ARS Upgrade to 8.0 workflow approvals that request information causes error


This is my very first posting to any One Identity forum.  I recently upgraded my Active Roles server from 7.4.3 to 8.0 and noticed that some of my workflows are throwing web errors.  This big red error banner on the approval pop-up states "Object reference not set to an instance of an object".  After getting a few complaints, I noticed a pattern.  The workflows having the issues, are ones that request information from the end user before the approval can be completed.  However, we are getting the error message before any pop-up window presents a prompt to enter in the requested data.  I've tried a couple tricks like removing the requirement for requested data, then saving, then re-runing the request and the approver can actually approve the workflow. However, as soon as I put the requirement to enter data into an attribute, the error returns.  This happens for every workflow I have that requires the approver to enter some data into the approval prior to the operation being completed.

Any ideas as to what might be causing this?  A bug in version 8.0 perhaps?

All workflows were working normally prior to the upgrade.  All approval requests were made after the upgrade was in place (no approvals migrated from 7.4.3 as they get auto cancelled by the upgrade).

  • I have no answer on the question. Maybe my recent observations will help alittle. Unfortunately, I have seen the same error "Object reference not set to an instance of an object" on ARS 7.6.1 recently after upgrade (from 7.3.1). I think there was much coding changed on backend and I had the following unfortunate discoveries, so far.

    1) error "phase" reporting might change.

    2) I found that *msExchHideFromAddressLists* is not treated as flat ldap AD attribute anymore, but in compliance with "Exchange Rule" and cannot be set on AD user without email (contact or mailbox).

    3) ARS Sync cannot set $null on AD attribute, instead need to use Sync Consol UI option <clear> (But I have a custom code returning value A,B,C,$null) (it seems like, I need to do additional testing). In case the #3 confirmed, it will impact all my Sync PS1 custom codes returning A,B,C...,$null.

  • Thank you for the response, Aidar.

    This is actually a big issue for us.  We use workflows that request information from the "Approver's" for things such as employee badge number, DID's, Two Factor hardware token ID's, etc.  Since the approvers are now unable to enter in this information into the requested attribute, it affects downstream workflows (notifications that recall those attributes) to our onboarding and training staff. 

    What is the best course of action to getting a hot fix for ARS 8.0?  The 7.4.3 version we were on is on limited support, which is why we did the upgrade.  Otherwise, I'm a firm believer in, "If it isn't broke, don't fix it" (unless there is a vulnerability, in that case I consider it broke)!  We have been running ARS 8.0 for about a week now.  I'm thinking that it might be more harmful to roll-back now that we have had a couple hundred transactions since the upgrade.  I'll file a support request for this issue, but I assume others maybe having this issue too.  What is the process to getting a hot fix developed for this issue?  Wondering if One Identity needs a certain number of tickets before this is put on the project list.

    Thanks in advance for any advise.

  • This seems like a pretty big deal for your organization.  I would recommend you proceed as follows:

    1) Log the details of the issue into a ticket via the Support portal - this will save "20 questions" later.

    2) With SR # in hand, CALL into Support and tell them you would like this escalated as a Sev 1.

  • Thank you, JohnnyQuest.

    I have done as you recommended.

    For reference:

    "Technical Support | Case Number: 01938243 | all approvals that require a request of info are throwing an error"

  • You're quite welcome.  If it ends up that there's no solution on the immediate horizon, I can suggest an alternative way of meeting your use case that would involve some minor, entirely out-of-the-box customization of the AR Web UI.

  • Recently I looked alittle closer at ARS8.0. Many high-impact bugs were fixed in the release 8.0, in respect to ARS 7.3/7.4/7.5.0. For example, issues I noticed in the chat above (2) msExchHideFromAddressLists and (3) Sync setting $null to -Empty attribute value. In my opinion, it might be worth to stay with ARS 8.0 trying to fix the issue observed, unless Support recommends to rollback to legacy version.

  • Aidar, I'm curious about your focus on msExchHideFromAddressLists.  What is the down side of this now only being manageable for mail enabled objects (that is my understanding of your comments - please correct me if I am missing your point)?  It doesn't have any meaning / use outside of Exchange that I am aware of?

  • John, you are correct. *msExchHideFromAddressLists* What is the down side of this now only being manageable for mail enabled objects *only*.
    I ‘hit’ the following dependencies on my customer:
    Legacy ARS Sync Solution: HR.csv provision goes to legacy AD1 domain with onprem Exch (no Hybrid AADconnect) (many years ago)
    Migration. legacy AD1 to new AD2 (supports cloud AAD/O365 Exchange Hybrid Mode /AADConnect)
    Legacy AD1 lost onprem Exchange.
    Legacy AD1 still contains important network resources and cannot be decommissioned in near future.
    Result: Legacy ARS Sync Solution: HR.csv provision *still* goes to AD1 legacy domain. With additional new ARS Sync support “long-term” sync users/groups with SIDHistory/Password from/to legacy AD1 to/from new AD2.
    Something like that. Hope that explains.

  • (continued...) HR >> AD1 still controls Provision/Term user including mailbox related properties (msExchHideFromAddressLists), though AD1 is not Exchange aware anymore.

  • Legacy AD1 lost onprem Exchange.

    Is it operating as an Exchange Hybrid (i.e. with mail enabled user objects that point to their Cloud equivalents) or did they eliminate Exchange completely?

    If the former, then you should still be able to manage some Exchange properties?

    Or, with the latest version has something been done with the AR Admin service that breaks the ability to manage a Hybrid?