Migrate FIM password portal to new domain

September 23, 2014, 4:50 am

≫ Next: status of FIM 2010 Notifications when Exchange Server service stops mid cycle.

Hi there,

At my current customer we are migrating to a new domain based on Windows server 2012r2. The new domain has it's own new DMZ zone.

They are using FIM 2010 Password reset portal which needs to be migrated to the new environment. The environment is too big for a "big bang" so we will have a 2 domain environment for some period.

Can anyone recommend me a scenario to achieve this migration?

Do I need to build a new separate FIM environment, which leaves me with 2 portals... Or can I move the current FIM infra to the new domain and still reset password in the old domain? And so on...

What is the recommended setup regarding DMZ, is it possible to only place the portal website role in the DMZ?

I also read that the web portal needs to be installed in Sharepoint foundation 2013. Is this true? Or can it be installed on IIS as well?

I have no experience with FIM, so all answers and advice are welcome :-)

Thanks in advance,

Bart

Bart Scheltinga | www.bartsp34ks.nl | MCSA

↧

status of FIM 2010 Notifications when Exchange Server service stops mid cycle.

September 23, 2014, 6:55 am

≫ Next: FIM 2010 performance testing

≪ Previous: Migrate FIM password portal to new domain

Hellos.

We have 2 exchange servers mail01 and mail02. FIM is configured to use mail02.

During a processing cycle, a User was created in HR and exported to FIM. mail02 service seemed to stop. The new user in FIM started Workflow OK. The new user notification tried to use mail02 - all that happened was a whole load of Event Viewer messages.

When exporting to ADMA I got a dll-exception.

OK. Easy to fix. configure FIM to use mail01 and edit the AD MA exchange extension to use mail01 and rerun the Sync Operations.

My problem is where exactly is that new user Notification? Its fairly important as it shows the initial Password of the AD account.

I tried to log in as FIMService using the url https://mail01/owa and see what is there... but there are no send entries!

How do I get the new user Notification to be resent??? Will it appear in a weeks time when mail02 is fixed/restarted/rebooted?

↧

FIM 2010 performance testing

September 23, 2014, 7:38 am

≫ Next: Can you restrict creation of user types in Portal?

≪ Previous: status of FIM 2010 Notifications when Exchange Server service stops mid cycle.

Hi All,

I'm looking for information on FIM load testing and the best way to achieve this?

Currently FIM allows users to logon to the FIM portal and update some attributes (i.e. phone number) which are then updated in AD by the synchronisation service (setup for an automated sync to run every 5 minutes).

What I'd like to know if how would my environment cope with 30, 100 or 1000 users simultaneously access the portal and attempting to update an AD attribute?

I've read the documentation which gives sizing examples and guidelines, but doesn't detail how to simulate a significant workload.

Please advise.

Thanks

IT Support/Everything

↧

Can you restrict creation of user types in Portal?

September 23, 2014, 2:08 pm

≫ Next: ERP to AD user creation

≪ Previous: FIM 2010 performance testing

Hi,

Is it possible to give a group of users the ability to just create 'Vendor' accounts in the Portal?

While another group of users the ability to just create 'Contractor' accounts in the Portal?

...and other group of users to create just another 'type' of users in the Portal?

Thanks,

↧

ERP to AD user creation

September 23, 2014, 7:39 pm

≫ Next: Interop.AUTOGROUPLib.dll object invoke failed

≪ Previous: Can you restrict creation of user types in Portal?

We have Dynamics NAV 2013 R2 (ERP software) and would like to have active directory user accounts created automatically when an employee is added in the ERP software. I'm looking for a solution that is built to handle that type of process, does anyone know of any products that can handle this for us?

Would FIM work for this, if so, how could we use this product to make it possible?

Thank you,

Stangride

↧

Interop.AUTOGROUPLib.dll object invoke failed

September 24, 2014, 5:48 am

≫ Next: Does FIM 2010 R2 Support Active Directory 2012 R2 Forest/Functional Levels

≪ Previous: ERP to AD user creation

we have web service which is using Interop.AUTOGROUPLib.dll to added users to group in IDwebForefront Identity Manager.

but currently that object invoke is getting faild.

can someone help what will be the problem with ForeInterop.AUTOGROUPLib.dll .

Vijayanand Gawle vijayanand.gawle@gmail.com www.vijayanand.tk +91-9866492976

↧

Does FIM 2010 R2 Support Active Directory 2012 R2 Forest/Functional Levels

September 24, 2014, 5:55 am

≫ Next: completing-referential-updates 0%

≪ Previous: Interop.AUTOGROUPLib.dll object invoke failed

FIM 2010 R2 SP1 adds Active Directory 2012 support, but it does not mention 2012 R2 domain/forest functional level support. Is this supported? If not, will support be added prior to the next major release of FIM?

Thanks!

Jim

↧

completing-referential-updates 0%

September 24, 2014, 6:38 am

≫ Next: Lotus Domino Connector 5.3.1003.0 Logging

≪ Previous: Does FIM 2010 R2 Support Active Directory 2012 R2 Forest/Functional Levels

Hello,

When i try a Full Sync on the FIM MA it is stuck for more than 6 hours and is giving completing-referential-updates 0% as in the below screenshot.

Any Advise would be appreciated.

Mohamad Chahla

↧

Lotus Domino Connector 5.3.1003.0 Logging

September 24, 2014, 7:05 am

≫ Next: FIM CM AD User query...

≪ Previous: completing-referential-updates 0%

Hi,

I cannot get logging to work with build 5.3.1003.0 of the Lotus Domino Connector. I've followed the instructions on these sites

http://social.technet.microsoft.com/wiki/contents/articles/21086.how-to-enable-etw-tracing-for-fim-2010-r2-connectors.aspx
http://social.technet.microsoft.com/Forums/en-US/dbeeb280-4c2a-492f-9d5a-0c14d340ae0c/lotus-domino-connector-logging?forum=ilm2

When I use the ETW tracing subsystem option I get log files but they doesn't contain any log entries from the connector.

I see that the guid is different in the two articles. Maybe it's a new guid for the that build.

Has anybody been able to get it to work? Any ideas that I can try?

↧

FIM CM AD User query...

September 24, 2014, 9:47 pm

≫ Next: Usage of the double byte characters on the “Forgot your password?” link for Japan and China in FIM 2010 R2

≪ Previous: Lotus Domino Connector 5.3.1003.0 Logging

Is it possible to configure the LDAP query that does the user search in FIMCM?

http://blogs.technet.com/b/instan/archive/2010/07/29/how-fim2010-cm-amp-clm-2007-search-for-users.aspx

I would like to limit the search to specific OU so that no other resources would be even show up...

↧

Usage of the double byte characters on the “Forgot your password?” link for Japan and China in FIM 2010 R2

September 25, 2014, 4:45 am

≫ Next: Management Agent Profile Scripts are throwing errors

≪ Previous: FIM CM AD User query...

Hi,

The users in China and Japan are able to change IME settings from single byte mode to double byte mode and vice versa by KEYBOARD operation on Excel ,word, outlook , IE and more.
While resetting the password through the Ctrl-Alt-Del screen using the “Forgot your password?” link, they are unable to use the double byte character as they don’t get the option to change the byte mode.
On the contrary, when the users try to use the reset URL, they are able to change the byte mode and so able to reset their passwords.
So the users who have input the answers in the double byte mode are unable to reset their passwords using the “Forgot your password?” link.

Regards

Anil Kumar

↧

Management Agent Profile Scripts are throwing errors

September 25, 2014, 7:12 pm

≫ Next: Getting error while migrating single mpr from pilot to production environment

≪ Previous: Usage of the double byte characters on the “Forgot your password?” link for Japan and China in FIM 2010 R2

Hi All,

I am generating VB Scripts from FIM Managements agents to schedule into a batch file. But when I try to run any script from any MA profile(Export/Import/Sync) it is throwing errors. Please refer below screenshot for error.

PLease do let me know, If this is permission issue or some FIM installation/configuration issue.

Thanks in advance !!!!!!

If My Answer helps you do not forget to check helpful post and If answers your question do not forget to "Mark it as an Answer" Thanks~ Giriraj Singh Bhamu

↧

Getting error while migrating single mpr from pilot to production environment

September 26, 2014, 12:00 am

≫ Next: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

≪ Previous: Management Agent Profile Scripts are throwing errors

Hi,

I am migrating single MPR form pilot to production and I am facing the following issue

Join-FIMConfig : Two objects with same AnchorAttributeValue were detected. A requirement for using this migration tool is that AnchorAttributeValue is unique with objectType

AnchorAttributeNames = DisplayName
AnchorAttributeValues = DisplayName

ObjectType = AttributeTypeDescription
ObjectID 1 = urn:uuid:acbcad3b-8394-4af3-a1d4-149cabae05d1
ObjectID 2 = urn:uuid:9f35c912-18bb-4b73-b128-281be0cae32f

Any help to resolve this issue. The DisplayName is built-in attribute.

Thanks

Pavani

↧

An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

September 26, 2014, 2:04 am

≫ Next: FIM R2 Password Sync

≪ Previous: Getting error while migrating single mpr from pilot to production environment

Hi,

When i open my Password Reset portal then provide Username credentials in text box and click on next then asked the Securites Question Answers to me,i provide the correct Answers to the securites Question after this password reset portal asked me New Password and Confirm Password then click on next for resetting the password then gives below Error only for 2 Users. and all other users are working fine.

An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000:)

Regards

Anil Kumar

↧

FIM R2 Password Sync

September 26, 2014, 9:18 am

≫ Next: FIM r2 software reqs

≪ Previous: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

I have a doubt related to related to Password Synchronization in FIM R2. I tried searching in different forums but could not get clear answer.

I am using FIM password reset portal to reset the user password in AD. Do we require PCNS to synchronize Password using FIM synchronization service.

As per my understanding, this is how Password synchronization works when resetting the password using FIM password reset portal

The portal passes the user name and domain to FIM via the WMI.
The correct AD CS object is found.
Any other related objects, in MAs for which password management is configured, are found.
A password change is sent to AD.
If that is successful, a password set (never a change) is sent to any other CDs.

If this is correct then password synchronization should work but it is not working for me. Only password reset is working.

Can you please help me to understand if we require PCNS to synchronize the password?

Note: I have enabled the password management in respective MA's. The target which I am trying to synchronize the password is AD in different domain.

↧

FIM r2 software reqs

September 27, 2014, 4:05 am

≫ Next: Hotfix (4.1.3559) installation on the second portal node fails

≪ Previous: FIM R2 Password Sync

I'm looking to implement FIM 2010 r2 however looking at the software reqs, it mentions

"Exchange 2007 SP1 Management Console." , "System Center Service Manager 2010 Service Pack 1 (SCSM 2010 SP1) " and "Windows SharePoint Services 3.0 Service Pack 2 (SP2) or Microsoft SharePoint Foundation 2010."

Is exchange required? We do not have an exchange server nor use office 365. The password for our email account is not linked to the AD account

SCSM is apparently needed for "new reporting" features. What would we miss out on if we did not get SCSM?

I know sharepoint foundation is free but is it a show stopper if we don't have it?

↧

Hotfix (4.1.3559) installation on the second portal node fails

September 27, 2014, 1:27 pm

≫ Next: FIM Portal Workflow Approvals questions

≪ Previous: FIM r2 software reqs

Hi,

I'm installing FIM hotfix (4.1.3559). It installed without issues on sync server and first node of the portal/service. On second node it is failing. Here is place from the log (most probably failing somewhere here):

StartServices: Service: Forefront Identity Manager Service
MSI (s) (70:D4) [16:57:19:635]: Executing op: ActionStart(Name=PatchRemoveFIMPortal,,)
Action 16:57:19: PatchRemoveFIMPortal.
MSI (s) (70:D4) [16:57:19:635]: Executing op: CustomActionSchedule(Action=PatchRemoveFIMPortal,ActionType=1025,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\Program Files\Microsoft Forefront Identity Manager\2010\Portal\Microsoft.IdentityManagement.SolutionPackUtility.exe" action=uninstall mode=ServiceAndPortal log=event SHAREPOINTTIMEOUT=180 SolutionPack=MicrosoftIdentityManagement.wsp deleteweb=no continueonerror=no UILevel=5)
MSI (s) (70:2C) [16:57:19:790]: Invoking remote custom action. DLL: C:\Windows\Installer\MSICD1E.tmp, Entrypoint: CAQuietExec
CAQuietExec: Microsoft.IdentityManagement.SolutionPackUtility.exe will deploy and/or retract the FIM solution packs. This operation may take long time in a SharePoint farm environment.
CAQuietExec: Executing all administrative timer jobs in preparation for FIM solution pack retraction.
CAQuietExec: An exception occurred while deploying/retracting FIM Portal solution packs. Exception : Exception has been thrown by the target of an invocation.
CAQuietExec: Error 0xfffffff9: Command line returned an error.
CAQuietExec: Error 0xfffffff9: CAQuietExec Failed
CustomAction PatchRemoveFIMPortal returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
09/27/2014 16:57:28.791 [7024]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 398

09/27/2014 16:57:28.791 [7024]: Detailed info about C:\Windows\assembly\tmp\S9M6DS80\Microsoft.ResourceManagement.dll

09/27/2014 16:57:28.791 [7024]: File attributes: 00000080

09/27/2014 16:57:28.948 [7024]: Restart Manager Info: 1 entries

09/27/2014 16:57:28.948 [7024]: App[0]: (7024) Windows Installer (msiserver), type = 3

09/27/2014 16:57:28.948 [7024]: Security info:

09/27/2014 16:57:28.948 [7024]: Owner: S-1-5-18

09/27/2014 16:57:28.948 [7024]: Group: S-1-5-18

09/27/2014 16:57:28.948 [7024]: DACL information: 4 entries:

09/27/2014 16:57:28.948 [7024]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18

09/27/2014 16:57:28.948 [7024]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544

09/27/2014 16:57:28.948 [7024]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545

09/27/2014 16:57:28.948 [7024]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1

09/27/2014 16:57:28.963 [7024]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 398

09/27/2014 16:57:28.963 [7024]: Detailed info about C:\Windows\assembly\tmp\WGGUV4IP\Microsoft.IdentityManagement.Logging.dll

09/27/2014 16:57:28.963 [7024]: File attributes: 00000080

09/27/2014 16:57:29.088 [7024]: Restart Manager Info: 1 entries

09/27/2014 16:57:29.088 [7024]: App[0]: (7024) Windows Installer (msiserver), type = 3

09/27/2014 16:57:29.088 [7024]: Security info:

09/27/2014 16:57:29.088 [7024]: Owner: S-1-5-18

09/27/2014 16:57:29.088 [7024]: Group: S-1-5-18

09/27/2014 16:57:29.088 [7024]: DACL information: 4 entries:

09/27/2014 16:57:29.088 [7024]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18

09/27/2014 16:57:29.088 [7024]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544

09/27/2014 16:57:29.104 [7024]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545

09/27/2014 16:57:29.104 [7024]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1

09/27/2014 16:57:29.104 [7024]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 398

09/27/2014 16:57:29.104 [7024]: Detailed info about C:\Windows\assembly\tmp\NJBBJ7LC\Microsoft.IdentityManagement.CredentialManagement.Portal.Gates.dll

09/27/2014 16:57:29.104 [7024]: File attributes: 00000080

09/27/2014 16:57:29.244 [7024]: Restart Manager Info: 1 entries

09/27/2014 16:57:29.244 [7024]: App[0]: (7024) Windows Installer (msiserver), type = 3

09/27/2014 16:57:29.244 [7024]: Security info:

09/27/2014 16:57:29.244 [7024]: Owner: S-1-5-18

09/27/2014 16:57:29.244 [7024]: Group: S-1-5-18

09/27/2014 16:57:29.244 [7024]: DACL information: 4 entries:

09/27/2014 16:57:29.244 [7024]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18

09/27/2014 16:57:29.244 [7024]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544

09/27/2014 16:57:29.244 [7024]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545

09/27/2014 16:57:29.244 [7024]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1

09/27/2014 16:57:29.275 [7024]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 398

Any suggestions/hints? I belive it is something with SharePoint (SP Foundation 2013 is used/ no farms).

By the way - in the similar setup in test environment it went OK. Right now it is failing on the production

Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

↧

FIM Portal Workflow Approvals questions

September 28, 2014, 5:33 pm

≫ Next: BHOLD Model Generator Error - The source was not found

≪ Previous: Hotfix (4.1.3559) installation on the second portal node fails

Hi,

Got a few FIM Portal Workflow Approval questions. How many of these can be accomplished with out of the box FIM functionality/GUI:

1. If there are multiple approvers listed in the 'Approvers' section, and the 'Approval Threshhold = 1 Approver" - then when only one person approves the request, the request will be approved and also be no longer visible to the other approvers?

2. Can there be two levels of approval required? And if the first approver rejects the request, the second approver will simply not even be notified?

3. Can the first level approver be an AD Group? and the 'Escalated Approver' be the AD Group Owner?

4. What happens if the Escalated approval has not happened, say after 10 days...can FIM Service fire off an email to someone like Help Desk?

Thank you,

↧

BHOLD Model Generator Error - The source was not found

September 28, 2014, 11:24 pm

≫ Next: Getting error-Creating an mpr with admin account which is service account in fim portal

≪ Previous: FIM Portal Workflow Approvals questions

Hi,

I am running Model Generator wizard and have encountered this error multiple times. Could some one help me understand why this error occurs and where to check the permissions for logs. I am running the Model Generator with an account that has Administrator privileges on local machine.

Error: "The source was not found, but some or all event logs could not be searched. Inaccessible logs:Security."

Appreciate any help to identify the error.

Thanks

Kris

↧

Getting error-Creating an mpr with admin account which is service account in fim portal

September 29, 2014, 5:47 am

≫ Next: SSPR: How to send OTP email by SMS gateway?

≪ Previous: BHOLD Model Generator Error - The source was not found

Error processing your request: The operation was rejected because of access control policies.
Reason: The operation failed as a result of insufficient access rights.
Attributes: action parameter, ActionType, Description, Disabled, DisplayName, GrantRight, ManagementPolicyRuleType, ObjectType, Principalset, ResourceCurrnetset

Correlation Id: ec9085b2-510e-45f3-ad20-a1a823916eee
Request Id:
Details: No policy grants the Requestor permission to complete all changes.

Any help to solve this permission issue?

↧

Latest Images