Hello,

We have run IDFix and found duplicated contacts from FIM that we need to fix. We think we can fix that if we make changes to the emailnickname attribute that are coming in from another forest.  Our idea is to add a suffix to the end of the nick name as in gets synchronized to our domain.  So it would be something like this. If the emailnickname is emailnickname@domain.com, we want to change it to emailnickname@domain.com.AMX  for example.  Can this be done using the functions? Would you be able to send me an example on how the function would look like such as ReplaceString and how to apply the function?  I am sorry, but we have been doing a straight GALsync for a long time but nothing has been done in this level.

Thank you. 

When using an OOTB MA which connects to a system, such as SQL Server MA or ADDS MA, a connection status is visible which when clicked on opens a connection log. Is it possible to create such a status/log with ECMA2 and if so, what method do I use?

Thank you.

Hi

I'm looking for some guidance and examples please.

I have a classic FIM 2010 R2 installation with an SQL MA acting as the primary source for my users.  This works fine and users are provisioned to AD without issue. The problem started when I was informed we needed to also provision some users via the FIM Portal (those that come into the business as consultants or contractors and bypass HR). 

I've tried various methods to get this to work but I simply don't know how to get the DN constructed for AD for a user that has been created via the portal. 

When a user is created in the portal and imported into the Metaverse, the object never arrives.  The object appears to  get as far as the connector space for the FIM MA (I can find it if I search the connector space), but when I do a sync, I get the following error:

"Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector."

My outbound sync rule to AD generates the DN in the classic way by contactenating various values but, I guess when you add a user via the FIM Portal, these values aren't in the Metaverse yet which is why the sync fails.

I thought I might be able to work around this and I guess I've followed the trail of many who have gone before me learning that you can't do certain things with the FIM MA.

Currently I'm thinking that I should create a rule extension for the Metaverse - I'm very experienced with VB.NET but I've not worked with rules extensions before and I'm finding it difficult to get up and running quickly. Pehaps I'm running down the wrong alley but my current thinking is that I should write an extension that queries the FIM MA connector space, checks thet Metaverse and creates a unique DN from the values in the connector space as the object passes through to the MV.

So I guess my question is:

How would I construct a unique DN for each user object that is added via the FIM Portal so that they can be provisioned to AD?

In addition, may you please point me at some real primers that get you started on coding rules extensions using VB.NET  (or some examples of what I actually want to do.

Thank you for any help you can provide.

Am unable to add any staffs to the security group. It pop's for the below mentioned error,

Error processing your request: The operation was rejected because of access control policies.

Reason: The server workflow rejected the operation.

Correlation Id: 6ebb20f7-9807-4db8-a412-8a80cc1fa829

Request Id: 6d05799f-3c92-410c-88c1-accb8f0d64a5

Details: The Workflow Instance 'fbcef8fb-4524-4deb-9af3-c03ca7a7b93e' encountered an internal error during processing. Contact your system administrator for more information.

FIM newbie here.

We have a situation where the HR source provides the user IDs and their manager IDs. Quite normal.

The kink is that many managers are "external" and their IDs are not present in the HR file but exist in AD.

An example 3 line file could be

UserID,FirstName,LastName,ManagerID,Title

123,Joe,Soap,X123,Manager

345,Chris,Spalding,123,Worker

678,David,Soul,123,Worker

Joe Soaps manager identified by X123 exists in AD as do all the other 3 users. The person identified by X123 just isn't present in the HR provided file. So the 'natural' use of anchors and references fail. It is impossible to push External people into the HR system. However,  All AD entries containing IDs are projected/joined into the MV and onwards into the Portal.

Is it possible to build a rules extension on import to get the "manager" via MV search using the key ManagerID?

I was hoping the following might be possible.

Invent a MV attribute to hold the manager reference called myManager type reference.

With the advanced attribute flow rule import to attribute myManager with flow rule XYZ

In the C# code

get the CS.ManagerID

<somehow get the MVobjectID of the MV entry having UserID = CS.ManagerID>

push the MVobjectID found into myManager

and then flow myManager to AD manager and Portal Manager attributes.

I am not sure if it is possible/would work.

Is it possible to grab a MV objectID with FIM C# methods?

Is it possible to work with reference typed attributes with flow rules?

Just what methods are available to work with the MV in C#?

Hi Guys,

We have a situation where Owner for a group should be Active, Enabled and Employee of the organization. We can set this criteria in Search Scope.

But when I try setting the Owner(who does not meet the required conditions) via PowerShell script or via sync from AD-->MV-->FIM Portal, the portal seems to accept the value.

Is there any way where we can configure FIM Portal to not accept Unsatisfactory inputs from other sources?

I am thinking its not possible to set this in FIM Portal and might be we have to manually be sure of the Owner value what we set using Powershell or AD.

Please let me know your thoughts on this.

Thanks!

We have several domains  to manage for our customers, so we have installed "FIM 2010 R2" to manage our admin-accounts. But if I now try to delete a user, by deletion from the "User Set", I get this error (please note the screenshot) after synchronization.

I don't get more information about this error, not in the eventvwr and also not in the FIM-Panel even. 

Maybe someone knows more about this issue I would be very thankful for helping to solve this problem.

If more information is needed let me know what kind of.

Thank you

Recently we found a problem with default Resource Control Display Configuration (RCDC) objects when they had been replaced in the FIMService database by a new copy.  
The end result is that any default RCDC object that has been replaced (delete / add) for any reason will not be usable because the FIM Portal references these objects by the default GUID created with the object during the FIM Service install.

Default RCDC Definitions Broken After FIM Service Configuration Migration

Steve Klem

Hi Guys,

Trying to figure this out. I am using the PSMA to control Lync identities, importation is OK, but it's not projecting and nor exporting data to lync. There's something missing?

Here the scripts:

IMPORT

param
(
	$Username = "",
	$Password = "",
	$OperationType = "Full",
	[bool] $UsePagedImport,
	$PageSize
)

# these delta properties are used for delta searches in Active Directory. When this script is called
# with the Delta operation type, it will only return users objects where one of the specified
# attributes has changed since last import
$DeltaPropertiesToLoad = @( "distinguishedname", "mail", "homemdb", "objectguid", "isdeleted", "samaccountname", "oksecondarymail" )

# the MASchemaProperties are the properties that this script will return to FIM on objects found
$MASchemaProperties = @( "mail", "samaccountname", "oksecondarymail" )

$rootdse = [adsi] "LDAP://RootDSE"
$searchroot = $rootdse.defaultnamingcontext
$domain = new-object system.directoryservices.directoryentry "LDAP://$searchroot", $username, $password

$Searcher = new-object System.DirectoryServices.DirectorySearcher $Domain, "(&(objectClass=user)(objectCategory=person))", $DeltaPropertiesToLoad, 2
$searcher.tombstone = ($operationtype -match 'delta')
$searcher.cacheresults = $false

if ($OperationType -eq "Full" -or $RunStepCustomData -match '^$')
{
	# reset the directory synchronization cookie for full imports (or no watermark)
	$searcher.directorysynchronization = new-object system.directoryservices.directorysynchronization
}
else
{
	# grab the watermark from last run and pass that to the searcher
	$Cookie = [System.Convert]::FromBase64String($RunStepCustomData)
	$SyncCookie = ,$Cookie # forcing it to be of type byte[]
	$searcher.directorysynchronization = new-object system.directoryservices.directorysynchronization $synccookie
}

$results = $searcher.findall()

$results = $results | where { $_.psbase.path -match 'OU=USERS,DC=DOMAIN,DC=LOCAL$' }

if ( $results -ne $null )
{
	foreach ($global:result in $results)
	{
		# we always add objectGuid and objectClass to all objects
		$obj = @{}
		$obj.id = ([guid] $result.psbase.properties.objectguid[0]).tobytearray()
		$obj."[DN]" = $result.psbase.path -replace '^LDAP\://'
		$obj.objectClass = "user"
		if ( $result.Properties.Contains("isdeleted"))
		{
			# this is a deleted object, so we return a changeType of 'delete'; default changeType is 'Add'
			$obj.changetype = "delete"
			if ( $operationtype -ne 'full' )
			{
				$obj
			}
		}
		else
		{
			# we need to get the directory entry to get the additional attributes since
			# these are not available if we are running a delta import (DirSync) and
			# they haven't changed. Using just the SearchResult would only get us
			# the changed attributes on delta imports and we need more, oooh, so much more
			$global:direntry = $result.getdirectoryentry()

			# special handled attribute
			$obj.'ismailboxenabled' = $direntry.properties.contains('homemdb')

			# always add the objectguid and objectsid
			$obj.objectguidstring = [string] ([guid] $result.psbase.properties.objectguid[0])
			$obj.objectsidstring = [string] ( New-Object System.Security.Principal.SecurityIdentifier($DirEntry.Properties["objectSid"][0], 0) )

			# add the attributes defined in the schema for this MA
			$maschemaproperties | foreach-object `
			{
				write-debug $_
				if ( $direntry.properties.$_ )
				{
					$obj.$_ = $direntry.properties[$_][0]
				}
			}
			$obj
		}
	}
}

# grab the synchronization cookie value to use for next delta/watermark
# and put it in the $RunStepCustomData. It is important to mark the $RunStepCustomData
# as global, otherwise FIM cannot pick it up and delta's won't work correctly
$global:RunStepCustomData = [System.Convert]::ToBase64String($Searcher.DirectorySynchronization.GetDirectorySynchronizationCookie())

EXPORT

PARAM
(
	$username = "",
	$password = "",
	$domain = ""
)

begin
{
	function log( $message )
	{
		if ( $message )
		{
			write-debug $message
			$message | out-file e:\logs\exchange-ps-export.log -append
		}
	}

	function set-actioninfo($message)
	{
		if ( $message )
		{
			$global:actioninfo = $message
			log -message $actioninfo
			write-debug $actioninfo
		}
		else
		{
			$actioninfo = "general"
		}
	}

	log -message "begin export"

	$securepassword = convertto-securestring $password -asplaintext -force
	$creds = new-object -typename system.management.automation.pscredential($username, $securepassword)

	set-actioninfo "new-pssession"
	$session = new-pssession -connectionuri ('https://SERVER.DOMAIN.LOCAL/OcsPowershell') -credential $creds -debug
	import-pssession -session $session
}

process
{
	log -message "-- start export entry --"
	$identifier = $_."[Identifier]"
	$anchor = $_."[Anchor]"
	$dn = $_."[DN]"
	$objecttype = $_."[ObjectType]"
	$changedattrs = $_."[ChangedAttributeNames]"
	$attrnames = $_."[AttributeNames]"
	$objectmodificationtype = $_."[ObjectModificationType]"
	$objectguid = $_.objectguidstring

	# used to return status to sync engine; we assume that no error will occur
	set-actioninfo 'general'
	$errorstatus = "success"
	$errordetail = ""

	$error.clear()

	try
	{
	enable-csuser -registrarpool fepool.domain.local -id "domain\"+$accountname -sipaddress "sip:"+$mail
	}
	catch
	{
		$errorstatus = ( "{0}-error" -f $actioninfo )
		log -message "ERROR: $errorstatus"
		$errordetail = $error[0]
	}

	# return status about export operation
	$status = @{}
	$status."[Identifier]" = $identifier
	$status."[ErrorName]" = $errorstatus
	$status."[ErrorDetail]" = $errordetail
	$status

	log -message "-- end export entry --"
}

end
{
	set-actioninfo "new-pssession"
	$null = remove-pssession -session $session
	log -message "end export"
}

Diego Shimohama

FIM SSPR quickstart has two MAs - FIMMA and ADMA. Associated with these MAs are three run profiles (actually five but generalizing) - Import, Sync and export.

Can someone please clarify what these do for each MA?

ADMA :  Import -> This creates holograms in AD connector space?

             Sync -> Syncs the AD connector space data with MV?

             Export - ??

FIMMA :  Import -> imports data from MV to fim connector space?

              sync -> syncs data with MV??

              export -> exports to FIM portal database?

Hi,

I am receiving an error "There was an error serializing the security token. "  When trying to save the answers to my Password reset Self Service registrations question in the RTM version.

Anyone seen this before?

Matthew



Log Name:      Forefront Identity Manager
Source:        Microsoft.ResourceManagement
Date:          11/03/2010 10:10:15 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIMPort1.ebus.root.internal
Description:
System.ServiceModel: System.Xml.XmlException: There was an error serializing the security token. Please see the inner exception for more details. ---> System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.Tokens.SamlAssertion.System.IdentityModel.ICanonicalWriterEndRootElementCallback.OnEndOfRootElement(XmlDictionaryWriter dictionaryWriter)
   at System.IdentityModel.SamlDelegatingWriter.OnEndOfRootElement()
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.IdentityModel.Tokens.SamlAssertion.WriteTo(XmlWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.ServiceModel.Security.WSSecurityJan2004.SamlTokenEntry.WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   at Microsoft.ResourceManagement.WebServices.WSTrust.RequestSecurityTokenResponseType.SetRequestedSecurityToken(SamlSecurityToken samlSecurityToken)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-11T00:10:15.000000000Z" />
    <EventRecordID>785</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>FIMPort1.ebus.root.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data>System.ServiceModel: System.Xml.XmlException: There was an error serializing the security token. Please see the inner exception for more details. ---&gt; System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details. ---&gt; System.Security.Cryptography.CryptographicException: Keyset does not exist

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle&amp; safeProvHandle, SafeKeyHandle&amp; safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.Tokens.SamlAssertion.System.IdentityModel.ICanonicalWriterEndRootElementCallback.OnEndOfRootElement(XmlDictionaryWriter dictionaryWriter)
   at System.IdentityModel.SamlDelegatingWriter.OnEndOfRootElement()
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.IdentityModel.Tokens.SamlAssertion.WriteTo(XmlWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.ServiceModel.Security.WSSecurityJan2004.SamlTokenEntry.WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   at Microsoft.ResourceManagement.WebServices.WSTrust.RequestSecurityTokenResponseType.SetRequestedSecurityToken(SamlSecurityToken samlSecurityToken)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1&amp; currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]&amp; currentChallenges)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)</Data>
  </EventData>
</Event>

I have an ECMA2 ma, and in the Full Import I create a list of CSEntryChange objects with ObjectModificationType Add, like in this example:

// iterate through the objects in the connected system
foreach (var website in theListOfWebsitesInTheConnectedSystem) {
    // create a CSEntryChange object
    var entry = CSEntryChange.Create();
    entry.ObjectType = "website";
    entry.ObjectModificationType = ObjectModificationType.Add;
    entry.AnchorAttributes.Add(AnchorAttribute.Create("Name", website.NAME));
    entry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("Description", website.DESCRIPTION));
    entry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("Category", website.CATEGORY));
    // add it to the list (this list will be split somewhere else to manage the page size)
    listOfEntries.Add(entry);
}

My understanding was that if an object is not in the list of objects I return, FIM should understand that the object has been deleted in the connected system, and try to recreate it.

However, if I delete an object in the Connected System and then run a Full Import, the object is NOT returned in the list, but FIM still sees it as a connector in the connector space of my MA, and I see no deletion in the import results.

How is this supposed to work? What should I do to make FIM realize that an object was deleted?

Paolo Tedesco - http://cern.ch/idm

I am trying to get some numbers on how many password resets have occurred in a specified amount of days/Months/years.

Is there a way to do this with sets? Or is this something done with FIM Powershell or FIM Query?

Thanks

Brandon

I am trying to use this client to set binary attributes such as Photo in FIM but found out that these attributes were defined as "Int' in the client schema instead of "Byte[]".

What is the reason for that?

Does anybody has some sample code to set binary attributes in FIM?

Hi,

We are using Generic Rest API MA for Google(Naohiro) Provisioning from FIM. For provisioning,we are using provision code and mapped FIM "Email" Attribuite with DN(google) i.e.(FIM Email->dn) and FIM Email-->PrimaryEmail(Google) in MVExtension code. Now we have to change PrimaryEmail value on Google. As 'PrimaryEmail' is used as Anchor attribute, through FIM Sync we are unable to change PrimaryEmail. So, we came up by deleting/disconnecting the metaverse object  and re provisioned the user with changed Email. So now we want to automate deleting a particular user from Metaverse.

Is there any way for automating the deletion of a specific user from metaverse using some script(powershell or any others).

Thanks

Prasanthi.

Hi,

Does the built-in FIM 2010 R2 Oracle MA support structural, aux and extensibleObject classes?

Thanks,

SK

Trying to develop an Email Template for local user to Notify when a new AD account is created for the user.

The local language here norse/finnish/ has extended ascii characters in the alphabet e.g. ö ä å Æ æ Œ œ ø Ø þ Þ ð Ð

(I hope these are visible in the forum message, they are danish/norwegian and swedish/finnish characters)

These get scrambled when the Notification Email is built by FIM.

How do I start debugging this to track down what is wrong?

*HH

Hi,

The Generic LDAP MA takes about 50 minutes to import 90 records from a target Oracle server.

So we looked for a hotfix, and came across this: https://support.microsoft.com/en-nz/kb/3008177

However, once we download this hotfix and try to extract it, we get the following error:

"An error has occurred while unzipping. One or more files were not successfully unzipped. The error code is 40."

We have tried to download and extract this file on 3 different computers, but get the same error message.

Please could someone from Microsoft fix the zip file please, or point us to the correct URL?

thank you,

SK

We have a tab in FIM that has 3 boolean attributes. 2 set of users have got different level of access to those attributes. When one of the boolean is checked, FIM is trying to set the value to false for other 2 attributes and they are getting access denied error. In RCDC, I changed the default value to false for all those 3 attributes but still getting the same error. Is there any other solution?

  <my:Property my:Name="Text" my:Value="Termination" />
  <my:Property my:Name="Checked" my:Value="{Binding Source=object, Path=ForceDeprovision, Mode=TwoWay}" />
  <my:Property my:Name="DefaultValue" my:Value="false" />



Hi,

What are the bare minimum attributes need to provision a user to iPlanet via FIM?

Thank you,

SK