Channel: Forum Microsoft Identity Manager

Prerequisites

When we are integrating MIM and MIM CM along with PAM, what are the suggested prerequisites we have to consider from the Azure AAD Connector, AD, SQL Server and networking points of view, such as creation of service accounts, groups, SPNs, applying permissions, etc.?



ECMA agent and multi-tenancy applications

Hello community,

I have one MIM 2016 SP1 server. Let's say I have an asp.net application with SQL server backend. The application is deployed in multiple environments (e.g. dev, test, prod). Each deployment has its own database connection string. A user can have an account in each environment.

I would hate to have an agent and sync rules per tenant. Is there a way to use one agent instead of an agent per environment?


Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

Blog: http://lajak.wordpress.com

Twitter: ahmedalasaad

MIM - Collect user access data from a database table/view

Hello,

There is a requirement to import users and their access data from a database table/view into MIM portal.

The DB view contains user ID, user email, roles, etc., and this needs to be imported into the MIM portal, where it should have a relationship between users and the roles they have. Users can have multiple roles too.

How can we achieve this in MIM? I have a DB management agent created, but how do I import roles and user-role relationships?

Please elaborate

How to determine which users have pending FIMCM action approved but not executed yet?

Use case: an online update triggered multiple emails to users. Is there any way to get the email addresses of those users who still haven't executed the update? I was thinking about querying the SQL database directly; any ideas or thoughts?

MIM portal - The requestor's identity was not found for all users after service account password change

Hi guys,

I've inherited a problem at a customer who has (apparently!) changed the passwords of the MIM service accounts, and since they have, they get the "The requestor's identity was not found" error when logging on to the portal. In the event log, no matter which user is attempting to log on, the missing identity is apparently the same: that of the sync account. Services all look OK and are configured to use individual accounts, i.e. the sync service is using the sync account, the MIM Service has a MIMService AD account, and SharePoint has its own too.

If I turn off ASP.Net impersonation in IIS, the identity changes to that of the Sharepoint app pool, but still doesn't allow a user to log on, throwing the same error.

I've checked Kerberos and the SPNs look OK, as does delegation, and there are no duplicates in the forest. I've checked and toggled requireKerberos=true in web.config, and I've checked useAppPoolCredentials in applicationHost.config.

Users look OK in SQL - the objectString and objectBinary tables suggest they have a domain, account name and a SID.

Interestingly, Export-FIMConfig works OK which leads me to conclude that the user is definitely OK too.

Any ideas? Especially where might it be configured to reference the sync account?

Thanks,

Paul.

MIM 2016 SP1 ignoring sendAsAddress email

Hello,

I am using MIM 2016 SP1. I am trying to send emails as a different account. From my reading on other posts on this forum, I should be able to change sendAsAddress attribute in the service.exe.config file. I followed the steps in https://social.technet.microsoft.com/Forums/en-US/aec634d2-165e-49c9-960e-0eaa6625b040/can-mail-server-be-configure-in-fim-post-install?forum=ilm2

I restarted the FIM Service in Services.

But it seems that MIM is ignoring the email address and still sends the email using the MIM Service email account.

I tried entering an invalid value (e.g. "aadddf"). I saw an error in the event viewer that the email format is not valid.

My conclusion: MIM is validating the email address in the sendAsAddress attribute, but it is not using it when it is valid.

Any idea what's going on?

Thanks


Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

Blog: http://lajak.wordpress.com

Twitter: ahmedalasaad

FIM stopped server error

Hi All,

Is there a way to dig deeper into the "FIM stopped server error"?

I tried the option below, as mentioned in the article:

https://social.technet.microsoft.com/wiki/contents/articles/11331.fim-2010-r2-troubleshooting-stopped-server-error-on-the-fim-service-management-agent.aspx

Database indexes are fine, and there is enough free space in tempdb and on the other drives for processing the records.

Thanks,

Anirban
http://iam-ninja.blogspot.com/

Problem exporting encryption key

Hello.

I've today begun installing MIM 2016 on a brand new Windows Server 2016 server. I've followed the install instructions specified here: https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync

At the very end of Synchronization Service installation, there is a step to backup the encryption key. However, no matter where I attempted to save the key, I always got an error.

“The Forefront Identity Manager Synchronization Service setup wizard was unable to back up the key set. <hr=0x80131904> … try again?”

This error is also described on page https://idm4real.com/2013/07/31/error-saving-the-fim-sync-key-set/

There it is said that the key can be exported later in the Synchronization Service Key Management tool. However, when I attempt to do so by using either MIMSync or MIMInstall user accounts, I receive another error.

"A required privilege is not held by the client."

I also attempted a repair install of Synchronization Service, that didn't help. Then I uninstalled Synchronization Service, removed the SQL database, rebooted the server and then ran the install again. Once again same issue.

Please assist.


MIM 2016 - RCDC "my:Description" not displaying in browsers

Hi everyone, I recently upgraded from FIM to the latest version of MIM. I noticed the my:Description attribute in the RCDC no longer gets displayed in the browsers. According to the latest documentation, this is still supported.

Here is a sample line that I am trying to use, which worked previously. Any ideas?

<my:Grouping my:Name="ContentGroupingSample" my:Caption="Sample Content Grouping" my:Description="Some description">

Update to Group membership denied trying to modify E-mail Alias/MailNickname

I'm new to an existing MIM 2016 environment (and FIM in general) and trying to track down an issue we've been experiencing. In the Portal, group owners are attempting to modify membership which is being denied.

Reason: The operation failed as a result of insufficient access rights.
Attributes: MailNickname
Details: No policy grants the Requestor permission to complete all changes.

If the owner is removed and re-added, they are then able to successfully modify the group membership for some short period of time (less than 24 hours). When these requests are processed, there is no mention of E-mail Alias/MailNickname being modified.

In each case, the Request appears to be using the same MPRs so I'm confused as to why it's trying to modify the E-mail Alias in one situation and not the other.

Thanks
Brett

EDIT: There also appears to be a difference if the user opens the group and modifies the membership there (fails) rather than just selecting the group and then clicking Add Member or Remove Member buttons from the toolbar (succeeds).

Deployment Guide - MIM High Availability

Hi,

We need to deploy the MIM tool in a high availability environment where we have 2 MIM portals serving requests, with the MIM Service on the same server. The MIM Sync service resides on a third server, and SQL is clustered with built-in high availability. I tried to find a deployment guide in TechNet forums, blogs, etc. but was not able to find any. Can anyone guide me on how to deploy MIM in this kind of environment, and while installing, does the installer provide the options

Use SMTP instead of Exchange MIM2016SP1

So I went in to Microsoft.ResourceManagement.Service.exe.config and updated the following:

<appSettings>
    <!-- Setup adds entries -->
    <add key="mailServer" value="sw20smtp.ourdomain.com" />
    <add key="isExchange" value="0" />
    <add key="sendAsAddress" value="svc-mimservice@ourdomain.com" />

I then get the following in the event viewer after I restart the FIMService:

The Forefront Identity Manager Service cannot connect with Exchange because required configuration is missing.
The mailServer configuration setting in the Forefront Identity Manager Service application configuration file is missing or not a valid URI.
Ensure an XML Node with this XPath exists and has inner text that is a valid URI representing the Exchange server:
/configuration/appSettings/add[@key='mailServer']
For example,

<configuration><appSettings><add key="mailServer" value="http://www.contoso.com/ews/exchange.asmx" /></appSettings></configuration>;

What is my issue??? Any insight would be great!!

Thanks
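
The event log entry quoted above states two requirements for the mail settings: the node at /configuration/appSettings/add[@key='mailServer'] must exist, and its value must be a valid URI. The following is an added example, not code from this post or from MIM itself: it reads a constructed copy of the appSettings block (host names are placeholders) and reports which of those stated requirements each value meets. It models the wording of the message, not MIM's internal validation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the appSettings block in the post above;
# the host names and addresses are placeholders, not real systems.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="mailServer" value="sw20smtp.ourdomain.com" />
    <add key="isExchange" value="0" />
    <add key="sendAsAddress" value="svc-mimservice@ourdomain.com" />
  </appSettings>
</configuration>"""

# The form the event log entry gives as a valid mailServer value.
EXCHANGE_EXAMPLE = "http://www.contoso.com/ews/exchange.asmx"


def app_setting(config_xml, key):
    """Return the value of /configuration/appSettings/add[@key=<key>], or None if absent."""
    root = ET.fromstring(config_xml)
    node = root.find(f"./appSettings/add[@key='{key}']")
    return None if node is None else node.get("value")


def is_absolute_uri(value):
    """True only for values carrying a scheme and a host, e.g. http://host/path.

    A bare host name such as sw20smtp.ourdomain.com has neither, so it fails.
    """
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def check_mail_settings(config_xml):
    """Report which of the requirements stated in the event log entry the config meets."""
    mail_server = app_setting(config_xml, "mailServer")
    return {
        "mailServer_present": mail_server is not None,
        "mailServer_is_uri": mail_server is not None and is_absolute_uri(mail_server),
        "isExchange": app_setting(config_xml, "isExchange"),
        "sendAsAddress": app_setting(config_xml, "sendAsAddress"),
    }


if __name__ == "__main__":
    for name, result in check_mail_settings(SAMPLE_CONFIG).items():
        print(f"{name}: {result}")
    print(f"example value is a URI: {is_absolute_uri(EXCHANGE_EXAMPLE)}")
```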

SMTP authentication for FIM 2020 r2

Hi All,

Is FIM capable of using SMTP authentication to send email? We are using a Mimecast gateway to send emails, and we are planning to create an account in Mimecast that can perform SMTP submission to route mail to Mimecast.

How to define these things in FIM config file?

Is this possible?


Rajesh Kumar NSR, FIM administrator, Wipro Technologies. India.

FIM 2010 R2 Registration Portal (Error 3001) - rejected because of access control policies; The supplied request content violates system rules

Hello FIM Experts;

Reaching out to the people who are way smarter than me ;-).

Scenario: Issue occurs when attempting to register user in Password Registration Portal; user is immediately given a message informing them to contact their Systems Administrator.

Background:

- FIM 2010R2
- Single server instance (SSPR, FIM Service, FIM Synchronization, Sharepoint Services)

The error page was displayed to the user.
Details:
Title: Access denied.
Message: Error processing your request: The operation was rejected because of access control policies.
Source: The supplied request content violates system rules.
Attributes:
Details: The Request contains changes that violate system constraints.
CorrelationId: e51762ae-780d-413a-80dd-40263ba45d86
RequestId:
ErrorCode: 3001
CaughtTime: 09/16/2012 21:34:29

Web Portal: FIM Password Registration Portal
Session Id: 1mlmg055qvoe25njdvtvzz55

Thanks in advance,

Unique


UG.

Microsoft Identity Manager right for mobile phone

We must give a group of employees (members of a particular AD group) the right to edit the mobile phone numbers of all company employees on the MIM portal. Editing other fields is prohibited. What is the top-level scheme for implementing this task by means of MIM?

Windows 2016


Respectfully yours, Я



X path filter condition in FIM 2010

Hi,

We need to make a search scope which displays all the users who have the same display name as the logged-in user. We have tried "/Person[DisplayName='%Attribute_DisplayName%']" but it is not working.


Can someone please give some input on it?


hima

Add users from different domains to an AD group

I have an environment where a person can have an account in two different AD domains (Domain A and Domain B).  It is also possible for a user account from Domain A to be a member in a group in Domain B.  This is currently managed manually.  I'm working on a solution where this will be handled by FIM (actually MIM).  The solution I envisioned would have an MA for each AD domain.  Group membership will be determined by a third HR system so there will be an MA for that as well, which will be authoritative.  The person object in the MV would join to each AD MA, the FIM portal and the HR MA (ie 1 MV object per person).  The challenge with this design is that I'm not sure it's possible to  populate the Membership attribute of an AD group using a synchronization rule in a way that distinguishes which domain a group member comes from.  Does anyone know if this is possible and if so how would I set this up?  A solution that I think would work is to create multiple objects for a person in the MV (eg one for Domain A and one for Domain B).  But I would prefer not to do that.

Thanks, 
Moe

Outbound sync rule with Custom Expression in MIM - is it possible to check boolean user portal only value?

Hi,

Could someone please advise how to check the value of a MIM Portal-only boolean attribute of a user in outbound sync rules?

We have a custom Portal-only boolean attribute bound to user, and we need to check that it is True before making a conditional outbound sync to AD.

IIF(PortalCustomDisplayNameAllowed, Null(), DisplayName)=>DisplayName

I am not sure how to select the current Portal-only PortalCustomDisplayNameAllowed attribute value of the user. An XPath filter?

The 'PortalCustomDisplayNameAllowed' boolean attribute exists only in the MIM Portal and does not exist in the MV.

It could be set on the user properties portal page at the same time as the new custom DisplayName.

Why is not the connector existing

Hello!

I only use the Synchronization Service and no Portal.
I have three agents: HR, AD and Phone. HR and AD are just simple databases, not a real AD or HR system.

Five objects in HR are the same as five in AD.

I run these profiles:
Full Import for agent HR so the CS contains the data
Full Sync HR, which calls the provisioning that creates a Phone object linked to the MV object

Full Import AD so the CS contains the AD data
Full Sync AD, which calls the provisioning for Phone. When I check in the debugger I can see that targetAgent (see code below) is 0, but I think this should be 1, because when I ran Full Sync on HR I created a connector between the created Phone object and the MV. If I search the connector space for Phone I can see that Connector is True for all 10 objects.

//Here is the code that provision Phone
// MV extension code; needs a reference to Microsoft.MetadirectoryServices
using Microsoft.MetadirectoryServices;

void ProvisionPhone(MVEntry mventry)
{
    CSEntry csentryKatalog;
    ReferenceValue dn;

    // Count connectors from the HR ("Personal") MA; fall back to the AD MA if there are none
    int connectorsSourceSystem = mventry.ConnectedMAs["Projekt - Personal"].Connectors.Count;
    if (connectorsSourceSystem == 0)
    {
        connectorsSourceSystem = mventry.ConnectedMAs["Projekt - AD"].Connectors.Count;
    }
    ConnectedMA targetAgent = mventry.ConnectedMAs["Projekt - Phone"];

    // Provision only when a source connector exists and the Phone MA has no connector yet
    if (connectorsSourceSystem >= 1 && targetAgent.Connectors.Count == 0)
    {
        dn = targetAgent.CreateDN(mventry["personnummer"].Value);
        csentryKatalog = targetAgent.Connectors.StartNewConnector("Katalog");
        csentryKatalog.DN = dn;
        csentryKatalog["MAID"].Value = mventry["personnummer"].Value;
        csentryKatalog.CommitNewConnector();
    }
}

//Tony
