MIM 2016 - Errors 3001, 3004. Cannot use passwordreset or passwordregistration portals.

November 20, 2019, 4:56 am

≫ Next: Detecting Sync type in Extension code

≪ Previous: MIM 2016 GAL Sync - Contacts not created

Good day everyone.

I am stuck on the password reset and password registration portals with the 3001 and 3004 error codes coming up.

I followed the standard deployment documentation for deploying MIM 2016 (on server 2016, with SQL2016 and SharePoint 2016 installations), but get stuck on this.

To summarise some steps:

* I've gone into MIM and checked the MPRs (user and general);

* Added the Authn work flows;

* Created test users that are AD accounts;

* Checked the created users extended attributes - the ResourceID was not exportable so according to an article that means it wasn't populated - I used a hex editor to manually create it, cross-referencing in the metaverse properties, and output seems fine;

* Checked IIS for the application pools for FIMPasswordReset and FIMPasswordRegistration - both are started and use the same service account (in this case svc-MIMpool);

* The AD account is unlocked and password verified as well as credentials confirmed;

* I've gone into SharePoint and added the domain users as a group with read permissions for the site.

There were some scripts for fixing the objectSID but I did not come right with them. Probably running incorrectly (saved as .vbs but when run gave errors in code) and tried in command prompt but could not determine output (screen closed).

I do not know what flow and precedence is or how to set them.

I checked the metaverse and users are in there, and the test account I referenced the same objectSID I manually created in MIM.

Any help would be appreciated.

Kindest regards

Darren

↧

Detecting Sync type in Extension code

December 20, 2019, 5:17 am

≫ Next: ADFS PHP application

≪ Previous: MIM 2016 - Errors 3001, 3004. Cannot use passwordreset or passwordregistration portals.

I have C# extension code for MapAttributesForExport in one of my MA’s. I want it to work differently depending on whether it is being called from a Delta Sync or a Full Sync. Is there a way of having the code detect which flavor of Sync is being run?

Thanks

↧

ADFS PHP application

December 22, 2019, 10:25 pm

≫ Next: ADMA Export Error -permission issue

≪ Previous: Detecting Sync type in Extension code

Hi Friends,

We have created ADFS setup to publish an internal(intra-app) application to external world. The application is php build running on nginx webserver. How to add this php application to relying party? Has anybody done this already? Can you please share some guidelines?

Can it be treated as claim aware or non-acclaim aware application? Is there anything to do on the application part to get the link or *.xml file to import to relying party?

We have a plan to setup the adfs WAP just once we get the app logged in from intranet. Hope it is fine.

Any help would be highly appreciated here

Thanks,

Subhas Roy

↧

ADMA Export Error -permission issue

October 11, 2017, 9:26 am

≫ Next: How to Integration MIM 2016 with Azure MFA after depreciation MFA Server and SDK

≪ Previous: ADFS PHP application

Dear All,

Getting following error on ADMA Export. ADMA account is a member of Domain Admins & Enterprise admins

I look at the details, I see in the Connected data source error "Access Denied"

Please help!

↧

How to Integration MIM 2016 with Azure MFA after depreciation MFA Server and SDK

January 1, 2020, 1:32 am

≫ Next: FIM Service request stuck in post processing

≪ Previous: ADMA Export Error -permission issue

Hi All,

Happy New Year

How to Integration MIM 2016 on-premises with Azure MFA after depreciation MFA Server and SDK.

Is the following steps still valid?

Create an MFA provider.
Open a support case and request the direct SDK for ASP.net 2.0 C#. The SDK will only be provided to current users of MIM with MFA because the direct SDK has been deprecated. New customers should adopt the next version of MIM that will integrate with MFA server.
Copy the resulting ZIP file to each system where MIM Service is installed. Please be aware that the ZIP file contains keying material which is used to authenticate to the Azure MFA service.

Regards,

↧

FIM Service request stuck in post processing

January 2, 2020, 5:37 am

≫ Next: Do you want to be acknowledged as Microsoft Forefront Identity Manager Guru? Submit your work to January 2020 competition!

≪ Previous: How to Integration MIM 2016 with Azure MFA after depreciation MFA Server and SDK

Dear All,

from past few days, FIM Service requests stuck in post processing. when i restart the services,it starts working.

What will be the cause. Need your help!

Thanks in Advance,

Shashidhar Joliholi

↧

Do you want to be acknowledged as Microsoft Forefront Identity Manager Guru? Submit your work to January 2020 competition!

January 2, 2020, 10:57 am

≫ Next: exporting user Accountname using MIMMA dn's

≪ Previous: FIM Service request stuck in post processing

What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in January 2020 and must be in English. However, the original blog or forum content can be from beforeJanuary 2020.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!

Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.

How can you win?

Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
(Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Syed Shanu.

Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answeror vote as Helpful.

My blog | Twitter | LinkedIn

↧

exporting user Accountname using MIMMA dn's

January 2, 2020, 9:09 pm

≫ Next: User is not allowed to access application Azure Portal due to Legal Age Group Requirement

≪ Previous: Do you want to be acknowledged as Microsoft Forefront Identity Manager Guru? Submit your work to January 2020 competition!

Dear Team,

We need to export changes happens in the MIM portal. we exported MIMMA pending report. the reference dn will be in Hexa value. How to use the dn value to get Users AccountName?

Need your Help!

Thanks in Advance,

Shashidhar

↧

User is not allowed to access application Azure Portal due to Legal Age Group Requirement

December 8, 2019, 4:20 pm

≫ Next: Unable to login remotely even after giving 'RemoteDesktopUser' access

≪ Previous: exporting user Accountname using MIMMA dn's

I chose by mistake in Azure Portal administrators profile MINOR, not ADULT! (that was very silly)

Now I cannot sign in and can't i get support services etc, DO NOTHIG

In sign in process I get this error message: AADSTS54000: User is not allowed to access application Azure Portal due to Legal Age Group Requirement of application Windows Azure Service Management API.

Can anyone help me?

Please!

I chose by mistake

↧

Unable to login remotely even after giving 'RemoteDesktopUser' access

January 7, 2020, 9:28 am

≫ Next: PAM Sample Portal Status code: 406. Error: Not Acceptable.

≪ Previous: User is not allowed to access application Azure Portal due to Legal Age Group Requirement

I've provisioned RemoteDesktopUser access to 'User1' to login to Domain joined machine (Machine1). It was not working until I manually added user1 in Machine1-System-Remote Settings.

Operating System : Windows Server 2019

Any user with RemoteDesktopUser access used to be able to login remotely in previous Operating Systems. Is this a new feature or is there anything I missed?

↧

PAM Sample Portal Status code: 406. Error: Not Acceptable.

January 8, 2020, 6:26 am

≫ Next: Retention period of the approval or deny request for the user in FIM portal by default

≪ Previous: Unable to login remotely even after giving 'RemoteDesktopUser' access

I installed MIM 2016 SP2 Server in privOnly mode, with PAM feature and have the following error when deploying the PAM Sample portal.

Oops! Something went wrong. The ajax calls failed, please contact your administrator.
Status code: 406.
Error: Not Acceptable

When testing with http://mydomain.local:port/api/pamresources/pamroles I got the following error :

406 - Client browser does not accept the MIME type of the requested page.

So if I understand the error, it seems that the server is sending some information that the browser cannot parse, which is strange since I took the the exact files in the src folder in github .

Can someone help to resolve this issue ?

Thanks in advance.

↧

Retention period of the approval or deny request for the user in FIM portal by default

January 8, 2020, 5:12 pm

≫ Next: Enforcing UsageKeywords in RCDC

≪ Previous: PAM Sample Portal Status code: 406. Error: Not Acceptable.

Hello All,

What is the retention period of approval or deny request for the user in FIM portal by default

The requirement is to understand , the end user sees the request in his approval in FIM portal, which has been already been approved by the FIM admin.

Kindly let me know, where i need to check and for what duration of time, the end user can see it in the FIM portal. Is there any time line by which the end user will no longer see it.

Thanks,
AllStair

↧

Enforcing UsageKeywords in RCDC

January 9, 2020, 3:19 am

≫ Next: Problem: ECMA 2.2 custom agent multiple object types

≪ Previous: Retention period of the approval or deny request for the user in FIM portal by default

Hi.

I have a UocIdentityPicker in a RCDC, where i want to show only a subset of a resource type.

When using the browse functionality it works fine, by only showing items in the SearchScope chosen by the UsageKeywords section.

But when using the resolve box, it can find resorces outside the SearchScope.

It is a Resourcetype with plus 10000 items, so I don't want to use the Filter option.

Is there a way to enforce the SearchScope defined in the UsageKeywords, when using the resolve button?

Thanks,

Søren

↧

Problem: ECMA 2.2 custom agent multiple object types

January 9, 2020, 12:07 pm

≫ Next: ADFS-Proxy Issue while connecting to ADFS Farm

≪ Previous: Enforcing UsageKeywords in RCDC

I am having a wired problem with importing data using a custom agent that integrates with Dynamics 365 (on prem)

My issue is with the import process. The code imports users and business roles. The code is below. When I run the Import profile, the Sync manager shows users got imported and not roles. When I debug the code, importReturnInfo shows both users and roles but Sync manager and agent's CS only show users.

Here is another confusing part. I tried to process the roles before the users in the GetImportEntries. It worked and the Sync manager is importing both rules and users. However, when I delete any role from Dynamics, the sync engine doesn't recognize the deleted role. Any idea what I am missing? Thanks

    public GetImportEntriesResults GetImportEntries(GetImportEntriesRunStep importRunStep)
        {

            DynamicsUserProfileQueryResult dynamicsUserProfileQueryResult = new DynamicsUserProfileQueryResult();
            List<CSEntryChange> csentries = new List<CSEntryChange>();
            GetImportEntriesResults importReturnInfo;


            if (personMoreToImport)
            {

                dynamicsUserProfileQueryResult = Connector.GetDynamicsUsers(ImportPageSize, userPageNumber);

                userPageNumber++;
                personMoreToImport = dynamicsUserProfileQueryResult.QueryPagingCookie != null;
                ProcessImportedDynamicsUsers(dynamicsUserProfileQueryResult, csentries);

            }


            //if we try to add users first, roles are not being added for some reason
            if (rolesMoreToImport)
            {
                var businessRoles = ImportBusinessRoles();
                foreach (var businessRole in businessRoles)
                {
                    CSEntryChange entry = CSEntryChange.Create();
                    entry.ObjectModificationType = ObjectModificationType.Add;
                    entry.ObjectType = BusinessRole;

                    if (businessRole.RoleId.HasValue)
                        entry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("RoleId", businessRole.RoleId.ToString()));
                    if (!String.IsNullOrWhiteSpace(businessRole.RoleText))
                        entry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("RoleName", businessRole.RoleText));

                    entry.DN = String.Format("CN={0},O=Role", businessRole.RoleText);


                    csentries.Add(entry);
                }
                rolesMoreToImport = false;

            }

            importReturnInfo = new GetImportEntriesResults()
            {
                MoreToImport = rolesMoreToImport,
                CSEntries = csentries
            };
            return importReturnInfo;


        }

Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

Blog: http://lajak.wordpress.com

Twitter: ahmedalasaad

↧

ADFS-Proxy Issue while connecting to ADFS Farm

January 10, 2020, 3:31 pm

≫ Next: Session ID Issue with SAML Authentication for Azure AD

≪ Previous: Problem: ECMA 2.2 custom agent multiple object types

Team

We are unable to connect ADFS proxy server to ADFS farm.

the error code we get is Event ID 393.

Please suggest us asap

Dinesh Mishra

↧

Session ID Issue with SAML Authentication for Azure AD

January 11, 2020, 1:58 am

≫ Next: Do I need to make the machine Join in Domain?

≪ Previous: ADFS-Proxy Issue while connecting to ADFS Farm

We are facing issue in case of SAML Authentication for Azure AD using Session Object earlier the same solution was working. Session Object is getting killed (abandoned ) while getting response fromAzure authentication (SAML). Once we got the response from Azure,Application Session Object was used to validate the Local Authentication and Authorization.

↧

Do I need to make the machine Join in Domain?

January 13, 2020, 6:49 am

≫ Next: FIM portal, is there a way to show the last modified date of the system?

≪ Previous: Session ID Issue with SAML Authentication for Azure AD

I have couple of guest users wanted to login to our Domain.

I have created user accounts for them, but still unable to login.

Do I need to make their machine Join in Domain? If yes, any alternate method available?

↧

FIM portal, is there a way to show the last modified date of the system?

January 13, 2020, 8:01 am

≫ Next: Approval on EMAIL

≪ Previous: Do I need to make the machine Join in Domain?

In the FIM Portal is there a way to show the last modified date of the system? For instance, if a version upgraded recently occurred, the screenshot would show the new version that the system is running and show the date that the version changed.

↧

Approval on EMAIL

January 13, 2020, 8:28 am

≫ Next: Scripting un-approval of user and re-approval of user

≪ Previous: FIM portal, is there a way to show the last modified date of the system?

Hi All,

I have to provide AD account date extensions based on the approvals. I am not able to find much documents/blog which can help in securing approval over emails. If i can send a mail with Approved/Rejected with Notes field in a mail and then call a workflow with will add some days to the expiry date and sync with AD this will complete the usecase. Can anyone help in this regards or help how approvals can be secured over mail.

↧

Scripting un-approval of user and re-approval of user

January 15, 2020, 7:07 am

≫ Next: Web Service MA with TLS and client certificate

≪ Previous: Approval on EMAIL

An account which I work on have found differences between between data flowing from the active directory and the replica.

I have found by un-approving the user, running a sync, re-approving the user and syncing again rectifies the discrepancies.

I would like to script this using powershell but don't know the details to implement this.

I was hoping that someone here may be able to point me in the right direction. If anyone can detail the method to do this then I may be able to produce a script to make the necessary changes.

Thank you in advance.

↧