Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

What is the best way to implement a delay between Export and Delta Import run steps for the FIM MA?


In the case where an Export modifies user attributes that cause an MPR/workflow to run, more often than not the Delta Import step is running before all workflows complete. This workflow could very well be setting attribute values on the user which are then flowed to the Metaverse.

OK, plug in another run profile step called "Sleep" or something similar. No can do: we can only choose predefined steps from a drop-down list! So... this must be an issue for all users of FIM who automate the FIM MA cycle.

Is it possible to modify the FIM MA to build our own custom Run Profile step called Sleep?

If not, it seems I must fake a run step called WaitforWF in the de facto PowerShell runMA script, based on: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/c7e204be-05b4-40e1-bf95-e0191a76ece3

Which is simplest?

Also, what length of delay is typically necessary: 60 seconds or 600 seconds?
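One way to fake the WaitforWF step between the two run profiles, as an added example that is not from the original post or the linked thread: it runs the FIM MA profiles through the MIIS WMI provider and polls the FIM Service for requests still in flight before starting the Delta Import. It assumes the FIMAutomation snap-in is installed on the sync server, that the MA is named "FIM MA", and that the polled request statuses are the ones meaning a workflow has not finished yet.

```powershell
# Added example; not the original post's script or a Microsoft-supplied one.
# Assumptions: FIMAutomation snap-in available, MA named "FIM MA", and
# "in flight" = a Request still in Validating/Authenticating/Authorizing/PostProcessing.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    # The sync engine exposes MAs via WMI; Execute() blocks until the run finishes.
    $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                        -Class 'MIIS_ManagementAgent' -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    $result = $ma.Execute($ProfileName)
    Write-Host ("{0} / {1}: {2}" -f $MaName, $ProfileName, $result.ReturnValue)
    return $result.ReturnValue
}

function Wait-ForWorkflows {
    param([int]$PollSeconds = 15, [int]$TimeoutSeconds = 600)
    # XPath for requests whose workflows are still running (assumed status set).
    $filter = "/Request[RequestStatus='Validating' or RequestStatus='Authenticating' " +
              "or RequestStatus='Authorizing' or RequestStatus='PostProcessing']"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Measure-Object gives 0 when the query returns nothing.
        $pending = (Export-FIMConfig -CustomConfig $filter -OnlyBaseResources |
                    Measure-Object).Count
        if ($pending -eq 0) { return $true }
        Write-Host "$pending request(s) still in flight; waiting $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out after $TimeoutSeconds s with $pending request(s) pending"
    return $false
}

# The cycle from the post, with the fake WaitforWF step between Export and Delta Import.
Invoke-RunProfile -MaName 'FIM MA' -ProfileName 'Export' | Out-Null
if (Wait-ForWorkflows) {
    Invoke-RunProfile -MaName 'FIM MA' -ProfileName 'Delta Import' | Out-Null
}
```

Polling on request status rather than sleeping a fixed interval means the script only waits as long as the workflows actually take, and the timeout makes a stuck request visible instead of silently running the Delta Import early.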


RBAC - Automatic Group Membership based on user attributes

Hi,

I am new to this but want to ask if automatic group membership based on users' AD attributes, mainly Department, Job Title etc., is possible?

1. We provision users from SAP via FIM to AD. Users remain disabled until the Service Desk activates their AD accounts and then puts them into AD groups based on their role and requested access to different resources as part of the user onboarding process.

2. These users then appear in the FIM portal, where we have SSPR set up. Disabled users are removed from the portal.

3. We now want to start syncing groups from AD to the FIM portal.

4. The required user attributes will also need to be enabled to come across from AD to the FIM Portal.

Theoretically I believe this is what needs to be done, but I am not sure if it is correct or how to do it.

5. We do the necessary configuration in MPRs/Sets/Workflows to define the automation, where FIM picks the necessary user attributes and then puts the users into the selected groups based on their unique attribute combination, also defined earlier as part of the configuration.

6. There will be multiple mappings for roles to groups, and when changes happen in AD, then group membership should change automatically.

I am not sure if this is feasible in the FIM portal or if there is another, more elegant way to do this.

But I definitely want to avoid the code route at the start of the user provisioning process, as this will become part of the automated user onboarding process.

Thanks,

MS

PCNS service not starting


Hi everyone,

I am trying to configure PCNS in order to synchronize passwords from Active Directory to an LDAP directory.

Every time I add a target, the PCNS service crashes (it starts and stops immediately afterwards). As soon as the target is deleted, the service works again.

In the event viewer, there is only the following information:

Faulting application name: pcnssvc.exe, version: 4.3.1935.0, time stamp: 0x50ad5a0d
Faulting module name: pcnssvc.exe, version: 4.3.1935.0, time stamp: 0x50ad5a0d
Exception code: 0xc0000005
Fault offset: 0x0000000000027880
Faulting process id: 0x1af4
Faulting application start time: 0x01d0f50ec3aa1c95
Faulting application path: C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe
Faulting module path: C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe
Report Id: 028a4c56-6102-11e5-80d3-3ca82a2117f7
Faulting package full name: 
Faulting package-relative application ID: 

I have the following setup:

- 3 DCs with Windows Server 2012 R2 (AD at 2008 R2 functional level)
- MIM and PCNS use the same version: 4.3.1935
- The SPN is configured with the following command: setspn -A PCNSCLNT/FIM.myDomain.com myDomain\FIMSyncAccount
- PCNS is configured with this command: pcnscfg.exe addtarget /N:MIMserver /A:FIM.myDomain.com /S:PCNSCLNT/FIM.myDomain.com /FI:"Domain Users" /f:3

Do you have any suggestions?

Thank you for your help

Harry

Do not install FIM portal + Sync accounts between two AD.


Hi all,

I never used FIM before, and it's a little hard to understand all product features, but I have two questions.

1) Can I use only 'FIM Sync Manager' (without installing the FIM SharePoint portal) to sync accounts between two domains?

2) It's a little bit unclear to me how I can create/export accounts from AD1 to AD2. I tried using FIM Sync Manager and I can sync accounts from both servers to the metaverse, but I can't work out what I should do to export accounts from the metaverse to Active Directory. I guess this process is called 'provisioning accounts', but I'm not sure if I understand correctly.

I'm pretty sure these are simple questions, but they're confusing me a lot.

Thank you.


License FIM synchronization


Hi,

I need clarification pertaining to FIM Licensing.

A long time back, we were using the free Identity Integration Feature Pack (IIFP) tool to facilitate GAL Sync and we only procured a Windows Server license. However, for FIM/MIM, do I need to buy a FIM/MIM license if the production deployment configuration is mainly to do GAL Sync between two AD forests?

To my understanding, as per the TechNet article http://social.technet.microsoft.com/wiki/contents/articles/2487.how-to-license-fim-2010-and-mim-2016.aspx, if the deployment of the FIM/MIM server in production only enables the FIM GAL synchronization solution (specifically the AD Management Agent and GAL Management Agent used for sync) to synchronize users, groups, and contacts from one forest with contact objects to another forest, the licensing required is only a Windows Server license, and user CALs are not required in this scenario.

Please advise.

Thanks

MMuhammimi

Update a value used by join logic --> how to automatically update joins ?


Hi everyone,

I'm facing a problem that I've never encountered before.
As explained here: http://blogs.msdn.com/b/connector_space/archive/2015/03/23/changing-a-value-used-by-join-logic.aspx (I'm already the one who commented at the end of the article to ask for help/advice), when an attribute used by join logic is updated, FIM does not re-evaluate the previous joins that have been made.
Is there a way to make FIM detect that the attribute has been updated, remove the old join and make a new one with the fresh updated value?

Everything needs to be automatic; don't tell me to make the object a disconnector and re-sync the agent. The objective is to make this fully automatic.
I've been trying to do this since this morning and I'm going to run out of ideas soon.

Any help appreciated.
Thx everyone.
Itch

ECMA 2.2 - CSentry["Attribute"].Value


Hi

quick question!
What's the ECMA 2.2 equivalent of csentry["Attributename"].Value?

Trying to convert an XMA Management Agent to ECMA 2.2, but having trouble reading attributes that are not in the AttributeChanges.

Need to generate a URL with the employee ID field and the email field (changed).

employeeID is not the anchor, so I don't think I can use the anchor attribute.

In XMA I just did this:

URL = exporturl + "/user/" + csentry["emploeeID"].Value + "/email/" + csentry["Mail"].Value;

In ECMA2 I can't seem to access the employeeID field:

URL = exporturl + ??????? + "/email/" + csentry.AttributeChanges["email"].ValueChanges[0].Value.ToString();


Workflow Activity Library - Creat group object failed


Hi all,

I would like to use the Workflow Activity Library from Soren to create group objects from a custom FIM object.

I've successfully installed the workflow activity and created the following workflow in order to create group objects using the workflow. My source object in FIM is a custom object named Location.

Initial values:

DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City],displayName
All employees Location [//Target/CompanyCode][//Target/LocationCode]-[//Target/City],description
DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City]@domain.com,Email
DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City],MailNickname
GLOBAL,domain
true,MembershipLocked
None,MembershipAddWorkflow
Global,Scope
Distribution,Type

Existence lookup filter:

/Group[DisplayName = 'DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City]']

New object type:

Group

As soon as I trigger the workflow I get the following warning in the event log.

Microsoft.ResourceManagement.WorkflowDataExchangeException: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ResourceTypeViolatesSchema
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateObjectAttributes[T](RequestType request, Guid objectIdentifier, String objectTypeName, IEnumerable`1 parameters, OperationType operationType)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateInputRequestCreate(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessCreateWorkItem(CreateRequestWorkItem createWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)
   at Microsoft.ResourceManagement.Workflow.Activities.CreateResourceActivity.ProcessRequestResponse(Object sender, QueueEventArgs e)
   at System.Workflow.ComponentModel.ActivityExecutorDelegateInfo`1.ActivityExecutorDelegateOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()

Any idea what I'm missing? My request to create the group is in the status "Denied".

If I look at the "detailed content" tab of the denied request I can see that all values are calculated correctly.

 Thanks
Chris


How to Synchronizing AD groups and Group memberships from SQL tables in MIM 2016.


I'm working on a MIM 2016 project for the 1st time. So far I have managed to get user provisioning/deprovisioning from the SQL MA into the FIM Portal -> AD & Exchange.

Now I need to import/sync groups and membership from a combination of SQL tables into the FIM Portal and then into AD.

In SQL I have 2 tables, structured as follows:

Table Groups

[groupID] [varchar](21) NOT NULL,
[groupDescription] [varchar](254) NULL,
[groupManager] [varchar](254) NULL,
[type] [varchar](254) NULL,
[groupType] [varchar](254) NULL,

Table Groups_Members

[employeeID] [varchar](254) NOT NULL,
[groupID] [varchar](21) NOT NULL

Thanks in advance

PowerShell MA: problems exporting


I'm really hoping to be able to use Soren Granfeldt's PowerShell MA to do some new integrations with FIM, but am having some difficulties. My latest problem is that I get an ma.extension error, which dumps the following stack trace in the Application event log:

 "System.NullReferenceException: Object reference not set to an instance of an object.
   at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2CallExport.PutExportEntries(IList`1 csentries)
Forefront Identity Manager 4.1.3613.0"

The only thing it's trying to export right now is a change of e-mail address on a user it's done a join for (I've only got my sync rule applied to one person at the moment), so I wouldn't think it would be a provisioning problem?  I've commented out the majority of my code in my export script so I'm reasonably certain it's not a PS code problem.

Sync rule:

firstName -> first_name
lastName -> last_name
mail -> email
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> username
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> dn

I'm excited about the possibilities, but frustrated.  I'd be happy to post additional details but I'm not sure what would be helpful.

-Robert

Password Change Notification Service without domain trust


I've read the PCNS documentation and realized that it's not possible to configure password synchronization between two different domains in different forests without a trust.

Am I right, or is it possible to configure PCNS between two forests without a trust?

Thank you!

User Reference Objects throwing error

MIM 2016 encryption questions


Hi,

I'm assuming the MIM Sync database is encrypted by default, since you get to save an encryption key after installation.

But what about the MIM Service database? Is this also encrypted by default? If not, what can we use to encrypt it?

What about the network communication from the MIM Sync & MIM Service servers to the SQL server that hosts their respective databases: is this done over an encrypted network channel? If not, how do we encrypt this layer?

What about the MIM SSPR Portal and its communication with AD domain controllers when resetting a password or registering for SSPR using the question & answer method?

Thank you,

SK


Metaverse Designer do not show all attribute precedence


Hi guys,

I just installed FIM 2010 R2 on a brand new server. I then imported all configuration from a previous install of ILM 2007 into the brand new FIM.

When I look at the precedence setting of a particular attribute in the Metaverse Designer, it seems that some properties are not showing. I'm wondering if I did something wrong or if this is normal.

Example:

I have an ADMA set up like this:

(ADMA) altSecurityIdentities --> (Metaverse) uidMVT - Direct

(ADMA) accountNameHistory --> (Metaverse) uidMVT - Direct

(ADMA) sAMAccountName --> (Metaverse) uidMVT - Rule Extension

When I look in the Metaverse Designer, the attribute "uidMVT" is only showing once. Some numbers are not even showing (the current order is 1, 4, 6, 8 etc., so it is missing 2, 3, 5, 7 and so on).

http://s14.postimg.org/eoozj8evl/MV_Designer.png

Is there any way to make every contributing MA show?

When I go back to the old ILM server, the Metaverse Designer shows me all the numbers. I'm a bit confused.

Thanks a lot guys!

Can you change the email on an account?


We have been using Identity Manager to synchronize our students to Office 365. Our problem is that many students were created with an incorrect email address.

Unfortunately, many have also already created documents in OneDrive with the incorrect login.

Can we correct the login and save the documents at the same time? I guess my question has to do with what the application thinks is the identifying field. 

Any thoughts?


FIM 2010 R2. Add user from domain B to AD group from domain A


Hello!

I have FIM 2010 R2. The FIM 2010 R2 server has connections to domain A and domain B.

Domain A and domain B have a two-way trust.

I can add a user from domain A to a group in domain A via FIM.

How can I add a user from domain B to a group in domain A via FIM?


Alex

Is it possible to change the format of the Committed Date column on a FIM Report to be in local datetime format?


We have succeeded in getting FIM reports visible via the Datawarehouse SQL Reporting Service.

However, when we view the FIMHistory report for example, the Committed Date value is different from the corresponding Date Submitted value in the Requests as seen in the FIM Portal Search Requests link.

The Report shows the Committed Date as: 11/19/2015 1:26:46 AM << wrong

The Search Requests screen shows Date Submitted: 19.11.2015 3:26:46 << correct

The actual object modify time was 03:26:46 on 19th November 2015.

How do we configure FIM Reporting to generate a report using local time (not UTC) and the local date format?

synchronization process


1. Help me with the inbound synchronization and outbound synchronization process, with an example.

2. Types of MPRs.

MIM 2016 and SQL 2014 High Availability?


Hi,

What are the options for MIM 2016 and SQL 2014 High Availability? Are we still limited to SQL Clustering?

Thanks,

SK

MIM and BHOLD Upgrade


Question?

I see the documentation for upgrading FIM 2010 R2 to MIM and have completed that in my test environment. But there is no mention of BHOLD. The BHOLD installation options are on the ISO. But is this truly an upgrade, or does the old BHOLD have to be uninstalled and then the new BHOLD installed?

And, is there someplace that lists the BHOLD build numbers?  I'm at 5.0.3079 right now.

Thanks,

Greg
