8 Troubleshooting the Microsoft Active Directory User Management Connector

These are the solutions to problems you might encounter while using the Microsoft Active Directory User Management connector.

Note:

From release 12.2.1.3.0 onward, the IT Resource of CI-based mode is mapped to Basic Configuration of AOB. Similarly, the main configuration lookup definition of CI-based mode is mapped to Advanced Settings of AOB. All solutions described in this chapter are applicable to Users, Groups, and Organizational Units and have been documented using the AOB terminology. Therefore, if you are referring to this table for solutions to any User operations, use the AOB terminology as written. If you are referring to this table for solutions to any Groups or Organizational Units operations, replace the AOB terminology with the terminology for CI-based mode.

Table 8-1 Troubleshooting for the Microsoft Active Directory User Management Connector

Each entry below states the problem first, followed by its solution.

The following error is encountered:

java.net.UnknownHostException:

Ensure that the host name in the IT resource for the Connector Server is specified correctly.

The following error is encountered:

InvalidCredentialException: Remote framework key is invalid

Ensure that the value of the Key parameter of the IT resource for the Connector Server is specified correctly.

The following error is encountered:

ConnectorException: java.net.ConnectException: Connection refused

Ensure that the port number in the IT resource for the Connector Server is specified correctly.

The following error is encountered in the reconciliation job:

org.identityconnectors.framework.common.exceptions.ConnectorException: The server does not support the requested critical extension.

The following are the possible reasons for the occurrence of this error:

  • If the connector is configured for Microsoft AD LDS, then a reconciliation job parameter refers to an attribute that is not present in the Microsoft AD LDS user schema. For example, the sAMAccountName attribute is not a valid attribute on Microsoft AD LDS.

    Therefore, ensure that attributes that are not present on Microsoft AD LDS are not specified as values of reconciliation job parameters such as Sort By.

  • The connector must fetch a very large number of records.

    To fix this issue, remove the values specified for the Batch Size, Number of Batches, Batch Start, Sort Direction, and Sort By parameters of the reconciliation jobs.

    You can always use the Page Size parameter of the Advanced Settings section for granular-level setting. The connector uses the ICF Handler for sending data to Oracle Identity Governance, and the ICF and ICFINTG layers take care of processing the data and generating the reconciliation event.

  • A multivalued field on the target system is mapped to a single-valued field on the AD User form in Oracle Identity Governance.

    To avoid encountering this issue, ensure that multivalued fields on the target system are mapped to the corresponding multivalued field on the AD User form.

While starting the Connector Server, the following exception is encountered:

Unhandled Exception: System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted

This exception is encountered because the Connector Server uses a port that is already in use (usually by another instance of the Connector Server). You can fix this issue by performing one of the following steps:

  • If the Connector Server service is running, then stop it.

  • Search for and open the ConnectorServer.exe.Config file, change the port value to 8758 or 8755, and then start the Connector Server. The default location of the ConnectorServer.exe.Config file is C:\Program Files\Identity Connectors\Connector Server.

The following error is encountered while running the Active Directory Target Reconciliation scheduled job:

ADP ClassLoader failed to load: Script1 java.lang.ClassNotFoundException: ADP ClassLoader failed to load: Script1

Ensure that the value for the Filter syntax attribute of the scheduled job is specified correctly. See Performing Limited Reconciliation By Using Filters for more information.

All reconciliation runs are successful, but the following error is encountered while running provisioning operations:

Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers.

Ensure that the value of the LDAPHostName parameter of the IT resource is specified correctly.

To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

The Connector Server throws an Out of Memory exception.

A memory leak issue occurs in Microsoft .NET Framework 3.5. To fix this issue, you must apply the hotfix (listed in the following Web site) on the computer hosting the Connector Server:

http://support.microsoft.com/kb/981575

Unable to start the Connector Server after extracting the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory. The following exception is encountered:

ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files\Identity Connectors\Connector Server

ConnectorServer.exe Error: 0 : Exception occurred starting connector server

System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified.

File name: 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' at Org.IdentityConnectors.Common.CollectionUtil.NewSet[T,U](IEnumerable`1 collection)

Note: This error is encountered only if you use the command prompt to start the Connector Server. If you use services.msc to start the Connector Server, then the Connector Server stops soon after it starts.

This exception is encountered if the Microsoft .NET Framework is not present. You must install .NET Framework 3.5 or later on the computer that is hosting the Connector Server.

Note: If you are installing .NET Framework 3.5, then ensure you install the following patch to avoid the memory leak issue:

http://support.microsoft.com/kb/981575

All connector operations such as reconciliation and provisioning operations fail and the following error is encountered:

oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector) not found

In addition, the same error message is written to the Connector Server log file.

The following are the possible reasons for the occurrence of this error:

  • The connector bundle is not extracted in the CONNECTOR_SERVER_HOME directory.

  • The Connector Server is started before you extract the contents of the connector bundle.

  • Cache-related issue in Oracle Identity Governance.

Perform the following steps to fix this issue:

  1. Stop the Connector Server.

  2. Extract the contents of the connector bundle into the CONNECTOR_SERVER_HOME directory.

  3. Start the Connector Server.

  4. Run the PurgeCache utility on the computer hosting Oracle Identity Governance.

  5. Restart Oracle Identity Governance.

The following error is encountered while performing any connector operation:

A local error has occurred

This error is encountered if you specify a value for the DirectoryAdminName IT resource parameter in an incorrect format. You must use only the following format to specify a value for this parameter:

DOMAIN_NAME\USER_NAME

See the "Admin User Name" row of Table 3-1 for more information.

The computer hosting the Connector Server and target system is unavailable. Nothing works despite specifying a value for the Backup Host Names parameter of the Basic Configuration section.

The computer hosting the Connector Server must be up and running at all times. Instead of deploying the Connector Server on PDC and BDC hosts, follow these guidelines to avoid this error:

  • Have a dedicated computer for the Connector Server. Note that you can specify a value for the Backup Host Names parameter of the Basic Configuration section even if the Connector Server is running on a dedicated computer.

  • The computer hosting the Connector Server must be in the same domain as the target system.

  • Deploy the Connector Server and configure the Active Directory Connector Server IT resource. For more information about the IT resource, see Configuring the IT Resource for the Connector Server.

A target resource reconciliation run fails with the following error:

Row index out of bounds

However, users are brought into Oracle Identity Governance and are linked successfully.

This issue is encountered when a scheduled job updates the usNChanged attribute of the target system. As a workaround, create a new scheduled job and perform a reconciliation run.

The following error is encountered in the Connector Server log file:

org.identityconnectors.framework.common.exceptions.ConnectorException: java.net.ConnectException: Connection timed out

The following are two of the possible reasons for the occurrence of this error:

  • The connection between the Connector Server and Oracle Identity Governance times out.

    To fix this issue, either set the value of the Timeout parameter of the Connector Server IT resource to 0, or increase its existing value.

  • The Connector Server port is blocked by the firewall.

    To fix this issue, use the Telnet protocol to check whether the Connector Server is listening at the default port (8795). If the port is not open, then you can either open the port or choose another port for the Connector Server. To change the port, edit the ConnectorServer.exe.Config file by specifying a new port in the following line, and then restart the Connector Server:

    <add key="connectorserver.port" value="8759"/>
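The two port-related entries above (the "Only one usage of each socket address" error when the Connector Server starts, and the Telnet check for a port blocked by a firewall) can be scripted from the Oracle Identity Governance host. The following Python script is an added example, not part of this guide or of the connector: it reads the connectorserver.port key from a constructed sample of ConnectorServer.exe.Config and classifies a TCP probe of that port into the same outcomes the errors in this table report (unknown host, connection refused, connection timed out). The host name, the sample configuration content and the advice strings are assumptions made for the example.

```python
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the appSettings section of ConnectorServer.exe.Config.
# It is not the file shipped with the Connector Server; only the port key
# is read below.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.port" value="8759" />
  </appSettings>
</configuration>
"""

# Maps each probe outcome to the error this table associates with it and
# to the corresponding check on the Connector Server IT resource.
ADVICE = {
    "open": "Connector Server is listening; check the Key parameter and the SSL settings next.",
    "unknown-host": "java.net.UnknownHostException: check the host name in the Connector Server IT resource.",
    "refused": "Connection refused: check the port number in the IT resource and that the Connector Server service is running.",
    "timeout": "Connection timed out: the port is probably blocked by a firewall between OIG and the Connector Server.",
}


def read_connector_server_port(config_xml: str) -> int:
    """Return the value of the connectorserver.port appSettings key."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        if add.get("key") == "connectorserver.port":
            return int(add.get("value"))
    raise KeyError("connectorserver.port not found in appSettings")


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unknown-host"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:              # e.g. host unreachable
        return f"error:{exc.errno}"


def demo_probe_against_local_listener() -> tuple:
    """Show the 'open' and 'refused' outcomes using a throw-away local listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Usage: python probe_connector_server.py <host> [path-to-ConnectorServer.exe.Config]
    host = sys.argv[1] if len(sys.argv) > 1 else "connector-server.example.com"  # assumed host
    config_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CONFIG
    port = read_connector_server_port(config_text)
    result = probe_port(host, port)
    print(f"{host}:{port} -> {result}: {ADVICE.get(result, 'unexpected socket error')}")
    print("local demo (open, refused):", demo_probe_against_local_listener())
```

Run it from the Oracle Identity Governance host, not from the Connector Server host, so that the probe crosses the same network path and firewall rules that the connector traffic uses; a probe that succeeds locally but times out from OIG points at the firewall case in this entry.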

Lookup field synchronization for groups and organizations, and reconciliation of groups run successfully. However, the following error is encountered when you perform reconciliation of organizations (in other words, run the Active Directory Organization Recon scheduled job):

oracle.iam.reconciliation.exception.InvalidDataFormatException: Required column name RECON_ORGNAME4EAE4287 and value does not exist

In addition, the following error is written to the log file of Oracle Identity Governance:

Required column name RECON_ORGNAME<……> and value does not exist

This error is encountered if the value of the Configuration Lookup parameter of the Active Directory IT resource is set to Lookup.Configuration.ActiveDirectory.

To avoid this error, if you are performing organization reconciliation with the Xellerate User resource object, then ensure that you set the value of the Configuration Lookup parameter of the Active Directory IT resource to Lookup.Configuration.ActiveDirectory.Trusted.

While running the scheduled jobs for lookup field synchronization (groups and organizations), the following exception is encountered:

Unable to get the Directory Entry

In addition, the following error is written to the Connector Server log file:

Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry

You can perform one of the following steps to determine the cause of this error:

  • Check for the error message in the log files of the Connector Server to find out the root cause.

  • Check the Event Viewer. To open the Event Viewer, from the Start menu, select Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

The following are a few of the possible reasons for the occurrence of this error:

  • An incorrect value is specified for the DomainName IT resource parameter.

    To fix this issue, specify a correct value for the DomainName IT resource parameter. Note that you must use only the following format to specify a value for this parameter:

    DOMAIN_NAME\USER_NAME

  • The computer hosting the Connector Server is not present in the AD domain.

    To fix this issue, ensure that the Connector Server is installed on a computer that is a part of the same AD domain.

The following error is encountered in the log file of Oracle Identity Governance while running reconciliation jobs:

java.net.SocketException: Connection reset

The following are two of the possible reasons for the occurrence of this error:

  • LDAPS is not enabled on the domain controllers.

    To fix this issue, enable LDAPS as described in Configuring SSL Between Connector Server and Microsoft Active Directory.

  • Oracle Identity Governance is not set for SSL. In other words, the UseSSL parameter of the Basic Configuration section is set to no and the UseSSL parameter of the Connector Server IT resource is set to false, but the Connector Server is SSL enabled.

    To fix this issue, ensure that you set the value of the UseSSL parameter of the Basic Configuration section to yes and the value of the UseSSL parameter of the Connector Server IT resource to true.

Any connector operation (reconciliation or provisioning) fails and the following exception is encountered:

Domain Controller not found in the domain 'SAMPLEDOMAIN.com'

In addition, the following error is written to the Connector Server log file:

org.identityconnectors.framework.common.exceptions.ConnectorException: Domain controller not found in the domain

The following are two of the possible reasons for the occurrence of this error:

  • An incorrect value is specified for the DomainName IT resource parameter.

    To fix this issue, specify a correct value for the DomainName IT resource parameter. Note that you must use only the following format to specify a value for this parameter:

    DOMAIN_NAME\USER_NAME

  • The computer hosting the Connector Server is not present in the AD domain.

    To fix this issue, ensure that the Connector Server is installed on a computer that is a part of the same AD domain.

The following error is encountered in the Connector Server log file:

org.identityconnectors.framework.common.exceptions.ConnectorException: Neither able to connect to Primary Domain Controller nor to any of Back up Domain Controllers.

This error is encountered if an incorrect value is specified for the LDAP Host Name parameter of the Basic Configuration section.

To fix this issue, you must specify a correct value for the LDAP Host Name basic configuration parameter. To determine the correct value for this parameter, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

The following error is encountered in the Connector Server log file:

System.IO.IOException: The handshake failed due to an unexpected packet format

This error is encountered if Oracle Identity Governance is not set for SSL. In other words, the UseSSL parameter in the IT resource of the target system is set to no and the UseSSL parameter in the Connector Server IT resource is set to false, but the Connector Server is SSL enabled.

To fix this issue, ensure that you set the value of the UseSSL parameter in the IT resource of the target system to yes and the value of the UseSSL parameter in the Connector Server IT resource to true.

The following error is encountered in the Connector Server log file:

System.DirectoryServices.ActiveDirectory.DomainController.FindOneWithCredentialValidation(DirectoryContext context, String siteName, LocatorOptions flag)(in connector server logs)

This error is encountered if no value has been specified for the Domain Controller parameter of the Basic Configuration section.

To fix this issue, specify a value for the Domain Controller basic configuration parameter. For more information about this parameter, see Basic Configuration Parameters.

The Active Directory User Target Recon scheduled job for bulk users does not fetch all users from the target system.

This issue is encountered if the reconciliation matching rule has changed.

To fix this issue, create a reconciliation profile with the updated matching rule as follows:

  1. Log in to the Design Console.

  2. Expand Resource Management and then double-click Resource Objects.

  3. Search for and open the AD User resource object.

  4. On the Object Reconciliation tab, click Create Reconciliation Profile to generate the reconciliation profile with all the latest updates.

No records are reconciled when the following filter is applied:

contains('memberOf','PGMGroup')

This issue is encountered because "memberOf" is a multivalued attribute in the target system. For applying filters on multivalued attributes, use the "containsAllValues" filter.

The Group Display in the AD User child form takes a long time to display all Groups. Therefore, adding an AD Group to an AD User takes a significant amount of time.

To reduce the delay in displaying the groups page, enable caching in Oracle Identity Governance.

The following error is encountered in the Connector Server log file:

System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.

This issue is encountered if you have exported the certificate with a private key (for example, as a .pfx file) while performing the instructions in Exporting the Certificate, but have not imported it into the certificate store named 'sslstore' by using the MMC console. To avoid this issue, if you have exported the certificate with a private key (.pfx file), ensure that you import it into 'sslstore' by using the MMC console.

A provisioning operation (either create or update) fails and the following error is written to the Connector Server log file:

The specified directory service attribute or value does not exist.

This issue is encountered if the schema definition for your application contains an incorrect value in the Target Attribute column. Note that the Target Attribute column values in the schema definition are target system attribute names.

To fix this issue, scrutinize the values on the schema definition and then update the value in the Target Attribute column with the correct target system attribute name.

During a bulk provisioning operation, the following error might be encountered in the Connector Server log file:

Max objects exceeded

To fix this issue, increase the values of the Pool Max Size and Pool Max Wait parameters of the Advanced Settings section. For more information about these parameters, see Advanced Settings Parameters.

OIG Users are not created after running the Active Directory User Trusted Recon scheduled job. The following message is displayed in the reconciliation event generated for the user:

'Data Validation Failed' as the current status and 'Invalid ManagerLogin : <Manager ID>' as Note.

This issue is caused by the dependency on the manager information of users: OIG User creation fails if the manager of the user is not already present in Oracle Identity Governance. To fix this issue, you must remove the manager field mapping, run the Active Directory User Trusted Recon scheduled job, and then add back the manager field mapping as follows:

In Identity Self Service, remove the Manager field mapping as follows:

  1. Log in to Identity Self Service.

  2. Search for and open the Authoritative application corresponding to your target system for editing.

  3. From the Schema page, delete the row corresponding to the Manager Login display name.

  4. Apply the changes.

Run the Active Directory User Trusted Recon scheduled job.

In Identity Self Service, add the manager field mapping as follows:

  1. Log in to Identity Self Service.

  2. Search for and open the Authoritative application corresponding to your target system for editing.

  3. From the Schema page, add a new row by specifying Manager Login as the Display Name and Manager ID as the Target Attribute. For more information about schema attribute mappings, see Attribute Mappings for an Authoritative Application.

  4. Apply the changes.

Clear the value in the latest token parameter of the Active Directory User Trusted Recon scheduled job and run it.

The following error is encountered in the log file of the Connector Server during a provisioning operation:

The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF)

This issue is encountered when there are too many requests at the same time during a Create User or Password Update provisioning operation.

For example, this issue can be encountered during an access policy-based provisioning operation where too many account creations are triggered.

This error can occur on Microsoft Windows 2008, 2008 R2, or Windows 2012 domain controllers, including their service pack levels.

To fix this issue, you must contact Microsoft Support to apply the hotfix listed in the 2781049 article (DsAddSidHistory function fails when it is called by multiple threads in Windows Server 2008 R2 SP1) on the following Web site:

http://support.microsoft.com/

You can do so by accessing the preceding URL and then searching for the 2781049 article.

Note: Do not apply the hotfix without contacting Microsoft Support.

The Active Directory API returns the following error, which is not meaningful:

Encountered DirectoryServicesCOMException: A device attached to the system is not functioning.

This error is encountered when the sAMAccount attribute in the target system (corresponding to the User Login field in Oracle Identity Governance) contains more than 20 characters.

If you encounter this error for User objects, then the workaround is to write Groovy-based code (see About Configuring Transformation and Validation of Data) on the User ID field during provisioning to check whether it contains more than 20 characters and log an appropriate error message.

If you encounter this error for Groups or Organizational Unit Objects, then the workaround is to write validation Java code (see Configuring Validation of Data During Reconciliation and Provisioning for Groups and Organizational Units) on the corresponding field during provisioning to check whether it contains more than 20 characters and log an appropriate error message.
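The two input checks that this table leaves to the reader (the DOMAIN_NAME\USER_NAME format required for the admin user name and domain name parameters in the entries above, and the 20-character sAMAccountName limit in the last entry) are shown below as an added Python example. It is not the Groovy or Java validation code those entries refer to, nor part of the connector; it is the logic you would port into that OIG validation hook so that a clear error is logged before the Active Directory API returns its unhelpful "device attached to the system" message. It goes one step beyond the text by also rejecting the characters that Microsoft documents as illegal in sAMAccountName. The logger name and the sample values are constructed for the example.

```python
import logging
import re
from typing import List

log = logging.getLogger("ad-provisioning-validation")   # assumed logger name

# Active Directory limits the sAMAccountName of a user to 20 characters; beyond
# that the API returns the unhelpful "device attached to the system" error
# quoted above instead of a validation message.
SAM_ACCOUNT_NAME_MAX_LEN = 20

# Characters Active Directory itself rejects in sAMAccountName (Microsoft's
# documented illegal-character list), checked here in addition to the length.
SAM_ACCOUNT_NAME_ILLEGAL = set('"/\\[]:;|=,+*?<>')

# DirectoryAdminName / DomainName must be DOMAIN_NAME\USER_NAME: exactly one
# backslash with a non-empty, whitespace-free part on either side.
ADMIN_NAME_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def validate_admin_name(value: str) -> bool:
    """True when value is in the DOMAIN_NAME\\USER_NAME format this table requires."""
    ok = bool(ADMIN_NAME_RE.match(value or ""))
    if not ok:
        log.error("admin name %r is not in DOMAIN_NAME\\USER_NAME format", value)
    return ok


def validate_sam_account_name(value: str) -> List[str]:
    """Return the list of problems with a proposed sAMAccountName (empty list = OK).

    Each problem is also written to the log, which is what the workaround in
    the last entry of this table asks the validation code to do.
    """
    problems = []
    if not value:
        problems.append("sAMAccountName is empty")
    else:
        if len(value) > SAM_ACCOUNT_NAME_MAX_LEN:
            problems.append(
                f"sAMAccountName {value!r} is {len(value)} characters; "
                f"the maximum is {SAM_ACCOUNT_NAME_MAX_LEN}"
            )
        bad = sorted(SAM_ACCOUNT_NAME_ILLEGAL & set(value))
        if bad:
            problems.append(f"sAMAccountName {value!r} contains illegal characters {bad}")
    for problem in problems:
        log.error(problem)
    return problems


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed sample logins: one valid, one too long, one with an illegal character.
    for login in ("jdoe", "a_very_long_user_login_name", 'j"doe'):
        print(login, "->", validate_sam_account_name(login) or "OK")
    print("SAMPLEDOMAIN\\svc-oig ->", validate_admin_name("SAMPLEDOMAIN\\svc-oig"))
    print("svc-oig@sampledomain.com ->", validate_admin_name("svc-oig@sampledomain.com"))
```

Rejecting the value at provisioning time turns a failed Create User task with a meaningless COM error into a logged, attributable validation failure, which is also what an operator reviewing the Connector Server log wants to see.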