNIFYAssure-Aurion-Sample uses it
UNIFYAssure-Aurion-Sample attempts to move AD user object by modifying the 'dn' attribute on the AD connector, but when it tries to do so this error appears in the log:
Here's the error I see in the UI:
Here's the PowerShell code from UNIFYAssure-Aurion-Sample:
Here are the Adapter config excerpts:
It might be that this wasn't a use case for the sample configuration. The DN can be changed during the update operation by instead using objectGUID
as the key.
UNIFYAssure-Aurion-Sample install reports that field names are reserved after restart
I just restarted my Broker instance (to try to clear a Link baseline sync that appeared unwilling to stop) and now I see this error in the dashboard. My install is a UNIFYAssure-Aurion-Sample with few changes other than a 'Request Schema' from AD and addition of a handful of other fields in Links and Lockers.
What should I do about it?
Hey Adrian,
Thanks for the suggestion. At this time, after some discussion we've concluded that it would potentially confuse people more if the connector schema was to automatically un-tick the box next to fields reserved by the LDAP specification.
The reason for this, is that it's perfectly acceptable to have these fields in the connector schema, and they will only be an issue when subsequently exposed on the adapter. However, it is a normal use case for a connector to not be exposed to an adapter directly; rather to be joined and aggregated on an existing adapter. In this case, the reserved field names would not be exposed down to the gateway so wouldn't cause any problems.
Documentation of supported Date and Timestamp field values in Broker CSV files
Could you please document the supported and recommended Date and Timestamp field values that can be used in Broker CSV connector data files?
Beau says he normally uses yyyy'-'MM'-'dd'T'HH':'mm':'ss'Z' (e.g. "2019-06-01T12:34:56Z").
Thanks Adrian. I've added it to our backlog to improve the documentation based on the above comments.
Broker/Plus Locker entity search Origin Info information is not clear or sufficient
I am a new Broker/Plus user and want to see where a Locker is getting its field values from, so I clicked on the Entity Id and then on Origin Info. This is the screen I see:
This doesn't tell me which Adapter contributed the current value for the sAMUsername field. I tried searching the Extensibility files for the Entity Id and Partition Id, but neither told me which Adapter the field value came from.
Could you please add the name of the Adapter that contributed the field value somewhere on this popup?
Also, it's not clear what the Type information here means. What does it mean that my 'sAMUsername' field is of type 'PlugIn'?
Authentication details have not been provided
Full imports for all 3 connectors, as well as polling imports for the employees connector are now all working. However polling imports are failing with a "Authentication details have not been provided" error for both Position and Position Occupancy as follows:
Change detection engine import changes for connector _KB_JadeStar Position Connector failed with reason The content type application/soap+xml; charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 676 bytes of the response were: '<?xml version="1.0" encoding="UTF-8"?> <soap:envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> <soap:body> <soap:fault> <soap:code> <soap:value>soap:Sender</soap:value> </soap:code> <soap:reason> <soap:text xml:lang="en">Error 1000 - Authentication details have not been provided.</soap:text> </soap:reason> <soap:detail> <tns:faultdetails xmlns:tns="urn:JadeWebServices/WebServiceZ2/"> <errorcode>1000</errorcode> <erroritem></erroritem> <errortext>Authentication details have not been provided.</errortext> </tns:faultdetails> </soap:detail> </soap:fault> </soap:body> </soap:envelope> '.. Duration: 00:00:00.2343790
Is it possible that the polling messages could be malformed for 2 connectors but OK for another?
The same exception is occurring for both v4 and v5 Broker connectors talking to the same endpoint.
Thanks
Voice doesn't have a category for tickets that apply to the Broker base product
Voice doesn't have a category for tickets that apply to the Broker base product. There are numerous options for agents and other things, but seemingly none for the Broker base product itself... unless that's what UNIFYCore is?
There also isn't a category for reporting bugs in Voice.
Hi Adrian, since this Broker forum there is not need for a Broker subcategory. Uncategorized is where you should post.
Adapter edit UI displays 'System.MissingMethodException: Method not found: 'Void Unify.Connect.Web.Client.AdapterClient..ctor(System.String)'' error in Broker 5.3.1.4
When I attempt to access an Adapter in the web UI in Broker 5.3.1.4 the following error screen appears. This happens for all existing Adapters, and as the last step when creating a new Adapter (which is written to the Extensibility config file just fine). The Agents, Connectors and other UI screens work just fine. I am using IIS on the same server as the Broker Service is installed, and Plus and a number of other agents are also installed (see below for details). The Extensibility files are based on a fresh install of all Broker packages.
The text is:
Error
System.MissingMethodException: Method not found: 'Void Unify.Connect.Web.Client.AdapterClient..ctor(System.String)'.
at Unify.Connect.Web.PlusControllerBase.get_AdapterClient()
at Unify.Connect.Web.LockerControllerFactory.<CreateComponent>b__0_0(HtmlHelper html, AdapterDetailsProviderInformation info)
at Unify.Connect.Web.AdapterDetailsProvider.WriteAll(HtmlHelper helper, AdapterDetailsProviderInformation adapterDetails)
at ASP._Page_Views_Adapter_AdapterDetails_cshtml.Execute() in c:\Program Files\UNIFY Solutions\Identity Broker\Web\Views\Adapter\AdapterDetails.cshtml:line 152
at System.Web.WebPages.WebPageBase.ExecutePageHierarchy()
at System.Web.Mvc.WebViewPage.ExecutePageHierarchy()
at System.Web.WebPages.StartPage.ExecutePageHierarchy()
at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage)
at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass1e.<BeginInvokeAction>b__1b(IAsyncResult asyncResult)
The error refers to line 152 of c:\Program Files\UNIFY Solutions\Identity Broker\Web\Views\Adapter\AdapterDetails.cshtml which reads as follows:
AdapterDetailsProvider.Instance.WriteAll(Html, adapterDetailsProviderInformation);
Here are details of the install:
UNIFYBroker
About: | UNIFYBroker v5.3.1 Revision #4 © 2004 - 2018 UNIFY Solutions Pty. Ltd. |
Support: | https://voice.unifysolutions.net/forums/6-identity-broker-forum/ |
Plug-in Version Details
Plugin Key | Version |
Microsoft Active Directory | 5.3.0.0 |
Aurion API connector | 5.3.0.0 |
Sync Changes | 5.3.0.2 |
Plus Change Tracking | 5.3.0.2 |
Connections | 5.3.0.2 |
Links | 5.3.0.2 |
Link Statistics | 5.3.0.2 |
Lockers | 5.3.0.2 |
Locker Statistics | 5.3.0.2 |
Provisioning | 5.3.0.2 |
Plus | 5.3.0.2 |
Here is a snapshot of the folder containing the file reported in the error:
Here are the Adapter Extensibility file entries that were created successfully:
Please let me know if there is any more information that you require.
Timeout on Chris 21 Connectors
I'm getting timeouts on some Chris21 connectors. They seem to be intermittent, sometimes it works fine. Using v4.1.x Identity Broker and Chris21 connector. The error I get is as follows:
Are there any settings I can tweak on the IdB side to resolve this or is this Chris21 ending the connection early? I think there's a batch size setting or something similar but IdB is so slow to load with this customer I can't check again.
Chris21 Connector Failing - no status attribute
From the looks of things it's the exact same issue at the same customer. I don't know if Jerry ever resolved it. I've attached the log entry that's showing the error. It's using Idb and Chris 21 versions 4.1.x. Their Chris21 instance is version 8.16.17.
Adam suggested running some Chris 21 query as a resolution but I'm not sure where that query should be run. Is this likely to be a misconfiguration of Chris21 or something with IdB? This is in a test environment.
Please let me know if you need any more information.
Customer support service by UserEcho