Channel: Forum Microsoft Identity Manager

ECMA 2 Connection Log

When using an OOTB MA which connects to a system, such as SQL Server MA or ADDS MA, a connection status is visible which when clicked on opens a connection log. Is it possible to create such a status/log with ECMA2 and if so, what method do I use?

Thank you.


FIM mailnickname append

Hello,

We have run IDFix and found duplicated contacts from FIM that we need to fix. We think we can fix that if we make changes to the emailnickname attribute that is coming in from another forest. Our idea is to add a suffix to the end of the nickname as it gets synchronized to our domain. So it would be something like this: if the emailnickname is emailnickname@domain.com, we want to change it to emailnickname@domain.com.AMX, for example. Can this be done using the functions? Would you be able to send me an example of what the function would look like, such as ReplaceString, and how to apply the function? I am sorry, but we have been doing a straight GALsync for a long time but nothing has been done at this level.

Thank you. 

Error processing your request: The operation was rejected because of access control policies.

I am unable to add any staff to the security group. It pops up the error mentioned below:

Error processing your request: The operation was rejected because of access control policies.

Reason: The server workflow rejected the operation.

Correlation Id: 6ebb20f7-9807-4db8-a412-8a80cc1fa829

Request Id: 6d05799f-3c92-410c-88c1-accb8f0d64a5

Details: The Workflow Instance 'fbcef8fb-4524-4deb-9af3-c03ca7a7b93e' encountered an internal error during processing. Contact your system administrator for more information.

Can we configure FIM Portal to not accept unsatisfactory inputs from other sources for an attribute that is set to some validation in Portal?

Hi Guys,

We have a situation where Owner for a group should be Active, Enabled and Employee of the organization. We can set this criteria in Search Scope.

But when I try setting the Owner (who does not meet the required conditions) via PowerShell script or via sync from AD-->MV-->FIM Portal, the portal seems to accept the value.

Is there any way we can configure FIM Portal to not accept unsatisfactory inputs from other sources?

I am thinking it's not possible to set this in FIM Portal, and maybe we have to manually make sure of the Owner value that we set using PowerShell or AD.

Please let me know your thoughts on this.

Thanks!

ECMA2: how to process deletes in the connected system during a full import?

I have an ECMA2 ma, and in the Full Import I create a list of CSEntryChange objects with ObjectModificationType Add, like in this example:

// iterate through the objects in the connected system
foreach (var website in theListOfWebsitesInTheConnectedSystem) {
    // create a CSEntryChange object
    var entry = CSEntryChange.Create();
    entry.ObjectType = "website";
    entry.ObjectModificationType = ObjectModificationType.Add;
    entry.AnchorAttributes.Add(AnchorAttribute.Create("Name", website.NAME));
    entry.AddAttributeAdd("Description", website.DESCRIPTION);
    entry.AddAttributeAdd("Category", website.CATEGORY);
    // add it to the list (this list will be split somewhere else to manage the page size)
    listOfEntries.Add(entry);
}

My understanding was that if an object is not in the list of objects I return, FIM should understand that the object has been deleted in the connected system, and try to recreate it.

However, if I delete an object in the Connected System and then run a Full Import, the object is NOT returned in the list, but FIM still sees it as a connector in the connector space of my MA, and I see no deletion in the import results.

How is this supposed to work? What should I do to make FIM realize that an object was deleted?


Paolo Tedesco - http://cern.ch/idm


FIM 2010 R2 - It is not possible to delete a user (Error: permission-issue, Error code: 5, Access denied)

We have several domains to manage for our customers, so we have installed "FIM 2010 R2" to manage our admin accounts. But if I now try to delete a user, by deletion from the "User Set", I get this error (please note the screenshot) after synchronization.

Error

Running management agent: AD MA xyz
Error: Permission-issue
Latest occurrence: 07.05.2015 15:30:06
Initial occurrence: 07.05.2015 11:07:22
Retry count: 15
Connected data source error code: 5
Connected data source error: Access is denied.


I don't get more information about this error, not in the eventvwr and not even in the FIM-Panel.

Maybe someone knows more about this issue; I would be very thankful for help solving this problem.

If more information is needed, let me know what kind.

Thank you

Creating a set or Reporting method without SCSM

I am trying to get some numbers on how many password resets have occurred in a specified amount of days/Months/years.

Is there a way to do this with sets? Or is this something done with FIM Powershell or FIM Query?

Thanks

Brandon

Automate Deleting a particular metaverse object using some script(powershell)

Hi,

We are using the Generic Rest API MA for Google (Naohiro) provisioning from FIM. For provisioning, we are using provision code and have mapped the FIM "Email" attribute to DN (Google), i.e. (FIM Email->dn) and FIM Email-->PrimaryEmail (Google), in MVExtension code. Now we have to change the PrimaryEmail value on Google. As 'PrimaryEmail' is used as the anchor attribute, we are unable to change PrimaryEmail through FIM Sync. So we came up with deleting/disconnecting the metaverse object and re-provisioning the user with the changed Email. So now we want to automate deleting a particular user from the metaverse.

Is there any way to automate the deletion of a specific user from the metaverse using some script (PowerShell or any other)?

Thanks

Prasanthi.


Unable to extract the hotfix rollup (build 1.0.419.911) for the Generic LDAP connector

Hi,

The Generic LDAP MA takes about 50 minutes to import 90 records from a target Oracle server.

So we looked for a hotfix, and came across this: https://support.microsoft.com/en-nz/kb/3008177

However, once we download this hotfix and try to extract it, we get the following error:

"An error has occurred while unzipping. One or more files were not successfully unzipped. The error code is 40."

We have tried to download and extract this file on 3 different computers, but get the same error message.

Please could someone from Microsoft fix the zip file please, or point us to the correct URL?

thank you,

SK

FIM Oracle MA: struct & aux class support?

Hi,

Does the built-in FIM 2010 R2 Oracle MA support structural, aux and extensibleObject classes?

Thanks,

SK

Email Notification/Email Template containing non-ascii characters getting converted to '?'

Trying to develop an Email Template for local user to Notify when a new AD account is created for the user.

The local language here norse/finnish/ has extended ascii characters in the alphabet e.g. ö ä å Æ æ Œ œ ø Ø þ Þ ð Ð

(I hope these are visible in the forum message, they are danish/norwegian and swedish/finnish characters)

These get scrambled when the Notification Email is built by FIM.

How do I start debugging this to track down what is wrong?

*HH

Access denied error - More than one boolean attribute in the same page

We have a tab in FIM that has 3 boolean attributes. 2 sets of users have different levels of access to those attributes. When one of the booleans is checked, FIM tries to set the value to false for the other 2 attributes and they get an access denied error. In RCDC, I changed the default value to false for all 3 attributes but am still getting the same error. Is there any other solution?

  <my:Property my:Name="Text" my:Value="Termination" />
  <my:Property my:Name="Checked" my:Value="{Binding Source=object, Path=ForceDeprovision, Mode=TwoWay}" />
  <my:Property my:Name="DefaultValue" my:Value="false" />




Ignite 2015: Upgrading from FIM to MIM and Azure Active Directory questions

Hi,

Have listened to this Ignite 2015 talk, and have a few questions: http://channel9.msdn.com/Events/Ignite/2015/BRK3857

  1. The roadmap goes as follows: FIM to MIM to AAD Connect. So will AAD Connect have a different Sync Engine from its predecessors? Will we still have a Metaverse, Connector Space, Management Agents, etc? Or is the entire architecture changing?
  2. Will AAD Connect still have the 'FIM Portal' equivalent?
  3. It almost sounds like AAD Connect will only support Declarative Provisioning, and will no longer support Rules Extensions, is this correct?
  4. Is there BHOLD in AAD Connect?
  5. Will the FIM deprecated features still be available in MIM? https://technet.microsoft.com/en-us/library/jj879229%28v=ws.10%29.aspx; and they will only be unavailable in AAD Connect?
  6. Comment: sounds like MIM 2016 will still support "FIM Reporting & SCSM combination". MIM will also be able to use Azure AD for Reporting (via an agent).

If anyone has any more questions/comments, please post.

Looking forward to the answers.

Thanks,

SK




Is it possible to force the EWS FIM Notification activity/Email Template to use the 'Text' BodyType property and not HTML?

What version of EWS libraries does FIM 2010 R2 Sp1 use?

I have traced the problem with FIM 2010 R2 SP1 Notifications via EWS down to the message to the BodyType. At least with our Exchange 2013 set up we get scrambled accented chars.

Writing a simple Powershell script to use the latest 2.2 EWS immediately highlighted the issue. Switching the BodyType has a profound effect.

Question is.. If I want, how can I configure FIM to use Text Emails always?

# Web Service Path
$EWSServicePath = "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"

# Importing WebService DLL
Import-Module $EWSServicePath

# Creating Service Object
$Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList Exchange2010_SP1

# Setting up Credentials
$user = "mydomain\fim.service"
$pass = "********"   # just a test ffs
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials -ArgumentList $user, $pass

# Setting up EWS URL for exchange.
$EWSurl = "https://mail.mydomain.com/EWS/Exchange.asmx"   # same as FIM config
$Service.URL = $EWSurl

# Setting up Email message Class
$message = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage -ArgumentList $service
$message.Subject = "This Message has been Created by EWS on my mail server"
$message.From = "fim.service@mydomain.local"
$message.ToRecipients.Add("harold.hare@mycompany.com")
$message.Body = "This is Test Message öäåÖÄÅ <br>Greetings, EWS Client 2.2"
$message.Body.BodyType = 'Text'   # works
#$message.Body.BodyType = 'HTML'   # likes the break but scrambles the scandies
$message.SendAndSaveCopy()

 

FIM SSPR - Portal can send e-mails, but SSPR gets "Unable to send a security code"

Hi all,

In the middle of retrofitting a test environment with OTP in SSPR and while FIM Portal sends my new user notifications fine, I am having troubles sending out the one-time-codes.

In SSPR, I enter the username, and it sits there for a while with a spinning wheel before erroring out with the message: Unable to send a security code.

When I review Event logs, I can see that the e-mail sending is timing out:

Any thoughts on why this might be? It works fine in production, but not in test - and the only difference between the two environments is that we're using EWS in Prod and SMTP relay in test... but again, I've verified the SMTP relay works.

- Ross


FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services


Consideration when applying FIM Database backups (DB Owner SID)

Hello,

We experienced an obscure issue in FIM that cost us a lot of time and effort.

I would like to share my experiences.

We recently applied a FIMService Database backup for our FIM environment, due to a failed change implementation.

After implementing the fallback database, everything was fine at first glance. After some weeks, I recognized that our criteria-based groups and sets in the FIM portal with date time filters didn't work as intended and the necessary MPRs didn't get fired.

Long story short, I figured out that the SQL Server Agent jobs hadn't run successfully since our fallback. In our case it was the FIM_TemporalEventsJob (this job evaluates temporal sets and policies, validates set and group membership, and runs daily by default).

https://technet.microsoft.com/en-us/library/ff830030%28v=ws.10%29.aspx

Recognized failure in the Job history:

'EXECUTE AS LOGIN' failed for the requested login “ServiceAccount”.  The step failed.

That was strange, because the ServiceAccount that runs the jobs is the owner of the FIMService database.

Further investigation revealed the following:

The database owner SID recorded in the master database differs from the database owner SID recorded in database 'XXXX'. You should correct this situation by resetting the owner of database 'XXXX' using the ALTER AUTHORIZATION statement.

To prove that the problem is in fact differing SIDs, I ran the following two SQL statements.

  • To get owner SID recorded in the master database for the current database
    SELECT owner_sid FROM sys.databases WHERE database_id=DB_ID()
  •  To get the owner SID recorded for the current database owner
    SELECT sid FROM sys.database_principals WHERE name=N'dbo'

They should return you SID values in the format of a GUID.

Now if the two SIDs differ, which they did in my case, it means that you need to reset the database owner so that both values are the same. To do this you can run another ALTER statement and pass in the owner value you want to use, e.g.

 ALTER AUTHORIZATION ON Database::XXXX TO [domain\user]

Once I had run this code the problem was fixed.

Hope this helps those having similar issues.

Thanks Fatih
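
The check described in the post above, generalized to every database on the instance and paired with a search of the SQL Server Agent history for the same failure. This is an added example, not part of the original post; it assumes a login that can read msdb and the listed databases, and the temp table name #owner_check is made up for the illustration.

```sql
-- Added example (not from the original post).
-- Part 1: for every accessible online database, compare the owner SID recorded
-- in master (sys.databases.owner_sid) with the SID of the dbo principal stored
-- inside the database itself. A restore from another server can leave them different.
SET NOCOUNT ON;

CREATE TABLE #owner_check (          -- hypothetical scratch table
    database_name sysname       NOT NULL,
    master_sid    varbinary(85) NULL,
    dbo_sid       varbinary(85) NULL
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND HAS_DBACCESS(name) = 1;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards the database name used in the three-part name
    SET @sql = N'INSERT INTO #owner_check (database_name, master_sid, dbo_sid)
                 SELECT d.name, d.owner_sid, p.sid
                 FROM sys.databases AS d
                 CROSS JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS p
                 WHERE d.name = @name AND p.name = N''dbo'';';
    EXEC sys.sp_executesql @sql, N'@name sysname', @name = @db;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Only mismatches are listed; an empty result means every owner SID agrees.
SELECT database_name,
       SUSER_SNAME(master_sid) AS owner_in_master,
       SUSER_SNAME(dbo_sid)    AS owner_in_database
FROM #owner_check
WHERE master_sid IS NULL OR dbo_sid IS NULL OR master_sid <> dbo_sid;

DROP TABLE #owner_check;

-- Part 2: Agent job steps that failed (run_status = 0) with the message from the post.
SELECT j.name AS job_name, h.step_name, h.run_date, h.run_time, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE h.run_status = 0
  AND h.message LIKE N'%EXECUTE AS LOGIN%'
ORDER BY h.run_date DESC, h.run_time DESC;
```

Running both parts after any database restore surfaces the mismatch before scheduled jobs have been failing silently for weeks.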


Quest FIM Powershell Snapin - Unable to install.

Hi,

I am trying to install the Quest FIM Powershell Snapin. I downloaded it from Codeplex and added the DLL "Quest.FIMPowershellSnapin.dll" into the assembly. In PowerShell I checked whether the snapin is registered or not, and the results showed that this Quest snapin is registered. But when I try "Add-PSSnapin Quest.FIMPowershellSnapin", it gives me an error:

Add-PSSnapin: Cannot load  windows powershell snapin "Quest.FIMPowershellSnapin.dll" because of the following error "The windows powershell snapin module Quest.FIMPowershellSnapin.dll does not have required  windows powershell snapin  strong name Quest.FIMPowershellSnapin version=1.0.0.0,Culture=neutral,PublicKeyToken=null".

Please help

Thanks

Prasanthi.

Migrating FIM Portal to a different Sharepoint Environment

I have been looking around.

We have decided to use the FIM portal more and our current system we have a separate sharepoint environment to house the FIM portal.

I cannot seem to find any examples, but we would like to migrate this FIM portal to a different sharepoint environment that our company is already using that way it has better infrastructure than the current shallow sharepoint we have.

Thanks

Russ


Russell Lema

Unique value on the export in C#

Hi all

I'm wanting to export a value to the CS which I want to be unique.

I've read a few pages regarding how this can be done using custom workflows etc., but I'm wanting to do the comparison based on what's in the CS rather than FIM/MV, as there are more objects (unrelated to FIM) in there that may already have this generated value.

I originally found the MV class utils.findmventries:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms698827%28v=vs.85%29.aspx

I'm wondering if there's something just like this but for the CS or is there a better way?


Event log errors - Application and FIM Operational

So I was just doing some checking up and making sure everything was running correctly, which it seems it is, but I have come across a lot of errors in the Windows logs attached to the FIMSync Service. Was wondering if anyone could give me any advice.

This is happening on our cycles, delta sync and exports

I know that some of the errors have to do with ADMIN accounts and the MA account does not have access to manage them. But not sure what the rest are

APPLICATION LOG ERROR

Forefront Identity Manager 4.1.3599.0

The server encountered an unexpected error in the synchronization engine:

 

 "BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sqlstore\csobj.cpp(8254): 0x80230404 (The operation failed because the attribute cannot be found)

BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sqlstore\csobj.cpp(8254): 0x80230404 (The operation failed because the attribute cannot be found)

BAIL: MMS(5504): d:\bt\37281\private\source\miis\shared\entry\tower.cpp(3989): 0x80004005 (Unspecified error)

ERR_: MMS(5504): d:\bt\37281\private\source\miis\shared\entry\tower.cpp(12133): BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sqlstore\csobj.cpp(1833): 0x80004005 (Unspecified error)

BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sync\expcall.cpp(905): 0x80004005 (Unspecified error)

ERR_: MMS(5504): d:\bt\37281\private\source\miis\server\sync\expbase.cpp(2957): PutAnchorWithDnInternal failed on CS object {0E6B94B6-4416-E211-ABF9-005056BA0089} with 0x80004005 (pass 1 of 5)

Forefront Identity Manager 4.1.3599.0"

The management agent controller encountered an unexpected error.

 

 "BAIL: MMS(5504): d:\bt\37281\private\source\miis\cntrler\cntrler.cpp(12498): 0x80004005 (Unspecified error)

BAIL: MMS(5504): d:\bt\37281\private\source\miis\cntrler\cntrler.cpp(9395): 0x80004005 (Unspecified error)

BAIL: MMS(5504): d:\bt\37281\private\source\miis\cntrler\cntrler.cpp(8158): 0x80004005 (Unspecified error)

Forefront Identity Manager 4.1.3599.0"

OPERATIONAL LOG ERROR – TONS OF THESE, NO OTHER DETAILS

HRESULT: '0x80230507' Source: 'd:\bt\37281\private\source\miis\server\rules\project.cpp(1635)' Thread ID: '0x109c' Additional Info: ''


Russell Lema


