Channel: Forum Microsoft Identity Manager

MIM SSPR wrong error message

Hi,

We have deployed the default out of the box MIM 2016 SSPR solution.

When registering for SSPR, if a user types in a " " (i.e. space) for an answer, MIM does not respond with the expected error message of "your answer must be 4 characters or more".

Instead, MIM responds with the following wrong error message:

The password that you entered is incorrect. You must enter the correct password in order to register for Password Reset. (Error 3006)

Is this a MIM bug?

I know we can modify the 3000 message, but this clearly is the wrong error message being called by MIM. Also, I don't want to customise this error message, as it may give me the wrong message for another issue.

Any advice?

thank you,

sk




MIM Hybrid Reporting Agent Install fails with Event ID 118 / MSI Error status 1603

We are currently attempting to install the MIM Hybrid Reporting Agent, as detailed here: https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-identity-manager-hybrid-reporting

The install fails with Event ID 118 logged in the Application Event log (full details pasted below) "The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout "

Proxy access is enabled and the Azure PowerShell bits are installed on the server, and I am able to connect to the tenant and run various commands to confirm connectivity.

I've enabled verbose MSI reporting and this seems to be the place where the install ends with error status 1603.

SI (s) (DC!48) [10:20:23:172]: Creating MSIHANDLE (37) of type 790531 for thread 9800
CAQuietExec64:  Error 0x80070001: CAQuietExec64 Failed
MSI (s) (DC!48) [10:20:23:172]: Closing MSIHANDLE (37) of type 790531 for thread 9800
CustomAction RegisterClient returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (DC:E4) [10:20:23:172]: Closing MSIHANDLE (33) of type 790536 for thread 7588
Action ended 10:20:23: InstallFinalize. Return value 3.

...

...

[10:20:28:124]: Windows Installer installed the product. Product Name: Microsoft Identity Manager Hybrid Reporting. Product Version: 4.3.2041.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

[Further Update...] I have now taken a network trace and can see three attempts to establish a connection to the alias of pks.aadg.windows.net.nsatc.net - aadgc.aadg.windows.net.nsatc.net. After the hostname is resolved, there is an attempt to send it a SYN for the first part of a 3-way handshake, none of which gets a response. After which there is an "ICMP Destination Unreachable" from the firewall. Therefore, these attempts to connect are not going via the proxy but trying to go directly, and are blocked by the firewall. Should these attempts go via the proxy, or is direct connectivity required?

Is there a recommended method for validating if all the required network connectivity is in place?

Any suggestions for next troubleshooting steps would be gratefully received...

Alastair

-

Log Name:      Application
Source:        MIM Hybrid Reporting Monitoring Agent
Date:          21/11/2016 10:20:23
Event ID:      118
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      IMMIMSTPDVVW01.devswad.net
Description:
Agent.Main;Client activation failed:The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout.
System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System ........



Help with SAP ECC6 on MIM 2016 Web Services Connector failing to make .wsconfig file

When I run the discovery tool I am getting the following error.

What's weird is it completely reads the .WSDL file and returns all the info you would expect, then I get this error.

In the WSDL this is what I see as configured by the only binding in the service:

<sp:TransportBinding xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>
    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken>
          <wsp:Policy>
            <sp:HttpBasicAuthentication/>
          </wsp:Policy>
        </sp:HttpsToken>
      </wsp:Policy>
    </sp:TransportToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic128Rsa15/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Strict/>
      </wsp:Policy>
    </sp:Layout>
  </wsp:Policy>
</sp:TransportBinding>

Has anyone ever seen this before?

MIM and managing Admin accounts

Hi,

We are looking at managing our Admin accounts using MIM.

However, when an Admin account is placed in any of the following groups, as listed in this article https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx, the AdminSDHolder attribute is set to 1, which means MIM cannot manage this account any more.

How have others used MIM/FIM to manage Admin accounts?

Thank you,

SK

MIM SSPR account lock out just by pressing Cancel on the Pwd Reset Screen

Hi,

So our MIM 2016 (build 4.3.2266.0) SSPR lockout gate is configured as follows:

  • Lockout duration after Lockout Threshold is reached (minutes): 15
  • Lockout Threshold – number of times the user can fail to complete the workflow: 3
  • Number of times the user can reach the Lockout Threshold before permanent lockout: 1

At logon, if a user clicks "Problems Logging In?", but DOES NOT complete the Answers and simply clicks the CANCEL button on the screen where the Questions are presented, MIM takes that as an incomplete set of Answers and locks the account in the MIM Portal.

Surely this is a MIM bug?

Regards,

SK


FIM will provision mailboxes based on the user's office location

FIM will provision mailboxes based on the user's office location. If so, can you help us on the rule extension part/sync rule/workflow/PS WF activity to proceed further.

Please help us out on this.

thanks

Sivakama

A lot of errors in event viewer on FIM Sync server.

I have thousands of errors in event viewer > applications and services logs > Forefront Identity Manager Synchronization > Operational. They are all very similar. What causes them?

HRESULT: '0x0' Source: 'd:\bt\25920\private\source\miis\server\mgmt\perfmon\prfdata.cpp(654)'  Thread ID: '0x213C' Additional Info: ''

HRESULT: '0x80070002' Source: 'd:\bt\25920\private\source\miis\server\mgmt\perfmon\prfdata.cpp(956)'  Thread ID: '0x213C' Additional Info: ''

HRESULT: '0x80230404' Source: 'd:\bt\25920\private\source\miis\server\sqlstore\csobj.cpp(8254)'  Thread ID: '0xCF4' Additional Info: ''

HRESULT: '0x80070002' Source: 'd:\bt\25920\private\source\miis\server\mgmt\perfmon\optex.cpp(245)'  Thread ID: '0x22AC' Additional Info: ''



Sync groups from AD to FIM

I'm trying to sync groups (DL and Security) along with their membership from one AD to another AD. I'm referencing the sample https://technet.microsoft.com/en-us/library/ff686936(v=ws.10).aspx and I'm not able to find the "Scope" and "Type" attributes to map.

They are also not included in the "Show All" for the Select Attributes page.

Any idea what I'm missing?

Thank you.

David


David Downing


Your easier chance to become a FIM Guru medal winner for November!

Dearest Microsoft Technologists!

This is your last minute call for November Gurus!

You have just over a week left to submit anything you post to TechNet Wiki, into our competition, and you could win BIG!

With the management in turmoil due to MVP Summits and RL interruptions, there has been low publicity this month for the competition.

This simply means any half decent submission to TechNet Wiki can win a medal... and a place in history!

Changes are under way in this competition, and medals will count towards REAL WORLD PRIZES in the new year...

So get in while you can, and start making a name for yourself in your favourite technologies.

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker - Azure MVP


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Users Bulk Load into FIM best approaches

Hi,

We have a requirement of loading users into FIM using .CSV files. Currently we have implemented this using FIM Sync. Below are the MAs we used to export the users to FIM and then to FIM Sync.

SQL MA

FIM MA

ADDS MA

We are looking into areas of improving with respect to performance. What can be a better approach for bulk load of users into FIM? Can we use the FIM Client/FIM API instead of FIM Sync? Please suggest.

Thanks

Prasanthi.

MIM SSPR client does not honor "Enforce Password History" Domain Password Policy setting

Hi,

We are running the MIM solution and SSPR (MIM v 4.3.2266.0).

Our AD Domain password policy has "Enforce Password History" set to 5.

When using the MIM SSPR client, "Enforce Password History" is totally ignored, and we are able to reuse the same password over and over.

When attempting to change password from the Ctrl-Alt-Del screen, only then is password history enforced.

Is this a MIM SSPR bug?

thanks,

sk

MIM 2016 Web Services Connector not Generating Verbose Log

I am using the MIM 2016 Web Services Connector to get data from SAP ECC 6.  I can successfully pull users using the default import function in the SAP ECC 6 with User wsconfig.  However, none of the other object types work.  I've reduced my MA to just pull roles. In the standard event log I get the following information.

The extensible extension returned an unsupported error.
 The stack trace is:
 
 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ServiceModel.FaultException: Web service processing error; more details in the web service error log on provider side (UTC timestamp 20161123164636; Transaction ID 58353498975B21E1E10000000AFC835B)
Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeEndService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at defaultNS.ZSapconnectorWebservice.EndBAPI_HELPVALUES_GET(IAsyncResult result)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at Microsoft.IdentityManagement.MA.WebServices.Activities.WebServiceCallActivity.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
   at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.MA.WebServices.AbstractWorkflowOperation.ThrowSyncEngineExceptionFromUnhandled()
   at Microsoft.IdentityManagement.MA.WebServices.ImportStrategy.GetImportEntries(ImportRunStep importRunStep)
   at Microsoft.IdentityManagement.MA.WebServices.WebServiceManagementAgent.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1237.0"

I'm trying to get more information about where in the connection this is failing out, so I added logging in the workflow. However, where I added logging is not actually generating any log messages. I have all of the messages I added set to [Verbose] and [TRACE].

Then I followed the directions in the documentation to set the logging.xml file to enable verbose logging:

<rules-extension-properties>
  <logging>
    <use-single-log>false</use-single-log>
    <file-name>WebServicesConnector.log</file-name>
    <logging-level>3</logging-level>
  </logging>
</rules-extension-properties>

However, even after closing the Web Services Connector tool and resaving the .wsconfig I've been using, plus restarting the sync service, I am not getting any log entries in a file called WebServicesConnector.log as described in the documentation. Any thoughts on why the logging isn't being produced? Is there a "debug" setting that needs to go somewhere that's not in the documentation?

MIM Service Event Log not created during SP1 installation

I've just done a fresh install of MIM 2016 SP1 Service and Portal. Normally I would expect to find its own event log under "Applications and Services Logs" in Event Viewer - but it's not there. Has this log been discontinued or is this a bug with the SP1 installer?

Carol


http://www.wapshere.com/missmiis

MIM action workflow functionality clarification

Dear All,

I have a scenario where I have written an action workflow to perform a certain action on an AD user account. But before performing the action, the changes in the FIM Service database (portal) are supposed to be exported (updated) to AD via the ADMA.

1) How can I achieve the above scenario?

2) How can I make sure that the ADMA doesn't re-import the old data and synchronize this data back to the FIM server while the workflow is executing?

best regards 

Sri


FIM newbie query

I'm looking at an issue in our FIM - we have been using FIM for a number of years and it mostly works but we have a specific issue at the moment with a group of users.  I'm very very new to FIM so excuse any terminology errors in the below.

We sync from "our_parent_company" reading AD objects from multiple domains into the MV.  Then the flow creates mail enabled contacts in our own AD in a specific OU for email purposes using a second management agent.

A few users from "our_parent_company" have moved domains and/or changed their office addresses recently and we're not getting updates in our contacts folder in our AD for these users. We're not sure how many, but it's probably in the tens.

I have tried explicit disconnects from the MV for the objects but they don't re-provision even into the MV from the "import connector".   New objects in our parent company AD provision OK in our contacts folder.  The issue just seems to impact users at our parent company who have had something substantial changed about their AD account, ie, domain, or office address etc.

We're not seeing any sync errors for these users and can verify them as existing with the correct info in the remote AD as we have visibility.

Could it be related to the moved/changed objects having the same CN values so the explicit disconnect is causing them to be ignored?  They wouldn't sync before we tried the explicit disconnect either but we're just trying what we know.

I've checked the attribute flow/attributes to check we're reading the correct values, but even if we weren't, what would stop a changed AD object syncing into the MV when new objects sync OK?

Many thanks

Andy


Andy CR

ADMA password sync reset/change

How does ADMA password sync work?

ADMA change password (using old password set the new password)

OR

ADMA reset (set new password only)

FIM and PCNS are in the source domain and the target domain is a non-trusted domain. For both domains, an ADMA is configured. Is FIM able to sync a password change in the source domain to the target domain?


Dushyant Singh


PAM Installation Wizard Fails

Followed installation steps up to running the PAM install wizard. After inputting all the data in the wizard, the wizard just fails with a generic message; turned logging on. The log shows the following error. Any ideas on what is wrong? Thanks.

MSI (s) (04:8C) [07:01:33:505]: Skipping action: NotValidServiceEmailAccountFormat (condition is false)
MSI (s) (04:8C) [07:01:33:505]: Doing action: EncryptExchangeOnlineAccountPassword
Action 7:01:33: EncryptExchangeOnlineAccountPassword.
Action start 7:01:33: EncryptExchangeOnlineAccountPassword.
MSI (s) (04:D4) [07:01:33:505]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIB0.tmp, Entrypoint: EncryptExchangeOnlineAccountPassword
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIB0.tmp-\
SFXCA: Binding to CLR version v2.0.50727
Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.EncryptExchangeOnlineAccountPassword
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Exception:Failed logon user while attempting to impersonate user: MIMService
   at Microsoft.IdentityManagement.ServerCustomActions.Impersonator.Impersonate(String domain, String userName, String password)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.Encrypt(String accountDomain, String accountName, String accountPassword, String unencryptedString)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.EncryptExchangeOnlineAccountPassword(Session session)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction EncryptExchangeOnlineAccountPassword returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


Hilalh

MIM PAM Demo App only working locally

I am trying to evaluate MIM PAM.
Everything works as expected so far except for the MIM PAM Management Portal Demo Application where users can manage their roles.
It only works when logged on locally at the PAM Server. When logged on to a different machine (in the RED forest or in the CORP forest) I can see a 401 error in the IIS log of the REST API Web Site. At the client I get a logon window when clicking one of the options: "Activate", "View History" or "Approvals".
One difference in the IIS logs I can see is that all successful requests have IPv6 link-local addresses for client and server, while all lines with errors have IPv4 addresses. The bindings in IIS are "*:<port>" for both Web Sites and the redirect works, as I see requests in the logs of both virtual servers.

Any help is appreciated.
Henry


Performance issues with FIM MAs

Hi,

We are using FIM 2010 R2 version 4.1.3479.0.

Been looking over threads for performance issues and have not been able to work out why our instance of FIM has all of a sudden gone quite slow, particularly the AD MA. From a month ago the AD MA FIFS was about 20 mins to run and now it's over an hour. We've only added an extra 300 users to sync in that time; we are syncing about 22k users for the AD MA.

As I write this the Full Import and Synchronization step is running at about an average 5 objects/s read rate.

The FIM sync and the FIM service servers are both looking very unstressed as is the SQL server they are connected to.

Have restarted the 2 FIM services and even the servers themselves.

Question is, if the performance of the SQL and the OS looks OK, is there any way to pinpoint in the FIM app what could be slowing the MAs down? Something like perhaps a lot of fails and retries.

Thanks!
