sudeshjaiswal
Saviynt Employee

Use Case

Creating a service account through the ADSI connector fails with an error when the user submits a new service account task.

 

Error:

2020-03-31 17:36:13,575 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Validating tasks for Securitysystem - ADSI Dev

2020-03-31 17:36:13,578 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - new account , accountName = testserviceaccount , taskType = 3
2020-03-31 17:36:13,580 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - account qry = Select acc from Accounts acc where acc.name =:name and acc.endpointkey.id = :endpoint and acc.status in ( 'Manually Provisioned' , '1')
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.SaviyntCommonUtilityService - Enter getProvLimitJSONMap
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.SaviyntCommonUtilityService - Exit getProvLimitJSONMap
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.SaviyntCommonUtilityService - ProvLimitJSONMap=[:]
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Task Type = 3 , total tasks = 1
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - tasktypeStr = NEWACCOUNT , provLimitStr = 5000
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - tasktypeStr = NEWACCOUNT , provlimit = 5000
2020-03-31 17:36:13,585 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Calling createAccountADSI with Sec System - ADSI Dev and tasklist - [testserviceaccount:[com.saviynt.ecm.task.ArsTasks : 286582]]
2020-03-31 17:36:13,589 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - EndpointEntMap - [:]
2020-03-31 17:36:13,591 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - password policyRule: com.saviynt.ecm.policyrule.PolicyRule : 1
2020-03-31 17:36:13,591 [quartzScheduler_Worker-2] DEBUG rest.RestProvisioningService - Validating Password Policy and setting defaults...
2020-03-31 17:36:13,604 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - CreateAccount - Binding map is..[ServiceAccountOwnerMap:[ServiceAccountFlag:true, USEROWNERS:[ALL:[com.saviynt.ecm.identitywarehouse.domain.Users : 4], 1:[com.saviynt.ecm.identitywarehouse.domain.Users : 4], 2:[], 3:[], 4:[], 5:[]], USERGROUPOWNERS:[:], ServiceAccountType:service account],password:****,task:com.saviynt.ecm.task.ArsTasks : 286582,manager:com.saviynt.ecm.identitywarehouse.domain.Users : 1,user:com.saviynt.ecm.identitywarehouse.domain.Users : 1,account:testserviceaccount,managerAccount:null,]
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - debugEnabled = false
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - url : http://xx.xx.xx.xxx:xxxx/api/v1/objects
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - httpHeaders : [Authorization:Basic xxxxxxxxxxxxx==, Content-Type:application/json]
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - httpMethod : POST
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - httpContentType : application/json
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - sslParams : null
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - proxyParams : null
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - sslSocketFactory : null
2020-03-31 17:36:13,621 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - HttpClientBuilder.create().build() called.
2020-03-31 17:36:15,059 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - Error in API response : {
  "status": "Failure",
  "failedObjects": [
    {
      "id": "OU=Users,OU=SH,DC=DEVSH,DC=xxxxxxxx,DC=COM",
      "status": "Failure",
      "message": "Failed to create object of given objectClasses",
      "messageCodes": "OBJ_ERR_00001",
      "errorDetails": "OBJ_ERR_00001 : -2147016651 : The server is unwilling to process the request. : 8009000D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n"
    }
  ],
  "connectionString": "LDAP://xxxxxx.xxxxx.xxxxxxxx.COM:636"
}
2020-03-31 17:36:15,060 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - accountResponse : null
2020-03-31 17:36:15,063 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Inside updateProvisioningTries..
 

Pre-requisites

 

N/A
 

Applicable Version(s)

All
 
 

Solution

  • Check the create account JSON. 

CreateServiceAccountJSON:

{
  "objects": [
    {
      "objectClasses": [
        "msDS-GroupManagedServiceAccount",
        "user",
        "top",
        "Person",
        "OrganizationalPerson"
      ],
      "baseDn": "OU=Users,OU=SH,DC=DEVSH,DC=xxxxxxxx,DC=COM",
      "password": "${password}",
      "attributes": {
        "sAMAccountName": "grp_En4",
        "cn": "grp_En4",
        "msDS-ManagedPasswordInterval": "10",
        "userAccountControl": 4096
      }
    }
  ]
}

It was failing because of the "msDS-GroupManagedServiceAccount" object class. We don't need that object class as per our current Service Account Configuration in production.
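
A triage helper for this failure, added here as an example and not part of Saviynt's product or documentation: it decodes the errorDetails string from the ADSI response and lists the object classes in the create-account JSON that fall outside an allow-list. The function names, EXPECTED_CLASSES and both embedded samples are assumptions constructed from the log and JSON shown on this page.

```python
import json
import re

# Constructed sample: failure body from the log above, reduced to the fields used.
SAMPLE_RESPONSE = json.dumps({"status": "Failure", "failedObjects": [{
    "id": "OU=Users,OU=SH,DC=DEVSH,DC=xxxxxxxx,DC=COM",
    "messageCodes": "OBJ_ERR_00001",
    "errorDetails": "OBJ_ERR_00001 : -2147016651 : The server is unwilling to "
                    "process the request. : 8009000D: SvcErr: DSID-031A12D2, "
                    "problem 5003 (WILL_NOT_PERFORM), data 0\n"}]})

# Constructed sample: the CreateServiceAccountJSON from this page, attributes omitted.
SAMPLE_TEMPLATE = json.dumps({"objects": [{
    "objectClasses": ["msDS-GroupManagedServiceAccount", "user", "top",
                      "Person", "OrganizationalPerson"],
    "baseDn": "OU=Users,OU=SH,DC=DEVSH,DC=xxxxxxxx,DC=COM",
    "password": "${password}"}]})

# Assumption: object classes a plain user-type service account should carry.
EXPECTED_CLASSES = {"top", "person", "organizationalperson", "user"}


def decode_error(details):
    """Split errorDetails into HRESULT, Win32 code and LDAP problem name."""
    code = re.search(r":\s*(-?\d+)\s*:", details)
    problem = re.search(r"problem \d+ \((\w+)\)", details)
    # The log shows the HRESULT as a signed 32-bit decimal; make it unsigned.
    hresult = int(code.group(1)) & 0xFFFFFFFF if code else None
    return {
        "hresult": None if hresult is None else f"0x{hresult:08X}",
        # Low 16 bits hold the Win32 code; 8245 is ERROR_DS_UNWILLING_TO_PERFORM.
        "win32": None if hresult is None else hresult & 0xFFFF,
        "ldap_problem": problem.group(1) if problem else None,
    }


def unexpected_classes(create_json):
    """List objectClasses in the template that are outside EXPECTED_CLASSES."""
    return [c for obj in json.loads(create_json).get("objects", [])
            for c in obj.get("objectClasses", [])
            if c.lower() not in EXPECTED_CLASSES]


def triage(response_json, create_json):
    """Pair each decoded directory error with the template's suspect classes."""
    failed = json.loads(response_json).get("failedObjects", [])
    return {"failures": [decode_error(o.get("errorDetails", "")) for o in failed],
            "unexpected": unexpected_classes(create_json)}


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE, SAMPLE_TEMPLATE))
```
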

 


References

https://docs.saviyntcloud.com/bundle/ADSI-v2020x/page/Content/Configuring-the-Integration-for-Provis... 

Version history
Last update: 04/04/2024 09:15 AM