AnsweredAssumed Answered

CR Verification not working

Question asked by Julian Di Pietrantonio on Mar 23, 2017
Latest reply on Mar 31, 2017 by Olivier Cheron

Like • Show 0 Likes0
Comment • 16

I'm trying to synchronize my AD server with my RSA L&G and i generate the change request from the UI. This CR is approved, the fulfillment is done but the changes are not verified. We run a collection from the AD Directory but the CR is not verified despite of having the same value on both sides.

Here are the screenshots of the operations. The Change Request:

The Raw Data:

The Attributes in AD Server:

We are using a RSA Lifecycle and Governance 7.0.0.93958. Any ideas on what could be happening?

No one else has this question

Outcomes

16 Replies

Boris Lekumovich Mar 23, 2017 7:33 PM
Mark Correct
Correct Answer
To verify the CR, did you run the Identity collector or account collector?

Can you add a screenshot of the raw data for that specific record with the table column names?
Also a screenshot of the the fulfillment workflow during run time will be helpful.
Like • Show 0 Likes0
Actions
- Julian Di Pietrantonio @ Boris Lekumovich on Mar 27, 2017 9:23 AM
  Mark Correct
  Correct Answer
  We run both but the CR still needs verification, by the way, which one we should run to do the verification?
  
  Here is the raw data:
  And here the workflow:
  Like • Show 0 Likes0
  Actions
  - Marco Sannino @ Julian Di Pietrantonio on Mar 27, 2017 11:46 AM
    Mark Correct
    Correct Answer
    May you attach the AFX Logs?
    Like • Show 0 Likes0
    Actions
    - Julian Di Pietrantonio @ Marco Sannino on Mar 27, 2017 1:33 PM
      Mark Correct
      Correct Answer
      Where is the log that you need?
      Like • Show 0 Likes0
      Actions
      - Marco Sannino @ Julian Di Pietrantonio on Mar 27, 2017 2:33 PM
        Mark Correct
        Correct Answer
        In the 1st screenshot you posted under Email Logs you can See AFX Logs. If there was an afx error, Default AFX FF does not handle errors very well.
        Like • Show 0 Likes0
        Actions
        Julian Di Pietrantonio @ Marco Sannino on Mar 27, 2017 2:54 PM
        Mark Correct
        Correct Answer
        This logs?
        Like • Show 0 Likes0
        Actions
        Marco Sannino @ Julian Di Pietrantonio on Mar 27, 2017 3:05 PM
        Mark Correct
        Correct Answer
        Yes these logs... could you attach the time referring to that request?
        Like • Show 0 Likes0
        Actions
        Julian Di Pietrantonio @ Marco Sannino on Mar 27, 2017 4:33 PM
        Mark Correct
        Correct Answer
        Sorry, i lost my CR so i did again the same test with the same result.
        Attached are the screenshots for this new test:
        The CR:
        The Raw Data:
        The User in AD:
        the Workflow:
        and the AFX logs:
        Like • Show 0 Likes0
        Actions
        Boris Lekumovich @ Julian Di Pietrantonio on Mar 27, 2017 5:35 PM
        Mark Correct
        Correct Answer
        You need to run the account collector.
        Can you share a screenshot from the account collector raw data?
        Like • Show 0 Likes0
        Actions
        Julian Di Pietrantonio @ Boris Lekumovich on Mar 28, 2017 4:09 PM
        Mark Correct
        Correct Answer
        Here is the raw data of the account collection where we can see the department and title values
        and i also get this error in the Admin tab
        Like • Show 0 Likes0
        Actions
        Olivier Cheron @ Julian Di Pietrantonio on Mar 30, 2017 4:43 AM
        Mark Correct
        Correct Answer
        In the change request CN=Carlos Perez and the collection CN=Juan Carlos.
        Is this really the same account?
        This scenario can't work if accounts are identified differently in AFX and the collector.
        Like • Show 1 Like1
        Actions
        Julian Di Pietrantonio @ Olivier Cheron on Mar 30, 2017 2:42 PM
        Mark Correct
        Correct Answer
        Oliver, i send on my last post a fresh new test with a new user "Juan Carlos" in order to recreate the exact same case so just ignore the first examples, only the Juan Carlos's test are valid ones.
        
        Here is the User Juan Carlos with his Account
        Like • Show 0 Likes0
        Actions
        Olivier Cheron @ Julian Di Pietrantonio on Mar 31, 2017 3:38 AM
        Mark Correct
        Correct Answer
        OK but in that case what is immediately obvious is that this user has two AD Storm accounts instead of just one.
        The DN is probably normalized differently or there is a non-breaking space between "Juan" and "Carlos" in one instance. You should first check the reason for that and make sure the Change Request and the collected data match exactly.
        Like • Show 0 Likes0
        Actions
Olivier Cheron Mar 28, 2017 3:32 AM
Mark Correct
Correct Answer
In your change request, the column "User" in "Account Changes" is empty.
This does not look good. Have you installed all 7.0.0 patches?
Like • Show 0 Likes0
Actions
- Julian Di Pietrantonio @ Olivier Cheron on Mar 28, 2017 4:11 PM
  Mark Correct
  Correct Answer
  I have installed the 7.0.0.93958 version.
  I'm not very sure which patch is supposed to be installed, can you help me getting this information?
  Like • Show 0 Likes0
  Actions
  - Olivier Cheron @ Julian Di Pietrantonio on Mar 30, 2017 4:46 AM
    Mark Correct
    Correct Answer
    The latest patch for 7.0.0 is P05:
    https://community.rsa.com/community/products/governance-and-lifecycle/70
    Like • Show 0 Likes0
    Actions

CR Verification not working

Outcomes

Related Content

Recommended Content