- RSS Channel Showcase 7773305
- RSS Channel Showcase 1063669
- RSS Channel Showcase 1207915
- RSS Channel Showcase 8020292
Articles on this Page
- 02/01/17--00:28: _Workflow data param...
- 02/01/17--03:43: _PCNS error
- 02/01/17--06:16: _MIM GALSync - possi...
- 02/01/17--20:41: _Password reset is n...
- 02/02/17--03:14: _FIM 2010 RTM to FIM...
- 02/02/17--09:22: _Want to be the Micr...
- 02/03/17--01:47: _MIM 2016 Office365 ...
- 02/03/17--06:04: _MIM 2016 SP1 with P...
- 02/03/17--06:12: _Are there any C# MA...
- 02/03/17--06:23: _PermissionDeniedExc...
- 02/03/17--07:09: _how to provision "d...
- 02/03/17--12:44: _LDAP query to Xpath...
- 02/06/17--02:53: _MPR behavior with c...
- 02/06/17--05:03: _MIM 2016 SP1 and FI...
- 02/06/17--11:42: _Group Creation RCDC...
- 06/22/18--00:40: _Avoid Null Value to...
- 06/22/18--01:39: _failed-modification...
- 06/22/18--12:30: _Supported SQL Serve...
- 06/25/18--12:39: _ambiguous-import-fl...
- 06/25/18--12:50: _Physical to Virtual...
- 02/01/17--00:28: Workflow data parameters not flowing to sync rule
- 02/01/17--03:43: PCNS error
- 02/01/17--06:16: MIM GALSync - possible to label imported contacts?
- 02/01/17--20:41: Password reset is not working
- 02/02/17--09:22: Want to be the Microsoft TechNet FIM Guru for February 2017?
- 02/03/17--01:47: MIM 2016 Office365 provisioning (Soren Granfeldt PSMA)
- 02/03/17--06:04: MIM 2016 SP1 with PAM and Skype for Business RBAC
- HR to FIM Portal synchronization rule
- 02/03/17--12:44: LDAP query to Xpath filter
- 02/06/17--02:53: MPR behavior with changing sets
- 02/06/17--11:42: Group Creation RCDC change - Lost Membership Type Radio Buttons
- 06/22/18--00:40: Avoid Null Value to be synced to AD
- 06/22/18--01:39: failed-modification-via-web-services
- 06/22/18--12:30: Supported SQL Server version for MIM 2016
- 06/25/18--12:39: ambiguous-import-flow-from-multiple-connectors
- 06/25/18--12:50: Physical to Virtual Migration of FIM server
I am using MIM 2016 and for provisioning AD I use a MPR / Set / Workflow. The MPR is set for transition in triggering the workflow
In the workflow I have used some MIMWAL including Generate Unique Values (for accountname) and Function to populate WorkflowData parameters (vAccountName, vHomeDirectory)
In the workflow I then use an update resources to set the Target/AccountName to the workflowdata/AccountName value
In the sync rule I flow the AccountName to sAMAccountname and also the WorkflowData/vHomeDirectory
The problem I have is that any value that is set through a Workflow parameter when used in the sync rule has a final value of null
Have been over everything several times and tried different ways but still the same issue.
I do need to set these values in the workflow as opposed to the sync rule directly so looking for the solution more so then a workaround please
We are using Forefront Identity Manager to sync 2 Active Directory domains.
Let's call it DomainA and DomainB. A FIM server has been installed in the DomainA. Users and groups are synced between DomainA and DomainB, all works great.
Now we want to use password sync from B to A. As mentioned in https://technet.microsoft.com/en-us/library/jj590288(v=ws.10).aspx, PCNS agent has been installed on all domain controlers for B.Password change from DomainB (which does NOT hosts FIM Server) to DomainA = error.
We have configured FIM as explained, created a SPN entry on DomainB and target.
But when a password is changed on DomainB, it is captured by PCNS, and send to the FIM server (domainA) and the errors occurs : Status is -2146893053 - The target is unknown
On server side, we can find this log : An error has occurred during authentication to the password notification source.
0x80070534: no mapping between account names and security IDs...
Indeed, when configuring spn, we created on domain B
setspn.exe -a PCNS/server.domainb.local DOMAINB\MIMSync which may be unknown on domain A.
What should be the way to sync password when the FIM server is not in the source domain ?
I'm syncing GAL's between two Exchange organizations and I'd like the contact in each Forest to have something appended to the Display Name so they stand out. Is this possible to do?
I tried to reset my password via FIM SSPR and I was able to successfully register for a password reset but unable to reset the password, while doing it I am getting error like access denied.
Kindly assist me in this.
My current FIM 2010 RTM installed on server 2008 and CA's are 2008 R2.
I use FIM CM only.
I have Installed new CA's hierarchy (2012 R2) and copied the certificate templates settings as I needed.
I plan to upgrade to FIM 2010 R2 SP1 on server 2012 R2, from what I could find, the upgrade is supported. but I couldn't find any other documentation about side-by-side migration since I want to install the FIM 2010 R2 SP1 on a fresh vanilla server 2012 R2.
I have several questions regarding the desired configuration:
1. I need to Install FIM RTM on the vanilla server 2012 R2 before installing the FIM 2010 SP1? any documentation/guidelines for FIM upgrade process and DB upgrade will be much appreciated!
2. after the FIM upgrade to 2010 R2 SP1, I'm planning to change the Certificate Template in an existing smart card Profile Template, this certificate template will be from the new (2012 R2) CA's hierarchy. after I will do so, I will be able to renew smart card certificates through this "updated" profile template?
I hope I'm understandable :)
thanks in advance!
February 2017 Guru, it’s time to share great skills as a TechNet Wiki article and WIN medal(s). Medals? Yes, you can share multiple articles in the same or different categories! Now, navigate to TechNet Guru Competition February 2017 to choose your categories and if it’s not listed add your content in Miscellaneous Category!
All you have to do is add an article to TechNet
Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.
A snippet you share can make you a February 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet
HOW TO WIN
1) Please copy over your Microsoft technical solutions
and revelations to TechNet
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.
If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!
Winning this award in your favorite technology will
help us learn the active members in each community.
Feel free to ask any questions below.
More about TechNet Guru Awards.
If my reply is helpful please mark as Answer or vote asHelpful.
My blog | Twitter | LinkedIn
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
I have a task to manage user accounts and assign/revoke a licenses for Office365 users.
This is my first expirience with such integration, so, as I understand I need to do 2 main tasks:
1. Import current licensing information
2. Assign and revoke licenses with information regarding user plans in metaverse.
So, now I'm trying to make first part to work.
I get this article:
and trying to run full import run profile, but I getting this error:
DN is unavailable / missing-anchor-value / No value provided for anchor attribute
In this thread
I found what the problem can be in import script, but script already have a such statement (, so I think that this is not a problem.
I can't seem to find any information regarding delegating access (RBAC) to Skype for Business across a forest trust ("bastion forest"). Have anyone of you tried this and succeeded?
Just creating a PAM group of the CsAdministrator group does not work (the group membership is listed by whoami /groups as expected when logged on) and I don't see an equivalent of Microsoft Exchange's "LinkedForeignGroup".
Any tips, thoughts or ideas?
We need to build somehow a connector filter rule to filter on a Date attribute.
The oob basic criteria option has things like Ispresent, Startswith Equals and so on. Nothing like IsAfter IsBefore.
I understand we need write code in the FilterforDisconnection Method... but where is an example? Hunted all over with Google and Bing but no luck.
Has anyone an example I can use as a basepoint?
I am using the script from the following link, with the variables set to my environments.
Everything seems to work until the last part "Import-FIMConfig" where it fails due to the following error message at the bottom of this post. I know it has something to do with the account I am using (called FIMInstall) but I can't figure out where it does not have permissions to do this. I have read elsewhere to check the MPR "Security Group Management: Users can create Static Security Groups" and make sure FIMInstall is listed under the Requestors "Specific Set of Requestors". There is a group there, which FIMInstall is confirmed in. This MPR is also enabled. Screenshots below.
Any ideas what I am doing wrong? I tried running Powershell as Administrator and as FIMInstall and get the same message regardless.
Import-FIMConfig : Failure when making web service call. SourceObjectID = c21b0e01-faba-4eed-90b0-b8aa3b22f003 Error = Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedExcepti on: Policy prohibits the request from completing. ---> Microsoft.ResourceManage ment.WebServices.Faults.ServiceFaultException: Policy prohibits the request fro m completing. at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Mes sage request) at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Cre ate createBody, Guid identifier, String synchronizationSequenceIdentifier) at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateRe source(Guid identifier, String synchronizationSequenceIdentifier) --- End of inner exception stack trace --- at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateRe source(Guid identifier, String synchronizationSequenceIdentifier) at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource() at Microsoft.ResourceManagement.Automation.ImportConfig.Create(String object Type, List`1 changeList) at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing() At C:\FIMScripts\MassGroupCreate.ps1:87 char:31 + $newGroup | Import-FIMConfig <<<< -uri $URI + CategoryInfo : InvalidOperation: (:) [Import-FIMConfig], Invali dOperationException + FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automa tion.ImportConfig
i need your help to configure/synchronize specific information from HR to FIM Portal, then to AD attribute: the specific information which we need to upload it in AD (in departement attribute) is "the Residence" from HR DB.
We configured already the synchronization rules as described below,and the attribute flow which configured on AD MA and HR MA.
2. FIM to AD synchronization rule:
The attribute flow are configured as below (on AD Management agent and HR Management agent):
HR HR MA:
We are doing a conversion from a system that uses LDAP queries for setting dynamic groups, is there a way to convert these queries into Xpath filters easily, or do I have to do it manually for the groups?
I know that the languages have similarities, but have yet to find a way to easily do it for the 7000 groups I am converting
Can somebody explain some MPR logics?
I have MRP (Transition In) + Workflow for AD provisioning users. They are using sync rule with Initial flow for password generation for users and emails to manager with account information. I’m using a set with static defined user set (with employeeID numbers)
As I understand if I make “Disable” and “Enable” at MPR I will get reapplied MPR, right? Moreover, all my users will receive new passwords and managers will receive emails. This is not acceptable, because system is going to production.
I need to change my test static set to “All People” production set, how it can be safely done? Thanks!
So, we are running a C# code with MIM 2016 SP1 using FIM 2010 Granfeldt Workflow Activity Library.
The code itself should work because it works with FIM 2010 R2 and also FIM 2010 R2 updated to MIM 2016 (not SP1).
Are there any known compatibility issues between MIM 2016 SP1 and FIM 2010 Granfeldt Workflow Activity Library?
See the error messsages:
PostProcessingError: Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character ' Evet Viewer: System.Exception: Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character ' at Granfeldt.FIM.ActivityLibrary.CodeRunActivity.CompileCode_ExecuteCode(Object sender, EventArgs e) at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e) at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext) at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext) at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext) at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime) at System.Workflow.Runtime.Scheduler.Run()
I was attempting to add a basic text box, bound to an attribute I've mapped to the Group objects ("groupType"), to the group creation RCDC. All I did was copy the existing Description control, paste that under the Description control and change the "description" values in the new control node to my new attribute "groupType". But, when I imported the new RCDC, my new control showed up in the RCDC, like I expected, but the MembershipType control disappeared. I went back to the original RCDC (I exported and saved it off before I started changing it). My "groupType" attribute is gone, as I expected, but so is the MembershipType control. So, I'm stuck. I don't know what to do to get those three radio buttons back. I've restarted IIS, rebooted the MIM server, and still no membership type control on the RCDC.
We have created logic for group (Dynamic/Static).
When we are trying to export attributes to AD. null values always shows in Export. So how can we avoid it.
Note: Not enabled Allow null values
Need Your Help!
Getting following error when tries to export MIMMA.
Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement"
ValueViolatesUniqueness Target(s): MT MUM7010202 (Trainee)
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesUniqueness
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode><AdditionalTextDetails>The specified attribute value must be unique for this Resource Type.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>88135c63-622b-4cfe-a73b-7cb02a1fff7a</CorrelationId></RepresentationFailures>
Need Your Help!
We are planning to upgrade from FIM 2010 R2 to the latest version of MIM. We are mainly using FIM Synchronization service and the database server is currently on SQL Server 2012.
Is there official support for MIM to work reliably with the latest service pack of SQL Server 2012 (currently SP4)?
This link (https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms) lists SQL Server 2012 SP2 for the MIM Sync database.
Does that mean that only SP2 and HIGHER service packs of SQL Server 2012 are supported by MIM?
Or, does this mean that only SP2 and LOWER service packs of SQL Server 2012 are supported by MIM?
All Microsoft support for SQL Server 2012 SP2 and older has already ended in 2017, including extended support. SQL Server 2012 SP4 still has extended support.
I am wondering if it'd be safe to upgrade SQL Server to 2012 with SP4 and use it for in-place upgrade to MIM.
I am not good in FIM,but in my environment I have found an error for one of the Active DirectoryMA Sync. The error is "ambiguous-import-flow-from-multiple-connectors". What I could see when I went to preview is that below . I can't understand why the error comes.
Can anyone familiar with FIM explain me how the value below related with the issue and what is the fix for this ?
|Extension No Value||HRGPN,Mail||Rule Extension|
I have a FIM physical server , that is going to migrate soon.
May I know what all thing need to be taken care before and after migration ?
Any help is much appreciated.