Caught Exception at Azure AD Driver Initialization

Identity Manager Azure Active Directory Driver - Caught Exception during Initialization


Situation


The following error is received when attempting to start the Azure AD driver.

DirXML: [11/30/18 11:46:33.46]: TRACE:  Azure AD_Azure: RESTSubscriptionShim.init()
DirXML: [11/30/18 11:46:33.46]: TRACE:  Azure AD: Caught exception during REST Channels initialization.
DirXML: [11/30/18 11:46:33.46]: TRACE:  Remote Loader: PublicationShim.init() returned:
DirXML: [11/30/18 11:46:33.46]: TRACE:  <nds dtdversion="4.x" ndsversion="8.x">
    <source>
        <product build="20171120_1044" instance="Azure AD" version="5.0.1.2">Identity Manager Driver for Azure AD and Office 365</product>
        <contact>NetIQ Corporation</contact>
    </source>
    <output>
        <status level="fatal" type="com.novell.nds.dirxml.driver.azure.StatusException"/>
    </output>
</nds>
DirXML: [11/30/18 11:46:33.46]: 
DirXML Log Event -------------------
    Driver  = \VAULT\novell\services\DriverSet\Azure AD
    Thread  = Publisher
    Level   = fatal
DirXML: [11/30/18 11:46:33.46]: 
DirXML Log Event -------------------
    Driver  = \VAULT\novell\services\DriverSet\Azure AD
    Thread  = Subscriber
    Level   = error
    Message = Fatal error returned from shim

Environment


  • Identity Manager Driver - Azure Active Directory version 5.0.1.2
  • Identity Manager 4.8.0


Resolution


The Application User password being used by the Identity Manager Azure Active Directory driver to authenticate into Azure Active Directory contained a special character in the password.   In this case a < character.


After removing the special character from the password, and saving the new application password for the application user on the driver properties, the driver was able to start successfully.

Active Directory to Identity Vault Group Synchronization is Limited to 5000 Members

Situation

Active Directory Groups that contain more than 5000 members cannot be published / synchronized to Identity Vault via Identity Manager's Active Directory Driver. They are truncated to 5000 members during the Publisher Channel polling cycle.

However, migrating the Group into the Identity Vault will temporarily sync up the member lists but any subsequent modification of the group in Active Directory will cause the group to again be truncated to 5000 members in the Identity Vault.

Search:  Users members being lost from large groups 


Environment

  • Novell Identity Manager 4.8
  • Novell Identity Manager Driver- Active Directory Driver


Resolution

Under the Driver Parameters > Advanced Options, set Enable DirSync Incremental Values to Yes.   This allows the driver to query and synchronize only modified users in the group (users being added or removed from the group) instead of the whole group. 


Additional Information

This issue occurs due to a limitation in Microsoft's DirSync API. Microsoft Active Directory limits the number of values returned in response to DirSync LDAP queries to 5000 values. This is an Active Directory hard limit and is not dependent on the MaxValRange parameter of the Domain Controller's LDAP Policy (see ntdsutil.exe)


For Active Directory whose Forest and domain are operating at or after "Windows Server 2003" domain functional levels, implementation of the DIRSYNC_LDAP_INCREMENTAL_VALUES control resolves this issue. This control was implemented since Identity Manager 3.5 Active Directory Driver Patch 1 - 20070601, now replaced by the Identity Manager 3.5.1 or later downloads.


The Incremental Values server control allows the Active Directory driver to ask for (and receive) only changed values of an attribute such as the member attribute on a group object preventing the need to continually sync the entire member list and hit the 5000 value DirSync limitation.


This parameter is already included in current versions of the Active Directory driver configuration (3.6 and higher)


<definition display-name="Enable DirSync Incremental Values" hide="false" id="115" name="enable-incremental-values" type="enum">

<description>Ordinarily the publisher will receive all member values of a group when one or more has changed. This option reports only the added or deleted member values during the poll interval. Requires 2003 Forest functional mode.</description>

<enum-choice display-name="Yes">yes</enum-choice>

<enum-choice display-name="No">no</enum-choice>

<value>yes</value>

</definition>

G-Suite IDM Driver v4.2 - Google API Quotas

 Google API Quotas


With the transition from the old Provisioning API to the Directory API via the Admin SDK, Google has introduced and exposed quotas on the various interfaces used by the G-Suite IDM Driver. Some people are seeing quota issues with their driver. This document details how to view your quotas, current usage levels, and how to request more quota from Google, should you need it.

Should you exceed your quota, your G-Suite driver will report this case to the trace log file and shutdown.


Managing Quotas


Your API quotas and current usage can be viewed at any time from your developer’s console: https://console.developers.google.com

Please note that Google can and does change their policies and web interfaces at any time without warning. The information provided here may no longer be correct or current, though we will attempt to keep it up to date.

TIP: Log in with the account used to create the project in the first place.

Select the project which created the credential used by the Google Driver. The overview will give you a snapshot of your usage overall.



From the APIs & Auth section, select APIs, then select Enabled APIs.


Select the Admin SDK. This API provides all services for the driver with the exception of Group Settings and Domain Shared Contacts. Selecting Usage will allow you to see a usage summary over time.


Select "Quotas" to see your current quotas and current remaining quota.




If you have exceeded your quota for requests per day, click the highlighted link to create a request to Google for more daily quota.

You can also go to this URL to directly access the Quota request form for the Admin SDK: https://support.google.com/code/contact/admin_sdk_quota

Clicking the "Change" button allows you to change your per-user limit of 15 requests per user per second, though it is unlikely that the driver will ever exceed this threshold.

For more information on the Admin SDK and quota limits, please see this Google documentation: https://developers.google.com/admin-sdk/directory/v1/limits

G-Suite IDM Driver v4.2 - Common Driver issues

 Common G-Suite Driver Issues



Issue Example and Notes
User Placement. Do not use a leading "\" to place users or Organization Units.

To place a user in the root container, the dest-dn should only contain the Username. If you are placing a user in the G-Suite Sales\Marketing container your dest-dn should look like:


<add class-name="User" dest-dn="Sales\Marketing\ ddare"/>

Organization Units use the same format for dest-dn.


Group Placement: Do not use a placement rule on groups as Google does not support placing groups in organizations.

Groups are not kept in a hierarchical structure. Placement is not relevant to group objects.

Unique naming: It is important that Nicknames, Group names and usernames be unique in the G Suite domain.


When developing a matching rule be sure to check for nicknames and usernames to ensure proper matching. 
Further, naming must be unique across all Google Organization units. 
It is not legal to have Sales\Marketing\myname and Engineering\myname since myname needs to be unique across the domain.


Driver Unable to Start

  1. Are the driver jar files installed and eDirectory restarted?
  1. Have you created the admin account in Google and logged into the web interface at least once?
  1. Examine a level 3 or higher trace log of the driver start up for errors.

Driver Exceeds Quota on requests to specific services.

Google has specific default quotas defined for the various services the driver uses. The quotas limit the total number of requests allowed in a given 24 hour period. 


Once these quotas are exceeded the driver will receive an HTTP 403: Forbidden error. 
Token Response Exception when using Gmail Settings Attributes


The trace will show something like this: 


DirXML Log Event -------------------
Driver: \GLOBAL-DOMINATION\system\driverset1\Google Apps
Status: Fatal
Message: <description>com.google.api.client.auth.oauth2.TokenResponseException: 401 Unauthorized</description>
<exception class-name="com.google.api.client.auth.oauth2.TokenResponseException">
<message>401 Unauthorized</message>
</exception>


This error is due to not authorizing the new Gmail scopes within the Security section of your G Suite domain. Please refer to the following guide to reset the authorized scopes for the service account.
Micro Focus Identity Manager Driver 4.8 : G-Suite Driver v4.2 - OAuth Update


GoogleJsonResponseException error 403 forbidden when accessing Gmail Settings attributes

The trace will show something like this: 


<status level="retry" type="app-connection">
<description>IOException: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "usageLimits",
"message" : "Access Not Configured. Gmail API has not been used in project 1233 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=1233 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.", 

"reason" : "accessNotConfigured".

The Gmail API has not been enabled for your G Suite domain. Enable it in your service account's developers console project. 


G-Suite IDM Driver v4.2 - OAuth Update

Updating OAuth Authorizations for the 4.1.3.x release and later


The G Suite IDM connector (Google Driver) release version 4.2 requires updates to the authorized OAuth Scopes and enabled APIs for your service account to work properly.

Authorized Scope List


This is the complete authorized scope list as of this release:-


https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.orgunit
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.user.alias
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/admin.directory.userschema
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email
http://www.google.com/m8/feeds
https://www.googleapis.com/auth/contacts.readonly
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.rolemanagement
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/gmail.labels

Deprecation for IDM Driver for Office365

Deprecation and migration plan for NetIQ Identity Manager Driver for Office 365


Micro Focus is deprecating the Office 365 driver for NetIQ Identity Manager. This driver has been superseded by the Azure AD driver, which is available at no extra cost to all Office 365 driver customers.

The Office 365 driver was developed at a time when Microsoft did not offer a comprehensive set of APIs to access Office 365. As the Azure platform evolved, Microsoft updated its API set to provide efficient and secure access to the platform. In response, Micro Focus developed the Azure Active Directory Driver: a faster, more scalable, and more secure driver that supports both Azure AD and Office 365.

Micro Focus have continued to support the older Office 365 driver to allow customers sufficient time for migration to the new Azure AD driver. However, Microsoft has announced that they are deprecating some of the underlying technology, which will make the driver non-functional in some scenarios.

As a result, Micro Focus are urging all Office 365 driver customers to migrate to the new Azure AD driver as soon as possible.

Micro Focus Named an Overall Leader in 2020 KuppingerCole Leadership Compass for IGA

Micro Focus Named an Overall Leader in 2020 KuppingerCole Leadership Compass for Identity Governance & Administration




Micro Focus has been named once again as an Overall Leader in the KuppingerCole Leadership Compass for Identity Governance and Administration. KuppingerCole has named Micro Focus a Leader in the categories of Product, Innovation, and Market, as well as an Overall Leader for its NetIQ Identity Governance and Administration offering.