Are you the publisher? Claim or contact us about this channel

Embed this content in your HTML


Report adult content:

click to rate:

Account: (login)

More Channels


Channel Catalog

Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite

older | 1 | .... | 125 | 126 | (Page 127) | 128 | 129 | .... | 204 | newer

    0 0

    Hi All, I have installed SharePoint Foundation 2013 on my Windows 2012 standard server, as a prerequisite to installing FIMs.

    Exchange 2013 was previously installed on this server and so some fiddling was required to alter the bindings in IIS after the SharePoint install. Fine moving on....

    The SharePoint installed MS SQL Server 2008 R2 and completed.

    When I attempt to install FIMs, and point it to the sharepoint instance, it complains that SQL Server Full-Text Search component is not installed.

    After several attempts using various methods install, I am unable to figure out how to get that SQL component installed.

    Even if I copy over the SQL Server 2008 installation files locally and run setup, the component is not available for install.

    Tried also running SharePoint.exe again however the option to add that component was not available.

    What am I missing?

    Thanks very much


    0 0

    We have FIM 2010 R2 SSPR quickstart deployed. However, there has been some customizations on top of what was installed.

    There is KB3054847 pending from MS update. Is it safe to install this one? Are there any known issues?


    0 0

    I have general question regarding supported browsers in FIM CM 2010.

    The FIM CM 2010 instilled on Server 2008 enterprise, i would like to know if FIM CM 2010 support internet explorer IE11?

    and if i need to install HF for supported IE11 on FIM CM 2010.

    Thanks !!!


    0 0

    Just installed the FIM portal, I am able to access the portal and use it locally without issue, if I access from a remote server I can view the front page fine but if I click users then click search I get:

    Unable to process your request.  
       Please contact your help desk or system administrator. 

    If I access remotely, click administration, schema, bindings, all that loads fine. When I click to view page two of bindings I get the same error. Seems certain actions are causing an error but I have no idea where I begin to debug such a thing.

    Portal currently only has my user account and the built-in sync, I've not set-up a FIM portal MA yet. Portal, service and sspr portals are on server 1, the sync server and sql are on server 2. 

    Any suggestions would be great. Thanks.

    0 0
  • 07/29/15--02:46: Import-FIMConfig Exception
  • Hi Folks,

    I am trying to import a single Workflow from Dev to UAT env. Below is the code snippet I used to export the WF into a xml file.

    $WorkflowsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/WorkflowDefinition[DisplayName='ABC']"     

    $WorkflowsInFIM | ConvertFrom-FIMResource -file E:\WorkSpaces\MyFolder\Sample.xml

    Now when I try importing it, using the CommitChanges.ps1(From the TechNet blog), I get the below exception

    Import-FIMConfig : The input object cannot be bound to any parameters for the command either because the 
    command does not take pipeline input or the input and its properties do not match any of the parameters that 
    take pipeline input.
    At line:15 char:29
    + $undoneImports = $imports | Import-FIMConfig
    +                             ~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (Microsoft.Resou...el.ExportObject:PSObject) [Import-FIMConfig], 
        + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ResourceManagement.Automation.ImportConfig

    Can someone guide me here. Also is this the correct way to export and import a single Workflow from one env. to another or is there any other approach. Please guide.

    Thanks in Advance.


    0 0


    We have one requirement to integrate/move  users/groups from  multi-forest, multi-domain AD environment to Azure Active directory and manage the password of users. I knew that FIM provides the AAD connector to move the user/groups object  to AAD. Request you please suggest me for the below.

    1. Where we need to deployee FIM - On premise or on cloud? 

    2. Whats are the others main things we need to consider  for solution.

    3 What about the FIM SSPR. Does it support the password reset on AAD.

    4. is there any document for it?




    0 0


    I am trying to configure the web service configuration tool to connect do Cisco CUCM AXL, but the web service address cannot find Web service discovery information in the address of the server.

    Dont know if it is the best way to do the SOAP integration  with FIM.


    0 0
  • 07/30/15--01:22: Lotus notes management agent
  • Hello, 

    I would use the MS lotus notes management agent, and I have a question about Certifier. 

    Is it possible to use many certifier file for the management agent, or should I have a management agent per certifier organization ? 

    Thanks for help 


    0 0

    Hi All,

    I am testing GAL sync between 3 forests. With 2 forests, everything is fine. When I try to add the third GAL sync management agent, Synchronization Service Manager fails to connect to the forest and shows error alert with number 80230904.

    I suspect the reason of failure is in the new forest which FIM tries to connect. What does this error number mean? Besides showing this number, nothing is recorded in logs. I am failing to find any info on this error.

    FIM 2012 R2 SP1 version: 4.1.3646.0, works on Windows 2008 R2 machine, the first and second forests are of level 2012 R2, and the third new one (failing) is of level 2008 R2.


    0 0
  • 07/30/15--07:01: Custom Workflow not running
  • I am following these two articles to create a workflow that will create Accoutname for a user using firstname and lastname when user is created in FIM portal. and

    I was able to successfully build the solution and created the workflow in FIM attached to an MPR-> administration:administrator and read and update users.

    When i create a user . two requests are generated.

    One is post processing error . Details are 

    <RequestStatusDetail xmlns:xsi="" xmlns:xsd="" 

    DetailLevel="Information" EntryTime="2015-07-

    30T13:01:04.7015693Z">Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule
       at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, 

    Boolean applyAuthorizationPolicy)
       at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem 

       at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem 


    However user is created. and then another request is generated to update account name by the user itself not administrator

    For second request , Denied.

    Stack Trace is as following

    Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied:<ai><Name>AccountName</Name></ai>
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
       at System.Data.SqlClient.SqlDataReader.get_MetaData()
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader()
       at Microsoft.ResourceManagement.Data.DataAccess.EvaluateRequest(RequestType request, RequestEvaluationOptions options)
       --- End of inner exception stack trace ---

    any help is appreciated.


    0 0
  • 07/30/15--19:39: MIM or AAD Connect?
  • Hi everyone,

    We have a scenario where I'm having trouble nailing a high level design so wanted to post here, see if I can get some answers and also share.


    - only working with identities from Microsoft AD and Azure AD

    - Account self service features and other identity sources are of low importance 

    - New'ish Resource Forest

    - Several user forests from which users will most likely be migrated to the resource forest at some future date (typical merger scenario)

    - Requirement for shadow accounts in resource domain for Lync and possibly Exchange at a later date

    - 2 new Azure tenants (geographical/political reasons), probably two more at a later date

    - User UPN's dont match email address and not viable at this time to change the UPN within AD

    - Requirement to do Password hash to Azure

    Originally we were envisaging FIM in the resource domain to bring the identities together and create the shadow accounts.

    We would also use inbound rules to transform the email address to UPN.

    Then use 2 x AADSync installs to sync users to the tenants (UPN to tenant 1 and UPN to tenant 2). 

    I have learnt that FIM doesn't do password hash to Azure, a must have for us, so initially I was thinking I'd have to wait for MIM but am now asking myself if I actually need MIM for this scenario.

    Can AAD Connect do what I want ... transform email to UPN, password hash to Azure and create shadow accounts in the resource domain?



    0 0


      FIM Community Information Center Article




      Go to the FIM Community Information Center



    0 0


     I'm using FIM 2010 R2 (4.1.3419.0) and Exchange 2010, I've recently hit an issue whereby the AD MA stops running due to "Stopped-entry-export-error". My environment was working fine, AD accounts and Exchange mailboxes were being provisioned OK (confirmed working for the past 6 months). I've only come upon this error since we installed around 25 Windows updates on our DC, Exchange server and FIM synchronization server.

     There is no associated error in the Synchronization service Application for the user object(s) which cause an error (as you'll see it's blank in the picture). AD MA delta imports and syncs work fine, but exports always fail with different user accounts (so I don't think it's an issue with the accounts being synced). Looking at the Windows logs shows errors as below:

    Application log (typical error for a user):

    There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=jp um 
    receptionist,OU=staff,OU=Accounts,DC=contoso,DC=local. Type: Microsoft.MetadirectoryServices.ExtensionException Message: **** ERROR **** Property 
    expression "jp um receptionist" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 
    9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated from such an alias. Property Name: Alias **** END ERROR **** Stack Trace: at  Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String new DN, String failedDeltaEntryXml, String errorMessage)

    Application Service Log (Forefront Identity Manager) - Error (happens every 30 minutes, this has been happening for 2 weeks, since the updates were installed):

    Microsoft.ResourceManagement.Service: System.InvalidOperationException: Operation is not valid due to the current state of the object.
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0 (Boolean findUnreadItems) at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object 

    Here's the relevant section from my Microsoft.ResourceManagement.Service.exe.config file

    < add key="mailServer" value="" />
    <add key="isExchange" value="1" />
    <add key="SendAsAddress" value="" />
    <add key="synchronizationServerName" value="SvrFIM01" />

    If I browse to I'm PROMPTED for Windows logon credentials (the EWS virtual is configured for anonymous and windows authentication).Upon entering the FIM service account details, the appropriate xml page appears (no certificate warnings or errors are generated). I can logon the FIM service mailbox and send emails.

    The error may be down to a PowerShell problem, as I couldn't initiate a remote PowerShell session from my FIM service account to the Exchange server using:

    $session=new-pssession -configurationName Microsoft.Exchange -connectionuri

    To get around this, I've added the fim service account to Organization management (it was already a recipient management user) and added it the local administrators group on the FIM server, I then restart the fim synchronization and fim service. The remote Power Shell connection works fine, but the AD MA export still does not.

    There are some warnings in the Application logs about not being able to connect to the Exchange web services, however I think these are red herrings as they've been going on for over a year (during which time FIM has been working fine)

    I would appreciate some help in resolving this as it's currently got me stumped.The only thing I can try is removing the security patches and giving the fim service account administrative and exchange organization management permissions on the server and rebooting all boxes.

    Thanks in advance

    0 0


    i'm trying to automate group creation in FIM by using a powershell script.

    as i found this page on technet i'm trying to use already build functions from there but for some reasons things are not working as i was expecting to.

    "ResolveObject" is the functions that doesn't seems to work, or i'm totally wrong about what it suppose to do.

    i was expecting that this function should identify an object in FIM in order to use its ObjectID (for example on group creation - to identofy group owner object) - eider it doesn't suppose to do this or it has some mistake in it.

    Can anyone please help me understand or fix this function,

    function ResolveObject
        PARAM([string] $ObjectType, [string]$AttributeName, [string]$AttributeValue)
            $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
            $importObject.TargetObjectIdentifier = $TargetIdentifier
            $importObject.ObjectType = $ObjectType
            $importObject.State = 3 # Resolve
            $importObject.SourceObjectIdentifier = [System.String]::Format("urn:uuid:{0}", [System.Guid]::NewGuid().ToString())
            $importObject.AnchorPairs = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.JoinPair
            $importObject.AnchorPairs[0].AttributeName = $AttributeName
            $importObject.AnchorPairs[0].AttributeValue = $AttributeValue

    0 0


    I have 3 MA :

    • FIM
    • AD
    • Application #1

    Im trying to add Application's #1 group membership to FIM thru a delimited text file. Basicly, the file look like : 

    User / Group

    user1 group3
    user1 group2
    user1 group6
    user2 group4
    user2 group5
    user3 group7

    My understanding is that the user's need be referenced object to be add has group members. Referenced object need to be in the same connector space has my Application #1 connector but I can't because users are from AD

    • Users are from the AD. They have the same account name in the application. 
    • Group need to be imported from Application #1 delimited textfile

    Im trying to figure out a way to link all my applications access to a user. How would you do this ?


    0 0

    Hi all,

    I have an issue with the Oracle Database Management Agent, when i run a Full Import not detect deleted objects in the data source. When i search in the connector space the objects exists and are marked like connectors. 

    The management agent connect to an oracle view. 

    Someone has had the same error? any idea about the error?


    MCP-ASP.NET With C#, MCTS SQLServer 2005 I&M

    0 0

    I am using Forefront Identity Manager 2010 R2.  We have installed the Microsoft SharePoint Profile Store connector and have setup up attribute flow to my SharePoint Server.  We have disconnected and disabled the Native FIM Sharepoint Profile Connector that is deployed by SharePoint (This is my SharePoint DEV environment).

    I followed this Documentation:

    I used input from:

    I am pushing all the standard attributes such with no Custom Attributes on the SharePoint side.

    Data flow is one direction from my FIM Installation to Sharepoint. We do not have any flows from SharePoint to FIM.

    I have exported several thousand user objects to SharePoint with Success, photographs included.  User profiles are working and successful.

    After a few days of letting the synchronization bake, I am finding that Updates to user objects are failing on Export to SharePoint with the following error (taken from the MA error message):

    Export retry FAILED for Entry[ObjectType: user, Anchor: DOMAIN_USER1234__fa631765-12b1-4da1-879-2dcfd6a7afae]..
     Error: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> Value cannot be null.
    Parameter name: strAccountName
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.IdentityManagement.Connector.Sharepoint.SharePointProfileImportExportService.ProfileImportExportService.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData)
       at Microsoft.IdentityManagement.Connector.Sharepoint.SharepointServiceProvider.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData)
       at Microsoft.IdentityManagement.Connector.Sharepoint.SharepointConnector.PutExportEntries(IList`1 csEntries)

    I have verified that the AccountName is not blank as this error suggests.

    The XML of the update request (As pulled from a network trace):

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">
            <UpdateWithProfileChangeData xmlns="">
                        <ProfileIdentifier />
                                    <anyType xsi:type="xsd:string">Smith</anyType>
                                    <anyType xsi:type="xsd:string"></anyType>

    The SharePoint server response:

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">
                <faultstring>Server was unable to process request. ---&gt; Value cannot be null.

    Parameter name: strAccountName</faultstring>
                <detail />

    I can delete the profile in SharePoint and after a full sync the profile will be there with the updated data.

    Any thoughts on why SharePoint would be rejecting this update.

    0 0

    Hello cloud of wisdom :-)

    I was wondering if, using FIM 2010 R2 portal, this is possible:

    1) Modifying the "User view" where the users can see and modify their attributes to limit what attributes they see and what attributes they are able to modify 


    2) If that view code can be modified to include information from other data sources, like information coming from an application that stores some assets information in SQL.

    I have been playing around he customization document and settings for the FIM portal but I could not find this.

    Thanks in advance! Your Spanish site about XNA !

    0 0

    Hi All and thanks for any advice

    We are migrating from Novell IDM and have struck a issue with MS FIM 2010

    we have Teachers and Students with Classes stored in multi-valued attributes,

    The list changes as subjects and classes get added, changed and deleted, we would like FIM to create the classes as security groups in Active Directory and assign members,

    NOTE: the key point is we are trying to avoid creating a rule for every security group, the goal would be to have FIM create the groups that are in the users attribute and assigning/removing members with changes,

    example data in FIM

    user1 - classcosed = 11MTA01, 11ENG03, 11DES02

    user2 - classcosed = 11MTA02, 11ENG03, 11DES02

    user3 - classcosed = 9MTA01, 9ENG03, 9DES02

    user4 - classcosed = 9MTA02, 9ENG03, 9DES02

    Desired Security Groups Result in Active Directory

    11MTA01 = user1

    11MTA02 = user2

    11ENG03 = user1,user2

    11DES02 = user1,user2

    9MTA01 = user3

    9MTA02 = user4

    9ENG03 = user3, user4

    9DES02 = user3, user4

    again thank-you in advance for any ideas


    0 0

    Dear All,

    I have created FIM 2010 environment for synchronizatoin between two different AD forest and i have done all the configuration which is necessary for it but still users are not provisioning in external AD.

    If anyone have got step by step document then please share with me and please help me to check all the steps to do this.

    Please see the below mentioned steps in which i have done all the steps and if i skipped anything so please let me know.

    1- FIM Active Directory Service Agent.

    2- FIM MA agent.

    3- Synchronization Rules.

    4- Management Policy Rules

    5 - Work FLows

    - FIM ADMA Full Import and Full Sync is working fine

    - FIMMA Full Import is working fine

    - FIMMA Export is not sending the data to the external AD metaverse.


    Shakeel Shahid

older | 1 | .... | 125 | 126 | (Page 127) | 128 | 129 | .... | 204 | newer