Channel: Forum Microsoft Identity Manager

Encryption key to connect to DB at DR Site?


Hi all,

I'm planning to have a FIM server and a SQL Server for FIM at the DR site.

I'm not sure: when I install FIM at the DR site to connect to the SQL DB at the DR site (the SQL DB is replicated from DC to DR), does it require me to input an existing encryption key to connect to the DB at DR?

Anyone can help?

Thanks !








Export Add workflow of Webservice Connector for SAP


I have set up an Export Add workflow and a setpassword workflow to update the user in the Webservice connector for SAP,

but the workflow is not working as expected. If there are any references regarding this issue, please post the answers.

Send notification when a user is added to a security group


Hello,

I'm wondering if it's possible to send notifications to a user when they are added or removed from a security or distribution group. It seems like the default approval workflow for adding a user to a group does not do this.

thanks,

Josh

Synchronization Service Installation Failure - Error 25009 - sp_dbcmptlevel


Hello,

The title pretty much explains it all. I'm using SQL Server 2014 as a remote hosting DB server. I have the FIM Service and Portal installed and had no issues. But when installing the Synchronization Service, specifying the same DB server as the FIM Service and Portal, I get the following error:

Error 25009.  The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database.  Usage: sp_dbcmptlevel [dbname [, compatibilitylevel]].  I get this message at the very end of the install process.

I would imagine I'm going to get an answer that the synchronization service is not supported on SQL Server 2014, but I'm looking for a workaround.  The only thing I can think of is the synchronization service database is supposed to run in a compatibility mode no longer supported by SQL Server 2014.

But I checked the installation I have on SQL Server 2008 R2, and the Synchronization Service database is running in 2008 compatibility mode, just like the FIM Server db on the SQL Server 2014 installation.

Anyone have any ideas?


FIM 2010 R2 - How to clear a number attribute using workflow

One simple question: how to clear a number attribute or set it to null using a workflow?

FIM Hotfix Install Issue


I'm trying to apply the latest hotfix (4.1.3613.0) to a lab machine but hitting an error when updating the FIM Service. The install fails quickly, so I turned .msi logging on and can see this in the log:

invalid for package C:\Windows\Installer\20946a.msi. Expected product version == 4.1.2273.0, found product version 4.1.3114.0

Which is odd, as the Hotfix says "To apply this update, you must have Forefront Identity Manager 2010 R2 SP1 (build 4.1.3419.0 or a later build) installed." - which is what FIM tells me I have installed...

I'm going to try applying some intermediary hotfixes and see if that helps, but thought I would raise the issue in case anyone else has seen it.

Cheers,

Dave

Password Reset Portal for external users


Hello,

Does anyone have any experience with publishing a Password Reset portal for external users? We have many users that work remotely, what would be the best or most secure way for these users to access the password reset portal? Any information is appreciated.

thanks 

Loading MIM Connect VMs into Azure?


Hi,

The latest MIM VMs are zipped on Connect. Is there a way to get them into Azure, without having to download them first onto a local workstation? Is there a way to directly copy them from Connect into Azure?

Thanks,

SK


Sync-rule-validation-parsing-error FIM MA


Hi,

Running FIM 2010 R2 SP1 (4.1.3613.0) and have a very simple Outbound System Scoped Sync Rule, setting the following attributes:

  • initial password
  • initial DN

The sync rule works, as users are provisioned in the target system. However, the FIM MA generates the "Sync-rule-validation-parsing-error". Even if we remove all the attributes from the sync rule, the error continues to exist. We have also recreated the rule.

Any ideas why we're getting the error message (and the rule is working)?

Here is the extract of the Sync Rule:

<?xml version="1.0" encoding="utf-8"?>
<Results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ExportObject>
    <Source>http://localhost:5725/ResourceManagementService</Source>
    <ResourceManagementObject>
      <ObjectIdentifier>urn:uuid:9d587de2-5ed2-46a6-9354-e7a12865a55f</ObjectIdentifier>
      <ObjectType>SynchronizationRule</ObjectType>
      <IsPlaceholder>false</IsPlaceholder>
      <ResourceManagementAttributes>
        <ResourceManagementAttribute>
          <AttributeName>ObjectID</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>urn:uuid:9d587de2-5ed2-46a6-9354-e7a12865a55f</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ConnectedObjectType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>businessperson</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ConnectedSystem</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>{57C9FB04-B024-4E6C-BBED-CEBF930EBD1B}</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>CreateConnectedSystemObject</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>True</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>CreatedTime</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>17/05/2015 12:05:35 a.m.</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>CreateILMObject</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>False</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>Creator</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>urn:uuid:6f478f0e-9205-4082-870e-9616f96ccf45</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>DisconnectConnectedSystemObject</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>False</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>DisplayName</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>LDAP Sync Rule</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>FlowType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>1</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ILMObjectType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>person</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>InitialFlow</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>true</IsMultiValue>
          <Values>
            <string>&lt;export-flow allows-null="false"&gt;&lt;src&gt;Password1&lt;/src&gt;&lt;dest&gt;userpassword&lt;/dest&gt;&lt;scoping&gt;&lt;/scoping&gt;&lt;/export-flow&gt;</string>
            <string>&lt;export-flow allows-null="false"&gt;&lt;src&gt;&lt;attr&gt;uid&lt;/attr&gt;&lt;attr&gt;ldapOu&lt;/attr&gt;&lt;/src&gt;&lt;dest&gt;entrydn&lt;/dest&gt;&lt;scoping&gt;&lt;/scoping&gt;&lt;fn id="+" isCustomExpression="false"&gt;&lt;arg&gt;"uid="&lt;/arg&gt;&lt;arg&gt;uid&lt;/arg&gt;&lt;arg&gt;",ou="&lt;/arg&gt;&lt;arg&gt;ldapOu&lt;/arg&gt;&lt;arg&gt;",o=company.org"&lt;/arg&gt;&lt;/fn&gt;&lt;/export-flow&gt;</string>
          </Values>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ObjectType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>SynchronizationRule</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>Precedence</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>1</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>RelationshipCriteria</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>&lt;conditions/&gt;</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ManagementAgentID</AttributeName>
          <HasReference>true</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>urn:uuid:8a6b60b0-b286-4cc8-9b0f-cdf043cd41ec</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>msidmOutboundIsFilterBased</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>True</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>msidmOutboundScopingFilters</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>&lt;scoping&gt;&lt;scope&gt;&lt;csAttribute&gt;company&lt;/csAttribute&gt;&lt;csOperator&gt;EQUAL&lt;/csOperator&gt;&lt;csValue&gt;LDAP&lt;/csValue&gt;&lt;/scope&gt;&lt;/scoping&gt;</Value>
        </ResourceManagementAttribute>
      </ResourceManagementAttributes>
      <LocalizedResourceManagementAttributes />
    </ResourceManagementObject>
  </ExportObject>
</Results>


Need Help initial setup. FIM Service to AD.


I was wondering if anyone might be able to help me with my initial setup of FIM 2010R2.  I have imported HR information to FIM Service and I can see all of my users via the portal.  I have created my ADMA, Outbound Sync Rules, set, ERL and Workflow. When I perform an import and sync of my FIMMA, I see all of my users, and when I look at their connectors I see my HRMA and FIMMA, but not my ADMA.  When I pull up a user's provisioning in the portal, I see my AD Users Outbound rule, but with a sync rule status of pending.

Any help would be awesome.  Thanks in advance!

Deprovision access denied


I have deleted some user objects from the FIM portal but get "access denied" errors when I want to "export" those deletions to AD. Creating & modifying user objects from FIM to AD has no issues.

Checked the FIM ADMA account but that appears to have the right permissions to delete objects from that particular OU and downwards. What am I missing?

Thanks,

JD

RCDC Questions


Where to start?

First, what editor do you use to edit these things?  When I export one out of FIM, then load it into Visual Studio, it's all one line.  So, to get it "pretty" formatted, I copy and paste that into a new XML file.  But, even if I immediately save the pretty formatted file and try to reload it into FIM, I get an error at the bottom of the RCDC page: "There's an error in the <resourcetype> display configuration.  Please contact your system administrator".

If I strip the whitespace and <cr><lf> from the file (turn it back into one line) I can import it and it works.  Is FIM so sensitive to white spaces?

Second, in reviewing the Resource Control Display Configuration XML Reference document, it seems as if modifying these things should be very simple.  All the references and the XSD make sense.  But, it's a crap shoot as to whether the changes are going to be taken by FIM or not.  Even modifying simple attributes like the height of a text box cause the error listed above.  I've had limited success in modifying these things and it's becoming quite frustrating.

Thanks,

Greg

Restrict FIM portal access

We have a FIM SSPR that imports users from active directory to the portal. The goal is to restrict all the users from accessing the fim portal (https://fimserver/identitymanagement/) except for the helpdesk and the administrators so that the implementation supports only SSPR portion. How can we achieve this? I have skimmed through the FIM portal customization part. But is there a way to restrict access to the portal altogether for general users?

Accessing to FIM Portal - Unable to process your request


Hi

I am facing an issue where users can't access the FIM Portal. It doesn't matter whether you are a normal user or an admin. The error message is always the same, "Unable to process your request".

Also, I have managed to get a detailed error message from the portal, but it points me nowhere. It is below:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key) +274
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache() +118
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap() +63
   Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth() +90
   Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e) +49
   System.Web.UI.Control.PreRenderRecursiveInternal() +154
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4105



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34248 

Any ideas what to do next?

Group Flow from FIM to AD


Hello,

Since the information normally flows from AD to FIM. I want to change the flow for Group Management, where the flow is from FIM to AD. So FIM would be in charge of adding and removing users from certain groups. When I did the switch, some Users that had their Primary Group set in AD had that group removed by FIM from the "Members of" for that user after the switch, and were assigned Domain Users (513) as their Primary Group. I had to go back and fix their Primary Groups. Is there a way to prevent that from happening?

Or is there a Synchronization Rule I can write up with a "Custom Expression" as for Inbound/Outbound?

Thanks


How to Configure Detailed Error Pages for the FIM Portal - FIM 2010 R2


I am trying to configure detailed error pages for Fim Portal using this article:

How to Configure Detailed Error Pages for the FIM Portal

The problem is that I am using Fim 2010 R2 and I think that the article above is for Fim 2010.

There is (at least) one difference in the web.config file. The article says "Enable the ILMError HTTP module", but in my web.config file there is no ILMError in the httpModules section. Anyway, ILMError is in the modules section and I edited it as the article says.

Unfortunately, now when I am connecting to the portal, I get this error message every time:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key) +274
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache() +118
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap() +63
   Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth() +90
   Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e) +49
   System.Web.UI.Control.PreRenderRecursiveInternal() +154
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4105



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.33440 

So the case is I get that error message above straight after enabling detailed error pages. I think I shouldn't get that error message when the portal is working, and now the error message is saying that my modifications broke something.

Any comments or ideas or something? Has the configuration changed for Fim 2010 R2?

FIM CM Online Update - Pass collected data to one-time password email


Hi all,

I'm trying to figure out this:

We have a web server profile template that collects FQDN and passes it to the certificate template when enrolled, works just fine. Now I'm trying to set up online update scenario that emails the subscriber of the web server certificate that the certificate needs renewal, but I'm stuck on passing the FQDN that was collected during the initial enrollment phase to the email body during the one-time passwords distribution. Is it really so, that I can only use these variables in the one-time password emails:

  • {SecretX} where X is 1 or 2
  • {User}
  • {Manager}
  • {Originator}
  • {User!Attribute}
  • {Manager!Attribute}
  • {Originator!Attribute}
  • {SCSerialNumber}
  • {SCPIN}
  • {SCSequence}
  • {LongDate}
  • {ShortDate}
  • {LongTime}
  • {ShortTime}

Since the data is there in the FIMCM database, I would assume that it could be used in this kind of scenario?

FIM SSPR and Azure AD

We are looking into setting up an Azure AD instance toward the end of this year. I was wondering if it would be possible to use the FIM registered security questions in the Azure AD setup?

Provision 'person' object from MV into Office365 / Azure Active Directory as a 'contact' object


Hi,

Is it possible to do the above based upon the person's email address?

Thanks,

Matt

MIM 2015
