Channel: Microsoft Identity Manager forum

Separation of Duties - Ideas or Experience


Hi All. Any ideas for the following scenario?

  • We have 10 departments and each department has a unique manager e.g. Manager1 to Manager10
  • Active Directory groups are sync'd with MIM portal and we have a group for each department e.g. RoleGroup1 to RoleGroup10 for Department1 to Department10 respectively
  • So Manager1 is an owner of RoleGroup1 for Department1 and the manager will use MIM portal to add/remove members as they join/leave their team
  • Users regularly move between these 10 departments but membership to more than one of the department RoleGroups creates a toxic combination of permissions that we must avoid
  • Our goal is to allow the managers to add users to their RoleGroup and automate the removal of the user from their previous RoleGroup

The question is how can we achieve this? Do we need to create additional resources and/or attributes? Can we do it all via MIMWAL? Do we need to run PowerShell scripts with the Lithnet module? If the number of RoleGroups grows, does the solution scale nicely?

Any thoughts would be appreciated, cheers.

Dan
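As an added example (not code from the thread, nor from MIM, MIMWAL or the Lithnet module), the PowerShell below works out the membership changes for the scenario in the post: a manager's add to RoleGroupN yields the removals from every other RoleGroup, and an audit pass finds users who already hold a toxic combination. The RoleGroup1..RoleGroup10 names follow the post; the user names and memberships are constructed, and the returned plan would be applied with whichever tooling (MIMWAL or Lithnet) the team chooses.

```powershell
# Added example (not code from the thread, MIM, MIMWAL or the Lithnet module): computes the
# membership changes that keep a user in exactly one department RoleGroup. RoleGroup1..10 are
# the mutually exclusive groups from the post; user names and memberships are constructed.
$ExclusiveRoleGroups = 1..10 | ForEach-Object { "RoleGroup$_" }

function Resolve-RoleGroupChange {
    # When ManagerN adds a user to RoleGroupN, return what to add and what to remove so the
    # user never holds two department RoleGroups at once. Cost grows only with the set size.
    param(
        [Parameter(Mandatory)][string]   $User,
        [Parameter(Mandatory)][string]   $TargetGroup,
        [Parameter(Mandatory)][string[]] $CurrentGroups
    )
    if ($TargetGroup -notin $ExclusiveRoleGroups) {
        throw "$TargetGroup is not one of the mutually exclusive department RoleGroups"
    }
    $heldExclusive = @($CurrentGroups | Where-Object { $_ -in $ExclusiveRoleGroups })
    [pscustomobject]@{
        User                 = $User
        Add                  = @(if ($TargetGroup -notin $CurrentGroups) { $TargetGroup })
        Remove               = @($heldExclusive | Where-Object { $_ -ne $TargetGroup })
        # True when the toxic combination already existed before this request; that case
        # should be reported to the group owners, not silently cleaned up.
        PreExistingViolation = ($heldExclusive.Count -gt 1)
    }
}

function Find-ToxicCombinations {
    # Audit pass over a user -> groups map: every user in more than one department RoleGroup.
    param([Parameter(Mandatory)][hashtable] $MembershipByUser)
    foreach ($entry in $MembershipByUser.GetEnumerator()) {
        $held = @($entry.Value | Where-Object { $_ -in $ExclusiveRoleGroups })
        if ($held.Count -gt 1) {
            [pscustomobject]@{ User = $entry.Key; RoleGroups = ($held -join ', ') }
        }
    }
}

# Constructed sample state: alice moves from Department3 to Department7, bob is compliant,
# carol already holds a toxic combination.
$memberships = @{
    'alice' = @('RoleGroup3', 'AllStaff')
    'bob'   = @('RoleGroup1')
    'carol' = @('RoleGroup2', 'RoleGroup5', 'AllStaff')
}
Find-ToxicCombinations -MembershipByUser $memberships | Format-Table -AutoSize
Resolve-RoleGroupChange -User 'alice' -TargetGroup 'RoleGroup7' -CurrentGroups $memberships['alice'] |
    Format-List
```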


Followup to older thread about flowing empty values and deleting an attribute


Hi,

This post is a followup to an older thread that I had about flowing an empty value and then deleting an attribute in a target LDAP that I posted a while ago (https://social.technet.microsoft.com/Forums/en-US/868caa9d-aabd-45f2-b63f-a83c5b724e0c/solved-kind-of-can-the-openldap-ma-deleteempty-an-attribute-from-an-existing-user-in-the-ldap?forum=ilm2#9fb06dfb-b291-4469-8005-ed717e51646c).

To sum up that old thread, we had a problem with a scenario where we were trying to flow an empty value coming from a flatfile MA into, eventually, a target LDAP.   In that thread, I *THOUGHT* that I had found how to get that working, but per that thread, I had been testing in my test environment with an AD MA going into an AD LDAP.

However, in our actual/production environment, the LDAP is an Oracle OUD LDAP instance, and we use the OpenLDAP MA as the connector, and, it looks like, while I was able to figure out how to delete the attribute in my test environment (which, again, uses AD as the LDAP and the FIM AD connector), that same approach doesn't seem to work when the target LDAP is an Oracle OUD and the OpenLDAP MA is used :(!!

With the OUD and OpenLDAP MA, everything during the processing SEEMS to work in FIM, to the point that the attribute-to-be-deleted is appearing in the FIM connector space as being marked as "Deleted", HOWEVER, when we run the final run profile to do the EXPORT, it is failing to write to the OUD. 

If I use a profile with only an EXPORT step, I am getting an "unexpected-error" and in the Event Viewer, I am seeing:

The management agent controller encountered an unexpected error.

Log Name:      Application
Source:        FIMSynchronizationService
Date:          9/13/2019 6:08:56 AM
Event ID:      6401
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIM01.gxaws.com
Description:
The management agent controller encountered an unexpected error.

"BAIL: MMS(4688): d:\bt\800\private\source\miis\cntrler\cntrler.cpp(12278): 0x80004001 (Not implemented)
BAIL: MMS(4688): d:\bt\800\private\source\miis\cntrler\cntrler.cpp(9315): 0x80004001 (Not implemented)
BAIL: MMS(4688): d:\bt\800\private\source\miis\cntrler\cntrler.cpp(8091): 0x80004001 (Not implemented)
Forefront Identity Manager 4.1.3419.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6401</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-09-13T06:08:56.000000000Z" />
    <EventRecordID>75205</EventRecordID>
    <Channel>Application</Channel>
    <Computer>FIM01.gxaws.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>BAIL: MMS(4688): d:\bt\800\private\source\miis\cntrler\cntrler.cpp(12278): 0x80004001 (Not implemented)
BAIL: MMS(4688): d:\bt\800\private\source\miis\cntrler\cntrler.cpp(9315): 0x80004001 (Not implemented)
BAIL: MMS(4688): d:\bt\800\private\source\miis\cntrler\cntrler.cpp(8091): 0x80004001 (Not implemented)
Forefront Identity Manager 4.1.3419.0</Data>
  </EventData>

</Event>

I've re-tested the same flows in my test environment (which again, uses AD and the AD connector) and it works fine, so it appears that the problem is with the OpenLDAP connector or with OUD LDAP.

Has anyone seen this problem and know how to fix/work around it?

Thanks!

Jim

MIM Sync Server Encryption. What's actually encrypted?

When you install the MIM Sync server, it prompts you to export an encryption key for the database. This led me to believe that the MIM Sync database is encrypted. However, when I open the database in SSMS and navigate to the metaverse table, for example, I can see in plain text all of the values of the metaverse entries. So what is actually encrypted by the MIM Encryption Key?

Sync Computer Objects from one forest to another


Hi Experts,

A bit of a newbie question here... I'm planning an AD domain migration to another forest, covering user object, group object and computer object (workstations) migration. I want to find out if MIM can also sync existing computer objects to another forest?

FIM/MIM Data Source Object Types


I currently use the option to separate my MA imports into sub types; this way I can use 1 SQL View in order to import these users into FIM, with little configuration. The primary MAs are used for the primary groups of users like "Current Acquisitions" or "Non-Employees"; however, within those MAs there are sub groups of users depending on their on-boarding, as they can be active/inactive in more than one place. In order to separate these users I used the "Object Type" option in the MA. This worked out very well at first, until those groups started migrating into our primary HR.

The issue is that as these entities now move into our Primary HR, I no longer want to see the sub group anymore, although there are now other groups within the "Current Acquisitions". Is there a way to remove individual "Data Source Object Types" from FIM after they have been imported? I can remove the "user type" from the view, but it appears to never get removed from the MA Configuration screens, which are beginning to appear cluttered with old information.

I even have one that was a misspelling and then corrected so now I have similar entries twice.

Thanks in advance,

Ron.



Cannot access MIM Password Registration Portal after configuring kerberos


Hi everyone

  • My systems: MIM 2016, SharePoint 2013 Foundation, SQL Server 2014 Enterprise
  • I have configured Kerberos following the guide at FIM 2010 R2 Kerberos Settings
  • After configuring, I can access the MIM Portal and SSPR via web browsers (Firefox, Chrome), but I cannot access the MIM Password Registration Portal and get the error "Access denied"

Please help me to investigate this bug.

Thank you for any suggestion!



Scripting the Deprovisioning Options of MIM Management Agents


I have to switch the "Deprovisioning Options" for a long list of Management Agents.
I already found the settings in the SQL table "mms_management_agent" in the column "provisioning_cleanup_xml":
<provisioning-cleanup type="declared"><action>delete-object</action></provisioning-cleanup>
<provisioning-cleanup type="declared"><action>make-normal-disconnector</action></provisioning-cleanup>

Is there a way to script these settings on the "Configure Deprovisioning" tab of MIM Management Agents?

Thanks in advance
Henry

Generic SQL Connector - Export Type: Object Replace option


Hi,

I am currently implementing a Generic SQL Connector based on stored procedures only (no direct access to the table). For the export, ADD and UPDATE stored procedures have been implemented. To be able to clear a value in the table, I wanted to use the option "Export Type: Object Replace" available on the connector's second page. From the documentation, this option should do:

Export Type: Object Replace: During export, when only some attributes have changed, the entire object with all attributes is exported and replaces the existing object.

Ref: https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql

By ticking this option, I would expect that FIM/MIM would send the whole object (all the attributes configured to be exported) with a NULL value where there is no value for an attribute. It looks like this option is not taken into consideration by the Management Agent. Here is the result in the log file after an export with this option activated:

<?xml version="1.0" encoding="UTF-16"?>
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
  <directory-entries>
<delta operation="update" dn="MIM_History+220175640">
 <anchor encoding="base64">GAAAAE0ASQBNAF8ASABpAHMAdABvAHIAeBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA==</anchor>
 <primary-objectclass>MIM_History</primary-objectclass>
 <objectclass>
  <oc-value>MIM_History</oc-value>
 </objectclass>
 <attr name="GIVENNAMES" operation="update" type="string" multivalued="false">
  <value operation="delete">Yfwegewi</value>
  <value operation="add">Yigsgd;Erfsfic Dudspond</value>
 </attr>
</delta>
  </directory-entries>
</mmsml>


Did anyone have the same issue in the past? Is it a bug in the MA or did I misconfigure something?

What would be a good workaround to clear a value in a table with an UPDATE stored procedure?

Thanks in advance for your help.

Anthony S.
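As an added example (not code from the thread or from the Generic SQL Connector), the PowerShell below parses an export run log in the mmsml format shown in the post and reports, per exported object, which of the attributes configured for export were actually sent; with "Object Replace" behaving as documented, the NotExported column should be empty. The expected attribute names and the shortened anchor in the sample are constructed.

```powershell
# Added example (not code from the thread or the Generic SQL Connector): reads an export run log
# in the mmsml format above and reports, per object, which expected attributes were actually
# sent. The expected attribute list and the shortened anchor below are constructed.
$ExpectedAttributes = @('GIVENNAMES', 'SURNAME', 'EMAIL', 'DEPARTMENT')

function Get-ExportDeltaReport {
    param(
        [Parameter(Mandatory)][xml]      $ExportLog,
        [Parameter(Mandatory)][string[]] $Expected
    )
    # GetElementsByTagName matches the unprefixed element name, so the mmsml default
    # namespace needs no namespace manager here.
    foreach ($delta in $ExportLog.GetElementsByTagName('delta')) {
        $attrs    = @($delta.ChildNodes | Where-Object { $_.LocalName -eq 'attr' })
        $exported = @($attrs | ForEach-Object { $_.GetAttribute('name') })
        [pscustomobject]@{
            DN          = $delta.GetAttribute('dn')
            Operation   = $delta.GetAttribute('operation')
            Exported    = ($exported -join ', ')
            # With "Object Replace" every expected attribute should appear in the delta, even
            # if only to be cleared; names listed here were not sent at all.
            NotExported = (@($Expected | Where-Object { $_ -notin $exported }) -join ', ')
            Changes     = (@(foreach ($a in $attrs) {
                              foreach ($v in ($a.ChildNodes | Where-Object { $_.LocalName -eq 'value' })) {
                                  '{0}:{1}={2}' -f $a.GetAttribute('name'), $v.GetAttribute('operation'), $v.InnerText
                              }
                          }) -join '; ')
        }
    }
}

# Constructed sample in the same shape as the log in the post.
$sample = [xml]@'
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
  <directory-entries>
    <delta operation="update" dn="MIM_History+220175640">
      <anchor encoding="base64">GAAAAE0ASQBNAA==</anchor>
      <primary-objectclass>MIM_History</primary-objectclass>
      <attr name="GIVENNAMES" operation="update" type="string" multivalued="false">
        <value operation="delete">Yfwegewi</value>
        <value operation="add">Yigsgd;Erfsfic Dudspond</value>
      </attr>
    </delta>
  </directory-entries>
</mmsml>
'@
Get-ExportDeltaReport -ExportLog $sample -Expected $ExpectedAttributes | Format-List
```

For a real run, replace the constructed sample with `[xml](Get-Content -Raw <path to the export log>)`.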


AD MA export not creating user in AD


I have FIM/MIM 2010 and have configured everything following the guidance in https://docs.microsoft.com/en-us/microsoft-identity-manager/mim-how-provision-users-adds

I can populate all the attributes from FIM service to metaverse just fine, including the details new users created in FIM portal as well as the expected rule list.

But when I run the AD MA (export & delta sync) it adds 0 changes and the synchronization rule status in the FIM portal stays "Pending". The agent runs without an error message, though.

I'm kind of new to FIM/MIM; I understand the basic concept but not that deeply. Please advise what else I should check to get the users created in the FIM portal provisioned to AD.

FIM Sync Security groups to provide access to Metaverse search


Hi,

I need to allow the L1 support team to have only the Metaverse Search tab enabled, to search objects in the Metaverse.

When we add users to the FIMSyncJoiners group, the user will have access to both Joiner and Metaverse Search, but I don't want the user to have Joiner tab access. Is there a way by which we can restrict Joiner access and provide only Metaverse Search tab access?

Thanks in Advance

Initial Install: The features you have selected have the following prerequisites


Currently installing MIM 2016 for the first time. I am following the guide from MS and am almost done with the initial deployment. I am attempting to install the Service and Portal but receive the error "The features you have selected have the following prerequisites - IIS 7.0 or better. SharePoint."

A newer version than that of IIS is installed on this server, as well as SharePoint 2016. I'm able to get to the Central Administration site for SP; although it does show some issues, they seem unrelated to anything I need. This is for an initial lab environment before moving to production later.

Any suggestions would be greatly appreciated. If anything else is needed please let me know and I will provide.

The full MIM environment is running across 3 servers total, running Windows Server 2016 with a SQL 2016 db so all apps are on 2016.

Thank you in advance.

Microsoft.MetadirectoryServices.Utils how to use


Hi,

I'm trying to create some unit tests for a Rules Extensions Code.

Since the Utils class is a static class, I was expecting to be able to use it for Microsoft.MetadirectoryServices.Utils.FindMVEntries, but it throws a NullReferenceException (although it responds successfully to the Microsoft.MetadirectoryServices.Utils.ExtensionsDirectory method call).

How can I use the Utils class on my unit tests?

Many thanks,

JD

How Azure AD Access Review for MIM Provisioned Application



Post MIM release, Microsoft added BHOLD to the deprecated features list; for new deployments Microsoft suggested using Azure AD. I want to understand how we can do the access review in Azure AD if we use MIM to provision access to applications.

Background of the solution: it is a hybrid environment; we have MIM, Azure AD, O365, AD etc.

Kindly share the configuration steps with me if possible.

Thanks,

MIM Sync Delta Sync not detecting changes


Hello Everyone,

I'm having a strange behavior on my MIM Sync Server.

I'm synchronizing from AD to SQL, and during this sync I have some advanced flows to generate emails and proxies.

For some reason, if a user changes his/her lastname, the change is detected as an update on delta import; however, the delta sync will not work and only the full sync will work. Does anybody know why?

Simulating the delta sync shows as if there are no changes detected; only a full sync will work. I don't understand why...

thanks for the help



Hitch Bardawil

Strange behaviour on IISRESET or Service restart


Hello,

I have MIM 2016 installed on Windows Server 2016, SharePoint 2016 and SQL Server 2016.

I have, as in the past, created several role-based UIs for users accessing the MIM Portal. The UIs work fine (RCDCs, search scopes, etc.) until you do an IISRESET or restart the MIM Service. At that point, when you refresh the portal on the user desktop, the error page 'Unable to process your request' appears. However, if you go to the portal on the server where you have full administrator rights and open a page with an RCDC in it, e.g. Portal Configuration, and then return to the user workstation, all of the controls now work!! The SharePoint logs are pretty unrevealing and I'm at a loss here, so any suggestions would be appreciated. First time in 10 years I've seen this behaviour.

Kind regards,

Rob



Manager reference in Soren PowerShell MA


Hi All,

I get managerid as a string from our authoritative source (SAP). managerid is the employeeid of the manager, and employeeid is the anchor attribute. All the values are imported successfully, but I am having issues with the manager reference.

If I define managerid as a reference attribute, managerid gets deleted in the CS. How do I add the manager reference?

Schema Script

# Schema script: one PSObject whose property names are "<attribute>|<type>";
# the "anchor-" prefix marks EmployeeID as the anchor attribute.
new-object -typename psobject -prop @{
    "anchor-EmployeeID|string" = ""
    "objectclass|string"       = "user"
    "firstName|string"         = ""
    "lastName|string"          = ""
    "managerId|string"         = ""
}

Import Script

foreach ($User in $UserData.Users.User)
{
    $obj = @{}
    # Hashtable keys must match the schema attribute names; the anchor is EmployeeID in the
    # schema above, so the SAP personIdExternal value is emitted under that key.
    $obj.EmployeeID      = $User.personIdExternal
    $obj."[ObjectClass]" = "user"
    $obj.firstName       = $User.firstName
    $obj.lastName        = $User.lastName
    $obj.managerId       = $User.managerId    # the manager's EmployeeID, imported as a plain string
    $obj
}

Any advice would be appreciated. Thanks!!

Security Group - Please select a displayed owner among the owners above.


Hi all,

We have been using MIM for 2 years. MIM managed all Active Directory groups.

I need help now. On the MIM Portal server, under Security Groups, when I select new or existing, I get the error message "Please select a displayed owner among the owners above."

I need help.

Thanks.

Best regards.

MIM CM - Issue with a new enrollment request - Error connecting to certificate authority


Hello,

This is a new setup of MIM CM. I configured a new profile template for self-service and I'm getting the following error when a user from the subscribers group tries to request a new set of certificates! Any idea where I should investigate to fix this?

CM Portal error:

Error connecting to certificate authority: <certificate authority name>

https://ibb.co/g6ZvM5

Event Viewer - CM server - Certificate Management/Admin

Unable to complete request for profile template:  User Self-Service Profile Template (UUID fb46b125-a942-41c0-9bd6-37afc60c8ce6).
Certificate Authority:  <certificate authority name> is offline.
Start CA service.

Impersonated identity:  <DominName>\user1.
Windows identity:  <DominName>\user1.
Process ID:  2492.
Managed thread ID:  3.

https://ibb.co/hPVruQ

Thank you

Group update not working


Dear All,

We have changed a static group to a dynamic group in the MIM portal, but the membership update is not happening to AD.

The count I see differs between the MV and the MIM portal.

Need your help!

Thanks,

Shashidhar

Approval for modification person's information

Hi everyone
Our system typically has the 4 roles below:
  1. HRMS: Human Resources Management System
  2. MIM
  3. AD
  4. ADFS
Synchronization flow: HRMS => MIM => AD with 3 MAs (HRMS, MIM, AD) and 3 MPRs (HR, MIM outbound, AD inbound).

For adding a new person in HRMS, I am using this MIMWAL https://github.com/Microsoft/MIMWAL/wiki/New-Accounts-Approval to approve / reject before provisioning to AD. It works very nicely. But I don't know how to configure approval for modifying a person's information in HRMS before synchronizing to AD, like the add-new function.

I'm a newbie on MIM, please help me.

Thank you for any suggestion!
