
MIM Graph MA error on delta import "File was corrupted or removed. Try to re-run 'FullImport' to re-initialize it."


I recently upgraded the MS Graph connector to 1.1.1170.0 (from 1.1.1130.0).  Now when I run a delta import on the MA that uses this connector, it fails with an error.  Full import and all the other operations work fine.

It looked like it needed a schema update, which I performed (and it took several hours, which seems a lot longer than it should for a database of this size).  Delta import worked immediately after that, but it's failing again.

The full error message in the event log is:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          5/21/2020 2:40:21 PM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SVPHCMIM01.hc.hctx.net
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception during the import: ---> Microsoft.IdentityManagement.Connector.Graph.GraphAPIException: File was corrupted or removed. Try to re-run 'FullImport' to re-initialize it.
   at Microsoft.IdentityManagement.Connector.Graph.LocalStorageManager..ctor(String fileName, String fileHash, Boolean isDeltaImport)
   at Microsoft.IdentityManagement.Connector.Graph.ImportContext.GetImportEntries()
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.5.412.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6801</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-05-21T19:40:21.754947400Z" />
    <EventRecordID>1773995</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SVPHCMIM01.hc.hctx.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception during the import: ---&gt; Microsoft.IdentityManagement.Connector.Graph.GraphAPIException: File was corrupted or removed. Try to re-run 'FullImport' to re-initialize it.
   at Microsoft.IdentityManagement.Connector.Graph.LocalStorageManager..ctor(String fileName, String fileHash, Boolean isDeltaImport)
   at Microsoft.IdentityManagement.Connector.Graph.ImportContext.GetImportEntries()
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.Connector.Graph.GraphConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.5.412.0</Data>
  </EventData>
</Event>
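The stack trace above fails in LocalStorageManager's constructor, which is handed a file name and an expected hash: the connector keeps a local delta file per MA and refuses to run a Delta Import when that file no longer matches the hash it recorded. The script below is an added example (not code from the original post or from the Graph connector) that re-initialises that state the way the error message asks, by driving the Sync Service WMI provider: Full Import first, then Delta Import, then the recent run history for the MA so you can see whether anything else ran against the connector in between. The MA name 'Graph MA' and the run profile names 'Full Import' and 'Delta Import' are placeholders; run it on the Sync Service server as a member of the MIMSyncAdmins group.

```powershell
# Added example, not from the original post. Re-initialise a Graph connector's
# delta state via the MIM Sync WMI provider and confirm Delta Import works after it.
# Placeholders: MA name and run profile names; adjust to your configuration.
$maName = 'Graph MA'

$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                    -Class 'MIIS_ManagementAgent' -Filter "Name = '$maName'"
if (-not $ma) { throw "Management agent '$maName' not found." }

function Invoke-RunProfile {
    param(
        [System.Management.ManagementObject]$Agent,
        [string]$ProfileName
    )
    # Execute() blocks until the run finishes and returns the run result string,
    # e.g. 'success', 'completed-export-errors', 'stopped-extension-dll-exception'.
    $result = $Agent.Execute($ProfileName).ReturnValue
    [pscustomobject]@{ Agent = $Agent.Name; Profile = $ProfileName; Result = $result }
}

# Full Import rebuilds the connector's local delta file and the hash it stores for it;
# only after that does a Delta Import have a valid file to validate against.
$full = Invoke-RunProfile -Agent $ma -ProfileName 'Full Import'
if ($full.Result -ne 'success') {
    throw "Full Import ended with '$($full.Result)'; not attempting Delta Import."
}

$delta = Invoke-RunProfile -Agent $ma -ProfileName 'Delta Import'
$full, $delta | Format-Table -AutoSize

# Most recent runs for this MA, newest first. If Delta Import starts failing again
# later, look for a run (or a second scheduled job / MA instance) that touched the
# connector between the successful Full Import and the failing Delta Import.
Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class 'MIIS_RunHistory' |
    Where-Object { $_.MaName -eq $maName } |
    Sort-Object RunStartTime -Descending |
    Select-Object -First 5 RunProfile, RunStartTime, RunEndTime, RunStatus
```

If the Delta Import succeeds immediately after the Full Import and then fails again some runs later, as in the post, the run history is the first place to look: a Full Import from another schedule, or a restore of the MaData folder from backup, will both invalidate the hash the connector stored. (That the per-MA file lives under the MA's MaData folder is an assumption about the connector, not something the trace confirms.)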


to check zw.knightfrank.com is registered under knightfrank.onmicrosoft.com, office 365

Need to check if zw.knightfrank.com is registered under knightfrank.onmicrosoft.com, office 365

swathi

Azure Global Admin

I signed up for Azure AD services after discovering that MMC no longer allowed add-ins to manage local users and groups. I began the process and think I skipped a step, as my Gmail account was my local user login. Now my Google email is part of the onmicrosoft.com login/account for Azure, and the Gmail address is one word without the dot before @gmail. Can anyone tell me the step I missed? Is it pointing 'A' records or something along those lines?

"stopped-extension-dll-exception" on a PS MA


Hi all,

I have this error "stopped-extension-dll-exception" on a PS MA.

On the event viewer, I can see this :

 

The extensible extension returned an unsupported error.
 The stack trace is:

 "System.Management.Automation.ActionPreferenceStopException: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Unable to complete this action. Try again later.
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at Granfeldt.PowerShellManagementAgent.InvokePowerShellScript(Command command, PSDataCollection`1 pipelineInput)
   at Granfeldt.PowerShellManagementAgent.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.6.263.0"

Do you have any idea about that?

Access Reviews in Azure & Bulk Group Upload

I'm trying to set up a recurring access review in Azure to track guest access to Teams sites. Given the number of sites I have, I need to be able to automatically update the access review with the current list of O365 Groups, but I'm struggling to find a way to do this. Has anyone else had this problem?

Fire Workflow based on Request Creation

Do you know if you can fire a workflow based on the creation of a Request? I added an MPR and Workflow that should fire on Transition In to the All Requests set, but the workflow doesn't fire. I understand there might be a good reason for this: if you're firing a workflow that generates requests based on the creation of a request, you might get an infinite loop. But is this actually enforced in the portal? It seems to be, but I can't find any documentation about it.

MIM Justification - Justification response provided by the approver


So how do we actually get the value of the response provided by the approver, for example to include it in an email notification?

Some examples on the internet provide a solution using [//WorkflowData/Reason], but somehow we need to include the value in the WorkflowData dictionary.

Get-AzureADServicePrincipalOwner -ObjectId XXXXX


When I execute the command below, the output doesn't return anything. Could you please help with how to get the owner information of an SPN?

Get-AzureADServicePrincipalOwner -ObjectId XXXXX
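An empty result from Get-AzureADServicePrincipalOwner is not necessarily an error: a service principal can legitimately have no owners, the ObjectId may be the application registration's rather than the service principal's (they are different objects with different ObjectIds), and when the app is registered in the same tenant its owners are usually recorded on the application object rather than on the service principal. The script below is an added example (not from the original post) that walks through those three cases. It assumes the AzureAD module is installed and Connect-AzureAD has been run; $spObjectId is a placeholder.

```powershell
# Added example, not from the original post. Resolve an SPN's owners, handling the
# cases in which Get-AzureADServicePrincipalOwner returns nothing.
# Assumes: AzureAD module, an existing Connect-AzureAD session; $spObjectId is a placeholder.
$spObjectId = '00000000-0000-0000-0000-000000000000'

# 1. Make sure the id really is a service principal ObjectId. If it is not,
#    retry treating it as an AppId (the "Application (client) ID" shown in the portal).
$sp = Get-AzureADServicePrincipal -ObjectId $spObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$spObjectId'"
}
if (-not $sp) { throw "No service principal found with ObjectId or AppId '$spObjectId'." }

# 2. Owners on the service principal itself. Zero owners is a valid state and is
#    common for gallery / multi-tenant apps and for SPs created by automation.
$spOwners = @(Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId)

# 3. If the app registration lives in this tenant, owners are normally set there.
#    Owners can be users or other service principals, so report DisplayName.
$app = Get-AzureADApplication -Filter "AppId eq '$($sp.AppId)'"
$appOwners = if ($app) { @(Get-AzureADApplicationOwner -ObjectId $app.ObjectId) } else { @() }

[pscustomobject]@{
    ServicePrincipal        = $sp.DisplayName
    ServicePrincipalId      = $sp.ObjectId
    AppId                   = $sp.AppId
    AppRegistrationInTenant = [bool]$app
    ServicePrincipalOwners  = ($spOwners  | ForEach-Object { $_.DisplayName }) -join ', '
    AppRegistrationOwners   = ($appOwners | ForEach-Object { $_.DisplayName }) -join ', '
}
```

From a security-review standpoint, an enterprise app with no owner on either object is worth flagging rather than ignoring: nobody is accountable for its credentials or permission grants, and ownership is the minimal control that lets you ask who can add a secret to it.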


Allow group owners delete access - FIM 2010 R2

Hello,

I am using FIM 2010 R2 for group management, and currently users are allowed to manage membership (add and remove members). Now I want to allow them delete access on the groups they own.

As far as I know, I need to modify the security and distribution group MPRs and select the "Delete Resource" option, but is this enough, or do I need to configure anything else to achieve this requirement?

Many thanks in advance

Regards, Manoj Misal

Convert Privileged Group scope from Universal to Global


Hello Team,

Is there an option to convert the domain privileged groups (Enterprise Admins & Schema Admins) from Universal to Global scope? Will that secure the privileged groups in a single-domain forest?

Thanks.

Error: The RPC server is unavailable. 0x8007706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

So we upgraded our Certificate Authority server from Windows 2012 to Windows 2019 and it stopped working. Every time I try to issue a certificate from a network PC (Start >> Manage User Certificates >> Certificates - Current User >> Personal >> Certificates >> right-click and select All Tasks >> Request New ...) I get the following error:

An error occurred while enrolling for a certificate. The certificate request could not be submitted to the certificate authority.

Url: CAServer.domain\Company Enterprise CA

Error: The RPC server is unavailable. 0x8007706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)



I have tried the following
* I can ping the CA server from the PC (trying to request new cert) and from the CA to PC
* Checked the CA server it has Certificate Service DCOM Access User group and Domain Computers, Domain Controllers, and Domain Users are part of it
* From the PC that I'm trying to get the certificate on, I issued certutil -ping -config "CAServer.domain\Company Enterprise CA"
Connecting to CAServer.domain\Company Enterprise CA ...
Server "Company Enterprise CA" ICertRequest2 interface is alive (94ms)
CertUtil: -ping command completed successfully.


So not sure what to try next. Upgrading the server to 2019 was the only change that was done. Any suggestions would be highly appreciated
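The interesting part of this report is that certutil -ping reaches ICertRequest2 over DCOM but the MMC wizard still gets RPC_S_SERVER_UNAVAILABLE. The wizard does more than submit the request: it first reads the enrollment policy (CA and template objects) from Active Directory, and the CA object there still carries whatever dNSHostName was recorded before the upgrade. The script below is an added example (not from the original post) that checks each hop from the failing client. $caHost and $caConfig are placeholders; the ActiveDirectory module is assumed for the directory checks. The remediation at the end is Microsoft's documented way of making the CA rewrite its DCOM ACLs, which in-place upgrades have been known to leave stale; verify it against current documentation before running it on your CA.

```powershell
# Added example, not from the original post. Enrollment-path checks for the
# "certutil -ping works but the wizard fails with 1722" situation.
# Placeholders: $caHost, $caConfig. Run from the client that fails to enrol.
$caHost   = 'CAServer.domain'
$caConfig = 'CAServer.domain\Company Enterprise CA'

$results = [ordered]@{}

# 1. RPC endpoint mapper. Every RPC/DCOM call to the CA starts on TCP 135 and is
#    then redirected to a dynamic port registered by certsvc; both must pass the firewall.
$results['TCP 135 reachable'] = Test-NetConnection -ComputerName $caHost -Port 135 -InformationLevel Quiet

# 2. ICertRequest over DCOM, the interface the wizard submits to (same as the post's ping).
$null = & certutil.exe -ping -config $caConfig 2>&1
$results['certutil -ping'] = ($LASTEXITCODE -eq 0)

# 3. What AD tells clients about the CA. The wizard reads these pKIEnrollmentService
#    objects first; if dNSHostName still names the pre-upgrade host (or a name that no
#    longer resolves), the wizard talks to the wrong place even though a ping by the
#    explicit config string works.
$configNc = (Get-ADRootDSE).configurationNamingContext
$enrollSvc = Get-ADObject -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc" `
    -Properties dNSHostName, certificateTemplates
$results['AD CA objects (name -> dNSHostName)'] =
    ($enrollSvc | ForEach-Object { "$($_.Name) -> $($_.dNSHostName)" }) -join '; '
$results['dNSHostName resolves'] =
    ($enrollSvc | ForEach-Object { [bool](Resolve-DnsName $_.dNSHostName -ErrorAction SilentlyContinue) }) -join ', '

# 4. Direct members of the DCOM access group the post already checked, for the record.
$results['Certificate Service DCOM Access members'] =
    (Get-ADGroupMember -Identity 'Certificate Service DCOM Access' | ForEach-Object Name) -join ', '

[pscustomobject]$results | Format-List

# If all of the above is clean, the remaining suspect is the CA's own DCOM ACL, which
# is written from the "Certificate Service DCOM Access" membership only when the
# "DCOM security updated" setup flag is clear. Microsoft's documented reset (run on
# the CA as an administrator, after confirming against current docs):
#   certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
#   Restart-Service certsvc
```

Read the dNSHostName line carefully after an in-place upgrade: an enterprise CA that was renamed, or that kept its name but changed IP, can leave clients enrolling against a stale name while an explicit -config string still works, which is exactly the asymmetry in the post.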

Microsoft Identity Manager 2016 upgrade - MSP patch keeps rolling back and failing to install


Hi folks, I'm trying to update our instance of Microsoft Identity Manager 2016 from version 4.3.1935.0 to version 4.6.263.0 via the provided MSP. I'm trying to update the MIM Service and Sync components (we only use the SSPR element of MIM), and every time I run the MSP patch it fails and rolls back. The patches I am trying to install are: MIMSyncService_x64_KB4512924 and MIMService_x64_KB4512924

I've output verbose logs and the below are the relevant errors I am getting:

MSI (c) (E8:28) [20:44:32:690]: Note: 1: 2262 2: Error 3: -2147287038

MSI (c) (E8:28) [20:44:32:690]: Note: 1: 2262 2: Error 3: -2147287038

DEBUG: Error 2749: Transform VL.2 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product version == 4.4.1302.0, found product version 4.6.34.0.

DEBUG: Error 2749: Transform VL.3 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product version == 4.6.31.0, found product version 4.6.34.0.

DEBUG: Error 2749: Transform VL.4 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product version == 4.6.33.0, found product version 4.6.34.0.

DEBUG: Error 2746: Transform EVAL.5 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product {E38A2125-01B4-4CFF-B4F9-0E2DD61344E1}, found product {5A7CB0A3-7AA2-4F40-8899-02B83694085F}.

DEBUG: Error 2746: Transform EVAL.6 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product {E38A2125-01B4-4CFF-B4F9-0E2DD61344E1}, found product {5A7CB0A3-7AA2-4F40-8899-02B83694085F}.

DEBUG: Error 2746: Transform EVAL.7 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product {E38A2125-01B4-4CFF-B4F9-0E2DD61344E1}, found product {5A7CB0A3-7AA2-4F40-8899-02B83694085F}.

DEBUG: Error 2746: Transform EVAL.8 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product {E38A2125-01B4-4CFF-B4F9-0E2DD61344E1}, found product {5A7CB0A3-7AA2-4F40-8899-02B83694085F}.

(E8:28) [20:44:32:706]: Transforming table Error.
MSI (c) (E8:28) [20:44:32:706]: Note: 1: 2262 2: Error 3: -2147287038

MSI (c) (E8:28) [20:44:32:706]: Transforming table Error.

MSI (c) (E8:28) [20:44:32:894]: Skipping action: ErrorNotElevated (condition is false)

MSI (c) (E8:84) [20:44:32:894]: Transforming table Error.
MSI (c) (E8:84) [20:44:32:894]: Transforming table Error.
MSI (c) (E8:84) [20:44:32:894]: Note: 1: 2262 2: Error 3: -2147287038

MSI (c) (E8:84) [20:44:32:894]: Transforming table Error.
MSI (c) (E8:84) [20:44:32:894]: Transforming table Error.
MSI (c) (E8:84) [20:44:32:894]: Note: 1: 2262 2: Error 3: -2147287038

MSI (c) (E8:28) [20:44:32:972]: Doing action: DetectStoreServerIgnoreError
Action 20:44:32: DetectStoreServerIgnoreError.
Action start 20:44:32: DetectStoreServerIgnoreError.

MSI (c) (E8:B8) [20:44:32:987]: Invoking remote custom action. DLL: C:\Users\xxxx\AppData\Local\Temp\MSI6C5E.tmp, Entrypoint: DetectStoreServerIgnoreError

Action ended 20:44:33: DetectStoreServerIgnoreError. Return value 1.

CustomAction DetectServiceAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

MSI (c) (E8:28) [20:44:33:206]: Doing action: SetupCompleteError
Action 20:44:33: SetupCompleteError.
Action start 20:44:33: SetupCompleteError.

Action 20:44:33: SetupCompleteError. Dialog created

Action ended 20:44:38: SetupCompleteError. Return value 2.

Property(C): ErrorDialog = SetupError

MSI (c) (E8:28) [20:44:38:316]: Product: Microsoft Identity Manager Synchronization Service - Update 'MIM Synchronization Service Hotfix KB KB4512924' could not be installed. Error code 1603. Additional information is available in the log file D:\MIM2016SP2\mimsyncservice.log.
MSI (c) (E8:28) [20:44:38:316]: Windows Installer installed an update. Product Name: Microsoft Identity Manager Synchronization Service. Product Version: 4.6.34.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: MIM Synchronization Service Hotfix KB KB4512924. Installation success or error status: 1603.

MSI (c) (E8:28) [20:44:38:316]: Transforming table Error.
MSI (c) (E8:28) [20:44:38:316]: Transforming table Error.
MSI (c) (E8:28) [20:44:38:316]: Note: 1: 2262 2: Error 3: -2147287038
MSI (c) (E8:28) [20:44:38:316]: Transforming table Error.
MSI (c) (E8:28) [20:44:38:316]: Transforming table Error.
MSI (c) (E8:28) [20:44:38:316]: Note: 1: 2262 2: Error 3: -2147287038
MSI (c) (E8:28) [20:44:38:316]: Product: Microsoft Identity Manager Synchronization Service -- Configuration failed.
MSI (c) (E8:28) [20:44:38:316]: Windows Installer reconfigured the product. Product Name: Microsoft Identity Manager Synchronization Service. Product Version: 4.6.34.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 1603.

Then the patch installer ends with the following (not errors):

MSI (c) (E8:28) [20:44:38:316]: Grabbed execution mutex.
MSI (c) (E8:28) [20:44:38:316]: Cleaning up uninstalled install packages, if any exist
MSI (c) (E8:28) [20:44:38:316]: MainEngineThread is returning 1603

Any ideas folks on why this patch is not applying?

Thanks RW
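Two things in that log are easy to conflate. The 2746/2749 "Transform ... invalid for package" lines are expected: an MSP carries one transform per baseline it can patch (here 4.4.1302.0, 4.6.31.0, 4.6.33.0 and an evaluation product code), Windows Installer validates every transform against the installed product and logs each mismatch, and only the matching transform is applied. The line that actually decides the outcome is "CustomAction DetectServiceAccount returned actual error code 1603". The script below is an added example (not from the original post) that reads a verbose MSI log and separates that noise from the failing custom action; the sample log is constructed from lines quoted in the post, and the real-log usage at the end assumes the path the post's installer printed.

```powershell
# Added example, not from the original post. Summarise a verbose MSP log: count the
# expected transform-validation noise, and surface the custom action(s) that failed.
function Get-MsiPatchLogSummary {
    param([string[]]$Lines)

    $skippedTransforms = [System.Collections.Generic.List[string]]::new()
    $failedActions     = [System.Collections.Generic.List[object]]::new()
    $installedVersion  = $null
    $installerStatus   = $null

    foreach ($line in $Lines) {
        switch -Regex ($line) {
            # One line per non-matching baseline transform; informational, not the cause.
            'Error 27(46|49): Transform (\S+) invalid for package' {
                $skippedTransforms.Add($Matches[2]); break
            }
            # A custom action that returned a non-zero code is what actually failed.
            'CustomAction (\S+) returned actual error code (\d+)' {
                $failedActions.Add([pscustomobject]@{ Action = $Matches[1]; Code = [int]$Matches[2] }); break
            }
            # Final status line: which product version was found and the overall result.
            'Product Version: (\d+(?:\.\d+)*)\..*?status: (\d+)' {
                $installedVersion = $Matches[1]; $installerStatus = [int]$Matches[2]; break
            }
        }
    }

    [pscustomobject]@{
        InstalledProductVersion = $installedVersion
        InstallerStatus         = $installerStatus        # 0 = success, 1603 = fatal error
        TransformsSkipped       = $skippedTransforms.Count # expected; not what to chase
        FailingCustomActions    = $failedActions           # what to chase
    }
}

# Constructed sample built from lines quoted in the post (not a real log file).
$sampleLog = @'
DEBUG: Error 2749: Transform VL.2 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product version == 4.4.1302.0, found product version 4.6.34.0.
DEBUG: Error 2746: Transform EVAL.5 invalid for package C:\Windows\Installer\68cfdb.msi. Expected product {E38A2125-01B4-4CFF-B4F9-0E2DD61344E1}, found product {5A7CB0A3-7AA2-4F40-8899-02B83694085F}.
CustomAction DetectServiceAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (c) (E8:28) [20:44:38:316]: Windows Installer installed an update. Product Name: Microsoft Identity Manager Synchronization Service. Product Version: 4.6.34.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: MIM Synchronization Service Hotfix KB KB4512924. Installation success or error status: 1603.
'@ -split "`r?`n"

Get-MsiPatchLogSummary -Lines $sampleLog | Format-List

# Against the real log the post's installer wrote (path assumed from the log text):
# Get-MsiPatchLogSummary -Lines (Get-Content 'D:\MIM2016SP2\mimsyncservice.log') | Format-List
```

With the noise filtered out, the lines to read in the full log are the ones immediately before and after DetectServiceAccount; that action runs in the client (c) context, so the account running the MSP and its ability to validate the configured service account are what that custom action is checking.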

MIM 2016 SP2 4.6.258.0 and deadlock issues on portal export


I am aware that there is a hotfix 4.5.286.0 that fixes deadlock issues. However, I am already on 4.6.258.0. As a matter of fact, this is a fresh install of MIM 2016 SP2 4.6.34.0 and hotfix 4.6.258.0.

The deadlock error is as follows:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 1205, Level 13, State 51, Procedure fim.CalculateRequestSetTransitionsStatementEvaluation, Line 153, Message: Transaction (Process ID 95) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

As of right now, I have not added any Sets, Workflows or MPRs, other than a few MPRs that grant permissions. What I have in the portal is more than 50,000 users and more than 3,000 criteria-based security groups.

I have also tweaked miiserver.exe.config and Microsoft.ResourceManagement.Service.exe.config.

<resourceSynchronizationClient asynchronous="true" aggregate="true" aggregationThreshold="8" delayUpdateAcknowledgements="true" exportRequestsInProcessMaximum="4"/>

<resourceManagementService externalHostName="mimtest.domain.org" maxSimultaneousSynchronizationRequests="2"/>

However, deadlock errors happen unless I disable asynchronous. SQL Server is version 14.0.3335.7, which is the latest available update for SQL Server 2017.

Please, does anybody have any idea why this is happening and how I can solve the problem?
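The error text names the victim procedure but not what it collided with, and the two config elements quoted above (exportRequestsInProcessMaximum on the Sync side, maxSimultaneousSynchronizationRequests on the Service side) are concurrency knobs that can only be tuned sensibly once the other party to the deadlock is known. SQL Server already records every deadlock graph in its system_health Extended Events session. The script below is an added example (not from the original post or from MIM) that pulls those graphs and reduces each to the processes, procedures and locked objects involved. It assumes the SqlServer module (Invoke-Sqlcmd), VIEW SERVER STATE on the FIMService instance, and $instance is a placeholder.

```powershell
# Added example, not from the original post. Read recorded deadlock graphs from
# system_health and summarise who deadlocked with whom, on what.
# Placeholder: $instance. Requires SqlServer module and VIEW SERVER STATE.
$instance = 'mimsql.domain.org'

$query = @'
;WITH rb AS (
    SELECT CAST(st.target_data AS xml) AS TargetData
    FROM sys.dm_xe_session_targets AS st
    JOIN sys.dm_xe_sessions AS s ON s.address = st.event_session_address
    WHERE s.name = N'system_health' AND st.target_name = N'ring_buffer')
SELECT x.value('(@timestamp)[1]', 'datetime2')                         AS EventTime,
       CAST(x.query('(data/value/deadlock)[1]') AS nvarchar(max))      AS DeadlockGraph
FROM rb
CROSS APPLY rb.TargetData.nodes('RingBufferTarget/event[@name="xml_deadlock_report"]') AS t(x)
ORDER BY EventTime DESC;
'@

function Get-DeadlockSummary {
    param([string]$DeadlockXml, [datetime]$When)
    [xml]$g = $DeadlockXml
    $victimIds = @($g.deadlock.'victim-list'.victimProcess | ForEach-Object { $_.id })

    # One row per participating session: was it the victim, what stored procedures
    # were on its stack, and what it was waiting for.
    $processes = foreach ($p in $g.deadlock.'process-list'.process) {
        $stack = @($p.executionStack.frame | ForEach-Object { $_.procname } | Where-Object { $_ }) | Select-Object -Unique
        [pscustomobject]@{
            IsVictim  = ($victimIds -contains $p.id)
            Spid      = $p.spid
            Isolation = $p.isolationlevel
            Procs     = ($stack -join ' > ')
            WaitsOn   = $p.waitresource
        }
    }
    # The lock resources (keylock / pagelock / objectlock ...) and their objects.
    $resources = foreach ($r in $g.deadlock.'resource-list'.ChildNodes) {
        '{0} on {1} ({2}) mode={3}' -f $r.LocalName, $r.objectname, $r.indexname, $r.mode
    }
    [pscustomobject]@{ When = $When; Processes = $processes; Resources = $resources }
}

# -MaxCharLength matters: the default 4000 would truncate the XML and break parsing.
$rows = Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $query -MaxCharLength ([int]::MaxValue)
foreach ($row in $rows) {
    $s = Get-DeadlockSummary -DeadlockXml $row.DeadlockGraph -When $row.EventTime
    '==== {0:u} ====' -f $s.When
    $s.Processes | Format-Table -AutoSize | Out-String
    $s.Resources
}
```

The ring buffer holds only recent events; for a longer history read the session's event_file target with sys.fn_xe_file_target_read_file instead. What to look for in the output is whether the other process is also inside fim.CalculateRequestSetTransitionsStatementEvaluation (parallel export requests evaluating set transitions against the same 3,000 criteria-based groups, which is what the asynchronous/aggregate settings control) or something else entirely, such as a Sync-side import or a maintenance job, which no amount of MIM config tuning will fix.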

Reference attribute retaining old value in metaverse


I have a reference attribute called "teamLeader" in the Metaverse, which is being imported from the FIM management agent and no other flow.

If the value in FIM is null, the previous value in the metaverse is not cleared:

If I check the MV object, I see that the value is contributed by FIM:


However, if I check the FIM MA connector space, I don't see the attribute at all (since it's null).

The only import flow defined is from the FIM MA, and it's a simple direct flow.

Is there any way I can force a cleanup of this attribute?

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm



syncing to two different locations


A third-party app creates accounts in an Active Directory OU (let's say OU-1). After creation, some accounts get moved to a different OU (let's say OU-2) for business purposes.

Currently we are using FIM to sync some attributes to OU-1 in AD. FIM does not create accounts but merely syncs a few attributes. The issue is that the users who get moved to the other OU don't get synced with the attribute info.

Would including the second OU (OU-2) in the AD management agent be the recommended approach? Would that cause sync errors during the run?


Device Admin for Local Admin Group not working


Hi All,

Like many companies, I imagine, we don't want the majority of our users having local admin rights on their laptops; however, we still need a local admin on those devices to be able to support them (which we will also share with our MSP).

So I found the section for Device Administrators, and from everything I have read anyone assigned to this group should become a local admin. However, we created a new account localadmin@ and assigned it to this group months ago (it kind of fell off the priority list for a while), and I just had a chance to check and it's not visible in the local users group on my laptop.

So I guess firstly is there something I may have missed, or secondly am I using this in the wrong way?

Steps:

- go to Dashboard\Devices\Device Settings

- click Manage Additional local administrators on all Azure AD joined devices

- click Add assignments

- Add Localadmin@ User and save
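Not seeing the account by name in Local Users and Groups is expected even when the assignment works: on an Azure AD joined device the Administrators group contains the Azure AD role SIDs (S-1-12-1-...) for Global Administrator and Azure AD Joined Device Local Administrator, not the individual users holding those roles, and a user picks up the role from their token when they sign in. The script below is an added example (not from the original post) that lists the local Administrators group with SIDs and classifies each entry, so you can confirm the role SIDs are present; run it in an elevated PowerShell session on the device.

```powershell
# Added example, not from the original post. Show who is in the local Administrators
# group on an Azure AD joined device, including the cloud role SIDs that lusrmgr.msc
# does not resolve to a name.
function Get-LocalAdminReport {
    $members = try {
        # Get-LocalGroupMember throws on some AAD-joined devices when a SID in the
        # group cannot be resolved; fall back to net.exe output in that case.
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Source = [string]$_.PrincipalSource } }
    } catch {
        (& net.exe localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)' } |
            ForEach-Object {
                $name = $_.Trim()
                $sid = if ($name -match '^S-1-') { $name } else {
                    try {
                        (New-Object System.Security.Principal.NTAccount($name)).
                            Translate([System.Security.Principal.SecurityIdentifier]).Value
                    } catch { $null }
                }
                [pscustomobject]@{ Name = $name; SID = $sid; Source = 'net.exe' }
            }
    }

    foreach ($m in $members) {
        $kind = switch -Regex ([string]$m.SID) {
            '^S-1-12-1-'        { 'Azure AD principal or role SID'; break }
            '^S-1-5-21-.*-500$' { 'Built-in local Administrator'; break }
            '^S-1-5-21-'        { 'Local or domain account/group'; break }
            default             { 'Other / unresolved' }
        }
        [pscustomobject]@{ Name = $m.Name; SID = $m.SID; Source = $m.Source; Kind = $kind }
    }
}

Get-LocalAdminReport | Format-Table -AutoSize
```

If two S-1-12-1 entries are present, the portal setting has reached the device; sign in as localadmin@ and run whoami /groups to confirm the Administrators group is in that user's token. Two caveats a practitioner would check before anything else: the "additional local administrators" setting applies to Azure AD joined devices only (not hybrid joined or registered ones), and role membership is evaluated at sign-in, so an assignment made while the user is already signed in shows up on the next sign-in.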


Windows Hello for Business


Hello everybody,

I have a question regarding authentication via Windows Hello for Business. When authenticating to your pro computer and pro applications using Windows Hello for Business, how long does the authentication remain valid before you need to authenticate again? 
How long is the login token valid if the session remains open? 

Thank you

Is AD FS required for computer certificates (not user) for Office 365 Authentication

Active Directory Groups Management


Hi,

I am trying to find a way to manage my Azure AD groups. There seem to exist a lot of unused groups, but no way to organize them properly. 

Kindly help.

KB458922 patch released - do we need to "undo" the work-around


The KB458922 patch for MIM has been released to deal with the SharePoint issue (and some other items).


What I cannot find anywhere is whether I need to remove the work-around given to us in KB458798 or if it should remain in place. I'm guessing the installer will not just "remove" that entry, but will it be an issue if it's still in place after the patch?

My experience with the work-around is that if I turn off the "custom error" pages, the site does not load correctly, and this can be very useful for troubleshooting issues!

