Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite


    0 0

    I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!

    I want to calculate set membership based on group membership? So, I have a set called "My Set" - its members should be all the members of the group "My Group" (The group is a Manual group, not a criteria based one). I know that Sets cannot refer to Groups when using "Resource ID" - bummer!

    I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?


    0 0

    We are using FIM 2010 R2 to provision accounts to two different Active Directory domains.  We use codeless provisioning.

    Users may start with an account in domain A or B only, and later on they get an account in the other AD domain.

    So if a user is created in domain A first and later on they are provisioned to B, PCNS is picking up the initial password for the newly created domain B account and then users are getting their existing passwords overwritten if they have other accounts linked in FIM.

    Besides adding sync rules to add a new account to a group recognized by PCNS for exclusion, is there another solution to prevent newly created AD accounts from triggering password changes?


    0 0

    I've been trying to debug this for days now and it completely breaks my lab - until it fixes itself after some random time and then breaks again

    I created a simple approval workflow which seeks approval from [//Target/Owner] when joining an Owner Approval Group. The request makes it to the Group Owner, but when the group owner approves the request, it stays stuck in Authorizing state and the user doesn't become a member of the group. The WF also remains in Running status even after the request is approved. 

    I've seen some similar problems around on the internet, and all seem to suggest Exchange related issues. I don't have an Exchange setup in my lab, but I don't think not being able to send an email would completely break the approval process. Besides, it does seem to spring back to life randomly and it all starts working again before breaking - very intermittent.

    I've been messing around with the PS WF activity (which I use to calculate custom approvers), but I have disabled that WF completely for now and I'm just using OOTB activities and approvers.

    Any suggestions on what the issue could be (apart from Exchange)? There are no errors in the event logs either, but there are loads of Exchange related errors/warnings which are expected. Alternatively, is there some way I can disable the "feature" where FIM tries to send an email?


    0 0

    Trying to make a test FIM R2 installation, I get this error when I install the Service and Portal:

    Action ended 14:41:10: CheckServiceEmailAccountFormat. Return value 1.
    MSI (s) (68:BC) [14:41:10:973]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIE17.tmp, Entrypoint: IsSharepointAdminServiceRunning
    Action start 14:41:10: CheckSharepointAdminServiceRunning.
    SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIE17.tmp-\
    SFXCA: Binding to CLR version v2.0.50727
    Calling custom action Microsoft.IdentityManagement.SharePointCustomActions!Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning
    Exception thrown by custom action:
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning(Session session)
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
       at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
       at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
       at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
    CustomAction CheckSharepointAdminServiceRunning returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 14:41:11: CheckSharepointAdminServiceRunning. Return value 3.
    Action ended 14:41:11: INSTALL. Return value 3.

    I got this by running the msi from the command line, as otherwise no error message is reported in the installation or in the event log.

    Any idea what could be the cause?

    Paolo Tedesco -

    0 0

    I have a number of Sync Rules set up to write txt files that are sent to external partners.

    Each one is set up with an MPR and Workflow and they all feed from the same Set that looks for a group of attributes, one being if the user is Active or Terminated.

    If a user is Terminated, they are no longer a member of the set.

    The issue is that the ERL is not getting updated. Therefore the T users are still getting exported.



    Type: Set Transition

    Transition Set: A1Users-Set

    Transition Type: Transition In

    Action Workflow: A1Users-Workflow


    Workflow Type: Action

    Run On Policy Update: enabled

    Activities: Add the target Resource to the Sync Rule A1Users-SyncRule

    Action Selection: Add


    Data Flow: Outbound

    MV Type: person

    Ext System: A1Users.CSV

    Ext Type: Person

    Create resource in external system: yes

    Enable Deprovisioning: yes

    Outbound attribute flow: yadda yadda yadda

    Question: Do I need a separate MPR and Workflow to REMOVE these users from the Sync Rules being affected?

    0 0

    Getting event ID 52: FIM password registration portal failure to connect to FIM

    0 0

    Hi All,

    I have some issues in FIM 2010 R2 SP 1 with the following environment:

    1.  2 server cross forest domain (OLD FOREST named old.local AND NEW FOREST named new.local)

    2. 1 server FIM 2010 R2 SP 1

    3. 1 msexch 2013 in forest new.local

    4. 1 msexch 2010 in forest old.local

    Everything was OK before. After I made some changes on my FIM 2010 R2 SP 1 server, to the latest hotfix (build 4.1.3599), and updated Exchange 2013 to CU 5,

    I got the following error.

    My questions are:

    1. What does the hotfix change on the existing FIM Server? Does it change any customs (GAL, MA, etc.)?

    2. Is it related to the Exchange 2013 CU update?

    3. How do I roll back to the condition before the update (uninstall the hotfix)? Is there any way to do that?

    Kindly let me know what I should do about this error.


    0 0

    Hello everyone,

    I would like approval notifications to have a link that directs approvers to the approval page on the FIM portal. This is to simplify the approver's process of having to open up the portal, and navigate to the approval page. Is there a way to achieve this?

    I tried using the <a href=approval page link> </a> and it is not working.

    Any clues will be highly appreciated.


    0 0


    Is it possible to have an approver in FIM 2010 R2 authenticate themselves before approving a request? Just to be sure that it is the right person approving a request and not anyone else. Like we have with password registration where the account name is recognized and the user is required to enter their password for validation before registration actually takes place.


    0 0
  • 09/08/14--07:36: SSPR form customization
  • Hello,

    Is it possible to customize the forms in the SSPR page?

    Is it possible to use FIM SSPR for multi-domain?


    0 0
  • 09/08/14--16:32: FIM CM Smart Card Printing
  • Hi,

    Can FIM CM by itself be used to print things like:

    - Display Name

    - Certificate Expiry date

    - Photo

    Or do we need to purchase a 3rd party add-on? If yes, which ones work well?



    0 0


    When FIM CM requests a certificate from ADCS, there are a number of attributes that FIM CM passes (can pass) to ADCS for inclusion in the certificate. Are these attributes set in stone, or can we add additional attributes for inclusion in the user smart card certificate?



    0 0
  • 09/08/14--20:23: FIM CM inside FIM Portal
  • Hi,

    Could I publish a "FIM CM" link on the left pane of the FIM Portal (beneath Administration), to open the FIM CM Portal in the main frame of the FIM Portal?

    Or just publish the link to open FIM CM in a new tab/window?



    0 0


    I am trying to use an IIF custom expression in a FIM Authorization workflow.

    Before the authorization, I am using an IIF statement to decide the approver.

    Example of the IIF statement:


    xyz - user attribute and "abc" - value I am comparing to.

    I want the xyz user's attribute to be the Target user's, but it is taking the requestor's attribute?

    Any help on the above.


    0 0


    I'm looking to replace the SSL certificates on my FIM Portal and SSPR servers. I believe this is a simple matter of making the relevant IIS changes. I suspect changing the IIS SSL website certs does not affect the function of FIM services at all (obviously I'll be using a trusted cert). I just wanted to check that I don't need to make any additional changes to accommodate an SSL certificate change.

    In addition, can I remove the default website from my FIM portal and FIM SSPR server? I've stopped the default website on my FIM portal server.

    I'm using a distributed architecture with separate FIM sync, FIM portal, a separate SQL DB and a separate SSPR server.


    0 0

    Trying Microsoft code to enable One-Time Password with SMS Gate, no luck making it work. Can anyone advise what's wrong with this code?

    Customer SMS gateway requires POST method with 3 parameters: "password", "hp" and "smsmessage".

    namespace Microsoft.IdentityManagement.Samples
    {
        using System;
        using System.Collections.Generic;
        using System.Globalization;
        using System.Net;
        using System.Text;
        using Microsoft.IdentityManagement.SmsServiceProvider;
        using System.Web;
        using System.Security.Cryptography;
        using System.IO;

        // ISmsServiceProvider implementation: forwards the number and message to the gateway helper.
        public class SmsServiceProvider : ISmsServiceProvider
        {
            public void SendSms(string mobileNumber,
                                string message,
                                Guid requestId,
                                Dictionary<string, object> deliveryAttributes)
            {
                mySMSProvider.SendSms(mobileNumber, message);
            }
        }

        class mySMSProvider
        {
            static string RequestURL = "";

            // POSTs the request data to RequestURL and parses the first six characters of the reply as an integer.
            public static int SendSms(string userMobileNumber, string message)
            {
                WebClient wc = new WebClient();
                string requestData;
                requestData = Microsoft.IdentityManagement.Samples.mySMSProvider.GetRequestData(userMobileNumber, message);
                byte[] postData = Encoding.ASCII.GetBytes(requestData);

                byte[] response = wc.UploadData(mySMSProvider.RequestURL, postData);
                string result = Encoding.ASCII.GetString(response);  // result contains the error text
                int returnValue = System.Convert.ToInt32(result.Substring(0, 6), NumberFormatInfo.InvariantInfo);
                return returnValue;
            }

            // Builds the POST body with the gateway's three parameters: password, hp and smsmessage.
            public static string GetRequestData(string mobile, string message)
            {
                string myrequestData;
                // The gateway password is hard-coded in the source as posted.
                myrequestData = "password=" + "password123"
                     + "&hp=" + System.Web.HttpUtility.UrlEncode(mobile)
                     + "&smsmessage=" + System.Web.HttpUtility.UrlEncode(message);
                return myrequestData;
            }
        }
    }


    0 0


    Is it possible to set an attribute value to an empty string (say a space character?)

    I need to set an attribute to have some text value, but I prefer to put in just an empty space or an empty string (not null). I've tried setting &nbsp; and I've also tried setting " " on this attribute (via a function evaluator), but it takes those as string literals (e.g. " " gets set to &quot; &quot;)

    Any way to set a space character?


    0 0


    I am trying to use the FIM client, but when I test this code to get an MPR I get an error: cannot cast RmResource to RmManagementPolicyRule

        String filtre = "/ManagementPolicyRule";
        foreach (RmManagementPolicyRule mprNew in client.Enumerate(filtre))
        //foreach (RmResource mprNew in client.Enumerate("/ManagementPolicyRule[DisplayName='# MPR - Action - User Calculate location reference']"))

    Any idea?

    0 0

    Scenario: Windows 7 remote user forgets the cached password for her laptop and uses FIM 2010 R2's Reset Password invoked from the login screen. The domain password change is successful, but the user still cannot login to the laptop as the cached password has not been updated.

    Question: How to update the cached windows logon password after SSPR to allow user to login with the new password.


    0 0


    We are attempting to set up Lync 2013 in a Central Forest configuration. We have a 2 way forest trust in place. The primary forest being, the secondary forest being Exchange 2010 is deployed in both forests. Lync 2013 is deployed in forest We currently have FIM 2010 installed, using GAL Sync between both forests. For GAL Sync, we have an OU in Forest active directory called GALSync. There are currently contacts in that OU that correspond with the user accounts in forest Here's my question:

    When configuring FIM MA's for Lync 2013 Central Forest deployment, can I point the LCSCFG.xml file to the SAME GALSync OU we use for  GAL Sync? Will it see the contacts already exist and just update with the necessary attributes needed to provision the forest users for Lync? Do I need to create a separate OU for the Lync MA to use? Or, am I going about this in the wrong way?

    Any help you can provide will be greatly appreciated.

    Thank you
