Are you the publisher? Claim or contact us about this channel

Embed this content in your HTML


Report adult content:

click to rate:

Account: (login)

More Channels


Channel Catalog

Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite

older | 1 | .... | 147 | 148 | (Page 149) | 150 | 151 | .... | 204 | newer

    0 0
  • 02/08/16--22:07: Delete from CS not working
  • Hi All,

    I have 3 MAs and using FIM 2010 R2 .

    CSV file ma -> employees , creates in AD

    AD ma 

    SQL ma -> contractors are created from here and contains all users (emp and contractor ) .

    Now when i am trying to delete contractor record from SQL , it is not triggering a delete in MV and  AD.

    So i wanted to delete a record in SQL --> that should delete record from MV and AD

    After deleting the record from SQL , when i run FI , it says unchanged 2280 ( count is decreased after deleting the record from SQL ) however it doesnot trigger a delete in MV after FS

    de provisioning setting : 

    csv : make them disconnector

    AD : stage a delete

    SQL : make them disconnector

    I have also tried deleting CS of SQL but that also did not help

    Please help , any suggetsions..




    0 0

    MIM 2016 – I have a sync rule, WF and MPR that adds users to the applicable OU by way of company code on user creation from Oracle. Now I need to add these users to some default groups.  I have imported the AD groups into the MV. Just not sure how I can get these new users into the groups.  Can I work off my current sync rule, WF and MPR or do I need an additional sync rule, WF and MPR. Any guidance is appreciated.  Thank you!


    0 0

    Hi All,

    Just wanted to check if anyone ever came across any issues when FIM 2010 servers were updated to use TLS 1.1 or TLS 1.2?

    Thank you in adavance.

    Best Regards,

    Rajan Shrivastava

    0 0

    Hi all,

    I just hit the wall with this error:


    Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="" xmlns:xsi="" xmlns:xsd=""><AttributeRepresentationFailure><AttributeType>AccountName</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: ValueViolatesUniqueness Target(s): TESTP

    The specified attribute value must be unique for this Resource


    Seems that exporting from MV to FIM Service for objects that have the same AccountName is not allowed.

    I have 4 AD MAs to 4 different forests and simple Sync Setup is projection from 3 source forests and join from the 4th target forest.

    Join rule is not based on AccountName and also in multiforest sync it is normal to have sometimes duplicates on AccountName for objects in different domains.

    In MV everything is OK , i have different objects there regardless they have the same AccountName

    When I run Export on FIM MA the first one is successfuly created in the portal but the rest complains with the error above.

    Quick Googling shows that there is a mechanism in FIM service to not allow duplicates on AccountName with combination with "Domain" attribute.

    Just a remark about the sources ADMAs - I don't flow "Domain" attribute.

    My question is: Is it possible to modify somehow this behaviour to allow duplicates on AccountName or any other approaches.

    I want to achieve the same result in FIM Portal as it is in MV - different objects with the same AccountName.


    0 0


    I have a problem, added a new attribute (AttributeType) and want to use it in some custom expression in the function evaluator but seems that I cannot when I use the attribute name (System Name) it state that the attribute is not valid. I even cannot see this attribute on the dropdown list (although I can see there a lot of custom attributes added in the past which doesn't differ from the new one).

    But maybe I have missed something, should the new attribute show up/be available after adding a new attribute type to the system or something else need to be done ?

    0 0

    I need to know if I need CAL's or "External connector" licenses to use Identity Manager 2016 under this scenario:

    We are currently using the old Microsoft IIFP (Free version of MIIS Server from back in the 2005 timeframe) which as you know is LONG end of life, to connect to 5 completely separate business units in Different AD Forests. What I am doing is connecting to these AD's and synchronizing all AD User Objects in the remote Forests to AD Contact Objects in my forest. This is for the purpose of Exchange GAL Syncs. I also synchronize all of my AD User objects in my Forest and push/synchronize those out to the remote Forests as AD Contact Objects in THEIR forest.

    I run a separate Exchange script to make these Contact objects available in the GAL, as do the Exchange Admins of the other AD Forests

    I am only syncing objects, not passwords and users themselves, no users interact with Identity Manager itself, and no users "log in" using any of these Contact Objects (obviously).

    On Microsoft documentation, it says this "A CAL is not required for customersonly using the Forefront Identity Manager synchronization service.".

    I need confirmation that what I am trying to do falls within the scope of the above statement. My Microsoft reseller cannot give me a straight answer on this. I know their job is to sell licenses, but they are not being helpful, so I need to ask here.

    0 0

    Hi All,

    I have been trying to export users from FIM 2010 R2 to ADDS but have not been successful.

    I get to see a lot of errors on the event logs. The major being missing registry keys 1. ADMADoNormalization 2. ADMARecursiveUserDelete 3. ADMAUseACLSecurity

    I could not find these registry keys on reistrykey Db. 'ADMADoNormalization' needs to be present under SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma
    name> but I cannot find any other folder after Parameters. How and when are these keys created? what do I need to do to fix these errors?

    some of the other errors

    1. HRESULT: '0x80230703' Source:
    'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(2354)'  Thread ID: '0x1038'
    Additional Info: ''

    2. HRESULT: '0x80230808' Source:
    'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(635)'  Thread
    ID: '0x1038' Additional Info: 'EndExportSession called before export session was

    3. HRESULT: '0x0' Source:
    'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3729)'  Thread ID: '0x1038'
    Additional Info: 'Controller Export failed with hr=  80230703.

    4. HRESULT:
    '0x80230703' Source: 'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3562)' 
    Thread ID: '0x1038' Additional Info: ''

    5. HRESULT: '0x80230703' Source:
    'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(585)'  Thread
    ID: '0x1038' Additional Info: ''

    6. HRESULT: '0x80230703' Source:
    'd:\bt\800\private\source\miis\scrhost\scripthost.cpp(20031)'  Thread ID:
    '0x23E0' Additional Info: ''

    7. HRESULT: '0x80004002' Source:
    'd:\bt\800\private\source\miis\scrhost\scripthostloader.cpp(790)'  Thread ID:
    '0x23E0' Additional Info: ''

    8. HRESULT: '0x0' Source:
    'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(58)'  Thread ID: '0x1038'
    Additional Info: 'Failed getting registry value 'ADMARecursiveUserDelete', 0x2

    9. HRESULT: '0x80070002' Source:
    'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(59)'  Thread ID: '0x1038'
    Additional Info: 'Win32 API failure: 2

    0 0

    Our requirement is to convert DN (distinguished Name)  of a particular OU and its sub OU's to lower case using FIM .

    • Is there any way we can select a particular OU and convert it to Lowercase using custom expressions ?
    • Is it possible to call a powershell script in synchronization rules.
    • EX:- We have a script to convert DN to lower case in AD LDS. Can we call that script in FIM synchronization rules.

    0 0

    We are facing issues with SQL deadlocks. The problem is that we are really confused about the root cause.

    We have noticed that some requests takes up to 30 minutes to finish. And those request are simple, add sync rule for a person etc.

    But could we assume that there is something wrong with the SQL because of the long finishing times of requests?

    0 0

    Hi !

    I'm trying to use the set-pamuser cmdlet to deactivate users remotely but i receive the following error message.

    Strangely, i'm able to use the new-pamuser remotely.



    $remote = get-credential
    $session = new-pssession -connectionUri "http://pamsrv.private.local:5985/wsman" -Credential $remote -Authentication Credssp
    Invoke-Command -session $session -scriptBlock {set-pamuser -user (get-pamuser -SourceAccountName FRAEV04) -PrivAccountActive $true}
    Log Name:      Privileged Access Management
    Source:        Microsoft.IdentityManagement.PamPowerShell
    Date:          12/02/2016 10:35:08
    Event ID:      338
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      PAMSRV.private.local
    [Id: b99a7c53-11a2-4cc1-a10f-27169e03ce1f]
    User attributes of 'FRUSER' could not be modified.
    The server is unwilling to process the request.
    Event Xml:
    <Event xmlns="">
        <Provider Name="Microsoft.IdentityManagement.PamPowerShell" />
        <EventID Qualifiers="0">338</EventID>
        <TimeCreated SystemTime="2016-02-12T09:35:08.000000000Z" />
        <Channel>Privileged Access Management</Channel>
        <Security />
        <Data>[Id: b99a7c53-11a2-4cc1-a10f-27169e03ce1f]
    User attributes of 'FRAEV04' could not be modified.
    The server is unwilling to process the request.

    0 0

    What versions of SharePoint does this support?


    0 0

    Hi all,

    Has anybody written any PS script to bulk update multivalued attributes including[Displayed Owner], [Owner], [Filter] for a Criteria-based Group and [Members] for a Manual Group  in FIM? I really don't like to reinvent the wheel.

    Really appreciate your help on this and thanks in advance


    Aravinth Jerry Microsoft Identity Consultant

    0 0
  • 02/14/16--23:27: FIM Reports using scripts
  • I am trying to generate the default FIM reports which we get from the Reporting tool. However, the client does not want us to use or install the tool and we have to use some form of scripts to get the work done. I am looking for the following reports:

    1. Group Membership Change
    2. Set Membership Change
    3. Group History
    4. Set History
    5. User History
    6. Request History
    7. Management Policy Rule History

    Can someone help me with the scripts or point me in the right direction for it? Thanks!

    0 0

    I have been following the MIM PAM lab guide here:

    When I reach the point at which to use the New-PAMDomainConfiguration command, I get an error stating that the Netdom trust command returned the following error:

    However, no error is presented. Running the command with -Debug, it just provides a little more information stating that the trust between priv.contoso.local and contoso failed.

    The preceding command - to set up the one way forest trust work just fine - using the same credential object.

    • Have any others seen this issue and found a resolution?
    • Can anyone provide some ideas for further debugging?
    • What changes does the New-PAMDomainConfiguration cmdlet make on the target domain?



    0 0

    Is there any plans to release documentation for Microsoft Identity Manager 2016, specifically the Certificate Management area?  The MIM 2010 / 2010 R2 guides are pretty good (not great) but I can't find much at all about MIM 2016 and what might be different.

    Moreover, I finding quite a few references to '2010' and '2015' within MIM 2016 wizards and webpages.  I'm questioning the QA that went into it's release.  Is this really safe to use in an enterprise environment?

    Bryan Berns

    0 0

    As per pre-requisite documentation FIM portal 2010 R2 SP1 supports Internet Explorer 9,8,7 and 6. 
    Is Internet Explorer 11 officially supported for FIM Portal 4.1.3419 ( 2010 R2 SP1) running on Windows 2008 R2 SP1?

    If not, can you suggest the FIM version that supports IE 11.

    0 0


     We are encountering "The modification was not permitted for security reasons" error while provisioning user to ADLDS. The objecttype is userProxyFull

    ObjectSid attribute imported into FIM through a direct flow and also exported to ADLDS server from FIM through an direct mapping.

    We can see ObjectSid value updated in connector space of ADLDS after synchronization but when Export profile is executed we are facing below error and export to server is failed.

    Can anyone please assist in this.


    Jyothishree SP


    0 0

    If I want to use a smtp gateway instead of a Exchange web services, how shoud I configure the Microsoft.ResourceManagement.Service.exe.config file?

    I got a these from my MailAdmin:

    gateway smart host address:

    port tcp/25

    no authentication

    These are Microsoft.ResourceManagement.Service.exe.config configurations.

    <p><addkey="mailServer"value=""/><addkey="isExchange"value="0"/></p><p>Should I configure SMTP E-mail in IIS too to get this working?</p><p>Now when MIM tries to send email, it just says</p><preclass="prettyprint">System.Net.Mail.SmtpFailedRecipientException: Mailbox unavailable. The server response was: 5.7.1 Unable to relay.


    0 0

    Hello. I'm working on syncing the same contact objects to two separate AD LDS instances. The instances are not replicating, so FIM will do the provisioning/deprovisioning in both instances at the same time. I have created two separate AD LDS Management Agents with the same settings, "AD-LDS 1" and "AD-LDS 2".

    Note that I don't have the FIM portal installed. So I have written a MVExtension doing the provisioning to "AD-LDS 1", which works fine. Now I want to add provisioning for the same contacts to "AD-LDS 2" in the same process - how should I do that in the MVExtension?

    void IMVSynchronization.Provision (MVEntry mventry)
                if (mventry.ObjectType.Equals("contact"))
                    ConnectedMA ManagementAgent = mventry.ConnectedMAs["AD-LDS 1"];


    Is it possible to add "AD-LDS 2" within "mventry.ConnectedMAs" like so: mventry.ConnectedMAs["AD-LDS 1;AD-LDS 2"]; ? Or should I just copy the provisioning code for "AD-LDS 1" and paste it below for "AD-LDS 2"? I couldn't find any details on what "ConnectedMAs" supports.

    Any tips are appreciated, thanks!

    0 0


    I am new to this field, I am trying to deploy this MIM 2016 and try to install using the disc image file. So I used Virtual Clone Drive. I am trying to install into hyper-V virtual machine.

    Following the guide, I am told that I should start with Installation of Microsoft Identity Manager Service and Portal. But it presents error.

    "Microsoft Identity Manager Service and Portal Setup Wizard ended prematurely because of an error. your system has not been modified. To install this program at a later time, run Setup Wizard again."

    So did I miss something? Please advice.. Thanks



older | 1 | .... | 147 | 148 | (Page 149) | 150 | 151 | .... | 204 | newer