Channel: Forum Microsoft Identity Manager

Attribute precedence


Hello,

I have some issues with precedence.

I have this situation:

MA1 -> MV -> FIM Portal
Att1 -> mvAtt1 -> prtAtt1

MA2 -> MV -> FIM Portal
Att2 -> mvAtt1 -> prtAtt1

In flow precedence I have this for mvAtt1: (MA1, MA2).

When I run an import from MA2 first, then run a sync and an export to FIM, I get "skipped-not-precedent"?

Can someone explain this to me? And how can I manage this?

Thanks 

Regards


Sync errors using ADDSync


We are trying to get ADDSync to work with Office 365.


servers: Windows 2012 r2


Environment: ADDSYNC

Cloud Service: Office 365

Federated Domain Services are setup and working


Our ADDSync (used to be DirSync) isn't running properly anymore. We deleted a ton of test accounts, but some of them still exist only in the metaverse; they are gone in Office 365 and in our local AD. How do we get rid of them? They are getting sync-generic-failures. I've tried a full sync on both connectors but each time it gives sync-generic-failure. How do I remove the items from the metaverse? There are about 1400 accounts that only exist in the metaverse. They are no longer in Active Directory or in the cloud. I've asked around the Office 365 forum but no one seems to know how to get rid of the accounts from the metaverse.


Thanks,


Mike

Generic SCIM connector


Will MIM support a connector based on the SCIM protocol? Is there any commercial FIM agent that supports SCIM currently that anyone knows of?

I am looking for a way to standardize my (to be) connected applications when talking to application owners. I find the current 'generic' web service connector very difficult to understand and to configure. Does anybody have more documentation about this besides the document from 2012?


Need real-time FIM synchronization and advanced reporting? Check out the new IM Sequencer 6.0 at http://www.imsequencer.com; it supports FIM 2010 R2, Omada Identity Manager, SQL, File, AD, FTP or PowerShell real-time synchronization!

On deleting a user in FIM, it is not deleted in the metaverse or in the target AD


Hi,

I have deleted two users in the FIM portal. I executed a Full Import of the FIM MA. In the synchronization statistics, the Deletes are showing as '2'. On doing a full synchronization of the FIM MA, the metaverse object deletes are showing as '0'. I searched the metaverse and the user still exists. We are using code-based provisioning, and the Deprovisioning configuration page of the MA is set to "Make them disconnectors".

Please help out

Thanks,

Prasanthi.


Can FIM delete user in AD/ADLDS without Sync Rules or Code?


Hi,

We have a simple setup: we flow in data from a SQL HR system and use the "Outbound System Scoping Filter" to provision users in AD and ADLDS.

Question: Will FIM be able to delete the object in AD/ADLDS without Rules Extensions or Sync Rules?

We were thinking of just using the following:

  • Delete metaverse object when connector from any of the following MAs is disconnected: SQL HR System
  • Then on the AD & ADLDS MAs select: Stage a delete on the object for the next export run

So is the above sufficient to delete the objects in AD & ADLDS?

Thanks

SK

Microsoft PowerShell management agent


Recently Microsoft released the PS management agent. Actually I saw some MSDN articles about it, but I find them less informative.

1. Can anyone provide me more details on how to use PS management agents? I have installed it but am not able to use it.

Details about the various sections like schema, import, export etc.

2. A guide with step-by-step instructions for a scenario which I can implement in a lab, to learn more about the PS MA and use it to configure other PS-compatible systems.


AdiKumar

Is it possible to incorporate a "Manual Override" feature in FIM 2010? i.e. during a target sync, skip the MV entry.


We are stuck on a FIM design.

We have a column in our SQL feed table to the FIM MV named "ManualAction".

What we want to happen is that if this column has the value "YES", then FIM will not synchronize the MV entry to the attached targets, e.g. AD and the FIM Portal.

If we try connector filtering on column ManualAction equals YES, we either disconnect and preserve the MV attributes provided, or disconnect and nullify those MV attributes. This is not what we want.

We want somehow to instruct FIM not to synchronize this MV entry if MV.ManualAction == YES.

Could this be done via a rules extension somehow??

The point of the Manual flag is that an administrator may set one or more attributes in an AD account deliberately and does NOT want them overwritten by FIM even though the usual authoritative source value differs...

What we are thinking is: is it possible to instruct FIM to 'skip' this MV entry at target resource(s) sync time?

I admit, I am not optimistic but I thought I could ask the FIM experts.

Need some help with reading XML and storing values in Dictionary/List


Hi All,

I'm new to C# and new to programming in general, and although I'm OK at PowerShell, I have never worked with XML, so this is a bit of a mystery topic for me.

I'm keeping some data about the group, its domain and some user attribute values in the structure shown below, in an XML file that I can read in the Initialise() method of the MA extension code.

<Groups>
  <Group>
    <GroupName samaccountname="FGPP-USA" Domain="usa.iam.net">
      <AccountType>01</AccountType>
      <AccountType>02</AccountType>
      <AccountType>03</AccountType>
    </GroupName>
  </Group>
  <Group>
    <GroupName samaccountname="FGPP-UK" Domain="uklondon.iam.net">
      <AccountType>04</AccountType>
      <AccountType>05</AccountType>
      <AccountType>06</AccountType>
    </GroupName>
  </Group>
  <Group>
    <GroupName samaccountname="FGPP-ROOT1" Domain="iam.net">
      <AccountType>07</AccountType>
      <AccountType>08</AccountType>
      <AccountType>09</AccountType>
    </GroupName>
  </Group>
  <Group>
    <GroupName samaccountname="FGPP-ROOT2" Domain="iam.net">
      <AccountType>01</AccountType>
      <AccountType>02</AccountType>
      <AccountType>03</AccountType>
      <AccountType>04</AccountType>
    </GroupName>
  </Group>
</Groups>

So I have a single AD forest consisting of some domains. I have a few groups per domain for which I want FIM Sync to update memberships. Using one management agent I'm reading groups and persons into the metaverse. I project all users from AD as persons to the metaverse. However, when it comes to groups, I want to use the ShouldProjectToMV method in the import flow code to only project if a group has a samaccountname value and domain value matching something in the XML (e.g. <GroupName samaccountname="FGPP-ROOT2" Domain="iam.net">).

The next thing I want to do is get the AccountType values as a list that I can foreach over, find the person objects in the metaverse and write them to a custom MV attribute called memberSTR [multivalued string]. However, where I need help is the LINQ to XML part. I would ideally want a function I can call from within MapAttributesForImport() which uses LINQ to XML and returns me a list of AccountTypes for a specific group in a specific domain.

I will have about 100 such groups, so even though this will take a performance hit as FIM will have to calculate memberships for every group, it's still OK.

So my questions are:

1. How do I get a list of all groups with samaccountname and domain from that XML?

2. If I know the samaccountname and domain of a group, how can I get the respective AccountType values from that XML?

I posted this question somewhere else and the gentleman was very helpful, but he proposed a solution which is not suitable. I know management will give me some more groups in future for FIM to update memberships for. So there will be more additions to the XML; however, I don't think the structure will change much.

Please help!
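Added example (not the poster's code) answering both questions above with LINQ to XML against the quoted structure; the GroupConfig class, its method names and the shortened embedded XML are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;
// Added example, not the poster's code: class/method names are assumed, and the
// sample XML is a constructed, shortened copy of the structure in the question.
public static class GroupConfig
{
    private const string SampleXml =
        "<Groups>" +
        "<Group><GroupName samaccountname=\"FGPP-USA\" Domain=\"usa.iam.net\">" +
        "<AccountType>01</AccountType><AccountType>02</AccountType></GroupName></Group>" +
        "<Group><GroupName samaccountname=\"FGPP-ROOT2\" Domain=\"iam.net\">" +
        "<AccountType>01</AccountType><AccountType>04</AccountType></GroupName></Group>" +
        "</Groups>";

    // Parse once (e.g. in Initialize()) and keep the XDocument; re-reading the
    // file for every object passing through the import code would be slow.
    public static XDocument LoadSample() { return XDocument.Parse(SampleXml); }
    // Question 1: every samaccountname/Domain pair declared in the file.
    public static List<KeyValuePair<string, string>> GetGroups(XDocument doc)
    {
        return doc.Descendants("GroupName")
                  .Where(g => g.Attribute("samaccountname") != null && g.Attribute("Domain") != null)
                  .Select(g => new KeyValuePair<string, string>(
                              g.Attribute("samaccountname").Value, g.Attribute("Domain").Value))
                  .ToList();
    }

    // Question 2: AccountType values for one group in one domain. AD compares
    // sAMAccountName and DNS names case-insensitively, so the match ignores case;
    // an unlisted group yields an empty list (never null), so foreach is safe.
    public static List<string> GetAccountTypes(XDocument doc, string sam, string domain)
    {
        return doc.Descendants("GroupName")
                  .Where(g => SameName((string)g.Attribute("samaccountname"), sam)
                           && SameName((string)g.Attribute("Domain"), domain))
                  .SelectMany(g => g.Elements("AccountType"))
                  .Select(a => a.Value.Trim())
                  .Where(v => v.Length > 0)
                  .Distinct()
                  .ToList();
    }

    // For ShouldProjectToMV: project the group only when it is listed in the file.
    public static bool IsManagedGroup(XDocument doc, string sam, string domain)
    {
        return GetGroups(doc).Any(p => SameName(p.Key, sam) && SameName(p.Value, domain));
    }
    private static bool SameName(string a, string b)
    {
        return string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    }
}
```

The cast `(string)g.Attribute(...)` returns null when the attribute is absent (which SameName tolerates), whereas `.Value` on a missing attribute throws, which is why GetGroups filters out such elements first.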


Delimited text file MA


Hi,

I have created a Delimited text file MA in FIM Sync and gave it an input file with the data as

"AccountName","FirstName","SurName","Status"

"Test1","TFirst","TSur","Enabled"

It got successfully created and the user got provisioned into FIM. But now I have changed the input file and included one more, multivalued, attribute.

"AccountName","FirstName","SurName","Status","Company","Company"

"Test1","TFirst","TSur","Enabled","comp1","comp2".

When I execute Full Import it gives me the error "no-start-header-row-mismatch". And in the MA the newly added attribute is not reflected either. Could you please help me out.

If the input file needs to be changed, do I need to create the MA again, or is there any way to do it with the existing MA?

Thanks

Prasanthi.

Is there a (documented) limit to how many fields can be concatenated together in a Sync Rule?


We face a situation where an AD extensionAttribute is to be made up of 11 (ELEVEN!) separate source fields separated by hyphens.

I have tried my inbound-to-MV attribute flow as both a CustomFunction

(F1+"-"+F2+"-"+F3+"-"+F4.....+F11) -> extensionAttribute1

and 3 screens of concatenate source + string "-"

F1+"-"+F2+"-"... F11 -> extensionAttribute1

I have noticed that once we get past 6 or 7 concatenated fields the destination receives null or is empty.

Just how many concatenations are allowed in a Sync Rule?

Is the classic flow rules extension subject to any limitations on the number of source attributes that can be "picked" off the list with Ctrl-click?

Install FIM SSPR Reset portal on a non domain joined machine


Hi everybody.

I have a question about FIM 2010 R2 SP1 SSPR.

We are currently installing a new FIM 2010 R2 SP1 environment at a customer and the architecture we wish to implement is as follows:

- 1 Synchronization server

- 1 FIM Portal server hosting the FIM Portal + registration portal

- 1 data warehouse server for Reporting

- 1 server hosting the FIM Reset Portal

We would like the registration portal to be accessible only from the internal LAN and the Reset portal to be accessible from the Internet.

These servers are hosted in different security zones separated by firewalls.

The question is as follows: Can we install the FIM Reset Portal on a workgroup machine, or does it have to be in the same domain as the Registration portal? If it can be a workgroup machine, what ports must be opened in the firewall in order to make it work?

Thanks for your help.

Sylvan

Force user to register when attempting to reset password


Hello, 

I've searched but didn't see anything with this exact question. What I'd like to do (if possible) is create a custom error page on the password reset portal, so that if a user enters their username to reset their password and hasn't registered, they are forwarded to the Profile Registration page. If this automation isn't doable, can the error page displayed be modified to show a registration link? E.g.: "You are receiving this error because you haven't registered with our new password reset portal. Click here to complete this step."

The reason I ask: I am an employee at a helpdesk with 28,000+ users. We just switched to FIM, and we are getting hundreds of calls a day where we have to walk users through something that should be simple. If someone here could answer in the affirmative that this can be done, with steps for this to be done, I can create a business case and put in a Change Request to have this resolved. 

Thank you. 

FIM 2010 R2 - Can't add member to any group - PORTAL


I can't manually add any members to any groups under the "Group -> Members -> Members to add" section.

The member is correctly populated in the lookup field, but when I press the OK button, it just closes the group pop-up window.

What could be wrong?

I can add users to groups using the Add Member button straight from the list view.

Password Reset for Helpdesk (codeless, using Password Reset Action Workflow ?)


Hello,

At the organisation I work for, we are looking at FIM 2010 R2 SP1.

Initially, we would like to use Self Service Password Reset (among other functionality).

We would also like to provide helpdesk / support colleagues the ability to reset users' passwords.

There is a discussion, including outlines of solutions, about this at...

https://social.technet.microsoft.com/Forums/en-US/8eba8d98-376f-4f7a-9628-91bb986e4e34/creating-password-reset-for-helpdesk-in-fim-2010-r2?forum=ilm2

...but it is relatively complex, requiring code, PowerShell MAs, etc.

I know now that FIM 2010 R2 SP1 gets very complex, very quickly. Acknowledging that, one of the reasons for using FIM 2010 R2 SP1 is that it is a relatively off-the-shelf technology, as opposed to internally-developed code that is harder to maintain (again, relative to off-the-shelf technology).

FIM 2010 R2 SP1 already has a workflow called

Password Reset Action Workflow

The workflow takes no configuration.

Is it possible to create a [relatively] codeless solution (e.g. using MPRs) for password reset for the helpdesk, using the Password Reset Action Workflow? If so, how...?

I know from my own searches of the Internet this is a popular request.

Kind regards,

Anwar

Bhold CAP Permissions not synchronized to FIM


Hi All,

In our PoC we have created a number of Context Adaptable Permissions (CAP) for one of the defined applications, based on the organization unit name. These permissions exist together with non-CAP permissions. All non-CAP permissions are imported into the FIM synchronization service as groups and the permission holders as members, exactly as expected. However, none of the CAP permissions are showing up as groups in the FIM BHOLD Management Agent connector space.

Is there a restriction for CAPs when using FIM synchronization service?

Bhold Version is 5.0.2959.00

FIM Version is 4.1.3627.0

Best regards

Christian


IAM Consultant


Unable to refresh the schema of the FIM MA. Getting an error in Event Viewer: "the current version of database is not compatible with the one expected by Forefront Identity Manager service. The current version of database is : 1116. The expected version is :1"


Hi,

We have installed the FIM MA with an account that has all the sufficient rights. It got created successfully and worked for Full Import and Full Sync. But, due to some version incompatibilities, we have installed a patch. PFB link for the patch.

http://support.microsoft.com/en-us/kb/2969673/en-us

Now, we are trying to refresh the schema of the FIM MA. While doing that we are facing the error "Failed to connect to database". The user account with which we are connecting has read and write permissions on the DB. In the event viewer some errors are logged like "the current version of database is not compatible with the one expected by Forefront Identity Manager service. The current version of database is : 1116. The expected version is :1122" with event ID 3. PFB images for a more detailed view.

Please advise how to fix the issue.

Thanks

Prasanthi.

Administrators to authorize pending group access requests


Some of our groups have MembershipAddWorkflow set to "Owner Approval". When users request access to one of these groups, an authz workflow is kicked off asking the group owner for permission. If this person is absent there is no way of approving the request and it stays pending. How can FIM be set up to allow members of "Administrators" or "Group Admins" to approve these requests as well?

Thanks,
Mickey

Unable to start the FIM Synchronization Service. Getting error "EventID:7024 - The forefront identity manager synchronization service service terminated with the following service-specific error :%%2149778515"


Hi,

I am trying to start the synchronization service, but I am unable to start the "Forefront Identity Manager Synchronization Service".

When I checked the Event Logs, there is an error with error code 7024: "the forefront identity  manager synchronization service service terminated with the following service-specific error :%%2149778515".

I have checked SQL server service and User profile service. Both are up and running.

Please help me out.

Thanks

Praveen

FIM 2010 licensing model is changing as of 1st of April 2015


Source: http://www.microsoft.com/licensing/products/products.aspx
Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488

In short, prior to 1st of April 2015, you required

  • a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
  • Forefront Identity Manager 2010 R2 External Connector

After 1st of April 2015:

  • Windows Server license (Standard & Datacenter) will include FIM server entitlement
  • FIM Server 2010 R2 licenses will not be available anymore on the price lists

The FIM server will no longer be sold as a separate license, but instead Windows Server licenses will allow customers to install the FIM Server software.
Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS), will also entitle users to access FIM.
Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required.

More info here:


Peter Geelen (Microsoft Belgium) - Premier Field Engineer Security Identity


FIM Database questions


We are about to deploy FIM in a simple topology to a customer, aiming towards the Self Service Password Reset service.

However, the database will be located somewhere else in the network. Some concerns were raised by the DB administrator of the customer, and I still couldn't find proper documentation covering those questions, such as the following:

- Are the names of the user and database fixed, or can they be changed?

- If the DBAs create the database before the installation of the Central Instance, will the OWNER permission suffice for the creation of objects?

- Is our standard collation "SQL_LATIN1_General_CP1_Cl_Al" compatible?

- Does the application need any permissions on the catalog databases, like "master", "msdb", etc.?

- Can the migration of the database to production instances be done using backup and restore?

- Is there a policy for the data stored in this database? Is there any archiving/purging of unnecessary data?
