Channel: Forum Microsoft Identity Manager

identity manager configuration

Dears,

I deployed MIM 2016 in my lab.

I followed the TechNet guide in order to create the run as profiles and sync the users from AD to MIM.

I have now created users from the MIM portal. Can anyone provide me with the steps to perform in order to synchronize the users the other way round, from MIM to my AD?

thank you


SSPR client versus FIM/MIM Server version through upgrade process

More or less related to my upgrade question.

Situation to start from:

  • FIM 2010 Server Side
  • FIM 2010 SSPR on Windows 7

Situation to go to:

  • MIM 2016 Server Side
  • MIM 2016 SSPR on Windows 7

Now my question: is the MIM 2016 SERVER software backwards compatible? E.g. can FIM 2010 clients connect and perform an SSPR against a MIM 2016 server?

Or is it the other way round? Can a MIM 2016 SSPR client talk to a FIM 2010 server?

I've got quite some clients to upgrade and the first option, server is backwards compatible, would be very very convenient...


http://setspn.blogspot.com

Unable to upgrade from FIM 2010 RTM to MIM 2016 SP1

Hello,

The client has a production Windows Server 2008 R2 with FIM 2010 RTM installed and SQL Server 2008 R2 installed on a different server, and wants to upgrade them to MIM 2016 SP1 and SQL Server 2016 on new Windows Server 2016 and Windows Server 2012 R2 platforms respectively.

We are not doing an in-place migration.

Below are steps we performed:

  • FIM Sync and Service DB backups (FIM 2010 RTM)
  • Restored the databases on SQL Server 2016 on the new Windows Server 2012 R2 platform with all required permissions.
  • Ran MIM Sync 2016 SP1 setup on Windows Server 2016
  • Received an error with rollback action

Below is the error we received:

Error 25009 the microsoft identity manager synchronization service cannot configure the specified database. Invalid object name 'mms_management_agent'

(hr=0x80230406)

We tried to change the compatibility level from SQL Server 2008 to SQL Server 2016 for the FIM database, but we are still getting the same error.

Add a hyperlink to SSPR success page

Is it possible to add a hyperlink to the FIM 2010 R2 SSPR success page after a password reset?

I know you can customize text by modifying the strings.resource file, but I can't seem to add a hyperlink.

If I type out the HTML tag it doesn't work.

Cheers


IT Support/Everything

Objects in Connector Space connected to multiple MV object types?

I have a "Unique Values" database that stores used usernames from many sources.  Originally, I was planning on storing these usernames in 3 custom object types in the Metaverse and then send them out to the Unique Values DB with a SQL MA.  These could be repeats of usernames of person objects.  My reasoning for this was because I do not want them in the portal unless they are joined with an actual person.  I am now realizing that this plan cannot work because those objects in the Unique Values MA connector space cannot be joined with multiple MV object types.  Am I reading this documentation correctly?  Do I need to do away with the custom object types and project person objects for a proper join?  Is there any other way to keep the usernames that are not joined with a person from going out to the portal?  Any suggestions? 

Thanks!

 

Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx


SQL MA exported-change-not-reimported

Hi

I've got two SQL MAs that I'm trying to sync some attributes between.  These are DateofBirth and ExpectedEndDate.

In the source SQL table I get these values in the format 1968-07-23 00:00:00.000

I can flow these values in to the metaverse via a direct flow on the source MA and export them to the destination SQL table.  If I look directly at the destination table with SQL Management Studio I can see that these have been populated correctly.  However when I do my confirming import I get the 'exported-change-not-reimported' error and when I look at what it is trying to do I see:

Imported Value 1968-07-23 00:00:00

Export Value 1968-07-23 00:00:00.000

It's been a very long week and maybe I'm missing something obvious but why is it trying to import a different value from what I can see in the destination SQL table?   Any ideas what I can do about this?

Thanks for any help.

Stop certain users from exporting to the MIM Portal?

I think I already know this answer.  But, I figured I would see if anyone has done this before. 

I have a bunch of users synced to the metaverse from another domain.  I am only using their usernames to send to a database via a SQL MA for use in a workflow that queries that DB.  I do not want them to clutter the portal.  There are over 50,000 of them.  I initially tried using a custom object type which does keep them from syncing to the portal due to no mapping.  But, that didn't work because I need all usernames from multiple sources to go to that SQL DB.  You cannot have connector space objects connected to multiple MV object types.  Is there any way to keep certain users from exporting to the portal?

Thanks.


Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx


MIM SP1 using Exchange Online/O365 for notifications and approvals

I have a MIM SP1 system configured to use Office 365 Exchange Online for email. The mail sending is working fine, but the approvals sit in the service mailbox and are never processed.

Is there a way to turn on more logging or tracing to see what is preventing the approvals from being detected?

Randy


Divided Password Reset configuration

Hi.

I am trying to set up different rules for password reset.

I need the Type 'A' accounts to go through a Q/A and an e-mail OTP, while the Type 'B' accounts only need a Q/A.

But when I change the 'Anonymous users can reset their password' MPR so that the 2 target Sets (before and after) are a new Set with my Type 'A' accounts, they get 'You are not authorized to register for password reset', even though I am sure they are in the new Set.

Does anyone know if this can be done? And if yes, how to do it?

Thanks,

Søren 

MIM 2016 sp1 Approvals via Email

I have a MIM SP1 [4.5.286.0] system configured to use Office 365 Exchange Online for email. The mail sending is working fine, but the approvals sit in the service mailbox and are never processed. Has anyone come across this? I seem to be stuck and cannot find any information to proceed further. Should I be looking at MIM? Firewall? Office 365?

Thanks

Casey 

Error on Export

I have set up a MIM 2016 lab and have been following the steps outlined at the following:

https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync-ad-service

Trying to do the initial synchronization with the FIM Service Management Agent. It keeps producing an Error on the Export job.

Error:  failed-modification-via-web-services

Fault Reason: The endpoint could not dispatch the request.

Fault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domainName)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.AddDomainConfigurationFromDomain(CreateRequestParameter domainNameParameter, RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
   --- End of inner exception stack trace ---</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>705ac252-a529-4b8f-ac48-d7751bda507b</CorrelationId></DispatchRequestFailures>

Received this trying to populate the MIM Service database.

Producing error on Export job. Additional error: failed-creation-via-web-services

Fault Reason: The request message contains errors that prevent processing the request.

Fault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>ObjectSID</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: ValueViolatesUniqueness
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesUniqueness
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode><AdditionalTextDetails>The specified attribute value must be unique for this Resource Type.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>c338690b-1b9b-47b9-8706-9c99dd24444c</CorrelationId></RepresentationFailures>

Any help resolving this would be appreciated.

Windows Server 2016 Domain/Forest Functional Level and FIM 2010 R2

Good morning,

This is a supported platform enquiry as we are aware that technically only 2008R2, 2012 and 2012R2 environments are supported by FIM 2010. There are plans to migrate to MIM 2016 however timeframes on this are uncertain and we are curious as to possible impact on this service in the following scenario:

 

Environment – FIM 2010 R2 running on Windows Server 2012, running in a domain called CONNECT, running with a combination of Windows 2008 R2 and Windows 2016 domain controllers.

 

FIM utilises an Active Directory Domain Services MA to only read information from a number of other “agency” active directories into the FIM metaverse. These ADs are currently at a variety of functional levels.

 

This information is then written from the metaverse into the CONNECT AD using another Active Directory Domain Services MA.

 

1. If one of the agencies replaces all of their DCs with Windows Server 2016 (or higher), will FIM continue to be able to read their data into the metaverse?

 

2. If only Windows 2016 domain controllers remain in the CONNECT domain (with or without a functional level increase), will FIM continue to function normally?

 

Hopefully I've provided enough information for a considered answer.

Thanks for your time,

Cheers, PF.

Exclude computer accounts from PCNS processing

Hi,

our Linux colleagues use Beyondtrust PBIS to connect Linux servers to AD in order to use AD user accounts for logon to Linux.
Every week we get 1-2 PCNS events with ID 7000:

Log Name:      Application
Source:        PCNSSVC
Date:          26.02.2019 16:48:18
Event ID:      7000
Computer:      DC22.contoso.com
Description:
An unexpected error occurred. 
LDAP://DC22/CN=CALT01,OU=Workstation,OU=CAX,OU=PBISCELLS,DC=contoso,DC=compwdLastSet

But it is not only PBIS, such events can stem also from ESX hosts:
LDAP://DC22/CN=EPKWKB,OU=ESXiServer-Prod,OU=T4,OU=SC37E,DC=contoso,DC=compwdLastSet

BTW: Yes, I know that the last word "compwdLastSet" in the distinguishedName doesn't make sense. I believe it is just a display issue, a missing white space char.

I have no clue how these events are created.

Now the thing is:
I tried to avoid these events by adding the group "Domain Computers" to the PCNS Excluded Group, but this doesn't work: today we got an event again.
I have verified using ntdsutil: the computer CALT01 is indeed a member of the Excluded Group and also of Domain Computers.
But obviously this membership doesn't help.

2 questions, please:

1) Does anyone know when exactly the PCNS Excluded Group is evaluated: 
Is it one time after the PCNS service has started? Then I'd have to restart the service so that the new membership gets effective.
Or is it every time when PCNS is called? Then PCNS would compute in real-time if the actual user/computer is member of the Excluded Group. No service restart necessary.

2) Does anyone have an idea what else I could do? (the more important question)

Thanks
Walter

MIM 2016 SP1 synchronizes users: quantitative restrictions

Forest A synchronizes users to MIM, and MIM synchronizes users to forest B. I tried to do it; there are 3,000 users in forest A. The first time, only 2,000 users could be synchronized, and there was no error. The next synchronization should synchronize the other 1000 users, but the second time only 950 users could be synchronized.
Does MIM have a default limit for all data synchronization?

Privileged Access Management (PAM)

Trying to install PAM as a component of MIM 2016 - SP1 while following this document:

- https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam/

I'm a bit stumped by what I'm coming across.  I built a test environment and a prod environment.  I would perform a step in test and, if it worked, I would do it in PROD.  Everything was going great until I got to the end of Step 5.

The "PAM Component" and "PAM Monitor" services will not start in PROD but work just fine in test.  Yes, both domains were built exactly the same from a VM template.  If I use the MIM Service accounts that were created, the services fail to start and give the useless message "The PAM Component Service service on Local Computer started and then stopped.  Some services stop automatically if they are not in use by other services or programs."  I also get the same message when I try to start the PAM Monitor service.  Keep in mind that this works perfectly in the test environment.

If I change the service to "Local System account" the service will then start but the Event log is filled with errors.

This is a typical error in the PAM log.  The common thread here is the web service.

Failed to load PAM configuration.
Exception: The web service client has encountered the following class of error: IdentityIsNotFound
Details: Additional Text Details: The requestor’s identity was not found.
Correlation Identifier: 69ad54b1-4aa8-4405-9cca-71b6bd4f5e95
Failure Message: 
Request Identifier: 


Supported operating systems for FIM 2010 R2

I currently have FIM 2010 R2 installed on a Windows 200 R2 server. We need to upgrade this to 2019 or 2016. Is this supported?

The below link seems no longer to be online, but it suggests that Windows Server 2008 R2 SP1 and Windows Server 2012 are supported.

https://blogs.technet.microsoft.com/iamsupport/forefront-identity-manager-2010-r2-sp1-supported-platforms/

Is this correct?

Thanks 


SSPR Portal custom use

Hello,

One of my customers wanted to add a Captcha to their Password Reset Portal. As it is not doable in a supported way, they came up with another idea (as the portal is published using F5): put the Captcha and the user name check on their F5, and call the Password Reset Portal after that, posting the user name already pre-filled. Is it possible to call the out-of-the-box MIM Password Reset Portal with some parameters (via POST, for example)?


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

Latest MIM Outlook Plugin - Click-to-Run supported?

There is a limitation mentioned on this page:

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms

that the MIM Outlook plugin is not supported on Outlook Click-to-run. 

Is this still true?

Does it throw an error?  

It installed for me on Click-to-Run with an Exchange Online mailbox and the Approve/Reject buttons work, but so far I am not getting results back to MIM. I am using MIM 4.5.286.0.

Randy

certificate-management-rest-api-routes

Hi,

Where can I find a list with all routes of the MIM REST API?

There are just some sample routes on https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/certificate-management-rest-api-service-details.

I am looking for something like the one for example from venafi: https://docs.venafi.cloud/api/


MIM Graph Connector won't remove last group membership from groups

We use the MIM Graph connector for synchronizing group objects (create/update/delete) directly from MIM to Azure AD (not via AD-AAD Connect-AAD). This works great, but we have an issue with removal of the last group membership in a group with this connector. When MIM exports the removal of a group's last membership, this member won't be removed with this connector; we get the famous "exported-change-not-reimported" messages in the sync engine on the next import.

All other changes work just fine. Adding/removing memberships goes through as long as the group doesn't go from, for example, 1 member to 0 members.

We use the latest build of the Graph connector (1.1.913).
