Delete from CS not working

February 8, 2016, 10:07 pm

≫ Next: Add New Users to Default Groups Assistance

≪ Previous: FIM portal MPR triggered only when Employee EndDate was changed at least 1 year behind

Hi All,

I have 3 MAs and using FIM 2010 R2 .

CSV file ma -> employees , creates in AD

AD ma

SQL ma -> contractors are created from here and contains all users (emp and contractor ) .

Now when i am trying to delete contractor record from SQL , it is not triggering a delete in MV and AD.

So i wanted to delete a record in SQL --> that should delete record from MV and AD

After deleting the record from SQL , when i run FI , it says unchanged 2280 ( count is decreased after deleting the record from SQL ) however it doesnot trigger a delete in MV after FS

de provisioning setting :

csv : make them disconnector

AD : stage a delete

SQL : make them disconnector

I have also tried deleting CS of SQL but that also did not help

Please help , any suggetsions..

Regards

Aditya

AdiKumar

↧

Add New Users to Default Groups Assistance

February 9, 2016, 6:24 am

≫ Next: Anyone ever faced any issues in FIM 2010 after servers moved to TLS 1.1 or TLS 1.2?

≪ Previous: Delete from CS not working

MIM 2016 – I have a sync rule, WF and MPR that adds users to the applicable OU by way of company code on user creation from Oracle. Now I need to add these users to some default groups. I have imported the AD groups into the MV. Just not sure how I can get these new users into the groups. Can I work off my current sync rule, WF and MPR or do I need an additional sync rule, WF and MPR. Any guidance is appreciated. Thank you!

kathy4270

↧

Anyone ever faced any issues in FIM 2010 after servers moved to TLS 1.1 or TLS 1.2?

February 9, 2016, 11:15 am

≫ Next: Why can't I have duplicates AccountName in FIM Portal for different user objects from different MAs?

≪ Previous: Add New Users to Default Groups Assistance

Hi All,

Just wanted to check if anyone ever came across any issues when FIM 2010 servers were updated to use TLS 1.1 or TLS 1.2?

Thank you in adavance.

Best Regards,

Rajan Shrivastava

↧

Why can't I have duplicates AccountName in FIM Portal for different user objects from different MAs?

February 10, 2016, 7:07 am

≫ Next: Custom FIM Portal attribute not showing/recognized in the built-in Function Evaluator

≪ Previous: Anyone ever faced any issues in FIM 2010 after servers moved to TLS 1.1 or TLS 1.2?

Hi all,

I just hit the wall with this error:

===============

Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>AccountName</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: ValueViolatesUniqueness Target(s): TESTP

The specified attribute value must be unique for this Resource

===============

Seems that exporting from MV to FIM Service for objects that have the same AccountName is not allowed.

I have 4 AD MAs to 4 different forests and simple Sync Setup is projection from 3 source forests and join from the 4th target forest.

Join rule is not based on AccountName and also in multiforest sync it is normal to have sometimes duplicates on AccountName for objects in different domains.

In MV everything is OK , i have different objects there regardless they have the same AccountName

When I run Export on FIM MA the first one is successfuly created in the portal but the rest complains with the error above.

Quick Googling shows that there is a mechanism in FIM service to not allow duplicates on AccountName with combination with "Domain" attribute.

Just a remark about the sources ADMAs - I don't flow "Domain" attribute.

My question is: Is it possible to modify somehow this behaviour to allow duplicates on AccountName or any other approaches.

I want to achieve the same result in FIM Portal as it is in MV - different objects with the same AccountName.

↧

Custom FIM Portal attribute not showing/recognized in the built-in Function Evaluator

February 11, 2016, 2:56 am

≫ Next: Identity Manager 2016 licensing questions

≪ Previous: Why can't I have duplicates AccountName in FIM Portal for different user objects from different MAs?

Hi,

I have a problem, added a new attribute (AttributeType) and want to use it in some custom expression in the function evaluator but seems that I cannot when I use the attribute name (System Name) it state that the attribute is not valid. I even cannot see this attribute on the dropdown list (although I can see there a lot of custom attributes added in the past which doesn't differ from the new one).

But maybe I have missed something, should the new attribute show up/be available after adding a new attribute type to the system or something else need to be done ?

↧

Identity Manager 2016 licensing questions

February 11, 2016, 8:42 am

≫ Next: Unable to export users from FIM to AD due to missing registry keys

≪ Previous: Custom FIM Portal attribute not showing/recognized in the built-in Function Evaluator

I need to know if I need CAL's or "External connector" licenses to use Identity Manager 2016 under this scenario:

We are currently using the old Microsoft IIFP (Free version of MIIS Server from back in the 2005 timeframe) which as you know is LONG end of life, to connect to 5 completely separate business units in Different AD Forests. What I am doing is connecting to these AD's and synchronizing all AD User Objects in the remote Forests to AD Contact Objects in my forest. This is for the purpose of Exchange GAL Syncs. I also synchronize all of my AD User objects in my Forest and push/synchronize those out to the remote Forests as AD Contact Objects in THEIR forest.

I run a separate Exchange script to make these Contact objects available in the GAL, as do the Exchange Admins of the other AD Forests

I am only syncing objects, not passwords and users themselves, no users interact with Identity Manager itself, and no users "log in" using any of these Contact Objects (obviously).

On Microsoft documentation, it says this "A CAL is not required for customersonly using the Forefront Identity Manager synchronization service.".

I need confirmation that what I am trying to do falls within the scope of the above statement. My Microsoft reseller cannot give me a straight answer on this. I know their job is to sell licenses, but they are not being helpful, so I need to ask here.

↧

Unable to export users from FIM to AD due to missing registry keys

February 11, 2016, 11:28 am

≫ Next: converting DN to lowercase using custom Expressions in FIM

≪ Previous: Identity Manager 2016 licensing questions

Hi All,

I have been trying to export users from FIM 2010 R2 to ADDS but have not been successful.

I get to see a lot of errors on the event logs. The major being missing registry keys 1. ADMADoNormalization 2. ADMARecursiveUserDelete 3. ADMAUseACLSecurity

I could not find these registry keys on reistrykey Db. 'ADMADoNormalization' needs to be present under SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma
name> but I cannot find any other folder after Parameters. How and when are these keys created? what do I need to do to fix these errors?

some of the other errors

1. HRESULT: '0x80230703' Source:
'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(2354)' Thread ID: '0x1038'
Additional Info: ''

2. HRESULT: '0x80230808' Source:
'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(635)' Thread
ID: '0x1038' Additional Info: 'EndExportSession called before export session was
initialized

3. HRESULT: '0x0' Source:
'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3729)' Thread ID: '0x1038'
Additional Info: 'Controller Export failed with hr= 80230703.

4. HRESULT:
'0x80230703' Source: 'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3562)'
Thread ID: '0x1038' Additional Info: ''

5. HRESULT: '0x80230703' Source:
'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(585)' Thread
ID: '0x1038' Additional Info: ''

6. HRESULT: '0x80230703' Source:
'd:\bt\800\private\source\miis\scrhost\scripthost.cpp(20031)' Thread ID:
'0x23E0' Additional Info: ''

7. HRESULT: '0x80004002' Source:
'd:\bt\800\private\source\miis\scrhost\scripthostloader.cpp(790)' Thread ID:
'0x23E0' Additional Info: ''

8. HRESULT: '0x0' Source:
'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(58)' Thread ID: '0x1038'
Additional Info: 'Failed getting registry value 'ADMARecursiveUserDelete', 0x2

9. HRESULT: '0x80070002' Source:
'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(59)' Thread ID: '0x1038'
Additional Info: 'Win32 API failure: 2

↧

converting DN to lowercase using custom Expressions in FIM

February 11, 2016, 9:53 pm

≫ Next: FIM 2010 R2 - Requests takes up to 30 minutes to finish - SQL Deadlocks

≪ Previous: Unable to export users from FIM to AD due to missing registry keys

Our requirement is to convert DN (distinguished Name) of a particular OU and its sub OU's to lower case using FIM .

Is there any way we can select a particular OU and convert it to Lowercase using custom expressions ?
Is it possible to call a powershell script in synchronization rules.
EX:- We have a script to convert DN to lower case in AD LDS. Can we call that script in FIM synchronization rules.

↧

FIM 2010 R2 - Requests takes up to 30 minutes to finish - SQL Deadlocks

February 11, 2016, 11:22 pm

≫ Next: MIM PAM Powershell set-pamuser

≪ Previous: converting DN to lowercase using custom Expressions in FIM

We are facing issues with SQL deadlocks. The problem is that we are really confused about the root cause.

We have noticed that some requests takes up to 30 minutes to finish. And those request are simple, add sync rule for a person etc.

But could we assume that there is something wrong with the SQL because of the long finishing times of requests?

↧

MIM PAM Powershell set-pamuser

February 12, 2016, 2:04 am

≫ Next: SharePoint Services Connector for FIM 2010 R2

≪ Previous: FIM 2010 R2 - Requests takes up to 30 minutes to finish - SQL Deadlocks

Hi !

I'm trying to use the set-pamuser cmdlet to deactivate users remotely but i receive the following error message.

Strangely, i'm able to use the new-pamuser remotely.

Regards,

Yannick

$remote = get-credential
$session = new-pssession -connectionUri "http://pamsrv.private.local:5985/wsman" -Credential $remote -Authentication Credssp
Invoke-Command -session $session -scriptBlock {set-pamuser -user (get-pamuser -SourceAccountName FRAEV04) -PrivAccountActive $true}

Log Name:      Privileged Access Management
Source:        Microsoft.IdentityManagement.PamPowerShell
Date:          12/02/2016 10:35:08
Event ID:      338
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      PAMSRV.private.local
Description:
[Id: b99a7c53-11a2-4cc1-a10f-27169e03ce1f]

User attributes of 'FRUSER' could not be modified.
Exception:
The server is unwilling to process the request.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft.IdentityManagement.PamPowerShell" />
    <EventID Qualifiers="0">338</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-02-12T09:35:08.000000000Z" />
    <EventRecordID>27610</EventRecordID>
    <Channel>Privileged Access Management</Channel>
    <Computer>PAMSRV.private.local</Computer>
    <Security />
</System>
<EventData>
    <Data>[Id: b99a7c53-11a2-4cc1-a10f-27169e03ce1f]

User attributes of 'FRAEV04' could not be modified.
Exception:
The server is unwilling to process the request.
</Data>
</EventData>
</Event>

↧

SharePoint Services Connector for FIM 2010 R2

February 14, 2016, 3:08 am

≫ Next: PowerShell Script to Bulk update multivalued attributes of group objects in FIM 2010

≪ Previous: MIM PAM Powershell set-pamuser

What versions of SharePoint does this support?

↧

PowerShell Script to Bulk update multivalued attributes of group objects in FIM 2010

February 14, 2016, 8:31 pm

≫ Next: FIM Reports using scripts

≪ Previous: SharePoint Services Connector for FIM 2010 R2

Hi all,

Has anybody written any PS script to bulk update multivalued attributes including[Displayed Owner], [Owner], [Filter] for a Criteria-based Group and [Members] for a Manual Group in FIM? I really don't like to reinvent the wheel.

Really appreciate your help on this and thanks in advance

/Jerry

Aravinth Jerry Microsoft Identity Consultant

↧

FIM Reports using scripts

February 14, 2016, 11:27 pm

≫ Next: New-PAMDomainConfiguration: The Netdom trust command returned the following error:

≪ Previous: PowerShell Script to Bulk update multivalued attributes of group objects in FIM 2010

I am trying to generate the default FIM reports which we get from the Reporting tool. However, the client does not want us to use or install the tool and we have to use some form of scripts to get the work done. I am looking for the following reports:

Group Membership Change
Set Membership Change
Group History
Set History
User History
Request History
Management Policy Rule History

Can someone help me with the scripts or point me in the right direction for it? Thanks!

↧

New-PAMDomainConfiguration: The Netdom trust command returned the following error:

February 15, 2016, 1:31 am

≫ Next: Microsoft Identity Management 2016 Documentation

≪ Previous: FIM Reports using scripts

I have been following the MIM PAM lab guide here: https://technet.microsoft.com/en-us/library/mt488766.aspx

When I reach the point at which to use the New-PAMDomainConfiguration command, I get an error stating that the Netdom trust command returned the following error:

However, no error is presented. Running the command with -Debug, it just provides a little more information stating that the trust between priv.contoso.local and contoso failed.

The preceding command - to set up the one way forest trust work just fine - using the same credential object.

Have any others seen this issue and found a resolution?
Can anyone provide some ideas for further debugging?
What changes does the New-PAMDomainConfiguration cmdlet make on the target domain?

Regards,

Jon.

↧

Microsoft Identity Management 2016 Documentation

February 15, 2016, 8:07 am

≫ Next: Internet Explorer 11 support for FIM 2010 R2 SP1

≪ Previous: New-PAMDomainConfiguration: The Netdom trust command returned the following error:

Is there any plans to release documentation for Microsoft Identity Manager 2016, specifically the Certificate Management area? The MIM 2010 / 2010 R2 guides are pretty good (not great) but I can't find much at all about MIM 2016 and what might be different.

Moreover, I finding quite a few references to '2010' and '2015' within MIM 2016 wizards and webpages. I'm questioning the QA that went into it's release. Is this really safe to use in an enterprise environment?

Bryan Berns

↧

Internet Explorer 11 support for FIM 2010 R2 SP1

February 15, 2016, 10:24 am

≫ Next: Error while provisioning user to ADLDS server through FIM

≪ Previous: Microsoft Identity Management 2016 Documentation

As per pre-requisite documentation FIM portal 2010 R2 SP1 supports Internet Explorer 9,8,7 and 6.
Is Internet Explorer 11 officially supported for FIM Portal 4.1.3419 ( 2010 R2 SP1) running on Windows 2008 R2 SP1?

If not, can you suggest the FIM version that supports IE 11.

↧

Error while provisioning user to ADLDS server through FIM

February 16, 2016, 2:44 am

≫ Next: MIM 2016 with SMTP gateway instead of Exchange

≪ Previous: Internet Explorer 11 support for FIM 2010 R2 SP1

Hello,

We are encountering "The modification was not permitted for security reasons" error while provisioning user to ADLDS. The objecttype is userProxyFull

ObjectSid attribute imported into FIM through a direct flow and also exported to ADLDS server from FIM through an direct mapping.

We can see ObjectSid value updated in connector space of ADLDS after synchronization but when Export profile is executed we are facing below error and export to server is failed.

Can anyone please assist in this.

Regards,

Jyothishree SP

↧

MIM 2016 with SMTP gateway instead of Exchange

February 16, 2016, 3:53 am

≫ Next: Provision objects with MVExtension to two connected MA's at the same time

≪ Previous: Error while provisioning user to ADLDS server through FIM

If I want to use a smtp gateway instead of a Exchange web services, how shoud I configure the Microsoft.ResourceManagement.Service.exe.config file?

I got a these from my MailAdmin:

gateway smart host address: server.domain.com

port tcp/25

no authentication

These are Microsoft.ResourceManagement.Service.exe.config configurations.

<p><addkey="mailServer"value="server.domain.com"/><addkey="isExchange"value="0"/></p><p>Should I configure SMTP E-mail in IIS too to get this working?</p><p>Now when MIM tries to send email, it just says</p><preclass="prettyprint">System.Net.Mail.SmtpFailedRecipientException: Mailbox unavailable. The server response was: 5.7.1 Unable to relay.

↧

Provision objects with MVExtension to two connected MA's at the same time

February 16, 2016, 2:55 pm

≫ Next: Identity Manager Service and Portal installation ended prematurely

≪ Previous: MIM 2016 with SMTP gateway instead of Exchange

Hello. I'm working on syncing the same contact objects to two separate AD LDS instances. The instances are not replicating, so FIM will do the provisioning/deprovisioning in both instances at the same time. I have created two separate AD LDS Management Agents with the same settings, "AD-LDS 1" and "AD-LDS 2".

Note that I don't have the FIM portal installed. So I have written a MVExtension doing the provisioning to "AD-LDS 1", which works fine. Now I want to add provisioning for the same contacts to "AD-LDS 2" in the same process - how should I do that in the MVExtension?

void IMVSynchronization.Provision (MVEntry mventry)
        {
            if (mventry.ObjectType.Equals("contact"))
            {
                ConnectedMA ManagementAgent = mventry.ConnectedMAs["AD-LDS 1"];

...

Is it possible to add "AD-LDS 2" within "mventry.ConnectedMAs" like so: mventry.ConnectedMAs["AD-LDS 1;AD-LDS 2"]; ? Or should I just copy the provisioning code for "AD-LDS 1" and paste it below for "AD-LDS 2"? I couldn't find any details on what "ConnectedMAs" supports.

Any tips are appreciated, thanks!

↧

Identity Manager Service and Portal installation ended prematurely

February 16, 2016, 8:05 pm

≫ Next: Problem in Exchange Provisioning (2010) with FIM - "no-start-ma"

≪ Previous: Provision objects with MVExtension to two connected MA's at the same time

Hi,

I am new to this field, I am trying to deploy this MIM 2016 and try to install using the disc image file. So I used Virtual Clone Drive. I am trying to install into hyper-V virtual machine.

Following the guide, I am told that I should start with Installation of Microsoft Identity Manager Service and Portal. But it presents error.

"Microsoft Identity Manager Service and Portal Setup Wizard ended prematurely because of an error. your system has not been modified. To install this program at a later time, run Setup Wizard again."

So did I miss something? Please advice.. Thanks

Regard,

AzureTechGuy

↧

Latest Images