maqsood1 Absent Member.

AzureAD Driver IDM 4.7 Roles query fails, status 400

NetIQ IDM 4.7.2
NetIQ Identity Manager Driver for Azure AD and Office365
product version="5.1.0.0"


When starting the AzureAD driver, the driver fails to start with a "fatal" error.

We are getting the following error when the shim tries to query "Roles" with IDMExchangeOnlineService, which results in a 400:


DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD: Sending command document to subscriber
DirXML: [06/14/19 15:30:53.19]: TRACE: <nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="directoryRoles" command="query">
<request method="GET">
<url-token api-version="?api-version=1.6"/>
<header/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: sub-execute
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: queryHandler
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: queryHandler: class-name == 'directoryRoles'
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Query: preparing GET to https://graph.windows.net/cloudforfun.onmicrosoft.com.onmicrosoft.com/directoryRoles?api-version=1.6
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Resetting headers
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Setting the following HTTP request properties:
Authorization: <content suppressed>
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Content-Type:application/xml
DirXML: [06/14/19 15:30:53.20]: TRACE: Azure AD_Azure: OAuth2: Token is valid.
DirXML: [06/14/19 15:30:53.20]: TRACE: Azure AD_Azure: OAuth2: Token is valid.
DirXML: [06/14/19 15:30:53.20]: TRACE: Azure AD_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/cloudforfun.onmicrosoft.com.onmicrosoft.com/directoryRoles?api-version=1.6
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD_Azure: Response code and message: 200 OK
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD: Received response document from subscriber
DirXML: [06/14/19 15:30:53.31]: TRACE: <nds dtdversion="3.0">
<source>
<product build="20180222_0635" version="1.0.0.2">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="directoryRoles" command="query" dest-dn="">
<response method="GET">
<url-token api-version="?api-version=1.6"/>
<header/>
<value message="OK" status="200">{[{SOME_VALID_JSON_BACK_FROM_AZURE_AD}]}</value>
</response>
</driver-operation-data>
</status>
</output>
</nds>



[06/14/19 15:30:53.35]: TRACE: Azure AD: Sending command document to subscriber
DirXML: [06/14/19 15:30:53.35]: TRACE: <nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Roles" command="query">
<request method="GET">
<url-token/>
<header/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [06/14/19 15:30:53.35]: TRACE: Azure AD_Exchange: sub-execute
DirXML: [06/14/19 15:30:53.35]: TRACE: Azure AD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: queryHandler
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: queryHandler: class-name == 'Roles'
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Query: preparing GET to https://RLSERVER:2313/ExchServer/cloudforfun.onmicrosoft.com/Roles
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Resetting headers
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Setting the following HTTP request properties:
Authorization: <content suppressed>
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Content-Type:application/xml
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Did a HTTP GET with 0 bytes of data to https://RLSERVER:2313/ExchServer/cloudforfun.onmicrosoft.com/Roles
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD_Exchange: Response code and message: 400 Bad Request
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD: Received response document from subscriber
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD: Caught exception during REST Channels initialization.
DirXML: [06/14/19 15:30:53.37]: TRACE: Remote Loader: PublicationShim.init() returned:
DirXML: [06/14/19 15:30:53.38]:
DirXML Log Event -------------------
Driver = \IDM\DriverSet\Azure AD
Thread = Subscriber
Level = error
Message = Fatal error returned from shim



1) Why is it querying "Roles"? Is it AzureAD Application Roles or Userapp Roles?

2) Why does it end up with a 400 error?
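Added example (not part of the original post and not NetIQ code): a small Python triage script that pairs each "preparing GET to" line in a DirXML trace with the next "Response code and message" line on the same channel, so the failing REST channel and endpoint stand out. The sample lines are copied from the trace in the post; the function and variable names are hypothetical.

```python
import re

# Lines copied from the trace in the post (only the request/response lines).
SAMPLE_TRACE = """\
DirXML: [06/14/19 15:30:53.19]: TRACE: Azure AD_Azure: Query: preparing GET to https://graph.windows.net/cloudforfun.onmicrosoft.com.onmicrosoft.com/directoryRoles?api-version=1.6
DirXML: [06/14/19 15:30:53.30]: TRACE: Azure AD_Azure: Response code and message: 200 OK
DirXML: [06/14/19 15:30:53.36]: TRACE: Azure AD_Exchange: Query: preparing GET to https://RLSERVER:2313/ExchServer/cloudforfun.onmicrosoft.com/Roles
DirXML: [06/14/19 15:30:53.37]: TRACE: Azure AD_Exchange: Response code and message: 400 Bad Request
"""

# "[timestamp]: TRACE: <channel>: <message>", with or without the "DirXML: " prefix.
LINE = re.compile(r"^(?:DirXML: )?\[(?P<ts>[^\]]+)\]: TRACE: (?P<chan>[^:]+): (?P<msg>.*)$")
PREPARE = re.compile(r"^Query: preparing (?P<method>[A-Z]+) to (?P<url>\S+)$")
RESPONSE = re.compile(r"^Response code and message: (?P<code>\d{3})\s*(?P<reason>.*)$")


def pair_requests(trace):
    """Return one record per REST call: channel, method, url, status, reason."""
    pending = {}   # channel -> (method, url) awaiting its response line
    results = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # XML document lines, header dumps, event blocks
        chan, msg = m["chan"], m["msg"]
        prep = PREPARE.match(msg)
        resp = RESPONSE.match(msg)
        if prep:
            pending[chan] = (prep["method"], prep["url"])
        elif resp and chan in pending:
            method, url = pending.pop(chan)
            results.append({"channel": chan, "method": method, "url": url,
                            "status": int(resp["code"]), "reason": resp["reason"],
                            "time": m["ts"]})
    return results


def failures(results):
    """Keep only the calls whose HTTP status is outside 2xx."""
    return [r for r in results if not 200 <= r["status"] < 300]


if __name__ == "__main__":
    for r in failures(pair_requests(SAMPLE_TRACE)):
        print(f'{r["time"]} {r["channel"]}: {r["method"]} {r["url"]} '
              f'-> {r["status"]} {r["reason"]}')
```
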