Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles
Browse latest View live

Extension-DLL-exception when doing a full sync


Basically what I'm trying to do is to sync AD attributes of users from one forest to a resource forest using FIM. I have created the necessary management agent as well as workflows, sets, MPRs and sync rules.

The configuration I made is working on a dev environment, but when I try to replicate it to our PROD, executing a full sync gives a lot of errors pertaining to an extension DLL exception. I have drilled down on a particular user and tried to generate a preview, but the error points to the DN.



I did read an article about trimming the custom expression that is mapped to the DN, but to no avail.

Thanks. 


FIM 2010 R2 to MIM 2016 SP1 upgrade paths


https://docs.microsoft.com/en-us/microsoft-identity-manager/understand-explore/microsoft-identity-manager-2016-sp1-release-notes mentions that I have to upgrade FIM 2010 R2 SP1 to MIM 2016 before upgrading to MIM 2016 SP1. Is this only applicable when doing in-place upgrades on the same server? I've searched quite a bit and haven't been able to find out whether it's supported to do a MIM 2016 SP1 deployment to new Windows servers, reusing the FIM R2 SP1 sync and service DBs... I'd like to end up on Windows 2016 servers, but since that is only supported with SP1, I'd like to avoid having to install a separate 2012 server just for the FIM R2 -> MIM RTM upgrade...

Anyone know what the official word is?

FIM 2010 R2 - IFF and Custom Expression - Error


Hi

I am using this kind of IIF in an outbound synchronization rule:

IIF(Eq(PaymentGroup,10),3,IIF(Eq(PaymentGroup,322),3,IIF(Eq(PaymentGroup,11),0,IIF(Eq(PaymentGroup,323),0,Null()))))

The destination attribute is EmploymentType, which is a number attribute in the SQL view. Everything goes well, but when running a sync from the FIMMA, the connector update shows an error. See the picture.

So the only place to see this error is in the sync preview. Running a normal sync doesn't give any errors, and the export to the connected destination doesn't give any errors either. So I am wondering whether the IIF syntax is correct. PaymentGroup (the metaverse attribute) and the destination attribute are both number/integer attributes.

The destination attribute value doesn't flow to the destination system. Other attributes are flowing ok.

MIM 2016, SQL Server 2016 and "Server and Portal Setup Wizard ended prematurely"


I am testing migrating FIM 2010 R2 / SQL 2012 to MIM 2016 SP1 / SQL 2016. We set up a virtual environment to facilitate this test. The in-place upgrade of FIM to MIM went relatively smoothly, as did porting the FIMSynchronizationService DB from SQL 2012 to the SQL 2016 environment. However, I've gotten stuck on updating the portal to use the DB in SQL 2016. A 'Change' install of the Service and Portal is failing with the message "Server and Portal Setup Wizard ended prematurely". The install log indicates that

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable.

The error is basically the same as the one in this article: http://www.fimspecialist.com/fim-r2-sp1-fim-service-and-portal-setup-wizard-ended-prematurely/

Unfortunately, the solutions presented there do not resolve my issue. I've also tried uninstalling / re-installing the FIM portal, with the same results.

What's weird is that I can no longer get the FIM portal to install using the DB that was set up on SQL 2012 either. My FIM virtual environment is set up in a Hyper-V cluster and is on its own virtual network. I wouldn't think any of this would cause problems with the FIM setup, but the 'RPC server unavailable' error does seem like it's network related.

Any suggestions on how to resolve this issue or how to further investigate the root cause of 'RPC server is unavailable' would be greatly appreciated.

Thanks

ADFS 3.0 issue while authenticating to third party web application using WS-Federation


I need some help regarding the ADFS setup in our project.

  1. We are using Liferay Portal in our application for authenticating the users and SSO using SAML.
  2. We have another requirement to authenticate an application from Liferay. But that new application will not support SSO using a SAML token.
  3. Hence we are trying to bring ADFS 3.0 in between Liferay and the third-party application:
    1. User logs in to Liferay -> clicks on the third-party app icon -> SAML token is generated -> hits ADFS -> converted to Kerberos -> application authenticates.
  4. Liferay authenticates via AD (A) and the third-party application sits on another AD (B). Both ADs share the same forest and have a trust between them.
  5. We have configured everything but are facing an issue while redirecting to the application. Below are the details of the error.

Sharepoint Timer Service Issue on Forefront Identity Manager Server 2010 R2


Hello All,

There is rapid growth in log files, up to 21 GB per file, under C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\LOGS, which fills the C drive on the server that holds Forefront Identity Manager 2010 R2.

On checking one of the log files, it shows the entry below, which is repeated multiple times and makes the log files grow.

Message in Log:

12/08/2016 15:30:59.99  OWSTIMER.EXE (0x3838)                    0x13DC Windows SharePoint Services    Timer                         5uuf Monitorable The previous instance of the timer job 'Config Refresh', id '<id>' for service '<service>' is still running, so the current instance will be skipped.  Consider increasing the interval between jobs. 

Kindly help us with how to resolve this rapid log file growth.

Thanks

PowerShell to show who has not registered for SSPR


Hi,

The following script shows who has registered for SSPR (this script works)... but how do I modify it to show who hasn't registered for SSPR?

# FIM Service endpoint; the trailing apostrophe is part of the address.
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice'" -option constant
set-variable -name CSV -value "RegistredResetPassUsers.csv"

clear

# Load the FIMAutomation snap-in if it is not already loaded
If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}

# Look up the ObjectID of the Password Reset AuthN workflow
$WFDFilter = "/WorkflowDefinition[DisplayName='Password Reset AuthN Workflow']"
$curObjectWFD = export-fimconfig -uri $URI -onlyBaseResources -customconfig ($WFDFilter) -ErrorVariable Err -ErrorAction SilentlyContinue
# ObjectID comes back as urn:uuid:<guid>; keep only the guid
$WFDObjectID = (($curObjectWFD.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "ObjectID"}).value).split(":")[2]

# Users whose AuthNWFRegistered attribute references that workflow have registered for SSPR
$Filter = "/Person[AuthNWFRegistered = '$WFDObjectID']"
$curObject = export-fimconfig -uri $URI -onlyBaseResources -customconfig ($Filter) -ErrorVariable Err -ErrorAction SilentlyContinue

[array]$users = $null

foreach($Object in $curObject)
{
 $ResetPass = New-Object PSObject
 $UserDisplayName = (($Object.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "DisplayName"}).Value)
 $ResetPass | Add-Member NoteProperty "DisplayName" $UserDisplayName
 $Users += $ResetPass
}

$users | export-csv -path $CSV

Thank you
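One way to produce the complement list, as an added example that is not the poster's script and not Microsoft's code: the FIM Service XPath dialect accepts not(), so the users who have not registered are the result of the negated filter rather than a client-side subtraction. It assumes the FIMAutomation snap-in (Export-FIMConfig), the default FIM Service endpoint on the local server, and the workflow display name used in the question; the function and variable names are the editor's own.

```powershell
# Added example (editor's code, not the poster's or Microsoft's): report who has
# registered for the SSPR AuthN workflow and, the point of the question, who has not.
# Assumes the FIMAutomation snap-in and the default FIM Service endpoint.

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# The trailing apostrophe is part of the FIM Service address, not a typo.
$FimServiceUri = "http://localhost:5725/resourcemanagementservice'"

# Pull one attribute value out of an exported resource.
function Get-FimAttributeValue {
    param($Resource, [string]$AttributeName)
    ($Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }).Value
}

# Resolve the ObjectID (bare GUID) of the single resource matched by an XPath filter.
function Get-FimObjectId {
    param([string]$Filter)
    $resource = Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $Filter -ErrorAction Stop
    if (-not $resource) { throw "No resource matched filter: $Filter" }
    # ObjectID is returned as urn:uuid:<guid>; split on ':' and keep the guid.
    (Get-FimAttributeValue $resource 'ObjectID').Split(':')[2]
}

# AuthNWFRegistered is a multi-valued reference attribute on Person holding the
# AuthN workflows the user has registered for. With -Unregistered the query is
# negated with not(), so the FIM Service returns the complement set directly.
function Get-SsprRegistrationReport {
    param(
        [string]$WorkflowDisplayName = 'Password Reset AuthN Workflow',
        [switch]$Unregistered
    )
    $workflowId = Get-FimObjectId "/WorkflowDefinition[DisplayName='$WorkflowDisplayName']"

    if ($Unregistered) {
        $filter = "/Person[not(AuthNWFRegistered = '$workflowId')]"
    } else {
        $filter = "/Person[AuthNWFRegistered = '$workflowId']"
    }

    Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $filter -ErrorAction Stop |
        ForEach-Object {
            New-Object PSObject -Property @{
                DisplayName = Get-FimAttributeValue $_ 'DisplayName'
                AccountName = Get-FimAttributeValue $_ 'AccountName'
                Registered  = [bool](-not $Unregistered)
            }
        }
}

# Usage: the unregistered list is what the question asks for.
Get-SsprRegistrationReport -Unregistered |
    Export-Csv -Path 'NotRegisteredResetPassUsers.csv' -NoTypeInformation
```

The negated filter returns every Person resource that does not reference the workflow, which includes built-in accounts such as Administrator and the Built-in Synchronization Account; add a further predicate (for example on AccountName or Domain) if the report should list only real users.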


Sync AD and Custom Attributes from SQL to SharePoint User profile - FIM/MIM


We are working on the sync process using FIM/MIM to sync AD and custom attributes from SQL Server to the SharePoint user profile.

So far I have done:

  1. Created management agents for AD, SQL Server and SharePoint.
  2. Created custom attributes in the metaverse.
  3. Mapped and defined the attribute flow from the SQL Server agent to the metaverse.
  4. Mapped and defined the attribute flow from the metaverse to the SharePoint agent.

But after running the full sync cycle, the custom attributes are not getting updated in the SharePoint user profile.

Please let me know if I am missing any steps.


    MIM Hybrid Reporting - Azure Password Reset Activity Report does not show Failed audit events


    Is it expected for the QA Password Reset AuthN Workflow to end in a Terminated state because of an exception, if the questions are answered incorrectly?

    Is anyone using Hybrid reporting and seeing all their failed events uploaded?

    Because...

    We have Deployed Microsoft Identity Manager 2016 SP1 on Windows Server 2012 R2 and the Microsoft Identity Manager Hybrid Report Agent and the MIM Extensions to our clients to enable SSPR.

    The agent is installed successfully and events are being shipped to Azure and appearing in the Password Reset Activity Report. However, while the report contains all SUCCEEDED events, only ONE of the many tested FAILED events appears in Azure, as seen using the Classic Portal under "Subscription Reports - Password Reset Activity - Source = Identity Manager".

    Looking at the "Identity Manager Request Log" on the on-premises server, I can see that there are 4121 events written to the log for unsuccessful events; however, these events are not being shipped to Azure.

    This reporting is required to provide an audit trail of users’ successful and unsuccessful attempts to undertake SSPR.

    Looking at the JSON data in the 4121 event that is consumed by the Hybrid Reporting Agent, there is an exception logged. I wonder if the event is mangled and that is why the agent is failing to upload it? There is a corresponding Event ID 2 in the FIM event log: "Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown."

    The following is extracted from the parsed JSON in the 4121 event of the FAILED events that are not uploaded:

       DisplayName : Password Reset AuthN Workflow
       ObjectType : WorkflowInstance
       WorkflowStatus : Terminated
       WorkflowStatusDetail : EXCEPTION DATA\\r\\n\\r\\nMESSAGE: Exception of type    'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.\\r\\n\\r\\n"

    While troubleshooting this over the last few days, I have discovered the Azure AD Reporting API and by using an example script for auditing and rooting through the Azure AD Graph API have been able to show that we do have 4121 "Failed" events in the event log that are not being uploaded to Azure.

    The difference between the event that is uploaded and the events that are not uploaded is the status of the Password Reset Workflow.  For the event that is uploaded, the workflow is in the "completed" state.  All other Failed events are in the Terminated state, due to experiencing the exception shown.

    I enabled MIM tracing, which is new to me, this appears to be where the exception is thrown and the workflow terminated:

    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Enter"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Exit"
    "Request 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074' updates have been persisted to permanent storage."
    "Workflow Instance 'c50c3e4b-0e0b-4eae-8083-db8e5b44bcbc' [Description: ] recorded the following event: Persisted at 08/12/2016 16:50:31."
    "XPathDialectParser.ParseXPathExpression.Enter(/Request[ObjectID='d29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.Enumerate.BuilderResult(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.ParseXPathExpression.Exit(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Enter"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Exit"
    "The authentication workflow instance was in an unexpected state: Terminated"
    "Workflow Instance 'c50c3e4b-0e0b-4eae-8083-db8e5b44bcbc' status 'Terminated' has been committed to permanent storage. Exception: 'EXCEPTION DATA\r\n\r\nMESSAGE: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.\r\n\r\n'."
    "Current request cache does not contain request 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'."
    "XPathDialectParser.ParseXPathExpression.Enter(/Request[ObjectID='d29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.Enumerate.BuilderResult(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.ParseXPathExpression.Exit(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Enter"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Exit"
    "Request 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074' updates have been persisted to permanent storage."
    "HostActivator refreshing active host cache."
    "HostActivator finished refreshing active host cache."
    "Post Processing Manager is checking Requests for completion."
    "The scan to check for Completed Requests started with Request Key '37073' and ended at Key '0'."
    "Post Processing Manager has finished checking Requests for completion."

    ---

    Thank you,

    Alastair.

    Cannot run any management agent after MIM 2016 SP1 upgrade


    I have recently upgraded a FIM 2010 R2 installation to MIM 2010 SP1. The upgrade setup for FIM sync, service and portal went fine. However, after that I cannot run any management agent run profile.

    As soon as I choose a run profile, the error "unable to run the management agent" appears with no additional information or error log in Event Viewer.

    I tried to create a new management agent for the FIMMA and run it; it ran successfully with no problem. However, my concern is that if I create new management agents for the others, I will break the sync rule attribute flow.

    Has anyone faced this before?


    MM

    MIM2016SP1 - Generic SQL Connector - using 2 Object Types and setting reference Error: Unable to retrieve schema 0x80231343


    Hello, 

    I am getting an error while configuring the Generic SQL Connector: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-connector-genericsql

    I am using 2 fixed object types coming from MySQL or MSSQL data source tables. When, on the Schema 4 tab, the reference attribute selection datatype is changed from the default and the reference partition is chosen, for example, an error occurs on pressing Next. The error states:

    Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343

    No errors in Windows event logs or whatever.

    Config:

    MIM 2016 SP1


    Import group membership from HR system


    The company's HR system is not only the source of truth for managed users but also a source for the membership of a subset of groups used within AD.

    A SQL view of the group membership is available with a basic structure of GroupName, UserID.

    The FIM solution currently uses a codeless / declarative setup.

    As expected, the HR MA is a SQL connector.

    I tried to set up a SQL MA for the group object type with an inbound sync rule in FIM, hoping that the user would be added to the member attribute of the group object, but without much success.

    What is the best way to achieve this, please, without necessarily resorting to using a PowerShell MA? Details, and not just a high-level overview, would be appreciated.

    Thanks

    upgrade from fim 2010 r2 to mim 2016 sp1


    Hello, I got a problem when upgrading from FIM 2010 R2 to MIM 2016 SP1.
    The sync service, the service and the portal were upgraded successfully with no errors,
    but when opening the sync service and running a management agent, I'm getting the following error: 0x80230020
    Any idea?



    Customize Azure AD Connector


    Hello Friends,

    I am in a process where our management wants to migrate all FIM Management Agents to the Azure AD Connector. Is it possible to customize all FIM MAs to the Azure AD Connector? If yes, could anyone please guide me or share any documentation? It would be appreciated and really helpful to me.

    Currently we have ADMA, SQLMA, Lotus Notes MA, Azure MA (DirSync) and Azure License MA (PowerShell).

    Thanks & Regards,

    Pramod Chandra Das | IND


    With Best Regards, Pramod Chandra Das

    Default Disconnect accounts reprovisioned


    Hi,

    I know this might sound like a noobie question,

    but when I Disconnect (Default) an object, why does FIM reprovision the account?

    Should I use an explicit disconnect?

    After a time we need to rejoin the account, but it only looks at the newly provisioned account and never picks up the old account.


    BHOLD delegation not working in BHOLD self service


    Hi All,

    The delegation calendar is not showing in the BHOLD self service. Are there any settings which need to be enabled for this? I only get a checkbox for Delegate. The "Delegate to" period doesn't come up.

    Issue with establishing PAM trust


    Hi All,

    I am facing issues while establishing PAM trust.

    Here is my scenario. I have a root domain (RD) and under that a sub domain (SD). The SD contains all the groups and users. A tree root trust already exists between RD and SD. I am trying to establish a PAM trust. I gave the new PAM trust to SD by giving the source domain as SD. But it is failing, stating that the username or password is incorrect. I had provided SD\domain admin credentials.

    If I give the same credentials to establish a trust between RD and PRIV, then it succeeds. I wanted to know if this is the expected behavior.

    I performed the netdom command alternative to establish the trust to SD and it worked. But Test-PAMTrust fails, and New-PAMGroup also fails, stating that the username or password is incorrect. I checked the audit logs of the SD and the Audit Success logs are being registered for the account I am trying to use. Please let me know how to debug/fix this issue.

    Who will be crowned the last FIM Guru of 2016!!


    Calling all wise men!

    Join us and rejoice!

    THE FINAL CHALLENGE OF 2016!!

    December 2016 Guru, it’s time to share great skills as a TechNet Wiki article and WIN medal(s). Medals? Yes, you can share multiple articles in the same or different categories! Now, navigate to TechNet Guru Competition December 2016  to choose your categories and if it’s not listed add your content in Miscellaneous Category!

    New and last month of the year 2016. It’s time for us to wave hands to say "bye bye 2016" by winning TechNet Wiki Guru medals. Let’s make this December to Remember! 

    All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

    A snippet you share can make you a December 2016 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

    HOW TO WIN

    1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

    2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed)

    3) Every month, we will highlight your contributions, and select a “Guru of the Month” in each technology.

    If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once “on our radar” and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

    Winning this award in your favorite technology will help us learn the active members in each community. 

    Feel free to ask any questions below.

    More about TechNet Guru Awards.

    You Share We Care!

    TechNet Wiki Addict Chen V and ...


    Thanks,

    If my reply is helpful please mark as Answer or vote as Helpful.

    My blog | Twitter | LinkedIn

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    CN and attribute flow


    Hello!

    I'm writing a sync rule with a DN attribute flow.

    It looks like this:

    IIF(Eq(employeeStatus,"0"),"cn="+displayName+",OU=NotActive,DC=test,DC=lab",
    IIF(Eq(employeeStatus,"1"),"cn="+displayName+",ounit_mv",
    "cn="+displayName+",OU=Disabled,DC=test,DC=lab")) -> dn

    ounit_mv is generated in an extension rule and looks like OU=Working,DC=test,DC=lab

    I get an error that the CN is not correct:

    "cn=user1fn user1ln,ounit_mv" is not valid.

    How do I need to change my sync rule?

    Thanks!




    Possible bug: MIM 2016 PAM and removal of Shadow Principal membership


    TL;DR: 
    Users do not get removed from shadow principals by PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL based group membership also works. Correct access has been granted to the service account. 


    So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust). 

    I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API result in the user being added to the shadow principal (with a TTL, as expected). So far so good.

    But if the role is manually deactivated before the TTL has expired, I can see all the requests go through successfully (the TTL of the PAM request is set to 0 and it is expired). However, the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as if it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.

    "User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed fromshadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

    However, no removal (or failure events in the MIM/event logs) actually occurs.

    If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

    User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

    So in other words, log-wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens, even though the logs state that 'the user was removed'.

    Has anyone else run into this and perhaps can shed some light on this behavior? 


    Andreas
