Channel: Forum Microsoft Identity Manager

FIM CM 2010 R2 Agents Certificates and KSP support


Is KSP supported for the FIM CM 2010 R2 Agents Certificates?

Found this http://social.technet.microsoft.com/Forums/en-US/79cc3444-c7a3-43c8-bd19-170ac052afd5/clarification-on-fim-cm-support-for-ksp?forum=ilm2

but not sure if this still applies?

also found this, http://clausjespersen.wordpress.com/2010/03/15/fim-cm-certificates-protected-by-safenet-hsm/

But I was unable to configure the SafeNet CSP on the templates.

I am using SafeNet Luna Client 5.2.1, the CA is working on a FOC, with KSP.

FIM will be installed on an NLB.

Andrés Z.


andresz


PCNS support on Windows Server 2012 R2?

Exchange 2010 provisioning via FIM fails with a HTTP 403 error using WinRM


Hello,

I am attempting to provision a mail enabled contact on Exchange 2010 using FIM 2010. FIM silently fails but I get an error in the Application log:

Message: Connecting to remote server {cas array uri} failed with the following error message : The WinRM client received an HTTP status code of 403 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic.

This is actually an improvement as it was failing with a Kerberos error previously until I set up an Alternate Service Account for my CAS Array. I can connect with Outlook via Kerberos so I know Kerberos is working. Also, since the error changed to an HTTP 403 it seems I am at least getting my credentials through, but there is now a permission problem.

The account that FIM is running under has AD permissions to create the object in the OU specified. I have also temporarily made it an Exchange Admin but I still get the error. I have not been able to find any info on permissions to grant or what else I might be doing wrong in this instance.

I am using code provisioning: ExchangeUtils.CreateMailEnabledContact

UPDATE:
I can reproduce the error trying to manually establish a PSSession:

$Ex2010Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://{cas-array-uri}/powershell/ -Authentication Kerberos -Credential (Get-Credential)

This generates the same error as above (HTTP 403).

Any hints?

Thank you!
Karl


There is no such object on the server error running the FIM CM 2010 R2 Configuration Wizard


Working on a lab.

When Running the FIM CM Configuration Wizard there is this error "There is no such object on the server"

The CM application on IIS is created, and the database is also created. All I have found are three DCOM 10028 events in the System event log, with this:

DCOM was unable to communicate with the computer OLDCAServer.domain using any of the configured protocols; requested by PID 87c (C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\Microsoft.Clm.Config.exe).

This shows for 3 different CA computer objects that are no longer in the lab.

Any ideas? Or is there a way to create a diagnostic log while the Configuration Wizard is executing?

Thanks,

Andres Z.


andresz

Lync online and DirSync


Hi,

It's probably an easy question for most of you: can DirSync also provision a Lync Online account in the O365 cloud, or is this something that has to be done via FIM?

thanks,

dw

Attribute is read only: how to change value of mventry, not included in flow?


Hi! 

I have the following problem:
I need to generate a login attribute while importing employee data from the HR system. The login attribute has the following format:
Axx00zzz, where:
- A - constant letter;
- XX - code of the employee's department;
- ZZZ - ordinal number of the employee in the department.
I decided to store an employeeQuantity attribute in the department object and, after generating the login for a new employee, increment this value. So, I wrote a MapAttributesForImport rule to generate the login:
1. Use the department attribute of the employee csentry and Utils.FindMVEntries to find the appropriate mventry object of the employee's department;
2. Get departmentCode and employeeQuantity from this object and use them to generate the login.
3. Then I need to increment (++) the value of the employeeQuantity attribute of the department mventry object, but I got the "attribute is read only" error, because this attribute is not in the flow. But I cannot add it into the flow, because I would need to join the person object and the department object before that, which is not right at all.

Need any help and possible directions of solving problem.

Thanks in advance.
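An added example, not code from the post above, of the Axx00zzz scheme implemented without a counter attribute on the department object: the next ordinal is derived from the logins already issued in that department, which the caller supplies, so nothing has to be written to a metaverse object from an import flow rule. It goes beyond the post in handling gaps and exhaustion. Assumptions: the "00" in the middle of the format is a literal (the post does not explain it), department codes are exactly two alphanumeric characters, and the ordinal runs from 001 to 999. The function name and the sample logins are constructed for the example.

```powershell
# Added example (not the poster's code). Builds a login of the form Axx00zzz and
# picks the next free ordinal from the logins that already exist in the department.
function New-EmployeeLogin {
    param(
        [Parameter(Mandatory)] [string]   $DepartmentCode,       # the XX part
        [string[]] $ExistingLogins = @(),                        # logins already issued (any department)
        [char]     $Prefix = 'A'                                 # the constant leading letter
    )

    # Assumption: two alphanumeric characters; anything else is rejected up front.
    if ($DepartmentCode -notmatch '^[A-Za-z0-9]{2}$') {
        throw "Department code '$DepartmentCode' must be exactly two alphanumeric characters"
    }

    # Only logins that match this department's own pattern count. Other departments
    # and legacy formats in the input are ignored rather than mis-parsed.
    $pattern = '^' + [regex]::Escape("$Prefix$DepartmentCode" + '00') + '(\d{3})$'
    $used = @(foreach ($login in $ExistingLogins) {
        if ($login -match $pattern) { [int] $Matches[1] }
    })

    # Highest issued number + 1, not count + 1: a login that was retired leaves a gap,
    # so its number is never handed to a different person.
    $next = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }

    # Three digits only; refuse rather than silently wrap or produce a nine-character login.
    if ($next -gt 999) {
        throw "Department $DepartmentCode has used all 999 login numbers"
    }

    return '{0}{1}00{2:D3}' -f $Prefix, $DepartmentCode, $next
}

# Constructed sample input: two departments already have logins, IT has a gap at 002,
# and one entry does not follow the scheme at all.
$existing = 'AIT00001', 'AIT00003', 'AHR00007', 'legacyuser'
New-EmployeeLogin -DepartmentCode 'IT' -ExistingLogins $existing
New-EmployeeLogin -DepartmentCode 'HR' -ExistingLogins $existing
New-EmployeeLogin -DepartmentCode 'QA'
```

The set of existing logins can be collected from the metaverse before the import run (for example by exporting the login attribute of all person objects) and handed to the function; because the number is recomputed from what is actually issued, a failed or rolled-back import does not leave a counter out of step with the directory.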

FIM portal accessible on http but not on https

WBEMTEST Returns no results with domain and account but three results with mvguid


Hi,

In our development environment, password resets have stopped working.

The log file says that the "Password Reset Activity could not find Mv record for user."

Searching based on that error, I checked all the WMI configurations and ran WBEMTEST with the FIM Service account.

The query returns no results when I search with this:

"SELECT * FROM MIIS_CSObject WHERE (Domain='Dev' and Account='JonesD')"

But I get three results when I search with this:

"SELECT * FROM MIIS_CSObject WHERE mvguid='{1DA04649-18AA-BD1B-005056A30072}'"

The account has the account name and domain populated in the metaverse.

If anyone has any guidance on this, I'd appreciate any help.

Many thanks,

Sami


Password Synchronization


I am trying to configure password synchronization for my organization. We have two domains, research and hospital. Each domain contains user accounts and admin accounts that join in the FIM metaverse; they do not join cross-domain. We have successfully implemented password synchronization for the hospital domain but cannot seem to get it working for the research domain. My question is, for the SPN on PCNS, would we need separate SPNs on each domain even if the SPN we are using on the hospital domain is registered forest-wide?

Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users


The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.

General Availability of PowerShell Connector

The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems, but also to pre-/post-process data and files before they are handed over to the FIM Synchronization Service. We believe the community will help provide scripts for this Connector for various systems, and we will open a place where scripts can be published for reuse.

TechNet docs:   http://go.microsoft.com/fwlink/?LinkID=393057

Download:          http://go.microsoft.com/fwlink/?LinkID=393056

Release Candidate of Generic SQL Connector

The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download and is required for the Connector to work.

Download:          https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652

Release Candidate of SAP Users and Roles/Groups

The updated SAP templates for Users and Roles/Groups allow you to manage Users, Roles, and Groups in SAP. This also includes password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these with BHOLD. This template requires the previously published WebService Connector: http://go.microsoft.com/fwlink/?LinkID=235883.

Download:          https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651

If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before then to get access to the preview programs on Connect either join the program “Identity and Access Management”, “FIM Synchronization Service Connectors Pre-release” on http://connect.microsoft.com/directory or follow this link http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1

We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.

                On behalf of the FIM Sync team,

                /Andreas Kjellman

Azure FIM for on-prem

Hi,

We have ADFS on-prem and we are planning to set up ADFS Proxy for Office 365 SharePoint. This also requires DirSync.
So we need to add three additional servers: two ADFS Proxy and one FIM.
The main challenge is cost and we are trying to reduce it.
Now we have Salesforce hosted on the Azure platform, where we have AD, ADFS, ADFS Proxy and FIM. This is a completely separate external environment and is not connected with on-prem.
The question is: can I use the FIM sync hosted on Azure for my Office 365 SharePoint requirement? Can I connect my internal AD to the Azure FIM and then to Office 365 SharePoint?

Thanks in advance.

WAAD Connector for FIM Problem


I have a new FIM 2010 R2 box running v4.1.3496.0.

I have installed .Net4, sign-in assistant for WAAD and the latest version of the connector v1.0.6635.0069 from last month.

I managed to create a new MA in FIM no problem but when I tried out the first Full Import I am getting an odd error

Failure while importing entries from Windows Azure Active Directory. Exception: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
   at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEntryChange(SyncObject syncObject)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
   at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
   at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep).

Can anyone tell me why I might be getting this error?

Thanks


andy

Exporting newly provisioned items to SQL


Hello All!

I have a SQL MA that I am using to hold mail-enabled AD objects. When I provision new items imported from AD into the SQL connector space they are exported cleanly to SQL. However, upon the next import on the SQL MA the newly exported items show as Adds. The anchor value is the same as originally created during provisioning. Once I perform a sync they show up as unchanged on subsequent imports.

Is this part of the process or is something odd going on? Here is my provisioning code (ID is anchor). I do believe I can remove the DN code but I get the same response.

CSEntry newCSEntry = this.Connectors.StartNewConnector(MVEntry.ObjectType);
ReferenceValue dn = this.CreateDN("{" + this.MVEntry.ObjectID.ToString().ToUpper() + "}");
newCSEntry.DN = dn;
newCSEntry["ID"].StringValue = "{" + this.MVEntry.ObjectID.ToString().ToUpper() + "}";
newCSEntry.CommitNewConnector();

UPDATE:
This also happens when I flow an update to an object already connected to both AD and SQL. I make a change in AD, it flows across and successfully updates SQL. Upon the next import from SQL it shows an update for the same object and the same attributes are being modified. There are no duplicate objects, so I am not understanding this process.

Thank you!
Karl


FIM Synchronization Service doesn't start


Hi,

Recently we migrated the FIM database from the local SQL Server to a SQL 2012 cluster. I used the following guide to configure the DB-related settings. Things worked fine.

http://social.technet.microsoft.com/wiki/contents/articles/5465.fimilm-how-to-move-the-backend-sql-server-synchronization-service-database.aspx

However, after I uninstalled the local SQL Server and rebooted the server, the FIM service doesn't start. The error message is:

The Forefront Identity Manager Synchronization Service depends on the following service: MSSQLSERVER. This service might not be installed. (Event ID 7003).

How to fix this problem?

Thank you for your help.


DirSync on 2012 servers while DCs, ADFS and ADFS proxy are on 2008


I have my DC forest and domain functional level at 2008 Server.

Now ADFS and ADFS Proxy will be on 2008 R2.

I want to have DirSync on a 2012 server.

Is that OK?


Issue with KB2913228 (build 4.1.3508.0)


I'm trying to install build 4.1.3508.0 on a RTM environment. Both FIM Sync & Service are on the same server and SQL is on another server.

The message I get is "Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.ResourceManagementException:  Database is not compatible with this binary."

Before the update my fim.version is "1112, 4.1.2273.0" after it is "1112, 4.1.3508.0"

If I read the KB it states that this hotfix replaces ALL previous hotfixes so starting from RTM should be fine...

Anyone else encountered this?

Here are the last lines of databaseupgrade_tracelog.txt

Microsoft.ResourceManagement Verbose: 0 : Database upgrade : Out-of-box object upgrade completed.
    DateTime=2014-03-17T10:47:37.6458316Z
Microsoft.ResourceManagement Verbose: 0 : Database ugrade : Completed successfully.
    DateTime=2014-03-17T10:47:38.0677066Z
Microsoft.ResourceManagement Verbose: 0 : Database upgrade : Database version upgraded from: 1112 to: 1112
    DateTime=2014-03-17T10:47:38.0677066Z

Could it be that the last hotfix simply forgets to write a newer (1120) number to that field?


http://setspn.blogspot.com

Check For How Many CSEntry Objects Before Import


All,

My implementation is almost 100% automated. I have several SQL Server management agents (some authoritative, some not). I've coded "sanity" checks for the authoritative sources into the identity management system being replaced to abort if too many objects change at once. This keeps me from turning off or deleting thousands of accounts at one time.

Is there a way to check how many objects are going to be changed during an import, before the import starts? Or maybe check it as the import runs and abort the entire import? I don't see anything obvious in the FIM classes that would make this possible.

Can this information be obtained before a sync runs?

I'm also open to other ideas and thoughts.

Thanks,

Greg Wilkerson
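An added example, not the poster's code, of one way to put such a sanity check around a FIM run: import in stage-only mode, read the staging counters of that run from the WMI run history, and only run the synchronization profile when the staged adds and deletes are under a threshold. The MA name, run-profile names and thresholds are assumptions for the example, as are the element names it reads from the run-history XML (staging-counters, stage-add, stage-update, stage-delete) for a single-step import profile.

```powershell
# Added example (not the poster's code). Gate a synchronization run on the staging
# counters of a stage-only import. Assumed names: MA "HR SQL MA", run profiles
# "Full Import (Stage Only)" and "Delta Synchronization"; thresholds are assumptions.
param(
    [string] $MaName        = 'HR SQL MA',
    [string] $ImportProfile = 'Full Import (Stage Only)',
    [string] $SyncProfile   = 'Delta Synchronization',
    [int]    $MaxAdds       = 500,
    [int]    $MaxDeletes    = 50
)

$ns = 'root\MicrosoftIdentityIntegrationServer'
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
if (-not $ma) { throw "Management agent '$MaName' not found" }

# Step 1: stage only. This writes to the connector space but changes nothing in the
# metaverse or in any target system, so the result can be inspected before committing.
$result = $ma.Execute($ImportProfile).ReturnValue
if ($result -ne 'success') {
    throw "Import profile '$ImportProfile' ended with '$result'; not running sync"
}

# Step 2: read the counters of the run that just finished. Execute() blocks until the
# run completes, so RunDetails() describes this run. Element names are an assumption
# about the run-history XML for a one-step import profile.
[xml] $history = $ma.RunDetails().ReturnValue
$steps    = @($history.'run-history'.'run-details'.'step-details')
$counters = $steps[0].'staging-counters'
$adds     = [int] $counters.'stage-add'
$updates  = [int] $counters.'stage-update'
$deletes  = [int] $counters.'stage-delete'
Write-Host ("{0}: staged {1} adds, {2} updates, {3} deletes" -f $MaName, $adds, $updates, $deletes)

# Step 3: gate the sync. Staged deletes are what turn accounts off downstream, so they
# get the tighter limit; adds get a looser one.
if ($deletes -gt $MaxDeletes -or $adds -gt $MaxAdds) {
    $msg = 'Threshold exceeded (adds {0}/{1}, deletes {2}/{3}); sync skipped, review the connector space before continuing' -f $adds, $MaxAdds, $deletes, $MaxDeletes
    throw $msg
}

$result = $ma.Execute($SyncProfile).ReturnValue
if ($result -ne 'success') { throw "Sync profile '$SyncProfile' ended with '$result'" }
```

Run it under the account that is allowed to execute run profiles (the WMI namespace is restricted to the FIM security groups). The check happens between staging and synchronization rather than before the import starts, because the connector space is the first place FIM knows what the source is about to change; an import that is stopped here leaves pending changes staged and nothing applied, which is the state you want to review by hand.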

Add a new directory container (OU) to existing Galsync Management Agent.


I have to include a new Container at source side to the Galsync Management Agent. Even after I selected the new container, it doesn't import user objects from there. My regular sync profile is scheduled for Delta Import & Export. Do I have to run a Full Import & Full Synchronization? Or Full Import (Stage Only) + Delta Synchronization will do the job. 

MIIS 2007 environment.


Brajesh

Google MA fails To provision Users "Operation times out"


Hi,

I am facing a problem while exporting users with the Google MA. I am using the MA provided at CodePlex:

 http://fim2010gapps.codeplex.com/

I have tried using both ECMA and ECMA2 for Google Apps provisioning, but both times I faced the issue of "Operation times out". After doing a lot of searching I could not find any definite answer to my problem. To test the code I also created a console app which creates the users in Google Apps using the AppsService class available in the Google Apps provisioning APIs. Now when I try to run this console app using my admin account the app successfully creates the user in Google, but when I try to run it through the fim.sync account it fails and gives an operation timed out error, the same error which I started facing the problem with. To work around this issue I thought of calling the console process from within the MA and running it as admin. But somehow the fim.sync account only runs the application and my code is not getting applied.

Here is the code that I am using to run the console app as admin:

Process process = new Process();
process.StartInfo.FileName = exePath;                     // full path to the console app's .exe
process.StartInfo.UseShellExecute = true;                 // must be true for the "runas" verb to apply
process.StartInfo.CreateNoWindow = false;
process.StartInfo.RedirectStandardInput = false;          // redirection would require UseShellExecute = false
process.StartInfo.RedirectStandardOutput = false;
process.StartInfo.Arguments = username + " " + firstname + " " + lastname + " " + password + " " + GoogleDomain + " " + AdminUsername + " " + AdminPwd;
process.StartInfo.Verb = "runas";                         // request elevation for the child process
process.Start();

I have tried running this code from within the export entry method of the Google MA but unfortunately it did no good. I have also tried to run the exe forcefully as admin by attaching a manifest file, but that did no good either.

Here is the error that I get when fim.sync accounts runs the code which creates users in Google Apps

The following information was included with the event: 

Google.GData.Client.InvalidCredentialsException: Invalid credentials
   at Google.GData.Client.Utilities.QueryClientLoginToken(GDataCredentials gc, String serviceName, String applicationName, Boolean fUseKeepAlive, IWebProxy proxyServer, Uri clientLoginHandler)
   at Google.GData.Client.GDataGAuthRequest.QueryAuthToken(GDataCredentials gc)
   at Google.GData.Client.GDataGAuthRequest.EnsureCredentials()
   at Google.GData.Client.GDataRequest.EnsureWebRequest()
   at Google.GData.Client.GDataGAuthRequest.EnsureWebRequest()
   at Google.GData.Client.GDataGAuthRequest.CopyRequestData()
   at Google.GData.Client.GDataGAuthRequest.Execute(Int32 retryCounter)
   at Google.GData.Client.GDataGAuthRequest.Execute()
   at Google.GData.Client.Service.EntrySend(Uri feedUri, AtomBase baseEntry, GDataRequestType type, AsyncSendData data)
   at Google.GData.Client.Service.Insert(Uri feedUri, AtomEntry newEntry, AsyncSendData data)
   at Google.GData.Client.Service.Insert[TEntry](Uri feedUri, TEntry entry)
   at Google.GData.Apps.UserService.Insert(Uri feedUri, UserEntry entry)
   at Google.GData.Apps.AppsService.CreateUser(String username, String givenName, String familyName, String password)
   at GoogleProvisioningConsoleApp.Program.Main(String[] args) in c:\Users\accessadmin\Documents\Visual Studio 2012\Projects\GoogleProvisioningConsoleApp\GoogleProvisioningConsoleApp\Program.cs:line 49

the message resource is present but the message is not found in the string/message table

Any guidance or Idea would be greatly appreciated.

Thanks


New version of PowerShell Management Agent

I just released a new version of my PowerShell Management Agent. It now supports two sets of credentials, allowing for greater flexibility for your scripts security contexts. Oh, and there is added script host robustness and a few bugfixes.

http://blog.goverco.com/2014/03/new-version-of-powershell-management.html

Regards, Soren Granfeldt
blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt
