Channel: Microsoft Identity Manager forum

FIM AD provisioning process with Users and Groups

When I am provisioning a user to AD and also want to join that user to a group, are there any situations in which FIM might try to add that user to a group before that user is created in AD?

Issue getting SQL MA Group Object- Members Attribute populated to Metaverse Group member


Hi, I'm working on a project to convert Novell IDM to MIM 2016. I'm having an issue getting SQL groups and members into AD.

So far

Get Users to FIM 

  • Create SQLUSERMA -> connect  SQL User table – NO ISSUES

SQL table structured for Users

[employeeDI] [varchar]

… AND other user attributes

  • Create  FIMMA -> Export user to FIM portal – NO ISSUES 
  • Create ADMA -> Export Users to Active Directory  NO ISSUES 

Users get provisioned in FIM Portal / AD / Exchange and users have access to FIM Portal – NO ISSUES

Get Groups to FIM 

SQL table structured for Groups and group memberships

Table: Groups

[groupID] [varchar],
[groupDescription] [varchar],
[groupManager] [varchar],
[type] [varchar],
[groupType] [varchar],

Table: GroupsMembers

[employeeID] [varchar],
[groupID] [varchar],
Attribute [varchar]

  • Create DCGROUPMA (steps as here) -> Connect Group table and Group membership table as multi-value table

MA Multi Value Configuration 

Run Full Import in  DCGroupsMA  – NO ISSUES 

When checking the DCGROUPMA member attribute, members are there with multi value as employeeID

 

DCGROUPMA Full Sync – NO ERROR

But when exploring the Metaverse, groups are created in MV but no member attribute is displayed

 

How do I fix this issue? I have read 100s of articles in TechNet, still I can’t get this working.





FIM Hotfix 4.1.3419.0 does not seem to resolve FIM Portal issue


Hello all,

I have applied hotfix 4.1.3419.0 on a FIM solution to try and resolve this issue in the release notes:

FIM service and portal

Issue 1

If a user who has access to advanced pages for a group (typically, an administrator) made a change to the object in this view, the group would contain invalid members. If the user was trying to delete the group, the system would be in a state in which no additional requests could be processed.

After applying the update and attempting to delete the problem group, the Portal enters a state where it cannot service any new object creation requests.

I have attempted to delete the groups via the Portal, via deprovisioning and via PowerShell but all methods trigger the problem. Similarly new objects cannot be created in the Portal or by provisioning or through PowerShell.

The error presented in the portal is:

Error processing your request: There was a problem with the supplied attribute(s).

Reason: The required attribute value has not been provided.

Attributes: MembershipLocked

Correlation ID: xxx

Details: An attribute is required to complete the operation.

A subsequent warning is logged in the FIM Service event log:

Request '55411fb1-38f2-4489-bafc-346b35afa9e4' failed while trying to commit the changes to the database.  Exception: 'Target(s): 5AC010E0-7BC4-479E-A1D7-B0D777C610B9, B3D44B95-4E81-49EF-AFC2-893F5A35B601, 6EFB607E-ED0A-40FB-8EB7-2CE1840B2349, 2C24B9FD-F55F-444D-8E02-384D599A7753, 5920B702-A7F5-4E51-9C53-1C54BCC62144, 739CB715-08FF-4EFA-B16A-A27F40449813, 4C4EBE08-CF09-4918-88E2-A31C4661DBAE, 5FDD204C-C56F-46FF-95C2-0875F28711D3, B1391C1F-2CD8-4771-8B0F-D77ACB824DE7, 79B9BCB0-49B9-4A0B-B08B-B3AC095B5009, 919BC494-CB79-483F-9D27-E127B16AE18D, B11586C7-6D4D-43E2-ADB8-B32ED0B4B510, 331BD4C2-EB0E-4E8F-893B-EA6080E79BA9, 9A7A8F2C-D408-49B8-9439-9837CA87E592, kjasd, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''.

The 15 object IDs in the 'Targets' are the 15 corrupted groups that I deleted.

If I remove the "required" from the MembershipLocked attribute the error would just move to another attribute.

This prevents me from creating new objects only, changing existing objects seems to be okay.

The only advice I can find is from the FIM R2 release notes stating that a delta run cycle should clear this error... which it doesn't.

Any help would be greatly appreciated!

Jason

Who will be crowned the last FIM Guru of 2015!!


Here it is folks!

THE FINAL CHALLENGE OF 2015!!

Step up all known Gurus currently active!

Let us see the year out in style, with some final thoughts and knowledge from everyone we love and follow in the TechNet and MSDN community.

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

The ConnectionString property has not been initialized


Hi all,

I just configured FIM. When I go to http://myserver/CertificateManagement, after typing my credentials (user / password) the URL returns: "The ConnectionString property has not been initialized".

What happened? Thanks in advance.

 

ADMA and Connector filter - How should "Bit off equals - 0x1" work?


I declared a connector filter like this:

Flags (attribute) - Bit off equals (operator) - 0x1 (value)

Now when I set the flags value to 0, the filter works and the object becomes a disconnector. When I set the flags value to 1, the filter works and the object becomes a connector.

But when I set the flags value to 3 (when it is a disconnector) it doesn't become a connector.

Am I missing something or what? I am trying to create a filter which looks only at the first bit of the attribute and doesn't care about the rest.

enterprise single signon

I am supposed to log in via web login, desktop, mobile, proximity card, biometric, IVRS to web-based applications / client-server applications / mainframe applications / .NET applications / Java applications / legacy applications using the single sign-on feature. What are all my prerequisites?

MIM 2016 ADMA LDAP cross forest config throws errors


We're an MSP who manages 75+ customer forests & networks.  In the LAB I am trying to switch my working ADMAs to use LDAP to ensure SSL encrypted traffic between forests.

In production I built a new Two Tier CA infrastructure and have imported the CA root certificate chains into the Trusted Certificate Authorities containers.  I created a certificate for each of my target forest DCs and have verified that LDAP over port 636 is working using the LDP.exe utility from my Lab MIM server.

When I go into the working ADMA and change the settings from "Sign & Encrypt LDAP Traffic" to "Enable SSL for the Connection" I get the following error:

"An error was encountered trying to retrieve the SSL cipher strength"

I am using 256 bit encryption verified by LDP.exe

Any ideas?

Thanks, Stu


Do I need a Metaverse Rules Extension to Export\Provision User objects to an Active Directory Management Agent?


Hi,

I've got FIM 2010 in a Lab with 2 Source Active Directory MAs and 1 Active Directory MA which I want to Export\Provision User objects to.  My 2 Source MAs project, provision, and join objects to the Connector Spaces and Metaverse correctly, but when I try to Export\Provision objects to another Active Directory MA, nothing shows up.  I'm struggling with understanding what all the specific requirements are to Export\Provision User objects to MAs.  Is coding a Metaverse Rules Extension needed for the Active Directory MA I want to Export\Provision to in order to Export\Provision User objects?


Thanks for your help! SdeDot

MIM 2016 ADMA LDAP SSL cross forest config throws errors


We're an MSP who manages 75+ customer forests & networks.  In the LAB I am trying to switch my working ADMAs to use LDAP to ensure SSL encrypted traffic between forests.

In production I built a new Two Tier CA infrastructure and have imported the CA root certificate chains into the Trusted Certificate Authorities containers.  I created a certificate for each of my target forest DCs and have verified that LDAP over port 636 is working using the LDP.exe utility from my Lab MIM server.

When I go into the working ADMA and change the settings from "Sign & Encrypt LDAP Traffic" to "Enable SSL for the Connection" I get the following error:

"An error was encountered trying to retrieve the SSL cipher strength"

I am using 256 bit encryption verified by LDP.exe

Any ideas?

Thanks, Stu


Filtering based on imported date in CS


Hi everyone,

I need to filter objects in the connector space based on the imported date. I need to filter the objects imported into the connector space before a specific date. Do you have any idea?

Thanks in advance,

Deprovision access denied


I have deleted some user objects from the FIM portal but get "access denied" errors when I want to "export" those deletions to AD. Creating & modifying user objects from FIM to AD has no issues.

Checked the FIM ADMA account but that appears to have the right permissions to delete objects from that particular OU and downwards. What am I missing?

Thanks,

JD

PowerShell MA: problems exporting


I'm really hoping to be able to use Soren Granfeldt's Powershell MA to do some new integrations with FIM, but am having some difficulties.  My latest problem is that I get an ma.extension error, which dumps the following stack trace in the Application event log:

 "System.NullReferenceException: Object reference not set to an instance of an object.
   at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2CallExport.PutExportEntries(IList`1 csentries)
Forefront Identity Manager 4.1.3613.0"

The only thing it's trying to export right now is a change of e-mail address on a user it's done a join for (I've only got my sync rule applied to one person at the moment), so I wouldn't think it would be a provisioning problem?  I've commented out the majority of my code in my export script so I'm reasonably certain it's not a PS code problem.

Sync rule:

firstName -> first_name
lastName -> last_name
mail -> email
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> username
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> dn

I'm excited about the possibilities, but frustrated.  I'd be happy to post additional details but I'm not sure what would be helpful.

-Robert

Workflow Activity Library - Create group object failed


Hi all,

I would like to use the Workflow Activity Library from Soren to create group objects from a custom FIM object.

Hi, I've successfully installed the workflow activity and created the following workflow in order to create group objects using the workflow. My source object in FIM is a custom object named Location.

Initial values:

DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City],displayName
All employees Location [//Target/CompanyCode][//Target/LocationCode]-[//Target/City],description
DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City]@domain.com,Email
DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City],MailNickname
GLOBAL,domain
true,MembershipLocked
None,MembershipAddWorkflow
Global,Scope
Distribution,Type

Existence lookup filter:

/Group[DisplayName = 'DG-[//Target/CompanyCode][//Target/LocationCode]-[//Target/City]']

New object type:

Group

As soon as I trigger the workflow I get the following warning in the Eventlog.

Microsoft.ResourceManagement.WorkflowDataExchangeException: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ResourceTypeViolatesSchema
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateObjectAttributes[T](RequestType request, Guid objectIdentifier, String objectTypeName, IEnumerable`1 parameters, OperationType operationType)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateInputRequestCreate(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessCreateWorkItem(CreateRequestWorkItem createWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)
   at Microsoft.ResourceManagement.Workflow.Activities.CreateResourceActivity.ProcessRequestResponse(Object sender, QueueEventArgs e)
   at System.Workflow.ComponentModel.ActivityExecutorDelegateInfo`1.ActivityExecutorDelegateOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()

Any idea what I'm missing? My request to create the Group is in the status "Denied".

If I look at the "detailed content" tab of the denied request I can see that all values are calculated correctly.

 Thanks
Chris

Sending notification for approve before changing the DN


Hi,

I am a beginner in administration of the FIM platform.

I need to have a workflow to approve the modification of the DN of users.

Currently, for AD provisioning, we use a script and DLL extension to calculate the DestinationOU for each account to create in Active Directory. The calculation is based on values in the Human Resource database. In some cases, the values are modified, and the corresponding AD account should be moved (according to the new values in the HR database).

I need to approve each modification for these accounts before the move of these accounts.

How can I do it?

Regards.


Generic LDAP connector


Hi,

I am trying to understand the working of the Generic LDAP connector for OpenLDAP. I know it uses modifyTimeStamp to search for added/modified objects for delta import. How about delta deletes?

I am wondering how it figures out deleted entries during delta import. Could you please assist me with this?

Thanks,

Shobhit vaish

FIM CM 2010 R2 Smart Card Renew policy, update service creates additional renewal requests


Hi,

I could use some advice with a smart card renewal issue in FIM CM 2010 R2. (Self-service)

How can I prevent FIM CM update service from creating additional renewal requests for a smart card that was already renewed?

FIM CM update service detects in FIM CM database when a certificate enters its renewal period. When it's time, a renewal request is created and an email with OTP is sent to the user. The user successfully completes the renewal request and all should be OK.

The problem: FIM CM update service will soon (default within 5 hours), re-check for certificates entering renewal. Although the smart card was just renewed, an additional renewal request is created and a new OTP email is sent to the user.
If the user completes also the second renewal request, a third request is generated, and it goes on.

I'm assuming that the still valid, still expiring certificate is re-detected by the FIM CM update service.

The second renewal request can be avoided by enabling "revoke old certificates" in the revocation settings workflow, without delay. This would however make the renewal request creation revoke the certificate. I would prefer to keep the certificate valid until expiry, or revoke it when the request is completed.

Thanks


kerberos-no-logon-server in fim 2010


Hi,

When we run the Export run profile of the ADMA Management Agent, we get the following error:

kerberos-no-logon-server

and all users are provisioned in the AD OU in disabled mode, and provisioning also takes more time.

Please provide any solution.

Regards

Anil Kumar

Missing data source attribute

I've never dealt with FIM before, so please forgive me if I don't provide enough background. We use FIM with SharePoint 2010.  My DS_FULLSYNC is generating tons of extension-unexpected-attribute-value errors. In Test, I have proxyAddresses mapped to SPS-SipAddress in Configure Attribute Flow, but proxyAddress is not an available option in my Prod environment.  Is there a way I can add this data source attribute?  Thanks for any help you can provide this newbie:-)

FIM support for SQL 2012 AlwaysOn


Anyone know if FIM 2010 R2 SP1 supports use of AlwaysOn under SQL 2012 as a high availability option? (For both the Sync engine and the FIM Service)

If it is supported, are there any known issues that one should be aware of?

Thanks
