My FIM version is 2010 R2 4.1.3733.0
I have an Oracle 11g client and MA. I need to edit one attribute and change the nullable flag, but it is not possible from MA Properties.
How can I do this?
Hi!
I have a strange problem with MPR and Workflows interactions.
1. MPR with Transition In (checking for employee status - vacation/fired, and so on) Action Type is working fine, I get email notifications and Requests are in Completed status.
2. MPR with Modify, Create Action Type (checking for user attribute changes) is working strangely. If only one user was modified, everything is OK. If 2-3 users are modified, I get errors in Requests:
First error:
Update to msidmCompositeType: '' Request PostProcessingError Built-in Synchronization Account
<RequestParameter xmlns:q1="http://microsoft.com/wsdl/types/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="UpdateRequestParameter"><Target>bad9929a-6f4c-4515-9be2-c15f12c09c6b</Target><Calculated>false</Calculated><PropertyName>LastName</PropertyName><Value
xsi:type="xsd:string">User1-TXT333344222</Value><Operation>Create</Operation><Mode>Modify</Mode></RequestParameter>
------------------------------------------------------------
<RequestParameter xmlns:q1="http://microsoft.com/wsdl/types/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="UpdateRequestParameter"><Target>cc87859a-cafe-44fb-b109-e325762a53b3</Target><Calculated>false</Calculated><PropertyName>Department</PropertyName><Value
xsi:type="xsd:string">IT-TXT2222445511</Value><Operation>Create</Operation><Mode>Modify</Mode></RequestParameter>
Second Error: System Event Request PostProcessingError Forefront Identity Manager Service Account
Parent Request: Update to msidmCompositeType: ''
RequestParameter:
<RequestParameter xmlns:q1="http://microsoft.com/wsdl/types/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="SystemEventRequestParameter"><Target>bad9929a-6f4c-4515-9be2-c15f12c09c6b</Target><Calculated>false</Calculated><WorkflowDefinition><Value>747e22cc-0811-46dc-9717-fb43a4b87eff</Value></WorkflowDefinition></RequestParameter>
------------------------------------------------------------
RequestStatusDetail:
<RequestStatusDetail xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2016-12-30T12:23:13.6990636Z">This unknown request parameter cannot be processed.</RequestStatusDetail>
Can anybody say how this problem can be resolved?
Thanks!
Time for a fresh start!
[The Guru is the means of realisation. "There is no knowledge without a teacher."]
We're looking for the first Gurus of 2017!!
All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.
A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!
HOW TO WIN
Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.
Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).
Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.
If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!
Winning this award in your favorite technology will help us learn the active members in each community.
Feel free to ask any questions below.
More about TechNet Guru Awards.
Thanks,
If my reply is helpful please mark as Answer or vote as Helpful.
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
What if we do not have the HROrg (sample) table while setting up bhold (only to be used for attestation)?
Any other way to achieve the same?
Hello,
In FIM 2010 R2, is there any way of achieving time based application access?
Scenario- A user to be allowed to access application for a certain duration only let's say for 1 month. The application is linked to Active Directory Group which has to be managed via FIM and user to be kept as member for the fixed duration only. If the user needs to have access for more time, user can request for extension.
Approach 1- Create 1 attribute("Valid Upto"-Datetime Type) and bind it with user object. Store the expiry date to future date for the users who need to have access to the application. Now, created one Criteria Based / RBAC Group mentioning the desired criteria based on "ValidUpto" attribute. As soon as the criteria doesn't match for any user, it will be thrown out of the group and for the ones whose dates will be extended will still remain a part of the group.
The above approach is challenged by client asking if they need to do this for 100 Applications, there would be a need to create 100 new attributes which will increase the data load for FIM Server as the present user count is approx - 50k(inactive) & 30k(active)
Is there any other standard way of achieving this in FIM 2010 R2, i.e. if there can be any attribute which can be created and bind to request object rather than user object which can be used commonly for all applications or the mentioned approach is standard in terms of industry best practice which won't hamper the database or any other feature of FIM 2010 R2.
Thanks.
Regards,
Manuj Khurana
Hi folks,
We use FIM 2010 R2 extensively and I'm at the point where I'm looking at topologies for integrating Office 365/Azure AD.
It's noted on the AAD MA download page that the MA is feature frozen with a recommendation to move to Azure AD Connect.
The immediate problems I believe I can see with this is it means provisioning becomes a double hop (MA -> on-premise AD -> Azure AD) and as a follow-on, rule extensions can't be used.
Are both of these intermediate conclusions correct and if so, how are people with established FIM/MIM footprints currently dealing with the double hop issue? I'm not keen on introducing this kind of disconnect into the topology if it's not completely necessary.
I'm also not particularly keen on treating FIM like an old backup product where I have to trigger post-execution jobs if I can avoid it. It's much cleaner both from a programmatic, efficiency and documentation (and therefore support and business continuity) perspective to keep everything coming from the source of truth to FIM, and then from FIM to the dependant system.
Cheers,
Lain
Hi All,
After migrating from FIM R2 SP1 to MIM SP1 we are facing an issue with password reset using the MIM Pwd Reset Portal.
Every time it is failing after we provide the new password and confirmation password page. Below are the event viewer details.
[Note: Q & A and OTP is working perfectly. Microsoft.CredentialManagement.ResetPortal]
If anyone faced a similar issue please share the experience. We tried a few solutions which were already posted in the forum related to the below error but no luck.
Error 1: Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: The Request contains changes that violate system constraints. ---> The web service client has encountered the following class of error: SystemConstraint Details: Failed Attributes: Additional Text Details: The Request contains changes that violate system constraints. Correlation Identifier: f66c1f53-9634-4182-9e4c-a195147d144b Failure Message: Request Identifier:
--- End of inner exception stack trace ---
at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse)
at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username)
at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates()
at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace ---
at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
at System.Web.UI.TemplateControl.OnError(EventArgs e)
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.default_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously
Error 2: The error page was displayed to the user. Details: Title: Access denied. Message: Error processing your request: The operation was rejected because of access control policies. Source: The supplied request content violates system rules. Attributes: Details: The Request contains changes that violate system constraints. CorrelationId: f66c1f53-9634-4182-9e4c-a195147d144b RequestId: ErrorCode: 3001 CaughtTime: 01/02/2017 21:38:43 Web Portal: FIM Password Reset Portal Session Id: anxyhd55ox5lflbxcqszl155
Aswathy Raj
Is it possible to allow a Custom Resource type to log in to the FIM portal?
Hi,
I need help to do a sync from a MA to a MV.
Let me explain the current situation:
- I have one MA import from an Active Directory with user objects and contract objects (all are in the same Active Directory).
-- I do projection with the user object to the MV
-- I do a join of the contract object to the user in the MV based on a rule extension that finds the principal contract only
Now I want to have all contracts of a user in a multivalue attribute in the metaverse. How can I do that?
Example :
AD user objects
Name - ID
User1 - 10001
User2 - 10002
AD contract objects
ID - Fonction - UserID
499990 - Manager - 10001
499991 - Sale assistant - 10002
499992 - IT assistant - 10002
The result must be in the MV
Name - ID - Fonction
User1 - 10001 - Manager
User2 - 10002 - Sale assistant, IT assistant
The attribute Fonction must be multivalue.
Can somebody give me a way to do that?
Regards
Hi all,
I have a customer who's rolling out SSPR, where some of their users are unable to perform password reset without prefixing their domain (i.e. they have to log in to the portal as domain\username) where the majority don't have to.
I wondered if there was a duplicate identity in the MIM service with the same user name but different domain for the affected users, but this isn't the case. For good measure, I deleted an affected user from the MIM portal and re-provisioned them but it's still the same.
Does anyone have any idea of how and when the domain is "assumed" or why this might not be working for some users within the exact environment where it works for others?
Thanks,
Paul.
We are with MIM 2016 (4.3.2124.0) and a SQL 2014 SP1 (12.0.4439) cluster. We need to update the SQL cluster to SQL 2014 SP2. As per the plan-design doc in here,
SQL 2014 SP2 is not listed as a supported version for MIM 2016 (4.3.2124.0).
Can anyone advise on this?
Cheers
Hello,
We have implemented MIM 2016.
We have configured the self-service password reset to use SMS Gate with one-time-password.
We want the system to bulk register the users once they are synced from the AD to MIM.
All users have the following values in the AD:
- First Name
- Last Name
- Display Name
- Employee ID
- Mobile Phone
How can we bulk register the users for phone one-time-password, keeping in mind that the employees that we have are not capable of doing such a small task?
Regards,
Hello everyone,
I'm quite new to the FIM PowerShell module and right now I'm in the middle of testing bulk creations and modifications via PowerShell.
This is working fine so far, but for me it's not possible to create a group with multiple owners during the creation process.
After I have created the new group I can update the owner, but I want to do this directly during the creation process.
Is this possible?
Thx for your help
Chris
I'm quite sure it's a bug in MIM 2016 sp1. I don't know about MIM 2016 RTM.
Using the PowerShell commandlet this way the request fails:
But, using it this way the request works just fine
Using the PAM-Portal to schedule the request for a minute later through the GUI also returns no error.
In my environment the REST API portal and the ACTIVATION PORTAL are separated.
So, do we really have a bug here?
There's a few posts already on the net regarding just that:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/privileged-access-management-rest-api-service-details
https://social.technet.microsoft.com/Forums/en-US/2d20dbd9-16c2-4506-b6f8-a76376e7b3c7/mim2016-installing-pam-server?forum=ilm2
https://forums.iis.net/t/1228060.aspx?HTTP+Error+500+19+Internal+Server+Error+FIM+PAM+portal
GH
Hi,
As explained in https://identityunderground.wordpress.com/2015/04/01/fim2010-licensing-model-is-changing-as-of-1st-of-april-2015 licensing is on eper user "crossing" the FIM Service/Portal.
Considering that FIM (Service + Synchronization Service) is used to create/update an Active Directory from a database, what kind of CAL should be used? Is it a single standard CAL like anyone used for AD, as it was a manual creation in AD?
BR,
Emmanuel IT