Channel: Forum Microsoft Identity Manager

Register Portal error: The current user account is not recognized by Forefront Identity Manager. Please contact your help desk or system administrator. (Error 3003)


Hello,

Using the register portal with a user shows the error:

'The current user account is not recognized by Forefront Identity Manager. Please contact your help desk or system administrator. (Error 3003)'

After that I went to this link:

http://social.technet.microsoft.com/wiki/contents/articles/20213.troubleshooting-fim-sspr-error-3003-the-current-user-account-is-not-recognized-by-forefront-identity-manager-please-contact-your-help-desk-or-system-administrator.aspx

That expert says to make sure samaccountname and domain exist in the portal. I can see the user is in the portal and Active Directory. Do I need to have both inbound/outbound sync rules for AD to FIM? Because at the moment, there is an outbound rule from FIM to AD. I suspect that the portal does not have the SID of the user in Active Directory, and the reason is that there is no inbound rule from AD to the FIM portal.

any ideas?


Synchronize User and Distribution List between forests and convert user object to contact objects


Hello,

I am not an expert with FIM/MIM Synchronization, and I want to know if the following is possible with the Synchronization Service and what additional tools we have to use.

Currently:
We have three forests: a User forest and two Resource Forests (all trusted). Today we have a synchronization and provisioning of new users (from one OU) from the account forest to Resource Forest 1 in place. It works great with the MRE from S.Granfeldt.

Our Plan:
Now, "ALL" the users from the Account Forest must be synchronized to an additional Resource Forest 2. The Distribution lists must also be synchronized, and the users which are synchronized (in a former step) to Resource Forest 1 must appear as contacts in Resource Forest 2. I assume that it is not possible to convert a user object to a contact object, therefore the users must be newly created as contact objects in Resource Forest 2. We want to have all the users show up in the GAL.

I just want to get a feeling of what is the best way to manufacture this, and what extensions (e.g. MRE or the PowerShell MA) we have to investigate and play with to let this work. We don't have the FIM Service. We have only the Synchronization Service and our development must be codeless (except PowerShell).

Thanks

Klaus

Where is the Password Registration URL stored/generated from the Portal Home page?


Trying to use/understand this FIM Password Registration and Reset feature.

I have followed the FIM/MIM install guide from the article: https://technet.microsoft.com/en-us/library/mt219040.aspx

The FIMServer hostname I am using is MIMONE and its FQN is mimone.mimtest.local

I followed to the letter the install guide above.

To get the Password registration and reset feature to work, I had to edit the web.config files so the base address is in each case

http://mimone:5725 (the install process seemed to add an extra "http")

Ok.

I can access the Registration page fine, IF I enter the URL: http://mimone:8080

The Reset works as well IF I enter the URL http://mimone:8088

BUT... From the Portal Home page, if I click on the Register for password reset link, it generates the URL: http://mimone.mimtest.local:8080 (which is what the install guide advised) which gives me a bad request invalid hostname error.

Hovering over the link shows it as Javascript:PwdRegister();

How do I fix this JS to send requests for Password Registration to: http://mimone:8080 and not mimone.mimtest.local:8080 ?

Configure FIM delegation using FIM portal!


Dears,

How to configure FIM delegation using FIM portal!

Mailbox De-Provisioning VIA FIM 2010

There's a requirement for disabling the mailbox only for few users, there's not any specific attribute for doing this like UAC. Can anyone help me in understanding and if there's some custom way of doing it then can anyone put some light on that too?

Regards,
Manuj Khurana

AD Replication via FIM

There is a requirement for synchronizing a fresh new AD with an old AD taking the old AD as the source for all the objects. The requirement is to have all the information & data to be pulled from one AD and provisioned to the new AD but with FIM. Can anyone help me in this in the optimised way possible.

Regards,
Manuj Khurana

Adding New fields in the "New User" form in FIM Portal?!


Dears,

I want to Add new fields in the "New User" form in FIM Portal?!

For example, I need to add ID number, passport number and other options for the users, so how can I achieve this?

Thanks

Regards

display name is not flowed from MV to FIM portal


Hi,

I am going through provisioning users from AD to the FIM portal. After running the profiles, the user is imported into the metaverse and connector space, but after running export, the user's displayname and accountname are not flowed, because when I look at the user in the FIM portal, he does not have displayname and samaccountname.

This picture is how it looks:

And this is my attribute flow from the FIM MA:

Why is this happening? The user in the metaverse has all attributes, but after export to FIM, some attributes are empty.

Thank you very much


Attribute update from connector space to Metaverse not happening


Hi All,

I am new to FIM. I have created a custom MA which has both export and import flow with all mapping of attributes being 'Direct'. I have an updated value in one of the attributes which comes into the connector space, but even after running 'Full Sync' it does not go further to the Metaverse. I have tried this with other attributes but have the same issue. There is no error while running the profiles.

Please suggest where I should look next.

-GD

Is it possible to Sync Lockout Settings from FIM portal to other Systems!


Dears,

Suppose I want to configure the lockout settings using FIM portal, is it possible to sync it with other systems like HR, ERP.

FIM Portal Lockout settings and AD Group policy lockout settings!


Dears,

Are the AD lockout settings and the FIM portal settings the same? Can they be synced? If not, can we sync them? And do they cause any issues if I have a conflict between FIM lockout and AD lockout?

Thanks

Regards

Update user (requestor) attribute in approval workflow


I have a requirement in which a user who raises a request to become part of a DL on the FIM Portal, should also become a part of another Set once all the approval levels in the authorization workflow are successfully approved.

So a user raises a request to join a DL on the FIM Portal. The normal approval workflow gets triggered and then I need to use an activity in the WF which will modify/update the attribute of the user who has raised the request (Requestor). However, in the Destination field of Function Evaluator activity, I only see "Target" and "WorkflowData" as the options in the look up.

Is there any other way to achieve this? Or is there any other solution for the above requirement?


MIM 2016 + SSPR OTP Email + SharePoint farm + SMTP Relay


Has anyone configured an environment which is using an SMTP relay for email sending with SSPR OTP? We are facing an issue where normal emails are sent correctly, but using SSPR with OTP fails.

We are getting these kinds of errors:

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.OneTimePasswordDeliveryException: ValidationError:UnableToSendSecurityCode ---> System.ServiceModel.FaultException: ValidationError:UnableToSendSecurityCode
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityToken(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityToken(RequestSecurityTokenType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer)
   at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

Also, how does MIM process the OTP emails? A little bit differently than normal emails...


aadconnect: disconnect object from metaverse


Hi,

I can't figure out how to disconnect an object from the metaverse as described here (for later versions):

http://blog.hosebei.ch/2014/01/28/windows-azure-directory-remove-no-longer-synced-objects/

Does anyone know how to do that with aadconnect?

thanks.

PCNSSVC error 7000 with invalid user object DN


Hi,
We face a very strange issue:
On a domain controller (running Server 2008 R2 SP1 with PCNS v4.1.3634) I see an error event 7000 with the message:
An unexpected error occurred.
LDAP://<DomainController>/CN=John Doe,OU=UserAccounts,DC=domain,DC=compwdLastSet

Very strange is the distinguished name: The attribute name "pwdLastSet" is appended to DN.

If the PCNS service is indeed using this invalid DN then it MUST run into an issue, of course. But why would it append "pwdLastSet"???

And: It is not a permanent issue:
I got these errors between events 2100 that report "password notification has been delivered to all targets."
I have already de- and re-installed PCNS (with restarts after each action of course), but this didn't resolve it.

Do you have any ideas?
Thank you


extension dll exception when filtering out synced users


Hello everyone,

I have these 2 Active Directory connectors syncing users from one domain to another.

I now have to filter some users out of the sync process, so I added a filter on the source connector, and as soon as I add this filter I get an extension dll exception for all users that meet the filtering criteria:

System.Exception: Attribute "st" is not present.
   at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in C:\Fim source code\mvextension\MVExtension\MVExtension.cs:line 142

This attribute is present for the user, and when I remove the filter the sync works fine.

Also, if I preview the user account I see that it has an attribute recall and repopulation thing it's trying to do... no idea why!

Can anyone help?

thanks ! 


Hitch Bardawil

Manager field related logic


Hi,

Is there a way to have some FIM logic along these lines:

"If person X is a Manager, then perform the following logic"

I do not believe FIM has a field associated with the person object like "isManager".

Has anyone done something similar perhaps?

Thanks,

SK

Populating domain attribute into FIM. The return type(Object) of function IIF is not Binary


I'm trying to use the Function "ConvertSidToString" with the CustomExpression:

IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx"),"DOMAINA",IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx"),"DOMAINB",IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx"),"DOMAINC","Unknown")))

However, I get the error: The return type(Object) of function IIF is not Binary

Create Exchange mail account Flowing Custom Expression homeMDB


Hi, I’m trying to flow user email accounts to the respective Exchange mail DB, based on their company attribute.

I am only required to create email accounts for:

company = TEST1 OR company = TEST2

Also, the email account needs to be on the respective ExchangeDB.

Note: I don’t need to create email accounts for users other than these 2 companies.

  EX: IIF(Eq(company,"TEST1"),"MAILBOX1",IIF(Eq(company,"TEST2"),"MAILBOX2"))

Thanks


Is there a way to grant rights to a group members instead of set of users


Hello, 

Is there a way to grant the rights for some custom object to a group of users (security group or distribution list)? I tried to create a grant-right MPR that uses the SET as requestors, and that set has the group (security group) as a manually added member.

But this doesn't seem to work, most probably due to the fact that in the SET there is a group, so the group is authorized to perform the allowed action but not the group members. Is there any way to grant rights to the members of a group (of course without building much additional logic)?

Thanks

