Channel: Forum Microsoft Identity Manager

Generic LDAP Connector against Oracle OID using TLS

We are using the new Generic LDAP ECMA2 connector to manage an Oracle OID LDAP directory. We are able to connect and make it work with a simple BIND without SSL or TLS. We need to sync passwords so we need to make it work with TLS. When we choose the TLS option in the Bind setting on the Connectivity property panel the GUI insists that we also provide a certificate. We need to use TLS and authenticate with a DN and password.  We cannot use a certificate to authenticate.  Nevertheless, if we go ahead and provide a certificate and try to connect it times out. With Wireshark we see that 17 packets go back and forth. The second to last packet includes a Microsoft-specific OID value of 1.3.6.1.4.1.1466.20037. This is for an extended LDAP call named LDAP_SERVER_START_TLS_OID that is specific to Windows. We have no reason to believe that the Oracle LDAP system will understand this method of initiating a TLS session.

We know our OID system can handle TLS because we are able to make TLS connections using Softerra’s LDAP Browser and we’ve watched the TLSv1 handshake with Wireshark.

We need documentation that explains how to accomplish a secure session using the Generic LDAP Connector and Oracle OID
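The OID in the capture, 1.3.6.1.4.1.1466.20037, is the StartTLS extended operation defined in RFC 4511 (originally RFC 2830); it is what any LDAPv3 server advertises in its rootDSE supportedExtension list when it accepts TLS on the plain port, and a Windows client is one of many clients that send it. The script below is an added example, not code from the post or from the connector: it encodes the StartTLS ExtendedRequest and decodes the ExtendedResponse by hand so a practitioner can see exactly the bytes Wireshark showed, and `probe_starttls` sends that request over a plain socket to any LDAP server to learn whether the server accepts StartTLS before blaming the connector. The host, port and the assumption that the reply arrives in a single read are mine; the sample replies are constructed.

```python
"""LDAP StartTLS exchange built by hand (RFC 4511 section 4.14), as a probe.

Assumptions (mine, not from the post): the target speaks LDAPv3 on a plain TCP
port and returns the whole ExtendedResponse in one read; the CA that issued its
certificate is in the local trust store (otherwise ssl raises and the probe reports that).
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                53: "unwillingToPerform"}   # the result codes a StartTLS attempt usually sees


def _ber_len(n):
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def build_starttls_request(message_id=1):
    """Client side: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context-specific, primitive
    ext_req = _tlv(0x77, request_name)                        # [APPLICATION 23], constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def build_extended_response(message_id, result_code, diagnostic="", response_name=""):
    """Server side: ExtendedResponse [APPLICATION 24] = LDAPResult + optional responseName [10]."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    if response_name:
        body += _tlv(0x8A, response_name.encode("ascii"))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x78, body))


def parse_extended_response(data):
    """Decode an ExtendedResponse; raises on anything that is not one."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, message_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op, 0)        # resultCode ENUMERATED
    _, matched, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, pos = _read_tlv(op, pos)      # diagnosticMessage
    result = {"message_id": int.from_bytes(message_id, "big"),
              "result_code": int.from_bytes(code, "big"),
              "matched_dn": matched.decode(errors="replace"),
              "diagnostic": diag.decode(errors="replace"),
              "response_name": None}
    while pos < len(op):                   # optional referral [3], responseName [10], responseValue [11]
        tag, value, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            result["response_name"] = value.decode("ascii")
    result["result_name"] = RESULT_NAMES.get(result["result_code"], "other")
    result["ok"] = result["result_code"] == 0
    return result


def probe_starttls(host, port=389, timeout=5.0):
    """Send StartTLS on a plain socket and, if accepted, run the TLS handshake on that same socket."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        result = parse_extended_response(sock.recv(4096))
        if result["ok"]:
            ctx = ssl.create_default_context()   # verifies the server certificate against the local store
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
    return result


if __name__ == "__main__":
    print("request :", build_starttls_request().hex())
    # Constructed server replies: one accepting StartTLS, one refusing it
    for reply in (build_extended_response(1, 0, response_name=STARTTLS_OID),
                  build_extended_response(1, 53, "StartTLS not supported")):
        print("response:", parse_extended_response(reply))
```

If `probe_starttls("oid.example", 389)` comes back with result code 0 and a TLS version, the directory does accept the standard StartTLS operation on the plain port and the timeout lies elsewhere (certificate trust, the bind that follows, or the connector's own settings); a result code 2 or 53 means the server only offers LDAPS on a separate port, which is a different connector option.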

How to query the users that are not registered in the Self Service Password Registration

Hello all,

I am deploying the SSPR, but in this case the user is asking to use only the Web options for registration, so no client agent is going to be deployed in the workstations.

So, in order to know programmatically (VBScript, PowerShell): is there a way to query or to get a list of users that are not registered in the Self Service Password Registration?

Any help is appreciated

Regards

Can a script be 'triggered' when a new object is created in the Metaverse?

Hello,

We are new to FIM 2010 and are thinking of an opportunity where it may help us.

When a new 'production' user is created in a directory, can this event 'trigger' a script which would provision drives for this user?

What we thought here is an MA would run against our production directory.  When a new User account is created, a script would be triggered to provision home drives.

Could this be done using FIM?  If so, can you point me to references to understand how we would implement?


Thanks for your help! SdeDot

How do I setup a small FIM/Active Directory Lab?

Hello,

New to FIM and I want to setup a small lab with just FIM, the Sync Manager, and 1 Active Directory Source MA and 1 Active Directory Target MA.  I want to do this so I can learn FIM better and test specific scenarios.  I would set this up in a VM environment as well.

Any suggestions on step-by-step instructions for this small implementation? I've seen instructions for larger implementations, but I'm looking to build this very small environment just to learn and test.


Thanks for your help! SdeDot

FIM SSPR - Change the sharepoint application pool account to use SPservice

Trying to install FIM 2010 R2 using SharePoint Foundation 2010. The design involves two servers: server1 & server2.

Server1 will host spf 2010, fim portal, fim sync, fim sync services.

Server2 will host registration and reset portals

I have been following this document mostly

http://technet.microsoft.com/en-us/library/hh322882(v=ws.10).aspx

The portion that says "Change the sharepoint application pool account to use CORP\SPservice": as outlined, I went to Configure Service Accounts and then looked at the drop-down list. There is no "Web Application Pool - SharePoint 80".

The install of spf 2010 was a complete one and I chose to create a new farm

Is "Web Application Pool - SharePoint 80" differently named for a complete install in a new farm? If not, what am I missing?

Thanks!

Problem in person view and edit RCDC or service authentication

I am doing some work for a client (on my own time - not STLCC) who has two different FIM Service/Portal sites configured.  On the sync server is a portal addressed by fimadmin.institution.edu and another by fim.institution.edu.  There are actually three servers:  a sync/service/portal server, and two FIM service/portal servers which are behind a load balancer.  Each server has a local hosts file entry pointing to itself for the site/service that it hosts.

On the fimadmin site, the display of user details works fine.  There are additional tabs of user information configured.

On the fim site, the loading of the user details stops with an error and the custom tabs do not appear.  At the bottom of the pop-up in red text:  "There's an error in the Person display configuration.  Please contact your system administrator."  When I turn on debug logging for the portal, I often see the error:  "The address of the security token issuer is not specified. An explicit issuer address must be specified in the binding for target 'http://fim.institution.edu:5725/ResourceManagementService/Enumeration' or the local issuer address must be configured in the credentials."  The two load-balanced servers are where the problem seems to be.  I ruled out a name association problem by putting in a fim.institution.edu entry in local hosts for the sync server (which is normally fimadmin) and it displayed the user detail just fine when accessed locally there.  The two problem servers also have SSL certs applied so that users accessing them can use https://fimadmin.institution.edu to reach the site and protect data, but it also is reachable by http, and this really seems to be a problem in the authentication to the service and not to the web site.

Does anyone have a suggestion as to what might cause that kind of error, or what I could do to try to resolve it?

Thanks!

Chris

FIM GalSync Run Profile, Two-way Synch

Hello, may I ask a few questions please;

  1. What is the Run Profile order for creating contacts with FIM GalSync? What is the best practice on this subject?

  2. For the xyz mailbox at the Contoso forest, the contact will be formed as xyz created at the Nevada forest. I wonder, will this contact be deleted when the mailbox at the Contoso forest is deleted? Or, if any changes are made on the mailbox, is this information updated automatically on the contact in Nevada?

  3. There is a sync as: Contoso Forest, Mailbox --> Nevada Forest, Contact. To do just the opposite of the above, do we need to set up FIM at the Nevada forest?

Thank you in advance.

FIM Portal Self Service User Provision Frequency

Hi All,

I have a question about FIM portal self service. If a user updates their AD attributes (i.e. telephone number) in the portal, how long before it appears in AD? Presumably it's dependent on a management agent run profile? If so, can this be automatically triggered?

On the other hand, I assume automatic triggering in a production environment is a bad idea due to load and frequency?

thanks


FIM Reporting, 3 servers needed?

Hi all,

Very short question. For FIM 2010 R2 reporting you need 2 additional components:

- SCSM Data Warehouse server

- SCSM Management server

I know we can't install SCSM & the Data Warehouse on the same server. Is the following topology supported?

Server1: SCSM Data Warehouse

Server2: FIM Service, Portal and SCSM Management

Or do I need another server (let's say Server3) dedicated for SCSM Management?

Kind regards.


Find me on linkedin: http://nl.linkedin.com/in/tranet

Possible via codeless?

Here is my goal:

1) Read UserA metaverse object to gather the attribute "ManagerEmployeeID".

2) Go to the MV object for the Manager (UserB), grab a stored attribute "SimpleDisplayName"

3) Write this data back into a new attribute within UserA, "ManagerEmployeeID.SimpleDisplayName"

Is this possible with codeless or do I need to work with a Rules Extension?

Thank you,

-Fred

Installing FIM 2010 Add-ins and Extensions via GPO

Hi,

I have been trying to install the FIM Client using Group Policy software installation using the following link : http://social.technet.microsoft.com/wiki/contents/articles/2236.how-to-prepareexecute-installation-of-fim-2010-add-ins-and-extensions-via-gpo.aspx

The crucial section missing on this page is what property to add/modify using Orca so that the install can proceed silently using an MST file which provides the registration_portal_url, RMS_location and addlocal properties for the FIM client install.

If I install the client manually using the following command, msiexec /i "Add-ins and extensions.msi" transforms=client.mst /q, the client install proceeds silently which is what I expect.

The UILevel=2 property is supposed to tell Windows installer to proceed silently as per http://msdn.microsoft.com/en-us/library/aa372096%28v=vs.85%29.aspx, however when I set this property in Orca for the transform file and then I execute the msiexec command, the UI still comes up and prompts me for selecting the different options for installing the client.

Has anybody successfully deployed FIM client through group policy?

Thanks!


When do "CompositeType" Requests get generated vs regular requests?

In the FIM 2010 R2 release notes there is this segment:

FIM Service: New resource type CompositeType may interfere with custom Action workflows
A new resource type CompositeType has been introduced for a Request issued by the Built-in Synchronization Account. It may interfere with any custom Action workflows that parse request targets. To find the actual targets you will need to modify these workflows to parse the Request Parameters of a CompositeType.

How does the FIM Service determine when to perform a CompositeType request versus a regular request? Is this configurable in the FIM web services config file?


I am unable to install FIM synchronization service after uninstalling which evaluation has previously been installed on this server and the expiration period is now expired.

Hi There,

I am unable to install the FIM Synchronization Service after uninstalling an evaluation which had previously been installed on this server and whose expiration period has now expired.

I have uninstalled it properly & deleted the registry entries from the registry, but even so I am unable to install.

I want to install the evaluation version only, because I don't have a licensed version to test, but I am able to install the other FIM server components like FIM Service & Portal, Certificate Management etc.

Please could you help on this.

Thanks very much in Advance.

Thanks

Veerappa


Email Templates localization

Hi,

Is there any elegant way to have localized Email Templates (in multi national environment)?

The Language Pack doesn't help in that case, even in a single language (other than English).


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

lack of details on sharepoint services connector for fim

No information on MA configuration is included.

Forefront Product News (FIM and UAG)

FIM Service and Portal Install - FIM Reporting Service Manager management server name

Trying to install SSPR using 2 servers.

Server1 for fim sync, fim portal, and fim service
Server2 for password registration and reset.

Didn't install System Center as outlined in the test lab.

During the install of the "Service and Portal", it asks for a Management Server name in the "Configure FIM Reporting Service Manager management server connection" option.

What would be my management server in absence of scsm?

Adding attributes to password reset registration

Hi,

 Is it possible, when a user registers for password reset in the portal, to add another field? For example, I have users in AD which also exist in a HR system, but there's no unique key, so I was hoping that I could match the two by asking users to enter their employee ID when they register for password reset.

Is this possible?

Thanks


IT Support/Everything

FIM Portal - FIM service could not be contacted. Please contact your administrator.

Hello,

I have an issue with FIM where I can access the FIM portal in its entirety on the FIM server itself using my domain admin credentials, but if I try to connect in from another server I can get the FIM homepage, but clicking through various menus I receive a "service could not be contacted" error.

I've setup fim as shown below:

http://technet.microsoft.com/en-us/library/ff512685(v=ws.10).aspx


vm-fim08-01 --- fim service + portal (uses SharePoint foundation 2010)
DNS Alias "fimportal" for vm-fim08-01
SharePoint - 80 application account: service.spportal
FIM service account - service.fim

vm-fim-sync -- fim sync service + sql 2008 R2
vm-fim-sql08 -- contains SQL 2008 R2 DB for fim service

SPNs configured as shown below (setspn -l):

service.fim
FIMService/fimportal
FIMService/fimportal.domaina.local
mssqlsvc/vm-fim-sql-01:1433

service.spportal
HTTP/fimportal.domaina.local
HTTP/fimportal

Delegation setup as shown in the pics on the two service accounts only.

http://fimportal/IdentityManagement/default.aspx from the FIM portal server (vm-fim08-01) works OK without a login prompt for full portal access (I don't receive the "service could not be contacted" message). Using the FQDN fimportal.domaina.local from the same server asks for a login prompt this time; I enter my current Windows credentials, get the home page, but I soon receive "The FIM service could not be contacted".

Using a different server with the fqdn I'm prompted for a login (using the alias logs me in immediately). Either way, whenever I use a different server other than the fim portal server I soon receive "The FIM service could not be contacted".

On the fim portal server's application event logs I see

"

The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service."


I'm pretty sure this is down to an authentication failure, but changing delegation settings has not helped (I've tried setting my service accounts and computer accounts to delegate for any service, but it didn't help). I've checked my SPNs, which look right to me. Any advice is much appreciated.

Thanks in advance
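Two of the classic causes of "works on the box, fails from anywhere else" are an SPN registered on more than one account (the KDC then cannot choose a single key for that service and Kerberos fails for every remote client) and an alias registered without its FQDN twin, so that the name a client was addressed by has no matching SPN. As an added example that is not part of the post, the script below parses `setspn -L` listings for the two accounts and reports duplicates, missing entries and unpaired alias/FQDN forms. The listing is constructed to resemble `setspn -L` output using the account and SPN names from the post, with one deliberate duplicate added; the DNS domain and the OU path are assumptions.

```python
"""Consistency checks over `setspn -L` output for the FIM portal and service accounts.

Added example; the listing below is constructed (the extra HTTP/fimportal on
service.fim is deliberate, so the duplicate check fires), not copied from the post.
"""
import re
from collections import defaultdict

SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=service.fim,OU=Service Accounts,DC=domaina,DC=local:
        FIMService/fimportal
        FIMService/fimportal.domaina.local
        HTTP/fimportal
Registered ServicePrincipalNames for CN=service.spportal,OU=Service Accounts,DC=domaina,DC=local:
        HTTP/fimportal.domaina.local
        HTTP/fimportal
"""

# What the post's layout needs: alias and FQDN form of each service, each on exactly one account.
EXPECTED = {
    "service.fim": {"FIMService/fimportal", "FIMService/fimportal.domaina.local"},
    "service.spportal": {"HTTP/fimportal", "HTTP/fimportal.domaina.local"},
}

_HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),", re.IGNORECASE)


def parse_setspn(text):
    """Map account name -> set of SPNs from one or more concatenated `setspn -L` listings."""
    spns = defaultdict(set)
    account = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            account = m.group(1)
            spns[account]          # register the account even if it lists nothing
            continue
        if account is not None and line.strip():
            spns[account].add(line.strip())
    return dict(spns)


def check_spns(spns, expected, dns_domain):
    """Return findings: duplicate SPNs, expected SPNs that are missing, aliases without an FQDN twin."""
    findings = []
    owners = defaultdict(set)
    for account, names in spns.items():
        for spn in names:
            owners[spn.lower()].add(account)   # SPN comparison is case-insensitive
    # The same SPN on two accounts leaves the KDC without a single key for the service.
    for spn, accounts in sorted(owners.items()):
        if len(accounts) > 1:
            findings.append("duplicate: %s registered on %s" % (spn, ", ".join(sorted(accounts))))
    for account, names in expected.items():
        have = {s.lower() for s in spns.get(account, set())}
        for spn in sorted(names):
            if spn.lower() not in have:
                findings.append("missing: %s not on %s" % (spn, account))
    # Clients build the SPN from whichever name they used, alias or FQDN, so both must exist.
    for account, names in sorted(spns.items()):
        lowered = {s.lower() for s in names}
        for spn in sorted(names):
            service, _, host = spn.partition("/")
            if host and "." not in host and ":" not in host:
                fqdn = "%s/%s.%s" % (service, host, dns_domain)
                if fqdn.lower() not in lowered:
                    findings.append("unpaired: %s on %s has no %s" % (spn, account, fqdn))
    return findings


if __name__ == "__main__":
    for finding in check_spns(parse_setspn(SAMPLE_SETSPN), EXPECTED, "domaina.local"):
        print(finding)
```

Run it against real output by concatenating `setspn -L service.fim` and `setspn -L service.spportal` into a file and passing its contents to `parse_setspn`; `setspn -X` performs the forest-wide duplicate search that this script only does for the accounts it is given.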

Moving config from fim 2010 to fim 2010 R2

I am taking an old, stressed install of FIM and planning to move it to a FIM 2010 R2 environment where the database role and the service and portal are built on R2 and are separated as per best practices.

Can I:

Import FIM 2010 MA's , schema and config into the new FIM 2010 R2 environment.

Or

Do I build the new environment to the same spec as the old one, then do the config changeover, then upgrade to R2.

Afterwards, do the discovery imports on the new setup and verify sync.

Is there an easy way to do this :)

I mean, I am unsure the current environment will survive or have enough resources to take the R2 upgrade. I would prefer to build the new setup and get the rules from the old server over.

Thoughts would be greatly appreciated.

Rob


Rob
