Active Directory – Exchange Provisioning errors in Sailpoint Identity IQ

Issue Description:

Active Directory Provisioning along with Exchange attributes failing with below error message.

Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.

 

 

Troubleshooting steps:

  • Verified the User/Password details by logging in to the Domain controller as Domain Admin (the user which was used in Active Directory Application Configuration)
  • Verified and restarted Exchange services which were failed to start by default.

  • Enabled logging for AD Connector and observed the below messages.
    • 2018-08-31 02:07:09,515 DEBUG Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3503 – 1239254649 Entering handleObjectRequest2018-08-31 02:07:10,796 ERROR Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3380 – 1239254649 Exception occurred in handling Object Request.sailpoint.tools.GeneralException: Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
  • Launched Exchange Management Shell and observed below error messages
    • VERBOSE: Connecting to WIN-G303O4860QK.enhcorp.com.New-PSSession : [win-g303o4860qk.enhcorp.com] Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.At line:1 char:1

      + New-PSSession -ConnectionURI “$connectionUri” -ConfigurationName Microsoft.Excha …

 

Resolution:

Active Directory-Direct connector reads Exchange Server attributes by connecting to the Active Directory.

But, for provisioning any Exchange attributes, connector needs access to remote Powershell via IQService.

Windows Remote Management (WinRM) is a feature of Windows that allows

administrators to remotely run management scripts. WinRM Service should be running and that

should also be set up for Remote Management using the Enable-PSRemoting -force.

 

Enable PowerShell remoting in the domain using below cmdlet in Exchange Management Shell.

>Enable-PSRemoting -Force

Solving problem SailPoint IdentityIQ “Mark Invalid Error”

Problem description 

When we try to correlate the accounts into SailPoint’s identityIQ using multiple authoritative sources the following
exception may arise.

Why this happens

The main reason for this error is ambiguity of accounts. After the account aggregation task completed when we try to run the task refresh identity cubes. Task is not running and error is displays as Task stopped by user. When you see the log file there a exception named Mark Invalid.

 

.erroe_scrn_sht

Case 1

The main cause for this error is, If you have added more than one authoritative sources marked for one identity. The following exception will arise. that means you have added two Authoritative sources representing the same data if run the aggregation task the accounts will be populated with their name then If we perform refresh identity cubes task the accounts will not linked its respective manager account because there will be an ambiguity between two accounts which has to be correlate as manager account.

Case 2

In other cases if you have any accounts or identities not properly deleted.

Solution

The solution I found is to get backup of the rules and application into a xml file using the console.Shutdown the application server and drop all the tables in database using the sql scripts provided by identityIQ then create the tables using the scripts. Import the init.xml using the iiq console.Then import the xml file which represents the application object. Then if you run the aggregation and correlation tasks you can see that all the identities and their managers are correlated in identity warehouse.

Using lists in Identity IQ workflows at approval steps

Sailpoint’s Identity IQ converts all the empty lists that go through an approval step in a workflow into NULL values. This does not hold the same with non-empty lists.

null diagram

For example, we have a global variable in the workflow which is an empty ArrayList ( [] ). It is going to be converted to ( NULL ) once it goes through an approval step. So in order that the lists work as per our need, we could provide a dummy value so that list is never converted to NULL when it goes through an approval.

Solving the problem with ‘&’ character while importing files into IdentityIQ

Sailpoint’s IdentityIQ uses xml files for importing various objects like applications, rules. If you have a script that uses a ‘logical and’ (&)  in your code , normally the import fails. This is because of the way in which normal xml files are read. This is one of the special characters.

To solve the problem replace all the ‘logical and’s which are represented by the character ‘&’ to ‘&’. This would make your import successful.

Kindly observe the following screenshot for reference:

ampersand in xml

Find related information at this link.

IdentityIQ Migration from MySQL to Oracle database

Sailpoint’s IdentityIQ migration from Oracle Database to MySQL could probably cause a problem with  work items, event logs, identity requests. Creation of work items, event logs, identity requests fail with the following error :

“unable to find the sequence”

The problem was caused because of migration to the Oracle database. Sailpoint’s IdentityIQ sql script for MySQL in IdentityIQ creates these sequences as tables and the same is translated into the Oracle database.

Here is how you solve the problem:-

IdentityIQ has 3 sequences in all.

  1. identityiq.spt_syslog_event_sequence.
  2. identityiq.spt_identity_request_sequence.
  3. identityiq.spt_work_item_sequence.

We can find the current values of these sequences by the following  queries on your new Oracle Database:

select * from spt_syslog_event_sequence

select * from spt_identity_request_sequence

select * from spt_work_item_sequence

Drop all these tables by the following queries:

drop table spt_syslog_event_sequence;

drop table spt_identity_request_sequence;

drop table spt_work_item_sequence;

Create the required sequences by the following queries:

create sequence identityiq.spt_syslog_event_sequence start with <current_sequence_value> increment by 1 nocache;

create sequence identityiq.spt_identity_request_sequence start with <current_sequence_value> increment by 1 nocache;

create sequence identityiq.spt_work_item_sequence start with <current_sequence_value> increment by 1 nocache;

Now that we have the sequences in place , creation of event logs,  work items, identity requests will be working fine.

Enabling group attributes with Delimited Files in IdentityIQ

It is very usual that delimited file applications can contain groups. Along with specifying group schema in configuration , we need to specify the group attribute i.e., the attribute which speaks about the membership of an account in a group.

In Sailpoint’s IdentityIQ 6.2 and previous versions, we have a GUI facility to mark such group attribute. From Sailpoint’s IdentityIQ 6.4, there is no such GUI facility to mark group attribute. This can be modified by modifying the definition in debug pages of IdentityIQ.

Here is how you mark group attribute:

  1.  Open the debugpages which are available at <iiqhostname>/debug
  2. Select Application as object Type and open the xml representing your application
  3. Go to the tag that defines schemas and then to the specific schema that represents your application accounts.
  4. Find the AttributeDefinition tag that represents your group attribute.
  5. Add the following attribute to that tag.

schemaObjectType=”group”

Please find the following screenshot for reference :-

schemaobjecttype

Run required aggregations to see that your group structure is intact.