
About SSPR and password write back

Dear Office365 Experts,

We have an Office 365 and AD Connect environment. Password hash sync is enabled. We are thinking about enabling Azure Active Directory SSPR. But I have a question: what happens if we don't enable password writeback?

> The user has a password on-premises and it is synced to O365 by AD Connect.

> The user resets the password in Azure SSPR.

> Does the local password sync and overwrite the reset password in O365? Or will there be 2 different passwords, one local and one in O365?

Thank you very much.


Can I perform backup of MIM using DPM 2019

I have a backup solution, DPM 2019. I know I can take a backup of the MIM SQL DB, but:

1. Can I take an object-level backup of MIM, so that if someone deletes any object from MIM I can restore it from backup?

2. If I restore the MIM object, will the SID and GUID be the same?



Arif

Do we need a federation server at both organizations?

If we have two separate organizations in separate forests which do not have a trust: A and B.

For A to access B's resources, do both forests need to have an ADFS server in their respective forest?

If A has a federated farm consisting of 50 servers, how do the 50 separate ADFS servers write to the same SQL server? Or is there something I am not understanding?


dsk

MIM Graph MA error on delta import "File was corrupted or removed. Try to re-run 'FullImport' to re-initialize it."

I recently upgraded the MS Graph connector to 1.1.1170.0 (from 1.1.1130.0). Now when I run a delta import on the MA that uses this connector, it fails with an error. Full import and all the other operations work fine.

It looked like it needed a schema update, which I performed (it took several hours, which seems a lot longer than it should for a database of this size). Delta import worked immediately after that, but now it's failing again.

The full error message in the event log is:

```
Log Name:      Application
Source:        FIMSynchronizationService
Date:          5/21/2020 2:40:21 PM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SVPHCMIM01.hc.hctx.net
Description:
The extensible extension returned an unsupported error.
 The stack trace is:

 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception during the import: ---> Microsoft.IdentityManagement.Connector.Graph.GraphAPIException: File was corrupted or removed. Try to re-run 'FullImport' to re-initialize it.
   at Microsoft.IdentityManagement.Connector.Graph.LocalStorageManager..ctor(String fileName, String fileHash, Boolean isDeltaImport)
   at Microsoft.IdentityManagement.Connector.Graph.ImportContext.GetImportEntries()
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.5.412.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6801</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-05-21T19:40:21.754947400Z" />
    <EventRecordID>1773995</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SVPHCMIM01.hc.hctx.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception during the import: ---&gt; Microsoft.IdentityManagement.Connector.Graph.GraphAPIException: File was corrupted or removed. Try to re-run 'FullImport' to re-initialize it.
   at Microsoft.IdentityManagement.Connector.Graph.LocalStorageManager..ctor(String fileName, String fileHash, Boolean isDeltaImport)
   at Microsoft.IdentityManagement.Connector.Graph.ImportContext.GetImportEntries()
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.5.412.0</Data>
  </EventData>
</Event>
```

MIM 2016 SP2 miiskmu /e error 80004003

Hello everyone,

I have a new installation of MIM Sync Service 2016 SP2 (version 4.6.34.0). The installation was successful (service registered, DB created, I can start the manager and, for example, manipulate the metaverse schema). The service account is provisioned as a gMSA.

I cannot export the encryption key. When I run "miiskmu /e ...bin /u:<domain>\<gmsa-sam>" from the command line (as administrator), the tool fails with error 80004003 (object reference not set to an instance of an object).

Can someone help me with this?


Maciek Kluz

MIM 2016 Upgrade issue

Hello Everyone, 

I just finished upgrading my MIM sync engine and portal farm with the KB3201389 patch.

Everything worked fine in my single-server test environment, but my production is a 2-server farm, and in this case the upgrade was successful but I'm not able to open the user create page, the user edit page or any popup page...

I have MIM 2016 with SharePoint Foundation 2013.

Can anyone help figure this out?

Thanks

Hicham


Hitch Bardawil

Groups update is very slow

Hi,

I have a management agent source for groups. Creating groups was very fast. Now I'm updating them to be criteria-based. It seems MIM is not creating an msidmCompositeObject but is updating each group separately. Can I do anything about it? There are no errors and it works, but at a pace of 2 groups per minute. I disabled all validation policies but that did not help, not significantly anyway. Is there something to be done about it?


GH

Enable windows 10 MFA on VDI using Azure

Hi Guys,

I am hoping someone can point me in the right direction for this. I have been searching the web and finding lots of information, most of which looks to be out of date.

I am trying to set up a test for Azure MFA and VDI. The current concept is to set up MFA on the Windows 10 VDI, but if it's better to set it up on the gateway, we could also use this option.

I have the VDI machines created and I have them Azure AD registered. What I am trying to work out is how to enforce MFA/2FA on these devices. It looks like I need to enable Windows Hello, and it also looks like I need to make the device an Azure Hybrid device. At present I only want to add 1 or 2 devices for testing.

Has anyone got good instructions on how to get this set up?

Thanks for your time

Craig 


Craig G


disaster and recovery plan for MIM

Hi ,

I have MIM servers. If I need to plan a backup and disaster recovery plan, how would I do it?

1. What are the things that I need to include in the backup?


Arif

Hide an attribute from search scope for one set

We have a custom search scope with selected attributes.

The requirement is that if we log in as a member of the Trainer set, we should not see a couple of attributes in that search scope.

Is it possible if I change the MPR and remove those attributes from read access for that set?

Thanks 

Upgraded to MIM 2016 SP1 and popups don't load

Hi,

I upgraded MIM to SP1 and the pop-up windows, when clicking on something like "About Forefront Identity Manager", get stuck on loading.

If I clear the browser's cache the pop-ups load OK, but is that something I'm going to have to tell all of my users to do? Does anyone have a more elegant solution for this issue?

Thank you!

Get the old value in a workflow

I'm writing an email template that notifies a user of a first name change. So they get an email when their First Name changes. The email template needs to contain both their old First Name and their new First Name. I'm using WAL so I can pull some data into [//WorkflowData/x] but is there any way I can get their old First Name? I had a look at [//Delta/x] but that doesn't contain the old value.

The only workaround I can think of is to have another attribute Old First Name and each time I run the notification workflow, I could update the Old First Name attribute with the current value. Then when the actual First Name is updated, triggering my workflow, I have the Old First Name there. But I don't like creating another attribute just for this purpose.

Nested groups as criteria of criteria based groups

Hi All,

I am trying to use the members of nested groups under a criteria-based group. Would it be possible to do that?

Kindly advise.

Thanks


Rajesh

MIM 2016 SP1 Popup freeze randomly

Hi,

We have MIM 2016 SP1 (version 4.5.286).

The users work with Internet Explorer 11, and when they access the MIM Portal they have issues with popups several times a day.

What happens is the popup just hangs at "loading...". The only way to fix this is to close the popup and open it again.

This causes the user to have to make their search again.

I found some information on the internet where some people said that you must clear the Internet cache or modify some files on the MIM Portal server.

Has anybody had this before?

Thanks


This posting is provided AS IS without warranty of any kind

Openldap delta-import removes all group members

Hi,

We are currently experiencing a strange issue with delta imports via OpenLDAP.

Issue
While using delta import to get the changes from OpenLDAP via the AccessLog, certain groups are left with only one member.
To restore all members we have to do a full import.

The behaviour only occurs if an existing group member is removed and added in the same (Deltalog) step.
Removing and adding in separate steps works fine.

Environment
- MIM Sync Service v4.4.1302.0
- MIM Generic LDAP Connector v1.1.1170.0
- OpenLDAP 2.4

Steps to reproduce

Example LDIF file:
```
dn: reqStart=20200527050001.000001Z,cn=log
objectClass: auditModify
reqStart: 20200527050001.000001Z
reqEnd: 20200527050001.000002Z
reqType: modify
reqSession: 4593433
reqAuthzID: cn=admin,ou=admins,o=contoso,c=com
reqDN: cn=test,ou=groups,o=contoso,c=com
reqResult: 16
reqMod: member:- uid=dummy,ou=users,o=contoso,c=com
reqMod: member:+ uid=user3,ou=users,o=contoso,c=com
reqMod: member:+ uid=user4,ou=users,o=contoso,c=com
reqMod: member:+ uid=dummy,ou=users,o=contoso,c=com
reqMod: entryCSN:= 20200527050001.258824Z#000000#001#000000
reqMod: modifiersName:= cn=admin,ou=admins,o=contoso,c=com
reqMod: modifyTimestamp:= 20200527050001Z
reqEntryUUID: 428ab767-6257-4435-81cb-852523b1b871
```

1. The group "test" contains these users in OpenLDAP and in the connector space:
   - dummy
   - user1
   - user2
2. The LDIF file is imported into OpenLDAP.
3. The group "test" now contains these users:
   - In OpenLDAP:
     - dummy
     - user1
     - user2
     - user3
     - user4
   - In the connector space:
     - dummy
     - user1
     - user2
4. A delta import is run; after this, "test" in the (OpenLDAP) connector space only contains the user:
   - dummy

If we then do a full import we get the correct users in "test" in the OpenLDAP connector space:
- dummy
- user1
- user2
- user3
- user4

---

Has anyone encountered this strange behavior and found a solution for it or is this a bug?
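To make the reproduction concrete, here is an added example (not code from the post or from the MIM Generic LDAP Connector) that parses the reqMod lines of the accesslog entry above and replays them, in order, against the connector-space membership the post starts from (dummy, user1, user2). It also handles the other accesslog operators ('=' replace and a bare 'attr:-' delete-all), which the post's entry does not exercise; the expected outcome is the five-member group the full import produces.

```python
"""Replay an OpenLDAP accesslog 'auditModify' entry against a cached group.
Added example, not from the post or the MIM Generic LDAP Connector."""

def dn(uid):
    """User DN in the post's directory layout."""
    return "uid=%s,ou=users,o=contoso,c=com" % uid

# Accesslog entry from the post, trimmed to the lines the replay needs.
ACCESSLOG_ENTRY = """\
dn: reqStart=20200527050001.000001Z,cn=log
reqDN: cn=test,ou=groups,o=contoso,c=com
reqMod: member:- uid=dummy,ou=users,o=contoso,c=com
reqMod: member:+ uid=user3,ou=users,o=contoso,c=com
reqMod: member:+ uid=user4,ou=users,o=contoso,c=com
reqMod: member:+ uid=dummy,ou=users,o=contoso,c=com
reqMod: entryCSN:= 20200527050001.258824Z#000000#001#000000
reqMod: modifyTimestamp:= 20200527050001Z
"""

def parse_reqmods(entry):
    """Return [(attr, op, value), ...] in accesslog order; reqMod syntax is
    'attr:<op> value' with op '+' add, '-' delete, '=' replace, '#' increment."""
    mods = []
    for line in entry.splitlines():
        if line.startswith("reqMod: "):
            spec, _, value = line[len("reqMod: "):].partition(" ")
            attr, _, op = spec.partition(":")
            mods.append((attr, op, value.strip()))
    return mods

def apply_mods(attrs, mods):
    """Replay mods, in order, on a dict attr -> set of values. Order matters:
    '- dummy' followed by '+ dummy' must leave dummy in the group."""
    attrs = {k: set(v) for k, v in attrs.items()}
    for attr, op, value in mods:
        values = attrs.setdefault(attr, set())
        if op == "+":
            values.add(value)
        elif op == "-" and value:
            values.discard(value)
        elif op == "-":          # bare 'attr:-' removes every value
            values.clear()
        elif op == "=":
            attrs[attr] = {value} if value else set()
    return attrs

def replay_group(members, entry):
    """Connector-space membership after replaying the entry's reqMods."""
    return apply_mods({"member": set(members)}, parse_reqmods(entry))["member"]
```

Replaying the entry against {dummy, user1, user2} yields the same five members the full import restores; a delta import that ends with only dummy has not applied the reqMod operations in sequence.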



INBOUND SYSTEM SCOPING FILTER

Hi All,

I have an inbound sync rule that creates resources in FIM.

I wanted to restrict some objects from the management agent so that they do not project. So I defined a scoping filter, but even after defining it I could still see objects getting projected. Is there any issue, or am I missing anything here?

Flow direction: Inbound

Apply Rule: To specific MV resources


Rajesh

MIM CM PublishCRL: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Hi,

We're having a weird error from MIM CM when we revoke a certificate or disable a smart card.

```
Exception Type: System.ArgumentException
Message: CCertAdmin::PublishCRLs: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
ParamName: NULL
Data: System.Collections.ListDictionaryInternal
TargetSite: Void PublishCRLs(System.String, System.DateTime, Microsoft.Clm.CertificateServices.Interop.CrlFlags)
HelpLink: NULL
Source: CertificateAuthority.Admin
HResult: -2147024809
```


MIM CM calls the CA to publish a CRL with the newly revoked certificate. Theoretically, I would say it's "by design".

But the msClm-Data attribute of the Profile Template in Active Directory ("CN=MyProfile,CN=Public Key Services,CN=Configuration,DC=MyDomaine,DC=Com") specifies that PublishCRL and PublishDeltaCRL are set to False for ALL policies:

```
<xxxPolicy>
<PublishBaseCrl>false</PublishBaseCrl>
<PublishDeltaCrl>false</PublishDeltaCrl>
</xxxPolicy>
```

It's not critical, but if someone has an idea why we have this issue it would be appreciated.

Adding to this, the CA receives the call from CM:

```
Event ID 4871 – Certificate Services Received A Request To Publish The Certificate Revocation List
Next Update: 0
Publish Base: No
Publish Delta: No
```

Thanks!


This posting is provided AS IS without warranty of any kind

To list KMS-server for activated installations


Users can activate a Windows installation using our KMS server without buying or reporting the installation.

Is it possible to get a report from the KMS server about activated installations, or how can we control this kind of installation/activation?

Thanks in advance.

Best Regards

/ Tubay

Multiple MIM Portal issue after applying Hotfix

Quick backstory: my company hired consultants to set up our MIM environment and left me the keys to the solution. I took a training course in MIM and learned the rest as I went. I have become very capable and comfortable with SQL, C#, PowerShell, the Synchronization Service and the Portal Service, which I think is pretty good given how spread out the documentation for MIM seems to be. Where I am lacking is SharePoint, because I have never had to do anything beyond putting the Portal into "Maintenance" mode or running IISRESET.

In production we have 1 Synchronization server and 2 Portal servers. In dev we have 1 Synchronization server and 1 Portal server. I recently put together a bunch of changes in Dev along with upgrading to Hotfix 4.5.412. This week I attempted to rollout the Hotfix and the configuration changes to Production and immediately hit an issue with the hotfix. I could no longer access the MIM Portal with our load-balanced address or pointing directly at the servers.

Looking in the event logs I found the following error

The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

I googled the error and tried everything I understood in the search results but had no luck resolving the issue so I had to rollback to my snapshots and SQL Backups. I copied all the .config files I kept seeing referenced in the search results on my non-working servers before doing this. The only difference in prod is the fact that we have 2 Portal servers instead of 1 so I suspected these were causing my problems.

What I discovered was in the C:\InetPub\wwwroot\wss\VirtualDirectories\80\web.config file, after applying the hotfix the value of resourceManagementClient resourceManagementServiceBaseAddress changed from "http://server1.domain.org:5725" and "http://server2.domain.org:5725" to our load balanced address of "http://manageidentity.webdomain.org:5725".

I am fairly confident this is the cause of my issue. However, in trying to understand why, I found this https://social.technet.microsoft.com/wiki/contents/articles/10186.fim2010-troubleshooting-fim-service-is-not-available.aspx#APPENDIX_B which says "Essentially the value for resourceManagementServiceBaseAddress should match the same thing in the FIM Configuration File ( resourceManagementClient and resourceManagementServiceBaseAddress )". When I look at the MIM config I see the load-balanced address of "http://manageidentity.webdomain.org:5725".

I have also seen that the web.config file should be the same on all the servers on the farm, but that was not the case with our working MIM solution as the 2 respective servers both referenced themselves in resourceManagementServiceBaseAddress.

I feel I am either misunderstanding the documentation/blogs or our production Portal servers were set up improperly.

Can anyone shed light on the resourceManagementServiceBaseAddress value when you have multiple portal servers? Or know of good documentation on setting it up, so I can make sure my environment is set up correctly?

Azure AD Sync - Custom Attribute from On-Premises to Azure AD

I am in the process of syncing a custom attribute.

I would like to know, when I perform this action, whether I need to keep the existing "optional features", e.g. hybrid Exchange, password hash / password write-back etc.

These options are already selected.

Do they need to be removed?

What is the impact of these options being left selected? I assume nothing, but would like confirmation.

Thanks in advance!
