Channel: Forum Microsoft Identity Manager

Extranet Self Service Reset Portal for OTP Mail only via FIM to an untrusted AD

Hi all,

I'm busy with architects designing a new scenario for me in the FIM 2010 R2 Password Reset Portal.
We have an existing FIM setup in our internal corporate AD domain without any existing password reset/registration.

I've got to manage an AD (not domain- or forest-trusted) containing external users (no problem for the AD MA). The idea is to provide the FIM Password Reset Portal functionality to those users (I've got their email addresses):
- Once a new user is created in that separate AD, create an OTP via mail to that user to ask them to set a password.
- Allow the users to ask for an OTP via mail on request (forgot my password) via reverse proxy (extranet scenario).
- There is no functional need for registering secrets in the self service (FIM registration NOT wanted/needed).

I'm not sure before proceeding if this is possible:
- Is only OTP mail possible, without using the registration in FIM? (I think yes.)
- Can I set the password of a user in an external domain, without a trust? This means: does a reset go 100% via FIM, and is there no trust to that domain required somehow in IIS?

I've seen the interesting video http://www.youtube.com/watch?v=T-p41Ze9ewA but I want to be sure.

Thanks for the reply and suggestions
David.
PS: anyone of you ever connected to DB2 on a Mainframe via the FIM DB2 MA?


Problems with Exchange 2010 provisioning

Hi,

We have the basic outbound sync rules for both users and groups, which work great from FIM to AD and vice versa. Then we configured Exchange 2010 provisioning on FIM using the guides found at http://technet.microsoft.com/en-us/magazine/ff472471.aspx, http://bennettadelson.wordpress.com/2012/05/21/fim-2010-with-exchange-2010-configuration-for-provisioning/ and http://fabienduchene.blogspot.fi/2010/02/fim-2010-exchange-2010-provisioning.html, but we haven't got this to work. When using PowerShell as the FIM MA user (remote towards Exchange on http://fqdn/powershell) on its own to enable a mailbox for a user, it works just brilliantly, so I would assume permissions on Exchange for the FIM MA service account are correct, PS remoting is correctly enabled, etc.

When exporting changes on AD MA, we do not get any errors on either application logs at FIM sync server or on the Exchange server. On the Exchange server we can see on the security logs that FIM MA account has indeed logged in while we did the Export on AD MA but no mailbox is created for the synchronized user. While running the export on AD MA, netstat -n shows that connection to Exchange server has been established on port 80.

I think we have gone through most of the forums/posts on internet regarding the Exchange 2010 provisioning on FIM 2010 but we cannot find the root cause for the problem as there are no errors on any logs. Do you guys have any idea what might be wrong and if we should check something on the configurations? Thanks.

-Pappa75 
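
An added check, not part of the post above, that exercises the same path the AD MA uses after an export: FIM's Exchange 2010 provisioning completes mailbox enabling by calling Update-Recipient over the Exchange remote PowerShell endpoint, so running that cmdlet by hand under the FIM MA service account for one user the export just touched shows whether the endpoint, the account and the exported attributes (typically mailNickname and homeMDB) are sufficient. The endpoint URI is the one from the post; the user DN is a hypothetical value for the example.

```powershell
# Added example (not from the post): reproduce what the AD MA does after export.
# Run this under the FIM MA service account on the sync server.
$uri  = 'http://fqdn/powershell'                         # endpoint named in the post
$user = 'CN=Test User,OU=Users,DC=corp,DC=example'       # hypothetical exported user

# Same session type the AD MA opens: Exchange configuration, Kerberos auth
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
                         -ConnectionUri $uri -Authentication Kerberos
Import-PSSession $session -CommandName Get-Recipient, Update-Recipient -AllowClobber | Out-Null

# Before: a user whose mailNickname/homeMDB were exported but whose mailbox is
# still missing shows up here as a plain User rather than a UserMailbox
Get-Recipient -Identity $user | Select-Object Name, RecipientType, RecipientTypeDetails

# What the MA runs after export; an error here is the error the MA would see
Update-Recipient -Identity $user -ErrorAction Stop

# After: RecipientTypeDetails should now read UserMailbox
Get-Recipient -Identity $user | Select-Object Name, RecipientType, RecipientTypeDetails

Remove-PSSession $session
```

If Update-Recipient succeeds interactively but the MA still creates no mailbox, the remaining suspects are the attributes the export actually writes (check the exported object for mailNickname and homeMDB) and the RPS URI configured on the AD MA's Extensions page, since the MA only calls the cmdlet for objects it has just exported those attributes to.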

OTP SSPR greyed out email address not showing

Hi,

According to http://technet.microsoft.com/en-us/library/jj134288(v=ws.10).aspx#email_gate if the SSPR Registration mode is set to Read-Only then the user will be presented with the screen showing them their registered email address in read only/greyed out mode.

However, we have just deployed this solution in both lab and production, and neither displays the greyed-out registered email - has one of the service packs/hotfixes changed this?

thanks,

dw

SUN/Oracle directory user entry DN rename (move)

Hi,

Version FIM2010R2SP1 with latest publicly available hotfix rollup applied.

Use case: A legacy enterprise directory (SUN iPlanet 5.2) has users in different (ou) branches under the same tree depending on their current job. If they are transferred to another part of the organisation in the HR system, the requirement is to move their user entry in this directory into a different ou.

MA/Connector: Out of the box Sun/Oracle directory MA

e.g. (dn) uid=hsmith001, ou=Sales,o=MyOrg.com

moved to:

(dn) uid=hsmith001, ou=Cleaners,o=MyOrg.com

When the export is run to the connected directory, the "move" does actually happen in the connected source (the SUN directory server). So far so good.

The connector space object is now marked as 'Awaiting export confirmation' (which is meant to occur on the next import).

When an import is run, FIM creates a new connector space object with the new (renamed) dn but retains the existing object. At the same time it reports an error "ambiguous-import-flow-from-multiple-connectors" because it is seeing two objects with the same RDN (uid=hsmith). It has marked the original CS object for deletion.

On the next sync, it says it has successfully deleted the original CS object, however it is still there (and with the same anchor guid).

It appears that with this connector connected to Sun Directory v5.1 and newer, you don't get to choose which attribute(s) you use for the anchor: it chooses the dn.

It's puzzling why this issue exists in a technology set that has been around for years, so we are assuming that there is workaround or solution to this problem.

N.B. This problem has been replicated on two completely independent environments by different people in our organisation.

Any help/advice/suggestions would be most welcome.

David.



Get pending operation for a CS object with an export error

I'm writing a PowerShell script that sends a warning email in case an export operation fails with a certain error count (e.g. if an export fails 5 times, probably some manual action will have to be taken in the connected system).

I manage to get the export errors analyzing the xml provided by the RunDetails function of MIIS_ManagementAgent:

$runDetails = [xml]$managementAgent.RunDetails().ReturnValue
$exportErrors = $runDetails.'run-history'.'run-details'.'step-details'.'synchronization-errors'.'export-error'

However, export error details do not include the operation (add, replace, delete) that failed. The xml looks like this:

<export-error cs-guid="{61A544B0-C19F-E311-B753-00155DFF7EED}" dn="316f5dc6-d8ed-460d-a2d4-700775e99055"><date-occurred>2014-02-28 09:21:40.322</date-occurred><first-occurred>2014-02-27 15:46:10.897</first-occurred><retry-count>20</retry-count><error-type>ma-extension-error</error-type><cd-error><error-code>0x80230703</error-code><error-literal>(error message)</error-literal></cd-error></export-error>

I tried checking if the connector space object contains information about the pending operation, but couldn't find it there either.

Is there a method to determine the type of the pending export operation?

I was thinking I could check the UnappliedExportHologram and UnconfirmedExportHologram of the MIIS_CSObject, but I'm not sure that's correct (and maybe there's a simpler way).

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm
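
An added example, not the poster's script, that takes the RunDetails parsing shown in the post one step further: it filters export errors by retry count and then reads the pending operation from the failed object's unapplied export hologram. It assumes that MIIS_CSObject can be queried by Guid in the MIIS WMI namespace and that the unapplied-export hologram carries a `<delta operation="add|update|delete">` element, as in csexport.exe output; the MA name and threshold are placeholders.

```powershell
# Added example (not from the post). Assumptions: MIIS_CSObject is queryable by Guid,
# and the unapplied export hologram contains <delta operation="..."> like csexport output.
$ns        = 'root\MicrosoftIdentityIntegrationServer'
$maName    = 'AD MA'      # hypothetical MA name
$threshold = 5            # alert once an object has failed this many exports

$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$maName'"
if (-not $ma) { throw "Management agent '$maName' not found" }

# RunDetails() describes the MA's most recent run only
$runDetails = [xml]$ma.RunDetails().ReturnValue
$exportErrors = $runDetails.'run-history'.'run-details'.'step-details'.'synchronization-errors'.'export-error' |
    Where-Object { [int]$_.'retry-count' -ge $threshold }

$report = foreach ($exportError in $exportErrors) {
    $guid = $exportError.'cs-guid'
    $cs = Get-WmiObject -Namespace $ns -Query "SELECT * FROM MIIS_CSObject WHERE Guid='$guid'"

    # The pending export lives in the unapplied export hologram; its <delta> element
    # names the operation (assumption: same layout as csexport.exe output)
    $operation = 'unknown'
    if ($cs -and $cs.UnappliedExportHologram) {
        $delta = ([xml]$cs.UnappliedExportHologram).SelectSingleNode('//delta')
        if ($delta -and $delta.operation) { $operation = $delta.operation }
    }

    [pscustomobject]@{
        DN         = $exportError.dn
        Operation  = $operation
        RetryCount = [int]$exportError.'retry-count'
        ErrorType  = $exportError.'error-type'
        ErrorCode  = $exportError.'cd-error'.'error-code'
        Message    = $exportError.'cd-error'.'error-literal'
    }
}

# Hand $report to Send-MailMessage (or just look at it) once something crossed the threshold
if ($report) { $report | Format-Table -AutoSize }
```

Because the hologram reflects the state at the time of the query, read it in the same pass as the run details: a later export or a manual fix in the connected system can change or clear the pending delta.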

Trigger a MPR on a specific time

Hi,

I have a requirement to trigger an MPR at exactly 07h00. Is this possible, and how? I have reviewed some of the articles on this topic, but they concentrate more on a specific date.

I have created a custom workflow activity to send an SMS to a user when a password is about to expire. The TemporalEventsJob runs at 00h00, resulting in the SMS going out at about 01h00 in the morning. I want to change/delay the SMS to 07h00 without changing the schedule of the TemporalEventsJob.

Thanks

Johan Marais


JkM6228

How to create PowerShell variables from a hash table?


How to create PowerShell variables from a hash table?
I get from the function evaluator a hash table that looks like this:

Name                           Value
----                           -----
samid                          123456
pw                             Pa$$1234

I need to convert it into PowerShell variables with values:

$samid = 123456
$pw = Pa$$1234

How to?


GH
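
One way to do the conversion, as an added example that is not part of the post above: a function that creates one variable per key in the caller's scope. It refuses keys that are not plain identifiers and, because the table carries a password, stores any key listed as secret as a SecureString instead of plain text; the hash table below is constructed for the example and the secret-key list is an assumption.

```powershell
# Added example (not from the post). The hashtable mirrors the post's sample values.
$fromEvaluator = @{ samid = '123456'; pw = 'Pa$$1234' }   # constructed sample

function ConvertTo-Variables {
    param(
        [Parameter(Mandatory)][hashtable]$Table,
        [string[]]$Secret = @('pw')    # assumption: keys whose values must not stay plain text
    )
    foreach ($key in $Table.Keys) {
        # Only accept plain identifiers; anything else becomes an awkward, easily misread variable name
        if ($key -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') {
            throw "Refusing to create a variable named '$key'"
        }
        $value = $Table[$key]
        if ($Secret -contains $key) {
            # Keep the password out of plain-text variables, transcripts and Format-List dumps
            $value = ConvertTo-SecureString -String $value -AsPlainText -Force
        }
        # Scope 1 is the caller's scope, so $samid and $pw appear where the function was called
        Set-Variable -Name $key -Value $value -Scope 1
    }
}

ConvertTo-Variables -Table $fromEvaluator

# $samid is now the string '123456'; $pw is a SecureString, which is what
# New-Object PSCredential or Set-ADAccountPassword expect anyway
$cred = New-Object System.Management.Automation.PSCredential ($samid, $pw)
$cred.UserName
```

Set-Variable only binds a name to a value; it never evaluates the value, so an odd string in the table cannot run as code. The name check above is there for readability and to avoid clobbering variables by surprise, not because the value is dangerous.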

How to use FIM web service endpoint using JAVA.

Hi,

I am evaluating FIM 2012 R2 and trying to connect to FIM using Java through the web service exposed by FIM (as per the FIM documentation). I searched for the WSDL of the FIM web service, however no luck on that. Please, someone help me with these issues:

FIM WebService WSDL location?

How to connect FIM using JAVA?


FIM 2010 management agent support Oracle Identity directory OID 10.1.4.2.0


Does FIM 2010 R2 SP1 support OID version 10.1.4.2.0? If there is no support for OID, then what is the alternative for making its connectivity?

You can be our next Spring FIM Guru !!

In the northern hemisphere at least, Spring is here! (apparently)

And at TechNet Wiki, we're hoping you're all hatching new ideas for this month's TechNet Guru competition!

We're looking for more shoots and leaves of wisdom to sprout forth from the great tree of MSDN/TechNet life.

We're also hoping some of our old Guru winners will be coming back out of hibernation and flexing their grey matter!

So, pick up your pen and MARCH into TechNet History! This could truly be the start of something BEAUTIFUL!

What delightful new arrival will YOU be bringing into this world?

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

Configuration for FIM 2010 R2 password registration language pack

Hi,

I am trying to implement the configuration for the FIM 2010 R2 password registration language pack. In my environment the Password Registration and Password Reset portals are working fine, but now I want to implement a multi-language scenario, specifically for the Hindi language. I installed the language pack on the Password Registration and Reset machine and did some configuration for Hindi: first I created one Set, Workflow and MPR for Hindi, and also created a Customization folder in the root directory of FIM Password Registration and Reset, and created a Strings.hi-IN.Resources file in the Customization folder. But this is not reflected in my environment; it takes English by default. So please suggest to me where I am wrong.

Also, please provide some settings for the Hindi language in Internet Explorer (browser).

Regards
Anil Kumar

exported-change-not-reimported for carriage return line feeds

Dear Community,

When exporting to FIM it seems that CRLFs are changed somehow, so that a kind of ping-pong effect may occur between the MV and FIM. Any suggestions on this? I already thought about either getting rid of all of them in the external systems or writing custom sync rules to filter them on the way to the MV (but I would have to enable that for all string attributes...).

Thanks, Rainer

My Group memberships not appearing in portal

New FIM setup, AD imported. Everything seems fine except:

Under My Distribution Lists / My Security Group Memberships, none of the AD groups are listed.
Looking at the groups in the metaverse search in the Sync server, members do appear.

If I manually create a distribution/security group in the portal, it appears in the portal normally. Only the AD-imported groups do not show up for a user. The portal seems to search the computed members field.

Where do I look next?

Dan

FIM 2010 R2 SSPR URL re-direction

Hi

I have a requirement to use a single URL for password registration and reset (FIM 2010 R2).

Requirement: external non-registered users who are trying to reset their password are redirected to the password registration site and then to the password reset site.

Please advise how to achieve this.

Run History - Details


Is there a way to export a specific export run from the run history, along with what specifically was modified, using PowerShell or some other automated way? I have a number of modifications and can't do it manually.
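
An added example, not from the post, that pulls one specific run out of the run history rather than only the latest one: it reads the MIIS_RunHistory WMI class, selects the run by MA name and run number (the number shown in the Synchronization Service UI), and writes the per-step export counters to CSV, then lists the export errors. It assumes MIIS_RunHistory exposes a RunDetails() method returning the same XML layout as MIIS_ManagementAgent.RunDetails(), and that the counter element names are export-add, export-update, export-rename, export-delete and export-failure. As far as I know that XML carries counters and error entries only; the individual objects of a successful export are not listed in it, so the error list is the only per-object detail this script can give.

```powershell
# Added example (not from the post). Assumptions: MIIS_RunHistory.RunDetails() returns
# run-history XML; counter element names as below. MA name and run number are placeholders.
$ns     = 'root\MicrosoftIdentityIntegrationServer'
$maName = 'AD MA'     # hypothetical MA name
$runNum = 42          # hypothetical run number from the UI
$csv    = "C:\Temp\$($maName -replace '\s','')-run$runNum.csv"

$run = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='$maName' AND RunNumber=$runNum"
if (-not $run) { throw "Run $runNum for '$maName' not found in run history" }

$xml   = [xml]$run.RunDetails().ReturnValue
$steps = $xml.'run-history'.'run-details'.'step-details'

# One row per step: result plus the export counters (assumed element names)
$rows = foreach ($step in $steps) {
    $c = $step.'export-counters'
    [pscustomobject]@{
        RunNumber = $runNum
        Step      = $step.'step-number'
        Result    = $step.'step-result'
        Start     = $step.'start-date'
        End       = $step.'end-date'
        Adds      = $c.'export-add'
        Updates   = $c.'export-update'
        Renames   = $c.'export-rename'
        Deletes   = $c.'export-delete'
        Failures  = $c.'export-failure'
    }
}
$rows | Export-Csv -Path $csv -NoTypeInformation

# Export errors are the only per-object entries in the run XML
$steps.'synchronization-errors'.'export-error' |
    Select-Object dn, 'error-type', 'retry-count',
                  @{ n = 'code'; e = { $_.'cd-error'.'error-code' } },
                  @{ n = 'message'; e = { $_.'cd-error'.'error-literal' } }
```

For the objects that were exported successfully, query MIIS_CSObject for the MA and compare the unconfirmed export hologram with the current hologram; the run history itself will not tell you which DNs changed.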


FIM Web Service Connector - how to pass all known employee IDs to the web service?

Hi all,

I'm implementing the web service connector for a customer who has presented an extract to me which expects the employee ID number to be passed in, in order to return the information.

Looking at the samples, I can see examples of paginating through characters and appending a wildcard '*' but that's not an option.  If I, as a one off, specify a valid employee ID, I do get the data, so I know that works.

Setting a paginate depth of 3 and a pattern of "include [0-9]", I can see through a logging activity it paginating through

000
001
...
999

which would achieve what I need through a (very!) brute force method if I was able to increase the depth to 8, but unfortunately (or fortunately!) that's not a valid depth.

Does anyone have any experience of something similar and can we paginate through a list obtained from SQL, for example?

Any assistance would be appreciated.

Many thanks,

Paul.


Problem with Full Import FIM MA

Hello,

I'm a beginner in FIM.

I want to understand why a Full Import for the FIM MA does not import objects. I have these statistics in "Synchronization Statistics":

After Full Sync, I have these statistics:

No projections, no joins? What are the probable causes for that?

Regards

Delegation in FIM 2010

Experts,

Is it possible to delegate a role in FIM 2010?

Say I have a requirement where a manager requests account activation. Initially, from HR, accounts are created in a disabled state.

In case the manager is not present, can the manager delegate this right to some other person?

Kindly suggest.

Thanks,

Mann

Custom FIM BHOLD approval

I am aware of the concept of role approval within FIM BHOLD.
But is there a way to change this? Is it possible to run my own authorization workflow on BHOLD requests?

Thanks, Henry

Unable to Export / Import Google APP MA

I am unable to either export or import from the Google Apps MA.

I get the following error:

The extensible extension returned an unsupported error.
 The stack trace is:

 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: The given key was not present in the dictionary. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
   at FimSync_Ezma.EzmaExtension.OpenExportConnection(KeyedCollection`2 configParameters, Schema types, OpenExportConnectionRunStep exportRunStep)
   --- End of inner exception stack trace ---
   at FimSync_Ezma.EzmaExtension.OpenExportConnection(KeyedCollection`2 configParameters, Schema types, OpenExportConnectionRunStep exportRunStep)
Forefront Identity Manager 4.1.3419.0"

Please help me with this; I tried to google it but could not find a relevant answer.
