question

ChrisPo-8007 asked ChetanDesai-4206 commented

Enterprise App Provisioning Errors - SuccessFactors to Active Directory User Provisioning

Hi,

I have encountered an error on the Azure provisioning agents: it is not able to create the user from SuccessFactors in Active Directory.

Audit logs error message :
Status reason / User 'XXXXXXXXXX' will be skipped. UpdateForUnconnectedEntry

Provisioning Logs error message :
Error code / SystemForCrossDomainIdentityManagementBulkOperationResponseError

Error message
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"System.InvalidOperationException\",\"Message\":\"Could not calculate the distinguished name\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":\" at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.CalculateDistinguishedName(DynamicResource payload)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator.ToAddRequest(Resource payload)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.CreateAsync(IActiveDirectoryEntryAccumulator processingContext, IBulkCreationOperationContext operationContext)\",\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":\"8\\nCalculateDistinguishedName\\nAADConnectProvisioningAgent.Runtime, Version=1.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\\nMicrosoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ScimToActiveDirectoryTranslator\\nSystem.String CalculateDistinguishedName(Microsoft.SystemForCrossDomainIdentityManagement.DynamicResource)\",\"HResult\":-2146233079,\"Source\":\"AADConnectProvisioningAgent.Runtime\",\"WatsonBuckets\":null}","SerializedExceptionType":"InvalidOperationException"}],"ErrorCode":null,"Message":null,"Version":0}. This operation was retried 4 times. It will be retried again after this date: 2021-10-25T06:02:02.4828335Z UTC


Hi

This may not be related, but we had the same error. In our case we did not receive the firstname, lastname, displayname from SuccessFactors. Look at the first step's details/info when doing on-demand provisioning and make sure you get all the details you expect to map into AD. This was due to permission issues on the SuccessFactors API user ID. Thus the account could not be created in AD.

Looking at the second error you posted, it is still not getting data it expects, or the AD provisioning agent has issues communicating with the DC. You will have to check the logs of the provisioning agent in Event Viewer and the usual AD logs to see if there is an issue with the agent and DC communications. In this case we found there were issues with our AD environment that we resolved first.

Hope this helps someone

Arno

ChrisPo-8007 answered ChetanDesai-4206 commented

Hi sikumars-msft,

Thanks for your prompt response.

However, I get another error after updating the "DisplayName" mapping field as you mentioned.

Error code / SystemForCrossDomainIdentityManagementBulkOperationResponseError
Error message :
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"Microsoft.ActiveDirectory.SynchronizationAgent.Contract.SerializableDirectoryOperationException\",\"Message\":\"A value in the request is invalid.\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":null,\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":null,\"HResult\":-2146233088,\"Source\":null,\"WatsonBuckets\":null,\"ResponseResultCode\":\"ConstraintViolation\",\"ResponseErrorMessage\":\"00000057: LdapErr: DSID-0C091027, comment: Error in attribute conversion operation, data 0, v3839\",\"SerializedException\":\"Details:\\r\\nType: System.DirectoryServices.Protocols.DirectoryOperationException\\r\\nA value in the request is invalid.\\r\\nStack trace:\\r\\n\\r\\nServer stack trace: \\r\\n at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\\r\\n at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)\\r\\n at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\\r\\n\\r\\nException rethrown at [0]: \\r\\n at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)\\r\\n at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)\\r\\n--- End of stack trace from previous location where exception was thrown ---\\r\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\r\\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\\r\\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.LdapConnectionExtensions.


@ChrisPo-8007 The above error usually occurs if some attribute from the source (in this case SuccessFactors) is empty and the provisioning service attempts to set an empty/null value in AD. See this link for guidance on how to handle this error: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/hr-user-creation-issues#creation-fails-due-to-null--empty-values

sikumars answered

Hello @ChrisPo-8007,

Thanks for reaching out.

This error, "Could not calculate the distinguished name", will affect accounts that have not been matched to existing objects in Active Directory. When the users enter the scope, the engine determines they don't have an identity on-premises and proceeds to send the request to create the new user in AD.

As a part of this process the DistinguishedName is calculated based on the CN and default OU you had defined when configuring the app.

Troubleshooting DistinguishedName calculation

Confirm the following details:

  • The default OU provided is valid.

  • The mapping configured for the cn attribute.

If the default OU is valid, it is necessary to determine the source attribute or logic used on the cn mapping. As of now the default mapping uses the displayname attribute from SuccessFactors:

143392-image.png

Many users do not populate the displayname attribute in SuccessFactors; instead, they rely on the firstname and lastname attributes. To avoid editing every single user in the source system, an alternative that can be used is changing this default mapping so that it uses the following expression:

Join(" ",[firstName],[lastName])

This is an example of how the mapping should be configured:

143353-image.png

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
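
A pre-flight check for the behaviour described in this answer, as an added example that is not part of the original thread and not Microsoft's code: it lists which source records would yield no cn, and therefore no distinguished name, under the default displayName mapping versus the Join expression. It assumes the DN has the form CN=<cn value>,<default OU>; the OU, the sample records, the use of personIdExternal as record key and the function names are constructed for illustration.

```python
import re

# Assumption: the default OU configured in the provisioning app (constructed value).
DEFAULT_OU = "OU=Employees,DC=contoso,DC=com"

# Constructed sample records; personIdExternal is used as the record key (assumption).
SAMPLE = [
    {"personIdExternal": "1001", "displayName": "Ana Ruiz", "firstName": "Ana", "lastName": "Ruiz"},
    {"personIdExternal": "1002", "displayName": "", "firstName": "Li", "lastName": "Wei"},
    {"personIdExternal": "1003", "displayName": None, "firstName": "Omar", "lastName": "Smith, Jr."},
    {"personIdExternal": "1004", "displayName": None, "firstName": None, "lastName": None},
]

_SPECIAL = re.compile(r'([,+"\\<>;])')  # characters RFC 4514 requires escaping


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    value = _SPECIAL.sub(r"\\\1", value.strip())
    return "\\" + value if value.startswith("#") else value


def cn_from_display_name(rec):
    """Default mapping described in the answer: cn <- displayName."""
    return (rec.get("displayName") or "").strip()


def cn_from_join(rec):
    """Stand-in for Join(" ",[firstName],[lastName]); dropping empty parts is an assumption."""
    parts = [(rec.get(k) or "").strip() for k in ("firstName", "lastName")]
    return " ".join(p for p in parts if p)


def preflight(records, cn_mapping, default_ou=DEFAULT_OU):
    """Return (dn_by_id, skipped_ids): who gets a DN and who has no usable cn."""
    dns, skipped = {}, []
    for rec in records:
        cn = cn_mapping(rec)
        if cn:
            dns[rec["personIdExternal"]] = f"CN={escape_rdn_value(cn)},{default_ou}"
        else:
            skipped.append(rec["personIdExternal"])
    return dns, skipped


if __name__ == "__main__":
    for name, mapping in (("displayName", cn_from_display_name), ("Join", cn_from_join)):
        dns, skipped = preflight(SAMPLE, mapping)
        print(f"{name}: {len(dns)} DN(s) computed, no cn for {skipped}")
```

Record 1004 stays skipped under both mappings, which is the case described earlier in the thread where no name attributes arrive from SuccessFactors at all.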

