Articles on this Page
- 03/07/16--22:44: Register Portal err...
- 03/08/16--03:36: Synchronize User an...
- 03/08/16--05:18: Where is the Passwo...
- 03/08/16--09:37: Configure FIM delegation using FIM portal!
- 03/08/16--20:50: Mailbox De-Provisioning VIA FIM 2010
- 03/08/16--20:53: AD Replication via FIM
- 03/08/16--22:20: Adding New fields in the "New User" form in FIM Portal?!
- 03/09/16--00:18: display name is not flowed from MV to FIM portal
- 03/09/16--13:15: Attribute update from connector space to Metaverse not happening
- 03/09/16--22:06: Is it possible to S...
- 03/09/16--22:08: FIM Portal Lockout settings and AD Group policy lockout settings!
- 03/09/16--23:33: Update user (requestor) attribute in approval workflow
- 03/10/16--04:56: MIM 2016 + SSPR OTP Email + SharePoint farm + SMTP Relay
- 03/10/16--06:44: aadconnect: disconnect object from metaverse
- 03/10/16--08:49: PCNSSVC error 7000 with invalid user object DN
- 03/10/16--09:33: extension dll exception when filtering out synced users
- 03/10/16--12:00: Manager field related logic
- 03/10/16--17:18: Populating domain a...
- 03/10/16--19:13: Create Exchange mail account Flowing Custom Expression homeMDB
- 03/11/16--02:07: Is there a way to g...
Using the register portal with a user shows the error:
'The current user account is not recognized by Forefront Identity Manager. Please contact your help desk or system administrator. (Error 3003)'
After that I went to this link:
That expert says to make sure samAccountName and domain exist in the portal. I can see the user is in the portal and in Active Directory. Do I need to have both inbound and outbound sync rules for AD to FIM? Because at the moment there is only an outbound rule from FIM to AD. I suspect that the portal does not have the SID of the user in Active Directory, and the reason is that there is no inbound rule from AD to the FIM portal.
I am not an expert with FIM/MIM Synchronization. I want to know if the following is possible with the Synchronization Service and what additional tools we have to use.
We have three forests: a User forest and two Resource Forests (all trusted). Today we have synchronization and provisioning of new users (from one OU) from the account forest to Resource Forest 1 in place. It works great with the MRE from S. Granfeldt.
Now, "ALL" the users from the Account Forest must be synchronized to an additional Resource Forest 2. The distribution lists must be synchronized also, and the users which are synchronized (in a former step) to Resource Forest 1 must appear as contacts in Resource Forest 2. I assume that it is not possible to convert a user object to a contact object, therefore the users must be newly created as contact objects in Resource Forest 2. We want to have all the users show up in the GAL.
I just want to get a feeling for what is the best way to manufacture this, and what extensions (e.g. MRE or the PowerShell MA) we have to investigate and play with to make this work. We don't have the FIM Service; we have only the Synchronization Service,
and our development must be codeless (except PowerShell).
Trying to use/understand this FIM Password Registration and Reset feature.
I have followed the FIM/MIM install guide from the article: https://technet.microsoft.com/en-us/library/mt219040.aspx
The FIM server hostname I am using is MIMONE and its FQDN is mimone.mimtest.local.
I followed the install guide above to the letter.
To get the Password Registration and Reset feature to work, I had to edit the web.config files so the base address in each case is
http://mimone:5725 (the install process seemed to add an extra "http").
I can access the Registration page fine, IF I enter the URL: http://mimone:8080
The Reset works as well IF I enter the URL http://mimone:8088
BUT... from the Portal Home page, if I click on the "Register for password reset" link, it generates the URL http://mimone.mimtest.local:8080 (which is what the install guide advised), which gives me a "bad request - invalid hostname" error.
How do I fix this JS to send requests for Password Registration to http://mimone:8080 and not mimone.mimtest.local:8080?
How to configure FIM delegation using FIM portal!
There's a requirement for disabling the mailbox only for a few users, and there isn't any specific attribute for doing this like UAC. Can anyone help me in understanding this, and if there's some custom way of doing it, can anyone shed some light on that too?
There is a requirement for synchronizing a fresh new AD with an old AD, taking the old AD as the source for all the objects. The requirement is to have all the information and data pulled from one AD and provisioned to the new AD, but with FIM. Can anyone help me with this in the most optimised way possible?
I want to add new fields in the "New User" form in FIM Portal?!
For example, I need to add ID number, passport number and other options for the users, so how can I achieve this?
I am going through provisioning users from AD to the FIM portal. After running the profiles, the user is imported into the metaverse and connector space, but after running the export, the user's displayName and accountName are not flowed, because when I look at the user in the FIM portal, he does not have a displayName or samAccountName.
This picture is how it looks:
And this is my attribute flow from the FIM MA:
Why is this happening? The user in the metaverse has all attributes, but after export to FIM some attributes are empty.
I am new to FIM. I have created a custom MA which has both export and import flows, with all mappings of attributes being 'Direct'. I have an updated value in one of the attributes which comes into the connector space, but even after running 'Full Sync' it does not go further to the Metaverse. I have tried this with other attributes but have the same issue. No error while running the profiles.
Please suggest where I should look next.
Suppose I want to configure the lockout settings using the FIM portal; is it possible to sync them with other systems like HR or ERP?
Are the AD lockout settings and the FIM portal settings the same? Can they be synced? If not, can we sync them? And do they cause any issues if I have a conflict between FIM lockout and AD lockout?
I have a requirement in which a user who raises a request to become part of a DL on the FIM Portal, should also become a part of another Set once all the approval levels in the authorization workflow are successfully approved.
So a user raises a request to join a DL on the FIM Portal. The normal approval workflow gets triggered and then I need to use an activity in the WF which will modify/update the attribute of the user who has raised the request (Requestor). However, in the Destination field of Function Evaluator activity, I only see "Target" and "WorkflowData" as the options in the look up.
Is there any other way to achieve this? Or is there any other solution for the above requirement?
Has anyone configured an environment which is using an SMTP relay for email sending with SSPR OTP? We are facing an issue where normal emails are sent correctly, but using SSPR with OTP fails.
We are getting these kinds of errors:
Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.OneTimePasswordDeliveryException: ValidationError:UnableToSendSecurityCode ---> System.ServiceModel.FaultException: ValidationError:UnableToSendSecurityCode at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityToken(Message request) at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityToken(RequestSecurityTokenType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer) at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) --- End of inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username) at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) --- End of inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs) at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e) at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e) at System.Web.UI.TemplateControl.OnError(EventArgs e) at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
Also, how does MIM process the OTP emails? A little bit differently than normal emails...
I can't figure out how to disconnect an object from the metaverse as described here (for later versions):
Does anyone know how to do that with aadconnect?
We face a very strange issue:
On a domain controller (running Server 2008 R2 SP1 with PCNS v4.1.3634) I see an error event 7000 with the message:
An unexpected error occurred.
LDAP://<DomainController>/CN=John Doe,OU=UserAccounts,DC=domain,DC=compwdLastSet
Very strange is the distinguished name: the attribute name "pwdLastSet" is appended to the DN.
If the PCNS service is indeed using this invalid DN, then it MUST run into an issue, of course. But why would it append "pwdLastSet"???
And it is not a permanent issue:
I got these errors between events 2100 that report "password notification has been delivered to all targets."
I have already uninstalled and reinstalled PCNS (with restarts after each action, of course), but this didn't resolve it.
Do you have any ideas?
I have these 2 Active Directory connectors syncing users from one domain to another.
I now have to filter some users out of the sync process, so I added a filter on the source connector, and as soon as I add this filter I get an extension DLL exception for all users that meet the filtering criteria:
System.Exception: Attribute "st" is not present.
at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry) in C:\Fim source code\mvextension\MVExtension\MVExtension.cs:line 142
This attribute is present for the user, and when I remove the filter the sync works fine.
Also, if I preview the user account I see that it has an attribute recall and repopulation thing it's trying to do... no idea why!
Can anyone help?
Is there a way to have some FIM logic along these lines:
"If person X is a Manager, then perform the following logic"
I do not believe FIM has a field associated with the person object like "isManager".
Has anyone done something similar perhaps?
I'm trying to use the Function "ConvertSidToString" with the CustomExpression:
However, I get the error: The return type(Object) of function IIF is not Binary
Hi, I'm trying to flow user email accounts to the respective Exchange mail DB, based on their company attribute.
I am only required to create email accounts for:
company = TEST1 OR company = TEST2
Also, the email account needs to be on the respective Exchange DB.
Note: I don't need to create email accounts for users other than these 2 companies.
Is there a way to grant the rights for some custom object to a group of users (security group or distribution list)? I tried to create a grant-right MPR that uses a SET as requestors, and that set has the group (security group) as a manually added member.
But this doesn't seem to work, most probably due to the fact that in the SET there is a group, so the group is authorized to perform the allowed action but not the group members. Is there any way to grant rights to the members of a group (of course without building much additional logic)?