Channel: Forum Microsoft Identity Manager

FIM Password Expiration Notification E-Mail

Within FIM 2010 R2 I have created 2 sets called "Password Expiration Notification (7 Days)" and "Password Expiration Notification (Tomorrow)", the criteria I have set to populate these sets is:

Select users that match all of the following conditions:

Password Last Set prior to 35 days

User account control = 512

and

Select users that match all of the following conditions:

Password Last Set prior to 41 days

User account control = 512

Our domain password policy stipulates passwords should be changed every 42 days.

I have the sets populating correctly and have followed the tutorial here http://setspn.blogspot.co.uk/2010/10/fim-send-password-expiration.html to set up the workflows, email templates and MPRs to send an email to the user when they transition into one of the above sets.

It is sort of working, in the sense that it is sending emails, but when I look at the System Event Requests that appear under Search Events, emails are only being sent to users whose passwords have already expired and not to all of the members of the sets.

Anybody able to suggest a reason why emails are not being sent to all members of the sets? 



FIM 2010 R2 upgrade to FIM 2010 R2 SP1 upgrade

Hi 

I am trying to perform the FIM 2010 R2 to FIM 2010 R2 SP1 upgrade for one of my customers. I downloaded the hotfix for it from the Microsoft site (build 4.1.3419.0). My current version of FIM is (4.1.2273.0). But when I try to run the .msp file to apply changes for FIM Sync, it shows the error "FIM Synchronization service can not be installed.Please run setup again to install update".

Is there any process to perform the upgrade, or do I need to run the full setup again?

FYI, Event view is also not showing any detailed log, just the logs stating about Setup error (...can not install), configuration error.

Please suggest!!!!


Thanks~ Giriraj Singh Bhamu

DeclineMappingException and EAF Precedence

I have a situation where an attribute flow declined with DeclineMappingException does not seem to be yielding precedence.

Here is the scenario:

I have a large Active Directory and a business requirement for FIM to be authoritative for specific accounts in Active Directory. All accounts need to be visible in the FIM Portal, but only certain accounts may be updated from the FIM Portal. The specific accounts that FIM is authoritative for is arbitrary and is controlled by an attribute in the FIM Service. The desired behavior is that for accounts in which FIM is authoritative, data will flow from FIM to AD and for accounts FIM is not authoritative, data will flow from AD to FIM.

I have two management agents, one for the FIM Service and one for Active Directory. I have both inbound and outbound flows for my attributes between the FIM Service and the metaverse. I flow the “IsOwnedByFIM” flag from the FIM Service to the metaverse. On the AD side, I have rules extensions that for exports flow data from the metaverse to AD if the IsOwnedByFIM flag is set and throw a DeclineMappingException otherwise; and for imports, the extension flows data to the metaverse if the flag is not set and throws a DeclineMappingException otherwise.

Precedence is set so that AD has a higher precedence than FIM (AD first in the list, FIM second).

What I expect to happen is that for records not owned by FIM, the AD MA will contribute an attribute and since AD is first in the precedence list, the data will flow into the metaverse and out to the FIM Service. This works as expected.

For records owned by FIM I expect that the AD MA will not contribute an attribute due to DeclineMappingException being thrown in the rules extension, so precedence should yield to the next potential contributor (FIM Service). This works and I see the data flow from the FIM Service to the metaverse in inbound flow. However, I also expect that on the outbound flow, data should flow from the metaverse out to AD. This is not happening and I get the “Skipped: Not Precedent” status in preview.

I am aware of Export Attribute Flow precedence and get that an attribute value coming from a lower precedence source will not overwrite a target value that has higher precedence. However, in this case since the “higher” precedence MA declined to provide a value, I find it strange that EAF precedence is blocking the outbound flow.

So my question is: When Export Attribute Flow precedence is calculated, is the sync engine supposed to consider whether or not an attribute was actually contributed from a target before preventing overwriting of the target, or does it only consider if the target could have contributed a lower precedence value? In other words, is the sync engine supposed to consider DeclineMappingExceptions when determining EAF precedence? And subsequently, is what I am seeing a bug or expected behavior?

For readers not familiar with EAF Precedence the following links are useful (but don’t talk about the case of DeclineMappingExceptions):

http://social.technet.microsoft.com/Forums/en-US/2c4f5c39-de0b-4fed-9cdd-057d0394085b/about-attribute-flow-precedence?forum=identitylifecyclemanager

http://technet.microsoft.com/en-us/library/cc720559.aspx

FIM GALSYNC Contact provisioning exclusion

I need to know how the FIM Galsync provisioning/joiner rule can be configured with certain exceptions. For example, if there are 4 forests participating in Galsync - Forests A, B, C & D. Forest A is where the FIM server is deployed and it shares the same SMTP domain namespace with Forest B. Is it possible that Forest B provisions contacts on all other forests except Forest A?

PCNS in multi-forest?

Hi,

Assume we have 4 forests, Forest A, Forest B, Forest C and Forest D, with a planned eventual consolidation of users from Forests A, B, C into Forest D. The 4 forests do need to run together for some time.

Forest D has FIM Sync, and user accounts from Forests A, B, C have been synced and created in Forest D.

Can we install PCNS on Forests A, B, C, D to sync all password changes with respective accounts in Forest D (unidirectional), even though FIM Sync is running only in Forest D?

Thanks

DW

Trigger an MPR at a specific time

Hi,

I have a requirement to trigger an MPR at exactly 07h00. Is this possible, and how? I have reviewed some of the articles on this topic, but they concentrate more on a specific date.

I have created a custom Workflow activity to send an SMS to a user when a password is about to expire. The TemporalEventsJob runs at 00h00, resulting in the SMS going out at about 01h00 in the morning. I want to change / delay the SMS to 07h00 without changing the schedule of the TemporalEventsJob.

Thanks

Johan Marais


JkM6228

SSPR OTP Verification

Has anyone successfully deployed OTP that during registration and verification email is sent to ensure the provided SMS/Email value is usable and actually the user at the keyboard?

Users cannot access the FIM Portal unless they are a member of the local Group "Users" on the FIM Service server

Hi,

I have an FIM 2010 R2 SP1 install on Windows 2012 infrastructure using SharePoint 2013.  Roles are broken out so I have a separate server for FIM Service, FIM Sync and SQL backend.

I have populated users as required but they cannot access the FIM Portal unless they are members of the local security group "Users" on the FIM Service server itself.  When not added to this group they get prompted for credentials repeatedly and after entering them repeatedly then I receive a message from the below link

"https://idmportal.company.com/_layouts/MSILM2/ErrorPage.aspx

Unable to process your request"

Once I add the user into the "Users" group on the FIM Service server then the user logs in with no issues.

Has anyone else come across this issue?

Thanks,

B


Temporal Sets using xs:dayTimeDuration

I currently have FIM 2010 R2 installed and I'm trying to create a Temporal Set using xs:dayTimeDuration. The samples I have found on the Internet are using 'PnD' syntax, where n is the number of days.  However for my use case, I need to be more restrictive, like 6 hours. Based on XPath 2.0 syntax linked from FIM 2010 R2 documentation, I would use this:

(ExpirationTime < op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('PT6H')))

When I manually run the "FIM_TemporalEventsJob" SQL Job, nothing happens. The UI doesn't support the syntax, so I don't know how to see if the object is part of the set. All I know is that my workflow doesn't execute.  However, if I change the syntax to use 'P1D', everything works as expected...

My question is: is this a bug, or does FIM not support the syntax?

 

Mark Remkiewicz

Workflows in Web Service configuration Tool

Hi everyone:

Does anybody know of any documentation or examples about creating workflows in the Web Service Configuration Tool from the Web Service connector in Forefront Identity Manager?

Thanks in advance

Regards


FIM

ADMA failed-search timeout 0x55

When running a full import I'm getting a failed-search error with timeout 0x55 for the error information. There is nothing in the event logs nor the import log when I enable it. I've tried playing with page/batch size and doubling/tripling/quadrupling the timeout with nothing seeming to help.

What other debugging tricks can I use to possibly find out what is going on?

Where is the best doc source for Config settings for Sync Manager?

Hello,  We have Sync Manager, so what is the best doc source to explain the CentralConfigSettings such as settings in the 'AppSettings' section, MA settings, etc?  Thanks.


Thanks for your help! SdeDot

Do we require 2 FIM Licences if installing FIM portal on 2 servers for HA

Hi,

We are installing the FIM portal on 2 Windows servers to achieve HA.
Please help by sharing whether it will cost us two FIM Licences to do that.

Thanks,
Varun

Problem with Full Import FIM MA

Hello,

I'm a beginner in FIM.

I want to understand why Full Import for the FIM MA does not import objects. I have these statistics in "Synchronization Statistics":

After Full Sync, I have these statistics:

No projections, no joins? What are the probable causes for that?

Regards

How to solve placeholders of reference attribute - Fim 2010 R2

I am importing an object(person) from sql which has a reference to second object (department). The connector space search shows the second object type as placeholder and not as department. The department object was created in FIM portal and not joined by or connected to any other MA.

a) In Portal, there is an object called department. It has an attribute displayName which has Computer Services as value.

b) The FIMMA has the department object type flowing 4 to/from MV. Am I missing anything in this? Should the displayname be flowed to any other attribute?

dn<-- (sync rulemapping);MVObjectid<-- <objectid>; DisplayName-->displayName; <dn>-->cdObjectID

c)sql MA(person object) : has 2 attributes; empID ,dept(reference - department object) (123,Computer Services); import flow has dept to department in MV (direct flow). The preview is showing as Applied Deleted for department and connector space has placeholder.

Please help!




Supported platforms in FIM 2010 R2 Sp1

I have FIM 2010 R2 Synchronization Server running on Windows 2008R2 OS. The available Galsync connectors that we have are Exchange 2003, 2007 and 2010. The FIM sync server runs on an Exchange 2010 environment, but in order to fulfill the requirements of establishing a connector with Exchange 2007 we followed the reference "http://social.technet.microsoft.com/wiki/contents/articles/3457.fim-how-to-export-to-an-exchange-2007-server-with-synchronization-server-in-an-exchange-2010-domain.aspx" to install Exchange 2007 EMC on the FIM Sync server. Now we have a new connector lined up to be added on our FIM server which is running on an Exchange 2013 environment. I need to know how we can perform an upgrade from FIM 2010R2 to FIM 2010R2 SP1 without breaking the existing configuration, especially with the connectors running legacy Exchange (2003 and 2007).

Jimmy George

pcnscfg, domain wide setting?

When you're implementing PCNS, once you have PCNS installed on all your DCs and you add a target using the Pcnscfg.exe addtarget command in the command prompt, is this setting domain wide? Do you run it just once on one of the DCs and the value for the target FIM instance will replicate to all the others, or do you need to run the command on each DC with PCNS installed?

PCNS and SSPR between 2 forests

Hi,

We have a requirement to have the same users in 2 separate forests, Forest A and Forest B. So users from Forest A are also created in Forest B via FIM.

FIM Sync, Portal and SSPR are deployed in Forest A.

Users log on to workstations in Forest B, where they need to be able to change their passwords using the traditional Ctrl-Alt-Del routine; these passwords need to be replicated to Forest A.

Additionally users in Forest B must be able to reset their passwords using the FIM add-ins and extensions, as well as via the SSPR Portal which is hosted in Forest A. So effectively, password changes in Forest A must also be replicated to Forest B.

Since PCNS is unidirectional - is the above actually possible?

thanks,

DW


FIM Reporting installation (where to put SQL Reporting Services?)

Hi,

I'm installing FIM 2010 R2 SP1 with the Reporting feature.

It is going to be an installation with separate SQL and separate servers for SCSM DW and SCSM MS.

I have SQL where I prepared 3 instances (default one for FIM databases, one for SCSM SM databases, one for SCSM DW databases). My question is - which one of them should have SQL Reporting services installed?


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

Custom Multivalued Reference Attribute

I have created a Multivalued Reference Attribute (D_Groups), but I can neither edit it nor browse any data for it.

It looks like this.

How to fix it?


