Active Directory account has not previously been correlated to this global user
Article ID: 200248

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

The first attempt to synchronize an IM user with a provisioning role (containing an Active Directory account template) reports accounts created: 0 and failures: 1.

A second synchronization attempt, however, reports that an existing account is not correlated with a global user.

This can happen even when executing a single task: we are certain the account did not exist in Active Directory beforehand, yet the task reports that the account exists but is not correlated.

Environment

Release: 12.x, 14.x

Component: IdentityMinder (Identity Manager)

Cause

The first synchronization attempt was a partial success: the account was created on the endpoint, but a subsequent operation on the endpoint, which is part of account creation, failed.

This may indicate a problem with the AD account template.

Resolution

When this behavior is observed, analyze the etatrans log file.
Look for the 'Connector Server Add' operation and the account name in question.

Below is a log sample that shows what happened, 'The account was created but certain control settings were not set':

20200922:151834:TID=be8b70:Add       :S721:C718:S: Connector Server Add (eTADSAccountName=XXXXXX) Requested by User etaadmin - T
20200922:151834:TID=be8b70:Add       :S721:C718:S:+enantNotSet
20200922:151834:TID=be8b70:Add       :S721:C718:P:     URL: ldaps://XXX.XXX.XXX.XXX:20411
20200922:151834:TID=be8b70:Add       :S721:C718:P:     dn:  eTADSAccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=
20200922:151834:TID=be8b70:Add       :S721:C718:P:+    XXXXXX,eTNamespaceName=ActiveDirectory,dc=im
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTPassword:  ** NOT SHOWN **
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTSuspended:  1
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSobjectClass:  user
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSuserPrincipalName:  XXXXXX@XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSsAMAccountName:  XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSgivenName:  XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSsn:  XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSdisplayName:  XXXXXX XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSmail:  XXXXXX@XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSdepartment:  XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADScompany:  XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSaccountExpires:  0
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSpwdLastSet:  -1
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSAccountName:  XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:P:     objectClass:  eTADSAccount
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSuserAccountControl:  0000000332
20200922:151834:TID=be8b70:Add       :S721:C718:F: FAILURE: Connector Server Add (eTADSAccountName=XXXXXX)
20200922:151834:TID=be8b70:Add       :S721:C718:F:     rc:  0x0050 (Unknown error)
20200922:151834:TID=be8b70:Add       :S721:C718:F:     msg: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ to add entry eTADSAccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryN
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ame=XXXXXX,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:F:+: JNDI: [LDAP: error code 70 - Added object: CN=XXXXXX,OU=XXXXXX,DC=XXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:F: Account control settings could not be set
20200922:151834:TID=be8b70:Add       :S721:C718:F: Reason: Other
20200922:151834:TID=be8b70:Add       :S721:C718:F: The account was created but certain control settings were not set.  A possible re
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ason could be that the managed directory's native security policy requires accoun
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ts to have passwords. Because you are managing the directory using a non-secure c
20200922:151834:TID=be8b70:Add       :S721:C718:F:+onnection, eTrust Admin creates accounts without passwords.]: failed to add eTADS
20200922:151834:TID=be8b70:Add       :S721:C718:F:+AccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=XXXXXX,eTNa
20200922:151834:TID=be8b70:Add       :S721:C718:F:+mespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://XXX.XXX.XXX.XXX:20411)
20200922:151834:TID=be8b70:Add       :C718:C710:I: COMPLETED   JOB 0: SendAddJob [eTADSAccountName=XXXXXX, rc=80(Connector Serve
20200922:151834:TID=be8b70:Add       :C718:C710:I:+r Add failed: code 80 (OTHER-LdapNamingException): failed to add entry eTADSAccou
20200922:151834:TID=be8b70:Add       :C718:C710:I:+ntName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=XXXXXX,eTNamespa
20200922:151834:TID=be8b70:Add       :C718:C710:I:+ceName=ActiveDirectory,dc=im,dc=etasa: JCS@XXXXXX: JNDI: [LDAP: error cod
20200922:151834:TID=be8b70:Add       :C718:C710:I:+e 70 - Added object: CN=XXXXXX,OU=XXXXXX,DC=kbankpocnet,DC=com
20200922:151834:TID=be8b70:Add       :C718:C710:I: Account control settings could not be set
20200922:151834:TID=be8b70:Add       :C718:C710:I: Reason: Other
20200922:151834:TID=be8b70:Add       :C718:C710:I: The account was created but certain control settings were not set.  A possible re
20200922:151834:TID=be8b70:Add       :C718:C710:I:+ason could be that the managed directory's native security policy requires accoun
20200922:151834:TID=be8b70:Add       :C718:C710:I:+ts to have passwords. Because you are managing the directory using a non-secure c
20200922:151834:TID=be8b70:Add       :C718:C710:I:+onnection, eTrust Admin creates accounts without passwords.]: failed to add eTADS
20200922:151834:TID=be8b70:Add       :C718:C710:I:+AccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=XXXXXX,eTNa
20200922:151834:TID=be8b70:Add       :C718:C710:I:+mespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://XXX.XXX.XXX.XXX:20411))], stat
20200922:151834:TID=be8b70:Add       :C718:C710:I:+us=ERROR
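The log review above can be automated. The script below is an added example written for this article, not part of CA Identity Manager or its tooling. It infers the etatrans record layout (date:time:TID:operation:source:destination:flag:message, with a leading '+' on the message marking a continuation line) from the sample above; the embedded log excerpt is constructed and shortened, and the phrases used to recognize a partial success ("The account was created but certain control settings were not set", "Added object:") are taken from the sample rather than from any official specification. It groups records by transaction id and flags Connector Server Add transactions where the endpoint created the object before a later step failed, which are exactly the accounts that will later show up as existing but not correlated.

```python
"""Triage helper for CA Identity Manager etatrans logs (added example).

Finds 'Connector Server Add' transactions that were only a partial
success: the endpoint created the account, but a follow-up step
(setting account control flags) failed. Record layout is inferred from
the article's sample; the sample log below is constructed.
"""
import re
from collections import OrderedDict

# One etatrans record: date:time:TID=...:op:src:dst:flag:[+]message
# A leading '+' on the message continues the previous record (assumed).
LINE_RE = re.compile(
    r"^(?P<date>\d{8}):(?P<time>\d{6}):TID=(?P<tid>\w+):(?P<op>\w+)\s*:"
    r"(?P<src>\w+):(?P<dst>\w+):(?P<flag>[A-Z]):(?P<cont>\+?)(?P<msg>.*)$"
)
ACCOUNT_RE = re.compile(r"\(eTADSAccountName=([^)]+)\)")
RC_RE = re.compile(r"rc:\s+(0x[0-9A-Fa-f]+)")
LDAP_CODE_RE = re.compile(r"LDAP: error code (\d+)")

# Phrases (from the article's sample) showing the object was created
# on the endpoint before the operation was reported as a failure.
PARTIAL_MARKERS = (
    "The account was created but certain control settings were not set",
    "Added object:",
)

# Constructed, shortened log excerpt modelled on the article's sample.
SAMPLE_LOG = """\
20200922:151834:TID=be8b70:Add       :S721:C718:S: Connector Server Add (eTADSAccountName=XXXXXX) Requested by User etaadmin - T
20200922:151834:TID=be8b70:Add       :S721:C718:S:+enantNotSet
20200922:151834:TID=be8b70:Add       :S721:C718:P:     eTADSuserAccountControl:  0000000332
20200922:151834:TID=be8b70:Add       :S721:C718:F: FAILURE: Connector Server Add (eTADSAccountName=XXXXXX)
20200922:151834:TID=be8b70:Add       :S721:C718:F:     rc:  0x0050 (Unknown error)
20200922:151834:TID=be8b70:Add       :S721:C718:F:     msg: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ to add entry: JNDI: [LDAP: error code 70 - Added object: CN=XXXXXX,OU=XXXXXX
20200922:151834:TID=be8b70:Add       :S721:C718:F: Account control settings could not be set
20200922:151834:TID=be8b70:Add       :S721:C718:F: The account was created but certain control settings were not set.  A possible re
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ason could be that the managed directory's native security policy requires accoun
20200922:151834:TID=be8b70:Add       :S721:C718:F:+ts to have passwords.]
20200922:151901:TID=be8b71:Add       :S721:C718:S: Connector Server Add (eTADSAccountName=user2) Requested by User etaadmin
20200922:151901:TID=be8b71:Add       :S721:C718:P:     eTADSuserAccountControl:  0000000512
20200922:151930:TID=be8b72:Add       :S721:C718:S: Connector Server Add (eTADSAccountName=user3) Requested by User etaadmin
20200922:151930:TID=be8b72:Add       :S721:C718:F: FAILURE: Connector Server Add (eTADSAccountName=user3)
20200922:151930:TID=be8b72:Add       :S721:C718:F:     rc:  0x0044 (constructed: entry already exists)
20200922:151930:TID=be8b72:Add       :S721:C718:F:     msg: Connector Server Add failed: JNDI: [LDAP: error code 68 - Entry Already Exists]
"""


def parse_records(lines):
    """Join continuation lines; return (tid, op, flag, message) tuples."""
    records = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # blank line, banner, or otherwise not a record
        if m.group("cont") and records:
            tid, op, flag, msg = records[-1]
            records[-1] = (tid, op, flag, msg + m.group("msg"))
        else:
            records.append((m.group("tid"), m.group("op"),
                            m.group("flag"), m.group("msg").lstrip()))
    return records


def triage_adds(lines):
    """Classify every Connector Server Add transaction in the log."""
    groups = OrderedDict()
    for tid, op, flag, msg in parse_records(lines):
        if op != "Add":
            continue
        g = groups.setdefault(tid, {"account": None, "failures": []})
        if flag == "S":
            acc = ACCOUNT_RE.search(msg)
            if acc:
                g["account"] = acc.group(1)
        elif flag == "F":
            g["failures"].append(msg)

    results = []
    for tid, g in groups.items():
        failure_text = " ".join(g["failures"])
        if not g["failures"]:
            outcome = "no-failure"
        elif any(marker in failure_text for marker in PARTIAL_MARKERS):
            outcome = "partial-success"  # exists on endpoint, not correlated
        else:
            outcome = "failed"
        rc = RC_RE.search(failure_text)
        ldap = LDAP_CODE_RE.search(failure_text)
        results.append({
            "tid": tid,
            "account": g["account"],
            "outcome": outcome,
            "rc": rc.group(1) if rc else None,
            "ldap_error_code": int(ldap.group(1)) if ldap else None,
        })
    return results


def partial_success_accounts(lines):
    """Account names that need re-explore/correlate or cleanup."""
    return [r["account"] for r in triage_adds(lines)
            if r["outcome"] == "partial-success"]


if __name__ == "__main__":
    for r in triage_adds(SAMPLE_LOG.splitlines()):
        print(f"{r['tid']} {r['account']!s:10} {r['outcome']:16} "
              f"rc={r['rc']} ldap={r['ldap_error_code']}")
    print("needs correlation:", partial_success_accounts(SAMPLE_LOG.splitlines()))
```

Run it against a real etatrans file with `triage_adds(open(path).readlines())`; the accounts it reports as partial-success are the ones to re-explore and correlate (or remove and recreate) per the options below. Transactions whose failure text carries neither marker are plain failures, where nothing was created on the endpoint and no correlation problem follows.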

There are a few options to rectify this problem:

  • Re-explore. Run explore and correlate for the organizational unit that contains the account in question.
    This can be done easily from the Provisioning Manager UI, without creating a new explore definition.
  • Enable automatic correlation in the Provisioning Server. In the Provisioning Manager select System > Domain Configuration > Synchronization > Automatic Correlation.
  • Remove the account in AD, fix the account template that likely caused the partial success in the first place, and synchronize the user with provisioning roles again.