Channel: Forum Microsoft Identity Manager

FIM 2010 - Connector Space extension DLL - Accessing MV Attributes


Hi,

I have a rule extension (.NET C#) that maps a metaverse attribute to an Active Directory attribute (connector space) for export. In that rule I need to access other metaverse attributes.

When I do this, only the attributes that belong to the mapping configuration rule of the agent are present. When I use other mventry attributes it causes an exception showing that these attributes are not declared.

Is it possible to access those other attributes or is it impossible by design?

TIA.

Filipe Clemente


MA DATA got deleted in Portal

What would cause the FIM inbuilt sync to delete MA data? All the management agents are still on the sync machine. But in the portal, some are missing in the MA data folder and the sync rule is missing the view of those MAs. Please help.

FIMMA is very slow FIM 2010 R1


Hi,

We have only 600 users and 5 management agents (AD and SQL type). When I run the FIMMA, it takes more than 3 hours to run the Export, Sync and Import operations. Please suggest how to improve the performance of FIMMA.

How could I solve Provisioning error in MIIS.


We use MIIS for password sync between AD and SQLDB.

We have a provisioning error for some users.

Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "XXXXXX" already exists in management agent "SQL_MA".
   at Microsoft.MetadirectoryServices.Impl.CSEntryImpl.CommitNewConnector()
   at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.XXXXProvision(MVEntry mventry)
   at Microsoft.MetadirectoryServices.GALSync.MVSynchronizer.Provision(MVEntry mventry)

I found that user's CS object in AD_MA.

If I simulate a sync, the provisioning summary shows, for the SQL_MA connector: add, failed, duplicate object.

I confirmed that the user exists in AD_MA and SQL_MA, but does not exist in the MV.

My guess is that AD_MA tries to project and provision, but the same object already exists in SQL_MA and the sync fails.

How could I solve that safely?


During MIIS SP2 installation get Warning 25043


During the installation I got the following warning. What does this mean and does it need to be fixed? Does it mean that SP2 will not have completed properly?

Warning 25043.  The Microsoft Identity Integration Server wizard cannot delete the specified data files.  Archive and delete these files manually.

Forefront Identity Manager - locked accounts in separate domain.


Hi all

I hope some of you can help me as I feel I'm sorta stuck with this issue.

The overall issue is locked accounts after password sync. I suspect the FIM to be the sinner here but frankly I do not know.

Environment:

The setup consists of two separate domains located in separate forests. Domain A users log on to their own domain when starting but log on to Exchange and Lync in domain B. All users in domain A have a user account in domain B that is sync'd to domain B by FIM (FIM is located in domain A).

Whenever a user in domain A decides to change his/her password, it's changed in domain A but the corresponding account in domain gets locked, with the result that their Exchange and Lync won't work.

As far as I can understand when digging into this issue, the problem arose after the FIM was upgraded to Release 2. I have not been able to find any known bugs described in Release 2 that revolve around this issue.

Any input and comments are highly appreciated :)

Regards

Trev.

 

AD Group provisioning


I'm trying to do a setup where I provision and populate AD security groups from an organizational structure in HR. The groups are nested with parent/child groups, and groups contain users from the specific departments.

Groups are named what the departments are named in HR, but the problem is here: HR are not IT guys and they put stuff like " , & / \ % ", whatever characters they like, in the department name.

A DN cannot be flown to AD with a comma in the CN part, "CN=Group,name,OU=name,DC=test,DC=com", or can it? Can I somehow make the ADMA know that the comma in "group,name" is text and not a delimiter?

The backup solution would be to create the groups with some other sAMAccountName and flow the department name to DisplayName.

Does anyone have an xPath for removing certain characters from attributes?


/Frederik Leed

Two-factor Authentication


Dear All:

We want to use two-factor authentication for administrator users logging in to the server. The first authentication would be username & password, and we are looking for an option for the secondary authentication. Can anyone suggest a solution for this?


Arun Khatri


Approval Process


Dear All:

I want to implement an approval process before creating any users in Active Directory. Is there any solution for an approval process in Active Directory before creating any users in Active Directory?


Arun Khatri

Function to remove quotes from inbound sync data


Hello!

We need to remove all quotes (") in text strings, which vary and come from Oracle MA inbound sync rules, before writing the new values in FIM.

Is it possible with the function String ReplaceString(string, OldValue, NewValue)?

If not, how can this be accomplished?

Additional info:

  • Oracle data source for Company attribute contains quotation marks 
  • The DN path is based on this Company attribute but it can't contain the quotation marks 
  • We have Outbound sync rules with function 'EscapeDNComponent' but the outbound synchronization to AD works only when actual OU name contains quotation marks. When I rename the OU, synchronization ends with error that "Object DN=...  does not have a parent object in management agent .."

Thanks!




FIM 2010 R2 SP1 Password reset portal not checking Password history of the user


Hi All,

I have implemented the Password reset portal in my test environment. Password reset is working fine but it accepts the old password. FIM password reset is not checking the password history of the user.

Other password policies are working (example: the password length check is working).

Kindly help me.

My Test environment:

Server 1:  Roles- Domain controller, Certificate Authority, Exchange [Win 2008 R2 SP1]

Server 2: FIM Sync, Service, Portal, Password registration & Reset portal. [FIM 2010 R2 SP1]

  1. My password reset portal is not using SSL.
  2. I have imported the root CA certificate in to the trusted certificate list of FIM Sync server.
  3. Domain Controller (Server1) has Domain Controller server Certificate.
  4. My MA name is AD MA
  5. I have created the registry entry: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\PerMAInstance\AD MA] "ADMAEnforcePasswordPolicy"=dword:00000001
  6. I have tested LDAP over SSL using ldp.exe as mentioned in the link http://support.microsoft.com/kb/2443871

Result:

ld = ldap_sslinit("company.fimcompany.com", 636, 1);

Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);

Error 0 = ldap_connect(hLdap, NULL);

Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);

Host supports SSL, SSL cipher strength = 128 bits

Established connection to company.fimcompany.com.


Enayathulla.S

Management agent for Azure-WaaD (Azure Active Directory Service)


WaaD is not available through LDAP. For this reason, one of my customers can't use it as its main user store. He wants to keep using FIM 2010 with minimal modifications. I'm exploring the possibility of using the extensible management agent to connect to WaaD using the GRAPH protocol. GRAPH has a CRUD API.

  1. Is it already done somewhere by someone?
  2. Is it a good idea?
  3. How much work is it in hours?

GH

Infrastructure design consideration - FimServiceAccount exchange mailbox domain


Hi all, just wondering if any of you have tried this. MS Support is pretty evasive when we ask.

We have a domain where FIM is installed, Exchange is in the same domain, but because of a restriction in FIM 2010 R2, the FIM service account needs to be in another domain.

Now, the FIM service account needs Exchange attributes for the approval buttons to work when using the Outlook 2010 add-in.

The question is, could these approval buttons / group management work if the FIM service account is in another domain than the FIM installation?

There is full forest trust between the two domains.

Have any of you tried this? FIM installed in a domain where Exchange does exist, but the user account used for FIMService is in another forest?


/Frederik Leed

please help !!


hi

My son's Facebook account cannot be accessed as his password has been changed (not by himself). To change his Facebook password himself he now has to send a link to his Hotmail e-mail address, but this also has been tampered with; it will not accept his password as we know it, and the security questions are not in our language anymore. It is very important that we can get these accounts back as they hold information we really need, and fast ..... please can anyone help us.


Querying BHOLD object data via API


Hello,

Does anyone know if it is possible to get information about BHOLD objects, like object types, attributes, attribute sets, etc., via an API or something of the sort? I am not talking about obtaining database information but rather the schema info.

Thank you,
Ilya

Where could we configure which attributes to import to GAL_MA connector space?

Where could we configure which attributes to import to GAL_MA connector space?

ResourceID in set members Manager attribute


Hi

I want to create a set of all managers. I have a set of all active users and all users have the manager attribute populated.

This XPath defines users in the set of all active users.
/Person[ObjectID = /Set[ObjectID = '45b73b9c-3f1f-40b1-af9b-feb320f63e96']/ComputedMember]

What I really want is the managers of all these active users. But just adding "/Manager" like below of course does not work.

/Person[ObjectID = /Set[ObjectID = '45b73b9c-3f1f-40b1-af9b-feb320f63e96']/ComputedMember/Manager]


Bright ideas?


/Frederik Leed

Home Drive attribute provisioning


Hello,

Hello, I need to synchronize the homeFolder attribute in AD from FIM,

but when I check in AD it's always empty?

How can I manage that?

between contact and contact_MaName Attribute flow is needed for galsync?


We use MIIS.

When we create a new GALMA, a new metaverse object contact_MaName is created and an attribute flow is automatically defined between contact (data source) and contact_MaName (metaverse).

Do we need that metaverse object contact_MaName and that attribute flow?

Q1

Is there any negative impact if we delete that attribute flow or that metaverse object (contact_MaName)?

Q2

Is this metaverse object contact_MaName really used by MIIS/ILM/FIM users? We do not project any metaverse object (contact_MaName) and do not currently use that attribute flow in MIIS.
