I'm starting to see the error during password changes or resets against AD. AD seems 'unwilling' and idm returns this error. Afterwards, subsequent updates against the accounts fail with the same error (they are also trying to push the password). Has anyone seen this before? Does anyone know what might be causing it? It is starting to make a big impact.
These transactions are coming through the AD Connector Server via a configured AD resource. Is there a configuration setting I need to update to alleviate this?
Google tells me that lots of people interpret this error for a bunch of different reasons. But it leads me to believe it has to do with how the Connector Server is communicating with AD.
We see this error sometimes when an Exchange attribute value is wrong (f.i. mailbox store). We've also seen it when someone tried to disable the AD account via an attribute in the resource schema (does not work, use the disable workflow).
I'm dealing with it now on a set of accounts that have not yet had Exchange provisioned. Default AD policy could maybe be adding bad Exchange attributes to the accounts, I guess. I'll have to compare some AD objects.
We do use the userAccountControl attribute directly for enabling and disabling, but have not pushed any value to it yet. We don't push a value when accounts are created. Only when roles disable / re-enable them.
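An added check for the userAccountControl handling described above (example code written here, not from the thread or the IdM product): it decodes the bitmask and flips only the disable bit, so a push does not overwrite the account's other flags. The sample value is constructed; reading and writing the attribute over LDAP is assumed to happen elsewhere.

```python
"""Decode and safely toggle the AD userAccountControl bitmask.

Added example, not from the thread. Assumes the current value has
already been read from the directory; no LDAP connection is made.
Flag values are the documented ADS_USER_FLAG constants.
"""

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def set_disabled(current: int, disabled: bool) -> int:
    """Flip only ACCOUNTDISABLE and keep every other flag intact.

    Writing a bare 2 or 512 instead of a masked value silently drops
    flags such as DONT_EXPIRE_PASSWORD or SMARTCARD_REQUIRED.
    """
    return current | ACCOUNTDISABLE if disabled else current & ~ACCOUNTDISABLE


def audit_uac(current: int, proposed: int) -> list[str]:
    """Flags (other than ACCOUNTDISABLE) that a proposed write would add or drop."""
    changed = (current ^ proposed) & ~ACCOUNTDISABLE
    return [("+" if proposed & bit else "-") + name
            for bit, name in sorted(UAC_FLAGS.items()) if changed & bit]


if __name__ == "__main__":
    # Constructed sample: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (66048).
    current = 66048
    print(decode_uac(current), set_disabled(current, True))
    print("naive write of 2 would change:", audit_uac(current, 2))
```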