FIM Portal Security Groups missing
Ignite 2015: Upgrading from FIM to MIM and Azure Active Directory questions
Hi,
Have listened to this Ignite 2015 talk, and have a few questions: http://channel9.msdn.com/Events/Ignite/2015/BRK3857
- The roadmap goes as follows: FIM to MIM to AAD Connect. So will AAD Connect have a different Sync Engine from its predecessors? Will we still have a Metaverse, Connector Space, Management Agents, etc? Or is the entire architecture changing?
- Will AAD Connect still have the 'FIM Portal' equivalent?
- It almost sounds like AAD Connect will only support Declarative Provisioning, and will no longer support Rules Extensions, is this correct?
- Is there BHOLD in AAD Connect?
- Will the FIM deprecated features still be available in MIM? https://technet.microsoft.com/en-us/library/jj879229%28v=ws.10%29.aspx; and they will only be unavailable in AAD Connect?
- Comment: sounds like MIM 2016 will still support "FIM Reporting & SCSM combination". MIM will also be able to use Azure AD for Reporting (via an agent).
If anyone has any more questions/comments, please post.
Looking forward to the answers.
Thanks,
SK
Is it possible to force the EWS FIM Notification activity/Email Template to use the 'Text' BodyType property and not HTML?
What version of EWS libraries does FIM 2010 R2 Sp1 use?
I have traced the problem with FIM 2010 R2 SP1 Notifications via EWS down to the message BodyType. At least with our Exchange 2013 setup we get scrambled accented chars.
Writing a simple Powershell script to use the latest 2.2 EWS immediately highlighted the issue. Switching the BodyType has a profound effect.
Question is: if I want, how can I configure FIM to always use Text emails?
#Web Service Path
$EWSServicePath = "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"
#Importing WebService DLL
Import-Module $EWSServicePath
#Creating Service Object
$Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList Exchange2010_SP1
#Setting up Credentials
$user = "mydomain\fim.service"
$pass = "********" # just a test ffs
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials -ArgumentList $user, $pass
#Setting up EWS URL for exchange.
$EWSurl = "https://mail.mydomain.com/EWS/Exchange.asmx" # same as FIM config
$Service.URL = $EWSurl
#Setting up Email message Class
$message = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage -ArgumentList $service
$message.Subject = "This Message has been Created by EWS on my mail server"
$message.From = "fim.service@mydomain.local"
$message.ToRecipients.Add("harold.hare@mycompany.com")
$message.Body = "This is Test Message öäåÖÄÅ <br>Greetings, EWS Client 2.2"
$message.Body.BodyType = 'Text' # works
#$message.Body.BodyType = 'HTML' # likes the break but scrambles the scandies
$message.SendAndSaveCopy()
Consideration when applying FIM Database backups (DB Owner SID)
Hello,
We experienced an obscure issue in FIM that cost us a lot of time and effort.
I would like to share my experiences.
We recently applied a FIMService Database backup for our FIM environment, due to a failed change implementation.
After implementing the fallback database, everything was fine at first glance. After some weeks, I recognized that our criteria-based groups and sets in the FIM portal with date/time filters didn't work properly as intended and the necessary MPRs didn't get fired.
Long story short, I figured out that the SQL Server Agent jobs hadn't run successfully since our fallback. In our case it was the FIM_TemporalEventsJob (this job evaluates temporal sets and policies, validates set and group membership, and runs daily by default).
https://technet.microsoft.com/en-us/library/ff830030%28v=ws.10%29.aspx
Recognized failure in the Job history:
'EXECUTE AS LOGIN' failed for the requested login “ServiceAccount”. The step failed.
That was strange, because the ServiceAccount that runs the jobs is the owner of the FIMService database.
Further investigation revealed the following:
The database owner SID recorded in the master database differs from the database owner SID recorded in database 'XXXX'. You should correct this situation by resetting the owner of database 'XXXX' using the ALTER AUTHORIZATION statement.
To prove that the problem is in fact differing SIDs, I ran the following two SQL statements.
- To get the owner SID recorded in the master database for the current database:
SELECT owner_sid FROM sys.databases WHERE database_id = DB_ID()
- To get the owner SID recorded for the current database owner:
SELECT sid FROM sys.database_principals WHERE name = N'dbo'
They should return SID values in the format of a GUID.
Now if the two SIDs differ, which they did in my case, it means that you need to reset the database owner so that both values are the same. To do this you can run another ALTER statement and pass in the owner value you want to use, e.g.
ALTER AUTHORIZATION ON Database::XXXX TO [domain\user]
Once I had run this code the problem was fixed.
Hope this helps those having similar issues.
Thanks Fatih
Quest FIM Powershell Snapin - Unable to install.
Hi,
I am trying to install the Quest FIM PowerShell Snapin. I downloaded it from Codeplex and added the DLL "Quest.FIMPowershellSnapin.dll" into the assembly. In PowerShell I checked whether the snapin is registered or not and the results showed that this Quest snapin is registered. But when I try to add "Add-PSSnapin Quest.FIMPowershellSnapin", it is giving me an error:
Add-PSSnapin: Cannot load windows powershell snapin "Quest.FIMPowershellSnapin.dll" because of the following error "The windows powershell snapin module Quest.FIMPowershellSnapin.dll does not have required windows powershell snapin strong name Quest.FIMPowershellSnapin version=1.0.0.0,Culture=neutral,PublicKeyToken=null".
Please help
Thanks
Prasanthi.
Projection Code help, MV extension
Currently we are using some code to project into the MV from one of our MAs based on extensionAttribute.
I tried to add to this code to create a second qualifier, but it is now wanting both, and when I try to project it to the MV it tells me that it is missing.
bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
{
    // Project as a group when the marker attribute carries the expected value
    if (csentry["extensionAttribute15"].Value.Equals("FIMPORTALGROUP"))
    {
        MVObjectType = "group";
        return true;
    }
    // Anything else is not projected
    MVObjectType = "unknown";
    return false;
}
This is what I tried... I can't seem to find what I did wrong; it worked.
Russell Lema
Migrating FIM Portal to a different Sharepoint Environment
I have been looking around.
We have decided to use the FIM portal more, and in our current system we have a separate SharePoint environment to house the FIM portal.
I cannot seem to find any examples, but we would like to migrate this FIM portal to a different SharePoint environment that our company is already using, so that it has better infrastructure than the current shallow SharePoint we have.
Thanks
Russ
Russell Lema
FIM mailnickname append
Hello,
We have run IDFix and found duplicated contacts from FIM that we need to fix. We think we can fix that if we make changes to the emailnickname attribute that is coming in from another forest. Our idea is to add a suffix to the end of the nickname as it gets synchronized to our domain. So it would be something like this: if the emailnickname is emailnickname@domain.com, we want to change it to emailnickname@domain.com.AMX, for example. Can this be done using the functions? Would you be able to send me an example of how the function would look, such as ReplaceString, and how to apply the function? I am sorry, but we have been doing a straight GALSync for a long time and nothing has been done at this level.
Thank you.
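An added example (not code from either poster) of an IMASynchronization rules extension that covers both the two-qualifier projection asked about in the "Projection Code help" thread and the suffix question in this GALSync thread. It assumes extensionAttribute15 and the value "FIMPORTALGROUP" from the projection post, a hypothetical second qualifier value "FIMPORTALUSER", the AD attribute mailNickname as the attribute being flowed, the suffix ".AMX" from this post, and a hypothetical import flow rule named "mailNickname-suffix".

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example, not code from either post. Qualifier2 and the flow rule
// name "mailNickname-suffix" are hypothetical; ".AMX" and "FIMPORTALGROUP"
// come from the posts.
public class MAExtensionObject : IMASynchronization
{
    const string Qualifier1 = "FIMPORTALGROUP";
    const string Qualifier2 = "FIMPORTALUSER";
    const string NickSuffix = ".AMX";

    public void Initialize() { }
    public void Terminate() { }

    // Project when EITHER qualifier matches (two separate tests, not one
    // combined condition). Checking IsPresent first avoids a null reference
    // when the marker attribute is empty on the CS object.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        string marker = csentry["extensionAttribute15"].IsPresent
            ? csentry["extensionAttribute15"].Value
            : null;

        if (string.Equals(marker, Qualifier1, StringComparison.OrdinalIgnoreCase))
        {
            MVObjectType = "group";
            return true;
        }
        if (string.Equals(marker, Qualifier2, StringComparison.OrdinalIgnoreCase))
        {
            MVObjectType = "person";
            return true;
        }
        MVObjectType = "unknown";
        return false;
    }

    // Advanced import flow: copy mailNickname into the metaverse with the
    // suffix appended, and do not append it again on a later delta import.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        if (FlowRuleName != "mailNickname-suffix")
            throw new EntryPointNotImplementedException();

        if (!csentry["mailNickname"].IsPresent)
        {
            mventry["mailNickname"].Delete();   // source cleared: clear the MV value too
            return;
        }
        string nick = csentry["mailNickname"].Value;
        if (!nick.EndsWith(NickSuffix, StringComparison.OrdinalIgnoreCase))
            nick += NickSuffix;
        mventry["mailNickname"].Value = nick;
    }

    // Remaining interface members are not used by this MA.
    public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
}
```

The suffix flow must be configured as an advanced import attribute flow with that flow rule name on the MA; a direct flow would bypass the extension.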
FIM2010R2 Microsoft Powershell MA: Unable to retrieve schema
When I try to configure the PowerShell MA on a Windows 2008 server with FIM 2010 R2, I get the following error:
Unable to retrive schema: Error: An anchor attribute defined by the extension must not be of type Reference or Boolean. A multivalued value defined by the extension must not be of type Boolean.
And the following eventlog message:
The extensible extension returned an unsupported error.
The stack trace is:
"Microsoft.MetadirectoryServices.ExtensionException: The Schema returned from the PowerShell compliant server is null
at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.ConfigBridge.GetSchema()
Forefront Identity Manager 4.1.3508.0"
But when I tried to do the installation and configuration on another lab server (Win2008) I got stuck on the first error, and on this server it didn't help to create the PowerShell folder.
I could also see that it doesn't even run the GetSchema cmdlet; this is the trace file generated from the config:
ConnectorsLog Verbose: 0 : Method Name : PowerShellConnector : .ctor
Initiated PowerShellConnector Constructor
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : .ctor
Initiated BridgeBase constructor
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : .ctor
Initiated ConfigParametersParser constructor
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
Initiated the Parsing of the Configuration Parameters
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConnectivityParams
Initiated the Parsing of the Connectivity Page Parameters
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConnectivityParams
Parsing of the Connectivity Page Parameters completed
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : SetPSCredential
Constructing PowerShell credential object
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : SetPSCredential
Constructing PSCredential for user: lumaville\administrator
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
Construction of the PowerShell credential object completed
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
LogonType selected is None, ImpersonateConnectorAccount is False, LoadUserProfileWhenImpersonating is False
ConnectorsLog Verbose: 0 : Method Name : ConfigParametersParser : ParseConfigParams
Parsing of the Configuration Parameters completed
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : IntializeContext
Initializing the PowerShell context with the following PowerShell credentials
ConnectorsLog Verbose: 0 : Method Name : PowerShellContext : IsScriptSigned
Script signed is False
ConnectorsLog Verbose: 0 : Method Name : PowerShellConnector : GetSchema
IntializeContext completed
ConnectorsLog Verbose: 0 : Method Name : PowerShellConnector : GetSchema
Initiated ConfigBridge constructor
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Generating the temporary file path for the PowerShell script
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Creating a file in the following temporary file path C:\Windows\TEMP\FIMPowerShellConnectorModule.psm1
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
The temporary file path for the PowerShell script created
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Generating the temporary file path for the PowerShell script
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
Creating a file in the following temporary file path C:\Windows\TEMP\ss2xvrzw.ps1
ConnectorsLog Verbose: 0 : Method Name : BridgeBase : GeneratePSContentScript
The temporary file path for the PowerShell script created
ConnectorsLog Information: 1 : Method Name : ConfigBridge : GetSchema
Initiated GetSchema method
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : .ctor
Initiated ParameterBuilder Constructor
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : GetConfigCommandParameters
Fetching the configuration command parameters
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : GetConfigCommandParameters
Script type : Schema
ConnectorsLog Verbose: 0 : Method Name : ParameterBuilder : GetConfigCommandParameters
GetConfigCommandParameters completed
ConnectorsLog Verbose: 0 : Method Name : ConfigBridge : GetSchema
Executing the Schema script present at the following path C:\Windows\TEMP\ss2xvrzw.ps1
ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : InvokePowerShell
Invoke PowerShell to execute the PowerShell commands and get the output as PowerShell Object collection
ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : Initialize
Creating a new PowerShell instance
ConnectorsLog Verbose: 0 : Method Name : PowerShellRuntime : Initialize
Creation of new PowerShell instance completed
ConnectorsLog Information: 1 : Method Name : PowerShellRun
Ulf Lindström
FIM SSPR - Portal can send e-mails, but SSPR gets "Unable to send a security code"
Hi all,
In the middle of retrofitting a test environment with OTP in SSPR and while FIM Portal sends my new user notifications fine, I am having troubles sending out the one-time-codes.
In SSPR, I enter the username, and it sits there for a while with a spinning wheel before erroring out with the message: Unable to send a security code.
When I review Event logs, I can see that the e-mail sending is timing out:
Any thoughts on why this might be? It works fine in production, but not in test - and the only difference between the two environments is that we're using EWS in Prod and SMTP relay in test... but again, I've verified the SMTP relay works.
- Ross
FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services
Event log errors - Application and FIM Operational
So I was just doing some checking up and making sure everything was running correctly, which it seems it is, but I have come across a lot of errors in the Windows logs attached to the FIMSync Service. Was wondering if anyone could give me any advice.
This is happening on our cycles, delta sync and exports
I know that some of the errors have to do with ADMIN accounts and the MA account does not have access to manage them. But not sure what the rest are
APPLICATION LOG ERROR
Forefront Identity Manager 4.1.3599.0
The server encountered an unexpected error in the synchronization engine:
"BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sqlstore\csobj.cpp(8254): 0x80230404 (The operation failed because the attribute cannot be found)
BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sqlstore\csobj.cpp(8254): 0x80230404 (The operation failed because the attribute cannot be found)
BAIL: MMS(5504): d:\bt\37281\private\source\miis\shared\entry\tower.cpp(3989): 0x80004005 (Unspecified error)
ERR_: MMS(5504): d:\bt\37281\private\source\miis\shared\entry\tower.cpp(12133): BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sqlstore\csobj.cpp(1833): 0x80004005 (Unspecified error)
BAIL: MMS(5504): d:\bt\37281\private\source\miis\server\sync\expcall.cpp(905): 0x80004005 (Unspecified error)
ERR_: MMS(5504): d:\bt\37281\private\source\miis\server\sync\expbase.cpp(2957): PutAnchorWithDnInternal failed on CS object {0E6B94B6-4416-E211-ABF9-005056BA0089} with 0x80004005 (pass 1 of 5)
Forefront Identity Manager 4.1.3599.0"
The management agent controller encountered an unexpected error.
"BAIL: MMS(5504): d:\bt\37281\private\source\miis\cntrler\cntrler.cpp(12498): 0x80004005 (Unspecified error)
BAIL: MMS(5504): d:\bt\37281\private\source\miis\cntrler\cntrler.cpp(9395): 0x80004005 (Unspecified error)
BAIL: MMS(5504): d:\bt\37281\private\source\miis\cntrler\cntrler.cpp(8158): 0x80004005 (Unspecified error)
Forefront Identity Manager 4.1.3599.0"
OPERATIONAL LOG ERROR – TONS OF THESE, NO OTHER DETAILS
HRESULT: '0x80230507' Source: 'd:\bt\37281\private\source\miis\server\rules\project.cpp(1635)' Thread ID: '0x109c' Additional Info: ''
Russell Lema
Unique value on the export in C#
Hi all
I'm wanting to export a value to the CS which I want to be unique.
I've read a few pages regarding how this can be done using custom workflows etc., but I'm wanting to do this comparison based on what's in the CS rather than FIM/MV, as there are more objects (unrelated to FIM) in there that may already have this generated value.
I originally found the MV class utils.findmventries:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms698827%28v=vs.85%29.aspx
I'm wondering if there's something just like this but for the CS or is there a better way?
FIM Error
Hello
I have this error in Event Viewer:
HRESULT: '0x80004001' Source: 'd:\bt\5414\private\source\miis\cntrler\cntrler.cpp(2718)' Thread ID: '0x1ec0' Additional Info: '' HRESULT: '0x80070002' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(114)' Thread ID: '0x1ec0' Additional Info: '' HRESULT: '0x80070002' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(59)' Thread ID: '0x1ec0' Additional Info: 'Win32 API failure: 2 HRESULT: '0x0' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(58)' Thread ID: '0x1ec0' Additional Info: 'Failed getting registry value 'ADMAUseLVR', 0x2 HRESULT: '0x0' Source: 'D:\bt\5414\private\source\MIIS\ma\shared\inc\MAUtils.h(58)' Thread ID: '0x1ec0' Additional Info: 'Failed getting registry value 'ADMAUseACLSecurity', 0x2 HRESULT: '0x80230404' Source: 'd:\bt\5414\private\source\miis\server\sqlstore\csobj.cpp(8241)' Thread ID: '0x1ec0' Additional Info: '' HRESULT: '0x80070057' Source: 'd:\bt\5414\private\source\miis\shared\ldaputils\session.cpp(4771)' Thread ID: '0x1ec0' Additional Info: '' HRESULT: '0x0' Source: 'd:\bt\5414\private\source\miis\shared\ldaputils\session.cpp(2227)' Thread ID: '0x1ec0' Additional Info: '' HRESULT: '0x80070005' Source: 'd:\bt\5414\private\source\miis\shared\ldaputils\session.cpp(4771)' Thread ID: '0x1ec0' Additional Info: ''
Any idea
Thanks
Encryption key to connect to DB at DR Site?
Hi all,
I'm planning to have a FIM server and SQL Server for FIM at the DR site.
I'm not sure, when I install FIM at the DR site to connect to the SQL DB at the DR site (the SQL DB is replicated from DC to DR), does it require me to input an existing encryption key to connect to the DB at DR?
Anyone can help?
Thanks !
Export Add workflow of Webservice Connector for SAP
I have setup Export Add workflow and setpassword workflow to update the user in Webservice connector for SAP.
But the workflow is not working as expected; if there are any references regarding this issue, please post the answers.
Send notification when a user is added to a security group
Hello,
I'm wondering if it's possible to send notifications to a user when they are added or removed from a security or distribution group. It seems like the default approval workflow for adding a user to a group does not do this.
thanks,
Josh
Synchronization Service Installation Failure - Error 25009 - sp_dbcmptlevel
Hello,
The title pretty much explains it all. I'm using SQL Server 2014 as a remote hosting DB server. I have the FIM Service and Portal installed and had no issues. But when installing the Synchronization Service, specifying the same DB server as the FIM Service and Portal, I get the following error:
Error 25009. The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. Usage: sp_dbcmptlevel [dbname [, compatibilitylevel]]. I get this message at the very end of the install process.
I would imagine I'm going to get an answer that the Synchronization Service is not supported on SQL Server 2014, but I'm looking for a workaround. The only thing I can think of is that the Synchronization Service database is supposed to run in a compatibility mode no longer supported by SQL Server 2014.
But I checked the installation I have on SQL Server 2008 R2, and the Synchronization Service database is running in 2008 compatibility mode, just like the FIM Service DB on the SQL Server 2014 installation.
Anyone have any ideas?
FIM Hotfix Install Issue
I'm trying to apply latest hotfix (4.1.3613.0) to a lab machine but hitting an error when updating the FIM Service. The install fails quickly, so I turned .msi logging on and can see this in the log
invalid for package C:\Windows\Installer\20946a.msi. Expected product version == 4.1.2273.0, found product version 4.1.3114.0
Which is odd, as the Hotfix says "To apply this update, you must have Forefront Identity Manager 2010 R2 SP1 (build 4.1.3419.0 or a later build) installed." - which is what FIM tells me I have installed...
I'm going to try applying some intermediary hotfixes and see if that helps, but thought I would raise the issue in case anyone else has seen it.
Cheers,
Dave
Loading MIM Connect VMs into Azure?
Hi,
The latest MIM VMs are zipped on Connect. Is there a way to get them into Azure without having to download them first onto a local workstation? Is there a way to directly copy them from Connect into Azure?
Thanks,
SK
Password Reset Portal for external users
Hello,
Does anyone have any experience with publishing a Password Reset portal for external users? We have many users that work remotely, what would be the best or most secure way for these users to access the password reset portal? Any information is appreciated.
thanks