Wim Beck | IS4U FIM/MIM Expert Blog: blog.is4u.be
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. Thank you!
Hello All,
I need a suggestion on how to implement manager-based groups in FIM from HR.
HR has ManagerID as a reference attribute. I need to populate manager-based groups according to ManagerID.
My plan was to use a PowerShell script after each run to check whether the group exists in FIM and create one if it does not. I don't know if this approach is the best.
Hello,
I have a requirement to have two separate authentication workflows for SSPR. One set of users is required to use SMS authentication and the other set is not.
I have created the second workflow, MPR etc., and it all works perfectly when accessed through the browser.
However, users who are in the new custom set for SSPR are not being prompted to register using the SSPR client.
Is it possible to use the client with a custom authentication workflow?
So I can access the MIM portal using the address hostname.domain.com. The portal works fine. But when I want to access the portal with mimportal.domain.com, the browser asks for my credentials 3 times and then returns a blank white screen.
So what is the issue? I have configured a DNS A record for mimportal.domain.com pointing to the MIM portal IP address.
I have not configured Kerberos. I followed this manual to install the portal: http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/
First question:
Is the Forefront Identity Manager (FIM) 2010 suite still available? My environment has 2003 servers that still need to be managed, which is why I am asking.
Second question:
Does the Forefront Identity Manager (FIM) 2010 suite and/or Microsoft Identity Manager 2016 offer support and management of Microsoft Security Essentials (the antivirus)?
Hi All
I am new to FIM and I have a few users which I am not able to sync in FIM; I am getting the error "Insufficient access rights to perform the operation".
Details of my setup
I have a forest AAA.local.
Domain 1: abc.aaa.local and Domain 2: xyz.aaa.local, and email is associated with only one domain controller. I have a few users who have accounts in both domains and whose logon ID is the same in both domain controllers.
When the account is synced in FIM, the e-mail is taken from domain 2 and the first name & last name are taken from domain 1.
Can you please help me: when a user has the same logon name in both domains, how do I sync both domain IDs in FIM?
Permissions on the OUs are fine, as other accounts which exist only in one domain (abc or xyz) are able to sync.
Appreciate your help
Hi,
I'm having problems importing an MA. The exported MA has an anchor length of 448. When I import the MA, the anchor length changes to 512 and the action fails with the error:
The overall anchor attribute length exceeds the maximum size for an index key. You must select anchor attributes with combined column length of 900 bytes or less.
How can it be? How to solve it?
The MA is targeting two SQL views. The top part of each view is here:
User_GroupMembership
FROM FIMSynchronizationService.dbo.mms_metaverse AS PMV WITH (nolock)
WHERE object_type = 'person'
UNION ALL
SELECT DISTINCT 'Group' AS ObjectType, 'OCGBogus6' AS Anchor
UNION ALL
SELECT DISTINCT 'Group' AS ObjectType, GMV.accountName AS Anchor
FROM FIMSynchronizationService.dbo.mms_metaverse AS GMV WITH (nolock)
WHERE object_type = 'group'
UNION ALL
SELECT DISTINCT 'functionalAccount' AS ObjectType, 'functionalAccountOCGBogus5' AS Anchor
UNION ALL
SELECT DISTINCT 'functionalAccount' AS ObjectType, FMV.object_type + FMV.employeeID AS Anchor
FROM FIMSynchronizationService.dbo.mms_metaverse AS FMV WITH (nolock)
WHERE object_type = 'functionalAccount'
GO
Etc…
User_GroupMembership_MV
USE [OxfordServiceDB]
GO
/****** Object: View [dbo].[User_GroupMembership_MV] Script Date: 1/8/2016 9:17:53 AM ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[User_GroupMembership_MV]
AS
SELECT DISTINCT MV.object_type + MV.employeeID AS 'Anchor', 'MemberOf' AS 'AttributeName', MV2.accountName AS 'Vallue'
FROM FIMSynchronizationService.dbo.mms_mv_link AS link WITH (nolock) INNER JOIN
FIMSynchronizationService.dbo.mms_metaverse AS MV WITH (nolock) ON link.reference_id = MV.object_id INNER JOIN
FIMSynchronizationService.dbo.mms_metaverse AS MV2 WITH (nolock) ON link.object_id = MV2.object_id
WHERE (link.attribute_name = 'member') AND (mv2.object_type = 'group')
UNION ALL
SELECT DISTINCT 'QEHDPNTQEMU!!' AS 'Anchor', 'MemberOf' AS 'AttributeName', 'QEHDPNTQEMU!!' AS 'Vallue'
GO
Etc…
GH
Hi All,
We have a forest under which we have two domains, e.g. ABC and XYZ. Some users have accounts in both domains, where their user login ID and e-mail ID are identical. When we try to sync a user, some attributes are picked from the abc domain and some from the xyz domain in the metaverse.
For example, for the two IDs below, when I sync, first name, last name & e-mail ID are picked from abc and object ID & domain are picked from xyz; because of this, users are not able to register and get an "Unrecognized user" error.
Can anyone help to resolve this issue.
Hi All,
I want to deprovision all the connectors based on a certain value from the source. Let's say when the value of the attribute update = "DEL", it should deprovision all the connectors.
When I apply the logic below, in sync I can see all the connectors are deprovisioned and the mventry gets deleted at first, but in the AD connectors I can still see the object.
I understand my function for deprovisioning is called last, so there should be no object in the AD connectors.
Kindly advise.
void IMVSynchronization.Provision(MVEntry mventry)
{
    // Provisioning code & logic
    // Call the function to check the value; if the condition is met, it deprovisions.
    Deltest(mventry);
}
The Function
public void Deltest(MVEntry mventry)
{
    // Reading .Value on an attribute that is not present throws, so check IsPresent first.
    if (mventry["status"].IsPresent && mventry["status"].Value == "DEL")
    {
        // Mark every connector space object joined to this MV entry for deprovisioning.
        mventry.ConnectedMAs.DeprovisionAll();
        mventry.ConnectedMAs["AD"].Connectors.DeprovisionAll();
    }
}
in AD Connectors
Thanks & Regards,
Anirban Singha
Blog : http://a-zenith.blogspot.in/
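As an added example (my code, not the poster's), here is how I would structure the same "DEL" check inside a rules extension so that a deprovisioned object never falls through into the provisioning logic of the same Provision call, and so that a missing attribute does not throw. The attribute name "status" and the MA name "AD" come from the post; the class name and the rest are assumed. Note that what happens to the AD object on the next export is decided by the AD MA's Deprovisioning setting ("Make them disconnectors" vs. "Stage a delete on the object"), not by this code.

```csharp
using Microsoft.MetadirectoryServices;

// Added example, not the poster's code. Assumes a metaverse rules extension
// implementing IMVSynchronization; only the Provision path is shown.
public class MVExtension : IMVSynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        // Handle the delete case first and return, so a "DEL" object is never
        // re-provisioned by the logic further down in the same call.
        if (ShouldDeprovision(mventry))
        {
            // Marks every joined CS object (AD included) for deprovisioning.
            // Whether AD then gets a delete or just a disconnect depends on the
            // AD MA's Deprovisioning tab, which should be checked as well.
            mventry.ConnectedMAs.DeprovisionAll();
            return;
        }

        // ... normal provisioning logic for live objects goes here ...
    }

    // Reading .Value on an absent attribute throws, so test IsPresent first.
    // Attribute name "status" is taken from the post; the compare is exact.
    private static bool ShouldDeprovision(MVEntry mventry)
    {
        Attrib status = mventry["status"];
        return status.IsPresent && status.Value == "DEL";
    }

    // Only consulted when the MV object deletion rule is set to use a rules
    // extension; kept at "do not delete" here because it is not the point of
    // this example. Adjust to your own deletion rule.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```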
I just installed MIM Password Reset Portal on another host than the "normal" portal is. Now when I try to connect to the portal, IE just says that the page can't be displayed.
Am I facing another SPN problem? So do I need to register SPNs for password reset and registration too?
In FIM, in the Navigation Bar, we have the Security Groups section where users can view their membership and also request to join a group. I want to be able to create a tab in the user view interface, so when we go to a user we have the tabs "General, Work Info, Contact Info", and I added the Group Membership tab, so users can see what groups they are a member of. I want to be able to create another tab where users can initiate group requests, so basically have what is in the navigation bar on a tab in the user view. Is that possible? Please help.
Hi,
I've just installed MIM and played a bit, but I noticed something I cannot really explain. I have a scope-based sync rule to AD (ADMA) with an outbound system scoping filter like: employeeStatus equals Employee. The problem is that this rule isn't applied when I run FIMMA Full Import and Full Sync (in 1 step); however, it is applied when I run a full sync preview on the object or just a full sync step (without full import). Am I missing something? Does it work as designed, or may I have some issue in my configuration?
Regards,
Tomasz
Hey all,
I have an issue I can't seem to figure out how to resolve.
I have a page in the portal I created called Phonebook.
I have populated the search scope to return both Person objects and a custom resource called Contacts.
The search works great, but when I try to sort the page by anything but display name (by clicking the header) it turns up blank with no results and I have to hit search again. Then I can sort it.
This also happens with just the custom object contacts page.
Any help you can give would be appreciated.
Thanks
Russ
Russell Lema
I have two different AD forests (Prod and Test). Is there any way we can replicate (add/remove/modify) accounts/OUs from Prod AD to Test? Is there any way we can export everything from Prod to Test?
Thanks, Sandheep
Hello all. I recently upgraded from DirSync and AAD Sync to AD Connect for syncing my Office 365 accounts. Within the older version of DirSync, I could create a filter that would only sync accounts with a certain UPN ending. Now with the new AD Connect, I cannot get this to work. I have tried suggestions listed here (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnectsync-configure-filtering/#attribute-based-filtering) but none seem to work. I've also been working with Microsoft phone support for 2 days and they cannot get it to work either.
I created an "In from AD" rule, and in the scoping filter my attribute is userPrincipalName, the operator is NOTENDSWITH, and the value is the UPN ending (@domain.com). I have nothing in join rules, and the transformation is Constant, cloudFiltered, True.
Any help would be greatly appreciated.
Hi all.
I've come across an issue.
I try to create a new attribute on the portal.
Standard things: name, displayname and details. I've tried both indexed and unindexed string.
Once I click "Finish" the wheel spins, then I'm directed to an internal error, then the whole portal crashes and will only load the "internal error 3000" page. During this time the FIM sync gets an error during import, "failed-schema-access".
The only way I've been able to fix this is to restore the DB.
The event logs don't show a great deal; they show errors along the lines of "something out of index or bounds" and a null-pointer exception error.
I have created new attributes in the portal before without issue. Note that I have tried this 3 or 4 times, as I originally thought I'd copied in some bad characters from Word, but no, it's something else.
If you can direct me how to gather more details that would help.
Error snippets:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
at Microsoft.ResourceManagement.Schema.ServerSchemaManager.Reload()
at Microsoft.ResourceManagement.ActionProcessor.SchemaActionProcessor.UpdateSchemaCache()
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)
--- End of inner exception stack trace ---
Requestor: urn:uuid: UUID REPLACED
Correlation Identifier: UUID REPLACED
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.ArgumentNullException: Value cannot be null.
Parameter name: key
at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
at System.Collections.Generic.Dictionary`2.FindEntry(TKey key)
at System.Collections.Generic.Dictionary`2.TryGetValue(TKey key, TValue& value)
at Microsoft.ResourceManagement.Schema.ServerSchemaManager.GetAttributeSchema(String attributeName)
at Microsoft.ResourceManagement.Query.QueryProcessor.ReadFragment(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
at Microsoft.ResourceManagement.Query.QueryProcessor.ReadQueryResults(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
at Microsoft.ResourceManagement.Query.QueryProcessor.ExecuteQuery(Query query, Nullable`1 maximumTime, Boolean& endOfSequence, Boolean countResultsOnly, Int64& resultCount, Int64& executionTime)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecutePullActionImpl(PullRequestParameter pullParameter)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteEnumerateAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
--- End of inner exception stack trace ---
Hello. We have FIM 2012 R2 SP1 v 4.1.3646.0 installed.
We are having strange behavior with an ECMA 1.0 MA, in which the Full Import run profile gets into an infinite loop and consumes almost all the CPU. The FIM console does not show any updated numbers (and there should be) for the operation, as the CS is not getting populated, and after a long time in the "in-progress" state with no progress we need to stop the run. Then the console immediately shows the "stopped-user-termination-from-wmi-or-ui" state.
This MA works fine in ILM 2007, but not on FIM 2012 R2 (tested on several FIMs with the same results).
This MA was initially configured for import and export. Then the FI (Staging only) run profile was created (along with several export profiles), and after that the MA was reconfigured to have an interface for export only. That way, exports are processed by the dll (call based) and the FI by FIM.
Any ideas? Thanks!!
The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.
The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.
MIMWAL Features
More information
Please visit the MIMWAL site at http://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.