0
Answered

cd-error exporting to SharePoint Users

Matthew Woolnough 7 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 7 years ago 19

I am receiving cd-errors when exporting users to Sharepoint.  I have found the following issue which is resolved by using adapter DN template of UID=@IdBID,however I am already using this config.

There is no other debugging information provided. How can I resolve this?

http://voice.unifysolutions.net/topics/2860-cd-error-exporting-to-idb/

Answer

Answered

Hi Matt,

Are all exports failing, or only some? Is there anything that the failing exports have in common, e.g. they are are all adds, or they are updates to the same field? Please make sure that all adds have values for all fields marked as required on the adapter schema, and since you are using IdBID in the distinguished name template, please also make sure you are exporting the entryUUID field.

You might also consider running an LDAP trace to view the raw error responses, if the error reporting in MIM is lacking.

All exports (over 500 in total) are failing. The majority are updates. There doesn't appear to be a common attribute.

The only required attribute is AccountName and it always has a value. 

We are no longer using IdBID in the DN & are instead using the AccountName which unfortunately has a backslash in it. Perhaps this is causing a problem?

CN=dev\\sajarr,OU=SPUsers,DC=IdentityBroker

It would be nice to have a clean value for AccountName in Sharepoint User Profile Connector for this purpose. 

I am not seeing anything odd in the LDAP WireShark trace. 



I did try to create a clean AccountName using a PS transformation, but it didn't work;

http://voice.unifysolutions.net/topics/3200-powershell-transformation-required-attribute/

I have a patched Unify.Framework.IO.LDIF.dll already. http://voice.unifysolutions.net/topics/3095-an-item-with-the-same-key-has-already-been-added

If I use this DLL, will I lose my fix for previous issue?



Actually the DLL from your linked issue should include this patch already.

The WireShark trace should include any error responses returned to the management agent by Identity Broker.

Attaching the LDAP trace for review.

cd-error.pcapng.gz

Hi Matt,

The stream appears to get cut off for me. The management agent uses Bulk Update requests to transmit export requests, and as such I would expect to see an entry with OID 1.3.6.1.1.17.5 and 1.3.6.1.1.17.6. Following the TCP trace, it appears to get cut off in the middle of a request.

If there were any errors internal to Identity Broker they would appear in the logs. Otherwise, the error is most likely environmental or in MIM. Is there nothing in the Event Viewer for MIM, or any other way to view the raw error responses in MIM?

I've attempted capture again.

cd-error is the only information provided within FIM & there is nothing in the Event Logs.


cd-error2.pcapng.gz


I've noticed an error: An active bulk transaction already exists on this connection...1.3.6.1.1.17.2


Hi Matt,

I note that in both traces, something interesting happens at the 90 second mark. In the first case, the client sends an unbind request, and in the second case it sends a second Start Bulk Update request. What do you have the Operation Timeout (s) and Timeout (seconds) configured to? See https://unifysolutions.jira.com/wiki/display/IDBFIM51/Run+Profiles

They're set using the defaults:

Timeout: 0

Operation Timeout: 60

Please try lowering the page size or increasing the timeout to allow the update request to complete within the timeout.

I've reduced the batch size from the default of 5000 to 20. 

MIM is now surfacing an error:

Internal Server Error #3: System.FormatException: Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
   at System.Guid.TryParseGuidWithNoStyle(String guidString, GuidResult& result)
   at System.Guid.TryParseGuid(String g, GuidStyles flags, GuidResult& result)
   at System.Guid..ctor(String g)
   at Unify.Product.IdentityBroker.LDAPAddRequestToEntityConverter.Transform(IRfcAddRequest addRequest)
   at Unify.Product.IdentityBroker.AddRequestHandler.InnerApplyTransformation(IHandleRequestCoreRequest request, IValueAdapter`2 conver


I am not exporting a guid however. The export is shown in the image below;



entryUUID is a name for some reason. Does it need to be populated? It's not actually configured in the attributes of the Connector.


entryUUID corresponds to the Identity Broker entity ID and only needs to be set if the Distinguished Name template uses @IdBID

Yes, that was my understanding. Thanks for confirming. I fixed the entryUUID issue, but now getting following error on all adds:


Add request failed as the converted DN CN=CN\=DEV\\\\dxlewi\,OU\=SPUsers\,DC\=IdentityBroker,OU=SPUsers,DC=IdentityBroker does not match the request DN CN=DEV\\dxlewi,OU=SPUsers,DC=IdentityBroker.

Note the additional "CN=" at start of 1st DN

and the following on updates:

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Invalid Property Value: Could not find SID corresponding to input account name. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
Microsoft.Office.Server.UserProfiles.PropertyInvalidValueException: Invalid Property Value: Could not find SID corresponding to input account name.
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.ValidatedPerson(Object value, UserFormat userFormat, UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.ValidatedSingleValue(Object value, ProfileSubtypeProperty prop, PropertyDataType propDataType, UserFormat userFormat, UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, SiteContext si)
   at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.ValidatedValue(Object value, ProfileSubtypeProperty prop, PropertyDataType propDataType, UserFormat userFormat, UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID, SiteContext si)
   at Microsoft.Office.Server.UserProfiles.ProfileValueC...).


Add request failed as the converted DN CN=CN\=DEV\\\\dxlewi\,OU\=SPUsers\,DC\=IdentityBroker,OU=SPUsers,DC=IdentityBroker does not match the request DN CN=DEV\\dxlewi,OU=SPUsers,DC=IdentityBroker

What's the DN template and what value are you exporting for the field that is used in the DN template?

This error means that you are trying to add an entity with the DN CN=DEV\\dxlewi,OU=SPUsers,DC=IdentityBroker but based on your DN template and the value you have supplied for the field in the DN template, the entity should actually have the DN CN=CN\=DEV\\\\dxlewi\,OU\=SPUsers\,DC\=IdentityBroker,OU=SPUsers,DC=IdentityBroker. To me, this looks like your DN template is something like CN=[AccountName] and you are exporting AccountName = CN=DEV\\dxlewi,OU=SPUsers,DC=IdentityBroker. Is this your intention?

The values you suggest there are correct. 

I'm trying to export AccountName in the following format: 

CN=DEV\\dxlewi,OU=SPUsers,DC=IdentityBroker

The SharePoint connector uses this as the reference to user objects in group memberships. 

I need a clean export to be able to update all the AccountNames to this format, then I can remove the CN= section of the DN Template as it will be a valid DN on it's own. We then need to stop IdB from appending an additional OU\=SPUsers\,DC\=IdentityBroker on the end of the DN.  Is this possible? 


See other issue, the account name format you have here is incorrect.