Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

How to enable regex validation for display name attribute?


I need to put some control around the display name attribute (for all objects in the system). However, when I go to Administration => Schema Management => All Attributes => Display Name, I see that the regular expression text field under the Validation tab is disabled for display name. How can I enable this? I see there is already an MPR called "Administration - Schema: Administrators can change selected attributes of schema related resource" which grants admins the right to change the schema of the display name attribute, but it does not seem to help for the above scenario. Can someone please help?


Many Connector Space Objects to One Metaverse Object in the Same Management Agent

Wipe a mobile device before disabling a user


Has anyone tried to tackle the issue of remote wiping ActiveSync devices before disabling a user account with FIM?

We have an issue: when we terminate a user, disable the account and reset the password for good measure, the phone will not receive a remote wipe command, since that user on that phone will no longer authenticate.

Curious if anyone has thought of a workaround or some solution to wipe mobile devices, short of an MDM that will do this via an installed app on the phone.

Kirk
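
One way to sequence the offboarding so that the wipe is delivered before the credentials stop working, added here as an example (not from the original post, from FIM or from Exchange documentation). It assumes an Exchange 2010 Management Shell session (on Exchange 2013 and later the same cmdlets are named Get-MobileDeviceStatistics and Clear-MobileDevice), the ActiveDirectory module, that the mailbox alias equals the sAMAccountName, and that the notification address and timeout are placeholders.

```powershell
# Added example (not from the original post): wipe first, wait for the device
# to acknowledge, only then reset the password and disable the account.
# Assumed: Exchange 2010 Management Shell, ActiveDirectory module, mailbox
# alias = sAMAccountName, placeholder notification address. A wipe is delivered
# on the device's next successful sync, so it must be issued while the account
# can still authenticate.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$AckTimeoutMinutes = 60,
    [string]$NotifyAddress = 'security@contoso.com'   # placeholder
)

Import-Module ActiveDirectory

# 1. Issue the wipe to every partnered ActiveSync device
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $SamAccountName)
if ($devices.Count -eq 0) {
    Write-Host "No ActiveSync partnerships for $SamAccountName"
}
foreach ($d in $devices) {
    Write-Host ("Wiping {0} ({1}, last sync {2})" -f $d.DeviceId, $d.DeviceType, $d.LastSuccessSync)
    Clear-ActiveSyncDevice -Identity $d.Identity -NotificationEmailAddresses $NotifyAddress -Confirm:$false
}

# 2. Wait until every device has acknowledged the wipe, or the window expires
$deadline = (Get-Date).AddMinutes($AckTimeoutMinutes)
$pending  = @()
if ($devices.Count -gt 0) {
    do {
        Start-Sleep -Seconds 60
        $pending = @(Get-ActiveSyncDeviceStatistics -Mailbox $SamAccountName |
            Where-Object { $_.DeviceWipeRequestTime -ne $null -and $_.DeviceWipeAckTime -eq $null })
    } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
}

if ($pending.Count -gt 0) {
    $ids = ($pending | ForEach-Object { $_.DeviceId }) -join ', '
    Write-Warning "Wipe not acknowledged within $AckTimeoutMinutes min by: $ids"
    # Escalate here (ticket, MDM, carrier) before cutting access: once the
    # account is disabled the pending wipe can never be delivered.
}

# 3. Now revoke access: random password first, then disable
$random = [guid]::NewGuid().ToString()
Set-ADAccountPassword -Identity $SamAccountName -Reset `
    -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)
Disable-ADAccount -Identity $SamAccountName
Write-Host "$SamAccountName disabled after wipe sequence"
```

The order is the whole point: the disable and password reset are the last step, not the first. A device that is switched off for the entire window still ends up with access cut but unwiped, which is why the script warns instead of silently proceeding; in a FIM deployment this sequence would sit in the workflow that runs before the disable attribute flow reaches the AD MA.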

FIM SSPR Client - Chinese Language Pack - Selected Keyboard Language Ignored


We're currently deploying the FIM 2010 R2 SP1 SSPR client and Chinese Language Pack to our Asia Pacific users. Several of our test users have reported that the currently selected keyboard language (they have the option of switching between English and Chinese Traditional) is ignored and defaults to English when entering challenge question answers.

The Chinese Traditional Language Pack is installed and matches the server-side language pack version. End users have no problem registering and resetting their passwords, via the web portals, in Chinese, but when using the SSPR client the keyboard language always defaults to English, and there seems to be no way to force the Chinese keyboard character set.

Any help would be greatly appreciated!

Austin

FIM Web Service client


Hello,

I want to use the FIM Web Service to force a user to register his password when he connects to FIM.

Can I redirect the page, or do something else? Does anyone have experience of that?

Any ideas?

Thanks

How to dereference objects during export flow


Hello!

I would like to export information from a referenced object during export flow but the referenced object is not part of the connector space object of the affected management agent. This is my demo configuration:

testEmployeeData:
- employeeId (anchor)
- personId (reference to testPerson object)
- telephoneNumber
- uid

testPerson:
- displayName
- givenName
- sn
- uid (anchor)
- employeeData (multi-value reference to testEmployeeData records; can be null)

I have an SQL agent ("HR") that imports person and employeeData objects into the metaverse. The references seem to work as I can see them in the Sync Service Manager and they point to the right objects too. Now I would like to access some of the referenced objects' data during export attribute flow. I have configured an export-only "Persons" agent that should export the personal data into an attribute-value file. This is what I would like the export flow to look like:

displayName <- testPerson.displayName
employeeId (multi-value) <- testEmployeeData.employeeId (*)
firstName <- testPerson.firstName
lastName <- testPerson.sn
uid <- testPerson.uid

The problem now is the advanced attribute flow marked with (*). The testPerson.employeeData field contains a multi-valued reference to all matching employeeData records, which contain the employeeId. The output file should contain all matching employeeIds instead of the reference values (GUIDs), but I can't get this to work. When I try to configure an advanced export flow rule flowing testPerson.employeeData to person.employeeId, I just receive an error message stating that metaverse reference attributes cannot be defined as source attributes.

Do I have to create an appropriate connector space object for this to work? Or is there some other way to dereference objects in order to get certain attributes? By the way, the person connector space object in the "Persons" agent is created by provisioning code based on testPerson metaverse objects.

Regards,

Philipp

Windows Azure Active Directory Connector - Password Synchronisation


Hi All,

New to FIM, so apologies if this has been answered already elsewhere.

Reading the TechNet articles, it mentions that the Azure Active Directory connector does not synchronise passwords when it synchronises accounts from on-premises AD to Azure Active Directory.

So the question is: is this still the case?

Do we still need to use AD FS to provide single sign-on for cloud applications via the on-premises AD?

Or are there potential solutions available?

I understand DirSync does password hash synchronisation but is unsuitable for multiple-forest, multiple-Exchange scenarios. Unfortunately, we are such an organisation. Hence, DirSync does not seem to be an option.

Please advise.

Regards,

Ajay Suri


Resource SID not populated on new users


I'm having a problem in FIM 2010 R2 SP1 where the Resource SID is not being populated for new users that are synced and, thus, they cannot access the password registration portal; they get the error "The current user account is not recognized by Forefront Identity Manager. Please contact your help desk or system administrator. (Error 3003)".

I can verify this by searching for the users in the FIM Portal, then Provisioning --> Advanced View --> Extended Attributes. Resource SID says "No value specified for this attribute." I can fix this problem with this script, but I'd like it automated.

In my FIMMA I have Person: objectSID export to Person: objectSID

In my ADMA I have user: objectSID import to Person: objectSID

I have searched around quite a bit but cannot find the resolution for this. I'm fairly new to FIM and would appreciate any guidance on this problem.

Thanks!
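
A check that tells you, per account, whether the FIM Service Person carries the same SID as the AD user, added here as an example (not from the original post and not Microsoft's code). It assumes the FIMAutomation snap-in and the ActiveDirectory module on the same host, that Person.AccountName holds the sAMAccountName, and that Export-FIMConfig returns binary attributes such as ObjectSID as base64 strings; the account name at the end is a placeholder.

```powershell
# Added example (not from the original post). Compares the AD objectSid with
# the ObjectSID the FIM Service holds for the matching Person, which is what
# the registration portal matches the logged-on user against.
# Assumed: FIMAutomation snap-in + ActiveDirectory module on this host,
# Person.AccountName = sAMAccountName, binary attributes exported as base64.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-FimPersonSid {
    param([Parameter(Mandatory = $true)][string]$AccountName)

    # The name is embedded in an XPath filter: refuse anything that could
    # break out of the string literal rather than try to escape it.
    if ($AccountName -match "['\x22]") { throw "Invalid account name: $AccountName" }

    $export = @(Export-FIMConfig -CustomConfig "/Person[AccountName='$AccountName']" -OnlyBaseResources)
    if ($export.Count -ne 1) { return $null }   # no Person, or an ambiguous match

    $attr = $export[0].ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq 'ObjectSID' }
    if (-not $attr -or [string]::IsNullOrEmpty($attr.Value)) { return $null }

    # Assumption: the binary value is returned base64-encoded
    $bytes = [Convert]::FromBase64String($attr.Value)
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-FimSidMatch {
    param([Parameter(Mandatory = $true)][string]$AccountName)
    $adSid  = (Get-ADUser -Identity $AccountName).SID
    $fimSid = Get-FimPersonSid -AccountName $AccountName
    if ($null -eq $fimSid) {
        return "$AccountName : FIM Person has no ObjectSID (portal answers error 3003)"
    }
    if ($fimSid.Value -ne $adSid.Value) {
        return "$AccountName : SID mismatch, AD=$($adSid.Value) FIM=$($fimSid.Value)"
    }
    "$AccountName : OK ($($adSid.Value))"
}

Test-FimSidMatch -AccountName 'jdoe'   # 'jdoe' is a placeholder
```

Run it against one account that works and one that fails. If the AD SID is present but the FIM side is empty, the gap is between the metaverse and the FIM MA export (pending exports or export errors on the FIM MA); a mismatch rather than an empty value points at a join to the wrong object.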


Forefront Identity Manager Service does not start


I have (or had) a functioning FIM environment until yesterday, when the FIM Service stopped. The service will not start automatically, and when I try to start it manually I get the error

"The Forefront Identity Manager Service service on Local Computer started and then stopped..."

The following entries appear in the error log when I try to restart the FIM Service:

  • "Workload Monitor failed to start. Workload Manager functionality will be turned off. As a result, you may notice decreased performance in the FIM portal or in policy application scenarios. The detailed error information is in the following error report. If you correct the underlying error and restart the service, Workload Manager functionality will be turned on."
  • "mscorlib: System.OverflowException: Arithmetic operation resulted in an overflow."
  • "System.ServiceModel: System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My',..."

There are other recent FIM related errors in the Log that are not directly related to restarting the FIM Service but I suspect are associated with the issue. 

  • "mscorlib: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://localhost:5725/ResourceManagementService/MEX that could accept the message. This is often caused by an incorrect address or SOAP action...."
  • "The Forefront Identity Manager Service could not bind to its endpoints.  This failure prevents clients from communicating with the Web services.

    A most likely cause for the failure is another service, possibly another instance of Forefront Identity Manager Service, has already bound to the endpoint.  Another, less likely cause, is that the account under which the service runs does not have permission to bind to endpoints.

    Ensure that no other processes have bound to that endpoint and that the service account has permission to bind endpoints.  Further, check the application configuration file to ensure the Forefront Identity Manager Service is binding to the correct endpoints."

Nothing has changed in the FIM environment except for a reboot of the SQL Server where the FIM DBs live. Also, we recently updated the cert that is bound to the FIM portal. However, that happened a month ago, and the portal was working fine up until yesterday. As far as I know no other change has taken place on the server, so I am at a bit of a loss to explain what has happened. Any suggestions would be appreciated.

As an aside, I have seen several posts where people have reported some of the error messages I listed above. But in all cases, it appears the issue was associated with SharePoint UPS, which we are not using.

Thanks
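
A triage script for the two conditions the event log entries above point at, added here as an example (not from the original post and not Microsoft's code). It assumes the Windows service name FIMService, the default FIM Service certificate subject CN=ForefrontIdentityManager, and the default Resource Management Service port 5725; adjust those if your install differs.

```powershell
# Added example (not from the original post): triage for the two causes the
# event log names, a certificate the service cannot find and an endpoint it
# cannot bind. Assumed: service name FIMService, default certificate subject
# CN=ForefrontIdentityManager, default Resource Management Service port 5725.
$serviceName = 'FIMService'
$certSubject = 'CN=ForefrontIdentityManager'
$port        = 5725

$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) { throw "Service $serviceName not found on this host" }
"Service state: {0}; runs as: {1}" -f $svc.State, $svc.StartName

# 1. Certificate: present in LocalMachine\My, with a private key, not expired?
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject '$certSubject' in LocalMachine\My: this matches the X.509 search failure"
}
foreach ($c in $certs) {
    $state = 'usable'
    if (-not $c.HasPrivateKey) { $state = 'NO PRIVATE KEY' }
    elseif ($c.NotAfter -lt (Get-Date)) { $state = 'EXPIRED' }
    "Cert {0}: {1}, valid until {2}" -f $c.Thumbprint, $state, $c.NotAfter
}

# 2. Endpoint: is some other process already listening on the service port?
$pattern   = "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING\s+(\d+)\s*$"
$listeners = @(netstat -ano -p tcp | Select-String -Pattern $pattern)
if ($listeners.Count -eq 0) {
    "Nothing is listening on TCP $port, so the bind failure is not a port conflict"
}
foreach ($l in $listeners) {
    $ownerPid = [int]$l.Matches[0].Groups[1].Value
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    "TCP {0} is already bound by PID {1} ({2})" -f $port, $ownerPid, $proc.ProcessName
}
```

If the certificate is present and unexpired but the service still logs the X.509 error, check that the account shown on the first line has read access to the private key (certificates MMC, All Tasks, Manage Private Keys); the store search succeeds but the key open fails with the same net effect. If another PID holds the port, the service cannot bind until that process is gone.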

SUN/Oracle directory user entry DN rename (move)


Hi,

Version FIM2010R2SP1 with latest publicly available hotfix rollup applied.

Use case: a legacy enterprise directory (SUN iPlanet 5.2) has users in different (ou) branches under the same tree depending on their current job. If they are transferred to another part of the organisation in the HR system, the requirement is to move their user entry in this directory into a different ou.

MA/Connector: Out of the box Sun/Oracle directory MA

e.g. (dn) uid=hsmith001, ou=Sales,o=MyOrg.com

moved to:

(dn) uid=hsmith001, ou=Cleaners,o=MyOrg.com

When the export is run to the connected directory, the "move" does actually happen in the connected source (the SUN directory server). So far so good.

The connector space object is now marked as 'Awaiting export confirmation' (which is meant to occur on the next import).

When an import is run, instead of the expected confirmation, FIM creates a new connector space object with the new (renamed) dn but retains the existing object i.e. it doesn't join up the existing object that is awaiting export confirmation. At the same time it reports an error "ambiguous-import-flow-from-multiple-connectors" because it is seeing two objects with the same RDN.

It appears that with this connector connected to Sun Directory v5.1 and newer, you don't get to choose which attribute(s) you use for the anchor; it chooses the dn.

It's puzzling why this issue exists in a technology set that has been around for years, so we are assuming that there is workaround or solution to this problem.

N.B. This problem has been replicated on two completely independent environments by different people in our organisation.

Any help/advice/suggestions would be most welcome.

David.

 

FIM authorization and attestation of user access?


Hi,

Does FIM (out of the box) allow for authorization and attestation of user access requests?

thanks

DW

Can one migrate SSPR without requiring registered users to re-register?


Hi,

Assume a lab environment was used for an SSPR POC (Question & Answer). Can one migrate a FIM SSPR solution without requiring registered users to re-register?

thanks

dw




FIM R2 SP1 & Sharepoint Designer 2013


Hello all,

We successfully installed FIM R2 SP1 on SharePoint Foundation 2013.

The portal is running and at first glance it looks fine.

Unfortunately we have no way to open the FIM site via SharePoint Designer.

We receive the following error message: "Object moved: Object moved to here"

Any ideas or suggestions?

Kind regards, Fatih

Requests not generating with Built in Sync Account on FIM Portal


Hello All,

While exporting attributes to the FIM Portal, for a few attributes the request is not being generated by the Built-in Synchronization Account, whereas it was being generated earlier. Has anyone seen a scenario in which the requestor (Built-in Synchronization Account) is not able to generate the requests in the FIM Portal? This is despite the fact that the attribute's value is being updated for the user in the FIM Portal: I can see the attribute's updated value, and the time in the metaverse is changed too for the same attribute. As of now I believe that whenever any attribute of a user changes, and the requestor is FIM Portal Administrator, Built-in Synchronization Account or any other requestor, a request is generated, but in our production environment the requests are not being generated properly when exporting the changes to the FIM Portal, especially from the Built-in Synchronization Account.

Can anyone help me with this? Quick replies would be highly appreciated.

Regards,

Manuj Khurana

Encrypted email notifications

Is it possible to have the email notifications sent by FIM to be encrypted? 

PowerShell MA: Cannot bind argument to parameter 'String' because it is null.


Hi,

I'm trying to get started with the PowerShell MA. I successfully installed the MA and am trying to run the sample O365 scripts that were made available with the MA. I am able to run the Import.ps1 script successfully from the PowerShell ISE and see my users in my O365 tenant, but when I try to run a Full Import on my PowerShell MA, it fails with "stopped-extensible-extension-error". In Event Viewer I see a number of errors and warnings, one of which says "Cannot bind argument to parameter 'String' because it is null."

Any ideas? Thanks in advance. The full script is below (scrubbed):

param
(
    $Username = "admin@tenant.onmicrosoft.com",
    $Password = "password"
)

# The MA passes its configured credentials in as -Username/-Password. An empty
# password reaches ConvertTo-SecureString as $null, which is exactly the
# "Cannot bind argument to parameter 'String' because it is null" error, so
# fail early with a clear message instead.
if ([string]::IsNullOrEmpty($Username) -or [string]::IsNullOrEmpty($Password)) {
    throw "Username and Password must both be supplied to the import script"
}

Import-Module MSOnline -Force

$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword

Connect-MsolService -Credential $Creds

$Threshold = 0

# Licensed users in the contoso.com domain only (dot escaped so it is literal).
# @() guarantees .Count exists even when zero or one user comes back.
$Users = @(Get-MsolUser -MaxResults 20000 |
    Where-Object { ($_.IsLicensed) -and ($_.UserPrincipalName -match 'contoso\.com$') })

if ($Users.Count -lt $Threshold)
{
    throw "Less users than expected returned from MSOnline"
}

# Always pass objects as hash table in pipeline
foreach ($User in $Users)
{
    $obj = @{}
    $obj.Add("Id", $User.UserPrincipalName)
    $obj.Add("objectClass", "user")
    $obj.Add("IsLicensed", $User.IsLicensed)
    $obj
}

Distribution List & Members & E-mail


Hi there,

I have a scenario. How do I do this?

DLs: DG1, DG2, DG3 (all have a value in the email attribute)

Members: M1, M2, M3, M4, M5

DLs | Members
DG1 | M1, M2
DG2 | M1, M3, M5
DG3 | M3, M4

I want ONLY members M1 and M3 to be able to SEND E-MAILS to the DLs (DG1, DG2, DG3).

How do I do that?
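
The restriction in the scenario expressed as Exchange delivery-restriction settings, added here as an example (not from the original post and not Microsoft's code). It assumes an Exchange Management Shell session (Exchange 2010/2013 cmdlets) and that DG1..DG3, M1 and M3 resolve as recipient identities (alias, name or SMTP address).

```powershell
# Added example (not from the original post). Allows only M1 and M3 to send
# to DG1, DG2 and DG3. Assumed: Exchange Management Shell session, and that
# the names below resolve to the groups and mailboxes in the scenario.
$groups  = 'DG1', 'DG2', 'DG3'
$senders = 'M1', 'M3'

foreach ($g in $groups) {
    # AcceptMessagesOnlyFrom is a sender allow-list. It replaces the existing
    # list and is independent of membership, so M3 can send to DG1 without
    # being a member of it; every other sender gets an NDR.
    Set-DistributionGroup -Identity $g -AcceptMessagesOnlyFrom $senders
}

# Verify. RequireSenderAuthenticationEnabled stays $true (the default) so an
# unauthenticated external message that spoofs M1's address is still rejected.
foreach ($g in $groups) {
    Get-DistributionGroup -Identity $g |
        Select-Object Name, RequireSenderAuthenticationEnabled,
            @{ n = 'AllowedSenders'; e = { ($_.AcceptMessagesOnlyFrom | ForEach-Object { $_.Name }) -join ', ' } }
}
```

If the groups are provisioned by FIM rather than by hand, the same setting is the multi-valued DN attribute authOrig on the group object in AD, which the AD MA can flow from a reference attribute in the metaverse.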

FIM for System Access Management


Hi All,

New to FIM, so apologies for asking if it has already been answered elsewhere.

I have some understanding of what the FIM architecture components are.

I have a particular scenario and I wanted to discuss if and how FIM can support it, please.

Say there is an internal system within the company, let us say a web application with a SQL Server database.

Assume the users for this application are managed locally in the database, in a users table.

The web application has a module for user management that admins can use to manage users.

Let us assume the account on the system consists of account name, password, profile and a set of 10 roles that the user can choose from.

If I want to use FIM to manage user access to this system (and get rid of the admin function on the application itself), will I be able to create a system in the FIM Portal with add, modify, delete and password reset functions, so that users can make applications accordingly? I would like to use FIM's built-in application forms, workflow and approval processes, and I am ready to build a custom adapter that the Synchronization Service will use to call a user management web service written by the developers of this application.

Users don't get access to this application by default. They only apply if their job requires them to.

Please advise.

Regards,

Ajay Suri

OTP SSPR greyed out email address not showing


Hi,

According to http://technet.microsoft.com/en-us/library/jj134288(v=ws.10).aspx#email_gate if the SSPR Registration mode is set to Read-Only then the user will be presented with the screen showing them their registered email address in read only/greyed out mode.

However, we have just deployed this solution in both lab and production, and neither displays the greyed-out registered email. Has one of the service packs/hotfixes changed this?

thanks,

dw

How to create PowerShell variables from a hash table?


How to create PowerShell variables from a hash table?
I get from the function evaluator a hash table that looks like this:

Name                           Value
----                           -----
samid                          123456
pw                             Pa$$1234

I need to convert it into PowerShell variables with values:

$samid = 123456
$pw = 'Pa$$1234'

How to?


GH
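
One way to do this without building "$key = $value" text and feeding it to Invoke-Expression (which would execute whatever the value contains, and a value like a password is attacker-influenced text), added here as an example that is not from the original post. The sample hash table is constructed to mirror the one in the post; the function name is mine.

```powershell
# Added example (not from the original post). Creates one variable per hash
# table key in the caller's scope with Set-Variable. Values are never parsed
# as code, so a value containing ';', '$(' or quotes cannot run anything.
function ConvertTo-Variables {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Table
    )
    foreach ($key in $Table.Keys) {
        # Only plain identifiers become variables; anything else is an error,
        # not an opportunity to smuggle in syntax.
        if ($key -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') {
            throw "Hash table key '$key' is not a valid variable name"
        }
        # -Scope 1 is the caller of this function. Set-Variable refuses to
        # overwrite read-only or constant variables such as $PSHome.
        Set-Variable -Name $key -Value $Table[$key] -Scope 1
    }
}

# Constructed sample, same shape as the function evaluator output in the post
$fromEvaluator = @{ samid = 123456; pw = 'Pa$$1234' }
ConvertTo-Variables -Table $fromEvaluator

"samid = $samid"
"pw is $($pw.Length) characters long"

# If the password is about to be used for a credential, convert it straight
# away and drop the clear-text copy from the session.
$securePw = ConvertTo-SecureString $pw -AsPlainText -Force
Remove-Variable pw
```

Calling the function from a script puts the variables in that script's scope; calling it from a nested function puts them in that function's scope, which is usually what you want because the values then disappear when it returns.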




