Channel: Forum Microsoft Identity Manager

Import deletion limit


Hello,

I have set up a deletion limit of 50 users on one of my MAs on the Full Import (stage only) step.

The deletion limit does the job: it deletes only 50 users during the run, but the run continues with the next MA.

That means that when all the agents have run, at the next cycle the first MA will run again and will delete 50 more users.

The issue I have is that I would like the first MA, where the deletion limit is set up, to stop in a standby mode and wait for a manual action to continue.

I know that is the case on the export step: the MA stops and does not export anything. I would like the same thing on the import step.

Is it possible?

Thanks,
Bruno


Upgrading customised FIM to MIM - process and things to be aware of


Hello,
We currently have FIM 2010 R2 in place and we're looking at upgrading to MIM 2016. We're using FIM 2010 R2 4.1.3733.0 installed on Windows Server 2008 R2 as follows:

fimsync01 - FIM Sync Server + sync DB (SQL 2008 R2)
fimserviceDB01 - SQL 2008 R2 SQL DB for FIM service
fimportal01 - FIM portal server (also runs SharePoint Foundation 2010)

My plan is to do the following in a lab environment first:

1. Upgrade all FIM 2010 R2 server components to the latest version (presumably this will not functionality with the client component).
2. Deploy a new server to replace fimportal01. This will be a Windows 2012 R2 server with SharePoint Foundation 2013.
2a. MIM portal will be installed on the new 2012 R2 server, but I'll point the installer to look at my existing 2008 R2 SQL DB.

I'll be using this guide or similar
https://blogs.msdn.microsoft.com/connector_space/2015/08/05/performing-an-in-place-upgrade-of-fim-2010-r2-to-microsoft-identity-manager-2016-service-and-portal/

I have a few questions:

1. I have extended the FIM portal schema to add new objects and attributes, will this cause an upgrade issue?
2. I've automated run profiles using scheduled tasks and scripts; these scripts reference GUIDs on the sync server. Presumably I need to amend these scripts?
3. I have customised the FIM portal, presumably I'll need to customise the portal again?
4. Is MIM compatible with existing FIM client plugins? We're using the SSPR plugin.

Thanks in advance

SSPR and Captcha


Hi,

Has anyone modified SSPR with a Captcha?

How easy was it?

Are there any recommendations?

Thanks,

SK

MIM 2016 and SQL 2016

I see MIM supports up to SQL 2014 SP1:

https://docs.microsoft.com/en-us/microsoft-identity-manager/plan-design/microsoft-identity-manager-2016-supported-platforms

Is there any indication from Microsoft about if/when there will be support for SQL 2016?  I've looked but haven't found anything.  Also, has anyone tried MIM on SQL 2016?

FIM BP Analyzer


Hi,

We are searching for the FIM BP Analyzer but there is no way to download it; the link seems to be broken.

http://www.microsoft.com/en-us/download/details.aspx?id=30419

Is there any way to get it?

BR,


Emmanuel IT

Extract "Row Errors" in FIM using SQL query.


Hi, Good afternoon,

Referring to the Sync Service Manager console, how can I extract/copy all the errors shown in "Row Errors" (after a failed MA run) using SQL? (SQL is used in the FIM backend for the DB.)
There are a few tables inside the database such as "dbo.mms_Connectorspace", "dbo.mms_Management_Agent" etc., but I could not identify which one would contain the "Row Errors" info that I need.

Thanks in advance!

r0m3ll


Multiple Certificates in a Smart Card - FIM CM 2010 R2


Hi, 

I am trying to see if it's possible for me to have multiple active certificates for two AD user accounts installed in the same smart card. I have two user accounts, one for admin purposes and the other one for my activities as a normal user in the organization, and would like to check the feasibility of having certificates for both user accounts installed in the same smart card.

The version of FIM which I am using is FIM 2010 R2. 

Thanks in advance. 


-- JPM


FIM 2010 R2 & GALSync?


Hi,

In the past, it was recommended (and I think required) that GALSync run on its own instance of MIIS/ILM/FIM.

I have experienced and seen posts where GALSync MA and FIM MA have issues coexisting on the same server - so is it still required that GALSync have its own instance of FIM 2010 R2 Sync?

Thanks,

SK


GALSYNC: is there a way to deposit contacts into separate OUs


I'm using MIM 2016 GalSync with Exchange 2013 and Exchange 2010.

In a default GALSync installation, the MAs will deposit all contacts into a single OU.

I've seen the article How to Provision Contacts to Specific OU Units Based Upon an Originating Forest, but the article is old and the method to update the GALSync solution is not working for me. Plus the attribute msExchOriginatingForest is not available in our schema.

I would like contacts from different MAs to go into separate OUs. How can I achieve that?

High CPU usage


Hi,

We have deployed a FIM configuration with 2 database sources for "input".

Synchronization rules are working and "populating" the MV database. FIM output is also populated. In this "inbound" phase, all seems to work correctly, but when export to FIM is started, the FIM database server gets high CPU usage (95 to 100%).

This state occurs during all the export phase.

We have tried to separate FIMService and FIMSynchronization databases on different servers, and the only one impacted is FIMService.

Is it a known issue or a configuration mistake that may explain this problem?

BR,


Emmanuel IT

sync a new custom attribute (User emp number) from flat file database (*.CSV) to FIM to Active directory


FIM is already deployed and functional in the environment: the user object and its attributes flow from the data source (*.CSV file) to FIM and are exported to the target, i.e. Active Directory.
A new custom attribute will be published in the CSV file for each user object. What steps need to be performed on Forefront Identity Manager so that the new attribute is imported from the CSV file and gets exported to the target (AD)?

Please provide the technical steps.

Notify requestor when request has been approved by owner


I have a demand for sending a notification to the Requestor when the request is approved. Currently, MIM only notifies the requestor if the request is rejected by the owner (e.g. for joining a Security Group).

I tried adding a Notification task to the "Owner Approval Workflow", but that made all requests fail (error: the workflow encountered an internal error during processing) so I had to restore the Owner Approval Workflow XOML to the default value.

Any guidance on how I can make sure that requestors get an email when their request is approved?


How to delete an "orphaned" metaverse object in SQL


We had three "export-phantom" errors occurring on the FIMMA Export run operation.

The errors indicated missing attributes in the metaverse objects. Unfortunately, we could not re-present the three objects in the Oracle Database MA to attempt a join. So we had to look at the tables in the FIMSynchronization database.

First, we took a snapshot of the FIM 2010 R2 server, a VMware virtual machine.

This is the SQL we used, after some investigation:

-- Find the incomplete metaverse object and copy its object_id for the next step
SELECT accountName, email, mailcontacttype, mailNickname, CN, object_id FROM [FIMSynchronizationService].[dbo].[mms_metaverse] where object_type = 'contact' and accountName = 'SGBS123UFA';
-- Returns this record:
-- accountName email mailcontacttype mailNickname CN object_id
-- SGBSEDPSUFA SGBS1123SUFA@sefkekskail.ok.or NULL NULL NULL 5DBA9A28-FD7F-E611-9C88-005056913B1F

-- 1. Delete object from mms_metaverse table
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 2. Delete record from mms_metaverse_lineageguid
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse_lineageguid] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 3. Delete record from mms_metaverse_lineagedate
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse_lineagedate] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- Find the record in mms_csmv_link using the metaverse object_id
SELECT mv_object_id, cs_object_id FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] where mv_object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
-- Returns this record:
-- mv_object_id cs_object_id
-- 5DBA9A28-FD7F-E611-9C88-005056913B1F 01113ADC-6B80-E611-9C88-005056913B1F

-- 4. Delete record from mms_csmv_link
DELETE FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] where mv_object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 5. Delete the linked connector-space object from mms_connectorspace
DELETE FROM [FIMSynchronizationService].[dbo].[mms_connectorspace] where object_id = '01113ADC-6B80-E611-9C88-005056913B1F';

We deleted records from five tables to effectively delete the incomplete metaverse objects.

The sequence of run operations was run and the "export-phantom" errors did not occur.

Has anybody else attempted working directly with SQL to delete a metaverse object?  Any comments on the five tables?
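The post above deletes from five tables with hand-typed GUIDs and no safety net apart from a VM snapshot. The following T-SQL is an added example, not the poster's script and not a Microsoft-supported procedure: it wraps the same five deletes in a transaction, checks first that the metaverse object exists and that exactly one connector-space object is linked to it (so a second MA's live connector is not deleted by accident), reports the row counts that would go, and rolls back by default. It assumes the table and column names exactly as the post uses them; the object_id value is the one from the post and is only a placeholder for your own lookup result. As with the post, take a backup and stop the Synchronization Service before running it for real.

```sql
-- Added example: guarded version of the five-table cleanup from the post.
-- Assumes the dbo.mms_* tables and columns named in the post; nothing here is documented API.
USE [FIMSynchronizationService];
SET XACT_ABORT ON;

-- Placeholder: replace with the object_id returned by your own mms_metaverse lookup.
DECLARE @mv_id uniqueidentifier = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
DECLARE @cs_ids TABLE (cs_object_id uniqueidentifier);

BEGIN TRANSACTION;

-- Check 1: the metaverse object must actually exist.
IF NOT EXISTS (SELECT 1 FROM dbo.mms_metaverse WHERE object_id = @mv_id)
BEGIN
    RAISERROR('No metaverse object with that object_id; nothing to do.', 16, 1);
    ROLLBACK TRANSACTION;
    RETURN;
END;

-- Collect every connector-space object linked to the metaverse object.
INSERT INTO @cs_ids (cs_object_id)
SELECT cs_object_id FROM dbo.mms_csmv_link WHERE mv_object_id = @mv_id;

-- Check 2: the post's procedure assumes a single orphaned connector. If several MAs are
-- joined to this object, deleting them all would remove live connectors, so stop here.
IF (SELECT COUNT(*) FROM @cs_ids) > 1
BEGIN
    RAISERROR('More than one connector-space object is linked; review before deleting.', 16, 1);
    ROLLBACK TRANSACTION;
    RETURN;
END;

-- Report what the deletes would remove, table by table, before anything is committed.
SELECT 'mms_metaverse' AS tbl, COUNT(*) AS rows_to_delete
    FROM dbo.mms_metaverse WHERE object_id = @mv_id
UNION ALL SELECT 'mms_metaverse_lineageguid', COUNT(*)
    FROM dbo.mms_metaverse_lineageguid WHERE object_id = @mv_id
UNION ALL SELECT 'mms_metaverse_lineagedate', COUNT(*)
    FROM dbo.mms_metaverse_lineagedate WHERE object_id = @mv_id
UNION ALL SELECT 'mms_csmv_link', COUNT(*)
    FROM dbo.mms_csmv_link WHERE mv_object_id = @mv_id
UNION ALL SELECT 'mms_connectorspace', COUNT(*)
    FROM dbo.mms_connectorspace WHERE object_id IN (SELECT cs_object_id FROM @cs_ids);

-- The same five deletes as in the post, in the same order.
DELETE FROM dbo.mms_metaverse             WHERE object_id    = @mv_id;
DELETE FROM dbo.mms_metaverse_lineageguid WHERE object_id    = @mv_id;
DELETE FROM dbo.mms_metaverse_lineagedate WHERE object_id    = @mv_id;
DELETE FROM dbo.mms_csmv_link             WHERE mv_object_id = @mv_id;
DELETE FROM dbo.mms_connectorspace        WHERE object_id IN (SELECT cs_object_id FROM @cs_ids);

-- Dry run by default: inspect the counts above, then change ROLLBACK to COMMIT to apply.
ROLLBACK TRANSACTION;
```

Running it as written changes nothing; the count result set is the evidence to compare against the post's expectation (one row in each table) before switching the last statement to COMMIT. Because SET XACT_ABORT ON is in effect, any error in one of the DELETE statements aborts the batch and rolls the whole transaction back rather than leaving the five tables half-cleaned.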

Declarative vs classic rules


Hello!

I have some questions about MIM concepts.

  1. Can I do something like "sync preview" for all of my objects? As I think, this can be useful when deploying in existing environments.
  2. Can anybody explain the difference between attribute flows in the Portal (declarative) and in Synchronization Service Manager (classic)? Pros and cons of each method?

Attribute flows can be declared in two places.

Portal:

+ We can make separate inbound and outbound rules for attribute flows. This can simplify a sync process.

+ MS is recommending this type of sync.

- We need to make an extra "import cycle" for the MIM MA to import the declared rule and get it to work.

- Can't make an export of the configuration.

Synchronization Service Manager:

+ Extensions in C# and VB with more complicated rules.

+ Simple export of all configuration.

- Only one place to declare sync rules, so this can be + or - at the same time.

But if you google for guides on the Internet about provisioning users from AD to MIM, there are many guides which use declarative rules in the portal for this; as I think, it is faster in this case to use classic flows in Sync Service Manager (fewer mouse button clicks) :)

And declaring two rule flows in different places can be difficult to understand.

So, what do you think about this situation, which method do you prefer?

Thanks!



Deny all requests adding users from domain B to Security Groups in domain A


We have two domains in our forest, CORP and PARTNER. CORP-users are allowed to access PARTNER-resources, but PARTNER-users are not allowed to access CORP-resources. Also, most Security Groups in CORP are of scope "Global", so trying to add any PARTNER-users in them would fail.

We are managing Security Groups for both domains in the MIM Portal with full self-service for group owners. But I need to get a fail-safe switch in place to stop any owners/requestors from adding (or requesting to add) PARTNER-users to CORP-groups:

  • If the request target is a CORP-group, deny request if trying to add PARTNER-members
  • If the request target is a PARTNER-group, allow requests for both PARTNER and CORP-members

I guess I should utilize AuthZ somehow, but I'm really not sure how to sort it out. PS: I do have MIMWAL in place.

Any guidance is much appreciated, thanks!



Provision of users to AD OU


Hi!

I am looking for ways to make user accounts flow to different OUs, based on the user's department field.

We have an HR DB with a DepartmentID field and a file (Excel) with relations between DepartmentID and AD OU.

I can see such ways to get it to work:

1. Attribute-value text file with fields for the DepartmentID and AD OU relations. Fast and easy to add/delete new OUs.

2. Using some coding like this:

https://blog.kloud.com.au/2016/02/03/dynamic-active-directory-user-provisioning-placement-ou-using-the-granfeldt-powershell-management-agent/

PowerShell or C# code to export the user to the correct OU. As I think, it is not simple to maintain such code.

Do you have any more ideas?

Maybe I can store a table with the DepartmentID and AD OU relations somewhere in MIM?

Thanks!


Accidentally deleted Administrator from Portal - now can't access


I've stupidly deleted the Administrator account from the MIM Portal and now I don't have access to Users, MPRs etc.

I was trying to re-import the administrator account and a few new accounts into the portal and thought I could just delete them out of the portal and import them back through the Synchronization Manager. This is clearly not the case!

I don't have any backups of the FIM database or anything to fall back on, so I was wondering if there were any PowerShell commands or any other way of getting the administrator back to how it was.

I'm hoping I don't have to do a complete re-install! 

Can't believe I have done this! What an idiot!!!

Hoping for an easy fix :(

Migrating Tivoli Identity Manager to Microsoft Identity Manager - Tool for Migrating TIM Life cycle Rules and Operations


I am currently engaged in discovering use cases, life cycle rules and associated operations (workflows) of a Tivoli Identity Manager solution for which no requirements, as-built or use case documents are available.

With the use of TIM admin access and TIM tools I am documenting the current configuration, but wanted to consider the next phase.

Is anyone aware of a tool to migrate LCR -> MPRs, Operations -> MIM Workflows, Views and ACI -> RCDC?

I am starting to sense a correlation between some Operations elements and MIM elements but would love to use (or develop) a solution to assist with migration. Something like we had in the good old days for Notes to SP migration - anyone remember Casahl ?

TIA

Nigel

FIM and two domains configuration.


Hello!

I have an interesting question about a two-domain MIM configuration.

We have one PROD domain and one TEST domain.

In PROD we have an HR DB and MS AD with prod users. AD users were synchronized to MIM.

In TEST we have only MS AD with TEST users.

We want to test provision of users to TEST domain before deploying them in PROD.

As I understand, we can do it with 2 AD MAs (AD MA PROD and AD MA TEST) for these domains.

In addition, I need to create a Sync rule in Portal with use of AD MA (TEST) to provision users to TEST domain.

We don’t need to synchronize passwords and so on for this scenario.

What else do I need to do to test this case?

Thanks!


Statistics not reflected for extensible connectivity 2.0 Management Agents


Hello,

For an Extensible Connectivity 2.0 file-based MA, an Export profile is configured, execution of the profile is successful, and we can find the exported accounts in the file.

But the statistics for it are not reflected. Adds and Updates remain zero even though we have changes and those changes have been exported successfully.

Can anyone please suggest possible reasons for this behaviour and a resolution for it?

Let me know if any further information is needed.

Regards,

Jyothishree SP 
