Adaxes

Google Account Creation Failing

0 votes

Hi all,

Having issues creating a GSuite (Apps for Education) account for my users during a new user creation process.

I set up GAM and the user passes all API tests successfully

However, I receive the following error in the Adaxes web GUI when creating the user:

"An error occurred while creating a Google account. Error: ERROR: 403: Not Authorized to access this resource/api - forbidden"

As stated, no user is created. Any idea how I can go about troubleshooting this?

by (90 points)
0

Hello,

We recommend you to re-authorize the user. Make sure that the account used is the Adaxes service account (specified during Adaxes installation). The following forum post should be helpful: https://github.com/jay0lee/GAM/issues/461.

by (289k points)
moved by

1 Answer

0 votes
by (90 points)
selected by
Best answer

I have located the problem, posting in case it helps anyone else who is in a unique situation.

Because we are education, we split our domain for staff (O365: site.com) and students (GAFE: student.site.com); these cannot use the same domain and retain mail functionality. The non-descriptive error was referring to the domain presented with the %userPrincipalName% variable.

By using %saMAccountName% in lieu of %userPrincipalName%, I was able to pass the data through.

For testing only, a quick/dirty/insecure way to test without error checking was (in case someone needs to troubleshoot GAM):

$firstName = "%firstname%"
$lastName = "%lastname%"
$unicodePwd = %unicodePwd%"
$userName = "%saMAccountName%"

C:\Gam\gam.exe create user $userName firstname $firstName lastname $lastName password $unicodePwd

For production, I suggest modifying line 16 of the Adaxes-provided script to reflect %saMAccountName% instead of %userPrincipalName%

For reference, the account that establishes OAuth does not need to be tied to Adaxes in any way. It just needs to be a service account on GAFE with Super Admin permissions to grant API access.

Related questions

0 votes
1 answer
Create group on account creation if it doesn't already exist

Hello, When a user account is created, we would like for that user to be added to a group whose name is based on a certain naming convention. If the group doesn't yet exist ... If that group doesn't exist, it will first create the group and then add the user.

asked Mar 11 by sjjb2024 (60 points)
0 votes
1 answer
Is it possible when copying a user to reference the source account in an after user creation business rule?

I am trying to trigger processing outside of Active Directory when an account is created based on the source user account that was used. Does Adaxes store the source account anywhere?

asked Oct 9, 2023 by jnordell (20 points)
0 votes
1 answer
Building a report during an account creation

Hi, Is there a way to store information throughout the running of a custom command? For instance, when creating a user, we use a custom command to move the user ... the entire process with the information, rather than 5 or 6 generated throughout the process.

asked Dec 16, 2022 by gareth.aylward (180 points)
0 votes
1 answer
Account transliteration before creation

Is it possible to transliterate the specified first and last name before creating an account so that the correct username, upn etc are formed based on the transliteration?

asked Nov 18, 2022 by Alvares (100 points)
0 votes
1 answer
Create custom form for new user account creation

We have a business need for automating and controlling the creation of service accounts in our AD. For example, we want all new service accounts to start with "svc_" for ... customize the "New User" form to create a "New Service Account" workflow in Adaxes?

asked Sep 10, 2021 by joshua.lapchuk (60 points)
3,549 questions
3,240 answers
8,232 comments
547,820 users