Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

How do I patch/hotfix the MIM 2016 password registration/reset features?


I installed MIM 2016 from media. Installed MIM Portal/service, Password Registration, Password Reset and MIM Sync. Tested OK.

I did not install any add-ins or extensions.

Then I obtained the latest hotfix and patched the MIM Service and MIM Sync (now on build 4.3.2266.0)

Since then I have had a hard time getting the Password Registration to work without 401 errors. I do not see in the Hotfix492580 folder any patch installers for Password Registration and/or Password Reset. Are there any?

The only way I have found to get the Password Registration to work once more is to switch the Windows Authentication provider order in IIS 8 from "Negotiate, NTLM" to "NTLM, Negotiate".

The documentation says I should keep all parts of MIM at the same patch level... where is the Password Registration hotfix???


MIM 2016 - Portal Connectivity after IIS bindings


Hi,

I am currently following the MIM 2016 handbook by David Steadman and Jeff Ingalls. After adding the bindings for the password portals, whenever I try to get to the main MIM portal, it seems to get stuck in the "Waiting...." loop.

I have tried removing all of the bindings and accessing the MIM Portal again but it just seems to be hanging.

I'm not sure why it has stopped working - both the registration and reset portal were accessible without issues and are still accessible via http after removing the https bindings. 

Is there anything I can try to sort this out? I'm fearing a complete rebuild again (I've done this 5 times now!)

Hope someone can help.

Many thanks,

Stephen

How to use PowerShell to List the Sets in which a FIM Portal (MIM) user is a member
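The post above carries only its title. As an added example, not code from the original post, here is one way to answer that title with the FIMAutomation snap-in that ships with the MIM Service: query Set resources whose ComputedMember contains the user, which covers both manually managed and criteria-based sets. The service URI, the sample account name and the account-name whitelist are assumptions; the whitelist exists because the account name is interpolated into an XPath filter sent to the service.

```powershell
# Added example (not from the post). Assumptions: FIMAutomation snap-in present,
# MIM Service on the default port, caller permitted to read Set resources.
Add-PSSnapin FIMAutomation -ErrorAction Stop

function Get-MIMUserSets {
    param(
        # Whitelist the account name: it is interpolated into an XPath filter,
        # so an apostrophe or bracket here would become XPath injection.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]+$')]
        [string]$AccountName,

        [string]$Uri = 'http://localhost:5725'   # assumption: default MIM Service endpoint
    )

    # ComputedMember covers explicit members and criteria-based membership,
    # which is what "the sets a user is in" means for MPR evaluation.
    $xpath = "/Set[ComputedMember=/Person[AccountName='$AccountName']]"

    Export-FIMConfig -Uri $Uri -CustomConfig $xpath -OnlyBaseResources |
        ForEach-Object {
            $attrs = @{}
            foreach ($a in $_.ResourceManagementObject.ResourceManagementAttributes) {
                $attrs[$a.AttributeName] = $a.Value
            }
            [pscustomobject]@{
                DisplayName = $attrs['DisplayName']
                ObjectID    = $attrs['ObjectID']
                # Filter is absent on manually managed sets
                Filter      = $attrs['Filter']
            }
        }
}

# Sample call; 'jdoe' is an assumed account name.
Get-MIMUserSets -AccountName 'jdoe' | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it under an account that has Read permission on Set resources; otherwise the service silently returns fewer sets than the user is actually in, which matters when you are using the list to reason about which MPRs apply to that user.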

Preparing PAM Server & .Net Framework issues


Hi,

I am following this guide to deploy PAM server (Win 2012 R2): 

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-3-prepare-pam-server

I am at the stage of installing SharePoint Foundation 2013.

Ran the SharePoint pre-req installer; here are its results:

• Microsoft .NET Framework 4.5: equivalent products already installed (no action taken)
• Windows Management Framework 3.0: equivalent products already installed (no action taken)
• Application Server Role, Web Server (IIS) Role: configured successfully
• Microsoft SQL Server 2008 R2 SP1 Native Client: equivalent products already installed (no action taken)
• Windows Identity Foundation (KB974405): was already installed (no action taken)
• Microsoft Sync Framework Runtime v1.0 SP1 (x64): was already installed (no action taken)
• Windows Server AppFabric: was already installed (no action taken)
• Microsoft Identity Extensions: equivalent products already installed (no action taken)
• Microsoft Information Protection and Control Client: equivalent products already installed (no action taken)
• Microsoft WCF Data Services 5.0: equivalent products already installed (no action taken)
• Microsoft WCF Data Services 5.6: was already installed (no action taken)
• Cumulative Update Package 1 for Microsoft AppFabric 1.1 for Windows Server (KB2671763): was already installed (no action taken)

Here is the error when I next try to install SharePoint Foundation:

Has anyone seen this before? How do we fix it?


Thanks


Unable to establish PAM Trust


Hi,

Busy working through https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corp-forests. 

Just got to the part where I need to establish the PAM Trust - everything thus far has passed successfully.

I log on to PAMSrv as Domain Admin.

This cmdlet works fine:

    $ca = Get-Credential
    New-PAMTrust -SourceForest "contoso.local" -Credentials $ca


This one, however, does not work:

    $ca = Get-Credential
    New-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca

I am using the same credentials for both... why would it work for one cmdlet and not the other? Are the steps in the guide incorrect?

GALSYNC: is there a way to deposit contacts into separate OUs


I'm using MIM 2016 GalSync with Exchange 2013 and Exchange 2010.

In a default GALSync installation, the MAs will deposit all contacts into a single OU.

I've seen the article "How to Provision Contacts to Specific OU Units Based Upon an Originating Forest", but the article is old and the method to update the GALSync solution is not working for me. Plus the attribute msExchOriginatingForest is not available in our schema.

I would like contacts from different MAs to go into separate OUs. How can I achieve that?

How to configure MIM 2016 Password Reset to enforce AD Password Policy?


I am looking at the article https://support.microsoft.com/en-us/kb/2443871

"FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies"

It seems I need to set a registry key. The [FIM] documentation says:

Registry Key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>
Registry Value Name: ADMAEnforcePasswordPolicy
Values: dword
Class: HKLM
Created by: Admin
Explain: 1 = true, everything else is false

Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.

Note:

This setting is only supported on FIM build version 4.0.3561.2 and later versions.

Note:

This is only supported where the domain controller is as follows:
· Windows Server 2008 R2 with KB2386717
· Windows Server 2008 R2 SP1
· Windows Server 2008 with KB2386717

Our Windows 2008 domain controllers are patched. ldp.exe works over SSL. I have MIM version 4.3.2266.0.

BUT I cannot locate that registry key under SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters.

What must I do for MIM 2016 to enforce the AD Password Policy. Testers complain that SSPR works but allows old passwords.
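The KB excerpt quoted in the post lists the value as "Created by: Admin", so its absence is expected: the PerMAInstance branch and the per-MA subkey are not written by setup. As an added example, not code from the original post, here is a PowerShell snippet that creates the key and value on the Synchronization Service server and reads it back. The key path and value name are the ones quoted above; the MA name 'ADMA' is an assumption, replace it with the exact display name of your AD management agent as shown in Synchronization Service Manager.

```powershell
# Added example (not from the post). Run on the MIM Synchronization Service server
# as a local administrator. $maName is an assumption: use the exact name of your
# AD management agent as shown in Synchronization Service Manager.
$maName = 'ADMA'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\$maName"

# The PerMAInstance branch and the per-MA subkey are not created by setup
# (the KB lists the value as "Created by: Admin"), so create them if absent.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Only the DWORD value 1 enables the check; anything else is treated as false.
New-ItemProperty -Path $key -Name 'ADMAEnforcePasswordPolicy' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back so a typo in the MA name or value name is caught now,
# not when a tester reuses an old password.
$current = (Get-ItemProperty -Path $key).ADMAEnforcePasswordPolicy
if ($current -ne 1) {
    throw "ADMAEnforcePasswordPolicy not set under $key"
}
"ADMAEnforcePasswordPolicy = $current for MA '$maName'"
```

A mistyped MA name silently creates an unrelated subkey and the AD MA keeps ignoring password history, so the read-back is the part worth keeping. Restart the Forefront Identity Manager Synchronization Service after the change, as is usual for PerMAInstance settings, then retest SSPR with a password from the user's history and confirm the reset is rejected.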

S/MIME signing certificates after migration from Exchange 2010 to 2016?

Hi,

During planning for MS PKI on WS 2012 + MIM 2016, I'm trying to estimate the impact the future Exchange migration from 2010 to 2016 would have, primarily on e-mail digital signature user certificates.
Is the migration seamless on the certificate/Outlook side, or does it require (re)importing existing certificates or issuing new ones?

If so, I would go with the Exchange migration first, PKI next.

E-mail encryption certs are not planned, but please share any thoughts on that context as well.

Any experiences appreciated...

Reusing extensions in FIM


Can anybody tell me how I can make a reusable extension in FIM?

I have 3 functions to replace chars (diacritics) in First Name, Last Name and Initials.

For example (part of code):

case "LASTEN":
    if (csentry["LAST"].IsPresent)
    {
        string LAST = csentry["LAST"].Value;
        // Each Replace must operate on the previous result. Passing LAST
        // every time discards all but the final substitution.
        string LAST_EN = Regex.Replace(LAST, "[Б]", "B");
        LAST_EN = Regex.Replace(LAST_EN, "[Ж]", "Zh");
        LAST_EN = Regex.Replace(LAST_EN, "[Ю]", "Yu");
        LAST_EN = Regex.Replace(LAST_EN, "[П]", "P");

        mventry["lastNameEN"].Value = LAST_EN;
    }
    break;

I want to use this code three times (First Name, Last Name and Initials); how can I do it without using three "tables" of character replacements?

Thanks!




Protecting Access to the MIM Self-Service Portal with MFA


Hello

I have a requirement to introduce an additional layer of authentication before users log in to the MIM Self-Service Portal. (The requirement at this stage is not the SSPR MFA.) Can this be achieved within MIM, or will there be a need to integrate with an external or third-party MFA solution? Or can MIM make API calls to a third-party MFA solution to achieve this?

Appreciate feedback


Akinzo

stopped-extension-dll-exception in FIM 2010 R2 (version 4.1.3469.0) during Full Import from Office 365


Hi,

I'm trying to do a Full Import on the Office 365 connector MA on FIM 2010 R2 (version 4.1.3469.0). However, each time it reaches a specific number of objects the process terminates due to "stopped-extension-dll-exception". Below are my configurations:

Event log error:

FIM Sync Engine:

Scenario MIM 2016

Hello everyone


I need some direction on a scenario. I have MIM 2016 installed and configured for provisioning users in one specific OU.

What is the best practice for provisioning users into different OUs?

MIM 2016 + Portal with SharePoint? Or is it possible to do this using just the MIM 2016 Synchronization Service and different scripts? Or only one script?



Thanks

Wilsterman Fernandes

Seeking suggestion on methods to integrate SuccessFactors employee central (cloud based) with MIM/FIM


Seeking suggestions on how to integrate SuccessFactors Employee Central (cloud based) with MIM/FIM.

row-fetch-failure with Oracle MA


Hi!

I have an Oracle MA to a DB (view) with 1 anchor, 1 reference (to ManagerID) and other data.

When I try to run a Full Import I get the error row-fetch-failure 0x80004005 after 500 objects.

Previously, this MA was working fine. The DBA made a change in the schema; I have already refreshed the schema and still get this error.

I have created another MA to test this situation with only one attribute flow and also get this error.

Any ideas?

Thanks!





Portal MPR, SET Transition, Action Workflow with a Function Evaluator to copy datetime attribute to another datetime attribute


Hi,

I am trying to copy a datetime attribute to another datetime attribute within the FIM portal using an action workflow and function evaluator.

e.g.
Target: [//Target/TargetDate]
Function: Concatenate
Value: SourceDate attribute

The workflow creates fine but gives an internal error when the set transition occurs. Can this be done? If not, can you suggest a straightforward workaround?

Thanks,

A.


Manager to accountname resolving in extension


I have an Oracle MA with a table with the columns:

UserID / UserFirstName / ManagerID (reference)
01 / Jack / 02
02 / Bill / (null)

I need to create an extension in C# to resolve ManagerID to the manager's account name, to write this attribute to a special parameter in AD.

The manager account name I can get from AD using UserID.

Can somebody tell me how this can be done?

Thanks!




Adding partitions or renaming the object in a ECMA when the dnStyle is "None"


We have several ECMA MAs where the MA Capability dnStyle is “None”.  We are adding additional Object types into these various MAs for an RBAC model. The anchors on the MAs are GUIDs.

We want to take advantage of adding partitions in the existing MAs. This will give us the ability to run a particular partition on demand and to allow references within the CS to be used between the object types in the MAs. 

To have partitions in an MA requires a rename of the objects to create a dnStyle of LDAP/Generic style from None. Renames of objects are not allowed when using a None dnStyle
(see https://msdn.microsoft.com/en-us/library/windows/desktop/hh859564(v=vs.100).aspx).

If anyone has a creative idea how to rename the objects, or get partitions into an MA that has a dnStyle of None, or another solution, it would be appreciated.

Thank you, Robin

Identity management/MIM - application authentication - clarification?

With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an AD LDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?
Is there a metaverse where their login is created and the password is synced from AD LDS or AD, and the application authenticates against the metaverse/MIM database?

Renaming AD and ADLDS accounts due to name changes


I have people who like to change their names for various reasons (marriage, divorce, gender reassignment) and therefore need to change their cn, account name, dn, display name etc. Most of these change just fine, but when it comes to changing the account name/cn I get a modify-naming-attribute error: "The attribute cannot be modified because it is owned by the system."

Currently one of the MAs is a very basic MA just flowing attributes directly; the other has some sync rules.

I have been doing some research and it said to have two entries for the dn, one for the initial flow and one for the renames. I have this already and it's not working.

Is it possible to do renames without extension DLLs? How?

Thanks

PAM & Windows 2016


Hi,

Just wondering what the major changes/enhancements to Privileged Access Management (PAM) are when Windows Server 2016 launches. No need for a bastion forest anymore?

Thx
