Channel: Forum Microsoft Identity Manager

Placeholder should not be a placeholder


I have at least two connected objects (AD MA) that were moved to an AD container that was not in scope, so they became placeholders. After these changes were synced, the objects were moved back and a full import was performed on the AD MA. The FIM CS still shows these objects in the out-of-scope OU as placeholders even though they are clearly sitting in an in-scope OU. I am also using a declared import filter, and there are other objects that reside in the same OU without issue. The only difference here (that I can tell) is that the good objects (not placeholders) were not moved. Has anyone seen this, and if so, have you been able to fix it?

Thank you!


Paul N Smith


Unique AD username


Hi,

IMHO, it's the most common issue when provisioning users to AD (via FIM) and yet there is nothing out-of-the-box in FIM.

Have found this option, and was wondering if anyone has used this, as I got a few questions: http://uniqueaccountnamefim2010.blogspot.in/

1. The blog talks about creating multiple functions: Option1, Option2, Option3, etc

    So are these 'Options' simply the various username options? And one would need to create quite a few of them to ensure uniqueness.

2. Where does this activity check for username uniqueness? Does it check the FIM Portal, or Active Directory?

3. Our username convention is: 1st letter of firstName+surname+number (if there are conflicts) - limited to 20 characters as I recall for AD username. What would the custom expression be for this?:

  • Option 1: Custom Expression Left(FirstName,1)+Left(LastName,6)
  • Option 2: Custom Expression Left(FirstName,1)+Left(LastName,6)+String(1)
  • Option 3: Custom Expression Left(FirstName,1)+Left(LastName,6)+String(2)
  • etc

4. Will this work with R2's Filter Based Outbound Sync Rules?

Thank you,

SK

PS. Would be nice if the new FIM (MIM) version ships with a 'GenerateUniqueUsername' function :)



FIM 2010 R2 Self Password Reset Portal

I have created a separate lab to test the FIM 2010 R2 Self Password Reset Portal. It has installed successfully, but when clicking on 'Password Registration Portal' it shows 'page cannot be displayed'.


Owner approval request using Distribution List without Exchange Server


1. The owner approval request in DL management is not completed; it is in Authorizing status when checked in Search Requests, and the user will not be a member of the requested DL when the request is sent by an individual owner. However, it works when I am using the service account. We are not using Exchange with FIM for notification. I have also checked Event Viewer and found some errors related to email notification.

i.e. Warning:

WorkflowInstance 'cb25e1ff-4559-4b3f-87bb-47d24e60a87e' could not send mail message in activity 'approvalActivity1.sendApprovalEmail'.

Error:

EmailNotificationDataExchange caught an exception while trying to send an email. The email was not sent. See the trace immediately following for exception contents.

If anyone has any idea, it will be really helpful.

Thanks - Ankit Gupta

Owner Approval in Distribution List Management using smtp server


Can it be possible that we can use owner approval in Distribution List management in the FIM 2010 Portal?

Customer not using Exchange in their environment; we have use another solution for owner approval.

It would be really appreciated if someone can help on this.

Thanks- Ankit Gupta

Extending SharePoint UserProfile Synchronization Service with additional Management Agents


Hi all

Is it allowed (per license?) and technically possible to add other Management Agents to the User Profile Synchronization Service that comes with SharePoint? Can I easily exchange the MetaVerse and/or Management Agent Extensions? Do I run into trouble doing this when I apply SharePoint updates later?

Thanks, Henry  

How to trigger email notification when users fail to give correct answers to reset your password in FIM 2010 R2


Hi,

How to trigger email notification when users fail to give correct answers to reset your password in FIM 2010 R2?

Scenario: I want to put wrong answers to the questions that I was asked during registration; if I give wrong answers to the questions then an email notification should be triggered to users.

Regards

Anil Kumar


Calling AttributeChange.CreateAttributeAdd() on an attribute that does not exist or is not included in an objecttype does not generate a NoSuchAttributeInObjectTypeException


Hi

I'm building ECMA 2.1 agents and I stumbled on a problem. In earlier builds of R2 SP1 like 4.1.3114 you would get a NoSuchAttributeInObjectTypeException if you tried to call csentry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("ATTRNAME","ATTRVALUE")); on an attribute retrieved from the datasource that doesn't exist in the MA or is not selected. This seems to have been changed in build 4.1.3508? I recently upgraded my test environment and a customer's environment, and after that upgrade I no longer get this NoSuchAttributeInObjectTypeException. Instead I am allowed to add this attribute and its value to the csentry, but when the sync engine continues to process this further I get this exception:

The server encountered an unexpected error while performing an operation for a management agent.

 

 "Microsoft.MetadirectoryServices.NoSuchAttributeInObjectTypeException: Attribute "HiddenFromAddressListsEnabled" is not usable with the object type in question.

   at Microsoft.MetadirectoryServices.Impl.Ecma2ConversionServices.AddAttributeToDImage(CDImage* pdimage, String attributeName, AttributeModificationType attributeModificationType, IList`1 attributeValueChanges, Int32 escapeReferenceDNValues)

So now I have no possibility to handle this.....

Does anyone have any thoughts or insight on this? Is this a bug or is there a reason for changing this behaviour? How should we handle this scenario in ECMA code? Even if I would search the schema I have no way of determining if an attribute is selected, or is there?

Regards

Patrik

Reference (DN) type not flowing from a custom MA


Hello!

I have a FIM 2010 setup with an AD management agent that is successfully importing users, contacts, and groups into our Metaverse. It then goes on to export email data to an AD LDS LDAP server. This all works great.

I have created a custom management agent (Extensible Connectivity 2.0) that I am attempting to use to sync contacts from a non-AD source. For the most part this works fine, all the data syncs into the metaverse except for a reference field called Owners.

I am using the Secretary field in AD to track user accounts that own the particular resource. In my custom MA I am able to retrieve the DN for the multi-valued reference field. The data is making it to the connector space but will not sync to the metaverse. No errors are generated but the DN in the reference field becomes a placeholder in the connector space.

Is this because the connector space does not know about the user it is trying to reference since this connector space only has contacts?

Another issue I notice is that the DN in the connector space has all the commas escaped with a backslash '\'. This may be moot if the above question is true, but I think I need to set the field value to a ReferenceType and not a string but haven't figured that part out yet.

Thank you!
Karl

SSPR Asterisk (*) Secret Answers and Allow Users to Pick Optional Questions


Hi,

Is it possible to asterisk out (***) answers to FIM SSPR Registration questions as they're typed?

Also, is it possible to present the user with a single gate of 8 questions but force the users to only have to answer 3 questions on a single registration screen? I don't want to force the user to jump through multiple gates or screens.

Thanks

use imported attribute to reference different meta data for export


Our HR system only provides the three-letter country code and I would like to export to AD the two-letter country code and the spelled-out country name.

Maybe someone can provide the best way to do this. Some questions I have had around trying to solve this are:

Can you have a connector space object joined to multiple metaverse objects? A one-to-many relationship?

Could I create a new object_type country and have the person reference the country metaverse object?

I'm trying to avoid adding more code; let me know if there is a way to configure what I am trying to do either in the sync engine or the FIM portal.

Thank You!

Edit: if it is helpful, I have no problem importing the ISO-3166 data from a source like http://opengeocode.org/download/countrynames.txt into FIM.


ADLDS MA & SSL Connectivity for PCNS


Hi,

According to TechNet, ADLDS requires that you set up a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection between the client and server when you set passwords (http://technet.microsoft.com/en-us/library/jj590329%28v=ws.10%29.aspx).

However, we are using PCNS to sync AD passwords to an ADLDS instance (via ADLDS MA), and even though we have not configured SSL on ADLDS and the ADLDS MA connects on TCP:389 - password syncs are working.

Isn't this contradictory to the Technet statement above?

Additionally, if we need SSL certs and since we may need to update multiple DNs on the same ADLDS instance, does ADLDS support wildcard certificates?

Thank you,

SK


AD attributes and passwords not setting correctly


I am running FIM 2010 R2 build 4.1.3479.0 with AD servers at 2008 forest level.  I have set up the ADMA for staff to set passwords and the userprincipalname attribute (among others).  I have custom code in the MVextension.dll that does this.  I am having two issues going on that I believe to be related somehow.  

1) These initial passwords are not being set and

2) Although the userPrincipalName attribute is set correctly when you look in ADUC on the "Attribute Editor" tab, it is not being displayed correctly on the "Account" tab. The User logon name and the UPN suffix fields are blank. The pre-Win2k fields are displaying correctly.

I have done a lot of work trying to figure out what is going on here and I have checked that there are no issues with rights in AD and the code.  I have another ADMA that populates a different set of users in another OU and that fills out the UPN and password and everything works as it should.  The code differences between the two areas are very minimal.

The code for this is as follows:

    // Build the UPN from the metaverse account name plus the configured suffix.
    csentry["userPrincipalName"].StringValue = mventry["accountName"].StringValue + emailExtension;

    // Use the initial password from the metaverse when present; otherwise generate one.
    if (mventry["CPIT_InitialPassword"].IsPresent)
    {
        csentry["unicodePwd"].StringValue = mventry["CPIT_InitialPassword"].StringValue; // defaultPassword;
    }
    else
    {
        csentry["unicodePwd"].StringValue = Custom_Extensions.Custom_Extensions.GenerateRandomPassword();
    }

Any ideas what to look at to try and figure out what the heck is going on would be really helpful please!

Thanks

Erica


Error resolving Domain Name when user try to reset password from Self-Service Password Reset


Hi Guys,

One of my users is having the following error when trying to reset their password using the FIM Self-Service Password Reset Portal.

Access Denied

Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)

Go to Self-Service Password Reset home page

Details:

Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.AccessDeniedException: The FIM Password Reset Portal encountered an error while resolving Domain Namebac.cde@y7mail.com Web Portal: FIM Password Reset Portal Session Id: ocwfst441so3445knch2a89 IP Address: XXX.XXXX.XXX.XXX at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.NameResolutionUtilities.ParseDomainUsername(String identityName, String& domain, String& username) at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint

Does anybody have any idea when this is happening with one user while working fine with others?

Regards
Sarwar




FIM Portal RCDC Change Postcode based on Address


Hi,

I'd like to allow users the ability to pick their address from an RCDC control with drop-down values - straightforward enough; however, I'd also like the ability for users to be able to automatically have the correct post code selected.

Let's say address 1 = "10 Downing Street" with post code "ABC 123", then as soon as someone enters 10 Downing Street, the correct postcode is populated - is this possible without writing a custom UI?

Thanks

Integrating companies - single mv object or multiple?


We are in the beginning stages of integrating a new company we purchased. I want to add their AD into our FIM implementation and am trying to decide the best way to do this.

  • We will have a single, consolidated HR source. 
  • We have a single AD forest; they have three (3).
  • Most users will have a single ID, in one of the four (4) forests, but there will be some users with an ID in more than one.
  • Initially, at least, I will only be doing IAF from their forests, but might later do EAF. Doing provisioning is also possible, further down the road.

My primary question is: should I use the default 'person' MV object for everyone or should I clone the 'person' object, creating a new one for users in their forest(s)?  If the latter, do I create a 'person' object per forest?

Eventually, we will be doing an AD consolidation into a single forest, in case that makes a difference.

Just looking for opinions.


Ed Bell - Specialist, Network Services, Convergys

FIMMA di/ ds getting stuck

For some reason, FIMMA di or ds is getting stuck. During this time period, the password change is also not working. We have to do a FIM sync service or server restart to get the di or ds working. Any idea why this is happening? Also, is there a way that we can track FIMMA di running for a longer time (more than 5 mins or so)?

Create Set with Access Denied with filter permissions correct


I am standing up a FIM lab and need to create a set. I'm logged in as an administrator and the attribute I want to use in the SET's filter is "HR Effective Status." I give the set a name, create the filter with the HR Effective Status attribute and view the members with no problems. However, when I click the submit button, I get an access denied error (see screen shot). Prior to creating the set, I had added this HR Effective Status attribute to both the Filter permission objects (Administration-->All Resources-->Filter Permission), but this does not seem to be the problem. Both MPRs that are kicked off seem to be set properly too. Any ideas on what the problem might be?

Thank you in advance for any help!

 

 

 

export to sql - splitting a string


In FIM, I have a department string attribute in the format deptNumber(space)|(space)deptName.

Example: 78596 | IT

In exporting the data to a SQL table, I need to split the value into two different attributes, deptNumber and deptName. I guess I have to do MV coding. Can someone help me with how to do this through code, please?
