Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Account Expired due to Excessive Failed Sign On
Hi,
I recentley change my Password for the Workday Agent Account, and it keeps locking the Workday Account as excessive logins.
Is this something that was change recentley to Workday, i still rememer only changing it in 1 place and then it would not lock the account again, not sure if this might have changed, even left it for 24hr to propegate and it still locks the account.
I also notice that the Active Connections goes to about 12 then back to 2.
Here are the versions that i am Running.
Workday Connector Identity Broker | 5.0.0.5 V 5.0.4 |
Nothing has changed in the connector code. I'd recommend contacting our support as it sounds like Workday have broken something again - and at the very least would require some analysis of what's going on.
Thanks.
KeyNotFoundException on Sharepoint Org export
Error being encountered exporting data to Sharepoint org connector
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Unify.Product.IdentityBroker.SharePoint2010Utilities.ConvertAttributeToValues(KeyValuePair`2 attribute, IDictionary`2 profileTypes, IValueAdapter`2 referenceValueToUserProfileNameAdapter, UserProfileNameToStringAdapter userProfileToNameAdapter)
at Unify.Product.IdentityBroker.SharePoint2010OrganizationProfileConnector.<ConvertConnectorEntityToOrganizationProfileData>b__34_3(<>f__AnonymousType4`2 <>h__TransparentIdentifier1)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.SharePoint2010OrganizationProfileConnector.ConvertConnectorEntityToOrganizationProfileData(IConnectorEntity connectorEntity)
at Unify.Product.IdentityBroker.SharePoint2010OrganizationProfileConnector.UpdateEntity(IConnectorEntity entity, ISharePoint2010OrganisationProfileService communicatorChannel, ISaveEntityResults`2 results)
Perfect, thanks for that!
This should fix it: Unify.Connectors.Microsoft.SharePoint.dll
Unable to write data to the transport connection
The above exception was logged earlier this morning in the IdB log. I only noticed this because the adapter was RED on the IdB dashboard during an export operation, and I decided to search the logs. Initially my search for "exception" found nothing, but a subsequent search for "error" returned this from 3:25 am this morning:
Handling of LDAP change log request. Handling of LDAP change log request from user MIM_IDBMA on connection 127.0.0.1:65355 failed with error "Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.". Duration: 00:08:13.5165781.
I was actually following up on another older error from November, and otherwise would not have noticed this problem. Interestingly there was evidence an hour earlier of a data inconsistency in the CORP AD forest which since seems to have been resolved (AD enforces uniqueness of UPN, so I can't understand how the IdB adapter could be complaining of duplicate DNs when the DN is derived from an enforced unique attribute - unless there is a timing issue due to the processing of deltas such that there is a problem after a rename until the next connector full import removes a duplicate):
Handling of LDAP change log request. Handling of LDAP change log request from user MIM_IDBMA on connection 127.0.0.1:60870 failed with error "Found multiple entities with the distinguished name 'CN=servicio@pr.qbe.com,OU=LicensedUsers,DC=IdentityBroker'.". Duration: 00:00:01.2500019.
I am only speculating that this export error had something to do with the adapter integrity issue which appears to be due to a shortcoming of the delta processing logic.
I am also now wondering if this exception may be leading to others as a result of compromised integrity.
Extract from log as follows:
20170612,17:25:02,UNIFY Identity Broker,Adapter,Information,"Request to reflect change entities of the adapter. Request to reflect change entities of the AAD User Licensing (03228c30-2401-41a9-9977-57a75423829c) adapter completed with 0 adds, 31 updates and 0 deletes across 1 pages. Duration: 00:05:07.2662214",Normal 20170612,17:25:02,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP change log request. Handling of LDAP change log request from user MIM_IDBMA on connection 127.0.0.1:65355 failed with error ""Unable to write data to the transport connection: An established connection was aborted by the software in your host machine."". Duration: 00:08:13.5165781.",Normal 20170612,17:25:02,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request. Handling of LDAP change log request from user MIM_IDBMA on connection 127.0.0.1:65534 completed successfully. Added: 0. Modified: 0. Renamed: 0. Deleted: 1. Total: 1. Duration: 00:03:01.7347333.",Normal 20170612,17:25:03,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import changes started. Change detection engine import changes for connector CORP AD Group started.",Normal 20170612,17:25:03,UNIFY Identity Broker,Connector,Information,"Request to import changes from connector. Request to import changes from connector CORP AD Group.",Normal 20170612,17:25:03,UNIFY Identity Broker,Connector,Information,"Import changes from connector completed. Import changes from connector CORP AD Group reported 0 changes. Duration: 00:00:00",Normal 20170612,17:25:03,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import changes completed. Change detection engine import changes for connector CORP AD Group returned 0 possible changes. Duration: 00:00:00.5000092",Normal 20170612,17:25:05,UNIFY Identity Broker,Adapter,Information,"Request to reflect change entities of the adapter. Request to reflect change entities of the AAD User Licensing (03228c30-2401-41a9-9977-57a75423829c) adapter completed with 0 adds, 21 updates and 0 deletes across 1 pages. Duration: 00:00:00.2967598",Normal
Using: UNIFY Identity Broker Management Studio, v5.0.5 Revision #0
Using Plugin:
| Microsoft Active Directory | 5.0.1.2 |
Hi Bob,
The error
Handling of LDAP change log request from user MIM_IDBMA on connection 127.0.0.1:65355 failed with error "Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.". Duration: 00:08:13.5165781.
indicates that upon completing the handling of a changelog request, Identity Broker found that the LDAP connection was dropped by the client. Given that the duration of the operation is over 8 minutes, I'm assuming that this is exceeding your timeout.
The long duration could be caused by high activity on the Identity Broker server. You could try increasing the timeout, but if the issue is resolving itself (activity dropping and subsequent imports succeeding) then perhaps leaving the connections to timeout is the best solution to prevent the client blocking downstream processing during these busy periods.
I don't believe this is related to the duplicate DNs. Have you checked the entity context, from the UI or from SQL, to check for the duplicate DNs?
System.FormatException: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
The above exception was thrown when searching for a DN in the adapter space.
3 issues:
- While perfectly reasonable that such a search is nonsensical at a low enough level, the user experience is horrible. No error should be thrown at all, just no results returned. If, however, an error has to be returned it should be in the form of a user friendly message on the page (or in the old days this would have been in a dialog) - without the ugly stack trace.
- It is not clear from the search page how one should search for the DN of an object that appeared in the logs. The alignment of the data grid with the column header was skewed and I incorrectly guessed that the column header for IdBId might have been the DN header.
- I was unable to clear the adapter entity search filter after this error.
Using: UNIFY Identity Broker Management Studio v5.0.5 Revision #0
Full error message as follows:
System.FormatException: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). at System.Guid.GuidResult.SetFailure(ParseFailureKind failure, String failureMessageID, Object failureMessageFormatArgument, String failureArgumentName, Exception innerException) at System.Guid.TryParseGuidWithNoStyle(String guidString, GuidResult& result) at System.Guid.TryParseGuid(String g, GuidStyles flags, GuidResult& result) at System.Guid.Parse(String input) at Unify.Connect.Web.GuidIdentifierEntitySearchUtility`1.<.ctor>b__3(AdapterEntityValueCollectionKey schemaKey, String value, IDictionary`2 schema) at Unify.Connect.Web.OperatorEntitySearchUtility`1.EntityConversion(AdapterEntityValueCollectionKey schemaKey, String value, IDictionary`2 schemaConfiguration) at Unify.Connect.Web.IdentifierEntitySearchUtilityBase`1.GenerateSearchFunction(IIdentifierEntitySearchInformation searchInformation, IDictionary`2 schema) at Unify.Connect.Web.IdentifierEntitySearchUtility`2.GenerateSearchFunction(IIdentifierEntitySearchInformation searchInformation, IDictionary`2 schema) at Unify.Connect.Web.EntitySearchContainerContext`1.<>c__DisplayClass8.<Evaluate>b__2(IQueryable`1 entity) at Unify.Connect.Web.AndEntitySearchContainerOperatorContext`1.Evaluate(IQueryable`1 leftSideQuery, IQueryable`1 rightSideQuery, EntityEvaluator`2 innerQueryableEvalution) at Unify.Connect.Web.EntitySearchContainerContext`1.GenerateQueryableFunction(String contextDescriptor, String operator, IQueryable`1 leftSideQuery, EntityEvaluator`2 queryableEvaluation, IQueryable`1 outerQuery) at Unify.Connect.Web.EntitySearchContainerContext`1.Evaluate(IEntitySearchContainerInformation contextInformation, IDictionary`2 schema, IQueryable`1 innerQuery, IQueryable`1 outerQuery) at Unify.Connect.Web.EntitySearchContainerContext`1.<>c__DisplayClass4.<>c__DisplayClass6.<Evaluate>b__1(IQueryable`1 queryable) at Unify.Connect.Web.AndEntitySearchContainerOperatorContext`1.Evaluate(IQueryable`1 leftSideQuery, IQueryable`1 rightSideQuery, EntityEvaluator`2 innerQueryableEvalution) at Unify.Connect.Web.EntitySearchContainerContext`1.GenerateQueryableFunction(String contextDescriptor, String operator, IQueryable`1 leftSideQuery, EntityEvaluator`2 queryableEvaluation, IQueryable`1 outerQuery) at Unify.Connect.Web.EntitySearchContainerContext`1.<>c__DisplayClass4.<Evaluate>b__0(IEntitySearchContainerInformation innerContainer) at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor) at Unify.Connect.Web.EntitySearchContainerContext`1.Evaluate(IEntitySearchContainerInformation contextInformation, IDictionary`2 schema, IQueryable`1 innerQuery, IQueryable`1 outerQuery) at Unify.Connect.Web.IdentityBrokerEntitySearchController.CurrentBusinessEntities[TInEntity,TOutEntity](IQueryable`1 source, EntityRetrievalInformation information, IDictionary`2 valueSearchUtility, IDictionary`2 entityOrderFunctions, IEntitySearchContainerContext`2 searchContainerContext) at Unify.Connect.Web.IdentityBrokerEntitySearchController.CurrentEntities(EntityRetrievalInformation information) at Unify.Connect.Web.IdentityBrokerEntitySearchController.SearchEntities(Guid partitionId, Nullable`1 pageSize, Nullable`1 pageNumber, String groupColumn, Nullable`1 ascending, String searchContext) at Unify.Connect.Web.AdapterController.SearchEntities(Guid partitionId, Nullable`1 pageSize, Nullable`1 pageNumber, String groupColumn, Nullable`1 ascending, String searchContext) at lambda_method(Closure , ControllerBase , Object[] ) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__36(IAsyncResult asyncResult, ActionInvocation innerInvokeState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3c() at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass45.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3e() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass30.<BeginInvokeActionMethodWithFilters>b__2f(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass1e.<>c__DisplayClass28.<BeginInvokeAction>b__19() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass1e.<BeginInvokeAction>b__1b(IAsyncResult asyncResult)
Hey Bob,
Thanks for raising this one. The issue of clearing the search is fixed in 5.1 onwards, and the user experience of error messages has been improved for future versions of IDB.
Server too busy
After leaving IdB for an extended period of time (overnight for example), the Web Interface shows an error. After updating <customErrors mode="Off" /> in the Web.config to display errors, the error displayed is "Server Too Busy" as shown in the screenshot below.
No jobs are scheduled.
I believe this may be related to this previous issue, but not seeing the memory blow outs any more for some reason.
Will attach logs & config shortly.
Hi Matt,
After leaving IdB for an extended period of time
Do you mean that you left the browser open on one of the pages? Do you recall which page/s you left open?
I note that you are using the embedded web server option. Due to performance issues, we are deprecating the embedded web server as of Identity Broker v5.2. If the problem persists, I would suggest swapping to IIS - see Configuring Identity Broker for use with IIS for installation and configuration instructions.
Modify type returned by Time Offset Flag transformation.
The value output by the Time Offset Flag Transformation that FIM imports from IdB 3.x is interpreted as a boolean. There might be some automatic casting occurring based on selection of the attribute type in the Identity Broker FIM connector.
5.1 returns a string and the automatic casting is not available.
Is there any way to select the returned object type?
Hi Matt,
No, the type of the field generated by a Time Offset Flag transformation must be a string type and cannot currently be changed.
Reflection fails with "An item with the same key has already been added"
Accountname is a DistinguishedName attribute & is used in Sharepoint connector as the Key and also as the DN in adapter.
No key duplication errors are being seen.
Data can be imported without error with Adapter disabled.
When 'Generate Changes' is performed the error below is thrown. Is this the correct way to use a DN attribute as a DN? Not sure if this is a bug or misconfiguration.
<AdapterConfiguration AdapterId="4e96758c-06c5-44dd-9f32-557b3e75d16f" AdapterName="SharePoint Profiles" containerName="SPUsers" enabled="false" BaseConnectorId="770d9450-dcc8-41c9-b0b4-bc2d46fdc3ae" class="person"> <dn template="[AccountName]" /> <Groups /> <adapterEntityTransformationFactory name="Sequential"> <adapter name="Move" key="1bec7d3a-9384-49b6-ad4b-8266e5a286b0"> <Extended> <columnMappings> <columnMapping SourceAttribute="UserProfile_GUID" TargetAttribute="UserProfileGUID" /> </columnMappings> </Extended> </adapter> </adapterEntityTransformationFactory> </AdapterConfiguration>
20170605,07:13:28,UNIFY Identity Broker,Adapter,Error,"Request to reflect change entities of the adapter. Request to reflect change entities of the SharePoint Profiles (4e96758c-06c5-44dd-9f32-557b3e75d16f) adapter errored with message: An item with the same key has already been added.. Duration: 00:00:00.5937686 Error details: System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer) at Unify.Product.IdentityBroker.Adapter.ConvertPageAndUpdateContainers(IEntity[] entities, Boolean updateContainers) at Unify.Product.IdentityBroker.Adapter.ReflectChangesInner() at Unify.Product.IdentityBroker.Adapter.ReflectChanges() at Unify.Product.IdentityBroker.AdapterAuditingDecorator.ReflectChanges() at Unify.Product.IdentityBroker.AdapterNotifierDecorator.ReflectChanges() at Unify.Product.IdentityBroker.ReflectAdapterOnChangeDueJob.<RunBase>b__9_0(IOperationalAdapter adapter)",Normal
Hi Matt,
I have identified the cause of the issue, and the following Unify.Framework.IO.LDIF.dll, when placed into the Services directory, should resolve this. This patch will be included in future versions of Identity Broker v5.1 and up.
The Connector Does not support anchor modification
Hi,
i dont find much documentation on error codes for the Identity Broker, but this anchor modification is a new error that i see in the exporting errors.
Can someone explain to me what this is, and how to fix this?
Hi Werner,
This is currently documented at Anchor Modification and Handling Renames. It means that the solution is attempting to update the value of the key field for the connector - for a connector that doesn't support the operation. The fix is to stop attempting these operations.
Thanks.
Query T001F065_ACTUAL_POSITION_NO in IdB 5.x Aurion Position query
Client DBA was able to determine that the Aurion position connector actually runs 3 queries in IDB version 3 and 5.
The first and third are identical but the second script is totally different.
In version 3, the position appears to be retrieved from "T001F065_ACTUAL_POSITION_NO" whereas in version 5 appears to try to determine position information from "T101F005_POSITION_NO".
Is it possible to have the position query retrieve data from "T001F065_ACTUAL_POSITION_NO" in IdB 5.x?
OK, It sounds as though there is a misalignment between dev & prod. Will ask them to update the environment.
Boolean Constant attribute appears as String in connector space
As shown in the image below, Boolean constant appears as a string in the Connector Space.
Without knowing what sharing exists in MIM between MAs for identical object types and attributes, it seems you have a bug on your hands. You've demonstrated that we are reporting the correct type to MIM and that MIM is capable of understanding the schema correctly, but for some reason with that name it's stuck thinking it's a string. You'll have to either raise a support ticket with Microsoft, or stick to the changed field name and move on.
Customer support service by UserEcho
