Channel: Microsoft Identity Manager forum
Viewing all 7443 articles

MIM Service Event Log not created during SP1 installation


I've just done a fresh install of MIM 2016 SP1 Service and Portal. Normally I would expect to find its own event log under "Applications and Services Logs" in Event Viewer - but it's not there. Has this log been discontinued or is this a bug with the SP1 installer?

Carol


http://www.wapshere.com/missmiis


MIM action workflow functionality clarification


Dear All, 

I have a scenario where I have written an action workflow to perform a certain action on an AD user account, but before performing the action, the changes in the FIM Service database (portal) are supposed to be exported (updated) to AD via the ADMA.

1) How can I achieve the above scenario?

2) How can I make sure that the ADMA doesn't re-import the old data and synchronize it back to the FIM server while the workflow is executing?

best regards 

Sri

FIM newby query


I'm looking at an issue in our FIM. We have been using FIM for a number of years and it mostly works, but we have a specific issue at the moment with a group of users. I'm very, very new to FIM, so excuse any terminology errors in the below.

We sync from "our_parent_company" reading AD objects from multiple domains into the MV.  Then the flow creates mail enabled contacts in our own AD in a specific OU for email purposes using a second management agent.

A few users from "our_parent_company" have moved domains and/or changed their office addresses recently, and we're not getting updates in our contacts folder in our AD for these users. We're not sure how many, but it's probably in the tens.

I have tried explicit disconnects from the MV for the objects, but they don't re-provision, even into the MV from the "import connector". New objects in our parent company AD provision OK in our contacts folder. The issue just seems to impact users at our parent company who have had something substantial changed about their AD account, i.e., domain, office address, etc.

We're not seeing any sync errors for these users and can verify them as existing with the correct info in the remote AD as we have visibility.

Could it be related to the moved/changed objects having the same CN values so the explicit disconnect is causing them to be ignored?  They wouldn't sync before we tried the explicit disconnect either but we're just trying what we know.

I've checked the attribute flow/attributes to check we're reading the correct values, but even if we weren't, what would stop a changed AD object syncing into the MV when new objects sync OK?

Many thanks

Andy


Andy CR

ADMA password sync reset/change


How does ADMA password sync work?

ADMA change password (using the old password to set the new password)

OR

ADMA reset (set the new password only)

FIM and PCNS are in the source domain, and the target domain is a non-trusted domain. For both domains an ADMA is configured. Is FIM able to sync a password change in the source domain to the target domain?


Dushyant Singh


Set manager attribute in Active Directory using FIM RC1


Hi
I am trying to set the manager attribute of a user account.
In my example the user account itself has the sAMAccountName of its manager stored in a string-formatted attribute, let's say "adManagerAccount", in the metaverse.
Now I try to flow the attribute out to AD using a custom expression:
Source: /Person[accountName=adManagerAccount]
Destination: manager

If a given object has "TomTaler" as accountName and the object in question has "TomTaler" in its adManagerAccount value in the metaverse, then
in my understanding /Person[accountName] should result in a reference to the object with the value "TomTaler" as accountName.

I also tried to hard-code the name into the source statement without success:
Source: /Person[accountName='tomTaler']


How should the source look so that it can be used as a reference value?

BTW: Henrik Nilsson told me not to use a string value; instead I should use a DN:
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/6c5f1d1f-245f-4f84-9ddc-9261141570ea

To be more specific: the question is how to query to get the DN as a result whenever I only know the value of one unique attribute.
In the meantime I also imported the manager's DN into the metaverse in the attribute named "adDN".

EscapeDNComponent(/Person[accountName='TomTaler']/adDN)

Same error.


Any help is appreciated.
Henry

PAM Installation Wizard Fails


I followed the installation steps up to running the PAM install wizard. After inputting all the data in the wizard, the wizard just fails with a generic message, so I turned logging on. The log shows the following error; any ideas on what is wrong? Thanks.

MSI (s) (04:8C) [07:01:33:505]: Skipping action: NotValidServiceEmailAccountFormat (condition is false)
MSI (s) (04:8C) [07:01:33:505]: Doing action: EncryptExchangeOnlineAccountPassword
Action 7:01:33: EncryptExchangeOnlineAccountPassword.
Action start 7:01:33: EncryptExchangeOnlineAccountPassword.
MSI (s) (04:D4) [07:01:33:505]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIB0.tmp, Entrypoint: EncryptExchangeOnlineAccountPassword
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIB0.tmp-\
SFXCA: Binding to CLR version v2.0.50727
Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.EncryptExchangeOnlineAccountPassword
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Exception:Failed logon user while attempting to impersonate user: MIMService
   at Microsoft.IdentityManagement.ServerCustomActions.Impersonator.Impersonate(String domain, String userName, String password)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.Encrypt(String accountDomain, String accountName, String accountPassword, String unencryptedString)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.EncryptExchangeOnlineAccountPassword(Session session)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction EncryptExchangeOnlineAccountPassword returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


Hilalh

Setspn Unknown Parameter


Hi,

Just going through the "Before you begin" section of FIM setup. We are planning to use a hardware load balancer, and this has been configured and the relevant 'A' record created in DNS. We next go to a DC and try to register the SPN for this new NLB name as follows:

  • setspn –S FIMService/IDM.company.com domain\FIMSync
  • setspn –S FIMService/IDM domain\FIMSync
  • setspn –S HTTP/IDM.company.com domain\FIMWSS
  • setspn –S HTTP/IDM domain\FIMWSS

When we run the first setspn registration we get the error message:

  • Unknown Parameter FIMService/IDM.company.com. Please check your usage.

 

We also tried running it like this:

  • setspn –A FIMService/IDM.company.com domain\FIMSync

But the same error message appears.

Any ideas?

thank you
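The switches in the setspn commands quoted above are typed with an en dash (U+2013) in front of the S and A rather than the ASCII hyphen-minus that setspn expects as an option prefix, a common side effect of pasting a command from a formatted document or web page. The following PowerShell functions are an added example, not part of the post: one scans a command line for characters outside printable ASCII and names the usual look-alikes, the other rewrites dash and quote look-alikes to their ASCII forms so the line can be pasted into a console. The command string constructed at the bottom is taken from the post's first bullet.

```powershell
# Added example (not from the forum post): find non-ASCII characters in a
# command line before running it. setspn only recognises options introduced
# by the ASCII hyphen-minus (U+002D); an en dash (U+2013) is treated as an
# ordinary argument, so the tool goes on to report "Unknown Parameter".

function Find-NonAsciiCharacter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$CommandLine
    )

    # Characters that word processors and web pages commonly substitute.
    $known = @{
        0x2013 = 'EN DASH'
        0x2014 = 'EM DASH'
        0x2212 = 'MINUS SIGN'
        0x2018 = 'LEFT SINGLE QUOTATION MARK'
        0x2019 = 'RIGHT SINGLE QUOTATION MARK'
        0x201C = 'LEFT DOUBLE QUOTATION MARK'
        0x201D = 'RIGHT DOUBLE QUOTATION MARK'
        0x00A0 = 'NO-BREAK SPACE'
    }

    for ($i = 0; $i -lt $CommandLine.Length; $i++) {
        $c  = $CommandLine[$i]
        $cp = [int]$c
        # Anything outside the printable ASCII range 0x20..0x7E is reported.
        if ($cp -lt 0x20 -or $cp -gt 0x7E) {
            [pscustomobject]@{
                Position  = $i
                Character = $c
                CodePoint = ('U+{0:X4}' -f $cp)
                Name      = if ($known.ContainsKey($cp)) { $known[$cp] } else { 'non-ASCII' }
            }
        }
    }
}

function Repair-CommandLineDashes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$CommandLine
    )
    # Map dash look-alikes to hyphen-minus and typographic quotes to ASCII
    # quotes. Any other non-ASCII character is left alone for a human to review.
    $fixed = $CommandLine -replace '[\u2013\u2014\u2212]', '-'
    $fixed = $fixed -replace '[\u2018\u2019]', "'"
    $fixed = $fixed -replace '[\u201C\u201D]', '"'
    $fixed -replace '\u00A0', ' '
}

# The first command from the post, rebuilt with the en dash it was typed with
# (constructed for this example).
$cmd = "setspn $([char]0x2013)S FIMService/IDM.company.com domain\FIMSync"

Find-NonAsciiCharacter -CommandLine $cmd | Format-Table -AutoSize
Repair-CommandLineDashes -CommandLine $cmd
```

Run the check on the whole line you are about to paste; a clean result is an empty table, and the repaired string is what should actually be handed to setspn.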

MIM PAM Demo App only working locally


I am trying to evaluate MIM PAM.
Everything works as expected so far except for the MIM PAM Management Portal Demo Application, where users can manage their roles.
It only works when logged on locally at the PAM server. When logged on to a different machine (in the RED forest or in the CORP forest) I can see a 401 error in the IIS log of the REST API web site. At the client I get a logon window when clicking one of the options: "Activate", "View History" or "Approvals".
One difference I can see in the IIS logs is that all successful requests have IPv6 link-local addresses for client and server, while all lines with errors have IPv4 addresses. The bindings in IIS are "*:<port>" for both web sites, and the redirect works, as I see requests in the logs of both virtual servers.

Any help is appreciated.
Henry



MIM 2016 and SharePoint 2016 syncing


Hello,

I am running into an issue where I am unable to fully sync all information to SharePoint and could use some guidance. For some reason I cannot get the Manager to push into SharePoint. Other information will however push and update.

I have 3 tasks running in the Task Scheduler: a FullSync (once daily), a DeltaSync (every 30 minutes), and a PhotoProfileUpdate. When I review their history in SSM they show success 98% of the time. Occasionally I will get a "completed with warnings" on the SPMA DeltaImport. The details specify "exported-change-not-reimported" and reference the manager field.

I know the field is pulling from AD because when I search the Metaverse I can see managers for users and am able to click them to confirm the linking is correct. Not sure what I am missing, as users will add/delete and change information as it is updated in AD. The only thing not pushing is the Manager info.

Ideas?

Contributing MA in Provisioning code


Hi all,

I have a scenario: let's say I have two Management Agents, SQLMA and ADMA. I enabled the projection rules from SQLMA, and at the same time I enabled projection rules from ADMA as well.

So now I have a UserA (projected from SQLMA) and a UserB (projected from ADMA).

When it comes to provisioning, I enable provisioning rules to create an object in another Management Agent, let's say HRMA. In this case, what can I do to choose to provision UserB instead of UserA?

Is there a way to determine which Contributing MA the object came from, so that I can create a condition in the provisioning code?

Thanks. 


Performance issues with FIM MAs


Hi,

We are using FIM 2010 R2 version 4.1.3479.0.

I've been looking over threads for performance issues and have not been able to work out why our instance of FIM has all of a sudden gone quite slow, particularly the AD MA. A month ago the AD MA FIFS took about 20 minutes to run and now it's over an hour. We've only added an extra 300 users to sync in that time; we are syncing about 22k users for the AD MA.

As I write this the Full Import and Synchronization step is running at about an average 5 objects/s read rate.

The FIM sync and the FIM service servers are both looking very unstressed as is the SQL server they are connected to.

Have restarted the 2 FIM services and even the servers themselves.

The question is: if the performance of SQL and the OS looks OK, is there any way to pinpoint in the FIM app what could be slowing the MAs down? Something like a lot of fails and retries, perhaps.

Thanks!

Connector Space Highest Retry Counts


Just wanted to ask the Community,

How would I get all accounts that have a high "Retry count:" value from the Connector Space?

Move and disable user when it is deleted from HR DB


Hi!

I need to move a user account to the "Disabled" OU and disable it (uac=514) when the user is deleted from the HR DB.

Now I have a sync rule which can make a user active or inactive depending on its status field in the HR DB (0=Active, all other values=disabled).

It is like this:

IIF(Eq(employeeStatus,"0"),512,514)-userAccountControl

and I have a location sync rule flow like this:

IIF(Eq(employeeStatus,"0"),"cn="+displayName+",OU=Active,OU=....",IIF(Eq(employeeStatus,"2"),"cn="+displayName+",OU=Active,OU=.....",IIF(Eq(employeeStatus,"3"),"cn="+displayName+",OU=Active,OU=....",IIF(Eq(employeeStatus,"1"),"cn="+displayName+",OU=Disabled,OU...","cn="+displayName+",OU=Disabled,OU=....")))) ->dn

I have found this thread:

https://social.technet.microsoft.com/Forums/en-US/0729c303-b3c2-4be4-bbbc-f81382671303/disable-a-user-from-ad-if-it-removed-from-source?forum=ilm2

There is a recommendation to use such a sync rule:

IIF(IsPresent(EMPSTATUS),512,514) => userAccountControl

But I need to check the value of EMPSTATUS, and it can have more than one value. A user can be active or on sick leave, and this status is not only 512.

So I need to construct a more complicated expression to handle this.

I have the following questions:

1. How can I disable a user and move it to the "Disabled" OU?

2. What will happen if my user was deleted in the HR DB by mistake and at the next sync cycle it is in the active state in the HR DB again?

3. My service accounts (or accounts created manually in the FIM Portal) will not be disabled, will they? They are not in the HR DB, so they will not be connected and disabled by these rules, right?

4. How can I delete this user from all groups?

Thanks!




cannot load the MIMPAM module

Hi,

I cannot load the MIMPAM module.

First the program complains that it does not exist. When I point to it, I get the message that the .NET version is too new. Can someone explain it? My server is an 'Azure 2012 R2' VM.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> Import-Module .\MIMPAM.psd1

Import-Module : The assembly 'Microsoft.IdentityManagement.WinTools.dll' was not loaded because no assembly with that name was found. Verify the assembly name, and then try again.

At line:1 char:1

+ Import-Module .\MIMPAM.psd1

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (:) [Import-Module], DllNotFoundException

    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> gacutil -i .\Microsoft.IdentityManagement.WinTools.dll

Microsoft (R) .NET Global Assembly Cache Utility.  Version 3.5.30729.1

Copyright (c) Microsoft Corporation.  All rights reserved.

Failure adding assembly to the cache:   This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM>


GH

Upgraded to MIM 2016 SP1 and popups don't load


Hi,

I upgraded MIM to SP1, and the pop-up windows when clicking on something like "About Forefront Identity Manager" get stuck on loading.

If I clear the browser's cache, the pop-ups load OK, but is that something I'm going to have to tell all of my users to do? Does anyone have a more elegant solution for this issue?

Thank you!


FIM MIM and Office365 services


Hello!

Can anybody say whether FIM or MIM can work with Office365 services (SharePoint, Exchange, Skype for Business) and provision access to them for users?

As I understand it, this is not an "out of the box" possibility; which solutions are you using?

Thanks!


Cannot load the MIMPAM module, when installing MIM roles on separate VMs.

Hi,

I cannot load the MIMPAM module.

First the program complains that it does not exist. When I point to it, I get the message that the .NET version is too new. Can someone explain it? My server is an 'Azure 2012 R2' VM.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> Import-Module .\MIMPAM.psd1

Import-Module : The assembly 'Microsoft.IdentityManagement.WinTools.dll' was not loaded because no assembly with that name was found. Verify the assembly name, and then try again.

At line:1 char:1

+ Import-Module .\MIMPAM.psd1

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (:) [Import-Module], DllNotFoundException

    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM> gacutil -i .\Microsoft.IdentityManagement.WinTools.dll

Microsoft (R) .NET Global Assembly Cache Utility.  Version 3.5.30729.1

Copyright (c) Microsoft Corporation.  All rights reserved.

Failure adding assembly to the cache:   This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.

PS C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\PowerShell\Modules\MIMPAM>


GH
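Both MIMPAM posts above end with gacutil refusing the assembly because it "is built by a runtime newer than the currently loaded runtime"; the gacutil build in the transcript (3.5.30729.1) is the .NET Framework 3.5 SDK tool, which hosts CLR 2.0. The function below is an added example, not code from either post or from the MIM product: it reads the runtime version string that a managed assembly records in its CLI metadata header directly from the file bytes, so the target runtime can be checked without trying to load the assembly, and compares it with the CLR the current PowerShell session is running. The only page value it uses is the DLL name from the posts; the header offsets follow the PE and ECMA-335 layouts.

```powershell
# Added example (not from the forum posts): report which CLR an assembly was
# built for by parsing the PE headers and the CLI metadata root, and whether
# the CLR hosting this PowerShell session is at least that major version.

function Get-AssemblyRuntimeVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $b = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: e_lfanew at 0x3C points to the "PE\0\0" signature.
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path is not a PE image" }

    $coff        = $pe + 4                                   # IMAGE_FILE_HEADER
    $numSections = [BitConverter]::ToUInt16($b, $coff + 2)
    $optSize     = [BitConverter]::ToUInt16($b, $coff + 16)
    $opt         = $coff + 20                                # IMAGE_OPTIONAL_HEADER
    $magic       = [BitConverter]::ToUInt16($b, $opt)        # 0x10B = PE32, 0x20B = PE32+

    # Data directories start 96 bytes into a PE32 optional header, 112 into PE32+;
    # entry 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header.
    $dirBase = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $clrRva  = [BitConverter]::ToUInt32($b, $dirBase + 14 * 8)
    if ($clrRva -eq 0) { return $null }                      # native image, no CLR header

    # Section table follows the optional header; used to map an RVA to a file offset.
    $sections = $opt + $optSize
    $rvaToOffset = {
        param([uint32]$rva)
        for ($i = 0; $i -lt $numSections; $i++) {
            $s    = $sections + 40 * $i
            $va   = [BitConverter]::ToUInt32($b, $s + 12)    # VirtualAddress
            $size = [BitConverter]::ToUInt32($b, $s + 16)    # SizeOfRawData
            $raw  = [BitConverter]::ToUInt32($b, $s + 20)    # PointerToRawData
            if ($rva -ge $va -and $rva -lt ($va + $size)) { return [int]($rva - $va + $raw) }
        }
        throw ('RVA 0x{0:X} is outside every section' -f $rva)
    }

    # CLI header (ECMA-335 II.25.3.3): the MetaData directory RVA sits at offset 8.
    $cli     = & $rvaToOffset $clrRva
    $metaRva = [BitConverter]::ToUInt32($b, $cli + 8)
    $meta    = & $rvaToOffset $metaRva

    # Metadata root (ECMA-335 II.24.2.1): "BSJB" signature, then at +12 the length
    # of the null-padded version string that starts at +16, e.g. "v4.0.30319".
    if ([BitConverter]::ToUInt32($b, $meta) -ne 0x424A5342) { throw "Bad metadata signature in $Path" }
    $len = [BitConverter]::ToInt32($b, $meta + 12)
    $ver = [System.Text.Encoding]::ASCII.GetString($b, $meta + 16, $len).TrimEnd([char]0)

    # Windows PowerShell exposes the hosting CLR in $PSVersionTable; fall back to
    # Environment.Version where that key is absent.
    $hostClr = if ($PSVersionTable.CLRVersion) { $PSVersionTable.CLRVersion } else { [System.Environment]::Version }
    $targetMajor = [int]($ver.TrimStart('v').Split('.')[0])

    [pscustomobject]@{
        Path          = $Path
        TargetRuntime = $ver
        HostClr       = $hostClr
        LoadableHere  = ($targetMajor -le $hostClr.Major)
    }
}

# Check the dependency named in the Import-Module error before importing the
# module; run from the MIMPAM module folder shown in the posts.
Get-AssemblyRuntimeVersion -Path '.\Microsoft.IdentityManagement.WinTools.dll'
```

A TargetRuntime of v4.x with LoadableHere false means the session (or the gacutil build) is hosting an older CLR than the assembly needs, which is the condition the gacutil message describes; the same check can be run over every DLL in the module folder to find which dependency is the mismatch.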


Exchange 2010 Voice Mail and FIM?


Hi,

In addition to creating an Exchange 2010 mailbox via FIM, we'd also like to enable the account for voice mail.

Do we need to execute a PowerShell script to do this, or just flow some attributes across?

Thanks,

SK

FIM2010 Troubleshooting: Stopped extension dll load

dell driver


I'm looking for the Dell driver \VEN_1180&DEV_0592&SUBSYS_01FC1028&REV_12\4&cc5b14e&0&0BA4

Does anyone know where I can get it?
