I'm planning on implementing FIM in the near future, on a single server. I'm not 100% clear on SPN's i will need, as I've not used them before. I would appreciate any pointers.
I'm planning on using the following URL's.
FIMPortal.local.mydomain.com
passwordresetregistration.local.mydomain.com
passwordreset.local.mydomain.com
With the following users setup:
SA-FimSync
SA-FimService (email enabled)
SA-FimAgent
Given the previous information what SPN's do i actually need?
Experts,
How can I create a group based on DRE values. Requirement is simple, add user into 'abc' group after creation of AD account.
I am creating AD through Configuration triple(set, workflow and MPR). I can see 'AD outbound' in ERE as well as DRE.
I am able to create a SET based on DRE but not group.
Thanks,
Mann
Hello Guys,
First of all, I would like to say thanks to everyone who has been contributing in this forum as I have found it really worthy and effective. I got solution to my questions and that is the reason I have come again to gain knowledge from guys.
I am trying to register account with OTP AuthN Workflow automatically, I mean when account created in FIM it automatically get registered with Password AuthN Workflow.
I would be grateful if you guys could advise me.
Regards
Sarwar
Sarwar
Hi,
We are trying to trigger a mail once user reset his successfully. would like to confirm, is it Mandatory to install the exchange console on FIM server only for email notification in case of successful password reset and OTP on email.
If exchange console is mandatory to be installed on FIM server, How does FIM interacts with exchange console to trigger a email?
Thanks
Harry
Hello,
this is a code created by WmiCodeCreator, but I'k not able to translate it to powershell:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftIdentityIntegrationServer")
' Obtain an instance of the the class
' using a key property value.
Set objShare = objWMIService.Get("MIIS_RunHistory.key='{03CB28B8-F9B5-4CFB-8D02-527B55E4A569}-102'")
' no InParameters to define
' Execute the method and obtain the return status.
' The OutParameters object in objOutParams
' is created by the provider.
Set objOutParams = objWMIService.ExecMethod("MIIS_RunHistory.key='{03CB28B8-F9B5-4CFB-8D02-527B55E4A569}-102'", "RunDetails")
' List OutParams
Wscript.Echo "Out Parameters: "
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
Could you please help me to translate it into powershell cmdlets ?
Thanks a lot!!!!!
Hello!
I have working Group objects deletion rule which deletes group objects which has some string in the Display name. I had to delete the manually created group. I have placed it in to the appropriate set which is dedicated for Expiration groups. The Expiration workflow was executed immediately but with code Access denied in Search requests view (The group did not have required string in the Display name).
After that:
It seems that FIM ignores changes I have made - there is no Expiration workflow execution seen in Search requests view after that. How can I force the Expiration Workflow run again?
Thanks!
Hi!
I am syncing user object to a SQL MA. In one field, i need the Managers employeenumber. So i achieved this with a sync rule Parameter as follows:
[//Target/Manager/employeenumber]
Now there are some user object that have no Manager. It is my understanding that i receive the following eventlog error for that reason:
System.ArgumentException: Cannot deference on non-instantiated Attribute Manager
Can someone give me a hint how i can check if a Manager is present and only then select the employeenumber?
I Vision the following:
IIF(ispresent(//Target/Manager),//Target/Manager/employeenumber,"")
Thanks for your time
Martin
Dear All,
apologies in advance if product announcements are not welcome in this forum. I'll keep it short: based on our experiences deploying and integrating FIM CM, we built a cross-browser custom front end for Registration Officers and PKI Admins that offers a simplified UI and a number of additional features such as machine certificate management, signature for processes and mail notification on request denial.
More info at OpenFIM.com, also I'm happy to answer any questions.
Best regards
Nils Loeber
I am trying to copy the three FIM CM service account certificates from the first node and onto the second node of my FIM CM cluster. The service accounts are agent, enragent, kragent and the private keys for their certificates are protected by a Thales HSM.
I have successfully imported the certificates for all three of these accounts. I have successfully re-associated the private key for agent and kragent (using certutil -f -user -repairstore my "cert serial number").
However, when I try this command for the enragent certificate if get the following error:
-------------------------------------------
No key provider information
Cannot find the certificate and private key for decryption
Certutil: -repairstore command FAILED: 0x80090010 (-2146893808)
Certutil: Access denied
---------------------------------------------
When I run certutil -verify my "enragent cert serial number", on the first node it verifies successfully (so we know there is not a problem with the cert or key_mscapi files).
I have re-exported and imported the certificate from the first node
I have re-copied the key_mscapi files from the first node
Unfortunately, repairstore still fails on the second node (I suspect it can't find the key material file(s) even though it has worked successfully for the other two certificates).
Can anyone help please ?
I am currently looking at implementing FIM in an enterprise environment. I am specifically looking at the password management piece. We have numerous mobile users who rarely connect to the corporate network. I am curious what capabilities FIM has for managing passwords and accounts for users who are not connected to the corporate network. For example, I recently read that Hitachi's Password Manager comes with an installer that will launch a GUI to connect to available wi-fi networks and then launch a temp VPN session before the Windows login back to your corporate network. It will then logon with a localadmin account that the password manager software previously created and launch a kiosk mode browser to the self service web portal. At the web portal, the user can answer security questions to reset their network password and unlock their account. Once the network password has been reset, an ActiveX control is launched and updates the locally cached password.
Does FIM have any capability like this? Or would a pre-login VPN and local admin account have to be manually scripted with the credential provider that FIM provides? Any information is appreciated.
I have a list of questions in a file and want them to be displayed for the user registration portal instead of the one's provided out-of-box in FIM.
Is this possible?
Thanks
Experts,
I want to give general user access to create user accounts in FIM however I want account_id/employee-id for such users generated sequentially.
Like xyz1 then xyz2 and so on.
Is it possible to generate sequence in FIM?
Thanks,
Mann
Mayday! Mayday!
A distress signal is being sent out to all past, present and future Gurus!
We need more of your awesomeness!
The TechNet Guru Competitions have become BIG news within Microsoft circles, drawing in more and more departments. Over the last year or so, we have found new and old talent emerging from the community. This is your chance to come out of the shadows of daily grind and take your rightful place in the sun. Come bask in the glory we bestow upon our winners. Build a reputation and promote your own awesomeness to the world (and potential employers).
So bring us your snippets, black holes and revelations. Enlighten us with your factoids and work-arounds. Thrill us with your nifty walk-throughs, overviews and analysis.
Not forgetting Star Wars day!
May the 4th be with you!
All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.
Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!
This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!
HOW TO WIN
1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.
If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!
Winning this award in your favoured technology will help us learn the active members in each community.
Feel free to ask any questions below.
More about TechNet Guru Awards
#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and onlyTechNet Wiki, for future generations to benefit from! You'll never get archived again!
If you are a member of any user groups, please make sure you list them in the
Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.
Experts,
I want to give managers access to create account for new users in FIM Portal.
However manager should be able to select limited number of attributes during creation and update process.
Challenges:-
a - How to create a set of managers?
b - What type of MPRs should I create?
I tries with few MPRs but it works only when i select 'all attributes' when I just select few attributes it does not work and gives me the error
access denied.
Kindly suggest.
Thanks,
Mannn
Experts,
I have installed FIM Portal on two servers. Sharepoint farm but different.
I am able to access FIM Portal on addresses
https://server1.domain.com/identitymanagement
and
https://server2.domain.com/identitymanagement
All works well. Now when i configured NLB and made a common URL https://company/identitymanagement.
https://company/identitymanagement is not accessible. I always keep asking password but does not login.
Kindly suggest.
Thanks,
Mann
Hi,
My FIM 2010 R2 architecture uses 4 servers as follows:
1 x fim server, 1 x fim sql DB (fim service DB), 1 x sync server + fim SQL DB and 1 x SSPR
I have a PowerShell sync scripts running every 5 minutes which take fim portal changes and export those changes to AD.
I've created some PowerShell scripts for removing old run profiles, but am not sure how many run profiles to keep? Reading online I came across one blog post which mentions that Ms recommend no more than 10,000 run profile history entries - about 4 days worth (although I can't find official Ms recommendations).
I'm assuming it's OK, but are there any issues with one script running a run profile at the same time as another script which deletes older run profiles?
On a side note, if anyone has any tips for speeding up fim portal access I'd be glad to hear them - each page in my environment takes about 30 seconds to load, regardless of the number of users connected.
thanks in advance
IT Support/Everything
Hi,
In certain cases, does FIM determine what the Anchor ID is? For example, looking at the AD MA, ADLDS MA or FIM MA, I can not see anything that says 'this is the Anchor ID'.
In a File MA or SQL MA, it seems I can set the Anchor myself.
I currently don't have any more MAs deployed, but are they all different? Do some have preconfigured Anchors and some not? For those that are preconfigured, is there a list somewhere for us to see what they are?
thank you,
SK
Hello,
We have been having issues with FIM Reporting, the ETL Process for some reason seems to be failing, we further drilled down and found that there was a SQL Query running on the SCSM database Server for a very long time.
"CREATE PROCEDURE dbo.[p_GroomManagedEntity] ( @TargetId uniqueidentifier, @RetentionPeriodInMinutes int, @GroomingCriteria nvarchar(max), @BatchSize int ) AS BEGIN DECLARE @LastErr int; DECLARE @RowCount int = 1; DECLARE @TotalRowCount int = 0; DECLARE @RetentionDateTime DATETIME; DECLARE @SelectEntitiesToBeGroomedStmt nvarchar(max); DECLARE @CoreDeleteTypedEntitiesTable TypedManagedEntityType; DECLARE @TimeGenerated DATETIME = getutcdate(); DECLARE @Command nvarchar(MAX) DECLARE @GroomHistoryId bigint DECLARE @Comment nvarchar(max); SET @Command = N'Exec dbo.p_GroomManagedEntity ' + CAST(@TargetId AS nvarchar(40)) + ', ' + CAST(@RetentionPeriodInMinutes AS nvarchar(10)) + ', ' + CAST(@GroomingCriteria AS nvarchar(100)) + ', ' + CAST(@BatchSize AS nvarchar(10)) -- Call the grooming history insert sproc EXEC @LastErr = dbo.p_InternalJobHistoryInsert @Command, @GroomHistoryId OUT IF @LastErr <> 0 GOTO Err; CREATE TABLE #BaseManagedEntitiesToDelete ( BaseManagedEntityId uniqueidentifier ); -- Figure out the retention datetime SELECT @RetentionDateTime = DATEADD(mi, -@RetentionPeriodInMinutes, getutcdate()) -- Execute the grooming filter statement, hence populate the table variable, with "BatchSize" many entities. WHILE (@RowCount > 0) BEGIN INSERT #BaseManagedEntitiesToDelete EXEC sp_executesql @GroomingCriteria, N'@Retention DATETIME,@TargetTypeId uniqueidentifier,@NumOfEntities INT', @Retention = @RetentionDateTime, @TargetTypeId = @TargetId, @NumOfEntities = @BatchSize; SELECT @LastErr = @@ERROR, @RowCount = @@ROWCOUNT; IF @LastErr <> 0 GOTO Err; IF (@RowCount > 0) BEGIN -- Convert the BMEIds to TMEIds. INSERT @CoreDeleteTypedEntitiesTable SELECT TME.TypedManagedEntityId FROM #BaseManagedEntitiesToDelete D JOIN dbo.TypedManagedEntity TME ON D.BaseManagedEntityId = TME.BaseManagedEntityId WHERE TME.IsDeleted = 0; SELECT @LastErr = @@ERROR; IF @LastErr <> 0 GOTO Err; -- Use existing DDP code to delete the instances captured in the temp table. EXEC @LastErr = dbo.p_DDPWrapperForGroomManagedEntity @TimeGenerated, @CoreDeleteTypedEntitiesTable; IF @LastErr <> 0 GOTO Err; TRUNCATE TABLE #BaseManagedEntitiesToDelete; SELECT @LastErr = @@ERROR; IF @LastErr <> 0 GOTO Err; END SET @TotalRowCount = @TotalRowCount + @RowCount; END -- Call the grooming history insert sproc to update status to success SET @Comment = N'BaseManagedEntity: ' + CAST(@TotalRowCount AS nvarchar(10)) EXEC @LastErr = dbo.p_InternalJobHistoryUpdate @GroomHistoryId, 1, @Comment IF @LastErr <> 0 GOTO Err; RETURN 0 Err: -- Call the grooming history insert sproc to update status to failure. SET @Comment = N'BaseManagedEntity: ' + CAST(@TotalRowCount AS nvarchar(10)) EXEC @LastErr = dbo.p_InternalJobHistoryUpdate @GroomHistoryId, 2, @Comment IF @LastErr <> 0 GOTO Err; RETURN 1 END"Can somebody advise on what this query is really about and what is its fuction, we are thinking of killing this query since it has been running for a very long time, will that hamper or cause the database to corrupt.
Rgds,
Abhishek.
The official line is that database mirroring is not a supported architecture for the FIM deployment. I am not proposing using this, however I'd like to understand 1) What the issues really would be with a mirrored database deployment, 2) Will support ever be added for this, and will it come in the form of SQL AlwaysOn?
Really appreciate help and input.
Rgds,
David
