Provision User to AD Fails with "The specified directory service attribute or value already exists"
Okta Classic Engine
Okta Identity Engine
Directories
Overview

When an Okta user is provisioned to an Active Directory OU, the user fails to provision. A failure event for the provisioning task is recorded in the Okta System Log, and the Okta Admin Dashboard gives the following reason for the failure:


The specified directory service attribute or value already exists.


Applies To
  • Directories
  • Active Directory
  • Provisioning
Cause

The failed provisioning task provides the first clue: "The specified directory service attribute or value already exists." Active Directory rejected one of the values Okta sent for the user. The Okta System Log may also contain the error.


The Okta AD Agent logs show the same error with more context, including which attribute AD refused. In this example, the write of "proxyAddresses" fails:

2024/11/25 13:59:19.012-05:00 Info -- <HOSTNAME>(<#>) -- Starting processing of WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:.
2024/11/25 13:59:19.012-05:00 Info -- <HOSTNAME>(<#>) -- Creating <USER_DN> with schemaClass user
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on preferredLanguage attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on physicalDeliveryOfficeName attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on extensionAttribute7 attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on facsimileTelephoneNumber attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on co attribute
2024/11/25 13:59:19.043-05:00 Error -- <HOSTNAME>(<#>) -- DirectoryServicesCOMException: The specified directory service attribute or value already exists.
 ErrorCode=8007200D; ExtendedError=00002083, ExtendedErrorMessage=00002083: AtrErr: DSID-03151F37, #1:
	0: 00002083: DSID-03151F37, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 200d2 (proxyAddresses):len 70
2024/11/25 13:59:19.043-05:00 Error -- <HOSTNAME>(<#>) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:
2024/11/25 13:59:19.043-05:00 Info -- <HOSTNAME>   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CommitChanges(IDirectoryEntry entry, IEnumerable`1 attributeChanges)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CreateObject(String targetDN, String cn, String schemaClass, List`1 properties)
   at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message The specified directory service attribute or value already exists.
 Source=System.DirectoryServices InnerException=.
2024/11/25 13:59:19.043-05:00 Info -- <HOSTNAME>(<#>) -- Processing WRITE_OBJECT action (id=rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:) finished, (executionTime=00:00:00.0263218)


Enabling verbose logging on all Okta AD Agents, restarting all Agents, and then retrying the task logs the full set of values being sent to AD. Reviewing these attributes reveals the offending value:

2024/11/26 10:36:24.573-05:00 Info -- <HOSTNAME>(<#>) -- Starting processing of WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:.
2024/11/26 10:36:24.573-05:00 Info -- <HOSTNAME>(<#>) -- Creating <USER_DN> with schemaClass user
2024/11/26 10:36:24.588-05:00 Verbose -- <HOSTNAME>(<#>) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[<TARGET_OU>] as User:[<USER_CN>]
[CLEAR:preferredLanguage: {} ]
[ADD:telephoneNumber: {<REDACTED>} ]
[ADD:mail: {<REDACTED>} ]
[ADD:displayName: {<REDACTED>} ]
[ADD:postalCode: {<REDACTED>} ]
[ADD:targetAddress: {<REDACTED>} ]
[ADD:description: {<REDACTED>} ]
[ADD:employeeID: {<REDACTED>} ]
[ADD:title: {<REDACTED>} ]
[ADD:employeeNumber: {<REDACTED>} ]
[ADD:division: {<REDACTED>} ]
[ADD:countryCode: {0} ]
[ADD:company: {<REDACTED>} ]
[ADD:sn: {<REDACTED>} ]
[ADD:department: {<REDACTED>} ]
[ADD:userPrincipalName: {<REDACTED>} ]
[ADD:extensionAttribute10: {<REDACTED>} ]
[ADD:extensionAttribute11: {<REDACTED>} ]
[ADD:st: {<REDACTED>} ]
[ADD:c: {US} ]
[CLEAR:physicalDeliveryOfficeName: {} ]
[ADD:manager: {<REDACTED>} ]
[ADD:sAMAccountName: {<REDACTED>} ]
[ADD:givenName: {<REDACTED>} ]
[ADD:mobile: {<REDACTED>} ]
[ADD:extensionAttribute8: {<REDACTED>} ]
[CLEAR:extensionAttribute7: {} ]
[CLEAR:facsimileTelephoneNumber: {} ]
[ADD:l: {<REDACTED>} ]
[CLEAR:co: {} ]
[ADD:extensionAttribute9: {<REDACTED>} ]
[ADD:proxyAddresses: {SMTP:example1@domain.com,SMTP:example1@domain.com,SMTP:example2@domain.com,example3@domain.com,example4@domain.com} ]
[ADD:streetAddress: {<REDACTED>} ]
[ADD:departmentNumber: {<REDACTED>} ]
[ADD:middleName: {<REDACTED>} ]
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on preferredLanguage attribute
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on physicalDeliveryOfficeName attribute
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on extensionAttribute7 attribute
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on facsimileTelephoneNumber attribute
2024/11/26 10:36:24.599-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on co attribute
2024/11/26 10:36:24.599-05:00 Error -- <HOSTNAME>(<#>) -- DirectoryServicesCOMException: The specified directory service attribute or value already exists.
 ErrorCode=8007200D; ExtendedError=00002083, ExtendedErrorMessage=00002083: AtrErr: DSID-03151F37, #1:
	0: 00002083: DSID-03151F37, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 200d2 (proxyAddresses):len 70
2024/11/26 10:36:24.604-05:00 Error -- <HOSTNAME>(<#>) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:
2024/11/26 10:36:24.604-05:00 Info -- <HOSTNAME>   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CommitChanges(IDirectoryEntry entry, IEnumerable`1 attributeChanges)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CreateObject(String targetDN, String cn, String schemaClass, List`1 properties)
   at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message The specified directory service attribute or value already exists.
 Source=System.DirectoryServices InnerException=.
2024/11/26 10:36:24.604-05:00 Info -- <HOSTNAME>(<#>) -- Processing WRITE_OBJECT action (id=rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:) finished, (executionTime=00:00:00.0264974)

In the example above, the same proxyAddresses value (SMTP:example1@domain.com) is sent twice in the ADD list, and AD rejects the whole write with ATT_OR_VALUE_EXISTS.
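Picking the duplicate out of a verbose WRITE_OBJECT dump by eye is error-prone when the agent writes thirty or more attributes per user. The following script is an added example, not code from Okta or the AD Agent: it parses the `[ADD:attr: {values} ]` lines in the format shown above, splits only the attributes known to be multi-valued (so a DN in `manager`, which contains commas, is not split apart), reports any value that is repeated, and shows the de-duplicated list that AD would accept. The sample log text and the `MULTI_VALUED` set are constructed assumptions; the check folds case because AD compares proxyAddresses values case-insensitively when testing for duplicates.

```python
"""Find duplicate multi-valued attribute values in an Okta AD Agent verbose
WRITE_OBJECT dump (the cause of ATT_OR_VALUE_EXISTS / 0x2083 on create).

Added example for this article, not Okta's own code. The log format below is
modelled on the article's excerpt; the values are constructed placeholders.
"""
import re

# Attributes the agent renders as a comma-separated list. Single-valued attributes
# such as manager (a DN with commas) are kept whole. Assumption: extend as needed.
MULTI_VALUED = {"proxyAddresses", "otherTelephone", "otherMobile", "url"}

# Constructed sample, modelled on the verbose excerpt in the article.
SAMPLE_LOG = """\
2024/11/26 10:36:24.588-05:00 Verbose -- HOST(1) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[OU=Users,DC=example,DC=com] as User:[jdoe]
[CLEAR:preferredLanguage: {} ]
[ADD:mail: {jdoe@example.com} ]
[ADD:c: {US} ]
[ADD:manager: {CN=Jane Roe,OU=Users,DC=example,DC=com} ]
[ADD:proxyAddresses: {SMTP:example1@domain.com,SMTP:example1@domain.com,SMTP:example2@domain.com,example3@domain.com,example4@domain.com} ]
[ADD:sAMAccountName: {jdoe} ]
2024/11/26 10:36:24.588-05:00 Warning -- HOST(1) -- CreateObject: Ignoring action CLEAR on preferredLanguage attribute
"""

HEADER_RE = re.compile(
    r"Verbose -- .* -- Action:\[(?P<action>\w+)\], Type:\[(?P<type>\w+)\] "
    r"for TargetDN:\[(?P<target>[^\]]*)\] as User:\[(?P<user>[^\]]*)\]"
)
# One attribute line: [OP:attributeName: {value,value,...} ]
ATTR_RE = re.compile(r"^\[(?P<op>[A-Z]+):(?P<attr>[^:]+): \{(?P<values>.*)\} \]\s*$")


def parse_write_object(log_text):
    """Return (header, attrs); attrs maps attribute name -> (op, [values])."""
    header, attrs = {}, {}
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = m.groupdict()
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # timestamps, warnings, stack-trace lines
        attr, raw = m.group("attr"), m.group("values").strip()
        if not raw:
            values = []
        elif attr in MULTI_VALUED:
            values = [v.strip() for v in raw.split(",") if v.strip()]
        else:
            values = [raw]
        attrs[attr] = (m.group("op"), values)
    return header, attrs


def find_duplicate_values(attrs, case_insensitive=True):
    """Map attribute -> repeated values (first-seen spelling) for ADD operations
    on multi-valued attributes. These are exactly the values AD will reject."""
    dupes = {}
    for attr, (op, values) in attrs.items():
        if op != "ADD" or attr not in MULTI_VALUED:
            continue
        seen, repeated = {}, []
        for v in values:
            key = v.casefold() if case_insensitive else v
            if key in seen:
                if seen[key] not in repeated:
                    repeated.append(seen[key])
            else:
                seen[key] = v
        if repeated:
            dupes[attr] = repeated
    return dupes


def dedupe(values, case_insensitive=True):
    """The list AD would accept: first occurrence of each value, order preserved."""
    seen, out = set(), []
    for v in values:
        key = v.casefold() if case_insensitive else v
        if key not in seen:
            seen.add(key)
            out.append(v)
    return out


if __name__ == "__main__":
    header, attrs = parse_write_object(SAMPLE_LOG)
    print(f"{header['type']} in {header['target']} as {header['user']}")
    for attr, repeated in find_duplicate_values(attrs).items():
        print(f"{attr}: duplicate value(s) {repeated}")
        print(f"  list AD would accept: {dedupe(attrs[attr][1])}")
```

Run it against the agent's log file by replacing `SAMPLE_LOG` with the file contents; the dump for each WRITE_OBJECT action is parsed independently of the surrounding Info and Warning lines.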


In Active Directory, the same error can be reproduced by adding an identical proxyAddresses value twice to a user object.

Solution

Removing the duplicate proxyAddresses value from the list of attributes being sent resolves the issue.


If the existing provisioning task keeps the erroneous value cached until the task is removed, remove the user from the provisioning group and then re-add the user to the same group. This clears and recreates the task, which sends the corrected profile to AD.
