Channel: Forum Microsoft Identity Manager
Viewing all 6657 articles

Web Service MA with TLS and client certificate


Hi!

I've been struggling with the MIM Sync 'Web Service' MA for weeks. The config tool for web services is able to connect to our web service successfully, but when I try to create an MA for it, it fails to connect. The only relevant error message is from SChannel, which says it received a fatal alert from the endpoint (code 40, handshake failed). By increasing the SChannel logging we also get a warning stating that it did not find a suitable client cert and attempts to connect without any (EventID 36875).

I've been following this wiki for instructions on setting up the MA. One of the things I cannot understand is that there is no mention of which certificate is going to be used when creating the actual MA. In the config tool I get to specify the store and name of the certificate, but not when creating the MA in MIM Sync:

  • Under Connectivity there's only the config-file, server and port.
  • Under Global Params, there's only username and password:

This is with the latest connectors from MS (1.1.953.0), and tested in three different environments on MIM 2016 SP1 (4.4.1642, 4.5.34) and SP2. The OSes are Win2012R2 or Win2016.

Any input would be greatly appreciated, as I'm all out of ideas...
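The SChannel warning quoted in the post (no suitable client certificate found, EventID 36875) is raised when none of the certificates in the store meet SChannel's requirements for a TLS client certificate. The following PowerShell is an added diagnostic, not code from the poster or from the MIM connector, that lists the candidates in LocalMachine\My and reports why each one would be skipped: missing private key, an EKU that excludes Client Authentication, validity period, or a chain that does not build on this machine. The subject filter is a placeholder to replace with the real certificate's subject.

```powershell
# Added example (not from the original post): show which certificates in
# LocalMachine\My SChannel could offer as a TLS client certificate, and why
# the others would be rejected.
# Assumptions: the MA runs under an account that reads LocalMachine\My, and
# $SubjectFilter is a placeholder for the real certificate's subject.

$SubjectFilter = "CN=mim-ws-client"   # placeholder subject, replace with yours
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $reasons = @()

    # SChannel can only present a certificate whose private key is available.
    if (-not $Cert.HasPrivateKey) { $reasons += "no private key" }

    # If an EKU extension is present it must include Client Authentication;
    # a certificate without any EKU extension is usable for any purpose.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
        $reasons += "EKU present but lacks Client Authentication"
    }

    $now = Get-Date
    if ($Cert.NotAfter  -lt $now) { $reasons += "expired $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $reasons += "not yet valid (from $($Cert.NotBefore))" }

    # Build the chain against this machine's trust store; a chain that does
    # not build here is also unlikely to be accepted by the remote endpoint.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $reasons += "chain does not build: $status"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join "; ")
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectFilter*" } |
    ForEach-Object { Test-ClientAuthCertificate -Cert $_ } |
    Format-Table -AutoSize
```

Run it in an elevated session on the sync server. A certificate that reports Usable = True can still be skipped at run time if the private key's ACL does not grant read access to the account the sync service runs as; that permission is set per key (Manage Private Keys in the certificate MMC) and is not visible from the properties this script reads.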



FIM WebService Connector


Hi

I'm struggling with the FIM Web Service connector in different areas that I need some help with.

For starters, I just want to let you know that I've worked a great deal with the connector, and learned how to cope with most of the shortcomings and quirks. My work has mostly been for on-premise tasks, i.e. connecting to other on-premise systems.

Now I am trying to connect to a Web service over the Internet, hence the security setup is significantly different from what I am used to in conjunction with the Web Service Connector.

In this case the web service is HTTPS-based and also requires a client certificate for authentication.

The client certificate part is actually not a problem as the connector supports authenticating using client certificates natively and it works like a charm.

My problems seem to be around using an HTTPS-based web service, and also that the web service presents itself as supporting both soap and soap12 requests. When I add the web service to the Web Service Configuration Tool, I receive a warning telling me that one of my endpoints has an unsupported (custom) binding that is not a basic HTTP binding. I actually discover two endpoints that seem alike, but the failing one is based on soap12. I am not able to remove the failing endpoint within the Web Service Configuration Tool, and successive attempts to configure a Management Agent in FIM Sync Manager using this Web Service Project fail because unsupported bindings are used.

According to the hotfix update 1.0.419.911 for the FIM WebService Connector - this update should address certain limitations towards custom bindings, so I tried to implement this update.

But this gave another headache: after updating the Web Service Connector (actually uninstalling the old one and installing the new one, as there seem to be some versioning mishaps) I am not able to start the Web Service Configuration Console, as I am presented with the following error:

---

Error occurred while running the tool

Could not load file or assembly 'Microsoft.MetaDirectoryServicesEx,Version=4.1.2.0...etc...

---

The error is: Strong name validation failed.

I've tried several things to address the issue, i.e.:

 - Copying the Microsoft.MetaDirectoryServicesEx.dll file from another folder to the UIShell\Web Service Configuration folder, as the versions were not alike - resulted in manifest problems.

 - Turning off Strong Name Checking for the library in question - the Web Config tool was able to start but crashed when used.

 - Upgraded to newest build of FIM Sync (4.1.3559) - still not working.

So - my actual questions are:

 - Does the FIM Web Service Connector support accessing web services that are HTTPS-based in either the old (5.3.407.0) version or the new one (hotfix update 1.0.419.911)?

 - What about soap12?

 - Did anyone succeed in implementing the new Web Service Connector update?

 - Any hints on solving the problem I encountered with the Web Service Connector?

Any input highly appreciated.

Best regards

Søren


Need to store Binary in string attribute


Hello,

I have a binary attribute in Active Directory 1 that needs to be stored in another attribute in Active Directory 2. The problem is that when I tried to store it in MIM, the flow didn't accept flowing from binary to string in the MIM metaverse, and when I converted the attribute to binary in the MIM metaverse I couldn't flow it to AD2. What is the solution in that situation?


Unable to get to MIM portal


Hi

I have followed the Microsoft online instructions to set up a test network with ADDS, MIM Sync Server, MIM Service Server, Exchange, SQL and SharePoint (just Google "Set up an identity management server: SharePoint").

After having completed the SharePoint configuration and trying to connect to the MIM portal, it fails.

All I get is the default IIS landing page.

When I look in the SharePoint Admin page, the MIM Portal site exists but I cannot get to it or load it.

I have no clue how to troubleshoot this or how to move forward.

In short, I am stuck.

Can anyone provide hints of what I should look at?

I tried to connect to the portal using the A-record "mim.mytestdomain.com" as well as the IP address of the SharePoint server, but still I only get the default, generic landing page.

I tried to delete the Default website as well, as both that and the MIM portal were configured with a binding on port 80, but that did not help either.

Grateful for input.

Regards

R.

Advanced Criteria Based on Date/TimeStamp For Set fails


I want to run a PowerShell script which provisions the remote Exchange mailbox by running some commands. This can be achieved through an MPR, Set and workflow. The users created from the MIM portal take some time to sync to Azure AD, and only after that can we provision the mailbox. So I want to create a Set of users who have been created 3 hours prior and also not before 12 hours.

Created a set with Advanced filter criteria but it fails.

<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(CreatedTime &gt; op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('PT3H'))) and (CreatedTime &lt; op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('PT12H')))]</Filter>

This works fine in a search scope but fails in the Set advanced filter. Can anyone help in this regard, or suggest a better way to provision the Exchange mailbox only after the user has synced to Azure, as it sometimes takes a while for the user to sync to Azure?

OMG, I can't believe this happened

OK, so here we go. My wife switched me out of Outlook and put herself in my spot as the primary alias on my email account. The problem here is I just lost my Google password, and now she has my email account and I'm in big trouble, because Google is now saying they have no way to prove I'm the owner of my account. Please, I need help.

[MIMPAM] : Sync users without Sync Engine

Hello all,

This is a straightforward question about MIM Sync. Is there a way to sync/bulk create users in MIM 2016 without using MIM Sync?


Thanks in advance :)

Windows Auto Pilot for workgroup or non domain joined machine


Hi,

Is there a way to carry out Windows Autopilot without joining AAD, yet auto-enrolling in Intune?

If the above is possible, then how does Windows get activated?

Best regards


Bulk update of SG using a CSV


Hello!!

I imported 2000 groups from my production AD and I need to set those groups as criteria-based groups.
The problem is how to convert all the groups to criteria-based and do a bulk upload of different criteria for the existing groups.

Searching in the ScriptBox, I found these two scripts:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/c124a548-7013-405a-bce3-457c4dced8f3
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/ac451c42-337a-4396-ad06-ce2a36e8001f

I have already mapped all the criteria in Excel, but I don't have enough knowledge of PowerShell to merge the scripts.

Can someone help me?

Thanks in advance,

Diego Shimohama


- Diego Shimohama http://www.dshimo.com.br

Using PowerShell to turn static groups into dynamic groups

Summary

This script transforms static groups into dynamic groups. The script reads a tab-delimited CSV file, "MyFile.csv", to identify the static groups to modify into dynamic groups. The CSV file contains DisplayName-Filter pairs. The script looks up each group by DisplayName, removes all its explicit members, and sets the appropriate attributes to make the group dynamic.

 

if (@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0)
{
 Add-PSSnapIn FIMAutomation
}

function GenerateFilter
{
 PARAM ($xpathFilter)
 END
 {    
  return "<Filter xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" Dialect=`"http://schemas.microsoft.com/2006/11/XPathFilterDialect`" xmlns=`"http://schemas.xmlsoap.org/ws/2004/09/enumeration`">" + $xpathFilter + "</Filter>"
 }
}

function CreateImportChange
{
 PARAM($AttributeName, $AttributeValue, $Operation)
 END
 {
  $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
  $importChange.Operation = $Operation
  $importChange.AttributeName = $AttributeName
  $importChange.AttributeValue = $AttributeValue
  $importChange.FullyResolved = 1
  $importChange.Locale = "Invariant"
  return $importChange
 }
}

function GetAttributeValueFromResource
{
 PARAM ($exportObject, $attributeName)
 END
 {
  foreach ($attribute in $exportObject.ResourceManagementObject.ResourceManagementAttributes)
  {    
   if($attribute.AttributeName.Equals($attributeName))
   {
    if ($attribute.IsMultiValue)
    {
     return $attribute.Values
    }
    else
    {
     return $attribute.Value
    }
   }
   
  }
  return $null
 }
}

$csv = Import-Csv -Delimiter "`t" -Header "GroupName","Filter" "MyFile.csv"

foreach ($entry in $csv)
{
 $myGroupName=$entry.GroupName
 $myFilter = $entry.Filter

 $group = Export-FIMConfig -customConfig "/Group[DisplayName='$myGroupName']" -onlyBaseResources
 if ($group -eq $NULL) #if group doesn't exist, continue
 {
  continue
 }
 $filter = GenerateFilter -xpathFilter $myFilter

 #construct the web service operation
 $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
 #the object type is Group
 $importObject.ObjectType = "Group"
 #we are modifying the group we've identified above
 $importObject.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
 $importObject.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
 #Put operation is enum 1
 $importObject.State = 1

 #construct the operation to Replace filter, Replace attribute operation is enum 1
 $importObject.Changes += CreateImportChange -attributeName "Filter" -attributeValue $filter -operation 1

 #construct the operation to change membership add workflow to None. Replace attribute operation is enum 1
 $importObject.Changes += CreateImportChange -attributeName "MembershipAddWorkflow" -attributeValue "None" -operation 1

 #construct the operation to change membership locked to True. Replace attribute operation is enum 1
 $importObject.Changes += CreateImportChange -attributeName "MembershipLocked" -attributeValue "True" -operation 1

 #construct the operations to remove explicit members. Remove attribute operation is enum 2

 $explicitMembers = GetAttributeValueFromResource -exportObject $group -attributeName "ExplicitMember"
 if ($explicitMembers -ne $NULL)
 {
  foreach ($explicitMember in $explicitMembers)
  {
   $importObject.Changes += CreateImportChange -attributeName "ExplicitMember" -attributeValue $explicitMember -Operation 2
  }
 }
 #Import-FIMConfig returns the import objects that could not be applied
 $undone = $importObject | Import-FIMConfig
 if (@($undone).Count -gt 0)
 {
  Write-Warning "Update of group '$myGroupName' was not applied."
 }
}

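Because the conversion script above replaces each group's Filter and removes every explicit member in one Put, a typo in the CSV (a wrong DisplayName, or an XPath filter the FIM Service rejects or that matches nothing) is only discovered after the group has already been emptied. The following PowerShell is an added, read-only pre-flight check, not part of the posted script: it reads the same tab-delimited GroupName/Filter file, confirms each group exists, asks the FIM Service to evaluate the bare XPath filter with Export-FIMConfig, and reports the current match count. It assumes the FIMAutomation snap-in is available and that the service surfaces a rejected filter as a cmdlet error that -ErrorAction Stop turns into an exception.

```powershell
# Added example (not part of the posted script): validate MyFile.csv before
# converting any group. Nothing is written to the FIM Service.
# Assumptions: FIMAutomation snap-in present; an invalid XPath filter makes
# Export-FIMConfig raise an error.

if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}

$CsvPath = "MyFile.csv"   # same layout as the conversion script: GroupName<TAB>Filter

function Test-GroupFilterRow {
    param([string]$GroupName, [string]$Filter)

    $result = [ordered]@{
        GroupName   = $GroupName
        GroupFound  = $false
        FilterValid = $false
        MatchCount  = 0
        Error       = ""
    }

    try {
        # Same lookup the conversion script performs, by DisplayName.
        $group = Export-FIMConfig -CustomConfig "/Group[DisplayName='$GroupName']" `
                                  -OnlyBaseResources -ErrorAction Stop
        if ($group -eq $null) {
            $result.Error = "group not found"
            return [pscustomobject]$result
        }
        $result.GroupFound = $true

        # Let the service evaluate the bare XPath exactly as it will once it
        # becomes the group's Filter; count what it matches today.
        $hits = @(Export-FIMConfig -CustomConfig $Filter -OnlyBaseResources -ErrorAction Stop)
        $result.FilterValid = $true
        $result.MatchCount  = $hits.Count
    }
    catch {
        # Rejected filter, unreachable service, or malformed DisplayName.
        $result.Error = $_.Exception.Message
    }
    return [pscustomobject]$result
}

$rows   = Import-Csv -Delimiter "`t" -Header "GroupName","Filter" -Path $CsvPath
$report = foreach ($row in $rows) {
    Test-GroupFilterRow -GroupName $row.GroupName -Filter $row.Filter
}

$report | Format-Table -AutoSize

# Rows to fix before running the conversion: unknown group, rejected filter,
# or a filter that currently matches nothing (the group would end up empty).
$broken = @($report | Where-Object { -not $_.GroupFound -or -not $_.FilterValid -or $_.MatchCount -eq 0 })
if ($broken.Count -gt 0) {
    Write-Warning ("{0} row(s) need attention before converting any group." -f $broken.Count)
    $broken | Format-Table GroupName, GroupFound, FilterValid, MatchCount, Error -AutoSize
}
```

A zero match count is reported as a problem deliberately: once the conversion script has removed the explicit members, a filter that matches nothing leaves the group with no members at all, so it is worth confirming such rows are intended before running the conversion.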

Group Administrators - Group management


Dear All,

When a portal admin/group admin tries to add members to groups they do not own, a pending approval is triggered to the owners.

How can users be added to any group using GroupAdmin/PortalAdmin without triggering an approval request, i.e. full control over all groups?

PAM Sample Portal Status code: 406. Error: Not Acceptable.


I installed MIM 2016 SP2 Server in privOnly mode with the PAM feature, and have the following error when deploying the PAM Sample portal.

Oops! Something went wrong. The ajax calls failed, please contact your administrator.
Status code: 406.
Error: Not Acceptable

When testing with http://mydomain.local:port/api/pamresources/pamroles I get the following error:

406 - Client browser does not accept the MIME type of the requested page.


So if I understand the error, it seems that the server is sending some information that the browser cannot parse, which is strange since I took the exact files from the src folder on GitHub.

Can someone help resolve this issue?


Thanks in advance.

Missing connector in User profile.


Recently two of my Connectors (MAs) do not show as a link for a user. How do I troubleshoot this, and why would a user lose a connector?




AD MA not importing everything to connector space


I'm completely new to MIM 2016, so I've probably overlooked something. I've created a user in AD in a container called Sandbox, using a Ruby script. Scripts that connect to AD can authenticate the user, so it's all fine.

When I do a full import on the AD MA that manages the same AD that contains the user, the user is not imported. Lots of other users are not imported either. Searching the connector space doesn't find them after a full import. All the objects that have been imported are also marked as Pending Import, which seems odd, as they have been imported so can't be pending.

I would have expected all objects in AD to have been imported (as per the training I've been on). I understand filtering on syncing to restrict what goes into the metaverse but I was told MIM will import everything to the connector space. It doesn't in this case.

Would there be something I'm missing that would mean lots of users in various containers are not imported to the connector space?

thanks,

Alistair

MIM to SCSM Incident manager connectivity


Hello All, 

I need some help with connectivity from MIM to SCSM Incident Manager. I've only gone through some articles, and all of them redirect me towards data warehousing. Can someone help me understand how I can connect with SCSM Incident Manager?

Any help is highly appreciated. 


MIM with AD root child forest


Is there a way to get MIM working with an AD root/child forest? The AD MA is pointing at the 'root', which only ever returns a specific AD server that can only see a very limited area of the tree. So MIM cannot see 98% of the tree. Is there a solution for a root/child forest?

thanks,

Alistair

MIM service SSL certificate Expired


Dear All,

The certificate used for the MIM Service has expired. How do I renew it or use another certificate for the MIM Service?

Thanks,

Shashidhar

MIM Service repair


Dear All,

What happens when we run Repair? Does it repair the DB, program files, etc.?

Thanks,

Shashidhar

Edit wireless connection while offline


Hello

*sorry if section is not the correct one*

I would like to know if there's a way to edit wireless connection details even if I'm not currently connected to that network.

Is it possible to do this using the command line (also in admin mode)?

Thx

Prevent Deletion by Connector Space

I have a CS that deletes records from SQL on SQL export if the status is INACTIVE. The issue is that once the record is re-created with status ACTIVE, the connector space still deletes the record. Why is this so?