Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

MIM Licensing


Hello All,

Need Suggestion.

We are currently using FIM 2010 R2 ver 4.1.3613 SSPR. We want to upgrade our environment to MIM 2016.

I want to know about the licensing of MIM 2016. Can we use the same licence of FIM 2010 R2 in MIM 2016?

Regards,

Suman


PAM functionality questions


Hi,

Just reviewed the PAM FAQ, and have a few questions (https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privileged-access-management-pam-faq.aspx)

  1. FAQ states: "You cannot require multiple approvers; only one PAM approver is needed" - from a distance, it looks like PAM is a component of the MIM Service, so why can there not be multiple approvers? This will be very limiting.
  2. FAQ states: "The approval process does not allow references. For example, you can not require approval of the caller's manager" - again, it appears that PAM is part of the MIM service, so why are reference attributes for approvals not supported? This will definitely be very limiting.

Thank you,

SK


Unable to Login to MIM 2016 After Installation


Hello There,

I just concluded a single-server install of MIM 2016 on SP 2013 Foundation SP1/SQL 2014 as per the product documentation. Authentication fails when I attempt to log in to the MIM Service Portal using either the domain administrator or the account used to install SP 2013 SP1.

I see a similar problem posted here, but it is yet to be reported as resolved:

https://social.technet.microsoft.com/Forums/en-US/69ae1c15-3abd-40f2-9993-144e9d94c1ab/cannot-login-to-microsoft-identity-manager-2016-portal?forum=ilm2

I have followed the guidance below.

# Set a reference to the MIM portal website
$MIM = Get-SPWeb -Identity http://[MIM_PORTAL_NAME]/IdentityManagement

# Display the list of users
$MIM.Users

I could see NT AUTHORITY\authenticated users in the list that is returned.

Any further help will be appreciated.


Akinzo

Synchronize Active Directory with Microsoft Identity Manager


Hello guys,

this is my first entry in this forum :)

I want to install Microsoft Identity Manager and so far I have followed these instructions:

https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/microsoft-identity-manager-deploy

I have two Windows Server 2012 machines - one as a domain controller with Active Directory and the other with SQL Server 2014 and SharePoint Server 2013 installed on it. On the second server I installed MIM Synchronization Service and MIM Service and Portal without any errors or warnings.

So now I wanted to synchronize Active Directory with MIM Service by creating a MIM management agent. When I try to open the Synchronization Service Manager the following error message appears:

"Unable to connect to the Synchronization Service.

Some possible reasons are:

1) The service is not started

2) Your account is not a member of a required security group.

See the Synchronization Service documentation for details."

The services Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service are both running. I am not sure what the second error message means. Does it refer to the local administrator account, the domain administrator account or to any other account? What are the required security groups this account has to be a member of?

Thank you for your help!

Upgrading customised FIM to MIM - process and things to be aware of


Hello,
We currently have FIM 2010 R2 in place and we're looking at upgrading to MIM 2016. We're using FIM 2010 R2 4.1.3733.0 installed on Windows Server 2008 R2 as follows:

fimsync01 - FIM Sync Server + sync DB (SQL 2008 R2)
fimserviceDB01 - SQL 2008 R2 SQL DB for FIM service
fimportal01 - FIM portal server (also runs SharePoint Foundation 2010)

My plan is to do the following in a lab environment first:

1. Upgrade all FIM 2010 R2 server components to the latest version (presumably this will not functionality with the client component).
2. Deploy a new server to replace fimportal01. This will be a Windows 2012 R2 server with SharePoint Foundation 2013.
2a. MIM portal will be installed on the new 2012 R2 server, but I'll point the installer to look at my existing 2008 R2 SQL DB.

I'll be using this guide or similar
https://blogs.msdn.microsoft.com/connector_space/2015/08/05/performing-an-in-place-upgrade-of-fim-2010-r2-to-microsoft-identity-manager-2016-service-and-portal/

I have a few questions:

1. I have extended the FIM portal schema to add new objects and attributes; will this cause an upgrade issue?
2. I've automated run profiles using scheduled tasks and scripts; these scripts reference GUIDs on the sync server - presumably I need to amend these scripts?
3. I have customised the FIM portal; presumably I'll need to customise the portal again?
4. Is MIM compatible with existing FIM client plugins? We're using the SSPR plugin.

Thanks in advance

Import deletion limit


Hello,

I have set up a deletion limit of 50 users on one of my MAs on the Full Import (stage only) step.

The deletion limit does the job: it deletes only 50 users during the run, but continues to run with the next MA.

That means, when all the agents have run, at the next cycle, the first MA will run again and will delete 50 more users.

And the issue I have is that I would like the first MA, where the deletion limit is set up, to stop running in a standby mode and wait for a manual action to continue.

I know that's the case on the export step: the MA stops and does not export anything. I would like the same thing on the import step.

Is it possible?

Thanks,
Bruno

SSPR and Captcha


Hi,

Has anyone modified SSPR with a Captcha?

How easy was it?

Are there any recommendations?

Thanks,

SK

MIM 2016 and SQL 2016


I see MIM supports up to SQL 2014 SP1

https://docs.microsoft.com/en-us/microsoft-identity-manager/plan-design/microsoft-identity-manager-2016-supported-platforms

Is there any indication from Microsoft about if/when there will be support for SQL 2016?  I've looked but haven't found anything.  Also, has anyone tried MIM on SQL 2016?

FIM BP Analyzer


Hi,

We are searching for the FIM BP Analyzer but there is no way to download it; the link seems to be broken.

http://www.microsoft.com/en-us/download/details.aspx?id=30419

Is there any way to get it?

BR,


Emmanuel IT

Extract "Row Errors" in FIM using SQL query.


Hi, Good afternoon,

Referring to the Sync Service Manager console, how can I extract/copy all the errors shown in "Row Errors" (after a failed MA run) using SQL? (SQL is used in the FIM backend for the db.)
There are a few tables inside the database such as "dbo.mms_Connectorspace", "dbo.mms_Management_Agent" etc., but I could not identify which one would contain the "Row Errors" info that I need.

Thanks in advance!

r0m3ll


r0m3llm

sync a new custom attribute (User emp number) from flat file database (*.CSV) to FIM to Active directory


FIM is already deployed and functional in the environment for the user object and its attributes to flow from the data source (*.CSV file) to FIM and export to the target, i.e. Active Directory.
A new custom attribute will be published in the CSV file for each user object. What steps need to be performed on Forefront Identity Manager so that the new attribute is imported from the CSV file and exported to the target (AD)?

Please provide the technical steps.

Multiple Certificates in a Smart Card - FIM CM 2010 R2


Hi, 

I am trying to see if it's possible for me to have multiple active certificates for two AD user accounts installed on the same smart card. I have two user accounts, one for admin purposes and the other one for my activities as a normal user in the organization, and would like to check the feasibility of having certificates for both user accounts installed on the same smart card.

The version of FIM which I am using is FIM 2010 R2. 

Thanks in advance. 


-- JPM


Declarative vs classic rules


Hello!

I have some questions about MIM concepts.

  1. Can I do something like "sync preview" for all of my objects? As I think, this can be useful when deploying in existing environments.
  2. Can anybody explain the difference between attribute flows in Portal (Declarative) and in Synchronization Service Manager (Classic)? Pros and cons for every method?

Attribute flows can be declared in two places.

Portal:

+ We can make separate inbound and outbound rules for attribute flows. This can simplify a sync process.

+ MS is recommending this type of sync

- We need to make an extra "import cycle" for MIM MA to import the declared rule and get it to work

- Can't make export of configuration.

Synchronization Service Manager:

+ Extensions in C# and VB with more complicated rules

+ Simple export of all configuration

- Only one place to declare sync rules, so this can be + or – at the same time.

But if you google for guides on the Internet about provisioning users from AD to MIM, there are many guides which use declarative rules in the portal for this, but as I think it is faster in this case to use classic flows in Sync Service Manager (fewer mouse clicks) :)

And declaring 2 rule flows in different places can be difficult to understand.

So, what do you think about this situation, which methods do you prefer?

Thanks!





High CPU usage


Hi,

We have deployed a FIM configuration with 2 database sources for "input".

Synchronization rules are working and "populating" the MV database. FIM output is also populated. In this "inbound" phase, all seems to work correctly, but when export to FIM is started, the FIM database server gets high CPU usage (95 to 100%).

This state occurs during all the export phase.

We have tried to separate FIMService and FIMSynchronization databases on different servers, and the only one impacted is FIMService.

Is it a known issue or a configuration mistake that may explain this problem?

BR,


Emmanuel IT

How to delete an "orphaned" metaverse object in SQL


We had three "export-phantom" errors occurring on the FIMMA Export run operation.

The errors indicated missing attributes in the metaverse objects. Unfortunately, we could not re-present the three objects in the Oracle Database MA to attempt a Join. So we had to look at the tables in the FIMSynchronization Database.

First, we took a snapshot of the FIM 2010 R2 server, a VMware virtual machine.

This is the SQL we used, after some investigation:

-- Find incomplete metaverse object and copy its object_id for next step
SELECT accountName, email, mailcontacttype, mailNickname, CN, object_id   FROM [FIMSynchronizationService].[dbo].[mms_metaverse] where object_type = 'contact' and accountName = 'SGBS123UFA';
-- Returns this record:
-- accountName email mailcontacttype mailNickname CN object_id
-- SGBSEDPSUFA SGBS1123SUFA@sefkekskail.ok.or NULL NULL NULL 5DBA9A28-FD7F-E611-9C88-005056913B1F

-- 1.  Delete object from mms_metaverse table
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 2.  Delete record from mms_metaverse_lineageguid (object_id is a uniqueidentifier, so compare with = rather than LIKE)
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse_lineageguid] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 3.  Delete record from mms_metaverse_lineagedate
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse_lineagedate] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
 
-- Find record in mms_csmv_link using
SELECT mv_object_id, cs_object_id FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] where mv_object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
-- Returns this record: 
-- mv_object_id cs_object_id
-- 5DBA9A28-FD7F-E611-9C88-005056913B1F 01113ADC-6B80-E611-9C88-005056913B1F
-- 4.  Delete record from mms_csmv_link
DELETE FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] where mv_object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 5.  Delete record from mms_connectorspace
DELETE FROM [FIMSynchronizationService].[dbo].[mms_connectorspace] where object_id = '01113ADC-6B80-E611-9C88-005056913B1F';

We deleted records from five tables to effectively delete the incomplete metaverse objects.

The sequence of run operations was run and the "export-phantom" errors did not occur.

Has anybody else attempted working directly with SQL to delete a metaverse object?  Any comments on the five tables?
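The five-table cleanup above, rewritten as an added example (not the poster's script) that takes the metaverse object_id as a parameter, runs all deletes in one transaction, and rolls back unless the rows look exactly as the post describes (one metaverse row, at most one connector-space link). The table names come from the post; the object_id value is a placeholder you substitute after the SELECT step, and since this bypasses the Sync Service entirely, a DB snapshot beforehand (as the post did) still applies.

```sql
-- Added example: guarded deletion of an orphaned metaverse object.
-- Assumes the dbo.mms_* table names quoted in the post; @mv_id is a placeholder.
USE [FIMSynchronizationService];
SET XACT_ABORT ON;   -- any runtime error aborts and rolls back the whole batch

DECLARE @mv_id uniqueidentifier = '00000000-0000-0000-0000-000000000000'; -- PLACEHOLDER: orphaned MV object_id
DECLARE @cs_id uniqueidentifier;
DECLARE @links int;

BEGIN TRANSACTION;

-- Check 1: exactly one metaverse row must match, otherwise we are deleting the wrong thing
IF (SELECT COUNT(*) FROM dbo.mms_metaverse WHERE object_id = @mv_id) <> 1
BEGIN
    RAISERROR('Metaverse object not found or not unique; nothing deleted.', 16, 1);
    ROLLBACK TRANSACTION;
    RETURN;
END;

-- Check 2: an orphan should have at most one connector-space link; capture its cs_object_id
SELECT @links = COUNT(*), @cs_id = MIN(cs_object_id)
FROM dbo.mms_csmv_link
WHERE mv_object_id = @mv_id;

IF @links > 1
BEGIN
    RAISERROR('Object is still joined to more than one connector; refusing to delete.', 16, 1);
    ROLLBACK TRANSACTION;
    RETURN;
END;

-- Same five tables, same order as the post, but now all-or-nothing
DELETE FROM dbo.mms_metaverse             WHERE object_id    = @mv_id;
DELETE FROM dbo.mms_metaverse_lineageguid WHERE object_id    = @mv_id;
DELETE FROM dbo.mms_metaverse_lineagedate WHERE object_id    = @mv_id;
DELETE FROM dbo.mms_csmv_link             WHERE mv_object_id = @mv_id;
IF @cs_id IS NOT NULL
    DELETE FROM dbo.mms_connectorspace    WHERE object_id    = @cs_id;

COMMIT TRANSACTION;
```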

 



Provision of users to AD OU


Hi!

I am looking for ways we can make user accounts flow to different OUs, based on the user department field.

We have an HR DB with a DepartmentID field and a file (Excel) with relations between DepartmentID and AD OU.

I can see such ways to get it to work:

1. Attribute-value text file with DepartmentID and AD OU relations. Fast and easy to add/delete new OUs.

2. Using some coding like this:

https://blog.kloud.com.au/2016/02/03/dynamic-active-directory-user-provisioning-placement-ou-using-the-granfeldt-powershell-management-agent/

PowerShell or C# code to export the user to the correct OU. As I think, such code is not simple to maintain.

Do you have any more ideas?

Maybe I can store a table with DepartmentID and AD OU relations somewhere in MIM?

Thanks!

 

 



Accidentally deleted Administrator from Portal - now can't access


I've stupidly deleted the Administrator account from the MIM Portal and now I don't have access to Users, MPRs etc.

I was trying to re-import the administrator account and a few new accounts into the portal and thought I could just delete them out of the portal and import them back through the Synchronization Manager. This is clearly not the case!

I don't have any backups of the FIM database or anything to fall back on, so I was wondering if there are any PowerShell commands or any other way of getting the administrator back to how it was.

I'm hoping I don't have to do a complete re-install! 

Can't believe I have done this! What an idiot!!!

Hoping for an easy fix :(

Deny all requests adding users from domain B to Security Groups in domain A


We have two domains in our forest, CORP and PARTNER. CORP-users are allowed to access PARTNER-resources, but PARTNER-users are not allowed to access CORP-resources. Also, most Security Groups in CORP are of scope "Global", so trying to add any PARTNER-users in them would fail.

We are managing Security Groups for both domains in the MIM Portal with full self-service for group owners. But I need to get a fail-safe switch in place to stop any owners/requestors from adding (or requesting to add) PARTNER-users to CORP-groups:

  • If the request target is a CORP-group, deny request if trying to add PARTNER-members
  • If the request target is a PARTNER-group, allow requests for both PARTNER and CORP-members

I guess I should utilize AuthZ somehow, but I'm really not sure how to sort it out. PS: I do have MIMWAL in place.

Any guidance is much appreciated, thanks!


Notify requestor when request has been approved by owner


I have a demand for sending a notification to the Requestor when the request is approved. Currently, MIM only notifies the requestor if the request is rejected by the owner (e.g. for joining a Security Group).

I tried adding a Notification task to the "Owner Approval Workflow", but that made all requests fail (error: the workflow encountered an internal error during processing) so I had to restore the Owner Approval Workflow XOML to the default value.

Any guidance on how I can make sure that requestors get an email when their request is approved?


Statistics not reflected for extensible connectivity 2.0 Management Agents


Hello,

For an Extensible Connectivity 2.0 file-based MA, an Export profile is configured, execution of the profile is successful, and we can also find the exported accounts in the file.

But the statistics for the same are not reflected. Adds and Updates remain zero even though we have changes and those changes have been exported successfully.

Can anyone please suggest possible reasons for this behaviour and a resolution for the same?

Let me know if any further information is needed.

Regards,

Jyothishree SP 

