Channel: Forum Microsoft Identity Manager

Forefront Identity Manager Service does not start


I have (or had) a functioning FIM environment until yesterday when the FIM Service stopped.  The service will not start automatically and when I try to start it manually I get the error 

"The ForeFront Identity Manager Service service on Local Computer started and then stopped..."

The following entries appear in the error log when I try to restart the FIM Service

  • "Workload Monitor failed to start. Workload Manager functionality will be turned off. As a result, you may notice decreased performance in the FIM portal or in policy application scenarios. The detailed error information is in the following error report. If you correct the underlying error and restart the service, Workload Manager functionality will be turned on."
  • "mscorlib: System.OverflowException: Arithmetic operation resulted in an overflow."
  • "System.ServiceModel: System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My',..."

There are other recent FIM related errors in the Log that are not directly related to restarting the FIM Service but I suspect are associated with the issue. 

  • "mscorlib: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://localhost:5725/ResourceManagementService/MEX that could accept the message. This is often caused by an incorrect address or SOAP action...."
  • "The Forefront Identity Manager Service could not bind to its endpoints.  This failure prevents clients from communicating with the Web services.

    A most likely cause for the failure is another service, possibly another instance of Forefront Identity Manager Service, has already bound to the endpoint.  Another, less likely cause, is that the account under which the service runs does not have permission to bind to endpoints.

    Ensure that no other processes have bound to that endpoint and that the service account has permission to bind endpoints.  Further, check the application configuration file to ensure the Forefront Identity Manager Service is binding to the correct endpoints."

Nothing has changed in the FIM environment except for a reboot of the SQL Server where the FIM DBs live.  Also, we recently updated the cert that is bound to the FIM portal.  However, that happened a month ago and the portal was working fine up until yesterday.  As far as I know no other change has taken place on the server so I am at a bit of a loss to explain what has happened.  Any suggestions would be appreciated.

As an aside, I have seen several posts where people have reported some of the error messages I listed above.  But in all cases, it appears that the issue was associated with SharePoint UPS, which we are not using.

Thanks


SUN/Oracle directory user entry DN rename (move)


Hi,

Version FIM2010R2SP1 with latest publicly available hotfix rollup applied.

Use case: Legacy enterprise directory (SUN iPlanet 5.2)  has users in different (ou) branches under the same tree depending on their current job. If they are transferred to another part of the organisation in the HR system, the requirement is to  move their user entry in this directory into a different ou.

MA/Connector: Out of the box Sun/Oracle directory MA

e.g. (dn) uid=hsmith001, ou=Sales,o=MyOrg.com

moved to:

(dn) uid=hsmith001, ou=Cleaners,o=MyOrg.com

When the export is run to the connected directory, the "move" does actually happen in the connected source (the SUN directory server). So far so good.

The connector space object is now marked as 'Awaiting export confirmation' (which is meant to occur on the next import).

When an import is run, instead of the expected confirmation, FIM creates a new connector space object with the new (renamed) dn but retains the existing object i.e. it doesn't join up the existing object that is awaiting export confirmation. At the same time it reports an error "ambiguous-import-flow-from-multiple-connectors" because it is seeing two objects with the same RDN.

It appears that with this connector connected to Sun Directory v5.1 and newer, you don't get to choose which attribute(s) you use for the anchor - it chooses the dn.

It's puzzling why this issue exists in a technology set that has been around for years, so we are assuming that there is a workaround or solution to this problem.

N.B. This problem has been replicated on two completely independent environments by different people in our organisation.

Any help/advice/suggestions would be most welcome.

David.

 

Can one migrate SSPR without requiring registered users to re-register?


Hi,

Assume a lab environment was used for a SSPR POC (Question & Answer) - Can one migrate a FIM SSPR solution without requiring registered users to re-register?

thanks

dw




FIM authorization and attestation of user access?


Hi,

Does FIM (out of the box) allow for authorization and attestation of user access requests?

thanks

DW

Generic LDAP Connector Issue (Auxiliary class not in schema)


Hello,

I tried the new Microsoft Generic LDAP Connector, but can't see any of the "Auxiliary classes" ... the abstract class "top" is also not in the list of selectable object classes. Any ideas?

BR,

juvi

FIM R2 SP1 & Sharepoint Designer 2013


Hello all,

We installed successfully FIM R2 SP1 on Sharepoint Foundation 2013.

The portal is running and at the first glance it looks fine.

Unfortunately we have no chance to open the FIM site via SharePoint Designer.

We receive the following error message: "Object moved: Object moved to here"

Any ideas or suggestions?

Kind regards Fatih

How can you use Office 365 as FIM Service notification account


Hey All,

As Office 365 is out there and getting popular, I would like to use an Office 365 account EWS endpoint for the FIM portal notification account. This would be excellent, but at the moment it is not documented anywhere. Has anyone experience of the settings needed to do this? I am sure I can change the EWS endpoint in the config file, but due to the nature of the "cloud" I am unsure whether that will change at another time.

Thoughts?

Rob


Requests not generating with Built in Sync Account on FIM Portal


Hello All,

While exporting the attributes to the FIM Portal, for a few attributes the request is not being generated by the built-in sync account, although it was being generated earlier. Has anyone seen a scenario in which the requestor, the built-in sync account, is not able to generate requests in the FIM Portal? Despite this, the attribute's value is being updated for the user in the FIM Portal, and I can see the attribute's updated value, and the time in the metaverse is changed too for the same attribute. As of now I believe that whenever any attribute of a user changes and the requestor is the FIM Portal Administrator/Built-in Sync Account/any other requestor, a request is generated, but in our production environment the requests are not being generated properly when exporting the changes to the FIM Portal, especially from the built-in sync account.

Can anyone help me with this? Quick replies are highly appreciated in advance.

Regards,

Manuj Khurana


Encrypted email notifications

Is it possible to have the email notifications sent by FIM to be encrypted? 

Error in Expected Rule Entry Creation


Hello All,

While exporting a user object in the FIM Portal, I get a few requests having request status "PostProcessingError" which have the display name "Create Person: '' Request". For these requests no ERE is being applied to the object despite the fact that it is coming into the set for the MPR having transition-in, and due to this I have to manually add the ERE to it.

When I open the request I see the error message "An unexpected error occurred when trying to create the Expected Rule Entry. Inspect the error logs for more information." but whenever I search the logs in Event Viewer, I am not able to fetch any log for the same.

Kindly suggest; all responses would be highly appreciated.

Please note: This does not always occur; it happens randomly in the production environment.

Regards,

Manuj Khurana

Users cannot access the FIM Portal unless they are a member of the local Group "Users" on the FIM Service server


Hi,

I have an FIM 2010 R2 SP1 install on Windows 2012 infrastructure using SharePoint 2013.  Roles are broken out so I have a separate server for FIM Service, FIM Sync and SQL backend.

I have populated users as required but they cannot access the FIM Portal unless they are members of the local security group "Users" on the FIM Service server itself.  When not added to this group they get prompted for credentials repeatedly and after entering them repeatedly then I receive a message from the below link

"https://idmportal.company.com/_layouts/MSILM2/ErrorPage.aspx

Unable to process your request"

Once I add the user into the "Users" group on the FIM Service server then the user logs in with no issues.

Has anyone else come across this issue?

Thanks,

B

XMA exceeding the configured page size


I've developed a call-based ECMA2.0 xma that gets a load of users from a web-service and for the full-import builds a ~3600 user list of CSEntryChange objects which are added to the GetImportEntriesResults object that's returned to the sync engine.

I've got a full-import (stage only) run profile with default values and when running the xma, which builds the list of users as expected, I get a "stopped-ma" error in the sync engine and then the following item in the event log:

The server encountered an unexpected error while performing an operation for a management agent.
 
 "3459 objects were returned on import, exceeding the configured page size in the Run Profile of 0. Only the first 0 objects were processed. Import aborted."

Looking at the http://technet.microsoft.com/en-us/library/hh859479(v=ws.10).aspx walk-through guide, I've followed it and even put in their values for the page-size properties (which seem very low to me) and even tried configuring the page-size of the run profile, though this doesn't seem to have any effect.

I'd like an unlimited page-size so it can handle any number of users, which I thought the default run profile value of 0 would be.

Does anyone know what I'm doing wrong?

PowerShell MA: Cannot bind argument to parameter 'String' because it is null.


Hi,

I'm trying to get started with the PowerShell MA. I successfully installed the MA, and am trying to run the sample O365 scripts that were made available with the MA. I am able to successfully run the Import.ps1 script from the PowerShell ISE, and see my users in my O365 tenant, but when I try to run a Full Import on my PowerShell MA, it fails with "stopped-extensible-extension-error". In Event Viewer, I see a number of errors and warnings, one of which says "Cannot bind argument to parameter 'String' because it is null."

Any ideas? Thanks in advance. The full script is below (scrubbed):

param
(
    $Username = "admin@tenant.onmicrosoft.com",
    $Password = "password"
)

Import-Module MSOnline -Force

$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword

Connect-MsolService -Credential $Creds

$Threshold = 0

$users = Get-MsolUser -MaxResults 20000 | Where-Object { ($_.isLicensed) -and ($_.UserPrincipalName -match 'contoso.com$') }

if ($Users.Count -lt $Threshold)
{
    throw "Less users than expected returned from MSOnline"
}

#Always pass objects as hash table in pipeline
foreach ($User in $Users)
{
    $obj = @{}
    $obj.Add("Id", $User.UserPrincipalName)
    $obj.Add("objectClass", "user")
    $obj.Add("IsLicensed", $User.IsLicensed)
    $obj
}

How to dereference objects during export flow


Hello!

I would like to export information from a referenced object during export flow but the referenced object is not part of the connector space object of the affected management agent. This is my demo configuration:

testEmployeeData:
- employeeId (anchor)
- personId (reference to testPerson object)
- telephoneNumber
- uid

testPerson:
- displayName
- givenName
- sn
- uid (anchor)
- employeeData (multi-value reference to testEmployeeData records; can be null)

I have an SQL agent ("HR") that imports person and employeeData objects into the metaverse. The references seem to work as I can see them in the Sync Service Manager and they point to the right objects too. Now I would like to access some of the referenced objects' data during export attribute flow. I have configured an export-only "Persons" agent that should export the personal data into an attribute-value file. This is what I would like the export flow to look like:

displayName <- testPerson.displayName
employeeId (multi-value) <- testEmployeeData.employeeId (*)
firstName <- testPerson.firstName
lastName <- testPerson.sn
uid <- testPerson.uid

The problem is now the advanced attribute flow marked with (*). The testPerson.employeeData field contains a multi-valued reference to all matching employeeData records which contain the employeeId. The output file should contain all matching employeeIds instead of the reference values (GUIDs) but I can't get this to work. When I try to configure an advanced export flow rule flowing testPerson.employeeData to person.employeeId I just receive an error message stating that metaverse reference attributes cannot be defined as source attributes.

Do I have to create an appropriate connector space object for this to work? Or is there some other way to dereference objects in order to get certain attributes? By the way, the person connector space object in the "Persons" agent is created by provisioning code based on testPerson metaverse objects.

Regards,

Philipp

Spread the Love! Be our FIM TechNet Guru, this Valentine's


TechNet loves you!

 

We love your contributions at TechNet Wiki sooo much that we give you more than just love in return...

We give you NOTORIETY, GLORY... and VIRTUAL MEDALS!

That's not all, this love we have, together, it flows both ways my friend.

You give us stuff, we give you stuff, like interviews, recognition points, Ninja Belt rankings, and of course front page love!

If the love is strong enough, who knows where it could end! We may even invite you into secret clubs and other initiatives.

So why not spread the love a little further this Valentines, with more than just a cheap card from the highstreet...

Express your love for your favourite technology in a TechNet Wiki article!

Pour your heart out to us, capture our hearts and woo us with your prowess!

 

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.



What is the Behavior.Navigation URL for creating navigation bar links for search scopes for security group and distribution groups?


...the search scope is used to subset the SGs and DGs. The search scope itself shows expected results. The search scope filter used is: /Group[Type='Security' or Type='MailEnabledSecurity'][(Domain = 'DomainX') or (Domain = 'DomainY')]

Tried the following, with the GUID being the resource ID from the search scope for security groups:

~/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60

~/IdentityManagement/aspx/groups/Groups.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60

Thanks

 

FIM Portal Email Templates


I have a requirement to use a multi-valued attribute in the body of an email template. Currently if I just inject the values from the attribute using the default method I get a jumbled mess of data.

What I would like to do is format the data from the multi-valued attribute to make it more readable by adding a CR/LF between each value in the list e.g.

Table Heading1:    Multi-valued attribute, text string1

                           Multi-valued attribute, text string2

                           Multi-valued attribute, text string3

                           ...

So far I cannot see how this can be achieved as any substitutions I make to try and add CR/LF or even make any change to the data seems to be ignored.

 

Is there any way to achieve this?

 

Thanks

CV

 

 

Distribution List & Members & E-mail


Hi there,

I have a scenario- How to do that activity?

DL : DG1 , DG2 , DG3 (all have email attribute's value)

Members : M1,M2,M3,M4,M5

DLs | Members

DG1 | M1,M2

DG2 | M1,M3,M5

DG3 | M3,M4

I want ONLY M1,M3 members can SEND E-MAILS to DLs(DG1,DG2,DG3).

How to perform that activity?

FIM for System Access Management


Hi All,

New to FIM - so, apologies for asking if it has already been answered elsewhere.

I have an understanding to some level of what FIM architecture components are.

I have a particular scenario and I wanted to discuss if and how FIM can support it please.

If there is an internal system within the company, let us say a web application with SQL server database.

Assume the users for this application are managed locally in the database in a users table.

The web application has a module for user management that admins can use to manage users.

Let us assume the account on the system consists of account name, password, profile and a set of 10 roles that user can choose from.

If I want to use FIM to manage user access to this system (and get rid of admin function on the application itself), will I be able to create a system on FIM portal with add, modify, delete and password reset functions, so that users can make applications accordingly? I would like to use FIM's built in application forms, workflow, approval processes and I am ready to build a custom adaptor that synchronization service will use to call a user management web service written by the developers of this application.

Users don't get access to this application by default. They only apply if their job requires them to.

Please advise.

Regards,

Ajay Suri

Lotus Domino Connector Logging


Hi,

I have been trying to enable the Lotus Domino Connector  (build  5.3.721.0) to log detailed information into some place. I've seen that this latest build switches to ETW logging. So I've added the following to the miiserver.exe.config file in the system.diagnostics/sources section:

                   

<source name="ConnectorsLog" switchValue="Verbose" switchType="System.Diagnostics.SourceSwitch">
  <listeners>
    <add name="LotusNoteTextTraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\temp\notesconnector.log" />
  </listeners>
</source>

Unfortunately that is not working. I also tried event logging, but that didn't work either. Can anyone point me in the right direction?

Thanks in advance
