Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles
Browse latest View live

Migrating Tivoli Identity Manager to Microsoft Identity Manager - Tool for Migrating TIM Life cycle Rules and Operations


I am currently engaged in discovering use cases, life cycle rules and associated operations (workflows) of a Tivoli Identity Manager solution for which no requirements, as built or use case are available.

With the use of TIM admin access and TIM tools I am documenting the current configuration but wanted to consider the next phase.

Is anyone aware of a tool to migrate ??? LCR -> MPRs; Operations to MIM Workflows, Views and ACI -> RCDC?

I am starting to sense a correlation between some Operations elements and MIM elements but would love to use (or develop) a solution to assist with migration. Something like we had in the good old days for Notes to SP migration - anyone remember Casahl ?

TIA

Nigel


AD Sync - Disconnectors


Hello all,

Hope I have the correct forum category for this. I see disconnectors when I do an import from AD in AD Sync (about 800) and I think that this could be some issue, because this states that there are a lot of accounts in the CS that do not have a connection anymore with an object in the metaverse. I wonder how I can effectively find out if this is an issue and what kind of objects those are.


FIM and two domains configuration.


Hello!

I have an interesting question about a two-domain MIM configuration.

We have one PROD domain and one TEST domain.

In PROD we have HR DB and MS AD with prod users. AD users were synchronized to MIM.

In TEST we have only MS AD with TEST users.

We want to test provision of users to TEST domain before deploying them in PROD.

As I understand, we can do it with 2 AD MA (AD MA PROD and AD MA TEST) for these domains.

In addition, I need to create a Sync rule in Portal with use of AD MA (TEST) to provision users to TEST domain.

We don’t need to synchronize passwords and so on for this scenario.

What else do I need to do to test this case?

Thanks!



Export FIM MA very slow


Hi,

We use FIM 2010 R2 SP1 to sync a user database with AD. As explained in the official links

(https://technet.microsoft.com/en-us/library/ee534902(v=ws.10).aspx, but with a DB in place of a file)

and the official installation guides

(https://technet.microsoft.com/en-us/library/hh322906(v=ws.10).aspx,

https://docs.microsoft.com/fr-fr/microsoft-identity-manager/deploy-use/microsoft-identity-manager-deploy)

the sync process may be DB import, DB sync, FIM export, ...

However, we noticed such slow behaviour on the third step (FIM Export). As far as we know, we have respected all of the guides' requirements, and the server hardware configuration is quite "strong" (4 cpu x 4 cores, 16 Gb), but here are some performance data.

Considering 1000 entries, in a fresh FIM environment (only one sync rule inserted in configuration, no MPR, no workflow):

- DB import (from db to db connector space): 18 seconds (~55 entries/s)

- DB sync (from db connector space to MV, including FIM MA provisioning for export): 19 seconds (~53 entries/s)

- FIM Export: 180 seconds (5 entries/s) !!!!!!!!!!!!!!!!!!!!!!!!

Considering we have to work with about 300 000 entries for real, and that a full cycle is much longer (after FIM Export, we may have FIM sync, AD export, AD import, AD Sync, FIM Export) with EREs and DREs to sync with FIM...

There is something missing, something we cannot see, but what ? Anyone had similar issues ? Any way to solve this slow slow behaviour ?

We have noticed a real cpu increase during export too. 2 or 3% during import and sync, but 40 to 50 % during export !!!

BR,


Emmanuel IT

Oracle Finance and PeopleSoft authenticate to azure ad


Hi Team,

At my customer I have two Oracle applications, PeopleSoft Campus Solution and Oracle Finance.

My customer wants to implement single sign-on; they already have Office 365 and no Active Directory on premises.

My company proposes a solution using the Azure Graph API to authenticate directly to Azure, like this scenario:

http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory

https://www.youtube.com/watch?v=dXMrIjNGYqw

Is it possible to do single authentication with an Oracle application using a universal API?

Can you share the workflow and logic?

thanks 

regards

Password Registration Issue


Hello All,

Need help!

We have implemented SSPR in our environment and there are workflows set for each user as per their language.

But for one of the users, during registration the security questions are coming in English and the other description on the page is coming in his regional language.

Kindly suggest.

Regards,

Suman


SSPR options questions


Hi,

When deploying MIM SSPR, can we:

1. Provide one set of users with the OTP option, and another set of users with the Question & Answer option on the same MIM SSPR Portal (Registration and Reset Portal)? Or do we need multiple Registration and Reset Portals deployed linked to different Sets?

2. Can we offer a user both options at Registration (Question&Answer or OTP) and they can pick which one they want to register for?

3. Say a user is registered for BOTH 'Question&Answer' and 'OTP', do they have to get both correct in order to reset their password, or is there a way for them to only get one of them correct?

Thank you,

SK

Powershell MA - connect to AD


Hi All,

When I try to connect to AD via the PowerShell MA I am getting the below error:

 

The extensible extension returned an unsupported error.
 The stack trace is:

 "System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.ConfigBridge.GetSchema()
Forefront Identity Manager 4.1.3441.0"

I get this error both with impersonation and without it. What is the access required for the impersonated account, or for the FIM Sync account without impersonation? The below schema file works in other environments but not in one.

Schema File

 
 
[CmdletBinding()]            
     
param( 
[System.Collections.ObjectModel.KeyedCollection[[string],[Microsoft.MetadirectoryServices.ConfigParameter]]]$ConfigParameters,
    [System.Management.Automation.PSCredential]$PSCredential
)

Function LogWrite
{
   Param ([string]$logstring)

   Add-content $Logfile -value $logstring
}

$Logfile = "C:\Temp\SchemaLog.txt"
   
Set-StrictMode -Version 3            

LogWrite "Start"

Import-Module (Join-Path -Path ([Environment]::GetEnvironmentVariable('TEMP', [EnvironmentVariableTarget]::Machine)) -ChildPath 'FIM.MTAD.psm1') -Verbose:$false            

LogWrite "Import module"

$Schema = New-FIMSchema            

LogWrite "Setup user schema"

$SchemaType = New-FIMSchemaType -Name 'user'            
$SchemaType | Add-FIMSchemaAttribute -Name 'distinguishedName' -Anchor -DataType 'String' -SupportedOperation ImportOnly         
$SchemaType | Add-FIMSchemaAttribute -Name 'sAMAccountName' -DataType 'String' -SupportedOperation ImportOnly 
$SchemaType | Add-FIMSchemaAttribute -Name 'name' -DataType 'String' -SupportedOperation ImportOnly                     

$Schema.Types.Add($SchemaType)            

LogWrite "Setup group schema"

$SchemaType = New-FIMSchemaType -Name 'group'            
$SchemaType | Add-FIMSchemaAttribute -Name 'distinguishedName' -Anchor -DataType 'String' -SupportedOperation ImportOnly            
$SchemaType | Add-FIMSchemaAttribute -Name 'sAMAccountName' -DataType 'String' -SupportedOperation ImportOnly 
$SchemaType | Add-FIMSchemaAttribute -Name 'name' -DataType 'String' -SupportedOperation ImportOnly   
$SchemaType | Add-FIMSchemaAttribute -Name 'Members' -DataType 'Reference' -MultiValued -SupportedOperation ImportExport


$Schema.Types.Add($SchemaType)  

LogWrite "Setup computer schema"

$SchemaType = New-FIMSchemaType -Name 'computer'            
$SchemaType | Add-FIMSchemaAttribute -Name 'distinguishedName' -Anchor -DataType 'String' -SupportedOperation ImportOnly            
$SchemaType | Add-FIMSchemaAttribute -Name 'sAMAccountName' -DataType 'String' -SupportedOperation ImportOnly 
$SchemaType | Add-FIMSchemaAttribute -Name 'name' -DataType 'String' -SupportedOperation ImportOnly   

$Schema.Types.Add($SchemaType)            

$Schema 


SharePoint 2016 User Sync Problem


Hello,

I have set up Identity Manager for the first time to use with a new SharePoint 2016 environment. I had tried to use the default AD sync but could not get pictures to work their way over. I have followed a few instructions on getting MIM installed, hot fix applied, SharePoint connector installed, GitHub files downloaded, and scripts run. I am running into the issue where I cannot get the ADMA and SPMA to run successfully with the following command.

Start-SharePointSync -Confirm:$false

When I do I am getting two different Return Values.

The first is for the ADMA FullSync. I get stopped-extension-dll-file-not-found. The dll listed in the ADMA Agent is SharePointSynchroniation.dll. When I navigate to the extensions folder it is not listed. Tried another extension that was and received the same error. Event viewer giving this:

The server encountered an unexpected error:"Could not load file or assembly 'file:///C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\SharePointSynchronization.dll' or one of its dependencies. The system cannot find the file specified.

   at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadFrom(String assemblyFile, Evidence securityEvidence, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm, Boolean forIntrospection, Boolean suppressSecurityChecks, StackCrawlMark& stackMark)
   at System.Reflection.Assembly.LoadFrom(String assemblyFile)
   at Microsoft.MetadirectoryServices.Impl.ScriptHost.InitializeWorker(InitializeArguments pArgs)


InnerException=>
none"

On the SPMA FullImport, Export, and DeltaImport I am seeing extensible-connector-refresh-required. No clue on this one as I have no support I can locate.

I have deleted and recreated the Run Profiles and updated the Management Agents to no avail. No users appear in the Metaverse search and no user data is getting to SharePoint from AD. Looking for advice and direction.


MIM 2016 support for SQL 2012 SP3


Dear all,

Is MIM 2016 supported to be installed on SQL 2012 SP3 for the Synchronization and FIM Service components? The TechNet article states SQL 2012 SP2, but do they mean this is the minimum requirement on SQL 2012?

Thanks.


MM

MIM SSPR and Azure MFA prerequisites?


Hi,

Busy reading on how to enable on-prem MIM 2016 SSPR SMS/Phone Gate to use Azure MFA - https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-self-service-password-reset

The article does not mention anything about whether it is required that the user identities also exist in Azure AD, via AADConnect.

So based on this article, I don't need any Azure identities for this SSPR Azure MFA solution to work then? Is that correct?

Thank you,

SK

FIM upgradation to MIM

Hello All,

We currently have two environments (Test and Prod) and below is our environment.

1) win 2008 R2

2) .NET 3.5

3) SQL native client 9.0

4) SP 2007

5) FIM versions 4.1.3613, and 4.1.3559

Can anyone please help: can these versions be supported while I am upgrading to MIM 2016?

Regards,

Suman

Issues with provisioning groups to FIM Portal

I'm running MIM2016 / FIM Portal. I am having trouble getting groups, security and DL, showing up in the FIM Portal. I have them in my test OU and I can see they were adds when I ran a Full Import on my ADMA. But when I run the MIM MA they are not provisioned to the FIM Portal. They are not listed as projections, joins, updates ... I can't seem to figure out my problem. I think I have my sync rule set up correctly, but I'm thinking that is where my problem lies. Any help would be appreciated.

MIM CA Files Installation on CA Server 2008 32 Bit fails.


I am trying to install MIM CA Files on a 2008 32 bits CA Server, where CLM was installed and worked fine. Here is a snippet of the log, where it is failing.

Thanks in advance for your help!

-----------------------------------

MSI (s) (14:7C) [15:09:36:226]: Executing op: RegisterSharedComponentProvider(,,File=F_CENTRAL_msvcr100_x86.F1DD796A_B984_3DCA_A68D_6B352BDC86F3,Component={9983C931-37BE-3C6E-AD32-8B6E789B6881},ComponentVersion=10.0.30319.460,ProductCode={54FA4EE1-74BE-4154-BFC7-B02EFDD5D545},ProductVersion=4.4.1237,PatchSize=0,PatchAttributes=0,PatchSequence=0,SharedComponent=0,IsFullFile=0)
MSI (s) (14:7C) [15:09:36:242]: Executing op: RegisterSharedComponentProvider(,,File=F_CENTRAL_msvcp100_x86.F1DD796A_B984_3DCA_A68D_6B352BDC86F3,Component={E822F933-C70D-3CF4-A92D-7263B8ACCF30},ComponentVersion=10.0.30319.460,ProductCode={54FA4EE1-74BE-4154-BFC7-B02EFDD5D545},ProductVersion=4.4.1237,PatchSize=0,PatchAttributes=0,PatchSequence=0,SharedComponent=0,IsFullFile=0)
MSI (s) (14:7C) [15:09:36:242]: Executing op: CacheRTMFile(SourceFilePath=E:\Software\Certificate Management\x86\System32\Win\System\msvcp100.dll,FileKey=F_CENTRAL_msvcp100_x86.F1DD796A_B984_3DCA_A68D_6B352BDC86F3,,ProductCode={54FA4EE1-74BE-4154-BFC7-B02EFDD5D545},ProductVersion=4.4.1237,Attributes=512,,,,CopierFlags=0,FileSize=421200,,,,,)
MSI (s) (14:7C) [15:09:36:258]: Note: 1: 2318 2: C:\Windows\Installer\$PatchCache$\Managed\1EE4AF45EB474514FB7C0BE2DF5D5D54\4.4.1237\F_CENTRAL_msvcp100_x86.F1DD796A_B984_3DCA_A68D_6B352BDC86F3
MSI (s) (14:7C) [15:09:36:289]: Executing op: CacheRTMFile(SourceFilePath=E:\Software\Certificate Management\x86\System32\Win\System\msvcr100.dll,FileKey=F_CENTRAL_msvcr100_x86.F1DD796A_B984_3DCA_A68D_6B352BDC86F3,,ProductCode={54FA4EE1-74BE-4154-BFC7-B02EFDD5D545},ProductVersion=4.4.1237,Attributes=512,,,,CopierFlags=0,FileSize=768848,,,,,)
MSI (s) (14:7C) [15:09:36:289]: Note: 1: 2318 2: C:\Windows\Installer\$PatchCache$\Managed\1EE4AF45EB474514FB7C0BE2DF5D5D54\4.4.1237\F_CENTRAL_msvcr100_x86.F1DD796A_B984_3DCA_A68D_6B352BDC86F3
MSI (s) (14:7C) [15:09:36:320]: Executing op: CacheSizeFlush(,)
MSI (s) (14:7C) [15:09:36:320]: Executing op: ActionStart(Name=REGISTERCMEVENTS,,)
Action 15:09:36: REGISTERCMEVENTS. .
MSI (s) (14:7C) [15:09:36:320]: Executing op: CustomActionSchedule(Action=REGISTERCMEVENTS,ActionType=3073,Source=BinaryData,Target=CAQuietExec,CustomActionData="WevtUtil.exe" im "E:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\CertificateManagementEventsManifest.man" /rf:"E:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\Microsoft.Clm.Configuration.dll" /mf:"E:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\/Microsoft.Clm.Configuration.dll")
MSI (s) (14:24) [15:09:36:320]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4731.tmp, Entrypoint: CAQuietExec
MSI (s) (14:A4) [15:09:36:320]: Generating random cookie.
MSI (s) (14:A4) [15:09:36:336]: Created Custom Action Server with PID 7580 (0x1D9C).
MSI (s) (14:3C) [15:09:36:382]: Running as a service.
MSI (s) (14:3C) [15:09:36:382]: Hello, I'm your 32bit Elevated Non-remapped custom action server.
 CAQuietExec:  Invalid option rf. Option is not supported. The parameter is incorrect.
CAQuietExec:  Error 0x80070057: Command line returned an error.
CAQuietExec:  Error 0x80070057: CAQuietExec Failed


Nosh Mernacaj, Identity Management Specialist

Connecting MIM Connector to Web Services Data Sources


Hello,

I wish to use MIM to connect to data sources with Web Services exposed.

1. Can I use the PowerShell MA to achieve this? How reliable/efficient is this approach?

2. Can I customize the Web Services Connector to achieve this for my various application identity data sources, even though the default Web Services Connector Projects are specific to Oracle, SAP, PeopleSoft etc.?

Thanks


Akinzo


FIM 2010 CAL license query


Hi Guys,

Our client is actually a museum/exhibition, still not operational. We are managing identities based on user webmember registration. Basically, if any visitor comes to our museum/exhibition and subscribes to any membership, we will create an AD user account and provide access to application based on his subscription. The number of identities managed through the FIM Sync engine keeps on increasing. That's not a problem. The problem is we are going to hire 600 staff. We want to manage the 600 staff through FIM Portal, and we plan to provide a password reset portal and group management. But the FIM Sync MV will have all web registers and the 600 staff. So, do we need to purchase only 600 CAL licenses, or do we need to buy CALs for all the users in the Metaverse? Currently we have only the FIM server license. Without purchasing CAL licenses, can we implement SSPR at least?

MIM SP1 - dialog boxes are not showing properly


Hi,

Recently I updated FIM -> MIM SP1 for one of my customers (happily first in the TEST environment). After the upgrade, when I open the portal locally on the MIM server, dialog boxes are not showing any data (they are empty, infinitely "loading"). When I try to open the portal from another server it shows the dialog box, but if I try to select something in the identity picker, the second dialog box opens empty. Accessing the portal from a third server, everything works ...

Has anyone seen something similar? As there are no errors in the event log I assume it is some client issue. Are there any requirements for the browser for use with MIM SP?

These servers are as follows:

MIM server - Win 2012 Data Center, IE 10

other server - Win 2018 R2 SP1, IE 8

third server - Win 2012 Data Center, IE 10



Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

FIM 2010 R2 to MIM 2016 SP1 upgrade problem

Hi all,

I have performed an upgrade from FIM 2010 R2 to MIM 2016 SP1 Sync, Service and Portal. All setups finished without any error. However, when I try a refresh schema on the FIMMA or any other MA it fails with incompatible version.

Did any of you encounter this problem?


MM

MIM Synch Service install issue


I'm in the process of setting up a new MIM Synchronization Service instance as an upgrade from FIM 2010 R2. I've installed the software, imported the database from my FIM 2010 R2 server, but I'm getting a weird error when I try to modify the MA for an Oracle Database. Anytime I try to make a change, I get this:

followed by this:

  • I'm on FIM 4.4.1237.0
  • Windows 2012 R2
  • MS SQL 2016, local instance
  • .Net 3.5 enabled; 4.5 installed; 4.6 installed.


Ed Bell - Specialist, Network Services, Convergys

FIM to MIM Upgrade Visual Studio Version


Hi,

A client wants to use the MIMWAL. They are currently on Visual Studio 2010 and MIMWAL requires 2012 or higher.

Has anyone ever encountered any issues with upgrading Visual Studio and subsequent recompilation of the rules extension and workflow DLLs?

We are trying to assess any risks before deciding to implement MIMWAL for this iteration or leave that for the next cycle.

Thank you in advance for any shared experience with this.
