Channel: Forum Microsoft Identity Manager

Register-AuthenticationWorkflow : No policy grants the Requestor permission to complete all changes.


I am trying to register users for SSPR using a PowerShell script. When I run the script, I get the error below. I have tried enabling multiple MPRs and creating new MPRs to grant access, but all in vain.

PowerShell error:

Register-AuthenticationWorkflow : No policy grants the Requestor permission to complete all changes.
At C:\Users\mimadmin\Desktop\MIM\sspr.ps1:25 char:1
+ Register-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationW ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AuthenticationWorkflow], ClientPermissionDeniedException
    + FullyQualifiedErrorId : Microsoft.ResourceManagement.WebServices.Client.Exceptions.ClientPermissionDeniedException,Microsoft.ResourceManagement.Automation.RegisterAuthenticationWorkflow

When I check the Event Viewer logs, I get these error entries:

Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Correlation Identifier: f882774e-9749-47b4-99af-447941ce9d02
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>DisplayName</Name></ai><ai><Name>GateData</Name></ai><ai><Name>GateID</Name></ai><ai><Name>GateTypeId</Name></ai><ai><Name>ObjectType</Name></ai><ai><Name>UserID</Name></ai><ai><Name>WorkflowDefinition</Name></ai>
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
   --- End of inner exception stack trace ---

Below is the script I am trying to execute:

Add-PSSnapin FIMAutomation    # FIM/MIM Service cmdlets (Get-/Register-/Unregister-AuthenticationWorkflow)

$AccountName = "fmajeed"

# Gate answers for this user (placeholder values)
$Email = "fahad.majeed@xnrel.com"
$FNAME = "fahad"
$LNAME = "majeed"
$MOBILE = "0000000000"
$CNIC = "000000000000"
$PASSPORT = "00000000"
$DOB = "00-00-0000"

$Domain = "AD\"    # NetBIOS domain prefix, so the user is addressed as AD\fmajeed

if ($Email)
{
    # Fetch the registration template for the workflow and fill in the gate data,
    # one value per question, in the order the gate defines them
    $template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset AuthN Workflow For Students'
    $template.GateRegistrationTemplates[0].Data[0].Value = $FNAME
    $template.GateRegistrationTemplates[0].Data[1].Value = $LNAME
    $template.GateRegistrationTemplates[0].Data[2].Value = $MOBILE
    $template.GateRegistrationTemplates[0].Data[3].Value = $CNIC
    $template.GateRegistrationTemplates[0].Data[4].Value = $PASSPORT
    $template.GateRegistrationTemplates[0].Data[5].Value = $DOB

    # Registers on behalf of the user; the account running this script is the
    # Requestor that the MPRs are evaluated against
    Register-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationWorkflowRegistrationTemplate $template
    Write-Host "Registered successfully"
}
else
{
    # No email on file: remove any existing registration for this user instead
    Unregister-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationWorkflowName 'Password Reset AuthN Workflow For Students'
}

 


F.
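The "Permission denied" event above names the attributes the request tried to write (DisplayName, GateData, GateID, GateTypeId, ObjectType, UserID, WorkflowDefinition). A quick way to see which MPRs could satisfy such a request is to export the Create MPRs and compare their ActionParameter lists against that set. The following is an added example, not the poster's script: it uses the FIMAutomation snap-in's Export-FIMConfig cmdlet; the XPath filter, the attribute names (taken from the event text) and the assumption that the script runs on the MIM Service host are the author's assumptions.

```powershell
# Added example, not the poster's script: list the MPRs that grant the Create
# action and check whether their ActionParameter set covers every attribute the
# event log says was denied. Run on the MIM Service host (or add -Uri).
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Attributes named in the "Permission denied" event entry in the post.
$deniedAttributes = 'DisplayName','GateData','GateID','GateTypeId','ObjectType','UserID','WorkflowDefinition'

# Assumed XPath: every MPR whose ActionType includes Create.
$mprs = Export-FIMConfig -CustomConfig "/ManagementPolicyRule[ActionType='Create']" -OnlyBaseResources

function Get-ExportedAttributeValue {
    param($Resource, [string]$Name)
    # Export-FIMConfig returns ExportObject items; the attributes sit under
    # ResourceManagementObject.ResourceManagementAttributes.
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) } else { return @($attr.Value) }
}

foreach ($mpr in $mprs) {
    $name     = Get-ExportedAttributeValue $mpr 'DisplayName'
    $disabled = Get-ExportedAttributeValue $mpr 'Disabled'
    $grants   = Get-ExportedAttributeValue $mpr 'GrantRight'
    $params   = Get-ExportedAttributeValue $mpr 'ActionParameter'

    # An MPR can only satisfy the request if it is enabled, grants rights, and
    # its ActionParameter list covers every requested attribute ('*' covers all).
    $missing = @($deniedAttributes | Where-Object { $params -notcontains $_ })
    $covers  = ($params -contains '*') -or ($missing.Count -eq 0)

    [pscustomobject]@{
        MPR               = "$name"
        Enabled           = ("$disabled" -ne 'True')
        GrantsRights      = ("$grants" -eq 'True')
        CoversAllAttribs  = $covers
        MissingAttributes = ($missing -join ',')
    }
}
```

Only rows that are enabled, grant rights and cover all attributes are candidates; for each of those you still have to confirm that the Requestor set contains the account running the script (the urn:uuid in the event) and that the Target set contains the object being created, which the exported MPR references by set identifier.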


MIM SSPR - Power Shell Script for Registering Users Automatically


I came to know from a video on the internet that it is possible to register users automatically through a PowerShell script by setting the answers to the security questions. Can anyone provide me with such a script?

 


F.

RCDC: How to know when a RCDC was changed


Hi,

How can I know when an RCDC (User Editing) was changed?

Thanks,

JD


How can I add an attribute in the “Click to select attribute” drop down selection?


Hi, can anyone advise how to add an attribute to the “Click to select attribute” drop-down selection?

I need to add an attribute to the attributes available when you click on the “Click to select attribute” drop-down selection.

I'm using FIM 2010 R2, version 4.1.3510.0


r0m3llm


Error only when delete user in active directory after an export in FIM (failed-modification-via-web-services)


Hello,

My environment is one Active Directory (domain B) -> FIM -> Active Directory (domain A). It is only for replicating a user from domain B to domain A with a new domain name. 3 management agents (ADMB, FIMMA, ADMA).

It's OK when I create, disable, or change any attributes, but not when I delete a user in domain B.

I get this error when exporting in FIMMA:

(failed-modification-via-web-services)

Fault Reason: The endpoint could not dispatch the request.

Fault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other 
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domainName)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.AddDomainConfigurationFromDomain(CreateRequestParameter domainNameParameter, RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
   --- End of inner exception stack trace ---</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>588a19b1-3642-450b-a494-3a933af76da2</CorrelationId></DispatchRequestFailures>

If someone has an idea...

Thanks in advance

How to get the 'unique app ID' of the Azure AD connect?


See here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

"The custom property name can be found in the directory by querying a user's property using Graph Explorer and searching for the property name. Also, you can now select the Get custom extension properties link in the dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension properties for that app."

With that I can create custom filters like that: user.extension_c272a57b722d4eb29bfe327874ae79cb__OfficeNumber -eq "123"

GH

Attributes flow view (script or tool request)


Before I reinvent the wheel... Is there a free script or tool to create a view of inbound and outbound attribute flows? I know OCG's FIMAlyzer, but it's not free, and the FOV, but its report is not up to the task. Anyone?

GH

Do you want to be acknowledged as the next Forefront Identity Manager Guru? Submit your work to July 2019 competition!



What is TechNet Guru Competition?

Each month the Microsoft TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and the community as a whole. Winners will be announced in a dedicated blog post published on the Microsoft Wiki Ninjas blog and a tweet from the Microsoft Wiki Ninjas Twitter account; links will be published in the Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery, or you published a nice blog post, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in July 2019 and must be in English. However, the original blog or forum content can be from before July 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share it is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki under your own specialty category.


How can you win?

  1. Copy or write up your Microsoft technical solutions and revelations on TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed).
  3. (Optional but recommended) Add a link to your article in the TechNet Wiki group on Facebook to get feedback and tips from the council members and from the community. The group is very active and people love to help. You can even get direct improvements to your article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us in the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: The top banner above came from James van den Berg.


Please, if you think your question has been answered, click "Mark as Answer"; if it just helped, click "Vote as helpful". This can be beneficial to other community members reading this forum thread.



MIM Portal - Asks for credentials 3 times and then gives a white page


I can access the MIM portal using the address hostname.domain.com. The portal works fine. But when I try to access the portal with mimportal.domain.com, the browser asks for my credentials 3 times and then returns a blank white screen.

So what is the issue? I have configured a DNS A record for mimportal.domain.com pointing to the MIM portal IP address.

I have not configured Kerberos. I followed this manual to install the portal: http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/

RCDC - display field visible only if user manages the person being visualized


Hi,

I need to make a FIM Portal field visible to a person only if he/she is the manager of the person being viewed.

How can I achieve this?

Thanks,

JD

Update 4.5.286 - error updating Portal


Hi,

I have the MIM Portal installed on a SharePoint farm (portal only; the rest is on separate servers). It is build 4.4.1302.0.

During hotfix installation (4.5.286.0) I'm getting error 1723, about a DLL that could not be run: action DoCheckElevatedPrivileges, library C:\Users\svcsp\AppData\Local\Temp\MSI9E70.tmp

I did check that the account I'm using has all rights on the Temp folder. It is also SharePoint farm admin. I ran setup from an "administrator" cmd.

What else could be the reason?


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

Filter Based Outbound Synchronization Rule not provisioning new Groups


Hi everybody

I'm trying to set up an outbound synchronization rule to provision groups into Active Directory. I'm filtering for <customBooleanAttribute> equal to "true". "Create resource in external system" is true and I have the following flows:

initial: CustomExpression -> dn
member->member
accountName->sAMAccountName
CustomExpression -> groupType

The sync rule syncs already existing groups with new data if I change membership, for example. But newly created groups in the MIM Portal aren't projected into the AD management agent.

Is there anything I might have forgotten about?

Hotfix MIM SP1 ==> 4.5.286.0 to 4.5.412.0 failed DatabaseUpgrade


Hi,

Last August we had a problem with the MIM hotfix to version 4.5.26.0, where sync rules suddenly stopped working properly; see also the forum entry: TechNet Forum Article August 2018: MIM Portal Sync Rules have become orphaned

In the context of a Microsoft ticket we received several fixes for the problem, which were marked as private fixes with the version numbers 4.5.255.0 and 4.5.261.0.

After the problem was resolved, the official public fix with the number 4.5.286.0 was released, which could also be installed cleanly on our environment.

Due to a current problem with multilingualism, we should now update to version 4.5.412.0 on Microsoft's advice.

Unfortunately, the update fails, because the private fixes already contained adjustments that the update script to 4.5.412.0 does not expect, and a database inconsistency exists for the setup.

On environments that did not get the private fixes, the hotfix works fine.

I already found the following inconsistencies:
 - Attributes PageTitle
 - Binding PageTitle ==> Resource Type Description
 - Table sync.ExportTimeOutReached in MIM Database


Are there other forum participants who received 4.5.255.0 or 4.5.261.0 as a private fix and can no longer update one of their environments?

I would be very pleased about feedback, so that we can increase the priority if we get several customers together.

Thank you and greetings Mario from Switzerland

Remove Spaces in MailNicknames/Alias In Exchange Online


Hi everyone,

We have MIM 2016 provisioning our user accounts/email and have run into an issue after migrating to Exchange Online. When creating mailboxes on-prem, Exchange natively removes spaces (which are illegal characters), but Exchange Online does not seem to do/support this, which leads to the system trying to create a mailbox with an alias containing spaces (e.g. john.smith johnson@domain.com vs john.smithjohnson@domain.com). MIM is just calling a PowerShell script from the portal to run Enable-RemoteMailbox on the user's account.

Has anyone else encountered this and, if so, how did they correct it or get around it? My Exchange admin says Exchange Online doesn't support this functionality (I've yet to see any documentation either way, and I don't fully trust him), so I wanted to see if anyone else has dealt with this.


Systems Engineer
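Since the on-prem sanitising step is the part that went missing, the script that MIM calls can compute the alias itself and hand it to Enable-RemoteMailbox explicitly rather than letting the service derive one. The following is an added example, not the poster's script or anything from Microsoft: the permitted character set (letters, digits, '.', '-', '_'), the rule that an alias must not begin or end with a period, and the placeholder routing domain are the author's assumptions; check them against your tenant's alias rules before relying on them.

```powershell
# Added example, not the poster's script. Builds a mailbox alias with the
# characters Exchange Online rejects removed, then passes it explicitly to
# Enable-RemoteMailbox. The permitted character set and the leading/trailing
# period rule are assumptions; adjust them to your tenant's alias policy.
function ConvertTo-SafeAlias {
    param([Parameter(Mandatory)][string]$Candidate)

    # Drop everything outside the permitted set, which removes spaces too.
    $alias = $Candidate -replace '[^A-Za-z0-9._-]', ''

    # Assumed rule: an alias must not begin or end with a period.
    $alias = $alias.Trim('.')

    if ([string]::IsNullOrEmpty($alias)) {
        throw "No valid alias characters left after sanitising '$Candidate'"
    }
    return $alias
}

function Enable-SanitisedRemoteMailbox {
    param(
        [Parameter(Mandatory)][string]$Identity,        # UPN or sAMAccountName of the AD user
        [Parameter(Mandatory)][string]$AliasCandidate,  # value MIM would otherwise pass as the alias
        [Parameter(Mandatory)][string]$RoutingDomain    # e.g. tenant.mail.onmicrosoft.com (placeholder)
    )
    $alias = ConvertTo-SafeAlias -Candidate $AliasCandidate

    # Log what changed so a reviewer can trace the alias back to its source value.
    if ($alias -ne $AliasCandidate) {
        Write-Warning "Alias '$AliasCandidate' sanitised to '$alias' for $Identity"
    }

    # -Alias and -RemoteRoutingAddress are existing Enable-RemoteMailbox parameters.
    Enable-RemoteMailbox -Identity $Identity -Alias $alias -RemoteRoutingAddress "$alias@$RoutingDomain"
}

# Constructed sample matching the failing case in the post ("john.smith johnson").
Enable-SanitisedRemoteMailbox -Identity 'john.smith.johnson@domain.com' `
                              -AliasCandidate 'john.smith johnson' `
                              -RoutingDomain 'tenant.mail.onmicrosoft.com'
```

Because the portal-driven workflow runs this script with whatever the user's attributes contain, the Write-Warning line is worth keeping: it leaves a record of every alias that had to be rewritten, which makes later collisions (two users whose names collapse to the same alias) much easier to explain.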

Hotfix MIM SP1 ==> 4.4.1302.0 to 4.5.412.0 | FIMAutomation with PowerShell Activity from CodePlex generates postprocessingerrors


We updated MIM from 4.4.1302.0 to 4.5.412.0. After that, all our workflows containing PowerShell scripts generate post-processing errors.

We are using the PowerShell Activity from CodePlex to run PowerShell scripts inside the workflows.

I have inspected the problem, and it seems that, for example, this kind of PowerShell script works:

"testing" > c:\temp\MIM_output.txt

But all the workflows containing PowerShell scripts that use these fail:

Add-PSSnapin FIMAutomation 
Import-Module D:\FIMPowerShellModuleV2-1\FimPowerShellModule.psm1

The Add-PSSnapin FIMAutomation section gives this in Event Viewer:

System.InvalidOperationException: Exception of type 'Microsoft.ResourceManagement.Workflow.WorkflowExtensionException' was thrown.
   at FimExtensions.FimActivityLibrary.PowerShellActivity.Execute(ActivityExecutionContext context)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()
I really have no idea what to do next. Can anyone help?




MIM Reporting (SCSM) upgrade


Hi,

One of my customers has had MIM installed for a long time on Windows Server 2012. It is using SCSM 2012 SP1 for the reporting feature. Right now they want to upgrade to the latest MIM hotfix, Windows Server 2016 and SCSM 2016.

With the MIM servers it is easy (we will rebuild them on the new platform, connecting to the same databases). However, there is the question of how to upgrade reporting (move to SCSM 2016) without losing the data. Is there any described migration path? Can we install new servers, connect the old database somehow and have it updated automatically?


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

Temporary Sign In


Opened my HP this morning and it asked for my PIN to sign in as usual. After signing in it tells me I need a new HP Event Utility app and am being signed in with a temporary account. Tried opening the Microsoft app store to get the new app, but it's not functioning. What do I do?

RCDC - Control Visibility depending on two non boolean attributes


Hi,

I have used a boolean field before to set the visibility of a control, e.g.:

my:Visible="{Binding Source=object, Path=isMyVisibleAttrib, Mode=TwoWay}"

But now I need to do the same thing depending on two non-boolean attributes, and I really would like to avoid creating a new, third attribute to represent the logical value of those two attributes (and avoid all the MPRs/WFs required to keep the values accurate).

Any suggestion?

Many thanks,

JD


Scaling out MIMService


Hi, 

Does anyone have a good article/blog they're willing to share when it comes to best/preferred practices, "do's" and "don'ts", "gotchas" and the like for scaling out MIM?


Andreas Hultgren, MCTS, MCITP, http://ahultgren.blogspot.com/

HOW to configure MIM 2016 Password Reset to enforce AD Password Policy?


I am looking at the article https://support.microsoft.com/en-us/kb/2443871

"FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies"

It seems I need to set a registry key. The [FIM] documentation says:

Registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
Registry value name: ADMAEnforcePasswordPolicy
Values: dword
Class: HKLM
Created by: Admin
Explain: 1 = true, everything else is false

Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.

Note:

This setting is only supported on FIM build version 4.0.3561.2 and later versions.

Note:

This is only supported where the domain controller is as follows:
· Windows Server 2008 R2 with KB2386717
· Windows Server 2008 R2 SP1
· Windows Server 2008 with KB2386717

Our Windows 2008 domain controllers are patched. ldp.exe works over SSL. I have MIM version 4.3.2266.0.

BUT I cannot locate that registry key under SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters

What must I do for MIM 2016 to enforce the AD password policy? Testers complain that SSPR works but allows old passwords.
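The KB text quoted above describes a per-MA value under the sync service's Parameters key, and the poster cannot find it. The following is an added example, not from the KB article or from Microsoft: it reads the value for a named AD management agent and creates it when absent. That the PerMAInstance\<ma name> subkeys are not created by setup and have to be added by hand, that the sync service must be restarted to pick the value up, and the 'ADMA' name are the author's assumptions; the key path and value name are the ones quoted in the post.

```powershell
# Added example, not from the KB article. Reads or sets ADMAEnforcePasswordPolicy
# for one AD management agent. The key path and value name are the ones quoted
# in the post; that the PerMAInstance\<ma name> subkeys must be created by hand
# and that a service restart is needed afterwards are assumptions.
function Get-AdmaEnforcePasswordPolicy {
    param([Parameter(Mandatory)][string]$MaName)
    $maKey = "HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\$MaName"
    if (-not (Test-Path $maKey)) { return $null }   # key absent: policy not enforced
    $item = Get-ItemProperty -Path $maKey -Name 'ADMAEnforcePasswordPolicy' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ADMAEnforcePasswordPolicy
}

function Set-AdmaEnforcePasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$MaName,   # display name of the AD MA, e.g. 'ADMA' (placeholder)
        [ValidateSet(0, 1)][int]$Value = 1        # 1 = enforce; anything else is treated as false
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
    if (-not (Test-Path $base)) {
        throw "Sync service Parameters key not found at $base; is this the sync server?"
    }
    $maKey = Join-Path (Join-Path $base 'PerMAInstance') $MaName
    if (-not (Test-Path $maKey)) {
        # Assumption: setup does not create these subkeys, so create them here.
        New-Item -Path $maKey -Force | Out-Null
    }
    New-ItemProperty -Path $maKey -Name 'ADMAEnforcePasswordPolicy' -PropertyType DWord -Value $Value -Force | Out-Null
    return Get-AdmaEnforcePasswordPolicy -MaName $MaName
}

# Usage (run elevated on the synchronization server):
$before = Get-AdmaEnforcePasswordPolicy -MaName 'ADMA'
Write-Host "Before: $(if ($null -eq $before) { '<not set>' } else { $before })"
$after = Set-AdmaEnforcePasswordPolicy -MaName 'ADMA' -Value 1
Write-Host "After: $after"

# Assumption: the sync service reads its Parameters at start-up.
Restart-Service -Name FIMSynchronizationService
```

Keep Get-AdmaEnforcePasswordPolicy in whatever configuration check you already run against the sync server: an absent key silently means "not enforced", which is exactly the state the testers are reporting, so it is worth alerting on rather than discovering by hand.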
