Channel: Microsoft Identity Manager forum
Viewing all 7443 articles

Adding secondary relationship to Inbound SR


Hello,

When we originally set up FIM 2010 R2 we only had one domain (AD1). Our original inbound sync rule has a relationship criteria based on MetaverseObject:accountName = ConnectedSystemObject:sAMAccountName.

After a few months we added a second domain (AD2), which has an inbound sync rule based on MetaverseObject:ObjectSID = ConnectedSystemObject:ObjectSID.

Each end user has an account in both domains and the same username is used. Our problem occurs when a user is pulled into FIM from AD2 first, then the same username is added from AD1. Since AD1's relationship is based on accountName, it tries to join with the AD2 object which has the same username.

I believe a solution would be to add a second relationship criteria to AD1 which would be :ObjectSID = ConnectedSystemObject:ObjectSID

Does this sound like a possible solution? What happens to all the existing objects if I add a second relationship to an existing inbound rule?

Any information is appreciated.

thanks,

Josh


Adamsync & Forefront Identity Manager

I am currently using adamsync.exe to create UserProxy objects in AD LDS to allow users to authenticate. Can I replace the command line adamsync tool with Forefront Identity Manager? As of now adamsync.exe looks at an OU in Active Directory and creates an account for each user in AD LDS as userproxyfull objects, and that works well to allow authentications. I would like to move away from the command line approach and use another tool to do it. Can Forefront Identity Manager handle this?

Jef

Modify Approval Request Display Name to be more indicative of request


Does anyone know how to modify an Approval Request's Display Name to be more indicative of the request? Currently, we have an account creation workflow implemented that sends a notification to a manager for approval. When the manager (a non-technical person) opens his Requests & Approvals, all they see is: Update to person : 'Smith, John' Request. Is there any way to make that Display Name say something like: Approve creation of user account 'Smith, John' Request?

Thanks in advance...

Why is there no member of property for the Active Directory management agent?


Hi All, 

I am quite new to FIM. I recently looked at some videos and blogs, and later I searched and found that when we have to add a role to a user we cannot do it directly in the user object. Instead we have to add the user to a group for the Active Directory MA.

I tried to look at the list of attributes in the Active Directory MA configuration, but there is no such property called memberOf.

Can you please let me know what we have to do to manage the memberOf attribute in AD?

Thanks.

MIM Licensing


Hi All,

How much is the licensing cost per user (CAL) for MIM?

Regards,
Anirban Singha

Become the August 2015 FIM Guru!!! Here's how!


Just add your TechNet Wiki article to this list:

  

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. This includes a dedicated blog post in the Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, an announcement on your forum, and other acknowledgement from the community. 

Winners will be voted on by five judges. The judges consist of 3 Microsoft MVPs and TechNet Wiki Community Council members and 2 Microsoft Employee SMEs (Subject Matter Experts, usually the people making the technologies). The judges will be looking for articles that are thorough, technically accurate, visually clear (images might help, but aren't necessary), and well written.

 

How to Enter

1) Create a new TechNet article. YOU CAN COPY YOUR CONTRIBUTION FROM MSDN/TECHNET FORUMS OVER TO TECHNET WIKI (IN AUGUST) TO QUALIFY FOR THESE AWARDS. You can also create a new article not related to your forums contributions.

A) Log into TechNet/MSDN with your Microsoft credentials

B) Add your content as an article to TechNet Wiki: http://social.technet.microsoft.com/wiki/contents/articles/add.aspx%20  

If you are copying and pasting your MSDN/TechNet forum solutions over to TechNet Wiki, please give some introduction to the problem, make sure your steps are clear, and then link to the original forum post. You can also paste in your blog posts (rather than forum content).

2) Tell us about it. To add a link to your article:

A) Log into TechNet with your Microsoft credentials

B) Click the "Edit" tab on the list of August Guru articles, and copy in the URL to your TechNet Wiki article into the appropriate section, along with your name and link to your profile!

 

We're looking forward to seeing your article!

Thanks!


Ed Price, Azure & Power BI Customer Program Manager (Blog,Small Basic, Wiki Ninjas, Wiki)

Answer an interesting question? Create a wiki article about it!

Dynamic Multivalue User Attribute -> Security Groups


Hi All, and thanks for any advice.

We are migrating from Novell IDM and have struck an issue with MS FIM 2010.

We have Teachers and Students with Classes stored in multi-valued attributes.

The list changes as subjects and classes get added, changed and deleted. We would like FIM to create the classes as security groups in Active Directory and assign members.

NOTE: the key point is we are trying to avoid creating a rule for every security group. The goal would be to have FIM create the groups that are in the user's attribute and assign/remove members with changes.

example data in FIM

user1 - classcosed = 11MTA01, 11ENG03, 11DES02

user2 - classcosed = 11MTA02, 11ENG03, 11DES02

user3 - classcosed = 9MTA01, 9ENG03, 9DES02

user4 - classcosed = 9MTA02, 9ENG03, 9DES02


Desired Security Groups Result in Active Directory

11MTA01 = user1

11MTA02 = user2

11ENG03 = user1,user2

11DES02 = user1,user2

9MTA01 = user3

9MTA02 = user4

9ENG03 = user3, user4

9DES02 = user3, user4

Again, thank you in advance for any ideas.

Steve

SSPR and Google Authenticator


Hi,

I got a question from a customer the other day about the possibility to use Google Authenticator in SSPR for the OTP part after answering the security questions.

Does anyone know if this is possible?

Regards

Patrik


FIM 2010 R2 - It is not possible to delete a user (Error: permission-issue, Error code: 5, Access denied)


We have several domains to manage for our customers, so we have installed "FIM 2010 R2" to manage our admin accounts. But if I now try to delete a user, by deletion from the "User Set", I get this error (please note the screenshot) after synchronization.

Error

Running management agent: AD MA xyz
Error: Permission-issue
Latest occurrence: 07.05.2015 15:30:06
Initial occurrence: 07.05.2015 11:07:22
Retry count: 15
Connected data source error code: 5
Connected data source error: Access is denied.


I don't get more information about this error, not in the eventvwr and also not in the FIM-Panel even. 

Maybe someone knows more about this issue. I would be very thankful for help solving this problem.

If more information is needed let me know what kind of.

Thank you

Custom logging inside an Extension-rule


Hi,

I'm trying to enable some custom logging inside my extension rules. After a lot of searching I decided to ask you if it's possible or not.

For the time being I've tried two approaches:

1. Add a reference to Logging.dll and then try to use the code:

using Microsoft.MetadirectoryServices.Logging;
Log("message", true, 2);

2. Import a log4net dll into my project, add the configuration to the app.config file.

None of them seems to work... The log4net.dll doesn't show me the log methods, and with the logging.dll I have the error

 'Microsoft.MetadirectoryServices.Logging.Logging.Log(string, bool, int)' is a 'method' but is used like a 'type'

Is it possible to do some custom log with FIM 2010?

Thanks in advance for your help,

Marc

New MIM FIMSync SPN


Hi,

Just noticed on https://technet.microsoft.com/en-us/library/mt219038.aspx, that MIM will require a new SPN:

setspn -S FIMSync/mimservername.domain.local Domain\MIMSync

Could someone please clarify why this is needed in MIM (and wasn't in FIM)?

Thanks,

SK

FIM 2010 R2 Reset password Error 3000


Hello,

We are having trouble getting users to change their passwords.

The access to the portal works well and the user received the email with the security code, but when the user tries to complete the password reset the following error appears:

“An error has occurred.  Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)”

We already reviewed the IIS Authentication Settings and the configuration is as shown in the image.

We followed the instructions about troubleshooting this issue described on this website:

https://jorgequestforknowledge.wordpress.com/2015/03/08/resolving-the-pwunrecoverableerror-error-with-fim-self-service-password-reset-sspr/

We fixed some configurations, but the issue persists.

Some additional events we have in Event Viewer are described below:

Event ID 5605

Log Name:      Application

Source:        Microsoft-Windows-WMI

Date:          21-Aug-15 4:12:23 PM

Event ID:      5605

Task Category: None

Level:         Warning

Keywords:      Classic

User:          N/A

Description:

The root\WebAdministration namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

Event ID 3

Log Name:      Forefront Identity Manager

Source:        Microsoft.CredentialManagement.ResetPortal

Date:          21-Aug-15 2:53:04 PM

Event ID:      3

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Description:

The error page was displayed to the user.

Details:

Title: Error

Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

Source:

Attributes:

Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError

   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()

   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

CorrelationId:

RequestId:

ErrorCode: 3000

CaughtTime: 08/21/2015 14:53:04

Web Portal: FIM Password Reset Portal

Session Id: 5olobg55mqnzz5q3v2bzzxrp

IP Address: xx.xx.xx.xx

Event ID 2

Log Name:      Forefront Identity Manager Management Agent

Source:        ForefrontIdentityManager.ManagementAgent

Date:          21-Aug-15 3:28:15 PM

Event ID:      2

Task Category: None

Level:         Warning

Keywords:      Classic

User:          N/A

Description:

The Synchronization State Machine is now in this state: StoppingState.stopping  Thread #2

We will appreciate any advice about this issue.

Best regards,

Manuel


Manuel´s Microsoft Forums Threads


Request Status: PostProcessing

Hello

I found on my FimService a lot of requests in status PostProcessing which were generated 1 day ago or more.

Those requests should execute Action Workflows, and I don't find any execution in workflow instances (Administration => All Resources => Workflow instances).

Is there any way to track if it's doing anything?


SQL server 2012 AlwaysOn Availability Groups support with MIM 2016

As MIM 2016 is released, could you please advise whether SQL Server 2012 AlwaysOn Availability Groups are supported with MIM 2016?

Faulting module name: clr.dll, version: 4.0.30319.34209


Hi All,

After migrating from ILM 2007 to FIM 2010 R2 SP1, the synchronization service stopped automatically when the sync ran, and on restarting the service it worked fine again. The service stopped randomly and not frequently.

I am not a .NET expert and suspect some issue with my .NET Framework.

Current .Net version is 4.5.2

Event Log

Faulting application name: miiserver.exe, version: 4.1.3627.0, time stamp: 0xXXXXXX
Faulting module name: clr.dll, version: 4.0.30319.34209, time stamp: 0xXXXXXX
Exception code: 0xc0000005
Fault offset: 0x00000000005e2d30
Faulting process id: 0x1080
Faulting application start time: 0xXXXXXXXX
Faulting application path: C:\FIMTest\2010\Synchronization Service\Bin\miiserver.exe

Kindly advise what the root cause of it is and how to get this fixed.

Thanks in Advance,
Raja Village Sync


eDirectory auxiliary class sync problem


Hello guys,

I am trying to sync objects from eDirectory 8.8.5. Everything works fine, I map inetOrgPerson objects to person objects. I discovered if an inetOrgPerson object has an auxiliary class attached in eDirectory it does not get synchronized into the connector space. In case it is referenced by another user or group, a placeholder object is created.

When I remove the auxiliary class, the object gets synchronized fine.

Is there a solution/workaround?

I believe I have the latest hotfix rollup installed, 4.1.3599.0

Thanks,
Csaba



FIMService database: error stopped-databasediskfull


Hi, 

I have some issues with the FIMService database. I mean, I have just a few users on the FIM portal and the size of the data present in the data is too high, around 23Gb. Can I know if someone has any idea about how that can be? Maybe it's a part of the logs in the FIMService database which causes the damage. So where are they located?

Thanks a lot 

MIM2016 Installing FIM PowerShell Module - Export-FIMConfig : The term 'Export-FIMConfig' is not recognized as the name of a cmdlet


So I am trying to install the FIM PowerShell Module for MIM2016. I downloaded the package from sourceforge and so on. When I run the Create-FimServiceAccountAsFimPerson ps-script, PowerShell says:

Export-FIMConfig : The term 'Export-FIMConfig' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

What am I missing? It creates FimServiceAccount correctly.

Does FIM Galsync require a target container in every connected Active Directory forest?


Hi everyone,

Hoping someone can help with my basic understanding of FIM Galsync.

The background is that we currently use FIM 2010 R2 Galsync along with FIM 2010 R2 + WAAD connector to produce a consolidated Office 365 GAL, referencing several Active Directory forests. This solution was implemented almost 3 years ago by an external consultant.

As each new Active Directory forest comes onboard, we deploy an on-premises Exchange 2013 Management server (or utilize an existing one if the forest has Exchange deployed) and add new MAs to the Galsync and Dirsync servers.

To date as we create the new Galsync MAs we create and specify a Galsync target container, and this results in over 120K contact objects being provisioned in the new forest.

I'm wondering whether we actually need this Galsync target container in all the connected Active Directory forests, given that the synchronization to Office 365 is only done from the Galsync target container within the forest where FIM Dirsync server is installed.

I understand the need for the Galsync target container if all the Active Directory forests had on-prem email implementations, as Galsync would then maintain "repliability" if users moved between forests. However, in this case where Galsync is deployed purely for Office 365 purposes, I can't see the need.

My research found a document "Microsoft Identity Integration Server 2003 - Global Address List (GAL) Synchronization" which despite its age has a great technical description of Galsync. It mentions that provisioning of contacts can be disabled by the simple expedient of not defining a Galsync target container within the Active Directory forest in question.

Can anyone advise whether I can indeed disable provisioning of Galsync contacts within downstream Active Directory forests in this particular scenario? To be honest the Galsync contacts seem superfluous except in the forest where the FIM Dirsync server is homed.

SQL Service LogOn account change - FIM 2010


FIM Portal / SQL database are on the same server and FIM Sync / SQL database are on the same server. My SQL team is requiring the SQL service logon account to be changed. What impact will changing the SQL service logon account have, if any?

Thanks,

Steve
