Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

Powershell MA connector issues


Hi All,

When I try to connect to AD via the PowerShell MA, I get the error below in the detailed logs (miisserver config file):


ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : InvokePowerShell 
InvokePowerShell completed
ConnectorsLog Error: 3 : Method Name : ImportBridge : GetImportEntries 
Unable to run Import on PowerShell Connector

I can see the objects getting created, but it fails in creating objects in the connector space. It fails in the New-FIMGetImportEntriesResults method and pops the above error.

Any help would be appreciated.
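
An added example, not the poster's script and not Microsoft's sample: the skeleton of a PowerShell Connector import script that reads users from AD and returns them to the connector. Assumed, because the post does not show them: a custom config parameter named SearchBase, an object type user anchored on objectGUID in the schema script, and the handful of attributes flowed. The check worth making against the failure above is output discipline: the connector expects exactly one Microsoft.MetadirectoryServices.GetImportEntriesResults object on the pipeline, and anything else the script lets through (module-import output, the return value of a collection .Add() call, a stray Write-Output) is a commonly reported reason for "Unable to run Import on PowerShell Connector", so every other call below is sent to $null or Out-Null.

```powershell
# Added example, not the poster's script. Import script for the MIM PowerShell Connector.
# Assumptions (not in the original post): the schema script defines object type 'user'
# anchored on 'objectGUID', and a config parameter named 'SearchBase' exists.
param (
    [System.Collections.ObjectModel.KeyedCollection[string, Microsoft.MetadirectoryServices.ConfigParameter]] $ConfigParameters,
    [Microsoft.MetadirectoryServices.Schema] $Schema,
    [Microsoft.MetadirectoryServices.OpenImportConnectionRunStep] $OpenImportConnectionRunStep,
    [Microsoft.MetadirectoryServices.ImportRunStep] $GetImportEntriesRunStep,
    [PSCredential] $PSCredential
)

$ErrorActionPreference = 'Stop'

# Only the final results object may reach the pipeline, so swallow every other output.
Import-Module ActiveDirectory | Out-Null

$searchBase = $ConfigParameters['SearchBase'].Value
$csentries  = New-Object 'System.Collections.Generic.List[Microsoft.MetadirectoryServices.CSEntryChange]'

# Splat so that an empty $PSCredential is simply not passed to Get-ADUser.
$adParams = @{
    Filter     = '*'
    SearchBase = $searchBase
    Properties = @('displayName', 'mail', 'userAccountControl')
}
if ($PSCredential) { $adParams.Credential = $PSCredential }

foreach ($u in (Get-ADUser @adParams)) {
    $cs = [Microsoft.MetadirectoryServices.CSEntryChange]::Create()
    $cs.ObjectModificationType = [Microsoft.MetadirectoryServices.ObjectModificationType]::Add
    $cs.ObjectType = 'user'
    $cs.DN = $u.DistinguishedName

    # Anchor first: without it the connector space object cannot be created.
    $null = $cs.AnchorAttributes.Add(
        [Microsoft.MetadirectoryServices.AnchorAttribute]::Create('objectGUID', $u.ObjectGUID.ToString()))

    # CreateAttributeAdd throws on a null value, so flow only attributes that are set.
    $attrs = @{
        sAMAccountName     = $u.SamAccountName
        displayName        = $u.displayName
        mail               = $u.mail
        userAccountControl = $u.userAccountControl
    }
    foreach ($name in $attrs.Keys) {
        if ($null -ne $attrs[$name] -and "$($attrs[$name])" -ne '') {
            $null = $cs.AttributeChanges.Add(
                [Microsoft.MetadirectoryServices.AttributeChange]::CreateAttributeAdd($name, $attrs[$name]))
        }
    }
    $csentries.Add($cs)   # List<T>.Add returns void, so nothing leaks to the pipeline
}

$results = New-Object Microsoft.MetadirectoryServices.GetImportEntriesResults
$results.CSEntries    = $csentries
$results.MoreToImport = $false   # single page; set $true and use CustomData to page large imports
Write-Output $results            # the one object the connector expects back
```

If the import still fails after this, compare the attribute names and types the script emits against the schema script: an attribute name that is not in the schema, or an integer flowed into a string-typed attribute, fails at the same point as a polluted pipeline.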


Sending user's details in mail (MIMWAL)


Hello!

Post was edited to include new information.

 

I have a problem configuring the sending of the initial password to the user's manager, following this article:

http://ithinkthereforeidam.com/mimwal-for-setting-and-communicating-password-for-new-users

 

Users are created in AD, but the manager doesn't receive an email.

I think the problem is somewhere in the outbound sync rule; maybe some flows are needed (or not needed) in it.

As I understand it, in the sync rule we also need two flows:

A strong (temporary) password to create the user account, i.e.

P@ssw0rd -> unicodePwd

And the "checkbox" to recreate the password at first user login:

0 -> pwdLastSet

After my sync cycle I get users in AD in an enabled state, but with an unknown password.

 

With these two options (without MIMWAL), users are created in AD with this password.

After I add the MIMWAL functions, users get a new password (which is unknown to me and the manager).

The service account has access to the mailbox and can send/receive emails.

 

My sync cycle is:

MIM MA Delta-Import

MIM MA Delta-Sync

MIM MA Export

MIM MA Delta-Import

AD MA Export

AD MA Delta Import

After a second run the situation is the same.

Does somebody have any ideas where the problem is?


FIM External Connector licensing


Hi,

Could anybody help me with my query? We have a few users whose emails are registered in other domains, but we are managing their identities in FIM Sync for SharePoint and other application access. We are now planning to provide password registration and reset to our internal employees. As far as I know, MS charges FIM CALs for all the users in the Metaverse. Please correct me if I am wrong. Is there any way to segregate external users and internal users? Can we give portal access only to our internal employees? What is the use of the FIM External Connector? Will it help in my case? Any suggestions are welcome.

BHOLD Access Management Connector provisions inherited parent OU roles as disabled


I noticed that the Access Management Connector does not enable inherited parent OU roles on a FIM 2010 R2 installation (hotfix 4.1.3766.0 applied) and on a MIM 2016 installation (hotfix 4.3.2266.0 applied). Both are single-server installs. The setup is as follows:

One MA gets users and departments from an HR database. Each department has a parent department, and each department has a list of users. I am using the SQL management agent with a classic setup: the object type is determined by a database attribute, a database parent attribute contains the parent department identifier, and a multivalue attribute links multiple users with a department.

A second MA gets permissions from a test application. Each permission has two attributes in the connector space, ID and name.

Further, there is a BHOLD Access Management Connector with the following attribute flows:

I have extension code that does the provisioning into the BHOLD connector space; the result of this provisioning is:

After export to BHOLD I notice that inherited roles are not enabled:

In this screen you can see that department 5 is a child of department 3. BHOLD correctly picks up that there is an inherited role "MR-Department 3", but the role is disabled.

According to the hotfix updates applied, this issue should have been resolved; the information for the update packages tells me that:

Issue 3

When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.

There is always the possibility that I am doing something wrong, but for me the issue still remains. Does anyone of you have the same issue or know how to resolve it?

Thank you in advance.

Wilke Jansoone

MIM CM, what's new?


Hi,

I've worked with FIM CM quite a bit before, but haven't had time to look at MIM CM.

Is there a place that lists what's new? what's changed? what's deprecated?

Does the UI still look the same?

Thanks,

SK

FIM


Is it possible to take a backup of the FIM database from different domains?

Does the FIM MA only use classic attribute flow?

Can we import a Set with an explicit reference to a person or group into an empty environment?

Is adding a value to a multivalued attribute a valid operation under a Request MPR?

What is the correct step sequence to add/execute OrganizationUnit in the AD MA?

Are passwords stored in the RCSW field queues encrypted until they are delivered?

Encryption keys


Hi All,

I am facing an issue while exporting the encryption key of the FIM Sync Service.

Error: "credentials do not have access to MIIS encryption keys".

Kindly help.

Regards,

Suman

Skip Provisioning


Hi All,

How can I skip provisioning objects to all connector spaces when a full sync is run on one particular management agent?

In other words, I don't want the Provision method to run when a full sync is run from one particular management agent, but let the Provision method run when sync cycles are run on the other management agents.

I am not concerned about the correctness of the design as of now.


What does the Status Detail mean? "invalid_message_destination"

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"></samlp:StatusCode><samlp:StatusDetail><fim:FIMStatusDetail MessageID="invalid_message_destination"><fim:SubstitutionString>https://[idp]/login</fim:SubstitutionString><fim:SubstitutionString>https://[idp]/login</fim:SubstitutionString></fim:FIMStatusDetail></samlp:StatusDetail></samlp:Status>

What does the Status Detail mean?

"invalid_message_destination"
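
An added example, not from the original post: a small PowerShell decoder for the samlp:Status block quoted above. Per SAML 2.0 Core, the top-level code urn:oasis:names:tc:SAML:2.0:status:Requester means the responder (the IdP) rejected the request because of something on the requester's side, and the fim:FIMStatusDetail element is a vendor extension carrying a message ID plus substitution strings; the function pulls all three out so the detail can be logged or asserted on. The namespace URI behind the fim prefix is not visible in the pasted fragment, so a placeholder URI is declared on a wrapper element only so the fragment parses, and the lookups use local-name() to stay independent of it.

```powershell
# Added example, not from the original post: decode a samlp:Status fragment as quoted above.
function Get-SamlStatusDetail {
    param([Parameter(Mandatory)][string] $StatusXml)

    # The fragment as pasted declares no namespaces, so wrap it in a root element that declares
    # samlp (the real SAML 2.0 protocol URI) and fim (placeholder URI; the real one is not in the post).
    # A fragment that declares its own xmlns attributes simply overrides these.
    $wrapped = '<root xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
               'xmlns:fim="urn:placeholder:fim">' + $StatusXml + '</root>'
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null          # never resolve external entities or DTDs from untrusted XML
    $doc.LoadXml($wrapped)

    # local-name() lookups work whatever URI the fim prefix really maps to.
    $codeNode = $doc.SelectSingleNode("//*[local-name()='StatusCode']")
    $detail   = $doc.SelectSingleNode("//*[local-name()='FIMStatusDetail']")
    $code     = if ($codeNode) { $codeNode.GetAttribute('Value') } else { $null }

    [pscustomobject]@{
        StatusCode          = $code
        # SAML 2.0 Core top-level codes: Success, Requester, Responder, VersionMismatch
        TopLevel            = if ($code) { ($code -split ':')[-1] } else { $null }
        RequesterFault      = ($code -eq 'urn:oasis:names:tc:SAML:2.0:status:Requester')
        MessageID           = if ($detail) { $detail.GetAttribute('MessageID') } else { $null }
        SubstitutionStrings = @(if ($detail) {
                                  $detail.SelectNodes("*[local-name()='SubstitutionString']") |
                                      ForEach-Object { $_.InnerText } })
    }
}

# The fragment from the question, with the [idp] placeholder kept exactly as posted.
$posted = '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"></samlp:StatusCode>' +
          '<samlp:StatusDetail><fim:FIMStatusDetail MessageID="invalid_message_destination">' +
          '<fim:SubstitutionString>https://[idp]/login</fim:SubstitutionString>' +
          '<fim:SubstitutionString>https://[idp]/login</fim:SubstitutionString>' +
          '</fim:FIMStatusDetail></samlp:StatusDetail></samlp:Status>'

Get-SamlStatusDetail -StatusXml $posted | Format-List
```

The two substitution strings are what the IdP chose to report alongside the message ID; the fragment itself does not say what they are compared against, so the next step is to compare them with the Destination attribute and the endpoint URL in the AuthnRequest the SP actually sent, which is the requester-side input that a Requester status points back to.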

SharePoint 2016 licensing for MIM use


Hi,

Previously I've always used Foundation versions of SharePoint for FIM/MIM, which didn't require any licensing. MIM SP1 now supports SharePoint 2016, but there isn't a Foundation version anymore.

Does anyone know if any SharePoint licenses are required if it is just being used for the MIM Portal?

Mark

MIM - Customise text in dialog boxes


Hello,

Is it possible to customise the MIM dialog boxes, specifically the one that is displayed when the Self Service Password Reset Lockout Gate is triggered? It reads: "FIM Password Reset : Your account has been locked out. You may have exceeded the allowed number of attempt to authenticate. Please try again later, or contact helpdesk if you remain locked out for a significant duration."

I've looked through the TechNet document "Introduction to Configuring and Customizing the FIM Portal" but cannot see if this dialog box is customisable or if it is hard coded into the DLLs.

Thank you,

Alastair.

MIM SSPR questions


Hi,

Got a few MIM SSPR related questions:

  • Are the SSPR 'Answers' case-sensitive? (when using the QA Gate)
  • Do we need to deploy PCNS for SSPR? Our SSPR will only involve resetting AD passwords.
  • Does the MIM add-ins & extension client pop up and ask you to enrol every time you log on to a workstation or every time you reboot a workstation? Will it keep prompting you until you enrol?
  • What happens if I enrol and answer 5 questions, and then someone deletes or changes those 5 questions? Will they still appear if I need to reset my password?
  • From what we understand, an account can be locked in 2 places: Active Directory and the MIM Portal.
  • MIM SSPR provides the ability to 'unlock account'. Does this feature unlock the account in both AD and the MIM Portal?

Thank you,

SK


MIM SSPR Account Unlock


Hi,

Looking at the MIM SSPR account unlock screen:

Can this screen be customised? For example, we don't want this option to be available: "Keep your current password and unlock your account"

So in AD, when your account is locked, you can't log in... so how does this setting actually work?

"Keep your current password and unlock your account"

How is MIM able to pass an AD password to unlock the AD account?

Thanks,

SK

Remove running workflows


I've got thousands of running workflow activities banked up (for whatever reason), basically clogging the whole system.

Is there a way, e.g. using PowerShell, to remove all those workflow activities which have a status of 'running'?

Thanks JD
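
An added example, not the poster's code: clearing Running WorkflowInstance resources through the FIMAutomation snap-in that ships with the MIM Service. Assumed, because the post does not state them: that the snap-in is installed on the host, that the account running it may delete WorkflowInstance resources, that the attribute carrying the state is named WorkflowStatus with the value Running, and the Resource Management Service URI below. Two caveats a practitioner would want: each delete is itself a Request processed by the MIM Service, so thousands of deletes queue thousands of Requests, and deleting the instances removes the backlog without fixing whatever queued it.

```powershell
# Added example, not the poster's code. Assumes the FIMAutomation snap-in, delete rights on
# WorkflowInstance, an attribute named WorkflowStatus, and the service URI below.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-RunningWorkflowInstance {
    param([string] $Uri = 'http://localhost:5725/ResourceManagementService')
    # XPath filter evaluated by the MIM Service; attribute name is an assumption.
    Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/WorkflowInstance[WorkflowStatus='Running']"
}

function Remove-FimResource {
    param(
        [Parameter(Mandatory)] $ExportObject,
        [string] $Uri = 'http://localhost:5725/ResourceManagementService',
        [switch] $WhatIf
    )
    $id   = $ExportObject.ResourceManagementObject.ObjectIdentifier   # urn:uuid:...
    $type = $ExportObject.ResourceManagementObject.ObjectType
    if ($WhatIf) { Write-Host "Would delete $type $id"; return }

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = $type
    $import.TargetObjectIdentifier = $id
    $import.SourceObjectIdentifier = $id
    $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Delete
    $import | Import-FIMConfig -Uri $Uri     # each delete becomes a Request in the MIM Service
}

# Keep an export of what is about to be deleted so the batch can be reviewed afterwards.
$running = @(Get-RunningWorkflowInstance)
$running | Export-Clixml -Path ".\running-workflowinstances-$(Get-Date -Format yyyyMMddHHmm).xml"
"$($running.Count) running workflow instances found"

# Dry run first; drop -WhatIf once the list looks right.
$running | ForEach-Object { Remove-FimResource -ExportObject $_ -WhatIf }
```

Run the dry run, inspect the exported list (in particular the Requestor and workflow definition of the instances, which tell you which MPR or workflow is producing them), and only then rerun without -WhatIf.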

MIM 2016 SP1 Portal displaying issue


Hi,

I'm setting up a MIM 2016 SP1 environment with SharePoint 2013 and SQL 2008 R2 on Windows Server 2012 R2 servers. After installation I want to open the MIM SharePoint website. I can open it and log in. But if I want to add a sync rule or add a security group and so on, I'm not able to, because the mouse click takes no action.

I tested it with IE11 (version 11.0.9600.18449 and 11.0.9600.18500) and Firefox 38.1 ESR. Both show the same issue. JavaScript is enabled.

What do I have to do so the portal shows the correct functions?


Syncing users from a source AD to a target AD


I'm quite new to FIM/MIM and have the following two questions:

Is it possible to sync data (only users and their passwords) from one source Active Directory to another target Active Directory (in a different forest) without installing the FIM Portal, i.e. only installing the Synchronization Service? Do I need to configure outbound sync rules? Is this possible without the portal and/or coding?

Thanks for the help.

MIM 2016 SP1 Portal Issue (ListView Items per Page)


Hi everybody,

please be careful if you update your MIM environment to SP1 when you have modified the ListView Items per Page setting.
We have an installation with a ListView Items per Page configuration of 100 in the Portal Configuration.

The problems then are:

1. If you click on the arrows (next, previous etc.) at the bottom of all lists, no action is taken.
2. The navigation bar ends and empty whitespace is displayed.

We tested with IE11.
Has anyone seen the same behavior?

Thanks for all discussions,
Thomas

Provisioning AD Users in a Hybrid Office 365 Environment


I have a customer who is migrating to Office 365 and has decided to go the hybrid route. I'm currently trying to work out what my AD user provisioning requirements are to help facilitate this.

Reading this post, I am pretty confident that most of the Powershell can be avoided by simply setting the right attributes on the user. So, I imagine it would work like this:

  1. Provision new user to AD with:
    • msExchRecipientDisplayType = -2147483642
    • msExchRecipientTypeDetails = 2147483648
    • msExchRemoteRecipientType = 1
    • targetAddress = SMTP:first.last@tenant.onmicrosoft.com
    • mail = first.last@domain.com
    • proxyAddresses = SMTP:first.last@domain.com; smtp:first.last@tenant.onmicrosoft.com;
    • optional: msExchHideFromAddressBook = False (or True)
  2. Execute Powershell script to run Enable-RemoteMailbox. This will configure the user on-prem to be a remote mail-user
  3. Let AADConnect do its thing and sync the user to AAD
  4. Execute Powershell script to apply the correct O365 license to the user in AAD, which will in turn create the actual remote mailbox

Was hoping someone could confirm for me that this is the right approach.

Regards,

Ross Currie


FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services
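
An added example, not the poster's script and not Microsoft's: the on-premises side of steps 1 and 2 above, followed by a verification of the attribute values the post lists, run before the object is handed to AADConnect (step 3). Assumed: an on-premises Exchange Management Shell session (Enable-RemoteMailbox is an Exchange cmdlet), the ActiveDirectory module, and the placeholder alias and tenant domain. Enable-RemoteMailbox itself writes msExchRecipientDisplayType, msExchRecipientTypeDetails, msExchRemoteRecipientType and targetAddress, so the step 1 values are used here as the expected post-condition, and the mail and proxyAddresses rules are checked alongside them.

```powershell
# Added example, not the poster's or Microsoft's script. Assumes an on-premises Exchange
# Management Shell with the ActiveDirectory module and the placeholder values below.
Import-Module ActiveDirectory

# Recipient attribute values for a remote (Office 365) user mailbox, as listed in the post.
$RemoteUserMailbox = @{
    msExchRecipientDisplayType = -2147483642
    msExchRecipientTypeDetails = 2147483648
    msExchRemoteRecipientType  = 1
}

function Test-RemoteMailboxUser {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $TenantDomain      # e.g. tenant.onmicrosoft.com
    )
    $props = @($RemoteUserMailbox.Keys) + @('targetAddress', 'mail', 'proxyAddresses')
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $problems = @()

    foreach ($name in $RemoteUserMailbox.Keys) {
        # msExchRecipientTypeDetails is a large integer; compare everything as Int64.
        if ($null -eq $u.$name -or [int64]$u.$name -ne [int64]$RemoteUserMailbox[$name]) {
            $problems += "$name is '$($u.$name)', expected $($RemoteUserMailbox[$name])"
        }
    }

    # The routing address must point at the tenant and also be one of the proxy addresses,
    # otherwise on-prem Exchange cannot forward mail to the cloud mailbox.
    $target = [string]$u.targetAddress
    if ($target -notmatch "^SMTP:[^@]+@$([regex]::Escape($TenantDomain))$") {
        $problems += "targetAddress '$target' does not route to $TenantDomain"
    }
    if (@($u.proxyAddresses | Where-Object { $_ -eq $target }).Count -eq 0) {   # -eq ignores case
        $problems += "targetAddress is not present in proxyAddresses"
    }

    # Exactly one primary (upper-case SMTP:) proxy address, and it must equal mail.
    $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected exactly one primary SMTP: proxy address, found $($primary.Count)"
    } elseif ($primary[0] -ne "SMTP:$($u.mail)") {
        $problems += "primary proxy address $($primary[0]) does not match mail $($u.mail)"
    }
    return $problems
}

# Step 2 from the post: on-prem Exchange stamps the recipient attributes and targetAddress.
$alias  = 'first.last'                # placeholder
$tenant = 'tenant.onmicrosoft.com'    # placeholder
Enable-RemoteMailbox -Identity $alias -RemoteRoutingAddress "$alias@$tenant"

# Verify before AADConnect picks the object up; every line returned names a misconfigured attribute.
$issues = Test-RemoteMailboxUser -SamAccountName $alias -TenantDomain $tenant
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "$alias is a valid remote mailbox user" }
```

The same function can be run against existing users as a drift check, which catches the case where a sync rule or script later rewrites proxyAddresses and silently drops the routing address.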

FIM CM Cannot issue Smart Card


I have installed and configured FIM 2010 R2 SP1 and all is working, but I cannot issue a smart card. I get this error on the web page. The smart card is a Gemalto USB "SmartCard Gemalto .NET V2+".

I have the middleware and card reader installed, and it all seems to be in order.

After this screen, I get the error below.

I enabled logging locally and this is all I get.

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::LoadOnReader ATR=3B1696417374726964

CCardModuleImpl::LoadOnReader Name=Axalto Cryptoflex .NET

CCardModuleImpl::LoadOnReader Provider=axaltocm.dll

CCardModuleImpl::LoadOnReader CSP Name=Microsoft Base Smart Card Crypto Provider

CCardModuleImpl::LoadOnReader CardId={3BBC36B9-9858-5F58-290C-81EA6707CDDE}

AdkDispatchMessages() 4

CCardModuleImpl::EndTransaction Ended transaction

AdkDispatchMessages() 6

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::LoadOnReader ATR=3B1696417374726964

CCardModuleImpl::LoadOnReader Name=Axalto Cryptoflex .NET

CCardModuleImpl::LoadOnReader Provider=axaltocm.dll

CCardModuleImpl::LoadOnReader CSP Name=Microsoft Base Smart Card Crypto Provider

CCardModuleImpl::LoadOnReader CardId={3BBC36B9-9858-5F58-290C-81EA6707CDDE}

AdkDispatchMessages() 7

CCardModuleImpl::EndTransaction Ended transaction

AdkDispatchMessages() 3

> CSCardResourceManager::GetClientVersion

CSCardResourceManager::GetClientVersion retrieving module name

CSCardResourceManager::GetClientVersion retrieving FileVersionInfo

CSCardResourceManager::GetClientVersion querying version number

< CSCardResourceManager::GetClientVersion

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::EndTransaction Ended transaction

AdkDispatchMessages() 5

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::EndTransaction Ended transaction

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::EndTransaction Ended transaction

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::EndTransaction Ended transaction

< CCardManager::EndTransactionKeepAlive Started

SmartCardTransactionKeepAlive::EndTransactionKeepAlive

< CCardManager::EndTransactionKeepAlive Completed

< CCardManager::InitializeSecureSession

--- InitializeSecureSession.ValidateCertChain skipped

> CCardManager::InitializeSecureSession SUCCEEDED

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::EndTransaction Ended transaction

AdkDispatchMessages() 7

CCardModuleImpl::BeginTransaction Began transaction

CCardModuleImpl::EndTransaction Ended transaction

AdkDispatchMessages() 4

CCardModuleImpl::BeginTransaction Began transaction

< CCardManager::StartTransactionKeepAlive Started

SmartCardTransactionKeepAlive::StartTransactionKeepAlive

SmartCardTransactionKeepAlive::StartTransactionKeepAlive Starting Keep Alive thread

SmartCardTransactionKeepAlive::StartTransactionKeepAlive Completed

< CCardManager::StartTransactionKeepAlive Successfuly started

< CCardManager::StartTransactionKeepAlive Completed


Nosh Mernacaj, Identity Management Specialist


Metaverse Attribute Contributing MA


Hi All,

I have a person object with several contributing MAs; however, there is still contributing information from an MA that was disconnected. The settings for the disconnected MA were to recall the attributes, or flow precedence should have picked up the information from the other contributing MAs.

How do I remove the Contributing MA from this user?
