Channel: Forum Microsoft Identity Manager

Want to be the Microsoft TechNet FIM Guru for September?

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well-known community big hitters, show your knowledge and prowess in your favoured technologies!


sync-rule-required-attr-not-found after running a bad sync rule, unable to remove.

Hi all.
A little history: a few weeks ago I created a new sync rule on the FIM portal (we'll call it SR-WD) that imported some data from a file. This data was set at a lower precedence than the other MAs (mainly the old file import, which we'll call SR-PSE). Last week I changed the precedence on SR-WD to be higher than SR-PSE, and everything was fine until the new sync rules were taken into the MV. Now I'm getting errors of "sync-rule-required-attr-not-found" with little to no information (no stack trace).

I'm only getting 5000 errors, due to the default error limit (I've increased this as a test).

As I'm working blind, I double-checked a few things and noticed one of my SR attribute flows was wrong on the new SR-WD (custom expression), or at least it looked wrong to me. So I removed the attribute flow, to no avail. I have now removed the new SR completely.

After this I've done the normal full import and full sync, to no avail. I can see that related (good) attributes are still present on person objects but without an MA contributor.

I have generated a full sync XML file which shows the error but not which attribute it's looking for and not finding.

Any ideas on where I start looking now?



This is the error I get when trying to disconnect the MA (SR-PSE) from my person object.


I've checked the sync rule in the MV and found the SR-PSE sync rule and it still has an attribute flow that's no longer in the FIM portal (I removed it). Why wouldn't the sync rules sync?

Attribute Mapping with Advanced option allows multiple attributes to be selected. What is the meaning of that selection?

During attribute mapping, when the Advanced option is selected, it is handled by a rule extension.
Now, if you select a left-side attribute, you can at that time select multiple right-side attributes (CTRL + SHIFT).

What is the use of that?

SSPR and Google Authenticator

Hi,

I got a question from a customer the other day about the possibility to use Google Authenticator in SSPR for the OTP part after answering the security questions.

Does anyone know if this is possible?

Regards

Patrik

ECMA 2 not giving me all attributes in PutExportEntries with capabilities set to MAExportType.ObjectReplace

Hi,

I have an ECMA 2 MA and I'm trying to export complete objects to a target system when an object is updated.

I have set the MACapabilities to MAExportType.ObjectReplace so that I can access all attributes on the user, not only the changed one(s). But I can't seem to get it to work. When I run:

foreach (CSEntryChange csentryChange in csentries)
{
    foreach (string attribName in csentryChange.ChangedAttributeNames)
    {
        // ...
    }
}

The only attributes I can access are the changed ones. Does anyone have a clue on this? Is there a bug with the capabilities?

Regards

Patrik

Use email workflow on account creation to send mail to msidmOneTimePasswordEmailAddress

I am having some problems with a workflow.

I have populated msidmOneTimePasswordEmailAddress from the FIM portal; this is commonly an external account such as someone@hotmail.com or gmail.com etc. I know that address.

When I create a user I want the Email Notification workflow to use this msidmOneTimePasswordEmailAddress attribute to email the user. I have tested email with a user that is in the FIM portal and the default notification works fine, but I need to send this mail externally to a user.

Can anyone tell me what I need to put in the [//Target/SomeAttributeName] to do that, or how to extend the workflow parameters to expose this property?


Rob

FIM Sync service account and db_owner database role

Hello everyone,

My question is similar to an existing one, Minimum set of database role memberships for FIM Sync Service and FIM Service accounts, but considering that question got zero answers, I'll be more specific with mine.

Does anyone have experience lowering the FIM Sync service account database permission role from db_owner to ddl_admin (for the FIMSynchronizationService database, of course)?

Reason I ask is that I'm in an environment where the policy generally prohibits this type of configuration.  In the DBA's own words:

"DBO is inherently risky as it allows operations such as dropping/deleting the DB, also backing the DB up, potentially to somewhere other than the DB server."

Thanks!

MIM 2016: no-start-ma on AD MA export with Provision for Exchange 2010

I'm currently testing my upgraded MIM infrastructure. This infrastructure is a lab that had FIM 2010 in it and is now running MIM 2016. I've got most of my customizations working again with little to no issues. The MIM Sync service was installed according to these steps: http://setspn.blogspot.be/2015/08/fim-2010-not-r2-upgrade-to-mim-2016.html Perhaps there's an issue in that process...

The AD MA refuses to export when "Provision for" "Exchange 2010" is on... When I choose "No Provisioning", the AD MA exports without issues. I tried starting a remote PowerShell session from the Sync server to the Exchange RPS URI and that succeeds...

Errors in the event log:

The management agent controller encountered an unexpected error.

"ERR_: MMS(8228): ..\libutils.cpp(10186): Failed to start run because of undiagnosed MA error

Forefront Identity Manager 4.3.1935.0"

And

The management agent "AD_LAB" failed on run profile "E." because of an unspecified management agent error.

Additional Information

%3

Any Thoughts?

UPDATE: there's also an appcrash for mmsscrpt.exe

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: mmsscrpt.exe

P2: 4.3.1935.0


http://setspn.blogspot.com



Newbie - Source AD forest single OU one way sync Users & Groups to multiple forests

I have built my MIM 2016 platform based upon TechNet documentation in a dev lab and have my specified accounts from my source forest in the Metaverse. I'm new to MIM and looking for any related documentation to make this first project easier. In the lab I have my source forest, for which I have created an ADMA & MIMMA. For each of my 3 remote forests that I want to sync / export to, I have created an ADMA.

I'm looking for any guidance on getting the target ADMAs to export and write Users & Groups to the remote forest.

Thanks, Stu

Functions supported by FIM Function evaluator Workflow activity

I was having a problem using the Length function in a FIM Workflow activity and got the following answer:

Length isn't a function supported by the FIM Function evaluator Workflow activity. (Which is frustrating).

I find this to be very true. It just leads me to wonder what other functions are not supported and if there is any reference for this. I would rather not find out through trial and error.

Thanks, J.Greene


FIM Sync DB Maintenance

Hi,

In a little over 3 months our FIM Sync database has grown to over 30GB.

At the SQL database level, there do not appear to be any default jobs to archive/purge data. Is there anything in FIM Sync itself - other than clearing the Run Profile history?

Do FIM SQL backups do anything?

I assume the FIM Sync database is just expected to grow over time?

Thanks,

SK

Unable to Install MIM 2016 SyncServices

Hi,

When installing MIM Synchronization Service I keep getting this error:

Product: Microsoft Identity Manager Synchronization Service -- Error 25009.The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database. <hr=0x80131700>

- Setup-User is admin on MIM Server and SA on remote SQL Instance. Any Idea?
- It's a new MIM Installation & SQL native Client is installed
- The defined SA has no SQL Login and the DB does not exist on the SQL Instance

best regards

Pirmin

Search account name and unlock disabled user

Hi

Forgive me, I am looking at a way to script searching for a user in FIM and changing the singlevalueattribute account locked false to account unlocked true.

I have trawled the internet to no avail :(

Ideas?

Thanks

Darren


darren hitchen

miisactivate FIM 2010 error

Hi All,

First-time post. Hope you can help. When I run the miisactivate command to enable a DR sync server with my account (Local Admin on the server),

I receive the error "Login Failed for User 'Mydomain\loginid'"

However, a user with Domain Admin rights can run the command successfully.

The command that I run is miisactivate "%Path%\fimSync_Encryptionkey_backup.bin"  Service AccountID

Does this require Domain Admin level to run, or is there something else I may require?

Regards

"HTTP Error 503 The service is unavailable" error after restoring backup

I've restored a backup on a test machine, to check if I can reproduce a problem I recently had after an update.

The installation went fine, but if I try to access the portal I just get "HTTP Error 503. The service is unavailable."

Checking the event log, I see some errors like this:

Workflow host activation failed for workflow definition id : dc9515e6-8883-4101-96f4-23e19b66cb9f, version key: 197. Exception: Object reference not set to an instance of an object.   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.RetrieveWorkflowDataForHostActivator()

The service seems to be otherwise working, e.g. I can query objects with PowerShell cmdlets.

Any idea what the problem could be?


Paolo Tedesco - http://cern.ch/idm


Workflow notification activity

I am writing a workflow to send email notification to an external email address stored in FIM under the variable ExternalEmail. While I am doing a Lookup for the Recipients, when I am selecting "Target" as Workflow Parameter, I do not see ExternalEmail among the Parameter Attributes. Basically, I want to setup something like [//Target/ExternalEmail] as the Recipient. How can I achieve that? 

FIM sync force update on attribute that hasn't changed.

Morning,

I have been asked to update CustomAttribute1 in Azure to populate the Address Books in Exchange Online, when I tried it failed stating that this was controlled by FIM.

I thought about running the same commands on our Exchange users online to trigger a sync up to Azure, but was told that FIM would check AD and compare it against its own copy and see that there were no changes, so it won't cause a sync.

Is there a way in FIM to take the value of CustomAttribute1 and force it to sync to Azure even if it hasn't changed?


.: Lister :.

FIM PowerShell Management Agent - the object reference not set to an instance of an object

Hi There

I've been running into the following problem when trying to import from my Management Agent, based on Soren Granfeldt's PowerShell MA. In FIM it says "stopped-extensible-extension-error". 

The log contains the following text (and some more which I figured wasn't important for my issue):

07.09.2015 06:11:08: Invoking import script: d:\daten\xml-agent\import.ps1
07.09.2015 06:11:08: Should impersonate: False
07.09.2015 06:11:10: Page token returned: ''
07.09.2015 06:11:10: Custom data returned: ''
07.09.2015 06:11:10: Object(s) in pipeline: 2
07.09.2015 06:11:10: System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
07.09.2015 06:11:10: Leave InvokeImportEntryWorker->GetImportEntries

"Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt" is German for "the object reference not set to an instance of an object".

This is my import script:

param
(
	$Username = "",
	$Password = ""
)

[xml]$content = Get-Content -Encoding UTF8 -Path "D:\daten\XML-Agent\Export.xml"
$mitarbeiter = $content.SelectNodes("/Header/MITARBEITER_LISTE/item")


foreach ( $item in $mitarbeiter ){
    $name = $item.NAME
    $vorname = $item.VORNAME
    $persnr = $item.PERSONALNR


    $obj = @{}
    $obj.Add("id", "$persnr")
    $obj.Add("sn", "$name")
    $obj.Add("givenName", "$vorname")
    $obj.Add("objectClass","user")
    $obj
}

This is my schema-script:

$obj = New-Object -Type PSCustomObject
$obj | Add-Member -Type NoteProperty -Name "Anchor-id|String" -Value "123456"
$obj | Add-Member -Type NoteProperty -Name "objectClass|String" -Value "person"
$obj | Add-Member -Type NoteProperty -Name "givenName|String" -Value "Peter"
$obj | Add-Member -Type NoteProperty -Name "sn|String" -Value "Muster"
$obj

I will appreciate any advice to solve my problem.
Thanks
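
An added consistency check for the two scripts in the post above (example code, not part of the original post or of the PowerShell MA project): it compares what the import script emits with what the schema script declares and lists every object class, anchor or attribute name that does not line up. The function names are hypothetical, the import sample is constructed, and treating the "Anchor-" prefix as the anchor marker is an assumption taken from the property names in the post; the page does not establish whether a mismatch is the cause of the exception.

```powershell
# Added example, not code from the post or from the PowerShell MA project.
# Function names are hypothetical; "Anchor-" is assumed to mark the anchor.

# Schema object with the "Name|Type" property names from the schema script.
$schema = [pscustomobject]@{
    'Anchor-id|String'   = '123456'
    'objectClass|String' = 'person'
    'givenName|String'   = 'Peter'
    'sn|String'          = 'Muster'
}
# Constructed sample of what the import script emits for one <item>.
$imported = @(
    @{ id = '1001'; sn = 'Muster'; givenName = 'Peter'; objectClass = 'user' }
)

function Get-DeclaredSchema {
    param([Parameter(Mandatory)] $SchemaObject)
    $attrs  = @{}
    $anchor = $null
    foreach ($p in $SchemaObject.PSObject.Properties) {
        # "sn|String" -> name "sn", type "String"
        $name, $type = $p.Name -split '\|', 2
        if ($name -like 'Anchor-*') { $name = $name.Substring(7); $anchor = $name }
        $attrs[$name] = $type
    }
    [pscustomobject]@{
        ObjectClass = $SchemaObject.'objectClass|String'
        Anchor      = $anchor
        Attributes  = $attrs
    }
}

function Test-ImportObject {
    param([Parameter(Mandatory)] [hashtable] $Entry,
          [Parameter(Mandatory)] $Declared)
    $problems = @()
    if ($Entry['objectClass'] -ne $Declared.ObjectClass) {
        $problems += "objectClass '$($Entry['objectClass'])' is not declared (schema has '$($Declared.ObjectClass)')"
    }
    if ($Declared.Anchor -and [string]::IsNullOrEmpty($Entry[$Declared.Anchor])) {
        $problems += "anchor '$($Declared.Anchor)' is missing or empty"
    }
    foreach ($key in $Entry.Keys) {
        if (-not $Declared.Attributes.ContainsKey($key)) { $problems += "attribute '$key' is not in the schema" }
    }
    $problems   # empty when the entry matches the declared schema
}

$declared = Get-DeclaredSchema -SchemaObject $schema
foreach ($entry in $imported) { Test-ImportObject -Entry $entry -Declared $declared }
```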


Advanced mapping reference attribute

Hello, 

I'm trying to use advanced mapping for the manager attribute on export for an ADLDS management agent, but it's not permitted.

Actually, I want to synchronize the manager attribute from AD to ADLDS, but the DN is not calculated by the same rule:

in AD cn=toto,DC=contoso,DC=com

in ADLDS cn=toto,OU=Users,DC=contoso,DC=com

Any idea?

Regards

WorkflowDataExchangeException: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ResourceIsMissing

Hi 

I use a custom workflow to create account names in the portal... at some stage the workflow stopped working producing the below error in the portal requests...

Microsoft.ResourceManagement.WorkflowDataExchangeException: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ResourceIsMissing
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessGetWorkItem(ReadRequestWorkItem readWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)
   at Microsoft.ResourceManagement.Workflow.Activities.ReadResourceActivity.ProcessRequestResponse(Object sender, QueueEventArgs e)
   at System.Workflow.ComponentModel.ActivityExecutorDelegateInfo`1.ActivityExecutorDelegateOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()

Permission denied suggests an MPR, but I'm not entirely sure which one.
The workflow runs under the context of the built-in admin account, as evidenced by the code snippet from the cs file below...

  const string FIMADMIN_GUID = "7fb2b853-24f0-4498-9534-4e10589723c4";

Any guidance appreciated.
