Is it possible to implement Web SSO for FIM Portal? If yes, how? Any pointers, suggestions, insight would be highly appreciated.
Thanks,
John
Web SSO for FIM Portal
↧
↧
AD MA - Error Log
Hi,
How can I write to eventlog any errors that occur during AD MA run?
Many thanks,
DD
↧
Exchange provisioning for select users
Scenario:
Users in Set 123 need AD accounts only
Users in Set B need Ex mbxs (& AD accounts obviously)
Users can move from Set 123 to Set B, or go directly into Set B
We cannot simply create a 'base' AD sync rule, and then a dependent Ex sync rule with homemdb,mail,msexchhomeserver &mailnickname - we cannot use 'initial flow only' in a dependent sync rule. We don't want FIM to continue to set the msexchhomeserver and other attributes - we want to transfer authority to Exchange to manage those attributes.
If we create two separate sync rules, not dependent, we can't control which tries to execute first. If we have the ex sync rule withjust homemdb,mail,msexchhomeserver &mailnickname attributes set for initialflowonly, it will fail if it tries to run before the sync rule that creates the AD account.
Separately, does initial flow only run when the user is added to the scope of the sync rule for the first time, or when the object is actually provisioned in AD? In other words, if a user object exists in AD and FIM is aware of this, will FIM flow out attributes in a sync rule set for initial flow only?
Ben Pahl
↧
Attention All FIM Gurus! Time to SPRING Into Action!
April fools out of the way, now let's find an April genius!
The name "April" is derived from the Latin verb "aperire", meaning "to open", as it is the season when trees, flowers AND MINDS start to open! And.. I can't wait to OPEN and read this month's community contributions! (groan, tenuous link!)
Things are indeed heating up around TechNet. The Wiki has become a shining example of what the community has to offer, and talent is SPRINGING FORTH from all corners of our garden of knowledge.
If you can find the time to enrich us with your latest revelations, or some fascinating facts, then not only will you build up a profile and name for yourself within the gaze of Microsoft's very own glitterati, but you will be adding pages to the most respected source for Microsoft knowledge base articles. This could not only boost your career, but would benefit generations to come!
So don't be an April fool. Please realise the potential of this platform, realise where we are going, and join us in growing this community, learning more about you, and opening the minds of others!
All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.
Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!
This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!
HOW TO WIN
1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.
If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!
Winning this award in your favoured technology will help us learn the active members in each community.
Feel free to ask any questions below.
More about TechNet Guru Awards
Thanks in advance!
Pete Laker 
#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and
you could win weekly awards!
Have you got what it takes o become this month's
TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!
↧
login as administrator without password
how do I login without an administrator's password?
↧
↧
Is the Eq test in an IIF statement in a Sync Rule custom function, case sensitive?
Hellos.
Just to save my sanity and having to change my custom function
I need to set initial passwords on a new AD account depending on their unit. I have the IIF constructed but it simply tests the MV attribute with a fixed string.
e.g.
IIF(Eq(ToimialaNimi,"SOTET"),"SOTETpwd",
IIF(Eq(ToimialaNimi,"PALI"),"PALIpwd",
IIF(Eq(ToimialaNimi,"TYT"),"TYTpwd",
IIF(Eq(ToimialaNimi,"KEHA"),"KEHApwd","SITOpwd"))))
would this statement catch ToimialaNimi values like sotet Sotet SOteT Pali PALI PalI etc.. or *must* I plug in the Uppercase function (does it exist?) before each ToimialaNimi
like IIF(Eq(Upper(ToimialaNimi),"SOTET"),"SOTETpwd", and so on.....
I prefer not to use the Uppering function if I can get away with it.
*HH
↧
RCDC User Creation and email address
I would like to have the option to add the email for a user when I use RCDC User Create.
The only option I have is "Mailnickname" which does a Regex (MailNickname.StringRegex) - is there a way to bypass that.
Thanks Mickey
↧
Configuring Attribute precedence when multiple MAs are present.
Hi,
In our environment, we have multiple MAs configured.
1.FlatFile MA(source)
2. FIM MA
3. ADDS MA(target)
4.Google Apps MA.(target)
The flow will be like we provision users from Flat file to FIM and from FIM to AD and Google. We are using MV extension code for ADDS MA and Google MA for provisioning users from FIM to AD and Google. In turn we are flowing object SID and domain back to FIM from AD. For that we have build an Inbound sync rule for AD. When I do Full sync of ADDS MA, the objectSID and domain is not getting to metaverse and not exporting to FIM MA. I had examined the attribute precedence.The precedence is as follows.
1. ADDS MA
2.FIM MA
3.Google MA
Is Inbound sync rule is needed to flow objectSID and domain back to FIM in which user is already present? If not how should be the attribute precedence? If Outbound and Inbound Sync rules are preseent, then which rule will be called first.
Thanks
Prasanthi.
↧
script to report on which MPR uses what workflow
Is there using Powershell to report on MPRs and what workflows they are kicking off?
Thanks,
Mickey
↧
↧
when multiple MAs present in fimsync belonging to same domain, how to define attribute precedence.
Hi,
In our environment there are multiple MAs and i have to define proper precedence of attribute flows in order to function properly. The list of MAs present are
1. FlatFileMA
2. FIM MA
3. ADDs MA
4. Google Apps MA
We are provisioning the user from FlatFile to FIM, and then from FIM to AD, FIM to Google Apps MA. Some times the provision directly takes from FIM to AD and from FIM to Google Apps MA. In order to achieve this how should i assign the attribute precedence. The attributes that are using are accountName,firstName,LastName etc..
We are using Code Based provisioning...
Thanks
Prasanthi
↧
Issue with FIM 2010 R2 SP1 SSPR Enforces Password History
Hello All,
We recently just changed our domain password policy to exclude allowing a user to use the last two passwords, however SSPR does not seem to read this value.
I have read the following articles https://support.microsoft.com/en-us/kb/2443871?wa=wsignin1.0 and it points to an older version of FIM and a domain controller that is running 2008/r2. In our environment we are running Windows Sever 2012 R2 as our domain controllers and FIM 2010 R2 version 4.1.3613.0.
I checked the forum and found the following post https://social.technet.microsoft.com/Forums/en-US/03013ce2-486f-4b39-a1ea-86ef66c7931c/fim-sspr-adma-enforce-password-policy-ad-server-2012?forum=ilm2 however this was posted last year and no resolution was found. I was wondering if any progress has been made on this or if anybody can provide me with any advice.
We recently just changed our domain password policy to exclude allowing a user to use the last two passwords, however SSPR does not seem to read this value.
I have read the following articles https://support.microsoft.com/en-us/kb/2443871?wa=wsignin1.0 and it points to an older version of FIM and a domain controller that is running 2008/r2. In our environment we are running Windows Sever 2012 R2 as our domain controllers and FIM 2010 R2 version 4.1.3613.0.
I checked the forum and found the following post https://social.technet.microsoft.com/Forums/en-US/03013ce2-486f-4b39-a1ea-86ef66c7931c/fim-sspr-adma-enforce-password-policy-ad-server-2012?forum=ilm2 however this was posted last year and no resolution was found. I was wondering if any progress has been made on this or if anybody can provide me with any advice.
↧
Delta Import on NetIQ eDirectory using Generic LDAP connector
Dear community,
we are running the latest version of Forefront Identity Manager and eDirectory. When we run a delta import on our eDirectory (using the Generic LDAP connector) we get the following error: no-start-ma
When I take a look at the Global Parameters section of the Agent the server information is listed as follows: Directory Name: NetIQ Corporation (LDAP Agent for NetIQ eDirectory 8.8 SP8 (20806.01)). A full import is working without any problems.
The eventlog reveals:
The extensible extension returned an unsupported error. The stack trace is: "System.InvalidOperationException: Delta import is aborted as the access log DN is missing, Please mention the access log DN and re-run the delta import profile. at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.OpenImportConnection(KeyedCollection`2 configParameters, Schema types, OpenImportConnectionRunStep importRunStep) Forefront Identity Manager 4.1.3627.0"
From the documentation, the agent should use the modifyTimestamp to import the changed entries for eDirectory or am I wrong?
Best regards, Rainer
↧
Help Need - FIM
Hello Techies,
I know this is technical forum, but seeking your expert advice to know more about the career prospectus of a FIM administrator/developer.
I’ve a total of 8 years experience in AD administration and now moved to Identity manager team where have to support FIM 2010, OIM11g and some other identity in house tool.
To be honest, I’m in dilemma as not sure should I sustain with the new profile along with my AD expertise and I am more interested to know about MS FIM (did some research and understood that FIM is also packed with MS Azure and MS is started investing more on identity product) so if AD + FIM administrator will be a step ahead / consider a specialist (rather than in AD alone) in the market keeping in mind technologies moving rapidly to cloud?
Please, would you all share your feedback and if think is a positive move? And if yes I can start learning FIM (heard that to be good in FIM, to be good in SQL table/view/query & C#)
Thanks in advance and I’m really obliged to your responses.
Regards
Rahul
Rahul
↧
↧
IIF(IsPresent... function works with OOB Function Evaluator but not with "Generate Unique Value" within FIM WAL
Hi,
Just wanted to share the following strange behavior when using the similar IIF(IsPresent.. function both in OOB FIM Function Evaluator and "Generate Unique Value" in FIM WAL.
This one certainly works in OOB FIM Function Evaluator:
IIF(IsPresent(MiddleName),FirstName+" "+MiddleName+" "+LastName,FirstName+" "+LastName)
This one is not recognized as valid parameters in FIM WAL´s "Generate Unique Value":
IIF(IsPresent([//Target/MiddleName]),[//Target/FirstName]+"."+[//Target/MiddleName]+"."+[//Target/LastName],[//Target/FirstName]+"."+[//Target/LastName])
On the other hand, when simplified, it also works in FIM WAL´s "Generate Unique Value" (without concatenated values in expression):
IIF(IsPresent([//Target/MiddleName]),[//Target/WhatEverAttribute],[//Target/AnotherAttribute])
In case someone else is using FIM WAL as well, could you share your thoughts how to make this work on FIM WAL? As for now it seems it is not possible to use concatenation of values within IIF(IsPresent.. function same way as with OOB Function Evaluator.
↧
Password Sync from AD to AD LDS using FIM 2010 R2
Hi all,
I'm trying to sync password from AD to AD LDS. And what I got about password sync as the link below
https://technet.microsoft.com/en-us/library/jj590288%28v=ws.10%29.aspx
In my LAB I have:
1. DC Server for domain A
2. ADLDS Server
3. FIM server join to domain X
For the LAB, I want to test sync DC user to AD LDS include password sync And I just completed AD user to AD LDS (without password sync)
Basically I understand that the step I need to do is:
1. Install PCNS on DC Server for domain A
2. SetSPN ???
3. Configure FIM
I do not really understand that SetSPN command I should to use here in that case, any can help me please ?
Thanks a lot !
↧
ADFS and supportmultipledomain switch
Hi there,
We are trying to federate a second domain under a single ADFS server. We are running ADFS 2.0 with Update 2 installed. When we go to issue a Update-MsolFederatedDomain –DomainName <domain> –SupportMultipleDomain we get the following error :
Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not
supported here.
At line:1 char:27
+ Update-MsolFederatedDomain <<<< -DomainName "tundraoilandgas.com" -SupportMu
ltipledomain
+ CategoryInfo : InvalidOperation: (:) [Update-MsolFederatedDomai
n], FederationException
+ FullyQualifiedErrorId : MultipleDomainSwitchNotSupported,Microsoft.Onlin
e.Identity.Federation.Powershell.UpdateFederatedDomainCommand
Does anyone know what may be causing this problem?
Thanks,
Kevin
↧
FIM and MIM Licensing Questions
Hello to all, MS stated the following about FIM Licensing:
xxxxxxxxxxx
In short, prior to 1st of april 2015, you required
- a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
- Forefront Identity Manager 2010 R2 External Connector
After 1st of april 2015:
- Windows Server license (Standard & Datacenter) will include FIM server entitlement
- FIM Server 2010 R2 lices will not be available anymore on the price lists
The FIM server will no longer be sold as a separate license, but instead Windows Server licenses will allow customers to install the FIM Server software.
Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS), will also entitle users to access FIM.
Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required.
xxxxxxxxxxx
Questions:
1- After 1st APril 2015, does I still need a FIM CAL for users (not the FIM server license, that is not necessary anymore because a Windows Server License is will be necessary for FIM server component), i.e. a CAL that is not the Windows CAL for users/machine, instead a specific FIM CAL for users that are managed by the tool?
2- Will MIM licesing follow this the same steps (after 1st APril 2015) ?
Regards, EEOC.
↧
↧
Create mailbox by FIM 2010 R2
Hi all,
I'm trying to use FIM 2010 R2 to do provisioning mailbox on Exchange 2013
According to some article on Internet I use that command in MVRule to create mailbox
csentry = ExchangeUtils.CreateMailbox(ManagementAgent, component, nickname, mailboxMDB);
But it doesn't work. I can see the HomeMDB has changed as the string mailboxMDB on the command, but the mailbox couldn't be created.
Anyone please help me. Thanks !
p/s: Is that possible if I use something simple like enable-mailbox in MVRule to create mailbox automatically after the user is created on AD?
↧
FIM 2010 R2 - Reporting problem
I am trying to deploy FIM reporting.
Currently I am facing errors described below related to System center management:
- for example management pack Incident management library is completed (not an error!)
- management packs from Incident management report library to FIM common report library are "failed"
- management packs from FIM request history report library to FIM group membership change report library are "waiting"
Related to FIM reporting, there is only a one report available (Common report) and it gives this error:
The report server cannot process the report or shared dataset. The shared data source 'MultiMartDatasource' for the report
server or SharePoint site is not valid. Browse to the server or site and select a shared data source. (rsInvalidDataSourceReference)
What should I do next? I have not found anything related to this from Event viewer. Also I have tried to redeploy failed management packs without a success.
↧
Provisioning to iPlanet
Hi,
What are the bare minimum attributes need to provision a user to iPlanet via FIM?
Thank you,
SK
↧
More Pages to Explore .....
