Channel: Forum Microsoft Identity Manager

FIM Licensing

Experts,

I am in some confusion regarding the licensing of FIM. I do understand that FIM requires a server license as well as a CAL (if the FIM service, portal is used for each user managed).

I am not able to understand the difference between these two lines mentioned in the Forefront Identity Manager license data sheet.

"
Each user managed by Forefront Identity Manager requires a Windows Server Client Access License (CAL). Go to www.microsoft.com/en-us/server-cloud/windows-server/2008-r2-buy.aspx for information.

&

For each user for whom the Forefront Identity Manager software issues or manages identity information, a CAL is required. A CAL is also required to manage each smart card and to issue and manage each user's access to a digital certificate.
"

What is the difference between these two lines?

Thanks,
Mann


Redundancy FIM portal

Hello,

I have installed FIM Service/Portal on SrvA and FIM Synchro on SrvB.

I want to have two FIM Service/Portals in order to switch when the server is down.

Is all I need to do install FIMService/Portal and use the existing FIMService database?

Any idea?

Does anyone have a best practice for this?

Thanks

Some users are not synced with DirSync

Hi all,

I have installed the DirSync tool to sync my on-premises AD with Office 365. I have some users located in one OU; some of them are synced and the others are not. The strange thing is that when I move the users to another OU, they sync.

Thanks

Best Practices for AD Import into FIM MV

I'm working on a project which will require AD users to be imported into FIM and then be shown in the FIM portal. I know I could import users from a specific OU, but what I'm not sure about is how FIM and the MV keep track of users.

For example:

I configure "john.doe" in OU "London" and then import the account into the MV.
john.doe is moved into the Hong Kong OU and I run a delta sync - can FIM track this change?

Would I be better off using an anchor on objectsid to deal with user account moves and users changing names\logons?

Thanks

Can FIM connect to Iplanet Directory Server in the same manner as FIM connects to Sun-One Directory Server?

Sun-One Directory Server was formerly known as Iplanet Directory Server.

I know FIM can connect to Sun-One Directory Server.

So can FIM connect to Iplanet Directory Server as well?

If yes, would that be in the same manner?

I need a suggestion, a link or a helpful answer.

PostProcessing workflow

Hello,

I have a workflow which calculates the display name (firstname + lastname, classic). I have a weird issue:

when I modify, for example, the firstname, the displayname is calculated correctly but the WF is still in PostProcessing - the WF is about modifying the firstname, and the second one, which updates the displayname, is terminated.

Any idea?

I have this error in the event viewer:

Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.EndpointUnavailableException: Other ---> System.Data.SqlClient.SqlException: Cannot generate SSPI context.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(SqlConnection connection)
   at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(String connectionString)
   at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(DataStore store)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(DataStore store)
   at Microsoft.ResourceManagement.Data.TransactionAndConnectionScope..ctor(Boolean createTransaction, IsolationLevel isolationLevel, DataStore dataStore)
   at Microsoft.ResourceManagement.Data.TransactionAndConnectionScope..ctor(Boolean createTransaction)
   at Microsoft.ResourceManagement.Data.DataAccess.RetrieveExpiredTimerIdsForServiceHost(Int16 serviceId, Int32 workflowDefinitionVersionKey, Boolean isHosted, List`1 workflowTypes, Int32 maxWorkflowsToLoadOnTimerExpiration)
   at Microsoft.ResourceManagement.Workflow.Hosting.ResourceManagementSqlWorkflowPersistenceService.LoadExpiredTimerWorkflowIds()
   at Microsoft.ResourceManagement.Workflow.Hosting.ResourceManagementSqlWorkflowPersistenceService.ExecuteTimerBasedOperations()
   at Microsoft.ResourceManagement.Utilities.PeriodicBase.Execute(Object input)

FIM 2010 R2 SAP Web Service for password reset

Hello everyone,

I'm currently working on implementing SAP password reset through the FIM 2010 R2 SP1 connector for web services.

Has anyone had any experience with that?

Truth is, I don't even know what the users will be shown for them to reset their password!

Any help would be greatly appreciated.

Cheers


Hitch Bardawil

RCDC for AccountName and mail-enable distribution groups

Hi *.*,

I almost finished a FIM 2010 R2 implementation, and it looks like it's working nicely. However, I want to use it for mail-enabled distribution and security groups management and I'm facing two typical issues:

  • The AccountName attribute is neither visible nor populated when creating a new DG; I can't even choose if it's mail-enabled or not. I would like a behavior similar to when creating an SG.
  • In both cases, DG and SG, only the mailNickname (E-mail Alias) attribute is populated, leaving behind the Email one that I use for syncing back to Active Directory. Without that the group is not truly mail-enabled.

I have taken a peek at the RCDC XML "Configuration for Group Creation". I can perfectly identify the EmailEnabling and Alias controls, but I don't get the logic that decides if it is going to be shown (SG) or not (DG).

So my questions:

  • How do I make AccountName, EmailEnabling and Alias show in DG creation form?
  • Why is the Email field not there and not populated?

Thank you so much,
Carlos

PS: For example, the identified EmailEnabling control in the RCDC, in case you want to comment on it:

<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox" my:Caption="%SYMBOL_EmailEnablingCaption_END%" my:Description="%SYMBOL_EmailEnablingDescription_END%" my:AutoPostback="true" my:RightsLevel="{Binding Source=rights, Path=Email}">
  <my:Properties>
    <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
  </my:Properties>
  <my:Events>
    <my:Event my:Name="CheckedChanged" my:Handler="OnChangeEmailEnabling"/>
  </my:Events>
</my:Control>


FIM 2010 with wss3.0 to FIM 2010 R2 SP1 with Sharepoint 2010 Foundation

Hi,

In my DEV environment, I have all the FIM components running on the same box:

FIM Portal, Service, and Sync Service version 4.0.3573.2

WSS 3.0 version 12.0.0.6421

We want to upgrade to FIM 2010 R2 SP1 with Sharepoint Foundation 2010

This is what I have done so far (I appreciate I could have done an in-place upgrade of WSS 3.0 to SharePoint 2010, but I think I followed the instructions on some forum to do this):

a) Uninstalled FIM Portal (which also uninstalled the FIM service)

b) Uninstalled WSS3.0

I have done the 2 steps listed above. As per the instructions on another thread, the next steps should be:

c) Install Sharepoint Foundation 2010

d) Install FIM Portal 2010 R2 SP1

Is this the right way to proceed? Unfortunately, we don't have a snapshot to revert to (we had tried to take a snapshot, but looks like it wasn't successful - thankfully it's just the dev environment).

Any tips/suggestions?

Thanks a lot


Can Password Change Notification Service sync password changes from one domain to another without FIM?

Is it possible to use Password Change Notification Service to sync user passwords from one domain directly to another domain without the use of MIIS/FIM?

I'm following this installation guide.  When looking at the Service Principal Name configuration, it leads me to believe FIM/MIIS is required.  Can this be pointed to a DC in the other directory instead?

Setspn.exe -a <user defined named for target MIIS 2003 server>/<fully qualified domain name of the server running MIIS 2003> <domain\user name of the MIIS 2003 service account>

SQL 2012 Always On Availability Groups

Has anyone configured FIM Sync, FIM Service and MSF in SQL 2012 Always On Availability Groups?

I do not believe we can configure the SQL connection string for FIM Sync or FIM Service to include "multisubnetfailover"

TIA

Nigel

IPLANET DIRECTORY SERVER MANAGEMENT AGENT

Sun-One Directory Server was formerly known as Iplanet Directory Server.

I know FIM can connect to Sun-One Directory Server.

So can FIM connect to Iplanet Directory Server as well?

If yes, would that be in the same manner?

I need a suggestion, a link or a helpful answer.


install language pack failure

Hello,

I get this error when I try to install the language pack:

Any idea, please?

RCDC dynamic validation

Hi,

Can anyone tell me how to read the value of the text box dynamically before submitting the user creation?

For example, I have the attribute job title; how can I read the value of the job title attribute and combine it into the department attribute of the same user?

Job title: Consultant, then my department should be "consultant-Delivery".

I need it dynamically.

Thanks in advance

Sridhar 

Lotus Domino MA and provisioning roaming user (no dbs)

Hi,

I am trying to provision a roaming user on a Domino system (8.5.3 FP2) with the Lotus Domino MA (Build 5.3.721.0).
Everything looks fine, except that the "roaming dbs on the server will not be created".

Here is a snippet from the provisioning code:

 ' Set the property values to provision the object.
                csentry.DN = connectedma.EscapeDNComponent(DNNAme + "/O=TEST-RG").Concat("NAB=names.nsf")

                csentry("LastName").Value = mventry("sn").Value
                csentry("_MMS_Certifier").Value = DNCertifier
                csentry("_MMS_IDRegType").IntegerValue = 1  ' US User

                csentry("_MMS_IDStoreType").IntegerValue = 1 ' ID File as a file

                csentry("_MMS_UseAdminP").BooleanValue = False

                ' The next two properties must have a value for a user with an
                ' identification file.
                csentry("_MMS_IDPath").Value = mventry("employeeID").Value
                csentry("_MMS_Password").Value = "Testnotes1"
                csentry("HTTPPassword").Value = "Testnotes1"

                ' The next two properties must have a value for a user to access
                ' e-mail through the Lotus Notes client or Web browser.
                csentry("MailServer").Value = "CN=testnotes1/O=test-brg/C=AT"
                csentry("MailFile").Value = "mail\" & mventry("employeeID").Value

                'csentry("_MMS_Roaming_Files_InBackground").BooleanValue = True

                csentry("shortName").Value = mventry("employeeID").Value
                csentry("InternetAddress").Value = mventry("givenName").Value + "." + mventry("sn").Value + "@test-rg.local"

                csentry("RoamAB").Value = "names.nsf"
                csentry("RoamingUser").Value = "1"
                csentry("RoamMode").Value = "0"
                csentry("RoamSrvr").Value = "CN=testnotes1/O=test-rg/C=local"
                csentry("RoamSubdir").Value = "roaming\" & mventry("employeeID").Value
                csentry("RoamExtFiles").Values.Add("localfeedcontent.nsf")
                csentry("RoamExtFiles").Values.Add("roamingdata.nsf")
                csentry("RoamCleanPer").IntegerValue = 0


                ' Finish creating the new connector.
                csentry.CommitNewConnector()
    
Any ideas?

Thanks for the help

Axel


axel ciml


Trying to refresh schema for BHOLD management agent. Getting error

Greetings,

I'm piloting the BHOLD suite to see if it will meet our company's needs.

I added some attributes in the BHOLD core configuration pages (web site).

Now in the FIM sync service, I need to refresh the schema to see them. The Schema refresh fails with the following error logged in the event log. Any ideas?

-Doug

Log Name:      Application
Source:        FIMSynchronizationService
Date:          1/15/2014 8:42:27 AM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxx
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'WindowsIdentityImpersonationFactory'.
   at Microsoft.AccessManagement.BHOLDConnector.Context.WindowsIdentityImpersonationFactory.CreateImpersonation()
   at Microsoft.AccessManagement.BHOLDConnector.DataAccess.IntegratedSecurityDataAccess..ctor(String serverName, String databaseName, String username, String password, String domain)
   at Microsoft.AccessManagement.BHOLDConnector.BHOLDConnector.GetDataAccess(KeyedCollection`2 configParameters)
   at Microsoft.AccessManagement.BHOLDConnector.BHOLDConnector.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.1.3114.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6801</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-15T14:42:27.000000000Z" />
    <EventRecordID>110324</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'WindowsIdentityImpersonationFactory'.
   at Microsoft.AccessManagement.BHOLDConnector.Context.WindowsIdentityImpersonationFactory.CreateImpersonation()
   at Microsoft.AccessManagement.BHOLDConnector.DataAccess.IntegratedSecurityDataAccess..ctor(String serverName, String databaseName, String username, String password, String domain)
   at Microsoft.AccessManagement.BHOLDConnector.BHOLDConnector.GetDataAccess(KeyedCollection`2 configParameters)
   at Microsoft.AccessManagement.BHOLDConnector.BHOLDConnector.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.1.3114.0</Data>
  </EventData>
</Event>

Trouble with anchor attributes and reference attributes...

Greetings, I'm a little green on FIM and looking for some advice.

We have an HR system where we store the information on Contractors, Interns, and Employees.

The business process for converting Contractors and Interns to Employees is to terminate the Contractor and re-hire as an Employee. This gives us a different employee number for the "live" entry in the HR system.

Also, there is a "Supervisor No" attribute that is a Reference attribute for their manager. This is their employee number.

What do I do in FIM? If the Employee number is the anchor, won't the system consider the employee a new object? Is there a way to connect the new employee record to the metaverse object that was a contractor or intern, and update the anchor attribute (the new employee number)?

I was thinking of using a different custom field in the HR system as the FIM_Sync. But just realized that if this became the anchor, then no managers would connect since the Supervisor No is an Employee number.

Thanks in advance for helping.

-Doug

Trouble with anchor and reference attributes combined with a Correlation ID

Greetings, I'm a little green on FIM and looking for some advice.

We have an HR system where we store the information on Contractors, Interns, and Employees.

The business process for converting Contractors and Interns to Employees is to terminate the Contractor and re-hire as an Employee. This gives us a different employee number for the "live" entry in the HR system.

Also, there is a "Supervisor No" attribute that is a Reference attribute for their manager. This is their employee number.

What do I do in FIM? If the Employee number is the anchor, won't the system consider the employee a new object? Is there a way to connect the new employee record to the metaverse object that was a contractor or intern, and update the anchor attribute (the new employee number)?

I was thinking of using a different custom field in the HR system as the FIM_Sync. But just realized that if this became the anchor, then no managers would connect since the Supervisor No is an Employee number.

Thanks in advance for helping.

-Doug

*** Update ***

I read some of the articles on Correlation ID that are in the 2003 version of MIIS in the TechNet library. So a follow-up question would be: what happens between the CS and MV when the HR object changes, assuming I have this FIM_Sync attribute as my Correlation ID?

  • Contractor is created. Employee ID is anchor and FIM_Sync field is populated.
  • New object in CS
  • Projected into MV
  • Provisioned out to AD and other systems, but they don't have the FIM_Sync attribute in their schema.

  • Business event: Contractor converted to Employee:
  • Contractor in HR system terminated (employment_state) and FIM_Sync entry removed.
  • Employee record created in HR system and FIM_Sync value populated with what it was in the contractor record
  • New Employee object in CS
  • Does Contractor get disconnected?
  • Does the Employee CS object get joined to existing MV object?

FIM Synchronization Service 2010 R2

Hello,

I am running the FIM Synchronization Service with different management agents. Sometimes things go wrong. How can I monitor those tasks? I want to use PowerShell for that because I have a lot of other things that I monitor that way.

Is it possible to "GET" the status and dates with some kind of FIM cmdlets? Or maybe via the event log?

Third-party modules are not an option.

I hope one of you guys can point me in the right direction.

Kind regards

Harm Schutte 

FIM Web Service connector

Hello,

I'm trying to implement a web service connector for a custom application with the "Web Service Configuration Tool".

Has anyone implemented something like that for a custom web service?

Thanks
