Respected Contributor.

AzureAD Driver IDM 4.7 Roles query fails, status 400


NetiQ IDM 4.7.2
NetIQ Identity Manager Driver for Azure AD and Office365
product version="5.1.0.0"


When starting the AzureAD driver, the driver fails to start with a "fatal" error.

We are getting the following error when the shim tries to query "Roles" with IDMExchangeOnlineService, which returns 400:


DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD: Sending command document to subscriber
DirXML: [06/14/19 15:30:53.19]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="directoryRoles" command="query">
<request method="GET">
<url-token api-version="?api-version=1.6"/>
<header/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: sub-execute
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPI Extension.modifySubscriberRequest()
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: queryHandler
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: queryHandler: class-name == 'directoryRoles'
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Query: preparing GET to https://graph.windows.net/cloudforfu...pi-version=1.6
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Resetting headers
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Setting the following HTTP request properties:
Authorization:
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Content-Type:application/xml
DirXML: [06/14/19 15:30:53.20]: TRACE: Azure AD_Azure: OAuth2: Token is valid.
DirXML: [06/14/19 15:30:53.20]: TRACE: Azure AD_Azure: OAuth2: Token is valid.
DirXML: [06/14/19 15:30:53.20]: TRACE: Azure AD_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/cloudforfu...pi-version=1.6
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD_Azure: Response code and message: 200 OK
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPI Extension.modifySubscriberResponse()
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD: Received response document from subscriber
DirXML: [06/14/19 15:30:53.31]: TRACE:
<source>
<product build="20180222_0635" version="1.0.0.2">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="directoryRoles" command="query" dest-dn="">
<response method="GET">
<url-token api-version="?api-version=1.6"/>
<header/>
<value message="OK" status="200">{[{SOME_VALID_JSON_BACK_FROM_AZURE_AD}]}</value>
</response>
</driver-operation-data>
</status>
</output>
</nds>



[06/14/19 15:30:53.35]: TRACE: Azure AD: Sending command document to subscriber
DirXML: [06/14/19 15:30:53.35]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Roles" command="query">
<request method="GET">
<url-token/>
<header/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [06/14/19 15:30:53.35]: TRACE: Azure AD_Exchange: sub-execute
DirXML: [06/14/19 15:30:53.35]: TRACE: Azure AD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.Exchange APIExtension.modifySubscriberRequest()
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: queryHandler
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: queryHandler: class-name == 'Roles'
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Query: preparing GET to https://RLSERVER:2313/ExchServer/clo...soft.com/Roles
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Resetting headers
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Setting the following HTTP request properties:
Authorization:
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Content-Type:application/xml
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Did a HTTP GET with 0 bytes of data to https://RLSERVER:2313/ExchServer/clo...soft.com/Roles
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD_Exchange: Response code and message: 400 Bad Request
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.Exchange APIExtension.modifySubscriberResponse()
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD: Received response document from subscriber
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD: Caught exception during REST Channels initialization.
DirXML: [06/14/19 15:30:53.37]: TRACE: Remote Loader: PublicationShim.init() returned:
DirXML: [06/14/19 15:30:53.38]: 
DirXML Log Event -------------------
Driver = \IDM\DriverSet\Azure AD
Thread = Subscriber
Level = error
Message = Fatal error returned from shim



1) Why is it querying "Roles"? Is it AzureAD Application Roles or UserApp Roles?

2) Why does it end up with a 400 error?

Accepted Solutions

Micro Focus Contributor

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

I've been following this post; has there been a resolution?


Honored Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

v5.1.1.0 was released at the end of May... tried giving that a go?

https://dl.netiq.com/Download?buildid=apKeh7RfSc4~


It appears the driver utilises Microsoft GraphAPI for Exchange. As Microsoft is always changing the API, and as a result buggering up referencing applications (i.e. Teams, etc), the patch may account for the changes.

_____________
Bernard: "Of course, in the service, CMG stands for Call Me God. And KCMG for Kindly Call Me God."
Hacker: "What about GCMG?"
Bernard: "God Calls Me God."
Respected Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

I actually tried it; it did not work. I was just thinking how to enable more trace on the IDMExchangeService so we can see the actual error. It looks like a very typical WCF web service in .NET, so enabling WCF trace should reveal the actual error.
Knowledge Partner

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

I would be interested in how to enable WCF trace if you can explain it.

Knowledge Partner

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

So an HTTP 400 response is Bad Request. I need to find the trace samples I have of that working and see how it differs from yours, but no time right now.

Second, glad to see you made it over to the new site.

Third, the Roles are the Azure Roles. This is like Exchange Administrator and so on. Not super useful, since your Azure folk will NOT want to let you manage their permissions easily. So yes, you can turn it off in the GCVs, which is the implied question I saw in your actual question. 🙂

Respected Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

@geoffc all the AzureAD and Exchange is managed by the IAM team here, my team :), so we don't have any other Exchange administrators or any other IT ruling on us on the IAM part of the solutions.

I have turned off all the GCVs for the Roles on the Azure AD driver, but it is still doing the "Roles" query. I am again a bit curious: even if it does the "Query" I don't mind, but why is it getting a 400 error back?

400 errors are typically client-side errors, so something is not correct in the way the "driver shim" queries the IDMExchangeOnlineService for the "Roles Query",

or it could be "programmed" so badly that the developer chose to return error 400 from IDMExchangeServiceOnline in case the developer could not establish or enable a PowerShell connection to ExchangeOnline.

How do I catch the "PowerShell" related errors from the IDMExchange service?

Surprisingly enough, if I disable the IDMExchangeOnline Service from the driver configuration, the driver just works perfectly, so it must be to do with the ExchangeOnline integration and PowerShell (which I refer to as powerHELL).

I only need to enable the PowerShell service in order to cache the "Deleted users"; I don't need it for other stuff.


Knowledge Partner

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

The query, I THINK, is coming from the Code Map Refresh. After you changed the GCV, make sure your EntitlementConfiguration object does not reference the Azure Role Entitlement object in the XML.

As for the 400, I think I agree with Ben, but you say you tried the latest version. Hmm...

You know... Now that you say that, I wonder. The PowerShell service in the Azure driver is actually a REST web service: the IDM driver makes a REST call to the PowerShell service, which converts it into PowerShell in its context.

In fact, you can see it in the trace as follows. Query 1 is against Graph:

DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Query: preparing GET to https://graph.windows.net/cloudforfu...pi-version=1.6

Notice the trace name, Azure AD_Azure, and the URL is the MS end.

Query 2:

DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: queryHandler: class-name == 'Roles'
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Query: preparing GET to https://RLSERVER:2313/ExchServer/clo...soft.com/Roles

So it is the Azure AD_Exchange thread, and it is pointing to your Exchange service. Can you hit that URL without error?

Respected Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

@geoffc yes, I can hit the Exchange service from the browser:

https://RLSERVER:2313/ExchServer/clo...soft.com/Roles

I have removed the "Roles" Entitlement from the GCV but the shim still behaves the same.

Does anyone at NetIQ know how to enable "IDMExchange" Service extended debugging in the service itself? It looks to me like a standard WCF service built in .NET.


Honored Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

I would be tempted to drop SoapUI on the Remote Loader machine, then just try accessing the REST interface (authenticating as the same driver user)... see if you can get some more info that way.

If that does work and you see no errors, I would try running the RL service as the same authenticating account. I have had issues in the past where the service in the "Local System" account session couldn't really do much.

_____________
Bernard: "Of course, in the service, CMG stands for Call Me God. And KCMG for Kindly Call Me God."
Hacker: "What about GCMG?"
Bernard: "God Calls Me God."
Knowledge Partner

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

Hi Maqsood,

What trace level do you have on the RemoteLoader side?

You can try to increase the trace level to 10. Maybe it will show more "internal" information.

Respected Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

@al_b

Actually it did not help a lot; here is with trace 10 on RL:

ML: [06/21/19 15:45:08.56]: TRACE:
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD: Sending command document to subscriber
<source>
<product version="5.1.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Roles" command="query">
<request method="GET">
<url-token/>
<header/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: sub-execute
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: queryHandler
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: queryHandler: class-name == 'Roles'
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: Query: preparing GET to https://localhost:2313/ExchServer/cloudforfun.onmicrosoft.com.onmicrosoft.com/Roles
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: Resetting headers
DirXML: [06/21/19 15:45:08.56]: TRACE: Azure AD_Exchange: Setting the following HTTP request properties:
Authorization:
DirXML: [06/21/19 15:45:08.57]: TRACE: Azure AD_Exchange: Content-Type:application/xml
DirXML: [06/21/19 15:45:08.57]: TRACE: Azure AD_Exchange: Did a HTTP GET with 0 bytes of data to https://localhost:2313/ExchServer/cloudforfun.onmicrosoft.com.onmicrosoft.com/Roles
DirXML: [06/21/19 15:45:08.65]: TRACE: Azure AD_Exchange: Response code and message: 400 Bad Request
DirXML: [06/21/19 15:45:08.65]: TRACE: Azure AD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [06/21/19 15:45:08.65]: TRACE: Azure AD: Received response document from subscriber
DirXML: [06/21/19 15:45:08.72]: TRACE: Azure AD: Caught exception during REST Channels initialization.
DirXML: [06/21/19 15:45:08.72]: TRACE: Remote Loader: PublicationShim.init() returned:
DirXML: [06/21/19 15:45:08.77]:
DirXML Log Event -------------------
Driver = \IDM\DriverSet\Azure AD
Thread = Subscriber
Level = error
Message = Fatal error returned from shim
DirXML: [06/21/19 15:45:08.78]: TRACE: Remote Loader: Sending...
DirXML: [06/21/19 15:45:08.78]: TRACE: Remote Loader: Document sent.
DirXML: [06/21/19 15:45:08.78]: TRACE: Remote Loader: Calling DriverShim.shutdown() because of error in driver startup.
DirXML: [06/21/19 15:45:08.79]: TRACE: Remote Loader: Closing connection...
DirXML: [06/21/19 15:45:08.79]: TRACE: Remote Loader: Connection closed
DirXML: [06/21/19 15:45:08.79]: TRACE: Azure AD: AZDriverShim.shutdown()
DirXML: [06/21/19 15:45:08.80]: TRACE: Remote Loader: Connection monitor thread waking up.
DirXML: [06/21/19 15:45:08.80]: TRACE: Remote Loader: Connection monitor thread exiting.
DirXML: [06/21/19 15:45:08.96]: TRACE: Azure AD: Closing queue.
DirXML: [06/21/19 15:45:08.96]: TRACE: Azure AD: Shutting down driver 'Azure AD_Azure'...
DirXML: [06/21/19 15:45:08.96]: TRACE: Azure AD_Azure: DriverShim.shutdown() is called.
DirXML: [06/21/19 15:45:08.96]: TRACE:
<source>
<product version="5.1.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input/>
</nds>

Respected Contributor.

Re: AzureAD Driver IDM 4.7 Roles query fails, status 400

@al_b @geoffc After enabling WCF trace on the IDMExchangeOnline Service:


<system.diagnostics>
<sources>
<source name="System.ServiceModel"
switchValue="Information, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="traceListener"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData= "C:\Novell\ExchangeService\Logs\Traces.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>

I see the following error:

https://docs.microsoft.com/dotnet/framework/wcf/diagnostics/tracing/System-ServiceModel-Diagnostics-TraceHandledExceptionHandling an exception. Exception details: System.NullReferenceException: Object reference not set to an instance of an object.
at IDMExchServer.DriverThread.QueryAllRoles()
at IDMExchServer.ExchServer.GetRoles(String domain)
at SyncInvokeGetRoles(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</Description><AppDomain>ExchServerHost.exe</AppDomain><Exception><ExceptionType>System.NullReferenceException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Object reference not set to an instance of an object.</Message><StackTrace> at IDMExchServer.DriverThread.QueryAllRoles()
at IDMExchServer.ExchServer.GetRoles(String domain)
at SyncInvokeGetRoles(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp;amp; outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp;amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp;amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp;amp; rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)System.NullReferenceException: Object reference not set to an instance of an object.
at IDMExchServer.DriverThread.QueryAllRoles()
at IDMExchServer.ExchServer.GetRoles(String domain)
at SyncInvokeGetRoles(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp;amp; outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp;amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp;amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp;amp; rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</ExceptionString></Exception></TraceRecord>
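The WCF listener configured above writes E2ETraceEvent records to Traces.svclog, and the NullReferenceException in the post was found by reading that file. As an added example (not from the thread and not NetIQ code), this Python parser pulls only the records that carry an Exception element out of such a file and reports the type, message and innermost frame, so the failing call (here QueryAllRoles) stands out without a trace viewer; the sample records are constructed to mirror the quoted trace.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape XmlWriterTraceListener writes: a bare sequence
# of E2ETraceEvent records with no root element. The exception text mirrors the
# IDMExchServer trace quoted in the thread; timestamps and the first record are made up.
SAMPLE_SVCLOG = """<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<TimeCreated SystemTime="2019-06-21T13:45:08.60Z"/></System>
<ApplicationData><TraceData><DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
<Description>Received a message over a channel.</Description>
</TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<TimeCreated SystemTime="2019-06-21T13:45:08.64Z"/></System>
<ApplicationData><TraceData><DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
<Description>Handling an exception.</Description><AppDomain>ExchServerHost.exe</AppDomain>
<Exception><ExceptionType>System.NullReferenceException, mscorlib, Version=4.0.0.0</ExceptionType>
<Message>Object reference not set to an instance of an object.</Message>
<StackTrace>   at IDMExchServer.DriverThread.QueryAllRoles()
   at IDMExchServer.ExchServer.GetRoles(String domain)
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)</StackTrace>
</Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>
"""

def _local(tag):
    """Strip the namespace so records can be matched by element name alone."""
    return tag.rsplit("}", 1)[-1]

def _first(elem, name):
    """First descendant (or elem itself) with the given local name, else None."""
    return next((n for n in elem.iter() if _local(n.tag) == name), None)

def _text(elem, name):
    node = _first(elem, name)
    return (node.text or "").strip() if node is not None else ""

def parse_svclog(text):
    """Return one dict per trace record that carries an <Exception> element."""
    # The file has no root element, so wrap the records in a synthetic one first.
    root = ET.fromstring("<svclog>" + text + "</svclog>")
    found = []
    for event in root:
        exc = _first(event, "Exception")
        if exc is None:
            continue  # ordinary message/activity trace, not an error
        time_el = _first(event, "TimeCreated")
        frames = [ln.strip() for ln in _text(exc, "StackTrace").splitlines()]
        found.append({
            "time": time_el.get("SystemTime", "") if time_el is not None else "",
            "app_domain": _text(event, "AppDomain"),
            "type": _text(exc, "ExceptionType").split(",")[0].strip(),
            "message": _text(exc, "Message"),
            "top_frame": frames[0] if frames else "",  # innermost frame: where it was thrown
        })
    return found
```

To use it on the real service trace, read Traces.svclog into a string and pass it to parse_svclog; each returned dict points at the frame to raise with NetIQ support.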