Hi ISIM colleagues,
Now that we have found out the issue, we would like to share it with you.
It is important to stress that the error came from how the ProxyAddress attribute is managed in AD, and it is only important if the ProxyAddress values have to be enforced.
When a personal mailbox is generated for the user or when a Lync/Skype account is created, Exchange automatically provisions new values in the ProxyAddress. In other words, when some values are provisioned into the "SMTP Address" and/or "SIP Address" AD attributes, Exchange includes the same values in the "ProxyAddress" attribute.
If the provisioning policies define some values in the ProxyAddress, when the ISIM adapter tries to incorporate those values after the mailbox/Lync creation, an error is raised since those values already exist: "The value 'SMTP:xxx@mail.com' is already present in the collection."
How to fix it.
- Don't provision those values in the ProxyAddress attribute the first time you are creating the mailbox/Lync account. Once those are created, the ProxyAddress values can be enforced. Here you have a proposal of provisioning policy JavaScript for setting the ProxyAddress:
    // Look up the user's existing account on this service. SIPAddress stays
    // null until the account exists and already carries a SIP address.
    var SIPAddress = null;
    var myAccount = (new AccountSearch()).searchByUidAndService(parameters.eruid[0], service.name);
    if ((myAccount != null) && (myAccount.length > 0)) {
        if ((myAccount[0].getProperty("eradlyncsipadr") != null) && (myAccount[0].getProperty("eradlyncsipadr").length > 0)) {
            SIPAddress = myAccount[0].getProperty("eradlyncsipadr")[0];
        }
    }
    return SIPAddress;
- Change how the ISIM adapter manages the ProxyAddress attribute to remove the previous values before adding new ones. If you don't do that, you will have the same error until ISIM realizes that new values have been provisioned (by Exchange) in the ProxyAddress attribute, i.e., until the next service reconciliation.
dn: erobjectprofilename=ADprofile,ou=serviceProfile,ou=itim,ou=xxx,DC=COM
changetype: modify
replace: eropmultireplace
eropmultireplace: modify=st,postofficebox,mail,telephonenumber,homephone,mobile,description,cn,title,l,pager,postalcode,street,givenname,sn,erADLoginWorkstations,erADEProxyAddresses
In the adapter log it can be seen how a Clear() is done before the Add() of values in the ProxyAddress:
DBG:21/06/08 14:46:19 Thread:006688 Attribute operation type is replace so clearing the idlist to fill new set of values
DTL:21/06/08 14:46:19 Thread:006688 EXCH 32 02:46:19 Invoking: $6688.Clear()
I hope it could be interesting for you.
------------------------------
Felipe Risalde Serrano
Security Expert
Banco de España
------------------------------
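An added example, not part of the original posts or of the ISIM adapter: a small JavaScript scanner for adapter log lines in the layout quoted in this thread. It reports every "already present in the collection" rejection together with whether a Clear() preceded the Add() calls on the same thread. The sample log, mailbox names and addresses are constructed placeholders, and the function name is hypothetical.

```javascript
// SAMPLE_LOG is constructed for illustration, following the line layout of the
// adapter log quoted in this thread; all names and addresses are placeholders.
const SAMPLE_LOG = [
  "DTL:21/03/18 10:31:16 Thread:000101 EXCH 1004 10:31:16 Invoking: $101 = (get-mailbox 'user1@example.test' -DomainController 'dc01').EmailAddresses",
  "DTL:21/03/18 10:31:16 Thread:000101 EXCH 1004 10:31:16 Invoking: $101.Add( 'SMTP:user1@mail.example.test' )",
  "DTL:21/03/18 10:31:16 Thread:000101 EXCH 1004 10:31:16 Invoking: set-mailbox -Identity 'user1@example.test' -EmailAddresses $101 -DomainController 'dc01'",
  "DTL:21/03/18 10:31:16 Thread:000101 EXCH 1004 10:31:16 Cannot process argument transformation on parameter 'EmailAddresses'. Error: \"The value 'SMTP:user1@mail.example.test' is already present in the collection.\"",
  "DTL:21/06/08 14:46:19 Thread:000202 EXCH 32 02:46:19 Invoking: $202 = (get-mailbox 'user2@example.test' -DomainController 'dc01').EmailAddresses",
  "DBG:21/06/08 14:46:19 Thread:000202 Attribute operation type is replace so clearing the idlist to fill new set of values",
  "DTL:21/06/08 14:46:19 Thread:000202 EXCH 32 02:46:19 Invoking: $202.Clear()",
  "DTL:21/06/08 14:46:19 Thread:000202 EXCH 32 02:46:19 Invoking: $202.Add( 'SMTP:user2@mail.example.test' )",
  "DTL:21/06/08 14:46:19 Thread:000202 EXCH 32 02:46:19 Invoking: set-mailbox -Identity 'user2@example.test' -EmailAddresses $202 -DomainController 'dc01'",
].join("\n");

// Correlate log lines per adapter thread and report duplicate-value rejections.
function findDuplicateProxyAddressFailures(logText) {
  const threads = new Map(); // thread id -> state of the operation in progress
  const findings = [];
  for (const line of logText.split(/\r?\n/)) {
    const head = /^[A-Z]{3}:(\S+ \S+) Thread:(\d+) (.*)$/.exec(line);
    if (!head) continue; // not an adapter log line
    const [, timestamp, thread, rest] = head;
    let m;
    if ((m = /Invoking: \$\d+ = \(get-mailbox '([^']+)'/.exec(rest))) {
      // Reading EmailAddresses starts a fresh operation on this thread.
      threads.set(thread, { mailbox: m[1], cleared: false, added: [] });
      continue;
    }
    const state = threads.get(thread);
    if (!state) continue;
    if (/Invoking: \$\d+\.Clear\(\)/.test(rest)) {
      state.cleared = true; // replace semantics: old values are dropped first
    } else if ((m = /Invoking: \$\d+\.Add\( '([^']+)' \)/.exec(rest))) {
      state.added.push(m[1]);
    } else if ((m = /The value '([^']+)' is already present in the collection/.exec(rest))) {
      findings.push({
        timestamp, thread, mailbox: state.mailbox, duplicate: m[1],
        clearedBeforeAdd: state.cleared,      // false => add-only semantics
        wasAdded: state.added.includes(m[1]), // the adapter itself sent this value
      });
    }
  }
  return findings;
}

console.log(findDuplicateProxyAddressFailures(SAMPLE_LOG));
```

A finding with `clearedBeforeAdd: false` points at an account whose ProxyAddress is still handled with add semantics, i.e. a candidate for the `eropmultireplace` change described above.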
Original Message:
Sent: Thu March 18, 2021 10:17 AM
From: Felipe Risalde Serrano
Subject: Running an add account operation a modify operation is triggered
I have seen that the error didn't come from the provisioning policy but from how the adapter is managing this attribute. I have seen the following entries in the adapter log:
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 Collection<PSObject> po:
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 SMTP:q31830@correo.interno
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 sip:pablo.mateo@mydomain.com
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 Invoking: $8116 = (get-mailbox 'q31830@mydomain.com' -DomainController 'snt0051').EmailAddresses
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 Invoking: $8116.Add( 'SMTP:q31830@correo.interno' )
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 Invoking: $8116.Add( 'sip:pablo.mateo@mydomain.com' )
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 Invoking: set-mailbox -Identity 'q31830@mydomain.com' -EmailAddresses $8116 -DomainController 'snt0051'
DTL:21/03/18 10:31:16 Thread:008116 EXCH 1004 10:31:16 Cannot process argument transformation on parameter 'EmailAddresses'. Cannot convert value "System.Collections.ArrayList" to type "Microsoft.Exchange.Data.ProxyAddressCollection". Error: "The value 'SMTP:q31830@correo.interno' is already present in the collection."
Moreover, once the account is created and reconciled by ISIM, the next operations for modifying this attribute will work fine; it may be because Exchange has created the ProxyAddress by itself.
We have to find out the differences with the adapter in our testing environment, since it didn't happen there.
On the other hand, I don't understand why, once the former operation failed, the server (or the adapter) runs a second operation for modifying the attributes which were wrongly provisioned during the add account.
------------------------------
Felipe Risalde Serrano
Security Expert
Banco de España
Original Message:
Sent: Wed March 17, 2021 01:09 PM
From: Felipe Risalde Serrano
Subject: Running an add account operation a modify operation is triggered
Hi ISIM colleagues,
I would like to share with you an odd ISIM behaviour instead of opening a PMR, because I am sure it is a configuration issue but I am not able to find out what the reason is.
Summary: when running an add account operation, a modify operation is triggered, although in the workflow design there is just one CREATEACCOUNT extension.
Reason: it happens when the AD account provisioning policy is modified to manage the 'Proxy Address' field. This attribute is used to define the primary and secondary email addresses. In the attached document you can find the details of the issue and the provisioning policy definition. The idea is to set Excluded fixed values which are overwritten by the result of the Mandatory JavaScript. The JavaScript result is working fine, as can be seen in the add request; indeed it is working in the modify account operation.
Any clue?
------------------------------
Felipe Risalde Serrano
Security Expert
Banco de España
------------------------------