
Calculate Set membership based on Group Membership


I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!

I want to calculate set membership based on group membership? So, I have a set called "My Set" - its members should be all the members of the group "My Group" (The group is a Manual group, not a criteria based one). I know that Sets cannot refer to Groups when using "Resource ID" - bummer!

I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?

Thanks


Exclude new AD accounts from activating PCNS


We are using FIM 2010 R2 to provision accounts to two different Active Directory domains.  We use codeless provisioning.

Users may start with an account in domain A or B only, and later on they get an account in the other AD domain.

So if a user is created in domain A first and later on they are provisioned to B, PCNS is picking up the initial password for the newly created domain B account and then users are getting their existing passwords overwritten if they have other accounts linked in FIM.

Besides adding sync rules to add a new account to a group recognized by PCNS for exclusion, is there another solution to prevent newly created AD accounts from triggering password changes?

Thanks.



Request stays in Authorizing state even after approval


I've been trying to debug this for days now and it completely breaks my lab - until it fixes itself after some random time and then breaks again.

I created a simple approval workflow which seeks approval from [//Target/Owner] when joining an Owner Approval Group. The request makes it to the Group Owner, but when the group owner approves the request, it stays stuck in Authorizing state and the user doesn't become a member of the group. The WF also remains in Running status even after the request is approved. 

I've seen some similar problems around on the internet, and all seem to suggest Exchange related issues. I don't have an exchange setup in my lab, but I don't think not being able to send an email would completely break the approval process. Besides, it does seem to spring back to life randomly and it all starts working again before breaking - very intermittent.

I've been messing around with the PS WF activity (which I use to calculate custom approvers), but I have disabled that WF completely for now and I'm just using OOTB activities and approvers.

Any suggestions on what the issue could be (apart from Exchange)? There are no errors in the event logs either, but there are loads of Exchange related errors/warnings which are expected. Alternatively, is there some way I can disable the "feature" where FIM tries to send an email?

Thanks


Error installing FIM Service and Portal R2


Trying to make a test FIM R2 installation, I get this error when I install the Service and Portal:

Action ended 14:41:10: CheckServiceEmailAccountFormat. Return value 1.
MSI (s) (68:BC) [14:41:10:973]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIE17.tmp, Entrypoint: IsSharepointAdminServiceRunning
Action start 14:41:10: CheckSharepointAdminServiceRunning.
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIE17.tmp-\
SFXCA: Binding to CLR version v2.0.50727
Calling custom action Microsoft.IdentityManagement.SharePointCustomActions!Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning(Session session)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction CheckSharepointAdminServiceRunning returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:41:11: CheckSharepointAdminServiceRunning. Return value 3.
Action ended 14:41:11: INSTALL. Return value 3.

I got this by running the msi from the command line, as otherwise no error message is reported in the installation or in the event log.

Any idea what could be the cause?


Paolo Tedesco - http://cern.ch/idm

Users leave a set but are still being affected by the Sync Rules...


I have a number of Sync Rules set up to write txt files that are sent to external partners.

Each one is set up with an MPR and Workflow and they all feed from the same Set that looks for a group of attributes, one being if the user is Active or Terminated.

If a user is Terminated, they are no longer a member of the set.

The issue is that the ERL is not getting updated. Therefore the T users are still getting exported.

Example:

A1-MPR

Type: Set Transition

Transition Set: A1Users-Set

Transition Type: Transition In

Action Workflow: A1Users-Workflow

A1Users-Workflow

Workflow Type: Action

Run On Policy Update: enabled

Activities: Add the target Resource to the Sync Rule A1Users-SyncRule

Action Selection: Add

A1Users-SyncRule

Data Flow: Outbound

MV Type: person

Ext System: A1Users.CSV

Ext Type: Person

Create resource in external system: yes

Enable Deprovisioning: yes

Outbound attribute flow: yadda yadda yadda

Question: Do I need a separate MPR and Workflow to REMOVE these users from the Sync Rules being affected?

FIM password registration portal failure to connect to FIM

Getting event ID 52: FIM password registration portal failure to connect to FIM

ERROR FIM 2010 R2 SP 1 AFTER UPDATE HOTFIX AND EXCHANGE 2013 CU 5


Hi All,


I have some issues in FIM 2010 R2 SP 1 with the following environment:

1. 2 server cross forest domain (old forest named old.local and new forest named new.local)

2. 1 server FIM 2010 R2 SP 1

3. 1 msexch 2013 in forest new.local

4. 1 msexch 2010 in forest old.local

Everything was OK before. Then I updated my FIM 2010 R2 SP 1 server to the latest hotfix (build 4.1.3599) and updated Exchange 2013 to CU 5.

I got the following error.

My questions are:

1. What does the hotfix change on the existing FIM server? Does it change any customizations (GAL, MA, etc.)?

2. Is it related to the Exchange 2013 CU update?

3. How do I roll back to the condition before the update (uninstall the hotfix)? Is there any way to do that?

Kindly let me know what I should do about this error.

thanks

Adding a link to FIM's approval page on email templates - FIM 2010 R2


Hello everyone,

I would like approval notifications to have a link that directs approvers to the approval page on the FIM portal. This is to simplify the approver's process of having to open up the portal, and navigate to the approval page. Is there a way to achieve this?

I tried using the <a href=approval page link> </a> and it is not working.

Any clues will be highly appreciated.

Thanks.


Setting approvers to authenticate themselves by password before approving a request-FIM 2010 R2


Hello,

Is it possible to have an approver in FIM 2010 R2 authenticate themselves before approving a request? Just to be sure that it is the right person approving a request and not anyone else. Like we have with password registration where the account name is recognized and the user is required to enter their password for validation before registration actually takes place.

Thanks.

SSPR form customization


Hello,

Is it possible to customize the forms in the SSPR page?

Is it possible to use FIM SSPR for multi-domain?

Regards

FIM CM Smart Card Printing


Hi,

Can FIM CM by itself be used to print things like:

- Display Name

- Certificate Expiry date

- Photo

Or do we need to purchase a 3rd party add-on? If yes, which ones work well?

thanks

sk

FIM CM Certificate Template Attributes


Hi,

When FIM CM requests a certificate from ADCS, there are a number of attributes that FIM CM passes (can pass) to ADCS for inclusion in the certificate. Are these attributes set in stone, or can we add additional attributes for inclusion in the user smart card certificate?

Thanks,

SK


FIM CM inside FIM Portal


Hi,

Could I publish a "FIM CM" link on the left pane of the FIM Portal (beneath Administration), to open the FIM CM Portal in the main frame of the FIM Portal?

Or just publish the link to open FIM CM in a new tab/window?

Thanks,

SK

IIF custom expression in Workflow


Hi,

I am trying to use an IIF custom expression in a FIM Authorization workflow.

Before the authorization, I am using an IIF statement to decide the approver.

Example of the IIF statement:

IIF(Eq(xyz,"abc"),"0a257fdc-d011-4120-9c12-e942250eec97","4fd09ef4-0f8b-482b-8cb9-189777f4329c")

xyz is the user attribute and "abc" is the value I am comparing it to.

I want the xyz attribute to be the Target user's, but it is taking the requestor's attribute.

Any help on the above?


shakti

FIM Certificate Replacement and IIS Default Website


Hi,

I'm looking to replace the SSL certificates on my FIM Portal and SSPR servers. I believe this is a simple matter of making the relevant IIS changes. I suspect changing the IIS SSL website certs does not affect the function of FIM services at all (obviously I'll be using a trusted cert). I just wanted to check that I don't need to make any additional changes to accommodate an SSL certificate change.

In addition, can I remove the default website from my FIM portal and FIM SSPR server? I've stopped the default website on my FIM portal server.

I'm using a distributed architecture with separate FIM sync, FIM portal, a separate SQL DB and a separate SSPR server.

Thanks


Password Reset Portal SMS Gate Not Working


I'm trying the Microsoft code to enable One-Time Password with SMS Gate, with no luck making it work. Can anyone advise what's wrong with this code?

The customer's SMS gateway requires the POST method with 3 parameters: "password", "hp" and "smsmessage"

namespace Microsoft.IdentityManagement.Samples
{
    using System;
    using System.Collections.Generic;
    using System.Globalization;
    using System.Net;
    using System.Text;
    using Microsoft.IdentityManagement.SmsServiceProvider;
    using System.Web;
    using System.Security.Cryptography;
    using System.IO;

    public class SmsServiceProvider : ISmsServiceProvider
    {
        public void SendSms(string mobileNumber,
                            string message,
                            Guid requestId,
                            Dictionary<string, object> deliveryAttributes)
        {
            mySMSProvider.SendSms(mobileNumber, message);
        }
    }

    class mySMSProvider
    {
        static string RequestURL = "http://smsgw.abc.com/smsgateway/smsforad.php";
        mySMSProvider()
        {
        }
        public static int SendSms(string userMobileNumber, string message)
        {
            WebClient wc = new WebClient();
            string requestData;
            requestData = Microsoft.IdentityManagement.Samples.mySMSProvider.GetRequestData(userMobileNumber, message);
            byte[] postData = Encoding.ASCII.GetBytes(requestData);

            byte[] response = wc.UploadData(mySMSProvider.RequestURL, postData);
            string result = Encoding.ASCII.GetString(response);  // result contains the error text
            int returnValue = System.Convert.ToInt32(result.Substring(0, 6), NumberFormatInfo.InvariantInfo);
            return returnValue;
        }
        public static string GetRequestData(string mobile, string message)
        {
            string myrequestData;
            myrequestData = "password=" + "password123"
                 + "&hp=" + System.Web.HttpUtility.UrlEncode(mobile)
                 + "&smsmessage=" + System.Web.HttpUtility.UrlEncode(message);
            return myrequestData;
        }
    
    };
}



Jason
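
An added example, not part of the original post or of Microsoft's sample: one way to send the three form fields this gateway expects with WebClient.UploadValues, which sets the form content type itself (UploadData does not), and to parse the reply without the fixed Substring(0, 6). The class name, passing the URL and gateway password in from configuration, and the numeric reply format are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Text;

// Hypothetical helper, not part of the FIM sample.
static class SmsGatewayClient
{
    // Assumption: url and gatewayPassword are read from protected
    // configuration by the caller rather than compiled into the assembly.
    public static int Send(string url, string gatewayPassword, string mobile, string message)
    {
        var form = new NameValueCollection
        {
            { "password", gatewayPassword },
            { "hp", mobile },
            { "smsmessage", message }
        };
        using (var wc = new WebClient())
        {
            // UploadValues URL-encodes each pair and sets
            // Content-Type: application/x-www-form-urlencoded on its own.
            byte[] response = wc.UploadValues(url, "POST", form);
            return ParseStatus(Encoding.UTF8.GetString(response));
        }
    }

    // Assumption: the reply starts with a numeric status of up to six digits.
    // A shorter or non-numeric reply is reported instead of crashing in Substring.
    public static int ParseStatus(string body)
    {
        string digits = new string((body ?? "").TrimStart()
            .TakeWhile(c => c >= '0' && c <= '9').Take(6).ToArray());
        int status;
        if (!int.TryParse(digits, NumberStyles.None, CultureInfo.InvariantCulture, out status))
            throw new FormatException("Unexpected gateway reply: '" + body + "'");
        return status;
    }

    static void Main()
    {
        // Constructed replies, not captured from a real gateway.
        Console.WriteLine(ParseStatus("000000 OK"));
        Console.WriteLine(ParseStatus("0"));
        try { ParseStatus("<html>Bad Request</html>"); }
        catch (FormatException ex) { Console.WriteLine(ex.Message); }
    }
}
```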

Setting an attribute in the portal to an empty string


Hi,

Is it possible to set an attribute value to an empty string (say a space character?)

I need to set an attribute to have some text value, but I prefer to put in just an empty space or an empty string (not null). I've tried setting &nbsp; and I've also tried setting " " on this attribute (via a function evaluator), but it takes those as string literals (e.g. " " gets set to &quot; &quot;)

Any way to set a space character?

Thanks

FIM client Management Policy Rule


Hello,

I am trying to use the FIM client, but when I test this code to get the MPRs I get an error: cannot cast RmResource to RmManagementPolicyRule

    String filtre = "/ManagementPolicyRule";
    ///AuthenticationWorkflowDefinition

    foreach (RmManagementPolicyRule mprNew in client.Enumerate(filtre))
    //foreach (RmResource mprNew in client.Enumerate("/ManagementPolicyRule[DisplayName='# MPR - Action - User Calculate location reference']"))
    {
        Console.WriteLine(mprNew.DisplayName);
        Console.ReadLine();
    }

Any idea?

How to update the windows cached password after SSPR?


Scenario: Windows 7 remote user forgets the cached password for her laptop and uses FIM 2010 R2's Reset Password invoked from the login screen. The domain password change is successful, but the user still cannot login to the laptop as the cached password has not been updated.

Question: How to update the cached windows logon password after SSPR to allow user to login with the new password.

Thanks 

OU For Lync 2013 Central Forest deployment when using GAL Sync


Hello,

We are attempting to set up Lync 2013 in a Central Forest configuration. We have a 2 way forest trust in place. The primary forest being A.com, the secondary forest being B.com. Exchange 2010 is deployed in both forests. Lync 2013 is deployed in forest A.com. We currently have FIM 2010 installed, using GAL Sync between both forests. For GAL Sync, we have an OU in Forest A.com active directory called GALSync. There are currently contacts in that OU that correspond with the user accounts in forest b.com. Here's my question:

When configuring FIM MA's for Lync 2013 Central Forest deployment, can I point the LCSCFG.xml file to the SAME GALSync OU we use for  GAL Sync? Will it see the contacts already exist and just update with the necessary attributes needed to provision the forest B.com users for Lync? Do I need to create a separate OU for the Lync MA to use? Or, am I going about this in the wrong way?

Any help you can provide will be greatly appreciated.

Thank you
