Are you the publisher? Claim or contact us about this channel

Embed this content in your HTML


Report adult content:

click to rate:

Account: (login)

More Channels


Channel Catalog

Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite

older | 1 | .... | 176 | 177 | (Page 178) | 179 | 180 | .... | 204 | newer

    0 0

    Hi All,

    When I try to connect AD via Powershell MA I am getting below error for detailed logs(miisserver config file) 

    ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : InvokePowerShell 
    InvokePowerShell completed
    ConnectorsLog Error: 3 : Method Name : ImportBridge : GetImportEntries 
    Unable to run Import on PowerShell Connector

    I can see the objects getting created but fails in creating objects in Connector space.It fails in the New-FIMGetImportEntriesResults method and pops the above error.

    Any help would be appreciated.

    0 0


    Post was edited to include new information.


    I have a problem with configuring initial password sending to user's manager by this article:


    Users are created in AD, but manager don’t receive a email.

    I think that a problem somewhere in Outbound sync rule, maybe some flows needed (or don’t needed) in it.

    As I understand, in Sync rule we also need two flows:

    Some strong (temporary) password to create a user account, ie.

    P@ssw0rd -> unicodePwd

    And “checkbox” to recreate password at first user login:

    0 -> pwdLastSet

    After my sync cycle I get users in AD in enabled state, but with unknown password.


    With this two options (without MIMWAL) users are created in AD with this password.

    After I add MIMWAL functions users get a new password (which is unknown to me and manager).

    Service account can get access to mailbox and send/receive emails.


    My sync cycle is

    MIM MA Delta-Import

    MIM MA Delta-Sync

    MIM MA Export

    MIM MA Delta-Import

    AD MA Export

    AD MA Delta Import

    After second run situation is same.

    Does somebody have any ideas where is a problem?

    0 0


    Could anybody help me on my query. we have few users their emails are registered in other domains, but we are managing their identites in FIM SYNC for sharepoint and other application access. But, we are planning to to provide PWD registration and reset to our internal employees. As per my knowledge MS is charging FIM CALS for all the users in Metaverse. Please correct me if i am wrong. Is there any way to segregate external users and internal users. Can we give poral access only to our internal employees? what is the use of FIM External connector? Will it help in my case? Any suggestions are welcome.

    0 0

    I noticed the fact that the Access Management Connector does not enable inherited parent OU roles on a FIM 2010R2 (hotfix 4.1.3766.0 applied) and another MIM 2016 (hotfix 4.3.2266.0 applied). Both installations are single server installs. The setup is as follows:

    One MA getting users and departments from a HR database. Each department has a parent department, each department has a list of users. I am using the SQL management agent with a classic setup. Object type is determined by database attribute, database parent attribute contains parent department identifier, multivalue links multiple users with department

    A second MA gets permissions from a test application. Each permission has tow attributes in the connector space, ID and name.

    Further there is a BHOLD Access Management Connector with following attribute flows:

    I have extension code that does the provisioning into the BHOLD connector space, the result of this provisioning is:

    After export to BHOLD I notice that inherited roles are not enabled:

    In this screen you can see that department 5 is a child of department 3. BHOLD picks correctly up that there is an inherited role "MR-Department 3", but the role is disabled.

    According to the hotfix updates applied this issue should have been resolved, the information of the update packages tell me that:

    Issue 3

    When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.

    There is always the possibility that I am doing something wrong, but for me the issue still remains. Does anyone of you have the same issue or know how to resolve it?

    Thank you in advance.

    Wilke Jansoone

    0 0
  • 10/12/16--18:58: MIM CM, what's new?
  • Hi,

    I've worked with FIM CM quite a bit before, but havent had time to look at MIM CM.

    Is there a place that lists what's new? what's changed? what's deprecated?

    Does the UI still look the same?



    0 0
  • 10/13/16--02:10: FIM
  • Is it possible to take the back up FIM database from different domains ?

    FIM MA only uses classic attribute flow ?





    0 0
  • 10/13/16--04:50: Encryption keys
  • Hi All,

    I am facing an issue while exporting an encryption key of FIM sync service.

    error "crdentials do not have access to MIIS encryption keys".

    Kindly help.



    0 0
  • 10/13/16--22:44: Skip Provisioning
  • Hi All,

    How can I skip provisioning objects to all Connector spaces when a Full Synch run one particular management Agent.

    In other words,I don't want the provision method to run when a full Synch is run from one particular management agent and let the provision method run while running Synch cycles on other Management Agents.

    I am not concerned about correctness of design as of one

    0 0

    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"></samlp:StatusCode><samlp:StatusDetail><fim:FIMStatusDetail MessageID="invalid_message_destination"><fim:SubstitutionString>https://[idp]/login</fim:SubstitutionString><fim:SubstitutionString>https://[idp]/login</fim:SubstitutionString></fim:FIMStatusDetail></samlp:StatusDetail></samlp:Status>

    What does the Status Detail mean?


    0 0


    Previously I've always used foundation versions of SharePoint for FIM/MIM which didn't require any licensing. MIM SP1 now supports SharePoint 2016, but there isn't a fondation version anymore.

    Does anyone know if any SharePoint licenses are requried if it is just being for the MIM portal?


    0 0


    Is it possible to customise the MIM dialog boxes, specifically the one that is displayed when the Self Service Password Reset Lockout Gate is triggered?  It  reads "FIM Password Reset : Your account has been locked out. You may have exceeded the allowed number of attempt to authenticate.  Please try again later, or contact helpdesk if you remain locked out for a significant duration.”

    I've looked through the TechNet document "Introduction to Configuring and Customizing the FIM Portal" but cannot see if this dialog box is customisable or if it is hard coded into the DLLs.

    Thank you,


    0 0
  • 10/17/16--16:05: MIM SSPR questions
  • Hi,

    Got a few MIM SSPR related questions:

    • Are the SSPR 'Answers' case-sensitive? (when using the QA Gate)
    • Do we need to deploy PCNS for SSPR? Our SSPR will only involve resetting AD passwords.
    • Does the MIM add-ins & extension client pop-up and ask you to enrol everytime you log on to a workstation or everytime you reboot a workstation? Will it keep prompting you until you enrol?
    • What happens if I enrol and answer 5 questions. Then someone deletes or changes those 5 questions. Will they still appear if I need to reset my password?

    • From what we understand an account can be locked in 2 places: Active Directory and MIM Portal
    • MIM SSPR provides the ability to 'unlock account' - does this feature unlock the account in both AD and MIM Portal?

    Thanks you,


    0 0
  • 10/17/16--19:38: MIM SSPR Account Unlock
  • Hi,

    Looking at the MIM SSPR account unlock screen:

    Can this screen be customised? For example, we dont want this option to be available: "Keep your current password and unlock your account"

    So in AD, when your account is locked, you cant log how does this setting actually work?

    "Keep your current password and unlock your account"

    How is MIM able to pass an AD password to unlock the AD account?



    0 0
  • 10/18/16--01:16: Remove running workflows
  • I've got thousands of running workflow activities banked up (for whatever reason), basically clogging the whole system.

    Is there a way eg using powershell to remove all those workflow activities which have a status of 'running'?

    Thanks JD

    0 0


    i'm setiing up a MIM 2016 SP1 Environment with SharePoint 2013 and SQL 2008R2 on Windows Server 2012R2 Servers. After installation i want to open the MIM SharePoint-Website. I could open and login them. If i want to add a sync rule or a add a security group or so on i'm not able to do them, because the mouse click take no action.

    I tested them with IE11 (Version 11.0.9600.18449 and 11.0.9600.18500) and Firefox 38.1 esr. Both Show the same issue. Javascript is enabled.

    What i have to do so the portal shows the correct functions.

    0 0

    I'm quite new to FIM/MIM and have the following two questions:

    Is it possible to sync data (only users and theirpasswords) from one source Active Directory to another target Active Directory (in a different forest) without installing a FIM portal? Means only installing the sync services. Do I need to configure outbound synch rules? IS this possible without portal and/or coding?

    Thx for help.

    0 0

    Hy everybody,

    please be carefull if you update your MIM environments to SP1 when you have modify the ListView Items per Page.
    We have an installation with a ListView Items per Page Configuration of 100 in the Portal Configuration.

    The problems then are:

    1. If you klick on the arrows (next, previous etc.) on the bottom of all Lists no action will be made.
    2. The NavigationBar ends and empty whitespace will be displayed.

    We tested with IE11.
    Have anyone the same behavior?

    Thanks for all discussions,

    0 0

    Have a customer who's migrating to Office365 and have decided to go the hybrid route. Currently trying to work out what my AD user provisioning requirements are to help facilitate this.

    Reading this post, I am pretty confident that most of the Powershell can be avoided by simply setting the right attributes on the user. So, I imagine it would work like this:

    1. Provision new user to AD with:
      • msExchRecipientDisplayType = -2147483642
      • msExchRecipientTypeDetails = 2147483648
      • msExchRemoteRecipientType = 1
      • targetAddress =
      • mail =
      • proxyAddresses =;;
      • optional: msExchHideFromAddressBook = False (or True)
    2. Execute Powershell script to run Enable-RemoteMailbox. This will configure the user on-prem to be a remote mail-user
    3. Let AADConnect do its thing and sync the user to AAD
    4. Execute Powershell script to apply the correct O365 license to the user in AAD, which will in turn create the actual remote mailbox

    Was hoping someone could confirm for me that this is the right approach.


    Ross Currie | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    0 0

    I have installed and configured FIM 2010 R2 SP1 and all is working, but I cannot issue a smart card. I get this error on the web page.  Smart Card is a Gemalto USB "SmartCard Gemalto .net V2+"

    I have the middleware and card reader installed and seem to be all in order.

    After this screen, I get error below

    I enabled logging locally and this is all I get.

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::LoadOnReader ATR=3B1696417374726964

    CCardModuleImpl::LoadOnReader Name=Axalto Cryptoflex .NET

    CCardModuleImpl::LoadOnReader Provider=axaltocm.dll

    CCardModuleImpl::LoadOnReader CSP Name=Microsoft Base Smart Card Crypto Provider

    CCardModuleImpl::LoadOnReader CardId={3BBC36B9-9858-5F58-290C-81EA6707CDDE}

    AdkDispatchMessages() 4

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 6

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::LoadOnReader ATR=3B1696417374726964

    CCardModuleImpl::LoadOnReader Name=Axalto Cryptoflex .NET

    CCardModuleImpl::LoadOnReader Provider=axaltocm.dll

    CCardModuleImpl::LoadOnReader CSP Name=Microsoft Base Smart Card Crypto Provider

    CCardModuleImpl::LoadOnReader CardId={3BBC36B9-9858-5F58-290C-81EA6707CDDE}

    AdkDispatchMessages() 7

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 3

    > CSCardResourceManager::GetClientVersion

    CSCardResourceManager::GetClientVersion retrieving module name

    CSCardResourceManager::GetClientVersion retrieving FileVersionInfo

    CSCardResourceManager::GetClientVersion querying version number

    < CSCardResourceManager::GetClientVersion

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 5

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    < CCardManager::EndTransactionKeepAlive Started


    < CCardManager::EndTransactionKeepAlive Completed

    < CCardManager::InitializeSecureSession

    --- InitializeSecureSession.ValidateCertChain skipped

    > CCardManager::InitializeSecureSession SUCCEEDED

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 7

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 4

    CCardModuleImpl::BeginTransaction Began transaction

    < CCardManager::StartTransactionKeepAlive Started


    SmartCardTransactionKeepAlive::StartTransactionKeepAlive Starting Keep Alive thread

    SmartCardTransactionKeepAlive::StartTransactionKeepAlive Completed

    < CCardManager::StartTransactionKeepAlive Successfuly started

    < CCardManager::StartTransactionKeepAlive Completed

    Nosh Mernacaj, Identity Management Specialist

    0 0

    Hi All,

    I have a person object with several contributing MAs, however, there is still contributing information from an MA that was disconnected, the settings for the disconnected MA were to recall the attributes or flow precedence should have picked up the information from the other contributing MAs.

    How do I remove the Contributing MA from this user?

older | 1 | .... | 176 | 177 | (Page 178) | 179 | 180 | .... | 204 | newer