Okta returns an error when provisioning a user to Active Directory (AD) if the manager attribute is passed in the wrong format or the referenced manager account is disabled. Resolve the issue by updating the manager attribute mapping to use the correct format and ensuring the manager account is active. When Okta provisions the user to AD, it generates the following error:
There is no such object on the server
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Provisioning to App
- Distinguished Name (DN)
There are two potential causes for this error:
- AD expects the value for the manager attribute as a Distinguished Name (DN), but Okta passes the attribute in a different format, such as a User Principal Name (UPN).
- Okta sends the manager value to AD as a DN, but the referenced manager account has a disabled status in AD.
How is the manager attribute mapping resolved in Active Directory?
A user's manager value can be mapped from Okta to AD using either managerDN or managerUPN, depending on the organization's needs.
NOTE: If the manager exists in a different AD domain than the user, managerDN must be used for the mapping.
When managerDN is used in the mapping, the value provided must be the full Distinguished Name of the manager's AD account. Confirm that the manager's DN value specified in the user's profile is correct.
- Incorrect:
- Correct:
When managerUPN is mapped, the value provided must be the UPN of the manager's AD account, which must exist in the same AD instance as the user's own AD account.
Regardless of which attribute is mapped, this error also occurs if the referenced manager account is disabled in Active Directory. Either re-enable the manager account or update the user's manager value so that it references an active account before retrying the push.
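The following Python script is an added example and is not Okta's or Microsoft's code. It performs the pre-flight checks an administrator would want before Okta pushes the manager value: whether the value has DN or UPN shape (the first cause above), whether the referenced account exists in the directory and, for a managerUPN mapping, sits in the same domain as the user (the NOTE above), and whether the account's userAccountControl has the ACCOUNTDISABLE bit 0x2 set (the second cause). The directory snapshot `SAMPLE_DIRECTORY`, the account names and the function names are constructed for this example; no LDAP connection is made.

```python
"""Pre-flight validation of a manager value before Okta pushes it to AD.

Added example, not Okta's own code. It models the two failure causes from the
article against a constructed directory snapshot (no LDAP server required):
  1. the mapped value is not a Distinguished Name (e.g. a UPN mapped to managerDN),
  2. the referenced manager account is disabled (userAccountControl bit 0x2).
SAMPLE_DIRECTORY and check_manager_value are hypothetical names for this example.
"""
import re

# userAccountControl flag meaning the account is disabled (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

# Constructed snapshot of AD accounts keyed by DN (example data only).
SAMPLE_DIRECTORY = {
    "CN=Alice Manager,OU=Staff,DC=corp,DC=example,DC=com": {
        "userPrincipalName": "alice.manager@corp.example.com",
        "userAccountControl": UF_NORMAL_ACCOUNT,                      # enabled
    },
    "CN=Bob Former,OU=Staff,DC=corp,DC=example,DC=com": {
        "userPrincipalName": "bob.former@corp.example.com",
        "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,  # disabled
    },
    "CN=Carol Remote,OU=Staff,DC=eu,DC=example,DC=com": {
        "userPrincipalName": "carol.remote@eu.example.com",
        "userAccountControl": UF_NORMAL_ACCOUNT,  # enabled, but in another domain
    },
}

# Loose RFC 4514 shape: one or more "type=value" RDNs separated by commas.
# Escaped commas inside values are not handled; this is a format sanity check.
_DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def value_format(value: str) -> str:
    """Classify a manager value as 'dn', 'upn' or 'unknown'."""
    if _DN_RE.match(value):
        return "dn"
    if _UPN_RE.match(value):
        return "upn"
    return "unknown"


def domain_of_dn(dn: str) -> str:
    """Join the DC components of a DN into a DNS domain name."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in parts if p.lower().startswith("dc="))


def check_manager_value(value: str, mapped_attribute: str, user_dn: str,
                        directory=SAMPLE_DIRECTORY) -> str:
    """Return 'ok' or the reason the push to AD would fail.

    mapped_attribute is 'managerDN' or 'managerUPN', mirroring the two Okta
    mapping choices; user_dn is the DN of the user being provisioned.
    """
    fmt = value_format(value)
    if mapped_attribute == "managerDN":
        if fmt != "dn":
            return f"not a DN (looks like {fmt}); AD expects a Distinguished Name"
        entry = directory.get(value)
        if entry is None:
            return "no such object: DN not found in the directory"
    elif mapped_attribute == "managerUPN":
        if fmt != "upn":
            return f"not a UPN (looks like {fmt})"
        matches = [(dn, e) for dn, e in directory.items()
                   if e["userPrincipalName"].lower() == value.lower()]
        if not matches:
            return "no such object: UPN not found in the directory"
        dn, entry = matches[0]
        if domain_of_dn(dn).lower() != domain_of_dn(user_dn).lower():
            return "manager is in a different domain; map managerDN instead"
    else:
        return f"unsupported mapping {mapped_attribute!r}"
    # Both causes are reported before this point; the disabled check applies
    # regardless of which attribute was mapped.
    if entry["userAccountControl"] & UF_ACCOUNTDISABLE:
        return "manager account is disabled in AD"
    return "ok"


if __name__ == "__main__":
    user = "CN=Dave User,OU=Staff,DC=corp,DC=example,DC=com"
    cases = [
        ("alice.manager@corp.example.com", "managerDN"),                   # UPN where DN expected
        ("CN=Alice Manager,OU=Staff,DC=corp,DC=example,DC=com", "managerDN"),
        ("CN=Bob Former,OU=Staff,DC=corp,DC=example,DC=com", "managerDN"),  # disabled
        ("carol.remote@eu.example.com", "managerUPN"),                     # cross-domain UPN
        ("CN=Carol Remote,OU=Staff,DC=eu,DC=example,DC=com", "managerDN"), # cross-domain DN is fine
    ]
    for value, attr in cases:
        print(f"{attr:<11} {value:<55} -> {check_manager_value(value, attr, user)}")
```

Against a live domain, the same two checks are a lookup of the manager's DN (for example `Get-ADUser -Identity '<manager DN>'` from the ActiveDirectory PowerShell module, which fails if the object does not exist and reports `Enabled` in its default output) followed by a retry of the Okta push once the value and account status are correct.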
