Wim Beck | IS4U FIM/MIM Expert Blog: blog.is4u.be
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. Thank you!
FIM2010 Troubleshooting: examining Outbound System Scoping Filter Syntax
↧
↧
Manager Based Groups
Hello All,
I need a suggestion on how to implement Manager Based Groups in FIM from HR
HR has ManagerID as ref attribute. I need to populate Manager based groups according to ManagerID.
My Plan was to use a powershell script after each run to check if the group is there in FIM and create one using Powershell script. I don't know if this approach is the best.
↧
SSPR Client with multiple workflows
Hello,
I have a requirement to have two separate authentication workflows for SSPR. One set of users are required to use the SMS authentication and the other set are not.
I have created the second workflow, MPR etc and it all works perfectly when accessed through the browser.
However, users who are in the new custom set for SSPR are not being prompted to register using the SSPR client.
Is it possible to use the client with a custom authentication workflow?
↧
MIM Portal - Asks credentials 3 times and then give a wihte page
So I can access to MIM portal using address hostname.domain.com. Portal works fine. But then I want to access to the portal with mimportal.domain.com and now the browser is asking my credentials 3 times and then returns a blank white screen.
So what is the issue? I have configured dns-a record with mimportal.domain.com to point MIM portal ip address.
I have not configured Kerberos. I have followed http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/ this manual to install the portal.
↧
Linking two AD accounts to One Metaverse Object
Does anyone have any clever ideas for the following situation? I have employees that have both regular user AD accounts and an additional Privileged AD Account. Users are intended to use the regular account for all regular activities - but switch
to the privileged account for admin work. So when a user is terminated in HR - I already de-provision their regular account. But is there a way to pair another AD account to the Metaverse user object - so I can term both user accounts even
though they are both in the same domain?
↧
↧
Microsoft identity manager 2016
First question:
Is Forefront Identity Manager (FIM) 2010 suite still available? My environment has 2003 servers that still need to be managed thus why I am asking.
Second question:
Does Forefront Identity Manager (FIM) 2010 suite &/ or Microsoft identity manager 2016 Offer support and management of Microsoft security essentials AKA the anti virus?
↧
Insufficient access rights to perform the operation error while Syncing users in Forefront Identity Manager
Hi All
I am new to FIM and I have few users which I am not able to Sync in FIM and getting the error "Insufficient access rights to perform the operation error"
Details of my setup
I have a forest AAA.local as forest
Domain -1:abc.aaa.local and Domain 2: xyz.aaa.local and email is associated to only one domain controller. I have few users who's have accounts in both domains and their logon ID is same in both domain controller
abcFirst Name :- Test User 5
Last Name :- FIM
Display name :- FIM, Test User 5
Logon name :-fimpasmx5
E-mail :- none
xyz
First Name :- Test User
Last Name :- FIM
Display name :- FIM, Test User
Logon name :-fimpasmx5
E-mail :- fimpasmx5@p*****.com
When the account is Synced in FIM e-mail is taken from domain 2 and first name & last name is taken from domain-1.
Can you please help me when user have same logon name in both domain how to sync both domain ID in FIM
Permissions on OU are fine as other accounts which exists only in one domain (abc or xyz) are able to sync.
Appreciate your help
↧
Error importing management agent: The overall anchor attribute length exceeds the maximum size for an index key.
Hi,
I'm having problems importing an MA. The exported MA has an anchor length of 448. When I'm importing the MA, the anchor length is changing to 512 and the action fails with the error:
The overall anchor attribute length exceeds the maximum size for an index key. You must select anchor attributes with combined column length of 900 bytes or less.
How can it be? How to solve it?
The MA is targeting two SQL views. The views top part is here:
User_GroupMembership
FROM FIMSynchronizationService.dbo.mms_metaverseAS PMV WITH (nolock)
WHERE object_type ='person'
UNIONALL
SELECTDISTINCT'Group' AS ObjectType,'OCGBogus6'AS Anchor
UNIONALL
SELECTDISTINCT'Group' AS ObjectType, GMV.accountNameAS Anchor
FROM FIMSynchronizationService.dbo.mms_metaverseAS GMV WITH (nolock)
WHERE object_type ='group'
UNIONALL
SELECTDISTINCT'functionalAccount'AS ObjectType, 'functionalAccountOCGBogus5'AS Anchor
UNIONALL
SELECTDISTINCT'functionalAccount'AS ObjectType, FMV.object_type+ FMV.employeeIDAS Anchor
FROM FIMSynchronizationService.dbo.mms_metaverseAS FMV WITH (nolock)
WHERE object_type ='functionalAccount'
GO
Etc…
User_GroupMembership_MV
USE [OxfordServiceDB]
GO
/****** Object: View [dbo].[User_GroupMembership_MV] Script Date: 1/8/2016 9:17:53 AM ******/
SETANSI_NULLSON
GO
SETQUOTED_IDENTIFIERON
GO
CREATEVIEW [dbo].[User_GroupMembership_MV]
AS
SELECTDISTINCT MV.object_type+ MV.employeeIDAS'Anchor','MemberOf'AS 'AttributeName', MV2.accountNameAS'Vallue'
FROM FIMSynchronizationService.dbo.mms_mv_linkAS link WITH (nolock)INNERJOIN
FIMSynchronizationService.dbo.mms_metaverseAS MV WITH (nolock)ON link.reference_id= MV.object_idINNERJOIN
FIMSynchronizationService.dbo.mms_metaverseAS MV2 WITH (nolock)ON link.object_id= MV2.object_id
WHERE (link.attribute_name='member')AND(mv2.object_type='group')
UNIONALL
SELECTDISTINCT'QEHDPNTQEMU!!'AS'Anchor','MemberOf'AS 'AttributeName','QEHDPNTQEMU!!'AS'Vallue'
GO
Etc…
GH
↧
How to synchronize users who are part of two domain in same forest. The user logon name and e-mail ID are identical
Hi All,
We a forest under which we have two domains e,g ABC and XYZ. Some of the users have accounts in both domains where in their user login ID and e-mail ID are identical. When we tried to sync user some of the attributes are picked from abc domain and some are picked from xyz domain in metaverse
For example for below two ID when i sync First name, last name & e-mail ID are picked from abc domain and object ID & domain are picked from xyz because of this users are not able to register and getting Unrecognized user error.
Can anyone help to resolve this issue.
abcFirst Name :- fimtest
Last Name :- users100
Display name :- users100, fimtest
Logon name :-fimtestusers100
E-mail :- fimtestusers100@*****.com
xyz
First Name :- Testuser100
Last Name :- FIM
Display name :- FIM, Testuser100
Logon name :-fimtestusers100
E-mail :- fimtestusers100@*****.com
↧
↧
MIM Portal 2016 - Page Navigation Control bug with IE11, Chrome
I had a prior thread on this issue and have not resolved it yet. It makes adding Sync rules with lot's of attribute flows difficult and I have over 70 ADMA's with portal sync rules, workflows and sets to create.
Has anyone elase run into this and resolved it?
Below is a image of the failing control.
See
↧
DeprovisionAll Method
Hi All,
I want to deprovisioning all the connectors based on certain value from the source, Let's say when value of the attriute update =" DEL", it should deprovisioning all the connectors.
When i apply the below logic, in Syn i can see all the connectors are deprovisioned and mventry gets deleted at first. but in AD connectors I can see the object .
I understand my function for deprovisioning call at last. so there should not be no object in the AD connectors.
Kindly advice.
void IMVSynchronization.Provision(MVEntry mventry)
{
// Provisioning code & logic
// Calling the function to check the value & if it is meet the conditon, it will deprovisioning.
Deltest(mventry);
}
The Function
public void Deltest(MVEntry mventry)
{
if (mventry["status"].Value == "DEL")
{
mventry.ConnectedMAs.DeprovisionAll();
mventry.ConnectedMAs["AD"].Connectors.DeprovisionAll();
}
in AD Connectors
Thanks & Regards,
Anirban Singha
Blog : http://a-zenith.blogspot.in/
↧
MIM Password Reset Portal - Page can't be displayed
I just installed MIM Password Reset Portal on another host than the "normal" portal is. Now when I try to connect to the portal, IE just says that the page can't be displayed.
Am I facing another spn problem? So do I need to register spns for password reset and registration too?
↧
FIM Group Management (tab)
In FIM, in the Navigation Bar, we have the Security Groups section where Users can view their membership also request to join a group. I want to be able to create a tab in the User view Interface, so when we go on a user we have the tabs “General, Work Info, contact Info, and I added the Group Membership tab, so users can see what groups they are a member of”. I want to be able to create another tab where users can initiate group requests, so basically have what is in the navigation bar on a tab in user view. Is that possible? Please help.
↧
↧
MIM 2016 FIMMA Full Import & Full Sync vs. Full Sync
Hi,
I've just installed MIM and play a bit but I noticed something I cannot really explain. I have a scope based sync rule to AD (ADMA) with a outbound system scoping filter like: employeeStatus equal Employee. Problem is that this rule isn't applied when I run FIMMA Full Import and Full Sync (in 1 step), however it is applied when I run a full sync preview on object or just a full sync step (without full import). Am I missing something, does it work as designed or I may have some issue in my configuration ?
Regards,
Tomasz
↧
FIM Portal - Multiple objects header sorting issue
Hey all,
I have an issue I cant seem to figure out how to resolve.
I have a page in the portal I created called Phonebook
I have populated the search scope to return both Person Objects and a custom resource call contacts
The search works great, but when I try to sort the page by anything but display name (by clicking the header) it turns up blank with no results and I have to hit search again. Then I can sort it.
This also happens with just the custom object contacts page.
Any help you can give would be appreciated.
Thanks
Russ
Russell Lema
↧
IDsync Between AD Forest
I have two different AD forest (Prod and Test) , is there any way we can replicate(add/remove/modify) accounts/OUs from Prod AD to Test ? Is there any way we can export all from prod to test
Thanks, Sandheep
↧
AD Connect atribute filtering issues
Hello all. I recently upgraded from DirSync and AAD Sync to AD Connect for syncing my Office 365 accounts. Within the older version of DirSync, I could create a filter that would only sync accounts with a certain UPN ending. Now with the new AD Connect, I cannot get this to work. I have tried suggestions listed here (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnectsync-configure-filtering/#attribute-based-filtering) but none seem to work. I've also been working with Microsoft phone support for 2 days and they cannot get it to work either.
I created an "In From AD" filter and in the "Scoping filter, my attribute is userPrincipalName, Operator is NOTENDSWITH, and Value is the UPN ending starting (@domain.com). I have nothing in Join rules and Transformation is Constant, cloudFiltered, True.
Any help would be greatly appreciated.
↧
↧
Internal error 3000 after adding a new attribute to the portal. DB restore.
Hi all.
I've come across an issue.
I try to create a new attribute on the portal.
Standard things: name, displayname and details. I've tried both indexed and unindexed string.
Once I click "finish" the wheel spins then I'm directed to an internal error then the whole portal crashes and will only load to the "internal error 3000" page. During this time The FIM sync will get an error during import, "failed-schema-access"
The only way I've been able to fix this is to restore the DB.
The eventlogs dont show a great deal, they shows errors along the longs of "something out of index or bounds" and nullpoint exception error.
I have created new attributes in the portal before without issue. To note I have tried this 3 or 4 times as originally thought I'd copied in some bad chars from winword but no, it's something else.
If you can direct me how to gather more details that would help.
Error snippets:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
at Microsoft.ResourceManagement.Schema.ServerSchemaManager.Reload()
at Microsoft.ResourceManagement.ActionProcessor.SchemaActionProcessor.UpdateSchemaCache()
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)
--- End of inner exception stack trace ---
Requestor: urn:uuid: UUID REPLACED
Correlation Identifier: UUID REPLACED
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.ArgumentNullException: Value cannot be null.
Parameter name: key
at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
at System.Collections.Generic.Dictionary`2.FindEntry(TKey key)
at System.Collections.Generic.Dictionary`2.TryGetValue(TKey key, TValue& value)
at Microsoft.ResourceManagement.Schema.ServerSchemaManager.GetAttributeSchema(String attributeName)
at Microsoft.ResourceManagement.Query.QueryProcessor.ReadFragment(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
at Microsoft.ResourceManagement.Query.QueryProcessor.ReadQueryResults(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
at Microsoft.ResourceManagement.Query.QueryProcessor.ExecuteQuery(Query query, Nullable`1 maximumTime, Boolean& endOfSequence, Boolean countResultsOnly, Int64& resultCount, Int64& executionTime)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecutePullActionImpl(PullRequestParameter pullParameter)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteEnumerateAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
--- End of inner exception stack trace ---
↧
ECMA v1 Full Import Hungs
Hello. We have FIM 2012 R2 SP1 v 4.1.3646.0 installed
We are having a strange behavior with an ECMA 1.0 MA, in which the Full Import run profile gets into an infinite loop and consumes almost all the CPU. The FIM console does not show any updated numbers (and there should be) for the operation, as the CS is not getting populated, and after a long time in the “in-progress” state with no progresses we need to stop the run. Then, the console immediately shows the“stopped-user-termination-from-wmi-or-ui” state.
This MA works fine in ILM 2007, but not on FIM 2012 R2 (tested on several FIMs with same results).
This MA was initially configured for import and export. Then the FI (Staging only) run profile was created (along with several export profiles), and after that the MA was reconfigured to have interface for export only. That way, export are processed by the dll (call based) and the FI by FIM.
Any ideas? Thanks!!
↧
Announcing the public availability of the MIMWAL project, now available as an Open Source Project on GitHub.
The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.
The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.
MIMWAL Features
- Building-block Workflow Activities
- Conditional Execution Capability for Building-block Activities
- Support for Iteration Over a Collection of Values in Building-block Activities
- Deep Resolution Capability for FIM Lookup Grammar
- Rich Library of Workflow Functions
- UI Framework for Building Additional Custom Workflow Activities
- Support for ETW Event Tracing
- Optimization of Update Requests
- Combining multiple updates into a single request per resource per activity
- Issuing update request only when resource is actually modified.
More information
Please visit the MIMWAL site athttp://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.
↧
More Pages to Explore .....
