Channel: Forum Microsoft Identity Manager

Custom FIM PORTAL to provide Special privilege to a Specific User (e.g. Sub-Administrator) or a Set of Users




If an Organisation wants a User (let's say Paul Walker) to act as a Sub-Administrator, who can see the Security Groups or My SGs or My SGs Membership in its Navigation Resource Bar in the FIM Portal, and the Search Scope as well to view that Data.

Found a Solution.

 

SSPR QA gates - how to force re-register if programmatically registered?


I work in a university environment and I'm working on getting FIM 2010 R2 SSPR set up to allow students and employees to register for and reset their own passwords, replacing an existing 10+ year old system.  I've more or less identified how to pre-register accounts with PowerShell using the same data we currently use for first-time use of accounts.  Currently, first time users are asked for ID # (which they are provided ahead of time), last 4 digits of SSN and date of birth.  My challenge is that I'd like subsequent password resets to use a different set of questions (or at least potentially questions from a larger set than we pre-populated answers for).  Does anybody have thoughts on how this might be accomplished?  I'm open to reasonably secure alternative suggestions as well.

ECMA 2 does not show report statistics (Full Export Profile)


Hi all.

I started following this example:

http://technet.microsoft.com/en-us/library/hh859456%28v=ws.10%29.aspx
and I created a profile as "Full Export Profile", but when I run it the export statistics don't show anything.

Export Statistic

Adds :0

Updates :0

Renames :0

Deletes :0

Delete Adds :0

Here is my code.

I created a class that implements some interfaces as follows:

Public Class EzmaExtension
    Implements IMAExtensible2CallExport, IMAExtensible2CallImport, IMAExtensible2GetCapabilities, IMAExtensible2GetParameters, IMAExtensible2GetSchema

..

and this is the body

Public ReadOnly Property Capabilities As MACapabilities Implements IMAExtensible2GetCapabilities.Capabilities
        Get
            Dim myCapabilities As New MACapabilities()

            myCapabilities.ConcurrentOperation = True
            myCapabilities.ObjectRename = False
            myCapabilities.DeleteAddAsReplace = True
            myCapabilities.DeltaImport = False
            myCapabilities.DistinguishedNameStyle = MADistinguishedNameStyle.None
            myCapabilities.ExportType = MAExportType.AttributeUpdate
            myCapabilities.NoReferenceValuesInFirstExport = False
            myCapabilities.Normalizations = MANormalizations.None
            myCapabilities.FullExport = True
            Return myCapabilities
        End Get
    End Property

Public Function PutExportEntries(csentries As IList(Of CSEntryChange)) As PutExportEntriesResults Implements IMAExtensible2CallExport.PutExportEntries

        Dim exportEntriesResults As New PutExportEntriesResults
        Try

            Dim exportfiles() As String = {"T054.xml", "T100.xml", "T101.xml", "T120.xml"}
            'Dim exportfiles() As String = {"T054.xml", "T100.xml"}

            For Each exportfile As String In exportfiles

                xmlSettings.Encoding = System.Text.Encoding.GetEncoding(&H6FAF)

                m_xmlWriterExport = XmlTextWriter.Create(MAUtils.MAFolder + "\" + exportfile, xmlSettings)
                m_xmlWriterExport.WriteStartElement(Nodes.Root)

                For Each csEntryChange As CSEntryChange In csentries
                    If csEntryChange.ObjectModificationType = ObjectModificationType.Add OrElse csEntryChange.ObjectModificationType = ObjectModificationType.Replace Then
                        m_xmlWriterExport.WriteStartElement(Nodes.Item)

                        Select Case exportfile.ToUpper
                            Case "T054.XML"
                                m_xmlWriterExport.WriteElementString(Nodes.IDTEXT, If((csEntryChange.AttributeChanges.Contains("IDTEXT")), csEntryChange.AttributeChanges("IDTEXT").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.OID, If((csEntryChange.AttributeChanges.Contains("OID")), csEntryChange.AttributeChanges("OID").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.STRPOS, If((csEntryChange.AttributeChanges.Contains("STRPOS")), csEntryChange.AttributeChanges("STRPOS").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.STRPAR, If((csEntryChange.AttributeChanges.Contains("STRPAR")), csEntryChange.AttributeChanges("STRPAR").ValueChanges(0).Value.ToString(), ""))
                            Case "T100.XML"
                                m_xmlWriterExport.WriteElementString(Nodes.PNUMID, csEntryChange.DN.ToString())                               

                                m_xmlWriterExport.WriteElementString(Nodes.EFTERNAMN, If((csEntryChange.AttributeChanges.Contains("EFTERNAMN")), csEntryChange.AttributeChanges("EFTERNAMN").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.FOERNAMN, If((csEntryChange.AttributeChanges.Contains("FOERNAMN")), csEntryChange.AttributeChanges("FOERNAMN").ValueChanges(0).Value.ToString(), ""))
                            Case "T101.XML"
                                m_xmlWriterExport.WriteElementString(Nodes.PNUMID, csEntryChange.DN.ToString())

                                m_xmlWriterExport.WriteElementString(Nodes.ADDRESS1, If((csEntryChange.AttributeChanges.Contains("ADDRESS1")), csEntryChange.AttributeChanges("ADDRESS1").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.POSTNR, If((csEntryChange.AttributeChanges.Contains("POSTNR")), csEntryChange.AttributeChanges("POSTNR").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.POSTADR, If((csEntryChange.AttributeChanges.Contains("POSTADR")), csEntryChange.AttributeChanges("POSTADR").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.TELNR1, If((csEntryChange.AttributeChanges.Contains("TELNR1")), csEntryChange.AttributeChanges("TELNR1").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.MOBIL, If((csEntryChange.AttributeChanges.Contains("MOBIL")), csEntryChange.AttributeChanges("MOBIL").ValueChanges(0).Value.ToString(), ""))

                                'm_xmlWriterExport.WriteElementString(Nodes.ADRART, "") 'csEntryChange.AttributeChanges("ADRART").ValueChanges(0).Value.ToString())
                                m_xmlWriterExport.WriteElementString(Nodes.ADRART, If((csEntryChange.AttributeChanges.Contains("ADRART")), csEntryChange.AttributeChanges("ADRART").ValueChanges(0).Value.ToString(), ""))
                            Case "T120.XML"
                                m_xmlWriterExport.WriteElementString(Nodes.PNUMID, csEntryChange.DN.ToString())

                                m_xmlWriterExport.WriteElementString(Nodes.OID, If((csEntryChange.AttributeChanges.Contains("OID")), csEntryChange.AttributeChanges("OID").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.FTGOID, If((csEntryChange.AttributeChanges.Contains("FTGOID")), csEntryChange.AttributeChanges("FTGOID").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.ANSTDAT, If((csEntryChange.AttributeChanges.Contains("ANSTDAT")), csEntryChange.AttributeChanges("ANSTDAT").ValueChanges(0).Value.ToString(), ""))

                                m_xmlWriterExport.WriteElementString(Nodes.ARBHEL, If((csEntryChange.AttributeChanges.Contains("ARBHEL")), csEntryChange.AttributeChanges("ARBHEL").ValueChanges(0).Value.ToString(), ""))
                        End Select

                        m_xmlWriterExport.WriteEndElement()

                        For Each attributeChange As AttributeChange In csEntryChange.AttributeChanges
                            If Not csEntryChange.ChangedAttributeNames.Contains(attributeChange.Name) Then
                                csEntryChange.ChangedAttributeNames.Add(attributeChange.Name)
                            End If
                        Next

                        Dim csEntryChangeResult As CSEntryChangeResult = csEntryChangeResult.Create(Guid.NewGuid(), csEntryChange.AttributeChanges, MAExportError.Success)

                        exportEntriesResults.CSEntryChangeResults.Add(csEntryChangeResult)
                    End If
                Next
                m_xmlWriterExport.WriteEndElement()

                m_xmlWriterExport.Close()
            Next
        Catch ex As Exception
          
        Finally
            If Not m_xmlWriterExport Is Nothing Then
                m_xmlWriterExport.Close()
            End If
        End Try
        Return exportEntriesResults
    End Function

Public Function GetSchema(configParameters As KeyedCollection(Of String, ConfigParameter)) As Schema Implements IMAExtensible2GetSchema.GetSchema
        Dim personType As Microsoft.MetadirectoryServices.SchemaType = Microsoft.MetadirectoryServices.SchemaType.Create("person", False)

        personType.Attributes.Add(SchemaAttribute.CreateAnchorAttribute("PNUMID", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("IDTEXT", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("OID", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("STRPOS", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("STRPAR", AttributeType.String))

        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("BIRTHDATE", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("EFTERNAMN", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("FOERNAMN", AttributeType.String))

        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("ADDRESS1", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("POSTNR", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("POSTADR", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("TELNR1", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("MOBIL", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("ADRART", AttributeType.String))

        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("FTGOID", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("ANSTDAT", AttributeType.String))
        personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("ARBHEL", AttributeType.String))


        Dim sch As Schema = Schema.Create()
        sch.Types.Add(personType)

        Return sch
    End Function

Structure Nodes

        Public Const Root As String = "root"
        Public Const PartitionDN As String = "partition-dn"
        Public Const FullExport As String = "full-export"
        Public Const Item As String = "item"
        Public Const IDTEXT As String = "IDTEXT"
        Public Const OID As String = "OID"
        Public Const STRPOS As String = "STRPOS"
        Public Const STRPAR As String = "STRPAR"

        Public Const PNUMID As String = "PNUMID"
        Public Const BIRTHDATE As String = "BIRTHDATE"
        Public Const EFTERNAMN As String = "EFTERNAMN"
        Public Const FOERNAMN As String = "FOERNAMN"

        Public Const ADDRESS1 As String = "ADDRESS1"
        Public Const POSTNR As String = "POSTNR"
        Public Const POSTADR As String = "POSTADR"
        Public Const TELNR1 As String = "TELNR1"
        Public Const MOBIL As String = "MOBIL"
        Public Const ADRART As String = "ADRART"

        Public Const FTGOID As String = "FTGOID"
        Public Const ANSTDAT As String = "ANSTDAT"
        Public Const ARBHEL As String = "ARBHEL"
    End Structure

Please help me.

Thanks



Don't sync group members of nested groups...

Hi,

I'm currently working on a project where one of the requirements is the following:

Group Memberships: ignore nested groups, resolve all users in source-groups and add it to imported groups in the destination directory.

I'm not sure if I can accomplish this goal with declarative provisioning or if I have to write a rules extension for this.

Any help appreciated!

Thanks
Christian Schindler

Provisioning Groups into FIM 2010 from oracle database


Greetings,

I am trying to provision security groups from an Oracle database where I have a view that contains:

Department_Code

Department_Name

DepParent_Code

The view has a recursive relation between Department_Code and DepParent_Code (1 to many).

The view will lead to a tree that has departments and sub-departments. I want to provision this data into FIM, then to AD, as security groups reserving the same hierarchy.

Any help would be appreciated.


Mohamad Chahla

ADFS and SSPR FIM2010


Hello 

Is there anyone who has used ADFS for the Self Service Password Registration Portal?

Thanks 

Design advice self service password reset


Hi,

I'm looking at a fim design for around 10,000 users with the following:

1 x sql server for fim portal DB
1 x fim server for fim service + fim portal
1 x fim sync server with sync service + sync DB

I need to incorporate FIM password registration and reset in as well. I'm unsure of whether to add the password reset and registration portal on the same server as the fim service and portal.

My understanding is that the main reason to separate the SSPR from the fim service and portal is due to external access for external users (i.e. security). However what I'm not sure about if external users are not relevant and if I'm to put SSPR and fim portal on the same server, then how should the IIS sites and app pools be configured? Will 3 separate IPs, IIS sites and app pools be required?

Thanks

Read only access in MIIS


Experts,

How to provide read only access in MIIS?

Thanks,
Manohar


Portal customization


Hi,

I have the following usage scenario:

Will have new object type on the portal - let's call it "application".

Such object will have number of other related objects (groups).

User can open such application and see the list of the groups, following the link he can open group (in read only mode).

Customer wants to be able to request to be a member of the group from that level. How to achieve this in an ergonomic way? Any ideas welcome ...


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

FIM 2010 R2 Distribution Groups showing up, but without an email address


I have a FIM 2010 R2 environment (fully patched) that provisions Distribution Groups to AD, and then Exchange 2010 would come along and create an email address for it. Then it would show up in the GAL as expected. Then I added an Exchange 2013 server and removed the Exchange 2010 server. This is where my issue begins. I'm not 100% sure this is or isn't a FIM issue, but everything worked fine until Exchange 2013 entered the picture. FIM still creates the DG as expected in AD and I can even see it in the 2013 ECP, but it never gets an email address. In the top half of this screen shot you can see the "test" group without an email address. The same thing happened to the other two groups. I manually went into them and assigned an address and then they were fine. In the bottom half of the screen shot you can see the PowerShell command to get the DG versions. It looks to me that Exchange 2013 is not assigning an email address because it thinks the DG is too old. Once I manually assign the email address the version jumps up to v14.0.100.0 and I am interested if anyone else has seen this before.

http://social.technet.microsoft.com/Forums/getfile/392034

policy creation request failed in fim 2010


Hi,

I want to create a new MPR in FIM 2010 but I am unable to create a new MPR in the FIM portal and it gives the error:

policy creation request failed. So please provide the solution and why this happens.

Regards

Anil Kumar

Filter on ObjectID using export-fimconfig ?


How can I do an export-fimconfig and get an object based on ObjectId? The below generates a "cannot filter as requested" error, whereas using AccountName does work. I must be missing something simple.

Thanks!

PS C:\> export-fimconfig -uri $URI -onlyBaseResources -customconfig "/Person[ObjectId='d4bdf413-2396-40e0-81ca-5160b1133581']"

export-fimconfig : Failure on making enumeration web service call.
Filter = /Person[ObjectId='d4bdf413-2396-40e0-81ca-5160b1133581']
Error= Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException:cannot filter as requested


Kind regards,
Freek Berson
The Microsoft Platform
Twitter
Linked-in
Wortell company website

Syncing to AD codeless without portal interaction


Hi,

I'm looking at implementing FIM 2010 R2 to sync user information from an Oracle DB to AD. I don't want to use classic rules. I don't have the experience or knowledge of C to code my own DLLs. My understanding is that to do this using declarative rules, I'd need at least 3 MAs and configure them as follows:

Oracle MA - import, sync & export
FIM MA - import, sync & export
AD MA - import, sync & export

In the above scenario all my Oracle user information would be imported into the FIM portal and exported to AD.

Is it possible to simplify the above when using declarative sync rules so that I go directly from the Oracle data source to AD, without using the portal?

Thanks

J

Problem with scheduling ECMA Ver1.1 in build 4.1.3496.0 and build 4.1.3479.0


I tried using PowerShell, VBScript, and C# calls and every time the ECMA is called, the MA run step finishes and never goes to the next run step.

Basically it never returns a run status to whatever calls the schedule and just hangs.

I have several ECMAs and 2 of them behave this way; the others are packaged ECMAs.

All other scheduling with the FIM MA, ADMAs and the packaged ECMAs works fine.

Any ideas? I'm running out of them as I have tried rebuilding the MAs, building packages, rebuilding WMI, doing a rollup update, and nothing works. This also occurs in dev. Any help is appreciated.

Thanks


Joe Stepongzi - Identity Management Consultant ilmXframework.codeplex.com

Replacement for ISA/TMG


Hi,

I'm looking to setup a proxy server in our DMZ for our Outlook Anywhere clients and I noticed that Microsoft doesn't offer any firewall software anymore.  Is there a replacement product for ISA/TMG?


How do I troubleshoot AD LDS performance for userproxy objects? Functional, but LDAP Bind time is extremely high.


We have a Unix-hosted application (Business Objects) which is only able to do simple bind, is hosted internally. It needs to map users and group memberships for both Internal and DMZ, and authenticate users. DMZ trusts Internal, one way, AD LDS on 2008r2, server is in the DMZ (less trusted domain, obviously)

Firewall hole is in place (using 50636 and 50389) to the ADLDS Server from the internal B.O. servers which do ldap/s connections and then a simple bind using the internal LDS userproxy object for the application ID (the only way we could seem to make it work). Because (although it supposedly can chase referrals) the B.O. system was never able to  Directory includes Internal and external users and groups which do not overlap (e.g. external users and groups are all in unique OU's) and are created as UserProxy objects. B.O. allows us to specify specific DN's for searches, which I'm told has been done (I have no access to the Unix systems or the application configuration).

No 'expensive' searches have been revealed by LDAP  Interface Events level 4 or 6, w/ Field Engineering at 5 or any other levels.  DMZ is very small, with only the main Site and a DR site across town. AD LDS servers on subnet defined as main Site and NLTEST confirms they're directed to the two DC's in it.

LDAP bind time when we originally deployed was not noticeably long, and ldp.exe could connect and do searches (Softerra also could). However when we turned it over to developers to begin testing, they found authentications were taking around 30 seconds to complete. About a month later *cough* we were informed there was a problem with logins taking too long.

Now when I go to the perfmon counter for the instance, and find every LDAP metric available is as low as we could possibly hope (e.g. searches log as complete in 0-12ms in the ADAM app log). But LDAP Bind time is off the charts, from 8000-14000ms from the moment we attempt a bind. Even with ldp.exe after connecting (SSL), not doing a query, just a simple bind takes about 10 seconds.

I feel like the only explanation is that the entire directory and every group is enumerated every time we do so. How can I tell? Any suggestions?

Much Obliged,

Trevor.



Become our FIRST Microsoft TechNet FIM Guru of 2014!!


Happy New Year!

Time for a fresh start!

We're looking for the first Gurus of 2014!!

This is your chance to make your mark on the Microsoft developer community.

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.


kerberos-no-logon-server in fim 2010


Hi,

When we run the Export run profile of the ADMA Management Agent, we get the following error:

kerberos-no-logon-server

and all user that provisioned in AD OU in disabled mode and also taking more time for provisioning.

please provide any solution.

Regards

Anil Kumar

Issue with turning Static Groups into Dynamic Groups


Hello All,

     We have 200 static security groups that were sitting in our active directory, one for each department, that have not been updated in a while. I spoke it over with my manager and we decided to convert these static groups into FIM dynamic security groups. I have successfully imported these groups into FIM and am now trying to execute Markus Vilcinskas' "How to Use Powershell to Turn Static Groups into Dynamic Groups" script but am running into an error upon executing the script.

The error I'm receiving is below:

Import-FIMConfig : The URI is not in a recognized format. URI =
At C:\static.ps1:98 char:34
+ $importObject | Import-FIMConfig <<<< -Uri $URI
    + CategoryInfo : InvalidArgument: (:) [Import-FIMConfig], InvalidOperationException
    + FullyQualifiedErrorId : ExportConfig,Microsoft.ResourceManagement.Automation.ImportConfig

I've gone over my csv file and can't seem to find anything wrong with it, but I've included a bit of it just to be on the safe side.

DisplayName	Filter
Alumni Association	/Person[(Department = 'Alumni Association') and (EmployeeStatus = 'Disabled')]
Applied Sciences	/Person[(Department = 'Applied Sciences') and (EmployeeStatus = 'Disabled')]

If anybody has any suggestions, I welcome your assistance.

FIM 2010, Sync, SSPR and Sharepoint


Hi gurus

I have a couple of quick questions. I want to set up FIM sync to synchronize accounts to a webservice. I believe http://www.microsoft.com/en-us/download/details.aspx?id=29943 is the way to do it. However the documentation specifies the use of a wsconfig file to set up the synchronization. My first question is, where do I find the wsconfig file? I want to sync with an external webservice and the developers have provided me with a wsdl file. Can I create a wsconfig file from that? If I don't have a wsconfig file, how can I set up the synchronization?

Also I have set up SSPR on another server. I have certain questions about that too. I have set up the SSPR on a separate server. I have a third party certificate, and when I point my browser to the URL, it gives me HTTP 403 Forbidden error. This is the URL that I specified as the Registration Portal URL and has the certificate associated with. I can go to https://<servername>/IdentityManagement.  I did observe that in the IIS the FIM Password Registration Site is in stopped state. There is another site that is called FIM Password Registration Site_5 and that is started. I don't know how the second site got there. Any ideas as to how to resolve this?

Lastly, I wanted to know that for SSPR, can I use an existing SharePoint installation. MS documentation mentions that it is a pre-req for SSPR. However, if I have an existing SharePoint installation on a different server can I leverage that? Or does the SharePoint installation need to be local?

Any help will be greatly appreciated.

Regards,
