Channel: Forum Microsoft Identity Manager

Workflow data parameters not flowing to sync rule


I am using MIM 2016, and for provisioning AD I use an MPR / Set / Workflow. The MPR is set for transition in, triggering the workflow.

In the workflow I have used some MIMWAL activities, including Generate Unique Values (for accountname) and Function, to populate WorkflowData parameters (vAccountName, vHomeDirectory).

In the workflow I then use an update resources to set the Target/AccountName to the workflowdata/AccountName value.

In the sync rule I flow the AccountName to sAMAccountName and also the WorkflowData/vHomeDirectory.

The problem I have is that any value that is set through a Workflow parameter, when used in the sync rule, has a final value of null.

Have been over everything several times and tried different ways but still the same issue.

I do need to set these values in the workflow as opposed to the sync rule directly, so I am looking for the solution more so than a workaround, please.


PCNS error


Hi,

We are using Forefront Identity Manager to sync 2 Active Directory domains.

Let's call it DomainA and DomainB. A FIM server has been installed in the DomainA. Users and groups are synced between DomainA and DomainB, all works great.

Now we want to use password sync from B to A. As mentioned in https://technet.microsoft.com/en-us/library/jj590288(v=ws.10).aspx, the PCNS agent has been installed on all domain controllers for B.

Password change from DomainB (which does NOT host the FIM server) to DomainA = error.

We have configured FIM as explained, created a SPN entry on DomainB and target.

But when a password is changed on DomainB, it is captured by PCNS and sent to the FIM server (DomainA), and the error occurs: Status is -2146893053 - The target is unknown

On the server side, we can find this log: An error has occurred during authentication to the password notification source.

0x80070534: no mapping between account names and security IDs...

Indeed, when configuring the SPN, we created on domain B

setspn.exe -a PCNS/server.domainb.local DOMAINB\MIMSync

which may be unknown on domain A.

What should be the way to sync passwords when the FIM server is not in the source domain?

BR,

Emmanuel IT

MIM GALSync - possible to label imported contacts?

I'm syncing GALs between two Exchange organizations and I'd like the contacts in each forest to have something appended to the Display Name so they stand out. Is this possible to do?

Password reset is not working


I tried to reset my password via FIM SSPR. I was able to successfully register for a password reset but was unable to reset the password; while doing it I am getting an error like "access denied".

Kindly assist me in this.



FIM 2010 RTM to FIM 2010 R2 SP1 side-by-side Migration (Certificate Management)


Hi,

My current FIM 2010 RTM is installed on Server 2008 and the CAs are 2008 R2.

I use FIM CM only.

I have installed a new CA hierarchy (2012 R2) and copied the certificate template settings as I needed.

I plan to upgrade to FIM 2010 R2 SP1 on Server 2012 R2. From what I could find, the upgrade is supported, but I couldn't find any other documentation about side-by-side migration, since I want to install FIM 2010 R2 SP1 on a fresh vanilla Server 2012 R2.

I have several questions regarding the desired configuration:

1. Do I need to install FIM RTM on the vanilla Server 2012 R2 before installing the FIM 2010 SP1? Any documentation/guidelines for the FIM upgrade process and DB upgrade will be much appreciated!

2. After the FIM upgrade to 2010 R2 SP1, I'm planning to change the Certificate Template in an existing smart card Profile Template; this certificate template will be from the new (2012 R2) CA hierarchy. After I do so, will I be able to renew smart card certificates through this "updated" profile template?

I hope I'm understandable :)

thanks in advance!

Gal


Want to be the Microsoft TechNet FIM Guru for February 2017?


February 2017 Guru, it’s time to share great skills as a TechNet Wiki article and WIN medal(s). Medals? Yes, you can share multiple articles in the same or different categories! Now, navigate to TechNet Guru Competition February 2017 to choose your categories and if it’s not listed add your content in Miscellaneous Category!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a February 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.


Thanks,

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

MIM 2016 Office365 provisioning (Soren Granfeldt PSMA)


Hi!

I have a task to manage user accounts and assign/revoke licenses for Office365 users.

This is my first experience with such an integration, so, as I understand it, I need to do 2 main tasks:

1. Import current licensing information

2. Assign and revoke licenses with information regarding user plans in the metaverse.

So, now I'm trying to make the first part work.

I got this article:

https://blog.kloud.com.au/2016/08/26/office365-licensing-management-agent-for-microsoft-identity-manager/

and I am trying to run a full import run profile, but I am getting this error:

DN is unavailable / missing-anchor-value / No value provided for anchor attribute

In this thread

https://social.technet.microsoft.com/Forums/en-US/3bf23eb9-fc1f-4f56-85aa-0c730c019a6c/missinganchorvalue-error-using-powershell-ma-soren-granfeldt?forum=ilm2

I found that the problem can be in the import script, but the script already has such a statement ($obj2.Add("objectClass","LicensePlans")), so I think that this is not the problem.

Any ideas?

Thanks!



MIM 2016 SP1 with PAM and Skype for Business RBAC


Hi, 

I can't seem to find any information regarding delegating access (RBAC) to Skype for Business across a forest trust ("bastion forest"). Has anyone of you tried this and succeeded?

Just creating a PAM group of the CsAdministrator group does not work (the group membership is listed by whoami /groups as expected when logged on) and I don't see an equivalent of Microsoft Exchange's "LinkedForeignGroup". 

Any tips, thoughts or ideas?

Andreas



Are there any C# MA extension rule 'connector filter' examples in Technet?


We need to somehow build a connector filter rule to filter on a Date attribute.

The OOB basic criteria option has things like Ispresent, Startswith, Equals and so on. Nothing like IsAfter or IsBefore.

I understand we need to write code in the FilterForDisconnection method... but where is an example? Hunted all over with Google and Bing but no luck.

Has anyone an example I can use as a basepoint?

PermissionDeniedException when creating bulk security groups through Powershell


I am using the script from the following link, with the variables set to my environments.

Technet Script

Everything seems to work until the last part "Import-FIMConfig" where it fails due to the following error message at the bottom of this post. I know it has something to do with the account I am using (called FIMInstall) but I can't figure out where it does not have permissions to do this. I have read elsewhere to check the MPR "Security Group Management: Users can create Static Security Groups" and make sure FIMInstall is listed under the Requestors "Specific Set of Requestors". There is a group there, which FIMInstall is confirmed in. This MPR is also enabled. Screenshots below. 

Any ideas what I am doing wrong? I tried running Powershell as Administrator and as FIMInstall and get the same message regardless. 

Import-FIMConfig : Failure when making web service call.
SourceObjectID = c21b0e01-faba-4eed-90b0-b8aa3b22f003
Error = Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException: Policy prohibits the request from completing. ---> Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Policy prohibits the request from completing.
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody, Guid identifier, String synchronizationSequenceIdentifier)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource(Guid identifier, String synchronizationSequenceIdentifier)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource(Guid identifier, String synchronizationSequenceIdentifier)
   at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()
   at Microsoft.ResourceManagement.Automation.ImportConfig.Create(String objectType, List`1 changeList)
   at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()
At C:\FIMScripts\MassGroupCreate.ps1:87 char:31
+   $newGroup | Import-FIMConfig <<<<  -uri $URI
    + CategoryInfo          : InvalidOperation: (:) [Import-FIMConfig], InvalidOperationException
    + FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automation.ImportConfig

 

How to provision "department" information from HR to FIM Portal to AD


Hi,

I need your help to configure/synchronize specific information from HR to the FIM Portal, and then to an AD attribute: the specific information which we need to upload to AD (in the department attribute) is "the Residence" from the HR DB.

We have already configured the synchronization rules as described below, and the attribute flows which are configured on the AD MA and the HR MA.

1. HR to FIM Portal synchronization rule

2. FIM to AD synchronization rule:

The attribute flows are configured as below (on the AD Management Agent and the HR Management Agent):

ADMA:

HR MA:


LDAP query to Xpath filter


We are doing a conversion from a system that uses LDAP queries for setting dynamic groups. Is there a way to convert these queries into XPath filters easily, or do I have to do it manually for the groups?

I know that the languages have similarities, but have yet to find a way to easily do it for the 7000 groups I am converting.


Russell Lema

MPR behavior with changing sets


Hello!

Can somebody explain some MPR logic?

I have an MPR (Transition In) + Workflow for provisioning AD users. They are using a sync rule with an initial flow for password generation for users and emails to the manager with account information. I’m using a set with a statically defined user set (with employeeID numbers).

As I understand it, if I “Disable” and “Enable” the MPR, the MPR will be reapplied, right? Moreover, all my users will receive new passwords and managers will receive emails. This is not acceptable, because the system is going to production.

I need to change my test static set to the “All People” production set. How can it be safely done? Thanks!



MIM 2016 SP1 and FIM 2010 Granfeldt Workflow Activity Library - Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character


So, we are running a C# code with MIM 2016 SP1 using FIM 2010 Granfeldt Workflow Activity Library.

The code itself should work because it works with FIM 2010 R2 and also FIM 2010 R2 updated to MIM 2016 (not SP1).

Are there any known compatibility issues between MIM 2016 SP1 and FIM 2010 Granfeldt Workflow Activity Library?

See the error messages:

PostProcessingError:
Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character '

Event Viewer:
System.Exception: Couldn't compile
Compile Error: CS2032 in Ln 0 Col 0-Character '

   at Granfeldt.FIM.ActivityLibrary.CodeRunActivity.CompileCode_ExecuteCode(Object sender, EventArgs e)
   at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)
   at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()



Group Creation RCDC change - Lost Membership Type Radio Buttons


Hello,

I was attempting to add a basic text box, bound to an attribute I've mapped to the Group objects ("groupType"), to the group creation RCDC.  All I did was copy the existing Description control, paste that under the Description control and change the "description" values in the new control node to my new attribute "groupType".  But, when I imported the new RCDC, my new control showed up in the RCDC, like I expected, but the MembershipType control disappeared. I went back to the original RCDC (I exported and saved it off before I started changing it).  My "groupType" attribute is gone, as I expected, but so is the MembershipType control. So, I'm stuck. I don't know what to do to get those three radio buttons back. I've restarted IIS, rebooted the MIM server, and still no membership type control on the RCDC.

Any ideas?

Greg


Avoid Null Value to be synced to AD


Dear All,

We have created logic for group (Dynamic/Static).

When we try to export attributes to AD, null values always show in the export. How can we avoid it?

Note: "Allow null values" is not enabled.

Need Your Help!

Thanks,

Shashidhar


failed-modification-via-web-services


Dear All,

Getting the following error when trying to export the MIMMA.

================================

Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>AccountName</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: ValueViolatesUniqueness Target(s): MT MUM7010202 (Trainee)
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesUniqueness
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode><AdditionalTextDetails>The specified attribute value must be unique for this Resource Type.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>88135c63-622b-4cfe-a73b-7cb02a1fff7a</CorrelationId></RepresentationFailures>

===================================================

Need Your Help!

Thanks,

Shashidhar


Supported SQL Server version for MIM 2016


Hi,

We are planning to upgrade from FIM 2010 R2 to the latest version of MIM. We are mainly using FIM Synchronization service and the database server is currently on SQL Server 2012.

Is there official support for MIM to work reliably with the latest service pack of SQL Server 2012 (currently SP4)?

This link (https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms) lists SQL Server 2012 SP2 for the MIM Sync database.

Does that mean that only SP2 and HIGHER service packs of SQL Server 2012 are supported by MIM?

Or, does this mean that only SP2 and LOWER service packs of SQL Server 2012 are supported by MIM?

All Microsoft support for SQL Server 2012 SP2 and older has already ended in 2017, including extended support. SQL Server 2012 SP4 still has extended support.

I am wondering if it'd be safe to upgrade SQL Server to 2012 with SP4 and use it for in-place upgrade to MIM.

Best regards,
Radu Popa



ambiguous-import-flow-from-multiple-connectors


Hi,

I am not good at FIM, but in my environment I have found an error for one of the Active Directory MA syncs. The error is "ambiguous-import-flow-from-multiple-connectors". What I could see when I went to preview is shown below. I can't understand why the error comes.

Can anyone familiar with FIM explain to me how the values below relate to the issue and what the fix for this is?

Condition | Status | Data Source Attribute | Mapping Type | Metaverse Attribute | Value | Matches
1 | Applied | HRGPN | Direct | HRGPN | INK10J28 | No Match
2 | Extension No Value | HRGPN,Mail | Rule Extension | Mail | | No Match
3 | Applied | HRGPN | Direct | HRGPN | INK10J28 | Match

Physical to Virtual Migration of FIM server


Hi,

I have a physical FIM server that is going to be migrated soon.

May I know what needs to be taken care of before and after the migration?

Any help is much appreciated.
