Symptoms
Information about users from a certain domain and a specific OU is not being updated in the K2 identity cache. When a Force Identity Refresh operation is attempted for such users, the following error is logged in the K2 host server log:
64010 The Identity User:K2:DOMAIN\user_name does not appear to be discoverable or does not exist
After this, the user has the Enabled and Resolved flags set to 0 in the K2 identity cache. Such users are unable to access K2. If a user from another OU who was previously resolved properly is moved to the problematic OU, that user keeps the Resolved flag set to 1, but the Enabled flag changes to 0.
Diagnoses
To analyze this issue further, enable debug-level ADUM logging and attempt to refresh the identity of an affected user. You may see the following error logged when attempting this operation:
"Debug", "GetUser", "Name translated from DOMAIN\User to CN=User Name,OU=TestOU,OU=Users,OU=TestOU,DC=DOMAIN,DC=COM"
"Error", "GetDirectoryEntry", "There is no such object on the server.
You may see that the user's CN path contains duplicate OU names. This is a known issue that occurs when the CN path contains OUs with exactly the same name ("TestOU" in the sample log entry above).
For K2 versions without a coldfix, the only available workaround is to rename one of the OUs so that the CN path does not contain identical OU names.
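The check described above can be run over a whole ADUM debug log to list every account whose translated path repeats an OU name. This is an added example, not K2 code: the function names are hypothetical, the sample lines are constructed from the log entry above, and comparing OU names case-insensitively is an assumption (it may over-report, but will not miss exact duplicates).

```python
import re
from collections import Counter

# Matches the ADUM debug line format shown in the sample log entry above.
TRANSLATED = re.compile(r'"Name translated from (?P<account>.+?) to (?P<dn>[^"]+)"')

def split_rdns(dn):
    """Split a path into components on commas that are not backslash-escaped."""
    return [part.strip() for part in re.findall(r"(?:\\.|[^,\\])+", dn)]

def duplicate_ous(dn):
    """Return the OU names that occur more than once in the path."""
    names = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU":
            # Assumption: names are compared case-insensitively.
            names.append(value.strip().lower())
    return sorted(name for name, count in Counter(names).items() if count > 1)

def affected_accounts(log_lines):
    """Map each translated account name to the OU names duplicated in its path."""
    hits = {}
    for line in log_lines:
        match = TRANSLATED.search(line)
        if match:
            dups = duplicate_ous(match.group("dn"))
            if dups:
                hits[match.group("account")] = dups
    return hits

# Constructed sample lines modelled on the log entry above; all names are placeholders.
SAMPLE_LOG = [
    '"Debug", "GetUser", "Name translated from DOMAIN\\User to '
    'CN=User Name,OU=TestOU,OU=Users,OU=TestOU,DC=DOMAIN,DC=COM"',
    '"Debug", "GetUser", "Name translated from DOMAIN\\Other to '
    'CN=Doe\\, Jane,OU=Sales,OU=Users,DC=DOMAIN,DC=COM"',
]

if __name__ == "__main__":
    for account, ous in affected_accounts(SAMPLE_LOG).items():
        print(account, "-> duplicate OU names:", ", ".join(ous))
```

Accounts reported here are the ones to expect with Enabled or Resolved set to 0 after a refresh, and the listed OU names are the candidates for the rename workaround.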
Resolution
This is a known issue that affects all versions of K2 up to 4.7 (internal ID 696047). A coldfix for this issue is available only for K2 4.7; for previous versions, the only available workaround is to rename one of the OUs so that the CN path does not contain identical OU names.