Channel: Forum Microsoft Identity Manager

Is there a limit to the number of Conditions and/or SubConditions in a Set membership Criteria?


I need to solve a problem where an MPR/Workflow needs to be triggered when a user becomes a member of a Security Group.

I would rather not write MV extension C# code but try and use a simple Transition into a Set.

There are HUNDREDS of these security groups, but they all depend on a CostCenter/Id, so I can link them to FIM criteria-based SGs.


I am trying Set criteria like:

Select user that matches all of the following conditions

   ObjectSid starts with %

   TestforSGmembership is True

   Any of the following

       Id is 1

       Id is 2

       Id is 3

       and so on and so on...

It seems to work for 10 'or' sub-conditions.

However, my query is just how many "OR" type sub-conditions I can have in my criteria.
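As an added example (not part of the thread), this builds the XPath filter that a FIM/MIM Set stores for criteria of the shape above from a list of Id values. Each value is escaped so a stray quote in the data cannot change the filter (XPath injection in criteria built from data), and the OR list is split across several Sets once it exceeds a chosen size. The default of 10 is only the size the poster saw working, not a documented FIM limit; Id is assumed to be a string-typed attribute (an Integer attribute would be written without quotes), and the fixed conditions are copied from the post.

```powershell
# Added example, not from the thread. Builds Set filters for
#   /Person[starts-with(ObjectSID,'%') and TestforSGmembership = true and (Id = ... or ...)]
# and splits the OR list across several Sets above -MaxOrTerms (assumed size).

function ConvertTo-XPathLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # XPath 1.0 string literals have no escape character. A value without a
    # single quote is simply quoted; one that contains a quote is rebuilt with
    # concat() so the quote can never terminate the literal early.
    if ($Value -notmatch "'") { return "'$Value'" }
    $pieces = ($Value -split "'") | ForEach-Object { "'$_'" }
    return 'concat(' + ($pieces -join ', "''", ') + ')'
}

function New-SetFilter {
    param(
        [Parameter(Mandatory)][string[]]$Id,
        [int]$MaxOrTerms = 10     # assumed chunk size, not a documented limit
    )
    # The two fixed conditions from the post; the OR group is appended to them.
    $fixed = "starts-with(ObjectSID, '%') and TestforSGmembership = true"
    $setNumber = 0
    for ($start = 0; $start -lt $Id.Count; $start += $MaxOrTerms) {
        $end   = [Math]::Min($start + $MaxOrTerms, $Id.Count) - 1
        $chunk = @($Id[$start..$end])
        $or    = ($chunk | ForEach-Object { 'Id = ' + (ConvertTo-XPathLiteral -Value $_) }) -join ' or '
        $xpath = "/Person[$fixed and ($or)]"
        $setNumber++
        [pscustomobject]@{
            SetNumber = $setNumber
            OrTerms   = $chunk.Count
            XPath     = $xpath
            # The Filter element as it is stored on the Set resource (body XML-escaped).
            FilterXml = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
                        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
                        'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
                        'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
                        [System.Security.SecurityElement]::Escape($xpath) + '</Filter>'
        }
    }
}

# Constructed sample: 23 cost-centre ids, one of them containing a quote.
$ids = @(1..22 | ForEach-Object { [string]$_ }) + @("O'12")
New-SetFilter -Id $ids -MaxOrTerms 10 | Format-List SetNumber, OrTerms, XPath
```

Each emitted Set gets its own Transition In MPR, so the workflow still fires once per user regardless of which chunk the user lands in. If the Id values come from a feed rather than being typed into the portal, the escaping is what keeps a value such as `1') or (ObjectID = '` from widening the Set.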


Export users from AD to FIM Portal


I've been messing with FIM all week trying to get a POC working and got stuck where I didn't think I'd have a problem. I'm trying to use FIM to provision users from a bunch of different AD DS MAs into the portal, and then provision the users to a different AD DS from the portal. I've gotten most of it set up and working where I have all my MAs on the same server as my Portal, but I want to have each domain run its own Synchronization Service with an MA that just exports users to the one common Portal, and then let the portal provision from there. Essentially how the Office 365 DirSync tool works. It's getting multiple external MAs to connect to my portal that I'm having trouble with. Should each external MA connect to FIM using the built-in FIM connector, or should they be using some custom method with an ECMA like Office 365 uses? It seems strange and insecure to have them directly connect to the SQL database, and it doesn't seem to even let me do it once another Synchronization Service is connected anyway.


Essentially my intended flow is: AD DS->Metaverse->FIM Portal <--WAN Link--> FIM Portal->AD DS

Doing this all on one server has worked fine, where I'm essentially pulling LDAP over the WAN link, but I want to be able to do this via a "push" method from the source into the portal as opposed to the portal side "pulling" it.

MIM 2016 .NET Framework Version to Build against for custom workflow activities WITH SharePoint 2013?


We have MIM with the latest patch installed and the portal is on SharePoint 2013. 

The PowerShell custom workflow activity is not running. I'm guessing it may be due to a .NET Framework mismatch.

Does anyone know what version of the .NET Framework to build against for MIM with the portal on SharePoint Foundation 2013?

Thanks;

Jon

SharePoint Connector

The SharePoint Connector Reference web page states that it "expects a specific FIM build to be installed on your FIM synchronization server". Does anyone know why there is this restriction, and whether it will work (or can be encouraged to work) on MIM 2016?

SV

Directory-Sync Issues


Hello,

I am a new System Admin and I am having some trouble with Directory-Sync. It was suggested to post here. To keep from retyping everything, I used this post:

https://community.office365.com/en-us/f/613/t/427750

Basically, the passwords do not sync and an error message displays about a missing publicFolder when a manual sync is initiated. 

I appreciate any assistance and thank you,

Shawn


extension-unexpected-attribute-value


Hello,

I was wondering if anyone had any insight out there in regards to this error. All I did to repro the issue was hide a contact in exchange and then unhide that contact and now I get a sync error for that contact.

The error:

Stack Trace info:

Microsoft.MetadirectoryServices.UnexpectedDataException: Provisioning without cn, mailNickName or targetAddress
   at Microsoft.MetadirectoryServices.GALSync.Synchronizer.LogAndThrowUnexpectedDataException(String ExceptionString)
   at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.AddOrRenameConnector(ConnectedMA& MA, GALMA& MAConfig, MVEntry mventry, CSEntry csentry)
   at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.Provision(MVEntry mventry)

I would be happy to provide more information if it helps.

I am kinda at a loss here as I don't see any reason why it shouldn't work. I disabled, recreated, moved the account but no change. I ensured my sync removed the contacts in case it was holding on to them in the remote AD but the contact is currently not in the remote AD and it's not syncing back either due to this error.

Please note: I am only using the Synchronization Service and not the portal.

Any advice?

Thank you in advance.

John



Event viewer shows:
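As an added example (not part of the thread), the check below reports which of the three attributes named in the exception (cn, mailNickname, targetAddress) are empty on the source contact, and whether it is still hidden. If the GALSync MA filters hidden objects (the default GALMA template does), hiding the contact takes it out of scope and unhiding it makes GALSync provision it again from scratch, at which point all three attributes are required. The mail address and server are placeholders.

```powershell
# Added example, not from the thread: inspect the source contact GALSync
# refuses to provision. -Mail and -Server are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so an address taken from data cannot alter the filter.
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $out = foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { $map[$s] } else { $s }
    }
    -join $out
}

function Test-GalSyncContact {
    param(
        [Parameter(Mandatory)][string]$Mail,
        [string]$Server
    )
    $needed = 'cn', 'mailNickname', 'targetAddress'
    $params = @{
        LDAPFilter = '(&(objectClass=contact)(mail={0}))' -f (ConvertTo-LdapFilterValue -Value $Mail)
        Properties = $needed + 'msExchHideFromAddressLists', 'proxyAddresses'
    }
    if ($Server) { $params.Server = $Server }
    $contacts = @(Get-ADObject @params)
    if ($contacts.Count -eq 0) { Write-Warning "No contact with mail $Mail found"; return }
    foreach ($c in $contacts) {
        # Any attribute in $needed that is empty is what the trace complains about.
        $missing = @($needed | Where-Object { [string]::IsNullOrEmpty($c.$_) })
        [pscustomobject]@{
            DistinguishedName = $c.DistinguishedName
            HiddenFromGal     = [bool]$c.msExchHideFromAddressLists
            MissingAttributes = if ($missing.Count) { $missing -join ', ' } else { '(none)' }
            TargetAddress     = $c.targetAddress
            ProxyAddresses    = @($c.proxyAddresses) -join '; '
        }
    }
}

Test-GalSyncContact -Mail 'jane.doe@fabrikam.com' -Server 'dc01.fabrikam.com'
```

Run it against the forest that owns the contact. A contact that shows `(none)` missing and `HiddenFromGal` false but still fails is worth checking in the connector space of the GALSync MA next, since the exception is raised from the metaverse object, not from AD directly.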

FIM CM 2010 R2 Error: The version of OLE on the client and server machines does not match. (Exception from HRESULT: 0x80010110)

I get this error intermittently while executing the enrollment requests in FIM 2010 CM R2. Sometimes it auto resolves but during other times I will have to restart the IIS to get this working again. My environment earlier had FIM 2010 and was upgraded to FIM 2010 R2. Did I forget some configuration? Please help. 

-- JPM

Can MIM Client be used with Azure AD SSPR?


Hi,

We have an on-premise AD, DirSync and Azure AD (its synchronizing user accounts).

If we deploy Azure AD SSPR (in Azure) and setup the MIM Client (on-premise) - can domain joined computers use the MIM Client to register and reset their passwords? Or do we also need MIM deployed on-premise?

Thanks,

SK


User Logon Name - AD


I would appreciate if someone could assist me with this.

In the properties of a user in AD under the Account Tab, there is a drop down box next to user logon name.  The drop down contains our domain:  @domain.com.

Do you know what attributes I need to match and customize to populate this when I run my sync rule?

I have tried accountname+@domain.com = userPrincipalName, however this does not work.

New to FIM and help is appreciated.

Thank you.


kathy4270
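As an added example (not part of the thread): the "User logon name" box and the drop-down next to it are one attribute, userPrincipalName, shown split at the "@"; the drop-down lists the UPN suffixes registered in the forest. The script below builds the value the same way a sync rule would (sAMAccountName + "@" + suffix), refuses a suffix the forest does not accept, checks forest-wide that the UPN is not already in use, and only writes it when -Commit is given. The account name and suffix are placeholders.

```powershell
# Added example, not from the thread. Values for -SamAccountName and -Suffix
# are placeholders; nothing here is FIM's own code.
Import-Module ActiveDirectory

function Set-UpnFromAccountName {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Suffix,      # e.g. 'domain.com'
        [switch]$Commit
    )
    $forest = Get-ADForest
    # Valid suffixes: every domain DNS name in the forest plus the explicitly
    # registered alternative suffixes (the entries in the ADUC drop-down).
    $validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    if ($validSuffixes -notcontains $Suffix) {
        throw "'$Suffix' is not a UPN suffix in forest $($forest.Name): $($validSuffixes -join ', ')"
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
    $upn  = '{0}@{1}' -f $user.SamAccountName, $Suffix

    # UPNs must be unique across the forest; query the global catalog, not one domain.
    $gc    = '{0}:3268' -f $forest.RootDomain
    $owner = Get-ADUser -Filter { userPrincipalName -eq $upn } -Server $gc
    if ($owner -and $owner.ObjectGUID -ne $user.ObjectGUID) {
        throw "UPN $upn is already used by $($owner.DistinguishedName)"
    }

    if ($Commit) {
        Set-ADUser -Identity $user -UserPrincipalName $upn
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        CurrentUpn     = $user.UserPrincipalName
        NewUpn         = $upn
        Applied        = [bool]$Commit
    }
}

# Dry run first; add -Commit to write the attribute.
Set-UpnFromAccountName -SamAccountName 'jdoe' -Suffix 'domain.com'
```

In the outbound sync rule the equivalent is an expression flow of the form `sAMAccountName + "@domain.com"` into the AD attribute named userPrincipalName (not "UserPrincipleName"); the suffix must be one the forest lists, or AD will accept the value but logons with it will fail.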

FIM Reporting


I am trying to add FIM Reporting on the existing FIM Service. I have 3 servers running separately for Service, Service Manager and Data Warehouse. My FIM version is 2010 R2 and I am using SCSM 2010 SP1. During the installation wizard, after I enter the Management Server Name, I get a pop-up saying, "The System Center Service Manager update (KB2561430) is not installed on this computer." I have installed the hotfix on all three servers above. Still I am getting the same error. Please help if you know the reason or solution for this error.

Thanks.

full sync and delta sync error. user not provisioned


hello,

Every time I initiate a full sync I get the error below:

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD Users Outbound'. Details: Object reference not set to an instance of an object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

I looked at so many links but my sync rule seems to be OK! Here is a screenshot of my sync rule:

Microsoft Identity Manager 2016 - Extension-DLL-Exception


I am trying to run a full synchronization however since upgrading to the latest build 4.3.2064.0 I get the following extension-dll-exception. The stack trace is below:

System.ArgumentException: parsing "<![CDATA[^([\!#\$%&'\*\+/\=?\^`\{\|\}~a-zA-Z0-9_-]+[\.]?)*[\!#\$%&'\*\+/\=?\^`\{\|\}~a-zA-Z0-9_-]+@{1}((([0-9A-Za-z_-]+)([\.]{1}[0-9A-Za-z_-]+)*([A-Za-z]){1,6})|(([0-9]{1,3}[\.]{1}){3}([0-9]{1,3}){1}))$]]>.Value" - Too many )'s.
   at System.Text.RegularExpressions.RegexParser.ScanRegex()
   at System.Text.RegularExpressions.RegexParser.Parse(String re, RegexOptions op)
   at System.Text.RegularExpressions.Regex..ctor(String pattern, RegexOptions options, TimeSpan matchTimeout, Boolean useCache)
   at Microsoft.MetadirectoryServices.GALSync.Synchronizer.IsMailValid(String& MailAddress)
   at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.AddOrRenameConnector(ConnectedMA& MA, GALMA& MAConfig, MVEntry mventry, CSEntry csentry)
   at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.Provision(MVEntry mventry)
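As an added example (not part of the thread), the script below reproduces the parser error from the trace outside MIM. The pattern MIM handed to the regex constructor, as the trace prints it, is wrapped in `<![CDATA[` ... `]]>.Value`. Inside a .NET regex the `[` of `<![CDATA[` opens a character class that runs up to the first unescaped `]`, swallowing the opening `(` of the first group, so the `)` that follows `[\.]?` has no partner, which is exactly the "Too many )'s" message. The pattern itself (without the wrapper) compiles. Where MIM picked the wrapper up from is not assumed here; the sample addresses are constructed.

```powershell
# Added example, not from the thread. $inner is the pattern copied from the
# trace; $wrapped is that pattern inside the CDATA text the trace also shows.
$inner = @'
^([\!#\$%&'\*\+/\=?\^`\{\|\}~a-zA-Z0-9_-]+[\.]?)*[\!#\$%&'\*\+/\=?\^`\{\|\}~a-zA-Z0-9_-]+@{1}((([0-9A-Za-z_-]+)([\.]{1}[0-9A-Za-z_-]+)*([A-Za-z]){1,6})|(([0-9]{1,3}[\.]{1}){3}([0-9]{1,3}){1}))$
'@
$wrapped = '<![CDATA[' + $inner + ']]>.Value'

function Test-MailPattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$Sample = @()
    )
    try {
        $re = New-Object System.Text.RegularExpressions.Regex -ArgumentList $Pattern
    } catch {
        # Same ArgumentException text MIM logged: parsing "..." - Too many )'s.
        return [pscustomobject]@{
            Compiles = $false
            Error    = $_.Exception.GetBaseException().Message
            Results  = $null
        }
    }
    $results = foreach ($s in $Sample) {
        [pscustomobject]@{ Address = $s; IsMatch = $re.IsMatch($s) }
    }
    [pscustomobject]@{ Compiles = $true; Error = $null; Results = $results }
}

# Constructed sample addresses: two the pattern accepts, one it rejects.
$samples = 'jane.doe@contoso.com', 'user@10.0.0.1', 'no-at-sign.example.com'
Test-MailPattern -Pattern $inner   -Sample $samples   # Compiles: True
Test-MailPattern -Pattern $wrapped -Sample $samples   # Compiles: False, Too many )'s
```

Because the constructor fails before any address is tested, every provisioning attempt that reaches IsMailValid fails the same way; the fix is in whatever stores the pattern, not in the addresses being synced.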

Having problem syncing with new MIM 2016 installation


Hi guys,

First of all, if any of you (maybe some Identity MVPs) have access to an internal MS DL, or if MS is monitoring this thread, the installation guide of MIM 2016 is by far the worst documentation guide ever :-)

https://technet.microsoft.com/en-us/library/mt219040.aspx

Being an Office Servers and Services MVP, I know it can be hard to come out with good documentation, but following the step-by-step guide of MIM 2016 will never get you up and running...

Back to my problem;

A customer of mine wants to use SSPR on their Win7/8 logon screen (Ctrl-Alt-Del).

So my goal is only to deploy the SSPR portion, sync from AD and export to the MIM DB... seems pretty simple. I have decided to follow a FIM install guide instead of the MIM one: https://technet.microsoft.com/en-us/library/ff575965(v=ws.10).aspx

I have got up to the point where the sync rules work, but in the SSPR portal, if I do a search on the user, this is what I see:

I cannot seem to match the display name somewhere...

Any tips and tricks or just a quick guide would be more than helpful.

Cheers

Jean-Philippe




Jean-Philippe Breton | Senior Microsoft Consultant | MCTS, MCITP, MCT, Lync MVP

Unable to rename non-leaf object. - extension dll exception - .FunctionEvaluationException


I changed the AD OSR so that DN is flowed out to AD all the time (in addition to the initial flow we already had). All sync rules are throwing an error for just one user. I could see many other objects where the DN got changed. I am not able to find the root cause of this issue. I even tried matching the DN in AD to be the same as that of FIM.

Extension file name: FunctionLibrary.dll

Extension-Type: export-flow

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD OSR - User - Create/Delete'. Details: Unable to rename non-leaf object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)
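As an added example (not part of the thread), the check below lists the child objects under the one user that fails and compares its current DN with the DN the sync rule computes. A frequent cause of this particular error is that the object being renamed is not a leaf: it has children in the connector space, typically an msExchActiveSyncDevices container holding device partnerships, and the engine will not apply a plain rename to it. The account name, expected DN and server are placeholders.

```powershell
# Added example, not from the thread. Placeholders: -SamAccountName,
# -ExpectedDN (the DN the OSR computes), -Server.
Import-Module ActiveDirectory

function Get-RenameBlockers {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ExpectedDN,
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $user = Get-ADUser -Identity $SamAccountName @common
    # OneLevel under the user's own DN returns only objects beneath it, so a
    # non-empty result means the user is a container, not a leaf.
    $children = @(Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel -Filter * @common)

    [pscustomobject]@{
        CurrentDN  = $user.DistinguishedName
        ExpectedDN = $ExpectedDN
        DNDiffers  = -not [string]::Equals($user.DistinguishedName, $ExpectedDN, 'OrdinalIgnoreCase')
        ChildCount = $children.Count
        Children   = @($children | ForEach-Object { '{0} ({1})' -f $_.DistinguishedName, $_.ObjectClass })
    }
}

Get-RenameBlockers -SamAccountName 'jdoe' -ExpectedDN 'CN=jdoe,OU=Staff,DC=contoso,DC=com' |
    Format-List
```

If `ChildCount` is non-zero, that explains why this one user differs from the many whose DN changed cleanly; if it is zero and `DNDiffers` is true, compare the DN the rule emits against the connector-space object in Synchronization Service Manager instead.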


How have others solved this? FIM portal custom object - request access to a system for end user


All,

I am just starting my research and wanted to see how others have solved this problem before I go too far down this road.  I have a requirement to create a custom object in the FIM portal that allows a user to request access to other systems.  

  1. The preference is to have a separate custom object (MySystemRequests) instead of modifying the primary user object in the portal.  Easy enough.
  2. The new custom object "MySystemRequests" will contain several fields including a multi-value check box called "Request System Access" to request access to systems like payroll, accounts receivables, etc...  Again pretty straight forward.
  3. Here's where it might get tricky.  A separate approval for each system selected in "Request System Access" should be created when the MySystemRequests is submitted.  Each selected item may have its own approval workflow and automation that it needs to follow - hence the need for separate approvals.

My question is, short of writing a custom activity, is there a way to spawn multiple approvals for a multi-value checkbox?  Any thoughts and insights would be appreciated.


Anyone use ObjectRename in a custom MA?

Advanced import attribute flow for reference attribute "member" for "group" object


Hi Folks,

We have a scenario where, when a group is created in AD with members in it, the members should flow for the first time to the metaverse and then to the FIM Portal. After this, if members are added/removed in AD for the group, these changes should not flow into the metaverse, and the members in the FIM Portal must override the changes done directly in AD. We thought we could achieve this with a rules extension but learnt that advanced flow rules for reference attributes are not allowed.

Any suggestions on how this can be achieved?

Any help would be appreciated.

Thanks,


Veena

question about roles and workflow


hello,

What we are planning to do is to allow some users to create user accounts in the FIM portal, and then their request to create user accounts needs to be sent to a moderator before actual provisioning to AD. If that moderator accepts the request, then it is allowed to go into the provisioning process.

Any ideas how I can implement this?

MIM PAM Powershell


Hi Guys,

I would like to use the command New-PAMUser from a computer in the CORP domain, but the client add-ins don't provide this command.

Is there a way to do this remotely?

Best regards,

Yannick
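As an added example (not part of the thread), one way to run New-PAMUser from a CORP workstation is to invoke it on the PAM server over PowerShell remoting, where the MIMPAM module is installed. The server name, account names and credential are placeholders; the only New-PAMUser parameters used are -SourceDomain and -SourceAccountName, the ones Microsoft's PAM walkthrough shows.

```powershell
# Added example, not from the thread. -PamServer, -SourceDomain,
# -SourceAccountName and -Credential are placeholders for your environment.
function New-PamUserRemote {
    param(
        [Parameter(Mandatory)][string]$PamServer,         # e.g. 'PAMSRV.priv.contoso.local'
        [Parameter(Mandatory)][string]$SourceDomain,      # e.g. 'CORP'
        [Parameter(Mandatory)][string]$SourceAccountName, # the CORP user to onboard
        [Parameter(Mandatory)][pscredential]$Credential   # an account allowed to administer PAM
    )
    # The module only exists on the PAM server, so the import happens inside
    # the remote script block; arguments are passed explicitly rather than
    # relying on $using: so this also works on older PowerShell versions.
    Invoke-Command -ComputerName $PamServer -Credential $Credential -ScriptBlock {
        param($domain, $account)
        Import-Module MIMPAM
        New-PAMUser -SourceDomain $domain -SourceAccountName $account
    } -ArgumentList $SourceDomain, $SourceAccountName
}

$cred = Get-Credential -Message 'PRIV forest administrator'
New-PamUserRemote -PamServer 'PAMSRV.priv.contoso.local' -SourceDomain 'CORP' `
                  -SourceAccountName 'jdoe' -Credential $cred
```

Opening WinRM on the PAM server to the corporate network widens the attack surface of the bastion forest, which is the thing PAM exists to isolate. If you do it, restrict the listener by firewall to a dedicated administrative workstation, prefer an HTTPS listener with Kerberos over the forest trust to adding the host to TrustedHosts, and consider a JEA endpoint that exposes only the PAM cmdlets rather than a full session.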

SSPR Enforce Password policy on AD server 2012


Hi All,

I have below server OS configuration:

  • AD server - 2012.
  • FIM server- 2012.
  • SQL server- 2012 R2.

Also, below are FIM component versions:

  • FIM version- 4.1.3419
  • SQL server version- MSSQL server 2012 with build 11.0.5343

Please let me know whether SSPR will support Enforce Password Policy with this configuration or not.

Thanks in Advance.


Giriraj Singh Bhamu
