Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
No ratings

AD Import Failures due to timeout issues

davindersingh
Saviynt Employee
Saviynt Employee

‎12/20/2022 12:06 PM - edited ‎01/12/2023 12:29 PM

Symptoms

AD Import failure due to system errors like Deadlock, timeouts causes accounts to be Suspended. Because of connection timeout the import inferences number of accounts that are received from AD is way less than the # of total actual accounts.
This causes currently active accounts marked Deleted and in next successful Import a new entry is made in accounts and account_entitlements1 table.

Diagnosis

For applications using OOB configuration under Endpoint this will cause accounts to be appearing as Out of Band (since arstaskkey under account_entitlements1 resets to NULL due to new entry) in reports which becomes a False Positive case.

Solution

During accounts import FULL, the job needs to be terminated with no action and respond as Connection timeout error on SAVRESPONSE, we need to include a configuration under connection> IMPORTJSON defined as:
{ 'envproperties' : {
'com.sun.jndi.ldap.connect.timeout': '10000',
'com.sun.jndi.ldap.read.timeout': '50000' } }

Additionally, You can configure a High-Availability Connection as described below, more details on https://docs.saviyntcloud.com/bundle/AD-v2021x/page/Content/Preparing-for-Integration.htm

You can configure a high-availability connection to Active Directory. To support high-availability, the connector uses the domain controller (DC) locator process to locate an active domain controller. To leverage static domain controller locater feature, specify URLs of domain controllers as comma-separated values in the URL connection parameter of EIC. If the first DC is not active, EIC checks for the next available DC in the list. If the DC is active, EIC uses it for connecting to Active Directory. For more information, see DC Locator

Example: LDAPS://winServerDC01.abc.mycompany.com:636,LDAPS://winServerDC02.abc.mycompany.com:636,LDAPS://winServerDC03.abc.mycompany.com:636

Alternatively, use the Win-PS connector for dynamically discovering domain controllers. For more information, see the Win-PS Connector Guide.

There will be default time out settings added in all connectors out of the box in near future.

The new configurations have also been introduced in the latest versions (SP3.15 and v2022.0.2 onwards). 

List of connectionTimeoutConfig attributes:
1. connectionTimeout- Connection timeout in seconds for import and provisioning
2. readTimeout- Read timeout in seconds for import
3. writeTimeout- Read timeout in seconds for import for provisioning
4. retryWait - Initial time in seconds the connector will wait before retrying for import
5. retryCount- Maximum number of retries before failing the network call for import

Sample Json:

{
"connectionTimeoutConfig": {
"connectionTimeout": 10,
"readTimeout": 50,
"writeTimeout": 50,
"retryWait": 2,
"retryCount": 3
}
}

Version history
Last update:
‎01/12/2023 12:29 PM
Updated by:
Saviynt Employee
Contributors
Copyright © 2024 Khoros, LLC