Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-01-10) Joining Criteria In Azure AD Connect Throws An Error When Leveraging A Custom Attribute

Posted by Jorge on 2016-01-10


At some point during the Azure AD Connect Installation Wizard, you need to select how objects will be matched within Azure AD Sync/Connect and how users will be identified within Azure AD. The attribute “iamTECImmutableID” is an attribute in my TEST/DEMO AD forest. You should NOT use it in your AD forest. You should use your own custom AD attribute!


Figure 1: Specifying Object Matching Within Azure AD Sync And Object Identification Within Azure AD

As you can see, there are 5 options to choose from with regards to object matching within Azure AD Sync/Connect. The first 4 options use “default” attributes that are known both to AD and to the metaverse (MV) in Azure AD Sync/Connect. The last option allows you to specify any attribute that is known to the AD schema. When choosing the 5th option (“A Specific Attribute”), you must be aware that an attribute with the same name must also exist in the MV of Azure AD Sync/Connect, because the join is similar to cs:<attribute> – mv:<attribute>. If you choose an attribute that is already known within the MV of Azure AD Sync/Connect, you are good to go. If you choose an attribute that is NOT yet known within the MV of Azure AD Sync/Connect, you will experience issues later on. You will see an error similar to what is displayed below.


Figure 1: Error “JoinCondition’s specified target attribute ‘iamTECImmutableID’ is not a defined attribute type”

The clue is in the sentence “JoinCondition’s specified target attribute ‘iamTECImmutableID’ is not a defined attribute type”. Basically it is saying “The attribute ‘iamTECImmutableID’ does not exist in the Metaverse (MV)”. Because it does not exist, the join criteria cannot be created. Clicking [Retry] won’t help until you add the attribute to the MV. After adding the attribute to the MV and clicking [Retry], you could see an error message similar to the one shown below.


Figure 2: Error “Failed To Set Connector <Error>E_MMS_SCHEMA_CLASS_NOT_FOUND</Error>”

Clicking [Retry] won’t help. At least, that’s what I experienced. The only solution I could use was aborting the wizard by clicking on the cross in the upper right corner. After that, uninstall Azure AD Connect by running the MSI and choosing remove. There is no need to uninstall the supporting components. Last but not least, make sure to delete everything in “C:\Program Files\Microsoft Azure AD Sync\Data”, otherwise you will get an error during installation that the folder is not empty.

Now you can re-execute the MSI and install Azure AD Connect again. As soon as you have configured the screen as shown in figure 1, DO NOT click on [Next]. Rather, start the Azure AD Connect Synchronization Service client. Then:

  • Click on Metaverse Designer
  • Click person object
  • Click Add Attribute
  • Click New Attribute

Specify the name of the attribute. It must be exactly the same name as the name used in AD.

Specify the type of the attribute. It should match the type of the attribute in AD, and make sure it is an indexable type.

Check “Indexed”. This is needed because the attribute is used in join criteria.

Click [OK] twice.


Figure 3: Defining A New Attribute In The Metaverse

Close the Azure AD Connect Synchronization Service client.

Now click on [Next] as shown in figure 1. Everything should be OK now and you are good to go!
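As an added pre-flight check (not part of the original post), the following PowerShell script queries the AD schema for the custom attribute before you pick it in the wizard, so you know its exact name, whether it is indexed, and which Metaverse Designer type to create. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the syntax-OID-to-MV-type mapping is my own assumption and should be verified in your forest.

```powershell
# Added example: verify a custom AD attribute before using it as join criteria.
# Run on a domain-joined machine with the ActiveDirectory module; pass YOUR attribute name.
param(
    [Parameter(Mandatory)] [string] $AttributeName   # e.g. your own custom attribute, not iamTECImmutableID
)
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags

if (-not $attr) {
    Write-Warning "'$AttributeName' is not defined in the AD schema; the wizard cannot use it."
    return
}

# Assumed mapping from AD attributeSyntax OID to the type offered by the Metaverse Designer.
# Only indexable types can be checked "Indexed", which the join criteria require.
$mvType = switch ($attr.attributeSyntax) {
    '2.5.5.12' { 'String (indexable)' }   # Unicode String
    '2.5.5.5'  { 'String (indexable)' }   # IA5 / Printable String
    '2.5.5.10' { 'Binary (indexable)' }   # Octet String
    '2.5.5.9'  { 'Number' }               # Integer / Enumeration
    '2.5.5.16' { 'Number' }               # Large Integer
    '2.5.5.8'  { 'Boolean' }
    '2.5.5.1'  { 'Reference (DN)' }
    default    { "unknown ($($attr.attributeSyntax)) - check manually" }
}

# searchFlags bit 0 set means the attribute is indexed in AD (needed for efficient lookups).
$isIndexedInAD = ($attr.searchFlags -band 1) -eq 1

[pscustomobject]@{
    Attribute           = $attr.lDAPDisplayName   # use this exact name in the Metaverse Designer
    ADSyntax            = $attr.attributeSyntax
    SingleValued        = $attr.isSingleValued
    IndexedInAD         = $isIndexedInAD
    SuggestedMVType     = $mvType
    CheckIndexedInMV    = $true                   # always tick "Indexed" in the MV for join criteria
}
```

If the object reports an unknown syntax or a non-indexable type, pick a different attribute rather than creating an MV attribute that cannot be indexed.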

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

2 Responses to “(2016-01-10) Joining Criteria In Azure AD Connect Throws An Error When Leveraging A Custom Attribute”

  1. […] metaverse (MV), you will end up with errors during the installation as described in this blog post (2016-01-10) Joining Criteria In Azure AD Connect Throws An Error When Leveraging A Custom Attribute. In this case I chose an attribute that I added to the AD schema myself and in that […]

  2. […] Now DO NOT continue by clicking [Next]! Why? If the attributes chosen do not exist in the metaverse (MV) with the exact same name, the installation of AAD Connect will fail at the end and you will need to uninstall and reinstall again. Read more about this here. […]
