Channel: Forum Microsoft Identity Manager

Cannot create FIM MA. Failed to connect to the specified database.


I installed a working DEV environment with the DB on the same box and everything works great.  When I started to create the FIM MA on PRODUCTION, I get an error:  Failed to connect to the specified database or Forefront Identity Management Service.  Please check the specified database location, service host address, and account information.

I have the newest updates; the only difference between the two servers is PRODUCTION has the DB on a separate server. I tested Windows authentication by logging in as FIMMA and running odbc -Sphxsql -dFIMService -E and it worked fine. I can open http://localhost:5725 in a browser and I can see there is a web service there.
I checked the FIM MA account like posted on other threads:
 -FIM MA account name: AD\fimma
 -FIM MA account SID : S-1-5-21-1773148640-766580905-579431697-4473
This also matches the SID in AD.
I installed the SQL Native Client 64 bit.

My settings are:
Server:  <ip address of SQL server>
Database: FIMService
FIM Service base address:  http://localhost:5725
Username: fimma
Password: ******
Domain: AD(name of domain)


Alex Trusler Systems Engineer

installing .net 4.5

Would there be any harm in installing .NET 4.5 on the portal machine? I need to install it for running PowerShell for signed email messages by the fimservice account. Just wondering if it's OK to install the 4.5 version.

FIM/AD Account unlock


Hello,

Can someone confirm whether it is possible for end users to self-unlock AD accounts in FIM 2010 R2 version 4.1.3613.0?

And what are the limitations associated with this?

Thank you in advance.

Regards,

Suman


Lync 2013 lcssync.dll for MIM 2016


Hello,

I have a functional lab environment with 2 x user forests and 1 x central forest on FIM 2010/R2 SP1. Porting that environment to 2016 causes lcssync.dll to fail owing to references to Microsoft.MetadirectoryServices.dll,  Microsoft.MetadirectoryServicesEx.dll and logging.dll assembly version differences. I note that GALSync source is included, but no source or new version of lcssync.dll.

Does anyone know if lcssync.dll is going to be provided? Has anyone else seen this behavior?

Error details:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          8/17/2015 8:24:23 AM
Event ID:      6300
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MIM2016.domain.com
Description:
The server encountered an unexpected error:
 
 "Could not load file or assembly 'Microsoft.MetadirectoryServices, Version=3.0.577.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

   at System.Reflection.RuntimeAssembly.GetExportedTypes(RuntimeAssembly assembly, ObjectHandleOnStack retTypes)
   at System.Reflection.RuntimeAssembly.GetExportedTypes()
   at Microsoft.MetadirectoryServices.Impl.ScriptHost.InitializeWorker(InitializeArguments pArgs)


InnerException=>
none
"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6300</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-17T15:24:23.000000000Z" />
    <EventRecordID>1080</EventRecordID>
    <Channel>Application</Channel>
    <Computer>MIM2016.paukkunen.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Could not load file or assembly 'Microsoft.MetadirectoryServices, Version=3.0.577.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

   at System.Reflection.RuntimeAssembly.GetExportedTypes(RuntimeAssembly assembly, ObjectHandleOnStack retTypes)
   at System.Reflection.RuntimeAssembly.GetExportedTypes()
   at Microsoft.MetadirectoryServices.Impl.ScriptHost.InitializeWorker(InitializeArguments pArgs)


InnerException=&gt;
none
</Data>
  </EventData>
</Event>

Thanks,

Jarmo

Avanade Lync team
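As an added diagnostic (not code from the post above, nor from the Lync or MIM product), the Windows PowerShell snippet below lists the Microsoft.MetadirectoryServices* and logging assembly versions a connector DLL such as lcssync.dll was compiled against and compares them with the versions installed in the Synchronization Service Bin folder, so the 0x80131040 manifest mismatch quoted in the event can be confirmed before anything is deployed. Both paths are assumptions; ReflectionOnlyLoadFrom is a .NET Framework API, so run this in Windows PowerShell, not PowerShell Core.

```powershell
# Added diagnostic, not from the original post: compare the assembly versions a
# connector DLL was built against with the versions installed in the MIM
# Synchronization Service "Bin" folder. A mismatch on a reference without a
# strong name (PublicKeyToken=null) surfaces as the FileLoadException
# 0x80131040 quoted in the event above. Both paths are assumptions; adjust them.
param(
    [string]$ConnectorDll = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\lcssync.dll',
    [string]$SyncBin      = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'
)

# Load the connector for metadata inspection only; none of its code is executed.
$asm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($ConnectorDll)

$report = foreach ($ref in $asm.GetReferencedAssemblies()) {
    $candidate = Join-Path $SyncBin ($ref.Name + '.dll')
    $installed = $null
    if (Test-Path $candidate) {
        # GetAssemblyName reads the manifest without loading the assembly.
        $installed = [System.Reflection.AssemblyName]::GetAssemblyName($candidate).Version
    }
    [pscustomobject]@{
        Reference = $ref.Name
        BuiltFor  = $ref.Version
        Installed = $installed
        Match     = ($null -ne $installed -and $installed -eq $ref.Version)
    }
}

# Only the MIM-specific references matter here; framework assemblies resolve from the GAC.
$report |
    Where-Object { $_.Reference -like 'Microsoft.MetadirectoryServices*' -or $_.Reference -eq 'logging' } |
    Format-Table -AutoSize
```

Any row with Match = False is a reference the connector must be rebuilt against (or binding-redirected to) before the sync engine can load it.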

Unable to Install MIM 2016 SyncServices


Hi,

When installing MIM Synchronization Service I keep getting this error:

Product: Microsoft Identity Manager Synchronization Service -- Error 25009.The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database. <hr=0x80131700>

- Setup user is admin on the MIM server and SA on the remote SQL instance. Any idea?
- It's a new MIM installation and the SQL Native Client is installed
- The defined SA has no SQL login and the DB does not exist on the SQL instance

best regards

Pirmin

FIM WAL - powershell error - system.security.keycontainerpermission


I am calling a PowerShell activity using FIM WAL 2010 R2. The PowerShell works fine if I run it manually, but if I call it via FIM WAL it throws an error. What could be the reason? I have attached the PowerShell and error message.

function SendEmailNotification2
{
# $emailto, $DisplayName and $strbody are expected to be supplied by the calling WAL activity.
[System.Reflection.Assembly]::LoadFile("\\FIM\Portal-Sync-Scripts\notify\SignCreds\Cpi.Net.SecureMail.dll") | Out-Null
$objCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# Import(fileName, password, keyStorageFlags): 'cer' and 'pwd' are the post's placeholders, and the
# third argument was dropped from the post; DefaultKeySet stands in for it here.
$objCert.Import('cer','pwd',[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
[string]$strSmtpServer  = "SERVER"
[string]$strSmtpPort    = "PORT"
[string]$strFrom        = "from"
[string]$strFromAlias   = "name"
[string]$strTo          = $emailto
[string]$strToAlias     = $DisplayName
[String]$strSubject =   "sub"
[string]$strBody        = $strbody
$objEnc = $null
$objMail = New-Object Cpi.Net.SecureMail.SecureMailMessage
$objFrom = New-Object Cpi.Net.SecureMail.SecureMailAddress($strFrom,$strFromAlias,$objEnc,$objCert)
$objTo   = New-Object Cpi.Net.SecureMail.SecureMailAddress($strTo,$strToAlias)
$objMail.From = $objFrom
$objMail.to.Add($objTo)
$objMail.Subject = $strSubject
$objMail.Body = $strBody
$objMail.IsBodyHtml = $TRUE
$objMail.IsSigned = $TRUE
$objMail.IsEncrypted = $FALSE
$objSMTPClient = New-Object System.Net.Mail.SmtpClient($strSmtpServer,$strSmtpPort)
$objSMTPClient.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$objSMTPClient.send($objMail)

}
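As an added, hardened variant (not the poster's code and not part of the Cpi.Net.SecureMail library), the script below loads the S/MIME signing certificate from the LocalMachine store by thumbprint instead of importing a password-protected file from a share inside the workflow, and probes private-key access up front so that a KeyContainerPermission or CryptographicException is reported for the account the activity actually runs under. The thumbprint, addresses, SMTP server and DLL path are placeholders; the SecureMailMessage/SecureMailAddress usage mirrors the posted function.

```powershell
# Added example, not the poster's code: sign notification mail with a certificate
# from the LocalMachine store. The signing key must be readable by the account the
# FIM Service runs the WAL activity under. Thumbprint, addresses and paths are placeholders.
function Get-SigningCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StoreName = 'My',
        [string]$StoreLocation = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $true)   # $true: only certificates that are currently valid
        if ($found.Count -ne 1) {
            throw "Expected one valid certificate with thumbprint $Thumbprint, found $($found.Count)"
        }
        $cert = $found[0]
    } finally {
        $store.Close()
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key and cannot sign mail"
    }
    # Touching PrivateKey makes the CSP open the key container now. Insufficient
    # access to the container for the running account surfaces here as a
    # KeyContainerPermission/CryptographicException instead of deep inside Send().
    try {
        $null = $cert.PrivateKey
    } catch {
        throw "Private key for $Thumbprint is not accessible to $env:USERDOMAIN\$env:USERNAME : $($_.Exception.Message)"
    }
    return $cert
}

function Send-SignedNotification {
    param(
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][string]$ToAlias,
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$From = 'notifications@example.test',      # placeholder
        [string]$FromAlias = 'Identity Management',
        [string]$SmtpServer = 'smtp.example.test',         # placeholder
        [int]$SmtpPort = 25,
        [string]$SecureMailDll = 'C:\FIM\Scripts\Cpi.Net.SecureMail.dll'   # local, ACL-controlled path (placeholder)
    )
    # Load the helper library from a local path rather than a UNC share.
    [System.Reflection.Assembly]::LoadFile($SecureMailDll) | Out-Null
    $cert = Get-SigningCertificate -Thumbprint $Thumbprint

    $mail = New-Object Cpi.Net.SecureMail.SecureMailMessage
    # Same constructor shape as the posted function: (address, alias, encryptionCert, signingCert)
    $mail.From = New-Object Cpi.Net.SecureMail.SecureMailAddress($From, $FromAlias, $null, $cert)
    $mail.To.Add((New-Object Cpi.Net.SecureMail.SecureMailAddress($To, $ToAlias)))
    $mail.Subject = $Subject
    $mail.Body = $Body
    $mail.IsBodyHtml = $true
    $mail.IsSigned = $true
    $mail.IsEncrypted = $false

    $client = New-Object System.Net.Mail.SmtpClient($SmtpServer, $SmtpPort)
    $client.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $client.Send($mail)
}
```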

Powershell MA Access connector space attributes


Hi,

Getting my feet wet with the Granfeldt Powershell MA, what a great piece of kit.

One thing I can't figure out...:

When exporting, how can I get access to connectorspace attributes other than anchor and the changed attribute value?

Example: I need to use the attribute UserPrincipalName, but it is not the DN. $_.UserPrincipalName returns blank:

    $EmployeeId = $_.DN #expected value
    $UserPrincipalName = $_.UserPrincipalName #blank, wtf

Why? And how do I get hold of that value from the connectorspace?

MIM 2016 On Server 2012 R2 - Does the QuickStart Tool not work?


I have MIM up and running and was hoping to use the QuickStart module tool to get SSPR going, but I am having an issue.

Firstly, I cannot find any documentation relating to MIM2k16/QuickStart tool, but I did notice that it does exist in the installation directory, so I figured I'd give it a go.

When I run Import-Module QuickStart, I get the StrongName error as mentioned in the FIM2010 Documentation for the tool. I have added the registry entries as the 2010 documentation recommends, and restarted, but I continue to get the StrongName error.

I was wondering if anyone else has tried to run this tool on MIM 2016/Server 2012R2? Or, if anyone has gotten this error and resolved it?

Here is the error that I get:



Thanks for any assistance!


help, IT'S AN EMERGENCY, SOMEONE WAS IN MY COMPUTER ID THREATENING ME, I DON'T KNOW WHAT I'M DOING BUT I'M IN THE KERNEL, I DON'T EVEN KNOW

I GOT $100.00 IF ANYONE IS AROUND THE IMPERIAL BEACH AREA, I NEED HELP NOW, I HAVE ALL OF THE LOGS AND EVENTS OPEN, I JUST DON'T KNOW WHAT I'M DOING. 5 MIN $100.00 PLEASE HELP

Assigning a Group to be the Owner of a FIM managed Group


Greetings FIM Forum,

I wanted to tap the FIM knowledge base before proceeding with a few questions. For managing AD security groups from FIM, I would rather assign a group as an owner of security groups for approving membership to the group.

The FIM Portal by default will only allow users to be assigned and displayed. A prior post explained how to update a Resource Control Display Configuration to allow groups to be assigned as owners through the FIM Portal. http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/8f7345a2-c3fb-4d1c-bf9d-b133a87f7ca6

After this is done, would each person in the owner group receive a notification to approve the request? For example, how would FIM handle the approval if the owner group is another security group or a distribution list?

Once one of the owner members approves the request, would it then be considered completed and the request no longer be listed under the requests to be approved for the other owner members?

When loading in the groups from AD, if the memberOf is not set and I want to assign a default Owner Group, I would assume I would need to assign the objectID reference of the Owner Group. How should this be done?

How are others typically handling owner assignment and approvals for AD security groups in FIM as a best practice?

Thanks

FIM 2010 R2 GALSync and multiple forests


We currently have FIM 2010 R2 GALSync working between a "Main" Forest (where the FIM server resides) and a "Second" forest. These are separate ADs from two different companies.

We are now looking to use GALSync to sync with a "Third" forest. We would like to sync All the GALs so Main, Second, and Third organizations have GALs that are synced.

When I add the Third MA, if I select the org unit that contains the cross-forest mail contacts that were synced from "Second" to "Main" will those mail contacts be synced over to "Third"? If not, how do I sync between "Second" and "Third"?

Granfeldt Powershell MA - Access connector space attributes during export gives blank result


I am currently working on doing some implementations using the great Granfeldt Powershell MA. 

I have schema, import and export working, but face a problem with export when I want to use attributes in connectorspace to perform something, not just updating. Like for executing a powershell command, where I need both the userprincipalname and the location, or something like that.

I have created a simple example MA just for the purpose of testing this issue. It manages ContactInformation from a database (email, phone) and accepts the first and last name back from the FIM metaverse from another source. I use the latest Powershell MA.

The problem is in export.ps1 (shown later in this post), in the line that says...:

$ExternalEmail = $_.ExternalEmail

I would expect this value to be filled with the value from the connectorspace, but it is just blank. There is a value in there, this is not the first time it runs or anything like that. I see the same approach used in the Lync samples for Powershell MA, so I assume I am doing something wrong somewhere else.

Can you please help by telling me what I am doing wrong?

This is the pending export I test with:


Database: 


schema.ps1


$obj = New-Object -Type PSCustomObject
$obj | Add-Member -Type NoteProperty -Name "Anchor-EmployeeId|String" -Value "000000"
$obj | Add-Member -Type NoteProperty -Name "objectClass|String" -Value "user"
$obj | Add-Member -Type NoteProperty -Name "Phone|String" -Value "+99 9999999"
$obj | Add-Member -Type NoteProperty -Name "ExternalEmail|String" -Value "some@email.com"
$obj | Add-Member -Type NoteProperty -Name "LastName|String" -Value "firstname"
$obj | Add-Member -Type NoteProperty -Name "FirstName|String" -Value "lastname"
$obj | Add-Member -Type NoteProperty -Name "CreatedOn|String" -Value "2016-04-06 13:46"
$obj | Add-Member -Type NoteProperty -Name "ModifiedOn|String" -Value "2016-04-06 13:47"
$obj

import.ps1

param (
    $Username,
    $Password,
    $OperationType
    )

$DebugFilePath = "C:\PSMA\ContactInfo\ImportDebug.txt"
    if(!(Test-Path $DebugFilePath))
        {$DebugFile = New-Item -Path $DebugFilePath -ItemType File}
    else
        {$DebugFile = Get-Item -Path $DebugFilePath}
    "Starting Import : " + (Get-Date) | Out-File $DebugFile -Append

$ConnectionString = "Data Source=localhost;Initial Catalog=TestDatabase;Integrated Security=True";

$Connection = New-Object System.Data.SQLClient.SQLConnection
$Connection.ConnectionString = $ConnectionString
$Connection.Open()
$Command = New-Object System.Data.SQLClient.SQLCommand
$Command.Connection = $Connection

$SQL = "SELECT * FROM ContactInfo"

$Command.CommandText = $SQL

$Reader = $Command.ExecuteReader()

While ($Reader.Read())
{
    $obj = @{}

    $obj.Add("objectClass", "user")
    $obj.Add("EmployeeId", $Reader["EmployeeId"])
    $obj.Add("Phone", $Reader["Phone"])
    $obj.Add("ExternalEmail", $Reader["ExternalEmail"])
    $obj.Add("FirstName", $Reader["FirstName"])
    $obj.Add("LastName", $Reader["LastName"])
    $obj.Add("ModifiedOn", $Reader["ModifiedOn"].ToString("o"))
    $obj.Add("CreatedOn", $Reader["CreatedOn"].ToString("o"))

    $obj
}

$Connection.Close()

export.ps1 (most of which is debug code)

param (
    $Username,
    $Password
    )

BEGIN
{
    #Writing Start tag in Debug File.
    $DebugFilePath = "C:\PSMA\ContactInfo\ExportDebug.txt"

    if(!(Test-Path $DebugFilePath))
        {$DebugFile = New-Item -Path $DebugFilePath -ItemType File}
    else
        {$DebugFile = Get-Item -Path $DebugFilePath}

    "Starting Export : " + (Get-Date) | Out-File $DebugFile -Append
}

PROCESS
{

	#Initialize Parameters
	$Identifier = $_.Identifier

	$EmployeeId = $_.DN
	$FirstName = $_.FirstName
	$ExternalEmail = $_.ExternalEmail

	"Firstname: '" + $Firstname + "' " + (Get-Date) | Out-File $DebugFile -Append
	"ExternalEmail: '" + $ExternalEmail + "' " + (Get-Date) | Out-File $DebugFile -Append

	$ErrorName = "success"
	$ErrorDetail = $null
	$date = Get-Date -Format "yyyy-MM-dd"
	"Processing : " + $_.DN | Out-File $DebugFile -Append
	"No of Changes : " + $_.ChangedAttributeNames.Count | Out-File $DebugFile -Append

	#Loop through changes and update parameters
	foreach ($can in $_.ChangedAttributeNames)
		{# $can : ChangedAttributeName
		foreach ($ValueChange in $_.AttributeChanges[$can].ValueChanges)
			{
				if ( $can -eq 'FirstName' ){$FirstName = $ValueChange.Value}
				if ( $can -eq 'LastName' ){$LastName = $ValueChange.Value}
			}
		}

	"Firstname: '" + $Firstname + "' " + (Get-Date) | Out-File $DebugFile -Append #Now has a value, if the attribute changed
	"LastName: '" + $LastName + "' " + (Get-Date) | Out-File $DebugFile -Append #Now has a value if the attribute changed

	#Verify changetype.
	if ($_.ObjectModificationType -eq 'Add')
		{
			throw "Add modification are not supported"
		}

	if ($_.ObjectModificationType -eq 'Delete')
		{
			throw "Delete modification are not supported"
		}

	#Supported ChangeType is Replace
	if ($_.ObjectModificationType -match 'Replace')
		{
			$ConnectionString = "Data Source=localhost;Initial Catalog=MiisInput;Integrated Security=True";

			$Connection = New-Object System.Data.SQLClient.SQLConnection
			$Connection.ConnectionString = $ConnectionString
			$Connection.Open()
			$Command = New-Object System.Data.SQLClient.SQLCommand
			$Command.Connection = $Connection

			$SQL = "UPDATE ContactInfo SET LastName = @LastName, FirstName = @FirstName, ModifiedOn = GETDATE() WHERE EmployeeId = @EmployeeId"

			$Command.CommandText = $SQL

			$Command.Parameters.Add("@EmployeeId", [System.Data.SqlDbType]::VarChar, 50) | Out-Null
			$Command.Parameters.Add("@LastName", [System.Data.SqlDbType]::VarChar, 50) | Out-Null
			$Command.Parameters.Add("@FirstName", [System.Data.SqlDbType]::VarChar, 50) | Out-Null

			$Command.Parameters[0].Value = $EmployeeId
			$Command.Parameters[1].Value = $LastName
			$Command.Parameters[2].Value = $FirstName

			$Command.ExecuteNonQuery() | Out-Null

			$Connection.Close()
		}

	#Return the result to the MA
	$obj = @{}
	$obj.Add("[Identifier]",$Identifier)
	$obj.Add("[ErrorName]",$ErrorName)
	if($ErrorDetail){$obj.Add("[ErrorDetail]",$ErrorDetail)}
	$obj
}

END
{
	"Ending Export : " + (Get-Date) | Out-File $DebugFile -Append
}




Manage Mailbox Permission - "Send As" from FIM

Can anyone please suggest how to achieve mailbox permissions via FIM 2010? Is there any attribute mapped for it to be managed?

Regards,
Manuj Khurana

FIM 2010 Sp1 to MIM 2016 Upgrade


Hi All,

I am writing here to get knowledge about the MIM 2016 upgrade. I need help!

I currently have FIM 2010 R2 version 4.1.3613 in my environment and need to upgrade to MIM 2016, so which of the following is the correct procedure?

1) upgrading directly to MIM 2016 ?

2) upgrading first to FIM version  4.1.3721 and then to MIM 2016 ?

Regards,

Suman

Number of Required authentication gates in SSPR portals


I have installed MIM 2016 Password Reset and Registration Portals and all of the functionality is working as intended when I have one authentication gate. But when I add multiple authentication gates in the "Password Reset AuthN Workflow" such as QA gate, Email OTP and SMS OTP gates, users need to register all of these gates and they need to pass them one by one when they are resetting their passwords. Is there a way to make only one gate required so that users do not need to register all of them? On Azure (as explained here https://blogs.technet.microsoft.com/ad/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium/) you can pick the number of required contact methods, I was wondering if a similar functionality is available on MIM/FIM SSPR portals.


FIM 2010 webservice - set custom field in RMPerson


Hi,

I'm using the FIM webservices to create Persons. I'm also able to set their properties (ex:phone).

The Person type has a custom field that is being successfully manipulated via the FIM Portal, but when I try to set that custom field via the FIM webservice I get the error: Message: Fault Reason: Policy prohibits the request from completing.

I'm a developer and I'm not sure what I need to tell the FIM admin guy about what should be enabled/disabled. Any MPR?

Thanks for your help,

DD


FIM ECMA 2.0 no-Start-Ma issue


Hi All,

I am connecting to a web service through ECMA 2.0 and got the no-start-ma issue. Also find the event log for the MA below. When I connect from normal C# code to the same web service it works fine. When I run a full import on my ECMA 2.0 it shows this error.

EVENT 1:

 

The extensible extension returned an unsupported error.
 The stack trace is:

 "Microsoft.MetadirectoryServices.TerminateRunException: Web Exception : Unable to connect to the remote server - HTTP Status :  (-1)
   at MobileIron_MA.EzmaExtension.OpenImportConnection(KeyedCollection`2 configParameters, Schema types, OpenImportConnectionRunStep importRunStep)
Forefront Identity Manager 4.1.3496.0"

EVENT 2:

 

The management agent controller encountered an unexpected error.

 "BAIL: MMS(8328): d:\bt\16961\private\source\miis\ma\extensible\extensionmanager.cpp(620): 0x80230731 (unable to get error text)
BAIL: MMS(8328): d:\bt\16961\private\source\miis\ma\extensible\extensionmanager.cpp(1463): 0x80230731 (unable to get error text)
BAIL: MMS(8328): d:\bt\16961\private\source\miis\ma\extensible\import.cpp(404): 0x80231348 (unable to get error text)
BAIL: MMS(8328): d:\bt\16961\private\source\miis\cntrler\cntrler.cpp(2817): 0x80231348 (unable to get error text)
ERR_: MMS(8328): d:\bt\16961\private\source\miis\shared\utils\libutils.cpp(10174): Failed to start run because of undiagnosed MA error

EVENT 3:

The management agent "WebService MA" step execution completed on run profile "Full Import (Stage Only)" but the watermark was not saved.
 
 Additional Information
 Discovery Errors       : "0"
 Synchronization Errors : "0"
 Metaverse Retry Errors : "0"
 Export Errors          : "0"
 Warnings               : "0"
 

Regards,

Sridhar


Password Reset through Reverse Proxy


Hi everybody,

Actually I'm facing a very huge problem for me and my customer. Here is a short explanation of what configuration we have:

-MIM 2016 with Password Registration and Reset Portal on Server1

-Password Reset Portal for extranet on Server2

We are trying to publish the Password Reset site for the extranet through a reverse proxy called NginX. The reverse proxy is slightly difficult to understand, so here is another example:

Our customer has the following site published:

https://services.customer.com

after the .com the service application is hosted like this:

https://services.customer.com/pwdservice

What this reverse proxy internally does is translate this into an internal URL:

https://mimserverExtranet.customerdomain.local/pwdservice

BUT the Password Reset service is just available at this site

https://mimserverExtranet.customerdomain.local.

I hope everything is clear until this point.

So, to make the Password Reset working, the application must be available through this url

https://mimserverExtranet.customerdomain.local/pwdservice

Actually I can provide this through a virtual directory in IIS, but then no scripts and no CSS are working, because of absolute rather than relative paths in the source code, I think.

So my question is: is it possible to install the MIM Password Reset into a directory shifted one to the right?

So not into C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Portal

but into

C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Portal\pwdservice

I know, this is a very specific request and hope that someone can help me! Anthony I am counting on you as the developer :-)

Thank you very much in advance!

Tom

powershell : export-config on temporal set

I have a set in FIM that has datetime criteria. When I view the members in FIM, I can see the users. When I use the export-config PowerShell command, it is not retrieving users. It is working fine if it is not a temporal set. How can I export users belonging to a temporal set in FIM?

$users = export-fimconfig -uri $URI `
                          -onlyBaseResources `
                          -customconfig "/Person[(ObjectID=/Set[ObjectID = '$SetId']/ComputedMember)]" | Convert-FimExportToPSObject


Lotus Domino Connector - Unable to provision user

$
0
0

Hi all,

I have a small problem using the Lotus Domino Connector. I cannot get FIM to provision a user (international user, with an ID stored as an attachment) in Domino. Also I cannot activate the logs on the connector. I have tried to follow these threads:

http://social.technet.microsoft.com/wiki/contents/articles/21086.how-to-enable-etw-tracing-for-fim-2010-r2-connectors.aspx
http://social.technet.microsoft.com/Forums/en-US/dbeeb280-4c2a-492f-9d5a-0c14d340ae0c/lotus-domino-connector-logging?forum=ilm2

And for the config of the connector itself this one: https://msdn.microsoft.com/en-us/library/hh859750%28v=ws.10%29.aspx

This is my config:

- FIM 2010 R2 SP1

- Lotus domino 8.5.3 HF6

- Lotus Domino client 8.5.3 HF6 installed in single mode on the FIM box

- Lotus Domino Connector build: 1.0.597.910

I am using the Portal for my sync rules.

I have activated the verbose logging on the Domino server and I can see a connection made to the server by FIM, but no provisioning.

The connector gives me this error in the stack trace: Notes Error: Access to Data Denied.

I am using an admin account, who is in the LocalAdmins group on the Domino server (I have checked with a Notes admin and everything looks perfectly fine on the Domino side).

Also, as mentioned, I have been trying to activate the logging of the connector but without success. I have seen that I need to use ETW tracing; I have followed the instructions on the TechNet site and I got the Source Name (connectorLog), however I do not know the ETW GUID (I have tried many GUIDs with no success).

I was wondering if anyone could lend me a hand to activate logging and provision a user. For information an update of the user in the domino directory works fine.

Also I was wondering if someone had already succeeded in making the connector work for provisioning.

Thanks for your help.

Sylvan

