Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

HTTPS url rewrite seems to break request approvals


I have an issue where I cannot approve or reject an approval. Initially I thought there was something wrong with my MPRs (see https://social.technet.microsoft.com/Forums/en-US/b24c7776-d5bc-4412-b4d2-a59e48f864a5/unable-to-approve-request?forum=ilm2) but it turns out it is an issue when using HTTPS to the FIM portal.

What happens is that someone can go into the page to approve / reject their request but they can't click on the approve/reject icon. The icons are there but nothing happens.
They do this using an HTTPS link (e.g. https://identityserver.com).

When I do this from the local FIM server using their account it works.

If I disable the HTTP-to-HTTPS rewrite rule on the FIM server and use e.g. http://servername the approve/reject buttons work.

The FIM portal has a binding for https to hostname https://identityserver.com and port 443. This all seems to work as you can get to the FIM portal from external but as I said, some things don't seem to work.

I set up an alternate access mapping in SharePoint as follows:
Internal URL: https://identityserver.com
Zone: Custom
Public URL for zone: https://identityserver.com

What am I missing???


Add user to group by email address

We have manually managed distribution groups, so our group owners log on to the portal and manually add/remove their users. Currently when they add a user, they can only use Display Name or account name to resolve the user. They want to be able to resolve a user by email address. How can I do this?

Customize FIM Portal

Hi, I want to customize my FIM portal. I have one portal for admins and user profiles, and I want one portal for the FIM service desk so that they can access "Administration" in the FIM portal. The service desk users are not simple users; they need more rights, but they are not admins, so I have to reduce the items in the menu they can see. Can someone help me please?

FIM Portal Groups - Change from criteria based to manual


Hi,

I have groups in FIM portal that are criteria-based.

I need to change those groups to manual in order to add/remove users from them via my code with RMGroup resourceType.

I can't use XPath filters anymore because it will be quite complex and FIM doesn't accept it.

I tried, in code, removing the filter, setting an empty filter, setting MembershipLocked to false... everything.

I always get the error "Policy prohibits the request from completing", so I still can't add/remove users to the groups.

If I change the group from criteria-based to manual in the UI, it works, but the code is calling the FIM web services using the same credentials I use to access the portal.

How can I do it programmatically?

Help is really appreciated,

Many thanks,

DevDiver

Password Sync Problem after applying Patch 4.1.3613.0


We are having a password sync problem after putting on hotfix 4.1.3613.0 (http://support.microsoft.com/kb/3011057). Originally we were on 4.1.3441.0. We put on 2 patches to bring us to the latest patch: 4.1.3510.0, then 4.1.3613.

Structure of AD is:

company.com (forest)
    d1.company.com (domain)
    D2.company.com (domain)

FIM Sync is in d1.company.com

All the accounts from d1.company.com are syncing. The accounts from d2.company.com are failing.

We receive the error 6914 The connection from a password notification source failed because it is not a Domain Controller service account.

In the notes on the hotfix

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Password Change Notification Service (PCNS)

Issue 1

The following error message is logged:

6914 The connection from a password notification source failed because it is not a Domain Controller service account.


After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID

Error in FIM SYNC

6914 error

The connection from a password notification source failed because it is not a Domain Controller service account.

Domain: d2.company.com

Server: x.x.x.x

6915 error

An error has occurred during authentication to the password notification source.

 "ERR_: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11691): gethostbyaddr failed with 0x2afc

BAIL: MMS(6872): d:\bt\35150\private\source\miis\shared\utils\libutils.cpp(11693): 0x80004005 (Unspecified error)

BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(316): 0x80070534 (No mapping between account names and security IDs was done.): Win32 API failure: 1332

BAIL: MMS(6872): d:\bt\35150\private\source\miis\password\listener\pcnslistener.cpp(570): 0x80070534 (No mapping between account names and security IDs was done.)

Forefront Identity Manager 4.1.3613.0"

The error we are getting when a user from d2.company.com tries a sync

ERROR IN PCNS

Log Name:      Application
Source:        PCNSSVC
Date:          3/10/2015 9:19:08 AM
Event ID:      6025
Task Category: (4)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      box.d2.company.com
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.  
Thread ID: 3704 
Tracking ID: 19657b31-4547-4f18-94c3-e85adc1d0700 
User GUID: 99de63a6-9e09-4906-9515-bb4ba0a2c5d6 
User:          LOCB\user 
Target: FIMProd1 
Delivery Attempts: 1135 
Queued Notifications: 1 
0x00000005 - Access is denied.

LOCB netbios resolves to d2.company.com

LOCA netbios resolves to d1.company.com

C:\>setspn -l LOCA\_FIMSyncService
Registered ServicePrincipalNames for CN=_FIMSyncService,OU=Sec,OU=SA,OU=Resource Management,DC=d1,DC=company,DC=com:
        PCNSCLNT/fim2
        PCNSCLNT/fim2.d1.company.com
        PCNSCLNT/fim1
        PCNSCLNT/fim1.d1.company.com

--------------------------------------------------------------------------------------

C:\Program Files\Microsoft Password Change Notification>pcnscfg list

Service Configuration
  MaxQueueLength........: 0
  MaxQueueAge...........: 345600 seconds
  MaxNotificationRetries: 0
  RetryInterval.........: 60 seconds

Targets
  Target Name...........: FIMProd1
  Target GUID...........: 4C72BA98-8414-476B-80BF-6D9045EFCF39
  Server FQDN or Address: fim1.d1.company.com
  Service Principal Name: PCNSCLNT/fim1.d1.company.com
  Authentication Service: Kerberos
  Inclusion Group Name..: LOCB\Domain Users
  Exclusion Group Name..:
  Keep Alive Interval...: 0 seconds
  User Name Format......: 3
  Queue Warning Level...: 0
  Queue Warning Interval: 30 minutes
  Disabled..............: False

Total targets: 1

The password sync has been working for years; now it is throwing this error. Does anyone have clues to the problem with the hotfix?

We have looked at trying to resolve 6025 errors using http://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx but there are no issues here.
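Two of the symptoms quoted in the post above can be checked independently of the hotfix: the listener trace's "gethostbyaddr failed with 0x2afc" (0x2AFC is Winsock error 11004, WSANO_DATA, i.e. the DC's address has no reverse DNS record), and whether the SPN that "pcnscfg list" names for the target is actually registered on the FIM Sync service account. The PowerShell below is an added example, not code from this thread or from Microsoft; it is meant to run on the FIM Synchronization Service host, and the DC address, SPN and DC name at the bottom are placeholders taken from the post.

```powershell
# Added example, not from this thread or from Microsoft: prerequisite checks for
# the PCNS -> FIM Synchronization Service path, run on the FIM Sync host.
# The address, SPN and DC name used at the bottom are placeholders from the thread.

function Test-PcnsReverseDns {
    # The listener trace shows "gethostbyaddr failed with 0x2afc".
    # 0x2AFC is Winsock error 11004 (WSANO_DATA): the DC's address has no PTR record.
    param([Parameter(Mandatory)][string]$DcAddress)
    try {
        $entry = [System.Net.Dns]::GetHostEntry($DcAddress)
        [pscustomobject]@{ Address = $DcAddress; Resolved = $true;  HostName = $entry.HostName; Error = $null }
    }
    catch [System.Net.Sockets.SocketException] {
        [pscustomobject]@{ Address = $DcAddress; Resolved = $false; HostName = $null; Error = $_.Exception.Message }
    }
}

function Test-PcnsSpn {
    # The "Service Principal Name" in pcnscfg list must be registered on the
    # FIM Sync service account; setspn -Q searches the forest for it and prints
    # "Existing SPN found!" when it is.
    param([Parameter(Mandatory)][string]$Spn)
    $output = & setspn.exe -Q $Spn 2>&1
    [pscustomobject]@{
        Spn        = $Spn
        Registered = [bool]($output -match 'Existing SPN found')
        Detail     = ($output | Where-Object { $_ -match '^\s*CN=' }) -join '; '
    }
}

function Get-PcnsDeliveryFailures {
    # Event 6025 from source PCNSSVC on the DC (as quoted in the thread);
    # "0x00000005 - Access is denied" in its message means the target rejected
    # the delivery rather than the queue timing out.
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'PCNSSVC'
        Id           = 6025
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ Name = 'AccessDenied'; Expression = { $_.Message -match '0x00000005' } },
                      @{ Name = 'Target';       Expression = { if ($_.Message -match 'Target:\s*(\S+)') { $Matches[1] } } }
}

# Placeholders from the thread; replace with your own values.
Test-PcnsReverseDns -DcAddress 'x.x.x.x'                | Format-List
Test-PcnsSpn        -Spn 'PCNSCLNT/fim1.d1.company.com' | Format-List
Get-PcnsDeliveryFailures -DomainController 'box.d2.company.com' | Format-Table -AutoSize
```

If Test-PcnsReverseDns reports Resolved = False for a d2 domain controller while the d1 controllers resolve, the listener's name lookup is the first thing to fix; the SPN check only confirms that the target line in pcnscfg matches what is registered on the _FIMSyncService account.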


Be our next Spring FIM Guru!

In the northern hemisphere at least, Spring is here! (apparently)

And at TechNet Wiki, we're hoping you're all hatching new ideas for this month's TechNet Guru competition!

We're looking for more shoots and leaves of wisdom to sprout forth from the great tree of MSDN/TechNet life.

We're also hoping some of our old Guru winners will be coming back out of hibernation and flexing their grey matter!

So, pick up your pen and MARCH into TechNet History! This could truly be the start of something BEAUTIFUL!

What delightful new arrival will YOU be bringing into this world?

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker



#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

SQL Agent missing in the "Create Management Agent" view


Hi,

We've set up a SharePoint 2013 Server, which usually comes with FIM 2010 Sync Manager. We would now like to add a synchronisation of our AD to an SQL table as outlined here:

https://technet.microsoft.com/en-us/library/ff608275%28v=ws.10%29.aspx

But in the list of Management Agents, SQL Server is missing.

We do not own a dedicated FIM 2010 license. Is the SQL Server Management Agent only part of the full version of this product or can we add the SQL Agent by downloading some add-on or upgrading to FIM 2010 R2?

Thanks for your help, Tom.

Synchronisation rule WF parameters


Hello, 

I have a CSV management agent in export mode. 

I want to export some information about data referenced on the user; let me explain.

In the FIM portal a user has an organisation, which is a custom object in FIM and is not synchronized. This organisation has a name.

I want to export this information in the users' file.

In the synchronisation rule I add a workflow parameter, and in the workflow that adds the synchronisation rule I add the calculation of this workflow parameter.

I have an issue: when I change the organisation on the user, the organisation name in the file does not change and keeps the old value.

It seems like it works only when the synchronization rule is added. The workflow that adds the synchronization rule is based on a set transition.

Any idea?

Regards



extension-attribute-not-present error - but the attribute is still present in the MV?


I've a CSV MA which pulls in information for accountName, start date, end date and a few other bits and pieces. I provision the user to the FIM portal and I provision them to ADMA. I am using a rules extension to provision to AD. 

If the record for the user disappears from the CSV MA, I just want that to affect the CSV MA CS and not make any changes to the metaverse so I have ensured "Do not recall attributes contributed by objects from this MA when disconnected" is NOT checked.

However, when I remove a user's record from the CSV MA and run a FIFS on the CSV MA, I get an "extension-attribute-not-present" error which points to a line of code in MVExtension.dll referencing mventry("accountName").Value. Checking the metaverse, the accountName attribute is still present, and without ticking the 'do not recall' checkbox I'm not sure why this happens.

What am I misunderstanding about this process? 

Thanks.

Customize User creation Webform

Hi everybody, I want to customize the user creation webform in the FIM portal. Can someone help me please?

FIM Service Management Agent error Export


Hello!

Please help me solve a problem that started after upgrading FIM: the FIM Service Management Agent stopped working during the Export action.

In the event log there are two entries. What should I do?

The management agent controller encountered an unexpected error.

 "BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\manhost\manhost.cpp(1357): 0x80230709 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\nathost\nathost.cpp(767): 0x80230020 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\cntrler\cntrler.cpp(3621): 0x80230020 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\manhost\manhost.cpp(2133): 0x80230709 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\nathost\nathost.cpp(870): 0x80230709 (unable to get error text)
Forefront Identity Manager 4.1.3613.0"

The management agent "Sync with FIM DB" failed on run profile "Export" because the server encountered errors.


SHA1 deprecation and impact on FIM CM?


Hi,

On November 12, 2013, Microsoft announced that it's deprecating the use of the SHA-1 algorithm in SSL and code signing certificates. The Windows PKI blog post "SHA1 Deprecation Policy" states that Windows will stop accepting SHA-1 end-entity certificates by January 1, 2017, and will stop accepting SHA-1 code signing certificates without timestamps after January 1, 2016. This policy officially applies to Windows Vista and later, and Windows Server 2008 and later, but it will also affect Windows XP and Windows Server 2003.

What does this mean to our FIM CM infrastructure?

  1. If we update our FIM CM integrated CA to use SHA-2, will FIM CM continue to work as usual?
  2. Will we need to update anything on the FIM CM server (like update the fingerprint? or anything else?)
  3. Will we need to renew all our Smart Cards, or will they continue to work?

Thank you,

SK

FIM Powershell Password Reset Workflow


Hello All,

I'm trying to use the FIM portal in order to allow the helpdesk to reset a user's password when the end user calls the helpdesk, but I am running into an issue with the PowerShell workflow.


Currently I have added a boolean attribute called "PasswdReset" and bound it to the user type.
Created a criteria-based set called "PasswordResetUsers" which users transition into when PasswdReset is set to true.
Created a workflow called "PasswordResetWF" which is made up of several steps:
1. The PowerShell activity, which executes the following script:

Import-Module ActiveDirectory
$newpwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
Set-ADAccountPassword SampleUser -Credential domain\administrator -NewPassword $newpwd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True

Here lie the problems:
First, how do I pass the sAMAccountName of the user to the PowerShell script to replace the SampleUser parameter?
Second, how do I force this script to run as domain\administrator without prompting for a password?

The rest of the workflow is as follows.
2. Trigger a custom email notification to a monitored email account for logging purposes.
3. Trigger a custom email notification to the Helpdesk-monitored email account to generate a support ticket. 
4. OOB function to set "PasswdReset" attribute to false and transition the user out of the "PasswordResetUsers" set.

As always any suggestions would be greatly appreciated. 
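The two problems in the post (getting the target's account name into the script, and running it without an embedded admin credential) are usually solved by letting the workflow host's own identity do the reset and by treating the account name as a script parameter. The script below is an added example, not the poster's script and not a Microsoft sample. It assumes the PowerShell activity hands the target user's AccountName to the script as the -AccountName argument (how a parameter reaches the script depends on which activity is in use), and that the account the FIM Service runs under has been delegated "Reset password" on the users OU, so the script never needs domain\administrator. It also replaces the fixed "P@ssw0rd" with a random one-time password, since a known fixed value is usable by anyone who reads the workflow definition.

```powershell
# Added example (not the poster's script and not a Microsoft sample): a reset
# script shaped for a FIM PowerShell workflow activity. Assumptions: the activity
# passes the target user's AccountName as -AccountName (how a parameter reaches
# the script depends on the activity in use), and the identity the workflow runs
# under (the FIM Service account) has been delegated "Reset password" on the
# users OU, so no credential is embedded in the script.
param(
    [Parameter(Mandatory)][string]$AccountName,   # target's sAMAccountName, supplied by the workflow
    [int]$PasswordLength = 16
)
Import-Module ActiveDirectory

function New-TemporaryPassword {
    # Cryptographically random one-time password from a 64-symbol alphabet
    # (64 divides 256, so 'byte mod 64' introduces no modulo bias).
    param([int]$Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    if ($alphabet.Length -ne 64) { throw 'alphabet must have exactly 64 symbols' }
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-HelpdeskPassword {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Length = 16)
    $user   = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    $plain  = New-TemporaryPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Runs as the workflow's own identity; -Reset does not require the old password.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
    # Force the user to replace the temporary password at next logon.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
    # Return what the follow-up steps need. The password is handed to the user
    # out of band; it must not go into the notification mails or any log.
    [pscustomobject]@{
        AccountName       = $user.SamAccountName
        ResetAt           = (Get-Date).ToString('o')
        TemporaryPassword = $plain
    }
}

Reset-HelpdeskPassword -SamAccountName $AccountName -Length $PasswordLength
```

With this shape the email steps 2 and 3 of the workflow can reference the account name and reset time from the returned object, while the temporary password itself stays out of the logging mailbox and the ticket.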



Fim failed to Export to FIM DB


BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\manhost\manhost.cpp(1357): 0x80230709 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\nathost\nathost.cpp(767): 0x80230020 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\cntrler\cntrler.cpp(3621): 0x80230020 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\manhost\manhost.cpp(2133): 0x80230709 (unable to get error text)
BAIL: MMS(6888): d:\bt\35150\private\source\miis\ma\managed\nathost\nathost.cpp(870): 0x80230709 (unable to get error text)
Forefront Identity Manager 4.1.3613.0

This happens every time I run the Export to FIM DB task (it finishes with the "stopped-server" state).


Be real

Can the user unlock his AD account in FIM 2010 R2


Hi all

Can a user unlock his AD account from the FIM portal?

Thanks


Teka


FIM SCOM Management Pack


Hi,

Whilst a FIM SCOM Management Pack exists, it is pretty basic.

It also seems to be a FIM 2010 MP, and not FIM 2010 R2?

Does anyone have perhaps a list of the most recommended things to monitor in FIM so that we can configure the FIM SCOM MP?

Thank you,

SK

Operations and Request History?


Hi,

How do I see what the default retention value is for the FIM Sync Operations tab? Was it 30 days? How do we confirm this and how do we change this?

Also, the FIM Portal 'Search Requests' also has a retention value; was it 14 days? How do we confirm this and how do we change this?

Thanks,

SK

How do I add my Custom Workflow Activity to FIM 2010 R2 SP1 installed on Windows 2012 server?


Hellos.

I have tried and failed to add my custom.dll into the Windows Server 2012 GAC.

We have a version of FIM 2010 R2 SP1 running on Windows Server 2008 R2 and that was no problem. There seemed to be a gacutil.exe present on the system which added my assembly.

I cannot find gacutil.exe on the Windows 2012 Server.

I have downloaded and installed Windows SDK for Windows 8. However, when I try the gacutil.exe /i <myCustom.dll> nothing seems to happen.

Are there any guidelines how to add custom workflow activities to FIM when installed on a Windows Server 2012 system?

TIA

*HH
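Windows Server 2012 does not ship gacutil.exe, but the .NET Framework itself carries a GAC installer in System.EnterpriseServices.Internal.Publish, which PowerShell can call directly. The script below is an added example, not from this thread or from Microsoft documentation; the assembly path is a placeholder. It also checks the one thing that most often makes "gacutil /i" appear to do nothing, a DLL that is not strong-named, and verifies the result instead of trusting the call, because GacInstall does not throw on failure.

```powershell
# Added example, not from this thread or from Microsoft: put a custom workflow
# activity assembly into the GAC on Windows Server 2012 without gacutil.exe, using
# the .NET Framework's own System.EnterpriseServices.Internal.Publish class.
# Run from an elevated PowerShell session; the path argument is a placeholder.
param([Parameter(Mandatory)][string]$AssemblyPath)   # e.g. C:\FIM\Activities\myCustom.dll (placeholder)

function Install-AssemblyToGac {
    param([Parameter(Mandatory)][string]$Path)
    $fullPath = (Resolve-Path -Path $Path).Path
    $name     = [System.Reflection.AssemblyName]::GetAssemblyName($fullPath)

    # The GAC only accepts strong-named assemblies; a missing public key token is
    # the usual reason "gacutil /i" appears to do nothing.
    $token = $name.GetPublicKeyToken()
    if (-not $token -or $token.Length -eq 0) {
        throw "$fullPath is not strong-named; sign it with a key pair before installing."
    }

    Add-Type -AssemblyName System.EnterpriseServices
    $publisher = New-Object System.EnterpriseServices.Internal.Publish
    $publisher.GacInstall($fullPath)   # does not throw on failure, so verify explicitly

    # Verify by loading the assembly by its full name: with the DLL outside this
    # session's probing path that only succeeds from the GAC, and
    # GlobalAssemblyCache records where the loaded copy came from.
    try {
        $loaded = [System.Reflection.Assembly]::Load($name.FullName)
    }
    catch [System.IO.FileNotFoundException] {
        throw "GacInstall did not install $($name.FullName); check the Application event log."
    }
    [pscustomobject]@{
        Assembly = $name.FullName
        InGac    = $loaded.GlobalAssemblyCache
        Location = $loaded.Location
        TokenHex = ($token | ForEach-Object { $_.ToString('x2') }) -join ''
    }
}

Install-AssemblyToGac -Path $AssemblyPath
# Restart the Forefront Identity Manager Service afterwards so it loads the new
# assembly (service name FIMService):  Restart-Service -Name FIMService
```

Run it as `.\Install-Activity.ps1 -AssemblyPath C:\FIM\Activities\myCustom.dll` (placeholder path) from an elevated prompt; the returned object's InGac field should read True and Location should point under the GAC directory rather than at the original file.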

Using a custom expression in the recipient field of an email notification workflow in FIM


Experts,

We have a requirement wherein we need to send a mail notification to the manager while creating a new user account.

Problem is currently FIM is not integrated with exchange hence email of the users is not present in FIM.

So we need to email using employeenumber@domain.com.

Basically I want to send mail to user's manager using manager's employee number.

When, in the workflow, I use [//Target/Manager] as recipient, it gives me a postprocessing error about not finding the email address, which is expected.

I thought of using something like [//Target/Manager/AccountName]+"domain.com" in the email workflow.

It is not letting me save. How can I put something custom in the recipient field of the email workflow?

Thanks,

Mann

FIMSynchronizationService Event ID 6313


Hello,
I installed and configured DirSync v1.0.7020.0 on Windows Server 2012 R2. All is working fine, but every time the Forefront Identity Manager Synchronization Service is restarted, these errors appear under the Application log:

  • Source: FIMSynchronizationService
  • Event ID: 6313
  • Description: The server encountered an unexpected error creating performance counters for management agent "Active Directory Connector". Performance counters will not be available for this management agent.

  • Source: FIMSynchronizationService
  • Event ID: 6313
  • Description: The server encountered an unexpected error creating performance counters for management agent "Windows Azure Active Directory Connector". Performance counters will not be available for this management agent.

I already followed these links without any success:

If I run perfmon, these are performance counters already present (regarding DirSync):

  • FIM 2010: Connector Space
  • FIM 2010: Management Agents
  • FIM 2010: Synchronization Engine

Could you help me?

Thank you,
Luca


Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.
