Articles on this Page
- 04/06/15--11:10: Web SSO for FIM Portal
- 04/07/15--02:10: AD MA - Error Log
- 04/07/15--07:08: Exchange provisioning for select users
- 04/07/15--13:22: Attention All FIM Gurus! Time to SPRING Into Action!
- 04/07/15--18:49: login as administrator without password
- 04/07/15--23:27: Is the Eq test in a...
- 04/07/15--23:49: RCDC User Creation and email address
- 04/08/15--02:23: Configuring Attribute precedence when multiple MAs are present.
- 04/08/15--17:29: script to report on which MPR uses what workflow
- 04/08/15--21:00: when multiple MAs p...
- 04/09/15--16:18: Issue with FIM 2010 R2 SP1 SSPR Enforces Password History
- 04/10/15--00:28: Delta Import on NetIQ eDirectory using Generic LDAP connector
- 04/10/15--00:41: Help Need - FIM
- 04/10/15--03:34: IIF(IsPresent... fu...
- 04/10/15--03:43: Password Sync from AD to AD LDS using FIM 2010 R2
- 04/10/15--12:27: ADFS and supportmultipledomain switch
- 04/10/15--17:37: FIM and MIM Licensing Questions
- 04/12/15--11:05: Create mailbox by FIM 2010 R2
- 04/12/15--22:06: FIM 2010 R2 - Reporting problem
- 04/12/15--23:07: Provisioning to iPlanet
Is it possible to implement Web SSO for FIM Portal? If yes, how? Any pointers, suggestions, insight would be highly appreciated.
How can I write any errors that occur during an AD MA run to the event log?
Users in Set 123 need AD accounts only
Users in Set B need Ex mbxs (& AD accounts obviously)
Users can move from Set 123 to Set B, or go directly into Set B
We cannot simply create a 'base' AD sync rule and then a dependent Ex sync rule with homemdb, mail, msexchhomeserver & mailnickname; we cannot use 'initial flow only' in a dependent sync rule. We don't want FIM to continue to set msexchhomeserver and the other attributes; we want to transfer authority to Exchange to manage those attributes.
If we create two separate, non-dependent sync rules, we can't control which tries to execute first. If we have the Ex sync rule with just the homemdb, mail, msexchhomeserver & mailnickname attributes set for initial flow only, it will fail if it tries to run before the sync rule that creates the AD account.
Separately, does initial flow only run when the user is added to the scope of the sync rule for the first time, or when the object is actually provisioned in AD? In other words, if a user object exists in AD and FIM is aware of this, will FIM flow out attributes in a sync rule set for initial flow only?
April fools out of the way, now let's find an April genius!
The name "April" is derived from the Latin verb "aperire", meaning "to open", as it is the season when trees, flowers AND MINDS start to open! And.. I can't wait to OPEN and read this month's community contributions! (groan, tenuous link!)
Things are indeed heating up around TechNet. The Wiki has become a shining example of what the community has to offer, and talent is SPRINGING FORTH from all corners of our garden of knowledge.
If you can find the time to enrich us with your latest revelations, or some fascinating facts, then not only will you build up a profile and name for yourself within the gaze of Microsoft's very own glitterati, but you will be adding pages to the most respected source for Microsoft knowledge base articles. This could not only boost your career, but would benefit generations to come!
So don't be an April fool. Please realise the potential of this platform, realise where we are going, and join us in growing this community, learning more about you, and opening the minds of others!
All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.
Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!
This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!
HOW TO WIN
1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.
If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!
Winning this award in your favoured technology will help us learn the active members in each community.
Feel free to ask any questions below.
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!
Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!
how do I login without an administrator's password?
Just to save my sanity and having to change my custom function
I need to set initial passwords on a new AD account depending on their unit. I have the IIF constructed but it simply tests the MV attribute with a fixed string.
would this statement catch ToimialaNimi values like sotet Sotet SOteT Pali PALI PalI etc.. or *must* I plug in the Uppercase function (does it exist?) before each ToimialaNimi
like IIF(Eq(Upper(ToimialaNimi),"SOTET"),"SOTETpwd", and so on.....
I prefer not to use the Uppering function if I can get away with it.
I would like to have the option to add the email for a user when I use RCDC User Create.
The only option I have is "Mailnickname" which does a Regex (MailNickname.StringRegex) - is there a way to bypass that.
In our environment, we have multiple MAs configured.
2. FIM MA
3. ADDS MA (target)
4. Google Apps MA (target)
The flow is: we provision users from a flat file to FIM, and from FIM to AD and Google. We are using MV extension code for the ADDS MA and the Google MA to provision users from FIM to AD and Google. In turn we are flowing objectSID and domain back to FIM from AD. For that we have built an inbound sync rule for AD. When I do a full sync of the ADDS MA, objectSID and domain are not getting to the metaverse and are not exported to the FIM MA. I have examined the attribute precedence. The precedence is as follows.
1. ADDS MA
Is an inbound sync rule needed to flow objectSID and domain back to FIM for a user who is already present? If not, what should the attribute precedence be? If both outbound and inbound sync rules are present, which rule will be called first?
Is there a way, using PowerShell, to report on MPRs and what workflows they are kicking off?
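One way to produce such a report, as an added example that is not part of the original thread: it exports every MPR and every workflow definition with Export-FIMConfig (FIMAutomation snap-in) and joins the three workflow reference attributes on the MPR (AuthenticationWorkflowDefinition, AuthorizationWorkflowDefinition, ActionWorkflowDefinition) to workflow display names. The FIM Service URI and the "urn:uuid:" form of the reference values are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original thread): list each MPR and the workflows it triggers.
# Assumptions: FIMAutomation snap-in installed on this box, default FIM Service endpoint below,
# and reference attributes exported as "urn:uuid:<guid>" strings matching each workflow's ObjectID.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$uri = "http://localhost:5725/ResourceManagementService"   # assumption: default FIM Service URI

# Flatten an exported resource into a hashtable of attribute name -> value (or values).
function ConvertTo-AttributeTable($exportedObject) {
    $table = @{}
    foreach ($attr in $exportedObject.ResourceManagementObject.ResourceManagementAttributes) {
        if ($attr.IsMultiValue) { $table[$attr.AttributeName] = $attr.Values }
        else                    { $table[$attr.AttributeName] = $attr.Value }
    }
    return $table
}

# Export all workflow definitions once and index display names by ObjectID.
$workflowsById = @{}
Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/WorkflowDefinition" | ForEach-Object {
    $wf = ConvertTo-AttributeTable $_
    $workflowsById[$wf["ObjectID"]] = $wf["DisplayName"]
}

# Export all MPRs and emit one row per (MPR, phase, workflow) pair.
$phases = "AuthenticationWorkflowDefinition", "AuthorizationWorkflowDefinition", "ActionWorkflowDefinition"
$report = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/ManagementPolicyRule" | ForEach-Object {
    $mpr = ConvertTo-AttributeTable $_
    foreach ($phase in $phases) {
        foreach ($wfId in @($mpr[$phase])) {
            if ($wfId) {
                $name = $workflowsById[$wfId]
                if (-not $name) { $name = "<unresolved: $wfId>" }   # dangling reference: worth reviewing
                New-Object PSObject -Property @{
                    MPR      = $mpr["DisplayName"]
                    Disabled = $mpr["Disabled"]
                    Phase    = $phase -replace "WorkflowDefinition", ""
                    Workflow = $name
                }
            }
        }
    }
}

$report | Sort-Object MPR, Phase | Format-Table MPR, Disabled, Phase, Workflow -AutoSize
# For an audit artifact: $report | Export-Csv -NoTypeInformation -Path .\mpr-workflows.csv
```

Rows whose Workflow column reads "<unresolved>" point at an MPR referencing a workflow that no longer exists, and disabled MPRs are listed so that dormant policy can be reviewed alongside active policy.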
In our environment there are multiple MAs and I have to define proper precedence of attribute flows in order for things to function properly. The MAs present are:
2. FIM MA
3. ADDS MA
4. Google Apps MA
We are provisioning the user from the flat file to FIM, and then from FIM to AD and from FIM to the Google Apps MA. Sometimes the provisioning goes directly from FIM to AD and from FIM to the Google Apps MA. In order to achieve this, how should I assign the attribute precedence? The attributes in use are accountName, firstName, lastName, etc.
We are using Code Based provisioning...
We recently just changed our domain password policy to exclude allowing a user to use the last two passwords, however SSPR does not seem to read this value.
I have read the following article https://support.microsoft.com/en-us/kb/2443871?wa=wsignin1.0 and it points to an older version of FIM and a domain controller running 2008/R2. In our environment we are running Windows Server 2012 R2 as our domain controllers and FIM 2010 R2 version 4.1.3613.0.
I checked the forum and found the following post https://social.technet.microsoft.com/Forums/en-US/03013ce2-486f-4b39-a1ea-86ef66c7931c/fim-sspr-adma-enforce-password-policy-ad-server-2012?forum=ilm2 however this was posted last year and no resolution was found. I was wondering if any progress has been made on this or if anybody can provide me with any advice.
We are running the latest version of Forefront Identity Manager and eDirectory. When we run a delta import on our eDirectory (using the Generic LDAP connector) we get the following error: no-start-ma
When I take a look at the Global Parameters section of the Agent the server information is listed as follows: Directory Name: NetIQ Corporation (LDAP Agent for NetIQ eDirectory 8.8 SP8 (20806.01)). A full import is working without any problems.
The eventlog reveals:
The extensible extension returned an unsupported error. The stack trace is: "System.InvalidOperationException: Delta import is aborted as the access log DN is missing, Please mention the access log DN and re-run the delta import profile. at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.OpenImportConnection(KeyedCollection`2 configParameters, Schema types, OpenImportConnectionRunStep importRunStep) Forefront Identity Manager 4.1.3627.0"
From the documentation, the agent should use modifyTimestamp to import the changed entries for eDirectory, or am I wrong?
Best regards, Rainer
I know this is a technical forum, but I am seeking your expert advice to learn more about the career prospects of a FIM administrator/developer.
I have a total of 8 years' experience in AD administration and have now moved to an Identity Manager team where I have to support FIM 2010, OIM 11g and some other in-house identity tools.
To be honest, I'm in a dilemma, as I'm not sure whether I should stay with the new profile alongside my AD expertise. I am more interested to know about MS FIM (I did some research and understood that FIM is also packaged with MS Azure and MS has started investing more in identity products), so will an AD + FIM administrator be a step ahead / considered a specialist (rather than in AD alone) in the market, keeping in mind that technologies are moving rapidly to the cloud?
Please, would you all share your feedback and whether you think it is a positive move? And if yes, I can start learning FIM (I heard that to be good in FIM, one should be good in SQL tables/views/queries and C#).
Thanks in advance, and I'm really obliged for your responses.
Just wanted to share the following strange behavior when using the similar IIF(IsPresent.. function both in OOB FIM Function Evaluator and "Generate Unique Value" in FIM WAL.
This one certainly works in OOB FIM Function Evaluator:
IIF(IsPresent(MiddleName),FirstName+" "+MiddleName+" "+LastName,FirstName+" "+LastName)
This one is not recognized as valid parameters in FIM WAL's "Generate Unique Value":
On the other hand, when simplified, it also works in FIM WAL's "Generate Unique Value" (without concatenated values in the expression):
In case someone else is using FIM WAL as well, could you share your thoughts on how to make this work in FIM WAL? For now it seems it is not possible to use concatenation of values within the IIF(IsPresent.. function the same way as with the OOB Function Evaluator.
I'm trying to sync passwords from AD to AD LDS. What I have found about password sync is at the link below
In my LAB I have:
1. DC Server for domain A
2. ADLDS Server
3. FIM server join to domain X
For the LAB, I want to test syncing DC users to AD LDS, including password sync. I have just completed AD user to AD LDS (without password sync).
Basically I understand that the steps I need to do are:
1. Install PCNS on DC Server for domain A
2. SetSPN ???
3. Configure FIM
I do not really understand which SetSPN command I should use here in that case. Can anyone help me please?
Thanks a lot !
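The SPN step in the procedure above, as an added example that is not part of the original thread: PCNS on the domain A DC authenticates to the FIM Synchronization Service over Kerberos using an SPN of the form PCNSCLNT/<sync server FQDN>, so that SPN must be registered exactly once, on the account that runs the sync service. Host names and account names below (fimsync.domainx.local, DOMAINX\svc-fimsync) are constructed; a trust between domain A and domain X is assumed, since the DC must obtain a cross-realm ticket for the SPN.

```powershell
# Added example (not from the original thread). Constructed names:
#   fimsync.domainx.local  - FIM Synchronization Service server in domain X
#   DOMAINX\svc-fimsync    - account the FIM Synchronization Service runs as
# Assumption: a trust exists so the domain A DC can get a Kerberos ticket for the SPN.

# 1. Register the PCNS client SPN on the sync service account (run as a domain X admin).
#    -S refuses to add a duplicate SPN, which would otherwise break Kerberos for PCNS.
setspn -S PCNSCLNT/fimsync.domainx.local DOMAINX\svc-fimsync

# 2. Verify: the SPN must appear on this account and on no other principal in the forest.
setspn -L DOMAINX\svc-fimsync
setspn -X

# 3. On the domain A DC where PCNS is installed, point PCNS at the sync server using that SPN.
#    Switches as documented for pcnscfg.exe: /N target name, /A target FQDN, /S target SPN,
#    /FI inclusion group whose members' password changes are forwarded, /F authentication level.
#    Confirm the switch set for your PCNS build with: pcnscfg.exe /?
pcnscfg.exe ADDTARGET /N:FIMSync /A:fimsync.domainx.local /S:PCNSCLNT/fimsync.domainx.local /FI:"Domain Users" /F:3
pcnscfg.exe LIST
```

If step 1 reports that the SPN already exists, find and remove the duplicate before continuing rather than forcing the registration; PCNS failures caused by duplicate SPNs surface as Kerberos authentication errors in the DC's event log.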
We are trying to federate a second domain under a single ADFS server. We are running ADFS 2.0 with Update 2 installed. When we issue an Update-MsolFederatedDomain –DomainName <domain> –SupportMultipleDomain we get the following error:
Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not
At line:1 char:27
+ Update-MsolFederatedDomain <<<< -DomainName "tundraoilandgas.com" -SupportMu
+ CategoryInfo : InvalidOperation: (:) [Update-MsolFederatedDomai
+ FullyQualifiedErrorId : MultipleDomainSwitchNotSupported,Microsoft.Onlin
Does anyone know what may be causing this problem?
Hello to all, MS stated the following about FIM Licensing:
1- After 1st April 2015, do I still need a FIM CAL for users (not the FIM server license, which is not necessary anymore because a Windows Server license will be necessary for the FIM server component), i.e. a CAL that is not the Windows CAL for users/machines, but a specific FIM CAL for users that are managed by the tool?
2- Will MIM licensing follow the same steps (after 1st April 2015)?
I'm trying to use FIM 2010 R2 to provision mailboxes on Exchange 2013.
According to an article on the Internet, I use this call in my MV rule to create the mailbox:
csentry = ExchangeUtils.CreateMailbox(ManagementAgent, component, nickname, mailboxMDB);
But it doesn't work. I can see that HomeMDB has changed to the mailboxMDB string passed in the call, but the mailbox is not created.
Can anyone please help me? Thanks!
P.S.: Is it possible to use something simple like Enable-Mailbox in the MV rule to create the mailbox automatically after the user is created in AD?
I am trying to deploy FIM reporting.
Currently I am facing the errors described below related to System Center management packs:
- for example management pack Incident management library is completed (not an error!)
- management packs from Incident management report library to FIM common report library are "failed"
- management packs from FIM request history report library to FIM group membership change report library are "waiting"
Related to FIM reporting, there is only one report available (Common report) and it gives this error:
The report server cannot process the report or shared dataset. The shared data source 'MultiMartDatasource' for the report server or SharePoint site is not valid. Browse to the server or site and select a shared data source. (rsInvalidDataSourceReference)
What should I do next? I have not found anything related to this in Event Viewer. I have also tried to redeploy the failed management packs, without success.
What are the bare minimum attributes needed to provision a user to iPlanet via FIM?