Channel: Forum Microsoft Identity Manager

FIM Sync Process - how to determine which items have been deleted


Hi,

I have a scenario where I’m using a CSV file to update AD from an external authoritative data source (no changes will be made in the portal or AD – similar to http://technet.microsoft.com/en-us/library/ee534908(v=ws.10).aspx). Currently I have it working, but I’m not sure if my setup is optimal. I have the following Management agents:

File MA, FIM MA, AD MA

For my scenario, I run the following run profiles in sequence to load users from my CSV to FIM and to AD:

File Import- full import & delta sync
FIM MA – export, delta import & delta sync
AD MA – export & delta import

This seems to work, but I’m not sure if this is the best way to do it.

Is there a way to find out which objects have been deleted during the synchronization process? If I click on the deleted connections I can tell an object has been deleted and the numbers are consistent with what I expect, however it would be useful to know which objects have been deleted.

Thanks


Locked out of fim portal - the requester's identity was not found


I'm not sure how I've done this, but I've managed to lock my domain admin account out of the FIM portal.

I'm syncing from an authoritative data source to my AD target domain. I don't actually need to access users in the FIM portal and users do not need portal access. I simply need to upload my data source users into my target OU.

After completing several run profiles, I've run into an issue where my domain admin account can't log on to:

http://fimserver/IdentityManagement/Default.aspx

I'm greeted with the message "Unable to process your request - the requester's identity was not found"

I don't actually need my domain admin account to be in the portal (I'm not sure if it ever was tbh), but I do need it to have access to the portal for the purpose of editing sync rules.

How can I give my domain admin account access to the portal? I still have portal access via the installation service account.

I did see one answer online which suggests editing the underlying SQL database, but this is something I'd much rather avoid.

Thanks

Change accountName regex


My client uses numerals and hyphens when provisioning resource accounts. When doing this in FIM the accounts are never added to the sync rule because the regex pattern for accountname in the portal does not include the number zero or a hyphen.

So the account ends up in the metaverse but never makes it into the connected data source.

How can I change the regex for the attribute accountname? Or do I really need to tell my customer that they need to change their business process to accommodate a technology?

Brief description about FIM 2010 R2 and ADFS on windows server 2012


Hello Everyone

We have multiple domains in our company, and now we want to synchronize all domains' Active Directory users or groups onto one domain.

I searched a little bit about FIM and found out that using FIM we can sync Active Directories of multiple domains or systems.

Can anyone please help me to understand how this process works in brief?

I appreciate your help


FIM 2010 R2 - Can't Open Registration or Reset Portal from Client


Hello Everyone,

I'm having an issue trying to open the Registration and Reset Portals. They were working fine, but now they time out when I try to access them from a client; on the server they work fine with the same user. I've reviewed the firewall and all the ports regarding FIM are open (5725, 5526 and Portals).

FIM Services are up and I've reset the FIM Services.

On the client, the error in Event Viewer:

mscorlib: System.ServiceModel.EndpointNotFoundException: Could not connect to http://FIMPORTAL:5725/ResourceManagementService/MEX. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.30.2.31:5725. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

Will appreciate the help on this, regards

Unable to adjust precedence on Synchronization Rule


When I try to increase the precedence on a synchronization rule, I get:

Log Name:      Forefront Identity Manager
Source:        Microsoft.ResourceManagement
Date:          5/30/2013 9:01:09 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIM02.nauplius.local
Description:
Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Correlation Identifier: 47e3597b-5aae-49d7-b866-18a4d428317a
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.ResourceManagement.ActionProcessor.SyncRuleActionProcessor.AdjustPrecedence(Dictionary`2 syncRuleDictionary, Guid currentSyncRuleId, Int32 newPrecedence, Dictionary`2& updateParameterDict)
   at Microsoft.ResourceManagement.ActionProcessor.SyncRuleActionProcessor.PreProcessUpdateRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.DoRequestCreationPreProcessByObjectType(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
   --- End of inner exception stack trace ---

Ideas on how to resolve this?  I'm trying to move a rule from "1" to "2".  I have 2 sync rules (one inbound, the other outbound) that cover the same attributes, but with different types of MAs.


SharePoint - Nauplius Applications
Microsoft SharePoint Server MVP
MCITP: SharePoint Administrator 2010

-----------------------
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Full synchronization should be run periodically?


We use MIIS for galsync.

We run Delta import and Delta sync daily and Full import and Delta sync weekly.

I wondered whether we should run Full import and Full sync weekly.

Should full synchronization be run periodically?

Which version and edition of Visual Studio are usable to develop FIM2010 rule extensions?


Which version and edition of Visual Studio are usable to develop FIM2010 rule extensions?


SSPR - Wrong user detected


Hi, I have a weird issue going on in my FIM 2010 R2 - SP1 lab.  To be honest, I don't really know how long this has been going on.  The workstation I use the most is a Win8 machine (physical), so up until SP1 came out I have not had the SSPR add-in installed and didn't notice any SSPR registration issues for my non-privileged account.  The other workstations are Win7 machines (physical) and I haven't logged on to them in quite some time using my non-privileged account.

Since this is a "lab" environment all FIM functions are installed on the same VM (2008 R2).  Currently, I am only doing DG provisioning to AD (2012) and SSPR - nothing elaborate.

Anyway, my issue is this.  When I log on to my Win8 machine with my non-privileged account the SSPR wizard pops up in IE as it should the first time.  I hit the Next button and the domain account shown is "DOMAIN\FIM-Admin" and not my domain account (yes I am logged on as my non-privileged domain account).  However, if I log on to the same Win8 machine as any other non-privileged account SSPR works perfectly.

It appears that somehow, FIM thinks my non-privileged account is the FIM-Admin account.  Is it possible that maybe some sort of ObjectID mapping went wrong in FIM ?!?

Schema - Is "&" not accepted in indexed string

I have "&" in the displayname of a reference type and a workflow copies that displayname to an indexed string attribute. RCDC is throwing an error. Is '&' not accepted in indexed string? Thanks!

PowerShell Management Agent set Anchor during Export


Hi all

I'm using the PowerShell Management Agent to provision users to a target system. The target system will generate the anchor (Id) during the provisioning.

I can't find out how to set the anchor (Id) during the execution of the export script.

I already tried something like $_.Id = $newID but that isn't working.

Anyone got an idea?


Fim - Managing Group Membership in the User-RCDC in the portal


Hi guys,

Our client would like to be able to manage the group memberships of each user via the user view in the portal. The goal is to have something like a listview with checkboxes for every entry, listing all the available groups and being able to add or remove a group membership by changing the corresponding checkbox.

Well, I'm a little lost here. I've found some tutorials that describe how to add a new tab to the user RCDC, that lists all the groups the user is a member of. But as I said, I need to take it some steps further.

My idea is to add a "memberOf" attribute to the person object in the MV and then use a request based workflow, that gets triggered when the "memberOf" attribute changes and then adjusts the group memberships accordingly.

Would that approach be valid (i.e. could it work) or are there better (easier) ways to achieve that?

If that's the way to go, I would be interested in how you guys would try to get the "memberOf" AD-attribute imported to the MV. I was trying to use an LDIF-MA but it doesn't work yet.

Any help would be very appreciated. Thx

type of group is changing automatically


Hi

I have created a criteria based group in FIM, but it is changing to manual after some time automatically. Please help.

Regards

Saurabh Bangar

Launching external web page as a pop-up from FIM Portal Navigation Bar and Home Page


I would like to be able to access a web page that is external to FIM (e.g., www.microsoft.com vs. the “My Profile” page) from the Navigation Bar and the Home Page…as a pop-up window. I can currently navigate to an external page via both the Navigation Bar and the Home Page by specifying the Navigation URL in either location, but I’ve not been able to accomplish this as a pop-up.

I have been able to successfully pop-up a custom resource form from the Navigation Bar. For example, I created a new resource called “Position”.  I can pop-up the CREATE form from the Navigation Bar for this new resource by specifying the Display Name in the Navigation Bar configuration as follows (see picture below):

 

<a href=# onclick=javascript:PopupPage('/identitymanagement/aspx/customized/CreateCustomizedObject.aspx?type=PositionDefinition');>Create a new Position</a>

I can also successfully pop-up the same custom form from the Home Page by specifying the following as the Navigation URL:

javascript:PopupPage("/identitymanagement/aspx/customized/CreateCustomizedObject.aspx?type=PositionDefinition");

I tried to pop-up an external page (e.g., www.microsoft.com) on the Navigation Bar and the Home Page using these same approaches, but it doesn’t work. I can pop-up an external page from the “User” create/edit/view forms using the following XML:

      <my:Control my:Name="ApplicationCredentialPage" my:TypeName="UocHyperLink" my:Caption="Application Credential Store Manager" my:Description="">
        <my:Properties>
          <my:Property my:Name="NavigateUrl" my:Value="https://sts.ngdev.net/csm/OtherDomains.aspx"/>
          <my:Property my:Name="Text" my:Value="https://sts.ngdev.net/csm/OtherDomains.aspx"/>
        </my:Properties>
      </my:Control>

Ultimately, however, I would like to be able to pop-up an external page from the Navigation Bar and Home Page. Is there a way to do this?

Note that the pop-ups occur in two ways:

  1. With the XML approach on the “User” form, the pop-up window opens as a new window that I can then iconify without losing access to my FIM Portal window.
  2. The pop-ups that I did from the Navigation Bar and Home Page for the “Create a new Position” customized resource page cannot be iconified; the underlying access to FIM Portal is locked until the user submits or cancels from the pop-up window.

I would be interested in being able to pop-up an external page from the Navigation Bar and Home Page in either of these 2 ways. Thanks so much for your help!


Ramona Balke

[Troubleshooting] Refresh Schema on FIM MA fails: Event ID 6331:


[Troubleshooting] BHOLD SP1 - Users are getting added to other user's personal roles:

[Troubleshooting] FIM Reporting - A Transport-level error has occurred during Initial Sync:

[Troubleshooting] FIM Reporting Installation using System Center Service Manager 2012 Sp1:

FIM Group Creations issue.


We have created Subscribers Groups. We did member Selection as Criteria-based; however, after some time (maybe after 2 minutes+), if we check the Property of the same group, it has automatically changed to Manual.

So please suggest.

Thanks

Vinayak

FIM 2010 Baseline Configuration Analyzer

Does anyone know how to analyse the FIM Service Database and FIM Sync Service Database when they are running on a SQL cluster?