Zone users are removed from zone and now ZPA will not provision new users.
Applies to:
All versions of Centrify Zone Provisioning agent.
Problem:
ZPA is no longer provisioning AD users into zone.
Background:
Before the issue appeared, some or all zone profiles were deleted from the zone in question.
ZPA log shows the following:
[2014-09-10 16:54:17.743 -0400]Centrify.Provisioning.Agent.exe[4848,6] Warning: ProvisioningWorker.LogEvent: Failure:
[2014-09-10 16:54:17.743 -0400] Centrify.Provisioning.Agent.exe[4848,6] Warning: ProvisioningWorker.LogEvent: testlab.net/Zone1
[2014-09-10 16:54:17.743 -0400] Centrify.Provisioning.Agent.exe[4848,6] Warning: ProvisioningWorker.LogEvent: - Failed to provision user aduser1@testlab.net. Error: The UNIX name is already in use.
Resolution:
This issue stems from leftover Service Connection Point (SCP) artifacts in AD from the users previously provisioned for this zone.
Steps to resolve as authorized administrator:
1. Launch Centrify Access Manager.
2. Right-click the zone in question and select Properties.
3. Take note of the Location listed on the General tab.
4. As a precaution, open "authentication", then right-click Users and select Export to take a backup of the existing users and their UNIX profiles.
5. Start Active Directory Users and Computers (ADUC).
6. Drill down to the location from step #3.
7. Expand the zone container and open the "users" container.
8. Remove the conflicting Service Connection Points from this container so that ZPA can provision those users again.
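To limit step 8 to the SCPs that actually conflict, the affected users can be read out of the ZPA log first. The script below is an added example, not Centrify code: it parses entries in the format quoted above and groups the users that failed with "The UNIX name is already in use." by zone. The function names and the second sample record (aduser2) are constructed for this example.

```python
import re
from collections import defaultdict

# Entry prefix: [timestamp] process[pid,thread] Level: ProvisioningWorker.LogEvent:
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\]\s*"
    r"Centrify\.Provisioning\.Agent\.exe\[\d+,\d+\]\s+"
    r"\w+: ProvisioningWorker\.LogEvent:\s*"
)
FAILED = re.compile(r"- Failed to provision user (?P<user>\S+)\. Error: (?P<error>.+)")
CONFLICT = "The UNIX name is already in use."

P = "Centrify.Provisioning.Agent.exe[4848,6] Warning: ProvisioningWorker.LogEvent:"
# First record: the entries quoted in this article, run together on one line.
# Second record: constructed for this example (aduser2, later timestamp).
SAMPLE = (
    f"[2014-09-10 16:54:17.743 -0400]{P} Failure: "
    f"[2014-09-10 16:54:17.743 -0400] {P} testlab.net/Zone1 "
    f"[2014-09-10 16:54:17.743 -0400] {P} - Failed to provision user "
    "aduser1@testlab.net. Error: The UNIX name is already in use.\n"
    f"[2014-09-10 16:54:18.101 -0400] {P} Failure:\n"
    f"[2014-09-10 16:54:18.101 -0400] {P} testlab.net/Zone1\n"
    f"[2014-09-10 16:54:18.101 -0400] {P} - Failed to provision user "
    "aduser2@testlab.net. Error: The UNIX name is already in use.\n"
)

def parse_failures(text):
    """Return (timestamp, zone, user, error) for each failed provisioning."""
    # Split on the entry prefix, not on newlines: entries may share a line.
    marks = list(ENTRY.finditer(text))
    results, zone, expect_zone = [], None, False
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        msg = text[m.end():end].strip()
        failed = FAILED.fullmatch(msg)
        if msg == "Failure:":
            expect_zone = True      # the next entry names the zone
        elif failed:
            results.append((m["ts"], zone, failed["user"], failed["error"]))
        elif expect_zone:
            zone, expect_zone = msg, False
    return results

def conflicts_by_zone(text):
    """Map zone -> sorted users whose provisioning hit the UNIX-name conflict."""
    by_zone = defaultdict(set)
    for _ts, zone, user, error in parse_failures(text):
        if error == CONFLICT:
            by_zone[zone].add(user)
    return {z: sorted(users) for z, users in by_zone.items()}
```

Compare the resulting user list with the export taken in step 4 before deleting anything from the "users" container.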