Channel: Forum Microsoft Identity Manager

FIM Edit Attribute


My FIM version is 2010 R2 4.1.3733.0

I have an Oracle 11g client and MA. I need to edit one attribute and change the nullable flag, but it is not possible from MA Properties.

How can I do this?



FIM MPR and Workflows interaction


Hi!

I have a strange problem with MPR and Workflows interactions.

1. MPR with Transition In (checking for employee status - vacation/fired, and so on) Action Type is working fine, I get email notifications and Requests are in Completed status.

2. MPR with Modify, Create Action Type (checking for user attribute changes) is working strangely. If only one user was modified, everything is OK. If 2-3 users are modified, I get errors in Requests:

First error:

Update to msidmCompositeType: '' Request PostProcessingError Built-in Synchronization Account 

<RequestParameter xmlns:q1="http://microsoft.com/wsdl/types/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="UpdateRequestParameter"><Target>bad9929a-6f4c-4515-9be2-c15f12c09c6b</Target><Calculated>false</Calculated><PropertyName>LastName</PropertyName><Value xsi:type="xsd:string">User1-TXT333344222</Value><Operation>Create</Operation><Mode>Modify</Mode></RequestParameter>
------------------------------------------------------------
<RequestParameter xmlns:q1="http://microsoft.com/wsdl/types/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="UpdateRequestParameter"><Target>cc87859a-cafe-44fb-b109-e325762a53b3</Target><Calculated>false</Calculated><PropertyName>Department</PropertyName><Value xsi:type="xsd:string">IT-TXT2222445511</Value><Operation>Create</Operation><Mode>Modify</Mode></RequestParameter>

Second Error: System Event Request  PostProcessingError Forefront Identity Manager Service Account 

Parent Request: Update to msidmCompositeType: ''

RequestParameter:

<RequestParameter xmlns:q1="http://microsoft.com/wsdl/types/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="SystemEventRequestParameter"><Target>bad9929a-6f4c-4515-9be2-c15f12c09c6b</Target><Calculated>false</Calculated><WorkflowDefinition><Value>747e22cc-0811-46dc-9717-fb43a4b87eff</Value></WorkflowDefinition></RequestParameter>
------------------------------------------------------------

RequestStatusDetail:

<RequestStatusDetail xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2016-12-30T12:23:13.6990636Z">This unknown request parameter cannot be processed.</RequestStatusDetail>

Can anybody say how this problem can be resolved?

Thanks!


Who will be crowned the First FIM Guru of 2017!!


Time for a fresh start!

[The Guru is the means of realisation. "There is no knowledge without a teacher."]

We're looking for the first Gurus of 2017!!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN 

Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).

Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.


Thanks,

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

BHOLD setup


What if we do not have the HROrg (sample) table while setting up BHOLD (only to be used for attestation)?

Any other way to achieve the same? 

GALSync, 2 domains, and 1 O365

Right now we're GALSyncing with MIM two forests.  So far so good as Domain A's users, groups, and contacts get converted into contacts and put in Domain B.  The same thing happens from Domain B to domain A.  Domain B has their DLs ONLY in O365 with AAD Sync syncing the AD users and contacts to O365.  We can get the O365 DLs into MIM but the problem is we just want those DLs that get converted into Contacts into Domain A, not Domain B.  Does anyone have any clue how to do this easily? 

Time Based Application Access via Active Directory Groups using FIM 2010 R2


Hello,

In FIM  2010 R2, is there any way of achieving time based application access?

Scenario- A user to be allowed to access application for a certain duration only let's say for 1 month. The application is linked to Active Directory Group which has to be managed via FIM and user to be kept as member for the fixed duration only. If the user needs to have access for more time, user can request for extension.

Approach 1- Create 1 attribute("Valid Upto"-Datetime Type) and bind it with user object. Store the expiry date to future date for the users who need to have access to the application. Now, created one Criteria Based / RBAC Group mentioning the desired criteria based on "ValidUpto" attribute. As soon as the criteria doesn't match for any user, it will be thrown out of the group and for the ones whose dates will be extended will still remain a part of the group.

The above approach is challenged by client asking if they need to do this for 100 Applications, there would be a need to create 100 new attributes which will increase the data load for FIM Server as the present user count is approx - 50k(inactive) & 30k(active)

Is there any other standard way of achieving this in FIM 2010 R2, i.e. if there can be any attribute which can be created and bind to request object rather than user object which can be used commonly for all applications or the mentioned approach is standard in terms of industry best practice which won't hamper the database or any other feature of FIM 2010 R2.

Thanks.


Regards,
Manuj Khurana

How to set NULL if attribute is empty in FIM web service configuration tool?

I get an error in sync manager when I am trying to delta import an empty attribute to the portal. I need some code that will import into the metaverse only nulls if attributes are empty. After some research I found out that this might help, but I don't know how to write code in the web service configuration tool. Can someone help with that or show me where to find examples?

FIM 2010 R2 with AAD MA vs Azure AD Connect strategy.


Hi folks,

We use FIM 2010 R2 extensively and I'm at the point where I'm looking at topologies for integrating Office 365/Azure AD.

It's noted on the AAD MA download page that the MA is feature frozen with a recommendation to move to Azure AD Connect.

The immediate problems I believe I can see with this is it means provisioning becomes a double hop (MA -> on-premise AD -> Azure AD) and as a follow-on, rule extensions can't be used.

Are both of these intermediate conclusions correct and if so, how are people with established FIM/MIM footprints currently dealing with the double hop issue? I'm not keen on introducing this kind of disconnect into the topology if it's not completely necessary.

I'm also not particularly keen on treating FIM like an old backup product where I have to trigger post-execution jobs if I can avoid it. It's much cleaner both from a programmatic, efficiency and documentation (and therefore support and business continuity) perspective to keep everything coming from the source of truth to FIM, and then from FIM to the dependant system.

Cheers,
Lain


FIM R2 SP1 to MIM SP1 upgrade broke MIM Pwd Reset Portal


Hi All,
After migrating from FIM R2 SP1 to MIM SP1 we are facing an issue with password reset using the MIM Pwd Reset Portal.
Every time it is failing after we provide the new password and confirmation password page. Below are the event viewer details.
[Note: Q & A and OTP is working perfectly. Microsoft.CredentialManagement.ResetPortal]

If any one faced similar issue please share the experience. We tried few solution which was already posted in forum related to below error but no luck.

Error 1: Microsoft.IdentityManagement.CredentialManagement.Portal:System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: The Request contains changes that violate system constraints. ---> The web service client has encountered the following class of error: SystemConstraint Details: Failed Attributes: Additional Text Details: The Request contains changes that violate system constraints. Correlation Identifier: f66c1f53-9634-4182-9e4c-a195147d144b Failure Message: Request Identifier: --- End of inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username) at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) --- End of inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs) at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e) at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e) at System.Web.UI.TemplateControl.OnError(EventArgs e) at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

Error: 2 The error page was displayed to the user. Details: Title: Access denied. Message: Error processing your request: The operation was rejected because of access control policies. Source: The supplied request content violates system rules. Attributes: Details: The Request contains changes that violate system constraints. CorrelationId: f66c1f53-9634-4182-9e4c-a195147d144b RequestId: ErrorCode: 3001 CaughtTime: 01/02/2017 21:38:43 Web Portal: FIM Password Reset Portal Session Id: anxyhd55ox5lflbxcqszl155


Aswathy Raj

Custom resource


Is it possible to allow Custom Resource type to login into FIM portal?

Import several CSEntry to one MultiValued attribute in Metaverse


Hi,

I need help to do a sync from a MA to a MV.

I explain the actual situation:
- I have one MA import from an active directory with user objects and contract objects (all are in the same ActiveDirectory).
-- I do projection with the user object to the MV
-- I do join with contract object to the user in the MV based on a rule extension that found the principal contract only

Now I want to have all contracts of a user in a multivalue attribute in the metaverse. How can I do that?

Example :
AD user objects
Name - ID
User1 - 10001
User2 - 10002

AD contract objects
ID - Fonction - UserID
499990 - Manager - 10001
499991 - Sale assistant - 10002
499992 - IT assistant - 10002

The result must be in the MV
Name - ID - Fonction
User1 - 10001 - Manager
User2 - 10002 - Sale assistant, IT assistant

The attribute fonction must be multivalue

Somebody can give me way to do that ?

regards

How to use FIM web service endpoint using JAVA?

Please share any idea or solution if you have tried. 

user profile and name

How do you change the user name at the start up of the pc

SSPR without domain name portion oddity


Hi all,

I have a customer who's rolling out SSPR, where some of their users are unable to perform password reset without prefixing their domain (i.e. they have to log in to the portal as domain\username) where the majority don't have to.

I wondered if there was a duplicate identity in the MIM service with the same user name but different domain for the affected users, but this isn't the case.  For good measure, I deleted an affected user from the MIM portal and re-provisioned them but it's still the same.

Does anyone have any idea of how and when the domain is "assumed" or why this might not be working for some users within the exact environment where it works for others?

Thanks,

Paul.

MIM 2016 Support for SQL server 2014 SP2


We are with MIM 2016 (4.3.2124.0) and SQL 2014 SP1 (12.0.4439) cluster. We need to update the SQL cluster to SQL 2014 SP2. As per the plan-design doc in here

SQL 2014 SP2 is not listed as a supported version for MIM 2016 (4.3.2124.0)

Can anyone advise on this?

Cheers




How to remove transient object with no connector?

I had a problem when one person had two positions and one had "Test" system roles and the other did not. So metaverse was kind of confused and was going to delete and add the same person in "Test" system, but there were some errors, so I disconnected person from that object which was going to be deleted and connected to the one which was added. So everything is fine now, except that first object stays in connector space as transient object and multiple cycles of that "Test" system's MA do not delete it, so in full sync I get completed transient objects error. How can I delete that object from connector space? (don't know if it matters but both that person's objects in connector space have the same dn, but one is connected and the other is not)

Microsoft MIM 2016 Bulk register for password reset


Hello,

We have implemented MIM 2016.

we have configured the self-services password reset to use SMS Gate with one-time-password.

we want the system to bulk register the users once they are synced from the AD to MIM.

all users have the following values in the AD:

- First Name

- Last Name

- Display Name

- Email

- Employee ID

- Mobile Phone

how can we bulk register the users for phone one-time-password, keeping in mind, the employees that we have are not capable of doing such small task.

regards,

create new group with multiple owners via powershell


Hello everyone,

I'm quite new to the FIM powershell module and right now I'm in the middle of testing bulk creations and modification via powershell.

Which is working fine so far but for me it's not possible to create a group with multiple owners during the creation process.

After I created the new group I can update the owner, but I want to do this directly during the creation process.

Is this possible?

Thx for your help

Chris

Oops! Something went wrong. The ajax calls failed, please contact your administrator. Status code: 500. Error: Internal Server Error.


I'm quite sure it's a bug in MIM 2016 sp1. I don't know about MIM 2016 RTM.

Using the PowerShell commandlet this way the request fails:

  • Import-Module mimpam
  • $r = Get-PAMRoleForRequest -DisplayName "Enterprise Admins"
  • New-PAMRequest -Justification t1 -Role $r -Verbose

But, using it this way the request works just fine

  • Import-Module mimpam
  • $r = Get-PAMRoleForRequest -DisplayName "Enterprise Admins"
  • New-PAMRequest -Justification t1 -Role $r -Verbose -RequestedTime (get-date).AddMilliseconds(3000)

Using the PAM-Portal to schedule the request for a minute later through the GUI also returns no error.

In my environment the REST API portal and the ACTIVATION PORTAL  are separated.

So, do we really have a bug here?

There's a few posts already on the net regarding just that:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/privileged-access-management-rest-api-service-details
https://social.technet.microsoft.com/Forums/en-US/2d20dbd9-16c2-4506-b6f8-a76376e7b3c7/mim2016-installing-pam-server?forum=ilm2
https://forums.iis.net/t/1228060.aspx?HTTP+Error+500+19+Internal+Server+Error+FIM+PAM+portal


GH



Identity Manager licencing


Hi,

As explained in https://identityunderground.wordpress.com/2015/04/01/fim2010-licensing-model-is-changing-as-of-1st-of-april-2015 licensing is one per user "crossing" the FIM Service/Portal.

Considering that FIM (Service + Synchronization Service) is used to create/update an Active Directory from a database, what kind of CAL should be used? Is it a single standard CAL like anyone used for AD as if it was a manual creation in AD?

BR,


Emmanuel IT
