Channel: Forum Microsoft Identity Manager

Provisioning based on a Metaverse attribute


Hi everyone,

We are currently working on implementing FIM 2010 for synchronizing multiple LDAP and AD systems.
Since we are only using the synchronisation engine without the FIM Portal, we built a small web app connected to an MSSQL database.

Currently, we are looking at our LDAP:
If an object is deleted directly in the LDAP (not through FIM), the connector object is also deleted in the connector space of the LDAP MA. While doing that, we are also setting an attribute called "ldapAccountActive" in the web app connector to "false", so we can tell if the identity managed through our web app has an account inside the LDAP directory. We do that through the MapAttributesForExport method in the extension for the web app MA:

void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
{
    switch (FlowRuleName)
    {
        case "setLdapActiveState":
            // Only flip the flag if it is currently true. Reading .BooleanValue of an
            // absent attribute throws, so check IsPresent first.
            if (csentry["ldapAccountActive"].IsPresent && csentry["ldapAccountActive"].BooleanValue)
            {
                // No connector left in the LDAP MA connector space: the LDAP account is gone.
                if (mventry.ConnectedMAs["LDAP"].Connectors.Count == 0)
                {
                    csentry["ldapAccountActive"].BooleanValue = false;
                }
            }
            break;

        default:
            throw new EntryPointNotImplementedException();
    }
}

This part works without problems. If we run an export to the web app, we check if the identity has connectors in the LDAP and set the attribute.

Our problem is with the provisioning. We have the following provisioning code in the MA extension:

void IMVSynchronization.Provision(MVEntry mventry)
{
    CSEntry csentry;
    ReferenceValue DN;
    ConnectedMA ManagementAgent = mventry.ConnectedMAs["LDAP"];
    int Connectors = ManagementAgent.Connectors.Count;

    // Create an LDAP account only if none is connected yet and the web app asked for one.
    // Guard with IsPresent: reading .BooleanValue of an absent attribute throws.
    if ((Connectors == 0)
        && mventry["ldapAccountActive"].IsPresent
        && mventry["ldapAccountActive"].BooleanValue)
    {
        ValueCollection objectClassValues = Utils.ValueCollection(new String[] { "person", "inetOrgPerson", "organizationalPerson" });

        csentry = ManagementAgent.Connectors.StartNewConnector("inetOrgPerson");

        // The RDN is built from serialNumber; escape it so special characters cannot break the DN.
        DN = ManagementAgent.EscapeDNComponent("cn=" + mventry["serialNumber"].Value).Concat("ou=Users,o=Company");
        csentry.DN = DN;

        csentry["objectclass"].Values = objectClassValues;
        csentry["cn"].Value = mventry["serialNumber"].Value;
        csentry["serialNumber"].Value = mventry["serialNumber"].Value;
        csentry["sn"].Value = mventry["lastName"].Value;
        csentry["givenName"].Value = mventry["firstName"].Value;

        csentry.CommitNewConnector();
    }
}

In provisioning, we determine whether a new account should be provisioned to the LDAP by two criteria:

- does the identity managed through the web app have no connectors in the LDAP MA connector space?
- is the "ldapAccountActive" state set to "true"?

This works fine, as long as we create a new identity directly in the web app, project it to metaverse, set the "ldapAccountActive" state to "true" and run an export on the LDAP MA.

If we now delete an account in the LDAP directory and run a full sync cycle (Export, Import, Sync) on the LDAP MA, the "ldapAccountActive" attribute is set correctly on the "csentry" of the web app MA. The problem is that at this moment the provisioning method is also triggered. Meaning that at that point in time, the "csentry" is correct, but the "mventry" has not yet been set to the correct "ldapAccountActive" state, which we need to determine if an LDAP account should be provisioned.

What that means is:

We delete an account in the LDAP and FIM immediately provisions a new one. This can only be stopped if we set the "ldapAccountActive" state to "false" through the web app. This is not what we want in our case. There has to be a way to delete an LDAP account either through the web app or through the LDAP directly.

Is there a way to accomplish that?

Thank you in advance. Sorry for the long text.

Regards,

Timo
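An added example (not Timo's code) of one way to keep Provision from re-creating an account that was deleted directly in LDAP. It assumes, beyond what the post shows, a second metaverse attribute, here called ldapDN (hypothetical name), that the LDAP MA contributes from the account's DN on import with highest precedence, and that the web app MA also contributes with lower precedence once the value has been exported to the web app and imported back. The approach relies on attribute recall: when the LDAP connector is deleted, the engine withdraws the LDAP-contributed value and the web app's copy takes over, so an object that once had an account still carries ldapDN while one that never did does not. The code treats that as the difference between "create" and "leave alone". To request a fresh account after an LDAP-side deletion, the web app would clear its ldapDN and set ldapAccountActive again; whether this fits depends on the web app MA's flows.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example: a metaverse rules extension whose Provision distinguishes
// "no LDAP account yet" from "LDAP account was deleted out of band".
// Assumed (hypothetical) metaverse attributes:
//   ldapAccountActive - bool, contributed by the web app MA: "an LDAP account is wanted"
//   ldapDN            - string, contributed by the LDAP MA (highest precedence) and by the
//                       web app MA (lower precedence) after a round trip; it survives
//                       attribute recall when the LDAP connector disappears.
public class MVExtensionObject : IMVSynchronization
{
    private const string LdapMaName = "LDAP";
    private const string UserContainer = "ou=Users,o=Company";

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Assumption: the metaverse object type used for identities is "person".
        if (mventry.ObjectType != "person") return;

        ConnectedMA ldap = mventry.ConnectedMAs[LdapMaName];
        if (ldap.Connectors.Count > 0) return; // an account is connected; nothing to create

        bool wanted = mventry["ldapAccountActive"].IsPresent
                      && mventry["ldapAccountActive"].BooleanValue;
        // Still present after recall only if an account existed before (web app's copy).
        bool existedBefore = mventry["ldapDN"].IsPresent;

        if (!wanted || existedBefore)
        {
            // Either the web app never asked for an account, or one was created earlier
            // and has since been removed in LDAP: do not silently re-create it.
            return;
        }
        if (!mventry["serialNumber"].IsPresent) return; // cannot build the RDN without it

        CSEntry csentry = ldap.Connectors.StartNewConnector("inetOrgPerson");

        // Escape the RDN value so characters such as ',' or '+' cannot alter the DN.
        ReferenceValue dn = ldap.EscapeDNComponent("cn=" + mventry["serialNumber"].Value)
                                .Concat(UserContainer);
        csentry.DN = dn;

        csentry["objectclass"].Values =
            Utils.ValueCollection(new[] { "person", "organizationalPerson", "inetOrgPerson" });
        csentry["cn"].Value = mventry["serialNumber"].Value;
        csentry["serialNumber"].Value = mventry["serialNumber"].Value;
        if (mventry["lastName"].IsPresent) csentry["sn"].Value = mventry["lastName"].Value;
        if (mventry["firstName"].IsPresent) csentry["givenName"].Value = mventry["firstName"].Value;

        csentry.CommitNewConnector();
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        // Keep the metaverse object when a connector goes away; the web app stays authoritative.
        return false;
    }
}
```

The IsPresent checks matter in practice: a Provision that throws on one object aborts that object's synchronization and shows up as a sync error, which is easy to miss on a large run.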


Change in UPN throwing error in FIMMA DS


The previous sync rules were UPN – accountname@xyz.local; DN – accountname,OU=users,dc=xyz,dc=local and were working fine. I modified the UPN so that UPN – accountname@ORG.edu; DN – accountname,OU=users,dc=xyz,dc=local. The DN was kept the same.

xyz.local is the actual domain name. FIMMA DS is throwing error for new user creation in AD. Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector.

What is weird is that I am able to change the UPN of an existing account from accountname@xyz.local to accountname@org.edu. I am unable to create a new account with the UPN accountname@org.edu. Please help.


MIM 2016: Microsoft.IdentityManagement.ConfigurationBackup.exe utility fails with error, not installed or version



Product documentation for Backup specifies to use the Microsoft.IdentityManagement.ConfigurationBackup.exe utility to export settings for backup.  See https://technet.microsoft.com/en-us/library/jj134435(v=ws.10).aspx

Running the tool on my production server (MIM 2016 version 4.3.1935.0) fails with the following error:

Product is not installed or tool is not supported on your current installation version.

Any assistance is appreciated.

-Stu

Using Requests in Sets: are they always processed via set corrections?


What about using Request objects from the FIM Portal in Sets? What I see is that those Sets are calculated (membership updated) via Set Corrections afterwards. Is that true, or is there a setting somewhere, or do I simply need to do some configuration?

MIM 2016 SSPR Answer Constraint User Description and Answer Constraint Violation Error Message not able to be changed


Greetings,

I just changed both the User Description and Answer Constraint Violation Error Message in MIM 2016 and I noticed that it did not change the text message for either one of these items.  Thought I was crazy and tried it on FIM 2012 and it worked as expected.  I've now tried it on two MIM 2016 environments and I'm getting the same issue.

I can change the text in the workflow configuration just fine, but it doesn't show up correctly when an end user is going through the registration process.

any assistance would be appreciated.

-Peter

Simple way to export change type information to delimited text file


Hi,

As the subject suggests, I'm after a simple way to capture whether the operation is a change and report this out to an attribute within a text file.

Eg, the results would be something like below:

"UID","FIRSTNAME","SURNAME","JOBTITLE","CHANGESTATUS"
"jbond","James","Bond","Account Executive","ACTIVE"
"jdoe","John","Doe","Account Executive","CHANGED"
"fname","fake","name","Sales Manager","ACTIVE"


Appreciate if anyone can provide guidance.

many thanks

Stu
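An added example (not Stu's code) of how a CHANGESTATUS column like the one above can be derived inside the sync engine, for a delimited text file MA driven by a rules extension. The flow rule name "changeStatus" and the column-to-metaverse mapping are assumptions. The idea is that the connector space object still holds the values from the last export, so the export flow can compare them with the current metaverse values and write CHANGED or ACTIVE. This only works if the exported file is imported back (a confirming import) after each export; without that the connector space never learns what was written and every row keeps reporting CHANGED.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example: MA rules extension for a delimited text file MA. The export flow rule
// "changeStatus" (hypothetical name) fills the CHANGESTATUS column by comparing the values
// already in the connector space object (last export, confirmed by re-import) with the
// metaverse values that are about to be exported.
public class MAExtensionObject : IMASynchronization
{
    // CS column name -> metaverse attribute name (assumed mapping for this example).
    private static readonly string[,] Tracked =
    {
        { "FIRSTNAME", "firstName" },
        { "SURNAME",   "lastName"  },
        { "JOBTITLE",  "jobTitle"  },
    };

    public void Initialize() { }
    public void Terminate() { }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "changeStatus":
                csentry["CHANGESTATUS"].Value = HasChanged(mventry, csentry) ? "CHANGED" : "ACTIVE";
                break;
            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // True if any tracked column in the connector space differs from the metaverse value.
    // A brand-new connector has no previous values, so it reports CHANGED on its first export.
    private static bool HasChanged(MVEntry mventry, CSEntry csentry)
    {
        for (int i = 0; i < Tracked.GetLength(0); i++)
        {
            Attrib csAttr = csentry[Tracked[i, 0]];
            Attrib mvAttr = mventry[Tracked[i, 1]];

            if (csAttr.IsPresent != mvAttr.IsPresent) return true;
            if (mvAttr.IsPresent
                && !string.Equals(csAttr.Value, mvAttr.Value, StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }

    // The remaining IMASynchronization members are not used by this flow rule.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = null;
        return false;
    }
    public DeprovisionAction Deprovision(CSEntry csentry) { return DeprovisionAction.Disconnect; }
    public bool FilterForDisconnection(CSEntry csentry) { return false; }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    {
        imventry = 0;
        return false;
    }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

Keep CHANGESTATUS itself out of the tracked list, otherwise a row that flipped from ACTIVE to CHANGED on the previous run would count as changed again on the next one. Direct attribute flows for the other columns stay as configured; only the status column needs the advanced flow.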


How to cancel a pending export


Hello all,

I would need your help to cancel a pending export from an AD MA.

To explain the context, I have an AD MA that normally only does an export job. For a reason that I don't know, one of the entries has an export error (permission issue). I'm new in the organization, and apparently this is an old error, which was not closed due to the fact that this person never complained and was also an AD administrator.

But since I arrived this person has left the organization, and I have this pending export error that I would love to eliminate.

I read some posts that said to "uncheck the container that you don't want to synchronize and run a full import and full sync again", but I really don't know how to do it, or even if this will work in my case knowing that my MA does only an export. I've tried to do import/sync but the pending export is still there.

Can you help me to deal with this pending export?

Thanks in advance for all your help,

Marc

Building New Forefront Identity Manager Server for Password Management


Hello Guys,

I am trying to build a Forefront Identity Manager server to serve the Password management within my domain controllers. It seems that I need to make changes to my schema in order to work with PCNS. 

Could you please help with how and what to extend in the schema to implement this?

Thanks,

Sirish Oggu



MIM 2016 and AAD Connect


Hi all,

Does MIM 2016 include a built-in management agent for Azure AD, or will we still need a separate installation of AAD Connect for Office 365 and Azure AD synchronization?

thanks


MM

MIM 2016 GALSYNC using NAT


Hi,

We are planning to setup MIM for GALSYNC.

But we want to use NAT on the firewall when connecting to the DC/GC of Org2:

DC/GC (Org1) --> MIM --> Firewall (NAT) --> DC/GC (Org2)

Please let me know if this is going to work or not ?

NAT is supported with MIM 2016

O365 Granfeldt PS MA


Hi All,

I'm trying to use the PS MA from Mister Granfeldt (thanks!!!) to import our O365 users in FIM.

I configured the MA with a global Azure admin for Authentication and domain admin for Impersonation.

I'm successfully able to connect with PowerShell ISE but unfortunately, with the MA, I receive the following error messages.

25/11/2015 09:46:20: Script error: There was no endpoint listening at https://provisioningapi.microsoftonline.com/provisioningwebservice.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
25/11/2015 09:46:20: Script error: Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.

The import script:

param
(
    $Username,
    $Password
)

Import-Module MSOnline -Force

$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force

$Creds = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword

Connect-MsolService -Credential $Creds

Any help would be appreciated.

Yannick

Installation Prerequisites Not Met - SharePoint


Just completed all the steps and when I run the Install Service and Portal I get the following error:

Installation Prerequisites Not Met

The Features you have selected have the following prerequisites. Refer to the installation guide for more information. Please update your machine and retry the installation.

-SharePoint.

I can get into admin central just fine and I see the site collection as created by this article.

Any ideas? googling “FIM 2010 Prerequisites Not Met” has only lead me back to initial install documents. Thanks for any help you can provide.

Oracle Ebusiness Management Agent


Hi,

Has anyone used the Oracle E-Business management agent offered by MS with FIM 2010 R2 or MIM 2016?

Thanks 

FIM 2010 R2. Run set-aduser from PowerShell Activity


Hello!

I have a WF with a PowerShell Activity and I can't run the command Set-ADUser. The problem is with the ActiveDirectory PS module.

When I add

<startup>
<supportedRuntime version="v4.0"/>
<supportedRuntime version="v2.0.50727"/>
</startup>

to the Microsoft.ResourceManagement.Service.exe.config file, FIMService does not start.

How can I run a PS Activity with the ActiveDirectory module?


Alex

FIM Clearing Run Profiles Status


How do I know the status of Clearing Run Profiles, whether it is completed or not?

How can we know the history of Clearing Run Profiles, i.e. when it last happened?


Active Rights Management Service


Hello,

I had protected my Excel file using IRM on Office 2010 Pro.

I am now using Office 365 Home. Now I am not able to access my Excel file.

Request inputs from anyone having knowledge regarding this.

Thanks!

FIM- Changing Datasource of Oracle.


Hello All,

Our FIM admin will be changing the data source name and table view. I have to update the same change in the FIM MA and the Oracle client on the FIM sync server; is there any other location besides these?



Nikhil


FIM Synchronization rules (Portal) issue


I currently have a few synchronization rules (both inbound and outbound) set up in the FIM Portal. Everything works fine except if I need to edit my attribute flows. When I pull up the sync rule and go to my attribute flows, it will only allow me to pull up the properties for the attributes if I do not change pages. When I go from page 1 to another page it simply displays the same attributes; when I go to another page it will then show me new attributes. Not a super big deal, except that I cannot edit or delete any attributes except those on the first page. I can add attributes just fine.

Does anyone have any suggestions?

Microsoft Identity Manager CM


We are testing MIM CM, and since there is not a lot of documentation out there I have been following the Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration (https://technet.microsoft.com/en-us/library/hh230258(v=ws.10).aspx). However, when I try to issue and assign a smart card to a user I get an error saying "One or more of the supplied parameters could not be properly interpreted". Has anybody here come across this error, and what did you do to fix it?

Thanks!

MIM PAM in Windows Server 2016 - Basic Question


Hello All,

Per the TechNet instructions at > https://technet.microsoft.com/en-us/library/mt345588.aspx

The pre-requisites are founded upon the assumption that you should create and build a PRIV domain, as the approval workflow "forest".

Is this really necessary? Why is there not an intra-forest install/setup option? We use a forest with an empty root and a child domain where the resources and users live. For enterprise applications that require forest-wide usage, such as on-prem Exchange and Lync, we had previously done installs at the forest root, but again, the active resource and user domain in context is still the child domain.

Can anyone comment, please?

Thanks, Richard.
