8 Troubleshooting the Microsoft Active Directory User Management Connector
These are the solutions to problems you might encounter while using the Microsoft Active Directory User Management connector.
Note:
From release 12.2.1.3.0 onward, the IT Resource of CI-based mode is mapped to Basic Configuration of AOB. Similarly, the main configuration lookup definition of CI-based mode is mapped to Advanced Settings of AOB. All solutions described in this chapter apply to Users, Groups, and Organizational Units and have been documented using the AOB terminology. Therefore, if you are referring to this table for solutions to any User operations, use the AOB terminology as written. If you are referring to this table for solutions to any Groups or Organizational Units operations, replace the AOB terminology with the terminology for CI-based mode.

Table 8-1 Troubleshooting for the Microsoft Active Directory User Management Connector
Problem | Solution |
---|---|
The following error is encountered: java.net.UnknownHostException: | Ensure that the host name in the IT resource for the Connector Server is specified correctly. |
The following error is encountered: InvalidCredentialException: Remote framework key is invalid | Ensure that the value of the Key parameter of the IT resource for the Connector Server is specified correctly. |
The following error is encountered: ConnectorException: java.net.ConnectException: Connection refused | Ensure that the port number in the IT resource for the Connector Server is specified correctly. |
The following error is encountered in the reconciliation job: org.identityconnectors.framework.common.exceptions.ConnectorException: The server does not support the requested critical extension. | The following are the possible reasons for the occurrence of this error: |
While starting the Connector Server, the following exception is encountered: Unhandled Exception: System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted | This exception is encountered because the Connector Server uses a port that is already in use (usually by another instance of the Connector Server). You can fix this issue by performing one of the following steps: |
The following error is encountered while running the Active Directory Target Reconciliation scheduled job: ADP ClassLoader failed to load: Script1 java.lang.ClassNotFoundException: ADP ClassLoader failed to load: Script1 | Ensure that the value for the Filter syntax attribute of the scheduled job is specified correctly. See Performing Limited Reconciliation By Using Filters for more information. |
All reconciliation runs are successful, but the following error is encountered while running provisioning operations: Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers. | Ensure that the value of the LDAPHostName parameter of the IT resource is specified correctly. To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field. |
The Connector Server throws an Out of Memory exception. | A memory leak issue occurs in Microsoft .NET Framework 3.5. To fix this issue, you must apply the hotfix (listed in the following Web site) on the computer hosting the Connector Server: |
Unable to start the Connector Server after extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory. The following exception is encountered: ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files\Identity Connectors\Connector Server ConnectorServer.exe Error: 0 : Exception occurred starting connector server System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified. File name: 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' at Org.IdentityConnectors.Common.CollectionUtil.NewSet[T,U](IEnumerable`1 collection) Note: This error is encountered only if you use the command prompt to start the Connector Server. If you use services.msc to start the Connector Server, then the Connector Server stops soon after it starts. | This exception is encountered if the Microsoft .NET Framework is not present. You must install .NET Framework 3.5 or later on the computer that is hosting the Connector Server. Note: If you are installing .NET Framework 3.5, then ensure that you install the following patch to avoid the memory leak issue: |
All connector operations such as reconciliation and provisioning operations fail and the following error is encountered: oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector) not found. In addition, the same error message is written to the Connector Server log file. | The following are the possible reasons for the occurrence of this error: Perform the following steps to fix this issue: |
The following error is encountered while performing any connector operation: A local error has occurred | This error is encountered if you specify a value for the DirectoryAdminName IT resource parameter in an incorrect format. You must use only the following format to specify a value for this parameter: DOMAIN_NAME\USER_NAME. See the "Admin User Name" row of Table 3-1 for more information. |
The computer hosting the Connector Server and target system is unavailable. Nothing works despite specifying a value for the Backup Host Names parameter of the Basic Configuration section. | The computer hosting the Connector Server must be up and running at all times. Instead of deploying the Connector Server on PDC and BDC hosts, follow these guidelines to avoid this error: |
A target resource reconciliation run fails with the following error: Row index out of bounds. However, users are brought into Oracle Identity Governance and are linked successfully. | This issue is encountered when a scheduled job updates the uSNChanged attribute of the target system. As a workaround, create a new scheduled job and perform a reconciliation run. |
The following error is encountered in the Connector Server log file: org.identityconnectors.framework.common.exceptions.ConnectorException: java.net.ConnectException: Connection timed out | The following are two of the possible reasons for the occurrence of this error: |
Lookup field synchronization for groups and organizations, and reconciliation of groups run successfully. However, the following error is encountered when you perform reconciliation of organizations (in other words, run the Active Directory Organization Recon scheduled job): oracle.iam.reconciliation.exception.InvalidDataFormatException: Required column name RECON_ORGNAME4EAE4287 and value does not exist. In addition, the following error is written to the log file of Oracle Identity Governance: Required column name RECON_ORGNAME<……> and value does not exist | This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to To avoid this error, if you are performing organization reconciliation with the Xellerate User resource object, then ensure that you set the value of the Configuration Lookup parameter of the Active Directory IT resource to |
While running the scheduled jobs for lookup field synchronization (groups and organizations), the following exception is encountered: Unable to get the Directory Entry. In addition, the following error is written to the Connector Server log file: Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry | You can perform one of the following steps to determine the cause of this error: The following are a few of the possible reasons for the occurrence of this error: |
The following error is encountered in the log file of Oracle Identity Governance while running reconciliation jobs: java.net.SocketException: Connection reset | The following are two of the possible reasons for the occurrence of this error: |
Any connector operation (reconciliation or provisioning) fails and the following exception is encountered: Domain Controller not found in the domain 'SAMPLEDOMAIN.com'. In addition, the following error is written to the Connector Server log file: org.identityconnectors.framework.common.exceptions.ConnectorException: Domain controller not found in the domain | The following are two of the possible reasons for the occurrence of this error: |
The following error is encountered in the Connector Server log file: org.identityconnectors.framework.common.exceptions.ConnectorException: Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers. | This error is encountered if an incorrect value is specified for the LDAP Host Name parameter of the Basic Configuration section. To fix this issue, you must specify a correct value for the LDAP Host Name basic configuration parameter. To determine the correct value for this parameter, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field. |
The following error is encountered in the Connector Server log file: System.IO.IOException: The handshake failed due to an unexpected packet format | This error is encountered if Oracle Identity Governance is not set up for SSL. In other words, the UseSSL parameter in the IT resources of the target system and Connector Server is set to To fix this issue, ensure that you set the value of the UseSSL parameter in the IT resources of the target system and Connector Server to |
The following error is encountered in the Connector Server log file: System.DirectoryServices.ActiveDirectory.DomainController.FindOneWithCredentialValidation(DirectoryContext context, String siteName, LocatorOptions flag) | This error is encountered if no value has been specified for the Domain Controller parameter of the Basic Configuration section. To fix this issue, specify a value for the Domain Controller basic configuration parameter. For more information about this parameter, see Basic Configuration Parameters. |
The Active Directory User Target Recon scheduled job for bulk users does not fetch all users from the target system. | This issue is encountered if the reconciliation matching rule has changed. To fix this issue, create a reconciliation profile with the updated matching rule as follows: |
No records are reconciled when the following filter is applied: | This issue is encountered because "memberOf" is a multivalued attribute in the target system. To apply filters on multivalued attributes, use the "containsAllValues" filter. |
The Group Display in the AD User child form takes a long time to display all groups. Therefore, adding an AD Group to an AD User takes a significant amount of time. | To reduce the delay in displaying the groups page, enable caching in Oracle Identity Governance. |
The following error is encountered in the Connector Server log file: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key. | This issue is encountered if you exported the certificate with a private key (for example, as a .pfx file) while performing the instructions in Exporting the Certificate, but did not import it into the certificate store named 'sslstore' by using the MMC console. To avoid this issue, ensure that you import the certificate into 'sslstore' by using the MMC console if you exported it with a private key (.pfx file). |
A provisioning operation (either create or update) fails and the following error is written to the Connector Server log file: The specified directory service attribute or value does not exist. | This issue is encountered if the schema definition for your application contains an incorrect value in the Target Attribute column. Note that the Target Attribute column values in the schema definition are target system attribute names. To fix this issue, scrutinize the values in the schema definition and then update the value in the Target Attribute column with the correct target system attribute name. |
During a bulk provisioning operation, the following error might be encountered in the Connector Server log file: Max objects exceeded | To fix this issue, increase the values of the Pool Max Size and Pool Max Wait parameters of the Advanced Settings section. For more information about these parameters, see Advanced Settings Parameters. |
OIG Users are not created after running the Active Directory User Trusted Recon scheduled job. The following message is displayed in the reconciliation event generated for the user: 'Data Validation Failed' as the current status and 'Invalid ManagerLogin : <Manager ID>' as Note. | This issue is encountered because of the dependency on the manager information of users: OIG User creation fails if the manager of the user is not already present in Oracle Identity Governance. To fix this issue, you must remove the manager field mapping, run the Active Directory User Trusted Recon scheduled job, and then add back the manager field mapping as follows: In Identity Self Service, remove the Manager field mapping as follows: Run the Active Directory User Trusted Recon scheduled job. In Identity Self Service, add the manager field mapping as follows: Clear the value in the Latest Token parameter of the Active Directory User Trusted Recon scheduled job and run it. |
The following error is encountered in the log file of the Connector Server during a provisioning operation: The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF) | This issue is encountered when there are too many concurrent requests during a Create User or Password Update provisioning operation. For example, this issue can be encountered during an access policy-based provisioning operation where too many account creations are triggered at once. This error can occur on Microsoft Windows 2008, 2008 R2, or Windows 2012 domain controllers, including their service packs. To fix this issue, you must contact Microsoft Support to apply the hotfix listed in the 2781049 article (DsAddSidHistory function fails when it is called by multiple threads in Windows Server 2008 R2 SP1) on the following Web site: You can do so by accessing the preceding URL and then searching for the 2781049 article. Note: Do not apply the hotfix without contacting Microsoft Support. |
The following error is encountered in the Active Directory API, and it is not meaningful: Encountered DirectoryServicesCOMException: A device attached to the system is not functioning. | This error is encountered when the sAMAccountName attribute in the target system (corresponding to the User Login field in Oracle Identity Governance) contains more than 20 characters. If you encounter this error for User objects, then the workaround is to write Groovy-based code (see About Configuring Transformation and Validation of Data) on the User ID field during provisioning that checks whether the value contains more than 20 characters and logs an appropriate error message. If you encounter this error for Groups or Organizational Unit objects, then the workaround is to write a validation Java class (see Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units) on the corresponding field during provisioning that checks whether the value contains more than 20 characters and logs an appropriate error message. |