MIIS / ILM Error Codes

(from http://marksmith.netrends.com/Lists/Posts/Post.aspx?ID=33)
Management agent run error codes
The following tables contain error codes that might appear in the Identity Manager user interface, as well as descriptions for each of those
errors.
Connection errors
Error Description
failed-
connection
Connection to the connected directory has failed for a reason other than authentication. For example, the network is unavailable,
or the target server is offline.
dropped-
connection
The connection between the management agent and the connected directory no longer exists. The management agent tries to
reconnect to the connected directory in many instances.
failed-
authentication
Authentication is not possible using the supplied credentials.
failed-
permission
Insufficient rights to access a container in the connected directory. This error is only expected for Lightweight Directory Access
Protocol (LDAP) management agents that search different connected directory containers.
failed-search A container or table search failed with an unexpected error.
warning-no-
watermark
The management agent can not read the watermark when doing a full import. This error is only expected for the management
agent for Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) when the initial management agent configuration is
completed and the connected directory has change log enabled. Later, when the connected directory change log is turned off, if
the management agent configuration is not updated, this warning occurs when a full import is done.
Discovery errors
Error Description
missing-change-
type
This error is returned during a delta import run by file-based and database management agents, as well as the management
agent for Sun and Netscape directory servers, when the change type column value (add, modify, delete) is not present.
invalid-change-type This error is returned during a delta import run by file-based and database management agents, as well as the management
agent for Sun and Netscape directory servers when the change type column value does not match the list of valid change
types. It is also returned from an LDAP Data Interchange Format (LDIF) full import when a change type field is present and
has a value other than add.
multi-valued-
change-type
This error is returned during a delta import run by file-based and Sun and Netscape directory servers management agents
when more than one value for the change type is present.
need-full-object This error is returned during a delta import run of a file-based management agent or when resuming from a file-based
management agent. It indicates that the management agent has submitted a modification on an object which cannot be
located in the connector space. The synchronization engine is requesting the current values of all attributes on the object.
Since this is an import from a file, that information is not available. A full import should resolve this problem.
missing-dn This error is returned for file-based management agents (that is, management agents for LDIF, DSML, or flat files with
configured domain name attributes) when there is no domain name value. This is also returned in the case of a corrupted Sun
ONE Directory Server change log where the domain name attribute is missing. It indicates that the management agent could
read the element and parse it, but there was no domain name value for the object.
dn-not-ldap-
conformant
This error is returned when a management agent for LDAP, LDIF, DSML, or a flat file with a configured domain name attribute
reports a domain name value that does not conform to the LDAP specification.
invalid-dn This error is returned when a management agent reports that a domain name does not meet a Microsoft Identity Integration
Server 2003 constraint, which includes:
O One or more characters that are not allowed by Microsoft Identity Integration Server 2003
O An empty relative distinguished name (also known as RDN)
O A relative distinguished name that exceeds the maximum for Microsoft Identity Integration Server 2003
O The number of hierarchy levels of the domain name exceeds the maximum for Microsoft Identity Integration Server
2003
missing-anchor-
component
This error is returned by file-based and database management agents, as well as the management agent for Sun and Netscape
directory servers, when the anchor cannot be constructed because one or more anchor construction rule attributes do not have
values.
multi-valued-
anchor-component
This error is returned by the management agent for Sun and Netscape directory servers if they cannot construct the anchor
because an anchor construction rule attribute has more than one value.
anchor-too-long This error is returned by file-based and database management agents, as well as the management agent for Sun and Netscape
directory servers, when the anchor construction produces an anchor that exceeds the maximum size limit for Microsoft Identity
Integration Server 2003.
duplicate-object This error is returned on full imports by file-based and database management agents when an object with the same anchor
has already been reported to the synchronization engine during this run.
missing-object-
class
This error is returned by a file-based management agent (that is, a management agent for DSML, LDIF, or a flat file with a
configured object class attribute), or for the management agent for Sun and Netscape directory servers, if there is a corrupted
change log. This indicates that the management agent cannot read a value for the object class attribute.
missing-object-type This error is returned when performing a resume of import from a corrupted drop file. This error should not be encountered
during normal operation.
unmappable-
object-type
This error is returned by a file-based management agent when it reads an object that has a set of object class values that
cannot be matched to any of the prefix mappings.
parse-error This error is returned by the management agent for Sun and Netscape directory servers in delta mode and by file-based
management agents when they cannot parse an entry. The <entry-number> element (and in most cases <line-number> and
<column-number>) will be present to help locate the error. The <attribute-name> element might be present. The
management agent for Sun and Netscape directory servers terminates the run when this is encountered. The file-based
management agents log the discovery error and continue.
read-error This error is returned by call-based management agents when there is a generic error reading a particular object. This
generally causes termination of the run. The connected data source error element is present, which you can use to
troubleshoot the problem.
staging-error This error is returned by most management agents. It indicates that the synchronization engine could not stage the delta in
the connector space. The server creates an event log that provides information about the problem and that can be used for
troubleshooting. Most management agents continue the import run when the error is logged, but the management agent for
Sun and Netscape delta runs stops because gaps in the change log processing could be cause an inconsistent state in the
connector space. This error should not be encountered during normal operation.
invalid-
modification-type
This error is returned during a delta import on an LDIF management agent when an object level modification type is not one of
the standard LDIF modification types or there is a non-replace modification type on the objectclass, such as add: objectclass or
delete: objectclass.
conflicting-
modification-types
This error is returned by the LDIF management agent indicating differing attribute level modification types were encountered in
the same record (in this case the attribute name which produced the conflicting types is reported) or multiple replace LDIF
deltas are seen in the same file, such as:
replace: objectclass
objectclass: group

replace: objectclass
objectclass: user
multi-single-
mismatch
This error is returned by a file-based management agent when it reports more than one value add, or more than one value
delete for an attribute that is defined in Microsoft Identity Integration Server 2003 as being a single value attribute. This error
might indicate that the connected data source schema that is stored with Microsoft Identity Integration Server 2003 is
incorrectly specified (file-based management agents) or out of date with the current schema. Includes an <attribute-name>
element to give the context of the error.
invalid-attribute-
value
This error is returned by a call-based management agent when an attribute value is read that does not conform to the
attribute type declared in the schema. Includes an <attribute-name> element to give the context of the error.
invalid-base64-
value
This error is returned by the management agents for LDIF, DSML and Sun and Netscape directory servers when they
encounter an invalid base64 string.
invalid-numeric-
value
This error is returned by file-based management agents and the management agent for LDAP when they are unable to parse a
numeric value. Includes an <attribute-name> element to give the context of the error.
invalid-boolean-
value
This error is returned by file-based management agents and the management agent for LDAP when they are unable to parse a
Boolean value. Includes an <attribute-name> element to give the context of the error.
reference-value-
not-ldap-
conformant
This error is returned by management agents for LDAP, LDIF, and DSML or flat files (with configured domain name attribute)
when a domain name value does not conform to the LDAP specification. This error message includes an <attribute-name>
element to give the context of the error.
invalid-reference-
value
This error is returned by a management agent when a domain name does not meet Microsoft Identity Integration Server 2003
constraints, which include:
O One or more characters that are not allowed by Microsoft Identity Integration Server 2003
O An empty relative distinguished name (also known as RDN)
O A relative distinguished name that exceeds the maximum for Microsoft Identity Integration Server 2003
O The number of hierarchy levels of the domain name exceeded the maximum for Microsoft Identity Integration Server
2003
unsupported-value-
type
This error is returned by the DSML or LDIF management agent when the type of value given in the file is incompatible with the
type of attribute, including:
O A URI or URL value is given for a non-string attribute or for any reserved keyword such as dn, objectclass, or
changetype.
O A base64 value is given for the changetype attribute.
O A string value containing non-ASCII characters is given for a binary attribute.
$ynchronization errors
Error Description
extension-dll-
exception
This error occurs if a rules extension causes an exception. If you encounter this error, look at the <exception-error-info>
element to examine the call stack of the exception. In some cases, the <rule-error-info> is present and provides additional
information about what rule was being processed when the error occurred.
extension-dll-crash This error occurs when the process executing the rules extension unexpectedly terminated. This error can only occur when a
rule extension is being executed out-of-process. A possible cause for this error value is the rules extension is calling code
that causes an access violation.
extension-dll-timeout This error occurs if the customer has configured an extension timeout and the call on a single customer extension code
entry point exceeds the configured timeout. The <exception-error-info> will give contextual information about what entry
point was being called when it timed out. In some cases the <rule-error-info> will be present and will provide additional
information about which rule was being processed when the error occurred. Note that when you are debugging the process
that is executing the extension, timeouts are not enforced.
extension-projection-
object-type-not-set
This error occurs The implementation of the IMA$ynchronization.$houldProjectToMV method in the rules extension
does not specify the metaverse object type.
extension-projection-
invalid-object-type
This error occurs when the implementation of the IMA$ynchronization.$houldProjectToMV method in the rules
extension sets the value of the outbound metaverse object type to a value that is not listed in Metaverse Designer of
Identity Manager. Check that the method uses one of the specified object type values.
extension-join-
resolution-invalid-
object-type
This error occurs when the implementation of the IMA$ynchronization.ResolveJoin$earch method in the rules extension
sets the value of the outbound metaverse object type to a value that is not listed in Metaverse Designer of Identity
Manager. Check that the method sets the value of the outbound metaverse object type to one of the listed object type
values.
extension-join-
resolution-index-out-
of-bounds
This error occurs when an implementation of the IMA$ynchronization.ResolveJoin$earch method in the rules extension
set an index value that is either negative or greater than equal to the number of metaverse objects.
extension-
provisioning-call-limit-
reached
This error occurs when the IMASynchronization.Provision method is called more than 10 times during the synchronization of
a single object. This method can be called more than once if the customer logic in the Provision method deprovisions an
object and there is attribute recall that causes a change to the metaverse object resulting in a new call to Provision. The
10 call limit for the Provision method is set to stop possible infinite provisioning notes.
extension-
deprovisioning-
invalid-result
This error occurs when an implementation of the IMA$ynchronization.Deprovision method returns an invalid
DeprovisionAction enumeration value. Verify that the method returns a valid value.
extension-entry-point-
not-implemented
This error occurs when a rules extension throws an EntryPointNotImplementedException exception.
extension-
unexpected-attribute-
value
This error occurs when a rules extension throws an UnexpectedDataException exception.
flow-multi-values-to-
single-value
This error occurs when an import or export attribute flow rule configured in Identity Manager attempts to flow an attribute
with multiple values to a single-value attribute. This error is only returned for direct flow rules configured in Identity
Manager. If the flow rule uses a rules extension that flows multiple values to a single-value attribute, the
TooManyValuesException exception is thrown.
cs-attribute-type-
mismatch
This error occurs when the type of the imported attribute does not match the attribute type specified in the management
agent schema. One cause of this error could be that the stored connected data source schema has become out of date with
the actual schema of the connected data source. To bring the stored connected data source schema up-to-date, refresh the
schema using Identity Manager.
join-object-id-must-
be-single-valued
This error occurs when the data source attribute value used to join a metaverse object through a join rule specified in the
properties of a management agent in Identity Manager contains more than one value. The data source attribute value used
in the join rule can only contain a single value.
dn-index-out-of-
bounds
This error occurs when the distinguished name component index value used in an import attribute flow configured in the
properties of a management agent in Identity Manager is larger than the number of components in the distinguished name
of the source object.
connector-filter-rule-
violation
This error occurs when you perform an add or rename provisioning operation or export attribute flow and when a connector
object becomes a filtered disconnector object as a result of a connector-filter configuration. This value does not occur on
explicit connector objects.
unsupported-
container-delete
The management agent is attempting to delete a container object during deprovisioning. Microsoft Identity Integration
Server 2003 management agents cannot delete container objects with child objects.
ambiguous-import-
flow-from-multiple-
connectors
This error occurs when you have multiple connectors under the source management agent connected to the metaverse
object and a declarative import attribute flow rule is defined. To import attributes through a management agent with
multiple connectors to a metaverse object, use a rules extension to define the flow rules rather than configuring a direct
rule in the properties of a management agent.
ambiguous-export-
flow-to-single-valued-
attribute
This error occurs when the export flow rule, configured in the properties for a management agent in Identity Manager,
attempts to flow multiple values from a metaverse object to a single-value attribute.
cannot-parse-object-
id
The string value that is used to search for a metaverse object in a join rule that is specified in the properties of a
management agent in Identity Manager is not in the correct globally unique identifier (GUID) format. The GUID format is
33333333333333333333333333333333< where 3 is a hexadecimal number.
unexported-container-
rename
The implementation of the IMV$ynchronization.Provision or IMA$ynchronization.Deprovision method is attempting
to rename a container object with one or more unexported child objects.
mv-constraint-
violation
This error occurs when direct import attribute flow occurs and the attribute value from the connector space exceeds the
length restrictions of the metaverse attribute.
locking-error-needs-
retry
Multiple management agents are attempting to synchronize the same connector space object. Run the management agent
again.
unique-index-violation A user is manually setting a unique index on an attribute in a metaverse table. Do not manually configure the metaverse
tables.
encryption-key-lost The encryption key sets are missing from the server that is running Microsoft Identity Integration Server 2003.
unexpected-error This error occurs when the synchronization engine tries to apply a change to the metaverse (including provisioning and
export attribute flow). This error can only occur during runs which apply changes to the metaverse. Check the event log for
more information.
exported-change-not-
reimported
This error occurs when changes that are exported to a management agent are not reconfirmed during this import
management agent run. A user or a system process operating outside of Microsoft Identity Integration Server 2003 has
changed the data in the connected data source in a way that indicates a configuration problem where the export attribute
flow rule is trying to flow a value to a connected data source object, but the connected data source automatically resets the
value to something different without reporting an error to the management agent. The <change-not-reimported> element
indicates which changes were not reconfirmed.
cannot-parse-dn-
component
This error is returned by any management agent that has an LDAP-style distinguished name (also known as DN) configured
and synchronization from the connector space to the metaverse has failed. A distinguished name component cannot be
parsed by a dn-component mapping because it is not in the correct format for the destination attribute type.
Export errors
Error Description
cd-missing-object This error is returned when a modify of an object is exported to the connected data source, but the object cannot be found in
the connected data source. It is returned only for call-based management agents. The cause of this error is that a person or
external process has deleted an object from the connected data source outside of Microsoft Identity Integration Server 2003.
cd-existing-object This error is returned when an add is exported to the connected data source, but the object is already present in the connected
data source. It is returned only for call-based management agents and relational database management agents.
duplicate-anchor This error is returned if the anchor on a newly provisioned object is not unique. It is returned only for call-based and database
management agents, as well as the management agent for Sun and Netscape directory servers. If this error is encountered,
check the anchor construction rules to ensure that a unique anchor value for each object has been defined.
ambiguous-update This error is returned when the management agent cannot apply an update or delete delta because the anchor is not unique. It
is returned only for the management agents for Microsoft SQL Server and Oracle Database. If this error is encountered, check
the anchor construction rules to ensure that a unique anchor value for each object has been defined.
password-policy-
violation
This error is returned by the management agents for Active Directory and Active Directory global address list (GAL) when the
password attribute is set or changed to a value that does not meet the administrator-defined password policy of the connected
data source.
password-set-
disallowed
This error is returned by the management agent for Active Directory Application Mode (ADAM) when the password encryption is
set to no encryption or 128-bit Secure Sockets Layer (SSL), and the administrator has not explicitly made an override to allow
password sets in this scenario.
kerberos-time-
skew
This error is returned by the management agents for Active Directory and Active Directory global address list (GAL) when the
password attribute is being set or changed and the Microsoft Identity Integration Server 2003 server machine time is more
than five minutes different from the time on the domain controller.
kerberos-no-logon-
server
This error is returned by the management agents for Active Directory and Active Directory global address list (GAL) when they
try to set or change a password attribute and cannot resolve the server for the domain part of the logon credentials. This can
be caused by an incorrect NetBIOS or DNS configuration.
encryption-not-
enabled
This error is returned by the management agent for Active Directory Application Mode (ADAM) when the password attribute is
set or being changed and the connection that the management agent uses to communicate to the connected data source has
not been configured with an appropriate encryption mechanism (128 bit SSL or TLS). ADAM requires either 128 bit SSL or TLS
configuration for setting passwords.
invalid-dn This error is returned by the management agents for LDAP and Windows NT 4.0 when exporting a newly provisioned object or
renaming an existing object and when the distinguished name is incompatible with the connected data source naming
requirements.
schema-violation This error is returned by the management agent for LDAP when exporting an object modification and adding a attribute that is
not in the connected data source schema or when removing an attribute from an object that is required by the schema.
Microsoft Identity Integration Server 2003 does not allow these operations to occur because its rules check the stored copy of
the connected data source schema. However, this problem might occur if the Microsoft Identity Integration Server 2003
schema is out of date with the connected data source schema. If you encounter this problem, refresh the management agent
schema by using the user interface.
constraint-violation This error is returned by the management agent for LDAP and database management agents when the export of an add,
modify, or delete violates connected data source enforced constraints. Typical causes for the management agent for LDAP
include setting multiple values for a single value attribute, exceeding field width constraints on string and binary attributes, or
violating range constraints on numeric attributes. There are many possible causes for database management agents, including
referential integrity, rules, and constraints that might be defined for their database.
syntax-violation This error is returned by the management agents for LDAP and Windows NT 4.0 when the value for an attribute violates certain
value constraints. For example, when the value being exported contains an invalid character.
modify-naming-
attribute
This error is returned by the management agent for LDAP when a naming attribute (such as CN for many object types) is set to
a value that conflicts with the relative distinguished name (also known as RDN) value. This can happen because of a poorly
defined export attribute flow rule or because an error in the script code that sets initial values on a newly provisioned object.
insufficient-field-
width
This error is returned by the management agent for fixed-width text files when exporting an add or modify to an object and
when the value of an attribute exceeds the width of the column.
insufficient-
columns
This error is returned by the management agents for fixed-width and delimited text files when exporting an add or modify to an
object and when the number of values for a multivalue attribute exceeds the number of columns configured for that attributes
multiple values.
permission-issue This error is returned by the management agents for LDAP and Windows NT 4.0 when the export of an add, modify, or delete
fails because the management agent has insufficient permissions to perform the operation against the connected data source.
dn-attributes-
failure
This error is returned by the management agents for Active Directory, Active Directory global address list (GAL), and Active
Directory Application Mode (ADAM) when exporting an add or modify sets a reference value for which there is no corresponding
connected data source object. If you see this error, use the connector space object viewer to determine which changes to
reference attributes were not successfully exported.
non-existent-
parent
This error is returned by the management agent for LDAP when either the export of an add or a rename fails because the
parent object does not exist in the connected data source.
code-page-
conversion
This error is returned by file-based management agents when the conversion of an attribute value, which is stored in Unicode
within the server running Microsoft Identity Integration Server 2003, to the code page of the export file failed because of
conversion errors.
no-export-to-this-
object-type
This error is returned by the management agent for Windows NT 4.0 when you try to perform provisioning operations or export
attribute flow on computer objects. Export operations are not allowed on this type of object but you can perform an import on
objects of this type.
missing-
provisioning-
attribute
This error is returned by the management agent for Lotus Notes when you are exporting a newly provisioned object and when
certain attributes that are required for provisioning a new object have not been set by the rules extension.
invalid-
provisioning-
attribute-value
This error is returned when you are exporting a newly provisioned object and when certain attributes for provisioning set by the
rules extension are invalid, for example, when they are not in a certain value range.
provision-to-
secondary-nab
This error is specific to the management agent for Lotus Notes when an attempt is made to provision a person or certifier
object to a secondary Lotus Notes address book. Lotus Notes only allows provisioning contacts to secondary address books.
missing-anchor-
component
This error is returned when you are exporting a newly provisioned object and an anchor cannot be generated because a value
required for constructing the anchor is not available. Possible causes are when an attribute is not set during provisioning (that
is, in management agents for Sun or Netscape directory servers, database, and file-based management agents), or it cannot be
read from the connected data source (that is, in management agents for Active Directory, Sun and Netscape directory servers,
and database management agents) when the anchor is constructed from an auto-increment column.
multi-valued-
anchor-component
This error is generated by the management agent for Sun and Netscape directory servers when it cannot construct the anchor
for a newly provisioned object because one of the attributes that are used in constructing the anchor has multiple values.
Attributes used in the anchor construction can be defined to be multivalue in the connected data source schema, but they must
only have a single value on the actual objects in Microsoft Identity Integration Server 2003.
anchor-too-long This error is returned by file-based and database management agents, as well as the management agent for Sun and Netscape
directory servers, when the anchor construction produces an anchor that exceeds the maximum size limit for Microsoft Identity
Integration Server 2003. The maximum length of anchor values for a single attribute in the connector space is 398 characters.
If the anchor is constructed from multiple attributes, subtract 2 characters for each additional attribute. For example, an anchor
constructed of 3 attributes (sn+location+telephoneNumber) would have a limit of 392 characters.
invalid-attribute-
value
This error occurs when you try to flow out an attribute value that contains characters which are invalid for the connected data
source. For example, the attribute values exported to the management agents for fixed-width text files, delimited text files,
and attribute-value pair text files cannot contain CR, LF, or EOF characters.
encryption-key-
lost
This error should not be encountered as part of normal operation. It indicates that Microsoft Identity Integration Server 2003 is
unable to decrypt the value of an encrypted attribute that is stored in the connector space when it loads the object. It might
indicate that the encryption key sets used by Microsoft Identity Integration Server 2003 are missing from the computer. This
error can be generated by any management agent that contains a password attribute such as Active Directory, Active Directory
global address list (GAL), Sun and Netscape directory servers, Lotus Notes, and Windows NT 4.0.
locking-error-
needs-retry
This error should only occur when multiple management agents have tried to synchronize the same connector space object at
the same time. If this error is encountered, try running the export a second time.
cd-error This error is returned when the connected data source has a specialized error type. This error is accompanied by the <cd-
error> element, and the information contained there should aid in troubleshooting.
unexpected-error This error is returned when a change is trying to be exported and the operation causes a malfunction. If this error is
encountered, look in the event log for more information that will help troubleshoot the problem.
no-export-to-this-
object-type
This error is returned by the management agent for Windows NT 4.0 when you try to perform provisioning operations or when
you export attribute flow on computer objects. The management agent for Windows NT 4.0 does not support export operations
on this type of object.
certifier-ou-not-
configured
This error is returned by the management agent for Lotus Notes when you are trying to provision a new user or container and
the certifier name you have specified for the _MMS_Certifier attribute is not the name of a properly configured certifier
container. Each certifier container must be configured using Identity Manager before it can be used in provisioning.
temporary-
certifier-file-
creation-failure
This error is returned by the management agent for Lotus Notes when a new user or container is provisioned and the process
of creating the certifier file fails for any reason (for example, out of disk space, permissions, and so on). The Microsoft Identity
Integration Server 2003 process for creating the certifier file is to fetch the certifier information for the certifier container,
specified by the _MMS_Certifier attribute, and temporarily create a certifier file in the MAData folder of the management agent
for Lotus Notes for use by the Notes API.
unexpected-
provisioning-
attribute
This error is returned by the management agent for Lotus Notes when you are exporting a newly provisioned object and certain
attributes for provisioning, set by the customer extension, should not be included because they are incompatible with the
values of other provisioning attributes. For example, you might see this error when:
O ou create a contact (_MMS_IDRegType=0) and supply any one of the following attributes: _MMS_Certifier,
_MMS_OU, _MMS_Password, _MMS_IDStoreType, _MMS_IDPath, or MailFile
O ou create a US user or International user but do not specify creating an ID file (_MMS_IDStoreType=0), but supply
the _MMS_IDPath or MailFile attributes
O ou create an OU (certifier), and supply the _MMS_OU attribute
O ou create an O (certifier), and supply the _MMS_Certifier attribute