Enterprise App Provisioning Errors - SuccessFactors to Active Directory User Provisioning

ChrisPo 布錦聲 161 Reputation points
2021-10-25T02:27:33.547+00:00

Hi,

I have encountered an error on the Azure provisioning agent: it is not able to create the user from SuccessFactors in Active Directory.

Audit logs error message :
Status reason / User 'XXXXXXXXXX' will be skipped. UpdateForUnconnectedEntry

Provisioning Logs error message :
Error code / SystemForCrossDomainIdentityManagementBulkOperationResponseError

Error message
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"System.InvalidOperationException\",\"Message\":\"Could not calculate the distinguished name\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":\" at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.CalculateDistinguishedName(DynamicResource payload)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.ToAddRequest(Resource payload)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.CreateAsync(IActiveDirectoryEntryAccumulator processingContext, IBulkCreationOperationContext operationContext)\",\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":\"8\nCalculateDistinguishedName\nAADConnectProvisioningAgent.Runtime, Version=1.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\nMicrosoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator\nSystem.String CalculateDistinguishedName(Microsoft.SystemForCrossDomainIdentityManagement.DynamicResource)\",\"HResult\":-2146233079,\"Source\":\"AADConnectProvisioningAgent.Runtime\",\"WatsonBuckets\":null}","SerializedExceptionType":"InvalidOperationException"}],"ErrorCode":null,"Message":null,"Version":0}. This operation was retried 4 times. It will be retried again after this date: 2021-10-25T06:02:02.4828335Z UTC

Microsoft Entra ID
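The "Error message" field quoted in the question is a JSON envelope whose SerializedExceptionString is itself JSON, followed by free text about retries. The parser below is an added example, not part of the original thread or of Microsoft's tooling; it pulls out the fields needed for triage, and its sample input is constructed and trimmed from the shape shown in the post.

```python
import json
import re


def parse_provisioning_error(message: str) -> dict:
    """Unwrap a provisioning-log 'Error message' field into triage fields."""
    text = message.lstrip()
    # The field is a JSON object followed by free text about retries, so
    # decode only the leading JSON value and keep the remainder.
    envelope, end = json.JSONDecoder().raw_decode(text)
    retried = re.search(r"retried (\d+) times", text[end:])
    findings = []
    for exc in envelope.get("Exceptions") or []:
        # SerializedExceptionString is JSON serialized a second time.
        # strict=False accepts the raw CR/LF that the stack trace decodes to.
        inner = json.loads(exc["SerializedExceptionString"], strict=False)
        frames = re.findall(r"\bat ([\w.]+)\(", inner.get("StackTraceString") or "")
        findings.append({
            "type": exc.get("SerializedExceptionType"),
            "message": inner.get("Message"),
            "ldap_result": inner.get("ResponseResultCode"),
            "ldap_detail": inner.get("ResponseErrorMessage"),
            "top_frame": frames[0].rsplit(".", 1)[-1] if frames else None,
        })
    return {"retries": int(retried.group(1)) if retried else None,
            "exceptions": findings}


def build_sample(inner: dict, exc_type: str) -> str:
    """Constructed sample in the shape shown in the post (trimmed)."""
    inner_json = json.dumps(inner).replace("\\r\\n", "\r\n")
    outer = {"Exceptions": [{"SerializedExceptionString": inner_json,
                             "SerializedExceptionType": exc_type}],
             "ErrorCode": None, "Message": None, "Version": 0}
    return json.dumps(outer) + ". This operation was retried 4 times."


DN_ERROR = build_sample({
    "ClassName": "System.InvalidOperationException",
    "Message": "Could not calculate the distinguished name",
    "StackTraceString": "   at Microsoft.ActiveDirectory.SynchronizationAgent."
                        "ActiveDirectory.ScimToActiveDirectoryTranslator."
                        "CalculateDistinguishedName(DynamicResource payload)\r\n"
                        "   at Microsoft.ActiveDirectory.SynchronizationAgent."
                        "ActiveDirectory.ScimToActiveDirectoryTranslator."
                        "ToAddRequest(Resource payload)",
}, "InvalidOperationException")

if __name__ == "__main__":
    print(json.dumps(parse_provisioning_error(DN_ERROR), indent=2))
```

An LDAP-side failure such as the ConstraintViolation in the follow-up post fills `ldap_result` and `ldap_detail` instead of `top_frame`.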

Accepted answer
  1. ChrisPo 布錦聲 161 Reputation points
    2021-10-25T09:04:51.293+00:00

    Hi sikumars-msft,

    Thanks for your prompt response.

    However, I get another error after updating the "DisplayName" mapping field as you mentioned.

    Error code / SystemForCrossDomainIdentityManagementBulkOperationResponseError
    Error message :
    {"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"Microsoft.ActiveDirectory.SynchronizationAgent.Contract.SerializableDirectoryOperationException\",\"Message\":\"A value in the request is invalid.\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":null,\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":null,\"HResult\":-2146233088,\"Source\":null,\"WatsonBuckets\":null,\"ResponseResultCode\":\"ConstraintViolation\",\"ResponseErrorMessage\":\"00000057: LdapErr: DSID-0C091027, comment: Error in attribute conversion operation, data 0, v3839\",\"SerializedException\":\"Details:\r\nType: System.DirectoryServices.Protocols.DirectoryOperationException\r\nA value in the request is invalid.\r\nStack trace:\r\n\r\nServer stack trace: \r\n at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\r\n at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)\r\n at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\r\n\r\nException rethrown at [0]: \r\n at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)\r\n at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.LdapConnectionExtensions.


1 additional answer

  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-10-25T07:53:50.907+00:00

    Hello @ChrisPo 布錦聲 ,

    Thanks for reaching out.

    This error, "Could not calculate the distinguished name", will affect accounts that have not been matched to existing objects in Active Directory. When the users enter the scope, the engine determines they don't have an identity on-premises and proceeds to send the request to create the new user in AD.

    As a part of this process the DistinguishedName is calculated based on the CN and default OU you had defined when configuring the app.

    Troubleshooting DistinguishedName calculation

    Confirm the following details:

    • The default OU provided is valid.
    • The mapping configured for the cn attribute.

    If the default OU is valid, it is necessary to determine the source attribute or logic used on the cn mapping. As of now the default mapping uses the displayname attribute from SuccessFactors:

    [Image: 143392-image.png]

    Many users do not populate the displayname attribute in SuccessFactors; instead, they rely on the firstname and lastname attributes. In order to avoid editing every single user in the source system, an alternative that can be used is changing this default mapping so that it uses the following expression:

    Join(" ",[firstName],[lastName])

    This is an example of how the mapping should be configured:

    [Image: 143353-image.png]

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

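A preflight check for the two cn mappings discussed in the answer above, as an added example that is not part of the original thread or the provisioning agent's code. It reports which source records would yield no cn under each mapping; the `id` field, the sample records, the default OU and the `CN=<cn>,<default OU>` layout are assumptions for illustration.

```python
import re

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_SPECIAL = re.compile(r'([\\,+"<>;])')


def escape_rdn_value(value: str) -> str:
    escaped = _SPECIAL.sub(r"\\\1", value.strip())
    return "\\" + escaped if escaped.startswith("#") else escaped


def cn_from_mapping(user: dict, use_join: bool) -> str:
    """Approximate the two cn mappings from the answer (assumed semantics)."""
    if use_join:  # Join(" ",[firstName],[lastName])
        first, last = user.get("firstName") or "", user.get("lastName") or ""
        return f"{first} {last}".strip()
    return (user.get("displayName") or "").strip()  # default: displayName


def preflight(users: list, default_ou: str, use_join: bool):
    """Return ({id: dn}, [ids with an empty cn]) for one mapping choice."""
    dns, no_cn = {}, []
    for user in users:
        cn = cn_from_mapping(user, use_join)
        if cn:
            dns[user["id"]] = f"CN={escape_rdn_value(cn)},{default_ou}"
        else:
            no_cn.append(user["id"])  # no cn, so no DN can be built
    return dns, no_cn


# Constructed records; "id" is a hypothetical key for this example.
USERS = [
    {"id": "1001", "displayName": "Alex Chan", "firstName": "Alex", "lastName": "Chan"},
    {"id": "1002", "displayName": "", "firstName": "Mei", "lastName": "Wong"},
    {"id": "1003", "displayName": None, "firstName": "", "lastName": ""},
    {"id": "1004", "displayName": "Lee, Sam", "firstName": "Sam", "lastName": "Lee"},
]
DEFAULT_OU = "OU=Staff,DC=example,DC=com"  # assumed default OU

if __name__ == "__main__":
    for use_join in (False, True):
        dns, no_cn = preflight(USERS, DEFAULT_OU, use_join)
        print("Join mapping" if use_join else "displayName mapping", dns, no_cn)
```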