Symantec IGA

We'd like to know if anyone has a possitive experience with Lync Server (Skype for Business)  did it work?  how do you create a new skype for business user account using Identity Manager?

In our experience it's not possible to create an AD user account with skype for Business attributes, neither can we assign those attributes to an already created AD account


We have already opened 2 cases with CA Support:  1068904 and 20062206   as well as asking here in the community


We get this error when we try to create a user with a skype provisioning role:

Causa: Active Dir. Account 'XXX' on 'ActiveDirectory' modification failed: Connector Server Modify failed: code 70 (RESULTS_TOO_LARGE): failed to modify entry: eTADSAccountName=XXX,eTADSOrgUnitName=Usuarios,eTADSOrgUnitName=Sucursales BF,eTADSDirectoryName=ActiveDirectory,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@svriam: JNDI: [LDAP: error code 70 - Unable to determine Lync User Enabled status: No se encontró ningún objeto de administración para la identidad "CN=XXX,OU=Usuarios,OU=Sucursales BF,DC=bfamiliar,DC=com,DC=py".]: failed to modify eTADSAccountName=XXX,eTADSOrgUnitName=Usuarios,eTADSOrgUnitName=Sucursales BF,eTADSDirectoryName=ActiveDirectory,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://svriam.bfamiliar.com.py:20411) Action: Assign user "XXX (LPAL)" provisioning role "AD-Skype": Failed to execute AssignProvisioningRoleEvent.

The Connector between IM and Skype uses Remote Powershell functionality that has a flaw in it, that sometimes returns an error, and that Microsoft have allegedly said they will not be fixing (back in 2017).  Broadcom say it is a Microsoft issue.  This is the error concerning Types not matching.  The same command sometimes fails but issuing the exact same command again probably works.

There are a number of errors you can get when trying to provision a Skype user from IM  we have had many support cases open on this item as well :(

We have found it impossible to create a skype account at the same time that an AD account is created.  Instead we have one provisioning role to create the AD account and associated Exchange mailbox (using one account template) and another provisioning role that creates the Skype account.  For this Skype role we took a copy of the Account Template to create the standard user, removed only the Exchange info from the Account Template and added Skype info to the AT.  If too much info was stripped from the AT it didn't create the Skype user correctly.

This latter role needs to be added at a later point, after initial account creation - I know colleagues who have used when the user changes their initial password at first login as the trigger to create the Skype account, alternatively you can schedule a batch job.  You then need to sync the user with their roles to create the Skype account - something you can do with a policy xpress when automated and manually with Provisioning Manager when testing.  The problem is this sync can return an error in IM - saying there is no management object for the user in Skype - however you will find that the user has indeed been successfully created in Skype and this error message can be ignored.

Skype has it's own directory so there can be replication issues.  Same as replication issues in AD can be problematic and default timeout values need increasing, or acquire an individual AD DC rater than the generic name.

Another problem can be trying to sync the roles in the first place - a defect in IM (which has been fixed in most versions now) with remote powershell IDs meant that sometimes it was necessary to restart the JCS and CCS connector services before Provisioning manager was able to successfully sync the Skype prov role and create the Skype account.

I'm not sure if any of this relates to your problem from the error message above, but as you can see there are lots of challenges with working with Skype and simply following the instructions in the documentation will probably not give you a working solution, in our experience, without tweaking things here and there :(

Good luck!
Original Message:
Sent: 10-22-2019 04:13 PM
From: Felix Varela
Subject: Has anyone ever made the Lync/Skype for Business Server work with IDM?

We'd like to know if anyone has a possitive experience with Lync Server (Skype for Business)  did it work?  how do you create a new skype for business user account using Identity Manager?

In our experience it's not possible to create an AD user account with skype for Business attributes, neither can we assign those attributes to an already created AD account


We have already opened 2 cases with CA Support:  1068904 and 20062206   as well as asking here in the community


We get this error when we try to create a user with a skype provisioning role:

Causa: Active Dir. Account 'XXX' on 'ActiveDirectory' modification failed: Connector Server Modify failed: code 70 (RESULTS_TOO_LARGE): failed to modify entry: eTADSAccountName=XXX,eTADSOrgUnitName=Usuarios,eTADSOrgUnitName=Sucursales BF,eTADSDirectoryName=ActiveDirectory,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@svriam: JNDI: [LDAP: error code 70 - Unable to determine Lync User Enabled status: No se encontró ningún objeto de administración para la identidad "CN=XXX,OU=Usuarios,OU=Sucursales BF,DC=bfamiliar,DC=com,DC=py".]: failed to modify eTADSAccountName=XXX,eTADSOrgUnitName=Usuarios,eTADSOrgUnitName=Sucursales BF,eTADSDirectoryName=ActiveDirectory,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://svriam.bfamiliar.com.py:20411) Action: Assign user "XXX (LPAL)" provisioning role "AD-Skype": Failed to execute AssignProvisioningRoleEvent.

Thanks Adrian for your honesty you are the first person to tell us how things really are

We suspected there was an issue when after carefully following the documentation in 3 different clients it still wouldn't work

Since there was no way around it I had to write a script to create the skype account
Original Message:
Sent: 10-23-2019 03:04 AM
From: Adrian Bullock
Subject: Has anyone ever made the Lync/Skype for Business Server work with IDM?

The Connector between IM and Skype uses Remote Powershell functionality that has a flaw in it, that sometimes returns an error, and that Microsoft have allegedly said they will not be fixing (back in 2017).  Broadcom say it is a Microsoft issue.  This is the error concerning Types not matching.  The same command sometimes fails but issuing the exact same command again probably works.

There are a number of errors you can get when trying to provision a Skype user from IM  we have had many support cases open on this item as well :(

We have found it impossible to create a skype account at the same time that an AD account is created.  Instead we have one provisioning role to create the AD account and associated Exchange mailbox (using one account template) and another provisioning role that creates the Skype account.  For this Skype role we took a copy of the Account Template to create the standard user, removed only the Exchange info from the Account Template and added Skype info to the AT.  If too much info was stripped from the AT it didn't create the Skype user correctly.

This latter role needs to be added at a later point, after initial account creation - I know colleagues who have used when the user changes their initial password at first login as the trigger to create the Skype account, alternatively you can schedule a batch job.  You then need to sync the user with their roles to create the Skype account - something you can do with a policy xpress when automated and manually with Provisioning Manager when testing.  The problem is this sync can return an error in IM - saying there is no management object for the user in Skype - however you will find that the user has indeed been successfully created in Skype and this error message can be ignored.

Skype has it's own directory so there can be replication issues.  Same as replication issues in AD can be problematic and default timeout values need increasing, or acquire an individual AD DC rater than the generic name.

Another problem can be trying to sync the roles in the first place - a defect in IM (which has been fixed in most versions now) with remote powershell IDs meant that sometimes it was necessary to restart the JCS and CCS connector services before Provisioning manager was able to successfully sync the Skype prov role and create the Skype account.

I'm not sure if any of this relates to your problem from the error message above, but as you can see there are lots of challenges with working with Skype and simply following the instructions in the documentation will probably not give you a working solution, in our experience, without tweaking things here and there :(

Good luck!
Original Message:
Sent: 10-22-2019 04:13 PM
From: Felix Varela
Subject: Has anyone ever made the Lync/Skype for Business Server work with IDM?

We'd like to know if anyone has a possitive experience with Lync Server (Skype for Business)  did it work?  how do you create a new skype for business user account using Identity Manager?

In our experience it's not possible to create an AD user account with skype for Business attributes, neither can we assign those attributes to an already created AD account


We have already opened 2 cases with CA Support:  1068904 and 20062206   as well as asking here in the community


We get this error when we try to create a user with a skype provisioning role:

Causa: Active Dir. Account 'XXX' on 'ActiveDirectory' modification failed: Connector Server Modify failed: code 70 (RESULTS_TOO_LARGE): failed to modify entry: eTADSAccountName=XXX,eTADSOrgUnitName=Usuarios,eTADSOrgUnitName=Sucursales BF,eTADSDirectoryName=ActiveDirectory,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@svriam: JNDI: [LDAP: error code 70 - Unable to determine Lync User Enabled status: No se encontró ningún objeto de administración para la identidad "CN=XXX,OU=Usuarios,OU=Sucursales BF,DC=bfamiliar,DC=com,DC=py".]: failed to modify eTADSAccountName=XXX,eTADSOrgUnitName=Usuarios,eTADSOrgUnitName=Sucursales BF,eTADSDirectoryName=ActiveDirectory,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://svriam.bfamiliar.com.py:20411) Action: Assign user "XXX (LPAL)" provisioning role "AD-Skype": Failed to execute AssignProvisioningRoleEvent.