
Hi all,

Having issues creating a GSuite (Apps for Education) account for my users during a new user creation process.

I set up GAM and the user passes all API tests successfully.

However, I receive the following error in the Adaxes web GUI when creating the user:

"An error occurred while creating a Google account. Error: ERROR: 403: Not Authorized to access this resource/api - forbidden"

As stated, no user is created. Any idea how I can go about troubleshooting this?

by (90 points)

Hello,

We recommend that you re-authorize the user. Make sure that the account used is the Adaxes service account (specified during Adaxes installation). The following forum post should be helpful: https://github.com/jay0lee/GAM/issues/461.

1 Answer

by (90 points)
Best answer

I have located the problem, posting in case it helps anyone else who is in a unique situation.

Because we are education, we split our domain for staff (O365: site.com) and students (GAFE: student.site.com); these cannot use the same domain and retain mail functionality. The non-descriptive error was referring to the domain presented with the %userPrincipalName% variable.

By using %saMAccountName% in lieu of %userPrincipalName%, I was able to pass the data through.

For testing only, a quick/dirty/insecure way to test without error checking was (in case someone needs to troubleshoot GAM):

$firstName = "%firstname%"
$lastName = "%lastname%"
$unicodePwd = "%unicodePwd%"
$userName = "%saMAccountName%"

C:\Gam\gam.exe create user $userName firstname $firstName lastname $lastName password $unicodePwd

For production, I suggest modifying line 16 of the Adaxes-provided script to reflect %saMAccountName% instead of %userPrincipalName%.

For reference, the account that establishes OAuth does not need to be tied to Adaxes in any way. It just needs to be a service account on GAFE with Super Admin permissions to grant API access.
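The domain mismatch described in the answer above can be caught before GAM is called. The following is an added example, not part of the original post and not the Adaxes-provided script: it assumes Adaxes substitutes the %...% value references before the script runs, and the function name Resolve-GoogleLogin and the -GoogleDomain parameter are hypothetical. It builds the Google login explicitly from the sAMAccountName when the UPN suffix is not the Google domain, and fails loudly if gam.exe reports an error instead of silently creating no user.

```powershell
# Added example (not from the original post). Resolve-GoogleLogin and
# -GoogleDomain are hypothetical names; student.site.com is the domain
# the poster uses for Google accounts.
function Resolve-GoogleLogin {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GoogleDomain
    )

    # Everything after the first '@' is the UPN suffix ($null if there is none).
    $upnDomain = ($UserPrincipalName -split '@', 2)[1]
    if ($upnDomain -ieq $GoogleDomain) {
        return $UserPrincipalName.ToLowerInvariant()
    }

    # The UPN suffix belongs to another tenant (site.com on O365 in the post).
    # The answer above identified that as the cause of the 403, so build the
    # address from the sAMAccountName and the Google domain instead.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]+$') {
        throw "sAMAccountName '$SamAccountName' is not usable as a mail local part"
    }
    return ('{0}@{1}' -f $SamAccountName, $GoogleDomain).ToLowerInvariant()
}

$login = Resolve-GoogleLogin -UserPrincipalName '%userPrincipalName%' `
    -SamAccountName '%saMAccountName%' -GoogleDomain 'student.site.com'

# Same gam.exe invocation as in the post. Single quotes stop PowerShell from
# expanding '$' or backticks inside substituted values; a value containing a
# single quote would still break the script. The password is visible in the
# process command line for as long as gam.exe runs.
& 'C:\Gam\gam.exe' create user $login firstname '%firstname%' lastname '%lastname%' password '%unicodePwd%'

# Surface GAM failures (such as the 403) as a script error.
if ($LASTEXITCODE -ne 0) {
    throw "gam.exe exited with code $LASTEXITCODE while creating $login"
}
```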
