Channel: Microsoft Identity Manager forum

MIM 2016 SP1 Popup freeze randomly


Hi,

We have MIM 2016 SP1 (version 4.5.286).

Users work with Internet Explorer 11, and when they access the MIM Portal they have issues with popups several times a day.

What happens is the popup just hangs at "loading...".  The only way to fix this is to close the popup and open it again.

This causes the user to run their search again.

I found some information on the internet where some people said that you must clear the Internet cache or modify some files on the MIM Portal server.

Has anybody had this before?

Thanks


This posting is provided AS IS without warranty of any kind


Openldap delta-import removes all group members


Hi,

We are currently experiencing a strange issue with delta imports via OpenLDAP.

Issue
While using delta import to get the changes from OpenLDAP via AccessLog, certain groups are left with only one member.
To restore all members we have to do a full import.

The behavior only occurs if an existing group member is removed and added in the same (Deltalog) step.
Removing and adding in separate steps works fine.

Environment
- MIM Syncservice v4.4.1302.0
- MIM Generic LDAP Connector v1.1.1170.0
- OpenLDAP 2.4

Steps to reproduce

Example ldif file:
```
dn: reqStart=20200527050001.000001Z,cn=log
objectClass: auditModify
reqStart: 20200527050001.000001Z
reqEnd: 20200527050001.000002Z
reqType: modify
reqSession: 4593433
reqAuthzID: cn=admin,ou=admins,o=contoso,c=com
reqDN: cn=test,ou=groups,o=contoso,c=com
reqResult: 16
reqMod: member:- uid=dummy,ou=users,o=contoso,c=com
reqMod: member:+ uid=user3,ou=users,o=contoso,c=com
reqMod: member:+ uid=user4,ou=users,o=contoso,c=com
reqMod: member:+ uid=dummy,ou=users,o=contoso,c=com
reqMod: entryCSN:= 20200527050001.258824Z#000000#001#000000
reqMod: modifiersName:= cn=admin,ou=admins,o=contoso,c=com
reqMod: modifyTimestamp:= 20200527050001Z
reqEntryUUID: 428ab767-6257-4435-81cb-852523b1b871
```

1. The group "test" contains the following users in OpenLDAP and in the connector space:
- dummy
- user1
- user2
2. The ldif file is imported into OpenLDAP.
3. The group "test" contains the users:
- In OpenLDAP
-- dummy
-- user1
-- user2
-- user3
-- user4
- In the connector space
-- dummy
-- user1
-- user2
4. A delta import is run; after this, "test" in the (OpenLDAP) connector space only contains the user
- dummy

If we then do a full import we get the correct users in "test" in the OpenLDAP connector space:
- dummy
- user1
- user2
- user3
- user4

---

Has anyone encountered this strange behavior and found a solution for it or is this a bug?
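The entry above is a slapo-accesslog auditModify record, and the reqMod lines have to be replayed in the order they were logged: the "member:-" of dummy is undone by the later "member:+" of dummy, so the expected result is the five-member group the full import produces. The following is an added example, not code from the post or from the MIM Generic LDAP Connector; it parses such an entry and replays the member operations onto the membership from step 1, handling the value-less delete and replace forms as well. The sample entry is constructed from the post's ldif with reqResult set to 0 (LDAP success), since a failed operation must not be replayed.

```python
import re
# Accesslog entry constructed from the post's ldif; reqResult 0 is LDAP success.
ACCESSLOG_LDIF = """\
reqType: modify
reqDN: cn=test,ou=groups,o=contoso,c=com
reqResult: 0
reqMod: member:- uid=dummy,ou=users,o=contoso,c=com
reqMod: member:+ uid=user3,ou=users,o=contoso,c=com
reqMod: member:+ uid=user4,ou=users,o=contoso,c=com
reqMod: member:+ uid=dummy,ou=users,o=contoso,c=com
reqMod: entryCSN:= 20200527050001.258824Z#000000#001#000000
reqMod: modifyTimestamp:= 20200527050001Z
"""
# reqMod syntax is "<attr>:<op> <value>" with op + (add), - (delete), = (replace)
# or # (increment); a delete or replace with no value affects the whole attribute.
REQMOD_RE = re.compile(r"^reqMod: (?P<attr>[^:]+):(?P<op>[-+=#])(?: (?P<value>.*))?$")

def parse_accesslog_entry(ldif):
    """Split one auditModify entry into its attributes and its ordered reqMod list."""
    entry = {"mods": []}
    for line in ldif.splitlines():
        m = REQMOD_RE.match(line)
        if m:
            entry["mods"].append((m["attr"].lower(), m["op"], m["value"]))
        elif ": " in line:
            key, _, value = line.partition(": ")
            entry[key] = value
    entry["reqResult"] = int(entry.get("reqResult", "0"))
    return entry

def apply_member_mods(members, entry):
    """Replay the member changes of one entry, in logged order, onto a member set."""
    result = set(members)
    # Only a successful modify changes the directory; anything else is a no-op.
    if entry.get("reqType") != "modify" or entry["reqResult"] != 0:
        return result
    replaced = False
    for attr, op, value in entry["mods"]:
        if attr != "member":
            continue
        if op == "+":
            result.add(value)
        elif op == "-":
            if value is None:
                result.clear()  # bare "member:-" deletes every member
            else:
                result.discard(value)
        elif op == "=":
            if not replaced:  # first ":=" line of a replace resets the attribute
                result.clear()
                replaced = True
            if value is not None:
                result.add(value)
    return result

def replay_post_scenario():
    """Members of cn=test from step 1 of the post, after replaying the logged change."""
    before = {"uid=%s,ou=users,o=contoso,c=com" % u for u in ("dummy", "user1", "user2")}
    return apply_member_mods(before, parse_accesslog_entry(ACCESSLOG_LDIF))
```

Comparing this replayed set against what the connector space holds after a delta import is a quick way to confirm whether the connector, rather than the directory, is dropping the members.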


INBOUND SYSTEM SCOPING FILTER


Hi All,

I have an inbound sync rule that creates resources in FIM.

I wanted to restrict some objects from the management agent so that they do not project. So I defined a scoping filter, but even after defining it, I could see objects getting projected. Is there an issue, or am I missing anything here?

Flow direction: Inbound

Apply Rule: To specific MV resources


Rajesh

MIM CM PublishCRL: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)


Hi,

We're having a weird error from MIM CM when we revoke a certificate or disable a smart card.

Exception Type: System.ArgumentException
Message: CCertAdmin::PublishCRLs: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
ParamName: NULL
Data: System.Collections.ListDictionaryInternal
TargetSite: Void PublishCRLs(System.String, System.DateTime, Microsoft.Clm.CertificateServices.Interop.CrlFlags)
HelpLink: NULL
Source: CertificateAuthority.Admin
HResult: -2147024809


MIM CM calls the CA to publish a CRL with the newly revoked certificate.  Theoretically, I would say it's "by design".

But the msClm-Data attribute of the Profile Template in Active Directory ("CN=MyProfile,CN=Public Key Services,CN=Configuration,DC=MyDomaine,DC=Com") specifies that PublishCRL and PublishDeltaCRL are set to False for ALL policies:

```
<xxxPolicy>
<PublishBaseCrl>false</PublishBaseCrl>
<PublishDeltaCrl>false</PublishDeltaCrl>
```

It's not critical, but if someone has an idea why we have this issue it would be appreciated.

Adding to this, the CA receives the call from CM:

Event ID 4871 – Certificate Services Received A Request To Publish The Certificate Revocation List

Next Update: 0

Publish Base: No

Publish Delta: No

Thanks!


This posting is provided AS IS without warranty of any kind

To list KMS-server for activated installations



Users can activate a Windows installation using our KMS server without buying or reporting the installation.

Is it possible to get a report from the KMS-server about activated installations or how can we control this kind of installations/activations?

Thanks in advance.

Best Regards

/ Tubay

Multiple MIM Portal issue after applying Hotfix


Quick backstory: my company hired consultants to set up our MIM environment and left me the keys to our solution. I took a training course in MIM and learned the rest as I went. I have become very capable and comfortable with SQL, C#, PowerShell, Synchronization and Portal Service, which I think is pretty good given how spread out documentation for MIM seems to be. Where I am lacking is SharePoint, because I have never had to do anything beyond putting the Portal into "Maintenance" mode or running IISRESET.

In production we have 1 Synchronization server and 2 Portal servers. In dev we have 1 Synchronization server and 1 Portal server. I recently put together a bunch of changes in Dev along with upgrading to Hotfix 4.5.412. This week I attempted to roll out the Hotfix and the configuration changes to Production and immediately hit an issue with the hotfix. I could no longer access the MIM Portal with our load-balanced address or pointing directly at the servers.

Looking in the event logs I found the following error

The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

I googled the error and tried everything I understood in the search results but had no luck resolving the issue so I had to rollback to my snapshots and SQL Backups. I copied all the .config files I kept seeing referenced in the search results on my non-working servers before doing this. The only difference in prod is the fact that we have 2 Portal servers instead of 1 so I suspected these were causing my problems.

What I discovered was in the C:\InetPub\wwwroot\wss\VirtualDirectories\80\web.config file, after applying the hotfix the value of resourceManagementClient resourceManagementServiceBaseAddress changed from "http://server1.domain.org:5725" and "http://server2.domain.org:5725" to our load balanced address of "http://manageidentity.webdomain.org:5725".

I am fairly confident this is the cause of my issue; however, in trying to understand why, I found this https://social.technet.microsoft.com/wiki/contents/articles/10186.fim2010-troubleshooting-fim-service-is-not-available.aspx#APPENDIX_B which says "Essentially the value for resourceManagementServiceBaseAddress should match the same thing in the FIM Configuration File ( resourceManagementClient and resourceManagementServiceBaseAddress )". When I look at the MIM config I see the load balanced address of "http://manageidentity.webdomain.org:5725".

I have also seen that the web.config file should be the same on all the servers on the farm, but that was not the case with our working MIM solution as the 2 respective servers both referenced themselves in resourceManagementServiceBaseAddress.

I feel I am either misunderstanding the documentation/blogs or our production Portal servers were set up improperly.

Can anyone shed light on the resourceManagementServiceBaseAddress value when you have multiple portal servers? Or know of good documentation on setting it up so I can make sure my environment is set up correctly?

Azure AD Sync - Custom Attribute from On Premise to Azure AD


I am in the process of syncing a custom attribute.

I would like to know, when I perform this action, whether I need to keep the existing "optional features", e.g. hybrid Exchange, password hash write-back, etc.

These options are already selected.

Do they need to be removed?

What is the impact of these options being left selected? I assume nothing, but would like confirmation.

Thanks in advance!

Display advanced tab for user/person in portal?

I want to allow a "department admin" to edit a couple of attributes for a certain set of users.  The set and MPR are working for other attributes.  These attributes are not in the RCDC and I'd like to avoid adding them.  But the "department admin" users can't see the "extended attributes" tab in "advanced view".  Is there a way to expose that to them without making them MIM admins?

FIMMA Export Error: Object reference not set to an instance of an object


Until I can repro this I'll track this issue here...

This has cropped up a few times as I'm extending the portal schema. For this most recent experience, I added a new binding for an existing object to a second object class. Here is the breakdown:

AttributeTypeDescription

  • System Name: msExchHideFromAddressLists
  • DisplayName: Hide in Outlook Address Books
  • Data Type: Boolean

Binding

  • Resource Type: Group
  • Attribute Type: Hide in Outlook Address Books

Binding

  • Resource Type: User
  • Attribute Type: Hide in Outlook Address Books

Adding the first binding worked, but adding the second binding most recently caused my problem to surface. I have other attributes successfully bound to both user and group that do not present problems. The error presents itself as I am trying to contribute the existing values from my AD MA - flows are set up throughout the FIM MA to contribute the AD value into the portal, and it attempts to export but throws a 'failed-modification-via-web-services' error on the export.

Looking at the pending export:

  • Only the msExchHideFromAddressLists is being exported (Change=add, Modification type = update, Person object)
  • Previous state of the attribute is NULL (it was never set previously) in the portal
  • Updates to other attributes in the export succeed as long as this attribute is not also listed on the same object (to be expected)

Error Information

  • Running management agent: FIM MA
  • Error: failed-modification-via-web-services
  • Connected data source error code: <none listed>
  • Connected data source error: <detail button>

Call Stack Information:

There is an error executing a web service object modification request.
Type: System.NullReferenceException

Message: Object reference not set to an instance of an object.

Stack Trace:    at MIIS.ManagementAgent.RavenMA.DoAttributeLevelExport(DataSourceObject dsObject, String objClass, UninitializedResource resource)
   at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)
   at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)

Inner Exception:

----<there was no exception listed>

Event Logs:

  • Application: None, other than general 6100 error indicating there were errors on the export
  • System: None
  • Forefront Identity Manager: None (with Verbose enabled)

Service Logs: tracing enabled, no errors logged

Search Requests (portal): no requests are logged for the failed requests

I have made sure of the following:

  • Refresh Schema on the FIM MA, several times
  • Full Import successful on the FIM MA (at least one clean full, but occasionally the "case" issues popup regarding export not reimported errors)
  • Full Sync completed on the FIM MA
  • The same attribute can be modified directly in the portal without error

The fact that I have no request objects tells me this is some issue on the FIM MA side, but I can't get the error to clear. In the past, some combination of refreshing the schema was able to clear this condition.

Anyone else come across this? I doubt I could repro it...


Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com

So you still can hack with the Microsoft password on remote


Why don't you make an image of security and authorisation on a data stick, to use physically only on the physical system, instead of remote control by an administrator?

So otherwise you can always log in.

Update boolean attribute default state

I have a custom boolean attribute that has been created recently and has no state (neither true nor false). Therefore, I would like to update all the existing user accounts to set this value to false.

I created a set and was able to filter those accounts, and I'm looking to create a workflow that will set this attribute to false.

In my understanding this should be done via a Custom Expression, but I couldn't find how to do it. Did anyone face such a case before? Any hints are welcome :)

Thanks.

Search button on the MIM portal not working


Hi Everyone,

We upgraded MIM 2016 from SP1 to SP2.

1. When we choose the "Connect as" setting in IIS for the hosted MIM portal as "Logged in User" following is happening:

* After the upgrade, the user accounts with read-only access to the MIM portal are able to log in to the portal with read-only capability, but the Search and Advanced search options are not clickable.

2. When we choose the "Connect as" setting in IIS for the hosted MIM portal as "specified user service account" everything is working as expected.

Please help out.

Thanks!

Setspn Unknown Parameter


Hi,

Just going through the "Before you begin" section of FIM setup. We are planning to use a hardware load balancer, and this has been configured and the relevant 'A' record created in DNS. We next go to a DC and try to register the SPN for this new NLB name as follows:

  • setspn –S FIMService/IDM.company.com domain\FIMSync
  • setspn –S FIMService/IDM domain\FIMSync
  • setspn –S HTTP/IDM.company.com domain\FIMWSS
  • setspn –S HTTP/IDM domain\FIMWSS

When we run the first setspn registration we get the error message:

  • Unknown Parameter FIMService/IDM.company.com. Please check your usage.


We also tried running it like this:

  • setspn –A FIMService/IDM.company.com domain\FIMSync

But the same error message appears.

Any ideas?

Thank you
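One check worth making before anything else: setspn only recognises switches written with the ASCII hyphen "-" (U+002D), and the commands as pasted above contain the en dash "–" (U+2013) in front of the S and A switches, which is what word processors, wikis and some web pages substitute when text is copied through them. The following added example (not from the post or from setspn itself) scans a command line for such lookalike dashes and produces the repaired command; the sample commands are constructed from the post, the first one keeping the en dash exactly as pasted.

```python
import unicodedata

# Commands constructed from the post: the first keeps the en dash (written here
# as \u2013 so it is visible) as pasted there, the second uses the ASCII hyphen.
SAMPLE_COMMANDS = [
    "setspn \u2013S FIMService/IDM.company.com domain\\FIMSync",
    "setspn -S FIMService/IDM.company.com domain\\FIMSync",
]

# Dash-like code points commonly substituted for "-" (U+002D): hyphen, non-breaking
# hyphen, figure dash, en dash, em dash and the minus sign. A switch prefixed
# with any of them is not parsed as a switch.
DASH_LOOKALIKES = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2212"}

def find_bad_dashes(command):
    """Return (token index, token, repaired token, Unicode name) per mis-typed switch."""
    findings = []
    for i, tok in enumerate(command.split()):
        if tok[0] in DASH_LOOKALIKES:
            findings.append((i, tok, "-" + tok[1:], unicodedata.name(tok[0])))
    return findings

def repair_command(command):
    """Rewrite every lookalike dash that starts a token to the ASCII hyphen."""
    return " ".join("-" + t[1:] if t[0] in DASH_LOOKALIKES else t for t in command.split())

def check_commands(commands):
    """Map each command that needs repair to its repaired form (clean ones are omitted)."""
    return {c: repair_command(c) for c in commands if find_bad_dashes(c)}
```

Pasting the repaired string into the console, or retyping the switch by hand, removes this cause before SPN permissions or duplicate SPNs are investigated.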

is "AutoPostback" property valid for drop-down menu control in RCDC


I would like to know if there is a way to customize a handler in the RCDC that acts on a dropdown menu, which will trigger the visibility and required state of a field based on the value chosen from the dropdown list.

Based on a specific value from a dropdown menu, a few fields will be disabled in the MIM portal while creating or editing a user/person object.

Regards,

Srinwantu


Unlink Single Email Personal/Company Email Account


This probably isn't the right place for this, but maybe I can get redirected.

I have a company account that's used for Microsoft products (Outlook, Teams, 365 stuff, all linked, passed along from Azure.)  My issue is every time I log into Outlook.com it asks which one I want to use, Work or Personal.  So I followed the links to get to a sign-in preference page, but there's only one email address there and it's grayed out.  I go to my account settings page and I've got XBL and a Skype account listed.  I don't have an Xbox, but I did sign up for Mixer with this email.  I've since then made a new account with my personal email on Mixer, so I don't need this XBL account.  But when I click on it to go to change it, I have to put in a password to unlink it.  I don't remember my password, and there's nowhere that I can see to put in a "forgot my password" that doesn't lead back to the Account Manager page where the XBL and Skype accounts are listed in the first place.

It's just an annoyance every day to pick which account I want.


Ben Rollman



MIM 2016 SP1 on Server 2019


I am trying to find out if Server 2019 could be considered a supported server for MIM 2016 SP1 with SharePoint 2016. Microsoft does not list Server 2019 as supported server for SP1. Is that because of the Synchronization service? SharePoint 2016 is supported on Server 2019, so I am guessing MIM Portal & Service might be ok.

My rationale here is that I don't want to move to SP2 just yet, but I would like to get my server infrastructure in place, so all I have to do later on is apply the patch.

Multiple groups, one per domain, in a single forest, joined to same MV object


The infrastructure in question involves one forest with several domains and a couple of other forests with one domain each.  The use case is populating membership of role groups based on arbitrary criteria.  Since these role groups are global groups, each domain must have its own group.

This works fine in cases where only one domain in a given forest has one of these groups.  But where multiple domains in the same forest each have a group, the first one joins and each subsequent group fails to join with an ambiguous-import-flow-from-multiple-connectors error, even though no import flows apply.  It also fails when no import SRs apply.  When trying to manually join a second group in a forest to the MV group with the joiner, it fails with an error "System.ArgumentNullException: Value cannot be null." (well it gives a language code property sheet error before showing that in a jit debug error dialog).

Is there a way to do this that I'm missing?

Powershell connector import fails when using multiple runspaces


Hi all, I'm working on implementing a PS connector in our work environment. Using it with full import as a single thread in production can take 20+ hours due to the sheer number of attributes in the schema plus 70k objects, so I wanted to improve the time to minimise the risk of a server exception stopping the import action altogether. So I came up with the idea to utilise runspace pools and process the users in blocks in separate threads.

This is all fine and dandy until you get to the end of the script - it just tells me "stopped extension dll exception".

When I check the return list it's the same as when I run it single-threaded. Has anyone had any luck running the PS Connector in a multi-threaded way?

Unable to login to Azure portal - AADSTS90100


I have two work accounts, NL and EU. The NL account is used for Azure DevOps and the EU account for the Portal. I was able to access the Azure portal. All of a sudden, I am getting the error below after successful login via Microsoft Authenticator.
I reset the EU password, cleared cookies and restarted the machine; nothing helps. Has anyone faced this earlier?

AADSTS90100: ctx parameter is empty or not valid.
Request Id: bf8a97bd-b7c5-4d85-85e3-2167cb0c1f00
Correlation Id: 06e4bbee-4455-4e74-902b-f8ddf28cd011
Timestamp: 2020-06-12T08:39:58Z
Message: AADSTS90100: ctx parameter is empty or not valid.

My SG Visible to Group owners

Hi,

I have a FIM environment where "My SG's" is Visible to FIM Administrators only.

I need to make it visible to everyone who is the owner of any group.

Is there any FIM MPR to enable this, or must it be a custom one?

If a custom MPR is necessary, can you provide any example or guidance?

Thanks a million,

JD