When registering a new database on Exact Online, the following error message may occur:
There can be at most one data container in all databases in all organizations with the single authentication identifier ‘…#…’.
Existing datacontainer with this identifier may require repair.
First remove the other datacontainer with this single authentication identifier or choose another combination of login credentials and possibly OAuth client ID.
This article will help you understand the meaning of this message and how to resolve the
Just as there can only be one Highlander left in the Golden Oldies movie “Highlander,” Exact chose in 2019 to allow only one active application-specific password for each combination of application and user. More background on this so-called “refresh token” can be found in “Exact Online error message: Old refresh token used” and “Auto-recovery of Exact Online refresh tokens for data containers.”
Currently, no other (cloud) platforms are known to have a similar “single instance.” However, there are platforms such as Google that place an upper limit on the number of simultaneously usable refresh tokens (e.g., 50).
A database on Invantive Cloud contains one or more data containers. Each data container is a link to a (cloud) platform. For example, the database “Exact Online with Yuki and SQL Server” contains three data containers: an Exact Online connection, a Yuki connection and one to a SQL Server database.
A unique value is held on each Exact Online data container: it goes by the mouthful “single instance authentication identifier,” or the “single authentication attribute,” from the error message. For users with sufficient permissions, it is visible on the data container in Invantive Cloud under the heading “Authentication.”
The single authentication attribute consists of two parts, separated by a hash (“#”): the client ID of the Exact Online app and the ID of the Exact Online user.
When creating a new data container, for example when a database is initially created, the single authentication identifier will be determined after logging in to Exact Online.
The mentioned error message itgenscr590 will be displayed when the same single authentication identifier is already registered to another data container. The other registration may belong to a data container in the same organization of the user, but may also belong to another organization. The data container is not in the list of data containers the user sees when the same data container is registered under another organization in Invantive Cloud. This is somewhat confusing, but unfortunately unavoidable given security concerns.
The newly created data container is automatically deleted again when the error message occurs. It will also be deleted if the affected data container was the only one in the database.
A side effect of registering the same app and user twice is that the original registration becomes invalid. After all, the Exact Online authorization has been run through again, making all previously issued refresh tokens for the combination of app and Exact Online user invalid.
This means that every attempt to retrieve data from the original registered data container will fail with an error message such as:
Access to the OAuth data source requires a valid access token.
The access token could not be obtained.
An outdated refresh token cannot be used on Exact Online.
This occurs if an Exact Online user is linked twice with the same OAuth application.
Please generate a new refresh token and make sure to keep the chain intact.
Log on to Invantive Cloud and refresh the authorization on the data container with alias ‘eol’ of the database ‘…’.
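The behaviour described above, modelled as an added Python example (not Invantive's code; the class and function names, organization names and sample IDs are constructed for illustration). It shows that a duplicate registration leaves no new data container behind, yet still invalidates the refresh token of the original one:

```python
from dataclasses import dataclass


class DuplicateIdentifier(Exception):
    """The app + user combination is already registered on a data container."""


@dataclass
class DataContainer:
    organization: str
    alias: str
    identifier: str                 # "<client ID>#<user ID>"
    refresh_token_valid: bool = True


def single_auth_identifier(client_id: str, user_id: str) -> str:
    # "#" is the separator, so it may not occur inside either part.
    if not client_id or not user_id or "#" in client_id + user_id:
        raise ValueError("client ID and user ID must be non-empty and free of '#'")
    return f"{client_id}#{user_id}"


class Registry:
    def __init__(self):
        self._containers = []       # data containers of all organizations

    def visible_to(self, organization):
        # A user only sees data containers of the own organization.
        return [c for c in self._containers if c.organization == organization]

    def register(self, organization, alias, client_id, user_id):
        ident = single_auth_identifier(client_id, user_id)
        # The Exact Online login has already run at this point, so refresh
        # tokens issued earlier for this app + user are no longer usable.
        for existing in self._containers:
            if existing.identifier == ident:
                existing.refresh_token_valid = False
                # The new container is not kept, and the message does not
                # reveal which organization holds the existing registration.
                raise DuplicateIdentifier(f"identifier {ident!r} is already in use")
        container = DataContainer(organization, alias, ident)
        self._containers.append(container)
        return container
```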
If the original registration falls within the current organization, then the authorization can be restored by following the steps at Easier renewal of authorizations on Invantive Cloud (itgenscr652).
If the original registration falls outside the current organization, then only a member of the other organization can restore it. Until then, this other organization is faced with confusing error messages such as the
If the other organization cannot be reached, please send an e-mail to email@example.com stating the single authentication identifier and the name of the current and other organization. After verification, this will be corrected by Invantive.
We advise users to always register databases within the organization belonging to the Exact Online subscription. It is not recommended that consultants themselves perform registration in their organization for an end customer; consultants can access customer databases via delegation.
The scenario above indicates that it is possible for one registration of an Exact Online app to exclude another. Therefore, for many apps such as Exact Online’s own app, expiration is turned off; these apps would otherwise have to resolve the aforementioned authorization issues in a manner similar to Invantive Cloud.