(2016-01-10) Joining Criteria In Azure AD Connect Throws An Error When Leveraging A Custom Attribute
Posted by Jorge on 2016-01-10
At some point during the Azure AD Connect Installation Wizard, you need to select how objects will be matched within Azure AD Sync/Connect and how users will be identified within Azure AD. The attribute “iamTECImmutableID” is an attribute in my TEST/DEMO AD forest. You should NOT use it in your AD forest. You should use your own custom AD attribute!
Figure 1: Specifying Object Matching Within Azure AD Sync And Object Identification Within Azure AD
As you can see, there are 5 options to choose from with regards to object matching within Azure AD Sync/Connect. The first 4 options use “default” attributes that are known both to AD and to the MV (metaverse) in Azure AD Sync/Connect. The last option allows you to specify any attribute that is known to the AD schema. When choosing the 5th option (“A Specific Attribute”), you must be aware that the name of the attribute chosen must also exist in the MV of Azure AD Sync/Connect, because the join is configured as cs:<attribute> – mv:<attribute>. If you choose an attribute that is already known within the MV of Azure AD Sync/Connect, then you are good to go. If you choose an attribute that is NOT yet known within the MV of Azure AD Sync/Connect, then you will experience issues later on. You will see an error similar to what is displayed below.
Figure 1: Error “JoinCondition’s specified target attribute ‘iamTECImmutableID’ is not a defined attribute type”
The clue is in the sentence “JoinCondition’s specified target attribute ‘iamTECImmutableID’ is not a defined attribute type”. Basically it is saying “The attribute ‘iamTECImmutableID’ does not exist in the Metaverse (MV)”. Because the attribute does not exist there, the join criteria cannot be created. Clicking [Retry] won’t help until you add the attribute to the MV. After adding the attribute to the MV and clicking [Retry], you could see a similar error message as shown below.
Figure 2: Error “Failed To Set Connector <Error>E_MMS_SCHEMA_CLASS_NOT_FOUND</Error>”
Clicking [Retry] won’t help. At least, that’s what I experienced. The only solution I could use was aborting the wizard by clicking on the cross in the upper right corner. After that, uninstall Azure AD Connect by running the MSI and choosing Remove. There is no need to uninstall the supporting components. Last but not least, make sure to delete everything in “C:\Program Files\Microsoft Azure AD Sync\Data”, otherwise you will get an error during installation that the folder is not empty.
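Before re-running the installer, it is worth confirming that the custom attribute you intend to pick for “A Specific Attribute” actually exists in the AD schema and has properties suitable for a join (single-valued, string syntax, indexed in AD). The PowerShell below is an added example and not part of the original post; it assumes the ActiveDirectory RSAT module is available on the machine and uses the author’s TEST/DEMO attribute name “iamTECImmutableID” only as a placeholder for your own attribute.

```powershell
# Added example (not from the original post): pre-flight check of a custom
# AD schema attribute before selecting it as "A Specific Attribute" in the
# Azure AD Connect wizard. Assumes the ActiveDirectory RSAT module is installed.
# 'iamTECImmutableID' is the author's TEST/DEMO example name; replace it with
# the custom attribute used in your own forest.
param(
    [string]$AttributeName = 'iamTECImmutableID'
)

Import-Module ActiveDirectory

# Look the attribute up in the schema naming context by its LDAP display name.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags

if (-not $attr) {
    Write-Warning "Attribute '$AttributeName' does not exist in the AD schema."
    return
}

# searchFlags bit 0x1 (fATTINDEX) means the attribute is indexed in AD.
$isIndexed = ($attr.searchFlags -band 0x1) -ne 0

# attributeSyntax 2.5.5.12 is Unicode (DirectoryString); a string attribute
# maps to an indexable string attribute when you define it in the metaverse.
$report = [pscustomobject]@{
    Attribute    = $attr.lDAPDisplayName
    Syntax       = $attr.attributeSyntax
    SingleValued = $attr.isSingleValued
    IndexedInAD  = $isIndexed
}
$report

if (-not $attr.isSingleValued) {
    Write-Warning "'$AttributeName' is multi-valued; a join attribute is expected to hold one value per object."
}
if (-not $isIndexed) {
    Write-Warning "'$AttributeName' is not indexed in AD; consider indexing it so the join lookup is efficient."
}
if ($attr.attributeSyntax -ne '2.5.5.12') {
    Write-Warning "'$AttributeName' is not a Unicode string; make sure the metaverse attribute type you create matches it."
}
```

This only covers the AD side of the join. Whether the attribute is known to the metaverse is what the wizard error above is complaining about, and that is checked (and fixed) in the Synchronization Service client’s Metaverse Designer as described in the steps that follow.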
Now you can re-execute the MSI and install Azure AD Connect again. As soon as you have configured the screen as shown in figure 1, DO NOT click on [Next]. Rather, start the Azure AD Connect Synchronization Service client. Then:
- Click on Metaverse Designer
- Click the person object
- Click Add Attribute
- Click New Attribute
- Specify the name of the attribute. It should be the same name as the name used in AD.
- Specify the type of the attribute. It should match the type of the attribute in AD, and make sure it is indexable.
- Check “Indexed”. This is needed as the attribute is used in join criteria.
- Click [OK] twice
Figure 3: Defining A New Attribute In The Metaverse
Close the Azure AD Connect Synchronization Service client.
Now click on [Next] as shown in figure 1. Everything should be OK now and you are good to go!
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
This entry was posted on 2016-01-10 at 23:28 and is filed under Azure AD Connect, Windows Azure Active Directory.