Just wondering are there any guides how to create own "normal" reports for FIM. For example if I need a report which lists all users in FIM, how can I do that?

Hello,

I would like to know if it's still impossible to reset an expired password or a temporary password from an external web portal with FIM 2010 R2 ? I read in this thread that it was still impossible in FIM 2010, so I wanted to know if R2 changed this behavior ?

http://social.technet.microsoft.com/Forums/en-US/c5bd39b6-5bbe-4ca7-8036-634cedf042f9/will-fim-2010-allow-users-to-reset-expired-passwords-from-an-external-portal-website

We are considering FIM so that both our internal users and our external users and partners can reset their password from any computer anywhere, either domain joined computers, or not.

Thank you very much and have a nice day,

Konnan

Understanding XP Mode, the key to success

Hi All,

I have scoured the forum for a solution to my problem, and I have found similar threads, but  none of the proposed fixes have yielded a solution.

I have a sandbox environment based on the FIM 2010 R2 RC Test Lab Guide configuration.

I have a FIM 2010 R2 RC installation, with the Identity Managment portal on one FIM server, and the password registration/reset on another.

I have a Windows 7 x64 client running Office Professional Plus 2010, and have installed the FIM Outlook 2010 add-ins and extensions.  I have made sure that I have the client requisites installed, although this is based on documentation for Outlook 2007:

Actions .NET Programmability Support

Microsoft Forms 2.0 .NET Programmability Support

Windows installer isn't a problem as it's Windows 7 from what I can tell, it's already available and doesn't require a separate install.  SmartTag .NET Programmability Support doesn't show as an option in the Office Tools in the Office 2010 installation, so I don't know if it's deprecated for Office 2010 or changed to something else.

I have verified that the e-mail addresses for the users trying to join groups show correctly in both the FIM portal as well as the GAL. I have also verified that the FIMService account is mail-enabled and is entered correctly in the Microsoft.ForefrontIdentityManager.exe.config file (I'm assuming it's not case sensitive).

Here is the excerpt form that file:

****************************************************

<appSettings>

<add key="mailserver" value="server.corp.contoso.com" />

<add key="isExchange" value=0" />

<add key="sendAsAddress" value=FIMService@corp.contoso.com />

<add key="synchronizationServerName" value="FIM1" />

****************************************************

The Exchange server is 2010, so I believe the "isExchangeServer" value is correct set at 0.  I have seen other configurations prepending https:// to the mailServer value, but again, I don't believe this is required for Exchange 2010 (please correct me if I'm wrong).

Basically, the user logged into Windows 7 can see the Groups button on the Outlook client.  They can send the e-mail requesting a join, but the e-mail never gets to the owner of the distribution list (I've verified the owners are correct in the FIM portal).  The e-mails do however get to the FIMService e-mail account; I have logged in to OWA with FIMService and verified this.  So the hand-off to the owners isn't happening.  Additionally, if I manually approve a group join request in the FIM portal, the owner will get the e-mail but there is no "approve" option anywhere.

Troubleshooting steps I've taken:

1) I can request/approve joins/leaves if I use the FIM Identity Management portal.

2) I have attempted to change the Active-x by using steps described to remove it from the Tools option in Outlook and re-add it, no luck.

3). I have logged onto the https://EX1/ews/exchange.asmx website on the FIM Server, both as the Administrator of the domain as well as the FIM Service.  It does show me a certificate error warning "The security certificate presented by this website was issued for a different websites's address", but does allow me to click "Continue to this website", and if I do, it does show me the Service.wsdl file.

I also have checked Exchange 2010 to make sure nothing appears odd.  The fact the e-mail does show up in the FIMService account tells me the client e-mail is being handled by the Exchange server; it's just not handling the e-mail to send a request to the group owner. Since this is a sandbox environment, I do not believe any permission groups regarding the hub transport to allow anonymous need to be changed for either client or default under receive connectors, but please again, correct me if I'm wrong.

I have also enabled tracing, but haven't seen anything definitive yet in the application logs for the FIMService that point me in the right direction.

Again, I know this question has been asked already, but I've tried to hunt down the problem based on what I've read in the forums and haven't had any luck yet.

Many thanks,

-Martin

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker

#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes o become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Hey everyone, I'm trying to install MIM 2015 in a lab environment and I have run into a problem.

The lab environment consists of the following.

1 - domain controller 2012 R2 (dc.alpha.domain.com)
1 - Exchange 2013 Server (Exchange13.alpha.domain.com)
1 - MIM Sync Server (Server 2012 R2 with SQL 2012) (MIMSync.alpha.domain.com)
1 - MIM Portal Server ( Sharepoint Foundation 2013) (MIMPortal.alpha.domain.com)

Everytime I try to install the Service & Portal, the installation simply ends saying that the MIM Wizard ended prematurely. It doesn't tell me why or what went wrong.

To give you a little background on the environment, the MIM Sync machine is running Windows Server 2012 R2 and already has MIM Synchronization Service installed with its own SQL 2012.

There is another machine running Windows Server 2012 which is the Service & Portal machine. It is running on Windows Server 2012 as well as SharePoint 2013 Foundation. (All SQL databases are stored on MIMSync.Alpha.domain.com)  I have followed the lab guide however I still receive the error message any advice is greatly appreciated. 

Since the error is so vague, I ran a log file with Verbose to see what the problem could be, however this log does not make any sense to me. I have attached the log file to this post in hopes that somebody can assist in decoding this for me. 

MIM Error Log

Hi All,

I do not see the Delta Import profile in SQL MA in FIM 2010 SP1, does Delta Import in SQL MA  is deprecated from FIM 2010 SP1.

Regards,
Anirban Singha

Hello,

I have a problem when I'm installing Service and Portal. Everything is good whrn I setup MSI, I can connect to SQL server, but at this end of installation I have this error :

"The Forefront Identity Manager server database could not be successfully deployed. Error: Length cannot be less than zero. Parameter name: Length"

Error in eventviewer :

"Product: Forefront Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action DeployAndPopulateDatabase, location: C:\Windows\Installer\MSI4285.tmp, command: installApp=FIM action=DeployAndPopulateDatabase databaseName=FimService namespaceName="fim" datFilesInstallDir="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Data" sqlserverName=BASYOASQL01I, 65140 FIMServiceAccountDomain=intopen FIMServiceAccountName=s-fim-service SyncServiceAccountDomain=INTOPEN SyncServiceAccountName=s-fim-ma RunningUserDomain=***OPEN RunningUserName=admin.yoa RunningUserEmail= CreateDatabase=True"

Account used to install is sysadmin on SQL server and user domain. SPNs have been configured too.

My platform

FIM :

- Windows std 2008 R2 US

- Natif client 2008 R2

- Fim service synchronization has been installed

SQL Cluster :

- Windows SQL 2008 R2

Hope this helps

Yoann

On the inbound attribute flow page I select the source attribute samAccountName.  However the Destination attribute list does not have samAccountName.  There is an account name.

I am following this documentation:  https://technet.microsoft.com/en-us/library/mt219040.aspx

I am new to MIM 2016 and have never used FIM 2010 and this is an installation in our test lab.

I tried to set up concatenate for the attribute but this did not work.

Any ideas are appreciated.

Thank you!

kathy4270

Hi!

Im using the lcs sync tool from Microsoft.

It is basicly some predefined xml files for AD MA's, a metaverse extension dll and a rules Extension dll.

The thing is, that it is complied against FIM2010 Microsoft.MetadirectoryServices.dll and Microsoft.MetadirectoryServicesEX.dll so it will not run on a MIM2016 Sync Engine.

anyone has an idea, where to request an updated version?

Regards,

Søren

Hi,

New hybrid reporting feature at the first step writes data into event log. Can I use just this part (without installing agent which pulls data into azure)?

Is the reporting feature which should write requests data into event log enabled by default? How to enable this (if not enabled)? How often data are written to event log (are they written online or in some schedule)?

Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

My User ADMA sync rule does not delete target objects, but will create, modify, password sync, enable, disable, etc.

I am syncing users and a group from my primary forest one-way into what will be many customer forests.  This will allow our engineers to be Admins for these customer forests with their passwords synced.

I morph my user objects in the outbound User sync rule to ensure that there will be no name collisions in any customer forest:  Could this be the cause?

accountName+"-ACME"=>sAMAccountName

accountName=>msDS-cloudExtensionAttribute15  (existence test)

"CN="+aacountName+"ACME"+",OU=ACME Users,DC=LABForest1,DC=corp"=>dn  (Initial flow Only)

displayName+" (ACME)"=>displayName

My sync rule Relationship Criteria is:  accountName = sAMAccountName

On my primary inbound ADMA I have flow errors on the two deleted user accounts

• Error: extension-dll-exception.
• Sync step: export flow
• occurrences..
• Retry count: 33
• extension name: FunctionLibrary.dll
• extension rule: export flow
• extension context:  <export-flow allows-null="true"><src><attr>displayName</attr></src><dest>displayName</dest><scoping></scoping><fn id="+" isCustomExpression="false"><arg>displayName</arg><arg>" (EdgeTG)"</arg></fn></export-flow>
• Destination MA:  ADMA-LABForest1
• Destination Object: CN=TestUser2-ACME,OU=ACME Users,DC=LABForest1,DC=corp
• Mapping type: direct
• Data source attribute: sAMAccountName

Call Stack:

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'LABForest1 User Outbound Sync Rule'. Details: Object reference not set to an instance of an object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

Thanks, Stu

Getting the following error after running the core install procedures.  I've confirmed each pre-requisite.  Installing as the BHOLD service account which has local admin and domain admin membership, also has sqladmin rights on the SQL server DB. 

Product: Microsoft BHOLD Suite - Core -- Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.  Custom action CA_CoreProductGetWebsiteExists script error -2147217389, : Line 70, Column 1, 

Some additional information.

• Running latest version of Silverlight 5.1 (version 4 is mentioned in the guide)
• I'm installing on the same server where FIM Portal/Service and the Sync engine reside, we have a SQL server on another machine that I'm pointing to during install.
• Windows Internal DB (for portal) and FIM services are running.
• I noticed Windows Installer keeps shutting off, but have run through the install attempt while it was running.  Same failed result.  I ran the Microsoft Fixit Utility to see if something broke with the installed, it reported that it did not find anything....perhaps that tool shut it off?

Anyway, have the same result. Install fails with a Core Setup window stating.  There is a problem with this Windows Installer package.  A script required for this install to complete could not be run.  Call Bill, er Steve, for help.

Hello Everyone,

Need your help/guidance in one of the issues I had encountered recently. I have to test few things on an assigned development server having FIM 2010 installed. This server is not in regular use.

Almost all of the MA sync runs are failing with "stopped-extension-dll-exception" error. Below are more details:

Event Log for one of the failed MA sync run is :

General Tab

"

"

Details Tab

"

"

From the imported user records, I had tried to project one of the user record into Metaverse using Joiner, and the projection is of type  "Declared" for the MA i tried with, but still getting same error in the joiner as well, below is the screen shot:

Any help in this regards is highly appreciated.

Regards,

RS

Howdy all,

I have an existing file ma connector with an attribute "manager" as type string. I would like to change the attribute to a Reference(DN). When I follow the instructions and try to import per the TN article: http://social.technet.microsoft.com/wiki/contents/articles/16056.troubleshooting-fim-sync-rule-invalid-xml-attribute-flow.aspx

I get "sync-rule-invalid-xml-attribute-flow". I feel this is because the data currently contained in the CS is still of type string and I am getting a mismatch. How do I clear this out of the File and the FIMDB CS so that it can be replaced with the new data type?

Thanks!

Is it possible to add a hyperlink to the FIM 2010 R2 sspr success page after a password reset?

I know you can customize text by modifying the strings.resource file, but I can't seem to add a hyperlink.

If I type out the HTML tag it doesn't work.

Cheers

IT Support/Everything

I am trying to install BHOLD Core. The wizard ended prematurely because of an error.

Verbose logging is saying this:

he property 'SqlStatements' was found with value 'AddLoginB1User1,AddLoginB1User2,AddLoginB1User3,AddRoleB1User,StartInternalProcess,SetAdministrator1,SetAdministrator2,SetDomain'
The property 'AddLoginB1User1' was found with value 'EXEC sp_grantlogin '
Executing SQL command in property 'AddLoginB1User1'
Error: System.Data.SqlClient.SqlException: Windows NT user or group 'fim.com\BHOLDApplicationGroup' not found. Check the name again.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at DBUpgraderCA.CustomActions.UpgradeDB(Session session) on query: EXEC sp_grantlogin
Error executing custom sql-statementsSystem.Data.SqlClient.SqlException: Windows NT user or group 'fim.com\BHOLDApplicationGroup' not found. Check the name again.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at DBUpgraderCA.CustomActions.UpgradeDB(Session session)
CustomAction CoreDBUpgradeCA returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Which is weird because the group name is definately correct. Also when I am trying to access the BHOLD portal, I am getting this:

Access to BHOLD is refused for the following reason(s):
Username unknown

Hi

We are trying to use FIM to provision users in Lotus Domino 9, and can create users in the names and addressbook including ID file, but when the mailfile is created, 3 seconds later the mailfile gets deleted again.

The errorcode is: 0x80230709 (unexpected-error)

Anyone else seeing this error and knows how to solve it?