Channel: Forum Microsoft Identity Manager

Permissions for a custom search scope


Hello all,

I have defined two custom search scopes, but they are not visible on the main page.

Is there a particular permission that needs to be given? Where and how? Please suggest.

Regards,

Suman


Declarative approach - changing a sync target Transition Set in existing MPR's?


MIM novice: I have a single sync target Transition Set that I use for 50+ identical outbound-only ADMAs, workflows and Management Policy Rules. My sync target Transition Set is dynamic and uses a value stored in MSexchangeEntensionAttribute15 as the trigger. This lets me mark all users to be synced to ALL the remote forests easily.

Recently the requirements have changed and a few customer forests are requiring some different accounts to be synchronized.

I would like to create some new Transition Sets, about 3, that use the same dynamic queries but also allow me to use manually controlled memberships for those specific forests. Can I modify the Management Policy Rules \ Transition In, Transition Out MPRs and change the Transition Set they use for the 3 specific forests, replacing the Transition Set without any major issues?

Thanks, Stu

csexport.exe fails. Error: The search token appears to be invalid. WHY?


We suffered a DoS attack recently. The admins upgraded the VM firmware and since that time FIM has had problems.

I have isolated the [FIM] problem to a specific MA.

FIM Synchronization server fails whenever a full synchronization requires reading/writing the connector space of the problematic MA.

I cannot dump the whole of the CS with csexport.exe:

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\bin> .\csexport.exe "User MA" c:\temp\userMAdump.xml
Microsoft Identity Integration Server Connector Space Export Utility v4.1.2273.0
© 2012 Microsoft Corporation. All rights reserved

[560/2944]Failed to export connector space.
Error: <error>The search token appears to be invalid.</error>
PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\bin>

I cannot search the whole CS using the FIM Sync GUI.

I cannot even delete the CS using the "Delete CS only" option from the Delete MA option of the FIM Sync GUI!

When I ran the csexport.exe, FIM Sync service stopped. In the Event Log I see these 3 error entries:

The server encountered an unexpected error creating performance counters for management agent "User MA".
Performance counters will not be available for this management agent.

Application: miiserver.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 000000007391E4F5

Faulting application name: miiserver.exe, version: 4.1.2273.0, time stamp: 0x4f91c0b8
Faulting module name: MSVCR90.dll, version: 9.0.30729.6161, time stamp: 0x4dace4e7
Exception code: 0xc0000005
Fault offset: 0x000000000001e4f5
Faulting process id: 0xf44
Faulting application start time: 0x01d1e7097503f47f
Faulting application path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe
Faulting module path: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\MSVCR90.dll
Report Id: 8594fe56-5303-11e6-858f-005056bd2558

I want to scratch this User MA and all its connections to the MV and rebuild the MA again. What options do I have?

If I try to delete the User MA (and its CS) and it fails, I guess the only option thereafter is to restore the databases, but what about the FIM code?

MIM - PUR / Additional software (BHold, SCSM DW, PCNS and so on)


Hi

The FIM 2010 R2 PUR (Product Use Rights) included a list of "additional software" included with the FIM license (appendix 3 in the PUR).

The PUR from aug 2014 lists:

  • Microsoft Password Change Notification Service
  • Microsoft BHOLD Suite
  • FIM Certificate Management Client
  • FIM Certificate Management Bulk Issuance Client
  • System Center – Service Manager


With the new Product Terms list, I can't find a similar list for MIM. Where should I look? I am guessing that MIM includes the same usage rights as FIM 2010 R2, but a confirmation would be great.



FIM architect - Crayon AS - www.crayon.com

Customizing Portal Header after Hotfix Build 4.3.2124 - how to?


Hey. I've been checking everywhere for more information on the following statement in the Hotfix Build 4.3.2124 information from Microsoft:

  • This update adds the ability to fully customize the portal header. Replace the portal header section with custom HTML content (by adding the CustomPortalHeader.html file into the Customizations folder).

That's completely awesome that we finally can do some more customization on the portal header without digging into the SharePoint CSS files. However, I've been trying this out and have so far had zero success. Has anyone been able to try it out yet?

What I've done is to create a "Customizations" folder and added the CustomPortalHeader.html file there: C:\Program Files\Microsoft Identity Manager\2016\Portal\Customizations\CustomPortalHeader.html

After an IISRESET, clearing the client cache and even a FIM Service restart, there are no changes in the header. What am I doing wrong?

Note: I have only added a few simple lines of HTML so far to see if I can get it to work. Does it expect something more specific?

<html><body><h1>TEST</h1><p>Test 2</p></body></html>


FIM/AD SYNC


Hello There,

We are using AD as an authoritative source from which we are pushing users into the FIM portal, but there are a few users for whom the "country" attribute is coming with the value "-1". However, this attribute has a value in AD (like India). We have import sync rules defined in the portal.

I have checked in the AD connector space and there as well I have noticed the value is coming as "-1". Kindly suggest.

Regards,

Suman Baurai

SharePoint 2013 ClickJacking Issue on Port 5725 & 5726 FIM Services


Hello,

We are running into a very critical issue. Need your kind thoughts; please review the details below.

Background : We are running SharePoint 2013 on premises farm with 2 WFEs, 2 APPs and 1 DB server. As per the architecture we are running User Profile Service on APP1 & APP2 and User Profile Synchronization Service on APP1 server. Everything is running smoothly and AD profiles are syncing with SharePoint 2013.

Problem : We ran a security scan using a third-party tool which scanned the whole farm and pointed out a few vulnerabilities in servers. Most of them are fixed. However, it's pointing to http://localhost:5725 or http://MyServerIP:5725 saying that it's allowing ClickJacking on this URL. This vulnerability is appearing only on the server that is running the User Profile Synchronization Service (i.e. APP1). I am unable to find this binding in IIS with any site or web service. Research on Google says that it belongs to the Forefront Identity Manager Synchronization Service which connects with AD for the User Profile Synchronization Service.

I can see inbound rules in the firewall and found that the port is allowed under the names below.

ILM Web Service - RMS  (Port 5725)

ILM Web Service - STS   (Port 5726)

Question : Any idea how I can get to the source of this service or prevent ClickJacking?

I'll be glad to provide more details on it and am really thankful for your kind thoughts.

Regards,

Muhammad Zeeshan Tahir

MIM 2016 Portal - responsive


Do you guys know if the 2016 release or the current CTP has responsive design for the portal? 

A case we are working on requires it.



Generic SQL connector - Deleting all values of a multivalue reference attribute is not represented in export


Hello All,

TL;DR: Upon deleting ALL entries of a multivalued reference attribute, the Generic SQL connector does not export the changes. Removing only some of the entries works fine. Reproduction steps at the end.

We have 3 management agents:

  • MA connected to an authoritative datasource for users
  • Access Management MA connected to Bhold for Role Based Access Control
  • Generic SQL MA connected to the destination datasource which is also the source of 'permissions' (being groups in MV & BHOLD)

We provide users from the first MA, and permissions from the Generic SQL MA. Then we use BHOLD to assign these permissions to the user roles. In the MetaVerse BHOLD permissions are translated into group objects. The users that have these permissions are stored in a multivalued reference attribute (called UserID) of each corresponding group object.

These group objects later update their permissions in the Generic SQL connector space via a basic attribute flow (allow nulls is checked). Afterwards they get exported to the destination datasource and we can verify that the permissions are assigned to the users.

Everything works like a charm except when we remove a certain permission from ALL users in BHOLD (removing the permission from some users works fine). In the MetaVerse this translates into the removal of all values from the multivalued reference field (and again, leaving just 1 or more values present works fine).

This works like a charm and propagates properly to the datasource:

[Screenshot: delete some users]

This does not work (note that this screenshot was taken after we removed the first two entries shown in the screenshot above, thus only one entry is present):

[Screenshot: delete all users]

We expect the cause to be a not implemented scenario (bug?) in the Generic SQL connector. Upon debugging the code of the generic SQL connector using reflection we encountered the code below. Since we have a multivalued attribute we enter the first (highlighted) if-statement. Once inside it counts the 'ValueChanges' of the attribute, but apparently this count returns zero, causing the code to pass the two next if statements.

A result of this is represented in the export run profile logfile you can find below. The former logfile removes all but one entry of the reference field and the latter removes all of them. As you can see the '<dn-attr>' element in the latter is empty (which according to us is originating in the code above).

Export log file upon removing some entries:

<?xml version="1.0" encoding="UTF-16"?><mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export"><directory-entries><delta operation="update" dn="CN=G01,OBJECT=role"><anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor><dn-attr name="UserID" operation="update" multivalued="true"><dn-value operation="delete"><dn>CN=U02,OBJECT=user</dn><anchor encoding="base64">CAAAAFUAMAAyAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value><dn-value operation="delete"><dn>CN=U03,OBJECT=user</dn><anchor encoding="base64">CAAAAFUAMAAzAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value></dn-attr></delta></directory-entries></mmsml>

Export log file upon removing ALL entries:

<?xml version="1.0" encoding="UTF-16"?><mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export"><directory-entries><delta operation="update" dn="CN=G01,OBJECT=role"><anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor><dn-attr name="UserID" operation="delete" multivalued="true"></dn-attr></delta></directory-entries></mmsml>

Is this some mistake or a not implemented scenario in the Generic SQL connector, and if so, where do I report this? Since we only got part of the code using reflection, is it possible to obtain the source code for the Generic SQL Connector so we can investigate further?

Reproduction Steps :

  1. Create accounts in the source system
  2. Create permissions in the destination system
  3. Import both the accounts and the permissions
  4. Synchronize both accounts and permissions to the MV (they will get provisioned to BHOLD through a MV-extension)
  5. Export to BHOLD
  6. Assign a couple of roles to the permissions in BHOLD
  7. Import from BHOLD
  8. Synchronize BHOLD MA (groups will contain their member ID's in the destination CS)
  9. Export the destination MA (+ confirming import)
  10. Remove all roles from the BHOLD permission
  11. Import from BHOLD (group objects will have no members in BHOLD CS)
  12. Synchronize BHOLD MA (group objects will have no members in the MV and destination CS)
  13. Export the destination MA
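As an added example (not the poster's code, and not part of the Generic SQL connector), a small Python check that parses export logs in the mmsml format quoted above and flags the exact shape the post describes: a multivalued `dn-attr` carrying `operation="delete"` with no `dn-value` children, as opposed to the `operation="update"` form that lists each deleted value. The two sample logs are the ones from the post (per-value anchors trimmed), re-encoded as UTF-16 to match their XML declaration.

```python
# Added example (not the poster's code): parse MIM export logs (mmsml) and
# flag a multivalued reference attribute that is cleared in one go, the case
# the post above reports as not being exported by the Generic SQL connector.
import xml.etree.ElementTree as ET

NS = {"m": "http://www.microsoft.com/mms/mmsml/v2"}

# The two export logs quoted in the post (value anchors trimmed). Real logs
# are UTF-16 files, so the samples are encoded to match their declaration.
SOME_DELETED = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">'
    '<directory-entries><delta operation="update" dn="CN=G01,OBJECT=role">'
    '<anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor>'
    '<dn-attr name="UserID" operation="update" multivalued="true">'
    '<dn-value operation="delete"><dn>CN=U02,OBJECT=user</dn></dn-value>'
    '<dn-value operation="delete"><dn>CN=U03,OBJECT=user</dn></dn-value>'
    '</dn-attr></delta></directory-entries></mmsml>'
).encode("utf-16")

ALL_DELETED = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">'
    '<directory-entries><delta operation="update" dn="CN=G01,OBJECT=role">'
    '<anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor>'
    '<dn-attr name="UserID" operation="delete" multivalued="true"></dn-attr>'
    '</delta></directory-entries></mmsml>'
).encode("utf-16")


def dn_attr_changes(xml_bytes: bytes) -> list:
    """One record per <dn-attr> in each <delta>: object dn, attribute name,
    attribute-level operation and the (operation, dn) pairs of its values."""
    root = ET.fromstring(xml_bytes)
    records = []
    for delta in root.iterfind("m:directory-entries/m:delta", NS):
        for attr in delta.iterfind("m:dn-attr", NS):
            values = [(v.get("operation"), v.findtext("m:dn", namespaces=NS))
                      for v in attr.iterfind("m:dn-value", NS)]
            records.append({"dn": delta.get("dn"), "attr": attr.get("name"),
                            "operation": attr.get("operation"),
                            "multivalued": attr.get("multivalued") == "true",
                            "values": values})
    return records


def clear_all_deletes(xml_bytes: bytes) -> list:
    """Records where a multivalued dn-attr is deleted as a whole: the attribute
    carries operation="delete" and lists no individual dn-values. Removing only
    some values instead appears as operation="update" with dn-value children."""
    return [r for r in dn_attr_changes(xml_bytes)
            if r["multivalued"] and r["operation"] == "delete"
            and not r["values"]]
```

Running `clear_all_deletes` over a batch of export logs gives a quick way to tell which export runs hit the "remove all members" case before checking the destination datasource by hand.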

Default member and owner while Group creation

While creating a group in FIM, in the wizard, I see that my logged in account is added as the group member and owner by default. Every time I have to delete them and add members/owners as required. Is there a way to get rid of this default value?

Deletion from connector space


Hi,

If I need to delete a single record from the Connector Space, can I delete it by executing a delete command, something like:

delete from mms_connectorspace where rdn='xxx';

Is it the right process? Is there any impact if we directly remove an entry from the CS table? Please let me know. I need this in case some orphaned objects are lying in the connector space and their corresponding objects have been removed from the source. I can delete the entire connector space and rebuild it, but I want to know what I should do if I need to delete a few objects instead of the entire connector space. Please advise.

Thanks in advance!


Aritro Chattopadhyay


Want to set supervisor for users in BHOLD


Hi All,

We have a requirement where we would require the line managers of users to manage their reportees' roles through BHOLD self service. In BHOLD what I see is an option to provide a Default Supervisor Role which doesn't distinguish between users. Is there an option to set a single user as a supervisor?

What parts need installation if I only want to sync passwords cross forest?


I have two different forests with a two-way trust relationship. Because of third-party application software, I have to sync the password for the same user name located in the different forests. My question is which modules need installation? I think I needn't install everything from FIM.

Thanks,

Peter


Password RESET site is unavailable


Hello,

I am receiving "This page cannot be displayed" while accessing the SSPR sites. Please note that I have checked that the application pools and services are up and running.

Kindly suggest.

Regards,

Suman

BHOLD FIM integration


Hi,

Do the B1 and FIMService DBs have to be placed on the same SQL instance? While installing the BHOLD FIM integration I'm getting an error that says 'Invalid object name FIMSERVICE.fim.Objects'. It's trying to create a view called FIM:Requests with a SELECT statement referencing FIMSERVICE.fim.[Objects]. Any idea?


MIM PAM - Get-PAMRoleForRequest PowerShell - The caller was not authenticated by the service


So I am following this manual: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-7-elevate-user-access

 Import-Module MIMPAM
 $r = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
 New-PAMRequest -Role $r
 klist purge

The PowerShell above gives me this kind of error:

Get-PAMRoleForRequest : The caller was not authenticated by the service.
At line:1 char:6
+ $r = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
+      ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-PAMRoleForRequest], SecurityNegotiationException
    + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.RequestorPamCmdlets.Commands.GetPamRolesCommand

So how should the caller authenticate, or what's the problem?



How to sync two active directory forest with FIM or MIM 2016.


Hello,

Please, I have a problem and would like to know if FIM can help me solve it.

We have two Active Directory forests in the same company and a single physical site; however, we are implementing a third-party application that only allows LDAP integration with a single forest and does not work with a trust relationship.

To solve this issue I thought about synchronizing the accounts in forest A that need to access the system in forest B, thus not having to create duplicate users in forest B and keeping the accounts synchronized. Would it be possible?

Basically, this system would run LDAP queries in forest B, but would be able to authenticate users of the forest that would be synchronized by FIM.

Regards

William


References Scoping


Hi

I have three entity Types within the same connector space (CS). Two are mapped to the same Metaverse (MV) Entity:
CS User -> MV Person
CS Contact -> MV Person

CS Organization -> MV Organization

Now my problem: MV Organization references an MV Person. I would like to flow that information to the CS using the Sync engine only (no FIMService, no sync rules, no Flow Scope, meaning coding, which is normally not a problem for me). Using direct flows I get ambiguous flows, as expected. So I need an advanced rule. But since I cannot use an MV Reference Attribute as the source attribute in an Advanced Export flow, things get complicated.
What's the best option?

thanks for your help

Pirmin

MIM and Oracle DB integration and existing users


Hi to all!

I'm in the process of integrating existing AD and HR (Oracle DB based) systems.

I want to sync users from Oracle to AD, but at the moment we already have all users in AD.

How would it be best to set up such a sync?

As I understand it, when we start provisioning, MIM will try to create all users in AD again?

Thanks!



MIM 2016 - recommended scaleout for high volume installations


We have a scenario where we are looking at an installation of several thousands of users. What are the scaling recommendations for MIM 2016?

Installing the components separately is a thought we have at the moment:

1+ Windows 2012 server - MIM Sync

1+ Windows 2012 server - MIM Service

1+ Windows 2012 server - MIM Portal

Is it maybe wise also to have different database hosts for the MIM sync / service databases?

