Channel: Forum Microsoft Identity Manager

Is it possible or will it be possible for an MPR to be linked to Transitions in more than ONE Set?

Hellos.

Can it be arranged for a single MPR to be fired if a user Transitions out of Set A *AND* Transitions into Set B?

In other words the Workflows associated with this MPR should be run *only* if user Was in Set A and is Now in Set B.

Our customer is not unusual. He uses 3 status levels: Active, Passive, Suspended.

There are then 3! possible changes. Initially they only wanted Notification (and other stuff done) when a User became Suspended or when a User no longer was suspended. This was easy. Just the one Set of Suspended people and 2 rules. Transition In and Transition out of it.

However, the customer now wants to be Notified when a Person leaves the Passive state and becomes Active. However, He might move Passive to Active *OR* he might move Passive to Suspended. I thought of just creating a new Set of Passive people and having a pair of MPRs for Transition In and Transition Out of this.

But. If he moves Passive -> Suspended. I get both Workflows running, one for change from Passive and another for becoming Terminated. I *guess* FIM kicks them off at same time and they run in parallel. I am also afraid they interfere with each other.

What is best way to arrange a single Workflow to run and only run when user Leaves Set A and Joins Set B?


ERE for AD is pending state only

Experts,
I created two MA in newly installed FIM 2010 R2.
1. FIM Service MA
2. ADMA

I create users in FIM Service manually. When I run import and synch, I can see users in the metaverse.

Then I created. Set>>workflow>>outbound synch rule for AD>MPR.

I am moving users into the set manually. I can see the 'AD Bound Rule' applied in ERE and status pending.
Status is pending only, although I ran all combinations of 'run profiles'. No error during the run of any MA.

I think I created the right mapping in 'outbound synch rule' and chose the option 'create resource in external system'.
I also enabled provisioning in FIM Synchronization service.

Any idea please.

Thanks,
Mann

FIM2010R2 Microsoft Powershell MA: Unable to retrieve schema

When I try to configure the Powershell MA on a Windows 2008 with FIM 2010R2 I get the following error:

Unable to retrive schema: Error: An anchor attribute defined by the extension must not be of type Reference or Boolean. A multivalued value defined by the extension must not be of type Boolean.

And the following eventlog message:

The extensible extension returned an unsupported error.
The stack trace is:
"Microsoft.MetadirectoryServices.ExtensionException: The Schema returned from the PowerShell compliant server is null
  at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.ConfigBridge.GetSchema()
  Forefront Identity Manager 4.1.3508.0"

I have another post about configuring the MS PowerShell MA http://social.technet.microsoft.com/Forums/en-US/54bb4846-4de8-4128-b8bb-adfe50d16c6f/fim2010r2-powershell-connector-create-new-ma-gives-error-emmsschemaclassnotfound?forum=ilm2 on a Windows 2012 server, where I got the same error if I didn't create the Powershell folder under the extensions folder and place the FIMPowerShellConnectorModule.psm1 module there. After this I got another error, also about schema not found. Not sure if these two are connected or not.

But when I tried to do the installation and configuration on another lab server "Win2008" I got stuck on the first error, and on this server it didn't help to create the powershell folder.

I could also see that it doesn't even run the GetSchema cmdlet, and this is the trace file generated from config:

ConnectorsLog Verbose: 0 : Method Name : PowerShellConnector : .ctor
Initiated PowerShellConnector Constructor
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : .ctor
Initiated BridgeBase constructor
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : .ctor
Initiated ConfigParametersParser constructor
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
Initiated the Parsing of the Configuration Parameters
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConnectivityParams
Initiated the Parsing of the Connectivity Page Parameters
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConnectivityParams
Parsing of the Connectivity Page Parameters completed
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : SetPSCredential
Constructing PowerShell credential object
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : SetPSCredential
Constructing PSCredential for user: lumaville\administrator
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
Construction of the PowerShell credential object completed
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
LogonType selected is None, ImpersonateConnectorAccount is False, LoadUserProfileWhenImpersonating is False
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
Parsing of the Configuration Parameters completed
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : IntializeContext
Initializing the PowerShell context with the following PowerShell credentials
ConnectorsLog Verbose: 0 : Method Name : PowerShellContext : IsScriptSigned
Script signed is False
ConnectorsLog Verbose: 0 : Method Name : PowerShellConnector : GetSchema
IntializeContext completed
ConnectorsLog Verbose: 0 : Method Name : PowerShellConnector : GetSchema
Initiated ConfigBridge constructor
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Generating the temporary file path for the PowerShell script
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Creating a file in the following temporary file path C:\Windows\TEMP\FIMPowerShellConnectorModule.psm1
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
The temporary file path for the PowerShell script created
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Generating the temporary file path for the PowerShell script
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Creating a file in the following temporary file path C:\Windows\TEMP\ss2xvrzw.ps1
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
The temporary file path for the PowerShell script created
ConnectorsLog Information: 1 : Method Name : ConfigBridge : GetSchema
Initiated GetSchema method
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : .ctor
Initiated ParameterBuilder Constructor
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : GetConfigCommandParameters
Fetching the configuration command parameters
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : GetConfigCommandParameters
Script type : Schema
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : GetConfigCommandParameters
GetConfigCommandParameters completed
ConnectorsLog Verbose: 0 : Method Name : ConfigBridge : GetSchema
Executing the Schema script present at the following path C:\Windows\TEMP\ss2xvrzw.ps1
ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : InvokePowerShell
Invoke PowerShell to execute the PowerShell commands and get the output as PowerShell Object collection
ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : Initialize
Creating a new PowerShell instance
ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : Initialize
Creation of new PowerShell instance completed
ConnectorsLog Information: 1 : Method Name : PowerShellRun


Ulf Lindström

Workflow approvals in OWA 2013 - App Error something went wrong

Hi,

We are testing an attribute workflow approval. When the approver reads the message in OWA 2013 and expands 'action items', we see the following error...instead of the usual 'Approve' or 'Reject' buttons. This computer does not have Outlook, so we cannot deploy the FIM add-ins and extensions...but I don't think they are required if we're just using OWA?

Thank you

FIM 2010 R2. I can't create a user from a txt file on the FIM Portal

Hello!

I have FIM 2010 R2.

I created a FIM agent and a FIM sync rule to create domain users from the FIM Portal - this is working well.

I created a FIM agent to export users from a txt file to the metaverse, and I configured a FIM agent to export data to the FIM Portal.

The user is exported to the metaverse from the txt file - this is working well.

When I export the user from the metaverse to the FIM Portal, an empty user is created on the FIM Portal.


Alex

Split FIM Sync and FIM Service and portal across forests

Hello,

I have three forests; management, production and pre-production. I want to use FIM to provision accounts in all three. The users all live in the production forest with the management forest hosting the management infrastructure for all three forests.

What I'm thinking of doing is having the FIM Sync service in the management forest and the FIM Service and Portal in the production forest. I think this will work; i.e. the FIM Sync service will be able to use MA creds for each of the forests to be able to provision accounts etc.

The production and pre-production forests both trust the management forest but the management forest does not trust them.

Also there's a firewall between production and pre-production so FIM Sync in the prod forest can't get to pre-prod.

What do you think?

Object reference not set to an instance of an object.

Hey Guys,

I have imported 130 users from a file management agent. Some of those users (13 to be exact) started giving the error below; while they have been created in the portal, they also lack the display name.

The users also get synced to a central AD after that, and the error indicates something about the sync rule to AD.

There is nothing different about those users and the others imported within the same file. Any ideas about this?

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'Central AD Outbound'. Details: Object reference not set to an instance of an object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

If I look at the error I can see the below


Hany George | Consultant | IDC S.p.A | MCITP: Lync Server | MCITP: Exchange 2010 | MCTS: OCS | Blog: http://dusk1911.wordpress.com/ | If this post has been useful please click the green arrow to the left or click Propose as answer



Email Notifications to Users

I am working on the following Use Case:

The employees get terminated on the basis of Employee End Date. Now I want the users to receive an Email Notification as soon as the terminated date is set.

I have defined a Workflow for the above case with the activity as Email Notification. But I am not sure what to add in the recipients field, as the email should be sent to one particular user who is to be terminated.

Please help me out with this issue.

Thanks and Regards,

Shatadiya Saha


Microsoft Azure Active Directory Premium

In case you missed today's announcement Microsoft Azure Active Directory
Premium now includes usage rights for FIM, including server licenses and
CALs.

http://blogs.technet.com/b/ad/archive/2014/03/25/identity-and-access-management-for-every-user-in-every-organization-using-any-service-on-any-device.aspx


Paul Adare - FIM CM MVP
"So instead, I toil through fields of various OSes, planting applications,
spraying patches to catch the bugs, and watching the databases grow."
-- D. Joseph Creighton

Need to use ECMA 2.2 with the FIM (Lite) that was installed with SharePoint 2010.

I have a "contacts" list that is being updated from a 2nd SharePoint Farm -- I have an ADLDS instance that contains the users that I have "mined" from inbound SAML assertion claims (this gives me the ability to build fine-grained SAML-based permissions using those names). I also used the SAML sts from codeplex that fixes the people picker problem that validates claims against values in the ADLDS instance.

Now I'd like to be able to sync this contact list using the FIM/User Profile Sync so that all the people in the environment could be located via People Search.

I think this would be pretty straightforward using the Extensible Connectivity 2.0/2.2 Management Agent. But it appears that this capability is only available in FIM 2010 R2.

Thoughts? Suggestions?

My fallback is an event handler on the contacts list that would perform adds/updates and deletes against the ADLDS instance. This scenario concerns me in that there's not a convenient way to batch the transactions, so the performance would be terrible.

TIA


All science is either physics or stamp collecting

FIM Portal High Availability using F5

Hi,

I have just installed FIM Portal in two servers like:

server A - Primary

Server B - Secondary

Both the servers are in HA mode using F5.

Issue:

When I have faced some error in Server A while opening FIM Portal, even though FIM service is running and Server B FIM portal is running fine.

I just want that if Server A is getting some issue accessing FIM Portal then F5 should take Server B as Primary, but in my case, if the service is running and FIM portal is not working then F5 takes Server A as Primary.

Can you give me any idea how we can configure F5 load balancing so that if any FIM portal is not working, whether the FIM Service is running or not, then F5 will take the other one as primary.

Any help would be really appreciated

Thanks,

Ankit

Workflow approvals in Outlook 2013 - 404 error

Hi,

We are using Exchange 2013, Outlook 2013, FIM 2010 R2 SP1, client workstation with FIM add-ins and extensions.

Whenever we trigger an approval workflow, we see it in the Portal and can 'approve' or 'reject' it.

However, when opening the approval email's 'Action Item' in Outlook, it shows a 404 error message. We deployed the FIM add-ins and extension using the NetBIOS name of the FIM server, which works via either http or https from a browser...but not from within Outlook.

Also, inside the 'Action Item' 404 message window, there is a "Refresh Page" link. When this is clicked, the actual FIM Portal loads inside the 'Action Item'.

Is this a bug?

thanks,

SK


FIM Reporting prereqs on System Centre

Hi,

Working through the environment prereqs for FIM Reporting.

Article http://technet.microsoft.com/en-us/library/jj133863%28v=ws.10%29.aspx states:

  • All pre-requisite hotfixes have been deployed to the System Center Service Manager Management Server and Data Warehouse components.

What it fails to mention, however, is what these 'pre-requisite hotfixes' are.

Could someone please list the required System Center Service Manager Management Server and Data Warehouse hotfixes for FIM Reporting to work?

thanks,

SK

Best Practice Question: Portal Sync Rules

Hi,

Is there any benefit in combining Inbound and Outbound Flows in a single Sync Rule?

Or does it not matter if Inbound flows have their own Sync Rule and Outbound flows have their own Sync Rules?

Does either option generate more/less EREs/DREs?

Is either option better for performance reasons?

look forward to your comments, thank you

sk

Linking of Public URLS to FIM PORTAL & Registration Portal & Reset Portal

As we all know, we have 3 portals.

We have

1) FIM Portal on port-80 :

    Internal URL- http://<appserver name>/IdentityManagement/default.aspx

2) FIM Password Registration Portal- Port 8080

    Internal URL- http://<appserver name>:8080/default.aspx 

3) FIM Password Reset Portal- Port 8081

     Internal URL- http://<appserver name>:8081/default.aspx 

I want these URLs to connect to Public URLs

1) fimportal.com

2) fimregportal.com

3) fimresportal.com

I have tried for FIM PORTAL - Alternate MAPPING USING DNS -- but it's going to TEAM SITE and then we provide Credentials >> then All SITE CONTENT >> then Microsoft Forefront Identity

Then we have the portal.

We want whenever a user browses "fimportal.com" >> goes to http://<appserver name>:8080/default.aspx url >> asks for credentials >> FIM Portal.

Please suggest.



Unable to delete FIM Service MA

Experts,

I had three MA.

-File based MA

-fim service ma

- AD MA

Due to some problem I am now trying to start from the beginning. I deleted all MAs but the FIM Service MA is not getting deleted.

During import and export 498 records show errors. How do I get rid of these 498 connector space objects?

Can I ignore these errors? What impact will this have in future? Let this object in connector space.

I see the following errors in eventvwr when I run the FIM Service MA.

The server encountered an unexpected error in the synchronization engine:

 "BAIL: MMS(12224): d:\bt\800\private\source\miis\server\sqlstore\sproc.cpp(1571): 0x80230405 (The operation failed because the object cannot be found)

Thanks,

Mann

FIM 2010 Management Agents usage

Hi all,
we have implemented some FIM management agents that read information from different AD forests and then write email contacts into a destination forest. I am looking for a tool, or powershell cmdlets, I can use to export management agent errors.
Let me try to explain better: open FIM Synchronization Service, click on the operations button, select the row that reports errors, and the pane below shows error details and information. In my case, the DistinguishedName for the object that encountered errors. I would like to export these rows to have a list with all the DistinguishedNames and then use that with a script to manage and resolve the issues. I hope I have explained my need.
Thanks in advance for your help.

Regards

Ports between FIM Portal and FIM Service

Hi All,

We have two Servers,

1). Server A (FIM Portal) 

2). Server B (FIM Service)

Please suggest which ports should be opened between these two servers for communication. With the firewall off, it's working fine, but not with the firewall on.

Please suggest.

Thanks


ajay kumar

AD forest to forest sync

What is the best tool to synchronize (nightly) Active Directory attributes, to include custom attributes that we created, from one forest to several other forests? For example, we maintain an email directory, but the email address needs to be synched to other domains in other forests. Credential mapping is needed since the target account names, sAMAccountNames, etc. may differ from the source. Powershell, csvde etc. are too basic; we need a commercial solution.

I've done some research here and I understand consolidating to one forest would be best; however, politics and cost make that unfeasible. I just need to get some attributes over to these other domains.

FIM 2010 R2 SP1 - Installing CA Modules

I have a customer with a CA running on Windows Server 2008 Standard edition - when trying to install the CA modules as part of a CM deployment I get an error saying "This software requires Microsoft Windows Enterprise or Datacenter Edition".

I have not been able to find any documentation to explain this limitation; does anyone have any explanation for this or any experience of installing on a 2008 or 2012 standard edition server?

If there is no choice but to install on an enterprise or datacentre server, can I install the CA modules onto a subordinate CA (with the root CA still running on a standard server)?

Thanks
