Crowd Synchronisation with Azure AD fails with "java.lang.IllegalArgumentException: name argument cannot be null or blank"

Problem

Users are unable to authenticate with Azure Active Directory and the following appears in the atlassian-crowd.log:


com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: name argument cannot be null or blank
	at com.atlassian.crowd.directory.cache.DeltaQueryCacheRefresher.synchroniseAllGroups(DeltaQueryCacheRefresher.java:328)
	at com.atlassian.crowd.directory.cache.DeltaQueryCacheRefresher.synchroniseAll(DeltaQueryCacheRefresher.java:91)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:968)
	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:71)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
	at com.sun.proxy.$Proxy93.synchronise(Unknown Source)
	at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:45)
	at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobRunner.runJob(DirectoryPollerJobRunner.java:85)
	at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:153)
	at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:118)
	at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:97)
	at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:443)
	at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJob(CaesiumSchedulerService.java:438)
	at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJobWithRecoveryGuard(CaesiumSchedulerService.java:462)
	at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:390)
	at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService$1.consume(CaesiumSchedulerService.java:285)
	at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService$1.consume(CaesiumSchedulerService.java:282)
	at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:65)
	at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:59)
	at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:34)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: name argument cannot be null or blank
	at java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.util.concurrent.FutureTask.get(FutureTask.java:192)
	at com.atlassian.crowd.directory.cache.DeltaQueryCacheRefresher.synchroniseAllGroups(DeltaQueryCacheRefresher.java:320)
	... 31 more
Caused by: java.lang.IllegalArgumentException: name argument cannot be null or blank
	at org.apache.commons.lang3.Validate.isTrue(Validate.java:158)
	at com.atlassian.crowd.model.group.GroupTemplate.<init>(GroupTemplate.java:35)
	at com.atlassian.crowd.model.group.GroupTemplate.<init>(GroupTemplate.java:56)
	at com.atlassian.crowd.directory.rest.mapper.AzureAdRestEntityMapper.mapDeltaQueryGroup(AzureAdRestEntityMapper.java:216)
	at com.atlassian.crowd.directory.rest.mapper.AzureAdRestEntityMapper.lambda$mapDeltaQueryGroups$4(AzureAdRestEntityMapper.java:147)
	at java.util.ArrayList.forEach(ArrayList.java:1249)
	at com.atlassian.crowd.directory.rest.mapper.AzureAdRestEntityMapper.mapDeltaQueryGroups(AzureAdRestEntityMapper.java:145)
	at com.atlassian.crowd.directory.AzureAdDirectory.performGroupsDeltaQuery(AzureAdDirectory.java:514)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	... 1 more

Cause

  • When a group is deleted from Azure Active Directory, Azure AD performs a soft delete and retains the Azure Active Directory (AD) Office 365 group information for 30 days so that it can still be restored if required.

  • When Crowd polls information from Azure AD (using the REST API https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,id,members), the deleted groups' information is returned as well.

    • Crowd does not appear to handle the deleted group data coming back from Azure AD, as it expects a displayName field and value in each JSON object (i.e. the Azure AD group has a valid name).
    • It appears that deleted group data from Azure AD may not always contain the displayName field or at least a flag indicating the JSON object is marked as 'removed'.
    • Known defect tracked under: CWD-4998

Diagnosis

  • Create a script that uses the Azure REST API to retrieve the group information from Azure AD as follows:
    • Authenticate to Azure using Crowd's web application ID and key.
    • Query Azure AD's groups delta query endpoint with this exact URL: https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,id,members
    • The endpoint will return a JSON response. The following checks should then be performed:
      • Look for:
        • "displayName": ""; or
        • "displayName": null; or
        • Absence of a "displayName" tag altogether

        • In the above screenshot example, the third item is not marked as '@removed', but all the items under members@delta are actually marked as "deleted".

    • Note: There may be an attribute called @odata.nextLink in the response JSON. This is a link to the next page of results. Another request should be made to that URL, and so on, until there are no more results, so that all group information is pulled from Azure AD.


For easier viewing of the JSON response data in a graphical interface, you can use https://jsoneditoronline.org

It may be worth retrieving all the JSON response pages and starting the analysis at the last results page, as we have seen that deleted groups are returned at the end.
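The diagnosis steps above as an added Python example (not Atlassian's or Microsoft's code): it follows @odata.nextLink through every page and lists each group whose displayName is blank, null or absent, recording whether the object carries '@removed' and whether every members@delta entry does. It assumes an access token has already been obtained with Crowd's application ID and key; http_fetch, find_nameless_groups and the sample pages are names and data constructed for illustration.

```python
import json
import urllib.request

DELTA_URL = "https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,id,members"

def http_fetch(token):
    """Live fetcher: GET a Graph URL with a bearer token (token is assumed)."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def find_nameless_groups(fetch, url=DELTA_URL):
    """Follow @odata.nextLink to the last page; list groups with no usable name."""
    findings, page_no = [], 0
    while url:
        page_no += 1
        page = fetch(url)
        for group in page.get("value", []):
            name = group.get("displayName")
            if isinstance(name, str) and name.strip():
                continue  # has a valid name, so Crowd can map it
            members = group.get("members@delta", [])
            findings.append({
                "id": group.get("id"),
                "page": page_no,
                "displayName": ("absent" if "displayName" not in group
                                else "null" if name is None else "blank"),
                "removed_flag": "@removed" in group,
                "all_members_removed": bool(members) and all("@removed" in m for m in members),
            })
        url = page.get("@odata.nextLink")  # None on the final page ends the loop
    return findings

# Constructed sample pages (not real tenant data), keyed by request URL.
SAMPLE_PAGES = {
    DELTA_URL: {"@odata.nextLink": "https://graph.example/page2", "value": [
        {"id": "g-1", "displayName": "engineering"},
        {"id": "g-2", "displayName": ""}]},
    "https://graph.example/page2": {"value": [
        {"id": "g-3", "@removed": {"reason": "changed"}},
        {"id": "g-4", "displayName": None, "members@delta": [
            {"id": "u-1", "@removed": {"reason": "deleted"}}]}]},
}

if __name__ == "__main__":
    for finding in find_nameless_groups(SAMPLE_PAGES.__getitem__):
        print(finding)
```

Against a live tenant, call find_nameless_groups(http_fetch(token)) instead of passing the sample fetcher.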


Workaround

Follow the steps in the Microsoft guide to Permanently delete an Office 365 group (last section of the page) to force the deletion of the groups within Azure Active Directory before the 30 days are up.

    1. Start a PowerShell session.
    2. Run this command in PowerShell to see the list of soft-deleted groups in Azure AD:

      Get-AzureADMSDeletedGroup


      1. This should return a list of IDs of the deleted groups. This list should match the "removed" JSON results identified in the Diagnosis section above that had no displayName tag.
    3. Run these commands in PowerShell to purge all the soft-deleted group information from Azure AD:

      Remove-AzureADMSDeletedDirectoryObject -Id <soft_deleted_groupid 1>
      Remove-AzureADMSDeletedDirectoryObject -Id <soft_deleted_groupid 2>
      ...
       

      Please be aware that the above will permanently purge the soft-deleted group information from Azure Active Directory, and the action cannot be undone!

    4. Run this command in PowerShell to see the list of soft-deleted groups in Azure AD (which should return nothing):

      Get-AzureADMSDeletedGroup


      1. Note that, as per the above Microsoft KB, "In some cases it may take as long as 24 hours for the group and all of its data to be permanently deleted", so please allow up to 24 hours to confirm the results.
    5. You should now be able to retry the sync with Azure Active Directory within Crowd, and it should complete successfully.


Note: While bug CWD-4998 has been marked as closed, it may have regressed in newer versions of Crowd. If this is the case and Crowd Data Center 3.6 or higher is in use, another workaround is to specify the groups to be used by Crowd by setting them in the group filter that is part of the Azure AD directory configuration.


Last updated: June 24, 2020
