Microsoft KB Archive/939938

= FIX: Error message when you try to synchronize Active Directory objects that contain a pound (#) character with IBM RACF: "Failure attempting to add username to group groupname" =

Article ID: 939938

Article Last Modified on 11/15/2007

-

APPLIES TO


 * Microsoft Identity Integration Server 2003 Host Access Management Agent Feature Pack 1

-





SYMPTOMS
If you use the Host Access Management Agent (HAMA) to synchronize Active Directory group members with IBM Resource Access Control Facility (RACF), you receive an error message that resembles the following during the export process:

Microsoft.MetadirectoryServices.EntryExportException: Failure attempting to add USER\#100 to group USERS. Please verify that the USER\#100 object exists.
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.CheckForExportGroupsError(Hashtable scriptReturnValues, String parentId, String objectId)
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.ExportGroupMembers(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.ExportGroupEntries(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)

Note In this example error message, the Active Directory user name is USER#100. Microsoft Identity Integration Server (MIIS) 2003 inserts a backslash (\) escape character before any pound (#) character in object reference (DN) values of Metaverse or connector space objects, so the value that HAMA exports is USER\#100 rather than USER#100.

This problem occurs if the Active Directory user names include a pound (#) character.

Additionally, you receive an error message that resembles the following when the RACF Management Agent issues an IBM RACF ALTUSER command for such a user during the export process:

Microsoft.MetadirectoryServices.EntryExportException: IKJ56702I INVALID SEGMENT, User ID
IKJ56703A REENTER THIS OPERAND -?
SYNTAX
CONNECT Syntax
The complete syntax of the CONNECT command is:

   [subsystem-prefix] CONNECT | CO
      (userid ...)
      [ADSP | NOADSP (default)]
      [AT(node.userid ...) | ONLYAT(node.userid ...)]
      [AUDITOR | NOAUDITOR (default)]
      [AUTHORITY(group-authority)]
      [GROUP(group-name)]
      [GRPACC | NOGRPACC (default)]
      [OPERATIONS | NOOPERATIONS (default)]
      [OWNER(userid or group-name)]
      [RESUME(date) | NORESUME]
      [REVOKE(date) | NOREVOKE]
      [SPECIAL | NOSPECIAL (default)]
      [UACC(access-authority)]

For more information regarding this command's syntax, see the OS/390 Security Server (RACF) Command Language Reference.
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.CheckForExportObjectErrors(Hashtable scriptReturnValues, ModificationType modificationType)
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.ExportUsers(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
   at Microsoft.MetadirectoryServices.Host.RACF.RACFMA.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)

This problem occurs if the following conditions are true:
 * The RACF Management Agent issues an IBM RACF ALTUSER command for an Active Directory user whose name contains a pound (#) character.
 * The user ID that the ALTUSER command specifies still contains the backslash (\) escape character that MIIS added, so RACF rejects the operand.

This problem occurs in Microsoft Identity Integration Server 2003 Host Access Management Agent Feature Pack 3.



CAUSE
You receive these error messages because MIIS uses LDAP-style escaping for special characters in reference (DN) attribute values in the connector space. Any DN element that includes a pound (#) character is modified to include the LDAP escape character, the backslash (\). (In RFC 2253 DN syntax the pound character has to be escaped only when it appears at the start of a value; MIIS escapes it wherever it appears.) The HAMA sends the modified object name to IBM RACF, which treats the backslash as part of the user ID. A RACF user ID may contain the pound character but not a backslash, so the CONNECT or ALTUSER operand is invalid and you receive the error messages.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
You must have Microsoft Identity Integration Server 2003 Service Pack 2 (SP2) or Microsoft Identity Lifecycle Manager 2007 installed before you apply this hotfix.

Restart requirement
You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Note Because of file dependencies, the most recent hotfix that contains these files may also contain additional files.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

After you apply this hotfix, the RACF Management Agent removes the backslash escape character from any user ID that contains a pound (#) character before it sends the user ID to IBM RACF. In addition, the RACF Management Agent adds the backslash character back to RACF user IDs that include the pound character when these user IDs are received during an import process. This ensures that the imported user IDs match the escaped reference values that the MIIS connector space contains, so the same object is not treated as two different users.
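The escaping described in the CAUSE section and the export/import round trip described in the paragraph above, as an added example that is not part of this KB article or of the Host Access Management Agent code. It models the LDAP-style backslash escaping MIIS applies to reference (DN) values, the unescape the hotfixed agent performs before a user ID reaches RACF, the re-escape on import, and a pre-export check for names that would hit this bug. The user and group names are constructed sample data, the function names are assumptions, and the CONNECT command text mirrors the "CONNECT (userid ...) GROUP(group-name)" form quoted in the error message rather than the agent's actual command builder, which the article does not show.

```python
"""MIIS DN-escape / RACF user ID round trip.

Added example, not the KB article's or the HAMA's own code. Sample names are
constructed; function names are assumptions for this illustration.
"""
import re

# Characters that MIIS backslash-escapes in reference (DN) attribute values.
# This is the RFC 2253 special-character set. RFC 2253 reserves '#' only at
# the start of a value, but the article says MIIS escapes every '#', which is
# exactly what turns USER#100 into USER\#100.
_DN_SPECIAL = frozenset(',+"\\<>;#=')

# General RACF user ID rule: 1-8 characters from A-Z, 0-9 or the national
# characters # @ $. A backslash is never valid, so 'USER\#100' cannot exist.
_RACF_USERID = re.compile(r"^[A-Z0-9#@$]{1,8}$")


def ldap_escape_value(value: str) -> str:
    """Escape a DN attribute value the way MIIS stores it: USER#100 -> USER\\#100."""
    return "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)


def ldap_unescape_value(value: str) -> str:
    """Reverse ldap_escape_value: drop each escape backslash, keep the escaped char."""
    return re.sub(r"\\(.)", r"\1", value)


def is_valid_racf_userid(userid: str) -> bool:
    """True if RACF would accept this string as a user ID."""
    return _RACF_USERID.match(userid) is not None


def racf_userid_from_dn_value(escaped: str) -> str:
    """Export direction after the hotfix: strip MIIS escaping before the ID
    is placed in a RACF command."""
    return ldap_unescape_value(escaped)


def dn_value_from_racf_userid(userid: str) -> str:
    """Import direction after the hotfix: re-escape the RACF user ID so it
    matches the reference value already held in the connector space."""
    return ldap_escape_value(userid)


def build_connect_command(escaped_userid: str, group: str, fix_applied: bool) -> str:
    """Illustrative RACF CONNECT text for a group-membership add (assumed
    format). Without the fix the escaped value is passed through unchanged,
    which is the failure the article describes."""
    userid = racf_userid_from_dn_value(escaped_userid) if fix_applied else escaped_userid
    return f"CONNECT ({userid}) GROUP({group})"


def find_affected_names(names):
    """Pre-export check: AD names containing any character MIIS escapes are
    the ones that reach RACF with a backslash before the hotfix."""
    return [n for n in names if any(ch in _DN_SPECIAL for ch in n)]


if __name__ == "__main__":
    # Constructed sample: the user from the article plus two controls.
    sample = ["USER#100", "ALICE", "ACCT$7"]
    print("affected before hotfix:", find_affected_names(sample))
    stored = ldap_escape_value("USER#100")  # what the connector space holds
    for fixed in (False, True):
        cmd = build_connect_command(stored, "USERS", fix_applied=fixed)
        uid = cmd.split("(")[1].split(")")[0]
        print(f"fix_applied={fixed}: {cmd}  valid RACF ID: {is_valid_racf_userid(uid)}")
```

Run as a script it shows that the connector-space value USER\#100 is not a valid RACF user ID while USER#100 is, and that escaping the imported RACF ID again yields the original connector-space value, which is why the hotfix has to transform in both directions. `find_affected_names` is the check to run against your AD export before upgrading: any hit is an account whose group membership would have been failing.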

Keywords: kberrmsg kbexpertiseinter kbbug kbfix kbhotfixserver kbqfe kbpubtypekc KB939938

-


© Microsoft Corporation. All rights reserved.