Active Roles assigning duplicate SMTP address

Hello,

Current ARS version deployed : 6.9.0.5483

It is noticed that Active Roles assigns duplicate SMTP addresses to newly created mailboxes/contacts.

This means that it assigns the same email address to object 2 even if it is assigned to object 1.

This issue is noticed for mailboxes as well as contacts.

Referred article and issue is described.

Ref : https://support.oneidentity.com/active-roles/kb/230143

Request you to please help if there is any hotfix for this

Regards,

Ajit

 

 

  • Below is my understanding.

    Email address is to be set by Exchange side (ARS calls Exchange cmdlets) and Exchange side is responsible to check the uniqueness against whole Exchange Organization. It is as per MSFT Best Practices.

    Example: Exchange Org serves multiple domains A, B, C and ARS registers A only (and does not see B, C). How will ARS enforce the uniqueness?

    If ARS got legacy User Provision workflow from Exchange 2000 days and still manages email/smtp addresses directly as LDAP attributes (legacy custom script), then the legacy workflow must be changed.

    Aidar Karabalaev

  • In reply to Aidar.Karabalaev:

    Hello,

    Thank you for the reply.
    Exchange will not permit assigning email address if the same is already assigned.

    Could you please help to clarify the statement in the article

    When modifying the mail attribute via the E-mail field in the General tab of the User Properties dialogue, Active Roles does not check if the address is unique, potentially resulting in duplicate email addresses.
  • In reply to Ajit:

    Hmmm....in my experience, setting the mail attribute in the General tab does not actually update the user's primary SMTP address in Exchange. Normally (i.e. natively in AD/Exchange), the contents of that attribute actually **come from** the primary SMTP address as defined by Exchange so the contents of 'mail' flow **down** FROM Exchange and not the other way around.

    Indeed, it is not correct to attempt update of the primary SMTP address by changing this attribute - rather, this action should be performed on the user E-mail addresses (proxyaddresses) attribute in the user's Exchange properties.

  • In reply to JohnnyQuest:

    Hello,

    Thanks again.
    As it is listed as a product defect, which version do you suggest upgrading to?

    Thanks and Regards,
    Ajit
  • In reply to Ajit:

    >Description
    When modifying the mail attribute via the E-mail field in the General tab of the User Properties dialogue, Active Roles does not check if the address is unique, potentially resulting in duplicate email addresses.<

    Looks confusing. My understanding:
    User | General tab | E-mail is just to show the primary SMTP: address and not to change it.
    The AD admin needs to use the User | Email Addresses tab to set SMTP addresses, and this is expected to trigger the Exchange cmdlet.

    Aidar Karabalaev

  • Here are the steps noted from Defect TF00704954 which can be used to reproduce this issue:

    1. Create two users (User A & User B) with Exchange email addresses.
    2. Open User A's properties in the Active Roles Console.
    3. Change email address within the General tab to the primarySMTP address of User B.
    4. Notice that both 'mail' attribute and proxyAddresses:primarySMTP attribute of User A are now changed to the primarySMTP of User B.

    I have tested and confirmed that this is what happens in all Active Roles 7.0 and 7.1 codelines.

    The expected behaviour is that updating a User's Email Address on the general tab does not change the User's Primary SMTP. It is possible to assign a duplicate email address, but this only updates the mail attribute and does not affect mailflow. This is described in detail in this Microsoft resource:

    blogs.technet.microsoft.com/.../

    As of this moment, there is no hotfix available to address this issue for these versions.

    That being said, I was not able to reproduce this behaviour in Active Roles 7.2

    If you upgrade to Active Roles 7.2, that should resolve the issue.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Terrance.Crombie:

    Hello,

    Thank you for the help. Appreciate very much

    Questions :

    If we upgrade to 7.2, what will happen to the duplicate email addresses already assigned? Will they be removed and unique email addresses be maintained?

    Regards,
    Ajit
  • In reply to Terrance.Crombie:

    I understood Terrance C. answer as the issue does not depend on Exchange version, but on ARS version only, because the test was done with variation of ARS versions with the same Exchange version environment.

    Aidar Karabalaev

  • In reply to Ajit:

    I would not expect that existing duplicates would be cleaned up by an upgrade.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity

  • In reply to Aidar.Karabalaev:

    Correct, I have both Microsoft Exchange 2013 and Microsoft Exchange 2016 in my labs and functionality was identical.

    Terrance C

    Social Media and Community Professional
    #iWork4OneIdentity
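
Because the thread concludes that an upgrade is not expected to clean up duplicates that already exist, the directory has to be audited for them. The following is an added example, not part of the original thread and not One Identity or Microsoft code: `Find-DuplicateSmtpAddress` is a hypothetical helper name, and the sample objects are constructed to mirror the reproduction steps above (User A's `mail` and primary SMTP set to User B's address).

```powershell
# Added example: report SMTP addresses claimed by more than one directory object.
# Find-DuplicateSmtpAddress is a hypothetical helper, not an Active Roles or Exchange cmdlet.
function Find-DuplicateSmtpAddress {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$InputObject)
    begin { $seen = @{} }   # normalized address -> list of claims (DN + attribute)
    process {
        $pairs = @()
        if ($InputObject.mail) {
            $pairs += [pscustomobject]@{ Address = [string]$InputObject.mail; Source = 'mail' }
        }
        foreach ($proxy in @($InputObject.proxyAddresses)) {
            # Only SMTP entries matter here; X500, SIP and other address types are skipped.
            if ($proxy -match '^smtp:(.+)$') {
                # Upper-case 'SMTP:' marks the primary address, lower-case a secondary one.
                $src = if ($proxy -clike 'SMTP:*') { 'primarySMTP' } else { 'secondarySMTP' }
                $pairs += [pscustomobject]@{ Address = $Matches[1]; Source = $src }
            }
        }
        foreach ($p in $pairs) {
            $key = $p.Address.Trim().ToLowerInvariant()   # compare addresses case-insensitively
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += [pscustomobject]@{ DN = $InputObject.DistinguishedName; Source = $p.Source }
        }
    }
    end {
        foreach ($key in $seen.Keys) {
            # One object holding the same address in mail and proxyAddresses is not a duplicate.
            $owners = @($seen[$key].DN | Sort-Object -Unique)
            if ($owners.Count -gt 1) {
                [pscustomobject]@{
                    Address = $key
                    Objects = $owners
                    Claims  = @($seen[$key] | ForEach-Object { "$($_.DN) [$($_.Source)]" })
                }
            }
        }
    }
}

# Constructed sample data (not real directory objects).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=User A,OU=Lab,DC=example,DC=test'
                       mail = 'userb@example.test'; proxyAddresses = @('SMTP:userb@example.test') }
    [pscustomobject]@{ DistinguishedName = 'CN=User B,OU=Lab,DC=example,DC=test'
                       mail = 'UserB@example.test'
                       proxyAddresses = @('SMTP:UserB@example.test', 'X500:/o=Lab/cn=userb') }
)
$sample | Find-DuplicateSmtpAddress | Format-List Address, Objects, Claims

# Live data (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(|(mail=*)(proxyAddresses=*))' -Properties mail, proxyAddresses |
#     Find-DuplicateSmtpAddress
```

As noted earlier in the thread, a query against a single domain only sees that domain's objects, so in a multi-domain Exchange organization the audit has to cover every domain that holds mail-enabled objects.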