Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite


    0 0

    Hi all. I had a quick search but couldn't find what I was looking for.

    Easy question.

    I've set up the following flows:


    FIM MA

    (FIM)employeeEndDate  -> (MV)employeeEndDate

    AD MA

    (MV)employeeEndDate  ->(AD)accountExpire (I have a rule extension to convert it to a UTC etc)


    If I enter an enddate on a person object in the FIM portal it will flow to the MV and then flow to AD (via the AD CS/MA). 

    But (as with all attributes, this is just an example) if I remove the enddate on the person object in the FIM portal it will in turn delete the attribute (AD)accountExpire in the CS of AD. 

    This is normal and expected... My question is: how do I flow a NULL and still have the CS attribute retain a value?

    I'm not wanting to flow a NULL to the destination but I am taking a NULL in as a source (I am working with rule extensions, I have tried an 'ispresent' but as there's no longer a 'space' to flow to it does nothing, I'm stuck between flowing NULL or doing nothing, depending on if I allow NULLs to flow).

    The reason is the AD attribute accountExpire is never NULL, but either a date or "0" or "9223372036854775807"(Taken from the MSDN page: )

    I had thought of using a RE on the import rule of the FIM MA but you can't use RE there.

    I hope I've made the question clear, thank you for any help or tips in advance.

    0 0

    Hi, FIM portal workflows with email functionality are stuck in post processing state. The event viewer has two entries as below:


    EmailNotificationDataExchange caught an exception while trying to send an email.  The email was not sent.  See the trace immediately following for exception contents.


    System.Web.Services: System.Net.WebException: The request failed with HTTP status 403: Forbidden.

       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.CreateItem(CreateItemType CreateItem1)

       at Microsoft.ResourceManagement.Mail.ExchangeProxy.ExecuteCreateItem(CreateItemType request)

       at Microsoft.ResourceManagement.Mail.ExchangeServer.SendNotification(NotificationMessage message)

       at Microsoft.ResourceManagement.Mail.NotificationMessage.Send(Int32 timeoutInMilliseconds)

       at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.SendMailMessage(MessageContent messageContent, Int32 timeoutInMilliseconds)

       at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.ProcessWorkItem(WorkItem workItem)

    0 0

    I inherited the FIM installation of our organisation, which essentially is the synchronization service taking a CSV extract of our HR data and then provisioning new users based on it (and some attributes flow backwards).  We had one of the earlier releases of FIM 2010 R2.  I've created a test environment for FIM as I am doing a lot of work on it, so I'm beginning with the back end change of installing the latest service pack and hotfix rollup - compatibility for future desired state in our environment and bug fixes of course.

    I found the build overview page ( and located the first build that mentions SP1. is the build with SP1 but it is deprecated, instead I found, which replaces it, and is the minimum version required to install the latest hotfix.  No problem - I only have the synchronization service, so I run and install the x64 version for synchronization service, and it's upgraded.  Confirmed the version is correct in the Synchronization Service application, although it doesn't explicitly say "R2".  I guess that's not important.  Next I'll upgrade my test environment to the latest hotfix.

    The problem is that I'm next going to install the FIM Portal.  I have the installation media, but I'm not sure if the following is correct:

    Upgrade FIM sync service to latest version
    (later) Install FIM portal
    Immediately upgrade to latest hotfix of FIM portal and service

    Possibly there isn't any other way anyway, but I just have this feeling that I'm not doing something quite right - it doesn't feel comfortable installing an earlier version of the FIM portal alongside the latest version of the FIM sync service.  Having said that - I guess as long as I'm installing from the SP1 media I should be fine.

    Are my concerns valid, or should I just go ahead with my plan? At the moment I'm only making changes in my test environment, though I'd really not have to rebuild it if possible, so just checking...

    0 0


    Quick question, the OTP email gate...once a user has received a code to their personal email, does the code expire? If so is this configurable and where is it done?



    0 0

    I try to install the Public Preview. Right at the beginning of the Setup Procedure of the Service and Portal the Setup stops with the error below.

    Thanks for your help.


    MSI (c) (70!D0) [08:55:53:380]: Creating MSIHANDLE (5) of type 790531 for thread 5840
    Calling custom action Microsoft.IdentityManagement.PasswordResetCAs!Microsoft.IdentityManagement.ManagedCustomActions.PasswordResetCustomActions.GetIISVersion
    MSI (c) (70!D0) [08:55:53:411]: Closing MSIHANDLE (5) of type 790531 for thread 5840
    MSI (c) (70!D0) [08:55:53:426]: Creating MSIHANDLE (6) of type 790531 for thread 5840
    Error: could not load custom action class Microsoft.IdentityManagement.ManagedCustomActions.PasswordResetCustomActions from assembly: Microsoft.IdentityManagement.PasswordResetCAs
    MSI (c) (70!D0) [08:55:53:426]: Closing MSIHANDLE (6) of type 790531 for thread 5840
    MSI (c) (70!D0) [08:55:53:426]: Creating MSIHANDLE (7) of type 790531 for thread 5840
    System.IO.FileLoadException: Could not load file or assembly 'Microsoft.IdentityManagement.PasswordResetCAs, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. Strong name validation failed. (Exception from HRESULT: 0x8013141A)
    File name: 'Microsoft.IdentityManagement.PasswordResetCAs, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35' ---> System.Security.SecurityException: Strong name validation failed. (Exception from HRESULT: 0x8013141A)
    The Zone of the assembly that failed was:
       at System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)
       at System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
       at System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
       at System.AppDomain.Load(String assemblyString)
       at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.GetCustomActionMethod(Session session, String assemblyName, String className, String methodName)

    MSI (c) (70!D0) [08:55:53:426]: Closing MSIHANDLE (7) of type 790531 for thread 5840
    CustomAction GetIISVersionFromRegistry returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (c) (70:9C) [08:55:53:442]: Closing MSIHANDLE (2) of type 790542 for thread 5144
    Action ended 8:55:53: GetIISVersionFromRegistry. Return value 3.
    Action 8:55:53: FatalError.
    Action start 8:55:53: FatalError.
    Action 8:55:53: FatalError. Dialog created
    Action ended 8:55:55: FatalError. Return value 2.
    Action ended 8:55:55: INSTALL. Return value 3.

    0 0

    We are at the stage where the Outlook add-in shows all 4 options on the Groups tab.

    When we try via the Add-in to Join to a Group or Add members to groups we own, Emails are sent to FIMSERVICE and they are delivered to FIMSERVICE mailbox but that is end of story. The emails are never read/acted on.

    I have set using regedit.exe the registry value HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/FIMservice/PollExchangeEnabled to 0x01 on the FIMService server and restarted the FIMService service.

    Still nothing. Nothing visible in the Event Viewer. Emails are sent but never read (by FIMSERVICE).

    What is the Poll frequency? Can I configure the Poll interval? Can I force FIMSERVICE to read its Email Inbox?

    Is there anywhere a checklist/debug guide for this Outlook 2010 Add-in?

    We are using the 64bit Outlook 2010 which comes with Office Professional Plus 2010. The (test) Outlook client is hosted on a 64 bit Windows 2008 R2 server.

    If I access the FIM Portal to do the same thing, FIMSERVICE sends emails to the group owners OK.

    Help! What is the usual cause of this problem?


    0 0


    I am a beginner in FIM; I want to configure a workflow that sends a notification when a user is created in a specific OU in AD.

    Please help me do it step by step.


    0 0


    When I am trying to create a group, FIM is picking up my account (in which I am logged in) and setting that as the owner of the group unless I manually delete that and put another user as the owner. Can we change the settings somewhere so that it doesn't take the default logged in account?

    Please let me know. Any help will be much appreciated.


    0 0

    Hi Folks!

    Is there a way to populate questions in FIM SSPR so that the users get to choose which question they want to store the answer to?


    0 0
  • 01/08/15--07:47: Customize FIM SSPR
  • We set up an environment using quick start tool. However, we would like to customize the SSPR implementation to work as follows:

    1. User registers with username and password. During the registration he/she chooses which questions he wants to store the answers to. The user also has a choice to enter the email and cell phone number. The registration of email and the number would be verified via a code.

    2. During reset process the user has a choice either to reset the password by answering the questions OR by sending a password to the email or the cell phone.

    Is this doable? Has anyone done this?


    0 0

    Hi everybody, have a nice new year 2015,

    I have an error about approval notifications and the issue is explained below in detail:

    • Whenever the user (approver) tries to approve the requests from the FIM portal (from the My Pending Requests tab), he gets the "Request Failed" popup. The request is not approved and remains in the Pending state.
    • There are no failed request entries generated in the FIM admin portal (when looking into the Search requests tab) and the requests remain in the Authorizing state, which seems like there is a pending approval to complete the request. Because of this, on the FIM server, I was unable to identify that the requests are not getting approved (as the FIMADMIN).
    • The requests are stuck. All the workflows in the stuck requests are left in the Running state.
    • As a process, if the approvers do not approve the request in 5 days, the request expires on the 6th day. I have seen that the stuck requests initiated in the last week are not expiring and remain in the Authorizing state.
    • In the FIM portal event viewer log, we have seen the below error each time the approvers were trying to approve requests and got the "Request Failed" error pop-up.

    I've done the following workarounds and none fixed it:


    My actual version is 4.1.3419.

    Thanks in advance



    0 0



    Whenever the join between the user in the target AD and the source AD user breaks off or is unjoined, the group membership of the target user should be cleared.

    Is there any way of doing this without code extension? I don't think so.

    I think I need a rule extension which gets fired at event of disconnect/unjoin/deprovisioning.

    Can someone help me with a piece of code that will do this?

    Thanks in advance.

    0 0

    This may have been asked before, but I did not find it in my searches.

    I have a setup where authoritative user information is being provided through an ADLDS instance - this includes both general user information as well as some specific groups (actually groupsofnames) which are used to determine user roles.

    In both initial provisioning, as well as subsequent rename operations, I need to be able to reference which groups (currently a total of 8 possible) that a given user object is a member of and use that information to build the DN - specifically for determining which OU the account will be in.

    The FIM configuration is in place and operating against an older authoritative datasource at this time using classic rules extensions for all of the provisioning and advanced import/export attribute flows.  This will most likely continue to be the case due to limitations with the declarative provisioning capabilities.  The existing code will be updated to reflect the new authoritative source as soon as I can figure out how to get the data needed from the group membership.

    Thanks in advance.


    0 0


     I'm using FIM 2010 to provision users to AD and create Exchange mailboxes. This has worked fine for the majority of my users, however a small number (less than 1%) do not have the domain attribute populated in the FIM portal or are not created in AD. I'm using the following sequence to provision users to AD from an input CSV file:

    1. File MA - Full import and delta sync on a CSV file which contains samaccountname, first name, given name and email.
    2. FIM MA - Export, delta import and delta sync.
    3. AD MA - Export and delta import.

    The run profiles above are executed using a set-mpr-triple workflow. I'm using declarative rules with an inbound and outbound AD rule (domain and objectsid are populated on the inbound flow).

    I've tried running full imports and full syncs on steps 2 & 3, but this still hasn't updated all users correctly. Next, I'll try a full import and full sync on step 1.

    I'm just wondering on the best way to ensure that I get 100% of my users created and updated accurately?


    0 0


    Can anyone let me know the logs where I can check group membership changes done by FIM prior to migration through the group syncing process?

    Thanks in advance.

    0 0

    Hey how are you?
    I have the following scenario:

    One organization

        Exchange 2010 Sp3
        Active Directory 2008 R2

    Two organization

       Exchange 2013 SP1
       Active Directory 2012
       FIM 2010 R2 SP1

    through FIM 2010 synchronizing contacts?
    My question is: how much bandwidth is used to synchronize each user?

    0 0

    I have 3 servers running windows server 2012 R2. One DC, One SQL server 2012 Sp1 and a single FIM server.

    I have installed FIM Sync and Portal with SFP 2013 SP1 successfully as reported by the installation wizards. When I access the FIM Portal I get the same gui as the FIM SPF site. The fimservice/portal installation wizard completes successfully but it seems SPF has not applied the FIM portal templates.

    Eventlog looks OK

    Tried twice by rolling back my VM's

    I am following Kent Nordstrom’s very useful scripts

    I should confirm that the install wizard tells me I am installing the service and portal

    Bit stuck really :)

    Any ideas please

    TIA Nigel

    0 0

    A very weird issue just started happening. I'm trying to create mail enabled security groups in FIM 2010 R2 (v4.1.3613.0), and when I go to modify the number to flow into GroupType nothing happens - no error messages - nothing logged in the event viewer.

    I tried rebooting the SQL Server and then once that was back, I tried rebooting the FIM Server.

    I tried creating a new Sync rule and when I get to the Outbound Attribute Flow tab I enter the required values in the New Attribute Flow button, but nothing ever gets populated in the tab.

    0 0
  • 01/12/15--19:59: Sync Rules - Can't modify
  • A very weird thing started happening today. Trying to modify a Sync rule and nothing happens - no error messages - nothing in the Requests & Approvals - nothing in the event viewer.

    The wizard seems to complete successfully, just nothing happens.

    0 0


    As SharePoint Foundation 2013 is supported for FIM 2010 R2 SP1 on Windows 2012, I am trying to install SharePoint Foundation 2013 on Windows 2012. There are some prerequisites (like .NET Framework, Windows Identity Framework, Sync, Windows AppFabric, etc.) which need to be installed before installing SharePoint 2013. I have installed the prerequisites successfully, but when I try to install SP 2013 I get the error that Windows Server AppFabric is not configured properly. I searched on Google and configured Windows Server AppFabric many times but still get the same issue. Kindly suggest whether it is mandatory to configure AppFabric. If yes, please suggest the correct steps to configure AppFabric.

    Error Print screen is as below.


