Channel: Forum Microsoft Identity Manager

Using FIM 2010 R2 to perform GALsync and create unique email addresses in a Multiple Forest with Shared Email Namespace environment


Hello All,

I have a Multiple Forest environment that has a shared single namespace, ILM 2007 is currently performing GALsync and as part of that sync ensures that users have a unique email address. The ILM server is running on Server 2003 and needs to be replaced as part of the End Of Support of Server 2003.

The environment looks like this:

SMTP Domain - company.com

Domain1.com - Exchange 2010 - This is the owner of our SMTP domain and where all email is delivered to; there are send connectors configured to forward email on to domain2 and domain3 based on target address
Domain2.com - Exchange 2007 - This is a part of the company that has its own IS - users have a contact in domain1.com with target address of @e2k07.domain2.com
Domain3.com - Exchange 2010 - This is a company that was acquired - users have a contact in domain1.com with target address of @e2k10.domain3.com

The ILM service is the glue that ensures the GALs are synced across all three environments and most importantly all users have a unique email address.

Email address provisioning happens as follows:

Domain1 - users are created email enabled with whatever email address is available, e.g. joe.blogs@company.com

Domain2 - users are created with an email address that has a prefix, domain2_joe.blogs@company.com. When the ILM service runs its management agents it then assigns the user an available email address, e.g. joe.blogs2@company.com, which is set as primary. It also creates a secondary address of joe.blogs2@e2k07.domain2.com. ILM will also create contacts in domain1 and domain3 for the user with the target address of joe.blogs2@e2k07.domain2.com

Domain3 - users are created with an email address that has a prefix, domain3_joe.blogs@company.com. When the ILM service runs its management agents it then assigns the user an available email address, e.g. joe.blogs3@company.com, which is set as primary. It also creates a secondary address of joe.blogs3@e2k07.domain2.com. ILM will also create contacts in domain1 and domain3 for the user with the target address of joe.blogs3@e2k07.domain3.com

To add more complexity - Domain4.com - Exchange 2013 / O365 Hybrid - This is a new domain that users from Domain2 and Domain3 will be migrating to - users will have a contact in domain1.com with target address of @e2k13.domain4.com (This domain is not currently configured in ILM)

My problem is that I was not involved in the original implementation of the ILM server and it looks like the 3rd party that was brought in to do it wrote some custom DLLs to carry out the required work.

What I would like to do is implement FIM 2010 R2 to replace the ILM server, running FIM on Server 2012 R2 with SQL 2012 SP2.

So following these two guides;
https://www.winsec.nl/2012/10/08/installing-fim-2010/
http://www.msexchange.org/articles-tutorials/exchange-server-2010/migration-deployment/deep-dive-into-rich-coexistence-between-exchange-forests-part1.html

Which are both excellent!

I have built the new FIM server and have configured a couple of Management Agents for Active Directory global address list (GAL) for domain2 and domain4, and so far have run the Full Import (Stage Only) and then Full Synchronization to populate the Metaverse and that appears to work.

My next step is to setup the MA to connect to Domain1 and then populate the Metaverse

After that I am afraid that my searching of the interweb is drying up on the method to provision a unique email address and create the contacts in the other domains with the target addresses.

I was planning to configure the email address creation rules (once I figure out how to do it) to work on Domain4 and write contacts into Domain3 so we could test that the logic all works without impacting the mail flow of the primary (Domain1), then once happy introduce it to the other domain and decommission the ILM service.

This article https://technet.microsoft.com/en-us/magazine/ff472471.aspx suggests that with FIM 2010 I won't need to use code but rather the Codeless Provisioning option to set up the email address creation rules?? I have yet to set up the FIM Portal server though.

This article was going in the direction that I needed however was never completed - https://ibrahimnore.wordpress.com/2012/09/02/cross-forest-smtp-namespace-sharing-part-1/

Has anyone had any experience with a similar requirement?

I have been documenting my steps so far in setting up the FIM 2010 server and will be more than happy to share / publish the entire process once it is completed

Many thanks in advance for any help

Graham

As a footnote, if anyone was wondering, the current Free / Busy is being managed by an InterOrg service! We will be moving to using the MS Federation Gateway and setting Organization relationships for the Free / Busy.

Migrating an ECMA1 to an ECMA2


Hi all,

I have several custom ECMA1 MAs that have started to behave pretty badly after I upgraded to FIM R2, as there are some undocumented changes in the way FIM reacts to exceptions thrown by the MAs.

I would need to "migrate" my old custom management agents to ECMA2 management agents, and I was wondering if there would be a way to change the type of the existing ones to Extensible Connectivity 2 without creating a brand new MA and re-configuring everything, and migrating all the existing data.

Is this possible at all?


Paolo Tedesco - http://cern.ch/idm

FIM disconnects involuntarily contacts in resource forest


Hello,

I'm relatively new to FIM and because of a new job back at doing MS servers again.
FIM is part of a MS Lync 2013 installation for one special customer.

Customer manages his AD himself, puts Accounts into a special security group, if Lync should be activated.

Lync is installed in own forest, with trust to customer forest.

FIM creates contacts in resource AD for customer's real accounts. Powershell script updates contacts into forest's lync-group.
Just FIM sync is used, every 30 minutes, with 4 profiles and lcssync.dll used for deprovisioning.

From time to time FIM "sees" delete of e.g. customer\user1234, in my resource forest this contact loses all its attributes, hence the group.
It was removed from Lync but Lync-enable script will try to enable "him" again and runs into error:

-ERROR- enabling   () for Lync
CN=user1234,OU=CUSTOMER,DC=blabla,DC=net
Cannot bind argument to parameter 'Identity' because it is null.

Some time later, I check in customer's AD for account customer\user1234 and it's not deleted nor disabled and "it" has all attributes.
In FIM this connector is placed into "explicit disconnectors" of CUSTOMER AD.
Here I'll do a fix of the problem.

But what's the reason for FIM to see a delete of customer\user1234?
Is there any way to tell?

Thanks for your advice!

Bye,

Jens



Does FIM have an out of the box MA for Oracle Unified Directory?


Hi,

Does FIM have an out of the box MA for Oracle Unified Directory 11G R2?

Will the out of the box "Management Agent for Oracle (previously Sun and Netscape Directory Servers)" work here?

Thanks,

SK

What are the minimum permissions needed to be given to a domain account so they can view FIM Reports?


We have managed to install FIM Reports. I (as a FIM admin) can view them either via the Service Manager Console or via the Reporting Server no problem.

We want an "ordinary" user to be able to browse for and load a Report e.g. User History.

I guess the choice is either access the SM Console or Reporting Server.

I am having a hard time getting a non-admin user to see these Reports via SM Console!

I have granted a user ( mydomain\fim.reportuser ) Browser role in the Report Server security. To see a Report that user HAS to type a long URL (our DW is on a separate sql instance SCSMDW) like:

http://mySQLReportServer/Reports_SCSMDW/Pages/Report.aspx?ItemPath=%2fSystemCenter%2fServiceManager%2fForefront.IdentityManager.Reporting%2fFIMUserHistory

I guess each FIM Report URL *could* be hidden on the Portal as a link but what I hope for is to allow the user to browse for it, i.e. get rights to see Forefront.IdentityManager.Reporting and from there choose one of the 8 standard reports available.

What are the MINIMUM rights an account needs to EASILY access FIM Reports one way or another?

Installing FIM hotfix FIMService_x64_KB3048056 fails


I tried to install the FIM hotfix for service and portal, FIMService_x64_KB3048056. It just fails. Using msiexec I managed to get a log file which says this:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: The Web application at http://sp.site.net could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application.
   at Microsoft.SharePoint.SPSite.LookupSiteInfo(SPFarm farm, Boolean contextSite, Boolean swapSchemeForPathBasedSites, Uri& requestUri, Boolean& lookupRequiredContext, Guid& applicationId, Guid& contentDatabaseId, Guid& siteId, Guid& siteSubscriptionId, SPUrlZone& zone, String& serverRelativeUrl, Boolean& hostHeaderIsSiteName, Boolean& appWebRequest, String& appHostHeaderRedirectDomain, String& appSiteDomainPrefix, String& subscriptionName, String& appSiteDomainId, Uri& primaryUri)
   at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, Boolean swapSchemeForPathBasedSites, SPUserToken userToken)
   at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, SPUserToken userToken)
   at Microsoft.SharePoint.SPSite..ctor(String requestUrl)
   at Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.VerifyClaimsAuthenticationOff(Session session)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction VerifySharePoint2013ClaimsAuthenticationOff returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
What is wrong?

ECMA2 management agent capabilities


I'm writing an ECMA2 MA, and I'm implementing the IMAExtensible2GetCapabilitiesEx interface.

It looks like the GetCapabilitiesEx method is called only when the Management Agent is created, and every time the MA dll is updated, which makes development very hard.

Could anyone confirm if this is actually the case or I'm getting something wrong?

Is there a way to force the update of an existing MA capabilities?


Paolo Tedesco - http://cern.ch/idm

Synchronization


I am looking to establish the following scenario.

I have two MA's: FIMMA and ADMA

I want to create a Distribution Group through FIM Portal (FIMMA). Also I want to make all the changes to the group only through the AD (NOT through the FIM Portal). I have created both Outbound Sync rules (to push the group to AD upon creation) and Inbound Sync rules (to push the changes to the FIM Portal).

Since I want to make all the changes to a group through AD, I have set ADMA with higher precedence than FIMMA for the Group attributes. This is pushing the group to the AD, but not pushing the attribute values. This happens similarly the other way if I change the precedence. If I set equal precedence, I am able to push the group with all the attributes to the AD, but the changes in the AD are not pushed to the MV.

I am a little confused at this point. Is there a way to handle the situation? Any help will be much appreciated.


BHOLD-change the bhold portal name


Hi,

Please suggest options to change the name of the BHOLD portal to a user-friendly name.

Regards


shakti


Request: better support for Extensible Connectivity Management Agents development


Hi all,

After I updated to FIM 2010 R2, I discovered that my custom ECMA1 MAs were broken, while in theory they should just be deprecated but continue to work regularly, and this is forcing me to migrate all my existing MAs to ECMA2.

Therefore, I would like to start a discussion about the development of Extensible Connectivity Management Agents, because I think that there's room for some serious improvements.

Problem: ECMA2 Management Agents are hard to develop and debug

Every time I modify something in the MA, I have to manually refresh the interfaces from the Synchronization Service console.
This is very annoying, for example, if I just fixed a bug, without adding/removing interfaces or changing configuration parameters.

Since the MA dll is loaded only when the MA is being executed, it's impossible to attach a debugger.
This forces me to insert Debugger.Launch() statements in the code.

I recently discovered that the GetCapabilitiesEx method of the IMAExtensible2GetCapabilitiesEx interface is called only when the Management Agent is created, and not when the dll of the MA is updated.
This implies that if I'm developing a new MA, I must get the capabilities right at the first attempt, otherwise I'll have to delete the MA and create a new one, which also means that I'll have to reconfigure everything.

Proposal: it would be nice to have a "development mode" option for Management Agents, which could make the MA work differently than in "production mode". For example, in "development mode" the MA could reload the capabilities on demand, ignore dll changes (it will be my responsibility to refresh the interfaces if I know it is needed), and we could have an option to run a profile (or refresh the schema) attaching a debugger at the same time.

Problem: Documentation for ECMA2 Management Agents could be improved and is scattered around

The documentation for many interfaces or methods seems to be automatically generated, and is not very helpful.
This is the case, for example, of the IMAExtensible2GetCapabilitiesEx.GetCapabilitiesEx Method.
The relevant information for that method is instead at a generic "What's New in ECMA 2.2" page, which states that the capabilities page will not appear when editing an existing ECMA 2.2 connector: this information should be in the documentation of the method itself.

Several pages, like IMAExtensible2CallImport.GetImportEntries and IMAExtensible2GetSchema.GetSchema provide a link to a generic page for "Return values, Errors, and Exceptions" instead of specifying what the method should return.

Proposal: I think that the documentation would be greatly improved if

  • all the relevant information for each topic was in a single place
  • it was stated clearly when the methods of each interface are called by the system
  • it was clearly specified what each method is expected to return, which exceptions it is expected to throw and how the system will react to them.

Please comment

If you have experience developing custom management agents, please share your opinions here.
I think that this situation should definitely be improved, and maybe some of these remarks could be taken into consideration for future developments.
Extensibility is, in my opinion, the most important feature of FIM, and having a better support for development would allow creating better quality custom Management Agents.

Paolo Tedesco - http://cern.ch/idm

Why do both soft tokens work? (this prob doesn't belong in Forefront but it was the only selection avail)


Hi all -

Trying to wrap my head around what I suspect is an easy answer.  In light of the recent LastPass 'hack' I decided to enable two-factor authentication.  I had Google authenticator already on my iPhone but as a MSFT person decided to download and install MSFT authenticator as well.  I enrolled both applications with LastPass by scanning a bar code into each.

When I log into LastPass it prompts for my soft token code from Google Authenticator which works a treat.  What perplexes me is that I can ALSO use my MSFT Authenticator soft token, which is a completely different code, to authenticate.

How can I use one of two very different codes to authenticate?  How does LastPass know which authenticator I'm using?  I'm very confused but I'm sure it all makes sense.  Does anyone have a layman's explanation?

System.NullReferenceException: Object reference not set to an instance of an object.


Hi all

I'm having some issues with the codeless provisioning framework from Granfeldt. Long story short, I'm simply synchronising AD accounts from one AD forest to another. And I would like to achieve this without the use of FIM Service and Portal. So I have tried to achieve this with the sample script and dll from Granfeldt.

But I'm a bit new at this and am getting this error on full import and full sync from the Source AD.

System.NullReferenceException: Object reference not set to an instance of an object.
   at Granfeldt.MVEngine.Provision(MVEntry mventry)

This is the content of the FIM.MRE.xml:

<?xml version="1.0" encoding="utf-8"?>
<RulesFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <DisableAllRules>false</DisableAllRules>
  <Rules>
    <Rule>
      <Name>provision person to ad13180lyn</Name>
      <Description></Description>
      <TargetManagementAgentName xsi:type="xsd:string">ad13180lync</TargetManagementAgentName>
      <Enabled>true</Enabled>
      <SourceObject>person</SourceObject>
      <TargetObject>user</TargetObject>
      <Action>provision</Action>
      <InitialFlows>
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <Constant>CN=#mv:displayName#,OU=ImportedAccounts,OU=Users,OU=ad13180lyn,DC=ad13180lyn,DC=ddc,DC=intra</Constant>
          <Target>[DN]</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <Constant>Passw0rd</Constant>
          <Target>unicodePwd</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <Constant>514</Constant>
          <Target>userAccountControl</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowAttribute">
          <Source>accountName</Source>
          <Target>sAMAccountName</Target>
        </AttributeFlowBase>
      </InitialFlows>
    </Rule>
  </Rules>
</RulesFile>

Does anybody see any issues with this xml file?

I really would like to make this as simple as possible, just import the accounts and provision them into ImportedAccounts OU, disabled state.


Andre


What are FIM SQL database DR supported scenarios?


Hi,

What are FIM SQL database DR supported scenarios?

SQL Clustering?

SQL Log Shipping?

Mirroring?

etc?

thanks,

SK

Website using LDAP integrated not audit in Windows Logs of Domain Controllers


Dear all,

I have a new question from my customer.

They have some internal websites, when users open homepage need logon via domain\user account. Using LDAP char to connect Active Directory, ex: cn=Users, dc=contoso, dc=com

The GPO of domain will lock account If logon failed 10 times. They tested by logon with wrong password on clients, that is Ok, GPO work fine, the user locked, take 30 minutes to re-login.

But, the user logon when open website's homepage, also logon fail more than 10 times, the user is NOT "lock". Why is that?

I looked in Windows Logs on Domain controllers and did not find the audit event ID (I had enabled success/fail logon audit)

Many thanks for your support!

HoangTT

"Object doesn't have a parent object in management agent X" - Connector space for new MA needs to be initialized in some way?


Note that this FIM installation does not have the portal available, so everything needs to be handled via code and/or the synchronization manager

I am in the process of developing and setting up a new MA for provisioning users to an external system. I wish to use a local SQL database for storing the connector space data, and I've set it up so that the schema is determined from the structure of the database tables and their columns. I have defined one column "recordId" to serve as anchor and configured it as such in the MA configuration in the synchronization manager.

We have set up an extension for handling provisioning etc within the metaverse, and I have added my MA there. However, when I try to do synchronization, I get error messages about:

System.InvalidOperationException: The DN must be set before calling CSEntry.CommitNewConnector.
   at Microsoft.MetadirectoryServices.Impl.ConnectorImpl.Commit()
   at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in c:\FIM\Solutions\MVExtension\MVExtension.cs:line 344

If I try to set the DN explicitly with CSEntry.DN before calling CSEntry.CommitNewConnector(), I get error messages about:

"Object <DN-value> doesn't have a parent object in management agent <MA>"

This makes me wonder if I need to do some kind of initialization of the connector space or something special when I start using this new MA for the first time in this FIM implementation, or perhaps there is something else entirely. Any and all advice on how to get this sorted out is welcome!


Any update on MIM 2016 RTM release date?


Any update on MIM 2016 RTM release date?

I wouldn't hold you to it :-)

Thanks


Password synchronization Extension


I have 2 MAs: AD MA and SQL MA

I want to synchronize the password from AD to SQL.

SQL has the following table

FirstNameLastNameEmployeeType EmploymentStatus EmployeeIDOfficeTelephoneMobilePhone IDAppPassword

PCNS is installed with target specified. Password management is enabled under Tools -> Options, for the AD MA and SQL MA

I have written a password extension for the SQL MA

using System;
using System.IO;
using System.Xml;
using System.Text;
using System.Collections.Specialized;
using Microsoft.MetadirectoryServices;
using System.Data.SqlClient;

namespace Miis_PasswordManagement
{
    public class MAPasswordManagement :
        IMAPasswordManagement
    {
        //
        // Constructor
        //
        public MAPasswordManagement(
            )
        {

        }


        public void BeginConnectionToServer(
            string connectTo,
            string user,
            string password
            )
        {
            try
            {
                string connectionString = null;
                SqlConnection cnn;
                connectionString = "Data Source=win2k8base;Initial Catalog=TelephoneDB;Integrated Security=SSPI";
                cnn = new SqlConnection(connectionString);
                cnn.Open();
            }
            catch (Exception Ex)
            {
                //
                // TODO: Remove this throw statement if you implement this method
                //
                //throw new EntryPointNotImplementedException();
                throw new UnexpectedDataException("Error Begintoconnect" + Ex);
            }
        }

        public void EndConnectionToServer(
            )
        {


            //cnn.close();
            //
            // TODO: Remove this throw statement if you implement this method
            //
            //throw new EntryPointNotImplementedException();
        }

        public ConnectionSecurityLevel GetConnectionSecurityLevel(
          )
        {
         //
            // TODO: Remove this throw statement if you implement this method
            //
           throw new EntryPointNotImplementedException();
        }

        public void SetPassword(
            CSEntry csentry,
            string  NewPassword
            )
        {
            try
            {
                SqlCommand sqlCmd = new SqlCommand();
                string DN = csentry.DN.ToString();

                String SQLString = "UPDATE [TelephoneDB].[dbo].[EmployeesData] SET [AppPassword] = '" + NewPassword + "' WHERE ID = '" + DN + "'";
                sqlCmd.CommandText = SQLString;
                //sqlCmd.connection = sqlconnection;
                sqlCmd.ExecuteNonQuery();
                sqlCmd.Dispose();
            }
            catch (Exception Ex)
            {
                throw new UnexpectedDataException("Error SetPassword" + Ex);
                //

                // TODO: Remove this throw statement if you implement this method
                //
                //throw new EntryPointNotImplementedException();
            }
        }

      public void ChangePassword(
        CSEntry csentry,
      string  OldPassword,
      string  NewPassword
            )
       {
            //
            // TODO: Remove this throw statement if you implement this method
            //
            //throw new EntryPointNotImplementedException();
      }

        public void RequireChangePasswordOnNextLogin(
            CSEntry csentry,
            bool    fRequireChangePasswordOnNextLogin
            )
        {
            throw new EntryPointNotImplementedException();
        }
    }
}

PCNS is getting the password and sending it to SQL. It is able to get the DN for which it needs to set the password

 Event 

A password notification was successfully staged for synchronization. 

Additional information: 
Reference ID: {1A8ED5DB-2A17-4FE9-A28D-43C354461B4B} 
Target Object GUID: {A409AC81-A17F-E411-B681-000C29F9D1D0} 
Target MA Name: Telephone 
Target DN: 2

But then FIM sync fails with following error

A password synchronization set operation has failed in a target connected data source. 
 
Additional information: 
Tracking ID: {C2061DB0-61D1-49EB-92B1-07DA6E747284} 
Reference ID: {1A8ED5DB-2A17-4FE9-A28D-43C354461B4B} 
Target Object GUID: {A409AC81-A17F-E411-B681-000C29F9D1D0} 
Target DN: 2 
Target MA Name: Telephone 
Retry Count: 1 
ErrorCode: 0x80230730 
ErrorString: (The password extension does not implement the entry point.)

Any suggestions?


AdiKumar
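
The extension from the post above, reworked as an added example (not code from the original post or from Microsoft): the connection is kept in a field and attached to the command, the UPDATE is parameterized instead of concatenating NewPassword and the DN into the SQL text, and GetConnectionSecurityLevel returns a value, where the posted version throws EntryPointNotImplementedException, which matches the "does not implement the entry point" error text. Server, database, table and column names are taken from the post; the parameter types and sizes and the Encrypt setting are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using Microsoft.MetadirectoryServices;

namespace Miis_PasswordManagement
{
    public class MAPasswordManagement : IMAPasswordManagement
    {
        // Held as a field so SetPassword and EndConnectionToServer use the
        // connection opened in BeginConnectionToServer.
        private SqlConnection connection;

        public void BeginConnectionToServer(string connectTo, string user, string password)
        {
            var builder = new SqlConnectionStringBuilder
            {
                DataSource = "win2k8base",        // from the post
                InitialCatalog = "TelephoneDB",   // from the post
                IntegratedSecurity = true,
                // Assumption: the SQL Server presents a certificate the sync host
                // trusts, so the password does not cross the wire in clear text.
                Encrypt = true
            };
            connection = new SqlConnection(builder.ConnectionString);
            connection.Open();
        }

        public void EndConnectionToServer()
        {
            if (connection != null)
            {
                connection.Dispose();
                connection = null;
            }
        }

        public ConnectionSecurityLevel GetConnectionSecurityLevel()
        {
            // Report Secure only because Encrypt = true is set above;
            // return NotSecure if the connection is not encrypted.
            return ConnectionSecurityLevel.Secure;
        }

        public void SetPassword(CSEntry csentry, string NewPassword)
        {
            if (connection == null || connection.State != ConnectionState.Open)
                throw new InvalidOperationException("SetPassword called without an open connection");

            string dn = csentry.DN.ToString();
            const string sql =
                "UPDATE [dbo].[EmployeesData] SET [AppPassword] = @pwd WHERE [ID] = @id";
            try
            {
                using (var cmd = new SqlCommand(sql, connection))
                {
                    // Values travel as parameters and never become SQL text.
                    // Sizes are assumptions; match them to the real column definitions.
                    cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 256).Value = NewPassword;
                    cmd.Parameters.Add("@id", SqlDbType.NVarChar, 64).Value = dn;

                    int rows = cmd.ExecuteNonQuery();
                    if (rows != 1)
                        throw new UnexpectedDataException(
                            "SetPassword updated " + rows + " rows for DN " + dn);
                }
            }
            catch (SqlException ex)
            {
                // Log the DN and SQL error number only, never the password
                // or the full exception dump.
                throw new UnexpectedDataException(
                    "SetPassword failed for DN " + dn + ", SQL error " + ex.Number);
            }
        }

        public void ChangePassword(CSEntry csentry, string OldPassword, string NewPassword)
        {
            // The event in the post is a password *set* operation; change is not supported here.
            throw new EntryPointNotImplementedException();
        }

        public void RequireChangePasswordOnNextLogin(CSEntry csentry, bool fRequireChangePasswordOnNextLogin)
        {
            throw new EntryPointNotImplementedException();
        }
    }
}
```

As in the post, the value is written to AppPassword exactly as received; whether the consuming application could accept a salted hash instead is not something the post shows.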

updating the anchor value for SQL MA from FIM provisioning code


I'm provisioning a record from AD into a SQL table using FIM 2010 R2 Synchronization Engine.

The provisioning works fine. I'm taking the AD user object and FIM runs the provisioning code to create a record in SQL table. Here is my table design. Basically I'm taking the AD user and FIM is writing a record in SQL for that user. This part is working fine.

CREATE TABLE [dbo].[tbl_FGPP_Members](
	[MemberObjectGUID] [varbinary](50) NULL,
	[MemberDN] [nvarchar](255) NOT NULL,
	[MemberObjectType] [nvarchar](10) NOT NULL,
	[Member_ADDomain] [nvarchar](16) NULL,
	[Member_sAMAccountName] [nvarchar](64) NULL
) ON [PRIMARY]

So on FIM SQL management agent I'm using 'MemberDN' as the anchor attribute. I could have used MemberObjectGuid but for troubleshooting memberDN is better as it contains a string value (distinguished name of the user from AD).

When an AD account is renamed or moved within an AD domain, its distinguishedName will change. Since MemberDN is the anchor which is taking the distinguishedName value from AD in the provisioning code, I cannot just create a flow rule to update it. I was told I could write some code to update it from the MVExtension provisioning code. So here is how I'm trying to do it:

        void IMVSynchronization.Provision(MVEntry mventry)
        {
            ConnectedMA sqlFGPPUser;

            switch (mventry.ObjectType)
            {
                case "FGPPUser100":
                    sqlFGPPUser = mventry.ConnectedMAs["DGROUPS - USERS SQL MA"];
                    // mvObjectType is not declared in the posted snippet; presumably a class field
                    mvObjectType = "FGPP100SQLUser";

                    if (sqlFGPPUser.Connectors.Count == 0)
                    {
                        // No connector yet: create the SQL record
                        createFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    else if (sqlFGPPUser.Connectors.Count == 1)
                    {
                        // Connector exists: check whether the DN has changed
                        updateFGPPUsersInSQL(mventry, sqlFGPPUser);
                    }
                    break;
            }
        }



        void updateFGPPUsersInSQL(MVEntry mventry, ConnectedMA sqlFGPPUser)
        {
            CSEntry csentry;
            ReferenceValue dn;

            csentry = sqlFGPPUser.Connectors.ByIndex[0];
            dn = sqlFGPPUser.EscapeDNComponent(mventry["ADdistinguishedName"].Value);

            if (mventry["ADdistinguishedName"].Value.ToLower() != csentry.DN.ToString().ToLower())
            {
                try
                {
                    csentry.DN = dn;
                }
                catch (Exception Ex)
                {
                    throw new Exception("Exception Message: Exception encountered while renaming the MemberDN " + Ex.Message.ToString());
                }
            }
        }

However, when I rename the AD user and import and then run sync run profile, I get the following error:

System.Exception: Exception Message: Exception encountered while renaming the MemberDN attribute MemberDN is read-only
   at Mms_Metaverse.MVExtensionObject.updateFGPPUsersInSQL(MVEntry& mventry, ConnectedMA& sqlFGPPUser) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 526
   at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in D:\FIM C# Code\FGPP100\FGPP100\MVExtension\MVExtension.cs:line 566

What am I doing wrong? :(


FIM 2010 R2 SP1. Problem with import custom attribute to FIM Portal.


Hello!

I created a custom user attribute  (webaddress) to FIM Portal.

In a metaverse have the custom user attribute.

In the attribute flow Sync Service have the custom attribute.

When I run export from metaverse to FIM Portal I get error: "failed-modification-via-web-services".  

Help please.


Alex


NotEquals function with IIF in FIM


Hi,

Can someone tell me if the NotEquals function is supported with IIF or not in FIM 2010 R2? I tried using NotEquals but ended up with the error "NotEquals is not recognized as a supported function". Is there any other alternative to check not equal?

Any kind of help is appreciated.

Thanks,

Veena
