Are you the publisher? Claim or contact us about this channel

Embed this content in your HTML


Report adult content:

click to rate:

Account: (login)

More Channels


Channel Catalog

Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite

older | 1 | .... | 170 | 171 | (Page 172) | 173 | 174 | .... | 204 | newer

    0 0

    I installed MIM 2016 from media. Installed MIM Portal/service, Password Registration, Password Reset and MIM Sync. Tested OK.

    I did not install any add-ins or extensions.

    Then I obtained the latest hotfix and patched the MIM Service and MIM Sync (now on build 4.3.2266.0)

    Since then I have had hard times getting the Password Registration to work without 401 errors. I do not see in the Hotfix492580 folder any patch installers for Password Registration and/or Password reset. Are there any?

    The only way I have found to get the Password registration to work once more is to switch in IIS8 the order Negotiate NTLM to be NTLM Negotiate.

    The documentation says I should keep all parts of MIM at the same patch level... where is the PW reg hotfix???

    0 0


    I am currently following the MIM 2016 handbook by David Steadman and Jeff Ingalls. After adding the bindings for the password portals, whenever I try to get to the main MIM portal, it seems to get stuck in the "Waiting...." loop.

    I have tried removing all of the bindings and accessing the MIM Portal again but it just seems to be hanging.

    I'm not sure why it has stopped working - both the registration and reset portal were accessible without issues and are still accessible via http after removing the https bindings. 

    Is there anything I can try to sort this out - i'm fearing a complete rebuild again (I've done this 5 times now!) 

    Hope someone can help.

    Many thanks,


    0 0



    David Lundell, Get your copy of FIM Best Practices Volume 1

    0 0


    I am following this guide to deploy PAM server (Win 2012 R2):

    I am at the stage of installing SharePoint Foundation 2013.

    Ran the SPS pre-req installer and here are the results of the SPS pre-req installer:

    • Microsoft .NET Framework 4.5: equivalent products already installed (no action taken)
    • Windows Management Framework 3.0: equivalent products already installed (no action taken)
    • Application Server Role, Web Server (IIS) Role: configured successfully
    • Microsoft SQL Server 2008 R2 SP1 Native Client: equivalent products already installed (no action taken)
    • Windows Identity Foundation (KB974405): was already installed (no action taken)
    • Microsoft Sync Framework Runtime v1.0 SP1 (x64): was already installed (no action taken)
    • Windows Server AppFabric: was already installed (no action taken)
    • Microsoft Identity Extensions: equivalent products already installed (no action taken)
    • Microsoft Information Protection and Control Client: equivalent products already installed (no action taken)
    • Microsoft WCF Data Services 5.0: equivalent products already installed (no action taken)
    • Microsoft WCF Data Services 5.6: was already installed (no action taken)
    • Cumulative Update Package 1 for Microsoft AppFabric 1.1 for Windows Server (KB2671763): was already installed (no action taken)

    Here is the error when I try to next install SharePoint Foundation:

    Has anyone seen this before? How do we fix it?


    0 0


    Busy working through 

    Just got to the part where I need to establish the PAM Trust - everything thus far has passed successfully.

    I log to PAMSrv as Domain Admin.

    this cmdlet works fine

    $ca = get-credential
    New-PAMTrust -SourceForest "contoso.local" -Credentials $ca

    This one however does not work

    $ca = get-credential
    New-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca

    I am using the same credentials for both...why would it work for one cmdlet and not the other? Are the steps in the guide incorrect?

    0 0

    I'm using MIM 2016 GalSync with Exchange 2013 and Exchange 2010.

    In a default GALSync installation, the MAs will deposit all contacts into a single OU.

    I've seen the article How to Provision Contacts to Specific OU Units Based Upon an Originating Forest but the article is old an the method to update the GALSYNC solution is not working for me. Plus the attributemsExchOriginatingForest is not available in our schema.

    I would like contacts from different MAs to go into separate OUs. How can I achieve that?

    0 0

    I am looking at the article

    "FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies"

    It seems I need to set a Registry Key. [FIM] documentation says:

    Registry Key
    SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
    Registry Value Name    Values    Class    Created by    Explain
    ADMAEnforcePasswordPolicy    dword    HKLM    Admin    1- true, everything else is false

    Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.


    This setting is only supported on FIM build version 4.0.3561.2 and later versions.


    This is only supported where the domain controller is as follows:
    · Windows Server 2008 R2 with KB2386717
    · Windows Server 2008 R2 SP1
    · Windows Server 2008 with KB2386717

    Our Windows 2008 DomainControllers are patched. ldp.exe works over SSL.I have MIM. version 4.3.2266.0

    BUT I cannot locate that registry key in SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters

    What must I do for MIM 2016 to enforce the AD Password Policy. Testers complain that SSPR works but allows old passwords.

    0 0


    During planning for MS PKI WS 2012 + MIM 2016, I'm trying to estimate the ordial future Exchange migration from 2010 to 2016 ver. would have on primarily e-mail digital signature user certificates?
    Is the migration seamless on the certificate/Outlook side, does it require (re)import of existing certificates or issuing of new ones?

    If so, I would go with the Exchange migration first, PKI next.

    E-mail encryption certs are not planned, but please share any thoughts on that context as well.

    Any experiences appreciated...

    0 0
  • 09/02/16--07:50: Reusing extensions in FIM
  • Can anybody say, how I can make reusable extension in FIM?

    I have 3 functions to replace chars (diacritics) in First Name, Last Name and Initials.

    For example (part of code):

    case "LASTEN":
    if (csentry["LAST"].IsPresent)
       string LAST = csentry["LAST"].Value;
       string LAST_EN;
       LAST_EN = Regex.Replace(LAST, "[Б]", "B");
       LAST_EN = Regex.Replace(LAST, "[Ж]", "Zh");
       LAST_EN = Regex.Replace(LAST, "[Ю]", "Yu");
       LAST_EN = Regex.Replace(LAST, "[П]", "P");
    mventry["lastNameEN"].Value = LAST_EN;

    I want to use this code for 3 times First Name, Last Name and Initials, how I can do it without using 3 "tables" of changing chars?



    0 0


    I have a requirement to introduce additional layer of authentication before users Login to the MIM Self-Service Portal. (The requirement at this stage is not the SSPR MFA). Can this be achieved within MIM or will there be a need to integrate with an External or third party MFA solution ? or Can MIM make API calls to third party MFA solution to achieve this ?

    Appreciate feedback


    0 0


    I'm trying to do a Full Import on Office365 connector MA on FIM 2010 R2 ( version 4.1.3469.0). However each time it reaches specific number of objects the process terminates due to "stopped-extension-dll-exception". Below are my configurations:

    Eventlog Error:

    FIM SYNC Engine :

    0 0
  • 09/03/16--17:10: Scenario MIM 2016
  • Hello everyone

    I need of direction about a scenario. I've the MIM 2016 installed, and configured to the provisioning of users of one specific OU.

    What the best practice to the provisioning of users in different OUs.

    MIM 2016 + Portal with sharepoint? - or it's possible make this, using just the MIM 2016 Synchronization service, and create different scripts? or only one script?


    Wilsterman Fernandes

    0 0

    Seeking suggestion on how to integrate  SuccessFactors employee central (cloud based) with MIM/FIM

    0 0


    I have an Oracle MA to DB (view) with 1 anchor and 1 reference (to managerID) in it and other data.

    When I try to make Full Import I get an error row-fetch-failure 0x80004005, after 500 objects.

    Previously, this MA was working fine. DBA make a change in schema, I already made a refresh of schema and get this error.

    I have created another MA to test this situation with only one attribute flow and also get this error.

    Any ideas?



    0 0


    I am trying to copy a datetime attribute to another datetime attribute within the FIM portal using an action workflow and function evaluator.

    e.g. Target [//Target/TargetDate]  

    Conactenate Value

    SourceDate attribute.

    The workflow creates fine but gives an internal error when the set transition occurs.  Can this be done?  Can you suggest a straightforward workaround if not.



    0 0

    I have an Oracle MA with table with collumns:

    UserID / UserFIRSTName / ManagerID (reference)

    01 /  Jack / 02

    02  /  Bill / (null)

    I need to create extension in c# to resolve ManagerID to his accountname to write this attribute in special parameter in AD.

    Manager account name I can get from AD using UserID.

    Can somebody say how it can be done?



    0 0

    We have several ECMA MAs where the MA Capability dnStyle is “None”.  We are adding additional Object types into these various MAs for an RBAC model. The anchors on the MAs are GUIDs.

    We want to take advantage of adding partitions in the existing MAs. This will give us the ability to run a particular partition on demand and to allow references within the CS to be used between the object types in the MAs. 

    To have partitions in a MA requires a rename of the objects to create a dnStyle of LDAP/Generic style from None.  Renames of objects are not allowed when using a NonednStyle

    If anyone has a creative idea how to rename the objects, or get partitions into a MA that has adnStyle of None, or other solution would be appreciated.

    Thank you, Robin

    0 0

    With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an ADLDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?   
    Is there a meta-verse where their login is created and password is sync'd from ADLDS or AD, and it the application authenticates against the meta-verse/MIM database?

    0 0

    I have people who like to change their names for various reasons (marriage, divorce, gender reassignment) and therefore need to change their cn, account name, dn, display name etc.  Most of these change just fine but when it comes to changing the account name/cn I get a Modify-naming-attribute error "The attribute cannot be modified because it is owned by the system."

    Currently one of the MA's is a very basic MA just flowing attributes directly the other has some Sync rules.  

    I have been doing some research and it said to have two entries for the dn, one for the initial flow and one for the renames.  I have this already and it's not working.

    Is it possible to do renames without extensible dlls?  how?


    0 0
  • 09/06/16--23:42: PAM & Windows 2016
  • Hi,

    Just wondering what are the major changes/enhancements when Windows 2016 launches and Privileged Access Management (PAM). No need for a bastion forest anymore?


older | 1 | .... | 170 | 171 | (Page 172) | 173 | 174 | .... | 204 | newer