Channel: Forum Microsoft Identity Manager
Viewing all 6657 articles

MIM 2016 SP1 update to 4.5.286 and .Net Framework 4.7+

Hello there,

I would like to know if any of you have already successfully updated MIM 2016 SP1 with the latest update 4.5.286.0 when the .Net Framework on the server (Win2012R2) is already updated to version 4.7+ (in our case 4.7.2)?
I found myself unable to do the MSP update for MIM Sync (I haven't tried the other components at the moment), which failed with error 1723 on action CheckDotNetVersion.

I know that the requirement for MIM 2016 SP1 is Framework 4.6.
But unfortunately the servers have been updated to the latest .Net Framework version without our knowledge, and the security officers prevent us from doing a rollback.

Have a nice day,
Ghislain



Unable to uninstall MIM Portal setup


Hi,

I am trying to install MIM on a new Windows Server 2012; I have successfully installed the following as per the Microsoft guidelines:

1) SharePoint 2013

2) MIM Synchronization Service

3) Visual Studio

4) SQL 2012

I successfully installed the MIM Service Portal and hosted the page mimportal.com, and I got the below error message:

This site can’t be reached


When I try to uninstall/repair/change I get the below error message:


MIM Service and Portal Setup Wizard ended prematurely




Please help to resolve this.

Thanks

Suman.



PAM - Multiple AD Site


How do PAM permissions work with geographically spread AD sites (same domain, and PAM is installed at one site)? Does it replicate the access permissions right away? If not, what is the best way to give the user a good experience?

Is there any posted article for PAM with multiple AD sites?

Email notification bug when requesting on behalf of a user


When our help desk staff submits a request on behalf of another user, the default email sent to the approver is misleading in that it looks like it's the help desk person who is requesting the access instead of the true beneficiary. I believe this is because of the parameter //Requestor/DisplayName in the "Default pending approval email template", which resolves to the person submitting the request instead of the beneficiary. How can I modify the email template so that it reflects the actual beneficiary's name instead of the person requesting the access?

Also, are the email templates and object model documented anywhere? There might be additional details I'd like to include in the approval, rejection and completion e-mails.

Any guidance is appreciated!

Christian



Synchronization rule creation error with PowerShell Connector


I configured the Microsoft PowerShell Connector. I did the imports (Full Import and Delta Import) without problems.

When I tried to create the outbound sync rule in the portal, the wizard was interrupted with an error. There are no errors in the event log.

I select an outbound scope:

Outbound scope

I select a relationship criteria:

relationship criteria

But when I click Next, the wizard fails:

error

I am using MIM build 4.4.1749.0 and SharePoint 2013 with Windows Server 2012 R2.

Any Help?

Thanks in advance.


JuanCC Technology Specialist

Microsoft PAM- Privilege access manager

Hi Team,



I need a little expert advice. I have a scenario where I have to implement PAM.

Scenario Short and Simple:

1. One main production forest, abc.no, which has a child domain pqr.abc.no; all my user data and OUs are stored here.

2. I have created a bastion forest xyz.priv and have a MIM Server installed in that domain.

I now want to establish a trust as per the Microsoft documentation by running the command:

New-PAMTrust -SourceForest "abc.no" -Credentials $ca

I wanted to know, by running this command, will the trust be created with the child domain pqr.abc.no as well?

As mentioned above, this is where all my user data is, and eventually I need to migrate the admin user from this domain to my bastion forest.



Please assist with your inputs.

Thank You.




MIM 2016 Service and Portal - Error when trying to install hotfix rollup 4.5.286.0 (KB4469694)


Hey all,

I'm getting the following error when trying to apply hotfix 4.5.286.0 to the MIM Portal Server:

"PowerShell 1.0 or better was not detected on this machine.  Please install PowerShell and run this installer again".  

I obviously have PowerShell installed so I'm baffled as to why I'm getting this error.  I tried to run the Repair option for the existing version installed on the machine, however I end up with the same error.

Any suggestions?  I really would like to avoid having to reinstall and start all over again...

Thanks,

Christian

Common name for PAM Sample Portal - PAM.contoso.com


Can we use a common name for PAM SAMPLE Portal? 

I tried to use PAM.contoso.com rather than using server FQDN:8090 and received the error below:

Oops! Something went wrong. The ajax calls failed, please contact your administrator. Error code:0

Has anyone configured the PAM sample portal using the common name? Could you please share the steps I need to perform to use the common name?

Thanks!


FIM Question on Permanent employee and Non-employee


We have an employee that used to be permanent, but is now a contractor working for us. Currently we are using his old permanent account to work so there is no disruption to his work.

Is there a way to keep the same AD object without breaking FIM? Or do we need to set up another AD account with a different networkID, employee ID, etc.?

MA error as Completed-discovery-error

Received error (Completed-discovery-error) on operations in one of the MA's.

Automate multiple Criteria-based groups creation - Possible ?


Hello, 

Is it possible to create multiple Criteria-based groups in MIM Portal based on inputs I will provide?

Any way we can Automate or Import the Criteria file? 



Regards, Amol Patil

Modify RDN


Hello,

For various reasons I won't go into we are using the latest version of the Generic LDAP connector to sync users and groups to AD LDS.

The sync rule for groups is pretty straightforward with the usual two attribute flows for DN (IFO and persistent) and a bunch of others, none of which are CN before you ask!  The DN is constructed from CN=accountname,OU=etc,etc

The problem occurs when a group manager renames one of his groups and modifies the accountName in MIM. Although this flows to AD fine, in AD LDS it errors, because in the LDAP world it has to delete the old RDN before it can write the new RDN. We can prove this by doing it manually in LDP.exe, whereby if you don't select to delete the old RDN the operation fails.

Any ideas as to why we cannot do this with the Generic LDAP MA?

TIA

Rob

Issue installing 4.5.286 hotfix on Service & Portal. Failed on "UpdateAppConfigSettingsInPatch"?


Has anyone ever seen this one when installing a hotfix on the MIM Service & Portal? I'm installing 4.5.286.0 when it fails. I just installed 4.4.1642.0 successfully. It seems to have an issue with editing the config file, though I can see the file being updated twice. I assume once for the initial update pass and once for rollback. It's SharePoint 2013 on Server 2016 (I know, I know), though I don't think that is the issue. All MIM components and SQL are on the same server (test server).

MSI (s) (DC:60) [16:53:35:241]: Executing op: ActionStart(Name=UpdateAppConfigSettingsInPatch,,)

Action 16:53:35: UpdateAppConfigSettingsInPatch.

MSI (s) (DC:60) [16:53:35:241]: Executing op: CustomActionSchedule(Action=UpdateAppConfigSettingsInPatch,ActionType=3074,Source=BinaryData,Target=Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config",)

CustomAction UpdateAppConfigSettingsInPatch returned actual error code -1 (note this may not be 100% accurate if translation happened inside sandbox)

MSI (s) (DC:60) [16:53:35:397]: Note: 1: 1722 2: UpdateAppConfigSettingsInPatch 3: C:\Windows\Installer\MSIE484.tmp 4: Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config" 

MSI (c) (34:8C) [16:53:35:397]: Transforming table Binary.

MSI (c) (34:8C) [16:53:35:397]: Transforming table Binary.

MSI (c) (34:8C) [16:53:35:397]: Note: 1: 2262 2: Binary 3: -2147287038

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpdateAppConfigSettingsInPatch, location: C:\Windows\Installer\MSIE484.tmp, command: Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config"

MSI (s) (DC:60) [16:55:53:320]: Product: Microsoft Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpdateAppConfigSettingsInPatch, location: C:\Windows\Installer\MSIE484.tmp, command: Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config"


Keith

MIM 2016 Integration with AS400


Hello Everyone,

I have an implementation of MIM 2016 and we are looking to integrate it with IBM AS 400. So my question is:

Is there any recommended third party connector for AS 400 besides the one from IDMWorks?

Thanks in advance for your answers.

MIM CM Error : the version of OLE on the client and server machines does not match


Hello all,

We have just installed MIM 2016 CM SP1 (4.4.1302.0) on a Windows Server 2016.

The Certificate Authority is a 2016 one.

And we have the error: "the version of OLE on the client and server machines does not match. (Exception from HRESULT: 0x80010110)"

Does someone know how to solve this problem?

We checked all the SPNs and delegation, the rights on the database, and the group in Web Config, and all seem to be good.

thanks,

Regards,

Jean.


MIM ADMA and "permission-issue" when Deleting an Account


Hello all,

Not sure where to start with this.  I suspect it's more of an AD issue than a MIM issue.  None of the posts I've read seem to address this issue specifically.

My MIM ADMA is throwing a "permission-issue" message when trying to delete an account.  I've managed to mess around with it some and can make it work. But, I'm confused about a few things.

The account MIM is trying to delete was created by the ADMA, and is owned by the account the ADMA is running under. The ADMA account is granted full control rights to the parent OU, with inheritance set to this object and all child objects (the account is actually four levels down). If I check the security tab of the account, the ADMA account shows up with full control checked (and all the other checkboxes, including delete). Seems pretty simple, to me. I can't think of any more pertinent information to add.

What I have done to make it work is: 1) remove the ADMA rights from the parent OU, 2) drill down to the account and assign the ADMA account full control to the actual account. After doing that, ADMA will delete the account. Then, I'll set the ADMA account back to full control at the parent and enable inheritance.

So, this leads me to believe there's something in the inheritance that's not getting set.  When setting file system rights, there is an option to replace all the child permissions when the changes are applied.  I don't see that option for user accounts.

To throw another thing at this, I don't have the problem with all the accounts.  It actually seems to be quite rare that I run into this.

I can't be certain about this final aspect.  I do have cases where there is an account I temporarily do not want MIM messing with. So, I'll break the inheritance on the one account and revoke the ADMA account rights.  When I'm comfortable that MIM isn't going to do something sinister to that account, I'll put the inheritance back.  It's rare that I do that, but in one case, this "permission-issue" has reared its head on an account I have done that to. 

Is there a way to force the inheritance to propagate throughout the tree? Is there something I'm missing?

My "go to" workaround has been to just go into AD and manually delete the account. That's quick and dirty and it keeps the ADMA from failing. But, I'd like to know what's going on.

Thanks,

Greg
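The symptom above (full control at the parent OU, yet a delete fails on one object a few levels down, and only rarely) is exactly what an object with inheritance blocked looks like from the ADMA's side: nothing granted at the OU reaches it. The check below is an added example, not code from the post or from MIM; it lists the user objects under a managed OU whose ACL has inheritance disabled and what, if anything, the ADMA service account still holds on them explicitly, and it includes a guarded helper to re-enable inheritance on a single reviewed object. It assumes the RSAT ActiveDirectory module (for the AD: PSDrive); the OU and account names are placeholders.

```powershell
# Added example, not from the forum post: report user objects beneath the OU the
# ADMA is delegated on whose ACL has inheritance blocked, and the explicit rights
# (if any) the ADMA service account holds on them. Assumes the RSAT
# ActiveDirectory module. OU and account names below are placeholders.
Import-Module ActiveDirectory

$SearchBase  = 'OU=Managed Users,DC=corp,DC=example'   # placeholder: OU the ADMA is delegated on
$AdmaAccount = 'CORP\svc-mim-adma'                     # placeholder: account the ADMA runs as

function Get-InheritanceBlockedUsers {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $AdmaAccount
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            # Get-Acl over the AD: drive returns an ActiveDirectorySecurity object.
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

            # AreAccessRulesProtected is $true when "Include inheritable permissions
            # from this object's parent" was unticked on the object. Whatever the
            # parent OU grants, none of it reaches this object.
            if ($acl.AreAccessRulesProtected) {
                $explicit = @($acl.Access | Where-Object {
                    -not $_.IsInherited -and $_.IdentityReference.Value -eq $AdmaAccount
                })

                [pscustomobject]@{
                    DistinguishedName = $_.DistinguishedName
                    AdmaExplicitAces  = $explicit.Count
                    AdmaRights        = (($explicit | ForEach-Object { $_.ActiveDirectoryRights }) -join '; ')
                }
            }
        }
}

function Restore-AclInheritance {
    # Re-enable inheritance on one object while keeping its explicit ACEs
    # (isProtected = $false, preserveInheritance = $true), then write the ACL back.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report first; only re-enable inheritance on objects that have been reviewed.
Get-InheritanceBlockedUsers -SearchBase $SearchBase -AdmaAccount $AdmaAccount | Format-Table -AutoSize
# Restore-AclInheritance -DistinguishedName 'CN=Some User,OU=Managed Users,DC=corp,DC=example' -WhatIf
```

An object that appears in the report with zero explicit ACEs for the ADMA account is one the ADMA cannot delete regardless of the OU-level grant, which matches the behaviour described in the post: re-granting the rights directly on the object works, and so does re-enabling inheritance. The report also surfaces the accounts that were deliberately isolated from MIM and never re-joined to the inheritance chain.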

MIM-PAM 2016 error


I am having an installation error in PAM 2016, please help.

Error 2826:  Control ckboxUseSSL on dialog ExchAndCertificateDlg extends beyond the boundaries of the dialog to the right by 15 pixels
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2826. The arguments are: ExchAndCertificateDlg, ckboxUseSSL, to the right

CAQuietExec:  Error - SharePoint did not confirm the deployment of the FIM solution pack microsoftilmportalcommondlls.wsp within the expected time. This operation may take long time on SharePoint farm. Specify the bigger value for "SHAREPOINTTIMEOUT" parameter. (The default value is 180 seconds)
CAQuietExec:  An error occurred while deploying FIM portal solution packs. 
CAQuietExec:  Error 0xfffffffa: Command line returned an error.
CAQuietExec:  Error 0xfffffffa: CAQuietExec Failed
CustomAction InstallCommonPortal returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Possible bug: MIM 2016 PAM and removal of Shadow Principal membership


TL;DR: 
Users do not get removed from shadow principals by PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL based group membership also works. Correct access has been granted to the service account. 


So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust). 

I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API results in the user being added to the shadow principal (with a TTL as expected). So far so good.

But if the role is manually deactivated before the TTL has expired, I can see all the requests go through successfully (the TTL of the PAM request is set to 0 and it is expired). However, the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as if it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.

"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed fromshadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

However no removal (or failure events in MIM/Event logs) actually occur. 

If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

So in other words, log wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens even though the logs state that 'the user was removed'. 

Has anyone else run into this and perhaps can shed some light on this behavior? 


Andreas
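When the trace says a user "was removed" but the access persists, the directory itself is the source of truth, not the log. The script below is an added example, not code from the post or from MIM: it reads the shadow principals in the bastion (PRIV) forest and lists the ones that still contain a given user, with the TTL the directory reports, so the Component Service's claim can be compared against what AD actually holds. It assumes the RSAT ActiveDirectory module on Windows Server 2016 or later; the use of -ShowMemberTimeToLive on Get-ADObject and the "<TTL=seconds>,<DN>" form of time-bound member values are assumptions based on the 2016 TTL-membership behaviour, and all names are placeholders.

```powershell
# Added example, not from the forum post: verify a user's shadow principal
# memberships directly in the PRIV forest, independent of what the PAM Component
# Service logs claim. Assumes the RSAT ActiveDirectory module (Server 2016+).
# -ShowMemberTimeToLive on Get-ADObject and the "<TTL=seconds>,<DN>" member
# format are assumptions; server, DN and account names are placeholders.
Import-Module ActiveDirectory

$PrivDc  = 'privdc01.priv.example'      # placeholder: DC in the bastion (PRIV) forest
$PrivDn  = 'DC=priv,DC=example'         # placeholder: PRIV forest root DN
$UserSam = 'priv.jdoe'                  # placeholder: PRIV account that requested the role
$ShadowContainer = "CN=Shadow Principal Configuration,CN=Services,CN=Configuration,$PrivDn"

function Get-ShadowPrincipalMembershipsForUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Server
    )

    # Resolve the DN once; member values on the shadow principal are DNs.
    $userDn = (Get-ADUser -Identity $SamAccountName -Server $Server).DistinguishedName

    Get-ADObject -Server $Server -SearchBase $SearchBase `
                 -Filter { objectClass -eq 'msDS-ShadowPrincipal' } `
                 -Properties member, 'msDS-ShadowPrincipalSid' -ShowMemberTimeToLive |
        ForEach-Object {
            $sp = $_
            foreach ($m in @($sp.member)) {
                # Time-bound members come back as "<TTL=3600>,CN=...,DC=..." (assumed
                # format); permanent members are a bare DN. Split so the DN compares.
                $ttl = $null
                $dn  = $m
                if ($m -match '^<TTL=(\d+)>,(.+)$') {
                    $ttl = [int]$Matches[1]
                    $dn  = $Matches[2]
                }

                if ($dn -eq $userDn) {
                    [pscustomobject]@{
                        ShadowPrincipal = $sp.Name
                        ShadowedSid     = $sp.'msDS-ShadowPrincipalSid'
                        TtlSeconds      = $ttl      # $null means the membership carries no TTL
                    }
                }
            }
        }
}

# After manually closing a PAM request, an entry still listed here (with or without
# a TTL) means the removal the Component Service logged never reached the directory.
Get-ShadowPrincipalMembershipsForUser -SamAccountName $UserSam -SearchBase $ShadowContainer -Server $PrivDc |
    Format-Table -AutoSize
```

Running this before the request, right after the manual deactivation, and again after the original TTL would have expired separates the two cases the post contrasts: a membership that disappears on its own is a TTL working as designed, while one that survives the deactivation and only goes away at TTL expiry is the shadow principal path failing to act on the closed request.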


REST ODATA API URL does works for integrating the third party applications with MIM Web Service Connector


Hi All

I am trying to integrate SAP SuccessFactors, which is in the form of an OData API URL. I am not able to see the list of attributes that I get when I integrate the same.

While looking for troubleshooting options, one of the MIM TechNet documents mentioned that:

  • REST (not ODATA): An HTTP protocol-based connector/web.

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-ma-ws

Can someone please provide their input to get it corrected?


I have implemented a basic Approval Workflow using a Microsoft article, but still am not able to see the Workflow triggered


Hi All

I have implemented a basic approval workflow using the Microsoft article, but I am still not able to see the workflow triggered. I am not able to identify what exactly went wrong.

Thanks
