Hello, 

Is it possible to create multiple Criteria-based groups in MIM Portal based on inputs I will provide?

Any way we can Automate or Import the Criteria file? 

Regards, Amol Patil

Hello,

For various reasons I won't go into we are using the latest version of the Generic LDAP connector to sync users and groups to AD LDS.

The sync rule for groups is pretty straightforward with the usual two attribute flows for DN (IFO and persistent) and a bunch of others, none of which are CN before you ask!  The DN is constructed from CN=accountname,OU=etc,etc

The problem occurs when a group manager renames one of his groups and modifies the accountName in MIM.  Although this flows to AD fine in AD LDS it errors because in the LDAP world it has to delete the Old RDN before it can write the new RDN.  We can prove this by doing it manually in LDP.exe whereby if you don't select to delete the Old RDN the operation fails.

Any ideas as to why we cannot do this with the Generic LDAP MA?

TIA

Rob

Has anyone ever see this one when installing a hotfix on the MIM Service & Portal?  I'm installing 4.5.286.0 when it fails.  I just installed 4.4.1642.0 successfully.  It seems to have an issue with editing the config file, though I can see the file being updated twice.  I assume once for initial update pass and once for rollback.  It's SharePoint 2013 on Server 2016 (I know, I know), though I don’t think that is the issue. All MIM components and SQL on same server (test server).

MSI (s) (DC:60) [16:53:35:241]: Executing op: ActionStart(Name=UpdateAppConfigSettingsInPatch,,)

Action 16:53:35: UpdateAppConfigSettingsInPatch.

MSI (s) (DC:60) [16:53:35:241]: Executing op: CustomActionSchedule(Action=UpdateAppConfigSettingsInPatch,ActionType=3074,Source=BinaryData,Target=Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config",)

CustomAction UpdateAppConfigSettingsInPatch returned actual error code -1 (note this may not be 100% accurate if translation happened inside sandbox)

MSI (s) (DC:60) [16:53:35:397]: Note: 1: 1722 2: UpdateAppConfigSettingsInPatch 3: C:\Windows\Installer\MSIE484.tmp 4: Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config" 

MSI (c) (34:8C) [16:53:35:397]: Transforming table Binary.

MSI (c) (34:8C) [16:53:35:397]: Transforming table Binary.

MSI (c) (34:8C) [16:53:35:397]: Note: 1: 2262 2: Binary 3: -2147287038

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpdateAppConfigSettingsInPatch, location: C:\Windows\Installer\MSIE484.tmp, command: Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config"

MSI (s) (DC:60) [16:55:53:320]: Product: Microsoft Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UpdateAppConfigSettingsInPatch, location: C:\Windows\Installer\MSIE484.tmp, command: Operation=Patch ConfigFilePath="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\\Microsoft.ResourceManagement.Service.exe.config"

Keith

Hello Everyone,

I have an implementation of MIM 2016 and we are looking to integrate it with IBM AS 400. So my question is:

Is there any recommended third party connector for AS 400 besides the one from IDMWorks?

Thanks in advanced for your answers 

Hello all,

we have just installed a MIM 2016 CM SP1 (4.4.1302.0) on a windows server 2016.

the Certificate Authority is a 2016 one.

and we have the Error: the version of OLE on the client and server machines does not match.(Exception from HRESULT: 0x80010110)

Is someone know how to solve this problem?

we check all the spn and delegation, the rights on the database, and the group in Web Config, and all seem to be good.

thanks,

Regards,

Jean.

Hello all,

Not sure where to start with this.  I suspect it's more of an AD issue than a MIM issue.  None of the posts I've read seem to address this issue specifically.

My MIM ADMA is throwing a "permission-issue" message when trying to delete an account.  I've managed to mess around with it some and can make it work. But, I'm confused about a few things.

The account MIM is trying to delete was created by  the ADMA, and owned by the account the ADMA is running under.  The ADMA account is granted full control rights to the parent OU, with inheritance set to this object and all child objects. (the account is actually four levels down).  If I check the security tab of the account, the ADMA account shows up with full control checked (and all the other checkboxes, includeing delete).  Seems pretty simple, to me.  I can't think of any more pertinent information to add.

What I have done to make it work is: 1) remove the ADMA rights from the parent OU, 2) drill down to the account and assigned the ADMA account full control to the actual account.  After doing that, ADMA will delete the account.  Then, I'll set the ADMA account back to full control at the parent and enable inheritance.

So, this leads me to believe there's something in the inheritance that's not getting set.  When setting file system rights, there is an option to replace all the child permissions when the changes are applied.  I don't see that option for user accounts.

To throw another thing at this, I don't have the problem with all the accounts.  It actually seems to be quite rare that I run into this.

I can't be certain about this final aspect.  I do have cases where there is an account I temporarily do not want MIM messing with. So, I'll break the inheritance on the one account and revoke the ADMA account rights.  When I'm comfortable that MIM isn't going to do something sinister to that account, I'll put the inheritance back.  It's rare that I do that, but in one case, this "permission-issue" has reared its head on an account I have done that to. 

Is the a way to force the inheritance to propogate throughout the tree?  Is there something I'm missing?

My "go to" work around has been to just go into AD and manually delete the account. That's quick and dirty and it keeps the ADMA from failing.  But, I'd like to know what's going on.

Thanks,

Greg

I am having installation error in PAM 2016, please help

Error 2826:  Control ckboxUseSSL on dialog ExchAndCertificateDlg extends beyond the boundaries of the dialog to the right by 15 pixels
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2826. The arguments are: ExchAndCertificateDlg, ckboxUseSSL, to the right

TL;DR: 
Users do not get removed from shadow principals by PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL based group membership also works. Correct access has been granted to the service account. 

So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust). 

I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API results in the user being added to the shadow principal (with a TTL as expected). So far so good.

But if the role is manually deactivated before the TTL has expired, I can see all the request go through successfully (the TTL of the PAM request is set to 0 and it is expired). However the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage. 

"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed fromshadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

However no removal (or failure events in MIM/Event logs) actually occur. 

If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

So in other words, log wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens even though the logs state that 'the user was removed'. 

Has anyone else run into this and perhaps can shed some light on this behavior? 

Andreas

Hi All

Am trying to integrate the SAPSuccessFactors which is in the form of ODATA API URL. am not able to see the list of attributes which gets when i do integrate the same.

while finding out the troubleshoot options in one of the MIM Technet documents mentioned that

• REST (not ODATA): An HTTP protocol-based connector/web.

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-ma-ws

Can some one please provide their inputs to get it corrected.

Hi All

I have implemented basic Approval Workflow using Microsoft Article. But still am not able to see the Workflow Triggered. not able to identify what exactly went wrong.

Thanks

Hi All,

I have designed the Database which queries Region based States, states based Office Locations and OfficeLocation based Department. I wanted to use this in MIM RCDC Configuration by using any of the below to populate the Dropdown.

Direct calling the Stored Procedure into RCDC using Powershell. how to bind powershell dataset to  RCDC Dropdown list Control

Call the Stored Procedure into Jquery and use the JQuery in the ASPX files of MIM Portal

Please do suggest and provide how can we acheive this in MIM RCDC Configuration.

Thanks 

Hi there,

I've read the threads on this but still need help.

I'm setting sup MIM 2016 SP1 (which is absolutely not my forte) and have run into the this problem when running the Export on the MIM MA.

It seems to be the one detailed in https://social.technet.microsoft.com/wiki/contents/articles/17242.fim-troubleshooting-failed-creation-via-web-services-invalidrepresentationexception-valueviolatesuniqueness.aspx, which suggests creating an Import Attrib Flow for domain --> domain but I can't see how to do that... I don't get the option under Mgmt Agent/Properties/Configure Attribute Flow.

The MIM server was set up according to the instructions at 

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-deploy

Full text of the error is below. Thanks in advance for any assistance.

What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in February 2019 and must be in English. However, the original blog or forum content can be from beforeFebruary 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!

Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.

How can you win?

1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

Hello,

Client have a production window server 2008 r2 with fim 2010 rtm installed and sql server 2008 r2 installed on different server and wants to upgrade them to mim 2016 sp1 and sql server 2016 on new window 2016 server and 2012 r2 platform respectively.

We are not doing in place migration. 

Below are steps we performed:

• FIM sync and service DB backups(fim 2010 rtm)
• Restored the databases on sql server 2016 on new window server 2012 r2 platform with all required permissions.
• Ran mim sync 2016 sp1 setup on window server 2016 
• Received error with rollback action

Below is the error we received:

Error 25009 the microsoft identity manager synchronization service cannot configure the specified database.Invalid object name 'mms_management_agent'

<hr=0*80230406>

We tried to change the compatibility level from sql server 2008 to sql 2016 for FIM database but still getting the same error.

Hi Team,

I have a PAM implementation in which I have a Root Forest abc.no and a subdomain <g class="gr_ gr_99 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="99" id="99">xyz.abc.no .</g> I have installed MIM 2016 SP1 <g class="gr_ gr_262 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="262" id="262">latest  and</g> built a PAM <g class="gr_ gr_170 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="170" id="170">bastian</g> forest <g class="gr_ gr_204 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="204" id="204">pam.priv .</g>

I followed Microsoft's documentation and tried to create a trust between pam.priv and abc.no which was successful. However, when I try to run the command

$ca = get-credential
New-PAMDomainConfiguration -SourceDomain "xyz.abc.no" -Credentials $ca  I get the below error message -

------------------------------------------------------------------------------------------------------------------

<g class="gr_ gr_509 gr-alert gr_gramm gr_hide gr_inline_cards gr_run_anim Style multiReplace replaceWithoutSep" data-gr-id="509" id="509">New-PAMDomainConfiguration :</g> No existing trust found with xyy.abc.no. Please run New-<g class="gr_ gr_507 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="507" id="507">PAMTrust</g> to create required
trust.
At line:1 char:1
+ New-PAMDomainConfiguration -SourceDomain "xyz.abc.no" -Credentia ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-PAMDomainConfiguration], InvalidOperationException
    + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.AdminPamCmdlets.NewPamDomainConfiguratio
   nCommand

-------------------------------------------------------------------------------------------------------------------

I also tried to create a trust between pam.priv and xyz.abc.no but it wont allow as xyz.abc.no is not a forest its a domain under forest abc.no.

My Forest and Domain are running on Windows 2008R2 fun level and my PAM forest is on Win server 2016.

<g class="gr_ gr_851 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="851" id="851">Also ,</g> I created the trust with Enterprise Admin credential between pam.priv and abc.no

I am unable to <g class="gr_ gr_692 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="692" id="692">proceed ,</g> kindly assist.

Thank You,

Parin Das

Team,

In my environment we are facing Delta sync issue in "stopped-database-connection-lost" aad connect server.

Its happening daily twice in a day.

Checked the system event logs ,just showing delta sync issue .

Thanks

====

Rama

Hi All,

Is there anyway possible that I can convert / write a CustomExpression to convert the EmployeeEndDate to AccountExpires in AD using the MIM Portal Synchronization Rule.

I am familiar with Rules Extension, but i want to implement this with Synchronization Rule / Workflow anything is fine. 

Can some one help me on this please . 

Thanks - Srinivas

My scenario is almost identical to the sample scenario in this blog that I have been trying to follow.  Customer has multiple domains.  A user's manager may likely exist in another domain in a different forest.  So, they use the UserProxy objects in LDS to track the managers.  All users in MIM are exported to a single LDS datasource.  I have the managerID attribute populated on all users with their manager's employee ID.  I need a way to export the reference to the manager attribute to the LDS Connector Space.  Here is my adapted code from the above blog.  Where am I going wrong?  The Sync Engine is telling me that ManagerID doesn't exist.  I have ManagerID (string) mapped to manager (reference) and set as a Rules Extension.  Then, I put the below code in the Export section of the code.

string ManagerIDField;
            ManagerIDField = "" + csentry["ManagerID"].ReferenceValue;
            string employeeIDField;
            employeeIDField = "" + csentry["employeeID"].ReferenceValue;
            //Start manager lookup
            if (mventry[ManagerIDField].IsPresent)
            {
                MVEntry[] mveManager;
                mveManager = Utils.FindMVEntries(employeeIDField, mventry[ManagerIDField].Value);

                //performs a search
                if (mveManager.Length == 1)//if we get only one return (which we should)
                {
                    if (mveManager[0]["DN"].IsPresent)//if there is the DN on that return
                    {
                        csentry["manager"].Value = mveManager[0]["DN"].Value; //set the DN as the manager
                        //break;
                    }
                    else
                    {
                        //break;//dn may not be populated yet - it will occur on the next run
                    }
                }
                else
                {
                    //break;

                    //should never happen (employeeID is unique)- we'll fall through if it does
                }
            }
            else
            {
                //break;

Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx

Hi All,

Just wanted to check if anyone ever came across any issues when FIM 2010 servers were updated to use TLS 1.1 or TLS 1.2?

Thank you in adavance.

Best Regards,

Rajan Shrivastava