Channel: Forum Microsoft Identity Manager
Viewing all 4767 articles

FIM - How FIM identifies that a record has been successfully exported and updated


I have created an ECMA 2.0 management agent to connect to an application.

On successful exports, the accounts are updated and created properly. But how does the FIM Synchronization Service know the export is successful? Is there any attribute which stores the export results or errors?


shakti
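An ECMA2 connector reports the outcome of an export itself: PutExportEntries returns a PutExportEntriesResults holding one CSEntryChangeResult per exported object, carrying MAExportError.Success or an error code (and, for an add, the anchor value the application assigned). The sync engine records that result against the connector-space object; an error is listed in the run's export errors and the change stays pending, while a success is confirmed by the next import. The script below is an added example, not code from this thread: it is the export half of such a connector written in the style the PowerShell connector uses, with Invoke-TargetApp as a hypothetical stand-in for the real application call, 'id' as an assumed anchor attribute, and the assembly path given as an assumption.

```powershell
# Added example, not from the thread: the export half of an ECMA2 connector,
# written as a PowerShell-connector style script. Invoke-TargetApp is a
# hypothetical stand-in for the real application call; the assembly path is
# an assumption (the sync service loads these types itself when it runs a
# connector).
$asm = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies\Microsoft.MetadirectoryServicesEx.dll"
if (-not ('Microsoft.MetadirectoryServices.CSEntryChange' -as [type])) { Add-Type -Path $asm }

function Invoke-TargetApp {
    # Hypothetical application call: returns the id the application assigned,
    # or throws to simulate a rejected record so the error path is exercised.
    param([string]$Operation, [hashtable]$Attributes)
    if ($Attributes['mail'] -like '*@invalid') { throw "application rejected mail '$($Attributes['mail'])'" }
    return [guid]::NewGuid().ToString()
}

function Export-CSEntryChanges {
    # Equivalent of IMAExtensible2CallExport.PutExportEntries: one result per
    # connector-space change, which is how the engine learns the outcome.
    param([Parameter(Mandatory)][Microsoft.MetadirectoryServices.CSEntryChange[]]$CSEntries)
    $results = New-Object Microsoft.MetadirectoryServices.PutExportEntriesResults
    foreach ($cs in $CSEntries) {
        $attrs = @{}
        foreach ($ac in $cs.AttributeChanges) { $attrs[$ac.Name] = $ac.ValueChanges[0].Value }
        try {
            $appId = Invoke-TargetApp -Operation $cs.ObjectModificationType.ToString() -Attributes $attrs
            # On an Add, return the anchor the application assigned ('id' is the
            # assumed anchor attribute); the next import confirms the export by
            # matching it.
            $returned = New-Object 'System.Collections.Generic.List[Microsoft.MetadirectoryServices.AttributeChange]'
            if ($cs.ObjectModificationType -eq [Microsoft.MetadirectoryServices.ObjectModificationType]::Add) {
                $returned.Add([Microsoft.MetadirectoryServices.AttributeChange]::CreateAttributeAdd('id', $appId))
            }
            $results.CSEntryChangeResults.Add(
                [Microsoft.MetadirectoryServices.CSEntryChangeResult]::Create(
                    $cs.Identifier, $returned, [Microsoft.MetadirectoryServices.MAExportError]::Success))
        } catch {
            # A per-object error: the engine logs it against the cs object and
            # leaves the change pending for the next export run; CustomContinueRun
            # keeps the rest of the batch going instead of stopping the run.
            $results.CSEntryChangeResults.Add(
                [Microsoft.MetadirectoryServices.CSEntryChangeResult]::Create(
                    $cs.Identifier, $null,
                    [Microsoft.MetadirectoryServices.MAExportError]::ExportErrorCustomContinueRun,
                    'application-rejected', $_.Exception.Message))
        }
    }
    return $results
}

# Constructed input: one add the application accepts and one it rejects.
$ok = [Microsoft.MetadirectoryServices.CSEntryChange]::Create()
$ok.ObjectType = 'user'; $ok.ObjectModificationType = 'Add'; $ok.DN = 'alice'
$ok.AttributeChanges.Add([Microsoft.MetadirectoryServices.AttributeChange]::CreateAttributeAdd('mail', 'alice@example.com'))
$bad = [Microsoft.MetadirectoryServices.CSEntryChange]::Create()
$bad.ObjectType = 'user'; $bad.ObjectModificationType = 'Add'; $bad.DN = 'bob'
$bad.AttributeChanges.Add([Microsoft.MetadirectoryServices.AttributeChange]::CreateAttributeAdd('mail', 'bob@invalid'))

$r = Export-CSEntryChanges -CSEntries @($ok, $bad)
$r.CSEntryChangeResults | ForEach-Object { '{0}: {1} {2}' -f $_.Identifier, $_.ErrorCode, $_.ErrorDetail }
```

The result object, not a schema attribute, carries the verdict: alice's entry comes back with Success and the returned anchor, bob's with ExportErrorCustomContinueRun and the application's message, which is what the run history then shows as an export error.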


Any help creating Export Workflow FIM to SAP using web services configuration tool?


Hello Experts,

I am using the Web Service Configuration Tool to create a config file and use that to connect FIM to SAP to create users in SAP. The default SAP ECC config file doesn't have any samples for the add method in the Export Workflow. I have to pass a username and password to create users in SAP using the BAPI_USER_CREATE method. Kindly help me with your guidance.

Load Balance FIM Service


Hello, I am researching the best way to load balance our FIM Service infrastructure and I wanted to get some advice from others who have been down this road. Here is our current set up and what we are trying to achieve:

  1. We currently have two FIM Service machines in place that share a FIM Service DB and use the same AD FIM Service account
  2. Machine one has a FIM Service address of fimservice.acme.com (FQDN = myfirstmachine.acme.com)
  3. The second machine has a FIM Service address of fimserviceOther.acme.com (FQDN = mysecondmachine.acme.com)
  4. Each FIM Service has its own partition
  5. Our goal is to load balance the two FIM Services under one address, fimservice.acme.com. The NLB would route traffic to the original fimservice.acme.com instance as well as the fimserviceOther.acme.com instance.
  6. Under this scenario, are there any changes that we need to make to our environment? Or will simply setting up the VIP with an address of fimservice.acme.com, with the two nodes myfirstmachine.acme.com and mysecondmachine.acme.com behind it, suffice?
  7. Are there any changes that we need to make to the FIM partitions, or is keeping them separate as they currently are OK?

Cheers!

FIM registration and reset portal not opening


I have installed the FIM Password Registration and FIM Password Reset portals on a separate server from the FIM Service and Portal.

The portals are using 80 and 8080 as their ports. But when I browse the websites they do not open: "Page cannot be displayed".

I have checked the application pool and website; everything seems proper.

Any suggestions on why this is happening?


shakti

Open LDAP XMA



While running the OID MA (OpenLDAP XMA) we are facing a "stopped-ma-timeout" error. We have around 1400,000 user objects in OID which we are trying to get into the MA connector space.

Please provide inputs.


Sync Rule custom expression for Multi valued attribute


Hi Everyone,

I have one requirement for one of my clients. I need to do the OU movement and I have to use a value from a multi-valued attribute, such as:

1) One multi-valued attribute in the metaverse, multitest, has the values "123 345 346".

2) I need to use the value "345" to send the user into a particular OU in Active Directory.

3) I tried to do this by using: IIF(Eq(multitest,"345"),"CN="+accountName+",ou=accounts,dc=b,dc=c","CN="+accountName+",ou=users,dc=b,dc=c")

But I was unable to search for this value in the multi-valued attribute.

Is there any other way or function to get a value from multi valued attribute. I know I can do this in Rule extension but I am looking for Sync Rule based solution.

There must be something that I can use.

Thanks in advance.


If my answer helps you, do not forget to check "helpful post", and if it answers your question do not forget to "Mark it as an Answer". Thanks ~ Giriraj Singh Bhamu

Help?

I have a problem: I've got an e-mail address that doesn't work anymore. When I log in, I get a message telling me someone else is using my e-mail. They tell me that I can fix it by entering a code. So I log in to my linked account, copy the code and fill it in, but then Microsoft tells me that there is a temporary problem with the server and I have to retry. I spent half an hour surfing to find a way to contact Outlook support, but that failed. Can someone help me? It is my account, and Microsoft is being a b*tch over it. I just want my account back; I use it for a lot of stuff. I don't understand anything about forums, I don't use them. I just hope that there is someone that can help me with my problem; it is starting to get on my nerves.

Else-If / If-Else via declarative provisioning?

Without having multiple sync rules or using a rules extension, how might I produce the following attribute flow:

if 'attrib1' equals 'red' flow 'hot'
if 'attrib1' equals 'yellow' flow 'warm'
if 'attrib1' equals 'green' flow 'cold'

I realize IIF can do different actions based on true/false, but how do I consider multiple true/false in a single attribute flow? I assume this is possible with a custom expression (like this), but I could use some help writing a sample.


Mike Crowley | MVP
My Blog -- Planet Technologies



displayName from Workflow with IIF


Target Value:   [//Target/DisplayName]

Conflict Filter:  /Person[DisplayName='[//Value]' and not (ObjectID='[//Target/ObjectID]')]

ProperCase(RegexReplace([//Target/FirstName],"[^A-Za-z0-9]",""))+" "+ProperCase(RegexReplace([//Target/LastName],"[^A-Za-z0-9]",""))+" CTR"

Now, before just a tie breaker, can a middle initial be entered via an IIF so that a null is used if there is no MI?

Another 6025 error problem - cross forest PCNS - FIM2010 in target


I am running FIM 2010 to sync passwords between two forests. I think I have everything configured properly, yet I am still getting a 6025 error. I'll paste the full text of that error at the bottom. There is a two-way forest-level trust. The FIM server is running in the target forest and PCNS is running in the source forest. The "Forefront Identity Manager Synchronization Service" is running under the AD account target\FIMSynchronization.

In the target forest AD domain functional and forest level is 2008. PCNS is not installed on any DC in the target forest. I used this setspn command: 

setspn.exe -A PCNSCLNT/FIM2010.target.priv target\FIMSynchronization

In the source forest AD domain functional level is 2008 and the forest level is 2003. PCNS is installed on all AD servers. I used the following pcnscfg command which points to the FIM server in the target forest and uses a security group from the source forest:

pcnscfg ADDTARGET /N:FIM2010 /A:FIM2010.target.priv /S:PCNSCLNT:FIM2010.target.priv /FI:"source\PasswordSyncUsers-source" /f:3

In FIM2010 under Tools/Options password sync is enabled. On the AD_Source MA in "Configure Directory Partitions" the "Enable this partition as a password synchronization source" is checked and the target is set to AD_Target MA. On the AD_Target MA under "Configure Extensions" "Enable Password Management" is checked.

I have verified there are no duplicate PCNSCLNT SPNs in the target forest and there are no PCNSCLNT SPNs in the source forest.

In the source forest the pcnscfg -list command yields:

Targets
  Target Name...........: FIM2010
  Target GUID...........: B690C791-5C91-4885-A053-279015BF2206
  Server FQDN or Address: FIM2010.target.priv
  Service Principal Name: PCNSCLNT:fim2010.target.priv
  Authentication Service: Kerberos
  Inclusion Group Name..: source\PasswordSyncUsers-source
  Exclusion Group Name..:
  Keep Alive Interval...: 0 seconds
  User Name Format......: 3
  Queue Warning Level...: 0
  Queue Warning Interval: 30 minutes
  Disabled..............: False

Total targets: 1

On the FIM2010 server the command setspn -L target\fimsynchronization yields:

Registered ServicePrincipalNames for CN=FIM Synchronization,OU=FIM2010,OU=Service Accounts,DC=target,DC=priv:

        PCNSCLNT/fim2010.target.priv

Applog Error: Event 6025, PCNSSVC

Password Change Notification Service received an RPC exception attempting to deliver a notification. 

The password change notification target could not be authenticated.

User Action:
This usually happens under the following conditions:
1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.
2. The SPN is assigned to more than one Active Directory account.
3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.
4. There is more than 5 minutes of time variance between this system and the target system.

Please verify that the SPN configuration and that the clocks on the two systems are synchronized to an authoritative time source.

Additional Details:

Thread ID: 1924 
Tracking ID: fa091d02-cc5a-4de1-98a2-29053b30578b 
User GUID: 78f79eef-3b34-4e28-8010-97b3ee19c894 
User: HCESC\kelley.hccatest 
Target: FIM2010 
Delivery Attempts: 1239 
Queued Notifications: 2 
0x00000721 - A security package specific error occurred.
 
ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0

ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 1461
Flags is 0
NumberOfParameters is 0

ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 2
Status is 1825 - A security package specific error occurred.
Detection location is 141
Flags is 0
NumberOfParameters is 1
Long val: -2146893053

ProcessID is 3684
System Time is: 7/27/2014 21:26:42:740
Generating component is 3
Status is -2146893053 - The specified target is unknown or unreachable
Detection location is 140
Flags is 0
NumberOfParameters is 4
Long val: 16
Long val: 6
Unicode string: PCNSCLNT:fim2010.hccanet.priv
Long val: 68126
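The event text above lists four causes for 6025: SPN not assigned to the account, SPN assigned twice, SPN badly formatted (it must be PCNSCLNT/<fqdn>), and more than five minutes of clock skew. The listings quoted in the post are worth comparing against that: the pcnscfg target records its SPN as PCNSCLNT:fim2010.target.priv (colon), setspn -L shows PCNSCLNT/fim2010.target.priv (slash) on the service account, and the error detail names PCNSCLNT:fim2010.hccanet.priv, a different host. The PowerShell below is an added diagnostic, not part of the thread: Test-PcnsSpn does the format and host comparison offline on strings copied from those two tools, and Test-PcnsTarget runs the live checks (holder count via setspn -Q, assignment via setspn -L, skew via w32tm) from a source-forest DC. Both function names are chosen here; the host and account names are the ones from the post.

```powershell
# Added diagnostic, not from the thread: checks the four 6025 causes listed in
# the event text. Host and account names come from the post; Test-PcnsSpn and
# Test-PcnsTarget are names chosen here. The live function needs setspn.exe and
# w32tm.exe on the path, as on any DC.

function Test-PcnsSpn {
    # Offline checks on strings copied from 'pcnscfg -list' and 'setspn -L'.
    param(
        [Parameter(Mandatory)][string]$ConfiguredSpn,        # "Service Principal Name" line of pcnscfg -list
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$RegisteredSpns  # lines under setspn -L <sync account>
    )
    $findings = @()
    # Cause 3: the SPN must be "PCNSCLNT/<fully qualified host>". A ':' between
    # service and host, or a short host name, is not what Kerberos will look up.
    if ($ConfiguredSpn -notmatch '^PCNSCLNT/[^/:\s]+\.[^/:\s]+$') {
        $findings += "format: '$ConfiguredSpn' is not of the form PCNSCLNT/<fqdn>"
    }
    # Cause 1: the host the DCs ask for must be registered on the service account.
    $targetHost = ($ConfiguredSpn -split '[/:]', 2)[-1].ToLowerInvariant()
    $registeredHosts = @($RegisteredSpns | ForEach-Object { ($_.Trim() -split '/', 2)[-1].ToLowerInvariant() })
    if ($registeredHosts -notcontains $targetHost) {
        $findings += "assignment: no registered PCNSCLNT SPN for host '$targetHost'"
    }
    return $findings
}

function Test-PcnsTarget {
    # Live checks, run from a DC in the source forest (where PCNS runs).
    param(
        [Parameter(Mandatory)][string]$TargetFqdn,      # e.g. fim2010.target.priv
        [Parameter(Mandatory)][string]$ServiceAccount   # e.g. target\FIMSynchronization
    )
    $spn = "PCNSCLNT/$TargetFqdn"
    # Causes 1 and 2: setspn -Q searches the forest and prints each holder as a
    # DN line; two DN lines mean the SPN is assigned twice.
    $holders = @(& setspn.exe -Q $spn 2>&1 | Where-Object { "$_" -match '^CN=' })
    $registered = @(& setspn.exe -L $ServiceAccount 2>&1 |
        ForEach-Object { "$_".Trim() } | Where-Object { $_ -like 'PCNSCLNT/*' })
    # Cause 4: Kerberos tolerates 5 minutes of skew. The last /dataonly line of
    # w32tm is "<time>, <+/-offset>s" against the target; flag anything over 300 s.
    $sample = @(& w32tm.exe /stripchart /computer:$TargetFqdn /samples:1 /dataonly 2>&1)[-1]
    $skew = if ("$sample" -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$matches[1]) } else { $null }
    New-Object PSObject -Property @{
        Spn           = $spn
        Holders       = $holders
        Duplicate     = ($holders.Count -gt 1)
        OnServiceAcct = ($registered -contains $spn)
        SkewSeconds   = $skew
        SkewTooLarge  = ($skew -eq $null -or $skew -gt 300)
        Findings      = @(Test-PcnsSpn -ConfiguredSpn $spn -RegisteredSpns $registered)
    }
}

# Offline check against the strings quoted in the post (pcnscfg -list vs setspn -L):
Test-PcnsSpn -ConfiguredSpn 'PCNSCLNT:fim2010.target.priv' -RegisteredSpns @('PCNSCLNT/fim2010.target.priv')
# The error detail names PCNSCLNT:fim2010.hccanet.priv, a host with no registered SPN:
Test-PcnsSpn -ConfiguredSpn 'PCNSCLNT:fim2010.hccanet.priv' -RegisteredSpns @('PCNSCLNT/fim2010.target.priv')
# Live, from a source-forest DC:
# Test-PcnsTarget -TargetFqdn 'fim2010.target.priv' -ServiceAccount 'target\FIMSynchronization'
```

The first offline call returns only the format finding (the host matches once the separator is normalised); the second returns both a format and an assignment finding. The live function reports the holder DNs rather than a yes/no so that a duplicate can be removed from the right account.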

Forefront Identity Manager 2010 R2 - Architecture query


If I am deploying Microsoft's Forefront Identity Manager (FIM) in a single-server environment (meaning that the FIM Service and FIM Synchronization Service will be installed on a single system running Windows Server 2008 or Windows Server 2008 R2) and I want to use IBM DB2 and IBM Directory Server, or Oracle Database and Sun/Oracle Directory Server, do I have to install Active Directory Domain Services (AD DS) on the Windows Server 2008 where the FIM Service and FIM Synchronization Service will be installed?


And how will this work if I want to deploy in a cluster environment?

Say my FIM Service is installed on Machine A and the FIM Synchronization Service is set up on Machine B. Can I install the database (DB2/Oracle) and directory server (IBM/Oracle) on either of them (i.e. Machine A or B)? Or can I install them on a third system, i.e. Machine C?

If installed on three systems, do we require AD DS anyway for these three systems to communicate? Or will it work if these three systems are set up as local Windows servers?

If the answer to the first part of the question above is YES, and the FIM deployment is planned in a cluster environment, and I plan to use another vendor's database and directory server, will I have to install Active Directory Domain Services irrespective of installing the DB2/Oracle database and IBM/Oracle directory server?

FIM 2010 R2 SQL Server Agent Jobs in failover cluster


Running FIM 2010 R2 4.1.3508.0

SQL Server 2012 R2

In my environment I have all the FIM components connected to a SQL cluster.

When I completed the installation of FIM, it installed SQL Server Agent jobs on one of the SQL Servers in the cluster.

The SQL Server Agent jobs were not on the second SQL Server in the cluster.

We have moved the SQL Agent jobs manually to the second SQL Server in the cluster.

Is the SQL Server Agent job smart enough to know only to run on the main server?

Are the jobs smart enough to start up manually on the second server if the first server goes down and fails over?

Thank you,


Flow an attribute based on the change of another attribute.


I would like to flow an attribute based on the difference between another attribute's current  vs. new value.

For example:
If the MV (source) "city" is not equal to the target "city", flow "yes" to "hasMoved". If the MV/target match, make no change to "hasMoved".

I would like to avoid a rules extension if possible.  Can someone provide a sample?




Mike Crowley | MVP
My Blog -- Planet Technologies



Conflict Objects - contacts


I have 175 conflict contact objects in an OU in a 2008 AD forest. These objects are not accessible via ADUC, ADSIedit, or LDP. They can be retrieved via the dirsync control using FIM or via PowerShell using the dirsync control.

How can I delete these objects?

This PowerShell retrieves them, but any attempt to retrieve one with ordinary LDAP fails.

# Bind to the domain as the DirSync account (credentials are inline here as in the post; Get-Credential keeps them out of the script)
$domaininfo = New-Object DirectoryServices.DirectoryEntry("LDAP://somedomain.com/dc=somedomain,dc=com","somedomain\dirsyncaccount",'Pa$$w0rd')
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher($domaininfo)
# Conflict objects are renamed to "<cn>\nCNF:<guid>"; \0A is the LDAP-filter escape for that newline byte
$directorySearcher.Filter = "(cn=*\0ACNF:*)"
# Attaching a DirectorySynchronization object sends the LDAP_SERVER_DIRSYNC_OID control with the search
$directorySearcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization
$directorySearcher.FindAll()

Gmail User Account Provisioning


Hi,

We are using FIM 2010 to provision our IODS users to Gmail. We have almost 700,000 user objects in IODS, so running the full sync profile for IODS to get the user objects into the metaverse is taking a lot of time. So I am thinking: is there any PowerShell script which we can use to provision users in Gmail?

Thanks,

Rakesh


Powershell MA (Microsoft) missing documentation


The Windows PowerShell Connector for FIM 2010 R2 Technical Reference webpage (http://technet.microsoft.com/en-us/library/dn640417(v=ws.10).aspx) says:

To simplify the creation of Schema, the FIMPowerShellConnectorModule Windows PowerShell Module provided in Appendix A includes the following cmdlets:

  • New-FIMPSConnectorSchema
  • New-FIMPSConnectorSchemaType
  • Add-FIMPSConnectorSchemaAttribute

But I can't find "Appendix A" (or any other appendix) anywhere.

Also, I've installed the MSI package, and I see the "PowerShell (Microsoft)" MA type in the dropdown, but when I try to create one, I get an error that the schema can't be loaded because the anchor value can't be a reference or Boolean and that a multivalue attribute can't be a Boolean. But I've defined no anchor (or any other attributes!).

The above error has been reported in a number of places, but no one has posted an explanation or a solution.

Help?  Please?


Ed Bell - Specialist, Network Services, Convergys
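The schema script for this connector has to hand back a Microsoft.MetadirectoryServices.Schema object whose object types each have an anchor of String, Integer or Binary type; the error quoted above is the connector rejecting a Boolean or Reference anchor and a Boolean multi-valued attribute. The following script is an added example, not the thread's or the connector documentation's code, written directly against the ECMA2 .NET types (Schema, SchemaType, SchemaAttribute) that underlie the Appendix A cmdlets. The object type 'user', its attributes and the assembly path are assumptions, and Test-ConnectorSchema is a helper defined here to re-check the two constraints from the error message before the schema is returned.

```powershell
# Added example, not code from the thread or the connector documentation: a
# schema script for the PowerShell connector built on the ECMA2 .NET types
# (Schema, SchemaType, SchemaAttribute). Object type, attribute names and the
# assembly path are assumptions; the connector has these types loaded when it
# runs the script, so the Add-Type is only for running this file by hand.
$asm = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies\Microsoft.MetadirectoryServicesEx.dll"
if (-not ('Microsoft.MetadirectoryServices.Schema' -as [type])) { Add-Type -Path $asm }

function New-ConnectorSchema {
    $schema = [Microsoft.MetadirectoryServices.Schema]::Create()
    # Second argument locks the anchor definition so it cannot be edited in the MA.
    $user = [Microsoft.MetadirectoryServices.SchemaType]::Create('user', $true)

    # The anchor has to be a String, Integer or Binary single value; Boolean and
    # Reference anchors are what the quoted error rejects.
    $user.Attributes.Add([Microsoft.MetadirectoryServices.SchemaAttribute]::CreateAnchorAttribute(
        'employeeId', [Microsoft.MetadirectoryServices.AttributeType]::String))
    $user.Attributes.Add([Microsoft.MetadirectoryServices.SchemaAttribute]::CreateSingleValuedAttribute(
        'displayName', [Microsoft.MetadirectoryServices.AttributeType]::String))
    # Boolean is fine as a single value ...
    $user.Attributes.Add([Microsoft.MetadirectoryServices.SchemaAttribute]::CreateSingleValuedAttribute(
        'enabled', [Microsoft.MetadirectoryServices.AttributeType]::Boolean))
    # ... but a multi-valued attribute may not be Boolean (the second half of the error).
    $user.Attributes.Add([Microsoft.MetadirectoryServices.SchemaAttribute]::CreateMultiValuedAttribute(
        'memberOf', [Microsoft.MetadirectoryServices.AttributeType]::Reference))

    $schema.Types.Add($user)
    return $schema
}

function Test-ConnectorSchema {
    # Helper defined here: re-checks the two constraints from the error message
    # before the schema is handed to the connector.
    param([Parameter(Mandatory)][Microsoft.MetadirectoryServices.Schema]$Schema)
    $problems = @()
    foreach ($t in $Schema.Types) {
        $anchors = @($t.AnchorAttributes)
        if ($anchors.Count -eq 0) { $problems += "type '$($t.Name)' has no anchor attribute" }
        foreach ($a in $anchors) {
            if (@('Boolean', 'Reference') -contains $a.DataType.ToString()) {
                $problems += "anchor '$($a.Name)' of type '$($t.Name)' is $($a.DataType)"
            }
        }
        foreach ($a in $t.Attributes) {
            if ($a.IsMultiValued -and $a.DataType.ToString() -eq 'Boolean') {
                $problems += "multi-valued attribute '$($a.Name)' is Boolean"
            }
        }
    }
    return $problems
}

# The script's only pipeline output should be the Schema object itself.
$schema = New-ConnectorSchema
$problems = @(Test-ConnectorSchema -Schema $schema)
if ($problems.Count -gt 0) { throw ("schema rejected: " + ($problems -join '; ')) }
$schema
```

Keeping everything other than the Schema object off the pipeline matters: a schema script that writes strings or other objects to output, or returns nothing at all, gives the connector nothing valid to load.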

Group members not synchronizing while Group provisioning into FIM 2010


Hi,

I am using group provisioning from AD to the FIM Portal. The inbound sync rule allowed me to synchronize AD groups into the FIM Portal.

While all the attributes got mapped correctly, the group members are not copied and the group in the FIM Portal shows no members. I used the mapping member -> member in the FIM Service Management Agent and in the sync rule designed for group provisioning as well.

Please help, as it is urgent.

Regards ,

Divye

MPR: Allow manager to update user attribute


Hi All,

A user reports to a manager (M1) and that manager reports to his manager (M2). Can we have an MPR which allows both manager M1 and manager M2 to update attributes for the user?

Thank You in Advance,
Anirban Singha

Problem with exceptions in an (old-style) extensible management agent


Hi all,

I'm working on an "old-style" call-based extensible management agent, which implements the IMAExtensibleFileImport and IMAExtensibleCallExport interfaces.

If I raise an ExtensibleExtensionException exception from the ExportEntry method, the run terminates with code "success", and displays no error.

If I check the event log, I see an event log entry saying "The extensible extension returned an unsupported error."

Neither of these behaviors is consistent with what is stated here: IMAExtensibleCallExport::ExportEntry Method.

I'm using FIM R2, version 4.1.3510.0.

Are old-style XMAs still fully supported in FIM R2?

Should I throw another exception type instead?

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm

SSPR Odd Issue


I have run into a very strange issue that I am uncertain how to fix.

I have one 2008 R2 server running SQL 2008 R2/FIM Service/FIM Sync Service, and one 2008 R2 server running the pwdreg/pwdreset portals.

I have 19 MAs: one for the FIM MA and one for each domain in the forest for the static 'domain' attribute. Everything works as expected. The users are imported into the MV and then into FIM from the AD MAs. All users can register with the registration portal. Only two domains are immediately able to use the reset portal. All of the other users in the other 16 domains receive an error for which the event log states 'Password Reset Activity could not find Mv record for user'. I have verified the users with this issue are in the MV; all attributes flowed correctly.

Here comes the strange part. Once I log into the FIM Portal as that user, they are then able to reset their password. We have thousands of users with new student accounts added almost daily. It is not possible to log in each morning using their default passwords into the portal just so they can then register/reset their own passwords later. Again, this does not happen for two of the domains. All delegated permissions are the same across the board, as shown by the successful password reset after the account has logged into the FIM Portal.

What could possibly be causing this?
