Workflow triggered by selection of selected attributes

February 26, 2015, 2:45 am

≫ Next: eDirectory auxiliary class sync problem

≪ Previous: Have FIM Email notifications display or contain only true boolean values

$

0

0

Hello guys,

I have a customized access rights request form in FIM 2010. This form is filled by users requesting different rights to a number of applications listed. A workflow is triggered when the user clicks on submit button. However, some requested application rights don't need approval from top management.

Is there a way by which picking selected attributes within this resource can trigger different workflows?

That is, if the specific attributes are selected by users, a workflow that includes top management on approvers' list is triggered.

Regards,

Phina.

---

Phina

---

eDirectory auxiliary class sync problem

February 26, 2015, 2:50 am

≫ Next: Change display for custom resorce

≪ Previous: Workflow triggered by selection of selected attributes

$

0

0

Hello guys,

I am trying to sync objects from eDirectory 8.8.5. Everything works fine, I map inetOrgPerson objects to person objects. I discovered if an inetOrgPerson object has an auxiliary class attached in eDirectory it does not get synchronized into the connector space. In case it is referenced by another user or group, a placeholder object is created.

When I remove the auxiliary class, the object gets synchronized fine.

Is there a solution/workaround?

I believe I have the latest hotfix rollup installed, 4.1.3599.0

Thanks,
Csaba

---

Csaba

Change display for custom resorce

February 26, 2015, 3:48 am

≫ Next: Troubleshooting Outlook Add-In - Email is not sent

≪ Previous: eDirectory auxiliary class sync problem

$

0

0

I have created a custom resource in FIM , I have following options to enter - accountname , displayname, domain.

All these are custom attributes binding done to custom resource.

I have created a create RCDC.

Now when I create that resource , after entering details i see following screen

 As you can see display name is no display name.

My question,

1- How do i change this pane to reflect my custom display name , my custom accountname and NOT display name description created time etc ?

2-I don't want creators to put any any display name while creating so display name should be accountname automatically when resource is created.

Please advice.

---

AdiKumar

Troubleshooting Outlook Add-In - Email is not sent

February 26, 2015, 4:40 am

≫ Next: Error when running Fulll Sync

≪ Previous: Change display for custom resorce

$

0

0

I have created a distribution group and try to notify the list owner when somebody wants to join to the group.

The group owner can see the request and approve or deny it from the portal, but no email is sent.

From the server's where the portal is located at evet viewer gives this kind of errors:

The Forefront Identity Manager Add-in for Outlook will not function without required configuration data.

Required configuration data was not found.

Ensure that configuration data is available for the Outlook Add-in either from the application configuration file or via group policy.

---

and

---

The mail sender could not send an outbound email.  This failure indicates a misconfiguration either with the mail server or with the specific mail.  Frequent, repeating instances of this event indicate a failure with the mail server.  If this event occurs alongside event 12, then this event indicates a failure with Exchange. Infrequent instances of this event indicate misconfiguration of individual emails.

The mail server address is incorrect or specific outbound email has invalid data.

Ensure that the mail sender is configured to connect to the correct mail server and that the outbound mail has correct email addresses.
 
The specific exception reported by the mail server:

---

I have tested that exchange works.

Can I somehow check what are the Outlook Add-In's configs?

Do I need a email for the distribution group? It now contains only a email alias?

Outlook Add-In can't find distribution group when trying to join using Outlook.

Error when running Fulll Sync

February 26, 2015, 12:00 pm

≫ Next: Outlook Add-In - Joining group - Not any groups shown

≪ Previous: Troubleshooting Outlook Add-In - Email is not sent

$

0

0

Hi,

I am new to FIM2010 R2. We are going to implement FIM2010R2 Sync services and are testing. The Sync service suddenly stops when we are doing a full sync on a particular MA. Below is error details from Application log:

Faulting Application: miisserver.exe, version: 4.0.3613.0, timestamp:)x546133b4

Faulting module name: clr.dll, version: 4.0.30319.233, timestamp: 0x4d92ed2f

Fault offset: 0x0000000003b18a1

Faulting process id: 0xa88

Faulting application start time: 0x01d051546ce8e460

etc...

I am unable to attach a screen shot at this point as my account is not yet verified.

Can somebody point me in the right direction on why this is happening and what could we possibly do to fix this.

Also i have question on what are latest hot fixes we need to apply for FIM 2010 R2 Sync services.

Thanks,

Bhargavi.

Outlook Add-In - Joining group - Not any groups shown

February 26, 2015, 10:03 pm

≫ Next: system.collections.specialized.stringcollection separator

≪ Previous: Error when running Fulll Sync

$

0

0

When I am trying to join a group using Outlook Add-In I can't see any groups under the join menu. The group exist in the fim portal and I can access to it from the portal. The portal is also able to send for example notification emails.

The picture shows a part from a joining message generated by Outlook. When I press the join button shown in the picture, I can't find any groups from there.

Ok, I can't add any pictures because my account is not verified.

system.collections.specialized.stringcollection separator

February 27, 2015, 5:09 am

≫ Next: ambiguous-import-flow-from-multiple-connectors when running AD MA Full Sync

≪ Previous: Outlook Add-In - Joining group - Not any groups shown

$

0

0

Hi

I have to import an AVP-based file to a FIM management agent. There is a multivalued attribute but I don't know how the format should be of the multivalued attribute in the AVP file. Can you help me with this? What is the default separator and how should it be used?

ty

ambiguous-import-flow-from-multiple-connectors when running AD MA Full Sync

March 1, 2015, 10:03 pm

≫ Next: Exporting Email to SAP Employee

≪ Previous: system.collections.specialized.stringcollection separator

$

0

0

When I run a Full Sync on the AD MA, I get a bunch of "ambiguous-import-flow-from-multiple-connectors" errors when running AD MA. How can I find out which attribute is causing this?

If I open one of the errors and run a "generate preview" I can see there is a join ("match") based on (data asource attribute) samaccountname &  (metaverse attribute)  accountName but I don't seem to be able to figure out what attribute is causing this and / or needs precedence.

Anyone any ideas?

JD

---

Exporting Email to SAP Employee

March 2, 2015, 3:56 am

≫ Next: FIM2010: Filter objects on export

≪ Previous: ambiguous-import-flow-from-multiple-connectors when running AD MA Full Sync

$

0

0

I'm using the Microsoft Web Service MA to synchronize with SAP. I've modified the example workflows for import and can successfully import data from Employee and User objects, but when I try to export an Email to an Employee (again by modifying the example) I'm hitting the following:

"Microsoft.MetadirectoryServices.ExtensibleExtensionException: Sequence contains no matching element ---> System.InvalidOperationException: Sequence contains no matching element

   at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source, Func`2 predicate)

   at Microsoft.VisualBasic.Activities.VisualBasicValue`1.GetValueCore(ActivityContext context)

   at Microsoft.VisualBasic.Activities.VisualBasicValue`1.TryGetValue(ActivityContext context, TResult& value)

   at System.Activities.InArgument`1.TryPopulateValue(LocationEnvironment targetEnvironment, ActivityInstance activityInstance, ActivityContext resolutionContext)

   at System.Activities.ActivityInstance.ResolveArguments(ActivityExecutor executor, IDictionary`2 argumentValueOverrides, Location resultLocation, Int32 startIndex)

   at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityManagement.MA.WebServices.ExportStrategy.PutExportEntries(IList`1 csEntries)

   at Microsoft.IdentityManagement.MA.WebServices.WebServiceManagementAgent.PutExportEntries(IList`1 csentries)

Forefront Identity Manager 4.1.3599.0"

Has anyone seen this before, or got the WS MA to export Email to an Employee?

Ta,

Dave

FIM2010: Filter objects on export

March 2, 2015, 4:07 am

≫ Next: Provision exchange 2013 groups through FIM

≪ Previous: Exporting Email to SAP Employee

$

0

0

 

FIM Community Information Center Article

 

Wiki Page: FIM2010: Filter objects on export

 

Go to the FIM Community Information Center

 

 

Provision exchange 2013 groups through FIM

March 2, 2015, 6:32 am

≫ Next: FIM CM 2010 R2 Smart Card Renew policy, update service creates additional renewal requests

≪ Previous: FIM2010: Filter objects on export

$

0

0

I am using active directory management agent to provision mail enabled security groups in Exchange 2013.

I have selected Provisioning for Exchange 2010 (as suggested on other websites) because we do not have option for exchange 2013. And then in the box => http://{Server-Name}/Powershell

Everything works fine but the group is created as Exchange 2007(our previous version) rather than Exchange 2013. Can anyone help  me on this please.

FIM CM 2010 R2 Smart Card Renew policy, update service creates additional renewal requests

March 2, 2015, 7:27 am

≫ Next: Can't Edit Oracle Management Agent Column Attributes

≪ Previous: Provision exchange 2013 groups through FIM

$

0

0

Hi,

I could use some advice with a smart card renewal issue in FIM CM 2010 R2. (Self-service)

How can I prevent FIM CM update service from creating additional renewal requests for a smart card that was already renewed?

FIM CM update service detects in FIM CM database when a certificate enters its renewal period. When it's time, a renewal request is created and an email with OTP is sent to the user. The user successfully completes the renewal request and all should be OK.

The problem: FIM CM update service will soon (default within 5 hours), re-check for certificates entering renewal. Although the smart card was just renewed, an additional renewal request is created and a new OTP email is sent to the user.
If the user completes also the second renewal request, a third request is generated, and it goes on.

I'm assuming that the still valid, still expiring certificate is re-detected by the FIM CM update service.

The second renewal request can be avoided by enabling "revoke old certificates" in the revokation settings workflow, without delay. This would however make the renewal request creation revoke the certificate. I would prefer to keep the certificate valid until expiry, or revoke it when the request is completed.

Thanks

Can't Edit Oracle Management Agent Column Attributes

March 2, 2015, 8:53 am

≫ Next: Workflow Custom Activity / Set

≪ Previous: FIM CM 2010 R2 Smart Card Renew policy, update service creates additional renewal requests

$

0

0

I'm a FIM newbie and am currently configuring an Oracle Management agent to connect to a view I created on the Oracle DB server.  Everything look good with the exception of my inability to edit any of the column attributes from within the Management Agent Designer.  Specifically the column length.  I need to use a specific field (column) as an anchor, and currently it is too large (DBTYPE_WSTR length 4000).     

Any help will be appreciated.

Workflow Custom Activity / Set

March 2, 2015, 10:07 am

≫ Next: Custom Resources - FIM MA Export failure

≪ Previous: Can't Edit Oracle Management Agent Column Attributes

$

0

0

Hi,

I followed the guidelines from "Create a Logging Custom Activity and Deploy it to the FIM Portal"

 https://msdn.microsoft.com/en-us/library/ff859524.aspx?f=255&MSPPError=-2147217396

and it worked fine with a workflow MPR. I can see the type of the operation performed and the resource attributes that changed.

Now, when I use it on a Set MPR I don´t have the same information. Should I use a workflow MPR for that? I mean to know if a resource in that set had an attribute value change?

Many, many thanks,

DD

Custom Resources - FIM MA Export failure

March 2, 2015, 11:59 am

≫ Next: FIM Metaverse & FIM Service

≪ Previous: Workflow Custom Activity / Set

$

0

0

Hi,

I have some custom resources imported into MV and now, when running FIM-MA Export, those resources are not created.

In the sync service console (operations tab) I can see in the "export errors", this: "...No policy grants the Requestor permission to complete all changes..."

I opened the request in the portal and saw that it has no MPRs in "Applied Policy" Tab.

Although the requests created in the portal UI are succeeded (they have anadmin account and an applied MPR).

What should I do to have the "Built-In syncronization account" be able to create those custom resources?

Please note I'm a developer, not the administrator who created the resources, so walkthrough docs/articles are welcome.

Many thanks,

DD

---

FIM Metaverse & FIM Service

March 2, 2015, 9:46 pm

≫ Next: A user synced from external AD is unabled to access FIM Portal(present in different domain and different forest).

≪ Previous: Custom Resources - FIM MA Export failure

$

0

0

Dear all,

I am trying to sync user from AD01 to AD02 using FIM. I already installed FIM Sync & FIM service

As far as I understand, I need to have 02 MA to connect to AD01 and AD02 and the flow seems to be like this

AD01=====(MA01)=> CS01==> Metaverse ==>CS02=(MA02)=====>AD02

Now I still have no idea to configure them and appreciate someone can hell me some questions

- There is only one Metaverse on FIM Sync?

- How to push user object from CS01 to Metaverse? Is it projection rules?

- How to push Metaverse to CS02 and export them to AD02. Any pre-conditions to be able to create object on AD02

- Anyone have LAB guide for this scenario please send me the link.

Thanks a lot !

A user synced from external AD is unabled to access FIM Portal(present in different domain and different forest).

March 3, 2015, 12:56 am

≫ Next: Error You do not have permission to access this site after creating inbound AD sync rule

≪ Previous: FIM Metaverse & FIM Service

$

0

0

Hi,

In our environment, we have two AD's (Domain A and Domain B) in two different forests. The FIM is located in Domain A. Now, i am trying to sync a user from AD domain B to FIM. I got synced and created at FIM(Domain A). But the domain attribute in FIM is not populating with the external Domain i.e. Domain B, and the user is also unable to access the FIM Portal.

Could you please help me out. Please let me know if any configurations have to be done in FIM portal for an external user to access the FIM portal.

Thanks 

Prasanthi.

Error You do not have permission to access this site after creating inbound AD sync rule

March 3, 2015, 1:11 am

≫ Next: Error FIM Export Users : From Csv file to FIM Portal

≪ Previous: A user synced from external AD is unabled to access FIM Portal(present in different domain and different forest).

$

0

0

Hi all,

i configured an inbound AD sync rule to sync the AD users to FIM, after creating this rule no one can access the portal even the administrator, i receive this error You do not have permission to access this site.

Thanks

---

Teka

Error FIM Export Users : From Csv file to FIM Portal

March 3, 2015, 3:29 am

≫ Next: Reference attributes

≪ Previous: Error You do not have permission to access this site after creating inbound AD sync rule

$

0

0

Hello , I am trying to export My users form a CSV file to FIM Portal so i got the following error messages. 

Does anyone have an idea about what can be the issue 

Best regards 

Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>MailNickname</AttributeType><AttributeValue>michael.jackson@adatum.com</AttributeValue><FailureMessage>Exception: ValueViolatesRegularExpression Target(s): Micheal Jackson
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesRegularExpression
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateObjectAttributes[T](RequestType request, Guid objectIdentifier, String objectTypeName, IEnumerable`1 parameters, OperationType operationType)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateInputRequestCreate(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><AttributeFailureCode>ValueViolatesRegularExpression</AttributeFailureCode><AdditionalTextDetails>The specified attribute value does not satisfy the regular expression.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>6b91286f-4b45-4097-8c1d-38d699a968c5</CorrelationId></RepresentationFailures>

Reference attributes

March 3, 2015, 6:45 am

≫ Next: FIM SSPR and AD password

≪ Previous: Error FIM Export Users : From Csv file to FIM Portal

$

0

0

Guys,

I am trying to figure out what is happening with my custom reference attributes.

I created two custom resource types, coming from a single view, separated by a object type column.

On the customs resource types on Portal:

• Extend Schema on FIM Portal / MV
• Set permissions through MPR
• Set ADM and Non-ADM Filters
• Create Synchronization Acct MPR and give permission on the new resource types
• Configure Search Scope by both
• Configure the Inbound Rule (join by a GUID) and attrib flow on the FIM MA

So, let's Custom1 and Custom2.

On Custom1 I have two reference attributes, one to refer to user EmployeeID and other to reference to Custom2 ID.

When I execute the Sync, the FIM doesn't flow the reference attributes to MV neither FIM Portal, if I open the object and try to fill the attribute with EmployeeID / Custom2 ID, FIM not find the objects.

Any idea?

---

Diego Shimohama