Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite

older | 1 | .... | 196 | 197 | (Page 198) | 199 | 200 | .... | 204 | newer

    0 0

    Hi everybody,

    We have a PAM solution in place which works as designed. Still, it seems something is not completely fine: on the server running the PAM Monitoring service, warnings appear with EventIDs 872 & 824:

    Log Name: Priviliged Access Management
    Source: Microsoft.IdentityManagement.PamMonitoringService
    EventID: 872
    Level: Warning

    Failed to scan PAM group [group name]. Exception: System.InvalidOperationException: Operation is not valid due to the current state of the object.
       at Microsoft.ResourceManagement.WebServices.Client.Attribute.ReadValueAsBinary()
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.GetPamUserByMimUser(ResourceManager corpMimUser, Boolean nonBlocking)
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithFilter(String filter, Boolean filterPamUsers, Boolean nonBlocking)
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithNameFilter(String sourceDisplayName, String sourceDomain, String sourceAccountName, String privDisplayName, String additionalFilter, Boolean nonBlocking)
       at Microsoft.IdentityManagement.PamMonitoring.PamSecurityScanner.GetActivePamRequests(String userSid)
       at Microsoft.IdentityManagement.PamMonitoring.PamSecurityScanner.IsMember(String principalSid, String groupSid)
       at Microsoft.IdentityManagement

    Log Name: Priviliged Access Management
    Source: Microsoft.IdentityManagement.PamMonitoringService
    EventID: 824
    Level: Warning

    There was an error while updating users and groups. Exception: System.InvalidOperationException: Operation is not valid due to the current state of the object.
       at Microsoft.ResourceManagement.WebServices.Client.Attribute.ReadValueAsBinary()
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.GetPamUserByMimUser(ResourceManager corpMimUser, Boolean nonBlocking)
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithFilter(String filter, Boolean filterPamUsers, Boolean nonBlocking)
       at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithNameFilter(String sourceDisplayName, String sourceDomain, String sourceAccountName, String privDisplayName, String additionalFilter, Boolean nonBlocking)
       at Microsoft.IdentityManagement.PamMonitoring.PamUserHandlers.Monitor(IEnumerable`1 privUsers)
       at Microsoft.IdentityManagement.PamMonitoring.PamMonitoringManager.Run()

    Can anyone point me in the right direction as to what could be the cause of these warnings?

    Cheers

    Trumpeteer ;-)
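    A small triage helper, added here as an example and not part of the original post: it parses PAM Monitoring Service warnings in the text form quoted above and groups them by EventID and by the innermost stack frame. The sample input is the two warnings from the post, re-typed by hand (constructed data); the field layout and the `common_root` heuristic are assumptions for this example, not MIM's own tooling. On this input both warnings bottom out in the same frame, `Attribute.ReadValueAsBinary`, which suggests one underlying cause (a failed read of a binary-valued attribute while resolving PAM users) rather than two separate problems.

```python
"""Group PAM Monitoring Service warnings by EventID and innermost frame.

Example code, not from the original post. SAMPLE_EVENTS is a constructed
copy of the two warnings quoted in the post.
"""
import re
from collections import Counter

SAMPLE_EVENTS = """\
Log Name: Priviliged Access Management
Source: Microsoft.IdentityManagement.PamMonitoringService
EventID: 872
Level: Warning

Failed to scan PAM group [group name]. Exception: System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at Microsoft.ResourceManagement.WebServices.Client.Attribute.ReadValueAsBinary()
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.GetPamUserByMimUser(ResourceManager corpMimUser, Boolean nonBlocking)

Log Name: Priviliged Access Management
Source: Microsoft.IdentityManagement.PamMonitoringService
EventID: 824
Level: Warning

There was an error while updating users and groups. Exception: System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at Microsoft.ResourceManagement.WebServices.Client.Attribute.ReadValueAsBinary()
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.GetPamUserByMimUser(ResourceManager corpMimUser, Boolean nonBlocking)
"""

# Header fields of one event, as they appear in the pasted text.
HEADER_RE = re.compile(r"^(Log Name|Source|EventID|Level):\s*(.*)$")
# Fully qualified .NET exception type following "Exception:".
EXC_RE = re.compile(r"Exception:\s*([\w.]+Exception)")
# One stack frame: "   at Namespace.Type.Method(args)" -> Namespace.Type.Method
FRAME_RE = re.compile(r"^\s*at\s+(\S+?)\(")


def parse_events(text):
    """Split pasted event-log text into a list of dicts, one per event.

    A new event starts at each "Log Name:" line. Each dict holds the header
    fields plus the exception type, message line and ordered stack frames.
    """
    events = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Log Name":
                current = {"frames": [], "exception": None, "message": ""}
                events.append(current)
            if current is not None:
                current[key] = value
            continue
        if current is None:
            continue
        f = FRAME_RE.match(line)
        if f:
            current["frames"].append(f.group(1))
            continue
        e = EXC_RE.search(line)
        if e:
            current["exception"] = e.group(1)
            current["message"] = line.strip()
    return events


def summarize(events):
    """Count events by (EventID, Level) and by (exception, innermost frame)."""
    by_event = Counter()
    by_frame = Counter()
    for ev in events:
        by_event[(int(ev["EventID"]), ev["Level"])] += 1
        if ev["frames"]:
            by_frame[(ev["exception"], ev["frames"][0])] += 1
    return by_event, by_frame


def common_root(events):
    """Return the innermost frame shared by every event, or None.

    Heuristic (assumption of this example): when distinct EventIDs all fail
    in the same innermost frame, treat them as one underlying fault.
    """
    roots = {ev["frames"][0] for ev in events if ev["frames"]}
    return roots.pop() if len(roots) == 1 else None


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    by_event, by_frame = summarize(parsed)
    for key, n in by_event.items():
        print("EventID %d (%s): %d" % (key[0], key[1], n))
    for (exc, frame), n in by_frame.items():
        print("%s at %s: %d" % (exc, frame, n))
    print("shared innermost frame:", common_root(parsed))
```

Run it against a larger paste of the "Privileged Access Management" log to see whether every warning, whatever its EventID, lands on the same frame; if so, one attribute read is the thing to chase rather than each EventID separately.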


    0 0
  • 10/10/18--02:41: BHOLD 2016 SP1 Installation
  • Hello,

    As per the BHOLD prerequisites, we need an account that is a member of "Domain Admins" and a local administrator on the server for installation of the BHOLD modules.

    We have some queries regarding this:

    • Why are domain admin privileges required for the BHOLD Core installation?
    • What impact/changes does it make in AD, if any, during the installation?
    • Are "Domain Admin" privileges required temporarily, only during installation, or after that too?

    Please could anyone provide the information as one of our customers is hesitant on giving domain admins access unless we have this info.


    0 0

    Hi,

    Is there a possibility in the MIM portal to send notifications from multiple "from" addresses?

    Example:

    send password expiration notification from: aa@domain.com

    send group management notification from: bb@domain.com

    and so on ..


    0 0

    When creating my security groups, I know it's required to have an owner and a displayed owner.

    My two MPRs for security group management are disabled, which is intended. Is there any other functionality for the owner and displayed owner if my MPRs are disabled?

    Currently my owner is the group itself.

    Thank you,


    0 0

    Hi,

    When setting up MIM and using MIM for notifications, the MIM Service account needs a mailbox.

    In the past this was easily done with Exchange being on-prem.

    Can this mailbox reside in Exchange Online though?

    Thx

    SK


    0 0
  • 10/10/18--20:18: SAP Connector
  • Hi,

    I have been asked to source a connector for SAP ECC6 EHP7.

    According to the below article the best seems to be web services?
    https://docs.microsoft.com/en-us/microsoft-identity-manager/supported-management-agents

    I have heard that doing provisioning/processioning direct into Oracle is a nightmare; so I'd prefer to avoid that if possible.

    Are there any other recommendations?

    Kind regards,

    Michael


    0 0
  • 10/11/18--03:42: Prerequisites
  • When we are integrating MIM and MIM CM along with PAM, what would be the suggested prerequisites we have to consider from the Azure AD Connector, AD, SQL Server and networking point of view? For example, creation of service accounts, groups, SPNs, applying permissions, etc.



    0 0

    Hello,

    There is a requirement to import users and their access data from a database table/view into MIM portal.

    The DB view contains userid, user email, roles, etc. This needs to be imported to the MIM portal, where it should have a relationship between users and the roles they have. Users can have multiple roles too.

    How can we achieve this in MIM? I have a DB management agent created, but how do I import roles and user-role relationships?

    Please elaborate


    0 0

    Hi guys,

    I've inherited a problem at a customer who has (apparently!) changed the passwords of the MIM service accounts and, since they have, they get the "The requestor's identity was not found" error when logging on to the portal. In the event log, no matter which user is attempting to log on, the missing identity is apparently the same: that of the sync account. Services all look OK and are configured to use individual accounts, i.e. the sync service is using the sync account, MIM Service has a MIMService AD account, and SharePoint has its own too.

    If I turn off ASP.NET impersonation in IIS, the identity changes to that of the SharePoint app pool, but it still doesn't allow a user to log on, throwing the same error.

    I've checked Kerberos and the SPNs look OK, as does delegation, and there's no duplicate in the forest. I've checked and toggled requireKerberos=true in web.config and I've checked useAppPoolCredentials in applicationHost.config.

    Users look OK in SQL - the objectString and objectBinary tables suggest they have a domain, account name and a SID.

    Interestingly, Export-FIMConfig works OK which leads me to conclude that the user is definitely OK too.

    Any ideas? Especially where might it be configured to reference the sync account?

    Thanks,

    Paul.


    0 0

    Use case: an online update triggered multiple emails to users. Is there any way to get the email addresses of the users who still haven't executed the update? I was thinking about querying the SQL database directly; any ideas or thoughts?


    0 0

    Hello,

    I am using MIM 2016 SP1. I am trying to send emails as a different account. From my reading on other posts on this forum, I should be able to change sendAsAddress attribute in the service.exe.config file. I followed the steps in https://social.technet.microsoft.com/Forums/en-US/aec634d2-165e-49c9-960e-0eaa6625b040/can-mail-server-be-configure-in-fim-post-install?forum=ilm2

    I restarted the FIM service in Services.

    But it seems that MIM is ignoring the email address and still sends the email using the MIM Service email account.

    I tried entering an invalid value (e.g. "aadddf"). I saw an error in the event viewer that the email format is not valid.

    My conclusion: MIM is validating the email address in the sendAsAddress attribute but is not using it when it is valid.

    Any idea what's going on?

    Thanks


    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad


    0 0
  • 10/13/18--07:30: FIM stopped server error
  • Hi All,

    Is there a way to dig deeper into the FIM "stopped-server" error?

    I tried the option mentioned in the article below:

    https://social.technet.microsoft.com/wiki/contents/articles/11331.fim-2010-r2-troubleshooting-stopped-server-error-on-the-fim-service-management-agent.aspx

    The database indexes are fine and there is enough free space in tempdb and on the other drives for processing the records.

    Thanks,

    Anirban
    http://iam-ninja.blogspot.com/


    0 0

    Hello.

    I've today begun installing MIM 2016 on a brand new Windows Server 2016 server. I've followed the install instructions specified here: https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync

    At the very end of Synchronization Service installation, there is a step to backup the encryption key. However, no matter where I attempted to save the key, I always got an error.

    “The Forefront Identity Manager Synchronization Service setup wizard was unable to back up the key set. <hr=0x80131904> … try again?”

    This error is also described on page https://idm4real.com/2013/07/31/error-saving-the-fim-sync-key-set/

    There it is said that the key can be exported later in the Synchronization Service Key Management tool. However, when I attempt to do so by using either MIMSync or MIMInstall user accounts, I receive another error.

    "A required privilege is not held by the client."

    I also attempted a repair install of Synchronization Service, that didn't help. Then I uninstalled Synchronization Service, removed the SQL database, rebooted the server and then ran the install again. Once again same issue.

    Please assist.


    0 0

    Hi everyone, I recently upgraded from FIM to the latest version of MIM. I noticed the my:Description attribute in the RCDC no longer gets displayed in the browsers. According to the latest documentation, this is still supported.

    Here is a sample line that I am trying to use, which worked previously. Any ideas?

    <my:Grouping my:Name="ContentGroupingSample" my:Caption="Sample Content Grouping" my:Description="Some description">


    0 0

    I'm new to an existing MIM 2016 environment (and FIM in general) and trying to track down an issue we've been experiencing. In the Portal, group owners are attempting to modify membership which is being denied.

    Reason: The operation failed as a result of insufficient access rights.
    Attributes: MailNickname
    Details: No policy grants the Requestor permission to complete all changes.

    If the owner is removed and re-added, they are then able to successfully modify the group membership for some short period of time (less than 24 hours). When these requests are processed, there is no mention of E-mail Alias/MailNickname being modified.

    In each case, the Request appears to be using the same MPRs so I'm confused as to why it's trying to modify the E-mail Alias in one situation and not the other.

    Thanks
    Brett

    EDIT: There also appears to be a difference if the user opens the group and modifies the membership there (fails) rather than just selecting the group and then clicking Add Member or Remove Member buttons from the toolbar (succeeds).

    0 0

    Hi,

    We need to deploy the MIM tool in a high availability environment where we have 2 MIM portals serving requests, with the MIM Service on the same server. The MIM Sync service resides on a third server and then SQL is clustered with built-in high availability. I had tried to find a deployment guide in TechNet forums, blogs, etc., but was not able to find any. Can anyone guide me on how to deploy MIM in this kind of environment, and while installing, does the installer provide the options?


    0 0

    We must give a group of employees (members of a particular AD group) the right to edit the mobile phones of all company employees on the MIM portal. Editing other fields is prohibited. What is the top-level scheme for implementing this task by means of MIM?

    Windows 2016


    Respectfully yours, Ya



    0 0

    I have an environment where a person can have an account in two different AD domains (Domain A and Domain B). It is also possible for a user account from Domain A to be a member of a group in Domain B. This is currently managed manually. I'm working on a solution where this will be handled by FIM (actually MIM). The solution I envisioned would have an MA for each AD domain. Group membership will be determined by a third HR system, so there will be an MA for that as well, which will be authoritative. The person object in the MV would join to each AD MA, the FIM portal and the HR MA (i.e. 1 MV object per person). The challenge with this design is that I'm not sure it's possible to populate the Membership attribute of an AD group using a synchronization rule in a way that distinguishes which domain a group member comes from. Does anyone know if this is possible and, if so, how would I set this up? A solution that I think would work is to create multiple objects for a person in the MV (e.g. one for Domain A and one for Domain B). But I would prefer not to do that.

    Thanks, 
    Moe

    0 0

    Hi,

    Could someone please advise how to check the value of a MIM Portal-only boolean attribute of a user in outbound sync rules?

    We have a custom Portal-only boolean attribute bound to user and need to check it, making a conditional export to AD if it is True before the outbound sync to AD.

    IIF(PortalCustomDisplayNameAllowed, Null(), DisplayName)=>DisplayName

    I am not sure how to select the current value of the Portal-only PortalCustomDisplayNameAllowed user attribute. XPath filter?

    The 'PortalCustomDisplayNameAllowed' boolean attribute exists only in the MIM Portal and does not exist in the MV.

    It could be set on the user properties portal page simultaneously with the new custom DisplayName.


    0 0

    Dear All,

    What are the limitations if we use the following setting?

    [image: Configure mail server connection]

    Exchange Online * (Notification Only before build 4.4.1749.0)

    Does it support the Approval option for later versions?

    Identity Manager version release history:
    https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history  

