The first attempt to synchronize an IM user with a provisioning role (containing an Active Directory account template) reports account created: 0 and failures: 1:
The second synchronization attempt, however, reports that an existing account is not correlated with a global user:
This may happen when executing just one complex task, so we are sure the account does not exist in Active Directory; however, the task tells us the account exists but is not correlated.
Release : 12.x, 14.x
Component : IdentityMinder(Identity Manager)
The first synchronization attempt was a partial success: an account was created on the endpoint, but a subsequent operation on the endpoint, which is part of account creation, failed.
This may indicate a problem with the AD account template.
When such behavior is observed, analyze the etatrans log file.
Look for the 'Connector Server Add' operation and the account name in question.
Below is a log sample that shows what happened - 'The account was created but certain control settings were not set':
20200922:151834:TID=be8b70:Add :S721:C718:S: Connector Server Add (eTADSAccountName=XXXXXX) Requested by User etaadmin - T
20200922:151834:TID=be8b70:Add :S721:C718:S:+enantNotSet
20200922:151834:TID=be8b70:Add :S721:C718:P: URL: ldaps://XXX.XXX.XXX.XXX:20411
20200922:151834:TID=be8b70:Add :S721:C718:P: dn: eTADSAccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=
20200922:151834:TID=be8b70:Add :S721:C718:P:+ XXXXXX,eTNamespaceName=ActiveDirectory,dc=im
20200922:151834:TID=be8b70:Add :S721:C718:P: eTPassword: ** NOT SHOWN **
20200922:151834:TID=be8b70:Add :S721:C718:P: eTSuspended: 1
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSobjectClass: user
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSuserPrincipalName: XXXXXX@XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSsAMAccountName: XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSgivenName: XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSsn: XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSdisplayName: XXXXXX XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSmail: XXXXXX@XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSdepartment: XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADScompany: XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSaccountExpires: 0
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSpwdLastSet: -1
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSAccountName: XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:P: objectClass: eTADSAccount
20200922:151834:TID=be8b70:Add :S721:C718:P: eTADSuserAccountControl: 0000000332
20200922:151834:TID=be8b70:Add :S721:C718:F: FAILURE: Connector Server Add (eTADSAccountName=XXXXXX)
20200922:151834:TID=be8b70:Add :S721:C718:F: rc: 0x0050 (Unknown error)
20200922:151834:TID=be8b70:Add :S721:C718:F: msg: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed
20200922:151834:TID=be8b70:Add :S721:C718:F:+ to add entry eTADSAccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryN
20200922:151834:TID=be8b70:Add :S721:C718:F:+ame=XXXXXX,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@XXXXXX
20200922:151834:TID=be8b70:Add :S721:C718:F:+: JNDI: [LDAP: error code 70 - Added object: CN=XXXXXX,OU=XXXXXX,DC=XXXXX
20200922:151834:TID=be8b70:Add :S721:C718:F: Account control settings could not be set
20200922:151834:TID=be8b70:Add :S721:C718:F: Reason: Other
20200922:151834:TID=be8b70:Add :S721:C718:F: The account was created but certain control settings were not set. A possible re
20200922:151834:TID=be8b70:Add :S721:C718:F:+ason could be that the managed directory's native security policy requires accoun
20200922:151834:TID=be8b70:Add :S721:C718:F:+ts to have passwords. Because you are managing the directory using a non-secure c
20200922:151834:TID=be8b70:Add :S721:C718:F:+onnection, eTrust Admin creates accounts without passwords.]: failed to add eTADS
20200922:151834:TID=be8b70:Add :S721:C718:F:+AccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=XXXXXX,eTNa
20200922:151834:TID=be8b70:Add :S721:C718:F:+mespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://XXX.XXX.XXX.XXX:20411)
20200922:151834:TID=be8b70:Add :C718:C710:I: COMPLETED JOB 0: SendAddJob [eTADSAccountName=XXXXXX, rc=80(Connector Serve
20200922:151834:TID=be8b70:Add :C718:C710:I:+r Add failed: code 80 (OTHER-LdapNamingException): failed to add entry eTADSAccou
20200922:151834:TID=be8b70:Add :C718:C710:I:+ntName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=XXXXXX,eTNamespa
20200922:151834:TID=be8b70:Add :C718:C710:I:+ceName=ActiveDirectory,dc=im,dc=etasa: JCS@XXXXXX: JNDI: [LDAP: error cod
20200922:151834:TID=be8b70:Add :C718:C710:I:+e 70 - Added object: CN=XXXXXX,OU=XXXXXX,DC=kbankpocnet,DC=com
20200922:151834:TID=be8b70:Add :C718:C710:I: Account control settings could not be set
20200922:151834:TID=be8b70:Add :C718:C710:I: Reason: Other
20200922:151834:TID=be8b70:Add :C718:C710:I: The account was created but certain control settings were not set. A possible re
20200922:151834:TID=be8b70:Add :C718:C710:I:+ason could be that the managed directory's native security policy requires accoun
20200922:151834:TID=be8b70:Add :C718:C710:I:+ts to have passwords. Because you are managing the directory using a non-secure c
20200922:151834:TID=be8b70:Add :C718:C710:I:+onnection, eTrust Admin creates accounts without passwords.]: failed to add eTADS
20200922:151834:TID=be8b70:Add :C718:C710:I:+AccountName=XXXXXX,eTADSOrgUnitName=XXXXXX,eTADSDirectoryName=XXXXXX,eTNa
20200922:151834:TID=be8b70:Add :C718:C710:I:+mespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://XXX.XXX.XXX.XXX:20411))], stat
20200922:151834:TID=be8b70:Add :C718:C710:I:+us=ERROR
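One way to pull these partial creations out of a large etatrans log, as an added example that is not part of the original article: the script rejoins wrapped lines (a "+" directly after the record-type field) per thread ID, then reports each failed 'Connector Server Add' whose failure text says the account was created. The record layout is inferred from the excerpt above, and the sample lines and account names are constructed.

```python
import re

# date:time:TID=<thread>:<op> :<src>:<dst>:<type>:[+]<text>; '+' marks a wrapped continuation
LINE = re.compile(r"^(\d{8}:\d{6}):TID=(\w+):(\w+)\s*:(\w+):(\w+):([A-Z]):(\+?)(.*)$")
FAIL = re.compile(r"FAILURE: Connector Server Add \(eTADSAccountName=([^)]+)\)")
PARTIAL = "The account was created but certain control settings were not set"

def logical_records(lines):
    """Rejoin wrapped lines into one record per message, tracked per thread (TID)."""
    records, last = [], {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not an etatrans record line
        when, tid, _op, _src, _dst, kind, plus, text = m.groups()
        if plus and tid in last and last[tid]["kind"] == kind:
            last[tid]["text"] += text  # continuation: append without a separator
        else:
            last[tid] = {"when": when, "tid": tid, "kind": kind, "text": text}
            records.append(last[tid])
    return records

def partial_creations(lines):
    """Return (timestamp, account) for Adds that failed after the object was created."""
    hits, pending = [], {}
    for rec in logical_records(lines):
        if rec["kind"] != "F":  # only failure records are of interest
            continue
        m = FAIL.search(rec["text"])
        if m:
            pending[rec["tid"]] = (rec["when"], m.group(1))
        elif PARTIAL in rec["text"] and rec["tid"] in pending:
            hits.append(pending.pop(rec["tid"]))
    return hits

# Constructed sample modelled on the excerpt above; account names are made up.
SAMPLE = """\
20200922:151834:TID=be8b70:Add :S721:C718:S: Connector Server Add (eTADSAccountName=jdoe) Requested by User etaadmin
20200922:151834:TID=be8b70:Add :S721:C718:F: FAILURE: Connector Server Add (eTADSAccountName=jdoe)
20200922:151834:TID=be8b70:Add :S721:C718:F: rc: 0x0050 (Unknown error)
20200922:151834:TID=be8b70:Add :S721:C718:F: The account was created but certain control se
20200922:151834:TID=be8b70:Add :S721:C718:F:+ttings were not set. A possible reason could be
20200922:151901:TID=be8b71:Add :S722:C719:F: FAILURE: Connector Server Add (eTADSAccountName=asmith)
20200922:151901:TID=be8b71:Add :S722:C719:F: rc: 0x0050 (Unknown error)
""".splitlines()

if __name__ == "__main__":
    for when, account in partial_creations(SAMPLE):
        print(f"{when} {account}: created on endpoint, Add failed; expect 'not correlated' on re-sync")
```

Searching the raw file for the message text alone misses it whenever the wrap falls inside the phrase, which is why the records are rejoined first.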
There are a few options to rectify this problem: