Troubleshooting the Microsoft Active Directory User Management Connector

This chapter provides solutions to problems you might encounter after you deploy or while using the Microsoft Active Directory User Management connector.

Table 5-1 Troubleshooting the Microsoft Active Directory User Management Connector

Each entry below states a problem, followed by its solution.

The following error is encountered:

java.net.UnknownHostException:

Ensure that the host name in the IT resource for the Connector Server is specified correctly.

The following error is encountered:

InvalidCredentialException: Remote framework key is invalid

Ensure that the value of the Key parameter of the IT resource for the Connector Server is specified correctly.

The following error is encountered:

ConnectorException: java.net.ConnectException: Connection refused

Ensure that the port number in the IT resource for the Connector Server is specified correctly.

The following error is encountered:

oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: Child tables only supported at account-level

Ensure that the value of the Configuration Lookup parameter of the target system IT resource is set to Lookup.Configuration.ActiveDirectory and not Lookup.Configuration.ActiveDirectory.Trusted.

The following error is encountered:

oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: oracle.iam.reconciliation.exception.InvalidDataFormatException: Required column name RECON_UNIQUEID575B37CA and value does not exist

Ensure that the value of the Configuration Lookup parameter of the target system IT resource is set to Lookup.Configuration.ActiveDirectory and not Lookup.Configuration.ActiveDirectory.Trusted.

The following error is encountered in the scheduled job:

org.identityconnectors.framework.common.exceptions.ConnectorException: The server does not support the requested critical extension.

The following are the possible reasons for the occurrence of this error:

  • If the connector is configured for Microsoft AD LDS, then one of the scheduled job attributes references an attribute that is not present in the Microsoft AD LDS user schema. For example, the sAMAccountName attribute is not a valid attribute on Microsoft AD LDS.

    Therefore, ensure that attributes that are not present on Microsoft AD LDS are not specified as values of scheduled job attributes such as Sort By.

  • The number of records to be fetched is large.

    To fix this issue, remove the values specified for the Batch Size, Number of Batches, Batch Start, Sort Direction, and Sort By attributes of the scheduled jobs.

    You can always use the PageSize entry of the Lookup.Configuration.ActiveDirectory or Lookup.Configuration.ActiveDirectory.Trusted lookup definition for finer-grained control of the page size. The connector uses the ICF Handler to send data to Oracle Identity Manager, and the ICF and ICFINTG layers take care of processing the data and generating the reconciliation event.

  • A multivalued field on the target system is mapped to a single-valued field on the AD User form in Oracle Identity Manager.

    To avoid encountering this issue, ensure that multivalued fields on the target system are mapped to the corresponding multivalued field on the AD User form.

While starting the Connector Server, the following exception is encountered:

Unhandled Exception: System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted

This exception is encountered because the Connector Server uses a port that has already been used (mostly by another instance of the Connector Server). You can fix this issue by performing one of the following steps:

  • If the Connector Server service is running, then stop it.

  • Search for and open the ConnectorServer.exe.Config file, change the port value to 8758 or 8755, and then start the Connector Server. The default location of the ConnectorServer.exe.Config file is C:\Program Files\Identity Connectors\Connector Server.

The following error is encountered while running the Active Directory Target Reconciliation scheduled job:

ADP ClassLoader failed to load: Script1 java.lang.ClassNotFoundException: ADP ClassLoader failed to load: Script1

Ensure that the value for the Filter syntax attribute of the scheduled job is specified correctly. See Performing Limited Reconciliation By Using Filters for more information.

All reconciliation runs are successful, but the following error is encountered while running provisioning operations:

Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers.

Ensure that the value of the LDAPHostName parameter of the IT resource is specified correctly.

To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

The Connector Server throws an Out of Memory exception.

A memory leak issue occurs in Microsoft .NET Framework 3.5. To fix this issue, you must apply the hotfix (listed in the following Web site) on the computer hosting the Connector Server:

http://support.microsoft.com/kb/981575

Unable to start the Connector Server after extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory. The following exception is encountered:

ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files\Identity Connectors\Connector Server

ConnectorServer.exe Error: 0 : Exception occurred starting connector server

System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified.

File name: 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' at Org.IdentityConnectors.Common.CollectionUtil.NewSet[T,U](IEnumerable`1 collection)

Note: This error is encountered only if you use the command prompt to start the Connector Server. If you use services.msc to start the Connector Server, then the Connector Server stops soon after it starts.

This exception is encountered if the Microsoft .NET Framework is not present. You must install .NET Framework 3.5 or later on the computer that is hosting the Connector Server.

Note: If you are installing .NET Framework 3.5, then ensure you install the following patch to avoid the memory leak issue:

http://support.microsoft.com/kb/981575

All connector operations such as reconciliation and provisioning operations fail and the following error is encountered:

oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector) not found

In addition, the same error message is written to the Connector Server log file.

The following are the possible reasons for the occurrence of this error:

  • The connector bundle is not extracted in the CONNECTOR_SERVER_HOME directory.

  • The Connector Server is started before you extract the contents of the connector bundle.

  • Cache-related issue in Oracle Identity Manager.

Perform the following steps to fix this issue:

  1. Stop the Connector Server.

  2. Extract the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory.

  3. Start the Connector Server.

  4. Run the PurgeCache utility on the computer hosting Oracle Identity Manager.

  5. Restart Oracle Identity Manager.

The following error is encountered while performing any connector operation:

A local error has occurred

This error is encountered if you specify a value for the DirectoryAdminName IT resource parameter in an incorrect format. You must use only the following format to specify a value for this parameter:

DOMAIN_NAME\USER_NAME

The computer hosting the Connector Server and target system is unavailable. Nothing works despite specifying a value for the BDCHostNames parameter of the IT resource.

The computer hosting the Connector Server must always be up and running. Instead of deploying the Connector Server on PDC and BDC hosts, follow these guidelines to avoid this error:

  • Have a dedicated computer for the Connector Server. Note that you can specify a value for the BDCHostNames IT resource parameter even if the Connector Server is running on a dedicated computer.

  • The computer hosting the Connector Server must be in the same domain as the target system.

  • Deploy the Connector Server and configure the Active Directory Connector Server IT resource.

A target resource reconciliation run fails with the following error:

Row index out of bounds

However, users are brought into Oracle Identity Manager and are linked successfully.

This issue is encountered when a scheduled job updates the usNChanged attribute of the target system. As a workaround, create a new scheduled job and perform a reconciliation run.

The following error is encountered in the Connector Server log file:

org.identityconnectors.framework.common.exceptions.ConnectorException: java.net.ConnectException: Connection timed out

The following are two of the possible reasons for the occurrence of this error:

  • The connection between the Connector Server and Oracle Identity Manager times out.

    To fix this issue, either set the value of the Timeout parameter of the Connector Server IT resource to 0, or increase its existing value.

  • The Connector Server port is blocked by the firewall.

    To fix this issue, use Telnet to check whether the Connector Server is listening on the default port (8795). If the port is not open, then you can either open the port or choose another port for the Connector Server. To change the port number, edit the ConnectorServer.exe.Config file by specifying a new port in the following line, and then restart the Connector Server:

    <add key="connectorserver.port" value="8759"/>
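The connectivity errors in this table (UnknownHostException, Connection refused, Connection timed out) each point to a different setting. The following is an added diagnostic, not part of the connector or of this guide: it opens a plain TCP connection to the Connector Server endpoint and maps the outcome to the corresponding remedy. The host name is a placeholder; the port defaults to 8795 from the table.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;

/**
 * Attempts a TCP connection to the Connector Server and reports which
 * troubleshooting-table entry the result corresponds to.
 */
public class ConnectorServerPortCheck {

    // Default Connector Server port, as stated in the troubleshooting table.
    static final int DEFAULT_PORT = 8795;

    static String diagnose(String host, int port, int timeoutMillis) {
        try (Socket socket = new Socket()) {
            // connect() throws UnknownHostException for an unresolvable host name.
            socket.connect(new InetSocketAddress(host, port), timeoutMillis);
            return "LISTENING: " + host + ":" + port + " accepted a TCP connection;"
                 + " if operations still fail, check the Key and UseSSL parameters next";
        } catch (UnknownHostException e) {
            // java.net.UnknownHostException: host name in the Connector Server IT resource is wrong.
            return "UNKNOWN_HOST: verify the host name in the Connector Server IT resource";
        } catch (ConnectException e) {
            // Connection refused: nothing listens on this port; IT resource port and
            // connectorserver.port in ConnectorServer.exe.Config do not match.
            return "REFUSED: nothing is listening on port " + port
                 + "; verify the port in the IT resource against connectorserver.port";
        } catch (SocketTimeoutException e) {
            // Connection timed out: packets are being dropped, typically by a firewall.
            return "TIMEOUT: no reply from " + host + ":" + port
                 + "; a firewall is probably blocking the Connector Server port";
        } catch (IOException e) {
            return "IO_ERROR: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Placeholder host name; pass the real Connector Server host as the first argument.
        String host = args.length > 0 ? args[0] : "connector-server.example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : DEFAULT_PORT;
        System.out.println(diagnose(host, port, 5000));
    }
}
```

A LISTENING result only proves that the TCP port is reachable; the Key parameter and SSL settings are checked separately, as the corresponding table entries describe.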

User reconciliation fails with the following error in the log file of Oracle Identity Manager:

Required column name RECON_OBJECTGUID and value does not exist

This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to Lookup.Configuration.ActiveDirectory.

To avoid this error, while performing trusted user reconciliation, ensure that the value of the Configuration Lookup parameter of the Active Directory IT resource is set to Lookup.Configuration.ActiveDirectory.Trusted.

Lookup field synchronization for groups and organizations, and reconciliation of groups run successfully. However, the following error is encountered when you perform reconciliation of organizations (in other words, run the Active Directory Organization Recon scheduled job):

oracle.iam.reconciliation.exception.InvalidDataFormatException: Required column name RECON_ORGNAME4EAE4287 and value does not exist

In addition, the following error is written to the log file of Oracle Identity Manager:

Required column name RECON_ORGNAME<……> and value does not exist

This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to Lookup.Configuration.ActiveDirectory.

To avoid this error, if you are performing organization reconciliation with the Xellerate User resource object, then ensure that the value of the Configuration Lookup parameter of the Active Directory IT resource is set to Lookup.Configuration.ActiveDirectory.Trusted.

While running the scheduled jobs for lookup field synchronization (groups and organizations), the following exception is encountered:

Unable to get the Directory Entry

In addition, the following error is written to the Connector Server log file:

Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry

You can perform one of the following steps to determine the cause of this error:

  • Check for the error message in the log files of the Connector Server to find out the root cause.

  • Check the Event Viewer. To open the Event Viewer, from the Start menu, select Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

The following are a few of the possible reasons for the occurrence of this error:

  • An incorrect value is specified for the DomainName IT resource parameter.

    To fix this issue, specify a correct value for the DomainName IT resource parameter. Note that you must use only the following format to specify a value for this parameter:

    DOMAIN_NAME\USER_NAME

  • The computer hosting the Connector Server is not present in the AD domain.

    To fix this issue, ensure that the Connector Server is installed on a computer that is a part of the same AD domain.

The following error is encountered in the log file of Oracle Identity Manager while running scheduled jobs:

java.net.SocketException: Connection reset

The following are two of the possible reasons for the occurrence of this error:

  • LDAPS is not enabled on the domain controllers.

    To fix this issue, enable LDAPS.

  • Oracle Identity Manager is not set for SSL. In other words, the UseSSL parameter in the IT resources of the target system and Connector Server is set to no and false, respectively. However, the Connector Server is SSL enabled.

    To fix this issue, ensure that the value of the UseSSL parameter in the IT resources of the target system and Connector Server is set to yes and true, respectively.

Any connector operation (reconciliation or provisioning) fails and the following exception is encountered:

Domain Controller not found in the domain 'SAMPLEDOMAIN.com'

In addition, the following error is written to the Connector Server log file:

org.identityconnectors.framework.common.exceptions.ConnectorException: Domain controller not found in the domain

The following are two of the possible reasons for the occurrence of this error:

  • An incorrect value is specified for the DomainName IT resource parameter.

    To fix this issue, specify a correct value for the DomainName IT resource parameter. Note that you must use only the following format to specify a value for this parameter:

    DOMAIN_NAME\USER_NAME

  • The computer hosting the Connector Server is not present in the AD domain.

    To fix this issue, ensure that the Connector Server is installed on a computer that is a part of the same AD domain.

During a provisioning operation, the following error is encountered in the log file of Oracle Identity Manager:

java.lang.IllegalArgumentException: Parameter 'lookupName' must not be blank

This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to Lookup.Configuration.ActiveDirectory.Trusted or left blank.

To fix this issue, set the value of the Configuration Lookup parameter of the Active Directory IT resource to Lookup.Configuration.ActiveDirectory.

The following error is encountered in the Connector Server log file:

org.identityconnectors.framework.common.exceptions.ConnectorException: Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers.

This error is encountered if an incorrect value is specified for the LDAPHostName IT resource parameter.

To fix this issue, you must specify a correct value for the LDAPHostName IT resource parameter. To determine the correct value for this parameter, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

The following error is encountered in the Connector Server log file:

System.IO.IOException: The handshake failed due to an unexpected packet format

This error is encountered if Oracle Identity Manager is not set for SSL. In other words, the UseSSL parameter in the IT resources of the target system and Connector Server is set to no and false, respectively. However, the Connector Server is SSL enabled.

To fix this issue, ensure that the value of the UseSSL parameter in the IT resources of the target system and Connector Server is set to yes and true, respectively.

The following error is encountered in the Connector Server log file:

System.DirectoryServices.ActiveDirectory.DomainController.FindOneWithCredentialValidation(DirectoryContext context, String siteName, LocatorOptions flag)

This error is encountered if no value has been specified for the SyncDomainController parameter of the target system IT resource.

To fix this issue, specify a value for the SyncDomainController IT resource parameter.

The Active Directory User Target Recon scheduled job for bulk users does not fetch all users from the target system.

This issue is encountered if the reconciliation matching rule has changed.

To fix this issue, create a reconciliation profile with the updated matching rule as follows:

  1. Log in to the Design Console.

  2. Expand Resource Management and then double-click Resource Objects.

  3. Search for and open the AD User resource object.

  4. On the Object Reconciliation tab, click Create Reconciliation Profile to generate the reconciliation profile with all the latest updates.

No records are reconciled when the following filter is applied:

contains('memberOf','PGMGroup')

This issue is encountered because "memberOf" is a multivalued attribute in the target system. To apply filters on multivalued attributes, use the "containsAllValues" filter.

The Group Display in the AD User child form takes a long time to display all groups. Therefore, adding an AD Group to an AD User takes a significant amount of time.

To reduce the delay in displaying the groups page, enable caching in Oracle Identity Manager.

The following error is encountered in the Connector Server log file:

System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.

This issue is encountered if you have exported the certificate together with its private key (for example, as a .pfx file) but have not imported it into the certificate store named 'sslstore' by using the MMC console. To avoid this issue, if you exported the certificate with its private key (.pfx file), ensure that you import it into 'sslstore' by using the MMC console.

A provisioning operation (either create or update) fails and the following error is written to the Connector Server log file:

The specified directory service attribute or value does not exist.

This issue is encountered if the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition contains an incorrect decode value. Note that decode values in this lookup definition are target system attribute names.

To fix this issue, review the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition and then update the incorrect decode value with the correct target system attribute name.

During a bulk provisioning operation, the following error might be encountered in the Connector Server log file:

Max objects exceeded

To fix this issue, increase the values of the Max Pool Size and Pool Max Wait connection pooling properties.

OIM Users are not created after running the Active Directory User Trusted Recon scheduled job. The following message is displayed in the reconciliation event generated for the user:

'Data Validation Failed' as the current status and 'Invalid ManagerLogin : <Manager ID>' as Note.

This issue is encountered because of the dependency on the manager information of users. OIM User creation fails if the manager of the user is not already present in Oracle Identity Manager. To fix this issue:

Log in to the Design Console and remove the manager field mapping as follows:

  1. Search for and open the AD User Trusted process definition. On the Reconciliation Field Mappings tab, remove the mapping for the Manager ID field.

  2. Search for and open the AD User Trusted resource object. On the Object Reconciliation tab, delete the Manager ID field.

  3. Search for and open the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition. Delete the entry with code key 'Manager ID' and decode value 'Manager Id'.

Run the Active Directory User Trusted Recon scheduled job.

Log in to the Design Console and add the manager field mapping as follows:

  1. Search for and open the AD User Trusted process definition. On the Reconciliation Field Mappings tab, add the field mapping by specifying Manager ID as the Field Name and Manager Login as the User Attribute.

  2. Search for and open the AD User Trusted resource object. On the Object Reconciliation tab, add the Manager ID field of type string.

  3. Search for and open the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition. Add an entry with code key Manager ID and decode value Manager Id.

Clear the value in the latest token attribute of the Active Directory User Trusted Recon scheduled job and run it.

The following error is encountered in the log file of the Connector Server during a provisioning operation:

The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF)

This issue is encountered when there are too many requests at the same time during a Create User or Password Update provisioning operation.

For example, this issue can be encountered during an access policy-based provisioning operation where too many account creations are triggered.

This error can occur on Microsoft Windows 2003, 2008, 2008 R2, or Windows 2012 domain controllers, including their service packs.

To fix this issue, you must contact Microsoft Support to apply the hotfix listed on the following Web site:

http://support.microsoft.com/kb/2781049

Note: Do not apply the hotfix without contacting Microsoft Support.

The Active Directory API returns the following error, whose text is not meaningful:

Encountered DirectoryServicesCOMException: A device attached to the system is not functioning.

This error is encountered when the sAMAccountName attribute in the target system (corresponding to the User Login field in Oracle Identity Manager) contains more than 20 characters.

The workaround is to write validation Java code (see Configuring Validation of Data During Reconciliation and Provisioning) for the User ID field during provisioning that checks whether the value contains more than 20 characters and logs an appropriate error message.
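The following validator is an added example, not code from the connector or from this guide. It assumes the Validator interface and the validate(HashMap, HashMap, String) signature documented in Configuring Validation of Data During Reconciliation and Provisioning (verify both against your connector version), and the package name is a placeholder. It rejects a User ID longer than the 20-character sAMAccountName limit before the request reaches Active Directory, so the failure is logged with a clear reason instead of the opaque DirectoryServicesCOMException.

```java
package com.example.validate; // placeholder package name

import java.util.HashMap;
import java.util.logging.Logger;

import oracle.iam.connectors.icfcommon.validate.ValidationException;
import oracle.iam.connectors.icfcommon.validate.Validator;

/**
 * Validates the User ID process form field against the sAMAccountName length
 * limit for Active Directory user accounts. Register it for the User ID field
 * as described in the validation section of the connector guide.
 */
public class UserIdLengthValidator implements Validator {

    // Active Directory limits sAMAccountName of user objects to 20 characters.
    static final int MAX_SAM_ACCOUNT_NAME_LENGTH = 20;

    private static final Logger LOG =
            Logger.getLogger(UserIdLengthValidator.class.getName());

    /** Pure length check, kept separate so it can be unit-tested outside OIM. */
    static boolean isValidUserId(String userId) {
        if (userId == null || userId.trim().isEmpty()) {
            return false;
        }
        // Count code points rather than UTF-16 units so that supplementary
        // characters are not counted twice.
        return userId.codePointCount(0, userId.length()) <= MAX_SAM_ACCOUNT_NAME_LENGTH;
    }

    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField)
            throws ValidationException {
        // sField is the name of the form field this validator is registered for (User ID).
        Object raw = hmUserDetails.get(sField);
        String userId = raw == null ? null : raw.toString();

        if (!isValidUserId(userId)) {
            // Returning false fails the provisioning request; the log line carries the reason
            // that the Active Directory API error message does not.
            LOG.severe("Validation failed for field '" + sField + "': value '" + userId
                    + "' is empty or exceeds " + MAX_SAM_ACCOUNT_NAME_LENGTH
                    + " characters (Active Directory sAMAccountName limit)");
            return false;
        }
        return true;
    }
}
```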