Channel: Forum Microsoft Identity Manager

Account synchronisation fails to fully provision in FIM 2010 R2 for around 1% of users, I need to perform manual edits in the FIM portal


Hi,

I'm provisioning users to AD based on an input from a CSV file (it's actually a CSVDE). I've successfully synced around 6000 users and that has worked fine for a number of months. The process I'm using is as follows:

1. File MA --> Full import and delta sync (loads data from CSV file)
2. FIM MA --> Export, delta import and delta sync (provisions user to FIM portal)
(wait 10 minutes)
3. AD MA --> Export, delta import and delta sync (provisions user and mailbox in AD)
4. FIM MA --> Export, delta import and delta sync (updates domain attribute in FIM portal)

I'm using declarative rules, similar to this: https://technet.microsoft.com/en-us/library/ee534908(v=ws.10).aspx

The HR file is authoritative (i.e. takes precedence

Today I realised that around 50 users were provisioned to the MV, had a file MA connector and a FIM connector, but not an AD connector. Looking at the account in the FIM portal I realised that the domain attribute was not populated for contoso and that an AD outbound sync rule was not pending.

I then decided to run the synchronisation steps at 1 to 4 above, but this time used full imports and full synchronisations. After doing this the number of accounts which did not have an AD MA connector dropped to around 10 (e.g. 40 additional accounts were provisioned to AD).

To provision the remaining 10 users, I firstly deleted the 10 users from my input CSV file and ran through the sync steps above. This ensured that the 10 users were removed from the MV and FIM portal. I then re-added the 10 users to my CSV and ran through the steps above, but this did not provision the 10 users! To ensure the 10 users and their mailboxes were created in AD/Exchange I did the following:

1. Logged on the FIM portal and checked to see if an AD outbound sync rule is pending (it's not).
2. Changed the user account employee type to "contractor" (bringing the user out of scope of a sync rule using the MPR\triple).
3. On the FIM MA, performed a delta import and delta sync. The MA shows an update, but prompts for a FIM MA export back to "FullTimeEmployee" for the user as the MV value takes precedence.
3b. I perform an export and delta import on the FIM MA.
4. The user account now shows as having an AD export sync rule pending.
5. If the synchronisation step in 3A shows an outbound synchronisation for the AD MA, I simply perform a:

5a. AD MA --> export, AD delta import & AD delta sync
5b. FIM MA --> export, delta import & delta sync

If the synchronisation step in 3A does not show an outbound synchronisation for the AD MA, I do the following:

5c. Change the domain attribute for the user to "contoso" using the drop down in the FIM portal when clicking on the user.
5d. FIM MA --> delta import and delta sync (MA reports update due to 5c).
5e. FIM MA --> export, delta import and delta sync. 
5f. FIM MA --> delta import and delta sync (now the AD MA shows an outbound synchronisation)
5g. AD MA --> export, delta import and delta sync (user account and mailbox provisioned in AD)
5h. FIM MA --> export, delta import and delta sync (tidy up)

I don't know why these additional steps were required for the 10 users, it just feels as if they got stuck in the system! 

Any ideas on how to avoid this oddness would be appreciated in future...

On a slightly different note, am I right in thinking that full synchronisations and imports on valid existing objects simply update the existing object if applicable, rather than deleting and creating new objects?

Thanks in advance


IT Support/Everything


Can FIM send provisioning errors in email to administrator?


Wondering if FIM can send email notifications of provisioning errors? Does an admin really have to log in daily to check the FIM Synch Service Manager for errors? I see that it throws an error into the event log, but just states how many records had errors, not the specific records or details on those errors. Is there any way to do this so emails could go out to our Helpdesk or FIM Administrators for certain MA provisioning errors?

Thanks!

Notification on change on ComputedMember in group filter


Hi!

I need to send a notification to the group owner, when the membership of a dynamic group changes.

I have set up a basic MPR, firing on the 'ComputedMember' attribute, but it does not seem to react.

Anyone has an idea on how to set this up?

Thanks,

Søren


In FIM portal, in position window, added new roles disappear after some time

I open some position window, select the roles tab, add new roles and submit them, and after some time, when all MAs in sync update, the roles that I added in that position are missing. What can cause this problem? The same goes for removing roles from a position.

Exporting Employee Start Date on portal


Hello!

I have a problem with updating Employee Start Date on MIM Portal.

What is in my setup:

1. SQL table with HIRE_D column.

2. In MV, employeeStartDate is filled with data from the SQL table, for example 2012-07-15 00:00:00

3. Inbound Sync rule from the SQL table is in this format:

function

function name = DateTimeFormat

dateTimeString:String=HIRE_D

format:String = yyyy-MM-ddTHH:mm:ss.000

linked to employeeStartDate in MV

After this configuration I can't see anyone with a filled Employee Start Date on the MIM Portal.

Can anybody help?

Thanks!




Schema refresh problem with SQL MA


Hello,

In our test FIM environment we connect to a MSSQL database for test HR data. The MA connects with a user who has db_owner permissions on the database (via an AD group). If I add a new record I can sync the data into FIM.

My problem is that if I add a new attribute in the database (right click columns and add new column) I cannot get it to show in the MA properties in FIM.

I can add a new user in MSSQL with the new column populated. Then, I choose "refresh schema" on the MA (using the same userid/password). The dialog box says there is a schema difference and it has applied it. However, when I go into MA properties and choose "Select Attributes" (making sure "Show All" is ticked) then the new attribute does not appear.

I have done a service restart as well as a Full Sync yet I still cannot get the attribute to show in the properties. When I choose "refresh schema" on the MA now it states "The schemas are the same. No update required".

Any help appreciated.

Thanks,

Dave.

Unable to delete Management Agents


Hi All,

I have been given the task to delete redundant Management Agents within FIM 2010 R2. However, when I try and delete the Agent and select:

"Delete management agent and connector space"

I get the following error:

"Unable to delete the management agent. The management agent cannot be deleted or renamed because the working directory is in use".

It is worth noting that the Agent was for a domain which was decommissioned over a year ago. It serves no purpose; however, there are Metaverse Retry Errors each morning: "Sync-rule-flow-provisioning-failed".

Before the task came to me, I have had no FIM experience whatsoever, so appreciate all the help I can get here.

Regards,

Hugh

The Microsoft Identity Manager server database couldnot be sucessfully populated


Dear All

I am following the MIM deployment guide for a POC lab using SQLServer2012 as the db. MIM Service and Portal fail to complete installation with the following error "The Microsoft Identity Manager server database couldnot be sucessfully populated"
and the installer gets stuck with an open command window. The database was created during the installation and it appears the database population failed.
The MIM service account has the mail attribute manually set since Exchange server is not installed, and here is the line from the log file:

MSI (s) (24:38) [16:34:35:701]: Executing op: CustomActionSchedule(
 Action=DeployAndPopulateDatabase,
 ActionType=1026,
 Source=BinaryData,
 Target=installApp=FIM
 action=DeployAndPopulateDatabase
 databaseName=FIMService namespaceName="fim" 
 datFilesInstallDir="E:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Data\BL" 
 sqlserverName=CORPIDM
 FIMServiceAccountDomain=contoso
 FIMServiceAccountName=MIMService
 SyncServiceAccountDomain=CONTOSO
 SyncServiceAccountName=MIMSync
 RunningUserDomain=CONTOSO
 RunningUserName=Administrator
 RunningUserEmail= 
 CreateDatabase=True,)

The installer rolls back and Event Viewer has the following error after a few minutes, even if the database exists.

SQL Database 'SharePoint_Config' on SQL Server instance 'CORPIDM' not found. Additional error information from SQL Server is included below.""Cannot open database "SharePoint_Config" requested by the login. The login failed.Login failed for user 'CONTOSO\SharePoint."

Kindly help in fixing this error.
Thanks!


When a person's surname is changed, why do some systems not update it?

When a person's surname is changed, some systems update it, but some do not. What can be the problem if those systems are configured pretty much the same?

Resizing MIM Portal windows?


Hi,

Is there a way to enlarge some of the MIM Portal windows?

For example, when creating a new User in the Portal, could the create RCDC pages be bigger so we don't scroll as much?

Same question for Creating, Editing Users, Groups, MPRs, workflows, etc etc

Thanks,

SK

Outbound Sync statistics not appearing in a full sync


I've installed the Gal Sync service of MIM 2016.

I've followed the guide to install (https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/microsoft-identity-manager-deploy) so I'm pretty sure the installation is correct.

On my 2 test MAs, I cannot see the outbound statistics. It's as if it didn't run the outbound sync at all.

I can see the test user account in both the Connector Space and the Metaverse.

I have 2 separate AD and Exchange forests. Exchange running 2013.

What could be the issue or how can I debug?

Dynamic RCDC


Hi All,

I am aware that based on an existing boolean attribute value we can show/hide any field within a tab. Now my question is whether it is possible to show field "XYZ" as a drop down when the existing boolean attribute (without any manual interference) is set to "TRUE" and field "XYZ" as a label when the boolean attribute is set to "FALSE"?

I tried doing this by giving 2 control tags with the same name but RCDC errored out. Is there any other way to achieve this?

Also can dynamic RCDC behaviour be achieved only based on Boolean attribute? Is it not possible based on a "String" attribute?

Thanks,


Veena

Error removing custom object from FIM MA


Hi,

I've previously created a custom object in the FIM Portal and synchronized it with the metaverse. I am now removing that object which is no longer used. I removed it from the selected object types and attribute flows in the FIM MA, removed it from the Synchronization Filter in the portal, refreshed the schema and ensured the object types, selected attributes and attribute flows are all gone in the FIMMA. I then click "OK" and get an error:

"Unable to update the management agent. The XML format of the join rules is invalid"

In event log:

The server encountered an unexpected error while performing an operation for a management agent.
 
 "ERR_: MMS(4400): d:\bt\11692\private\source\miis\server\rules\joinxml.cpp(1617): Join: Invalid cd object type cd-object-type for element <join-profile>
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\rules\joinxml.cpp(1618): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\rules\joinxml.cpp(1128): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\shared\xmlpe\xstack.cpp(409): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\shared\xmlpe\xparse.cpp(440): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\rules\joinxml.cpp(798): 0x8023050d (The XML format of the join rules is invalid.)
ERR_: MMS(4400): d:\bt\11692\private\source\miis\server\rules\join.cpp(140): Join: failed due to invalid XML configuration
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\rules\join.cpp(141): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\rules\join.cpp(73): 0x8023050d (The XML format of the join rules is invalid.)
ERR_: MMS(4400): d:\bt\11692\private\source\miis\server\mastate\mastate.cpp(12912): Error creating join rules object: 0x8023050d
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\mastate\mastate.cpp(13164): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\mastate\mastate.cpp(6238): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\server\ma.cpp(670): 0x8023050d (The XML format of the join rules is invalid.)
BAIL: MMS(4400): d:\bt\11692\private\source\miis\server\server\ma.cpp(928): 0x8023050d (The XML format of the join rules is invalid.)
Forefront Identity Manager 4.1.3479.0"

I have performed this task on another environment of the same configuration without error. Could it be the MA config has become corrupt? Any suggestions appreciated!

Is Microsoft EDGE Browser supported for FIM 2010 R2?


I can't get no information... ;-)


GH

Parent Child Domains.


I recently deployed a MIM2016/FIM dev environment. My test users seem to be working fine in the parent domain, but users in the child domain are getting unauthorized errors at the pw registration screen. When I look at users on the MIM portal I see all my test users in the parent and child domains. The domain listed for the child domain users is the parent domain instead of the child domain. If I click on one of the users I am unable to change the domain manually because only the parent domain is listed in the domain drop down window. My sync service manager is pointing to the child domain and OU and syncs with one of the child domain DCs successfully. The DN and CN are correct. Just not sure why it's showing the parent domain as the domain rather than the child domain. Any help would be much appreciated.

***Update*** So it seems if I manually go into advanced view > Extended Attributes > Domain and type in the child domain it works. I'm not sure why it isn't automatically assigned the child domain though.


How can Help Desk Validate Users for Password Reset


We have implemented the MIM SSPR option to allow users to reset their own passwords or unlock their accounts. 

We are looking for a solution to allow the help desk to reset a user's password if they need to call in to have the password reset. The issue is how do you validate the user who is calling in? How can we utilize MIM 2016 to help us with this?

For example, some scenarios:

Could be a user who is external and may know the answers to the questions (or not) and does not have access to get their OTP, because their external email has changed or they have a new phone number, etc.

Or

Maybe they have forgotten the answers to some of the questions, as they registered quite a while ago and have now forgotten.



PAM Module of MIM


Hi Gurus,

I have a query regarding the PAM module present in the MIM 2016 suite. Can we install the PAM module in the MIM used to manage Corporate Identities or do we need to have a separate MIM in a separate server for the PAM module implementation? Couldn't see any Microsoft documentation on this scenario.

FIM Administration Portal - Unable to process your request


Recently, I posted a question asking on how to delete management agents;

https://social.technet.microsoft.com/Forums/en-US/96cc60ec-baab-4e0f-be3d-609518f4c042/unable-to-delete-management-agents?forum=ilm2

After a few days of trying to find the Administrator Account to log into the Administration Portal to attempt to follow the steps outlined in the above link, I find myself with a new issue.

1. I am trying to log into the FIM Admin Portal, which I assume the URL is: http://SERVERNAME/IndentityManagement, is this correct?

2. I get the following error message after using credentials;

Not really sure what has gone wrong here, nor how to resolve this issue.

Thanks in advance for all advice here.

SSPR integration with no PCNS and password extensions


Hi all,

I can't believe I'm having to ask this as I feel like it's something I should know, but here goes nothing...

Does FIM/MIM SSPR only reset the AD password and not recursively every supported, connected system?  We've developed a password extension for a web service implemented using ECMA and successfully tested that the password reset works when triggered through a WMI SetPassword call, but the password is not being reset when a user completes self service password reset.

Does it normally reset the password in AD, which gets communicated back using PCNS and changed in the other systems?  I guess that's not normally too much of an issue, as FIM/MIM is heavily AD-integrated, but it's interesting that I've only just come across this as an issue with our customer who is risk averse and still considering PCNS through change control in a hybrid test/development (I know, I know..), so at the moment their testing is failing.

Any clarification would be helpful just to support my findings.

Thanks,

Paul.

Hotfix rollup package for Microsoft Identity Manager 2016

Hi, 

What are the proper installation instructions for the hotfix rollup packages? 
https://blogs.technet.microsoft.com/iamsupport/idmbuildversions/

Unzipping the hotfix leaves me with 16 msi and one language packs zip file.

I'm running a MIM 2016 installation with PAM and just AD and the FIM Service MAs. Should I install them all, to avoid a version mismatch or just install the relevant ones? If so.. which ARE the relevant ones for my (current) setup? 


Regards,
Andreas 