Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

Systems Administrator

Systems Administrator & MS SharePoint Administrator

Employee End Date attribute flow for account deprovisioning


Hi All,

At my current client, we read the HR data in the form of a file extract and use it for account provisioning and deprovisioning. In particular, the deprovisioning activity is triggered by the employee end date attribute which is supplied in the HR extract - when this end date passes the user object is disabled and moved to the disabled users OU. Further, we also flow this to the accountExpires AD attribute (coded a RE to do that).

Now, the IT team have requested that they be able to overwrite this end date in the portal since sometimes the end dates in HR are incorrect, leading to disabling active users. We initially got around this by setting this attribute to equal precedence between the HR extract and the FIM portal (I know equal precedence is being deprecated in future releases, but that's a separate topic of discussion). Now this works fine, except that when we do a full import + full sync on the HR extract (once a day on a task schedule), it overrides the end date in the Portal with the HR data and the IT team have to go and re-enable this account again. They are looking for an option to permanently override the end date until it changes in the HR extract, in which case the HR extract date should be used.

If we use delta syncs all the time then this is fine and the last value changed will be the one used; however, when we do a full sync on the HR MA then that value always overrides the FIM value. I tried to do a RE for this by trying to query the HR connector space object for the user to see what the last modification timestamp of this attribute was, and if it is greater than the one in the metaverse then flow it in; however, I cannot query the timestamp of the attributes in the CS.

Any suggestions on how to best go about this?

Thanks in advance and sorry for the long post!


Self Service Password Reset and Registration in FIM 2010 R2 - Error 3003


Hi,
Users who are trying to do password registration in FIM 2010 R2 receive the following error:

*************************************
Unrecognized User

The current user account is not recognized by Forefront Identity Manager. Please contact your help desk or system administrator. (Error 3003)

*************************************

With fimservice account (account that is used to install and configure FIM 2010 R2) everything is working fine, but the error is displayed to other domain users.

I created two management agents (AD and FIMMA) on Synchronization Service Manager and added appropriate attributes at the Attribute Flow section, such as AccountName, Display Name, ObjectSID, Domain, First Name, LastName, etc.
Also I created Inbound Synchronization Rule in FIM Portal with appropriate attributes.

Then I executed the agents (AD and FIMMA) on Synchronization Service Manager in the proper order. After that, the users' information is displayed on the FIM Portal.

Then I made all the steps from the source: http://technet.microsoft.com/en-us/library/hh824694(v=ws.10).aspx

But still users aren't able to do password registration and password reset!

Still they are getting error 3003. This is strange!

If anyone can help me regarding this issue, I would be grateful.

Thank you in advance.

Active Directory Containers


Hello,

I am trying to use FIM Sync Service to synchronize data (accounts) from IBM LDAP to Active Directory.

When I try to configure the AD Management Agent, in "configure directory partitions" in "select containers for this partition",

the containers of AD are not shown in FIM. I created an OU in AD (the OU is supposed to contain new accounts created via FIM);

I did a refresh of the schema but this OU is missing.

I am a beginner in FIM and I hope that you can help me to resolve this issue.

Regards.

Outbound Sync Scope Rule Relationship Criteria


Hi,

Using the latest build 4.1.3508.0.

Trying to create an Outbound Sync Scope Rule. When I setup the Sync Rule, I select 'employeeID' as the relationship criteria.

I then complete the Sync Rule, and Submit.

When I return to the Sync Rule, the Relationship Criteria is greyed out and blank:

Further, when I try to create the associated Workflow, the Sync Rule does not appear in the drop down box:

I have restarted IIS and FIMService a few times; even rebooted the computer.

Is this a config error or a software bug?

thanks,

sk


PCNS multi-forest config?


Hi,

Forest A contains FIM services, and a copy of the users from Forest B (via FIM provisioning).

Forest B contains the users, and this is where users will change passwords from workstations.

We would like passwords to replicate from Forest B to Forest A.

Have setup a 2 way trust between the forests, and then:

  1. Have installed PCNS in Forest B only
  2. Then, ran the following in Forest A: setspn -A PCNSCLNT/DC1.ForestA.com ForestA\FIMSyncService
  3. Then, ran the following in Forest B: pcnscfg.exe ADDTARGET /N:FIMServer /A:FIM.ForestA.com /S:PCNSCLNT/DC1.ForestA.com /FI:"Domain Users" /FE:"Domain Admins" f:3

Are the above steps correct?

Thank you,

SK

Verify existing multivalued attribute values using powershell


I am writing a PowerShell script which will add a value to a multivalued reference attribute (this multivalued reference attribute is named "Admins" and is bound to the Person object).

Suppose I am adding value "Test"(Reference attribute) to multivalued reference attribute ("Admins").

I want to check whether the value "Test" is already present in "Admins" before adding this value to the multivalued reference attribute ("Admins"). Can someone please guide me on this?
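One way to do this check with the FIMAutomation cmdlets (Export-FIMConfig / Import-FIMConfig), added here as an example that is not part of the original post: the attribute name Admins, the Person object type and the referenced resource "Test" come from the post; the function names, the XPath filters, the placeholder account name jdoe, and the use of the FIM Service on the local host are assumptions.

```powershell
# Added example (not from the original post): check whether a reference is already
# present in a multivalued reference attribute ("Admins" on a Person) before adding it.
# Assumes the FIMAutomation snap-in and a FIM Service reachable at the default URI.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimSingleObject {
    # Returns exactly one Export-FIMConfig result for the XPath filter, or throws.
    param([string]$Filter)
    $found = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $Filter)
    if ($found.Count -ne 1) {
        throw "Expected exactly one object for '$Filter', found $($found.Count)."
    }
    return $found[0]
}

function Get-FimAttributeValues {
    # Returns the value(s) of one attribute from an Export-FIMConfig result as an array.
    param($ExportObject, [string]$AttributeName)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) } else { return @($attr.Value) }
}

function Add-FimReferenceIfMissing {
    # Adds the referenced object to the multivalued attribute only if it is not
    # already there. Returns $true when a value was added, $false when it was present.
    param(
        [string]$TargetFilter,     # e.g. "/Person[AccountName='jdoe']"  (placeholder)
        [string]$AttributeName,    # e.g. 'Admins'
        [string]$ReferenceFilter   # e.g. "/Person[AccountName='Test']"
    )
    $target = Get-FimSingleObject $TargetFilter
    $reference = Get-FimSingleObject $ReferenceFilter

    # Reference values are exposed as 'urn:uuid:<guid>' strings, the same form as
    # ObjectIdentifier; -contains compares case-insensitively.
    $refId = $reference.ResourceManagementObject.ObjectIdentifier
    $existing = Get-FimAttributeValues $target $AttributeName
    if ($existing -contains $refId) {
        Write-Verbose "$refId is already in $AttributeName; nothing to do."
        return $false
    }

    # Build a Put request that adds a single value to the multivalued attribute.
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $change.AttributeName  = $AttributeName
    $change.AttributeValue = $refId
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'Person'
    $import.TargetObjectIdentifier = $target.ResourceManagementObject.ObjectIdentifier
    $import.SourceObjectIdentifier = $import.TargetObjectIdentifier
    $import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes                = @($change)

    $import | Import-FIMConfig
    return $true
}

# Usage (placeholder account name 'jdoe'):
# Add-FimReferenceIfMissing -TargetFilter "/Person[AccountName='jdoe']" `
#     -AttributeName 'Admins' -ReferenceFilter "/Person[AccountName='Test']"
```

Checking membership by ObjectIdentifier rather than by display name avoids a false match when two resources share a name, and returning a boolean lets a calling script record which objects it actually changed.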

How to configure 2 different SSPRs?


Hi,

I'd like to configure 2 different SSPRs. One for Staff and one for Students.

I have installed SSPR onto 2 different servers, and Staff and Students have different URLs (for registration and reset).

Staff will be the typical Q&A; while Students will be the OTP route (with auto registration).

How do I configure the FIM Portal for 2 different scenarios, and make sure the right config is associated with the correct staff and student server & URL?

thanks,

sk



How to trigger email notification when users fail to reset their password in FIM 2010 R2


Hi,

How to trigger an email notification when users fail to reset their password in FIM 2010 R2?

Regards

Anil Kumar

Windows Azure Active Directory MA - Maximum number of items that can be serialized or deserialized in an object graph is '500000'. Change the object graph or increase the MaxItemsInObjectGraph quota.


Trying to use WAAD with FIM 2010 R2 SP1 (4.1.3496.0) and during export several objects cause a warning/info with:

Maximum number of items that can be serialized or deserialized in an object graph is '500000'. Change the object graph or increase the MaxItemsInObjectGraph quota.

I looked; this appears to be hard coded into the MA. Anyone know what causes this? My best guess is something like a large group membership. Does anyone know what the limits around the WAAD MA are?

Here is the in-depth error logged during the failure:

ProvisioningServiceAdapter::ExecuteWithRetry: Action: Export, Attempt: 0, Exception: Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service. Tracking ID: e94e6020-8434-4aa7-9a29-b2edf7fe6b2e See the event log for more details. ---> System.ServiceModel.CommunicationException: There was an error while trying to serialize parameter http://schemas.microsoft.com/online/aws/change/2010/01:syncObjects. The InnerException message was 'Maximum number of items that can be serialized or deserialized in an object graph is '500000'. Change the object graph or increase the MaxItemsInObjectGraph quota. '.  Please see InnerException for more details. ---> System.Runtime.Serialization.SerializationException: Maximum number of items that can be serialized or deserialized in an object graph is '500000'. Change the object graph or increase the MaxItemsInObjectGraph quota.

   at System.Runtime.Serialization.XmlObjectSerializerContext.IncrementItemCount(Int32 count)

   at WriteArrayOfstringToXml(XmlWriterDelegator , Object , XmlObjectSerializerWriteContext , CollectionDataContract )

   at System.Runtime.Serialization.CollectionDataContract.WriteXmlValue(XmlWriterDelegator xmlWriter, Object obj, XmlObjectSerializerWriteContext context)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.SerializeAndVerifyType(DataContract dataContract, XmlWriterDelegator xmlWriter, Object obj, Boolean verifyKnownType, RuntimeTypeHandle declaredTypeHandle, Type declaredType)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.SerializeWithXsiType(XmlWriterDelegator xmlWriter, Object obj, RuntimeTypeHandle objectTypeHandle, Type objectType, Int32 declaredTypeID, RuntimeTypeHandle declaredTypeHandle, Type declaredType)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.InternalSerialize(XmlWriterDelegator xmlWriter, Object obj, Boolean isDeclaredType, Boolean writeXsiType, Int32 declaredTypeID, RuntimeTypeHandle declaredTypeHandle)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.InternalSerializeReference(XmlWriterDelegator xmlWriter, Object obj, Boolean isDeclaredType, Boolean writeXsiType, Int32 declaredTypeID, RuntimeTypeHandle declaredTypeHandle)

   at WriteSyncObjectGroupToXml(XmlWriterDelegator , Object , XmlObjectSerializerWriteContext , ClassDataContract )

   at System.Runtime.Serialization.ClassDataContract.WriteXmlValue(XmlWriterDelegator xmlWriter, Object obj, XmlObjectSerializerWriteContext context)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.SerializeAndVerifyType(DataContract dataContract, XmlWriterDelegator xmlWriter, Object obj, Boolean verifyKnownType, RuntimeTypeHandle declaredTypeHandle, Type declaredType)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.SerializeWithXsiType(XmlWriterDelegator xmlWriter, Object obj, RuntimeTypeHandle objectTypeHandle, Type objectType, Int32 declaredTypeID, RuntimeTypeHandle declaredTypeHandle, Type declaredType)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.InternalSerialize(XmlWriterDelegator xmlWriter, Object obj, Boolean isDeclaredType, Boolean writeXsiType, Int32 declaredTypeID, RuntimeTypeHandle declaredTypeHandle)

   at System.Runtime.Serialization.XmlObjectSerializerWriteContext.InternalSerializeReference(XmlWriterDelegator xmlWriter, Object obj, Boolean isDeclaredType, Boolean writeXsiType, Int32 declaredTypeID, RuntimeTypeHandle declaredTypeHandle)

   at WriteArrayOfSyncObjectToXml(XmlWriterDelegator , Object , XmlObjectSerializerWriteContext , CollectionDataContract )

   at System.Runtime.Serialization.CollectionDataContract.WriteXmlValue(XmlWriterDelegator xmlWriter, Object obj, XmlObjectSerializerWriteContext context)

   at System.Runtime.Serialization.DataContractSerializer.InternalWriteObjectContent(XmlWriterDelegator writer, Object graph, DataContractResolver dataContractResolver)

   at System.Runtime.Serialization.DataContractSerializer.InternalWriteObject(XmlWriterDelegator writer, Object graph, DataContractResolver dataContractResolver)

   at System.Runtime.Serialization.XmlObjectSerializer.WriteObjectHandleExceptions(XmlWriterDelegator writer, Object graph, DataContractResolver dataContractResolver)

   at System.ServiceModel.Dispatcher.DataContractSerializerOperationFormatter.SerializeParameterPart(XmlDictionaryWriter writer, PartInfo part, Object graph)

   --- End of inner exception stack trace ---

Server stack trace:

   at System.ServiceModel.Dispatcher.DataContractSerializerOperationFormatter.SerializeParameterPart(XmlDictionaryWriter writer, PartInfo part, Object graph)

   at System.ServiceModel.Dispatcher.DataContractSerializerOperationFormatter.SerializeParameter(XmlDictionaryWriter writer, PartInfo part, Object graph)

   at System.ServiceModel.Dispatcher.DataContractSerializerOperationFormatter.SerializeParameters(XmlDictionaryWriter writer, PartInfo[] parts, Object[] parameters)

   at System.ServiceModel.Dispatcher.DataContractSerializerOperationFormatter.SerializeBody(XmlDictionaryWriter writer, MessageVersion version, String action, MessageDescription messageDescription, Object returnValue, Object[] parameters, Boolean isRequest)

   at System.ServiceModel.Dispatcher.OperationFormatter.OperationFormatterMessage.OperationFormatterBodyWriter.OnWriteBodyContents(XmlDictionaryWriter writer)

   at System.ServiceModel.Channels.Message.OnWriteMessage(XmlDictionaryWriter writer)

   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)

   at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)

   at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message)

   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)

   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)

   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

   at Microsoft.Online.Coexistence.Schema.IProvisioningWebService.Provision(SyncObject[] syncObjects)

   at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel)

   --- End of inner exception stack trace ---

   at Microsoft.Online.Coexistence.ProvisionHelper.CommunicationExceptionHandler(CommunicationException ex)

   at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel)

   at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.<>c__DisplayClass1.<Export>b__0()

   at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.ExecuteWithRetry(String actionName, Action action).

FIM Modification type

We're using FIM to bring over attributes from account forests into an Exchange 2010 resource forest. Over the past few weeks we noticed that updates to existing users in the accounts domain are not coming through. When looking under Management Agent Operations we noticed that when changes to existing users in the accounts domain are trying to sync, the modification type is set to Add instead of None. This results in the attribute changes not coming across because FIM thinks this is a new user in the resource forest. How do I change it so the modification type goes back to None instead of Add?

FIM CM Client and Server 2012


Attempting to renew certificates for smartcards on Server 2012. FIM CM Client 64-bit is installed on both client and manager.

When clicking on the "Show the details of my smartcard" there is no response in IE 64 BIT

Ran IE in IE 10 Compatibility mode and it responds only to give the following error:

Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system admin. Additional info: Automation server can't create object.

NOTE: This works in Server 2008 R2 with no issues with what appears to be the same set up as the 2012 Server, apparently I'm missing something. Thanks in advance.

IE is in the trusted sites, all IE settings appear to be the same for both 2008 and 2012 servers.

FIM 2010 across multiple servers for HA

Experts,
For very high availability of FIM 2010 R2 the following option is considered. The idea is to have separate partitions for administrative tasks and general users.

Admin partition:-
FIM Service and FIM Portal for admin partition
server1 & server2 (NLB name say FIM_SERVICE_ADMIN)
Server3 & server4 (NLB name say FIM_Portal_ADMIN)

User partition:-
FIM Service and FIM Portal for users
Server5 & Server6 (NLB name say FIM_SERVICE_Users)
Server7 & Server8 (NLB name say FIM_Portal_Users)

I am confused on how to go for installation.

1. What about the service account for FIM Service? Do I need to create two service accounts for FIM Service, using one account while installing the FIM Service admin partition and the other service account while installing the FIM Service user partition? Is it possible?

2. What about SharePoint Foundation? Do I need to create two default websites, one for the admin partition and one for the user partition? And again two service accounts for the SharePoint application pool?
3. How will the SPN settings work?

Many more :(

Kindly guide me please.

Thanks,
Mann

Custom PCNS-like Service


I have a hypothetical situation where I want the same functionality that the PCNS service provides for connected AD domains but I want that functionality to work against an HR application. Are there any guides or anything on how to do this?

The service would need to detect when a password is changed in the application, get some ID of the user that changed their password and then the tricky part - replicate the PCNS behaviour, sending the password back to FIM using an SPN and RPC. Apart from that vague description, I don't really know where to start. Any ideas?

Cross-forest PCNS issues


Hi,

We have 2 forests, ForestA and ForestB.

FIM is deployed in ForestA.

FIM is synchronising users from ForestB (via ForestB MA) to ForestA (via ForestA MA).

ForestA and ForestB are connected via a 2 way Kerberos Trust.

All firewalls have been disabled between the virtual machines.

In ForestB we have deployed PCNS and ran the following command: pcnscfg ADDTARGET /N:FIMServer /A:FIM01.forestA.com /S:PCNSCLNT:FIM01.forestA.com /FI:"Domain Users" /f:3

In ForestA we have registered the SPN as: setspn -A PCNSCLNT/FIM01.forestA.com ForestA\FIMSyncService

FIM is importing users from ForestB and successfully provisioning them in ForestA.

FIM is configured as follows:

  • FIM/Tools/Options/ Enable Password Synchronization is selected
  • ForestB MA is configured as the Password Synchronization source / with ForestA selected as the Target MA
  • ForestA MA / Configure Extensions / Enable Password Management is enabled

However, when a user changes their password in ForestB, event viewer on ForestB domain controller errors with:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be authenticated.

Additional Details:
 
Thread ID: 4300
Tracking ID: ad7d5acb-74ca-448e-9496-a4944260b955
User GUID: b6d8f3f9-d115-4331-816a-8af98683beda
User: FORESTB\test1
Target: FIMServer
Delivery Attempts: 460
Queued Notifications: 1
0x00000721 - A security package specific error occurred.
 
ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0

ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1461
Flags is 0
NumberOfParameters is 0

ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
Flags is 0
NumberOfParameters is 1
Long val: -1073741413

ProcessID is 2100
System Time is: 4/7/2014 5:58:46:284
Generating component is 3
Status is -1073741413
Detection location is 140
Flags is 0
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT/FIM01.FORESTA.COM
Long val: 68126

Any ideas?


Using Smart Cards for SSPR


I'm working on Forefront Identity Manager 2010. I'd like to enable AD users to use smart cards to reset their passwords. I looked at this video: www.youtube.com/watch?v=b4aGLnZHZN4. In this video (minute 2), it's said that we could use smart cards to authenticate to Self-Service Password Reset instead of the Q/A gate. However, I don't know how to configure this (or maybe I need to write a custom authentication gate). Can somebody help me?

Thanks,


Hai



How to kill/delete workflows running for many days

I recently found that there were a few PowerShell workflow activities running for many days. I guess it is because of a bad PowerShell command. How can I kill/terminate all those workflows?

Issue with asymmetrical attribute flow and delta sync


I am seeing an interesting behavior with the sync engine and I am not sure if it is a bug or a feature.

I have a situation where a user created in the FIM Service may or may not have a user-assigned AD account name. If an account name is specified I need to use the specified name, otherwise I need to generate an account name for the person.

My solution is to have an optional “Account Name Requested” attribute in the FIM Service that when specified is used as the account name during provisioning (and later in synchronization to handle account name changes).

The native “Account Name” attribute in the FIM Service contains the actual account name in AD and is not editable by the user.

My setup is:

  • In the FIM Service, I have AccountName and AccountNameRequested
  • In the Sync engine, I have the same attributes.
  • On the FIM MA:
    • AccountNameRequested flows from the FIM MA to the Sync engine.
    • AccountName flows from the Sync engine to the FIM MA
  • On the AD MA:
    • AccountNameRequested flows out to sAMAccountName if AccountNameRequested has a value (via a rules extension)
    • sAMAccountName flows in to AccountName
  • Provisioning code uses the value for AccountNameRequested if it is present; otherwise, it generates an account name.

Provisioning works properly.

The issue is when an account name needs to be changed: A user updates the Account Name Requested attribute in the FIM Service. It flows properly to the sync engine and it flows out to sAMAccountName in AD. The following confirming delta import shows the update to sAMAccountName as applied in AD. Unfortunately, the delta import (containing the change in AD) is not recognized as a delta, so a subsequent delta sync does not process the record (and does not flow the new value for sAMAccountName back into the AccountName attribute in the metaverse.) A full import will properly flow the sAMAccountName back in from AD.

So the question is: If in the metaverse you have attribute A that flows outbound to attribute B in a connected directory and that same attribute B in the connected directory also flows inbound to attribute C in the metaverse, should a change in attribute A that is exported to B and successfully imported back from B be considered a delta change in the connector space so that a subsequent delta sync flows B into C?

If the answer to the above is “Yes, it should be considered a delta”, then I need to open a support case, otherwise it is a “feature” and I need to solve the problem another way (probably by having workflow reach out directly to AD, which I would prefer not to do.)

Thanks,

Rex

Sync Distribution groups between 2 forests


Hi All,

I have 2 forests that I am syncing users between. Now I was wondering if it is possible to sync groups from one domain to the second, including the members, and if it is possible, what would the procedure overview be?


Hany George | Consultant | IDC S.p.A | MCITP: Lync Server | MCITP: Exchange 2010 | MCTS: OCS | Blog: http://dusk1911.wordpress.com/ | If this post has been useful please click the green arrow to the left or click Propose as answer

Problem exporting to PowerShell MA - The DN must be set before calling CSEntry.CommitNewConnector.


Hello,

I'm currently in the process of implementing FIM for the first time and am struggling with something which I feel should be fairly simple. I'm trying to export data to a text file and am using Søren Granfeldt's PowerShell MA to do so. I'm exporting three attributes - the accountname (which is the anchor), an accountid (an integer), and the email address. I've set up the MA and run profiles, and have created an Outbound-only synchronisation rule which uses the Outbound System Scoping Filter to filter by a string, which is set to 'Valid.'

When I perform a full sync on the FIM Service MA, in order to get the sync engine to work out which objects need to be exported, all of the objects that should be exported report a sync-rule-flow-provisioning-failed error. A stack trace on this presents me with: Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector.

I'm stuck. Does anyone have any specific advice on these errors, or just general advice on how to do what I want to do?

Thanks,
Sean.
