Cannot Delete MA - The image or delta doesn't have an Anchor

August 21, 2013, 8:57 am

≫ Next: If we enable run in separate process in each MA in FIM , it increase memory usage and how about speed and SQL server max memory limit ?

≪ Previous: Creating a Custom Workflow Activity with no input controls

I have an Export only ECMA 2 management that provisions data to an external data source via a web service. During testing I ran into an issue where a full sync on the authoritative data source (a SQL MA) caused the error 'The image or delta doesn't have an Anchor'. The error has persisted after

- Doing a full import/full sync on the authoritative data source

- Deleting the content of all MA's

- Ensure that the latest hotfix has been applied to the Sync Service

- Clearing the content in the mms_metaverse, mms_csmv_link and mms_connectorspace tables

I can still see the record that is causing the issue in the MV and apparently it still has a connector to the ECMA 2 mgmt agent. However, I cannot remove the connector on account of the error. If I try to delete the MA I get the same error. Any suggestions on how I can resolve this issue?

Thanks

↧

If we enable run in separate process in each MA in FIM , it increase memory usage and how about speed and SQL server max memory limit ?

August 21, 2013, 5:50 pm

≫ Next: PowerShell Management 5.0 released

≪ Previous: Cannot Delete MA - The image or delta doesn't have an Anchor

We plan to introduce FIM for galsync.

We set max memory usage of SQL2008 to 4GB.

If we enable run in separate process in each MA in FIM ,and run Sync,

each MA create each process and increase memory usage rather than run in same process ?

how about speed to process synching and what is merit and demerit of run in separate process ?

If we enable run in separate process , those processes are out of SQL server max memory limit ?

↧

PowerShell Management 5.0 released

August 22, 2013, 1:32 am

≫ Next: Failed Requests in FIM 2010 R2

≪ Previous: If we enable run in separate process in each MA in FIM , it increase memory usage and how about speed and SQL server max memory limit ?

I'm happy to annouce that a new version of my PowerShell Management Agent is released. You can read more about it here - http://blog.goverco.com/2013/08/powershell-50-management-agent-released.html

Regards, Soren Granfeldt
blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

↧

Failed Requests in FIM 2010 R2

August 22, 2013, 2:05 am

≫ Next: Password Reset with AD LDS in FIM 2010 R2

≪ Previous: PowerShell Management 5.0 released

Dear All,

I am facing a problem, for Create (User)Profile request on FIM 2010. Whenever multiple requests are being approved in one go the action workflow is not applied to it and the request status becomes 'Failed'. But whenever, the approver approves it one by one it works fine. For all these 'Failed' Requests, I have to Create (User)Profile manually. For this I have created two Workflows (Authorization + Action) and using single MPR for these two Workflows which includes Email Notification Activity which is triggered after Request Submission(Part of Authorization Workflow), then after Approvals(Part of Authorization Workflow), then After Succesfull Creation of Profile(Part of Action Workflow).

Following is more detail of scenarios:

1. Request Status : Failed & Action Workflow : Blank.

2.Request Status : Authorizing& Action Workflow :Blank but Authorization Workflow is Completed.

3. Request Status : PostProcessingError& Error : Permission Denied on Action Workflow

PLease suggest do I need to change some MPR/Workflow Design or is there any other way to solve this.

Thanks in Advance

↧

Password Reset with AD LDS in FIM 2010 R2

August 22, 2013, 3:27 pm

≫ Next: Password Reset with AD LDS in FIM 2010 R2

≪ Previous: Failed Requests in FIM 2010 R2

Hi everybody:

I have some question, Password Reset can be executed from AD LDS?

Thanks in advanced

↧

Password Reset with AD LDS in FIM 2010 R2

August 22, 2013, 3:29 pm

≫ Next: SSPR Portal Installation

≪ Previous: Password Reset with AD LDS in FIM 2010 R2

Hi everybody:

I have some question, Password Reset can be executed from AD LDS?

Thanks in advanced

↧

SSPR Portal Installation

August 23, 2013, 3:53 am

≫ Next: Culture 'en' is a neutral culture..Error after installing the FIM Outlook plugin for group management

≪ Previous: Password Reset with AD LDS in FIM 2010 R2

I am in process of installing SSPR for a customer. PLEASE help me with initial pre-requisites...It will be of GREAT help to me. Below is my actual production scenario. I started with following the technet guides...and had to stop as I could undertstand a bit after few steps. I am going to write the exact replica of my environment and SAs which I created till now.

Hardware

1. 1 FIM Server

2. 1 FIM Sync Server

3. 1 FIM Portal Server (includes FIM Portal and FIM Password Reset Portal)..I have also installed WSS 30. SP2 on this server.

which means that I have seperate servers for every FIM service.

Service Account

1. FIM Service Account - SAFIMsvc

2. FIM Sync Account - SAFIMSyncsvc

3. FIM Portal Account - SAFIMPortal

4. FIM Sharepoint Services Account - SAFIMSPsvc

5. FIM Mgmt Account - FIMMA

6. FIM Installation Account - SAFIMInstall....only this account is part of local admin group on all servers and also part of sysadmin group on SQL Server. Basis on above information, I have following questions...

a. Now can someone please help me as the prerequisites will be satisfied. For example : The SPNs. I am stuck at "Establishing the SPN" step in the technet deployment guide...can someone help me write these commands for writing the SP using the above information.

b. If I am installing WSS 3.0 on FIM Portal...I am not sure which SA to use...when registering the SPN. The WSS SA or the FIM Portal SA

c. If I do the installation with above SAs on the FIM Servers...will I be able to register the SPNs later or twaek things later.

d. Really appreciate if somebody can share step by step (not technet) matching my requirements...that will be of great help.

e. Please suggest any best practices required for this installation.

↧

Culture 'en' is a neutral culture..Error after installing the FIM Outlook plugin for group management

August 23, 2013, 8:31 am

≫ Next: Validate access rights with FIM 2010 R2

≪ Previous: SSPR Portal Installation

Hello,

We are installing the FIM outlook plugin to manage groups in outlook across our Enterprise, we are receiving this error message on some(20) client machine and would like hear if there is a resolution to this issue?

Client configuration:

FIM Version: 2010 R2

OS versions & patch level: XP SP3 and Win7

Outlook version: Outlook 2007 SP3

Machine type: Laptop, Desktop

Full text of error message:

************** Exception Text **************

System.NotSupportedException: Culture 'en' is a neutral culture. It cannot be used in formatting and parsing and therefore cannot be set as the thread's current culture.

at System.Globalization.CultureInfo.CheckNeutral(CultureInfo culture)

at System.Globalization.CultureInfo.get_NumberFormat()

at System.Globalization.NumberFormatInfo.GetInstance(IFormatProvider formatProvider)

at Microsoft.IdentityManagement.Client.Office.SolutionControl..ctor(SolutionControlType typeField)

at Microsoft.IdentityManagement.Client.Office.GroupManagementControlsBag..ctor()

at Microsoft.IdentityManagement.Client.Office.Connect.get_GroupManagementControls()

at Microsoft.IdentityManagement.Client.Office.ExplorerWrapper.HandleSelection(CommandBar CommandBar, Selection Selection)

at Microsoft.IdentityManagement.Client.Office.ExplorerWrapper.HandleSelection(Selection selection)

at Microsoft.IdentityManagement.Client.Office.ExplorerWrapperBase.OnSelectionSettledTimerTick(Object sender, EventArgs e)

at System.Windows.Forms.Timer.OnTick(EventArgs e)

at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)

at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************

mscorlib

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5472 (Win7SP1GDR.050727-5400)

CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll

----------------------------------------

ManagedAggregator

Assembly Version: 4.1.3114.0

Win32 Version: 4.1.3114.0

CodeBase: file:///C:/Program%20Files%20(x86)/Microsoft%20Forefront%20Identity%20Manager/2010/Add-in%20for%20Outlook/ManagedAggregator.DLL

----------------------------------------

Microsoft.IdentityManagement.Client.Office

Assembly Version: 4.1.3114.0

Win32 Version: 4.1.3114.0

CodeBase: file:///C:/Program%20Files%20(x86)/Microsoft%20Forefront%20Identity%20Manager/2010/Add-in%20for%20Outlook/Microsoft.IdentityManagement.Client.Office.DLL

----------------------------------------

System

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5467 (Win7SP1GDR.050727-5400)

CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll

----------------------------------------

Extensibility

Assembly Version: 7.0.3300.0

Win32 Version: 7.00.9466

CodeBase: file:///C:/Windows/assembly/GAC/Extensibility/7.0.3300.0__b03f5f7f11d50a3a/Extensibility.dll

----------------------------------------

office

Assembly Version: 12.0.0.0

Win32 Version: 12.0.6425.1000

CodeBase: file:///C:/Windows/assembly/GAC/office/12.0.0.0__71e9bce111e9429c/office.dll

----------------------------------------

Microsoft.Office.Interop.Outlook

Assembly Version: 12.0.0.0

Win32 Version: 12.0.4518.1014

CodeBase: file:///C:/Windows/assembly/GAC/Microsoft.Office.Interop.Outlook/12.0.0.0__71e9bce111e9429c/Microsoft.Office.Interop.Outlook.dll

----------------------------------------

System.Configuration

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5473 (Win7SP1GDR.050727-5400)

CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll

----------------------------------------

System.Xml

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5473 (Win7SP1GDR.050727-5400)

CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll

----------------------------------------

System.Windows.Forms

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5468 (Win7SP1GDR.050727-5400)

CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll

----------------------------------------

System.Drawing

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5467 (Win7SP1GDR.050727-5400)

CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll

----------------------------------------

stdole

Assembly Version: 7.0.3300.0

Win32 Version: 7.00.9466

CodeBase: file:///C:/Windows/assembly/GAC/stdole/7.0.3300.0__b03f5f7f11d50a3a/stdole.dll

----------------------------------------

System.Core

Assembly Version: 3.5.0.0

Win32 Version: 3.5.30729.5420 built by: Win7SP1

CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Core/3.5.0.0__b77a5c561934e089/System.Core.dll

----------------------------------------

CustomMarshalers

Assembly Version: 2.0.0.0

Win32 Version: 2.0.50727.5420 (Win7SP1.050727-5400)

CodeBase: file:///C:/Windows/assembly/GAC_32/CustomMarshalers/2.0.0.0__b03f5f7f11d50a3a/CustomMarshalers.dll

↧

Validate access rights with FIM 2010 R2

August 23, 2013, 10:13 am

≫ Next: Can FIM web service enable HTTPS?

≪ Previous: Culture 'en' is a neutral culture..Error after installing the FIM Outlook plugin for group management

Hi, I am new with FIM. I wan't to know if it's possible with FIM 2010 R2 to validate access rights for a specific folders on a file server ?

This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Certified Technology Specialist ﴾MCTS﴿ Windows Server® 2008 Active Directory, Configuration Windows Server® 2008 Applications Infrastructure, Configuration Windows Server® 2008 Network Infrastructure, Configuration Microsoft Certified Systems Engineer: Security Microsoft Certified Systems Engineer Microsoft Certified Systems Administrator Microsoft Certified Systems Administrator: Messaging Microsoft Certified Systems Administrator: Security Microsoft Certified Professional

↧

Can FIM web service enable HTTPS?

August 24, 2013, 5:34 pm

≫ Next: ApplicationHost.config file modification on FIM

≪ Previous: Validate access rights with FIM 2010 R2

Can FIM web service enable HTTPS?

↧

ApplicationHost.config file modification on FIM

August 25, 2013, 7:46 am

≫ Next: Error 25009 Install FIM Synchronization

≪ Previous: Can FIM web service enable HTTPS?

I am installating FIM 2010. The server on which I installing FIM Server/Portal...I am modifying theApplicationHost.config file as per the technet document. Now as per the document...it says that we will seewindowsAuthentication enabled=”true” just three times.

But In my case...I saw it 6 times and did the modification on these 6 instances as mentioned in technet document. I saved the file and tried to start the IIS. The service did not start and seems my IIS got crashed and started getting bunch of errors. I was not even able to uninstall the IIS. At last..I had copy theApplicationHost.config from other server and copy in the same location and restarted the server and eventually all services were started...looks like my IIS is working ok.

My question is - where did I go wrong. Should I see just 3 instances ofApplicationHost.config rather than 6. Or even if they are 6...where did go wrong...Please suggest.

↧

Error 25009 Install FIM Synchronization

August 26, 2013, 4:22 am

≫ Next: Adding Attribute To "All Eligible Resources" In Security Group, FIM Portal

≪ Previous: ApplicationHost.config file modification on FIM

Hello,

i try to install FIM Sync and i have a remote sql server but i have this error

Product: Forefront Identity Manager Synchronization Service -- Error 25009.The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. OLEDB Provider Information:

Description = 'Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.'

Failure Code = 0x80004005

Minor Number = 18452

<hr=0x80230406>

Any idea ?

Thanks

↧

Adding Attribute To "All Eligible Resources" In Security Group, FIM Portal

August 26, 2013, 5:20 am

≫ Next: Dependency Not declared error

≪ Previous: Error 25009 Install FIM Synchronization

Hi Everyone,

I need to add a Custom Attribute the "All Eligible Resources" section for setting a criteria based Security Group Membership. Please guide me the way.......Screenshot is shown below

Regards~
Deepak Arora
-------------------------------------

↧

Dependency Not declared error

August 26, 2013, 6:41 am

≫ Next: Export through delimited text file MA deletes all data in destination file

≪ Previous: Adding Attribute To "All Eligible Resources" In Security Group, FIM Portal

we have a export rule defined to export the data from Metaverse to AD.

Before any of the FlowRule , there is a check as below

if mventry("mail").Ispresent then

throw an error

End If

but when control is moving to this place we are getting error "Attribute<mail>" is not declared.

As we are getting error before any FlowRule will start, not understanding where to include the attribute in MA export attributeflow.

could anyone please do let us know what would be the issue here and how this can be resolved.

↧

Export through delimited text file MA deletes all data in destination file

August 26, 2013, 10:05 pm

≫ Next: Web Service Connector Password Reset issues

≪ Previous: Dependency Not declared error

Hello!

I am studing FIM 2010 R2 and now trying to work with delimited text file MA. The situation is following:

1. Configured DTF MA using template and run profiles. So i have some attributes, one of them is set as anchor;

2. Configured outbound syncronization rules, so i have outbound attribute flow, workflow and MPR;

3. Rules have successfully applied in FIM Sync Service and required users have been provisioned to DTF MA CS;

4. After running Export, all attributes have been written to destination file.

Then i have a strange behaviour:

If i am running export, without having some changes in DTF MA CS - all my data is deleting from destination file.

The same thing happens if i delete one object from MV, so this deletion is provisioned into DTF MA. Then, when i am running export all rows are deleted, instead of one required.

What i am doing wrong?

P.S. sorry my English and thanks in advance :)

↧

Web Service Connector Password Reset issues

August 27, 2013, 1:21 am

≫ Next: FIM SSPR

≪ Previous: Export through delimited text file MA deletes all data in destination file

Hi,

I am using FIM 2010 R2 version 4.1.3419.0 and version of Web Services Connector 5.3.407

I've successfully configured FIM for Password Synchronization and I'm trying to reset a password in SAP using Web Service Connector MA. I am running MA in-proc.

When resetting a password in FIM Password Reset Portal, I am able to reset it in AD, but when password notification is staged for synchronization, I received following error message from FIM Synchronization Service:

BAIL: MMS(24932): d:\bt\800\private\source\miis\ma\core\passwordext.cpp(322): 0x80230729 (The extension could not be loaded.)

In spite of having <supportedRuntime version="4.0"></supportedRuntime> in miiserver.exe.config startup configuration. Then I've tried to add WebService dlls to GAC (as proposed in http://social.technet.microsoft.com/Forums/en-US/dc22caf6-aa45-42d1-a150-e3dbe997760b/0x80230729-the-extension-could-not-be-loaded), and got System.UnauthorizedAccessException. Extension tried to create a file "generated.config" in Microsoft.IdentityManagement.MA.WebServices.dll GAC location.

Now, since I cannot have these dll's in GAC and apparently I am unable to load them from Extensions folder. I'd like to know how to diagnose why extension is not picked up by Synchronization Service. I've turned on Fusion log and apparently Microsoft.IdentityManagement.MA.WebServices.dll is loaded.

Any ideas, suggestions?

Thanks in advance.

↧

FIM SSPR

August 27, 2013, 4:24 am

≫ Next: Security Group Lifecycle Management

≪ Previous: Web Service Connector Password Reset issues

Hello ,

after installing FIM Password Reset and Registration when i try to browse them i have this error

For the moment i tried only to access with HTTP no certificate used for both.

Internet explorer is not able to display the page !!

Any idea

↧

Security Group Lifecycle Management

August 27, 2013, 1:18 pm

≫ Next: Get the attribute values of a CS object from within the PutExportEntries method of a ECMA2 Assembly

≪ Previous: FIM SSPR

I am looking to implement group managment via FIM within our organization. Along with this I would however like to add some lifecycle managment onto to these groups. Other than an setting an expiration date on the groups what other options are out there? I would obviously like to have this automated as possible. Major concerns are scenarios where a group owner gets terminated can this trigger a change in ownership of the group etc...

↧

Get the attribute values of a CS object from within the PutExportEntries method of a ECMA2 Assembly

August 27, 2013, 6:30 pm

≫ Next: Creating password reset for helpdesk in FIM 2010 R2

≪ Previous: Security Group Lifecycle Management

I am interested to know if there is a way to get the attribute values of a CS object from within the PutExportEntries method in an ECMA2 dll. The reason I am trying to do this is to deal with the following scenario.

I have an export only MA (ECMA2) for an external data source that is accessible via a web service. The data that gets exported to this data source (via FIM) comes from a user SQL DB. However, this data source also has a web interface that allows for the adding and removal of data directly. As the MA is export only FIM is totally unaware of when a record gets removed via this web interface. As such, a record could get updated in the SQL DB for which no matching record exists in the external data source. If FIM tried to export this change an error would result.

Within the PutExportEntries method I can check to see if the record is still present in the external data source and instead of issuing an update I could add the record anew. However, the parameter passed to PutExportEntires is a collection of CSEntiresChange objects and these objects only contain the values for attributes that have changed. If I am going to add a record anew to the external data source I will need to know the values for all the attributes of that record. These values reside in the CS and the MV. Hence my question, is it possible to read these values directly from the CS (or the MV) so that I can use them to recreate a record that was removed from an external data source?

Thanks

↧