This chapter provides solutions to problems you might encounter after you deploy or while using the Microsoft Active Directory User Management connector.
Table 5-1 Troubleshooting the Microsoft Active Directory User Management Connector
Problem | Solution |
---|---|
The following error is encountered: java.net.UnknownHostException: |
Ensure that the host name in the IT resource for the Connector Server is specified correctly. |
The following error is encountered: InvalidCredentialException: Remote framework key is invalid |
Ensure that the value of the Key parameter of the IT resource for the Connector Server is specified correctly. |
The following error is encountered: ConnectorException: java.net.ConnectException: Connection refused |
Ensure that the port number in the IT resource for the Connector Server is specified correctly. |
The following error is encountered: oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: Child tables only supported at account-level |
Ensure that the value of the Configuration Lookup parameter of the target system IT resource is set to |
The following error is encountered: oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: oracle.iam.reconciliation.exception.InvalidDataFormatException: Required column name RECON_UNIQUEID575B37CA and value does not exist |
Ensure that the value of the Configuration Lookup parameter of the target system IT resource is set to |
The following error is encountered in the scheduled job: org.identityconnectors.framework.common.exceptions.ConnectorException: The server does not support the requested critical extension. |
The following are the possible reasons for the occurrence of this error:
|
While starting the Connector Server, the following exception is encountered: Unhandled Exception: System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted |
This exception is encountered because the Connector Server is configured to use a port that is already in use (in most cases, by another instance of the Connector Server). You can fix this issue by performing one of the following steps:
|
The following error is encountered while running the Active Directory Target Reconciliation scheduled job: ADP ClassLoader failed to load: Script1 java.lang.ClassNotFoundException: ADP ClassLoader failed to load: Script1 |
Ensure that the value for the Filter syntax attribute of the scheduled job is specified correctly. See Performing Limited Reconciliation By Using Filters for more information. |
All reconciliation runs are successful, but the following error is encountered while running provisioning operations: Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers. |
Ensure that the value of the LDAPHostName parameter of the IT resource is specified correctly. To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field. |
The Connector Server throws an Out of Memory exception. |
A memory leak issue occurs in Microsoft .NET Framework 3.5. To fix this issue, you must apply the hotfix (listed in the following Web site) on the computer hosting the Connector Server: |
Unable to start the Connector Server after extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory. The following exception is encountered: ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files\Identity Connectors\Connector Server ConnectorServer.exe Error: 0 : Exception occurred starting connector server System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified. File name: 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' at Org.IdentityConnectors.Common.CollectionUtil.NewSet[T,U](IEnumerable`1 collection) Note: This error is encountered only if you use the command prompt to start the Connector Server. If you use services.msc to start the Connector Server, then the Connector Server stops soon after it started. |
This exception is encountered if the Microsoft .NET Framework is not present. You must install .NET Framework 3.5 or later on the computer that is hosting the Connector Server. Note: If you are installing .NET Framework 3.5, then ensure you install the following patch to avoid the memory leak issue: |
All connector operations such as reconciliation and provisioning operations fail and the following error is encountered: oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector) not found In addition, the same error message is written to the Connector Server log file. |
The following are the possible reasons for the occurrence of this error:
Perform the following steps to fix this issue:
|
The following error is encountered while performing any connector operation: A local error has occurred |
This error is encountered if you specify a value for the DirectoryAdminName IT resource parameter in an incorrect format. You must use only the following format to specify a value for this parameter: DOMAIN_NAME\USER_NAME |
The computer hosting the Connector Server and target system is unavailable. Nothing works despite specifying a value for the BDCHostNames parameter of the IT resource. |
The computer hosting the Connector Server must always be up and running. Instead of deploying the Connector Server on PDC and BDC hosts, follow these guidelines to avoid this error:
|
A target resource reconciliation run fails with the following error: Row index out of bounds However, users are brought into Oracle Identity Manager and are linked successfully. |
This issue is encountered when a scheduled job updates the usNChanged attribute of the target system. As a workaround, create a new scheduled job and perform a reconciliation run. |
The following error is encountered in the Connector Server log file: org.identityconnectors.framework.common.exceptions.ConnectorException: java.net.ConnectException: Connection timed out |
The following are two of the possible reasons for the occurrence of this error:
|
User reconciliation fails with the following error in the log file of Oracle Identity Manager: Required column name RECON_OBJECTGUID and value does not exist |
This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to To avoid this error, while performing trusted user reconciliation, ensure that you set the value of the Configuration Lookup parameter of the Active Directory IT resource to |
Lookup field synchronization for groups and organizations, and reconciliation of groups run successfully. However, the following error is encountered when you perform reconciliation of organizations (in other words, run the Active Directory Organization Recon scheduled job): oracle.iam.reconciliation.exception.InvalidDataFormatException: Required column name RECON_ORGNAME4EAE4287 and value does not exist In addition, the following error is written to the log file of Oracle Identity Manager: Required column name RECON_ORGNAME<……> and value does not exist |
This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to To avoid this error, if you are performing organization reconciliation with the Xellerate User resource object, then ensure that you set the value of the Configuration Lookup parameter of the Active Directory IT resource to |
While running the scheduled jobs for lookup field synchronization (groups and organizations), the following exception is encountered: Unable to get the Directory Entry In addition, the following error is written to the Connector Server log file: Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry |
You can perform one of the following steps to determine the cause for this error:
The following are a few of the possible reasons for the occurrence of this error:
|
The following error is encountered in the log file of Oracle Identity Manager while running scheduled jobs: java.net.SocketException: Connection reset |
The following are two of the possible reasons for the occurrence of this error:
|
Any connector operation (reconciliation or provisioning) fails and the following exception is encountered: Domain Controller not found in the domain 'SAMPLEDOMAIN.com' In addition, the following error is written to the Connector Server log file: org.identityconnectors.framework.common.exceptions.ConnectorException: Domain controller not found in the domain |
The following are two of the possible reasons for the occurrence of this error:
|
During a provisioning operation, the following error is encountered in the log file of Oracle Identity Manager: java.lang.IllegalArgumentException: Parameter 'lookupName' must not be blank |
This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to To fix this issue, set the value of the Configuration Lookup parameter of the Active Directory IT resource to |
The following error is encountered in the Connector Server log file: org.identityconnectors.framework.common.exceptions.ConnectorException: Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers. |
This error is encountered if an incorrect value is specified for the LDAPHostName IT resource parameter. To fix this issue, you must specify a correct value for the LDAPHostName IT resource parameter. To determine the correct value for this parameter, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field. |
The following error is encountered in the Connector Server log file: System.IO.IOException: The handshake failed due to an unexpected packet format |
This error is encountered if Oracle Identity Manager is not set for SSL. In other words, the UseSSL parameter in the IT resources of the target system and Connector is set to To fix this issue, ensure that you set the value of the UseSSL parameter in the IT resources of the target system and Connector Server to |
The following error is encountered in the Connector Server log file: System.DirectoryServices.ActiveDirectory.DomainController.FindOneWithCredentialValidation(DirectoryContext context, String siteName, LocatorOptions flag)(in connector server logs) |
This error is encountered if no value has been specified for the SyncDomainController parameter of the target system IT resource. To fix this issue, specify a value for the SyncDomainController IT resource parameter. |
The Active Directory User Target Recon scheduled job for bulk users does not fetch all users from the target system. |
This issue is encountered if the reconciliation matching rule has changed. To fix this issue, create a reconciliation profile with the updated matching rule as follows:
|
No records are reconciled when the following filter is applied: contains('memberOf','PGMGroup') |
This issue is encountered because "memberOf" is a multivalued attribute in the target system. For applying filters on multivalued attributes, use the "containsAllValues" filter. |
The Group Display in the AD User child form takes a long time to display all groups. Therefore, adding the AD Group to AD User takes a significant amount of time. |
To reduce the delay in displaying the groups page, enable caching in Oracle Identity Manager. |
The following error is encountered in the Connector Server log file: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. |
This issue is encountered if you have exported the certificate with a private key (for example, a .pfx file), but have not imported it into the certificate store named 'sslstore' by using the MMC console. To avoid this issue, if you have exported the certificate with a private key (.pfx file), ensure that you import it into 'sslstore' by using the MMC console. |
A provisioning operation (either create or update) fails and the following error is written to the Connector Server log file: The specified directory service attribute or value does not exist. |
This issue is encountered if the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition contains an incorrect decode value. Note that decode values in this lookup definition are target system attribute names. To fix this issue, scrutinize the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition and then update the decode value with the correct target system attribute name. |
During a bulk provisioning operation, the following error might be encountered in the Connector Server log file: Max objects exceeded |
To fix this issue, increase the values of the Max Pool Size and Pool Max Wait connection pooling properties. |
OIM Users are not created after running the Active Directory User Trusted Recon scheduled job. The following message is displayed in the reconciliation event generated for the user: 'Data Validation Failed' as the current status and 'Invalid ManagerLogin : <Manager ID>' as Note. |
This issue is encountered due to the dependency of manager information of users. OIM User creation fails if the manager of the user is not already present in Oracle Identity Manager. To fix this issue: Log in to the Design Console and remove the manager field mapping as follows:
Run the Active Directory User Trusted Recon scheduled job. Log in to the Design Console and add the manager field mapping as follows:
Clear the value in the latest token attribute of the Active Directory User Trusted Recon scheduled job and run it. |
The following error is encountered in the log file of the Connector Server during a provisioning operation: The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF) |
This issue is encountered when there are too many requests at the same time during a Create User or Password Update provisioning operation. For example, this issue can be encountered during an access policy-based provisioning operation where too many account creations are triggered. This error can occur on Microsoft Windows 2003, 2008, 2008 R2 or Windows 2012 domain controllers, including their service packs. To fix this issue, you must contact Microsoft Support to apply the hotfix listed on the following Web site:
Note: Do not apply the hotfix without contacting Microsoft Support. |
The following error, which is not meaningful, is encountered in the Active Directory API: Encountered DirectoryServicesCOMException: A device attached to the system is not functioning. |
This error is encountered when the sAMAccount attribute in the target system (corresponding to the User Login field in Oracle Identity Manager) contains more than 20 characters. The workaround is to write Java validation code (see Configuring Validation of Data During Reconciliation and Provisioning) on the User ID field during provisioning that checks whether the value contains more than 20 characters and logs an appropriate error message.
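
The length check described in the last entry, as an added example (not code from this guide or from Oracle). The class name, the "User Login" map key and the `validate(HashMap, HashMap, String)` signature are assumptions; confirm the signature against Configuring Validation of Data During Reconciliation and Provisioning before deploying.

```java
import java.util.HashMap;
import java.util.logging.Logger;

// Added example: class name and field key are hypothetical.
public class SamAccountLengthValidation {
    private static final Logger LOG =
            Logger.getLogger(SamAccountLengthValidation.class.getName());

    // Limit stated in the troubleshooting entry above.
    static final int MAX_LEN = 20;

    // Assumed entry point for a validation class: return false to reject.
    @SuppressWarnings("rawtypes")
    public boolean validate(HashMap hmUserDetails,
                            HashMap hmEntitlementDetails, String field) {
        Object raw = (hmUserDetails == null) ? null : hmUserDetails.get(field);
        if (!(raw instanceof String) || ((String) raw).trim().isEmpty()) {
            LOG.severe("Validation failed: '" + field + "' is missing or empty");
            return false;
        }
        String login = ((String) raw).trim();
        if (login.length() > MAX_LEN) {
            // Log the length, not the value, so attacker-controlled text
            // never reaches the log and the operator sees the real cause
            // instead of "A device attached to the system is not functioning."
            LOG.severe("Validation failed: '" + field + "' has "
                    + login.length() + " characters; the target system accepts at most "
                    + MAX_LEN);
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        SamAccountLengthValidation v = new SamAccountLengthValidation();
        HashMap<String, Object> user = new HashMap<>();

        // Constructed sample values, not taken from any real directory.
        user.put("User Login", "jdoe");                          // 4 chars
        System.out.println(v.validate(user, null, "User Login")); // true

        user.put("User Login", "a.very.long.account.name");      // 24 chars
        System.out.println(v.validate(user, null, "User Login")); // false

        user.remove("User Login");
        System.out.println(v.validate(user, null, "User Login")); // false
    }
}
```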