Hotmail to Outlook live migration question about MX record

December 7, 2011, 7:04 pm

≫ Next: FIM Password Registration Portal - Error 3008 - Communication Error.

≪ Previous: Prevent Deletion by Connector Space

Hi,

One of the steps mentioned during the migration from hotmail to outlook live is this:

Edit the MX record for the domain

Sign in to the domain management tool at the DNS hosting service for your domain.
Remove the Hotmail MX record.
Add an MX Record for <token>.mail.Outlook.com and set it to the highest priority.
Note If you have a third-party MX record, in the Service Management Portal Migration page, click Refresh. Once the removal of the Hotmail MX record is detected, click Skip MX Check.

What must the <token> be in the <token>.mail.Outlook.com namespace?

thanks,

↧

FIM Password Registration Portal - Error 3008 - Communication Error.

July 10, 2013, 11:09 am

≫ Next: SSPR registration and reset started to fail after renewing the certificates

≪ Previous: Hotmail to Outlook live migration question about MX record

I am having a problem registering on the Password Registration Portal. I can login and proceed to answer the security questions. When i click next after answering all the questions I get an error on browser

An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)

3 events are also logged in the Event Viewer on the Portal Server. (SEE BELOW)

I am able to connect to the fimservice2 from browser on Portal server using the URLs : http://fimservice2.idmad.lab:5725 and http://fimservice2.idmad.lab:5726. So I think its not network or firewall problem. I have included the relevant information below. Please let me know if you need any more information.

Environment :

Windows Server 2012 , FIM 2010 R2 SP1, Sharepoint 2013 Foundation.

FIM Portal, Password Registration and Reset portals are all on a separate server than FIM Service. FIM Portal is working fine.

SPNS:

CN=FIM PWService,OU=FimServiceAccounts,OU=FIMAdmin,OU=FimLab2,DC=idmad,DC=lab

HTTP/fimreset
HTTP/fimreset.idmad.lab
HTTP/fimreg.idmad.lab
HTTP/fimreg
-----------
CN=FIM Service,OU=FimServiceAccounts,OU=FIMAdmin,OU=FimLab2,DC=idmad,DC=lab

FIMService/fimservice2
FIMService/fimservice2.idmad.lab
-----------
CN=FIM SPPool,OU=FimServiceAccounts,OU=FIMAdmin,OU=FimLab2,DC=idmad,DC=lab

HTTP/fimportal2
HTTP/fimportal2.idmad.lab

Web.config for Password Registration Portal :

Microsoft.ResourceManagement.Service.exe.config file :

3 events in Event log on the portal server:

EVENT 1

Failure to connect to FIM Service
The web portal failed to connect to the FIM Service.

Ensure that (1) the FIM Service is running, (2) the FIM Service server address is correct in the web.config file on the web portal, and (3) that network connectivity is available between the web portal and the FIM Service over the designated port.
Details:
System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimservice2.idmad.lab:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer)
   at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
Web Portal: FIM Password Registration Portal
Session Id: qoind5aknc1xmn55ho033qn0
IP Address: 10.0.44.44

EVENT 2

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice2.idmad.lab:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimservice2.idmad.lab:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer)
   at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.DriverBase.GetNextGate(IGateControl currentGate)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

EVENT 3

The error page was displayed to the user.
Details:
Title: Communication Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
Source:
Attributes:
Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice2.idmad.lab:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimservice2.idmad.lab:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer)
   at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.DriverBase.GetNextGate(IGateControl currentGate)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3008
CaughtTime: 07/10/2013 10:12:55

Web Portal: FIM Password Registration Portal
Session Id: qoind5aknc1xmn55ho033qn0
IP Address: 10.0.44.44

↧

SSPR registration and reset started to fail after renewing the certificates

January 15, 2015, 1:55 am

≫ Next: Problem registering for password reset

≪ Previous: FIM Password Registration Portal - Error 3008 - Communication Error.

Hi,

On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fails on the last step of the process. So for example when user browse to https://passwordreset.domain.com and fills in their domain\username and click next, FIM will send a security code (SMS OTP) to user´s mobile phone and once user then fills in code and click Next, the Communication error 3008 is shown to user. Same happens in the last step of the registration where user reviews that the mobile number is correct before clicking finally next. Once clicked the same error as is with Reset portal is shown to user.

Other changes than renewing the certificates have not been done to the environment after it was working last time two days ago. Synchronization of users/groups create in FIM Portal works normally towards AD.

All servers within FIM environment are on same domain and subnet and firewall is off on all servers.

The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):

**********

The error page was displayed to the user.
Details:
Title: Communication Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
Source:
Attributes:
Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

***********

The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):

***********

Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)

***********

Both http://fimservice.domain.com:5726 or http://fimservice.domain.com:5725 can be accessed ok using web browser from the SSPR servers. The url of http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives http 400 bad request which is ok.

At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:

http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx

https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)

https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2

https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)

Can anyone help us with this and provide some tips what to check next on the environment? As the most weird thing here is that everything was working just fine before the certificates were renewed on all servers and no other changes were done on the environment.

-Pappa75

↧

Problem registering for password reset

March 29, 2010, 9:17 pm

≫ Next: MIM-WF Activity - Function Evaluator - CustomExpression - How to Truncate String

≪ Previous: SSPR registration and reset started to fail after renewing the certificates

I have the same symptoms as the user from this thread:

http://social.technet.microsoft.com/Forums/en/ilm2/thread/ab79b77e-d44e-46b8-9500-b1a8350699c3

I register for password reset and after answering my security gate questions I get the error: An error was encountered. Please call helpdesk or your system administrator.

However, I received a different error in the Password Management Proxy Log:

mscorlib: System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fim02.fimdemo.local:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, MessageBuffer& messageBuffer)
   at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer)
   at Microsoft.IdentityManagement.PasswordReset.GinaOperation.STSSubmitAndRetrieveChallenges(Byte[] gateData)

↧

MIM-WF Activity - Function Evaluator - CustomExpression - How to Truncate String

February 3, 2020, 2:26 am

≫ Next: MIM Password Synchronisation

≪ Previous: Problem registering for password reset

Hi,

I'm using a customExpression on a WF Activity (Function Evaluator Activity)

On the Custom Expression, I'm using this:

LowerCase(CompanyCode+"-"+FirstName+"."+LastName)

Now I need to ensure that I don´t exceed 19 chars in the output string len. How Can I do that?

Any kind of substring Function? I did not find it here https://docs.microsoft.com/en-us/previous-versions/mim/ff800820(v=ws.10)?redirectedfrom=MSDN

Thanks,

↧

MIM Password Synchronisation

February 3, 2020, 4:22 am

≫ Next: MIM SP2 upgrade error

≪ Previous: MIM-WF Activity - Function Evaluator - CustomExpression - How to Truncate String

Hello, Everybody

We deployed MIM 2016 and we're able to get a set of accounts from our source forest and create these accounts in all our target domains.

On the Agents, we enabled password sync, however, it’s not working.

One account has to be synchronize in two domains at the same time (Two agents). The account is created in all the domains but the password is synchronized only in the first domain (firt agent).

If I deactivate the password synchronization on the first agent, the password is synchronized in the second.
Is there an option I need to configure so that password is synchronize on the two agents at the same time?

Thanks for the feedback.
Regards
Anta

↧

MIM SP2 upgrade error

February 3, 2020, 5:53 am

≫ Next: Kerberos and MIM

≪ Previous: MIM Password Synchronisation

I am upgrading my MIM SP1 install to MIM SP2 and I am getting the dll is missing error:

There is a problem with the Windows Installer package. A DLL required for this installation to complete could not be run. Contact your support personnel or package vendor.

I have verified that I have the following installed as this is suppose to fix the issue:

Download the Visual C++ Redistributable Package (Vsresist_x64.exe) from the following Windows Download Center

Error still persists for me. I have run the package with logging enabled but only an really pull out the following error from the end of the log:

CustomAction DoCheckElevatedPrivileges returned actual error code 1157 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (c) (C8:D0) [08:39:40:289]: Note: 1: 1723 2: DoCheckElevatedPrivileges 3: DoCheckElevatedPrivileges 4: C:\Users\FIMINS~1\AppData\Local\Temp\MSIED7.tmp

↧

Kerberos and MIM

February 3, 2020, 6:21 am

≫ Next: Do you want to be acknowledged as Microsoft Identity Manager Guru ? Submit your work to February 2020 competition!

≪ Previous: MIM SP2 upgrade error

Hi

I am trying to make everything authenticate with AES256 in our domain(s)
However, one service account(used with MIM) still authenticates with RC4. The traffic is between two domains. Other traffic between the domains is AES256.
I have run 
ksetup /setenctypeattr <trustingdomain> RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
on both domains and verified ok in adsi edit. It also made almost everything use AES256 encryption

Also checked the service account and ticked:
"this account supports kerberos aes128bit encryption"
"this account supports kerberos aes256bit encryption"
And restarted the service on MIM server. But it still authenticates with RC4.

I checked the domain controllers and found in secpol.msc:
network security: configure encryption types allowed for kerberos
I then removed RC4 but then the MIM server started complaining with this event:

An unexpected error has occurred during a password set operation. 
 "BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): admaexport.cpp(4207): The Kerberos change operation failed: 0xc00002fd
ERR_: MMS(7848): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.4.1302.0"


So I guess I can't force it that way.

The service account is from 2009 and has a service principal name made with "setspn" command.
Microsoft Identity Manager Password ChangeNotification Service (PCNS)  is installed on domain controllers and PCNSCFG commands has been used with the account.

Just thinking of stuff that might be related.

Any thoughts?

↧

Do you want to be acknowledged as Microsoft Identity Manager Guru ? Submit your work to February 2020 competition!

February 4, 2020, 3:23 am

≫ Next: Generic LDAP Adapter Sync rules

≪ Previous: Kerberos and MIM

What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

The winners are selected each month for glory and adoration by the global technical community. Winners will be announced in Microsoft's channels and communities channels including a dedicated blog post, Twitter, Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in February 2020 and must be in English. However, the original blog or forum content can be from beforeFebruary 2020.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!

Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.

Note! Articles must be original written by the user, and not a duplicate of existsting article in the Wiki.

How can you win?

Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
(Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from James van den Berg.

Please, If you think your question has been answered click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.

↧

Generic LDAP Adapter Sync rules

March 9, 2017, 12:12 pm

≫ Next: MIM Custom Workflow - set reference value

≪ Previous: Do you want to be acknowledged as Microsoft Identity Manager Guru ? Submit your work to February 2020 competition!

I found that the generic LDAP adapter, you cannot configure any Sync rules in the portal for it.. you can never see the external resource type.

Has anyone found a work around for this? Or experienced this?

I guess I can do a work flow and MPR in the portal without the sync rule, but would prefer to use the sync rules.

Thanks

Russ

Russell Lema

↧

MIM Custom Workflow - set reference value

February 5, 2020, 7:30 am

≫ Next: Trying to create a transform within AADC (Azure AD Connect)

≪ Previous: Generic LDAP Adapter Sync rules

Hey Everyone,

tough question here,

do you know if i use there is way to push a reference value to a portal attribute

i have the agency which is a reference lookup, and i d like to automatically set it to a single value for certain users.

i was thinkng of using a the function evaluator workflow but i dont know how to set the value since its a reference not a string...

thanks for the help

Hitch Bardawil

↧

Trying to create a transform within AADC (Azure AD Connect)

February 6, 2020, 3:39 am

≫ Next: PAM - Expired PAM Request Cleanup fails

≪ Previous: MIM Custom Workflow - set reference value

Hi Guys

Im looking for a little help on AADC and out of box ruiles

Im working with a business who have acquired another company and need to synchronise identities from this new forest into AzureAD then migration mailboxes (multiforest hybrid). This new forest has a lot of groups which are similarly named to the existing forest. This is distribution groups like HR, Sales etc. The natural solution would be for forestB to rename all their groups prior to sync however this is a big task and will effect on premises users prior to onboarding to Exchange Online. One idea i had was whether we could prefix all these groups only within AzureAD as part of the sync by using a custom group join rule. The problem is I don't know how to construct the attribute or know what language MIM uses under the bonnet to even google.

The plan for me would be to duplicate the existing Group Common join rule for the MA associated with forestB with a higher precendent and change the transform already used for displayname.

Below is the following screen shot from AADC with the displayname as:

IIF(IsNullOrEmpty([displayName]),[cn],[displayName])

Firstly what languaue or format is used by FIM

Secondly - what does the current transform do? I can see there is an if statement and CN buried in there

Thirdly- How can i prefix all displaynames with "Prefix_" (what would be the transform format)

↧

PAM - Expired PAM Request Cleanup fails

February 6, 2020, 7:26 am

≫ Next: Request Type MPR: Which requestor to use?

≪ Previous: Trying to create a transform within AADC (Azure AD Connect)

Hi,
Our PAM installation is having some issues with the cleanup of expired PAM requests.
This makes the PAM Portal extremely slow(Some experience timeout on the web page).
We make due with running a custom powershell script which deletes expired Pam Requests, but it would be preferable if the service did so itself, like it's supposed to do.

We get a lot of these events in the Priveleged Access Management EventLog:
Event 866 - Failed to run PAM expired requests handler
And we've narrowed it down to being the PAM Monitoring Service.

We've seen the exact same issue on a seperate PAM installation which makes me think this might be a bug and not a configuration error.

Any ideas of how we can make this work like it should?

↧

Request Type MPR: Which requestor to use?

February 6, 2020, 2:57 pm

≫ Next: MIM Portal - Asks credentials 3 times and then give a wihte page

≪ Previous: PAM - Expired PAM Request Cleanup fails

I decided to try an experiment with a workflow to set the value of an attribute based on some criteria that can change throughout the lifecycle of the user account. I am trying not to use a set and a set transition MPR, so I went with the request MPR option. Unfortunately, I am now a bit confused on how to set up the requestor. Should I select the "Specific Set of Requestors" option? And if so, would I select Synchronization engine as the requestor? The target resource will be a specific set of users, and I am using a MIMWAL activity.

↧

MIM Portal - Asks credentials 3 times and then give a wihte page

January 6, 2016, 10:35 pm

≫ Next: MIM 2016 Support for PostGre SQL

≪ Previous: Request Type MPR: Which requestor to use?

So I can access to MIM portal using address hostname.domain.com. Portal works fine. But then I want to access to the portal with mimportal.domain.com and now the browser is asking my credentials 3 times and then returns a blank white screen.

So what is the issue? I have configured dns-a record with mimportal.domain.com to point MIM portal ip address.

I have not configured Kerberos. I have followed http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/ this manual to install the portal.

↧

MIM 2016 Support for PostGre SQL

July 5, 2018, 6:15 am

≫ Next: Group Validation Failed

≪ Previous: MIM Portal - Asks credentials 3 times and then give a wihte page

Hi EveryOne,

I wish to know if there is anyone who has been able to integrate the MIM 2016 SP1 Generic SQL Connector successfully with PostGre SQL 9.x Database.

The configuration works, and Import works as well but I am having some issues with Export Run. Troubleshooting with PostGre ODBC Logs shows that Export activity from MIM is not recorded, while Import activities are well logged.

On the MIM Synchronization Console, the error is described as "unexpected error 0x8ffe2740" after Export run.

I am almost concluding that this issue could because PostGre SQL is not on the list of supported Databases for MIM 2016 Generic SQL Connectors.

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql

Appreciate some advice from anyone with some experience with this or a workaround to address the issue.

Thanks

↧

Group Validation Failed

July 20, 2011, 11:15 am

≫ Next: "Initial flow only" in MvExtension DLL

≪ Previous: MIM 2016 Support for PostGre SQL

I am an administrator within our FIM Portal. Another Employee created a security Group within FIM. It has been provisioned within AD with no problem. When I try to edit the Security Group within the FIM Portal (AddingCriteria's) I get the following access denied error.

<RequestStatusDetail xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2011-07-20T17:57:33.6279504Z">Group validation failed: A group with calculated membership cannot have explicit members added or removed.</RequestStatusDetail>
------------------------------------------------------------

Any Idea why I would be getting this error? I was not able to find anything on the WEB or in this Forum relating to this exact error. Let me know if you need additional info.

↧

"Initial flow only" in MvExtension DLL

February 13, 2020, 3:04 am

≫ Next: Sync fails for FIM service with "Attribute "uid" is not present"

≪ Previous: Group Validation Failed

Is there a way to handle initial flow only in the metaverse provisioning process using a rules extension?

IMVSynchronisation.Provision(MVEntry mventry)

only has the metaverse. If the object doesn't exist in the CS of the target MA, that could be used to tell if it's an initial flow but all there is:

StartNewConnector("user");

which returns CSEntry.

If CSEntry is empty, would that mean it's now in intial flow? i.e. does StartNewConnector return a fully populated CSEntry if it's not intial flow (object exists in CS)?

thanks,

Alistair

↧

Sync fails for FIM service with "Attribute "uid" is not present"

February 14, 2020, 3:45 am

≫ Next: SQL server in another AD Forest

≪ Previous: "Initial flow only" in MvExtension DLL

I have an MvExtension DLL that provisions new AD accounts. When I do a full sync from the FIM Service MA it fails with the error "Attribute "uid" is not present". Attribute uid is present in the MA Person attribute flows. A full sync from the SQL MA works. Is there something special about the FIM Service (portal) MA?

thanks,

Alistair

↧

SQL server in another AD Forest

February 14, 2020, 9:19 am

≫ Next: Service and Portal Installation Error

≪ Previous: Sync fails for FIM service with "Attribute "uid" is not present"

Hello,

can someone confirm that it is not necessary to have the SQL server in the same AD Forest that the MIM servers ?

FYI there is a full trust between the 2 forest.

thanks

↧