Channel: Microsoft Identity Manager forum
Viewing all 7443 articles

Error for some users while exporting to FIM CS


I am getting the error below for some users while exporting to FIM CS. All the users were successfully exported before without any issue, and I can see all the users are there in FIM.

Please help

 

Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>AccountName</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: ValueViolatesUniqueness Target(s): VenkataRama Bolla
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesUniqueness
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode><AdditionalTextDetails>The specified attribute value must be unique for this Resource Type.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>a692fddf-b075-499a-bc13-df34d58c69ab</CorrelationId></RepresentationFailures>

Thanks & Regards,

Sudhish


Outlook configuration in FIM 2010R2


I am using FIM 2010 R2, Exchange 2010 and Outlook 2010.

Question: I am able to send/receive mail to other users through Outlook, but approval requests/notifications are not coming to the Outlook inbox even though they are present in the portal. Can someone please let me know how I can troubleshoot this?

Accessing FIM Portal from untrusted domain?


We have built out a development environment for FIM 2010 R2 product which is in its own DEV Domain:

The DEV domain (DEVDomain) has no trust relationship to Production domain (PRODDomain). The DEV domain is on the Production network and accessible by FQDN.

So far everything seems to work perfectly fine with the FIM web services and the portal as long as you're accessing the Portal from a workstation that is domain joined to DEV. If I use a workstation domain joined to Prod, SharePoint then prompts me for credentials, in which I can enter a credential for a user in the DEV domain, and SharePoint will then let me in. It is at this point, however, that any attempts using the FIM Portal will result in a "The request for security token could not be satisfied because authentication failed."

I am assuming SharePoint lets me in due to NTLM authentication, but why doesn't the FIM Web Services behave the same?

I can also access the FIM Web Services via the ResourceManagement Client from the PROD Domain if I explicitly pass a credential from DEV to the client.

Is it possible to access the FIM Portal from a workstation that is not in the same domain as the FIM Portal? Even with NTLM authentication? Am I missing a configuration to make this possible?

How to identify a group whose members will be removed?


Hi! This is the case,

We need to identify the security groups that have at least one member to be removed in the synchronization.

The idea is to alert the administrator via a notification that the group will lose members.

Is there any way to implement this?

Thanks in advance for your help.

load-balancing FIM Portal and SSPR


Hello,

We are in the process of setting up an HA environment with 2 servers having FIM portal, FIM service and FIM password registration.

In the lower environment all these components were on 1 server, so during the SSPR extension install the input values were just 1 server name for FIM service and 1 URL for password registration.

How do I setup HA for these components?

Installing Oracle MA

  Experts Corner Article

Here is some useful information that is missing from the FIM Documentation.

1) Your FIM server should be installed with Windows 2008 64 Bit - non R2 version

2) You MUST download the Oracle Client 10.2.0.4 which is the only version of the Oracle Client supported on Windows 2008 64 Bit, the 10.2.0.1 will not install on 2008 64 Bit.  The exact Oracle download link is: http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10204_winx64_vista_win2k8.html

3) If you are running R2 then you can modify the oraparam INI file under "client\install\oraparam.ini" from the zip downloaded above.  Open the INI in WordPad (not Notepad) and change the line under the [Certified Versions] section to say:

Windows=5.0,5.1,5.2,6.0,6.1

Adding the 6.1 onto the end will mean that the initial steps of the installer won't fail because you're running R2.

Then just do an "Administrator" install, or if you want to save space select a Custom install and include "Oracle Windows Interfaces", which will include the Oracle OLE DB which is required as per the documentation.  With the Administrator install you will also get Net Manager.

4) You should set the ORACLE_HOME variable to your oracle home (such as "C:\oracle\product\10.2.0\client_1" if you do a default install) then things go a bit more smoothly.

5) Under Start -> Oracle -> Configuration and Migration Tools -> select Net Manager.  This will allow you to setup your connection (this may also be done by your friendly Oracle DBA).

If you open Local -> Service Naming select Edit -> Create and give your net service the instance name that your Oracle DBA has given you.  Normally it will be TCP/IP (without ssl). Put in the IP address/DNS name and Port for the Oracle Instance.  Then put in either the Service Name or SID, again the DBA should have given you this information.  Click finish to close.

Now save the configuration File -> Save Network Configuration.

6) In the Command Prompt try: tnsping instancename

Then you will know if your connectivity into the Oracle Instance is working or not.

7) Add the FIM Sync Service account to have full rights over the C:\Oracle directory to ensure it has rights to read the oracle config

8) Restart the FIM Sync Service to make sure it picks up on the new permissions.

Then you can configure the Oracle FIM MA and put in the Instance name that you just did a tnsping to for the destination address, table name.  Normally you also won't use integrated login, so put in the username and password you were given by your Oracle DBA.

Then wait a few mins (well that's how long it took with me) for the FIM MA to connect to the Oracle instance and pull up the full table information.

And you're good to go!
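
The steps above as a script, added here as an example and not part of the original post: run it with `-Stage PreInstall` before launching the Oracle installer (step 3) and with `-Stage PostInstall` once Net Manager is configured (steps 4, 6, 7 and 8). The extraction path, account name, net service name and the service name `FIMSynchronizationService` are assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Scripts steps 3, 4, 6, 7 and 8.
# Every default below is a placeholder or assumption; override per environment.
param(
    [ValidateSet('PreInstall', 'PostInstall')]
    [string]$Stage       = 'PreInstall',
    [string]$OraParamIni = 'C:\Temp\client\install\oraparam.ini',  # placeholder: extracted zip
    [string]$OracleHome  = 'C:\oracle\product\10.2.0\client_1',    # default path named in step 4
    [string]$OracleRoot  = 'C:\Oracle',                            # directory named in step 7
    [string]$NetService  = 'instancename',                         # placeholder: name created in step 5
    [string]$SyncAccount = 'CONTOSO\svc-fimsync',                  # placeholder: FIM Sync Service account
    [string]$SyncService = 'FIMSynchronizationService'             # assumed Windows service name
)
$ErrorActionPreference = 'Stop'

if ($Stage -eq 'PreInstall') {
    # Step 3: add 6.1 to the Windows= line, but only inside [Certified Versions].
    Copy-Item -LiteralPath $OraParamIni -Destination "$OraParamIni.bak" -Force
    $inSection = $false
    $updated = foreach ($line in Get-Content -LiteralPath $OraParamIni) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1].Trim() -eq 'Certified Versions')
        }
        if ($inSection -and $line -match '^\s*Windows\s*=' -and
            $line -notmatch '[=,]\s*6\.1\s*(,|$)') {
            $line.TrimEnd() + ',6.1'
        } else {
            $line
        }
    }
    Set-Content -LiteralPath $OraParamIni -Value $updated
    return
}

# Step 4: set ORACLE_HOME machine-wide and for this session.
[Environment]::SetEnvironmentVariable('ORACLE_HOME', $OracleHome, 'Machine')
$env:ORACLE_HOME = $OracleHome

# Step 6: tnsping prints "OK (<n> msec)" when the listener answers.
$ping = & (Join-Path $OracleHome 'bin\tnsping.exe') $NetService | Out-String
if ($ping -notmatch 'OK \(\d+ msec\)') {
    throw "tnsping to '$NetService' failed:`n$ping"
}

# Step 7: grant the sync account rights on the Oracle directory, inherited by
# files (OI) and subfolders (CI). F = full control, as the post states.
& icacls.exe $OracleRoot /grant "${SyncAccount}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 8: restart the service so it picks up the new permissions.
Restart-Service -Name $SyncService
```

Run the PostInstall stage from an elevated prompt; setting a machine-level variable, changing the ACL and restarting the service all require administrator rights.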


Oracle MA on FIM-R2


Hi there!

I'm trying to create an Oracle Management Agent and I'm following this link: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/19f3436b-0fae-45a8-a1b1-c7b11a33b3c9.

After finishing the procedure described on the link, I successfully connect the Oracle Server and the Oracle Client (that is installed on the FIM Server), but when I try to create the Management Agent, this error shows up: "Unable to locate required client software.For more information about specific requirements for synchronizing with this connected data source".

Any ideas?

P.S.: Oracle Server and Client are version 11g.

Thank you in advance...

What is the property for an RCDC form text box to make the contents "secret" i.e. display *'s not the text?

Hellos. I have hunted through the Technet RCDC documentation... what we wish is to have a field on the Edit User RCDC form which should be displayed as "********" not "Iamasecret" I cannot find the property keyword. Can anyone help?

FIM 2010 R2 Beta: Trouble registering for password reset


Hi everyone! I'm demoing the FIM 2010 R2 Beta internally, but I'm having some trouble with the self-service password registration.

Specifically, I receive the following error after I click the "next" button:

Unauthorized User

Loading ...
You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)
> Go to Self Service Password Registration home page
I am using the domain administrator account, and have followed all steps from this TechNet article: http://technet.microsoft.com/en-us/library/hh322874(WS.10).aspx 
I'm a bit of a beginner to FIM, but I do have the AD accounts populating successfully.

unexpected-error when importing a user from a connected directory


Hi,

I encountered a weird error when trying to import a user from a connected directory.  It seems that the MV entry got deleted before the object in the connector space was made a disconnector (not sure how this happened); now the connector space object "thinks" it is still connected to an MV object which no longer exists. I have two user objects like this.  I can't make the object a disconnector because it reports that the MV object doesn't exist.

It also doesn't help to remove the object from the connected directory, which is a SQL database; this also fails because of the above error (the object is removed from the SQL database, but not from the connector space).  I have done various Full imports, Full syncs and exports but to no avail.

Does anyone know how to resolve this without deleting the MA connector space? This is a production system and I will also have to remove all the orphaned EREs which take a long time to complete.  I have about 30K objects in the SQL database.

Any help is appreciated

Thanks

Johan Marais


JkM6228

Create a Search Scope


Hi Folks,

I have been spending much time with a problem that I think should be easy. See if anyone can help me.

I need to create a Search Scope to get all security groups with same “Unidade” (extended metaverse attribute in both resource types: User, Group) of current user. I tried this:

/Group[(Type='Security' or Type='MailEnabledSecurity') and Unidade = /Person[ObjectID='%LoginID%']/UsrUnidade]

But, no result found!

For test purposes and daring a relational query, I tried this:

/Group[Owner=/Person[AccountName='usrmicrosoft']/ObjectID]

It has been working very well,

When I try with another attribute, it does not work, like this:

/Group[DisplayName=/Person[AccountName='usrmicrosoft']/DisplayName]

Why cannot I perform a search comparing DisplayName of two Resource Types?

Is there any secret to get attributes values of related queries?

Is there a way to do what I want?

Thanks in advance,

Rubens Arandas - MCP, MCTS, MCPD, MCTIP (www.cheetahservices.com.br)

How to restore FIM Sync Service performance counters


This has happened to me several times on servers running FIM Synchronization Service: all of a sudden I can't find the performance counters for FIM Sync Service in perfmon. Service/Server restart did not help. I'm guessing they are registered during installation, but have no idea what would make them disappear.

Bottom line, is there a way to restore them? Maybe a parameter to be used with the msi file? Of course not to break/roll back anything installed with any of the hotfix rollups.

no-start-ma when using MS connector for Web Services


Hello,

We’ve installed the FIM 2010 R2 Synchronization Service (SP1) in Windows Server 2012 (64 bit) machine.

We've successfully configured the AD MA and it runs successfully. But we have some problem to run the web service MA.

First, we had problem with Web Services Configuration Tool, so we had to add Microsoft.MetadirectoryServicesEx.dll from earlier version.

For this web service MA we use a simple custom web service. We've configured a very basic workflow in Web Services Configuration Tool.

But whenever we run the web service MA, its status is "no-start-ma". The errors:

The management agent controller encountered an unexpected error.

"ERR_: MMS(2720): d:\bt\2172\private\source\miis\shared\utils\libutils.cpp(10018): Failed to start run because of undiagnosed MA errorForefront Identity Manager 4.1.3114.0"

The management agent "myTestWebService" failed on run profile "Full Import" because of an unspecified management agent error.

Additional Information

%3

What we've tried:

-restart the server

-restart the sync service (after stop it could not start up, so we had to restore the machine to its earlier state)

-schema refresh

-run only one operation in Run Profile

-remove logging

-run in separate process

Any help on this?


Outbound Sync Rules "Not Applied"


I have looked at several threads that concern outbound synchronization.  Unfortunately, none have helped.  I am attempting to create a declarative inbound rule for BHOLD SP1.  Most of the documentation shows how to provision using classical methods and using an MVExtension, but I have been told I can do it this way.  I have created my Outbound triple (MPR, set, workflow) and associated them to my Outbound Sync Rule.  I see my expected ERL on one of my user objects.  But when I look in the sync engine, nothing has been provisioned.  I look at one of my users in the sync preview and see that the provisioning is "not applied".  Where do I go from here?

Here is my user with ERL

The sync preview of that user...  Not applied and none of the attributes even show up as available...

Thanks in advance!

FIM Certificate Management failed logon in a request a new set of certificates


Currently I'm implementing FIM Certificate Manager. The installation process is complete and I can access the portal, but when I try to request a new certificate using the sponsor account, a logon failed error shows up. Can you help me solve this issue?

Here is an image of the error:


Thank you in advance.


FIM 2010 R2 Registration Portal (Error 3001) - rejected because of access control policies; The supplied request content violates system rules


We are currently facing issues in setting up the SSPR on the FIM 2010 installation

Actions done:

Installed SQL,FIM Service, Portal and SSPR sites on the same box
Followed all the instructions to set up SSPR  as per  installation guide

Used FIMPassword as the App Pool account for the SSPR sites (the same service is used for FIM installation)

Created the following SPNs
 
Verified all the MPRs and the Password Reset
For all the test accounts we have edited the property “AuthN Workflow Registered” to “Password Reset AuthN Workflow”
Verified the “Password Reset Users Set” and all the users are in this set

Observed Issues

Though all users are able to log into FIM portal, none of them are able to use the SSPR features. (The home page opens up for everyone, but beyond that we are facing issues described below)

After pressing Next on the first screen we observe the following error message
Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)

The detailed message is:
The supplied request content violates system rules.

Event log :

Log Name:      Forefront Identity Manager
Source:        Microsoft.CredentialManagement.ResetPortal
Date:          4/4/2013 3:42:47 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WIN-391G4CQQSCF.fim.test.com
Description:
The error page was displayed to the user.
Details:
Title: Access denied.
Message: Error processing your request: The operation was rejected because of access control policies.
Source: The supplied request content violates system rules.
Attributes:
Details: The Request contains changes that violate system constraints.
CorrelationId: ddc58752-221c-4ef2-a0f0-c016025312ab
RequestId: 10f823ae-11e5-4897-8c45-bae6521e9095
ErrorCode: 3001

Please let us know if there are any other steps that we are missing. We have been stuck on this step for over a week and would really appreciate any help provided.

Note: I tried reinstalling FIMService and modifying the application pool as well.

Appreciate any help in this
Thanks, Vadiraj

Configure pop-up RCDC so that I can edit user objects


Hi 

I am trying to find a way to edit a user object from within a customised popup.

On the User Edit and User View RCDC I have added a panel that lists a user's reportees (i.e. lists every user that has the target set as manager). The list shows the usernames as hyperlinks (i.e. a manager can then click through to view the user that reports to him/her).

eg

My problem is that when you click through to the reportee, the generated popup does not allow you to edit the user (there is no OK button). It would be great if a manager could click through to a reportee's user object and be able to disable it.

Anybody got any ideas on how to enable this on the popup ?? 

Setting values of attribute mandatory at user creation


Hi,

I have a set of attributes like first name, last name, department etc. that I want to make mandatory at the time of user creation in the FIM portal. Please suggest a way out, as the Required field of those attributes in Schema Management --> Attribute binding is frozen. Is there any MPR that can be set to do this?

How to troubleshoot ErrorCode 3000


Hi,

I have deployed FIM-based solution to the testing environment and some users cannot access the portal.

They get "Service not available" and URL http://servername/_layouts/MSILM2/ErrorPage.aspx?ErrorCode=3000.

Everything looks fine on the portal. The user accounts have been imported from AD.

The users that cannot access the portal are on the list of users with all required attributes (display name, account, domain, sid).

Nothing is logged in the event log, nothing in fimDiagnostics.svclog.

DebugView shows also nothing.

Best regards

    Rafal Grzybowski

Event ID's 6801 & 6803 while running delta sync and delta import on Access Management MA


I am currently getting 6803 & 6801 FIMSynchronizationService errors when I attempt a Delta sync or delta import from BHOLD.  I can successfully run a full Sync or Import, so I am unsure of where to look.

The 6803 error reads - "The management agent "AMOrg" failed on run profile "Delta Sync" because the server encountered errors."

The 6801 error is as follows:  The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.AccessManagement.BHOLDConnector.DataAccess.DataAccess.GetDeltaObjects(IDictionary`2 schema, Int32 batchSize, DeltaImportWatermark expectedWatermark, DeltaImportWatermark& nextWatermark)
   at Microsoft.AccessManagement.BHOLDConnector.DataAccess.IntegratedSecurityDataAccess.GetDeltaObjects(IDictionary`2 schema, Int32 batchSize, DeltaImportWatermark expectedWatermark, DeltaImportWatermark& nextWatermark)
   at Microsoft.AccessManagement.BHOLDConnector.DataAccess.DeltaImportDataReader.Read()
   at Microsoft.AccessManagement.BHOLDConnector.BHOLDConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.1.3114.0"

Again, I can perform full syncs and I can see objects move, but I cannot run delta imports/syncs.  Also, I get the error on both my Access Management User MA and my Access Management Org MA.  We are using BHOLD SP1.

Thanks!
