Channel: Forum Microsoft Identity Manager

FIMMA export is showing failed creation via web services

Hi Everyone,

With one of my client's FIM boxes I am facing an issue while trying to create a new user account on the FIM Portal. It is showing the following error:



Please suggest !!!!!


If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu


FIMMA export is showing failed creation via web services

Hi Everyone,

With one of my client's FIM boxes I am facing an error while trying to create new users on the FIM Portal via the source. User deletion and modification are fine, but creation is not working and throws the following error:

Please help !!!!!!


If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu

FIM 2010 R2 Full Sync on FIM MA gives lots of unexpected errors

Hi,

We recently upgraded to FIM 2010 R2 SP1 and after upgrading, ran a Full Import, Full Sync on FIM MA.

Most of the objects in the metaverse have 3 sync rules in the EREs. When we did the Full Sync on FIM MA after upgrading to SP1, it gave us a lot of errors "ma-extension-error". On clicking on the error, we can see that 1 of the sync rules in the ERE is now failing to apply because one of the attributes it must export to the connected data source is null. This is correct behaviour.

However, the Full Sync is also changing the status of the other 2 sync rules from "Applied" to "Not Applied", even though those two have nothing to do with the attribute that is missing for the 3rd sync rule.

We did not have this behaviour in the previous installation of FIM 2010.

Can anyone shed some light on this? We performed an "in-place" upgrade to FIM 2010 R2 SP1.

Any tips/help would be greatly appreciated. 

RemoveMembers.aspx search scope

Hey people!

Does anybody know if RemoveMembers.aspx uses a Search Scope to display members? I want to limit the view of members based on a user's organization reference, but I'm starting to think it's hard-coded somewhere.

Thanks

/Remi


Regards, Remi www.iamblogg.com

SSPR Email Notification

I had the SSPR working fine, and now I wanted to add a notification for the user after the password was reset. I have followed this:

http://social.technet.microsoft.com/forums/forefront/en-US/1ac1f8e4-d8d5-4672-aa58-d6db869e88dc/sspr-email-notification

I have now added a notification step under the Password Reset Action Workflow, and I am getting the error below:

Requestor: urn:uuid:b0b36673-d43b-4cfa-a7a2-aff14fd90522
Correlation Identifier: f542ab53-73b0-4cf1-9d74-f270812caa57
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> Unable to retrieve a workflow instance with the specified identifier 'f67bc2b4-dadb-499a-9cac-387402e147fc'.
   --- End of inner exception stack trace ---

Can anyone help ?



Hany George | Consultant | IDC S.p.A | MCITP: Lync Server | MCITP: Exchange 2010 | MCTS: OCS | Blog: http://dusk1911.wordpress.com/ | If this post has been useful please click the green arrow to the left or click Propose as answer

General Product Information

I'd like to know if FIM can be used to monitor and manage service accounts that are spread worldwide over member servers, or if domain membership is required for the usage of FIM.

We'd like to manage the following:

  • SQL Logins.
  • SharePoint credentials.
  • Local user/service accounts.

As well as domain user administration.

Best regards.


Infrastructure Management Sr. Analyst | MCSA Windows Server 2012

System Center Configuration Manager and FIM

I am looking for a way to send an email notification to the users that have a laptop.

The laptop information exists in "System Center Configuration Manager", but I don't know how to integrate that with FIM to get the user list so I can use FIM to send them the notification.

Any Ideas, 

Thanks

 

CSV file for users who have one-time password email address

Hi Guys,

I am trying to extract the list of users who have one-time password email address in FIM or users who have registered with one-time password reset authentication workflow. I need to get their email addresses in CSV file.

Regards
Sarwar


Sarwar



Office 365 SharePoint Online

Hi,

I have a client that has multiple Active Directory Forests and they have a single Office 365 Tenant. They want for the other Active Forests to be able to access their SharePoint online sites on their Office 365 Tenant.

They already have ADFS 2.0 and Dirsync in place. Is it just a case of setting up Active Directory Forests Trusts or do I need to deploy FIM 2010?

I would very much appreciate all help regarding this.

Thank you.

Matching HR and AD records on 2 attributes, then modify the join attribute?

Hi,

We are introducing FIM into an environment consisting of an HR system and AD, with not so happy data. I know that data integrity is key, but there are people above that want some results....so....

The only match between the existing HR and AD data we can find is the 'firstname' & 'surname' attributes. Let's assume for now that there are no duplicate 'firstname' & 'surname' attributes in HR and AD...could we join the records on the 2 attributes 'firstname' & 'surname'?

Once the records are joined, we would then flow the 'employeeID' attribute from HR to AD.

Could we then remove the 'firstname' & 'surname' join rule and replace it with 'employeeID' attribute join rule?

Thank you,

SK


FIM - Password change notification target could not be authenticated.

Hi Team,

I know that this issue has been reported a few times but none of them helped me resolve the problem. Please let me know if I missed anything.

I have cross domain and forest structure. Domain A and Domain B (both with single DC and in separate forest). FIM is installed in Domain B. Domain A is the source for password changes.

I followed the steps below to set up PCNS, referring to http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

1. Installed PCNS on Domain A.
2. Enabled the verbose logging on FIM sync in Domain B and AD in Domain A.
3. Ensured the clock is in Sync on all the servers
4. Name resolution is working fine from Domain A to B and vice versa.
5. There is no firewall between the servers.
6. Account used in Target MA has account operators + reset password rights
7. PCNScfg list shows following result.
Targets
  Target Name...........: fim-labmachine
  Target GUID...........: 3BA26260-4537-4B84-BAD3-B045F6SDERAD
  Server FQDN or Address: fim-labmachine.b.com
  Service Principal Name: PCNSCLNT/fim-labmachine.B.com
  Authentication Service: Kerberos
  Inclusion Group Name..: B\Domain Users
  Exclusion Group Name..: B\Domain Admins
  Keep Alive Interval...: 600 seconds
  User Name Format......: 1
  Queue Warning Level...: 20
  Queue Warning Interval: 60 minutes
  Disabled..............: False

8. SETSPN -L for FIM Sync service account gives following result.
        PCNSCLNT/fim-labmachine.goglab.com
9. Password synchronization is enabled in FIMSync
10. Ensured that there is no duplicate SPNs
10. Password source sync is enabled on source and destination as per the figure in the above-mentioned article.
11. Though I don't think it was necessary but I have created one way external trust where Domain B trusts accounts from Domain A. It's validated and working fine.
12. Also increased the "KdcWaitTime" to 60 seconds
13. Forest and Domain functional level for both the domains is same.
14. PCNS is installed only in Source AD

Error:
Password Change Notification Service received an RPC exception attempting to deliver a notification. 
The password change notification target could not be authenticated.
.
.
0x00000721 - A security package specific error occurred.
.
.
Status is -2146893053 - The specified target is unknown or unreachable.
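
An added example, not part of the original post: a small Python check that parses text in the shape of the `pcnscfg list` and `setspn -L` listings above and reports any PCNS target whose configured Service Principal Name is not registered on the service account. The host names, account name and function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of `pcnscfg list` output (host names are made up).
PCNSCFG_LIST = """\
Targets
  Target Name...........: sync01
  Service Principal Name: PCNSCLNT/sync01.b.example

  Target Name...........: sync02
  Service Principal Name: PCNSCLNT/sync02.b.example
"""

# Constructed sample in the shape of `setspn -L <service account>` output.
SETSPN_L = """\
Registered ServicePrincipalNames for CN=svc-fimsync,CN=Users,DC=b,DC=example:
        PCNSCLNT/SYNC01.b.example
        PCNSCLNT/sync02.lab.example
"""

# "Label.....: value" lines; the label itself contains no dots or colons.
FIELD = re.compile(r"^\s*([^.:]+?)\.*:\s*(.*)$")

def parse_targets(text):
    """Return one dict per target, keyed by the labels pcnscfg prints."""
    targets = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Target Name":
            targets.append({})
        if targets:
            targets[-1][key] = value
    return targets

def parse_registered_spns(text):
    """SPNs listed by setspn -L, lower-cased because SPN comparison ignores case."""
    return {line.strip().lower() for line in text.splitlines()
            if "/" in line and not line.startswith("Registered")}

def unregistered_targets(pcnscfg_text, setspn_text):
    """Names of targets whose configured SPN is missing from the account."""
    registered = parse_registered_spns(setspn_text)
    return [t["Target Name"] for t in parse_targets(pcnscfg_text)
            if t.get("Service Principal Name", "").lower() not in registered]

if __name__ == "__main__":
    for name in unregistered_targets(PCNSCFG_LIST, SETSPN_L):
        print(f"{name}: configured SPN is not registered on the service account")
```
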

Migrating from IIFP + Exchange 2003 to FIM + EXchange 2010

Hello Everyone,

I hope you can help me figure something out.

I had an IIFP GalSync synchronising users and contacts between 2 Exchange 2003 environments, and now I would like to switch to FIM 2010 and Exchange 2010.

From what I tried, just exporting and importing the IIFP configuration to FIM 2010 works, but from what I know Exchange 2003 is provisioned through VB code and Exchange tools, and Exchange 2010 through remote PowerShell. Is there anything to change in the original GalSync extension code to enable Exchange 2010 provisioning?

thanks !!


Hitch Bardawil

Move from Trial to Full version

Have the FIM trial installed. Using it to migrate accounts from one Domain to Another. 

We purchased the Full version.

How can I move from Trial to Full? Any docs on this? I need to make sure nothing happens to the migration or I go on the unemployment line :)

FIM directory sync vs scripts

Hi

I'd like to get some feedback from those who have used this product before. We are investigating synchronising from 5 authoritative ADDS instances to a single AD LDS instance. I have demo'ed FIM and see some value in how it handles duplicates, reporting and so on. What we are after is simply a common LDAP directory that we can point applications to for basic contact information.

Now FIM comes at a cost of around 18USD per CAL which isn't extortionate but also not cheap.  For you experts out there, what are some of the reasons one would motivate for using a tool like this versus ADSI scripts?

Cannot create FIM Service MA - Failure to retrieve schema error keeps popping up

Hi,

I am trying to create the FIM Service Management Agent and it's failing every time. The message "Failed to retrieve schema" keeps popping up. The error I get is as follows:

mscorlib: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://fim01:5725/ResourceManagementService/MEX that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond fim01:5725

   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

   --- End of inner exception stack trace ---

   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)

   at System.Net.HttpWebRequest.GetRequestStream()

   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()

   --- End of inner exception stack trace ---

Server stack trace:

   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()

   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)

   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)

   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

   at System.ServiceModel.Description.IMetadataExchange.Get(Message request)

   at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)

   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()

   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.get_Instance()

   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.get_SchemaManager()

   at MIIS.ManagementAgent.RavenMA.DoGetColumnInformation()

Please assist on how to get past this error.

With thanks.


Obtaining ECMA 2.2 MA

Hey all,

I'm trying to find the ECMA 2.2 MA. I thought it was part of one of the hotfixes. I downloaded the 3441 and 3508 hotfixes and installed the parts of 3508 that would run. The FIMService msp installed without error. The FIMSyncService ran, but returned an error related to not having enough permissions to set WMI. I can type the detailed error message, if that's relevant.

The remainder of the msp files in the hotfix wouldn't install. I got a Windows Installer error suggesting that my computer does not have the correct upgrade patch.

I'm not sure if any of these messages are relevant to my issue, but that was my experience.

So, is the ECMA 2.2 MA included in that hotfix? If not, where do I get that?

Thanks in advance

Greg

Exchange shared mailbox provisioning

With FIM 2010 R2 and Exchange 2010, Is it possible to provision/de-provision shared mailboxes?

IFF Condition against employeeType

Dear Friends,

I am facing a strange issue in an outbound Sync rule for provisioning users in AD. I have set the following two conditions to create users in two different OUs; however, only the first condition works and the second doesn't. There is no error message, both OUs are checked in the ADMA container, and the same required permissions are assigned.

IFF(CustomExpression(Eq(employeeType,"Full Time Employee")),(CustomExpression "CN="+accountName+",OU=Employee,DC=dev,DC=local"),(CustomExpression(Null()))+IFF(CustomExpression(Eq(employeeType,"Contractor")),(CustomExpression("CN="+accountName+",OU=Contractor,DC=dev,DC=local"),(CustomExpression(Null())

I have created through the GUI options and the details are as follow:

1.
Function
Function name
IFF
condition:Boolean
Eq(employeeType,"Full Time Employee")
ValueTrue:Object
"CN="+accountName+",OU=Employee,DC=dev,DC=local"
ValueFalse:Object
Null()

2.
Function

Function name
IFF
condition:Boolean
Eq(employeeType,"Contractor")
ValueTrue:Object
"CN="+accountName+",OU=Contractor,DC=dev,DC=local"
ValueFalse:Object
Null()

Regards
Sarwar


Sarwar


'Service Not Available' on Fim Portal

I've had a go at setting FIM up (all on a single server), and the portal doesn't work from remote machines. It works on the server though, which leads me to believe I've made some sort of error with the SPNs or delegation which is affecting Kerberos? It displays the following error:

'Service Not Available'

I've used the following accounts

SA-FimSync -Synchronisation account (runs 'Forefront Identity Manager Synchronisation Service')

SA-FimService - Mail-enabled service account for FIM (runs 'Forefront Identity Manager Service')

SA-FimAgent -Agent account.

SA-SharePoint - Runs SharePoint app pool for the portal.

I've configured the following SPN's:

setspn -S FIMService/FIMService.local.mydomain.sch.uk ATS\SA-FimService
setspn -S FIMService/FIMService ATS\SA-FimService
setspn -S HTTP/FIMPortal.local.mydomain.sch.uk ATS\SA-SharePoint
setspn -S HTTP/FIMPortal ATS\SA-SharePoint
setspn -S HTTP/PWReg.local.mydomain.sch.uk ats

and have the following DNS records all pointing to the same server:

FIMservice

Fimportal

PwReg

PwReset

The delegation is set to:

ATS\SA-SharePoint to ATS\SA-FimService

ATS\SA-FimService to ATS\SA-FimService

I'm really not sure where to look next to solve this issue and would appreciate any guidance.

Where is the FIM Automation Powershell Module?

Hi,

TechNet describes everything about this FIM Automation Module, except whether it's part of FIM or whether one has to download it, and from where. Also, is it run from the FIM Sync or Portal server?

Here's the link:  http://technet.microsoft.com/en-us/library/ff394179.aspx

Thanks,

SK
