Channel: Forum Microsoft Identity Manager

Failed to scan PAM Group - Operation is not valid due to the current state of the object


Hi everybody,

We have a PAM solution in place which works as designed. Still, it seems something is not completely fine: on the server running the PAM Monitoring service, warnings appear with event IDs 872 & 824:

Log Name: Priviliged Access Management
Source: Microsoft.IdentityManagement.PamMonitoringService
EventID: 872
Level: Warning

Failed to scan PAM group [group name]. Exception: System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at Microsoft.ResourceManagement.WebServices.Client.Attribute.ReadValueAsBinary()
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.GetPamUserByMimUser(ResourceManager corpMimUser, Boolean nonBlocking)
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithFilter(String filter, Boolean filterPamUsers, Boolean nonBlocking)
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithNameFilter(String sourceDisplayName, String sourceDomain, String sourceAccountName, String privDisplayName, String additionalFilter, Boolean nonBlocking)
   at Microsoft.IdentityManagement.PamMonitoring.PamSecurityScanner.GetActivePamRequests(String userSid)
   at Microsoft.IdentityManagement.PamMonitoring.PamSecurityScanner.IsMember(String principalSid, String groupSid)
   at Microsoft.IdentityManagement

Log Name: Priviliged Access Management
Source: Microsoft.IdentityManagement.PamMonitoringService
EventID: 824
Level: Warning

There was an error while updating users and groups. Exception: System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at Microsoft.ResourceManagement.WebServices.Client.Attribute.ReadValueAsBinary()
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.GetPamUserByMimUser(ResourceManager corpMimUser, Boolean nonBlocking)
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithFilter(String filter, Boolean filterPamUsers, Boolean nonBlocking)
   at Microsoft.IdentityManagement.PamCmdlets.Managers.PamUserManager.RetrieveAllPAMUsersWithNameFilter(String sourceDisplayName, String sourceDomain, String sourceAccountName, String privDisplayName, String additionalFilter, Boolean nonBlocking)
   at Microsoft.IdentityManagement.PamMonitoring.PamUserHandlers.Monitor(IEnumerable`1 privUsers)
   at Microsoft.IdentityManagement.PamMonitoring.PamMonitoringManager.Run()

Can anyone point me in the right direction as to what could be the cause of these warnings?

Cheers

Trumpeteer ;-)


BHOLD 2016 SP1 Installation


Hello,

As per the BHOLD prerequisites, we need an account that is a member of "Domain Admins" and a local administrator on the server for the installation of the BHOLD modules.

We have some queries regarding this:-

  • Why are domain admin privileges required for the BHOLD core installation?
  • What impact/changes does it make in AD, if any, during the installation?
  • Are "Domain Admin" privileges required only temporarily during installation, or afterwards too?

Could anyone please provide this information, as one of our customers is hesitant to grant Domain Admins access unless we have it.

Send notifications from multiple FROM addresses


Hi,

Is there a possibility in the MIM portal to send notifications from multiple FROM addresses?

Example:

send password expiration notifications from: aa@domain.com

send group management notifications from: bb@domain.com

and so on ..

FIM Portal for security groups


When creating my security groups, I know it's required to have an owner and a displayed owner.

My two MPRs for security group management are disabled, which is intended. Is there any other functionality for the owner and displayed owner if my MPRs are disabled?

Currently my owner is the group itself.

Thank you,

MIM Service mailbox in Exchange Online?


Hi,

When setting up MIM and using MIM for notifications, the MIM Service account needs a mailbox.

In the past this was easily done with Exchange being on-prem.

Can this mailbox reside in Exchange Online though?

Thx

SK

SAP Connector


Hi,

I have been asked to source a connector for SAP ECC6 EHP7.

According to the article below, the best option seems to be web services?
https://docs.microsoft.com/en-us/microsoft-identity-manager/supported-management-agents

I have heard that doing provisioning/processioning direct into Oracle is a nightmare; so I'd prefer to avoid that if possible.

Are there any other recommendations?

Kind regards,

Michael

Prerequisites


When we are integrating MIM and MIM CM along with PAM, what are the suggested prerequisites we have to consider for the Azure AD Connector, AD, SQL Server and from a networking point of view, e.g. creation of service accounts, groups, SPNs, applying permissions, etc.?


MIM - Collect user access data from a database table/view


Hello,

There is a requirement to import users and their access data from a database table/view into MIM portal.

The DB view contains user ID, user email, roles, etc. This needs to be imported into the MIM portal, where it should have a relationship between users and the roles they have. Users can have multiple roles too.

How can we achieve this in MIM? I have a DB management agent created, but how do I import the roles and the user-role relationships?

Please elaborate.


MIM portal - The requestor's identity was not found for all users after service account password change


Hi guys,

I've inherited a problem at a customer who has (apparently!) changed the passwords of the MIM service accounts, and since they have, they get the "The requestor's identity was not found" error when logging on to the portal. In the event log, no matter which user is attempting to log on, the missing identity is apparently the same: that of the sync account. Services all look OK and are configured to use individual accounts, i.e. the sync service is using the sync account, the MIM service has a MIMService AD account, and SharePoint has its own too.

If I turn off ASP.NET impersonation in IIS, the identity changes to that of the SharePoint app pool, but it still doesn't allow a user to log on, throwing the same error.

I've checked Kerberos and the SPNs look OK, as does delegation, and there's no duplicate in the forest. I've checked and toggled requireKerberos=true in web.config, and I've checked useAppPoolCredentials in applicationHost.config.

Users look OK in SQL - the objectString and objectBinary tables suggest they have a domain, account name and a SID.

Interestingly, Export-FIMConfig works OK which leads me to conclude that the user is definitely OK too.

Any ideas? Especially where might it be configured to reference the sync account?

Thanks,

Paul.

How to determine which users have pending FIMCM action approved but not executed yet?


Use case: an online update triggered multiple emails to users. Is there any way to get the email addresses of those users who still haven't executed the update? I was thinking about querying the SQL database directly; any ideas or thoughts?

MIM 2016 SP1 ignoring sendAsAddress email


Hello,

I am using MIM 2016 SP1. I am trying to send emails as a different account. From my reading on other posts on this forum, I should be able to change sendAsAddress attribute in the service.exe.config file. I followed the steps in https://social.technet.microsoft.com/Forums/en-US/aec634d2-165e-49c9-960e-0eaa6625b040/can-mail-server-be-configure-in-fim-post-install?forum=ilm2

I restarted the FIM service in Services.

But it seems that MIM is ignoring the email address and still sends the email using the MIM Service email account.

I tried entering an invalid value (e.g. "aadddf"). I saw an error in the event viewer that the email format is not valid.

My conclusion: MIM validates the email address in the sendAsAddress attribute, but it does not use it when it is valid.

Any idea what's going on?

Thanks


Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

Blog: http://lajak.wordpress.com

Twitter: ahmedalasaad

FIM stopped server error


Hi All,

Is there a way to dig deeper into the FIM "stopped-server" error?

I tried the options mentioned in the article below:

https://social.technet.microsoft.com/wiki/contents/articles/11331.fim-2010-r2-troubleshooting-stopped-server-error-on-the-fim-service-management-agent.aspx

The database indexes are fine and there is enough free space in tempdb and on the other drives for processing the records.

Thanks,

Anirban
http://iam-ninja.blogspot.com/

Problem exporting encryption key


Hello.

I've today begun installing MIM 2016 on a brand new Windows Server 2016 server. I've followed the install instructions specified here: https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync

At the very end of Synchronization Service installation, there is a step to backup the encryption key. However, no matter where I attempted to save the key, I always got an error.

“The Forefront Identity Manager Synchronization Service setup wizard was unable to back up the key set. <hr=0x80131904> … try again?”

This error is also described on page https://idm4real.com/2013/07/31/error-saving-the-fim-sync-key-set/

There it is said that the key can be exported later in the Synchronization Service Key Management tool. However, when I attempt to do so by using either MIMSync or MIMInstall user accounts, I receive another error.

"A required privilege is not held by the client."

I also attempted a repair install of the Synchronization Service, but that didn't help. Then I uninstalled the Synchronization Service, removed the SQL database, rebooted the server and ran the install again. Once again, the same issue.

Please assist.

MIM 2016 - RCDC "my:Description" not displaying in browsers


Hi everyone, I recently upgraded from FIM to the latest version of MIM. I noticed the my:Description attribute in the RCDC no longer gets displayed in the browsers. According to the latest documentation, this is still supported.

Here is a sample line that I am trying to use, which worked previously. Any ideas?

<my:Grouping my:Name="ContentGroupingSample" my:Caption="Sample Content Grouping" my:Description="Some description">

Update to Group membership denied trying to modify E-mail Alias/MailNickname


I'm new to an existing MIM 2016 environment (and FIM in general) and trying to track down an issue we've been experiencing. In the Portal, group owners are attempting to modify membership which is being denied.

Reason: The operation failed as a result of insufficient access rights.
Attributes: MailNickname
Details: No policy grants the Requestor permission to complete all changes.

If the owner is removed and re-added, they are then able to successfully modify the group membership for some short period of time (less than 24 hours). When these requests are processed, there is no mention of E-mail Alias/MailNickname being modified.

In each case, the Request appears to be using the same MPRs so I'm confused as to why it's trying to modify the E-mail Alias in one situation and not the other.

Thanks
Brett

EDIT: There also appears to be a difference if the user opens the group and modifies the membership there (fails) rather than just selecting the group and then clicking Add Member or Remove Member buttons from the toolbar (succeeds).

Deployment Guide - MIM High Availability


Hi,

We need to deploy the MIM tool in a high-availability environment where we have 2 MIM portals serving requests, with the MIM Service on the same server. The MIM Sync service resides on a third server, and SQL is clustered with built-in high availability. I tried to find a deployment guide in TechNet forums, blogs, etc. but was not able to find any. Can anyone guide me on how to deploy MIM in this kind of environment, and while installing, does the installer provide the options

Microsoft Identity Manager right for mobile phone


I must give a group of employees (members of a particular AD group) the right to edit the mobile phone numbers of all company employees in the MIM portal. Editing other fields is prohibited. What is the top-level scheme for implementing this task by means of MIM?

Windows 2016


Respectfully yours, Я


Add users from different domains to an AD group

I have an environment where a person can have an account in two different AD domains (Domain A and Domain B).  It is also possible for a user account from Domain A to be a member in a group in Domain B.  This is currently managed manually.  I'm working on a solution where this will be handled by FIM (actually MIM).  The solution I envisioned would have an MA for each AD domain.  Group membership will be determined by a third HR system so there will be an MA for that as well, which will be authoritative.  The person object in the MV would join to each AD MA, the FIM portal and the HR MA (ie 1 MV object per person).  The challenge with this design is that I'm not sure it's possible to  populate the Membership attribute of an AD group using a synchronization rule in a way that distinguishes which domain a group member comes from.  Does anyone know if this is possible and if so how would I set this up?  A solution that I think would work is to create multiple objects for a person in the MV (eg one for Domain A and one for Domain B).  But I would prefer not to do that.

Thanks, 
Moe

Outbound sync rule with Custom Expression in MIM - is it possible to check boolean user portal only value?


Hi,

Could someone please advise how to check the value of a MIM Portal-only boolean attribute of a user in outbound sync rules?

We have a custom Portal-only boolean attribute bound to the user, and we need to check whether it is True in order to make a conditional export to AD before the outbound sync to AD.

IIF(PortalCustomDisplayNameAllowed, Null(), DisplayName)=>DisplayName

I am not sure how to select the current value of the Portal-only PortalCustomDisplayNameAllowed user attribute. An XPath filter?

The 'PortalCustomDisplayNameAllowed' boolean attribute exists only in the MIM Portal and does not exist in the MV.

It could be set on the user properties portal page at the same time as the new custom DisplayName.

using Exchange Online Mailbox for MIMService Account


Dear All,

What are the limitations if we use the following setting?

[Image: Configure mail server connection]

Exchange Online * (Notification Only before build 4.4.1749.0)

Does it support Approval option for later versions?

Identity Manager version release history:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history
