Channel: Forum Microsoft Identity Manager

FIM EMAIL NOTIFICATION:

I have set an Email Notification to a number of Users. After sending it to a few users I realised that my Email notification Body is not correct (as per the client); though I have changed it, it is STILL sending the previous Email notification..... Any suggestion or link?

FIM Load Balancing and SPN's - Strange behaviour


I have a FIM setup in a domain

I have mycorp.com and a domain in the same forest contractor.mycorp.com (fictional setup)

I have 2 servers built in the contractors.mycorp.com domain

  • Id1
  • Id2

Id1 has the Service and portal on wss3 in SharePoint farm mode, Sp central admin is on this as well

Id2 has the service and is a load balanced SharePoint farm.

I have NLB setup and working the service name is identity.mycorp.com pointing at the IP of the NLB

I have a CNAME identity pointing at identity.mycorp.com

Identity.mycorp.com is used as the name of the Service and the Portal.

In the ApplicationHost.config I have

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

I have kernel mode enabled, and I have Windows authentication enabled in the IIS console on id1 and id2.

The app pool credentials are a domain account SPService for SharePoint Service; the app pool is set on both id1 and id2 servers. The root domain account mycorp\SPService is used.

In

c:\inetpub\wwwroot\wss\VirtualDirectories

I have set

<resourceManagementClient requireKerberos="true"

I have registered the alternate URL mappings for SharePoint as

  • Identity
  • Identity.myCorp.com

I have registered SPN's for

  • Setspn -S FIMService/identity.myCorp.com myCorp\FIMService
  • Setspn -S FIMService/identity myCorp\FIMService
  • Setspn -S HTTP/identity.myCorp.com myCorp\SPService
  • Setspn -S HTTP/identity myCorp\SPService

I have configured delegation for both accounts in ADUC for the identity.mycorp.com

So all is well and I installed everything fine.

Now my problem is that if I go to id1 and browse to http://identity/identitymanagement I get redirected, and authenticated with my admin account, to http://id1/IdentityManagement/default.aspx

On id1 if I go to http://identity.myCorp.com/identitymanagement I get prompted for credentials; when I enter myCorp\FIMAdmin and my password I get redirected to the portal at http://id1/IdentityManagement/default.aspx

If I try and authenticate to any of the previous URL's from other machines in my domain, including the load balanced box id2 I get "HTTP Error 401. The requested resource requires user authentication."

Even if I try and browse to http://id1/identitymanagement from another machine I am getting 401. Only on http://id1 am I getting a result, even if there is a prompt.

I am sure my SPN's are fine, there are no duplicate SPN's , I checked with the -x switch

So my load balanced portal and service are not working as I would have thought , I have looked at

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

http://social.technet.microsoft.com/Forums/en-US/484faae8-4df6-4b81-8b2d-9d75d5258e4f/fim-portal-http-error-401-the-requested-resource-requires-user-authentication?forum=ilm2

http://social.technet.microsoft.com/wiki/contents/articles/4473.fim-http-error-401-the-requested-resource-requires-user-authentication.aspx

http://setspn.blogspot.ie/2010/06/kerberos-basic-troubleshooting-tip-3.html

The only thing that I can think of is that the machine is in the contractors.myCorp.com domain which makes the machine unique from where the SPN's are registered, but if that was the case then browsing to the portal from http://id1 would certainly fail.

Can anyone see anything wrong with my approach ?

Normally I find SharePoint a pain, but this week it seems to be this.

When I ran the fim service install I specified identity.myCorp.com as the name of the server


Rob
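An added check script, not part of Rob's post, that verifies the SPN set described above from a defender's side: each expected SPN must resolve to exactly one account, and that account must be the one it was registered for. It assumes the RSAT ActiveDirectory module; the SPN and account names are the ones from the post, and it searches the global catalog so a duplicate registered in the other domain of the forest is caught too.

```powershell
# Added example (not from the original post). Verifies that each SPN the post registers
# is held by exactly the expected account and by no other object anywhere in the forest.
# A duplicate or mis-assigned SPN is one cause of Kerberos failing back to a 401 on a
# load-balanced FIM portal. Assumes RSAT's ActiveDirectory module is installed.
Import-Module ActiveDirectory

# SPN -> sAMAccountName that should hold it, taken from the post.
$ExpectedSpns = @{
    'HTTP/identity.mycorp.com'       = 'SPService'
    'HTTP/identity'                  = 'SPService'
    'FIMService/identity.mycorp.com' = 'FIMService'
    'FIMService/identity'            = 'FIMService'
}

function Test-FimSpn {
    param([hashtable]$Expected)

    # Query a global catalog (port 3268) with an empty search base so that every
    # domain in the forest is searched; SPNs must be unique forest-wide.
    $gc = '{0}:3268' -f (Get-ADForest).RootDomain
    $problems = @()

    foreach ($spn in $Expected.Keys) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                        -Server $gc -SearchBase '' -Properties sAMAccountName)

        if ($holders.Count -eq 0) {
            $problems += "$spn is not registered on any account"
        }
        elseif ($holders.Count -gt 1) {
            # Duplicate SPN: the KDC cannot pick a principal, so Kerberos fails.
            $names = ($holders | ForEach-Object { $_.sAMAccountName }) -join ', '
            $problems += "$spn is duplicated on: $names"
        }
        elseif ($holders[0].sAMAccountName -ne $Expected[$spn]) {
            $problems += "$spn is held by $($holders[0].sAMAccountName), expected $($Expected[$spn])"
        }
    }
    return $problems
}

$result = Test-FimSpn -Expected $ExpectedSpns
if ($result.Count -eq 0) { 'All expected SPNs are registered once, on the expected accounts.' }
else { $result | ForEach-Object { "PROBLEM: $_" } }
```

Run it from a domain-joined machine as a user that can read the global catalog; it reports only, changing nothing.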



FIM password reset through token


Experts,

I am working on FIM design.

Through documentation I see that FIM has capability to reset user password by providing challenge questions and answers.

My requirement is that the same can be done by providing some kind of soft token information.

The user just provides a soft token and FIM either allows the user to reset the password or sends the password to their mobile.

Any suggestion please.

Thanks,
Mann

AD conflict object in FIM


I have a FIM instance that's synchronizing an AD domain to an AD LDS instance.

Some time ago, a conflict occurred in AD (there was a group with a "CNF" in the name followed by a GUID). The conflict object was removed from AD, but for some reason it remained in FIM, and it's causing errors when FIM tries to export it to AD LDS.

Full import / synch operations did not solve the problem either.

Any suggestions?

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm

Unable to delete User object in FIM Portal - Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition"


Hi,

***Problem

I encounter a problem with FIM (version 4.1.3441.0 and 4.1.3496.0) when I try to delete a User object (and only a User object), whether it is done manually, by Expiration Workflow or by PowerShell.

Deleting a User object used to be perfectly functional and, without any product version modification, stopped working. I have neither deleted/modified nor added a "Grant" MPR or any of the corresponding Sets since the last time I saw it working.

Displayed error is "Request could not be dispatched" in FIM Portal and is referencing a stored procedure in Event Viewer.

 

***Error details

When I try to delete a User object, here is the output :

  • Portal
    • "Processing error" on submit
      • with the following details 

    • Request status is stuck at "Validating" until next restart of FIM Service (after what it becomes “Canceled”)
    • Request’s “Applied Policy” tab does not contain any MPR where, at least, a “Grant” MPR is expected
      • As SQL Timeout is relatively high and error happens quickly, I don’t think there is a Timeout problem under that.


  • Logs
  • « Application »
    • The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.

 

  •  « Forefront Identity Manager »
    • Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1088, Level 16, State 12, Procedure CalculateRequestSetTransitionsAssembleStatements, Line 332, Message: Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition" because it does not exist or you do not have permissions.

Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.

 

  • Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1088, Level 16, State 12, Procedure CalculateRequestSetTransitionsAssembleStatements, Line 332, Message: Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition" because it does not exist or you do not have permissions.

Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.

   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)

   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)

   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)

   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)

   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)

   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)

   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()

   at Microsoft.ResourceManagement.Data.DataAccess.UpdateRequest(RequestType request, IEnumerable`1 updates)

   --- End of inner exception stack trace ---

 

  • Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4

Correlation Identifier: e7209633-46d0-4f4b-a59e-807649ef71ea

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.InvalidCastException: Specified cast is not valid.

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)

   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Delete(Message request)

   --- End of inner exception stack trace ---

 

For information, a maintenance plan rebuilds/reorganizes indexes daily, and this problem has occurred on servers with different performance.

Has any of you already encountered this problem?

Any help would be greatly appreciated,

 

Thanks in advance for your help,

Matthew

eDirectory 8.8 SP7

I have a customer currently using LDSU utility to sync between eDirectory and FIM via AD LDS. We are evaluating if we can get rid of the AD LDS / LDSU and directly sync between eDirectory and FIM using the eDirectory MA. The eDirectory version in place is 8.8 SP7. Is anybody aware of any issues/challenges using eDirectory MA with that version?

Enrolling software certificates with Enrollment agent on FIM2010 R2


Hi!

Currently we are using FIM2010 R2 for smartcard management, but would like to use it for software certificates as well:

Current smart card enrollment workflow is as follows:

Self service enabled: false

Enrollment agent enabled: true

Number of approvals: 1

and everything works as expected - smartcard is enrolled with target user's Subject and SAN and is assigned to correct user.

I wanted to use a similar workflow with the same settings specified above for enrolling software certificates, but the thing is:

The enrolled certificate is assigned to the target user, but it is enrolled with the enrollment agent's Subject and SAN.

How can I get software certificate enrollment working like it does with smart cards(i.e. certificate contains target user's Subject and SAN instead of enrollment agent's)?

regards,

Arnis

Oracle Imported Groups not Exporting to FIM Portal


I am trying to import data from an Oracle view into FIM as security groups.

After running an Import on the Oracle MA, then a Sync, then an Export on the FIM MA, I have the below screen but no Security Groups are displayed in the FIM Portal.


and here are my IAFs


Mohamad Chahla




Not able to GET_SCHEMA from MYSQL using mysql_ecma2.dll while creating MYSQL_ECMA


I have made a MYSQL_ECMA.dll (using sql_ecma.dll) but when I create that ECMA it is unable to get the schema from MySQL.

Database=test

table=HR

        // Namespaces the snippet depends on (added so it compiles on its own).
        using System.Data;
        using System.Collections.ObjectModel;
        using Microsoft.MetadirectoryServices;
        using MySql.Data.MySqlClient;

        // Connection settings read from the MA configuration page.
        private string myServer, myDB, myTable;

        public Schema GetSchema(KeyedCollection<string, ConfigParameter> configParameters)
        {
            SchemaType personType = SchemaType.Create("Person", false);

            myServer = configParameters["Server"].Value;
            myDB = configParameters["Database"].Value;
            myTable = configParameters["Table"].Value;

            DataSet myData = this.MYSQLSchema(myServer, myDB, myTable);
            DataTable columns = myData.Tables["Columns"];

            // One string attribute per column; EmployeeID becomes the anchor.
            // If the table has no EmployeeID column the type ends up without an anchor,
            // which the sync engine will reject when the schema is applied.
            foreach (DataRow row in columns.Rows)
            {
                string myattrib = row[0].ToString().Trim();

                if (myattrib == "EmployeeID")
                {
                    personType.Attributes.Add(SchemaAttribute.CreateAnchorAttribute(myattrib, AttributeType.String));
                }
                else
                {
                    personType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute(myattrib, AttributeType.String));
                }
            }

            Schema schema = Schema.Create();
            schema.Types.Add(personType);

            return schema;
        }

        public DataSet MYSQLSchema(string server, string database, string table)
        {
            // Connection string as posted; "Integrated Security" only works if the MySQL
            // server has the Windows authentication plugin, otherwise supply Uid/Pwd.
            string myconnectionc = "Server='" + server + "';Initial Catalog='" + database + "';Integrated Security=True";
            DataSet dac = new DataSet();

            using (MySqlConnection conc = new MySqlConnection(myconnectionc))
            using (MySqlCommand cmdc = conc.CreateCommand())
            {
                cmdc.CommandType = CommandType.Text;
                // INFORMATION_SCHEMA.COLUMNS lists every database on the server, so filter
                // on TABLE_SCHEMA as well as TABLE_NAME or a same-named table in another
                // database pollutes (or replaces) the column list. Parameters keep the
                // configured names out of the query text.
                cmdc.CommandText = "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS "
                                 + "WHERE TABLE_SCHEMA = @db AND TABLE_NAME = @table ORDER BY ORDINAL_POSITION";
                cmdc.Parameters.AddWithValue("@db", database);
                cmdc.Parameters.AddWithValue("@table", table);

                using (MySqlDataAdapter adapter = new MySqlDataAdapter(cmdc))
                {
                    adapter.Fill(dac, "Columns");
                }
            }

            return dac;
        }




FIM Error


Hello

I have this error in the event viewer:

HRESULT: '0x80004001' Source: 'd:\bt\5414\private\source\miis\cntrler\cntrler.cpp(2718)'  Thread ID: '0x1ec0' Additional Info: ''
HRESULT: '0x80070002' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(114)'  Thread ID: '0x1ec0' Additional Info: ''
HRESULT: '0x80070002' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(59)'  Thread ID: '0x1ec0' Additional Info: 'Win32 API failure: 2
HRESULT: '0x0' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(58)'  Thread ID: '0x1ec0' Additional Info: 'Failed getting registry value 'ADMAUseLVR', 0x2
HRESULT: '0x0' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(58)'  Thread ID: '0x1ec0' Additional Info: 'Failed getting registry value 'ADMAUseACLSecurity', 0x2
HRESULT: '0x80230404' Source: 'd:\bt\5414\private\source\miis\server\sqlstore\csobj.cpp(8241)'  Thread ID: '0x1ec0' Additional Info: ''
HRESULT: '0x80070057' Source: 'd:\bt\5414\private\source\miis\shared\ldaputils\session.cpp(4771)'  Thread ID: '0x1ec0' Additional Info: ''
HRESULT: '0x0' Source: 'd:\bt\5414\private\source\miis\shared\ldaputils\session.cpp(2227)'  Thread ID: '0x1ec0' Additional Info: ''
HRESULT: '0x80070005' Source: 'd:\bt\5414\private\source\miis\shared\ldaputils\session.cpp(4771)'  Thread ID: '0x1ec0' Additional Info: ''

Any idea?

Thanks

User Self Registration


Hi,

Would FIM allow an external person to go to a URL and create a user on their own? If not, are there any add-ons that do this?

Group Owner unable to see members


Hello All,

    I posted this question a while back but never got an answer, so I thought I'd repost it. I've run into an issue where, when a security group owner logs into the FIM portal, they see the groups they are managing but are unable to see the list of members of the group. However, when I log in as a FIM administrator and look at the same group, I see all members. How do I allow the group owner to manage his own group by granting him access to read the membership? Is there a specific Search Scope or MPR that needs to be enabled besides the following?

MPR's that are enabled
Security group management: Owners can read selected attributes of group resources 
Security group management: Owners can update and delete groups they own 


Navigation Bar Resources that are enabled as BasicUI
Security Groups (SG's)
My SGs
My SG Memberships

Home Page Resources that are enabled as BasicUI
Security Groups (SG's)
My SGs
My SG Memberships

Search Scopes that have BasicUI
My Security Groups
My SG Memberships



Do we need projection rule to create object in CS?


Experts,

I understand that if we want to create an object in the Metaverse during sync from the CS, a projection rule is required.

However, what is the case during data flow from the Metaverse to the CS? If I just define a join rule, will the object get created in the CS (if the object is present in the Metaverse), or do I need to create a projection rule?

Kindly suggest; I don't have hands-on experience with FIM.

Thanks,
Mann

Error when reading a RCDC (permission issue)


Hello,

I have created an MPR to grant a specific set (set 1) of users the right to read some attributes (DisplayName) of a specific set of objects (set 2).
For your information, this set in fact contains all objects of a custom type.

I have created an RCDC for viewing this object.
Initially the XML template of this RCDC contains only a control for the DisplayName attribute.

<my:Control my:Name="DisplayName" my:TypeName="UocLabel" my:Caption="{Binding Source=schema, Path=DisplayName.DisplayName}" my:Description="{Binding Source=schema, Path=DisplayName.Description}" my:RightsLevel="{Binding Source=rights, Path=DisplayName}"><my:Properties><my:Property my:Name="Text" my:Value="{Binding Source=object, Path=DisplayName, Mode=OneWay}" /></my:Properties></my:Control>


When I try to read the object with a user belonging to set 1, I get the error below. However, if I modify my MPR to grant rights on all attributes, I am able to read the RCDC. This is why I think the error is related to a permission issue.

Error page on the FIM web portal:
Unable to process your request.  
Please contact your help desk or system administrator. 
> Go to Forefront Identity Manager home page 

More information on the error in the Windows Event Viewer:
Requestor: urn:uuid:2dabeb0a-e780-447c-9f2b-6f715997f716
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Get(Message request)

Does anyone have an idea of a way to solve this issue? Thank you ;)

Regards,

Serge


Error export userAccountControl


Hello,

I have a synchronization rule to export users to AD; I calculate the userAccountControl based on employeeStatus.

I create a user in the FIM portal.

I run a Delta Import then a Delta Synchronization of the FIM MA; in the Adds I have a user with userAccountControl = 512.

Then when I run an Export to AD the user is created but he is inactive!!

Any idea?


Can FIM create OU in Active Directory


Experts,

Although I think the answer must be YES, I am asking to confirm as I have not worked on FIM.

Can FIM also create OU in Active Directory?

Thanks,

Mann

FIM Reporting and Load Balancing


Can FIM Reporting be installed on 2 FIM servers/nodes of an F5 virtual server?

I am trying to verify whether I should install FIM Reporting on both servers/nodes, as I would with the FIMService.

I am concerned that the FIMService on both nodes might initiate the reporting job, and what effect this might have.

TIA

Nigel

Microsoft.MetadirectoryServices.NoSuchObjectTypeException: No such object type "user".


Hello,

I have been stuck with this error for a while now with no luck. I have looked all over the internet and forums, including this one but none of them provide a working solution. The closest solution I could get was this article,

http://kowalski.ms/2010/07/20/sharepoint-server-2010-supplementing-user-profile-imports-using-bcs/

But, according to it, I have done everything right. The values for MossJoinAttribute and BDCJoinAttribute are also correct.

I was wondering if anyone could throw some more light on the problem.

Here are the errors logged in various locations,

miisclient stopped-extension-dll-exception

Event Viewer: 

The extensible extension returned an unsupported error.
 The stack trace is:

 "Microsoft.MetadirectoryServices.NoSuchObjectTypeException: No such object type "user".
   at Microsoft.MetadirectoryServices.Impl.TypeDescriptionCollectionImpl.get_Item(String Name)
   at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData)
Forefront Identity Manager 4.0.2450.5"

Here's What I am trying to do,

  1. I have created a User Profile Service that imports profile information from AD.
  2. We have a custom External Content type that we use to import additional Profile Properties from an ORACLE Database.
  3. Initially everything worked fine. Import from AD as well as ORACLE was successful.
  4. But, then we had to migrate to a different database. With the same Tables/Views/Columns
  5. We changed the connection string that the External Content Type was using to import data from the ORACLE Database.
  6. Ran Full Sync.
  7. AD Import Works, but BCS Import fails with the errors mentioned earlier.

Thanks in advance.

SSPR QA in multilanguages and multilines ?


Hi,

In the QA Gate configuration "Password Reset AuthN Workflow",
is there a way I can split the questions into multiple lines so I can put one language per line?
Now I have Q1 : US / FR / DE
and I want to have
Q1 : US
       FR
       DE

Hyper-V replication for FIMSync


Is FIMSync supported using Hyper-V replication?

If so what are the configuration issues?

i.e. a low DNS TTL for the newly Hyper-V injected and DNS-updated FQDN?

i.e. MIIS activate is not required because FIMSync is an image, not a standby?

Many thanks

Nigel
