CA Identity ManagerCA Identity GovernanceCA Identity Portal
Issue/Introduction
Trying set AD attribute accountExpires using PolicyXpress. I've tried to set value as Microsoft stated: 100-nanosecond intervals since January 1, 1601 (UTC). It works when I'm trying to update the value in Provisioning Directory, but if I do it from PolicyXpress, it fails. I set value 131832504000000000 in PolicyXpress and I see in Provisioning Server logs that it's trying to set the value: 44754350606095032320000
ERROR MESSAGE: Failed to execute ModifyActiveDirectoryAccount. ERROR MESSAGE: Active Dir. Account '' on 'Tipsport AD' modification failed: Connector Server Modify failed: code 21 (INVALID_ATTRIBUTE_SYNTAX): failed to modify entry: eTADSAccountName=xxx,eTADSOrgUnitName=yyy OU,eTADSDirectoryName=zzz,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@idm-test: JNDI: [LDAP: error code 21 - Invalid Syntax]
Environment
Release: Component: IDMGR
Cause
This is a "front-end" format in PX not the "back-end" one. One approach is to set an Account expires date from IM Provisioning Manager and from IM User Console via a PX to get this value. Here is a sample of what you can get: "2018-10-28T23:00:00.000" which is dealing in this case with 28th October 2018.
Resolution
Change your Policy Xpress definition to set a value as "yyyy-mm-ddT23:00:00.000".