Channel: Forum Microsoft Identity Manager

Sync rules saying '' is not a valid attribute when custom expression contains a string with comma


Hi all,

I feel like I must be missing something obvious, but I have a CustomExpression sync rule that looks like this:

IIF(IsPresent(staff_title),UpperCase(staff_surname)+" "+staff_knownas+" ("+staff_title+")",UpperCase(staff_surname)+", "+staff_knownas)

FIM won't let me save it - it says '' is not a valid attribute.

If I change the rule to:

IIF(IsPresent(staff_title),UpperCase(staff_surname)+" "+staff_knownas+" ("+staff_title+")",UpperCase(staff_surname)+" "+staff_knownas)

It works fine.  I've tried lots of other characters; full stops, hyphens all work fine.  But the comma breaks it.  A colleague suggested flowing statically the comma to every user as an attribute and referring to the attribute name, but surely that's not a good workaround.

Please tell me I'm doing something stupid!

Thanks,

Paul.


Rename of FIM Security Groups


Hi,

While installing FIM, 5 security groups need to be created in Active Directory. Do these five groups need to be created the same as mentioned in the FIM documents?

FIMSyncAdmins
FIMSyncOperators
FIMSyncJoiners
FIMSyncBrowse
FIMSyncPasswordSet

Can we add any word as a prefix or suffix to the above groups to follow the naming convention?

Like FIMGroup-FIMSyncAdmins-abc. Will there be an impact if we rename the 5 security groups before installation of FIM?

Can we rename the security groups after installation and again run the FIM setup to replicate the new security groups?

Thanks

Harry

 

ECMA Import Logic

I have an ECMA that uses an AVP file. The file contains a comma-delimited string that needs to be imported to a multivalue string in the connector space. Is there a format that the ECMA needs the string to be in to recognize that it is a multivalue string, or is there any logic I can run on that attribute during the import?

The version of OLE on the client and server machines does not match. (Exception from HRESULT: 0x80010110)


Good Morning,

I installed FIM CM 2010 R2 SP1 on Windows Server 2008 R2 Enterprise SP1 64-bit. I created some profile templates, and if I try to execute a request on the FIM CM server, it works, but not on a Windows 7 Enterprise SP1 64-bit client.

I always receive the following error:

The version of OLE on the client and server machines does not match. (Exception from HRESULT: 0x80010110).

I tried to execute requests with different kinds of users, but they don't work on the client machine.

Could you help me in order to resolve this issue?

Best regards

Group membership alterations timeout


Hello,

I've imported about 100 security groups with their members from AD to FIM and have altered precedence so that FIM now manages these groups. I want to change the groups to criteria based membership and have successfully done so in a number of cases, however I am finding that groups with more than apx. 700 members are causing an error in the portal.

Event viewer says that the diagnostic log may contain more information but it does not. It also suggests checking the SharePoint log but unfortunately I have been unable to find an appropriate log.

I've had this error occur before in similar circumstances and my guess is that there is some sort of timeout cancelling the operation.

Does anyone know of a fix for this? Is there a way to empty the group memberships?

Many thanks 

Portal error:

"Unable to process your request. Please contact your help desk or system administrator."

Event viewer:

"The portal was unable to complete a request and showed a user the default error page.

An unhandled exception was caught.

Check the product diagnostic log file and then check the SharePoint log file."


FIM Synchronization Server Migration


Hi,

In our environment FIM Synchronization Server is used to synchronise the user attributes and for creation of mailboxes on the Exchange server. 4 AD MAs are configured to sync the user attributes, and a rule extension (.NET source code) is used to create a mailbox on the Exchange server.
Existing infrastructure: FIM 2010 R2 SP-1, OS is 2008 and database is SQL Server 2008.

We are migrating the existing FIM environment to a new platform, Windows 2012 and database 2012.
There are two approaches as below. Please confirm which will be better and any other points to be taken care of.

Approach 1:
1. Create new service account and security groups before new installation.
2. Install the FIM Synchronization server using the new database sql 2012.
3. Export the schema from old FIM environment and import to new environment.
4. Export all the MAs from the old environment and import them in the new environment.
5. Uncheck the deprovision option and check the precedence of attributes.
6. Move the rule extension dll files from old env to new env.
7. Change the service account used in the MA.
8. Run the full import of the 4 AD MA.
9. Run the Full sync of 4 AD MA.
10. Run the export for 4 AD.
11. Once it works fine, schedule the task scheduler.

------------------
Approach 2:
1. Move the old FIM database to new  sql server 2012.
2. Install the FIM Synchronization and select option reuse existing database.
3. Uncheck the deprovision option.
4. Move the rule extension dll files from old environment to new server.
5. Run the full import,sync and export profile.

However, I don't know the credentials of the old MA or the encryption key. So the password of the service account can be reset directly on the AD and then reset in the configured MA.

Thanks

Harry

FIM license


Hi,

We are planning to use the FIM Synchronization Server only to manage/synchronize the user attributes using the 6 Active Directory Management Agents. FIM Sync server will be installed on the 3 servers only, in an active-passive mode.

Can you please advise about the license?

Do we need a license for the 3 servers only, or do we need a license for the number of users which will be synchronized?

We are planning not to install the FIM Portal and any other FIM components.

Regards

Harry    

Integration with Oracle DB


Dears,

I have installed FIM and I need to make it create an identity directly in the Oracle users' table, i.e. the same impact as the create user command.

Regards, 


How to export an user from FIM to SAP using Web Service Connector? Not able to set value for BAPIPWD


Hello Experts,

I am using the Web Services connector to connect to an SAP system, and I am using the UserCreate web method to create a user in the SAP system. It needs 2 mandatory parameters, which are username and password.

Here username is a string variable, so I can pass the user name without any issues. Password is of type BAPIPWD, so I couldn't set the password in the config file created for the SAP MA.

I am using an export workflow and trying to export the users from FIM to SAP. How do I set the initial password in the export? Kindly let me know how to convert the password string into the BAPIPWD type.

Do I need to use a Password Set workflow along with the Export workflow? What is the use of the attribute 'export_password' which I can see in the MA?

Kindly help me.

Thanks,
Nallasivan

Cannot remove export-phantom


I have a user that was deleted from the metaverse during testing, but one of the AD connected data sources was not set to stage a delete on the object. Now, there is a delete-add that causes an export-phantom error that I can't seem to get rid of. All provisioning is done via sync rules, and there is no MV extension in this deployment.

Here's what I've tried:

  • Uncheck Enable Sync Rules Provisioning, and run a full round of syncs. Still there in CS.
  • Deleted connector space: failed to delete. The error says cannot delete this object because there is no metaverse object.
  • Delete connector space and MA: same thing, failed to remove MA and CS because of the error on this object.
  • Re-provisioning the account: the provisioning sync rules fail, because it detects an object in the CS with the same DN. I've tried manually adding the account into the domain, hoping to join it manually, but cannot do so because there is no metaverse object for it to join to.

Am I missing anything here? Anyone have any suggestions?

Cheers,

Rob

FIMCM Provision through Powershell


I'm interested in building my own FIMCM management agent using Granfeldt's excellent PSMA extension for FIM. What I want to do is to create a smart card enrollment request ready for the enrollment (Execute) after the user has been provisioned to Active Directory.

Now the problem comes with how to do this. I have little pieces of information; this is acting as my starting point: http://www.integrationtrench.com/2010/11/use-fim-cm-provision-api-from.html. Now the question is, how do I configure this to work through HTTPS, remotely (FIM and FIMCM are on separate servers) and using Kerberos?

If someone has any examples or working solution already, it would be very helpful... thanks!

FIM 2010 R2 - Watched This YouTube video - I have questions re: FIM 2010 R2.


Jeff Staiman

I just watched this video and have a few questions.
http://www.youtube.com/watch?v=T-p41Ze9ewA

We have a large WAN. If a person is under a lockout timeout, will a password change reset this counter?  I have a feeling that normally users who forget their passwords will lock it first, then attempt to create a new password via FIM.

Can users pick their own challenge questions?


Where will the FIM 2010 password change occur?  Again, with a large WAN environment with many remote DCs (i.e. NOT read-only DCs), can the change be instantly replicated?  Can the password occur at the user's remote site, i.e. at their %logonserver%, so they can log in faster after a password change?

Can we use some programmatically entered fields, but also allow the user to enter some more challenge questions?  I.e. say we know the end user's last 4 of SS#, and driver's license #, etc. Can we use those so FIM is ready to go out of the box, but optionally have the user add more questions (i.e. non-programmatically) at a later time?

What happens if some 'hackers' try over and over to guess the way to challenge question answers?  Will FIM lock the account and disable self-service requests for that user going forward, or for some FIM lockout duration?

Can we add a CAPTCHA to the public-facing portal so bots and scripts don't try to guess Anna's favorite teacher's name, etc. and try to reset her password?





Find all Connector Space Objects That Were Provisioned


I'm trying to run a query on the FIM Synchronization Database to find all of the objects in a connector space that were created there via provisioning rules. Some objects in the connector space have joined and some have been created via provisioning, but I can't find the field in the FIM Sync DB where this is specified. Anyone know how I can pull this information?

Cheers,

Dan


Exchange 2013 Provisioning - remote powershell through load balancer


We currently are on FIM 2010 R2 SP1 and provisioning against Exchange 2010. When we set this up, we followed the steps to set up SPNs for our CAS array so we could point it at that CAS array name, and not a single server. Like here: http://setspn.blogspot.com/2010/08/exchange-2010-enable-kerberos-on-cas.html

We are not moving to Exchange 2013, and we have a name on our load balancer we would like to use sitting in front of all of our Exchange 2013 servers (ie:  webmail.domain.com)  RPS would be https://webmail.domian.com/powershell/

However, since webmail isn't any of the servers' default SPNs, you can't use Kerberos to connect to it unless you make a connection to the actual server: https://servername.domain.com/powershell/  (I have tested this using remote PowerShell from my client)

So my question is, do we need to follow the steps again for Exchange 2013 from the article above to point FIM at our load balancer?  Or is this support built in now?  I can't find ANY information from Microsoft on configuring FIM for Exchange 2013 provisioning! 


Email Notification on User Provision


Hey Guys,

I have users imported from different Active Directory forests that are synced to a central forest. Now the question is, how would I set the outbound provisioning workflow to send a notification email to specific users with the details of all the users that are being synced?

The real question is the last part. What attribute do I use in order to have the workflow list ALL the users that are being synced?


Hany George | Consultant | IDC S.p.A | MCITP: Lync Server | MCITP: Exchange 2010 | MCTS: OCS | Blog: http://dusk1911.wordpress.com/ | If this post has been useful please click the green arrow to the left or click Propose as answer


In our Prod and test env we are getting this error during the user profiles' sync


Hi,

We are getting this error 6803 in the event viewer, and the same error is of type stopped-dll-exception in MIIS.

 The management agent "MOSS-359dfd13-4e32-4d7d-853d-7ea685d48f95" failed on run profile "MOSS_FULLIMPORT_cc8dc694-fc8f-405b-aa2d-62091e61da8b" because the server encountered errors.

Tried many links but could not find the relevant solution for this problem.

Please help

 

FIM 2010 R2 Password reset coexistence with FIM 2010 password reset


Hi,

As of now we have FIM 2010 password reset set up in our environment. In this setup, users use the FIM password reset add-in 2010 to register and reset their password.

But we have upgraded FIM Service and FIM Sync Service 2010 to the R2 version, and we are now planning to introduce the FIM 2010 R2 password reset portal and registration portal for the end users.

We have decided to use a separate machine to set up the FIM 2010 R2 password registration and FIM password reset portals.

I would like to understand: will setting up the "FIM 2010 R2 password registration and FIM password reset portals" affect the existing setup of FIM 2010 password reset?

Also, we have a lot of customizations in the FIM portal. Will it reinstall the portal?


shakti

ECMA 2 File Export Stats Missing


I saw an earlier thread where this was noted as a known issue for Full Export, but I'm seeing the same thing on a simple file-based ECMA 2 running normal (delta) exports. How do I get my ECMA to report export stats? Do I need to mix Call-based and File-based methods? E.g. use IMAExtensible2FileImport to read my file and IMAExtensible2CallExport to write my file if I want stats, or am I missing something?

Cheers,

Dave

How to Pass BAPIPWD from Export workflow in Web Services Connector MA


Hello,

I need to export users from FIM to SAP using the Web Services connector. I have created an Export Workflow and added the values like user name, first name, last name, etc. I couldn't set the value for password because the data type is BAPIPWD. Could you please tell me how to create a user in SAP from FIM using the Export Workflow and how to pass the password parameter?

Thanks,
Nallasivan

HR Data Synchronization with FIM 2010 r2


Hey all,

I am trying to synchronise user data from an HR application (txt, csv file) into the FIM portal, but I am not able to find any suitable guide for doing that.

Can I get any help regarding this? It's urgent.

Regards,

Divye
