Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite


    0 0

    Hello community,

    I have one MIM 2016 SP1 server. Let's say I have an application with SQL server backend. The application is deployed in multiple environments (e.g. dev, test, prod). Each deployment has its own database connection string. A user can have an account in each environment.

    I would hate to have an agent and sync rules per tenant. Is there a way to use one agent instead of an agent per environment?

    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.


    Twitter: ahmedalasaad

    0 0


    I must say that I'm new to MIM

    I have two agents one AD and one HR.
    I project AD into MV
    I join on attribute SSN(AD) with SocialSecurityNumber(HR) in HR
    In AD db I have a column called initials and in HR db I have a column called middlename
    Direct import flow on Middlename to MV
    Direct import flow on initials to MV
    Direct import flow in HR on constant HRFeed with value HR
    Rules Extension export in AD initials  <-- HRFeed, initials, middlename      FlowRuleName=ExportInitials

    The export code in AD looks like this

    void IMASynchronization.MapAttributesForExport (string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "ExportInitials":
                // Prefer the HR middle name; otherwise fall back to the initials already in the metaverse.
                if (mventry["middlename"].IsPresent)
                    csentry["Initials"].Value = mventry["middlename"].Value;
                else if (!mventry["HRFeed"].IsPresent && mventry["Initials"].IsPresent)
                    csentry["Initials"].Value = mventry["Initials"].Value;
                else if (mventry["HRFeed"].IsPresent && !mventry["middlename"].IsPresent)
                    csentry["Initials"].Value = mventry["Initials"].Value;
                break;
        }
    }

    Now to my question: I think I can simplify this solution by using the allow null on export, but I don't
    know how.
    Can somebody guide me in the right direction?


    0 0

    Dear Tech fellows,

    we have a MIM 2016 VM and another separate VM for the databases.

    We need to uninstall MIM 2016 build 4.4.1237.0 (discontinued by Microsoft due to lots of bugs)
    and install MIM 2016 build 4.4.1302.0, choosing the option "use Existing database".

    Has anyone been through this process ***using existing databases***?
    - Are all MIM components actually stored in the databases?
      "Management Agents/Sync Rules/MPRs/Workflows/Sets...."
    - Any points to focus on, except backing up the database encryption key?
    - Is there any official guide released for such (or even previous version to 2016 upgrade)?
    - According to the MIM 2016 operational Guide, "choosing to use existing database" means
      that no manual repopulation of the MIM Sync service metaverse would be needed.

    - Does this mean that MIM is ready for use after the new binary install process?
    - Should CSExport operations be performed to ensure no unwanted export happens?
    Any help would be much appreciated.


    If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration

    0 0

    Hi Everyone,

    We have created a BAPI_Webservice in SAP to consume data in MIM. When accessing that web service with a user that has the SAP_ALL role in SAP, we get a list of users with thousands of records. But when we try to access that web service with another user that has the SAP_BC_WEBSERVICE_ADMIN, SAP_BC_WEBSERVICE_CONSUMER, SAP_BC_WEBSERVICE_SERVICE_USER and SAP_BC_WEBSERVICE_ADMIN_TEC roles in SAP, this user is not able to extract any records from SAP and the list shows 0 records, due to which we get a completed-no-object error in MIM while running a full import of sapMA.

    Can someone help me find out which particular role I need to provide to extract the complete data from SAP to MIM?

    BTW, we are using call-based ECMA2.0 to consume that webservice in MIM.

    0 0

    Hello Everyone,

    Can anyone guide me in implementing a password change on SAP when the AD password is changed?

    I searched for how to change the password on SAP using the BAPI_USER_CHANGE function (when the previous password is not required), but didn't find anything helpful in C# .NET for implementing this functionality in a pcnsExtension.

    I just want to know how to implement the password change functionality on SAP using .NET in a PCNS extension.

    0 0
  • 09/05/18--05:54: About exportflow
  • Hello!

    I have two agents HR and AD.
    AD is projected and HR is joined.

    In the AD db I have 5 rows; let's call them 1,2,3,4,5.
    I can join 1,2 and 3 with HR but 3 and 4 have no match in HR.
    I have a rules extension export flow on attribute initial in the AD agent.
    When I run a full sync on AD, MapAttributesForExport is called 5 times, once for each object.

    When I run a full sync on HR, MapAttributesForExport is called 3 times.
    I thought it would call MapAttributesForExport 5 times, once for each.

    I assume it will only call MapAttributesForExport for those objects that can be matched to AD.
    Is that understood correctly?


    0 0


    Is it possible to alter a metaverse schema by adding an attribute without breaking a working system?

    After modifying the scheme, I would modify the synchronization rules and proceed to a Full Sync.
    The connector space actually has more than 40.000 objects.

    Thanks in advance

    After modifying the scheme, I would modify the synchronization rules and proceed to a complete synchronization.

    0 0

    Hi, I can see the old wmi interface from FIM is in AADC so I should be able to query it for a connectorspace object by doing:

    Get-WmiObject -namespace "root\microsoftidentityintegrationserver" -query "select * from miis_csobject where DN = '<aDN>' and maguid = '<anMAGuid>'"

    This works but then when I want to look for all the connector space objects that have the same mvguid as the connectorspace object I found above by doing the below, I get an error: Access Denied.

    Get-WMIObject -Query "Select * from miis_csobject where mvguid = '<anMVGUID>'" -namespace "root\microsoftidentityintegrationserver"

    I don't think permissions are a problem since the first query works but I checked wmimgmt.msc anyway and I have the following permissions: Execute Methods; Provider Write; Enable Account; Remote Enable; What I don't have is Full Write; Partial Write; Read Security; Edit Security;

    I'm aware I can use csexport and csexportanalyzer to get some csv dumps of the connectorspaces and I may have to go down that route but I want something a little more targeted. Any ideas?

    0 0


    I have a source for HR and one for AD and two agents. In AD I have a unique attribute called SSN and in HR I have a unique attribute called SocialSequrityNumber.
    I project HR because it owns the data and then I join AD.
    I have some persons that don't join with HR because they only exist in AD, and I want to find them and write them to a file.
    I also have some persons that only exist in HR, and I also want to find them and write them to a file.
    In summary, I want to find all the persons that don't join.

    I don't use any portal I only use Synchronization Service Manager.

    How do I best solve this ?


    0 0

    What is TechNet Guru Competition?

    Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

    One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

    Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

    If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in September 2018 and must be in English. However, the original blog or forum content can be from before September 2018.

    Come and see who is making waves in all your favorite technologies. Maybe it will be you!

    Who can join the Competition?

    Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.

    How can you win?

    1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
    2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
    3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

    Do you have any question or want more information?

    Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.

    If you win, people will sing your praises online and your name will be raised as Guru of the Month.

    PS: Above top banner came from Paul Long.

    Thanks in advance!
    Ninja Kamlesh Kumar, TechNet Wiki Council

    Kamlesh Kumar

    If my reply is helpful please mark as Answer or vote as Helpful.

    My blog | Twitter | LinkedIn

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    0 0

    Once saw a document that explained how to have the ADMA set passwords over LDAP(s)?  Fighting with No-Logon-Server error

    0 0

    I've made a test installation of Microsoft Identity Manager, and when I try to create an Oracle MA I get this error:

    Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MMSErrorMessages.resources" was correctly embedded or linked into assembly "PropertySheetBase" at compile time, or that all the satellite assemblies required are loadable and fully signed.

    I've tried installing Oracle Instant client, both v12 and v11, but I keep getting the same error.

    I tried opening a DB connection with some .NET code, and that worked.

    Is there a list of requirements or an installation guide for the Oracle MA?


    Paolo Tedesco -

    0 0

    Hi guys,

    I'm currently deploying Microsoft Identity Manager 2016 for a customer and I'm at the point where I need to configure Hybrid Reporting in Azure (working in the Dev/Test environment at the moment). I have checked the prerequisites/requirements for this configuration on the Official Microsoft Documentation but I just need to be sure of something:

    Will there be any need to perform any Directory or Identity Synchronization across Azure and on-premises to actualize this?

    Your kind answers are welcome.


    0 0

    Hi, my FIM notifications stopped working a couple of days ago.  I checked the configuration file and notified my email admin and inquired about the mail server value, and the email admin states it's still working.

        <!-- Setup adds entries -->

        <add key="mailServer" value="https://XXXXXX/ews/exchange.asmx" />

        <add key="isExchange" value="1" />

    He mentioned to look for an IP address in my setup, stating that a server was decommissioned a couple of days ago. Is there another place to look for that?

    0 0


    We have Microsoft Forefront Identity Manager 2010 R2

    I have an XML file below and I know it's possible to run this XML file instead of manually running each profile, but how do I run it?
    I use only the "Synchronization Service Manager".
    The XML file below might not be correct but I hope you understand what I mean.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!-- Run script that is run with the xxxx.cmd console app -->
    <!-- Supports running a group of agents either in parallel or serially -->
        <name>Tony testar</name>

        <version>1.0.0, b01</version>
          <Doc>Synka alla agenter</Doc>     
          <run>Projekt - personal      /Full Import</run>
          <run>Projekt - personal /Full Sync</run>
          <run>Projekt - AD /Full Sync</run>


    0 0


    I have read some articles about Attribute Flow Precedence but I have a question about this.
    Here is what I do.

    My agent AD source is just a simple database.
    I have two agents called agent HR and agent AD.
    For agent HR I have done a full import.
    I also have an import flow on attribute uid in agent HR like this
    LastName, FirstName, SSN  --> uid

    I now do a full sync on agent HR to get data into the MV.
    This data is projected into the MV.
    This will also cause provisioning for agent AD, which also runs the export flow for this agent.

    Agent AD has this import flow LoginAccount ---> uid defined
    and the export flow is LoginExport <--- uid.

    In Configure Attribute Flow Precedence I have this.
    Order   MA         ObjectType   SourceAttribute          MappingType
    1       Agent AD   Katalog      LoginAccount             Direct
    2       Agent HR   Person       LastName,FirstName,SSN   Rules Extension

    When I do an export on agent AD the attribute LoginAccount is not exported.
    I know I can fix this by marking the field "use equal precedence".

    I know that the reason that the attribute LoginAccount is not exported has to do with Attribute Flow Precedence.
    Just for testing, if I remove the import flow, which is this LoginAccount ---> uid,
    from agent AD, then attribute LoginAccount will be exported.

    But I mean agent AD has not done this LoginAccount ---> uid because agent AD has not done any import flow.

    So can somebody explain how this Attribute Flow Precedence causes the attribute LoginAccount not to be exported if I have
    defined both import and export for agent AD like this: LoginAccount ---> uid (import flow)
    LoginExport <--- uid  (export flow)


    0 0


    I am trying to create a new RCDC where the RequestFilter attribute consists of valid XPath. I need to populate UocFilterBuilder with RequestFilter, make the Preview button visible and populate UocListView with RequestFilter rendered values only when the Preview button is clicked. My code looks like below.

    The issue is the Button does not work when I click it.

    <my:Control my:Name="ComplexFilterBuilder" my:TypeName="UocFilterBuilder" my:RightsLevel="{Binding Source=rights, Path=RequestFilter}" my:ExpandArea="true">
      <my:Properties>
        <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group" />
        <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=RequestFilter, Mode=TwoWay}" />
      </my:Properties>
      <my:Events>
        <my:Event my:Name="PreviewClicked" my:Handler="OnClickPreview"/>
      </my:Events>
    </my:Control>
    <my:Control my:Name="FilterBuilderwithpreview" my:TypeName="UocListView" my:RightsLevel="{Binding Source=rights, Path=RequestFilter}" my:ExpandArea="true">
      <my:Properties>
        <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType,AccountName" />
        <my:Property my:Name="EmptyResultText" my:Value="There is no members according to the filter definition." />
        <my:Property my:Name="PageSize" my:Value="10" />
        <my:Property my:Name="ShowTitleBar" my:Value="false" />
        <my:Property my:Name="ShowActionBar" my:Value="false" />
        <my:Property my:Name="ShowPreview" my:Value="false" />
        <my:Property my:Name="ShowSearchControl" my:Value="false" />
        <my:Property my:Name="EnableSelection" my:Value="false" />
        <my:Property my:Name="SingleSelection" my:Value="false" />
        <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog "/>
        <my:Property my:Name="ReadOnly" my:Value="true"/>
      </my:Properties>
    </my:Control>

    0 0


    I want to learn more about MIM 2016 (with SP1) so I thought I would download the evaluation version and install it in a LAB.

    However I see it needs Active Directory (already built a 2016 DC), an SQL Server, SharePoint, Exchange (options) as outlined here

    First question is: can I install the SQL Server on the same server as SharePoint, or should I install SQL on the Domain Controller (it's only a LAB)?

    I am used to setting up SQL, but not SharePoint. When it comes to installing SharePoint, I take it I need to install the SQL Server first as SharePoint will likely want a database?

    Also, with the SharePoint installation, do I just perform a basic next, next, next installation, e.g. accepting the defaults?



    0 0

    I only use the Synchronization Service Manager.
    I assume that I start by opening the dialog "Configure Object Deletion Rule" and selecting the Rules extension.
    When I have done this I want this method

    DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry) to be called, but I don't know how.

    Can you give a small example, because I'm new to MIM?

    I have also read that it's not possible to delete any object from the MV by using some code.
    Is that correct?
    So I assume the only way to remove an object from the MV is to delete the object from the CS, and as a result of this MIM itself will remove the MV object if the rule says so.



    0 0

    Hi All,

    I am currently implementing Password Synchronization from PCNS on AD to a connected MS SQL Data source. From the event viewer logs (on DC and MIM Sync Server) I can confirm that the password synchronization flow works well from the DC to the MS SQL Data source Management Agent. However I get the error below after triggering a password change for a user object.

    Error Code:0x80230730
    ErrorString:(The password extension does not implement the entry point)

    Being MS SQL, I have implemented and compiled the password extension using the guidance below verbatim, really did not add any other piece of code.

    Is there anything I might be missing? I specified connection details to the DataSource on the SQL MA Configuration.

    A working sample or snippet could be helpful as well

    Thanks in anticipation for your help

