Channel: Forum Microsoft Identity Manager

FIMSynchronization Service not starting - O365 Dirsync


Hi,

I have Dirsync installed for O365 and it's been working perfectly for the past couple of weeks, but when I logged on today the FIM service was stopped, and when I tried to start it I got the errors below. The account obviously does have full access to the reg key, as it has been working.

Log Name:      Application
Source:        FIMSynchronizationService
Date:          04/08/2013 14:07:58
Event ID:      6208
Task Category: Database
The server encryption keys could not be accessed. 
 User Action
 Verify that the service account has permissions to the following registry key:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service
 

The Forefront Identity Manager Synchronization Service service terminated with the following service-specific error:

%%2149781504


Celtic


What will happen if connected CS object is disconnecte from Metaverse Object ?


We use MIIS for galsync.

If some MA is connected to a metaverse person object,

and that MA has an import flow and has imported some values to the person object, and that CS object is then disconnected from the person object, what will happen to the person object?

Will those person attribute values which were imported from that MA disappear when disconnected?

"user must change the password at next logon...." and Novell MA


Hello,

I am using ILM 2007 to sync users from AD to Novell eDir (and PCNS to sync passwords). Everything is working very well, but now I have a problem. My client asks me to also sync the password reset. I mean, when the help desk operator resets a password in AD for a user, he checks the "user must change the password at next logon" check box. This won't be synced to Novell (which uses another way to ask for a new password), and so the users can use the temporary password to log in to Novell without being prompted for a new password.

Novell uses the attribute "passwordExpirationTime", which must be set to a date in the past (so for Novell the password is expired and it asks for a new one). In AD, when "user must change the password at next logon" is checked, the attribute "pwdLastSet" is forced to ZERO.

I can manage this using a management agent extension to transform "pwdLastSet=0" to "passwordExpirationTime=01/01/1992". But the problem is that passwords are synchronized in real time, while the pwdLastSet attribute is synchronized only based on the run profile scheduling. I can't be sure that right after a password sync, a delta sync is run.

I know that I can write a password extension, but probably I cannot use it with the Novell MA, is that right? Do I have to write a new MA as well?

Thanks !


Bodo

Set based on expiration time is not present


I'm trying to create a set that will include a date field that I would like to check if one is not present. Obviously this can't be done through adding statements, due to the lack of "is present" & "is not present". Would be nice to have, considering the sync manager has these. I know the filter below is for "expirationtime is present"... but that doesn't work either.

I received an error when trying to add this to the filter:

<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(EmployeeType = 'Employee') and (EmergencyTerm = False) and (EmployeeEndDate &lt; fn:current-dateTime()) and (ExpirationTime,'%')]</Filter>

Thoughts?


FIM Error:: Unable to connect to Synchronization Service


Hi! After installing SharePoint 2010 Foundation on Windows Server 2008 R2 Standard, where there is IIS 7.0, I installed FIM Synchronization Service. After successful installation, when I open Synchronization Service it throws the error below:

Unable to connect to the Synchronization Service.

Some possible reasons are:
1) The service is not started.
2) Your account is not a member of a required security group.

See the Synchronization Service documentation for details

1) Here I have made the setspn account for the user accounts SPService and FIMService.

2) FIMSynchService is the user account which I am using when installing FIM Synchronization Service.

FIM Sync service not starting


I am getting the following error when trying to start the FIM sync service:-

Windows could not start the Forefront Identity Manager Synchronization Service service on Local Computer. Error 5: Access is denied.

And this is what is in the application logs:-

The server encountered an unexpected error and stopped.

"BAIL: MMS(5472): d:\bt\800\private\source\miis\server\server\service.cpp(2260): 0x80070005 (Access is denied.)

BAIL: MMS(5472): d:\bt\800\private\source\miis\server\server\service.cpp(1088): 0x80070005 (Access is denied.)

Forefront Identity Manager 4.1.3419.0"

Any HELP please.....


How to update an extension dll


Are there any documents, or could someone let me know, how to update an extension dll? I have some code that needs to be updated and have never compiled one before.

Thanks!

Handling export-only attributes in ECMA2


I am creating an ECMA2 MA.

I have a couple of metaverse attributes, that I use ONLY when exporting - and that I cannot read back in an import, because they are not stored anywhere. 

So the export works fine, but when I then try to Import, I get "exported-change-not-reimported" errors.

How can I avoid that?

One workaround is to define a constant import for an export-only attribute. This will not get rid of the "exported-change-not-reimported" errors on first import, but on subsequent export/import cycles, the constant value will have taken over, and I will not get the error again. Feels like a dirty hack though, since I still get the error first time around.

Another workaround could be to store the export-only values in a file or something, so I can import them again, but that seems like a lot of trouble for no value - and just another dirty hack. 

If anybody is wondering "why would you export something, that you cannot import again":

An example is that on export I supply a geographic identifier, to determine which mailstore a new shared mailbox (exchange) should be created in. That geographic id is never stored anywhere, as it is only used temporarily.


---Sig---


UocDropDownList does not display values when containing international characters


Hi,

I have a dropdown control in the FIM portal where the values specified in the attribute's regular expression validation contain international characters. For example: ^(Administratör|Förman|Säkerhetschef)?$

When selecting this dropdown in the portal it is empty. If I modify the validation to ^(Administrator|Forman|Sakerhetschef)?$ the control renders correctly and displays the values. I get the same behaviour when values contain other chars like ( or ).

Is it possible to get around this limitation, or is this by design? I have seen some other threads about using a custom resource type to solve the limitation with large dropdowns containing many values. I guess that could be a solution to this as well, if the identity picker control can handle objects with international chars. But before I go for that solution I thought I'd seek a simpler one if it exists.

Regards

Patrik

What tasks can a FIM operators group member do?


We plan to introduce FIM.

What tasks can a FIM operators group member do?

Issue with an XMA that someone else wrote


Hello

I'm struggling with moving the extensible MA by PoshCompany between machines: I'm moving from the Development environment to the pre-Live environment. I suspect that this is a more general question about an extensible management agent which has been developed by someone else, but it's driving me nutso.

I've copied over the .dll, and I've had the web service set up correctly. I've double checked that both machines are running the same version of .NET (3.5.1). I've copied a .avp file hither and thither, but it doesn't seem to matter where said file is (it has been moved several times on the Development machine).

Every single time I try to run my initial import, I get an error 'stopped-extension-dll-load'. The Application Event Log gives me event ID 6166, qualifier 49152, with the further information: "The run step stopped because a configured extension for this management agent could not be loaded. Verify that the extension is loaded in the Extensions Directory. If the extension is present, confirm that the version of the .NET framework that can run the extension is installed on the server and that a supportedRuntimes entry in the configurations files specifies that version. The synchronization engine will not be able to load an extension that is built with a newer version of the .NET framework than the version of the .NET runtime it is hosting." I've double checked the relevant .config file in the extensions folder - it doesn't have a supportedRuntimes entry. And, given that the .dll dates from July 2011, I doubt that the problem is that it's been built with a newer version of .NET than that which is currently installed!

There are no errors in the Forefront Identity Manager eventlog when checking in eventviewer.

I've worked my way through http://social.technet.microsoft.com/wiki/contents/articles/17550.troubleshooting-fim-event-id-6152-stopped-extension-dll-load.aspx

The runtime section of miis.config.exe looks like this in the source:

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.0.0" />
</dependentAssembly>

and this in the destination:

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.1.0" />
<bindingRedirect oldVersion="4.0.0.0" newVersion="4.0.1.0" />
</dependentAssembly>

Until I updated it to look like this:

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.2.0" />
<bindingRedirect oldVersion="4.0.0.0" newVersion="4.0.2.0" />
<bindingRedirect oldVersion="4.0.1.0" newVersion="4.0.2.0" />
</dependentAssembly>

Which didn't help.

Then I changed it to:

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.0.0" />
</dependentAssembly>

Also, no joy. So I went back to where I'd been in the first place for the destination, double checked mnsscrpt.exe.config and created dllhost.exe.configwo as per http://support.microsoft.com/kb/2635086

I'm running 4.0.3594.2 in the DEV environment, and 4.0.3606.2 in the pre-Live environment.

All this leads me to believe that my next step is to recompile the .dll? It's probably a Good Thing that I do have access to the original code.

Any further ideas appreciated...

Jane

state machine workflow


Hi. How can I create a state machine workflow to approve my request after 3 days if my manager does not approve it?

If he approves it before 3 days, the process has to continue.

Please help me with this.

Home Directory Custom PowerShell Workflow


I have attached a screenshot of the Custom PowerShell workflow used to create, attach, and apply permissions for a user and their home directory when creating a new user in FIM.


Param($SamName,$SiteCode)

Import-Module ActiveDirectory

# Change these to work with FIM
#$SamName = $args[0]
#$SiteCode = $args[1]

# Log the parameters the workflow was called with
$Spacer="  "
$SamName,$Spacer,$SiteCode | Out-File -FilePath c:\PSscripts\HomeDir.Log

# Set Home Directory Path (stays $null when the site code is not recognised,
# so nothing below runs for an unknown site)
$homedir = $null
switch ($SiteCode)
{
    SITE1 {$homedir = "\\HOMEDIRECTORYPATH\"+$SamName}
    SITE2 {$homedir = "\\HOMEDIRECTORYPATH\"+$SamName}
    SITE3 {$homedir = "\\HOMEDIRECTORYPATH\"+$SamName}
    default {$homedir = $null}
}

if ($homedir){
    # Create Home Directory
    mkdir $homedir

    # Assign Access Rights: grant the user Full Control, inherited by
    # subfolders (ContainerInherit) and files (ObjectInherit)
    $account="YOURDOMAINHERE\"+$SamName
    $rights=[System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritance=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation=[System.Security.AccessControl.PropagationFlags]::None
    $allowdeny=[System.Security.AccessControl.AccessControlType]::Allow

    $dirACE=New-Object System.Security.AccessControl.FileSystemAccessRule ($account,$rights,$inheritance,$propagation,$allowdeny)
    $dirACL=Get-Acl $homedir
    $dirACL.AddAccessRule($dirACE)
    Set-Acl $homedir $dirACL

    # Assign AD Attributes: point the user at the new share as drive H:
    Set-ADUser -Identity $SamName -Replace @{homeDirectory=$homedir;homeDrive="H:"} -Confirm:$false -CannotChangePassword:$true
}
Return "Success"


Anthony Marsiglia

Is it possible to hide attributes in an RCDC if a particular value is true?

You can base the visibility of an attribute in an RCDC off of a boolean attribute by binding it to the my:Visible property:

<my:Control my:Name="PositionRef" my:TypeName="UocIdentityPicker" my:Caption="Position Reference" my:Description="%SYMBOL_PositionRefDescription_END%" my:Hint="%SYMBOL_PositionRefHint_END%"
my:Visible="{Binding Source=object, Path=IsInChris21, Mode=TwoWay}"

Is it possible to set this using the inverse of the attribute instead? In other words, when it's true, to hide a control instead? 

PeoplePicker showing DisplayName


Hello pips!

Does anybody know if it is possible to have the PeoplePicker show another attribute than DisplayName when you have selected an object?

I don't use DisplayName on the given object type, and therefore the list is "empty" even though I selected one.


Regards, Remi www.iamblogg.com


Provisioning Sharepoint 2013 with FIM 2010R2


Hi guys,

I'm using SP2013 Ent in my environment and currently have FIM 2010 R2 installed on a different server with SP 2013 Foundation. Is it possible to provision users from AD to the SP2013 Ent portal, or do I need to reinstall FIM on the same portal where UPS is?

And one more sub-question: I have AD users in the FIM metaverse, but when I open the Users page on the FIM portal I can see only the FIMSERVICE account. Do I need to provision users from the metaverse to the FIM portal, or is FIM portal Users just a group of management accounts?

Need to create a script on MIIS


Would someone help me in creating a script that reads from a CSV file to disconnect objects from a CS? Only one connector needs to be disabled from an object that has 3 connectors.

I'm using MIIS Server 2003 SP2, and Windows Server 2003 Enterprise SP2.

FIM CM 2010r2 issue with Cluster CA


Hello to All,

Description of the problem:

Our organization has an Enterprise CA installed in a failover cluster; the cluster works in active/passive mode. After successful installation of the FIM 2010 R2 CM Server, in addition we installed the FIM CA module on each node of the CA and configured the Exit module for connectivity to the SQL database. We checked the proper connectivity of the CA servers to the SQL database via the SQL FIM DB table "Certificate Authority", and we saw two of the physical CA servers registered in this table "Certificate Authority" - for this step everything looks successful.

1. The main problem: when I want to set and configure a certificate template of the CA in a Profile Template of FIM CM, the system gives the error: CcertAdmin::GetCAPropertyFlags: The RPC Server is unavailable. 0x800706ba

2. Another thing that is not clear: why, in the SQL FIM DB table "Certificate Authority", are the physical CA servers (nodes) registered and not the virtual CA name server (VIP cluster name), since it's a cluster?

*When I work with only one CA (node) server that is registered in the SQL FIM DB table "Certificate Authority", I'm not experiencing the problem.

Any ideas / help please for my issue.

Thanks

Code question...

I'm having an issue when trying to do a check to see if an attribute is present or if the attribute has a value of not true, but when using the code snip below, the sync server returns a bunch of "extension-attribute-not-present" errors stating: Microsoft.MetadirectoryServices.AttributeNotPresentException: Attribute "Attribute1" is not present. When I remove the "Or Not mventry("Attribute").Value = "True" Then" piece, it will run without errors, but skips accounts that should be run through the rest of the script to evaluate if the person should be termed or not. Basically, I would like to check to see if the attribute is present or not true. Any ideas?

  If Not mventry("Attribute1").IsPresent Or Not mventry("Attribute").Value = "True" Then
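The failure mode in the post above comes from VB.NET's Or operator, which evaluates both operands even when the left one is already True, so mventry(...).Value is read on an attribute that is not present. The following is an added example and not the poster's code: it shows the same check written with OrElse, which stops evaluating as soon as the presence test fails, next to the non-short-circuit form for comparison. The attribute name "Attribute1" is a placeholder; note that the posted condition names two different attributes ("Attribute1" and "Attribute"), and if those really are distinct attributes each one needs its own IsPresent guard. The comparison against "True" assumes the attribute's string form, as in the post; for a Boolean-typed metaverse attribute, BooleanValue avoids the string comparison.

```vbnet
' Added example, not the poster's code. Shows why the posted Or form throws
' and how OrElse avoids reading the value of a missing attribute.
' "Attribute1" is a placeholder attribute name.
Imports Microsoft.MetadirectoryServices

Public Module AttributeChecks

    ' Returns True when the metaverse attribute is absent or holds a value other
    ' than "True". OrElse evaluates the right-hand operand only when the left one
    ' is False, so .Value is never read on an attribute that is not present.
    Public Function IsAbsentOrNotTrue(ByVal mventry As MVEntry, ByVal attrName As String) As Boolean
        Return Not mventry(attrName).IsPresent OrElse Not mventry(attrName).Value = "True"
    End Function

    ' Same intent written with Or, as in the posted snippet. Or does not
    ' short-circuit: mventry(attrName).Value is evaluated even when IsPresent is
    ' False, and that read raises AttributeNotPresentException.
    Public Function IsAbsentOrNotTrue_NonShortCircuit(ByVal mventry As MVEntry, ByVal attrName As String) As Boolean
        Return Not mventry(attrName).IsPresent Or Not mventry(attrName).Value = "True"
    End Function

    ' Variant for a Boolean-typed metaverse attribute: BooleanValue avoids the
    ' string comparison, and OrElse still guards the read behind IsPresent.
    Public Function IsAbsentOrFalse(ByVal mventry As MVEntry, ByVal attrName As String) As Boolean
        Return Not mventry(attrName).IsPresent OrElse Not mventry(attrName).BooleanValue
    End Function

End Module
```

Inside a rules extension the check would then read If IsAbsentOrNotTrue(mventry, "Attribute1") Then ... End If, and the accounts that were skipped after removing the second operand are evaluated again, without the extension-attribute-not-present errors.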

Allow help desk to read password challenge questions


I know this has been asked a couple of times, but I just wanted to confirm that it is not possible at this time to grant help desk users the ability to read the password challenge answers for another user.

Basically, we want to make these answers read only objects on a user profile so if someone calls in, the help desk can use this information to authenticate the caller based on their registration.  If anyone has any insight or suggestions on this scenario, please speak up!

Cheers!


