Channel: Forum Microsoft Identity Manager

Using Granfeldt PS MA to assign Skype Dial Plan by Country (OU) and office name getting Error on Export MA-Extension-error 0x80230825


I have written code to look up physicalDeliveryOfficeName to set the dial plan for Skype users in FIM based on their location. We have the import script working to do the lookup and compare. We do not use the FIM Portal, and the export script that attempts to update the dial plan fails with MA-Extension-error 0x80230825. Here is a snip of the code. Any thoughts?

param
(
    $username = "",
    $password = ""
)

begin
{
    Import-Module Lync
}

process
{
    $error.Clear()

    $errorstatus  = "success"
    $errordetails = ""

    # Fields handed to the export script by the PowerShell MA for each CS entry
    $identifier                 = $_."[Identifier]"
    $anchor                     = $_."[Anchor]"
    $samaccountname             = $_.accountName
    $physicalDeliveryOfficeName = $_.physicalDeliveryOfficeName
    $SkypeDialPlan              = $_.SkypeDialPlan
    $objectmodificationtype     = $_."[ObjectModificationType]"
    $objectguid                 = $_.objectguid
    $changedattrs               = $_.'[ChangedAttributeNames]'
    [bool]$SkypeUserEnabled     = $_.SkypeUserEnabled

    # Dump the incoming export object for troubleshooting
    $_ | Out-File "c:\psma\dump\$samaccountname.txt"

    try
    {
        foreach ($can in $_.ChangedAttributeNames)
        {
            # Trace the changed attribute name (the original emitted a bare $can,
            # which writes the name to the script's output pipeline)
            Write-Verbose "Changed attribute: $can"

            foreach ($ValueChange in $_.AttributeChanges[$can].ValueChanges)
            {
                if ($can -eq 'physicalDeliveryOfficeName')
                {
                    if ($objectmodificationtype -match 'Replace')
                    {
                        # physicalDeliveryOfficeName has changed and we need to update the dialplan
                        Grant-CsDialPlan -Identity $_.sipaddress -PolicyName $_.SkypeDPLookup
                    }
                }
            }
        }
    }
    catch
    {
        # A try block needs a catch (or finally); record the failure for the MA
        $errorstatus  = "error"
        $errordetails = $_.Exception.Message
    }
}



How to exclude tombstoned objects in first full import in FIM 2010 R2 SP1 FIM Synchronization from ADS


I am setting up a new FIM sync between 2 ADs. From the newly set up AD I am getting tombstoned objects in Full import as group members. How do I remediate the issue?

1. Restricting access of my service account to the "CN=Deleted Objects,DC=Contoso,DC=com" tombstoned objects?

2. What declared import filter I need to add in MA to exclude these objects?

PowerShell MA: problems exporting


I'm really hoping to be able to use Soren Granfeldt's Powershell MA to do some new integrations with FIM, but am having some difficulties.  My latest problem is that I get an ma.extension error, which dumps the following stack trace in the Application event log:

 "System.NullReferenceException: Object reference not set to an instance of an object.
   at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2CallExport.PutExportEntries(IList`1 csentries)
Forefront Identity Manager 4.1.3613.0"

The only thing it's trying to export right now is a change of e-mail address on a user it's done a join for (I've only got my sync rule applied to one person at the moment), so I wouldn't think it would be a provisioning problem?  I've commented out the majority of my code in my export script so I'm reasonably certain it's not a PS code problem.

Sync rule:

firstName -> first_name
lastName -> last_name
mail -> email
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> username
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> dn

I'm excited about the possibilities, but frustrated.  I'd be happy to post additional details but I'm not sure what would be helpful.

-Robert

query regarding Microsoft Test manager tool


I have a query regarding the Microsoft Test Manager tool; can you please provide an answer to my query?

I have 3 resources in my test team & I want to use Microsoft Test manager tool in my project.

Do I need to purchase 3 separate licenses for individuals or only one license can be shared by the all 3 members?

SharePoint 2013 ClickJacking Issue on Port 5725 & 5726 FIM Services


Hello,

We are running into a very critical issue and need your kind thoughts; please review the details below.

Background : We are running SharePoint 2013 on premises farm with 2 WFEs, 2 APPs and 1 DB server. As per the architecture we are running User Profile Service on APP1 & APP2 and User Profile Synchronization Service on APP1 server. Everything is running smoothly and AD profiles are syncing with SharePoint 2013.

Problem : We ran a security scan using a third party tool which scanned the whole farm and pointed out a few vulnerabilities in servers. Most of them are fixed. However, it's pointing to http://localhost:5725 or http://MyServerIP:5725 saying that it's allowing ClickJacking on this URL. This vulnerability is appearing only on the server that is running User Profile Synchronization Service (i.e. APP1). I am unable to find this binding in IIS with any site or web service. Research on Google says that it belongs to Forefront Identity Manager Synchronization Service, which connects with AD for User Profile Synchronization Service.

I can see inbound rules in the firewall and found that this port is allowed under the names below.

ILM Web Service - RMS  (Port 5725)

ILM Web Service - STS   (Port 5726)

Question : Any idea how I can get to the source of this service or prevent ClickJacking?

I'll be glad to provide more details on it, and I'm really thankful for your kind thoughts.

Regards,

Muhammad Zeeshan Tahir

FIM 2010 R2 Add-ins and Extensions + Outlook 2016


Is FIM 2010 R2 getting support for Outlook 2016 like MIM 2016 got? Or is there some unsupported way to get the add-ins and extensions to be installed on a client that has Outlook 2016?

FIM2010 - Lotus Domino Connector - Group Rename Issue


Hi Guys,

At a customer I have an issue with the Lotus Domino Connector whilst trying to rename a Lotus Notes Group.

When I export the change I get the following error during the export: The given Key was not present in the dictionary.

I used debugViewer to check if there is any more information before the error and there is none specific.

The error in the MA is :

System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
   at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoGroup.UpdateGroupAttributesByUNID(CSEntryChange csentry, IDictionary`2 schema, Context exportContext, IDictionary`2 deleteInfo)
   at Microsoft.IdentityManagement.MA.LotusDomino.Core.Group.ExportEntry(CSEntryChange csentry, Context exportContext, List`1 listChangeResult)

The error in debug viewer is:

[6220] Message: The given key was not present in the dictionary. 
[6220] Exception root Exception type: System.Collections.Generic.KeyNotFoundException 
[6220] Source: mscorlib 
[6220] Stack Trace:    at System.Collections.Generic.Dictionary`2.get_Item(TKey key) 
[6220]    at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key) 
[6220]    at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoGroup.UpdateGroupAttributesByUNID(CSEntryChange csentry, IDictionary`2 schema, Context exportContext, IDictionary`2 deleteInfo) 
[6220]    at Microsoft.IdentityManagement.MA.LotusDomino.Core.Group.ExportEntry(CSEntryChange csentry, Context exportContext, List`1 listChangeResult) 
[6220] Target Site: get_Item 


I was wondering if anybody could give me any pointers on how to solve this problem (Maybe a missing attribute,...) I have checked the group exists in Lotus Notes because I imported it from there.

There is no error on the Lotus Notes side as it does not arrive to Notes.

I am using Lotus Client 9.0 and Domino server 8.6FP6.

My FIM 2010 R2 version is  4.1.3671.0

My Lotus Domino Connector is 1.1.117.0

Any help would be appreciated. I have been trying to solve this problem for a few days now with no luck.

Thanks

Sylvan

Problem with radio button on FIM Custom activity UI


Hi,

I have developed a new custom activity for FIM and deployed it. In the activity UI, we provide three radio buttons to select different options. The activity UI looks like below:

For Option 1 selection, the activity receives the string Option 1 and so on for other options. Based on that value, we run different business logic in the activity. However, I am facing issues when I select Options 2 and 3. When I select Option 2 or 3, it gets selected and the value received in the activity during execution is also proper. However, when I open the workflow to check what Option we have selected, then the UI always displays "Option 1" though it is sending values for Option 2 and 3 as expected during execution.

How do I persist the selection on the Activity UI for different options?

 



Reference in MIM


Hello!

Can anybody advise what to do in such a case:

I have 2 Oracle HR tables

First:

  1. UserID
  2. Division ID
  3. ManagerID

Second:

  1. DivisionID
  2. Division Description

How can I populate user info in the MV, if I need to have information about the account in this form:

  1. UserID
  2. Division Description

As I understand it, I need to use 2 references, but to different objects.

I can't find such examples in any guide and don't know if it can work.

Thanks!





Problem with radio button selection on FIM Custom activity UI


Hi,

 I have developed a new custom activity for FIM and deployed it. In the activity UI, we provide three radio buttons to select different options. The activity UI looks like below:

For Option 1 selection, the activity receives the string Option 1 and so on for other options. Based on that value, we run different business logic in the activity. However, I am facing issues when I select Options 2 and 3. When I select Option 2 or 3, it gets selected and the value received in the activity during execution is also proper. However, when I open the workflow to check what Option we have selected, then the UI always displays "Option 1" though it is sending values for Option 2 and 3 as expected during execution.

Below is the UI code for the activity:

using System;
using System.ComponentModel;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Workflow.ComponentModel;
using Microsoft.IdentityManagement.WebUI.Controls;
using Microsoft.ResourceManagement.Workflow.Activities;

// The activity: ActivityName is the dependency property the designer serialises
// into the workflow, so it must carry the option selected in the UI.
public partial class CustomActivity : SequenceActivity
{
    public static DependencyProperty ActivityNameProperty = DependencyProperty.Register("ActivityName", typeof(System.String), typeof(CustomActivity));
    [Description("Please specify the target attribute")]
    [DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)]
    [Browsable(true)]
    public string ActivityName
    {
        get
        {
            return ((String)(base.GetValue(CustomActivity.ActivityNameProperty)));
        }
        set
        {
            base.SetValue(CustomActivity.ActivityNameProperty, value);
        }
    }

    // Values offered by the radio list; internal so the settings part below can read them
    internal static string[] ActivityNames = new string[]
    {
        "Option1","Option2","Option3"
    };
}

public class CustomActivitySettingsPart : ActivitySettingsPart
{

   public override Activity GenerateActivityOnWorkflow(SequentialWorkflow workflow)
   {
       if (!this.ValidateInputs())
       {
           return null;
       }
       CustomActivity changeActivity = new CustomActivity();
       changeActivity.ActivityName = this.GetRadioSelection("activityToRun");
       return changeActivity;
   }

   public override void LoadActivitySettings(System.Workflow.ComponentModel.Activity activity)
   {
       CustomActivity changeActivity = activity as CustomActivity;
       if (changeActivity != null)
       {
           this.SetRadioSelection("activityToRun", changeActivity.ActivityName);
       }
   }

   public override ActivitySettingsPartData PersistSettings()
   {
       ActivitySettingsPartData data = new ActivitySettingsPartData();
       data["ActivityName"] = this.GetRadioSelection("activityToRun");
       return data;
   }

   public override void RestoreSettings(ActivitySettingsPartData data)
   {
       if (data != null)
       {
           this.SetRadioSelection("activityToRun", (string)(data["ActivityName"]));
       }

   }

   public override void SwitchMode(ActivitySettingsPartMode mode)
   {
       bool readOnly = (mode == ActivitySettingsPartMode.View);
       this.SetRadioListReadOnlyOption("activityToRun", readOnly);
   }

   public override string Title
   {
       get { return "My custom activity"; }
   }

   public override bool ValidateInputs()
   {
       return true;
   }

   /// <summary>
   ///  Creates a Table that contains the controls used by the activity UI
   ///  in the Workflow Designer of the FIM portal. Adds that Table to the
   ///  collection of Controls that defines each activity that can be selected
   ///  in the Workflow Designer of the FIM Portal. Calls the base class of
   ///  ActivitySettingsPart to render the controls in the UI.
   /// </summary>
   protected override void CreateChildControls()
   {
       Table controlLayoutTable;
       controlLayoutTable = new Table();

       //Width is set to 100% of the control size
       controlLayoutTable.Width = Unit.Percentage(100.0);
       controlLayoutTable.BorderWidth = 0;
       controlLayoutTable.CellPadding = 2;

       controlLayoutTable.Rows.Add(this.AddTableRowRadioList("Please select one option", "activityToRun", CustomActivity.ActivityNames, CustomActivity.ActivityNames[0]));
       this.Controls.Add(controlLayoutTable);

       base.CreateChildControls();
   }

   #region "Radio Functions"
   private TableRow AddTableRowRadioList(String labelText, String controlID, String[] radioOptions, String defaultValue)
   {
       TableRow row = new TableRow();
       TableCell labelCell = new TableCell();
       TableCell controlCell = new TableCell();
       Label label = new Label();
       RadioButtonList radioList = new RadioButtonList();

       label.Text = labelText;
       label.CssClass = base.LabelCssClass;
       labelCell.Controls.Add(label);
       radioList.ID = controlID;
       foreach (String Item in radioOptions)
       {
           radioList.Items.Add(new ListItem(Item, Item));
       }
       radioList.SelectedValue = defaultValue;
       radioList.RepeatDirection = RepeatDirection.Vertical;
       controlCell.Controls.Add(radioList);
       row.Cells.Add(labelCell);
       row.Cells.Add(controlCell);
       return row;
   }

   private String GetRadioSelection(String radioListID)
   {
       RadioButtonList radioList = (RadioButtonList)this.FindControl(radioListID);
       return radioList.SelectedValue;
   }

   private void SetRadioSelection(String radioListID, String radioSelection)
   {
       RadioButtonList radioList = (RadioButtonList)this.FindControl(radioListID);
       if (radioList == null)
       {
           // Control tree not built: nothing to select. (The original else branch
           // dereferenced the null list here and would have thrown.)
           return;
       }
       if (!String.IsNullOrEmpty(radioSelection) && radioList.Items.FindByValue(radioSelection) != null)
       {
           radioList.SelectedValue = radioSelection;
       }
       else
       {
           // Unknown or empty value: fall back to the first option, as the original intended.
           // SelectedValue throws for a value that is not in the list, hence the FindByValue check.
           radioList.SelectedValue = radioList.Items[0].Value;
       }
   }

   private void SetRadioListReadOnlyOption(String radioListID, bool readOnly)
   {
       RadioButtonList radioList = (RadioButtonList)this.FindControl(radioListID);
       if (radioList != null)
       {
           radioList.Enabled = !readOnly;
       }
   }
   #endregion
}

Please let me know if I have missed anything in the UI code. When the activity reloads, it is always displaying the first option as selected.

Email Templates and UTC format


Hi,

We are sending out an email notification to a manager 2 weeks before a contractor is to be terminated.

The email notification depicts the date/time in UTC...not in the time zone we are in (e.g. UTC -7), but in UTC.

This has the possibility of confusing people.

Is there a way to correct this UTC time in the email template to reflect the correct time zone (e.g. UTC -7)?

Thank you,

SK

Setspn Unknown Parameter


Hi,

Just going through the "Before you begin" section of FIM setup. We are planning to use a hardware load balancer, and this has been configured and the relevant 'A' record created in DNS. We next go to a DC and try to register the SPN for this new NLB name as follows:

  • setspn –S FIMService/IDM.company.com domain\FIMSync
  • setspn –S FIMService/IDM domain\FIMSync
  • setspn –S HTTP/IDM.company.com domain\FIMWSS
  • setspn –S HTTP/IDM domain\FIMWSS

When we run the first setspn registration we get the error message:

  • Unknown Parameter FIMService/IDM.company.com. Please check your usage.

 

We also tried running it like this:

  • setspn –A FIMService/IDM.company.com domain\FIMSync

But the same error message appears.

Any ideas?

thank you

References Scoping


Hi

I have three entity Types within the same connector space (CS). Two are mapped to the same Metaverse (MV) Entity:
CS User -> MV Person
CS Contact -> MV Person

CS Organization -> MV Organization

Now my problem: MV Organization references an MV Person. I would like to flow that information to the CS using the Sync engine only (no FIMService, no sync rules, no Flow Scope; this means coding, which is normally not a problem for me). Using direct flows I get ambiguous flows, as expected. So I need an advanced rule. But since I cannot use an MV reference attribute as the source attribute in an advanced export flow, things get complicated.
What's the best option?

thanks for your help

Pirmin

Password RESET site is unavailable


Hello,

I am receiving "This page cannot be displayed" while accessing the SSPR sites. Please note that I have checked that the application pools and services are up and running.

Kindly suggest.

Regards,

Suman

Default member and owner while Group creation


While creating a group in FIM, in the wizard, I see that my logged-in account is added as the group member and owner by default. Every time I have to delete them and add members/owners as required. Is there a way to get rid of this default value?

Generic SQL connector - Deleting all values of a multivalue reference attribute is not represented in export


Hello All,

TLDR; Upon deleting ALL entries of a multivalued reference attribute, the Generic SQL connector does not export the changes. Removing only some of the entries works fine. Reproduction steps at the end.

We have 3 management agents:

  • MA connected to an authoritative datasource for users
  • Access Management MA connected to BHOLD for Role Based Access Control
  • Generic SQL MA connected to the destination datasource, which is also the source of 'permissions' (being groups in MV & BHOLD)

We provide users from the first MA, and permissions from the Generic SQL MA. Then we use BHOLD to assign these permissions to the user roles. In the MetaVerse BHOLD permissions are translated into group objects. The users that have these permissions are stored in a multivalued reference attribute (called UserID) of each corresponding group object.

These group objects later update their permissions in the Generic SQL connector space via a basic attribute flow (allow nulls is checked). Afterwards they get exported to the destination datasource and we can verify that the permissions are assigned to the users.

Everything works like a charm except when we remove a certain permission from ALL users in BHOLD (removing the permission from some users works fine). In the MetaVerse this translates into the removal of all values from the multivalued reference field (and again, leaving just 1 or more values present works fine).

This works like a charm and propagates properly to the datasource:

[Screenshot: delete some users]

This does not work (note that this screenshot was taken after we removed the first two entries shown in the screenshot above, thus only one entry is present):

[Screenshot: delete all users]

We expect the cause to be a not implemented scenario (bug?) in the Generic SQL connector. Upon debugging the code of the generic SQL connector using reflection we encountered the code below. Since we have a multivalued attribute we enter the first (highlighted) if-statement. Once inside it counts the 'ValueChanges' of the attribute, but apparently this count returns zero, causing the code to pass the two next if statements.

A result of this is represented in the export run profile logfile you can find below. The former logfile removes all but one entry of the reference field and the latter removes all of them. As you can see the '<dn-attr>' element in the latter is empty (which according to us is originating in the code above).

Export log file upon removing some entries:

<?xml version="1.0" encoding="UTF-16"?><mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export"><directory-entries><delta operation="update" dn="CN=G01,OBJECT=role"><anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor><dn-attr name="UserID" operation="update" multivalued="true"><dn-value operation="delete"><dn>CN=U02,OBJECT=user</dn><anchor encoding="base64">CAAAAFUAMAAyAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value><dn-value operation="delete"><dn>CN=U03,OBJECT=user</dn><anchor encoding="base64">CAAAAFUAMAAzAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value></dn-attr></delta></directory-entries></mmsml>

Export log file upon removing ALL entries:

<?xml version="1.0" encoding="UTF-16"?><mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export"><directory-entries><delta operation="update" dn="CN=G01,OBJECT=role"><anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor><dn-attr name="UserID" operation="delete" multivalued="true"></dn-attr></delta></directory-entries></mmsml>

Is this some mistake or a not implemented scenario in the Generic SQL connector, and if so, where do I report this? Since we only got part of the code using reflection, is it possible to obtain the source code for the Generic SQL Connector so we can investigate further?

Reproduction Steps :

  1. Create accounts in the source system
  2. Create permissions in the destination system
  3. Import both the accounts and the permissions
  4. Synchronize both accounts and permissions to the MV (they will get provisioned to BHOLD through a MV-extension)
  5. Export to BHOLD
  6. Assign a couple of roles to the permissions in BHOLD
  7. Import from BHOLD
  8. Synchronize BHOLD MA (groups will contain their member IDs in the destination CS)
  9. Export the destination MA (+ confirming import)
  10. Remove all roles from the BHOLD permission
  11. Import from BHOLD (group objects will have no members in BHOLD CS)
  12. Synchronize BHOLD MA (group objects will have no members in the MV and destination CS)
  13. Export the destination MA
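Added example, not part of the original post: a Python check over mmsml export run logs of the kind quoted above that flags any multivalued reference attribute exported as a bare delete with no dn-value children, which is the symptom described. The namespace and the two sample logs are taken from the post; real run logs are UTF-16 files, so the helpers take bytes and the samples are encoded the same way.

```python
"""Flag multivalued reference deletes that carry no values in FIM/MIM mmsml export logs."""
import xml.etree.ElementTree as ET

# Namespace used by the Synchronization Service's run-profile export logs (from the post)
NS = {"m": "http://www.microsoft.com/mms/mmsml/v2"}

# The two export logs quoted in the post ("some entries removed" and "all entries removed")
REMOVE_SOME_LOG = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">'
    '<directory-entries><delta operation="update" dn="CN=G01,OBJECT=role">'
    '<anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor>'
    '<dn-attr name="UserID" operation="update" multivalued="true">'
    '<dn-value operation="delete"><dn>CN=U02,OBJECT=user</dn>'
    '<anchor encoding="base64">CAAAAFUAMAAyAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value>'
    '<dn-value operation="delete"><dn>CN=U03,OBJECT=user</dn>'
    '<anchor encoding="base64">CAAAAFUAMAAzAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value>'
    '</dn-attr></delta></directory-entries></mmsml>'
)
REMOVE_ALL_LOG = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">'
    '<directory-entries><delta operation="update" dn="CN=G01,OBJECT=role">'
    '<anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor>'
    '<dn-attr name="UserID" operation="delete" multivalued="true"></dn-attr>'
    '</delta></directory-entries></mmsml>'
)


def parse_export_log(data: bytes) -> ET.Element:
    """Parse an mmsml export log from raw file bytes (the UTF-16 BOM is honoured by expat)."""
    return ET.fromstring(data)


def reference_changes(root: ET.Element):
    """Yield one record per <dn-attr>: owning delta dn, operations and the listed dn-values."""
    for delta in root.iterfind(".//m:delta", NS):
        for attr in delta.iterfind("m:dn-attr", NS):
            values = [
                (v.get("operation"), v.findtext("m:dn", namespaces=NS))
                for v in attr.iterfind("m:dn-value", NS)
            ]
            yield {
                "dn": delta.get("dn"),
                "delta_op": delta.get("operation"),
                "attr": attr.get("name"),
                "attr_op": attr.get("operation"),
                "multivalued": attr.get("multivalued") == "true",
                "values": values,
            }


def find_valueless_reference_deletes(data: bytes):
    """Return (object dn, attribute name) for every multivalued reference attribute
    exported with operation="delete" but no <dn-value> children. A connector that only
    walks per-value changes applies nothing for such an entry, so these are the exports
    to confirm against the target system after the run."""
    hits = []
    for chg in reference_changes(parse_export_log(data)):
        if chg["multivalued"] and chg["attr_op"] == "delete" and not chg["values"]:
            hits.append((chg["dn"], chg["attr"]))
    return hits


if __name__ == "__main__":
    for label, log in (("remove some", REMOVE_SOME_LOG), ("remove all", REMOVE_ALL_LOG)):
        print(label, "->", find_valueless_reference_deletes(log.encode("utf-16")))
```

Pointing the same function at the export run log of a live run (read as bytes) gives the list of group objects whose member clearing needs to be verified in the destination datasource.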

FIM Sync Service "extension-dll-exception" error


Could someone please help me out with this error below:

Recently, when I run a FIM Full Sync and/or Delta Sync, I've started getting this error, and I can't get new users in FIM to feed over to Active Directory. Nothing has been changed in the sync rules mentioned:

XPATH "Filter" attribute via EXPORT Flows


Hi

I have provisioned a Criteria based group from the FIM provisioning process.

Is it possible to populate a Criteria based group with the Filter attribute /Person[orunit=345234]? All I am trying to do is set the criteria via the provisioning process of Groups.

How do I set the criteria ?

Can I do the following ?

mventry["filter"].value = "/Person[Orgunit=234123]";

It has not worked, but can you guide me on how to do something like this?

Regards,

Dev

Is there a simple complete Deploy Guide for MIM Password Registration and Reset ANYWHERE??? I have problems configuring it.


I am struggling to configure the MIM 2016 Password Registration and Password Reset features that I managed to install.

I followed the MIM Deployment guide and I believe I have them on my FIM Service server. mim1

I want to run all 3 services on the same server: MIM Portal (SharePoint, port 80), Password Registration on port 8080 and Password Reset on port 8088.

I discovered these lines in the old FIM 2010 Deployment Guide:

"If you are not going to have the password registration and password reset portals extranet facing and wish to install everything on one server, this is supported but there are some things that need to be considered. The first is that SharePoint for the FIM Portal will be using port 80 on IIS, so additional ports will be required for the password registration and password reset portals. Also, if you are installing everything on one machine and are using Kerberos then useAppPoolCRedentials=true will be set because SharePoint runs as a “farm”. If this is true, then the Application Pool account that runs the FIM Password Registration Site and the FIM Password Reset Site will need to have the appropriate SPNs and delegation configured."

Just my scenario. One machine not extranet facing. BUT nowhere does it describe just what these "appropriate" SPNs and delegations are.

All over the net there seems to be advice about this topic but no actual examples.

I followed the MIM 2016 Deployment guide, it is hard to follow and has quite a few anomalies but what I used was:

Password Registration server:  mim1.mimtest.local    Port 8080

Pool Account  mimtest\MIMSSPR

Password Reset server:   mim1.mimtest.local      Port 8088

Pool Account mimtest\MIMSSPRSVC

How do I check I am using Kerberos? How do I check the value of useAppPoolCRedentials?

OK. and what are the appropriate necessary SPN(s) for me?

HELP!!

Issues with delete-add operation on AD Export


Hi,

Not sure how this happened, but it did.  I have about 300 groups that are stuck in a pending export with a delete-add operation on them.  I tested this "operation" with a low impact group to see if it was actually going to delete it and re-add it.  It did just that.  That's going to be a problem because, if I'm not mistaken, that's going to wipe out the ACLs (permissions) for the group. 

I need to figure out how to get this to not delete the groups.  Everything is identical between what's in Active Directory and what's in the connector space.  So, there are no changes in any of the group names, DNs, members, etc. 

I read something about the DeleteAddAsReplace property that would change a delete-add operation to a replace. But, I don't think that's something I can set when configuring the MA. But, I may not be looking in the right place.

Right now, I have the permissions on those group objects revoked. So, the export can mess with them.  But, I can't leave it like that forever.

Any ideas would be appreciated.

Greg
