Channel: Forum Microsoft Identity Manager

MIM Portal Sync Rules have become orphaned


We are running a MIM 2016 (latest patch) Portal/Service and Sync system (separate servers). We created a few Synchronization rules within the MIM portal to perform data syncs from a SQL agent into an AD environment (group membership management). The environment was not touched for a few weeks, and when we came back to it the Portal was offline. Upon starting the portal and going into the list of Synchronization rules, each rule lists the following beside it:

<guid>
The referenced Management Agent has been deleted. Please delete this Synchronization Rule, update the external system field or re-import the deleted Management Agent)

Please note: we did NOT remove any of the management agents from the sync server. We did not change any MA configuration such as service account details, etc.

We checked the workflow history in the portal and found that the Built-in Synchronization account deleted the ma-data for each agent from the portal, and attempting to add it resulted in an error.

Has anyone experienced something similar before and managed to resolve it without wiping everything out and re-creating?


AK


CustomExpression for Attribute Flow: Is it possible to use OR?


I've tested this numerous different ways.  I need to assign the domain attribute based on Loc_Code.  This works if I have just one code in there:  IIF(Eq(Loc_Code,"167"),"SSHCA","UCH").  This correctly sets the domain to SSHCA if that code is 167.  Is it possible to have multiple conditions?  For example:  IIF(Eq(Loc_Code,"167" OR "40"),"SSHCA","UCH").  It seems like it should work.  But, it evaluates as false every time and sets to "UCH".

Thanks!


Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx

How to Send Email notification when new city Name added to FIM


Dear All,

We are trying to trigger an email when a new city/location/department is added to SQL and imported to FIM, with the details of the users that belong to it.

How can it be achieved?

Need Your Help!

Thanks,

Shashidhar

FIM service - mailbox on cloud


Is there any specification on where the FIM service mailbox should be present for FIM to send notifications? Can the mailbox be in the cloud?

How can you use Office 365 as FIM Service notification account


Hey All,

As Office 365 is out there and getting popular, I would like to use an Office 365 account EWS endpoint for the FIM portal notification account. This would be excellent, but at the moment it is not documented anywhere. Does anyone have experience of the settings needed to do this? I am sure I can change the EWS endpoint in the config file, but due to the nature of the "cloud" I am unsure whether that will change at another time.

Thoughts ?

Rob

FIMSynchronizationService


An unexpected error has occurred during a password set operation.

"BAIL: MMS(9408): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

BAIL: MMS(9408): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

BAIL: MMS(9408): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)

ERR_: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2

BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2

BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2

BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9408): D:\bt\51912\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9408): admaexport.cpp(4230): The Kerberos change operation failed: 0xc000005e

ERR_: MMS(9408): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005

Forefront Identity Manager 4.4.1749.0"

Hi,

I have read the forums looking for a solution to the above problem but have not yet found the solution.

The scenario is as follows:
There are 3 different domains connected by VPN to each Domain Controller.
The FIM Server is new and is on Domain1.
When we create a new user in the Portal, in the Domain Controller of Domain1 the user appears correctly created, but in the others it is created but appears inactive.
When we run Reset Password on the Domain Controller of Domain1, the Event Viewer of the FIM server gives the above error.
The users used in agent synchronization are Domain Admins (temporary permissions).
The firewalls of the servers are turned off and the VPN allows any port.
We tested a PowerShell script and were able to change the password of any Domain2 user from Domain1.
Does anyone have a tip or idea that might help solve the problem?

Thank you

Error Extending the Data Warehouse Schema (RequiredValueIsMissing Details: AttributeName: msidmDataWarehouseBindingIdentity)


Hi,

I'm trying to extend the reporting schema of MIM Reporting (on MIM SP1) exactly like in the example: FIM 2010 R2 Reporting Custom Reports and Extensibility

As the result of Import-FIMReportingSchemaDefinition I'm always getting this error:

Import-FIMReportingSchemaDefinition : Failure when making web service call.
SourceObjectID = 518ecb9a-898f-4b35-831a-81d95970303d
Error = The web service client has encountered the following class of error: RequiredValueIsMissing
Details: AttributeName: msidmDataWarehouseBindingIdentity
AttributeValue:
Additional Text Details: An attribute is required to complete the operation.
Correlation Identifier: 3f973165-02a6-4c67-af59-4add4ce7bc5d
Failure Message:
Request Identifier:
At line:1 char:1
+ Import-FIMReportingSchemaDefinition -BindingXmlFile C:\DW\binding\M ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-FIMReportingSchemaDefinition], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.ResourceManagement.ReportingAdministration.Im
   portReportingSchemaDefinition

I'm getting the same error not only on my prepared extensions but also when using the sample extensions from the above TechNet example. Does anyone have any ideas what the issue could be?


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

FIM Maintenance Mode


Hi,

When doing some changes in FIM, it is often advised to place FIM in 'maintenance mode'.

I don't believe there is a magic button that says 'maintenance mode', so what do they mean by this?

Does it suggest switching off any automation / scheduled tasks, disabling some MPRs? (which ones?), anything else?

Thank you,

SK


Oops! Something went wrong. The ajax calls failed, please contact your administrator. Status code: 406. Error: Not Acceptable.


I sometimes get the error below when using the PAM sample portal.

Oops! Something went wrong. The ajax calls failed, please contact your administrator.
Status code: 406.
Error: Not Acceptable.

Can anyone share the solution to fix it?

Thanks!

FIM Question on Permanent employee and Non-employee


We have an employee that used to be permanent, but is now a contractor working for us. Currently we are using his old permanent account to work so there is no disruption to his work.

Is there a way to keep the same AD object without breaking FIM? Or do we need to set up another AD account with a different networkID, employee ID, etc...

MIM CM Modern App (UWP) - cannot get it working


Hello,

I tried to get the modern app working, but unfortunately could not get it working.

The re-signing and installation all went well - I did:

- changed the Custom.Data MIMCM Url (skipped all other settings, since I suppose they are "optional", like the ADFS settings)

- re-signed the APPX

- installed the App

Upon start - I get the following entries in the Log:

2019-01-30 17:59:33:4845Type: InformationalId: 2Message: 'Execute REST API GET call.
Uri: 'https://mim-dev-1.mim.dev/certificatemanagement/api/v1.0/profiles?status=Active''
2019-01-30 17:59:33:5158Type: VerboseId: 1Message: 'IsLOBComplianceEnabled : Start'
2019-01-30 17:59:33:5158Type: VerboseId: 1Message: 'IsLOBComplianceEnabled : END'
2019-01-30 17:59:33:5158Type: VerboseId: 1Message: 'OnLaunched() : End'
2019-01-30 17:59:33:5158Type: CriticalId: 5Message: 'Failed to load profile and profile templates from server.
System.FormatException: One of the identified items was in an invalid format.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.Proxy.HttpClientManager.<GetAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.Proxy.CredentialManagementRestApiProxy.<GetProfiles>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.Repositories.ProfileRepository.<GetSoftwareProfilesAsync>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.ViewModel.HomeScreenViewModel.<LoadProfiles>d__54.MoveNext()
'
2019-01-30 17:59:33:5158Type: VerboseId: 1Message: 'LoadEnrollableProfiles() : End'
2019-01-30 17:59:34:9064Type: VerboseId: 1Message: 'LoadEnrollableProfiles() : Start'
2019-01-30 17:59:34:9064Type: InformationalId: 2Message: 'Loading avabilable profile template, profiles and smartcards.'
2019-01-30 17:59:34:9064Type: InformationalId: 2Message: 'Execute REST API GET call.
Uri: 'https://mim-dev-1.mim.dev/certificatemanagement/api/v1.0/profiles?status=Active''
2019-01-30 17:59:34:9220Type: VerboseId: 1Message: 'IsLOBComplianceEnabled : Start'
2019-01-30 17:59:34:9220Type: VerboseId: 1Message: 'IsLOBComplianceEnabled : END'
2019-01-30 17:59:34:9220Type: CriticalId: 5Message: 'Failed to load profile and profile templates from server.
System.FormatException: One of the identified items was in an invalid format.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.Proxy.HttpClientManager.<GetAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.Proxy.CredentialManagementRestApiProxy.<GetProfiles>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.Repositories.ProfileRepository.<GetSoftwareProfilesAsync>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Clm.ModernApp.ViewModel.HomeScreenViewModel.<LoadProfiles>d__54.MoveNext()
'
2019-01-30 17:59:34:9220Type: VerboseId: 1Message: 'LoadEnrollableProfiles() : End'

When I call the offending web-service in a browser (https://mim-dev-1.mim.dev/certificatemanagement/api/v1.0/profiles?status=Active) - I get an empty array as a result:

<ArrayOfProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Clm.Shared.Profiles"/>

So - apparently the call does work "halfway" (it does not run into an error, although the returned profiles are *wrong*!!!)

When I try to get profiles via "MIM-Remoting API" (basically I do: FindRequests, then with those requests query the profiles) I *do* get active profiles!

Information about my system - I tried it with two versions of MIM 2016:

- MIM 2016 SP1 (4.4.1302)

then I tried updating to the "latest version":

- MIM 2016 - 4.5.286.0

However - there was no difference whatsoever - other operations in MIM-Rest-API which I am pretty sure are *broken* (not working as advertised in the documentation) still are broken (e.g. you cannot "Abandon" a request via REST-Api....you will always get "501 - Not Implemented")

So - what's the deal here - why does the REST-API not work as advertised? Wrong installation on my side? Wrong documentation on your side?? Same thing about the Modern-App? Any prerequisites I overlooked?

Kind Regards

Johannes Colmsee


Incorrect pageid FIMService database


Hello

We have a problem with the FIMService database.

Error in Event viewer:

SQL Server detected a logical consistency-based I/O error: incorrect pageid (expected 1:1477410; actual 101:2097266). It occurred during a read of page (1:1477410) in database ID 20 at offset 0x000002d1644000 in file 'E:\SQL\FIM\FIMService.mdf'.  Additional messages in the SQL Server error log or system event log may provide more detail. This is a severe error condition that threatens database integrity and must be corrected immediately. Complete a full database consistency check (DBCC CHECKDB). This error can be caused by many factors; for more information, see SQL Server Books Online.

No actual backup exists.

The database is working now, but there is a problem with synchronization of some users between two domains. Is it possible to recreate the database from scratch and start a full sync?

Please Help!

Extensible Connectivity 2.0 Management Agent


Hi Everyone,

I need to acquire some knowledge about ECMA 2.0. I have not found anything in particular which points me in the right direction. As for my requirement, I need to import user details from an XML file or any source into the metaverse so that I can redirect them to the destination.

Is there any source out there for my requirement?

Any help will be much appreciated.

Thanks,

biswajeet

MIM CM Rest API missing methods, wrong documentation, bugs?


Hello,

I have been struggling with introducing the MIM-Rest-API.

When one does the most basic stuff, like what is described here: https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/sample-enrollment-walkthrough

It does indeed work as advertised on the MSDN-Developer Reference.

However - once you try to do other operations, you *often* find yourself in a situation, where obviously the documentation is either flawed or even outright wrong.

One (of the many) examples - this page describes the "Set Status" endpoint:

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/cancel-abandon-complete-request

According to the documentation you can finish, cancel or abandon the request - however - in reality you can only "finish" the request.

When you try to cancel or abandon neither will work, and you will get a 500 server error....maybe even with message "NotImplemented" (take this "NotImplemented" one with a grain of salt, it might have been another method which had that in the message - like I said earlier, there are *many* examples where the documentation is wrong)

Some detailed information on my installation:

First tests were done in MIM 2016 SP1 (4.4.1302.0).

After I found out about the many problems I tried updating MIM to 4.5.286.0 (which should be the currently newest version) - it did not help in the least...

So - what's the deal with that?

Am I too stupid?

Is the MSDN-API-Reference "false Advertisement"? (which would be really bad from a customer's perspective....pre-alpha for years, advertised as "finished"....lots of wasted time for the customers...like me...)

Kind Regards

Johannes Colmsee

MIM / PAM 2016 SP1 - Child Domain


Hello Experts,

Can anyone advise if Microsoft PAM 2016 SP1 works with child domains?

We have PAM (Bastion Forest) deployed in the environment, which works well with the root forest, but it looks like privileged permissions are not syncing up in the child forest. Users are getting messages that they do not have enough permission in the child domain.

We have already added the child domain in the root trust for PAM.

Thanks!


Identity and password stolen by spouse


Married 38 years and need help getting rid of a hacker that knows everything about me.

MIM 2016-Synchronization Service Manager


When trying to install the FIM agent, I get this error:
Failed to retrieve the schema.

Failed to connect to the specified database of Forefront Identity Management Service. Please check the specified database location, service host address, and account information.

Administration: Administrators can read all resources is disabled


Hello,

Unfortunately and by mistake on my development server, I disabled the MPR named - "Administration: Administrators can read all resources".

Can anyone tell how to enable this? I am not able to see any administrative links on the Portal.

Thanks,

Manuj

delta sync "stopped-database-connection-lost" aad connect server


Team,

In my environment we are facing a Delta sync issue, "stopped-database-connection-lost", on the AAD Connect server.

It's happening twice a day.

I checked the system event logs; they just show the delta sync issue.

Thanks

====

Rama


New-PAMTrust : The specified forest does not exist or cannot be contacted.


Hi Experts,

Trust you are doing well, I need some assistance.

I am setting up PAM in our testing environment on Windows Server 2016 Datacenter and while I have successfully configured most of the things, including the MIM components, the only place where I am stuck at the moment is when I run the New-PAMTrust command from my MIM Server to establish a trust with my Corp DC.

I have checked that both the DCs, CORP and PRIV, are able to resolve and reach each other via DNS (as we have the same DNS server in our environment).

My MIM version: MIM 2016 Version 4.4.1749.0.

My CORP DC is running on Windows Server 2012 R2 Standard.

I have tried many things but I always get stuck, and below is the error that I get.

New-PAMTrust : The specified forest does not exist or cannot be contacted.

Please assist,

Thanks


