SV-IAM error, users cannot authenticate -Cannot insert duplicate key in object 'dbo.KEYCLOAK_GROUP'
search cancel

SV-IAM error, users cannot authenticate -Cannot insert duplicate key in object 'dbo.KEYCLOAK_GROUP'


Article ID: 144955


Updated On:


CA Cloud Test Mobile CA Application Test


IAM is configured for LDAP,  the connections are working fine. and we are able to see the first page when we view users. 
But when you click on the second page. 
 The error message in IAM: Error! An unexpected server error has occurred. Please review the Identity and Access Manager log file for details.- shows when all users "next" button is created. We had a new user register yesterday, and we can see them via search but cannot see in the IAM website b/c of the error. Attaching the IAM server log.  

2020-02-03 08:16:31,155 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-44) Violation of UNIQUE KEY constraint 'SIBLING_NAMES'. Cannot insert duplicate key in object 'dbo.KEYCLOAK_GROUP'. The duplicate key value is (service_virtualization, <NULL>, CIA/EDG-CLT).
2020-02-03 08:16:31,155 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-44) HHH000010: On release of batch it still contained JDBC statements
2020-02-03 08:16:31,171 ERROR [] (default task-44) Uncaught server error: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
	at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(
	at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(
	at com.sun.proxy.$Proxy67.flush(Unknown Source)



Release : 10.6 and up

Component : CA Service Virtualization


Ldap Group changed and had a Slash added to the name.  "/" is a reserved character.

Many URL schemes reserve certain characters for a special meaning: their appearance in the scheme-specific part of the URL has a designated semantics. If the character corresponding to an octet is reserved in a scheme, the octet must be encoded. The characters:
are the characters which may be reserved for special meaning within a scheme. No other characters may be reserved within a scheme.

Usually a URL has the same interpretation when an octet is represented by a character and when it encoded. However, this is not true for reserved characters: encoding a character reserved for a particular scheme may change the semantics of a URL.,quotation%20mark%2C%20ASCII%2034).

        at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(
        at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(
        ... 89 more

Examples of poorly formed LDAP groups.

BA/SA MRP Training Phase 1 Participants
Bluecat DHCP/DNS Systems


As the logs says : The duplicate key value is (service_virtualization, <NULL>, CIA/EDG-CLT). Its trying to add the group again in IAM database under 'dbo.KEYCLOAK_GROUP'..

Try to delete the CIA/EDG-CLT  from the  Group Setting-  Go to View Groups  and select this particular group name and delete it.

This should resolve the issue.