Channel: Forum Microsoft Identity Manager

Sendkeys to convert explicit disconnectors to regulars

I wrote the following shell script to convert hundreds of explicit disconnectors to regular disconnectors. Hopefully it can be used on the Joiner GUI if deleting the connector space is not a viable option, and the number of clicks is annoying. Documentation on sendkeys: http://msdn.microsoft.com/en-us/library/system.windows.forms.sendkeys.send(v=vs.110).aspx

Set WshShell = WScript.CreateObject("WScript.Shell")

WScript.Sleep 3000  ' you have 3 seconds to click on the row below which the loop will run

For i = 1 To 10  ' number of explicit disconnectors that need to be converted to regular
    WshShell.SendKeys "{DOWN}"   ' Down arrow
    WshShell.SendKeys "{ENTER}"  ' Enter
    WshShell.SendKeys "%A"       ' Alt+A
    WshShell.SendKeys "{E}"      ' the letter E
    WshShell.SendKeys "{DOWN}"   ' Down arrow
    WshShell.SendKeys "{ENTER}"  ' Enter
Next


PeopleSoft Web Connector - Failed to Update Discovery

All,

I am trying to use the web connector MA to talk to a PS 9.1 system.  We have created all of the required CI's listed in the web connect PS document.

  1. The PS web service has been published and I can open it in the browser at http://my.ipaddress:8080/PSIGW/PeopleSoftServiceListeningConnector/PSCONNECTORWEBSERVICE.2.wsdl
  2. I tried modifying the defaultPS project template that comes with the web connector tool.  I put in the URL but left everything else the same.
  3. All goes well and I can see the end points and target CI's
  4. However when I press finish I get this after a long pause
  5. I tried enabling logging per this document but nothing is written to the log in the web connector folder or the extensions folder after restarting the web connector tool and even the server.
  6. I enable logging.xml and create a bogus PS web connector agent; it fails - as expected - and does log to the extensions folder.  It fails because the PSconnector project is still pointing at the sample URL in the project.
  7. The URL will not update in the web config project because of the discovery update error.

If anyone has any thoughts on how to resolve this, it would be greatly appreciated!

Cheers!


request postprocessing

Hello,

When I try to update a person, I have my request in postprocessing; there is one WF.

Can I delete all postprocessing workflow instances?

I also have 200 postprocessing requests from the last 15 days.

Why are they not expired?

Any ideas?

Thanks


Password SSPR

Hello

I am trying to make FIM check password history by looking in SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>

but I only found Parameters. Where should I create the key ADMAEnforcePasswordPolicy?

Thanks

FIM R2 training

Please suggest some 3rd-party training offered for FIM, both classroom and online.

ADS MA : the XML exported file (export to log file) doesn't export Distinguished Name in the attribute member for a group

Hello,

I am facing a weird issue during the export of a group to a log file (xml).

I have configured my ADLDS management agent such that the export run profile exports data into an XML file:

Everything is fine in the XML: I see my new accounts and the attributes updated for accounts, but for an unknown reason the group which should contain accounts does not contain the DN values.

It contains the tags <dn-value> and <dn>, but <dn> is empty.

e.g:

<delta operation="update" dn="CN=GroupX,OU=Users,DC=ZZZZ">
 <anchor encoding="base64">XDSQDQDQ</anchor>
 <dn-attr name="member" operation="add" multivalued="true">
  <dn-value>
   <dn/>
  </dn-value>
  <dn-value>
   <dn/>
  </dn-value>
 </dn-attr>

During the export, FIM updates the attribute "member" of the group:

The member attribute seems to be caught by FIM during the synchro profile and export profile but is not translated correctly in the final XML file.

Any ideas?

Thanks for your reply.

Ports required between SSPR server and FIM server?

I'm trying to set up FIM 2010 R2 SSPR for the first time.  We've had FIM running without the password reset for quite a while.  The portal is only used for FIM administration, not by customers ("users").  I'm trying to find docs on what ports need to be open between the SSPR server and the FIM server, and between the customer and the FIM server (assuming just https/443 between customer and SSPR).  I found all kinds of references which seem to assume running the SSPR portal on the same box or in the same network/VLAN as the FIM server.  Does anybody have pointers?  If we have an AD management agent/connector already working on the FIM server (creating accounts, including setting passwords), are there additional ports needed between FIM and AD DCs for SSPR functionality?  If it helps,  I can try and post a diagram (ascii art?) or link to one.

-Robert

Manager Approved AD User account through FIM.....How to do this?

I am new to FIM... please provide the simplest answer.

Any step-by-step guide...

And do I need Exchange Server for that... I just want the communication between FIM & AD.



    FIM 2010, Sharepoint and ADFS

    Hello Gurus

    Firstly, apologies for the long post, but I am at the end of my knowledge in figuring out the following.

    I am having problems with the following solution. I am a newbie to all the technologies and am having no luck in finding the right approach.

    I have an existing ADFS installation which works as a SSO solution for O365 and Azure. 

    I want to host a link on SharePoint, which is internet facing. Users who are internal to the domain click on it and get redirected to a site which needs login. However, because these users are already logged in, they are allowed straight through. Users who are external to the domain also come to the SharePoint site, where they are prompted for login. The external users have accounts created on the AD and will log in with those credentials. When the external users go to the link and click, they are redirected to the same site as internal users. The idea is to allow those users to log in to the site without being prompted for a second time. A separate Forefront Identity Manager Sync service and SSPR will be installed to manage the user passwords.  So far what I have gathered is this:

    1) The sharepoint site needs to be configured to use claims based authentication, for the users to be assigned a unique token, upon login to the sharepoint server which can then be used to identify them at the third party site. Is this true, if Sharepoint is configured with claims based authentication, what sort of claims need to be created? SAML based?

    I will need the FIM sync service to synchronize account details from the customer AD to a webserver at the third party website and the SSPR to manage the password for users both internal and external. The plan is to install them on two separate servers. IMHO, the Microsoft documentation on FIM is hopelessly inadequate and talks about a solution that is very far from any real life scenario. Hence the following questions

    • I haven’t been able to find from anywhere that whether the FIM Synchronization Service can synchronize with a web service through a proxy. The customer allows all their web traffic to go through proxy. Can the FIM Synch Service communicate over a proxy? If so then how will this be configured? That is, will the FIM synch server inherit the IE settings to communicate? Can we explicitly tell the FIM server about the proxy and it tells the proxy to forward the traffic appropriately?
    • The Microsoft documentation mentions the integration of FIM SSPR with SharePoint Services 3.0 but not with SharePoint Server 2010. What are the configuration requirements because they will be different and so will be the pre-requisites.
    • For FIM SSPR and Synch service, it is a requirement to install Microsoft Exchange Server 2010 Management Console. But if the SSPR and the Synch service are installed on two separate systems, then the MC should be installed on one, or both?
    • For SSPR, for external users coming to the portal, is a third party certificate required? Because FIM
    • Do we need to create a mailbox for sending the email if the mail relay does not need authentication? That is on the install screen of SSPR to configure the FIM service account, can I just specify an email address without actually creating the corresponding mailbox in the Exchange server?
    • There is a section in http://technet.microsoft.com/en-us/library/gg637902(v=ws.10).aspx which talks about configuring IIS to use Kerberos Ticket Decryption. Performing this step breaks the IIS. Is this a mandatory requirement or can this step be skipped?
    • Can I synchronize only particular users using FIM sync? The "special" users will have a owner data in their title attribute in AD and will be in OUs with other users.

    Any help will be greatly appreciated.

    Thanks in advance.

      Independent existence of FIM components

      Experts,

      FIM is not one product but a family of products working together.
      I was wondering which components can work individually and what the purpose would be.

      FIM Synch and FIM CM can work independently and the uses are obvious.

      I was wondering what other components can work independently and, if so, what the scenarios/uses for such implementations would be.

      Kindly share your views.

      Thanks,
      Mann

      Microsoft Forefront Identity Manager Portal 3000 Error after update

      We are currently running Microsoft Forefront Identity Manager 2010 R2 with SP1 on a SQL 2012 database. We recently applied the hotfix package KB2814853 for both the portal and the sync service. The updated version of FIM is 4.1.3419.0. The sync service updated without a problem and is working just fine. The password reset portal, however, throws an error; strangely, the account registration page, which is part of the portal product, works great. The error is:

      Error
      An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
      Go to Self-Service Password Reset home page

      Details:
      System.NullReferenceException: Object reference not set to an instance of an object.
         at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.OnInit(EventArgs e)
         at System.Web.UI.Control.InitRecursive(Control namingContainer)
         at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

      The update cannot be uninstalled (no uninstall button in Microsoft update), and it is very confusing. There is very little on Google, does anyone have a suggestion to try before we contact Microsoft Support? Machine is a virtual machine, with plenty of ram and cpu so system reqs aren't the issue. Also uninstalling FIM isn't really an option. Any assistance would be helpful thanks!

      Grandfelt Powershell Management Agent - Import paging

      First off, GREAT add-on for FIM. Been using it for a few days and I already see the flexibility it provides when combined with ability to write into FIM MV. It's going to end up replacing my out-of-band powershell scheduled tasks.

      I have my delta and full imports working great. However, my full import seems to stop at 1000 objects even though I have paging unchecked in the management agent config. 

      Ideas?

      MA connects to o365 and runs a get-recipient to a forest with 20,000 objects.

      -Ken

      Can I tell why a disconnect is occurring?

      Is there a way to programmatically detect why a connector is being disconnected?  Specifically, can I tell if it is because the actual connected data source has been deleted, versus a disconnection that is being done manually (as through the joiner)?

      Thanks.


      Ed Bell - Specialist, Network Services, Convergys


      grammar check

      You have "this this" in the article when it should read "to this".

      How to restore ILM and bring back to normal state?

      Hi,

      I am facing a situation with ILM/FIM. I have a source AD LDS and a target AD (new, different forest). Any changes in the source will be updated to the target AD; the anchor value is the unique empid and the deprovision rule in the target is set to "make them disconnector".

      Now, the scenario is that someone mistakenly deleted around 100 ADLDS users and it got updated in ILM. As per the MV rule, the MV objects got deleted and the target CS objects became disconnectors. Since that user got the deleted user list and other details, he recreated those 100 users on the ADLDS, and we don't have a backup of the ADLDS db.

      What would be the right way to link these newly created objects with the target CS disconnectors?

      Thanks

      Prani.


      Thanks, Preni.

      Portal setup problem

      Hi FIMsters 

      I'm trying to deploy FIM portal (separate from service) something I've done many times but this time of course it fails ... anyone had something like this:

      (...) 

      SI (s) (80:5C) [16:43:14:272]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIDF91.tmp, Entrypoint: CAQuietExec
      CAQuietExec:  Microsoft.IdentityManagement.SolutionPackUtility.exe will deploy and/or retract the FIM solution packs. This operation may take long time in a SharePoint farm environment. 
      CAQuietExec:  Executing all administrative timer jobs in preparation for FIM solution pack deployment.
      CAQuietExec:  An exception occurred while deploying/retracting FIM Portal solution packs. Exception : Exception has been thrown by the target of an invocation.
      CAQuietExec:  Error 0xfffffff9: Command line returned an error.
      CAQuietExec:  Error 0xfffffff9: CAQuietExec Failed
      CustomAction InstallCommonPortal returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
      12/08/2013 16:43:17.782 [2944]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 398

      12/08/2013 16:43:17.782 [2944]: Detailed info about C:\Windows\assembly\tmp\BBU39QJN\Microsoft.ResourceManagement.WorkflowContract.dll

      12/08/2013 16:43:17.798 [2944]: File attributes: 00000080

      12/08/2013 16:43:17.845 [2944]: Restart Manager Info: 1 entries

      (...)

      And managed to solve it? It looks like it fails with access denied on assembly registration ... trying all things and no luck so far. 


      Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

      Configure Exchange Without Re-Installation

      Hi Everyone,

      I need to configure Exchange Provisioning from FIM 2010; it was not configured during FIM setup as there was no requirement.  FIM is already in production and we don't want to repair or re-install. Please suggest how we can configure Exchange without it, and where and how we have to add the configuration details.

      Please guide me to the configuration file where I need to specify the Exchange details.


      Regards~
      Deepak Arora
      -------------------------------------
      If you Find the Answer | Article | Blog Helpful Please Vote As Helpful / Mark As Answer

      svc-fimma managed by FIM

      I have a couple of questions

      a) Can we have FIM managing all the FIM service accounts in AD (like how it manages the regular user accounts)? If not, what are the service accounts we should not have in the portal?

      b) I had the service accounts managed by FIM. When FIMMA FS ran, svc-fimma is throwing an error saying the accounts already exist in the AD management agent. Can someone tell me why this is occurring?


      LDAP Management Agent - Export Decimal values..

      Hello All,

      I have an LDAP Management Agent [Oracle (previously Sun) directory servers] in my FIM 2010 R2 setup.

      We have an attribute in LDAP which has decimal values, for example (1.5, 2.5, 3.5) etc.
      How can I export the value to LDAP from the metaverse? I don't seem to find an option to specify the format to export as a decimal value.

      If I try to export it as IntegerValue, it fails with the below error: (csentry["managerlevel"].IntegerValue = mventry["managerlevel"].IntegerValue);

      System.InvalidOperationException: Microsoft.MetadirectoryServices.IMASynchronization.MapAttributesForExport property can only be used on a integer attribute
