FIM Password Registration Portal Error 3008

April 8, 2014, 10:12 am

≫ Next: workflow powershell activity - postprocessing

≪ Previous: Problem exporting to PowerShell MA - The DN must be set before calling CSEntry.CommitNewConnector.

$

0

0

Team,

I have my FIM Service/FIM Portal in a separate server and FIM Password Registration and Password Reset portal in another server. Installation is successful. I have also followed MS docs to configure the workflows and MPRs for password reset and registration. When I login to a test machine and open the url http://passwordregistration.x.com, it prompts for username/password. Once authentication, it gives me "next" button to continue registration. When i press Next it throws error 3008 and says unable to communicate to FIM Service. Can someone please help. I am badly stuck.

Thanks,

---

workflow powershell activity - postprocessing

April 8, 2014, 4:00 pm

≫ Next: AD MA Provisioning - "The parameter is incorrect"

≪ Previous: FIM Password Registration Portal Error 3008

$

0

0

I have sleep command in the script, that could make the script run for 30 minutes. If the powershell script runs for long time, would it get stuck? The script completes sometimes, but sometimes, it is just postprocessing.

param( $AcctName, $OwnerName)
Import-Module ActiveDirectory
$ADUser = Get-ADUser -LDAPFilter "(sAMAccountName=$AcctName)" -SearchBase "OUpath" -Server "dcname"
while ($ADUser -eq $Null){

Start-Sleep -Second 180
$ADUser = Get-ADUser -LDAPFilter "(sAMAccountName=$AcctName)" -SearchBase "OUpath" -Server "dcname"

}
If($ADUser -ne $Null)
{
Start-Sleep -Second 360
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Set-mailbox $AcctName -Type Shared
Add-MailboxPermission -Identity $AcctName -User $OwnerName -AccessRights 'FullAccess'
}

AD MA Provisioning - "The parameter is incorrect"

April 8, 2014, 5:14 pm

≫ Next: ReplaceString for brackets

≪ Previous: workflow powershell activity - postprocessing

$

0

0

I'm attempting to provision users with the AD Domain Services MA in FIM 2010R2, and hitting an error "constraint-violation" - connected data source error = "The parameter is incorrect".  If I click "Validate object against schema..." it comes up with no errors.  Not seeing anything useful in the Event Log or the MA log.  Can anyone suggest how to debug/trace this to find out what's wrong here?  FWIW the AD MA is working for updates to existing users, just provisioning new ones that is the problem

Thanks

Simon

ReplaceString for brackets

April 8, 2014, 6:40 pm

≫ Next: Users are not getting provisioned into AD

≪ Previous: AD MA Provisioning - "The parameter is incorrect"

$

0

0

Hi, I've been trying to replace a bracket in the sync rule, i.e.

ReplaceString(ReplaceString(someattribute,"(","#"),")","#")

but FIM is complaining the function ReplaceString is not correctly formatted.

Also I notice

If I use CustomExpression 

ReplaceString(someattribute,"(","#")

FIM fails with ReplaceString is not correctly formatted.

but if I select FIM function -> ReplaceString and enter oldstring as ) and newstring as #, FIM would happily accept.

Any idea how I can get around this?

Thanks,

John

Users are not getting provisioned into AD

April 8, 2014, 9:58 pm

≫ Next: How Questions are displayed by user’s (Finnish, English, German, French, Spanish, Chinese (simplified), Russian) in these language.

≪ Previous: ReplaceString for brackets

$

0

0

Hi Everyone,

I am trying to provision users from HR System to AD. But getting error for few users. Few are getting into AD very fine but few are not getting provisioned and showing "Constrain-violation error" on ADMA Export. If I click to see details on error it is stating "Required attribute "cn" is missing". 

I tried to run FIMMA Sync manually and found that into AD connector 'dn' for AD is getting deleted into Export attribute flow and FIM is trying to remove old connector and adding a new one. Also, I looked for event viewer and it is throwing no error at all.

Please suggest!!!

---

Thanks~ Giriraj Singh Bhamu

How Questions are displayed by user’s (Finnish, English, German, French, Spanish, Chinese (simplified), Russian) in these language.

April 8, 2014, 10:27 pm

≫ Next: FIM Sync Service and group memberships

≪ Previous: Users are not getting provisioned into AD

$

0

0

Hi,

How Questions are displayed by user’s (Finnish, English, German, French, Spanish, Chinese (simplified), Russian) in these language.whether in SSPR Portal or Window Login(Ctrl+Alt+Del)

Please provide any solution in Steps by Steps detail.

Regards

Anil Kumar

FIM Sync Service and group memberships

April 9, 2014, 8:56 am

≫ Next: Why so many disconnectors?

≪ Previous: How Questions are displayed by user’s (Finnish, English, German, French, Spanish, Chinese (simplified), Russian) in these language.

$

0

0

Hi everybody

I'm new to FIM and are trying to setup a synchronization between our HR system and AD, using the FIM sync service only (no portal). I have successfully set up an import of a csv file from the HR system, and created the users and groups in AD using an extension and C# code. What I'm stuck on is adding the users to the created groups.

A direct mapping in the FIM gui seems not to be possible due to the member variable is a reference variable, so I tried to add group membership to my user creation code (see below), but thats not working at all. I'm guessing it's because I don't have access to all objects in the agents space, only what is currently being created.

Any help or pointers as to where I can put the code to do this is much appreciated

My user creation code. What's not working is the last two lines where I try to lookup the Department Group and add the new user to it. It says the Object (DN) for the groups does not exist, even though it does (exist)

void IMVSynchronization.Provision (MVEntry mventry)
        {
            ConnectedMA managementAgent;
            int connectors = 0;
            CSEntry csentry;
            ReferenceValue DN;

            managementAgent = mventry.ConnectedMAs["AD-user"];
            connectors = managementAgent.Connectors.Count;

            if (connectors == 0)
            {
                if (mventry.ObjectType == "person")
                {
                    string ansattNr = mventry["employeeId"].Value;
                    string username = "lds" + ansattNr;                   
                    string fullname = mventry["displayName"].Value;

                    DN = managementAgent.EscapeDNComponent("CN=" + fullname).Concat("OU=Managed-users,OU=Users,DC=test,DC=local");

                    csentry = managementAgent.Connectors.StartNewConnector("user");

                    csentry.DN = DN;
                    csentry["CN"].Value = fullname;
                    csentry["employeeID"].Value = ansattNr;
                    csentry["SamAccountName"].Value = username;
                    csentry["userPrincipalName"].Value = username + "@test.local";
                    csentry.CommitNewConnector();       

            ReferenceValue groupDN = managementAgent.EscapeDNComponent("CN="+ mventry["department"].Value).Concat("OU=IDM-Departments,OU=Users,DC=test,DC=local");

            managementAgent.Connectors.ByDN[groupDN]["member"].Values.Add(DN);    

Why so many disconnectors?

April 9, 2014, 4:14 pm

≫ Next: FIM Portal URL is not consistent on all the Servers

≪ Previous: FIM Sync Service and group memberships

$

0

0

Hi,

In the FIM terminology, a connector space object, if it is linked to a metaverse object is known asconnector and disconnector if it is not linked.

So, under which circumstances would a FIM system develop disconnectors?

One I can think of is if the deprovisioning rule is set to "Explicit disconnector".

Also, all the OUs from the AD MA scope are represented as disconnectors - doesn't this impact performance when doing a Sync operation?

What else would create a disconnector?

thank you.

---

FIM Portal URL is not consistent on all the Servers

April 9, 2014, 4:25 pm

≫ Next: Confirming FIM setup information.

≪ Previous: Why so many disconnectors?

$

0

0

Hi All,

Hope you all well,

My Current FIM environment is:-

1). Server A (FIM Portal 1)

2). Server B (FIM Portal 2)

3). Server C (Both FIM Portals pointing to FIM Service Server C)

4). Server  D (FIM Sync Server)

 Now my question is, I am facing error "Service not available" while accessing the FIM Portal 2 or FIM Portal 1 from server C and D. Actually, FIM Portal URL's is not accessible consistently on all the servers. Some time it works, some times not.

I have checked by setting the SPN for FIM Service account but in vain.

For reference Please find the below screen shot.



Any help would be appreciated.

Thanks

---

ajay kumar

Confirming FIM setup information.

April 10, 2014, 3:10 am

≫ Next: FIM Synchronization Service - How to provsion a group to another object type

≪ Previous: FIM Portal URL is not consistent on all the Servers

$

0

0

Hi,

 I setup FIM 2010 portal and sync service on a couple of servers a few months ago and now it's time to add in the SSPR server. Unfortunately I can't remember the URLs and accounts I entered on the setup wizard which specified the SSPR server and account name. Rather than re-run the setup wizard and risk cocking something up, is there an XML or config file I can use on the FIM server to check this information?

Thanks

FIM Synchronization Service - How to provsion a group to another object type

April 10, 2014, 4:43 am

≫ Next: Updating employeeJobFamily from Manager

≪ Previous: Confirming FIM setup information.

$

0

0

Hi,

i'm new to fim and use just the fim2010 synchronization engine with some rules extensions.

I have 2 ActiveDirectories and want to Provision a Group(used as Distribution list) from ActiveDirectory A as a contact object in ActiveDirectory B with the SMTP address of the Group as the targetaddress of the contact.

Can you give me a hint how to accomplish that?

Should i use the ShouldProjectToMV() Method in the rulesextension from the AD Connector of Domain A and out the Group as a Special mvtype? How do i join (what anchor to use) the Group to Domain B if i also sync normal contact objects as well?

Thanks you for your help!

Updating employeeJobFamily from Manager

April 10, 2014, 9:37 am

≫ Next: Granfeldt PowerShell MA Import-PSSession?

≪ Previous: FIM Synchronization Service - How to provsion a group to another object type

$

0

0

I am new to FIM,

I have an attribute named "employeeJobFamily" it is user type.

I am trying to update all users that have thevalue = "General" in that attribute by the value in their manager"employeeJobFamily" Attribute.

1)I created a Set that can get all these users, 

2) trying to create a WF that can get the value for this Attribute"employeeJobFamily" from the Manager.

I need help with how I can query another person attribute and retrieve this value.

I am open to any other idea

Thanks

Apkarino

Granfeldt PowerShell MA Import-PSSession?

April 10, 2014, 12:41 pm

≫ Next: Cross forest password reset

≪ Previous: Updating employeeJobFamily from Manager

$

0

0

Firstly Søren Granfeldt thank you for writing and releasing this MA! I'm using it for Account Expiration dates already!! My issue is when trying to connect to Exchange Online (O365) to manage mailboxes.

I'm using the Granfeldt PowerShell MA to access data in Office 365 but not just the dirsync (is the user licensed) but also properties on the Exchange Online.

I can connect to Exchange Online (O365)  when running the script as the service account (FIMService). It connects using stored credentials to Exchange Online using Remote PowerShell and Importing the session with -AllowClobber. However I get an error on the Import-PSSession line saying that $Session is undefined / Null when the MA Runs it.

I have a couple of questions.

1) If I edit the import.ps1 script (Import Script) do I need to refresh the PowerShell MA Schema for it to pick up the changes or does it load and run this on the fly?

2) Has any one ran an Import-PSSession with the Granfeldt  PowerShell and gotten a script Error: Script error in line 24: [Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.] - (At {REMOVED}
+     Import-PSSession -Session $mySession -AllowClobber -WarningAction SilentlyCo ...

The error is under the $mySession variable, it should connect just fine, I've gone so far as hard coding the password into the script.

3) Is there any way to make the import script "Run as Admin / Elevated" ?

Thanks in advance!!!!

Jonathan Manley

Cross forest password reset

April 10, 2014, 7:05 pm

≫ Next: Unable to install FIM service Portal!!!!!!!!!!

≪ Previous: Granfeldt PowerShell MA Import-PSSession?

$

0

0

Hi,

We have FIM Sync, Portal, SSPR Registration, SSPR Reset deployed in Forest A.

Users currently exist in Forest B. There is a 2-way trust between Forest A & B.

Forest B users can successfully Register for SSPR (by enrolling in the questions/answers) from workstations in Forest B.

When a user in Forest B tries to Reset their password, they successfully answer the questions, but when they try to type in the new password the following error appears:

Could someone please point us in the right direction as to why its failing?

thank you,

sk

Unable to install FIM service Portal!!!!!!!!!!

April 10, 2014, 7:49 pm

≫ Next: Integrating FIM 2010 R2 with Symantec VIP for user validation/authentication purposes

≪ Previous: Cross forest password reset

$

0

0

Hi Everyone,

While installing Fim Service Portal i am gertting an Error: Service 'Forefront Identity Manager Service' (FIMService) failed to start. Verify that you have sufficient privileges to start system services.

 

Please find the below Screenshots:

Please Help!!

 

---

Thanks~ Giriraj Singh Bhamu

---

Integrating FIM 2010 R2 with Symantec VIP for user validation/authentication purposes

April 10, 2014, 10:58 pm

≫ Next: DeleteAdds in Export Statistics of a SQL MA

≪ Previous: Unable to install FIM service Portal!!!!!!!!!!

$

0

0

I am setting up FIM 2010 R2 and required to integrate Symantec VIP to be used at the SMS OTP gate instead of FIM's SMS OTP gate. Does anyone know how I can achieve this? I have never tried this before and have no clue on how to go about it.

I will greatly appreciate your help here

DeleteAdds in Export Statistics of a SQL MA

April 10, 2014, 11:35 pm

≫ Next: Delete-Add Permission Denied errors for an Active Directory MA

≪ Previous: Integrating FIM 2010 R2 with Symantec VIP for user validation/authentication purposes

$

0

0

Hello,

I need to understand what does DeleteAdds statistics will define ?

And when the identity will be identified both to Delete and Add ?

We tried to delete an identity from Metaverse and from connected database as well, deprovision rule is defined. the identity got deleted from Metaverse but when the same was exported to SQL the identity was marked as DeleteAdd and it didnt get deleted from the connected DB.

Regards,

Jyothishree SP

Delete-Add Permission Denied errors for an Active Directory MA

April 10, 2014, 11:54 pm

≫ Next: Using sysdate in Inbound Rule

≪ Previous: DeleteAdds in Export Statistics of a SQL MA

$

0

0

I'm currently seeing some export errors on my AD MA. In my user source (an custom MA) I had 4 deletions and 6 adds in one import run. This caused 4 MV objects to be deleted and 6 MV objects to be added.

Now it seems that my unique username function (MV extension) re-used some AD AccountNames as the MV stated that these were no longer in use.

Now I think the problem lies in the fact that my AD MA users have their DN based upon CN=sAMAccountName,OU=...". The ones being deleted and added have the same DN and this probably results in a delete-add.

Should the AD MA be able to handle this or should I think of a different DN strategy?

---

http://setspn.blogspot.com

Using sysdate in Inbound Rule

April 11, 2014, 4:51 am

≫ Next: MSOL Created AD Account and Group -

≪ Previous: Delete-Add Permission Denied errors for an Active Directory MA

$

0

0

Expert,

I am creating Inbound Rule for data coming from a text file.

For employee status logic is:-

employee end date>today's date=Active

Employee end date<today's date=Inactive

How do I get today's date in Inbound Rule?

Thanks,

Mann 

MSOL Created AD Account and Group -

April 11, 2014, 5:07 am

≫ Next: SSPR Rich Client on Wireless Laptop

≪ Previous: Using sysdate in Inbound Rule

$

0

0

I've recently installed Forefront Identity Manager 2010 R2 and we are in the process of creating a tenant connection to Office 365 and setting up Exchange Federation.

I have installed FIM 2010 R2 and have setup DIRSYNC, and we've noticed an account and group were automatically created in the AD Domain USERS OU.

MSOL_xxxxxxxxxxxxxx (user)

MSOL_AD_Sync_Richcoexixtence (group) with the MSOL user the only member.

2 questions:

1). What is this User/Group used for? (as during the install I had to supply another AD Domain credential which I would have thought would have been used for the SYNC process.

2). Can this MSOL user/group be pre-created or have the password modified in some fashon? (our Security folks want to "set" the password on the MSOL user to a known value?)?

THANKS