Channel: Forum Microsoft Identity Manager

FIM2010 R2 SharePoint Farm mode


Users and Group Owners are unable to see their groups


Hello all,

I have an issue where security group owners are unable to see/read any groups that they own. I have enabled the following MPRs, but still nothing; please help.

Group management: Group administrators can create and delete group resources
Group management: Group administrators can read attributes of group resources
Group management: Group administrators can update group resources
Security group management: Owners can read selected attributes of group resources
Security group management: Owners can update and delete groups they own
Security group management: Users can read selected attributes of group resources

Also, when a user logs into the portal they are unable to see any security groups listed under My SG Membership. However, when we check the group membership they are indeed part of the group, both in the FIM portal and in AD.
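As an added illustration (not part of the post above, and not FIM's own engine or schema), the toy evaluator below models the rule FIM applies to a read request: the read is permitted only if at least one enabled request MPR matches the requestor, the target set, the operation and the attribute. The three read-related MPRs named in the post are modelled with constructed set filters, attribute lists and object IDs. The point it shows is that an "Owners can read" MPR grants nothing unless the group's Owner attribute actually references the requestor, and that a disabled MPR grants nothing at all.

```python
"""Toy model of FIM-style Management Policy Rule (MPR) evaluation for reads.

Added illustration only: set filters are plain predicates where FIM uses XPath,
and the MPR attribute lists, object IDs and administrator set are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Resource:
    object_id: str
    object_type: str
    attrs: Dict[str, object] = field(default_factory=dict)


SetFilter = Callable[[Resource], bool]


@dataclass
class Mpr:
    name: str
    enabled: bool
    requestor: SetFilter              # principal set (ignored when relative_to is set)
    target: SetFilter                 # target resource set
    operation: str                    # "Read", "Modify", ...
    attributes: Set[str]              # granted attributes; {"*"} means all
    relative_to: Optional[str] = None  # "Owner": requestor must be referenced by this attribute


def _refs(value) -> Set[str]:
    """Normalise a single- or multi-valued reference attribute to a set of ObjectIDs."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def mpr_grants(mpr: Mpr, requestor: Resource, target: Resource,
               operation: str, attribute: str) -> bool:
    """True if this single MPR authorises `requestor` to `operation` `attribute` on `target`."""
    if not mpr.enabled or mpr.operation != operation or not mpr.target(target):
        return False
    if mpr.relative_to is not None:
        # "Relative to resource" MPR: the principal is whoever the target's attribute points at.
        if requestor.object_id not in _refs(target.attrs.get(mpr.relative_to)):
            return False
    elif not mpr.requestor(requestor):
        return False
    return "*" in mpr.attributes or attribute in mpr.attributes


def readable_attributes(mprs: List[Mpr], requestor: Resource, target: Resource,
                        wanted: Set[str]) -> Set[str]:
    """Attributes of `target` that `requestor` may read: any matching enabled MPR suffices."""
    return {a for a in wanted
            if any(mpr_grants(m, requestor, target, "Read", a) for m in mprs)}


def sample_mprs(administrators: Set[str]) -> List[Mpr]:
    """The three read-related MPRs named in the post, with constructed filters/attribute lists."""
    all_people: SetFilter = lambda r: r.object_type == "Person"
    all_groups: SetFilter = lambda r: r.object_type == "Group"
    is_admin: SetFilter = lambda r: r.object_type == "Person" and r.object_id in administrators
    return [
        Mpr("Group management: Group administrators can read attributes of group resources",
            True, is_admin, all_groups, "Read", {"*"}),
        Mpr("Security group management: Owners can read selected attributes of group resources",
            True, all_people, all_groups, "Read",
            {"DisplayName", "Owner", "ExplicitMember"}, relative_to="Owner"),
        # Disabled on purpose: without it a non-owner, non-admin user reads nothing.
        Mpr("Security group management: Users can read selected attributes of group resources",
            False, all_people, all_groups, "Read", {"DisplayName"}),
    ]


def demo() -> Dict[str, Set[str]]:
    """Four requestor/target combinations over constructed sample objects."""
    wanted = {"DisplayName", "Owner", "ExplicitMember", "Description"}
    alice = Resource("alice", "Person")
    bob = Resource("bob", "Person")
    carol = Resource("carol", "Person")
    owned = Resource("sg-1", "Group", {"Owner": ["alice"]})
    ownerless = Resource("sg-2", "Group", {"Owner": None})  # Owner never populated
    mprs = sample_mprs(administrators={"carol"})
    return {
        "owner": readable_attributes(mprs, alice, owned, wanted),
        "owner_on_ownerless_group": readable_attributes(mprs, alice, ownerless, wanted),
        "plain_user": readable_attributes(mprs, bob, owned, wanted),
        "admin": readable_attributes(mprs, carol, owned, wanted),
    }


if __name__ == "__main__":
    for who, attrs in demo().items():
        print(f"{who:>26}: {sorted(attrs)}")
```

The four outcomes mirror the checks a practitioner would run against the symptom in the post, in order: is the MPR enabled, does the requestor really fall into the principal set (or is it referenced from Owner), and is the attribute in the MPR's list.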




Microsoft FIM, SharePoint and Single Sign-On


Hi Gurus

I wanted to ask you a few questions about a solution I am working on at the moment. I would appreciate any assistance in this regard. The solution is based around SharePoint 2010 and FIM 2010.

A brief synopsis of the solution:

The customer has a working ADFS solution in place. They have a SharePoint site where users will come, click on a URL and get redirected to a partner portal, where they will be logged in without being prompted for their credentials. At the moment the customer has no way of identifying users in the SharePoint site. We are working closely with the partner to integrate their portal into the customer environment. Their portal is single sign-on and Security Assertion Markup Language (SAML) aware. Insight will also be delivering a FIM infrastructure with the Synchronization and Password Reset Portal services enabled. The plan is to have FIM sync the account details from the customer's AD and submit them to the partner portal's web service. The partner will not be providing access to their LDAP directory to CUSTOMER. Rather, they will be providing a web service (a Clearview web server) for the FIM server to send the AD account info to. The partner will manage the data from their end to keep their LDAP directory in sync with the customer AD. The single sign-on solution of the partner works on the assumption that the users need to be authenticated when they click on the URL so that their session information can be passed to the partner portal.

The questions I have are as follows: 

SharePoint questions –

  • To authenticate external/internal users to the SharePoint site, should claims-based authentication be used in SharePoint? Do you believe there are any other options than claims-based authentication?
    • Can SharePoint leverage the existing ADFS implementation, or will claims-based authentication mandate that users log in again using their credentials when they arrive at the SharePoint site?
  • Can the users be reminded/notified about the impending expiry of their password? Can that be done natively through SharePoint, or does this need to be done at the AD level? That is, to inform the users of password expiry, can there be a SharePoint page, or can they be informed by AD?

FIM questions –

  • If the notification can be configured, can the URL for the Password Reset Portal be included in it? That is, if it is a SharePoint page then it needs to display the URL of the password portal. The same goes for the email notification.
    • Alternatively, if the password has already expired, can the users be redirected to the portal instead of being told that the password has expired?
  • Will we be able to manually trigger sending a password reset link to an email address not tied to the user's AD account? This is for first-time external users who will not have an email account in the customer's environment.
  • Considering the situation where the FIM Synchronization Service is sending the account information to a web service, can FIM Directory Sync do that out of the box? The partner has indicated that no customization will be needed on FIM, but I wanted to confirm.
    • For the FIM server to work with the web service, does it need to communicate over a VPN tunnel, or can normal HTTPS traffic over port 443 work as well? What is the supported and suggested method to do this?

Please let me know what you think. Thanks in advance

Forefront Identity Manager 2012 R2, Exchange 2013 and exchangeUtils


Is it possible to use exchangeUtils.CreateMailbox to provision users and mailboxes in an Exchange 2013 environment using FIM 2010 R2 (latest version, which is 4.1.3461.0 as I am writing this)?

I get all kinds of conflicting and vague information when looking for the answer.

I know of several PowerShell workarounds, but would really prefer to use exchangeUtils if at all possible.


---Sig---

FIM 2010 R2 SP1 - SCSM 2012 R2 support


Hello. I know that with FIM 2010 R2 SP1, support for System Center Service Manager 2012 was added. Does anyone know if 2012 R2 is also supported or not at this time?

Thanks, Joe

Announcing General Availability of Windows Azure Active Directory, Generic LDAP, and SharePoint UPS Connectors for FIM2010R2


We are pleased to announce that we have released three new Connectors for FIM2010R2 for public General Availability.

Windows Azure Active Directory Connector

This Connector can be used in scenarios not supported by DirSync, for example multi-forest or non-AD. We still recommend using DirSync as the primary solution to synchronize AD to AAD, and using it whenever possible. The Connector comes with sample code and configuration for a resource/account-forest scenario. For more information, please refer to the TechNet documentation: http://go.microsoft.com/fwlink/?LinkID=330371.

Generic LDAP

This Connector will allow you to connect to an LDAPv3-compliant directory. It currently supports the same LDAP directories (IBM, Novell, and Oracle) we ship with FIM2010R2 and will over time replace the built-in LDAP Management Agents. For more information, please refer to the TechNet documentation: http://go.microsoft.com/fwlink/?LinkID=270179.

SharePoint User Profile Store

This Connector will connect to the SharePoint User Profile Store and can be used as a replacement for the built-in synchronization engine which comes with SharePoint, for example in multi-forest or non-AD scenarios. For more information, please refer to the TechNet documentation: http://go.microsoft.com/fwlink/?LinkID=331344.

/Andreas


Password sync to another forest not working


I have configured MIIS 2003 to target another forest for password syncs and continually get the error below. I've set up everything as requested by the doco and can successfully sync AD accounts between the forests. But for some reason the password set in the target domain does not work!

Has anyone experienced this? MIIS is running on Windows Server 2003. The forest it lives in is Windows 2003 functional level. The target forest (FORESTB) is 2008 functional level. The DC I am using is Windows Server 2008 R2 SP1

An unexpected error has occurred during a password set operation.

 "BAIL: MMS(4304): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=ROOT,DC=FORESTB to the list because it already exists at position 0

BAIL: MMS(4304): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=ROOT,DC=FORESTB to the list because it already exists at position 1

BAIL: MMS(4304): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=ROOT,DC=FORESTB to the list because it already exists at position 2

BAIL: MMS(4304): utils.cpp(734): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(4304): utils.cpp(788): 0x80070002 (The system cannot find the file specified.)

ERR: MMS(4304): admaexport.cpp(3095): The Kerberos change operation failed: 0xc000005e

ERR: MMS(4304): ma.cpp(7694): ExportPasswordSet failed with 0x80004005

Microsoft Identity Integration Server 3.2.1005.0"
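Added example, not from the post: a small parser for the MMS trace quoted above that decodes the hex codes it carries. Values of the form 0x8007xxxx are HRESULTs wrapping a Win32 error (HRESULT_FROM_WIN32), values in the 0xC0000000 range are NTSTATUS errors; the names below come from winerror.h and ntstatus.h. The record layout and the root_cause heuristic (the first ERR-level line) are the example's own choices, and the sample input is the trace from the post.

```python
"""Decode the HRESULT/NTSTATUS codes in an MIIS/FIM MMS trace.

Added example: the trace below is the one quoted in the post; code names are
taken from winerror.h and ntstatus.h.
"""
import re
from typing import Dict, List, Optional

SAMPLE_TRACE = """
BAIL: MMS(4304): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition CN=Configuration,DC=ROOT,DC=FORESTB to the list because it already exists at position 0
BAIL: MMS(4304): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=ROOT,DC=FORESTB to the list because it already exists at position 1
BAIL: MMS(4304): dnutils.cpp(1326): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=ROOT,DC=FORESTB to the list because it already exists at position 2
BAIL: MMS(4304): utils.cpp(734): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(4304): utils.cpp(788): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(4304): admaexport.cpp(3095): The Kerberos change operation failed: 0xc000005e
ERR: MMS(4304): ma.cpp(7694): ExportPasswordSet failed with 0x80004005
Microsoft Identity Integration Server 3.2.1005.0
"""

# "<LEVEL>: MMS(<pid>): <source file>(<line>): <message>"
LINE_RE = re.compile(r"^(BAIL|ERR): MMS\((\d+)\): ([\w.]+)\((\d+)\): (.*)$")
CODE_RE = re.compile(r"0x([0-9A-Fa-f]{8})\b")

# Only the codes that occur in this trace are named here (winerror.h / ntstatus.h).
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 183: "ERROR_ALREADY_EXISTS"}
HRESULT_NAMES = {0x80004005: "E_FAIL"}
NTSTATUS_NAMES = {0xC000005E: "STATUS_NO_LOGON_SERVERS"}


def decode_code(value: int) -> Dict[str, object]:
    """Classify a 32-bit code as HRESULT_FROM_WIN32, plain HRESULT or NTSTATUS."""
    if (value >> 16) == 0x8007:                  # HRESULT with FACILITY_WIN32
        win32 = value & 0xFFFF
        return {"kind": "HRESULT_FROM_WIN32", "win32": win32,
                "name": WIN32_NAMES.get(win32, f"Win32 error {win32}")}
    if value in HRESULT_NAMES:
        return {"kind": "HRESULT", "name": HRESULT_NAMES[value]}
    if (value >> 30) == 0b11:                    # NTSTATUS with severity = error
        return {"kind": "NTSTATUS",
                "name": NTSTATUS_NAMES.get(value, f"NTSTATUS 0x{value:08X}")}
    return {"kind": "unknown", "name": f"0x{value:08X}"}


def parse_trace(text: str) -> List[Dict[str, object]]:
    """One record per BAIL/ERR line; banner and version lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().strip('"'))
        if not m:
            continue
        level, pid, source, line_no, message = m.groups()
        records.append({
            "level": level, "pid": int(pid), "source": source, "line": int(line_no),
            "message": message,
            "codes": [decode_code(int(h, 16)) for h in CODE_RE.findall(message)],
        })
    return records


def root_cause(records: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Heuristic: BAIL lines record early returns; the first ERR line is the
    best candidate for the operation that actually failed."""
    for rec in records:
        if rec["level"] == "ERR":
            return rec
    return None


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for rec in recs:
        names = ", ".join(str(c["name"]) for c in rec["codes"])
        print(f'{rec["level"]:4} {rec["source"]}:{rec["line"]}  {names}')
    rc = root_cause(recs)
    if rc:
        print("root cause candidate:", rc["message"])
```

Run against the pasted trace, the three "already exists" lines decode to ERROR_ALREADY_EXISTS and the two utils.cpp lines to ERROR_FILE_NOT_FOUND, while the first ERR line carries the NTSTATUS from the Kerberos password change; that is the line to start from when comparing against the target forest's domain controllers.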

Groups & Sets, FIM_TemporalEventsJob : unable to correct "cached membership"


Hi,

We have some weird behavior regarding the execution of our temporal set job, and we cannot determine if there is a bug or if something is wrong with our design.

  1. The FIM_TemporalEventsJob runs at 1:00 am every night.
  2. There are warnings in the Event Viewer (Windows Logs/Application) for the source Microsoft.ResourceManagement.ServiceHealthSource regarding some groups and sets.
  3. Here is a sample message for a group, stating that an attempt to remove a member has been made (event ID 34).

"The Forefront Identity Manager Service identified and corrected an error in the cached membership of a dynamic group: 10AEE3CE-FE3D-4FF8-81FD-483B044F3752.
Correction: Removal
Member: 9153AC48-9AAE-48FE-AF52-51C180ADDCBF".

Weird Behavior 1

Every night, exactly the same execution occurs (i.e. the same sets and groups are corrected, with the same member removals) in the Event Viewer! The job seems to be unable to remove the users from this so-called "cache". This contradicts the event IDs logged.

Weird Behavior 2 (probably linked to #1)

If I log in to the portal and check one set ("View Members" button), the so-called corrected member is not listed as a member. That set is typically used in a transition-in MPR that determines the user status (active/inactive). In our case the user is never de-activated.

If I manually change the attributes that determine the set membership (end date in the future and then back in the past), the user ends up being deactivated.

If I re-run the SetTemporalJob again, the same event ID occurs and the user ends up being reactivated.

Q1: What's this "membership cache"?

Q2: Any idea how to fix this annoying behavior?

Thanks in advance for your help,

Sylvain


Edit (product version) : FIM 2010 R2 SP1 (build 4.1.3441.0)

ECMA 2.2 development & testing


Hi,

In ECMA 2.2 you can instantiate an MA without the Sync Server for test & dev purposes.

Is there any guide for that?


Borys Majewski, Identity Management Solutions Architect (http://IDArchitect.NET)

Selective Filtering for Export

1. I have users and contacts in AD. They are synced to the MV as PERSON objects.
2. I would like to export the AD users to the FIM MA but not the AD contacts. Is there any way to prevent the contacts from being exported?

External Attribute Lookup


Hi all,

Apologies if this is a silly question but I am quite new to FIM.  The use case I have is as follows.

I have data flowing into FIM from a file-based MA. When a user falls into the set "All Employees", for example, they automatically get provisioned to Active Directory. This I have working today, but I need to enhance it. A user will have a department ID, and the user needs to be provisioned into the corresponding OU, which is named after the department (i.e. Dept ID = 1, OU=Department 1; Dept ID = 2, OU=Department 2). In FIM, what would be considered best practice in this situation?

In previous IDM systems I have made a dynamic lookup to an external database table - how would I go about such a thing in FIM?

Thanks a lot for any help.
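Added example (not from the post): one way to do the department lookup when assembling the provisioning DN. The department table and base DN are constructed stand-ins for whatever external source is used. Because the DN is built from data arriving through the file MA, attribute values are escaped per RFC 4514 so that a display name containing a comma cannot smuggle in an extra RDN, and an unmapped department fails closed rather than landing the account in some default container.

```python
"""Build a target DN from a department-ID lookup, with RFC 4514 escaping.

Added example: DEPARTMENT_OU and BASE_DN are hypothetical stand-ins for the
external lookup and directory the post describes.
"""
import re
from typing import Dict

# Stand-in for an external lookup (department ID -> OU name); hypothetical values.
DEPARTMENT_OU: Dict[str, str] = {"1": "Department 1", "2": "Department 2"}
BASE_DN = "DC=corp,DC=example"   # hypothetical


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514 section 2.4):
    backslash-escape , + " \\ < > ; anywhere, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def target_dn(display_name: str, department_id: str) -> str:
    """CN=<name>,OU=<department OU>,<base>. Unknown departments raise instead of
    defaulting, so a bad source record cannot provision into an unintended OU."""
    try:
        ou = DEPARTMENT_OU[department_id]
    except KeyError:
        raise LookupError(
            f"no OU mapped for department id {department_id!r}; not provisioning") from None
    return f"CN={escape_rdn_value(display_name)},OU={escape_rdn_value(ou)},{BASE_DN}"


def rdn_count(dn: str) -> int:
    """Number of RDNs in a DN, splitting only on commas that are not escaped."""
    return len(re.split(r"(?<!\\),", dn))


if __name__ == "__main__":
    print(target_dn("Smith, John", "1"))
    # A hostile display name: escaping keeps it inside the CN instead of adding an OU.
    hostile = target_dn("Bob,OU=Domain Admins", "2")
    print(hostile, "->", rdn_count(hostile), "RDNs")
```

In a real MV extension the same logic would sit where the DN is computed for the AD connector space object, with the lookup replaced by the database or table the department mapping lives in; what matters is that the escaping and the fail-closed behaviour are not skipped when that swap is made.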

Use FIM Function Evaluator to update boolean attribute


Been a while since i was in here, great to be back :)

I'm trying to use the FIM Function Evaluator to update [//Target/BooleanAttribute], but I am not sure how to do it, or if it can be done. I tried just using a constant:
"String:true"
but that does not seem to work.

How to do it?


/Frederik Leed

Normal user cannot access portal resources


I am using FIM 2010 R2 SP1 on SharePoint 2013 Foundation.

Users can login to the portal

The problem is that a normal user can log in to the portal (no errors) but cannot access resources.

The title bar is visible as is "Welcome <user>". The search bar is there but search within is empty. There is no side menu or the home menu.

The policies: "User management: Users can read attributes of their own" and "User management: Users can read selected attributes of other users" are both enabled.

If I place the user in the administrators group the portal is normal. When removed from the administrators set it is empty again.


FIM 2010 R2 SP1 and Certificate Management


Hello. I've been reading up on FIM, as we've had this on our plate for implementation for a bit and it's time to get it into production and off the list. The main reason for using FIM is the Certificate Management piece, as we are currently supporting many certificates on a daily basis. In researching the latest information, I am finding very little regarding just the Certificate piece. We currently use scripts to check and e-mail when certs are going to expire, but want this to be managed a bit better. A hesitation is what I've seen about only one e-mail delivery when an item runs through the workflow, so that won't work. Other thoughts? How many of you actually use FIM to manage certificates? If you have used FIM but moved to another product, why? Thanks for your feedback; it will help in designing this app to work properly to address our needs.

Provisioning O365 Hybrid Licenses During FIM On-Boarding Process


My organization just moved to O365 Wave 15 in a hybrid environment.  We use FIM On-boarding to provision new users and create their on-prem mailboxes.  Is there a way to use FIM to assign new users' O365 licenses in the cloud?  We're trying to make that process as automated as possible without invoking a lot of scripting and scheduled tasks, if at all possible.

Thank you.

Ian Kahn
Sr. Consultant
InfraScience, LLC
ikahn@infrascience.com


Create set of users in custom reference attribute on group resource


Hi

I'm trying to create a set of users in a custom reference attribute on a specific group. Sort of like "Specific group members set"

What i have is:
/Person[ObjectID = /Group[ObjectID='348eb3ac-6367-4ca0-ac0c-626cc6dde846']/CustomReferenceAttribute]

but the UI does not allow this. How do I do it?


/Frederik Leed

Management Agent for Web service using Windows authentication


Hi,

I have a web service using Windows authentication and I want to connect it to my MA. The MA provides Basic, None or Certificate as the client credential type. When running the MA Import profile, WebServiceConnector.log shows:

2013-11-26T13:03:31 [2444:1488] Error   - WebServiceCallActivity:EndExecute : Failed to complete login operation. 
--------- Outer Exception Data ---------
Message: Exception has been thrown by the target of an invocation.
Exception root Exception type: System.Reflection.TargetInvocationException
Source: mscorlib
Stack Trace:    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at Microsoft.IdentityManagement.MA.WebServices.Activities.WebServiceCallActivity.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
Target Site: InvokeMethod
 --------- Inner Exception Data ---------
 Message: The HTTP request is unauthorized with client authentication scheme 'Basic'. The authentication header received from the server was 'Negotiate,NTLM'.
 Exception root Exception type: System.ServiceModel.Security.MessageSecurityException
 Source: mscorlib
 Stack Trace: 
Server stack trace: 
   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeEndService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at fvsdu.LemmingWsInterface.Endlogin(IAsyncResult result)
 Target Site: HandleReturnMessage
  --------- Inner Exception Data ---------
  Message: The remote server returned an error: (401) Unauthorized.
  Exception root Exception type: System.Net.WebException
  Source: System
  Stack Trace:    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
  Target Site: EndGetResponse
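Added example, not from the post: how a client should read the 401 in the trace above. The server's WWW-Authenticate header was 'Negotiate,NTLM' while the connector was configured for Basic, so the two sides had no scheme in common. The helper below parses the challenge (quote-aware, skipping auth-params such as realm or nonce), picks the strongest scheme both sides support, and refuses to offer Basic off TLS, since a Basic header is a cleartext password. The header values it is exercised with are constructed samples.

```python
"""Pick an HTTP authentication scheme from a WWW-Authenticate challenge.

Added example: the preference order and the sample header values are constructed.
"""
from typing import List, Optional, Set

PREFERENCE = ["Negotiate", "NTLM", "Digest", "Basic"]   # strongest first


def _split_challenges(value: str) -> List[str]:
    """Split a WWW-Authenticate value on commas that are not inside quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def offered_schemes(www_authenticate: str) -> Set[str]:
    """Scheme names the server offers. A chunk whose first token contains '='
    (e.g. nonce="...") is a parameter of the preceding challenge, not a scheme."""
    schemes = set()
    for chunk in _split_challenges(www_authenticate):
        head = chunk.split(None, 1)[0]
        if "=" in head:
            continue
        schemes.add(head)
    return schemes


def choose_scheme(client_supports: Set[str], www_authenticate: str, tls: bool) -> Optional[str]:
    """Strongest scheme offered by the server and supported by the client, or None.
    Basic is only acceptable over TLS; otherwise the password would go in cleartext."""
    offered = {s.lower() for s in offered_schemes(www_authenticate)}
    client = {s.lower() for s in client_supports}
    for scheme in PREFERENCE:
        key = scheme.lower()
        if key in offered and key in client:
            if key == "basic" and not tls:
                continue
            return scheme
    return None


def explain(client_supports: Set[str], www_authenticate: str, tls: bool) -> str:
    chosen = choose_scheme(client_supports, www_authenticate, tls)
    if chosen is None:
        return (f"no usable scheme: client supports {sorted(client_supports)}, "
                f"server offered '{www_authenticate}'")
    return f"authenticate with {chosen}"


if __name__ == "__main__":
    # The combination from the post: connector limited to Basic/None/Certificate,
    # server answering Negotiate,NTLM.
    print(explain({"Basic", "None", "Certificate"}, "Negotiate,NTLM", tls=True))
    print(explain({"Negotiate", "Basic"}, "Negotiate,NTLM", tls=True))
    print(explain({"Basic"}, 'Basic realm="x"', tls=False))
```

The first call reproduces the situation in the trace: nothing is chosen, which is the right outcome, because retrying with Basic credentials against a server that never offered Basic only exposes the password to whatever terminates the connection.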

Password sync from AD to FIM

Experts,

My requirement is to sync passwords from AD to FIM.

Whenever a user changes his or her network account password (Active Directory password), the same password should get updated in FIM.

Kindly suggest whether FIM supports this and, if yes, please refer me to some resources.

Thanks,
Mann

Unable to see Exchange Tab in configure extension, need to provision user in exchange.


Hi Everyone,

I am facing a weird issue with FIM Sync Server: I am unable to see the Exchange tab. I need to configure Exchange provisioning in my existing project, where we didn't have Exchange provisioning already. But since I am unable to see that tab, I don't think I will be able to do it.


Regards~
Deepak Arora
------------------------------------- 

List of all default MPRs


Experts,
There are many default MPRs available in FIM after installation.

I am not able to find a document listing all the default MPRs.

Please refer me to any such document.

Thanks,
Mann
