sudeshjaiswal
Saviynt Employee

Use Case

Creating a new service account task through the ADSI connector fails: the connector submits the create request, but the domain controller rejects it and the task is not completed.

Error:

2020-03-31 17:36:13,575 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Validating tasks for Securitysystem - ADSI Dev
2020-03-31 17:36:13,578 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - new account , accountName = testserviceaccount , taskType = 3
2020-03-31 17:36:13,580 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - account qry = Select acc from Accounts acc where acc.name =:name and acc.endpointkey.id = :endpoint and acc.status in ( 'Manually Provisioned' , '1')
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.SaviyntCommonUtilityService - Enter getProvLimitJSONMap
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.SaviyntCommonUtilityService - Exit getProvLimitJSONMap
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.SaviyntCommonUtilityService - ProvLimitJSONMap=[:]
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Task Type = 3 , total tasks = 1
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - tasktypeStr = NEWACCOUNT , provLimitStr = 5000
2020-03-31 17:36:13,583 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - tasktypeStr = NEWACCOUNT , provlimit = 5000
2020-03-31 17:36:13,585 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Calling createAccountADSI with Sec System - ADSI Dev and tasklist - [testserviceaccount:[com.saviynt.ecm.task.ArsTasks : 286582]]
2020-03-31 17:36:13,589 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - EndpointEntMap - [:]
2020-03-31 17:36:13,591 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - password policyRule: com.saviynt.ecm.policyrule.PolicyRule : 1
2020-03-31 17:36:13,591 [quartzScheduler_Worker-2] DEBUG rest.RestProvisioningService - Validating Password Policy and setting defaults...
2020-03-31 17:36:13,604 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - CreateAccount - Binding map is..[ServiceAccountOwnerMap:[ServiceAccountFlag:true, USEROWNERS:[ALL:[com.saviynt.ecm.identitywarehouse.domain.Users : 4], 1:[com.saviynt.ecm.identitywarehouse.domain.Users : 4], 2:[], 3:[], 4:[], 5:[]], USERGROUPOWNERS:[:], ServiceAccountType:service account],password:****,task:com.saviynt.ecm.task.ArsTasks : 286582,manager:com.saviynt.ecm.identitywarehouse.domain.Users : 1,user:com.saviynt.ecm.identitywarehouse.domain.Users : 1,account:testserviceaccount,managerAccount:null,]
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - debugEnabled = false
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - url : http://10.14.65.240:8090/api/v1/objects
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - httpHeaders : [Authorization:Basic c211bGFtQGRldnJjY2wuY29tOlJveWFsIzEyMw==, Content-Type:application/json]
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - httpMethod : POST
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - httpContentType : application/json
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - sslParams : null
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - proxyParams : null
2020-03-31 17:36:13,620 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - sslSocketFactory : null
2020-03-31 17:36:13,621 [quartzScheduler_Worker-2] DEBUG services.HttpClientUtilityService - getHttpClient - HttpClientBuilder.create().build() called.
2020-03-31 17:36:15,059 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - Error in API response : {
  "status": "Failure",
  "failedObjects": [
    {
      "id": "OU=Users,OU=SH,DC=DEVSH,DC=DEVRCCL,DC=COM",
      "status": "Failure",
      "message": "Failed to create object of given objectClasses",
      "messageCodes": "OBJ_ERR_00001",
      "errorDetails": "OBJ_ERR_00001 : -2147016651 : The server is unwilling to process the request. : 8009000D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n"
    }
  ],
  "connectionString": "LDAP://DEVADC202.DEVNA.DEVRCCL.COM:636"
}
2020-03-31 17:36:15,060 [quartzScheduler_Worker-2] DEBUG adsi.SaviyntGroovyADSIService - accountResponse : null
2020-03-31 17:36:15,063 [quartzScheduler_Worker-2] DEBUG services.ArsTaskService - Inside updateProvisioningTries..
 

Pre-requisites

N/A

Applicable Version(s)

All

Solution

  • Check the create account JSON.

CreateServiceAccountJSON:

{
  "objects": [
    {
      "objectClasses": [
        "msDS-GroupManagedServiceAccount",
        "user",
        "top",
        "Person",
        "OrganizationalPerson"
      ],
      "baseDn": "OU=Users,OU=SH,DC=DEVSH,DC=DEVRCCL,DC=COM",
      "password": "${password}",
      "attributes": {
        "sAMAccountName": "grp_En4",
        "cn": "grp_En4",
        "msDS-ManagedPasswordInterval": "10",
        "userAccountControl": 4096
      }
    }
  ]
}

The create was failing because of the "msDS-GroupManagedServiceAccount" object class: the domain controller refused the add with WILL_NOT_PERFORM (8009000D), which is the errorDetails value shown in the log above. That object class is not needed for the service account configuration currently used in production, so remove it from "objectClasses" and keep the remaining user object classes.
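As an added example (not part of the original article and not Saviynt connector code), a small Python lint for the CreateServiceAccountJSON: it flags the gMSA object class mixed with user classes, flags a literal password where the ${password} binding is expected, produces the corrected payload, and parses the AD error code out of the connector's errorDetails string. The payload is a constructed copy of the JSON above; dropping msDS-ManagedPasswordInterval together with the class is my assumption, since that attribute belongs to the gMSA object class.

```python
import copy
import re

# Constructed copy of the failing CreateServiceAccountJSON from the article.
FAILING_PAYLOAD = {
    "objects": [{
        "objectClasses": ["msDS-GroupManagedServiceAccount", "user", "top",
                          "Person", "OrganizationalPerson"],
        "baseDn": "OU=Users,OU=SH,DC=DEVSH,DC=DEVRCCL,DC=COM",
        "password": "${password}",
        "attributes": {"sAMAccountName": "grp_En4", "cn": "grp_En4",
                       "msDS-ManagedPasswordInterval": "10",
                       "userAccountControl": 4096},
    }]
}

GMSA_CLASS = "msDS-GroupManagedServiceAccount"
USER_CLASSES = {"user", "top", "Person", "OrganizationalPerson"}
# Assumption: this attribute only makes sense on a gMSA object, so it goes with the class.
GMSA_ONLY_ATTRS = {"msDS-ManagedPasswordInterval"}
# errorDetails format seen in the ADSI response, e.g.
# "... : 8009000D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0"
AD_ERR = re.compile(r"(?P<code>[0-9A-F]{8}): SvcErr: DSID-(?P<dsid>[0-9A-F]+), "
                    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\)")

def lint_payload(payload):
    """Return a list of problems; an empty list means the JSON is safe to send."""
    issues = []
    for i, obj in enumerate(payload.get("objects", [])):
        classes = set(obj.get("objectClasses", []))
        if GMSA_CLASS in classes and classes & USER_CLASSES:
            issues.append(f"objects[{i}]: {GMSA_CLASS} mixed with user classes; "
                          "AD rejects this with WILL_NOT_PERFORM")
        if obj.get("password") not in (None, "${password}"):
            issues.append(f"objects[{i}]: literal password in JSON; use the ${{password}} binding")
    return issues

def fix_payload(payload):
    """Drop the gMSA class (and its attribute) so the account is created as a plain user."""
    fixed = copy.deepcopy(payload)
    for obj in fixed["objects"]:
        obj["objectClasses"] = [c for c in obj["objectClasses"] if c != GMSA_CLASS]
        for attr in GMSA_ONLY_ATTRS:
            obj["attributes"].pop(attr, None)
    return fixed

def parse_ad_error(error_details):
    """Pull the AD error code, DSID and problem name out of an errorDetails string."""
    m = AD_ERR.search(error_details)
    return m.groupdict() if m else None
```

Run lint_payload on the connector JSON before saving it on the security system; a non-empty result means the create will be rejected before it ever reaches the domain controller.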

 


References

https://docs.saviyntcloud.com/bundle/ADSI-v2020x/page/Content/Configuring-the-Integration-for-Provis... 

Version history
Last update: 03/30/2023 12:19 PM