Identity Broker Forum


0
Answered

SID Mapping errors

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 8 years ago 28

This is a pre-existing issue, so could very well be environmental.  We're not meant to be fixing pre-existing issues, but if it's something simple it should be addressed.  

Any idea what might be causing this?


IdB5.x

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: No mapping between account names and security IDs was done (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done
   at Microsoft.Office.Server.Utilities.Win32.AdvApi.LookupAccountName(String lpSystemName, String lpAccountName, IntPtr Sid, Int32& cbSid, StringBuilder ReferencedDomainName, Int32& cchReferencedDomainName, SID_NAME_USE& peUse)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetSidFromAccount(String strAccountName, SID_NAME_USE[] IntendedAccountType, SID_NAME_USE& sidUse)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetSidFromAccount(String strAccountName, Int32 nMaxLengh)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetSidFromAccount(UserProfileApplicationProxy proxy, Guid partitionID, String strAccountName, Boolean isWindowsAccount)
   at Microsoft.Office.Server.UserProfiles.UserProfile..ctor(UserProfileManager objManager, String strAccountName, String strPreferredName)
...).


IdB3.x

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Invalid Property Value: Could not find SID corresponding to input account name. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
Microsoft.Office.Server.UserProfiles.PropertyInvalidValueException: Invalid Property Value: Could not find SID corresponding to input account name.
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.ValidatedPerson(Object value, UserFormat userFormat, UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.ValidatedSingleValue(Object value, ProfileSubtypeProperty prop, PropertyDataType propDataType, UserFormat userFormat, UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, SiteContext si)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.ValidatedValue(Object value, ProfileSubtypeProperty prop, PropertyDataType propDataType, UserFormat userFormat, UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, SiteContext si)
   at Microsoft.Office.Server.UserProfiles.ProfileValueC...).


Answer
anonymous 8 years ago

I'd recommend speaking with the SharePoint and/or sys admin, as this error is pretty low down in the SharePoint stack and is calling into native APIs (advapi32.dll LookupAccountName).

0
Fixed

User profile provisioning: System.Collections.Generic.KeyNotFoundException

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 8 years ago 3

Provisioning users to SharePoint for the 1st time on IdB 5.1 and encountered the following error.


System.Collections.Generic.KeyNotFoundException: The key 0799C19A00044B368A7D06D9AE23CC07 could not be found in the list of known profile types. The known types are UserProfile_GUID, SID, ADGuid, AccountName, FirstName, SPS-PhoneticFirstName, LastName, SPS-PhoneticLastName, PreferredName, SPS-PhoneticDisplayName, WorkPhone, Department, Title, SPS-JobTitle, Manager, AboutMe, PersonalSpace, PictureURL, UserName, QuickLinks, WebSite, PublicSiteRedirect, SPS-DataSource, SPS-MemberOf, SPS-Dotted-line, SPS-Peers, SPS-Responsibility, SPS-SipAddress, SPS-MySiteUpgrade, SPS-DontSuggestList, SPS-ProxyAddresses, SPS-HireDate, SPS-DisplayOrder, SPS-ClaimID, SPS-ClaimProviderID, SPS-ClaimProviderType, SPS-LastColleagueAdded, SPS-OWAUrl, SPS-SavedAccountName, SPS-SavedSID, SPS-ResourceSID, SPS-ResourceAccountName, SPS-ObjectExists, SPS-MasterAccountName, SPS-DistinguishedName, SPS-SourceObjectDN, SPS-LastKeywordAdded, WorkEmail, CellPhone, Fax, HomePhone, Office, SPS-Location, SPS-TimeZone, Assistant, SPS-PastProjects, SPS-Skills, SPS-School, SPS-Birthday, SPS-StatusNotes, SPS-Interests, SPS-EmailOptin, ResponsibleSupervisorEntities, AnalysisEntities, RoleLevel, CostCentre, Company, DaysAtOffice, StaffType, usrDivision, Team, GroupOrg, Branch, Floor, RoleDescriptionUrl
   at Unify.Product.IdentityBroker.SharePoint2010Utilities.ConvertAttributeToValues(KeyValuePair`2 attribute, IDictionary`2 profileTypes, IValueAdapter`2 referenceValueToUserProfileNameAdapter, UserProfileNameToStringAdapter userProfileToNameAdapter)
   at Unify.Product.IdentityBroker.SharePoint2010UserProfileConnector.<ConvertConnectorEntityToPropertyData>b__22_1(<>f__AnonymousType3`2 <>h__TransparentIdentifier0)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.SharePoint2010UserProfileConnector.ConvertConnectorEntityToPropertyData(IEnumerable`1 entity)
   at Unify.Product.IdentityBroker.SharePoint2010UserProfileConnector.AddEntity(IConnectorEntity entity, ISharePoint2010UserProfileService communicatorChannel)
   at Unify.Product.IdentityBroker.SharePoint2010UserProfileConnector.<>c__DisplayClass7_1.<AddEntities>b__1(IConnectorEntity entity)
   at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
   at Unify.Product.IdentityBroker.SharePoint2010UserProfileConnector.<>c__DisplayClass7_0.<AddEntities>b__0(ISharePoint2010UserProfileService channel)
   at Unify.Product.IdentityBroker.SharePointWCFAgent.Execute[TService](WcfCommunicatorFactory`1 serviceFactory, Action`1 service, Int32 maxItemsInObjectGraph)
   at Unify.Product.IdentityBroker.SharePoint2010UserProfileConnector.AddEntities(IEnumerable`1 entities, ISaveEntityResults`2 results)
   at Unify.Product.IdentityBroker.AuditAddingConnectorDecorator.AddEntities(IEnumerable`1 entities, ISaveEntityResults`2 results)
   at Unify.Product.IdentityBroker.EventNotifierAddingConnectorDecorator.AddEntities(IEnumerable`1 entities, ISaveEntityResults`2 results)


Answer
anonymous 8 years ago

I'll fix this up, it's the same as organisation.

0
Completed

Add Ability to include query parameters

Currently the default query for Import All is "*"

In TRIM, you can drill this down, such as "login:*" to get all users with a populated login attribute.

Would it be possible to add the ability to fill in a query string on the connector page, which - when filled, would override the "*" sent to the endpoint? 


I've tested this with the REST v8 and confirmed it works. Personally I need this for v4.1 but can see it being useful for newer connectors also.

Answer
anonymous 8 years ago

Feature implementation complete and is included in the following releases:

  • v4.1.1 RC3
  • v5.0.1 RC3
  • v5.1.0 RC6
  • v5.2.0 RC4

0
Answered

Restrict access to IIS

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 4

I have configured IdB to use IIS, but there is nothing in the doco to suggest that it should be restricted. 

http://voice.unifysolutions.net/topics/2943-configuring-identity-broker-for-use-with-iis/

Leaving access open to any authenticated user is potentially a security risk.  

I have configured IIS to only listen on 127.0.0.1, but presumably there is something else in IdB to perform this role.

How can IdB be restricted when using IIS?

Answer
anonymous 8 years ago

Hi Matt,

We removed the IDB auth settings from 5.0 as it was unmaintainable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page.)

For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc, using examples such as this one or settings found here. Up to the consultant and client how the restrictions look in line with what the requirements are.
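
One way to express the group-based IIS restriction mentioned above for 5.0 and 5.1, as an added example that is not part of the original reply or of the UNIFY documentation. The group name `CONTOSO\IdB-Admins` is a placeholder, and the fragment assumes the Windows Authentication and URL Authorization features are installed for the site hosting Identity Broker.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: merge these elements into the site's existing web.config. -->
<configuration>
  <system.webServer>
    <security>
      <!-- The authentication sections are locked at server level by default.
           Either unlock them for this site or set the same two values in
           IIS Manager (or applicationHost.config) instead of web.config. -->
      <authentication>
        <!-- Every request must carry a Windows identity. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <authorization>
        <!-- Weak default inherited from the server:
             <add accessType="Allow" users="*" />  (any user is allowed).
             Remove it so the rule below is the only Allow rule. -->
        <remove users="*" roles="" verbs="" />
        <!-- Placeholder group: only its members reach the application. -->
        <add accessType="Allow" roles="CONTOSO\IdB-Admins" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

With the inherited rule removed, an authenticated user outside the group receives HTTP 401 rather than the application.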

0
Answered

Adapter Transformation Trigger Behaviour

Daniel Walters 8 years ago updated by anonymous 8 years ago 3

Question about what triggers an adapter transformation to recalculate. Say I have a PowerShell adapter transformation that calculates the DN of a manager. Will that transformation only run again if the underlying connector is updated? If not, will an Import All on the connector trigger the adapter transformation to fire even on objects with no change in the connector?

Answer
anonymous 8 years ago

Hi Daniel,

All transformations run when an entity is determined to have changed; see Change Detection for details. PowerShell transformations do not participate in the change detection process. However, if you are calculating a manager DN based on another attribute on the adapter entity (e.g. the manager's detnumber or name), then the change to that attribute itself would trigger a change.

If the manager's details are retrieved via a Join Transformation, then any change to the attributes in the Join Criteria of both the entity in the base connector or to any entity in the relational connector which would join to the base entity will trigger a change.

The only issue you should encounter with changes not being automatically triggered for a PowerShell transformation would be if you are actually retrieving information from an external system as part of the transformation. There is currently no way for a PowerShell transformation to monitor external systems for changes.

Please let me know if you need further clarification.

0
Answered

Organisations: Object reference not set to an instance of an object.

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 8 years ago 12

I am exporting Organisations to SharePoint. As can be seen in the image below, the IdMParentProfileReference is being updated to include the full DN.


The following error is being thrown:

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Object reference not set to an instance of an object. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.SharePoint.SharePoint2010WCFService.UNIFYIdentityBrokerService.SharePoint2010OrganizationProfileService.<>c__DisplayClass29.<PopulateProfile>b__22(PropertyDataContract property)
   at Unify.Connectors.SharePoint.SharePoint2010WCFService.UNIFYIdentityBrokerService.EnumeratorExtensions.Visit[T](IEnumerable`1 enumerable, Action`1 action)
   at Unify.Connectors.SharePoint.SharePoint2010WCFService.UNIFYIdentityBrokerService.SharePoint2010OrganizationProfileService.PopulateProfile(OrganizationProfileData organizationProfile, OrganizationProfile profile, IEnumerable`1 schemaValueNames)
   at Unify.Connectors.SharePoint.SharePoint2010WCFService.UNIFYIdentityBrokerService.SharePoint2010OrganizationProfileService.UpdateOrganizationProfile(OrganizationProfileData organizationProfile, String[] schemaValueNames)
   at S...).


The IdMProfileReference is a reference between objects, so is set by the DN of the Parent Object. 

Do I need to configure the IdMProfileReference to the full DN, or should the adapter be converting?


Image 4344


Answer
anonymous 8 years ago

0
Fixed

"The method or operation is not implemented" during reflection

Matthew Woolnough 8 years ago updated by anonymous 8 years ago 6

20170622,04:40:15,UNIFY Identity Broker,Adapter,Error,"Adapter
Adapter d68b1c92-f699-4484-b543-328a0607375a page errored on page reflection. Duration: 00:00:01.6547524. Error: System.NotImplementedException: The method or operation is not implemented.
   at Unify.Product.IdentityBroker.EntityIdBIDTemplateDistinguishedNameComponentExecutor.GetKey()
   at System.Linq.Enumerable.<selectmanyiterator>d__16`2.MoveNext()
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.<selectmanyiterator>d__16`2.MoveNext()
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.KnownEntityBase`3.GetBaseKeysIter(TKey key)
   at Unify.Product.IdentityBroker.KnownEntityBase`3.GetValueOriginInformation(TKey key)
   at Unify.Product.IdentityBroker.EntityToEntityValueOriginsAdapter`2.<>c__DisplayClass3_0.<transform>b__0(GroupedNameValueCollectionKey schemaKey)
   at System.Linq.Enumerable.<selectmanyiterator>d__16`2.MoveNext()
   at System.Linq.Enumerable.<selectmanyiterator>d__16`2.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.Adapter.WriteReflectionPageAdapterChanges(IAdapterEntityPartitionUpdatableContext adapterContext, IDictionaryTwoPassDifferenceReport`4 report, IAdapterEntity[] newAdapterEntities)
   at Unify.Product.IdentityBroker.Adapter.ReflectChangesInner()
   at Unify.Product.IdentityBroker.Adapter.ReflectChanges()
   at Unify.Product.IdentityBroker.AdapterAuditingDecorator.ReflectChanges()
   at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges()
   at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<runbase>b__9_0(IOperationalAdapter adapter).

Answer
anonymous 8 years ago

Please try placing the following file Unify.IdentityBroker.Entity.Schema.dll into the Services directory and restarting the service.

0
Fixed

An error occurred at the adapter level, before the entity was exported to the connector.

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 8 years ago 11

Error exporting users to SharePoint:

Unify.Framework.UnifyDataException: An error occurred at the adapter level, before the entity was exported to the connector. Check the logs for any exceptions related to the export.
   at Unify.Product.IdentityBroker.Adapter.<>c.<.ctor>b__24_5

Answer
anonymous 8 years ago

Hi Matt, Please replace the following DLL: Unify.Connectors.Microsoft.SharePoint.dll and re-request the schema - the RecordId field should swap to not required.

0
Answered

Connector Test Harness Not Working v5.1.0 with IdB Plus

Daniel Walters 8 years ago updated by anonymous 8 years ago 7

I've attempted to install the Connector Test Harness. I unzipped the folder and placed the files in the web bin as directed. After a restart of the service there is no PlugIns link in the menu bar. I navigated manually to http://localhost:8008/plugin and it served a page but with just a title saying PlugIns and nothing else.

Installed components:

  • Identity Broker 5.1.0
  • Identity Broker Plus 5.1.0
  • Identity Broker for Chris21 5.1.0
  • Identity Broker for Active Directory 5.1.0

Answer
anonymous 8 years ago

Hi Daniel,

Can you please remove Unify.IdentityBroker.Connector.TestHarness.dll from the Web\bin directory and instead add Unify.Connect.Web.Connector.TestHarness.dll.

0
Answered

Add request failed as the converted DN blah does not match the request DN otherBlah

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 8 years ago 9

Seeing the error below in exporting users to SharePoint.

Is there a DN requirement in SharePoint?


Add request failed as the converted DN UID=18df1b3e-7787-429b-b0a0-ddad2ed4b1a4,OU=SPUsers,DC=IdentityBroker does not match the request DN CN=wxli,OU=SPUsers,DC=IdentityBroker.

Answer
anonymous 8 years ago

Hi Matt,

This error indicates that the DN that you are generating in your IDM platform differs from the DN generated by Identity Broker based on the Distinguished Name Template for your adapter. You'll need to reconfigure one or the other so that they match. Just a note that if you use @IdBID in the DN template, you will also need to supply a value for the entryUUID field as part of your add requests.