
One way user sync from one AD to another AD

I am pretty new to FIM and I want to know if there is any step-by-step instruction to achieve one-way user sync between 2 Active Directories using FIM 2010. I need the users to get synchronized. When I create a new user in one AD, the same user should get replicated in the other AD.

This is what I intend to do.

Pull users from Forest A to Forest B. It's a 1-way sync: Forest A -----> Forest B.

Appreciate if I can get any help.

regards

vadiraj


FIM Portal Custom UserEditing.aspx Page

Hello Everyone,

I wanted to create a custom ASP.NET web page for UserEditing in the FIM Portal. What I want to do is create a UserEditing.aspx page with custom ASP.NET controls and deploy it into the FIM Portal. Once a user clicks to edit or view the user in the FIM Portal, I want to read the ResourceID from the QueryString and populate/update the UserEditing.aspx control values based on the ResourceID.

Please suggest.




Regards~
Deepak Arora

Custom Activity Issue in FIM

We are facing an issue adding a Custom Activity in a FIM Workflow. It would be a great help for us if you could provide some suggestions/hints to resolve this issue.

Issue description:


• Case with Activity which was already present: When we tried adding activity in workflow, it is displayed in the activity selector. But as long as we save the workflow, and again open it, activity no longer exists.
• Newly created Activity: Activity is not available even in activity selector in workflow

Troubleshooting steps followed:


1. To start with we did make sure that the custom activity dll is present in GAC in both the servers (portal and service servers) and did an IISRESET on the server where portal is hosted and restarted the FIM service on the server where it is hosted. This didn’t help.
2. Re-created the “Activity Information Configuration” resource which we thought is corrupted. Then followed the step 1. Next we tried creating a workflow which would use newly created “Activity Information Configuration”. But this time we could not see the newly created activity.
3. After trying all above minor troubleshooting steps, we started the deployment activity from start and followed following steps:
   1. Uninstalled the custom activity dlls from GAC from both the servers.
   2. Opened the solution code in Visual Studio and built the solution. This created a new dll for custom activity.
   3. Installed this dll on both service and portal servers. And did IISRESET and restarted the FIM service.
   4. Created new “Activity Information Configuration” and repeated above step (step 3)
   5. Now activity is not available even in activity selector

[Troubleshooting] BHOLD Increase session lifetime for BHOLD core

SQL Server MA issue-recently migrated to FIM from ILM

We recently migrated from ILM 2007 to FIM 2010. We have an SQL Server MA. Adds/updates are exported during export and confirmed back during Delta Import to SQL Server. We have a view defined for delta values from SQL Server.

The issue is that the second time the Delta Import profile is run, the values are fetched from SQL Server as updates where I expect them to be in Unchanged, even though there are no adds/updates. In the subsequent cycles after the second cycle, the records come in as unchanged.

Has anyone encountered such an issue? Please help.


RequestParameter update

In the example below I want to remove RequestParameter that contains the modification of the attribute called ModificationDate. I want to do this in a custom workflow activity. ModificationDate is a custom attribute on the Group resource.

RequestType currentRequest = this.ReadCurrentRequestActivity_CurrentRequest;
DateTime modificationDate = getModificationDate(currentRequest);

UpdateRequestParameter paramRequestParameters = new UpdateRequestParameter();
paramRequestParameters.PropertyName = "RequestParameter";
paramRequestParameters.Mode = UpdateMode.Remove;
string s = "";
s += "<RequestParameter xmlns:q1=\"http://microsoft.com/wsdl/types/\" ";
s += "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" ";
s += "xsi:type=\"UpdateRequestParameter\"><Target>";
s += currentRequest.Target.GetGuid().ToString();  // e.g. "0f8d8335-916f-4574-b6e4-286b879498a7"
s += "</Target>";
s += "<Calculated>false</Calculated><PropertyName>ModificationDate</PropertyName>";
s += "<Value xsi:type=\"xsd:dateTime\">";
s += modificationDate.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss");  // e.g. "2013-06-03T08:16:00";
s += "</Value><Operation>Create</Operation>";
s += "<Mode>Modify</Mode></RequestParameter>";
paramRequestParameters.Value = s;

UpdateRequest.UpdateParameters = new UpdateRequestParameter[1];
UpdateRequest.UpdateParameters[0] = paramRequestParameters;

...

private DateTime getModificationDate(RequestType currentRequest)
{
    // Read ModificationDate from the request parameters
    ReadOnlyCollection<UpdateRequestParameter> requestParameters = currentRequest.ParseParameters<UpdateRequestParameter>();
    DateTime modificationDate = DateTime.MinValue;
    foreach (UpdateRequestParameter requestParameter in requestParameters)
    {
        if (requestParameter.PropertyName == "ModificationDate")
        {
            if (requestParameter.Value != null)
            {
                modificationDate = ((DateTime)requestParameter.Value).ToLocalTime();
            }
        }
    }
    return modificationDate;
}

This works and the Request resource seems to be updated correctly. In the request details I see that the request parameter ModificationDate is not available. The only parameter left is the change of the description attribute, which was done in this particular example.

The problem is that after the request is processed, the ModificationDate is set on the Group resource.

Again, the request object does not contain ModificationDate in the RequestParameters. It seems that the RequestParameters cannot be changed, i.e. they are changed on the UI, but the FIM request pipeline does not "see" this change. The strange thing is that I can update the RequestStatusDetail attribute of the request resource in the same way (as described in http://www.wapshere.com/missmiis/updating-requeststatusdetail).

The question is:
Is it possible to update RequestParameter attribute of the Request resource in a custom workflow activity?

Thanks in advance for your answers.

Milos



EmployeeID attribute

In FIM 2010 (NOT R2 version), in the Management Agent for Active Directory Domain Services, I have tried to create an attribute mapping between HR EmployeeID (NdsPerson) and Active Directory EmployeeID (USER object).
The first time the MA runs everything is working perfectly. The EmployeeID is written to the user object. The second time the MA runs, it fails on every user in AD.
 

[REFERENCE] How to flow msExchHideFromAddressList but filter if the value is true


[Troubleshooting] FIM Service upgrade fails on 'GetCertThumbprintFromName'

Rights for attribute in creation

Hello,

I want to make some MPR right to deny viewing some attributes in the creation form. Is it possible?

Thanks

Managing groups of multiple forests and other directories

Hi folks -

We have an environment with 2 AD forests, and 'other' LDAP-type directories that support applications.  We also have an AD LDS instance that is considered the authoritative source for all identities in the environment.  Managing users and groups within the environment is cumbersome currently, so we're looking to FIM to help sync identity information between directories, provide a self service capability so that users could update their information in one location, and help manage group memberships for each of the component directories.

So far with a single FIM service and sync engine, we have found that we are unable to manage group memberships across these forests and directories for reasons that might seem obvious to those with extensive experience in trying to do so. What it seems we may need to do is stand up a FIM service for each forest and LDAP directory, and I'm just doing a check to see if there are other options out there (possibly outside the FIM world) toward managing groups within multiple directories.

Thanks!



password reset process through SSPR.

Our AD GPO stipulates users can reset password every 3 days only and cannot reuse last 25 passwords.

I was able to circumvent these 2 policies thru SSPR but it did stop a user from creating a password that does not meet min length.

Found these articles: http://setspn.blogspot.com/2010/11/fim-2010-sspr-enforces-password-history.html and

http://setspn.blogspot.com/2010/12/fim-sspr-password-history-enforcement.html

We have FIM sync, FIM service and Portal v 4.1.3114.0 2010 R2.

I have checked with the AD domain admin about hotfixes KB2386717 and KB2443871; they do not apply to our PDC, since we have newer ones already updated.

I checked on KB2417774 which is for FIM 2010; we have a newer version on that front also.

The below patch KB2417774_Rev5 is for an old version. Is there one for our build? Please help.

Forefront Identity Manager 2010All (Global)x64KB2417774_Rev5 nosp20104.0.3573.21457426792/12/2011 12:20:46 AM

FIM 2010 Synchronization Service Manager - Operations Tab very slow

Hi,

We have recently migrated from ILM 2007 to FIM 2010.

After migration we noticed that when we click on the 'Operations' tab of the Synchronization Service Manager, it takes a very long time to load the run profiles.

The same size of data is present in the connectors as it was in ILM 2007, but in ILM it is fast and in FIM 2010 it is very slow.

But all the MAs are running at the expected speed without any problem.

Has anyone faced this kind of issue? Could you please help me in understanding why this happens and how this can be solved?

FIM Approvals are escalated before the escalation time has passed with reason: Approver does not have the authority to approve anymore.

The environment is as follows:

  1. We have FIM 2010 R2 Sync & Portal version 3.1.3419.0 installed on one server;
  2. We have an Approval workflow for certain attributes on a user account which the user can update;
  3. We have a reference attribute on the user object called "Nominated Approver"; and
  4. The Nominated Approver is selected as the first Approver on the workflow and there is an escalated approver for which the escalation time is set to 5 days.

We have the following scenario:

  1. User changes an attribute and an approval is sent to the Nominated Approver;
  2. User then changes his Nominated Approver to another person;
  3. The original Nominated Approver approves the request;
  4. An escalation approval has then started, before the escalation time period.

When I look at the events/request and approvals I found the following:

  • The Approval Duration is exactly 5 days from the request date on the "Update to Person:

  • The request will show that the original approver has approved the request with reason: "Approver does not have the authority to approve anymore."

  • The Escalation Approval will then be sent prior to the escalation date.

Have checked the SQL Server date and time; all is OK.

Other Approvals are normal except for 2 approvals for which the Nominated Approver attribute has changed.

Has anybody encountered such an escalation approval where the escalation date/time has not been passed?

 


Regards Andre van der Westhuizen

Microsoft FIM : Referential Integrity

Hi,

In ILM 2007 we have noticed referential integrity, where after synchronisation completes, sync will also be running but without any updates. Now we need to know whether this feature still persists in FIM 2010 as well.


About to implement MS FIM 2010 R2 - should it go in my DMZ or on my Internal Network ?

Any advice on the following would be greatly appreciated..

I have been tasked with setting up MS FIM 2010 R2 to enable "GalSync" between two Organisations (OrgA being my own organisation and OrgB being one of our "Partner" Organisations) --- There is currently no AD connectivity/trusts in place between us ... and I believe the solution that I'm trying to achieve should be possible without Trusts being established...  

From reading the whitepapers and various forums, it seems that MS FIM 2010 R2 is best sited within my Internal network, as it needs access to an SQL server (and we have internal SQL Farms) plus AD etc.. however, my Network/Security colleagues have a different opinion .. i.e. they maintain that as the "synchronization service" is going to be talking to both internal and external domains .. the FIM Server should be in our DMZ...

So - the question - if anybody has experience of such a set up is ...   where is the "best" place for the MS FIM 2010 R2 server to reside ?  and why ?

Regards


Steve Morris

BHOLD core Installation failed to create database B1

Hi,

We have deployed FIM 2010 R2 for our client requirement. Now, the client wants to use the BHOLD Attestation module for verifying and controlling their user accesses. In our test environment, we have FIM and SQL Server on the same server, say SERVER1, and we are installing the BHOLD core module on a separate machine, say SERVER2. Both the servers (SERVER1 and SERVER2) belong to the same domain, say DOMAIN1.
We have performed all the prerequisite steps for installing the BHOLD CORE module but still the installer is unable to create the BHOLD database (named as B1). We are getting the below error:
Error -2147217843: Installation failed to create the database B1.

Login failed for user Username Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

Can somebody help me in identifying the issue? Has anybody encountered this issue before?

Quick response will be really helpful.

Thanks,

Sanjog

Password sync between SAP and AD

Hi,

Could anyone please suggest and guide how to synchronize the password between SAP and AD (from SAP to AD and from AD to SAP) using FIM 2010?

Also, which SAP version can support password synchronization using FIM? Please share a document and link if available.

Thanks in advance and appreciate an early response on it.

Thanks

Harry

Custom Workflow - How to get requested changes to a multivalue attribute

I'm trying to create a custom workflow that updates group memberships in AD (this particular case can't be done via SyncRules, long story^^). For that I've created a new user attribute (in the portal) "memberOf".

Now I want to create an AuthZ-Workflow that gets triggered when this attribute is modified. That all works well. My problem is how to figure out which values were added and which were removed to the multi-value attribute.

I've tried this:

var requestParameters = ReadCurrentRequestActivity_CurrentRequest.ParseParameters<UpdateRequestParameter>();
using (TextWriter writer = File.CreateText(newValueFilePath))
{
    foreach (UpdateRequestParameter requestParameter in requestParameters)
    {
        writer.Write(requestParameter.PropertyName + ":");
        writer.WriteLine("Type: " + requestParameter.Operation);
        writer.WriteLine();
        writer.Write(requestParameter.Value);
        writer.WriteLine();
        writer.WriteLine();
    }
}

This correctly gives me all the values that were added and removed. I was assuming the "Operation" property would tell me if the value was added or removed. But it always is "Create".

So is there another "easy" way to figure this out? Two more complicated possibilities come to mind:

- using a "ReadResourceActivity" to get the old value and then "manually" compute the changes

- creating two different activity workflows, one for adding and one for removing; then I could create two separate MPRs for the two cases

They would probably work, but I think there has to be a "better" way.

Thx

Provisioning mailboxes to multiple Exchange in the environment

Hello All,

Provisioning mailboxes to multiple Exchange versions in the environment: is it possible to provision a mailbox for the user in 2010, 2007 and 2003 at the same time in FIM? The environment is a mixed type having all these Exchange versions. Currently users are provisioned with customization code. Can it be configured in the FIM Portal, and what would be the challenge?

Regards,
Anirban Singha (Bangalore, India).
