Channel: Forum Microsoft Identity Manager

ECMA agent and multi-tenancy applications


Hello community,

I have one MIM 2016 SP1 server. Let's say I have an asp.net application with SQL server backend. The application is deployed in multiple environments (e.g. dev, test, prod). Each deployment has its own database connection string. A user can have an account in each environment.

I would hate to have an agent and sync rules per tenant. Is there a way to use one agent instead of an agent per environment?


Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

Blog: http://lajak.wordpress.com

Twitter: ahmedalasaad


How can I change to allow null on export in my solution


Hello!

I must say that I'm new to MIM

I have two agents, one AD and one HR.
I project AD into MV.
I join on attribute SSN (AD) with SocialSecurityNumber (HR) in HR.
In the AD db I have a column called initials and in the HR db I have a column called middlename.
Direct import flow on Middlename to MV.
Direct import flow on initials to MV.
Direct import flow in HR on constant HRFeed with value HR.
Rules Extension export in AD: initials <-- HRFeed, initials, middlename      FlowRuleName=ExportInitials

The export code in AD looks like this

using Microsoft.MetadirectoryServices;

// Member of the AD MA's rules extension class (which implements IMASynchronization).
// Export flow "ExportInitials": AD initials <-- HRFeed, initials, middlename.
// The HR middle name wins; otherwise the AD-sourced initials are written back.
void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
{
    switch (FlowRuleName)
    {
        case "ExportInitials":
            if (mventry["middlename"].IsPresent)
            {
                csentry["Initials"].Value = mventry["middlename"].Value;
            }
            else if (!mventry["HRFeed"].IsPresent && mventry["Initials"].IsPresent)
            {
                csentry["Initials"].Value = mventry["Initials"].Value;
            }
            else if (mventry["HRFeed"].IsPresent && !mventry["middlename"].IsPresent
                     && mventry["Initials"].IsPresent)
            {
                // IsPresent guard added: reading .Value of an absent MV attribute throws.
                csentry["Initials"].Value = mventry["Initials"].Value;
            }
            break;
    }
}

Now to my question: I think I can simplify this solution by using the allow null on export, but I don't
know how.
Can somebody guide me in the right direction?

//Tony

Uninstall MIM 2016 build 4.4.1237.0 / Install MIM 2016 build 4.4.1302.0 using existing database


Dear Tech fellows,

We have a MIM 2016 VM and another separate VM for the databases.

We need to uninstall MIM 2016 build 4.4.1237.0 (discontinued by Microsoft due to lots of bugs)
and install MIM 2016 build 4.4.1302.0 choosing the option "use Existing database".

Has anyone been through this process ***using existing databases***?
- Are all MIM components actually stored in the databases?
  "Management Agents/Sync Rules/MPRs/Workflows/Sets...."
- Any points to focus on, apart from backing up the database encryption key?
- Is there any official guide released for this (or even for a previous-version-to-2016 upgrade)?
- According to the MIM 2016 operational guide, "choosing to use existing database" means
  that no manual repopulation of the MIM Sync service metaverse would be needed.

- Does this mean that MIM is ready for use after the new binary install process?
- Should CSExport operations be performed to ensure no unwanted export happens?
Any help would be much appreciated.

Thanks.



Required Role for SAP user Id to fetch data from SAP ECC6.0 to MIM 2016.


Hi Everyone,

We have created a BAPI_Webservice in SAP to consume data in MIM. When accessing that web service with a user that has the SAP_ALL role in SAP, we get a list of users with thousands of records, but when we try to access that web service with another user that has the SAP_BC_WEBSERVICE_ADMIN, SAP_BC_WEBSERVICE_CONSUMER, SAP_BC_WEBSERVICE_SERVICE_USER and SAP_BC_WEBSERVICE_ADMIN_TEC roles in SAP, this user is not able to extract any record from SAP and the list shows 0 records, due to which we get a completed-no-object error in MIM while running a full import of sapMA.

Can someone help me to know which particular role I need to provide to extract complete data from SAP to MIM?

BTW, we are using call-based ECMA2.0 to consume that web service in MIM.



How to implement PCNS functionality of MIM on SAP.


Hello Everyone,

Can anyone guide me on implementing the functionality of changing the password on SAP when the AD password is changed?

I had searched for how to implement the change-password functionality on SAP using the BAPI_USER_CHANGE function (when the previous password is not required), but didn't find anything helpful in C# .NET to implement this functionality in the pcnsExtension.

I just want to know how to implement password change functionality on SAP using .NET in the PCNS extension.

About exportflow


Hello!

I have two agents, HR and AD.
AD is projected and HR is joined.

In the AD db I have 5 rows; let's call them 1,2,3,4,5.
I can join 1, 2 and 3 with HR, but 3 and 4 have no match in HR.
I have a rules extension export flow on attribute initial in the AD agent.
When I run a full sync on AD, MapAttributesForExport is called 5 times, once for each object.

When I run a full sync on HR, MapAttributesForExport is called 3 times.
I thought it would call MapAttributesForExport 5 times, once for each.

I assume it will only call MapAttributesForExport for those objects that can be matched to AD.
Is that correctly understood?

//Tony

Adding Metaverse Attrribute in production


Hi,

Is it possible to alter a metaverse schema by adding an attribute without breaking a working system?

After modifying the schema, I would modify the synchronization rules and proceed to a Full Sync.
The connector space actually has more than 40.000 objects.

Thanks in advance


Azure AD Connect WMI Interface


Hi, I can see the old wmi interface from FIM is in AADC so I should be able to query it for a connectorspace object by doing:

Get-WmiObject -namespace "root\microsoftidentityintegrationserver" -query "select * from miis_csobject where DN = '<aDN>' and maguid = '<anMAGuid>'"

This works but then when I want to look for all the connector space objects that have the same mvguid as the connectorspace object I found above by doing the below, I get an error: Access Denied.

Get-WMIObject -Query "Select * from miis_csobject where mvguid = '<anMVGUID>'" -namespace "root\microsoftidentityintegrationserver"

I don't think permissions are a problem since the first query works but I checked wmimgmt.msc anyway and I have the following permissions: Execute Methods; Provider Write; Enable Account; Remote Enable; What I don't have is Full Write; Partial Write; Read Security; Edit Security;

I'm aware I can use csexport and csexportanalyzer to get some csv dumps of the connectorspaces and I may have to go down that route but I want something a little more targeted. Any ideas?


How to find those persons that don't join


Hello!

I have a source for HR and one for AD, and two agents. In AD I have a unique attribute called SSN and in HR I have a unique attribute called SocialSecurityNumber.
I project HR because it owns the data, and then I join AD.
I have some persons that don't join with HR because they only exist in AD, and I want to find them and write them to a file.
I also have some persons that only exist in HR, and I also want to find them and write them to a file.
In summary, I want to find all the persons that don't join.

I don't use any portal; I only use Synchronization Service Manager.

How do I best solve this?

//Tony



Who will be announced as the next FIM Guru? Read more about September 2018 competition!!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in September 2018 and must be in English. However, the original blog or forum content can be from before September 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Paul Long.

Thanks in advance!
Ninja Kamlesh Kumar, TechNet Wiki Council



Thanks,
Kamlesh Kumar




Once saw a document that explained how to have the ADMA set passwords over LDAP(s)? Fighting with No-Logon-Server error


Once saw a document that explained how to have the ADMA set passwords over LDAP(s)? Fighting with No-Logon-Server error

Cannot create Oracle Management Agent


I've made a test installation of Microsoft Identity Manager, and when I try to create an Oracle MA I get this error:

Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MMSErrorMessages.resources" was correctly embedded or linked into assembly "PropertySheetBase" at compile time, or that all the satellite assemblies required are loadable and fully signed.

I've tried installing Oracle Instant client, both v12 and v11, but I keep getting the same error.

I tried opening a DB connection with some .NET code, and that worked.

Is there a list of requirements or an installation guide for the Oracle MA?

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm

Configuring Hybrid Reporting on Microsoft Identity Manager 2016


Hi guys,

I'm currently deploying Microsoft Identity Manager 2016 for a customer and I'm at the point where I need to configure Hybrid Reporting in Azure (working in the Dev/Test environment at the moment). I have checked the prerequisites/requirements for this configuration on the Official Microsoft Documentation but I just need to be sure of something:

Will there be any need to perform any Directory or Identity Synchronization across Azure and on-premises to actualize this?

Your kind answers are welcome.

Thanks.

FIM notification stopped working


Hi, my FIM notifications stopped working a couple of days ago. I checked the configuration file, notified my email admin and inquired about the mail server value, and the email admin states it's still working.

    <!-- Setup adds entries -->

    <add key="mailServer" value="https://XXXXXX/ews/exchange.asmx" />

    <add key="isExchange" value="1" />

He mentioned to look for an IP address in my setup, stating that a server was decommissioned a couple of days ago. Is there another place to look for that?


How do I run an xml file containing some profile


Hello!

We have Microsoft Forefront Identity Manager 2010 R2

I have an XML file below and I know it's possible to run this XML file instead of manually running each profile, but how do I run it?
I only use the "Synchronization Service Manager".
The XML file below might not be correct, but I hope you understand what I mean.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Run script that is executed with the xxxx.cmd console app -->
<!-- Supports running a group of agents either in parallel or serially -->
<start>
  <schema>
    <name>Tony testar</name>
    <version>1.0.0, b01</version>
    <logFile>C:\Users\tony\MyLogfile.txt</logFile>
    <step>
      <Doc>Synka alla agenter</Doc>
      <!-- each <run> is "management agent name /run profile name" -->
      <run>Projekt - personal /Full Import</run>
      <run>Projekt - personal /Full Sync</run>
      <run>Projekt - AD /Full Sync</run>
    </step>
  </schema>
</start>

//Tony
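One way to drive such a file, as an added PowerShell example that is not from the original post or from the Synchronization Service itself: it reads each <run> entry and starts that management agent's run profile through the Sync Service WMI provider (MIIS_ManagementAgent.Execute), which is what the Synchronization Service Manager does behind its Run dialog. The file path and the "MA name /Run profile" layout of each <run> entry are assumptions taken from the file above.

```powershell
# Added example (not from the original post): runs the <run> entries of a
# profile XML like the one above, in order, through the Sync Service WMI
# provider. Assumptions: the file path below, that each <run> reads
# "MA name /Run profile name" (split on the last "/"), and that the caller
# is a member of the MIMSyncOperators (or MIMSyncAdmins) group.
param(
    [string]$ProfileFile = 'C:\MIM\profiles.xml'   # assumed path
)

$ns = 'root\MicrosoftIdentityIntegrationServer'
[xml]$doc = Get-Content -Path $ProfileFile -Encoding Default
$logFile  = $doc.start.schema.logFile

foreach ($step in $doc.start.schema.step) {
    Write-Host "Step: $($step.Doc)"
    foreach ($entry in @($step.run)) {
        # "Projekt - personal /Full Import" -> MA "Projekt - personal", profile "Full Import"
        $idx = $entry.LastIndexOf('/')
        if ($idx -lt 1) { throw "Malformed <run> entry: '$entry'" }
        $maName  = $entry.Substring(0, $idx).Trim()
        $profile = $entry.Substring($idx + 1).Trim()

        # Look the MA up by name; double any apostrophe so the WQL filter stays intact
        $filter = "Name = '{0}'" -f $maName.Replace("'", "''")
        $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter $filter
        if (-not $ma) { throw "Management agent '$maName' not found" }

        # Execute() blocks until the run profile has finished and returns its status
        $result = $ma.Execute($profile).ReturnValue
        $line   = '{0:s} {1} / {2} -> {3}' -f (Get-Date), $maName, $profile, $result
        Add-Content -Path $logFile -Value $line
        Write-Host $line

        # "success" and "completed-*" are normal outcomes; anything else aborts the step
        if ($result -notlike 'success*' -and $result -notlike 'completed-*') {
            throw "Run profile '$profile' on '$maName' ended with: $result"
        }
    }
}
```

The MA and run profile names must match the ones shown in Synchronization Service Manager exactly, including spaces.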

About accessing an attribute uid from 2 agent


Hello!

I have read some articles about Attribute Flow Precedence, but I have a question about this.
Here is what I do.

My agent AD source is just a simple database.
I have two agents, called agent HR and agent AD.
For agent HR I have done a full import.
I also have an import flow on attribute uid in agent HR like this:
LastName, FirstName, SSN  --> uid

I now do a full sync on agent HR to get data into MV.
This data is projected into MV.
This will also cause me to provision for agent AD, which also runs the export flow for this agent.

Agent AD has this import flow defined: LoginAccount ---> uid
and the export flow is LoginExport <--- uid.

In Configure Attribute Flow Precedence I have this:
Order   MA          ObjectType   SourceAttribute            MappingType
1       Agent AD    Katalog      LoginAccount               Direct
2       Agent HR    Person       LastName,FirstName,SSN     Rules Extension

When I do an export on agent AD, the attribute LoginAccount is not exported.
I know I can fix this by marking the field "use equal precedence".

I know that the reason the attribute LoginAccount is not exported has to do with Attribute Flow Precedence.
Just for testing: if I remove the import flow LoginAccount ---> uid
from agent AD, then attribute LoginAccount will be exported.

But I mean agent AD has not done this LoginAccount ---> uid, because agent AD has not done any import flow.

So can somebody explain how this Attribute Flow Precedence causes the attribute LoginAccount not to be exported if I have
defined both import and export for agent AD like this: LoginAccount ---> uid (import flow)
LoginExport <--- uid  (export flow)

//Tony

FIM RCDC UocFilterBuilder and UocListView


Hi,

I am trying to create a new RCDC where the RequestFilter attribute consists of valid XPath. I need to populate UocFilterBuilder with RequestFilter, make the Preview button visible, and populate UocListView with the RequestFilter's rendered values only when the Preview button is clicked. My code looks like below.

The issue is that the button does not work when I click it.

<my:Control my:Name="ComplexFilterBuilder" my:TypeName="UocFilterBuilder"
            my:RightsLevel="{Binding Source=rights, Path=RequestFilter}" my:ExpandArea="true">
  <my:Properties>
    <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group" />
    <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=RequestFilter, Mode=TwoWay}" />
  </my:Properties>
  <my:Events>
    <my:Event my:Name="PreviewClicked" my:Handler="OnClickPreview" />
  </my:Events>
</my:Control>
<my:Control my:Name="FilterBuilderwithpreview" my:TypeName="UocListView"
            my:RightsLevel="{Binding Source=rights, Path=RequestFilter}" my:ExpandArea="true">
  <my:Properties>
    <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType,AccountName" />
    <my:Property my:Name="EmptyResultText" my:Value="There is no members according to the filter definition." />
    <my:Property my:Name="PageSize" my:Value="10" />
    <my:Property my:Name="ShowTitleBar" my:Value="false" />
    <my:Property my:Name="ShowActionBar" my:Value="false" />
    <my:Property my:Name="ShowPreview" my:Value="false" />
    <my:Property my:Name="ShowSearchControl" my:Value="false" />
    <my:Property my:Name="EnableSelection" my:Value="false" />
    <my:Property my:Name="SingleSelection" my:Value="false" />
    <!-- value trimmed: the pasted fragment had it as " ModelessDialog " with surrounding spaces -->
    <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
    <my:Property my:Name="ReadOnly" my:Value="true" />
  </my:Properties>
</my:Control> <!-- closing tag added; it was missing from the pasted fragment -->

Which components of MIM 2016 can I install on the same Server in a LAB


Hello

I want to learn more about MIM 2016 (with SP1), so I thought I would download the evaluation version and install it in a LAB.

However, I see it needs Active Directory (already built a 2016 DC), an SQL Server, SharePoint and Exchange (optional), as outlined here:

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-deploy

First question: can I install the SQL Server on the same server as SharePoint, or should I install SQL on the Domain Controller (it's only a LAB)?

I am used to setting up SQL, but not SharePoint; when it comes to installing SharePoint, I take it I need to install the SQL Server first, as SharePoint will likely want a database?

Also, with the SharePoint installation do I just perform a basic next, next, next installation, e.g. accepting the defaults?

Thanks

CXMelga

About calling method Deprovision in the MAR


Hello!
I only use the Synchronization Service Manager.
I assume that I start by opening the dialog "Configure Object Deletion Rule" and selecting the Rules extension.
When I have done this I want this method

DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry)

to be called, but I don't know how.

Can you give a small example, because I'm new to MIM?

I have also read that it's not possible to delete any object from MV by using some code.
Is that correct?
So I assume the only way to remove an object from MV is to delete the object from CS, and as a result of this MIM itself will remove the MV object if the rule says so.

 

//Tony


PCNS Synchronization to SQL Connected Datasource


Hi All,

I am currently implementing Password Synchronization from PCNS on AD to a connected MS SQL data source. From the event viewer logs (on the DC and the MIM Sync Server) I can confirm that the password synchronization flow works well from the DC to the MS SQL data source Management Agent. However, I get the error below after triggering a password change for a user object.

Error Code:0x80230730
ErrorString:(The password extension does not implement the entry point)

Being MS SQL, I have implemented and compiled the password extension using the guidance below verbatim; I really did not add any other piece of code.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms695379(v=vs.100).aspx

Is there anything I might be missing? I specified connection details to the DataSource on the SQL MA configuration.

A working sample or snippet would be helpful as well.

Thanks in anticipation of your help.


Akinzo
