
Provisioning Failures

Provisioning failures arise when IDHub is unable to successfully create or update user accounts in Active Directory.

Name in Password Error

One frequently encountered issue is a password policy violation related to the inclusion of user names in the generated password.

Error Message:

SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM)

Cause:

Active Directory enforces a strict password policy that disallows the inclusion of the user's first or last name within the password. If the generated password contains any part of the user's name, the provisioning request is rejected. The match is not case-sensitive: for example, if the account schema generates a password containing the substring "john" and the user's first or last name is "John" or "JOHN", the domain controller blocks the provisioning attempt.

Solution:

  • Update Password Schema: Update the default password schema in the AD connector's Account Schema to ensure that the user’s first and last names are not embedded in the password.
  • Compliance Check: Verify that the new schema complies with AD’s password policies to prevent future provisioning errors.
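
A pre-flight check for the compliance step above, as an added example (not IDHub's schema syntax or code): it applies the name rule as Microsoft documents it for the "Password must meet complexity requirements" setting, and draws a random password with no name-derived parts. The function names, the special-character set and the sample user are assumptions made for illustration.

```python
import re
import secrets
import string

# Delimiters AD uses to split displayName into tokens (per Microsoft's
# documentation of the complexity policy): , . - _ space # tab
_DELIMS = re.compile(r"[,.\-_ #\t]+")
_SPECIALS = "!@$%^*-_+="  # assumed subset of AD's accepted symbols

def name_tokens(sam_account_name, display_name):
    """Return the lower-cased strings a password must not contain."""
    tokens = set()
    # sAMAccountName is checked as a whole; skipped if shorter than 3 chars.
    if len(sam_account_name) >= 3:
        tokens.add(sam_account_name.lower())
    # displayName is split on delimiters; tokens shorter than 3 are ignored.
    for tok in _DELIMS.split(display_name):
        if len(tok) >= 3:
            tokens.add(tok.lower())
    return tokens

def name_violations(password, sam_account_name, display_name):
    """Sorted list of name tokens found in the password (case-insensitive)."""
    pw = password.lower()
    return sorted(t for t in name_tokens(sam_account_name, display_name) if t in pw)

def generate_password(sam_account_name, display_name, length=16):
    """Draw random candidates until one has 3+ character classes and no name token."""
    alphabet = string.ascii_letters + string.digits + _SPECIALS
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, _SPECIALS)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = sum(any(c in g for c in pw) for g in groups)
        if classes >= 3 and not name_violations(pw, sam_account_name, display_name):
            return pw

if __name__ == "__main__":
    # Constructed sample user and candidate passwords, not taken from the page.
    sam, display = "jsmith", "John Smith"
    for candidate in ("Welcome-JOHN-2024", "jo-Hn!Sm1th", "Xk7$JSmith#q"):
        print(candidate, name_violations(candidate, sam, display))
    print(generate_password(sam, display))
```

Minimum length, password history and any fine-grained password policy are still enforced by the domain controller and are not modelled here.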

Checking Provisioning Failures

To determine why a user provisioning operation failed, follow these steps in the IDHub User App:

  1. Navigate to Search within the User App module.
  2. Locate the user in question.
  3. Open the User Applications section.
  4. Sort by Provisioning Failed.
  5. Click the info (ℹ️) icon associated with the failed application to view detailed error information provided by Active Directory.

These steps allow you to quickly diagnose issues and correlate them with the troubleshooting guidelines provided above.