Channel: Microsoft Identity Manager forum
Viewing all 7443 articles

Unable to install MIM 2016 Service and Portal - SharePoint Claims Issue

Hi,

Have deployed SharePoint Foundation 2013 Sp1, and now am trying to install MIM 2016 Service and Portal and get the following error:

"The FIM portal does not support being deployed on a SharePoint web application with claims-based authentication. Please make sure the SharePoint web application is configured with classic-mode authentication"

According to another Microsoft article: "claims-based authentication is the default (in SharePoint Foundation 2013) and preferred method of user authentication". So why is MIM not following Microsoft best practices?

It would be nice if the MIM documentation team would provide us with an answer in order to deploy and test their new product (or update MIM to work according to Microsoft best practices).

Unfortunately this article does not really say enough: https://technet.microsoft.com/en-us/library/jj863242.aspx?f=255&MSPPError=-2147217396

Look forward to hearing some feedback from the team.

Regards,

SK





How to update user information between AD and FIM

Hello.

I have a problem. My system has user information only in FIM and I'm able to export these users with success into AD by running the following profiles:

1) Full import (ADMA)

2) Full synch (ADMA)

3) Full import, synch, export, delta import (FIMMA)

4) Export with ma-extension-error (ADMA)

5) Delta import (ADMA)

Users are successfully written into AD even if during the export phase there is the problem written above.

Moreover, I modify a user attribute in AD and I want to propagate this change into FIM.

So I run:

1) delta import

2) delta synch (ADMA). (everything ok)

3) export (FIMMA)

When I run export for FIMMA an error appears for every user Detected Rule Entry: failed-creation-via-web-services.

If I click Validate object against schema, "Required attribute 'Connector' is missing" appears in Export in progress tab.

If I click Preview and Generate preview it says Synchronization successful. On the left, I click Connector Updates and I explore Attribute flow for Detected Rule Entry object of FIMMA and I notice that synchRuleID, displayName, connector, resourceParent, objectType have skipped: Not precedent status and Final value (Deleted). Only <object-id> is applied.

It seems that the connector space of FIMMA was deleted automatically.

What can I do? Thank you in advance.

FIM 2010 is not provisioning users in external AD Environment

Dear Sir,

I am facing some issue in FIM 2010 while exporting users to another AD environment. Please tell me a feasible time for you so that I can communicate with you on it.

Regards,

Shakeel Shahid.

Migration of users/groups to Azure active directory from multiple forest

Hi,

We have one requirement to integrate/move users/groups from a multi-forest, multi-domain AD environment to Azure Active Directory and manage the passwords of users. I knew that FIM provides the AAD connector to move the user/group objects to AAD. Request you please suggest me for the below.

1. Where do we need to deploy FIM - on premise or in the cloud?

2. What are the other main things we need to consider for the solution?

3. What about the FIM SSPR? Does it support password reset on AAD?

4. Is there any document for it?

Thanks

Harry

   


Generate Unique AccountName in FIM Portal 2010 R2.

Hi,

As the user AccountName is a fairly common attribute that needs to be generated unique, I want to create/generate a unique AccountName in the FIM Portal. Specifically, take a LastName and a FirstName, generate an AccountName in the format of <LastName><FirstName> and check whether it exists in the FIM Portal. If it does, the first character of FirstName will be added to the end; if that also exists in the FIM Portal, then the first two characters of FirstName will be added to the end, and so on, checked until a unique value is discovered. If anyone has any idea, solution or code for developing this logic, please share it with me.

Regards

Anil Kumar
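
The naming scheme described in the post above, as an added example that is not part of the original post and not FIM code: `AccountStore` is a hypothetical in-memory stand-in for the FIM Portal lookup. Stripping accents and punctuation, comparing names case-insensitively, and claiming the name under a lock are assumptions added here so that two concurrent requests cannot receive the same AccountName.

```python
import re
import threading
import unicodedata

def clean(part):
    """Fold accents, then keep only ASCII letters and digits (an assumption)."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Za-z0-9]", "", folded)

def candidates(last_name, first_name):
    """Yield <LastName><FirstName>, then that base plus the first 1, 2, ...
    characters of FirstName, in the order the post describes."""
    last, first = clean(last_name), clean(first_name)
    if not last or not first:
        raise ValueError("both names must contain at least one letter or digit")
    base = last + first
    yield base
    for n in range(1, len(first) + 1):
        yield base + first[:n]

class AccountStore:
    """Hypothetical stand-in for the FIM Portal's set of AccountNames.
    reserve() checks and claims under one lock, so a name that was free at
    check time cannot be taken by another request before it is recorded."""

    def __init__(self, existing=()):
        self._names = {name.lower() for name in existing}
        self._lock = threading.Lock()

    def reserve(self, name):
        with self._lock:
            if name.lower() in self._names:
                return False
            self._names.add(name.lower())
            return True

def generate_account_name(last_name, first_name, store):
    """Return the first candidate the store lets us claim."""
    for name in candidates(last_name, first_name):
        if store.reserve(name):
            return name
    # Every prefix of FirstName is already taken: fail instead of looping.
    raise LookupError("no free AccountName for %s %s" % (first_name, last_name))

if __name__ == "__main__":
    store = AccountStore(["smithjohn", "SmithJohnJ"])  # constructed sample data
    print(generate_account_name("Smith", "John", store))
    print(generate_account_name("O'Brien", "Jos\u00e9", store))
```
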


Microsoft Identity Manager 2016 is now GA!

Forefront Identity Management SharePoint Profile Store Connector Export Error: Value cannot be null. Parameter name: strAccountName

I am using Forefront Identity Manager 2010 R2. We have installed the Microsoft SharePoint Profile Store connector and have set up attribute flow to my SharePoint Server. We have disconnected and disabled the Native FIM SharePoint Profile Connector that is deployed by SharePoint (this is my SharePoint DEV environment).

I followed this Documentation: https://msdn.microsoft.com/en-us/library/Dn511003%28v=WS.10%29.aspx

I used input from: http://goodworkaround.com/node/70

I am pushing all the standard attributes such with no Custom Attributes on the SharePoint side.

Data flow is one direction from my FIM Installation to Sharepoint. We do not have any flows from SharePoint to FIM.

I have exported several thousand user objects to SharePoint with Success, photographs included.  User profiles are working and successful.

After a few days of letting the synchronization bake, I am finding that Updates to user objects are failing on Export to SharePoint with the following error (taken from the MA error message):

Export retry FAILED for Entry[ObjectType: user, Anchor: DOMAIN_USER1234__fa631765-12b1-4da1-879-2dcfd6a7afae]..
 Error: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> Value cannot be null.
Parameter name: strAccountName
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.IdentityManagement.Connector.Sharepoint.SharePointProfileImportExportService.ProfileImportExportService.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData)
   at Microsoft.IdentityManagement.Connector.Sharepoint.SharepointServiceProvider.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData)
   at Microsoft.IdentityManagement.Connector.Sharepoint.SharepointConnector.PutExportEntries(IList`1 csEntries)

I have verified that the AccountName is not blank as this error suggests.

The XML of the update request (As pulled from a network trace):

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <UpdateWithProfileChangeData xmlns="http://microsoft.com/webservices/SharePointPortalServer/ProfileImportExportService">
            <importExportId>104</importExportId>
            <profileChangeData>
                <ProfileChangeData>
                    <ProfileIdentifier />
                    <DistinguishedName>DOMAIN_USER12345__8ce5dfd2-0b49-40fb-8b56-7a2b740256cb</DistinguishedName>
                    <ObjectGuid>00000000-0000-0000-0000-000000000000</ObjectGuid>
                    <ObjectClass>user</ObjectClass>
                    <PropertyChanges>
                        <PropertyChangeData>
                            <Name>LastName</Name>
                            <ChangeType>Modify</ChangeType>
                            <Values>
                                <anyType xsi:type="xsd:string">Smith</anyType>
                            </Values>
                        </PropertyChangeData>
                        <PropertyChangeData>
                            <Name>WorkEmail</Name>
                            <ChangeType>Modify</ChangeType>
                            <Values>
                                <anyType xsi:type="xsd:string">SSMith@domain.com</anyType>
                            </Values>
                        </PropertyChangeData>
                    </PropertyChanges>
                    <ChangeType>Modify</ChangeType>
                </ProfileChangeData>
            </profileChangeData>
        </UpdateWithProfileChangeData>
    </soap:Body>
</soap:Envelope>

The SharePoint server response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>Server was unable to process request. ---&gt; Value cannot be null.

Parameter name: strAccountName</faultstring>
            <detail />
        </soap:Fault>
    </soap:Body>
</soap:Envelope>

I can delete the profile in SharePoint and after a full sync the profile will be there with the updated data.

Any thoughts on why SharePoint would be rejecting this update?



Upgrade to MIM fails with UpgradeDatabase error


I'm following the upgrade instructions here https://technet.microsoft.com/en-us/library/mt219041.aspx on upgrading to MIM. The FIM build version is FIM 2010 R2 SP1 (4.1.3634.0).

Error captured in MSIEXEC logs is below. I found one wiki reference to a 1772 error which related to the install account not having Farm admin rights in Sharepoint. I checked that I have this right, and have also tried giving SQL db_owner on the FIMService DB to the FIM service account & the installer account, but no change.

Any ideas? Thanks,

Matthew


CustomAction UpgradeDatabase returned actual error code -2 (note this may not be 100% accurate if translation happened inside sandbox)
Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpgradeDatabase, location: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.IdentityManagement.DatabaseUpgrade.exe, command: /ConnectionString:"Data Source=FIM1;Initial Catalog=FIMService;Integrated Security=SSPI;Pooling=true;Connection Timeout=225" /FimServiceAccountName:"CORP\SVC_FIMService" /FimServiceDatabaseName:"FIMService" 
MSI (s) (7C:64) [10:30:05:896]: Product: Microsoft Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpgradeDatabase, location: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.IdentityManagement.DatabaseUpgrade.exe, command: /ConnectionString:"Data Source=FIM1;Initial Catalog=FIMService;Integrated Security=SSPI;Pooling=true;Connection Timeout=225" /FimServiceAccountName:"CORP\SVC_FIMService" /FimServiceDatabaseName:"FIMService" 

08/07/2015 10:30:05.896 [5500]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 384

08/07/2015 10:30:05.896 [5500]: Detailed info about C:\Windows\assembly\tmp\7MIPTGMU\Microsoft.ResourceManagement.WorkflowContract.dll

08/07/2015 10:30:05.896 [5500]: File attributes: 00000080

08/07/2015 10:30:05.932 [5500]: Restart Manager Info: 1 entries

08/07/2015 10:30:05.932 [5500]: App[0]: (5500) Windows Installer (msiserver), type = 3 

08/07/2015 10:30:05.932 [5500]: Security info:

08/07/2015 10:30:05.932 [5500]: Owner: S-1-5-18

08/07/2015 10:30:05.932 [5500]: Group: S-1-5-18

08/07/2015 10:30:05.932 [5500]: DACL information: 4 entries:

08/07/2015 10:30:05.932 [5500]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18

08/07/2015 10:30:05.932 [5500]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544

08/07/2015 10:30:05.932 [5500]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545

08/07/2015 10:30:05.932 [5500]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1
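
A decoder for the failure line and DACL dump in the log above, added here as an example (it is not part of the original post or of any Microsoft tool). The log lines are copied from the post with timestamps trimmed; the SID names, Win32 error codes and file access-right bits are the standard Windows values.

```python
import re

# Lines copied from the installer log in the post above (timestamps trimmed).
LOG = """\
[5500]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 384
[5500]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18
[5500]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544
[5500]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545
[5500]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1
"""

WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-15-2-1": "ALL APPLICATION PACKAGES",
}
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
                32: "ERROR_SHARING_VIOLATION"}
# File-object access rights from winnt.h, lowest bit first.
FILE_RIGHTS = [
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
    (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
HR_RE = re.compile(r"Failing with hr=([0-9A-Fa-f]{8}) at (\w+)")
ACE_RE = re.compile(r"ACE\[(\d+)\]: Type = 0x([0-9A-Fa-f]+), Flags = \w+, "
                    r"Mask = ([0-9A-Fa-f]+), SID = (S-[\d-]+)")

def decode_hresult(hex_text):
    """Name the Win32 error wrapped in a FACILITY_WIN32 (0x8007xxxx) HRESULT."""
    hr = int(hex_text, 16)
    if hr >> 16 == 0x8007:
        code = hr & 0xFFFF
        return WIN32_ERRORS.get(code, "Win32 error %d" % code)
    return "HRESULT 0x%08X" % hr

def decode_mask(mask):
    """Return (right names, leftover bits that FILE_RIGHTS does not cover)."""
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    known = sum(bit for bit, _ in FILE_RIGHTS)
    return names, mask & ~known

def parse_log(text):
    """Collect the failing calls and every ACE line found in the log text."""
    failures, aces = [], []
    for line in text.splitlines():
        hr = HR_RE.search(line)
        if hr:
            failures.append((hr.group(2), decode_hresult(hr.group(1))))
        ace = ACE_RE.search(line)
        if ace:
            rights, leftover = decode_mask(int(ace.group(3), 16))
            aces.append({"index": int(ace.group(1)),
                         "allow": int(ace.group(2), 16) == 0,  # 0 = ACCESS_ALLOWED
                         "sid": ace.group(4),
                         "account": WELL_KNOWN_SIDS.get(ace.group(4), ace.group(4)),
                         "rights": rights, "leftover": leftover})
    return failures, aces

def accounts_allowed(aces, right):
    """Accounts whose allow ACE grants `right` (deny ACEs are not evaluated)."""
    return [a["account"] for a in aces if a["allow"] and right in a["rights"]]

if __name__ == "__main__":
    failures, aces = parse_log(LOG)
    print(failures)
    for a in aces:
        print(a["index"], a["account"], ", ".join(a["rights"]))
    print("DELETE granted to:", accounts_allowed(aces, "DELETE"))
```

For the lines in the post this reports ERROR_ACCESS_DENIED in RemoveDirectoryAndChildren, and shows that the dumped DACL grants DELETE only to SYSTEM and Administrators while Users and ALL APPLICATION PACKAGES hold read and execute rights.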



FIM interview questions

Hi,

Please give me list of FIM question/answer for interview.

Thanks

Harry

Installation of Microsoft Identity Manager 2016 fails every time

Hi Everyone,

I wanted to install Microsoft Identity Manager 2016, but during the installation I always have the following message:

Once I started installation with verbose logging, and I found the following rows:

Action 14:13:58: SetPolicyforServiceAccount. 
Action 14:13:58: SetPolicyforMonitoringServiceAccount. 
CustomAction SetPolicyforMonitoringServiceAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:13:58: InstallExecute. Return value 3.
Action 14:13:58: Rollback. Rolling back action:
Rollback: SetPolicyforMonitoringServiceAccount
Rollback: SetPolicyforServiceAccount
Action ended 14:13:58: INSTALL. Return value 3.

This happens only in case I want to install the Privileged Access Management feature. If I deselect it, the installation finishes successfully and all features work perfectly.

Do you know, what does this SetPolicyforMonitoringServiceAccount method do during the installation?

Maybe it is an important information that in my environment many very strict policies are configured and many options are disabled (I mean editing local permissions in the local GPO).

Thanks a lot!

BR

Gabor

FIM Certificate Management -> MIM Certificate Management

Has anyone tried upgrading FIM CM to MIM CM, or is it even supported? I cannot find any guides or other articles for MIM CM other than the guide to use the (in my opinion useless) modern app.


MIM 2016 upgrade from Forefront Identity Manager 2010 R2

Hello,

I am upgrading my development environment to MIM 2016. The Synchronization service is on one server and the MIM service and Portal on a different server. I upgraded the synchronization service. When I am upgrading the MIM service and portal I get "The MIM synchronization server you have entered does not exist or is not running". I am guessing maybe some ports are not open. Which ports should I be looking for?

How else can I troubleshoot this error?

Thank you for any help,

Svetlana

Advanced Set Filter

Hello, 

I try to create a set with a filter starts-with('*'), where the * is the literal character, but I have an error that the filter is not supported.

Any solution for that, thx

password protected

Hello, About a month ago I had to re-install Windows 8 on my laptop. Well, somehow I have now password protected it. How can I undo that? Just today I did the Windows 10 upgrade and I was hoping that would fix that problem, but it didn't. Thanks for any help, Stan (Bikrdad)

Objects are not provisioning between two Active Directory Forests

Dear All,

I have created a FIM 2010 environment for synchronization between two different AD forests and I have done all the configuration which is necessary for it, but still users are not provisioning in the external AD.

If anyone has got a step by step document then please share it with me and please help me to check all the steps to do this.

Please see the below mentioned steps which I have done, and if I skipped anything please let me know.

1- FIM Active Directory Service Agent.

2- FIM MA agent.

3- Synchronization Rules.

4- Management Policy Rules

5- Workflows

- FIM ADMA Full Import and Full Sync is working fine

- FIMMA Full Import is working fine

- FIMMA Export is not sending the data to the external AD metaverse.

Regards,

Shakeel Shahid


msidmCompositeType Request Denied

Hi,

We are running a full sync this weekend and I noticed that on the FIM MA export the msidmCompositeTypes all return “Denied” as a status.

The FIM web service reports a SQL timeout expired session.

I am able to put FIM in pre-asynchronous mode and the exports complete but take a long time.

We have the timeout on the web service set to 20 minutes. The msidmCompositeType requests hang in a validating state until the 20 minutes are up and then report the Denied status.

Ever seen this before? It doesn’t appear to be a permissions issue and SQL is definitely responding when the requests are issued in single file.

I am going to try adjusting the length of the aggregationThreshold to see if that helps, but appreciate any ideas. Tried to figure this out yesterday to no avail.

Thanks,

Sami

Requestor: urn:uuid:fb89aefa-5ea1-47f1-8890-abe7797d6497

Correlation Identifier: b1c67faf-aa01-465d-90b8-d47d7299c18c

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)

   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)

   --- End of inner exception stack trace ---

.Net SqlClient Data Provider: System.Data.SqlClient.SqlException: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.

   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)

   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)

   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)

   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()

   at System.Data.SqlClient.SqlDataReader.get_MetaData()

   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)

   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)

   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)

   at System.Data.SqlClient.SqlCommand.ExecuteReader()

   at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)

Forefront Identity Manager 2010. Export EmployeeID to AD

Hello!

I need to export the attribute EmployeeID from FIM Portal to AD.

When I export EmployeeID to AD (Relationship criteria accountname = samaccountname) - all OK

When I export EmployeeID to AD (Relationship criteria Firstname = givenname and Lastname = sn) - EmployeeId does not export to same user in AD.

Help!  


Alex

Syncing users two-way with AD to FIM & Attribute Flow Rules

Hi Everyone,

 

I'm making my way through this FIM stuff. I somehow made it around my last issue and to be honest I have no idea what caused it.

 

Right now I'm trying to build what will be our production syncing logic. Right now I have two MAs: the FIM Service MA and AD DS. I'm trying to set it up so I can provision users in FIM into a particular OU and also have FIM sync my existing user accounts over to the FIM Portal (for password reset). I'm running into an issue where if I configure both import and export attribute flows on the FIM Service MA, objects are then exported to the Service database without any AD attributes. If I remove the import flow mappings, AD data is then published to the FIM Service database without a problem.

There must be a simple reason for what is going on. Any ideas?

FIM MA Export taking very long time after schema changes

Hi Guys,

I am going through a very unusual scenario here. I added a new attribute in FIM Portal. Created a new attribute in the Metaverse. Defined an export attribute flow in the FIM Service Management Agent. Defined an import attribute flow in the Source MA. We have around 2 lakh records to be processed. FI and FS on the source MA together took 9 hours approx. But export to FIM MA is very very slow. I can tell it's processing approx. 5 records every 30 secs. Is this normal??? I am wondering, since I have 2 lakh records to be exported, will it take 2 weeks to complete? Can someone help me out here? Is there any way we can have the records exported faster to FIM Portal?

Kindly help!!

Regards,


Veena

FIM\MIM on SQL 2012 SP2 install fails

I've tried installing both to SQL 2012 SP2 and it fails on Populate Database step. I think it worked with 2012 SP1.

Can anyone confirm?

