Channel: Forum Microsoft Identity Manager

Error: endpoint not HTTP Basic


I have a problem with SAP when creating a WSDL web service for Active Directory integration with SAP. I use FIM 2010 R2 SP1 and SAP ECC 6.0. I've followed Microsoft guidance for best practice in creating the web service.

I've set everything to HTTP Basic, and the endpoint and service are already active in SOA Manager, but when I use the WSDL web service in FIM, I get this WSDL path error.

Error image at this URL:

https://social.technet.microsoft.com/Forums/getfile/753263

Please help, tell me what I did wrong.


Unable to provide EDIT permissions to a reference attribute in FIM portal


Hi All,

There is a Reference attribute bound to a Person object, and I want to grant users the permission to edit it. The attribute name is "Displayed Owner". It's referred to as "UoCIdentityPicker" in the RCDC for the EDIT form, which is correct. I added this attribute in the custom Permission-based MPR so that users should be able to edit this attribute, but it does not seem to work. Adding this attribute in the MPR in turn is giving the edit permission to another reference attribute named "Owner". I checked the bindings and all other stuff and there seems to be no flaw. But I am unable to identify 2 things:

How is adding the "Displayed Owner" attribute in the MPR giving permission to the "Owner" attribute?

What else do I need to do to give permission to edit the "Displayed Owner" attribute?

One more thing I noticed is that even though I log in with an Admin account which has full privileges to the FIM Portal, I do not have the permission to edit this attribute. I can only edit this attribute if I go into the Advanced View.

Thoughts on how to resolve this?

Any help would be appreciated

Regards,


Veena

Logging advanced Lotus Note 8 MA


Hi,

I installed the Lotus Note MA 8 connector with the last update (https://support.microsoft.com/fr-fr/kb/3096533) on FIM 2010 R2 (4.1.3599).

I would like to set up advanced logging as described here: http://social.technet.microsoft.com/wiki/contents/articles/14316.fim-2010-troubleshooting-enabling-verbose-logging-for-the-lotus-notes-management-agent.aspx.

But this doesn't work, the comment talks about ETW Logging (http://social.technet.microsoft.com/Forums/en-US/dbeeb280-4c2a-492f-9d5a-0c14d340ae0c/lotus-domino-connector-logging).

I enabled the following part in the %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config :

<source name="ConnectorsLog" switchValue="Verbose" switchType="System.Diagnostics.SourceSwitch">
    <listeners>
        <add name="MAEventTracingForWindowsListener" type="System.Diagnostics.Eventing.EventProviderTraceListener, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" initializeData="{C4D0C1D4-909D-481b-B011-10E682A6009D}" />
    </listeners>
</source>

This still doesn't work; Event Viewer doesn't show more information than:

The management agent "MA Lotus" step execution completed on run profile "Export Run Profile" with errors.
 Additional Information
 Discovery Errors       : "0"
 Synchronization Errors : "0"
 Metaverse Retry Errors : "0"
 Export Errors          : "1"
 Warnings               : "0"
  User Action
 View the management agent run history for details.

Actually, I am able to import data from the Lotus server to the FIM server, and send updates from FIM to the Lotus server, but creations fail (I have an "invalid-provisioning-attribute-value" error).

Thanks for any suggestions or tips about this problem.

Multiple Office 365 tenancies from single on premise Active Directory


Hi,

I have a question around multiple Office 365 tenancies hanging off a single on premise Active Directory forest (single domain).

As background we have the following scenario:

We have a single Active Directory Forest (single domain)

We currently have a single Office 365 tenancy configured with DirSync and ADFS supporting 160 schools.

40 of these schools wish to utilise their own Office 365 tenancy.  There are a number of reasons for this, including (but not limited to); being able to associate their own EES agreement to the tenancy to allow access to the Office 365 desktop applications, have control over certain globally controllable settings and the limit of 250 Address Book Policies is becoming a hindrance in a single tenancy environment.

Initially I was going to propose a MIM solution with the AAD Connector; however, I have read a forum posting by Peter Stapf alluding to the AAD Connector becoming deprecated and receiving no further feature updates. https://social.msdn.microsoft.com/Forums/en-US/182ac1ae-e6b9-4f89-bb8b-65481ac00b5c/mim-microsoft-identity-manager-2016-setup-for-multiple-tenants-sync?forum=WindowsAzureAD

Obviously the customer would like some clarification on this as the other option requires a virtual machine creating for each Office 365 tenancy to run their instance of Azure Active Directory Connect.

Can anyone offer any suggestion as to where I might find a statement substantiating the statement that the AAD Connector for MIM will be deprecated, and can anyone see any major pitfalls in the proposal of implementing 40+ instances of AAD Connect?

As a side to this, I am content with all my tenancies that will be introduced using the same ADFS environment to support authentication, and I understand I will have to utilise a third-party application to pull mailboxes from the existing Office 365 tenancy to the new one upon migration of the users and MX records.  Further, the customer is happy there will be downtime associated with moving each school from one tenancy to another.

Happy to provide any further information or detail if I have been too vague!

Many thanks in advance.

Cross forest sync distribution groups "no trust"


Hi all,

Running FIM 2010R2 Build: 4.1.3627.0 on Server 2008R2.

Mission: synchronize GAL and Distribution Groups between 2 forests. (no trust, Exchange 2010 SP3 - Exchange 2013)

Frankly, I'm new to FIM, but after a lot of googling I got GAL sync running. Works great.

Next on the list is syncing distribution groups, but I can't seem to find much info.

Is this possible with FIM? Can someone please push me in the right direction?

Thanks

New Portal Role unable to view search results


I've created a new Portal Role (Telecoms) to allow a set of users to view and edit a sub set (Desk owners) of the user accounts in FIM.  I've added the role to the list of portal roles in the FIM Portal, and I've added the MPR to grant them permission to view and edit certain attributes.  When I submit a search for all users it's coming back with the error: 

An internal error occurred and your request cannot be processed. Please contact your system administrator.

Should the members of this set (Telecoms) be able to use the search scope (All accounts) and only see the members of the subset (Desk owners) they have permission to see?  Or should they not see this option in the search dropdown as they can't see all of the accounts?

Thanks...

FIM 2010 , Deploy changes in production lync prov exchange prov and OU prov

I have a scenario

1- FIM is already deployed with FIM portal, AD and Exchange prov using AD management agent. Inbound and outbound sync rules are creating and modifying users

2- I have to do Lync prov, Exchange prov with different values of mailbox DB etc., and create users in a particular OU

3- Instead of inbound/outbound sync rules I have to use classic MAs, so no Portal

4- Everything in test is working.

5- Now I have to deploy these changes in prod, connect to prod AD, Exchange and Lync

6- The plan is to install a FIM sync on a new server and create management agents for CSV and AD

I don't want to touch what is already there in AD.
I just want to target only new entries in the CSV file.
So that existing users with Exchange, Lync and OU are not affected and they remain as they are.

Any suggestions?

AdiKumar

Issue getting SQL MA Group Object- Members Attribute populated to Metaverse Group member


Hi, I'm working on a project to convert Novell IDM to MIM 2016. I'm having an issue with getting SQL groups and members into AD

So far

Get Users to FIM 

  • Create SQLUSERMA -> connect  SQL User table – NO ISSUES

SQL table structured for Users

[employeeDI] [varchar]

… AND other user attributes

  • Create  FIMMA -> Export user to FIM portal – NO ISSUES 
  • Create ADMA -> Export Users to Active Directory  NO ISSUES 

User get provision in FIM Portal / AD/Exchange and User have access to FIM Portal – NO ISSUES  

Get Groups to FIM 

SQL table structure for Groups and group memberships

Table : Groups

[groupID] [varchar],

[groupDescription] [varchar],

[groupManager] [varchar],

[type] [varchar],

[groupType] [varchar],

Table : GroupsMembers

[employeeID] [varchar],

[groupID] [varchar],

Attribute [varchar]

  • Create DCGROUPMA (steps as here) -> Connect Group table and Group membership table as multi-value table

MA Multi Value Configuration 

Run Full Import in  DCGroupsMA  – NO ISSUES 

When checking the DCGROUPMA member attribute, members are there with multi value as employeeID

DCGROUPMA Full Sync – NO ERROR

But when exploring the Metaverse, groups are created in MV but no member attribute is displayed

How do I fix this issue? I have read 100s of articles on TechNet, but I still can't get this working.






FIM AD provisioning process with Users and Groups

When I am provisioning a user to AD and also want to join that user to a group, are there any situations in which FIM might try to add that user to a group before that user is created in AD?

Who will be crowned the last FIM Guru of 2015!!


Here it is folks!

THE FINAL CHALLENGE OF 2015!!

Step up all known Gurus currently active!

Let us see the year out in style, with some final thoughts and knowledge from everyone we love and follow in the TechNet and MSDN community.

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

enterprise single signon

I am supposed to log in via web login, desktop, mobile, proximity card, biometric, IVRS to web-based applications / client-server applications / mainframe applications / .NET applications / Java applications / legacy applications using a single sign-on feature. What are all my prerequisites?

MIM 2016 ADMA LDAP cross forest config throws errors


We're an MSP who manages 75+ customer forests & networks.  In the LAB I am trying to switch my working ADMAs to use LDAP to ensure SSL encrypted traffic between forests.

In production I built a new Two Tier CA infrastructure and have imported the CA root certificate chains into the Trusted Certificate Authorities containers.  I created a certificate for each of my target forest DC and have verified that LDAP over port 636 is working using the LDP.exe utility from my Lab MIM server

When I go into the working ADMA and change the settings from "Sign & Encrypt LDAP Traffic" to "Enable SSL for the Connection" I get the following error:

"An error was encountered trying to retrieve the SSL cipher strength"

I am using 256 bit encryption verified by LDP.exe

Any ideas ?

Thanks, Stu

Do I need a Metaverse Rules Extension to Export\Provision User objects to a Active Directory Management Agent?


Hi,

I've got FIM 2010 in a Lab with 2 Source Active Directory MAs and 1 Active Directory MA which I want to Export\Provision User objects to.  My 2 Source MAs project, provision, and join objects to the Connector Spaces and Metaverse correctly, but when I try to Export\Provision objects to another Active Directory MA, nothing shows up.  I'm struggling with understanding what all the specific requirements are to Export\Provision User objects to MAs.  Is coding a Metaverse Rules Extension needed for the Active Directory MA I want to Export\Provision to in order to Export\Provision User objects?


Thanks for your help! SdeDot

MIM 2016 ADMA LDAP SSL cross forest config throws errors


We're an MSP who manages 75+ customer forests & networks.  In the LAB I am trying to switch my working ADMAs to use LDAP to ensure SSL encrypted traffic between forests.

In production I built a new Two Tier CA infrastructure and have imported the CA root certificate chains into the Trusted Certificate Authorities containers.  I created a certificate for each of my target forest DC and have verified that LDAP over port 636 is working using the LDP.exe utility from my Lab MIM server

When I go into the working ADMA and change the settings from "Sign & Encrypt LDAP Traffic" to "Enable SSL for the Connection" I get the following error:

"An error was encountered trying to retrieve the SSL cipher strength"

I am using 256 bit encryption verified by LDP.exe

Any ideas ?

Thanks, Stu


Filtering based on imported date in CS


Hi everyone,

I need to filter objects in the connector space based on the imported date. I need to filter the objects imported into the connector space before a specific date. Do you have any idea?

Thanks in advance,


Generic LDAP connector


Hi,

I am trying to understand the working of the Generic LDAP connector for OpenLDAP. I know it uses modifyTimeStamp to search for added/modified objects for delta import. How about delta deletes?

I am wondering how it figures out deleted entries during delta import. Could you please assist me on this?

Thanks,

Shobhit vaish

Sending notification for approve before changing the DN


Hi,

I am a beginner in administration of the FIM platform.

I need to have a workflow to approve the modification of the DN of users.

Actually, and for AD provisioning, we use a script and DLL extension to calculate the DestinaoinOU for each account to create in Active Directory. The calculation is based on values in the Human Resource database; in some cases, the values are modified, and the corresponding AD account should be moved (according to the new values in the HR database).

I need to approve each modification for these accounts before the accounts are moved.

How can I do it?

Regards.

Missing data source attribute

I've never dealt with FIM before, so please forgive me if I don't provide enough background. We use FIM with SharePoint 2010.  My DS_FULLSYNC is generating tons of extension-unexpected-attribute-value errors. In Test, I have proxyAddresses mapped to SPS-SipAddress in Configure Attribute Flow, but proxyAddress is not an available option in my Prod environment.  Is there a way I can add this data source attribute?  Thanks for any help you can provide this newbie:-)

Password Management


Hello,

Is it possible to enable password synchronization on the Forefront Identity Manager Connector for Windows Azure Active Directory?
Actually, I'm using MIM 2016, I'm configuring this new connector and I receive this message from the log: "The password synchronization set operation was not processed because password management was not enabled on the target management agent."

Any help will be appreciated. :)

Thank you,
Anthony 

Normalize phone number in FIM


What's the best way to normalize a phone number in FIM? The phone number now appears as +15141234567#1234567, and I want to change it to +1-514-123-4567 #1234567. It's quite easy to do with PowerShell, but I'm not able to do it with FIM.

I've created a custom workflow from a PowerShell script. I've also created an MPR triggered by Add, Create, Modify, Read, Remove. When I edit a user manually, I get the following error:

<RequestStatusDetail xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2015-12-09T14:32:55.7203536Z">System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.ThrowHelper.ThrowKeyNotFoundException()
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.ResourceManagement.Query.QueryParametersGenerator.WriteRequestedAttributes()
   at Microsoft.ResourceManagement.Query.QueryParametersGenerator.BuildParameterString()
   at Microsoft.ResourceManagement.Query.QueryProcessor.BuildSqlCommand(Query objectRepresentation, Boolean countResultsOnly)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ExecuteQuery(Query query, Nullable`1 maximumTime, Boolean&amp; endOfSequence, Boolean countResultsOnly, Int64&amp; resultCount, Int64&amp; executionTime)
   at Microsoft.ResourceManagement.Data.DataAccess.GetObject(Guid objectId, CultureInfo locale, Guid requestor, String[] attributeNames, Boolean includeInlineRights)
   at Microsoft.ResourceManagement.Data.DataAccess.GetObject(Guid objectId, String[] attributeNames)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.Read(Guid objectId, CultureInfo locale, Nullable`1 requestor, Nullable`1 resourceTime, String[] requestedAttributes, Boolean includeRights)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessOutputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessGetWorkItem(ReadRequestWorkItem readWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)</RequestStatusDetail>
------------------------------------------------------------

Is this a good way to do it, or should I use a synchronisation rule instead of a workflow?

Thanks

Pierre-Nicolas
