Channel: Forum Microsoft Identity Manager

Unable to install MIM 2016 Service and Portal - SharePoint Claims Issue


Hi,

I have deployed SharePoint Foundation 2013 SP1, and am now trying to install MIM 2016 Service and Portal, and I get the following error:

"The FIM portal does not support being deployed on a SharePoint web application with claims-based authentication. Please make sure the SharePoint web application is configured with classic-mode authentication"

According to another Microsoft article: "claims-based authentication is the default (in SharePoint Foundation 2013) and preferred method of user authentication". So why is MIM not following Microsoft best practices?

It would be nice if the MIM documentation team would provide us with an answer in order to deploy and test their new product (or update MIM to work according to Microsoft best practices).

Unfortunately this article does not really say enough: https://technet.microsoft.com/en-us/library/jj863242.aspx?f=255&MSPPError=-2147217396

Look forward to hearing some feedback from the team.

Regards,

SK





SQL server 2012 AlwaysOn Availability Groups support with MIM 2016

As MIM 2016 is released, could you please advise whether SQL Server 2012 AlwaysOn Availability Groups are supported with MIM 2016?

FIM 2010 is not provisioning users in externet AD Environment


Dear Sir,

I am facing an issue in FIM 2010 while exporting users to another AD environment. Please tell me a feasible time for you so that I can communicate with you about it.

Regards,

Shakeel Shahid.

Microsoft Identity Manager 2016 is now GA!

Upgrade to MIM fails with UpgradeDatabase error



I'm following the upgrade instructions here https://technet.microsoft.com/en-us/library/mt219041.aspx on upgrading to MIM. The FIM build version is FIM 2010 R2 SP1 (4.1.3634.0).

The error captured in the MSIEXEC logs is below. I found one wiki reference to a 1772 error which related to the install account not having Farm admin rights in SharePoint. I checked that I have this right, and have also tried giving SQL db_owner on the FIMService DB to the FIM service account and the installer account, but no change.

Any ideas? Thanks,

Matthew


CustomAction UpgradeDatabase returned actual error code -2 (note this may not be 100% accurate if translation happened inside sandbox)
Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpgradeDatabase, location: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.IdentityManagement.DatabaseUpgrade.exe, command: /ConnectionString:"Data Source=FIM1;Initial Catalog=FIMService;Integrated Security=SSPI;Pooling=true;Connection Timeout=225" /FimServiceAccountName:"CORP\SVC_FIMService" /FimServiceDatabaseName:"FIMService" 
MSI (s) (7C:64) [10:30:05:896]: Product: Microsoft Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpgradeDatabase, location: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.IdentityManagement.DatabaseUpgrade.exe, command: /ConnectionString:"Data Source=FIM1;Initial Catalog=FIMService;Integrated Security=SSPI;Pooling=true;Connection Timeout=225" /FimServiceAccountName:"CORP\SVC_FIMService" /FimServiceDatabaseName:"FIMService" 

08/07/2015 10:30:05.896 [5500]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 384

08/07/2015 10:30:05.896 [5500]: Detailed info about C:\Windows\assembly\tmp\7MIPTGMU\Microsoft.ResourceManagement.WorkflowContract.dll

08/07/2015 10:30:05.896 [5500]: File attributes: 00000080

08/07/2015 10:30:05.932 [5500]: Restart Manager Info: 1 entries

08/07/2015 10:30:05.932 [5500]: App[0]: (5500) Windows Installer (msiserver), type = 3 

08/07/2015 10:30:05.932 [5500]: Security info:

08/07/2015 10:30:05.932 [5500]: Owner: S-1-5-18

08/07/2015 10:30:05.932 [5500]: Group: S-1-5-18

08/07/2015 10:30:05.932 [5500]: DACL information: 4 entries:

08/07/2015 10:30:05.932 [5500]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18

08/07/2015 10:30:05.932 [5500]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544

08/07/2015 10:30:05.932 [5500]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545

08/07/2015 10:30:05.932 [5500]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1


Installation of Microsoft Identity Manager 2016 fails every time


Hi Everyone,

I wanted to install Microsoft Identity Manager 2016, but during the installation I always have the following message:

Once I started installation with verbose logging, and I found the following rows:

Action 14:13:58: SetPolicyforServiceAccount. 
Action 14:13:58: SetPolicyforMonitoringServiceAccount. 
CustomAction SetPolicyforMonitoringServiceAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:13:58: InstallExecute. Return value 3.
Action 14:13:58: Rollback. Rolling back action:
Rollback: SetPolicyforMonitoringServiceAccount
Rollback: SetPolicyforServiceAccount
Action ended 14:13:58: INSTALL. Return value 3.

This happens only if I want to install the Privileged Access Management feature. If I deselect it, the installation finishes successfully and all features work perfectly.

Do you know what this SetPolicyforMonitoringServiceAccount method does during the installation?

Maybe it is important information that in my environment many very strict policies are configured and many options are disabled (I mean editing local permissions in the local GPO).

Thanks a lot!

BR

Gabor

Advanced Set Filter


Hello, 

I am trying to create a set with the filter starts-with('*'), where * is the literal character, but I get an error that the filter is not supported.

Any solution for that, thx

FIM Certificate Management -> MIM Certificate Management


Has anyone tried upgrading FIM CM to MIM CM, or is it even supported? I cannot find any guides or other articles for MIM CM other than a guide to using the (in my opinion useless) modern app.



MIM 2016 upgrade from Forefront Identity Manager 2010 R2


Hello,

I am upgrading my development environment to MIM 2016. The Synchronization service is on one server and the MIM Service and Portal are on a different server. I upgraded the Synchronization service. When I upgrade the MIM Service and Portal I get "The MIM synchronization server you have entered does not exist or is not running". I am guessing maybe some ports are not open. Which ports should I be looking for?

How else can I troubleshoot this error?

Thank you for any help,

Svetlana

Password protected

Hello, about a month ago I had to re-install Windows 8 on my laptop. Well, somehow I have now password protected it. How can I undo that? Just today I did the Windows 10 upgrade and I was hoping that would fix that problem, but it didn't. Thanks for any help, Stan (Bikrdad)

FIM MA Export taking very long time after schema changes


Hi Guys,

I am going through a very unusual scenario here. I added a new attribute in FIM Portal. Created a new attribute in the Metaverse. Defined an export attribute flow in the FIM Service Management Agent. Defined an import attribute flow in the Source MA. We have around 2 lakh records to be processed. FI and FS on the source MA together took approx. 9 hours. But export to the FIM MA is very, very slow. I can tell it's processing approx. 5 records every 30 secs. Is this normal??? I am wondering, since I have 2 lakh records to be exported, will it take 2 weeks to complete? Can someone help me out here? Is there any way we can have the records exported faster to FIM Portal?

Kindly help!!

Regards,


Veena

MIM2016 - Installing PAM server


I am trying to install the PAM server. I have followed this guide https://technet.microsoft.com/en-us/library/mt345588.aspx with a couple of differences in my environment.

I have already done steps 7a and 7b, but in step 7c I can't find any files under \the Privileged Access Management Portal\folder.

Also, when I try to access the addresses http://localhost:8086/ and http://localhost:8090/ I get HTTP errors.

This from the first one:

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.



Detailed Error Information:



Module
   WindowsAuthenticationModule

Notification
   AuthenticateRequest

Handler
   ExtensionlessUrlHandler-ISAPI-4.0_64bit

Error Code
   0x80070021

Config Error
   This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Config File
   \\?\C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API\web.config



Requested URL
   http://localhost:8086/

Physical Path
   C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API

Logon Method
   Not yet determined

Logon User
   Not yet determined




Config Source:
   36:       <authentication>
   37:         <windowsAuthentication enabled="true" useKernelMode="false"/>
   38:       </authentication>

And this from the second one:

HTTP Error 403.14 - Forbidden

The Web server is configured to not list the contents of this directory.



Most likely causes:
•A default document is not configured for the requested URL, and directory browsing is not enabled on the server.



Things you can try:
•If you do not want to enable directory browsing, ensure that a default document is configured and that the file exists.
•Enable directory browsing using IIS Manager.
1. Open IIS Manager.
2. In the Features view, double-click Directory Browsing.
3. On the Directory Browsing page, in the Actions pane, click Enable.

•Verify that the configuration/system.webServer/directoryBrowse@enabled attribute is set to true in the site or application configuration file.



Detailed Error Information:



Module
   DirectoryListingModule

Notification
   ExecuteRequestHandler

Handler
   StaticFile

Error Code
   0x00000000



Requested URL
   http://localhost:8090/

Physical Path
   C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal

Logon Method
   Anonymous

Logon User
   Anonymous

Provisioning AD LDS User behind BIG-IP (Load balancing)


Hi there,

I am facing a problem and need your help.

My topology is below:

AD ==> FIM == BIG-IP (Load balancing)==> AD LDS

- Connection from FIM to BIG-IP is encrypted with SSL (using port 636). And from FIM, I can retrieve AD LDS object information

- BIG-IP to AD LDS is not encrypted (using port 389).

I'm using Metaverse Rule to provision and sync user from AD to AD LDS. Import from AD to Metaverse works normally and see the provision will be run with MA Export to AD LDS

When I run Export User to AD LDS, the data is pushed into connector space successfully but cannot create user on AD LDS.

The error is “Illegal modify operation. Some aspect of the modification is not permitted.”

Hope anyone can help.

I did some Google searching and found this link: https://lainrobertson.wordpress.com/2011/03/03/ad-lds-ssl-woes/

But it does not look like exactly the issue I am facing.

FIM - SharePoint mappings


A couple of questions.

1) In SharePoint, system settings, alternate access mappings, I could read MANY internal URLs mapped to ONE public URL. What's that for? Also, if I have to change the public URL, do I have to reinstall SharePoint again? If not, where would I change it? The reason I am asking is that the FIM portal is accessed via fimportal.domain.local, as our AD domain name is domain.local. We would like to change the FIM portal access to fimportal.domain.edu when we renew the certs. What are the complications?

2) In my understanding, fimportal can be accessed only via domain joined machines and not outside firewall. Is that correct?

Thanks in advance.

Methodology: Generate a new attribute but only for new accounts


Hi there.
I hope this is just a simple question that I've simply not thought about correctly.

I'm planning to set up a PS MA that will create homedirs and update AD accounts with the correct path.
The homedir is new and nothing will be moved into it; only new users will use it. What sort of methods are best to have the new MA only work for new accounts?

Before, with other attributes, they have simply been imported first and then exported or generated if not present. I'm just a little unsure how to go about this with something as active and static as homedirs.
:) Jon.


Kerberos does not work from other server.


Hello!

I have FIM 2010 R2.

When I connect to the FIM Portal from the FIM server, all is OK.

When I connect to the FIM Portal from another server, I can't sign in to the FIM Portal.

Basic auth works correctly from the other server.

Help!


Alex

Using nothing but Scoped Sync Rules


Issue update object to AD


Hi there,

I am facing a problem that seems very strange.

I'm trying to sync users from a CSV file to AD, so I created 02 MAs:

1. MA connecting to CSV (MA-CSV)

2. MA connecting to AD (MA-AD)

After running "delta import and delta sync" on MA-CSV, it triggers Outbound sync and I can Export MA-AD to create the user in AD.

I change one attribute in the CSV file and run "delta import and delta sync" again. It also triggers Outbound Sync, and after that I run Export of MA-AD and I can see the update in the Connector space of MA-AD without any problems. However, it is so strange that the AD user is not updated!

But from the second update on, it works perfectly. So I always miss the first one.

I did try to change "delta import and delta sync" ==> "delta import and Full sync" and it is okay with the update the first time.

But I cannot find the root cause here. Can anyone explain this to me, please?

I believe that AD is working okay (nothing related to replication issue on AD because I just have one AD)

Thanks a lot.

FIM Sync Engine service issue

My Sync Engine services ran properly until I implemented code to update the Oracle DB through a SQL package.