Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite
    0 0

    Hi, my FIM notifications stopped working a couple of days ago. I checked the configuration file, notified my email admin and inquired about the mail server value, and the email admin states it's still working.

        <!-- Setup adds entries -->

        <add key="mailServer" value="https://XXXXXX/ews/exchange.asmx" />

        <add key="isExchange" value="1" />

    He mentioned to look for an IP address in my setup, stating that a server was decommissioned a couple of days ago. Is there another place to look for that?

    0 0


    We have Microsoft Forefront Identity Manager 2010 R2

    I have an xml file below and I know it's possible to run this xml file instead of manually running each profile, but how do I run it?
    I use only the "Synchronization Service Manager"
    The xml file below might not be correct but I hope you understand what I mean.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!-- Run script that is run with the xxxx.cmd console app -->
    <!-- Supports running a group of agents either in parallel or serially -->
        <name>Tony testar</name>

        <version>1.0.0, b01</version>
          <Doc>Synka alla agenter</Doc>     
          <run>Projekt - personal      /Full Import</run>
          <run>Projekt - personal /Full Sync</run>
          <run>Projekt - AD /Full Sync</run>


    0 0


    I have read some articles about Attribute Flow Precedence but I have a question about this.
    Here is what I do.

    My agent AD source is just a simple database.
    I have two agents called agent HR and agent AD.
    For agent HR I have done a full import.
    I also have an import flow on attribute uid in agent HR like this
    LastName, FirstName, SSN  --> uid

    I now do a full sync on agent HR to get data into MV.
    This data is projected into MV.
    This will also cause provisioning for agent AD, which also runs the export flow for this agent.

    Agent AD has this import flow LoginAccount ---> uid defined
    and the export flow is LoginExport <--- uid.

    In Configure Attribute Flow Precedence I have this.
    Order   MA          ObjectType   SourceAttribute           MappingType
    1       Agent AD    Katalog      LoginAccount              Direct
    2       Agent HR    Person       LastName,FirstName,SSN    Rules Extension

    When I do an export on agent AD the attribute LoginAccount is not exported.
    I know I can fix this by marking the field "use equal precedence".

    I know that the reason that the attribute LoginAccount is not exported has to do with Attribute Flow Precedence.
    Just for testing, if I remove the import flow, which is this LoginAccount ---> uid,
    from agent AD, then attribute LoginAccount will be exported.

    But I mean agent AD has not done this LoginAccount ---> uid because agent AD has not done any import flow.

    So can somebody explain how this Attribute Flow Precedence causes the attribute LoginAccount not to be exported if I have
    defined both import and export for agent AD like this LoginAccount ---> uid (import flow)
    LoginExport <--- uid  (export flow)


    0 0


    I am trying to create a new RCDC where the RequestFilter attribute consists of valid XPath. I need to populate UocFilterBuilder with RequestFilter, make the Preview button visible and populate UocListView with RequestFilter rendered values only when the Preview button is clicked. My code looks like below.

    The issue is the Button does not work when I click it.

    <my:Control my:Name="ComplexFilterBuilder" my:TypeName="UocFilterBuilder" my:RightsLevel="{Binding Source=rights, Path=RequestFilter}" my:ExpandArea="true">
      <my:Properties>
        <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group" />
        <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=RequestFilter, Mode=TwoWay}" />
      </my:Properties>
      <my:Events>
        <my:Event my:Name="PreviewClicked" my:Handler="OnClickPreview"/>
      </my:Events>
    </my:Control>
    <my:Control my:Name="FilterBuilderwithpreview" my:TypeName="UocListView" my:RightsLevel="{Binding Source=rights, Path=RequestFilter}" my:ExpandArea="true">
      <my:Properties>
        <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType,AccountName" />
        <my:Property my:Name="EmptyResultText" my:Value="There is no members according to the filter definition." />
        <my:Property my:Name="PageSize" my:Value="10" />
        <my:Property my:Name="ShowTitleBar" my:Value="false" />
        <my:Property my:Name="ShowActionBar" my:Value="false" />
        <my:Property my:Name="ShowPreview" my:Value="false" />
        <my:Property my:Name="ShowSearchControl" my:Value="false" />
        <my:Property my:Name="EnableSelection" my:Value="false" />
        <my:Property my:Name="SingleSelection" my:Value="false" />
        <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog "/>
        <my:Property my:Name="ReadOnly" my:Value="true"/>
      </my:Properties>
    </my:Control>

    0 0


    I want to learn more about MIM 2016 (with SP1) so I thought I would download the evaluation version and install it in a LAB.

    However I see it needs Active Directory (already built a 2016 DC), an SQL Server, SharePoint, Exchange (options) as outlined here

    First question is can I install the SQL Server on the same Server as SharePoint, or should I install SQL on the Domain Controller (it's only a LAB)?

    I am used to setting up SQL, but not SharePoint, when it comes to installing SharePoint I take it I need to install the SQL Server first as SharePoint will likely want a database ? 

    Also with the SharePoint installation do I just perform a basic next, next, next installation e.g. accepting the default ?



    0 0

    I only use the Synchronization Service Manager
    I assume that I start by opening the dialog "Configure Object Deletion Rule" and selecting the Rules extension.
    When I have done this I want this method

    DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry) to be called but I don't know how.

    Can you give a small example because I'm new to MIM.

    I have also read that it's not possible to delete any object from MV by using some code.
    Is that correct?
    So I assume the only way to remove an object from MV is to delete the object from CS and as a result of this the MIM itself will remove the MV object if the rule says so.



    0 0

    Hi All,

    I am currently implementing Password Synchronization from PCNS on AD to a connected MS SQL Data source. From the event viewer logs (on DC and MIM Sync Server) I can confirm that the password synchronization flow works well from the DC to the MS SQL Data source Management Agent. However I get the error below after triggering a password change for a user object.

    Error Code:0x80230730
    ErrorString:(The password extension does not implement the entry point)

    Being MS SQL, I have implemented and compiled the password extension using the guidance below verbatim, really did not add any other piece of code.

    Is there anything I might be missing? I specified connection details to the DataSource on the SQL MA Configuration.

    A working sample or snippet could be helpful as well

    Thanks in anticipation for your help


    0 0
  • 09/18/18--05:36: Transient Objects after sync
  • Hi all,
    I'm trying to manage by a script all transient objects inside the metaverse.
    This is because I would like to avoid managing it manually.
    I've searched the internet for it but I've not found any article about how to do this.
    Do you have a suggestion for me?

    Thanks regards

    0 0


    I'm a beginner in MIM. Assume the following:
    I have an agent defined as an Extensible Connectivity.
    This agent reads a database and creates a file which is read into CS when I do Full Import.
    Now I do a full sync.
    The agent is defined to project the data into MV.

    Now all the data that existed in CS is now in MV which is correct.
    Now to my question: if I now do a second Full import on the same data without changing anything,
    what happens?
    As I understand it the following will happen. Do correct me if I'm wrong.
    The whole CS is loaded again. The file is read and the data is written into CS when I do a Full Import.
    Now I do a Full sync in the same way that I did before.
    But what happens with the MV (metaverse)?

    I assume that the only sensible solution is that MV will not change anything because the data has not been changed.


    0 0

    Dear All,

    I am getting the following error when I am trying to export data to MIM.

    Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: &lt;RepresentationFailures xmlns="" xmlns:xsi="" xmlns:xsd=""&gt;&lt;AttributeRepresentationFailure&gt;&lt;AttributeType&gt;AccountName&lt;/AttributeType&gt;&lt;AttributeValue&gt;&lt;/AttributeValue&gt;&lt;FailureMessage&gt;Exception: ValueViolatesUniqueness Target(s): \M1090300
    Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesUniqueness
       at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
       at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
       at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
       at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)&lt;/FailureMessage&gt;&lt;AttributeFailureCode&gt;ValueViolatesUniqueness&lt;/AttributeFailureCode&gt;&lt;AdditionalTextDetails&gt;The specified attribute value must be unique for this Resource Type.&lt;/AdditionalTextDetails&gt;&lt;/AttributeRepresentationFailure&gt;&lt;CorrelationId&gt;efffe73f-01b5-4842-82f6-2745b47045b5&lt;/CorrelationId&gt;&lt;/RepresentationFailures&gt;.



    0 0


    I'm just learning MIM and I'm very new to this but I have been using C# for many years. This test is just a test that I have made up to learn MIM.

    I have created a database that acts as an HR system and I have created a database that acts as an AD system.
    I have one agent for the HR and I have one agent for the AD. In the HR I have a column called endDate which is the date when an employee is to leave the job. The startdate is when an employee is starting to work at the company. I have also a column called Inactive that is true when an employee has left the job, which means the person is no longer working at that company. I want the column Inactive in HR to be updated automatically to true by MIM when there is a valid value in endDate and startdate and the relation between these two is valid. The AD system has also a column called Inactive and I want this column to be updated to true automatically when endDate and startdate are valid and the relation between these two is valid.

    When I want to test this I changed the endDate in the HR database and run all the profiles.

    I project HR into MV and I join AD to the matching HR object in MV. If there is no matching object in MV I use ShouldProjectToMV for those AD objects that don't exist in HR.

    There are two ways to do this as I can see:
    I have done it in this way and it works fine but I don't know if this way is reasonably acceptable.
    On import flow from HR I check if endDate and startdate and the relation are valid; if so I set Inactive to true in MV.
    I have also a direct export flow on Inactive which will set this attribute in CS for the HR system. If the attribute Inactive has been changed in CS, will this result in a pending export for the HR?
    I also want the AD system column Inactive to be updated as soon as the endDate has a valid value.
    In the AD agent I have set a direct export flow on Inactive.
    I have not set an import flow on Inactive for the AD system. But I can if I will.

    The second way that this can be done is the following.
    I have a direct import flow on Inactive and endDate and startdate .
    For the HR system on export flow check endDate and startdate and the relation and if valid set Inactive to true.
    For the AD system on export flow check endDate and startdate and the relation and if valid set Inactive  to true.

    This checking for my solution is done in the MAR MapAttributesForImport. If I want to use the second solution I have to add this code to both the export flow for HR and for AD.

    Which way is the best practice?
    As I mentioned I'm very new to MIM.
    I only use the Synchronization Service Manager so we don't use the Fim Portal.


    0 0

    Started to receive the following errors in the application log of a FIM synchronization service server (FIM 2010 R2):

    Alert description: Event Description: The server encountered an unexpected error while performing an operation for the client.

    "BAIL: MMS(20572): d:\bt\37528\private\source\miis\server\server\server.cpp(7428): 0x8023062d (The operation cannot be performed because the management agent's credentials are invalid.): MA missing default password

    BAIL: MMS(20572): d:\bt\37528\private\source\miis\server\server\server.cpp(7697): 0x8023062d (The operation cannot be performed because the management agent's credentials are invalid.)

    BAIL: MMS(20572): d:\bt\37528\private\source\miis\server\server\server.cpp(8094): 0x8023062d (The operation cannot be performed because the management agent's credentials are invalid.)

    Forefront Identity Manager 4.1.3766.0"

    The issue is there are no MAs running at the time of the error and I've confirmed there are no missing passwords on any of the MAs. I've searched online for any information on BAIL: MMS(20572) alerts with no success. Any recommendations or ideas would be greatly appreciated.

    0 0

    User unauthorized to register for Password Reset
    An unauthorized user initiated a request to register for self-service password reset.
    The user's identity was: CONTOSO\happys
    The user's IP address was:
    Ensure that all users who should be eligible for self-service password reset are members of a set which is referenced by MPR(s) that (1) grant permission to create registration objects for themselves in the FIM Service, and (2) have permission to read password reset resources.

    0 0


    So a while back Microsoft announced that we should use AADConnect and not MIM to provision identities into Azure.

    1. So does that mean if we use MIM and a PowerShell connector to provision to Azure it will not be supported by Microsoft?

    2. What about this. Can we use AADConnect to provision users to Azure, but, for example, if we need to immediately terminate a user, could we use MIM and PowerShell Connector?

    Hope my questions make sense.

    Thank you


    0 0


    I'm new to MIM.
    Below is a method in MVE handling Provision.
    In this method ProvisionPerson below we create two connectors one for agent "Projekt - Personal" and one for
    agent "Projekt - AD"
    I just wonder what consequence would occur if I don't have a connector to agent "Projekt - Personal".
    Can somebody explain that?
    Why is the connector important?

    bool ProvisionPerson(MVEntry mventry)
    {
        CSEntry csentryKatalog;
        ReferenceValue dn;

        // This will give the number of connectors to the source system
        int connectorsSourceSystem = mventry.ConnectedMAs["Projekt - Personal"].Connectors.Count;

        // Get connector to Projekt - AD
        ConnectedMA targetAgent = mventry.ConnectedMAs["Projekt - AD"];

        // Add a new csEntry in CS named Katalog with dn as initials
        if (connectorsSourceSystem >= 1 && targetAgent.Connectors.Count == 0)
        {
            dn = targetAgent.CreateDN(mventry["personnummer"].Value);
            csentryKatalog = targetAgent.Connectors.StartNewConnector("Katalog");
            csentryKatalog.DN = dn;
            csentryKatalog["MAID"].Value = mventry["personnummer"].Value;
        }

        return false;
    }



    0 0


    I want to say that I'm new to MIM and this test is just for learning.
    I only use Synchronization Service Manager and not the FIM Portal.
    I have two agents called Project-AD and Project-HR.
    I have this provision code located in MVE for agent Project-AD.

    bool ProvisionPerson(MVEntry mventry)
    {
        CSEntry csentryKatalog;
        ReferenceValue dn;
        int connectorsSourceSystem = mventry.ConnectedMAs["Projekt - Personal"].Connectors.Count;
        ConnectedMA targetAgent = mventry.ConnectedMAs["Projekt - AD"];
        if (mventry["forname"].Value.ToLower() == "nilspoppe" && connectorsSourceSystem > 0)
        {
            CSEntry csentry = mventry.ConnectedMAs["Projekt - Personal"].Connectors.ByIndex[0];
        }
        else if (connectorsSourceSystem >= 1 && targetAgent.Connectors.Count == 0)
        {
            dn = targetAgent.CreateDN(mventry["personnummer"].Value);
            csentryKatalog = targetAgent.Connectors.StartNewConnector("Katalog");
            csentryKatalog.DN = dn;
            csentryKatalog["MAID"].Value = mventry["personnummer"].Value;
        }
        return false;
    }

    In addition for this example I also have this code for method Deprovision in MAR for agent Project-HR

    DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry)
    {
        return DeprovisionAction.Delete;
    }
    In "Configure Deprovision" for agent Project-HR I have set it to use "Determine with a rule extension"

    This method Deprovision will cause the Connector for this object with forname=nilspoppe to be false.
    So the object will have status pending export so I can delete that object in method BeginExport.

    Now I mean that the following should also call the Deprovision method but it doesn't.
    I do the following for agent Project-AD
    I click Search Connector space
    Select one line that has Connector =True
    Click Lineage
    Click Metaverse Object Properties
    Click Connectors
    In my case I have two agents
    * Project-AD
    Now I select the row with agent Project-HR and click disconnect and then choose Disconnector(default)
    When I do this I get the result "The object was successfully disconnected."
    So my question is why is not the method Deprovision being called?

    Hope you understand what I mean?


    0 0
  • 09/23/18--17:54: PCNS, MA & Google
  • Hi,

    Has anyone used PCNS, an MA and (probably) a password DLL to provision users and set their passwords in Google (typical PCNS functionality)?

    Thank you


    0 0


    Is there a way for MIM to send out a notification when, for example, 25 changes are detected against a single account in a 5 minute window?



    0 0


    I am generating a random password as per client's password policy through workflow and setting it while creating account in Active Directory. Now I need to notify user about this new password directly without the interference of any system team user.

    How can I achieve this via MIM?

    Moreover, I know about the password reset portal provided by the MIM. Can I use the same portal or any other service provided by MIM through which user can generate his/her password first time by some verification via EMAIL or SMS or security questions?



    0 0


    I only use Synchronization Service Manager and no portal
    I have two agents called agent-HR and agent-AD.
    In Metaverse Designer -> Configure Object Deletion Rule I have selected the one in the middle
    "Delete metaverse object when connectors from any of the following management agents is disconnected."
    I have here selected agent-HR.

    In "Configure Deprovision" for agent HR I have selected "Stage a delete on the object for the next export run"

    Now I disconnect an object from agent HR by using Search Connector Space and choose an object and select Lineage and click on Metaverse Object Properties and then click on Connectors and here I select the row with agent HR and click Disconnect and choose the default.
    I get the result saying "The object was successfully disconnected."

    I can now see that the Connector is False for this object and the object is gone in metaverse but I have no pending export on this object in connector space.

    Because I chose "Stage a delete on the object for the next export run" for agent HR I should have a pending export for this object in agent HR.
    If I look at this object in connector space for agent-HR I can see that I have Changes add.
    I found this strange when I selected "Stage a delete on the object for the next export run"

    Can somebody explain this to me, how on earth I can have add for changes in the CS for this object?
    I have probably misunderstood this "Stage a delete on the object for the next export run"