Channel: Forum Microsoft Identity Manager

msidmCompositeType Request Denied

Hi,

We are running a full sync this weekend and I noticed that on the FIM MA export the msidmCompositeTypes all return “Denied” as a status.

The FIM web service reports a SQL timeout expired session.

I am able to put FIM in pre-asynchronous mode and the exports complete but take a long time.

We have the timeout on the web service set to 20 minutes. The msidmCompositeType requests hang in a validating state until the 20 minutes are up and then report the Denied status.

Ever seen this before? It doesn’t appear to be a permissions issue and SQL is definitely responding when the requests are issued in single file.

I am going to try adjusting the length of the aggregationThreshold to see if that helps, but appreciate any ideas. Tried to figure this out yesterday to no avail.

Thanks,

Sami

Requestor: urn:uuid:fb89aefa-5ea1-47f1-8890-abe7797d6497

Correlation Identifier: b1c67faf-aa01-465d-90b8-d47d7299c18c

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)

   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)

   --- End of inner exception stack trace ---

.Net SqlClient Data Provider: System.Data.SqlClient.SqlException: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.

   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)

   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)

   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)

   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()

   at System.Data.SqlClient.SqlDataReader.get_MetaData()

   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)

   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)

   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)

   at System.Data.SqlClient.SqlCommand.ExecuteReader()

   at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)


Slow SQL MA and Error - Guid should contain 32 digits and 4 dashes

FIM 2010 R2 SP1 - Initial load. First SQL MA projected all employee data (35000 records) in 90 minutes. When processing full synch on second SQL MA (40000 records) (joins with MV objects from first SQL MA) one record showed up under flow errors list as "unexpected-error".

On opening the error record, it does not show any stack trace or error details on the "synchronization error" tab. On the lineage tab it shows up as a connector, and on clicking the "metaverse Object properties" button a message pops up: "Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)".

I tried stopping the full synch and ran a full import to see if it gets resolved, but it did not, and then tried deleting the source record but it does not go away. <<I guess this must be a corrupted record. Has anyone seen such an error with MIIS/ILM/FIM?

Second thing is second SQL MA performance, it is processing 100 records per hour. I have 2 join conditions, one as direct (unique ID ) and second as rules extension (employee id - to strip leading zeros on MV record). All the records that are joining are using the first condition. When I preview a record it is very fast but unable to figure out why it is so slow during run profile execution. <<Any suggestions to improve performance or debugging?

Attributes in join conditions are MV indexed. SQL server tempdb is resized to 1 GB. No pending exports in FIMService MA.

Thanks

FIM and Web Application Proxy integration (WS 2012 R2)

Hi,

I've spent the last three days working with the Web Authentication Proxy component of Windows Server 2012 R2 and it will start to solve some of my problems in replacing the ISA and TMG servers I manage.

That said, given the new extensibility of ADFS with plugins, such as phone factor (which would be way too expensive for me to use with 10,000 students on one campus and 40,000 on another), there is a fantastic opportunity for the FIM team to create an extension.

I ideally needed one extra piece of functionality with ISA/TMG but gave up when they were killed off. It was to be able to customise the login page so there would be a link to the FIM password reset port as that would save me thousands of Help desk calls.

With WAP I see an opportunity for two extra pieces of functionality.

a) The ability to link to the password reset portal directly from the WAP login page.

b) The ability for a subset of the password reset portal questions to be used for Multi-Factor authentication plugged into WAP.

Our biggest issue is people answering emails and giving out their passwords, which results in us spamming everyone else and us being blocked from sending emails.

I can't blame the students as it's always, 100% of the time, a lecturer but I now see this on a weekly basis and I see this as a place where you guys can really add some value both to password reset and multi-factor auth.

If this is the wrong place to post this, someone let me know and I'll ask elsewhere.

Kind regards,

Jason Bailey

FIM event Handler

In Group RCDC there are a certain number of event handlers defined, like:

  • OnChangeDomain
  • OnChangeMembershipType
  • OnLeaveBasicInfoGrouping

Where is the definition and declaration of these event handlers?

All Owner Approval

I would like to require that ALL OWNERS approve membership change on a group.  Is that possible (without a custom WF Activity)?

If I set the approval threshold above the number of owners on a group, the approval process never completes (because it never reaches the threshold).

I would like to facilitate this with 1 workflow applying to all groups (each with a different, & potentially changing number of owners).  I realize that I could create a WF, Set, & MPR dedicated to each number of possible owners.  Seems like a lot of overhead.

Your thoughts and/or suggestions are appreciated.

Thanks!

-Ryan

Issue w/ ambiguous-import-flow-from-multiple-connectors

My current issue is not so much with why am I getting an ambiguous-import-flow-from-multiple-connectors error message, but why I am not.

I am using the Active Directory Domain Services MA for FIM 2010 R2 (Version 4.1.3441.0).

I have a join rule using the employeeID metaverse attribute--String (Indexable); Multi-valued: No; Indexed: Yes.

In one ADDS MA used to manage regular users, I am using the AD employeeID attribute to join to the employeeID metaverse attribute. I will get the following error if an AD object is already connected to the metaverse object, which is what I expect:

"Import flow was rejected because the destination metaverse object had multiple connectors from the source management agent."

In another ADDS MA used to manage administrative accounts, I am using the AD extensionAttribute1 attribute to join to the employeeID metaverse attribute. With this MA I am able to connect multiple connector space objects from this admin MA to a single metaverse object, which is what I don't want.

Note that these ADDS MAs are connected to the same metaverse object. There should be not more than one regular user ADDS (ADDS MA 1) CS object and one admin ADDS (ADDS MA 2) CS object connected to a single person metaverse object.

Has anyone else encountered this issue? More importantly, has anyone resolved this?

Provisioning for of GAL MA in FIM

In the GAL MA configuration of FIM, there is a "Provisioning for" setting.

1. What is the "Provisioning for" setting?

2. What should I set for Exchange 2007 RUS server and Exchange 2010 RPS URI?

Customize Password Reset Portal -linebreaks

Hi

I need to display the password policy in text to the user when he enters a new password in SSPR. Is it possible to get line breaks in the text that is put inside the value tag? Or can I do it another way?

<data name="FinishingDescription" xml:space="preserve">
    <value> Some text </value>
</data>

/Mikael


Enabling FIM Portal Access for Normal User Accounts

Hi There,

Good Morning/evening,

Normal users can access FIM Portal site only when provisioned users from Active Directory to FIM Portal by inbound synchronization rule, but when users provisioned from FIM Portal to Active Directory by Outbound Synchronization rule, normal users cannot access the FIM Portal.

In both activity we are able to populate objectsid,accountname & domain so don’t know exactly only users provisioned back to FIM Portal with objectsid,accountname & domain from AD can access the FIM Portal.

Could you please help me on this: why can users access only when provisioned from Active Directory to FIM Portal, but we are not able to populate objectSID when provisioning users from FIM Portal to Active Directory?

getting below error,

Thanks & Regards

Veerappa Kammar

PowerShell Workflow Activity - Strange happenings when trying to use Target's (Person) ObjectSID

Hello,

I am using FIM 2010 R2 and the latest version of the PowerShell Workflow Activity.

I am having trouble when retrieving the Target's (Person) ObjectSID.

At first I tried to add it as a value in the Workflow Dictionary using a Function Evaluator before the PowerShell activity. However every time I did this the PowerShell wouldn't fire...? I confirmed that ObjectSID was the issue by running the same PowerShell Activity but changing and/or removing ObjectSID lookups... All those in the 'test' set have an ObjectSID as imported from Active Directory 

I next tried to use the ObjectSID as retrieved when you retrieve the entire Target object. The following is an example of that code:

$Target= Export-FimConfig -Custom ("/*[ObjectID='{0}']" -F $fimwf.TargetId.Guid) | Convert-FimExportToPSObject
$Target.ObjectSID
AQUAAAAAAAUVAAAA1u7/iCIBtngCifraqe4CAA==

The final line of text is the format with which SIDs are being returned.... I need to be able to double check against Active Directory this user exists and cannot do that with the SID in its 'current' format...

Does anyone know why my first attempt happened or ideally how to get the expected SID format from what I currently have...? 


Thanks 
M12
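
The conversion asked about in the post above, as an added example that is not part of the original post: the value returned is the binary SID, base64-encoded, and .NET's `SecurityIdentifier` class can turn it into the `S-1-...` string form. The function names `ConvertFrom-FimObjectSid` and `Test-SidResolves` are hypothetical; the sample input is the value quoted in the post.

```powershell
# Added example: decode the base64 ObjectSID returned by the FIM export
# into its S-1-... string form. Function names are hypothetical.
function ConvertFrom-FimObjectSid {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Base64Sid
    )

    try {
        $bytes = [Convert]::FromBase64String($Base64Sid)
    }
    catch [System.FormatException] {
        throw "ObjectSID value is not valid base64: '$Base64Sid'"
    }

    # Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes), then count * 4 bytes of sub-authorities.
    if ($bytes.Length -lt 8) {
        throw "ObjectSID is too short to be a SID ($($bytes.Length) bytes)."
    }
    $expected = 8 + 4 * $bytes[1]
    if ($bytes[0] -ne 1 -or $bytes.Length -ne $expected) {
        throw "ObjectSID is malformed: revision $($bytes[0]), $($bytes.Length) bytes, expected $expected."
    }

    # SecurityIdentifier(byte[], offset) parses the binary form;
    # .Value is the string form that Active Directory tools accept.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    return $sid.Value
}

function Test-SidResolves {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SidString
    )

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    try {
        # Translate asks Windows to map the SID to an account name and
        # throws IdentityNotMappedException when no account matches.
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $true
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

# Sample input: the base64 value quoted in the post above.
$sidString = ConvertFrom-FimObjectSid 'AQUAAAAAAAUVAAAA1u7/iCIBtngCifraqe4CAA=='
$sidString
```

`Test-SidResolves $sidString` performs the existence check and needs to run on a host that can reach the domain; the conversion itself works offline.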

FIM 2010 R2 - Can System Email Security Answers if User forgets.

A user will need to provide answers to their security questions prior to resetting their password.

However, can FIM 2010 R2 email users their security answers if they forget both their password and their security answers? Is there an option available in the system?

I believe if the user forgets both, then the admin has to manually reset the password. Correct me if I am wrong. Thanks.


"I'd rather direct than produce. Any day. And twice on Sunday." Director Steven Spielberg

Cannot use custom activities - failed to load toolbox item

Was working on a workflow activity today and hit this annoying error:

Cannot use custom activities - failed to load toolbox item

It had the unpleasant effect of crashing Visual Studio (2012).  The workaround was to remove the workflow DLL from the GAC (the one that I was working on), then re-open Visual Studio and try again.  Worked like a charm after that.


CraigMartin – Edgile, Inc. – http://identitytrench.com

How do I re-do the Sync of Groups from a Source to a Target domain due to incorrect OU mapping?

Hello,

For the first time, I 'Sync'ed' groups from a Source domain to a Target domain, however my OU mapping is incorrect.  I need to correct/adjust the OU mapping in the Target domain?  What steps are generally needed to remove the groups from the Target domain and 're Sync' the groups from the Source to the Target after I've corrected my OUMapping file?


Thanks for your help! SdeDot


As a note, the process I used to 'Sync' the groups was a FI, then a FS on the Source Domain Management Agent, followed by a E-DI-DS on the Target Domain Management Agent.

Change attributes metaverse or AD while deprovision.

Hi

I have many MAs, one to a view of ORACLE. I can't modify the view.

When a row is removed from this view, I must change the OU and the UserAccountControl of the AD_USER to disable.

I try to use the deprovision in the MA of ORACLE to change the data in the MV or in the other AD_MA, but I can't connect to the other MAs.

Does somebody have any idea how to do that?


Is an Export of many Attributes to a FIMMA object an atomic operation?

Hellos.

Customer wants Email Notification messages sent when a FirstName or LastName or AccountName changes

No problem. We can set MPRs to fire workflow when these attributes change.

But. On the Email Template we would have [//Target/FirstName] [//Target/LastName] [//Target/AccountName] etc.

What I would like to know is when all 3 of these attributes change in MetaVerse and are exported to FIMMA ...

Does the FIMMA object get updated in ONE operation and then the MPRs fired, or is it possible for the FIMMA object to get updated 3 times triggering MPRs each time.

There is a possible difference in the text in the Email Notifications depending which way FIM works.


Provisioning permissions to BHOLD

Hello,

I'm trying to flow the member attribute of a Group object from MV to BHOLD (for example, when the corresponding group membership has changed in FIM or AD MAs) via the Access Management MA. The export to BHOLD makes no errors, but permissions in BHOLD Core are not changed. What am I doing wrong?

Are there any ways to change user's permissions in BHOLD, when they are changed in some connected systems?

How to up the timeout setting to solve password reset portal error "Authentication gate timed out waiting for a challenge response"?

Hi Everyone,

We have the password portal up and running on one box and another server with FIM R2 and SharePoint 2010.  All is good with the exception that our end users typically get distracted during the password registration and/or reset process and receive: "An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)".  The timeout kicks in after 5 minutes of inactivity in the browser.

The FIM Service log shows the following:

"Authentication gate timed out waiting for a challenge response".

I have confirmed that the default password portal web.config setting is <add key="SessionTimeoutInMinutes" value="20" />.  

We have also updated Microsoft.ResourceManagement.Service.exe.config per this article to the following but with no luck:

<resourceManagementClient resourceManagementServiceBaseAddress="myAddress" timeoutInMilliseconds="600000" />
  <resourceManagementService externalHostName="myHost" dataReadTimeoutInSeconds="600" dataWriteTimeoutInSeconds="600"/> 

  1. We did not update the Windows SharePoint Services web.config setting per the article about since we are on SharePoint 2010.
  2. There is no NLB or firewall in front of this server.

If anyone has any solution to how to solve this on FIM R2/SharePoint 2010 please let me know.

Cheers!


New FIM blog

Hello,

I started my blog, focused on IDM and mainly FIM, a few days ago.
I hope you will find it useful for your work.

It's time to give something back to the community as I learned a lot from other blogs and this forum, which was very useful in my daily work.

http://justIDM.wordpress.com

The first two posts are online, more to come in near future.

@Moderators: Hope this is ok to post, as I saw another thread announcing a blog; if not, please feel free to remove this post.

Regards
Peter


Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

Forefront Password Registration

Hello,

Is there any possibility that users can register from the internet for their Forefront password registration without including the domain name? E.g., instead of domain\username I want only the username, or the domain name included automatically, so that the user will only enter their username and password.

Regards

Sarwar

Lotus Domino 8.x Connector Error KeyFileName in notes.ini

Hi, I'm currently trying to configure a Lotus Notes 8.x management agent on a fresh FIM 2010 R2 SP1 install.

Everything is well installed and I can even connect to the Lotus Notes database I want, with the service account I want to use through the Lotus Notes client 8.5.3.

But when I start the Management Agent configuration and fill the Domino server info, UserId file and password when I click Next to go further I get the following dialog box error:

Synchronization service Manager

Value cannot be null.
Parameter name: Key File name value is missing in notes.ini

I'm wondering which notes.ini FIM is looking for, as notes.ini is stored in user profile folders, and how I can troubleshoot this. I didn't find anything in the TechNet docs or in the forum, so I'm wondering if someone has an idea before I open a call with Microsoft.

Thanks


Philippe
