Channel: Microsoft Identity Manager forum

FIM 2010 on Windows 2012 R2 stopped working since some weeks now - production environment - please help


I could troubleshoot the issue so that I can confirm that the password notification service on the domain controller of our production Active Directory environment is working.

The FIM stuff is used to synchronize the password of the AD user with the password of a NetIQ eDirectory user.

The change is transmitted with the LDAP protocol.

The stuff worked for years, but for some weeks now, after several reboots of the server for different reasons, we have noticed that it doesn't work anymore.

The first thing to do is to see whether the password change notification from the domain controller has been received by the FIM server, but I have no clue which event it should be.

I will try to go through all events in the timeframe of a few minutes after the PCNS event is recorded on the DC.

Any further hints are welcome.


Setting up MIM and PAM together and Design



Hi Team,
Hope you all are doing good. I need some guidance with the MIM and PAM deployment and design.

Our clients want to use freshly installed components of MIM and PAM in their environment.
They currently have 4-5 Domain Controllers with the necessary FSMO roles enabled, spread across two data centers for HA.

For us to build a solution with HA for both MIM and PAM, what is the best approach?

a. Consider that we have a main forest abc.com, and within that we have a domain xyz.abc.com.
b. I understand that for PAM we need to have a separate new forest (bastion), so does this mean I have to install and configure a new DC with a name something like pqr.com? (In this way abc.com and pqr.com will be two separate forests, and I can then build the PAM trust between them.)
c. For MIM to be installed and configured, do I need to install MIM on virtual machines which are joined to PAM's forest, i.e. pqr.com?
d. If I do point c, can I use that same MIM server (which is in the pqr.com domain) to provision users in various target applications like SAP, AD (xyz.com) or Exchange servers?
e. Since we are in the design phase, are there any design recommendations which I can refer to and build my own?

Requesting your assistance here.

Thank you,
Parin Das

How to enable Advanced Error logging


Hi there,

I'm getting a weird error with one workflow action I coded.
I'd like to debug what's going on so I want to enable advanced error logging.

In order to do it, I'm following the steps described here: http://setspn.blogspot.ch/2010/06/fim-2010-enable-advanced-error-logging.html

After commenting out the line starting with <add name="ILMError"... and restarting the service, I get the following error for every FIM page:

Server Error in '/' Application.

Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key) +266
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.RetrieveFromCache(UserNonSharedKey key) +25
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache() +96
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap() +87
   Microsoft.SharePoint.WebControls.AspMenu.GetEditableSiteMapProvider(SiteMapDataSource dataSource) +43
   Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth() +59
   Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e) +46
   System.Web.UI.Control.PreRenderRecursiveInternal() +175
   System.Web.UI.Control.PreRenderRecursiveInternal() +272
   System.Web.UI.Control.PreRenderRecursiveInternal() +272
   System.Web.UI.Control.PreRenderRecursiveInternal() +272
   System.Web.UI.Control.PreRenderRecursiveInternal() +272
   System.Web.UI.Control.PreRenderRecursiveInternal() +272
   System.Web.UI.Control.PreRenderRecursiveInternal() +272
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1098.0

Any ideas of what I am doing wrong?
How can I enable advanced logging?

Thanks!!
Daniel.


Accessing to FIM Portal - Unable to process your request


Hi

I am facing an issue where users can't access the FIM Portal. It doesn't matter whether you are a normal user or an admin; the error message is always the same: "Unable to process your request".

I have also managed to get a detailed error message from the portal, but it points me nowhere. It is below:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Object reference not set to an instance of an object. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 


[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.GetCacheKey(CacheKey key) +274
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarConfigurationModel.RetrieveSiteNodeFromCache() +118
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap() +63
   Microsoft.SharePoint.WebControls.AspMenu.AdjustForProviderMaximumDepth() +90
   Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e) +49
   System.Web.UI.Control.PreRenderRecursiveInternal() +154
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Control.PreRenderRecursiveInternal() +239
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4105


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34248 

Any ideas what to do next?

Object deletion rule not working as expected.


I have four MA's.

ADMA, SPMA, HRMA and MIMMA all have "Configure Deprovisioning" set to "Make them disconnectors". The Object Deletion Rule is set to "Delete metaverse object when connector from any of the following management agents is disconnected", and all four are selected.

Desired effect: when an object is deleted from any one of these external sources (MIMMA, SPMA, ADMA or HRMA), the Metaverse object will be disconnected, followed by any remaining CS objects that were linked to it.

What I'm seeing: I delete a user object from the MIM console and perform a full import using the MIMMA. It shows 1 delete, and the object is removed from the MIMMA connector space. But when I trigger a full sync, expecting the disconnect to remove the MV object, the MV object is instead re-added to the MIMMA CS and, upon the next export, recreated in the MIMMA console. What am I doing wrong?

How does MIM know if EOL mailbox been created by AADConnect?


Hi,

We have an Exchange Hybrid environment, and MIM is issuing the 'enable-remotemailbox' cmdlet against the on-prem Exchange server. AADConnect then creates the online mailbox, when it runs every 30 minutes.

We would like MIM to send the user a 'Welcome Message'; however, we can only do that once AADConnect has run and created the mailbox (otherwise the mail will NDR).

What are some of the ways that MIM can use to confirm that the remote mailbox has been created by AADConnect?

- Does AADConnect write something back to on-prem AD that we can check? Maybe check for the existence of the "msDS-ExternalDirectoryObjectID" attribute in on-prem AD? Or whether "msDS-ExternalDirectoryObjectID" starts with "User_"?

- Or does MIM have to issue an Exchange Online PowerShell query to find out if the mailbox has been created? If yes, what should we look for?

Thank you,

SK
Access denied while changing value in schema management binding


Hi

On the user creation page of the FIM portal, I wanted the country field to be mandatory and not empty. So I checked the Required checkbox under Schema Management > Binding > country.

But as soon as I submit to apply the change, it gives me the error "access is denied". So what is causing this error?

thanks.

ECMA2.0 MA discovery errors - invalid-attribute-value


Hi everyone.

We have an ECMA2.0 management agent used to import employee/student data that is provided to us by a middleware system that populates several SQL tables. I should mention that this MA has been working for several years without issue, and the issue we're seeing only started recently.

A delta import of the MA completes with discovery errors. In the error list below there are three errors titled "entry 108", "entry 209", and "entry 125". Each error type is 'invalid-attribute-value'. So this suggests that someone upstream has given us some fields that don't conform to our data types/lengths. If I click an error I get no useful information, just the error and entry number. The distinguished name is "<unavailable>", and the 'Error details' button is greyed out.

My assumption was that "entry 108" refers to the 108th add/update/delete/whatever it tried to process. I enabled logging for that MA, then counted through the records it gave me and checked the data for 108, 109 and 125, but the data looked fine. In fact, those accounts are already in the metaverse, and the values in the log for those records already exist in the metaverse.

Does anyone have any suggestions on how I can troubleshoot this further?

Thanks in advance!


MIM 2016


Hi all

Could someone please tell me what MIM Reporting is?

And how do I deploy the MIM Reporting portal, and what are the prerequisites?

thank you all.

MIM Portal Sync Rules have become orphaned


We are running a MIM 2016 (latest patch) Portal/Service and Sync system (separate servers). We created a few Synchronization Rules within the MIM portal to perform data syncs from a SQL agent into an AD environment (group membership management). The environment was not touched for a few weeks, and when we came back to it the Portal was offline. Upon starting the portal and going into the list of Synchronization Rules, each rule lists the following beside it:

<guid>
The referenced Management Agent has been deleted. Please delete this Synchronization Rule, update the external system field or re-import the deleted Management Agent)

Please note: we did NOT remove any of the management agents from the sync server. We did not change any MA configuration such as service account details, etc.

We checked the workflow history in the portal and found that the Built-in Synchronization account deleted the ma-data for each agent off the portal, and attempting to add it again resulted in an error.

Anyone experience something similar before and managed to resolve without wiping everything out and re-creating?


AK

Invalid Namespace error when attempting to reset password via SSPR


Hello,

I'm currently running across a problem when a user is attempting to reset their password via either the client or the portal. They are able to authenticate against the phone gate we have in place, but when resetting their password they are presented with the following error page:

An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Go to Self-Service Password Reset home page

On the server running the MIM Service, the event log error is showing:

System.Management: System.Management.ManagementException: Invalid namespace 
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

I've worked through the configuration outlined in the document I've pasted a link to at the bottom (as I apparently can't post links yet). So as far as I am aware, there shouldn't be any issues with permissions. The event log error seems to indicate an issue communicating with WMI on the server running the Sync Service, but I'm struggling to see why.

Has anyone else come across this before?

Document: https://docs.microsoft.com/en-us/previous-versions/mim/ee534892(v=ws.10)

Setting Account to never expire using a Work Flow


Hey everyone. I was wondering if there was a way to set an account in a MIM WF to never expire. In our environment, when a contract worker converts to full time, the employeeEndDate stays on the account and expires the account. Currently we are manually going into the portal and clearing the date, which then allows us to set the account to never expire in ADUC. We would like to automate this: when they fall into the set, clear the employeeEndDate. Any help on this would be greatly appreciated.

Active Directory Federation services (OTP through EMAIL)


Hi Guys,

I am very new to this topic, and yes, I don't understand most of the terms in regards to the process I am implementing. But this is the task that was given to me: implement a process where a user signs in to an application and gets an OTP to his email id, which is in our Active Directory for that user. He submits the OTP and gets access to the application, and an authentication provider provides the JWT tokens, such as the authentication token, refresh token and reset tokens, for the entire session.

My question is: can Active Directory Federation Services be helpful in implementing this 2FA for sending an OTP to an email? We currently have 200 users, so we will have 200 emails; each user trying to log in gets an OTP to his email id.

If not, can we achieve this using custom ADFS? If so, can anyone direct me to the links and procedure to implement this? Here Cognito user pools will be an authentication provider, and I would really appreciate it if someone could help me out with this, since I have been trying to complete it for a month and I am ending up with no light :(

Thanks,

Venkata
Skype Management Agent


Hi,

Are there MAs for Skype On Premise (latest version) and Skype Online?

Thank you,

CA SiteMinder and FIM/MIM


We are looking at implementing MIM 2016. One of our web applications is secured using CA SiteMinder, which currently handles password changes. We would like to use MIM for password reset. Is anyone aware of issues with MIM and SiteMinder playing nicely together?

using Exchange Online Mailbox for MIMService Account


Dear All,

What are the limitations if we use the following setting?

[Image: Configure mail server connection]

Exchange Online * (Notification Only before build 4.4.1749.0)

Does it support Approval option for later versions?

Identity Manager version release history:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history  

About exportflow


Hello!

I have two agents HR and AD.
AD is projected and HR is joined.

In the AD db I have 5 rows; let's call them 1, 2, 3, 4, 5.
I can join 1, 2 and 3 with HR, but 3 and 4 have no match in HR.
I have a rules extension export flow on the attribute "initial" in the AD agent.
When I run a full sync on AD, MapAttributesForExport is called 5 times, once for each object.

When I run a full sync on HR, MapAttributesForExport is called 3 times.
I thought it would call MapAttributesForExport 5 times, once for each.

I assume it will only call MapAttributesForExport for those objects that can be matched to AD.
Is that correctly understood?

//Tony

MIM Access - Two Different AD domains


Hi All,

We have a requirement where we want the MIM portal to be used by external users residing in a separate AD, different from the AD (employees or internal users) with which MIM is configured. Is this possible if we get the users into the MIM portal with a separate MA configured against the external user AD? I am not sure if authentication will ever happen without any trust to that domain, or whether there is any way we can authenticate with that domain, like ADFS or any Windows authentication mechanism. Any hints regarding this will be appreciated.

MIM - Collect user access data from a database table/view


Hello,

There is a requirement to import users and their access data from a database table/view into MIM portal.

The db view contains userid, user email, roles, etc. This needs to be imported into the MIM portal, where it should have a relationship between users and the roles they have. Users can have multiple roles too.

How can we achieve this in MIM? I have a DB management agent created, but how do I import roles and user-role relationships?

Please elaborate.

Once saw a document that explained how to have the ADMA set passwords over LDAP(s)? Fighting with No-Logon-Server error

