Channel: Forum Microsoft Identity Manager

SharePoint User Profile Sync join attribute?


Hi,

When setting up SharePoint User Profile Sync, the default Join attribute is:

User profile property: SPS-DistinguishedName

AD DS attribute: dn

Can we change this using the MIISClient to something like "employeeID" or "samaccountname"?

Or will SharePoint override our settings and revert it to the original Join criteria?

Thanks,

SK



How to add license for FIM 2010 R2


Hi all,

I wonder how we can add a license for FIM 2010 R2. I do not see where we can add the license in the FIM Synchronization Service (I only need the FIM Sync service component).

Many thanks.

Action Workflow Terminated with Permission Denied Exception


Hi Guys,

Everything was working fine until yesterday. I am constantly getting a post-processing error while I am trying to update an attribute for a group in the portal. When I looked into the Advanced properties of the request, I realized that there is an action workflow that is getting terminated. The reason it gives is as below:

EXCEPTION DATA\r\n\r\nMESSAGE: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)\r\n\r\n**METHOD:Void ProcessRequestResponse(System.Object, System.Workflow.ComponentModel.QueueEventArgs)\r\n\r\n**METHOD:Boolean Run(System.Workflow.ComponentModel.IWorkflowCoreRuntime)\r\n\r\n**METHOD:Void Run()\r\n\r\n

Most of the time it gives this error, and at times, by luck, the same update activity gets completed without any error. Unable to understand this weird situation.

There have been no changes made to the MPR or the Workflow. I am unable to figure out what permission this error is referring to. The MPR/Workflow which is throwing this error is a request-based MPR to update a particular attribute whenever a group is updated. Requestors has a set and I am a part of that set.

Also noted that the account that is used for updating the particular attribute whenever the group is updated is mentioned as "Service Account" from the drop down. Which account does this refer to? Is this the account with which FIM Service is running, or is it the account configured in the FIM Management agent? I suspect this account is missing some permission.

I have been struggling since yesterday. Please help me if anyone has gone through the same issue and has a suggestion/solution to try.

Regards,


Veena


FIM Portal not working after accidentally deleting rows from fim.UserSecurityIdentifiers in test environment


Hello,

In my test environment, while executing a query, I accidentally deleted rows in the FIM.UserSecurityIdentifiers table. After this, FIM Portal stopped working. Other than restoring the FIMService DB with an earlier backup, is there any other solution to get the Portal working?

FIM to MIM upgrade/Migrate


Hi All,

If someone wants to move from FIM to MIM.

What is the process? 

Is there any official article from MS?

  1. Timelines: Moving somebody from FIM to MIM
  2. Client dependencies
  3. How long will this transition take
  4. Other facts if required

Please let me know. Thanks in Advance.


If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu

FIM Sync Engine Connecting to AD Forest over 636


Hi All,

I'm new to FIM and Active Directory/PKI in general.

I'm doing a project where my FIM 2010 R2 Sync Engine server is joined to a Forest called Prod.NET

But I'm creating 2x management agents to import AD data from the following forests.

Prod.NET

Dev.NET

There is no trust relationship set between the two forests. However, there is also no firewall between FIM and the domain controllers of these forests. My requirement is to select this option:

When I click on NEXT, I'm presented with this error:

I only get this error for DEV.NET. When I do this for Prod.NET, it works fine.

What is required so I can get the DEV.NET management agent working for the SSL option?


How to export MV reference object to string in sql table


When I try to create a rules extension, it errors out saying "MV reference attributes cannot be defined as source attributes". How to solve this?

I am trying to export User data out of MV to an external sql table. One of the attributes is department.

reference in MV to string in SQL. Thanks!

FIM Service SQL Exception - Procedure UpdateResource


Hi,

We are getting the following exception when multiple workflows are trying to modify the same single-valued attribute on the same object.

System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure UpdateResource, Line 575, Message: Cannot insert duplicate key row in object 'fim.ObjectValueString' with unique index 'IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued'. The duplicate key value is (179755, 32507, 127).

Is there any workaround available to resolve this issue? Appreciate your help. Thanks!


Help Desk has been delegated rights to reset password, but receiving error message Access denied.


All,

I really need your help. In our environment a strange thing is happening. Help Desk has been delegated rights to reset all users' passwords at the Domain level, and the Domain > Properties > Security > Advanced section shows that Help Desk has reset password capability. The Inheritance column shows not inherited. The strange thing is that when I re-delegate, it works, and then it does not work after some time. How do I check which GPO is turning this capability off? I will really appreciate your help.

thanks,

Riba

How to exclude explicit members defined in a Set during policy export using PowerShell


Hi Folks,

I am trying to migrate delta Policy changes from Dev environment to UAT. I exported the policy config from both the environments and during the compare using SyncPolicy.ps1, encountered an error

Join-FIMConfig : Unable to find anchor attribute 'MailNickname' for object type 'Person' with identifier

urn:uuid:cc29dc1f-93a9-4674-8f21-c5884a3b3245.

When I checked for the uid in Dev, and also checked the Policy file exported from the Dev env, I found that this user is part of a Set where it's added as a member explicitly. This is obviously going to give me problems.

Can someone please help me as to how I can exclude Person objects being exported to Policy file so that during compare I will not get an error.

Regards,


Veena

Projecting AD accounts from a specific OU


Is there a way to project manually created AD accounts, in a specific OU, into the Metaverse?

Thank you,
Mike

Customize Group Views - Remove Manual add and remove memberships and New and Delete


Hello All,

I have been working for a couple of days on trying to modify the Security Group UI available to Non-Administrators.

I would like them to be able to leave the Join and Leave Buttons but not see the add member and remove member, New and Delete at the all Security Groups Page. I have tried modifying it by removing setting the Set of group administrators to only administrators.

I also need to hide from non-administrator users the Manually Add and remove members.


Russell Lema

empty metaverse object: cd-existing-object error when exporting a group


Hi all,

I'm having some trouble with my AD connector. I'm trying to add a user to a group:

The user was added in the connector space, and the object has a pending export status. The issue is that when I do the export, it throws the cd-existing-object error.

When I was investigating the issue, I found the following elements:

  • the user in question is present in AD, but is not part of the group
  • the group's metaverse object is empty: it doesn't have any attributes
  • the group doesn't appear in a metaverse search (maybe related to the above obs)

After a day trying to solve the issue (with syncs, imports, exports, ...), I'm running out of ideas :(

Maybe someone can help me out?

Thanks in advance for your help,

Marc

SQL server 2012 AlwaysOn Availability Groups support with FIM 2010 R2 Sp1

Could anyone advise whether SQL Server 2012 AlwaysOn Availability Groups are supported with FIM 2010 R2 SP1?

Accounts disabled when flowing 512 to useraccountcontrol


Hello,

I have MPRs and sync rules in FIM to disable AD accounts for users who are inactive in ERP and to enable them when they are active. To enable them I flow 512 to useraccountcontrol. Today I turned FIM on for the first time against my production AD and, when it was time, ran an export to AD. It did what I expected; active users got the "enable active users" ERE and 512 flowed out to AD, but LOTS (not all) of my AD accounts got disabled. My own normal account was locked out, so I logged in with my admin account and checked out my non-privileged account. Sure enough it had 512 in the uac value. I've worked in directories a long time, including ten years at Microsoft, and I can't understand what happened. Can anyone explain why flowing 512 disabled the account? A small clue maybe: the accounts were set to 544 previously. Maybe moving from 544 to 512 doesn't work?

Thanks,

Lee


Trust requirement for user provisioning from one forest to another forest

Please advise whether any kind of trust is required for user provisioning from one forest to another one. If not, how does the AD management agent identify and connect to the target forest domain controller? What information has to be filled in the Forest and Domain fields in the AD management agent connectivity tab? Do the credentials given in the target AD management agent authenticate to the target forest domain controller without trust?

Sync Password OpenLdap to FIM


Hi All,

Is it possible to synchronize passwords between OpenLdap and FIM? I don't want to change the password via the Portal, but copy from OpenLdap to FIM and vice versa.

For example, a user changes the password in Linux or in Windows, and the passwords are copied to all bases.

regards.

Workflow being terminated with error "Cannot insert duplicate key row in object 'fim.ObjectValueString'"


Hi Folks,

We keep running into the error below when we are trying to bulk update an attribute in FIM Portal via PowerShell. This also occurs when the attribute is being updated for bulk user records with values flowing from Synchronization Service Manager.

EXCEPTION DATA\r\n\r\nMESSAGE: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure UpdateResource, Line 575, Message:Cannot insert duplicate key row in object 'fim.ObjectValueString' with unique index 'IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued'. The duplicate key value is (12337, 32507, 127).
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)\r\n\r\n**METHOD:Void ProcessRequestResponse(System.Object, System.Workflow.ComponentModel.QueueEventArgs)\r\n\r\n**METHOD:Boolean Run(System.Workflow.ComponentModel.IWorkflowCoreRuntime)\r\n\r\n**METHOD:Void Run()\r\n\r\n
------------------------------------------------------------

We have version 4.1.3496.0 of the portal.

Has someone come across the same error and have any solution for this?

Thanks,


Veena

Sync FIM with AD


Hi All,

We have to sync the FIM database with Active Directory (a particular OU only).

We are using FIM only for Password Management Portal services. Currently FIM was synced with AD almost one year back.

We have two Management Agents, FIMMA and ADMA.

Do I have to run only the profiles below so that FIM will sync all current users in the AD OU?

FIMMA - Full Import

FIMMA - Full Synchronization

FIMMA - Export

FIMMA - Delta Import

Please, I need your suggestions...



FIM portal not opening


Greetings,

I installed FIM successfully and the portal was visible with no problem. Due to an error I changed some of the identities in IIS 7.5 to a domain user account, and after that neither SharePoint nor any other website was visible.

I changed all the application pool identities to 'network service' and SharePoint got fixed, but I still can't browse http://fim/identitymanagement and it shows a 'The webpage cannot be found' error.

What can be the problem?

