Channel: Microsoft Identity Manager forum
Viewing all 7443 articles

Nested Visibility in RCDC

Hi,

I am trying to achieve something as below:

There is a checkbox control, and only when the user selects the checkbox should he be presented with another control, which is a Radio Button with 2 options available, e.g. A and B. Now when the user selects the B option, he should be presented with another control, which is a checkbox option.

Is this possible?

I tried something as below, but it doesn't seem to be working. None of the Radio Button options are selected when the page is loaded, even though I am setting the default value to False.

<my:Control my:Name="CheckBox1" my:TypeName="UocCheckBox" my:Caption="{Binding Source=schema, Path=CheckBox1.DisplayName}" my:Description="{Binding Source=schema, Path=CheckBox1.Description}" my:RightsLevel="{Binding Source=rights, Path=CheckBox1}"  my:AutoPostback="true">
        <my:Properties>
          <my:Property my:Name="ReadOnly" my:Value="false" />
          <my:Property my:Name="Checked" my:Value="{Binding Source=object, Path=CheckBox1, Mode=TwoWay}" />
          <!--<my:Property my:Name="Text" my:Value="%SYMBOL_CheckBox1_END%" />-->
          <my:Property my:Name="Hint" my:Value="{Binding Source=schema, Path=CheckBox1.Hint}" />
        </my:Properties>
</my:Control>

<my:Control my:Name="RadioButtonOption" my:TypeName="UocRadioButtonList" my:Caption="%SYMBOL_RadioButtonOption_END%" my:Description="{Binding Source=schema, Path=RadioButtonOption.Description}" my:Visible="{Binding Source=object, Path=CheckBox1}" my:AutoPostback="true">
        <my:Options>
          <my:Option my:Value="False" my:Caption="Option1" my:Hint="Option1"/>
          <my:Option my:Value="True" my:Caption="Option2" my:Hint="Option2"/>
        </my:Options>
        <my:Properties>
          <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=RadioButtonOption.Required}"/>
          <my:Property my:Name="DefaultValue" my:Value="False"/>
          <my:Property my:Name="CaptionPath" my:Value="Caption"/>
          <my:Property my:Name="HintPath" my:Value="Hint"/>
          <my:Property my:Name="ItemSource" my:Value="Custom"/>
          <my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=RadioButtonOption, Mode=TwoWay}"/>
        </my:Properties>
</my:Control>

Kindly Help!!

Thanks,


Veena


MIM Licensing

Hello All,

Need Suggestion.

We are currently using FIM 2010 R2 ver 4.1.3613 SSPR. We want to upgrade our environment to MIM 2016.

I want to know about the licensing of MIM 2016. Can we use the same licence of FIM 2010 R2 in MIM 2016?

Regards,

Suman

PAM functionality questions

Hi,

Just reviewed the PAM FAQ, and have a few questions (https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privileged-access-management-pam-faq.aspx)

  1. FAQ states: "You cannot require multiple approvers; only one PAM approver is needed" - from a distance, it looks like PAM is a component of the MIM Service, so why can there not be multiple approvers? This will be very limiting.
  2. FAQ states: "The approval process does not allow references. For example, you can not require approval of the caller's manager" - again, it appears that PAM is part of the MIM service, so why are reference attributes for approvals not supported? This will definitely be very limiting.

Thank you,

SK


Unable to Login to MIM 2016 After Installation

Hello There,

I just concluded a single-server install of MIM 2016 on SP 2013 Foundation SP1/SQL 2014 as per the product documentation. Authentication fails when I attempt to log in to the MIM Service Portal using either the domain administrator or the account used to install the SP 2013 SP1.

I see here a similar problem posted but yet to be reported resolved:

https://social.technet.microsoft.com/Forums/en-US/69ae1c15-3abd-40f2-9993-144e9d94c1ab/cannot-login-to-microsoft-identity-manager-2016-portal?forum=ilm2

I have followed the guidance below.

# Set a reference to the MIM portal website
$MIM = Get-SPWeb -Identity http://[MIM_PORTAL_NAME]/IdentityManagement

# Display the list of users
$MIM.Users

I could see NT AUTHORITY\authenticated users in the list that returns

Any further help will be appreciated


Akinzo

Import deletion limit

Hello,

I have set up a deletion limit of 50 users on one of my MAs on the Full Import (stage only) step.

The deletion limit does the job: it deletes only 50 users during the run, but then continues to run with the next MA.

That means that when all the agents have run, at the next cycle, the first MA will run again and will delete 50 more users.

The issue I have is that I would like the first MA, where the deletion limit is set up, to stop running in a standby mode and wait for a manual action to continue.

I know that's the case on the export step: the MA stops and does not export anything. I would like the same thing on the import step.

Is it possible?

Thanks,
Bruno

Upgrading customised FIM to MIM - process and things to be aware of

Hello,
We currently have FIM 2010 R2 in place and we're looking at upgrading to MIM 2016. We're using FIM 2010 R2 4.1.3733.0 installed on Windows Server 2008 R2 as follows:

fimsync01 - FIM Sync Server + sync DB (SQL 2008 R2)
fimserviceDB01 - SQL 2008 R2 SQL DB for FIM service
fimportal01 - FIM portal server (also runs SharePoint Foundation 2010)

 My plan is to do the following in a lab environment first:

1. Upgrade all FIM 2010 R2 server components to the latest version (presumably this will not functionality with the client  component).
2. Deploy a new server to replace fimportal01. This will be a Windows 2012 R2 server with SharePoint Foundation 2013.
2a. MIM portal will be installed on the new 2012 R2 server, but I'll point the installer to look at my existing 2008 R2 SQL DB.

I'll be using this guide or similar
https://blogs.msdn.microsoft.com/connector_space/2015/08/05/performing-an-in-place-upgrade-of-fim-2010-r2-to-microsoft-identity-manager-2016-service-and-portal/

I have a few questions:

1. I have extended the FIM portal schema to add new objects and attributes, will this cause an upgrade issue?
2. I've automated run profiles using scheduled tasks and scripts, these scripts reference GUIDs on the sync server - presumably I need to amend these scripts?
3. I have customised the FIM portal, presumably I'll need to customise the portal again?
4. Is MIM compatible with existing FIM client plugins? We're using the SSPR plugin.

Thanks in advance

SSPR and Captcha

Hi,

Has anyone modified SSPR with a Captcha?

How easy was it?

Are there any recommendations?

Thanks,

SK

Synchronize Active Directory with Microsoft Identity Manager

Hello guys,

this is my first entry in this forum :)

I want to install Microsoft Identity Manager and so far I have followed these instructions:

https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/microsoft-identity-manager-deploy

I have two Windows Server 2012 machines - one as a domain controller with Active Directory and the other one with SQL Server 2014 and SharePoint Server 2013 installed on it. On the second server I installed MIM Synchronization Service and MIM Service and Portal without any errors or warnings.

So now I wanted to synchronize Active Directory with MIM Service by creating a MIM management agent. When I try to open the Synchronization Service Manager, the following error message appears:

"Unable to connect to the Synchronization Service.

Some possible reasons are:

1) The service is not started

2) Your account is not a member of a required security group.

See the Synchronization Service documentation for details."

The services Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service are both running. I am not sure what the second error message means. Does it refer to the local administrator account, the domain administrator account or to any other account? What are the required security groups this account has to be a member of?

Thank you for your help!


FIM BP Analyzer

Hi,

We are searching for the FIM BP Analyzer but there is no way to download it; the link seems to be broken.

http://www.microsoft.com/en-us/download/details.aspx?id=30419

Is there any way to get it?

BR,


Emmanuel IT

MIM 2016 and SQL 2016

I see MIM supports up to SQL 2014 SP1:

https://docs.microsoft.com/en-us/microsoft-identity-manager/plan-design/microsoft-identity-manager-2016-supported-platforms

Is there any indication from Microsoft about if/when there will be support for SQL 2016?  I've looked but haven't found anything.  Also, has anyone tried MIM on SQL 2016?

Extract "Row Errors" in FIM using SQL query.

Hi, Good afternoon,

Referring to the Sync Service Manager console, how can I extract/copy all the errors shown in "Row Errors" (after a failed MA run) using SQL? (SQL is used in the FIM backend for the db.)
There were a few tables inside the database such as "dbo.mms_Connectorspace", "dbo.mms_Management_Agent" etc., but I could not identify which one would contain the "Row Errors" info that I need.

Thanks in advance!

r0m3ll


r0m3llm

Multiple Certificates in a Smart Card - FIM CM 2010 R2

Hi, 

I am trying to see if it's possible for me to have multiple active certificates for two AD user accounts installed on the same smart card. I have two user accounts, one for admin purposes and the other one for my activities as a normal user in the organization, and would like to check the feasibility of having certificates for both user accounts installed on the same smart card.

The version of FIM which I am using is FIM 2010 R2. 

Thanks in advance. 


-- JPM


FIM 2010 R2 & GALSync?

Hi,

In the past, it was recommended (and I think required) that GALSync run on its own instance of MIIS/ILM/FIM.

I have experienced and seen posts where GALSync MA and FIM MA have issues coexisting on the same server - so is it still required that GALSync have its own instance of FIM 2010 R2 Sync?

Thanks,

SK

GALSYNC: is there a way to deposit contacts into separate OUs

I'm using MIM 2016 GalSync with Exchange 2013 and Exchange 2010.

In a default GALSync installation, the MAs will deposit all contacts into a single OU.

I've seen the article "How to Provision Contacts to Specific OU Units Based Upon an Originating Forest", but the article is old and the method to update the GALSYNC solution is not working for me. Plus, the attribute msExchOriginatingForest is not available in our schema.

I would like contacts from different MAs to go into separate OUs. How can I achieve that?

High CPU usage

Hi,

We have deployed a FIM configuration with 2 database sources for "input".

Synchronization rules are working and "populating" the MV database. FIM output is also populated. In this "inbound" phase, all seems to work correctly, but when export to FIM is started, the FIM database server gets high CPU usage (95 to 100%).

This state occurs during all the export phase.

We have tried to separate FIMService and FIMSynchronization databases on different servers, and the only one impacted is FIMService.

Is it a known issue or a configuration mistake that may explain this problem?

BR,


Emmanuel IT


Declarative vs classic rules

Hello!

I have some questions about MIM concepts.

  1. Can I do something like a "sync preview" for all of my objects? I think this can be useful when deploying in existing environments.
  2. Can anybody explain the difference between attribute flows in the Portal (Declarative) and in Synchronization Service Manager (Classic)? Pros and cons for each method?

Attribute flows can be declared in two places.

Portal:

+ We can make a separate inbound and outbound rule for attribute flows. This can simplify a sync process.

+ MS is recommending this type of sync

- We need to make an extra “import cycle” for MIM MA to import declared rule and get it to work

- Can't make export of configuration.

Synchronizations Service Manager:

+ Extensions in C# and VB with more complicated rules

+ Simple export of all configuration

- Only one place to declare sync rules, so this can be + or – at the same time.

But if you google for guides on the Internet about provisioning users from AD to MIM, there are many guides which use declarative rules in the portal for this; I think it is faster in this case to use classic flows in Sync Service Manager (fewer mouse button clicks) :)

And declaring 2 rule flows in different places can be difficult to understand.

So, what do you think about this situation? Which methods do you prefer?

Thanks!





How to delete an "orphaned" metaverse object in SQL

We had three "export-phantom" errors occurring on the FIMMA Export run operation.

The errors indicated missing attributes in the metaverse objects.  Unfortunately, we could not re-present the three objects in the Oracle Database MA to attempt a Join.  So we had to look at the tables in the FIMSynchronization Database.

First, we took a snapshot of the FIM 2010 R2 server, a VMware virtual machine.

This is the SQL we used, after some investigation:

-- Find incomplete metaverse object and copy its object_id for next step
SELECT accountName, email, mailcontacttype, mailNickname, CN, object_id   FROM [FIMSynchronizationService].[dbo].[mms_metaverse] where object_type = 'contact' and accountName = 'SGBS123UFA';
-- Returns this record:
-- accountName email mailcontacttype mailNickname CN object_id
-- SGBSEDPSUFA SGBS1123SUFA@sefkekskail.ok.or NULL NULL NULL 5DBA9A28-FD7F-E611-9C88-005056913B1F

-- 1.  Delete object from mms_metaverse table
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 2.  Delete record from mms_metaverse_lineageguid
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse_lineageguid] where object_id like '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 3.  Delete record from mms_metaverse_lineagedate
DELETE FROM [FIMSynchronizationService].[dbo].[mms_metaverse_lineagedate] where object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
 
-- Find record in mms_csmv_link using
SELECT mv_object_id, cs_object_id FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] where mv_object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
-- Returns this record: 
-- mv_object_id cs_object_id
-- 5DBA9A28-FD7F-E611-9C88-005056913B1F 01113ADC-6B80-E611-9C88-005056913B1F
-- 4.  Delete record from mms_csmv_link
DELETE FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] where mv_object_id = '5DBA9A28-FD7F-E611-9C88-005056913B1F';

-- 5.  Delete record from mms_connectorspace
DELETE FROM [FIMSynchronizationService].[dbo].[mms_connectorspace] where object_id = '01113ADC-6B80-E611-9C88-005056913B1F';

We deleted records from five tables to effectively delete the incomplete metaverse objects.

The sequence of run operations was run and the "export-phantom" errors did not occur.

Has anybody else attempted working directly with SQL to delete a metaverse object?  Any comments on the five tables?
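
The five deletes described in this post, arranged as a guarded dry run. This is an added example, not part of the original post: the table names, column names and object id are the ones quoted above, while the `@commit` switch and the expected-count rule (exactly one metaverse row, one connector-space row per link row) are assumptions of the example.

```sql
-- Added example: guarded dry run of the five deletes from the post above.
-- Table/column names and the object id are the ones quoted in the post;
-- @commit and the expected-count rule are assumptions of this example.
USE [FIMSynchronizationService];
SET NOCOUNT ON;
SET XACT_ABORT ON;  -- any runtime error rolls the whole transaction back

DECLARE @mv uniqueidentifier = '5DBA9A28-FD7F-E611-9C88-005056913B1F';
DECLARE @commit bit = 0;  -- leave at 0 to report counts without changing data
DECLARE @cs TABLE (cs_object_id uniqueidentifier PRIMARY KEY);
DECLARE @n_mv int, @n_guid int, @n_date int, @n_link int, @n_cs int;

BEGIN TRANSACTION;

-- Capture the linked connector-space ids before the link rows are deleted.
INSERT INTO @cs (cs_object_id)
SELECT DISTINCT cs_object_id FROM dbo.mms_csmv_link WHERE mv_object_id = @mv;

DELETE FROM dbo.mms_metaverse WHERE object_id = @mv;
SET @n_mv = @@ROWCOUNT;
DELETE FROM dbo.mms_metaverse_lineageguid WHERE object_id = @mv;
SET @n_guid = @@ROWCOUNT;
DELETE FROM dbo.mms_metaverse_lineagedate WHERE object_id = @mv;
SET @n_date = @@ROWCOUNT;
DELETE FROM dbo.mms_csmv_link WHERE mv_object_id = @mv;
SET @n_link = @@ROWCOUNT;
DELETE FROM dbo.mms_connectorspace
WHERE object_id IN (SELECT cs_object_id FROM @cs);
SET @n_cs = @@ROWCOUNT;

-- Report what each statement touched so the result can be reviewed.
SELECT @n_mv AS metaverse_rows, @n_guid AS lineageguid_rows,
       @n_date AS lineagedate_rows, @n_link AS link_rows,
       @n_cs AS connectorspace_rows;

-- Commit only when asked to, and only if exactly one metaverse row and
-- one connector-space row per link were removed; otherwise undo everything.
IF @commit = 1 AND @n_mv = 1 AND @n_cs = @n_link
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;
```

With `@commit = 0` the script only reports the row counts and rolls back, so it can be run first to confirm which rows the deletes would touch.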

 


Provision of users to AD OU

Hi!

I am looking for ways to make user accounts flow to different OUs, based on the user department field.

We have an HR DB with a DepartmentID field and a file (Excel) with relations between departmentID and AD OU.

I can see such ways to get it to work:

1. Attribute valued text file with fields DepartmentID and AD OU relations. Fast and easy to add/delete new OUs.

2. Using some coding like this:

https://blog.kloud.com.au/2016/02/03/dynamic-active-directory-user-provisioning-placement-ou-using-the-granfeldt-powershell-management-agent/

PowerShell or C# code to export the user to the correct OU. I think it is not simple to maintain such code.

Do you have any more ideas?

Maybe I can store somewhere in MIM table with DepartmentID and AD OU relations?

Thanks!

 

 



sync a new custom attribute (User emp number) from flat file database (*.CSV) to FIM to Active directory

FIM is already deployed and functional in the environment for the user object and its attributes to flow from the data source (*.CSV file) to FIM and export to the target, i.e. Active Directory.
A new custom attribute will be published in the CSV file for each user object. What steps need to be performed on Forefront Identity Manager so that the new attribute is imported from the CSV file and gets exported to the target (AD)?

Please provide the technical steps.

Notify requestor when request has been approved by owner

I have a demand for sending a notification to the Requestor when the request is approved. Currently, MIM only notifies the requestor if the request is rejected by the owner (e.g. for joining a Security Group).

I tried adding a Notification task to the "Owner Approval Workflow", but that made all requests fail (error: the workflow encountered an internal error during processing) so I had to restore the Owner Approval Workflow XOML to the default value.

Any guidance on how I can make sure that requestors get an email when their request is approved?

