
Okta Active Directory Provisioning Fails With "The specified directory service attribute or value already exists" Error


Overview

Okta generates a specific directory service error when an Active Directory provisioning task fails due to duplicate attribute values. Removing the duplicate attribute from the provisioning profile and recreating the task resolves the issue.

 

In the Okta Admin Console, the failed AD provisioning task shows the following directory service error message when the cause is a duplicate attribute value:

 

The specified directory service attribute or value already exists.

 

Tasks

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Provisioning

Cause

The failed provisioning task indicates that AD rejects a value sent by Okta. Review the Okta System Log to identify the specific directory service error associated with the failed provisioning task.

 

System logs.

 

Review the Okta AD Agent logs to identify the specific attribute, such as proxyAddresses, that fails to write.

 

2024/11/25 13:59:19.012-05:00 Info -- <HOSTNAME>(<#>) -- Starting processing of WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:.
2024/11/25 13:59:19.012-05:00 Info -- <HOSTNAME>(<#>) -- Creating <USER_DN> with schemaClass user
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on preferredLanguage attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on physicalDeliveryOfficeName attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on extensionAttribute7 attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on facsimileTelephoneNumber attribute
2024/11/25 13:59:19.028-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on co attribute
2024/11/25 13:59:19.043-05:00 Error -- <HOSTNAME>(<#>) -- DirectoryServicesCOMException: The specified directory service attribute or value already exists.
 ErrorCode=8007200D; ExtendedError=00002083, ExtendedErrorMessage=00002083: AtrErr: DSID-03151F37, #1:
	0: 00002083: DSID-03151F37, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 200d2 (proxyAddresses):len 70
2024/11/25 13:59:19.043-05:00 Error -- <HOSTNAME>(<#>) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:
2024/11/25 13:59:19.043-05:00 Info -- <HOSTNAME>   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CommitChanges(IDirectoryEntry entry, IEnumerable`1 attributeChanges)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CreateObject(String targetDN, String cn, String schemaClass, List`1 properties)
   at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message The specified directory service attribute or value already exists.
 Source=System.DirectoryServices InnerException=.
2024/11/25 13:59:19.043-05:00 Info -- <HOSTNAME>(<#>) -- Processing WRITE_OBJECT action (id=rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:) finished, (executionTime=00:00:00.0263218)

 

Enable verbose logging on all Okta AD Agents, restart the agents, and retry the task to reveal the exact values sent to AD and identify the offending attribute.

 

 

In the example below, the proxyAddresses attribute includes the same example1@domain.com value twice.

2024/11/26 10:36:24.573-05:00 Info -- <HOSTNAME>(<#>) -- Starting processing of WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:.
2024/11/26 10:36:24.573-05:00 Info -- <HOSTNAME>(<#>) -- Creating <USER_DN> with schemaClass user
2024/11/26 10:36:24.588-05:00 Verbose -- <HOSTNAME>(<#>) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[<TARGET_OU>] as User:[<USER_CN>]
[CLEAR:preferredLanguage: {} ]
[ADD:telephoneNumber: {<REDACTED>} ]
[ADD:mail: {<REDACTED>} ]
[ADD:displayName: {<REDACTED>} ]
[ADD:postalCode: {<REDACTED>} ]
[ADD:targetAddress: {<REDACTED>} ]
[ADD:description: {<REDACTED>} ]
[ADD:employeeID: {<REDACTED>} ]
[ADD:title: {<REDACTED>} ]
[ADD:employeeNumber: {<REDACTED>} ]
[ADD:division: {<REDACTED>} ]
[ADD:countryCode: {0} ]
[ADD:company: {<REDACTED>} ]
[ADD:sn: {<REDACTED>} ]
[ADD:department: {<REDACTED>} ]
[ADD:userPrincipalName: {<REDACTED>} ]
[ADD:extensionAttribute10: {<REDACTED>} ]
[ADD:extensionAttribute11: {<REDACTED>} ]
[ADD:st: {<REDACTED>} ]
[ADD:c: {US} ]
[CLEAR:physicalDeliveryOfficeName: {} ]
[ADD:manager: {<REDACTED>} ]
[ADD:sAMAccountName: {<REDACTED>} ]
[ADD:givenName: {<REDACTED>} ]
[ADD:mobile: {<REDACTED>} ]
[ADD:extensionAttribute8: {<REDACTED>} ]
[CLEAR:extensionAttribute7: {} ]
[CLEAR:facsimileTelephoneNumber: {} ]
[ADD:l: {<REDACTED>} ]
[CLEAR:co: {} ]
[ADD:extensionAttribute9: {<REDACTED>} ]
[ADD:proxyAddresses: {SMTP:example1@domain.com,SMTP:example1@domain.com,SMTP:example2@domain.com,example3@domain.com,example4@domain.com} ]
[ADD:streetAddress: {<REDACTED>} ]
[ADD:departmentNumber: {<REDACTED>} ]
[ADD:middleName: {<REDACTED>} ]
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on preferredLanguage attribute
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on physicalDeliveryOfficeName attribute
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on extensionAttribute7 attribute
2024/11/26 10:36:24.588-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on facsimileTelephoneNumber attribute
2024/11/26 10:36:24.599-05:00 Warning -- <HOSTNAME>(<#>) -- CreateObject: Ignoring action CLEAR on co attribute
2024/11/26 10:36:24.599-05:00 Error -- <HOSTNAME>(<#>) -- DirectoryServicesCOMException: The specified directory service attribute or value already exists.
 ErrorCode=8007200D; ExtendedError=00002083, ExtendedErrorMessage=00002083: AtrErr: DSID-03151F37, #1:
	0: 00002083: DSID-03151F37, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 200d2 (proxyAddresses):len 70
2024/11/26 10:36:24.604-05:00 Error -- <HOSTNAME>(<#>) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:
2024/11/26 10:36:24.604-05:00 Info -- <HOSTNAME>   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CommitChanges(IDirectoryEntry entry, IEnumerable`1 attributeChanges)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CreateObject(String targetDN, String cn, String schemaClass, List`1 properties)
   at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message The specified directory service attribute or value already exists.
 Source=System.DirectoryServices InnerException=.
2024/11/26 10:36:24.604-05:00 Info -- <HOSTNAME>(<#>) -- Processing WRITE_OBJECT action (id=rpc::app.active_directory.agent.reply.<OKTA_INTERNAL_SERVER>//<EVENT_COUNTER>//<REQUEST_ID>:<UUID>:) finished, (executionTime=00:00:00.0264974)
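
The check described above, as an added example (not Okta's code): it reads a verbose agent log, takes the attribute name from the ATT_OR_VALUE_EXISTS line, and lists the values that repeat in that attribute's ADD entry. The function names, the comma split of the value list, and the case-insensitive comparison are assumptions of this example; the sample log is constructed from the excerpt above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the verbose agent log excerpt above.
# The manager DN repeats OU=Staff on purpose: a plain comma split would
# flag it, which is why only attributes AD rejected are inspected.
SAMPLE_LOG = """\
2024/11/26 10:36:24.588-05:00 Verbose -- <HOSTNAME>(<#>) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[<TARGET_OU>] as User:[<USER_CN>]
[CLEAR:preferredLanguage: {} ]
[ADD:mail: {<REDACTED>} ]
[ADD:manager: {CN=Jane Doe,OU=Staff,OU=Staff,DC=domain,DC=com} ]
[ADD:proxyAddresses: {SMTP:example1@domain.com,SMTP:example1@domain.com,SMTP:example2@domain.com,example3@domain.com} ]
2024/11/26 10:36:24.599-05:00 Error -- <HOSTNAME>(<#>) -- DirectoryServicesCOMException: The specified directory service attribute or value already exists.
\t0: 00002083: DSID-03151F37, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 200d2 (proxyAddresses):len 70
"""

# Verbose entry of the form "[ADD:<attribute>: {<v1>,<v2>,...} ]".
ADD_RE = re.compile(r"^\[ADD:(?P<attr>[^:]+): \{(?P<values>.*)\} \][ \t]*$", re.M)
# Attribute name AD reports next to the ATT_OR_VALUE_EXISTS problem code.
ERR_RE = re.compile(r"\(ATT_OR_VALUE_EXISTS\).*?Att \w+ \((?P<attr>[^)]+)\)")


def failed_attributes(log: str) -> set:
    """Attribute names that AD rejected with ATT_OR_VALUE_EXISTS."""
    return {m["attr"] for m in ERR_RE.finditer(log)}


def duplicate_values(log: str) -> dict:
    """Map each rejected attribute to the values sent more than once."""
    flagged = {a.lower() for a in failed_attributes(log)}
    report = {}
    for m in ADD_RE.finditer(log):
        attr = m["attr"]
        if attr.lower() not in flagged:
            continue  # not the attribute AD complained about
        values = [v.strip() for v in m["values"].split(",") if v.strip()]
        # Assumption: values are compared ignoring case.
        counts = Counter(v.lower() for v in values)
        dupes = sorted({v for v in values if counts[v.lower()] > 1}, key=str.lower)
        if dupes:
            report[attr] = dupes
    return report


if __name__ == "__main__":
    for attr, dupes in duplicate_values(SAMPLE_LOG).items():
        print(f"{attr}: duplicate value(s) {', '.join(dupes)}")
```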

 

In Active Directory, this error can be replicated by adding the same proxyAddresses value twice to a user profile.

AD error

Solution

How is the Active Directory provisioning failure caused by a duplicate attribute error resolved?

Remove the duplicate attribute value from the provisioning profile and clear the cached task by following these steps:

  • Remove the duplicate attribute value, such as example1@domain.com, from the proxyAddresses attribute.

 

If the existing provisioning task keeps the erroneous value in the cache:

  1. Remove the user from the provisioning group.
  2. Re-add the user to the same provisioning group to clear and recreate the task, which sends the correct profile values to AD.