Channel: Forum Microsoft Identity Manager

MIM Removing Users from Groups randomly?


Hey all, 

So, not entirely sure what happened - using the basic documented MIM AD and FIM Agents in Sync tool, followed up by the Inbound / Outbound Group Sync rules in portal. All of a sudden a few random users were removed from Groups and I am not sure why, or even where to look for a logical explanation. 

MIM is getting all AD users inbound

MIM Is getting a selected OU for Groups (other groups exist outside of this OU) 

MIM Outbound rule is pointing to a specific OU to create Groups from the portal. 

The groups get created in the Metaverse but don't show up in AD, but running it will remove some users from Groups that are not in this "specific OU" just in the "In Bound Groups OU" - 

Any ideas? 

Thanks! 


MIM2016 Attribute not declared as a dependency


In the connector flow the field userPrincipalName is checked under Select Attributes

Under Configure Attribute Flow the field is defined as follows:

When I process new imports I get the following error:

Microsoft.MetadirectoryServices.AttributeNotDefinedAsSourceException: Attribute "userPrincipalname" is not declared as a dependency.

   at Microsoft.MetadirectoryServices.Impl.EntryState.GetAttribute(String attributeName, IMacroCollectionBase collection)

   at GTI.IDAM.IDHubSync.MIMConnector.MFAADIafAnygtMemberfirmID(CSEntry csentry, MVEntry mventry) in C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\SourceCode\GTI.IDAM.IDHubSync.Dev\GTI.IDAM.IDHubSync\GTI.IDAM.IDHubSync.Import.cs:line 149

The code referenced on line 149 is:

 if (csentry["userPrincipalName"].IsPresent)

So why am I getting the error that it is not declared?

Implementing Enterprise RBAC System


Hi Everyone,

I wish to use FIM SET and Group as Enterprise RBAC. I have gone through the article at the link below. I wish to take this further by extending the application Role with attributes that will be required for entitlement (literally serving as permission) in the target application.

My question is how do I query the members of the Resultant Group to sync to the Target application such that iterating through the Group membership (users) actually surfaces the defined Permission attributes on the Group Object. I don't want to define the Custom attributes on the user object. Is this doable, and is there any XPath query sample that can help?

Help appreciated in advance

https://social.technet.microsoft.com/wiki/contents/articles/3982.fim-2010-use-sets-and-groups-as-enterprise-rbac-system.aspx 


Akinzo

What exactly does Enable Synchronization Rule Provisioning do?


I've searched as much as I can but am unable to find a clear definition. According to https://blogs.msdn.microsoft.com/connector_space/2014/12/30/understanding-the-fim-service-management-agent-fim-ma/

"For any resource type that has an Object Type Mapping with a metaverse resource type, any object projected to the metaverse will provision to the FIM MA connector space.  Synchronization Rule Provisioning (tools->options) has no affect on this behavior"

If this is the case, what is the purpose of Sync Rule Provisioning?

Thanks

Does MIM 2016 REQUIRE SharePoint?


I am configuring an ESAE environment using MIM 2016. We will be using PowerShell scripts and the PAM commandlets to migrate admin accounts from the corporate domain to the red forest, migrate groups to create the shadow principals in the red forest, and manage roles. I do not want to use SharePoint. All ESAE installation instructions include the installation of SharePoint with MIM. Is SharePoint REQUIRED or can MIM be installed without SharePoint?

Robert

Step by Step MIM 2016 installation?


Hello,

I was wondering if anyone is happy to share their step by step MIM installation. I don't mind any of the versions at this time as I just need to get one working. I have tried multiple documents online including doc.microsoft.com and I still can't get it to work. It looks like there is always something missing in every documentation I have used.

I've tried rebuilding my dev environment 12 times but I still can't get it to work. I'm not sure if it is a permission issue or the steps I am following are wrong, but the major hurdle has always been the MIM portal, which ends prematurely. There are some SharePoint steps not mentioned in Microsoft's documentation but which exist in some blogs for previous installations. I'm not sure if that has changed or the documentation is not complete.

I'll really appreciate your help if anyone can share their own documentation on how to install MIM.


Distribution group provisioning to AD


Greetings all,

Straight to the point. MIM/FIM is not provisioning distribution groups to AD. The strange thing is that it is provisioning security groups but not distribution groups.

Does anybody have any clue, what could be causing this?

Thanks,

zzeet

Question regarding migrated users in MIMPAM


I am setting up an ESAE environment using MIM 2016. I made the following assumptions when I started the project:

  1. An administrative account migrated to the privileged AD domain (a.k.a. red forest domain) as a PAM Object would be able to manage multiple corporate domains based on the roles the account is associated with.
  2. Once a user gets an admin account in the privileged AD domain, the user's admin account in corporate domains could get deleted if all of the associated functionality is also migrated to the privileged AD domain. In other words, if the user's admin account in corporate domains is no longer a member of any group, then delete the account.
  3. If a new user requests an administrative account, simply create the PAM object and the MIM record.

I question if those assumptions are correct because the MIM record for the administrative account maintains the source account name and source domain name of the original corporate admin account. I have had some odd results with the set-pamrole command to add a user to the candidates list if the user is not in the corporate domain.

Thoughts?

Robert



Net SqlClient Data Provider: System.Data.SqlClient.SqlException (0x80131904): Could not find stored procedure 'fim.IsServiceBrokerEnabled'

I am in the process of migrating FIM 2010 - 2010 R2 - MIM 2016. Everything seemed to go well, with no errors during the Synchronization service. However, I ran into an issue and I am stuck. I performed the migration and all looked good, except that when I run the FIMMA Full Import (after successfully running the ADMA Full Import and Full Sync) it triggers the following event:
Log Name: Forefront Identity Manager Management Agent
Source: ForefrontIdentityManager.ManagementAgent
Date: 12/18/2018 11:49:43 AM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PSC-MIM-01.mso.intranet
Description:
.Net SqlClient Data Provider: System.Data.SqlClient.SqlException (0x80131904): Could not find stored procedure 'fim.IsServiceBrokerEnabled'

My SQL admin checked and did not find 'fim.IsServiceBrokerEnabled' in either the old or the new database. New SQL Database is SQL 2012 R2.

MIM SharePoint Connector for User Profiles, Support for SP2019


Hello,

I have a question regarding "support" of the MIM SharePoint Connector for User Profile Service:

The document says "supported versions 2016 and 2019"

https://docs.microsoft.com/en-us/sharepoint/administration/deployment-considerations-for-implementing-microsoft-identity-manager-with-share

While the download (last version from 2016) says "supported versions 2013 and 2016"

https://www.microsoft.com/en-us/download/details.aspx?id=41164

So can we assume that SharePoint 2019 is supported for use with the MIM SharePoint Connector?

/Peter


Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

Synchronizing groups between AD forests


We have a need to synch groups between two AD forests, using only the Synchronization Service.

I can import the groups in one forest into the MV, with the members, and I can provision a group with the same name in the second forest, but I need to look up the equivalent user ID in the second forest and add them as members to the provisioned group. But since the member attribute is a ReferenceValue, nothing I try works.

I know that Group Management in the Synch Service has never been a robust feature, but is there any way to make this work?


Ed Bell - Specialist, Network Services, Convergys

Initial Load for AD Users to MIM Portal


Hi All,

Just need some help/thoughts

My scenario is described as follows

1. Importing Records from HR (Authoritative SOR)
2. MPR/WFs process new records from HR before creation in MIM Portal/AD and other connected data sources. The processing includes generating and deriving accountName, dn, Display Name based on naming convention, initial AD password, mailbox location for Exchange Server, etc.

What I want to achieve

1. I want to import the Initial Load of existing Users/Groups in AD to be created in the MIM Portal but want to exempt the existing records coming from AD, from being processed by the MPR/WFs in #2 above that processes every record that gets created in the MIM Portal.

In summary attributes from existing records in AD should remain unchanged, after initial load into the MIM Portal. Subsequent changes can be initiated from the HR SOR, via Join and sync actions.

How can I achieve this?

Thoughts/Feedback appreciated


Akinzo


Only Export Run Profile Showing


Hi All,

I am working on an ECMA MA; strangely, it is only the Export Run Profile option that is visible to be configured. The other options (Full Import, Delta Sync, etc.) are not showing, so I can't create an Import Run, for example. Any ideas/clues on what the issue could be?

FIM MA creation error


Hi,

I am getting an error while creating FIM MA on synchronization service.

Users unable to view security group details (e.g. membership list and owner)


Hey all, what are the steps required in order to allow normal (non-admin) users to view security group attributes such as the current membership list and owner in the FIM/MIM portal?  So far I have tried the following:

Still, when I log in as standard user I'm unable to see the current membership list as well as owner information.  What am I missing?

Thanks in advance for any guidance!



When running full import, I get stopped-extensible-extension-error in status.


Hi,

I have a SAP inbound MA that is based on the web service configuration tool. I get a stopped-extensible-extension-error when I run full import. I tested my web service in SoapUI and was getting a java.socket timeout exception. But after changing the configuration in SoapUI, the error got fixed in SoapUI and the web service is working perfectly there.

So now it seems I need to change the "service time out parameter" somewhere in MIM or the web service configuration tool, and I tried my best but I didn't find a place where I can do so.

I found a link where it says to uncompress the *.wsconfig file and make the changes in the cfg.config file. Please see the screenshot below:


But the issue is that when I uncompress my file, I don't get any cfg.config file. I get only the files shown in the screenshot below:

So any help in this regard would be highly appreciated. My web service is working fine on the same server machine in SoapUI, but in MIM I get the error below, and I am sure that I just need to fix the timeout parameter somewhere and it will start working.

--------- Inner Exception Data ---------
  Message: The HTTP request to 'http://xxxxxxxx' has exceeded the allotted timeout of 00:00:59.7990000. The time allotted to this operation may have been a portion of a longer timeout.
  Exception root Exception type: System.TimeoutException 

Thanks & Regards


F.

MIM 2016


Hi,

I'm trying to deploy MIM 2016 in our infrastructure.

I am almost done with the deployment part (MIM sync engine, SQL, SharePoint); at last I got an error while installing the service and portal setup files.

I even troubleshot that issue, but after installing the service and portal, the site which is created in SharePoint is not accessible.

What is the possible way to resolve the issue?

NOTE: not the default site; the site which we create for MIM portal access is the one that is not accessible.

 

MIM Portal RCDC Configurations with OfficeLocation, Country, City


Hi Friends,

I was trying to design a MIM Portal RCDC configuration while creating the Joiner form, where I need to auto-populate the values of OfficeLocation, Country and City. When I select the Country, only the cities under that country should populate the City control in the RCDC, and in the same way, when I select one, only the Office Location should be mapped to the OfficeLocation control.

Ex: If I select India as the country, then all the cities which belong to India should come up in the dropdown, picker or listview control.

Share your ideas on how we can present this by implementing it, or a piece of design for quick help.

Thanks to all.


Who will be announced as the next FIM Guru? Read more about January 2019 competition!!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in January 2019 and must be in English. However, the original blog or forum content can be from before January 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/write over your Microsoft technical solutions and revelations to TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed).
  3. (Optional but recommended) Add a link to your article at the TechNet Wiki group on Facebook. The group is very active and people love to help; you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Vimal Kalathil.



Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answer or vote as Helpful.

Additional 2016 MIM Portal & MIM Service


Hi Dears,

I did a setup of MIM 2016 Portal & Service on Windows Server 2016 with SharePoint 2016 for SSPR.

I need to know two things:

  • Is it supported to deploy an additional MIM 2016 Portal server for SSPR?
  • Where is the Microsoft guide for deploying an additional Portal server?

I did not find the guide, so please help with this.
