The following are the possible values for this element.
| Error |
Cause |
| ambiguous-update |
The management agent cannot fulfill an update or delete request
because the anchor is incorrectly configured or not unique. This
error can be returned by SQL and Oracle management agents. If this
error is encountered, check the anchor construction rules to ensure
that each object has a unique anchor value. |
| anchor-too-long |
An attempt is made to construct an anchor that exceeded the
maximum size limit for Microsoft Identity Integration
Server 2003. This error can be returned by database management
agents, file management agents, or the iPlanet 4.0 management
agent. |
| cd-error |
An error is encountered while attempting to communicate with a
connected data source, but there is no specialized error type for
this error. This error is accompanied by a <cd-error>
element, which contains information that should aid in
troubleshooting the cause of the error. |
| cd-existing-object |
A request to add an object is exported to the connected data
source, but the object is already present in the connected data
source. This error can be returned by call-based management agents
except for relational database management agents. It is never
returned by file management agents. |
| cd-missing-object |
A request to modify an object is exported to the connected data
source, but the object cannot be found in the connected data
source. This error can be returned by call-based management agents,
but never by a file management agents. The likely cause of this
error is because some person or external process has deleted the
object from the connected data source outside Identity Integration
Server. |
| certifier-ou-not-configured |
An attempt is made to provision out a new user or container (o
or ou) and the certifier name you have specified for the
"_MMS_Certifier" attribute is not the name of a properly configured
certifier container. Each certifier container must be configured
using the Identity Integration Server administrative UI before it
can be used in provisioning. This error can be returned by the
management agent for Lotus Notes. |
| code-page-conversion |
An attempt is made to export an attribute value, which is
stored in Unicode within the Identity Integration Server, to the
code page of the export file, but fails because of conversion
errors. This error can be returned by file management agents. |
| constraint-violation |
An attempt is made to export an add, modify, or delete request
that violates the constraints of a connected data source. This
error can be returned by LDAP management agents and database
management agents. Violations for LDAP management agents include
setting multiple values for a single valued attribute, exceeding
field width constraints on string and binary attributes, or
exceeding range constraints on numeric attributes. Database
management agents can impose a variety of constraints, including
those for referential integrity, rules, and constraints that may be
defined for their database. |
| dn-attributes-failure |
An attempt is made to export an add or modify request that sets
a reference value for which there is no corresponding connected
data source object. This error can be returned by the Active
Directory management agent, Active Directory/Application Mode
management agent, and global address list synchronization
management agent. The other management agents do not generate an
error in this situation—the set is accepted by the connected data
source. To correct this error, use the connector space object
viewer to determine which of the changes to the reference
attributes were not successfully exported. |
| duplicate-anchor |
The anchor on a newly provisioned object is not unique. This
error can be returned by file management agents, database
management agents, or the iPlanet 4.0 management agent. If this
error is encountered, check the anchor construction rules to ensure
that each object has a unique anchor value. |
| encryption-not-enabled |
An attempt is made to set or change the password attribute and
the connection that the management agent uses to communicate to the
connected data source has not been configured with an appropriate
encryption mechanism (128 bit SSL or TLS). This error can be
returned by the Active Directory/Application Mode management agent.
128-bit SSL or TLS configuration is a requirement imposed by Active
Directory/AM for setting passwords. |
| insufficient-columns |
An attempt is made to export an add or modify request to an
object and the number of values for a multivalued attribute exceeds
the number of columns configured for that attribute’s multi-values.
This error can be returned by the Fixed Width management agent or
Delimited management agent. |
| insufficient-field-width |
An attempt is made to export an add or modify request to an
object and the value of an attribute exceeds the width of the
column. This error can be returned by the Fixed Width management
agent. |
| invalid-attribute-value |
An attempt is made to flow out an attribute value that contains
characters which are invalid for the connected data source. For
example, the attribute values exported to the fixed width,
delimited, and AVP file management agents cannot contain CR, LF, or
EOF characters. |
| invalid-dn |
An attempt is made to export a newly provisioned object or
rename an existing object, and the distinguished name is
incompatible with the connected data source naming requirements.
This error can be returned by LDAP management agents and the
Windows NT 4.0 management agent. |
| invalid-provisioning-attribute-value |
An attempt is made to export a newly provisioned object, but
certain attributes for provisioning set by the customer extension
are invalid (such as not in a certain value range). |
| kerberos-no-logon-server |
An attempt is made to set or change a password attribute, and
the management agent cannot resolve a server for the domain part of
the logon credentials. This generally means a NetBIOS or DNS
misconfiguration. This error can be returned by the Active
Directory management agent or the global address list
synchronization management agent. |
| kerberos-time-skew |
The password attribute is being set or changed, and the time on
the server running Identity Integration Services differs from the
time on the Active Directory domain controller by more than five
minutes. This error can be returned by the management agent for
Active Directory or the management agent for Active Directory
global address list (GAL). |
| locking-error-needs-retry |
Returned by a management agent when another management agent is
trying to synchronize the same connector spaces object. To resolve
this error, rerun the management agent a second time and error
should not reoccur. |
| missing-anchor-component |
An attempt is made to export a newly provisioned object, but an
anchor cannot be generated because a value required for
constructing the anchor is not available. Possible for reasons for
this error are that the attribute was not set at provisioning time
(in the case of the iPlanet 4.0 management agent, database
management agents, or file management agents) or it cannot be read
from the connected data source (Active Directory management agents,
the iPlanet 5.0 management agent, and database management agents
when the anchor is constructed from an auto-increment column). |
| missing-provisioning-attribute |
An attempt is made to export a newly provisioned object, but
certain attributes that are required for provisioning a new object
have not been set by the customer extension. This error can be
returned by the Notes management agent. |
| modify-naming-attribute |
An attempt is made to export a request where a naming attribute
(such as CN for many object types) is set to a value that conflicts
with the RDN value. This error can be returned by LDAP management
agents. This error can occur because of a poorly defined export
attribute flow rule or an error in the process code that sets
initial values on a newly provisioned object. |
| multi-valued-anchor-component |
An attempt is made to construct the anchor for a newly
provisioned object, but one of the attributes used in constructing
the anchor has multiple values. This error can be returned by the
iPlanet 4.0 management agent. Attributes used in the anchor
construction can be defined to be multivalued in the connected data
source schema, but they must only have a single value on the
objects in Identity Integration Server. |
| no-export-to-this-object-type |
The management agent only allows import of objects of this
object type. No export operations are allowed on this type of
object. This error is returned by the NT 4.0 management agent if
you try to perform provisioning operations or export attribute flow
on computer objects. |
| non-existent-parent |
An attempt is made to export an add or a rename request but the
parent object does not exist in the connected data source. This
error can be returned by LDAP management agents. |
| password-policy-violation |
The password attribute is set or changed to a value which does
not meet the administrator defined password policy of the connected
data source. This error can be returned by the Active Directory
management agent and global access list directory synchronization
management agents. |
| password-set-disallowed |
The password encryption is set to either no encryption or less
than 128-bit SSL and the administrator has not explicitly made an
override to allow password sets. This error can be returned by the
Active Directory management agent. |
| permission-issue |
An attempt is made to export an add, modify, or delete request
and the management agent has insufficient permissions to perform
the operation against the connected data source. This error can be
returned by LDAP management agents and the NT4.0 management
agent. |
| provision-to-secondary-nab |
An attempt is made to provision a person or certifier object to
a secondary Notes address book. This error can be returned by the
Notes management agent. Lotus Notes only allows provisioning
contacts to secondary Notes address books. |
| rename-to-existing-dn |
An attempt is made to change the distinguished name of the
object at the time of export but there is already an object in the
connector space with that distinguished name. The distinguished
name of an object can be changed on export in two ways:
- Database management agents, where the distinguished name is
calculated based on the values of the attributes making up the
anchor (these values may not be present until the object is
exported)
- LDAP management agents where the connected data source applies
certain normalization rules that cause the distinguished name to
change.
In either case, examine how the distinguished name property of the
object is created in the provisioning extension. |
| schema-violation |
An attempt is made to export an object modification that would
add an attribute that is not in the connected data source schema or
remove an attribute from an object which is required by the schema.
This error can be returned by LDAP management agents. In most cases
Identity Integration Server will not allow this error to occur
since its rules check the stored copy of the connected data source
schema. However, this error can occur if the Identity Integration
Server schema is out of date with the connected data source schema.
If this error is encountered, use the Identity Manager to refresh
the schema stored with the management agent. |
| syntax-violation |
An attempt is made to export a request where the value for an
attribute violates certain value constraints. This error can be
returned by the management agent for LDAP Data Interchange Format
(LDIF) files and the management agent for Windows NT 4.0. A typical
case of this error is when the value being exported contains an
invalid character. |
| temporary-certifier-file-creation-failure |
An attempt was made to fetch the certifier information for the
certifier container specified by the "_MMS_Certifier" attribute and
temporarily create a certifier file in the MAData directory of the
Notes MA for use by the Notes API. This occurs when a new user or
container (o or ou) is provisioned. If this process of creating the
certifier file fails for any reason (for example, out of disk
space, permissions, etc) this export error is reported. This error
can be returned by the Lotus Notes management agent. |
| unexpected-error |
An attempt is made to export a change and an unexpected error
is encountered. To help troubleshoot this error, examine the event
log. This error should not be encountered as part of normal
operation and indicates a product malfunction. If you do encounter
this error, contact Microsoft Product Support. |
| unexpected-provisioning-attribute |
This error is returned when you are exporting a newly
provisioned object and certain attributes for provisioning set by
the customer extension should not be included because they are
incompatible with the values of other provisioning attributes. This
error is returned by the Notes management in the following cases:
- When you create a contact (_MMS_IDRegType=0) and supply
any one of the following attributes:
- _MMS_Certifier
- _MMS_OU
- _MMS_Password
- _MMS_IDStoreType
- _MMS_IDPath
- MailFile
- When you create a U.S. user or International user but do not
specify creating an ID file (_MMS_IDStoreType=0), but supply
the _MMS_IDPath or MailFile attributes.
- When you create an OU (certifier), and supply the
_MMS_OU attribute.
- When you create an O (certifier), and supply the
_MMS_Certifier attribute.
|