
PostProcessing Error on deleting a user


Hi,

I've been trying to learn how to code custom workflow activities, all to do with creating users to start with. I noticed now that when I delete any user in the FIM portal, I get a PostProcessing Error in the Request. The event Manager shows this:

System.InvalidOperationException: The system configuration is incorrect.  The target object 'b5dcb92d-7ba3-45ff-8de7-9ae18d9bf58b' cannot be found.  This can happen if the target object was deleted during the processing of this request.
   at Microsoft.ResourceManagement.Workflow.Activities.SynchronizationRuleActivity.GenerateTargetExpectedRulesList()
   at Microsoft.ResourceManagement.Workflow.Activities.SynchronizationRuleActivity.GenerateRemoveExpectedRuleEntry(ActivityExecutionContext executionContext)
   at Microsoft.ResourceManagement.Workflow.Activities.SynchronizationRuleActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()

The only MPRs applied when deleting a user is "Administrators can delete non-administrators or users"

Any idea why I'm getting these errors? 

Thanks

PS: The user object does disappear from the portal, albeit with that warning, but I'm worried it's leaving behind entries in the SQL database.


Password Change Notification Service Installation - Error 25011 SetInfo()


I'm attempting to set up the FIM PCNS on a domain controller I'm promoting. I'm running into an error with the installer.

Error 25011. The Forefront Identity Manager Password Change Notification Service Setup Wizard failed calling SetInfo() on the Active Directory object LDAP://CN=System,DC=domain,DC=com.
Access is denied.

I'm running the installer using the default domain admin account for this installation.

FIM Delta Import/Delta Sync not syncing attribute to Metaverse


Feel free to offer better ways to accomplish this task.

Single metaverse; mv_person

3 MAs:

- DIDS from SQL

imports cs:userPrincipalName -> mv:userPrincipalName

- Export & DIDS to o365,

exports mv:userPrincipalName -> cs:userPrincipalName

imports cs:userPrincipalName -> mv:audit_userPrincipalName

- Export to SQL audit

exports mv:audit_userPrincipalName -> cs:audit_userPrincipalName

Data flows from SQL source to o365 perfectly. o365 delta import sees the data change but does not sync the data to the metaverse. Generating a full preview works as expected. From everything I've read, I would expect a DI DS to change the data in the metaverse? 

Running a full sync catches the change and things flow as expected.

FIM 2010 do not sync manager attribute for disabled users.


Hi,

I am pretty much new to FIM, and exploring it further.

I would like to stop synchronizing the manager field from HR system and pushing the manager field to AD for disabled users.

Please help me with the above requirement.

Thanks

-Kunal Jain

FIM 2010 R2 Self-Service password reset not working


Hi everybody,

I am preparing a demo for FIM 2010 R2 in a test lab, with all roles on the same server.

When I try to test the password reset, I enter a username as follows: domain\username and click Next, and it gives me the following error:

Communication Error

An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)

Go to Self-Service Password Reset home page

while in App Log:

FIM Password Reset Portal failure to connect to FIM Service

The FIM Password Reset Portal failed to connect to the FIM Service.

Ensure that (1) the FIM Service is running, (2) the FIM Service server address is correct in the web.config file on the FIM Password Reset Portal, and (3) that network connectivity is available between the FIM Password Reset Portal and the FIM Service over the designated port.

Details:

System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)

   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target)

   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

   --- End of inner exception stack trace ---

Server stack trace:

   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)

   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout)

   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Channels.LayeredChannel`1.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)

   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()

   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()

   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse)

   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)

Any ideas?

Thanks

Rateb

Using PowerShell to delete an ExpectedRuleEntry

 Summary
 

The script code below deletes an ExpectedRuleEntry object from your environment.
To run this script, you need to configure a Management Policy Rule that grants you permission to perform this operation:

 

Management Policy Rule Configuration
  Name: Administration: Administrators can delete Expected Rule Entries
  Type: Request
  Grants Permissions: True
  Disabled: False

Requestors and Operators
  Requestor: Administrators
  Operation: Delete

Target Resources
  Before Request: All expected rule resources
  After Request: (Attribute)
  Resources Attributes: All Attributes

 

 

#----------------------------------------------------------------------------------------------------------
 # Address of the FIM Service endpoint
 set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant
#----------------------------------------------------------------------------------------------------------
 # Load the FIMAutomation snap-in if it is not already loaded
 If(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

 # The ObjectID (GUID) of the ExpectedRuleEntry to delete is the only argument
 if($args.count -ne 1) {throw "Missing GUID parameter"}
 $objectGUID = $args[0]

 # Look up the ExpectedRuleEntry by its ObjectID
 $exportObject = export-fimconfig -uri $URI `
                                  -onlyBaseResources `
                                  -customconfig "/ExpectedRuleEntry[ObjectID='$objectGUID']" `
                                  -ErrorVariable Err `
                                  -ErrorAction SilentlyContinue
 If($Err){Throw $Err}
 If($exportObject -eq $null) {throw "ERE not found"}

 # Build the delete request; the ObjectIdentifier is split on ":" and the third element is the GUID
 $ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
 $ImportObject.ObjectType = "ExpectedRuleEntry"
 $ImportObject.TargetObjectIdentifier = (($exportObject.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
 $ImportObject.SourceObjectIdentifier = (($exportObject.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
 $ImportObject.State = 2   # 2 = Delete
 $ImportObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
 If($Err){Throw $Err}
 Write-Host "`nCommand completed successfully`n"
#----------------------------------------------------------------------------------------------------------
 # Report any terminating error and exit with a non-zero code
 trap
 {
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    Exit 1
 }
#----------------------------------------------------------------------------------------------------------

 


Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Reference attribute to string on export


Hi!

I'm currently configuring a way for my customer to handle telephone numbers in the FIM portal. Therefore, we have created a new object, /telephone. This object is then referenced from the user, a way for my customer to assign telephone objects to the users instead of writing in the number as a string on the user. This way my customer can handle number series delivered from their provider. Why we do this is because some users share phone numbers and it is a way of sorting different kinds of numbers like fax, mobile, system number etc. These numbers are then used in export to AD, ADLDS, Lync etc.

Anyway. Everything works great when it comes to referencing the numbers from the users. I now have a user like this:

AccountName: remi - string
EmployeeID: 2222 - string
DisplayName: Remi remi - string
Mobile: 22222222 - reference

I synced all the info and the new object (/telephone) to MV and now I need a way to export a string value of "Mobile" to e.g. AD/ADLDS. It doesn't seem like a straightforward procedure though.

I have read this: http://social.technet.microsoft.com/Forums/en-US/2b529085-3368-421b-9ac1-3ba20411c55c/passing-reference-and-string-attribute-in-advanced-mapping-from-metaverse-to-active-directory

But it is not giving me any idea on how to proceed. I know how to solve this on an IMPORT rule, but not on EXPORT. The thing is that it is the FIM portal that will be authoritative for all numbers, so we can't import them from elsewhere.

Now I need someone to play ball with :)



Regards, Remi www.iamblogg.com

What will happen if a connected CS object is disconnected from the Metaverse object?


We use MIIS for galsync.

If some MA had connected to a metaverse person object, and that MA had an import flow and imported some values to the person object, and that CS object was disconnected from the person object, what will happen to the person object?

Will those person attribute values which were imported from that MA disappear when disconnected?


Authentication Issues with IE 10 on Windows 8 domain-joined machines


Performing some user testing this week and have noticed that users running IE 10 on Windows 8 machines joined to different domains are unable to authenticate properly with the FIM Portal.

None of the usual suspects:

  • Confirmed the issue is explicitly IE10/Win8 Enterprise/domain-joined. Can login using the same credentials on IE10/Win 8 Professional/no-domain
  • Other users using IE10/Win7 can login fine
  • The same credentials on IE10/Win7 work fine.
  • Ran through the MS instructions at http://technet.microsoft.com/en-us/library/jj863245(v=ws.10).aspx - get told that the update isn't applicable to our version of Windows.
  • Added FIM Portal site to trusted/intranet sites and with lowered security permissions

Currently running FIM 2010 R2 SP1 on WSS 3.0.

Next step is to try upgrading to SPF 2010, but not sure that will help in this case.

Anyone got any ideas?

- Ross Currie


FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

Is there any way to speed up CSexport of MIIS?


We are in a MIIS migration project.

I backed up the MIIS SQL DB and restored it to the MIIS test environment.

I tried to csexport some AD_MA which has about 22000 objects, but it is incredibly slow.

The MIIS test environment has an 8-core CPU and 12 GB of memory, but it is very slow; according to Task Manager, CPU usage is low (1%, 2%) and memory usage is high (9.6 GB).

How could I improve that?

Newbie - building a portal using UAG / FIM


Hi,

I'm a complete newbie to many of the topics in my question, so for that I do apologise. In the absence of an architect familiar with portal / security / web design, I've been asked to give a brief overview of what UAG / FIM is in relation to my organization building a portal (to be used by 'external' users to access various functionality such as interacting with workflow steps, submitting files, receiving documents etc.). For workflow I have suggested a product, and pointed out that we would need development time to set up a suite of workflows on said product. We would also need to allow for installation / setup of said product. For the portal itself, I'm envisaging a website onto which users can log on and, once logged on, can browse to whatever area they need to use. What I'm not clear on is what UAG / FIM's role in this is. If the website was developed in, say, ASP.Net, would it be a case of the ASP.Net code calling UAG / FIM at the logon screen to authenticate? Or would UAG / FIM provide a wizard to build a logon page or...what?

Thanks!!!

Access to BHOLD is refused for the following reason(s):


Hi -

I'm able to log in to BHOLD with the service account after installation, but I'm trying to figure out how to create a user in BHOLD to provide access to BHOLD Suite for other users. Does it allow that? As of now I'm in the process of creating the MA for BHOLD; no users have been exported from the FIM Sync Service to BHOLD yet.

Any suggestions?

Thanks

Deprovisioning from FIM


Hello,

I want to be able to delete users in the FIM portal, but these users should not be deleted in AD but moved to another OU!

Does anyone have an idea?

Regards

Creating custom workflows using PowerShell


I am trying to create a workflow using the FIM PowerShell module from CodePlex.
I have created an attribute in FIM called "mygroupexpiration" and it is linked to the user object.
My aim is to add current date + 90 days to "mygroupexpiration" when a user transitions into a set.
I have created a transition MPR, which in turn calls a custom workflow to add the date to mygroupexpiration.

In the custom workflow, I have selected the action, selected the PowerShell module and added the following script, but in the portal request section I am getting an error that the workflow was aborted.
<RequestStatusDetail xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2013-08-07T11:09:49.4741289Z">Workflow Instance '8584232d-c896-437e-af02-39c3584ae583' was aborted.</RequestStatusDetail>

Any suggestion or help in the script is highly appreciated.

##--------------start of the script------------------

### Load the FIM PowerShell Module
###
if (-not (Get-Module FimPowerShellModule))
{
    Write-Verbose "Loading the FIM Service Config Module from: C:\CodePlex\FimPowerShellModule"
    if (-not (Test-Path C:\installers\FimPowerShellModule.psm1))
    {
        Throw "This script requires the FimPowerShellModule from http://fimpowershellmodule.codeplex.com"
    }
    Import-Module C:\installers\FimPowerShellModule.psm1 -Verbose:$false
}

Add-PSSnapin FIMAutomation -Verbose:$false

$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'
$ENV:ADPS_LoadDefaultDrive = 0

$dates =([DateTime]::Now).ToString('M/d/yyyy')

### 
### Get the Target
### 
Write-Verbose ("Getting the Targetby ObjectID: {0}" -F $fimwf.TargetId.Guid)
###$Target= Export-FimConfig -CustomConfig ("*[ObjectID='{0}']" -F ###$fimwf.TargetId.Guid) | Convert-FimExportToPSObject 
$Target = Export-FIMConfig -CustomConfig [System.String]::Format("*[ObjectID='{0}']") -Uri "http://localhost:5725" | Convert-FimExportToPSObject

New-FimImportObject -ObjectType Person -State Put -AnchorPairs @{ObjectID = $Target } -Changes @(New-FimImportChange -Operation replace -AttributeName 'mygroupexpiration' -AttributeValue $dates ) -ApplyNow


##-------------End of script---------------------------

 

AdiKumar

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule Details: Object reference not set to an instance of an object


Hi,

I'm trying to start a provisioning rule (FIM -> AD) for distribution groups and I get the following error during the sync process (on FIM MA) :

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'My SYNC RULE Name'. Details: Object reference not set to an instance of an object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

I've used the following link : http://technet.microsoft.com/en-us/library/ff686261(v=ws.10).aspx

My Outbound rule works fine with Security Groups. I only get that error when I tried to create a new distribution group from the FIM portal. I don't understand the error. 

In the Metaverse, the distribution group is present (Scope : Universal / Type : Distribution)

I'm running FIM 2010 R2 with SP1.

Could you help me?

Regards,

Jeremy


how to get the value of the domain when synchronizing users from AD

I need to synchronize users from AD to the FIM service, but I keep getting the error "failed modification via web services" and I think that's because I'm missing the value of the domain.

regarding service account and security group of FIM


If we use a domain account for the FIM sync service, we need to create and use an AD security group (domain\FIMadmins, etc.),

and if we use a local account for the FIM sync service, we need to use a FIM server local group (FIMhostname\FIMadmins, etc.)?

FIM2010 R2 SP1 - Exchange 2013 provisioning option not available


Hi,

Following this article, I see an Exchange 2013 provisioning option should be available for FIM GAL Sync.

http://technet.microsoft.com/en-us/library/aa998597(v=exchg.150).aspx

I have FIM2010 R2 SP1 installed with hotfix KB2814853 - Version is showing 4.1.3419.  Surely I should have the Exchange 2013 provisioning option available?  Is there something else I need to install?

Cheers,

Provisioning mailboxes to multiple Exchange in the environment


Hello All,

Provisioning mailboxes to multiple Exchange versions in the environment: is it possible to provision a mailbox for the user in 2010, 2007 and 2003 at the same time in FIM? The environment is a mixed type having all these Exchange versions. Currently users are provisioned with customization code. Can it be configured in the FIM Portal, and what would be the challenge?

Regards,
Anirban Singha (Bangalore, India).

HR Maintenance App in Ramp Up


Hi,

There is a simple HR Maintenance program used in the Ramp Up Virtual labs here:

http://technet.microsoft.com/en-us/forefront/ff793470

Is this program available to download?  The exe name is HRMaintenance.exe.

The virtual labs are all well and good, but they take a while to load and you only have limited time before they expire.  It would be nice to be able to create our own duplicates of these labs for testing\learning.  The FIM & SQL config can be duplicated, this HR tool cannot (easily).

Many thanks.


Brendan
