Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

Oracle Internet Directory Management Agent


We have created an LDAP XMA in our environment. When we run a full import to get the user from OID to FIM, we get an "unmappable object -type" error, as shown in the screenshot below.

Any help would be appreciated.

Thanks,

Rakesh 


Email notification to admin when account is deprovisioned or disabled


Hi Guys,

I am trying to set an email notification to Admin when account is deprovisioned from SQL or disabled in AD either through Rule Extension or Sync Rule. Any solution will be helpful.

Regards


Sarwar

FIM 2010 Sync not running with status "Stopped-extension-dll-exception"


We are getting the following error for all our extensions when trying to run the Sync Operations. All extensions have similar errors with event ID 6159 generated in the application event log. They all started occurring after I deleted an attribute flow rule in one of the agents. This is happening in Production and we are facing a lot of other issues because of this.

The management agent "Peoplesoft" failed on run profile "Full Import Full Synch" because of a problem with the initialize method on the extension object. The extension dll is "PeoplesoftExtension.dll" and the stack trace is:

Microsoft.MetadirectoryServices.UnexpectedDataException: String or binary data would be truncated.
The statement has been terminated.
   at Mms_ManagementAgent_PeoplesoftExtension.ExtFunctions.RunSQLCommand(String commandstring)
   at Mms_ManagementAgent_PeoplesoftExtension.ExtFunctions.AddSentEmailsRecord(String sAMAccountName, String MessageSubject, String MessageBody, Int16 DelayDays)
   at Mms_ManagementAgent_PeoplesoftExtension.ExtFunctions.CheckDoNotDisableInactiveGroup()
   at Mms_ManagementAgent_PeoplesoftExtension.ExtFunctions.LoadConfigSettings()
   at Mms_ManagementAgent_PeoplesoftExtension.ExtFunctions.InitializeCommon()
   at Mms_ManagementAgent_PeoplesoftExtension.MAExtensionObject.Initialize()

Please advise on how to fix this as I have no clue where to start and am new to FIM.

Only Full Import(Staging ONLY) is successful.




Please Help Me !!! I want to Reference about "FIM can set time for update data from Database to FIM"


I know that FIM 2010 can set a time for updating or manually synchronizing data, but I want a web page to reference for this.

Please help me if you know where the link is.

Setting SPN for FIM Portal


Experts,

We set the SPN for HTTP requests, like setspn http/servername domain\account.

Do we also need to set an SPN for HTTPS requests? Kindly suggest.

Thanks,

Mann

FIMSynchronizationService restarting after a WMI call


Is there a way to stop the FIM Synchronization service from auto-starting when it's queried by WMI? I'm working on an MA scheduling application. When I test stopping the service while remotely invoking the WMI MA execute method via my app, the sync service stops and immediately starts again. I can run an MA on the server manually and stop the service without problems. It seems that WMI calls directed at FIM cause the sync service to start if it's not. I can disable the service before stopping it, but that's not really what I'm after.

PCNS Support for 2012 R2 Domain Controllers


Is this supported?

Does anybody have this working today?

Does the functional level of the forest affect anything with FIM?

Any help is appreciated.

Thanks


Joe Stepongzi - Identity Management Consultant ilmXframework.codeplex.com


Søren Granfeldt PowerShell MA Export


Hello everyone!

I have the following strange behavior with Søren Granfeldt PowerShell MA on Export:

I am using CSEntryChange objects on Export, so I want to determine only changed values in multivalue attributes.

Here is the example of export:

To display changed values in the debug file I am using the following PowerShell code:

    $atrChng = $_.ChangedAttributeNames
    foreach ($can in $atrChng)
    {
        "Name: $can" | Out-File $DebugFile -Append
        foreach ($ValueChange in $_.AttributeChanges[$can].ValueChanges)
        {
             $val = $ValueChange.Value
             $valmodt = $ValueChange.ModificationType
             "Value: $val $valmodt " | Out-File $DebugFile -Append
        }
    }

In my debug file I have the following result:

Name: members
Value: u6000041 Add 
Value: u6000042 Add 
Value: u6000048 Add 

This means that all attributes, even those that have not been changed, are displayed as added attributes.

I have an idea that this behavior is because of the Object Replacement type export of this MA. If I am right, does this mean that there is no way for me to get only changed values instead of sorting through all of them? In my case I should know exactly which values changed, to execute the target system API functions AddUserToGroup() or DeleteUserFromGroup() for each.

The other option is that I am doing something wrong :)

Thanks in advance for any help!

Use Granfeldt's Create Object to create dynamic groups


Trying to use Søren Granfeldt's Create Object WF activity to create dynamic groups.

In a standard function evaluator activity I generate the Filter as [//WorkflowData/Filter]
The "string" I set it to is:
<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[ObjectID = /*[ObjectID = '8dfcb5e8-ff01-400c-8ca7-2a0002d2d2d4']/ComputedMember]</Filter>

In the CreateObject activity I then just have [//WorkflowData/Filter],Filter among the initial values.

The creation works if I remove this attribute, so the rest of the attributes seem to be working.

The creation fails, however, and I get the error below in the Forefront Identity Manager event log.

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.ResourceManagement.WFActivities.Resolver.GetDisplayStringFromGuid(Guid id, String[] expansionAttributes)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceGuidWithTemplatedString(Match m)
   at System.Text.RegularExpressions.RegexReplacement.Replace(MatchEvaluator evaluator, Regex regex, String input, Int32 count, Int32 startat)
   at System.Text.RegularExpressions.Regex.Replace(String input, MatchEvaluator evaluator)
   at Microsoft.ResourceManagement.WFActivities.Resolver.GetStringAttributeValue(Object attribute)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorWithoutAntiXSS(String match, ResolverOptions resolveOptions)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorForWithAntiXSS(String match, ResolverOptions resolveOptions)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceMatches(String input, Boolean useAntiXssEncoding, ResolverOptions resolveOptions)
   at Microsoft.ResourceManagement.Workflow.Hosting.ResolverEvaluationServiceImpl.ResolveLookupGrammar(Guid requestId, Guid targetId, Guid actorId, Dictionary`2 workflowDictionary, Boolean encodeForHTML, String expression)
   at Microsoft.ResourceManagement.Workflow.Activities.ResolveGrammarActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()

Has anyone used this WF activity to create dynamic groups and can tell how to set the Filter?

"STOPPED ENTRY EXPORT ERROR" WHILE DOING AD EXPORT


Hi Everyone,

I am unable to do an AD export; it is showing a "Stopped entry export error", due to which it is unable to reflect any updates in AD. I have checked the Connector Space of the ADMA and the required attributes are present, but there is a problem while doing the export.

The major issue I can see is that the home drive path shown in the Connector Space is not getting reflected in AD.

Kindly help; your response is highly appreciated.

Thanks,

Aman Khanna

Flow Error for FIMMA Full Sync


Hi,

We do have a FIM 2010 R2 (4.1.3496.0) over here and are trying to get our users and groups to the MV.

The first step was successful, we got all our users, then we proceeded with the next step (group sync):

http://social.technet.microsoft.com/wiki/contents/articles/649.how-do-i-synchronize-groups-from-active-directory-domain-services-to-fim.aspx#Creating_the_management_agents

Now we get an error at the "init your environment" step while running the FIMMA full sync.

Error: sync-rule-scoping-filter-invalid-xml

Synch Rule Error: Could not infer the type from the attribute referened in <csAttribute>. Please verify that it is defined in the schema and has a supported type.

By using preview I have the following on "Join and Projection"

I tried to get back to the previous state, but was not successful ...

P.S. I tried to update the schema, no changes...

Any hint would be helpful!

Best regards

Chris

SSPR with OTP Email is not working


Hi Everyone,

I am facing an issue with FIM SSPR OTP email in one of my FIM deployments. First of all, I will explain the environment:

We have two different types of users: for one type of users we need QA Gate based password reset, and for the other set of users we need OTP email based password reset.

NOTE: FIM Portal, Service & SSPR are in HA.

The approach I have followed:

1) For QA type users, I kept the one default "Anonymous User Can reset their Password", in target resources selected "Specific Set for those Users", and in requester I kept "Anonymous User".

2) For OTP mail type users, I created a new MPR and Password Auth Workflow (Read Only OTP Activity) and Action workflow (Active Directory Password Reset Activity). In the MPR, in target resources I selected "Set for this Type Of Users", and in requester I kept "Anonymous User".

This approach was working in my personal test lab, which was not in HA. But now, in HA, QA based password reset is working fine and OTP based password reset is throwing an error. I am getting the OTP mail, but after entering the reset password, my process is unable to complete successfully. On the FIM Portal, in search requests, this request is getting PostProcessingError. The request states that "The Workflow instance ****** encountered an internal error during processing", and in applied policies it shows the MPR which I created.

Please help. 


If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu

Service Account for FIM 2010 R2 Installation.


Hi,

I have already installed and configured all settings in FIM 2010 R2 with the following accounts and all is working fine.

fimsyncservice,FIMService,FIMMA,FIMPassword,Adma,fimsharepoint

But now, for our naming convention, I want to change my service account names, so I want to know whether we can change these service account names without uninstalling the FIM 2010 R2 components, and whether that will take effect or not. If not, where do I change these service account names in the configuration files manually?

Regards

Anil Kumar

FIM Sync EventID 6313: Unable to Load Performance Counters for Management Agent


This error is flooding my event log and I want to know why.

I know there is a solution to this problem, see: http://social.technet.microsoft.com/wiki/contents/articles/16631.troubleshooting-fim-sync-eventid-6313-unable-to-load-performance-counters-for-management-agent.aspx

There are also two other topics on this forum concerning the error-event:
http://social.technet.microsoft.com/Forums/en-US/ad9dd388-c9fe-4542-b833-e4c73c2015c5/performance-counters-will-not-be-available-for-this-management-agent?forum=ilm2

http://social.technet.microsoft.com/Forums/en-US/dce5a19a-61db-4022-9414-c8f461ad0843/how-to-restore-fim-sync-service-performance-counters?forum=ilm2

I want to know the root cause of this problem and why all of a sudden it started to flood my event log. Does anyone here have more insight into this problem?

Peace.


User Management with IDM


I am implementing an IDM solution from another vendor. The consultant is telling me that all user group management must now be accomplished with the IDM solution. And if group membership is changed with another method (ADUC or PowerShell), it will be overwritten by IDM upon the next change within IDM. The app wants to lead now that it is in place.

I find real issue with this. I am loath to give up PowerShell and ADUC. Is this true? Do all IDM solutions require you to use them for all ongoing user management? Note: I am talking about group management mostly, not every possible aspect of user management.

Is this how FIM works?

Thanks,

Paul

New attribute in group object


Team,

I need to extend the schema of the group object in the metaverse and also in the FIMService DB.
I added it to the metaverse and I am able to update the attribute coming from a SQL source. However, I am not able to send the export to the FIM Service MA.

I created the attribute with the same name in the metaverse and FIM Service. The new attribute is bound to the group object in FIM Service. I defined the mapping
in the FIM Service MA also.

Can anyone suggest? Is this some MPR permission issue?

Thanks,
Mann

FIM client causes SSPR portal page to pop up when users login


Hi,

The FIM 2010 R2 client has been deployed by SCCM to 100 users. About 10% of our users claim that post client install, once they've logged into Windows, IE automatically pops up and opens the SSP Registration page. Upon registering, the users never have the IE prompt again. The FIM client was installed with the default options only for SSPR, not the Outlook plugin.

Can someone point me in the right direction for turning these automatic registration pop-ups off?

Thanks


FIM WMI Query

Hi,

I am trying to query WMI and want to generate a report for the users having errors. When I query the run history, it is not showing the details of the user. How would I populate these fields?

Is there a way to check? I have tried to search the SQL table with MAGuid, but so far no go for me.

PS C:\Users\Administrator> $FIMRunHistory = get-wmiobject -Namespace "root\MicrosoftIdentityIntegrationServer" -class "MIIS_RunHistory"

PS C:\Users\Administrator> $FIMRunHistory

__GENUS          : 2
__CLASS          : MIIS_RunHistory
__SUPERCLASS     :
__DYNASTY        : MIIS_RunHistory
__RELPATH        : MIIS_RunHistory.key="{310C94DE-BC32-4A8D-859B-8E050FD8C798}-68"
__PROPERTY_COUNT : 8
__DERIVATION     : {}
__SERVER         : WIN-D4KM7QJQBST
__NAMESPACE      : root\MicrosoftIdentityIntegrationServer
__PATH           : \\WIN-D4KM7QJQBST\root\MicrosoftIdentityIntegrationServer:MIIS_RunHistory.key="{310C94DE-BC32-4A8D-8
                   59B-8E050FD8C798}-68"
key              : {310C94DE-BC32-4A8D-859B-8E050FD8C798}-68
MaGuid           : {310C94DE-BC32-4A8D-859B-8E050FD8C798}
MaName           : HRMA
RunEndTime       : 2014-06-29 11:15:19.757
RunNumber        : 68
RunProfile       : FullSync
RunStartTime     : 2014-06-29 11:15:18.887
RunStatus        : completed-sync-errors

Thanks and Regards,
Anirban Singha(Bangalore)

Disable AD account if inactive for a period of time


Hi,

It's easy to find a PowerShell script to disable an AD account that has been inactive for a given period of time.

However, just trying to figure out how this would work with a typical FIM deployment, where HR is authoritative for user data which is provisioned to AD via FIM. If we were to implement a daily "look for inactive users and disable them and move them to disabled OU" AD PowerShell script, we effectively would make AD authoritative for these values - DN & userAccountControl?

At the moment DN is determined by "location" values in HR, and userAccountControl by employeeStatus values in HR.

With equal precedence being deprecated, just wondering if anyone has had a similar scenario, and how you have dealt with it?

thank you,

sk

