Channel: Forum Microsoft Identity Manager

Does an SSPR server in the DMZ need to be domain joined?


Hi

I realize the SSPR web portal does not require SharePoint and only needs IIS. Our security team does not want any self-registration pages to be hosted on a domain-joined server. We do have a reverse proxy server that users go through before they reach the registration pages. Q: Is it a possible scenario to have the SSPR server in the DMZ, not joined to any domain?


Trouble with notifications: failed schema validation


I am trying to send an Email notification from a workflow and am getting the following error:

System.Web.Services: System.Web.Services.Protocols.SoapException: The request failed schema validation: The element 'Message' in namespace 'http://schemas.microsoft.com/exchange/services/2006/types' has invalid child element 'Header' in namespace 'http://schemas.xmlsoap.org/soap/envelope/'. List of possible elements expected: 'Sensitivity, Body, Attachments, DateTimeReceived, Size, Categories, Importance, InReplyTo, IsSubmitted, IsDraft, IsFromMe, IsResend, IsUnmodified, InternetMessageHeaders, DateTimeSent, DateTimeCreated, ResponseObjects, ReminderDueBy, ReminderIsSet, ReminderMinutesBeforeStart, DisplayCc, DisplayTo, HasAttachments, ExtendedProperty, Culture, Sender, ToRecipients, CcRecipients, BccRecipients, IsReadReceiptRequested, IsDeliveryReceiptRequested, ConversationIndex, ConversationTopic, From, InternetMessageId, IsRead, IsResponseRequested, References, ReplyTo' in namespace 'http://schemas.microsoft.com/exchange/services/2006/types'.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.CreateItem(CreateItemType CreateItem1)
   at Microsoft.ResourceManagement.Mail.ExchangeProxy.ExecuteCreateItem(CreateItemType request)
   at Microsoft.ResourceManagement.Mail.ExchangeServer.SendNotification(NotificationMessage message)
   at Microsoft.ResourceManagement.Mail.NotificationMessage.Send(Int32 timeoutInMilliseconds)
   at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.SendMailMessage(MessageContent messageContent, Int32 timeoutInMilliseconds)
   at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.ProcessWorkItem(WorkItem workItem

It appears that the Exchange web service doesn't like the schema FIM is presenting. Anyone seen this? Is there a trace setting that will dump out the call to the Exchange server?

I have tested that I can hit https://fqdn_server/ews/exchange.asmx from the FIM Service account, and the certificate is correct.



FIM 2012 R2 SP1 (On Premise) - The Forefront Identity Manager Synchronization service stops every hour


I have a new installation of FIM 2012 R2 SP1 "on premise".  

I can do imports, synchronizations, etc., but at every hour sharp (12:00, 1:00, 2:00, ...) the Forefront Identity Manager Synchronization Windows service stops (disabled). I have to enable it manually and restart it every time...

Anything I should check...? Is it caused by a SharePoint timer job...?

The SharePoint logs or Event Viewer don't show anything particular...

Thanks,

J-F


Jean-François Guertin Entreprise Solution Architect Collaborum Services Conseils Inc | 1-581-997-4911 | jfguertin@collaborum.com Certifications Visual Studio Team Foundation Server 2010 Microsoft Office SharePoint Server 2007 - 2010 Windows SharePoint Services 3.0
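The check a practitioner would run for a service that is found disabled on the hour, as an added example that is not part of the original post. Windows records every stop of a service (Service Control Manager event 7036) and every change of its start type (event 7040, which names the old and new start type, e.g. "auto start" to "disabled"), so the first step is to see whether those events cluster at minute 0 and then look for the hourly trigger: a scheduled task, or a Group Policy "System Services" setting that is re-applied on every refresh. It assumes an elevated shell on the sync server, Windows Server 2008 R2 or later, and the default FIM 2010 R2 service display name.

```powershell
# Added example (not from the original post). Assumes: elevated PowerShell on the sync server,
# Get-WinEvent available (Server 2008 R2+), and the default FIM 2010 R2 service display name below.
$displayName = 'Forefront Identity Manager Synchronization Service'

# 7036 = service entered running/stopped state; 7040 = start type of the service was changed.
$events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
    } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$displayName*" }

# Timeline of the relevant events, with the minute of the hour and the first line of the message.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Minute'; e = { $_.TimeCreated.Minute } },
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# If the 7040 (start type changed) events all fall in the same minute bucket, something is scheduled.
$events |
    Where-Object { $_.Id -eq 7040 } |
    Group-Object { $_.TimeCreated.Minute } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'MinuteOfHour'; e = { $_.Name } }, Count -First 5

# Scheduled tasks that repeat hourly (schtasks exists on every supported server version; the column
# names below are the ones in its verbose CSV output).
schtasks.exe /Query /FO CSV /V |
    ConvertFrom-Csv |
    Where-Object { $_.'Repeat: Every' -match '^1 Hour' -or $_.'Schedule Type' -match 'Hourly' } |
    Select-Object TaskName, 'Run As User', 'Task To Run' |
    Format-Table -AutoSize

# Group Policy can force a startup type via Computer Configuration > Windows Settings > Security
# Settings > System Services and re-applies it on each refresh. The report lists which GPOs applied.
gpresult.exe /Scope Computer /H "$env:TEMP\gpresult.html"
Write-Output "GPO report written to $env:TEMP\gpresult.html; check its System Services section for '$displayName'."
```

If the 7040 events line up with the task or policy refresh found above, fix the source rather than re-enabling the service by hand: a policy that disables an identity-critical service on a schedule is either a misapplied hardening baseline or a sign that someone has control of a GPO they should not have.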

FIM 2010 R2 Portal Configuration


Hi Gurus

I have a couple of quick questions about the FIM Password Reset and Registration Portal. I have a portal that is up and running, and I can register users and can update their passwords. I am trying to do the following:

  • On the password registration success page, can I add static text and a link to the password reset page?
  • On the password reset page, where the password needs to be entered, can we add static text telling users what the AD password policy is, so that they don't make a number of unsuccessful attempts?
  • I believe that FIM now has the capability to enforce the password policy as per http://support.microsoft.com/KB/2443871. So if I use that, will all of my AD password policy (length, history, complexity, age, etc.) be enforced?

Any help will be greatly appreciated, thanks in advance.

Regards

Custom attribute not getting hidden


Hi,

I've created two new custom attributes (one of type string and the other of type boolean) and bound them to the Person object. I also modified the Create User and Edit User RCDCs to include those attributes in the view.

The attributes show up just fine for the administrator, which is expected when creating or editing a user object; however, when I log in as a normal user, I can still see those attributes, despite the normal user not having Read permission on the attributes through any MPR. The read permissions are controlled at the attribute level, and I have double-checked that these attributes are not added to that list.

Is there some way to check if these attributes show up in any MPRs? My only guess here is that some MPR is granting read permission to these attributes but I don't want to go through all the MPRs to find out which one that might be.

Thanks 
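One way to answer "which MPR grants Read on this attribute" without opening every MPR by hand, as an added example that is not part of the original post. It exports the ManagementPolicyRule objects through the FIM Service web service (Export-FIMConfig from the FIMAutomation snap-in) and keeps the enabled, granting rules whose action type includes Read and whose ActionParameter names the attribute, or is the wildcard `*`, which is what usually explains an attribute nobody remembers granting. The attribute name `myCustomFlag` and the service URI are placeholders; substitute your own.

```powershell
# Added example (not from the original post). Assumes the FIMAutomation snap-in on the FIM Service
# box, an account allowed to read MPR definitions, and a placeholder attribute name.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$attributeName = 'myCustomFlag'          # placeholder: the custom attribute bound to Person
$uri           = 'http://localhost:5725' # FIM Service endpoint

# Read one attribute off an ExportObject; multi-valued attributes come back as an array.
function Get-FimAttr($Resource, [string]$Name) {
    $a = $Resource.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $Name }
    if ($a.IsMultiValue) { $a.Values } else { $a.Value }
}

# -OnlyBaseResources: the MPRs themselves, not the sets and workflows they reference.
$mprs = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule')

$hits = foreach ($mpr in $mprs) {
    # Values arrive as strings ('True'/'False'); ActionType and ActionParameter are multi-valued.
    if ((Get-FimAttr $mpr 'Disabled') -eq 'True') { continue }   # disabled rules grant nothing
    if ((Get-FimAttr $mpr 'GrantRight') -ne 'True') { continue } # workflow-only rules grant nothing
    $actions = @(Get-FimAttr $mpr 'ActionType')
    if ($actions -notcontains 'Read') { continue }
    $params  = @(Get-FimAttr $mpr 'ActionParameter')
    $wild    = $params -contains '*'
    if ($wild -or ($params -contains $attributeName)) {
        New-Object PSObject -Property @{
            DisplayName  = Get-FimAttr $mpr 'DisplayName'
            Type         = Get-FimAttr $mpr 'ManagementPolicyRuleType'
            Wildcard     = $wild
            Parameters   = ($params -join ',')
        }
    }
}

if ($hits) {
    $hits | Sort-Object Wildcard -Descending | Format-Table DisplayName, Type, Wildcard, Parameters -AutoSize
} else {
    Write-Output "No enabled MPR grants Read on '$attributeName' (check attribute-level permissions another way)."
}
```

Rules flagged `Wildcard = True` are the ones to review first: an ActionParameter of `*` covers every attribute bound to the object type, including attributes created after the rule was written, which is exactly how a new custom attribute becomes readable by users who were never explicitly granted it. The principal set of each hit (PrincipalSet, or PrincipalRelativeToResource for "self" rules) tells you whether normal users are in scope.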

How to create an Extensible Connectivity 2.0 MA that calls a web service in FIM 2010 R2?


I created my web service to create, update and delete users from one of our systems.

Now I need to create an MA that uses my web service to export users into that system; there is no need to import!

I tried to use the Web Service Configuration Tool but got lots of errors and could not find an example of configuring run profiles.

Now I am trying to write an Extensible Connectivity 2.0 management agent. I need help, as there are no examples available of how to call/use a web service in an MA.

Thanks

Extranet self-service reset portal, OTP mail only, via FIM to an untrusted AD


Hi all,

I'm busy with architects designing a new scenario for me in the FIM 2010 R2 Password Reset Portal.
We have an existing FIM setup in our internal corporate AD domain without any existing password reset/registration.

I've got to manage an AD (not domain- or forest-trusted) containing external users (no problem for the AD MA). The idea is to provide the FIM Password Reset Portal functionality to those users (I've got their email addresses):
- Once a new user is created in that separate AD, send an OTP via mail to that user asking them to set a password.
- Allow users to request an OTP via mail (forgot my password) through a reverse proxy (extranet scenario).
- There is no functional need for registering secrets in the self-service portal (FIM registration NOT wanted/needed).

I'm not sure, before proceeding, if this is possible:
- Is OTP by mail alone possible, without registering in FIM? (I think yes.)
- Can I set the password of a user in an external domain without a trust? That is, does a reset go 100% via FIM, with no trust from IIS to that domain required somehow?

I've seen the interesting video http://www.youtube.com/watch?v=T-p41Ze9ewA but I want to be sure.

Thanks for the replies and suggestions,
David.
PS: Has anyone of you ever connected to DB2 on a mainframe via the FIM DB2 MA?

How to handle a timedout BDC connection


I have a BDC connection to a SQL database; however, this database may time out from time to time or be offline. Right now, if the database is down, the fields on the user profile that depend on it come out empty. I would like to keep the old values if there is no connection. How can I achieve this? I am desperate.

My SharePoint user profile has fields from AD and from a BDC connection. How can I handle a missing connection?


Wipe a mobile device before disabling a user


Has anyone tried to tackle the issue of remotely wiping ActiveSync devices before disabling a user account with FIM?

We have an issue: when we terminate a user, disable the account, and reset the password for good measure, the phone will not receive a remote wipe command, since that user on that phone will no longer authenticate.

Curious if anyone has thought of a workaround or some solution to wipe mobile devices, short of an MDM that does this via an app installed on the phone.

Kirk
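The ordering problem described in the post, worked through as an added example that is not part of the original post. An ActiveSync wipe is only delivered when the device next syncs, and that sync authenticates with the user's credentials, so the wipe has to be issued and acknowledged before the account is disabled or its password reset. The script issues the wipe for every partnership on the mailbox, polls DeviceWipeAckTime until each device has confirmed, and only then disables the account; a device that never checks in is reported rather than silently skipped. It assumes an Exchange 2010 Management Shell (Exchange 2013 and later renamed these cmdlets to Get-MobileDeviceStatistics and Clear-MobileDevice), the ActiveDirectory module for the final disable, and a placeholder user name.

```powershell
# Added example (not from the original post). Assumes Exchange 2010 cmdlet names, the ActiveDirectory
# module, and that $User is a placeholder mailbox/sAMAccountName.
param(
    [string]$User = 'jdoe',        # placeholder: user being offboarded
    [int]$TimeoutMinutes = 120,    # how long to wait for every device to acknowledge the wipe
    [int]$PollSeconds = 60
)
Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: every ActiveSync partnership for the mailbox. Nothing to wipe means we can disable straight away.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $User -ErrorAction Stop)
if ($devices.Count -eq 0) {
    Write-Output "No ActiveSync devices for $User; disabling account."
    Disable-ADAccount -Identity $User
    return
}

# Step 2: queue the wipe on each device while the credentials still work. The command is delivered
# on the device's next successful sync, so do NOT touch the account yet.
foreach ($d in $devices) {
    Write-Output "Sending remote wipe to $($d.DeviceType) / $($d.DeviceId) (last sync $($d.LastSuccessSync))"
    Clear-ActiveSyncDevice -Identity $d.Identity -Confirm:$false
}

# Step 3: wait for acknowledgement. DeviceWipeSentTime is set when the command was handed to the device,
# DeviceWipeAckTime when the device reported the wipe complete.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds $PollSeconds
    $pending = @(Get-ActiveSyncDeviceStatistics -Mailbox $User |
                 Where-Object { $_.DeviceWipeRequestTime -and -not $_.DeviceWipeAckTime })
    Write-Output ("{0:HH:mm:ss} waiting on {1} device(s)" -f (Get-Date), $pending.Count)
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

# Step 4: only invalidate credentials once every device has confirmed; otherwise escalate.
if ($pending.Count -gt 0) {
    $pending | Select-Object DeviceType, DeviceId, LastSuccessSync, DeviceWipeSentTime | Format-Table -AutoSize
    Write-Warning "Wipe not acknowledged by $($pending.Count) device(s) for $User within $TimeoutMinutes min."
    Write-Warning "Decide per policy: keep waiting, wipe via MDM, or disable now and treat the device as lost."
} else {
    Write-Output "All devices acknowledged the wipe; disabling $User."
    Disable-ADAccount -Identity $User
}
```

The unacknowledged branch is the one that matters in practice: a device that is switched off, out of coverage, or already in an attacker's hands will never confirm, and at that point you are choosing between leaving a terminated user's credentials valid a little longer and accepting that the data on the device is out of your control. Make that an explicit policy decision, not something the script decides by timing out.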

FIM Galsync Selective Output

I have 4 forests doing FIM GALSync with each other successfully: AMERICAS, EUROPE, AFRICA, APAC. But I don't want FIM to provision APAC contacts to EUROPE the same way it does for AMERICAS and AFRICA. When the APAC contacts are synced in the EUROPE MA, the targetAddress attribute value of the contacts should be SMTP:%mailNickName@myexch2010.apac.org, but for all other forests APAC can provision the contacts with the targetAddress value in the format SMTP:%mailNickName@myexchdomain.com. Let me know how this is possible.

Jimmy George

Many Connector Space Objects to One Metaverse Object in the Same Management Agent

FIM SSPR Client - Chinese Language Pack - Selected Keyboard Language Ignored


We're currently deploying the FIM 2010 R2 SP1 SSPR client and Chinese language pack to our Asia Pacific users. Several of our test users have reported that the currently selected keyboard language (they have the option of switching between English and Traditional Chinese) is ignored and defaults to English when entering challenge question answers.

The Traditional Chinese language pack is installed and matches the server-side language pack version. End users have no problem registering and resetting their passwords in Chinese via the web portals, but when using the SSPR client the keyboard language always defaults to English, and there seems to be no way to force the Chinese keyboard character set.

Any help would be greatly appreciated!

Austin

FIM Self-Service Password Reset Stats and Reports.


Hi,

I am looking for a way to extract stats/reports for a customer around Self-Service Password Reset, for ROI information.

e.g.

1. How many users have registered
2. List of account and display name of users that have registered
3. List of account and display name of users that have not registered yet
4. How many users have successfully been able to reset their passwords for the week/month
5. Nice to have would be a more detailed report on password resets, e.g. time of day, resets per day, etc.

This customer does not have the FIM Reporting component installed and needs to extract this from the FIM Service DB.

Any info would be appreciated.
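An added example, not part of the original post, that pulls the registration and reset figures through the FIM Service web service (Export-FIMConfig) rather than by querying the FIM Service database tables directly, which Microsoft does not support and which bypasses the MPR permission model. It assumes the FIMAutomation snap-in on the FIM Service box, the out-of-box authentication workflow name 'Password Reset AuthN Workflow', that Person carries AccountName and DisplayName, and (for the reset count) that a self-service reset shows up as a completed Put request whose RequestParameter names the ResetPassword attribute; verify that last assumption against a known reset in your own Request history before trusting the number.

```powershell
# Added example (not from the original post). Assumes FIMAutomation snap-in, OOB workflow name,
# Person.AccountName/DisplayName, and that resets are completed 'Put' requests on ResetPassword.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$uri   = 'http://localhost:5725'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')  # reporting window

# Read one attribute off an ExportObject; multi-valued attributes come back as an array.
function Get-FimAttr($Resource, [string]$Name) {
    $a = $Resource.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $Name }
    if ($a.IsMultiValue) { $a.Values } else { $a.Value }
}
function ToRow($p) {
    New-Object PSObject -Property @{
        AccountName = Get-FimAttr $p 'AccountName'
        DisplayName = Get-FimAttr $p 'DisplayName'
    }
}

# AuthNWFRegistered references each authentication workflow the user has completed registration for,
# so filtering on the password reset workflow gives the registered population; not() gives the rest.
$wf = "/WorkflowDefinition[DisplayName='Password Reset AuthN Workflow']"
$registered   = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person[AuthNWFRegistered=$wf]")
$unregistered = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person[not(AuthNWFRegistered=$wf)]")

Write-Output ("Registered: {0}   Not registered: {1}" -f $registered.Count, $unregistered.Count)
$registered   | ForEach-Object { ToRow $_ } | Sort-Object AccountName | Export-Csv .\sspr-registered.csv   -NoTypeInformation
$unregistered | ForEach-Object { ToRow $_ } | Sort-Object AccountName | Export-Csv .\sspr-unregistered.csv -NoTypeInformation

# Completed self-service resets in the window. Assumption: the SSPR portal submits a Put of the
# ResetPassword attribute, so the request's RequestParameter XML mentions that attribute name.
$puts   = @(Export-FIMConfig -Uri $uri -OnlyBaseResources `
            -CustomConfig "/Request[Operation='Put' and RequestStatus='Completed' and CreatedTime>='$since']")
$resets = @($puts | Where-Object { @(Get-FimAttr $_ 'RequestParameter') -match 'ResetPassword' })

Write-Output ("Completed resets since {0}: {1}" -f $since, $resets.Count)
# Resets per day and per hour of day, the "nice to have" breakdown.
$resets |
    Group-Object { ([datetime](Get-FimAttr $_ 'CreatedTime')).ToString('yyyy-MM-dd') } |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count | Sort-Object Day | Format-Table -AutoSize
$resets |
    Group-Object { ([datetime](Get-FimAttr $_ 'CreatedTime')).Hour } |
    Select-Object @{ n = 'HourUTC'; e = { [int]$_.Name } }, Count | Sort-Object HourUTC | Format-Table -AutoSize
```

Run it as an account that can read Person and Request objects (an administrator, or a dedicated reporting account granted Read on exactly those attributes). Going through the service keeps the report subject to the same MPRs as everything else, which matters because the unregistered list is, read the other way, a list of accounts whose recovery path is still the help desk.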

 

Configuration for FIM 2010 R2 password registration language pack


Hi,

I am trying to configure the FIM 2010 R2 password registration language pack. In my environment the Password Registration and Password Reset portals are working fine, but now I want to implement a multi-language scenario, specifically for Hindi. I installed the language pack on the Password Registration and Reset machine and did some configuration for Hindi: first I created a Set, Workflow and MPR for Hindi, then I created a Customization folder in the root directory of FIM Password Registration and Reset and a Strings.hi-IN.Resources file in the Customization folder, but this is not reflected in my environment; it takes English by default. So please suggest where I am going wrong.

Also, please provide the settings for Hindi in Internet Explorer (browser).

Regards

Anil Kumar

How to dereference objects during export flow


Hello!

I would like to export information from a referenced object during export flow but the referenced object is not part of the connector space object of the affected management agent. This is my demo configuration:

testEmployeeData:
- employeeId (anchor)
- personId (reference to testPerson object)
- telephoneNumber
- uid

testPerson:
- displayName
- givenName
- sn
- uid (anchor)
- employeeData (multi-value reference to testEmployeeData records; can be null)

I have a SQL agent ("HR") that imports person and employeeData objects into the metaverse. The references seem to work, as I can see them in the Sync Service Manager and they point to the right objects too. Now I would like to access some of the referenced objects' data during export attribute flow. I have configured an export-only "Persons" agent that should export the personal data into an attribute-value file. This is what I would like the export flow to look like:

displayName <- testPerson.displayName
employeeId (multi-value) <- testEmployeeData.employeeId (*)
firstName <- testPerson.firstName
lastName <- testPerson.sn
uid <- testPerson.uid

The problem is now the advanced attribute flow marked with (*). The testPerson.employeeData field contains a multi-valued reference to all matching employeeData records which contain the employeeId. The output file should contain all matching employeeIds instead of the reference values (GUIDs) but I can't get this to work. When I try to configure an advanced export flow rule flowing testPerson.employeeData to person.employeeId I just receive an error message stating that metaverse reference attributes cannot be defined as source attributes.

Do I have to create an appropriate connector space object for this to work? Or is there some other way to dereference objects in order to get certain attributes? By the way, the person connector space object in the "Persons" agent is created by provisioning code based on testPerson metaverse objects.

Regards,

Philipp


FIM Web Service client


Hello, 

I want to use the FIM web service to force a user to register his password when he connects to FIM.

Can I redirect the page or something else? Does anyone have experience with that?

Any idea ? 

Thanks

Windows Azure Active Directory Connector - Password Synchronisation


Hi All,

New to FIM - apologies if this has been answered already elsewhere.

Reading the TechNet articles, it is mentioned that the Azure Active Directory connector does not synchronise passwords when it does the account synchronisation between on-premises AD and Azure Active Directory.

So the question is - is this still the case?

Do we still need to use AD FS to provide Single Sign On for cloud applications via the on premise AD?

or, are there potential solutions available?

I understand DirSync does password hash synchronisation but is unsuitable for multiple-forest, multiple-Exchange scenarios. Unfortunately, we are such an organisation. Hence, DirSync does not seem to be an option.

Please advise.

Regards,

Ajay Suri


How to enable regex validation for display name attribute?


I need to put some control around the display name attribute (for all objects in the system). However, when I go to Administration => Schema Management => All Attributes => Display Name, I see that the regular expression text field under the Validation tab is disabled for display name. How can I enable this? I see there is already an MPR called "Administration - Schema: Administrators can change selected attributes of schema related resource" which grants admins the right to change the schema of the display name attribute, but it does not seem to help for the above scenario. Can someone please help?

Resource SID not populated on new users


I'm having a problem in FIM 2010 R2 SP1 where the Resource SID is not being populated for new users that are synced and, thus, they cannot access the password registration portal, with the error "The current user account is not recognized by Forefront Identity Manager. Please contact your help desk or system administrator. (Error 3003)".

I can verify this by searching for the users in the FIM Portal, then Provisioning --> Advanced View --> Extended Attributes. Resource SID says "No value specified for this attribute." I can fix this problem with this script, but I'd like it automated.

In my FIMMA I have Person: objectSID export to Person: objectSID

In my ADMA I have user: objectSID import to Person: objectSID

I searched around quite a bit but cannot find the resolution for this. I'm fairly new to FIM and would appreciate any guidance on this problem.

Thanks!

FIM multivalue attribute export to SQL - error 0x80230808


Hi,

Running FIM Synchronization Service v 4.0.3531.2 - Update1.

This instance is a simple setup, import from AD, export to SQL. I'm trying to export two multivalue attributes, one is a normal multivalue string, second is a reference attribute (member). My anchor is the GUID from AD in string format, perfectly fitting into uniqueidentifier sql datatype.

Since I wanted to have the member values in the multivalue table also stored in a uniqueidentifier column (for further linking), I had to create two columns, one as "uniqueidentifier" and the second as "text". FIM configuration went smoothly: I defined a member multivalue reference attribute and selected the uniqueidentifier column as the "String attribute column", and the other multivalue string attribute had to be linked as the "Large string attribute column", which I pointed to the text column.

Synchronization completed without errors, and the export step properly exported all multivalue string attributes to the text column, BUT when it came to exporting the GUID reference attribute to the uniqueidentifier column, it exported only the first value and showed a "dn-attribute-failure" error. The FIM GUI only showed the error number 0x80230808.

I did a SQL trace to see what's going on. I re-ran the export and saw FIM trying to delete all the values for this attribute multiple times with:

DELETE from [tblAD_Multivalue]  WHERE [objectGUID] = N'{B011B424-5B2F-43A9-84C5-8605A570487B}' AND [attributeName] = N'member'

followed by doing cursor magic with the first value that was already added:

exec sp_cursor 180150007,4,0,N'tblAD_Multivalue',@objectGUID='B011B424-5B2F-43A9-84C5-8605A570487B',@attributeName='member',@guidValue='2E52A484-C7F6-49C0-AAC8-0A30C732A385'

After repeating the above more than 10 times, it added an export_error_detail:

update [mms_connectorspace] set [export_error_detail] = N'<export-status><cd-error><error-code>0x80230808</error-code><error-literal>[Modify] Failed operation</error-literal></cd-error></export-status>',[count_export_error_retries] = 0,[is_export_error] = 1,[initial_export_error_date] = '2011-02-12 21:36:08.995',[last_export_error_date] = '2011-02-12 21:36:08.995',[export_error_code] = -2145189885,[unapplied_export_batch_number] = 1,[unapplied_export_sequencer_number] = 2162572,[original_export_batch_number] = 1,[original_export_sequencer_number] = 2162572,[current_export_batch_number] = 4,[current_export_sequence_number] = 2216213 where ([object_id] = '6F5C98E3-38FF-4F32-95F6-B5A315B71D7A')

I tried manually adding one of the following values directly to SQL and it worked, so I'm not really sure what's wrong here.

Any ideas?

 

Piotr
