Channel: Forum Microsoft Identity Manager

PCNS Service (pcnssvc.exe) is crashing after configuring target


Hi,

I am having some difficulty setting up the PCNS. I noticed that every time I configure or add the PCNS target, the PCNS service (pcnssvc.exe) crashes. If I remove the target, the PCNS service runs just fine. Has anyone experienced this?

Looking at the event viewer, this is what I can see. There is not much information telling what the reason for the service crash is.

Faulting application name: pcnssvc.exe, version: 4.1.3114.0, time stamp: 0x50ad5a0d
Faulting module name: pcnssvc.exe, version: 4.1.3114.0, time stamp: 0x50ad5a0d
Exception code: 0xc0000005
Fault offset: 0x0000000000027880
Faulting process id: 0x1af4
Faulting application start time: 0x01d0f50ec3aa1c95
Faulting application path: C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe
Faulting module path: C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe
Report Id: 028a4c56-6102-11e5-80d3-3ca82a2117f7
Faulting package full name: 
Faulting package-relative application ID: 


Appreciate any help here.

Thanks!

Gerard


MIM 2016 - recommended scaleout for high volume installations


We have a scenario where we are looking at an installation of several thousands of users. What are the scaling recommendations for MIM 2016?

I mean, installing the components by themselves is a thought we have at the moment:

1+ windows 2012 server - mim sync

1+ windows 2012 server - mim service

1+ windows 2012 server - mim portal

Is it maybe wise also to have different database hosts for the MIM sync / service databases?


MIM and Oracle DB integration and existing users


Hi to all!

I'm in the process of integrating an existing AD and an HR system based on Oracle DB.

I want to sync users from Oracle to AD, but at this moment we already have all users in AD.

What would be the best way to do such a sync?

As I understand it, when we start provisioning, MIM will try to create all users in AD again?

Thanks!



Recommended configuration for User Provisioning on Isolated Environment


Hi gents,

We use FIM 2010 to manage identity lifecycle management in our “secure environment” but lately, for business needs, we have started to deploy standalone Active Directory on an “isolated environment” and unfortunately, for security and operations constraints, we cannot manage and sync those isolated ADs directly with FIM.

We are thinking about exporting a users db file from FIM to the isolated environment and then developing a bunch of scripts to keep the isolated AD up to date, but I am a bit annoyed and wonder if there is a more “gentle” way to do it.

So I am looking for any kind of experience feedback, advice, or best practices to solve this issue.

Thanks in advance!

Using Granfeldt PS MA to assign Skype Dial Plan by Country (OU) and office name getting Error on Export MA-Extension-error 0x80230825


Written code to look up physicalDeliveryOfficeName to set the dial plan for Skype users in FIM based on their location. We have the import script working to do the lookup and compare. We do not use FIM Portal and are getting an error on the export script when it attempts to update the dial plan: MA-Extension-error 0x80230825. Here is a snip of the code - any thoughts?

param
(
    $username = "",
    $password = ""
)

begin
{
    Import-Module Lync
}

process
{
    $error.Clear()

    $errorstatus = "success"
    $errordetails = ""

    # Values read from the export object the MA passes in on the pipeline
    $identifier = $_."[Identifier]"
    $anchor = $_."[Anchor]"
    $samaccountname = $_.accountName
    $physicalDeliveryOfficeName = $_.physicalDeliveryOfficeName
    $SkypeDialPlan = $_.SkypeDialPlan
    $objectmodificationtype = $_."[ObjectModificationType]"
    $objectguid = $_.objectguid
    $changedattrs = $_.'[ChangedAttributeNames]'
    [bool]$SkypeUserEnabled = $_.SkypeUserEnabled

    # Dump the incoming object to disk for troubleshooting
    $_ | Out-File c:\psma\dump\$samaccountname.txt

    try
    {
        foreach ($can in $_.ChangedAttributeNames)
        {
            $can
            foreach ($ValueChange in $_.AttributeChanges[$can].ValueChanges)
            {
                if ($can -eq 'physicalDeliveryOfficeName')
                {
                    if ($objectmodificationtype -match 'Replace')
                    {
                        # physicalDeliveryOfficeName has changed and we need to update the dialplan
                        Grant-CsDialPlan -Identity $_.sipaddress -PolicyName $_.SkypeDPLookup
                    }
                }
            }
        }
    }
    catch
    {
        # The posted snippet ends inside the try block; this catch only records
        # the failure in the status variables declared above.
        $errorstatus = "error"
        $errordetails = $_.Exception.Message
    }
}


How to exclude tombstoned objects in first full import in FIM 2010 R2 SP1 FIMSynchronization from ADS


I am setting up a new FYNC sync between 2 ADs. From the newly set up ADs I am getting tombstoned objects in the Full import as group members. How do I remediate the issue?

1. Restricting access for my service account to "CN=Deleted Objects,DC=Contoso,DC=com" tombstoned objects?

2. What declared import filter I need to add in MA to exclude these objects?

PowerShell MA: problems exporting


I'm really hoping to be able to use Soren Granfeldt's Powershell MA to do some new integrations with FIM, but am having some difficulties.  My latest problem is that I get an ma.extension error, which dumps the following stack trace in the Application event log:

 "System.NullReferenceException: Object reference not set to an instance of an object.
   at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2CallExport.PutExportEntries(IList`1 csentries)
Forefront Identity Manager 4.1.3613.0"

The only thing it's trying to export right now is a change of e-mail address on a user it's done a join for (I've only got my sync rule applied to one person at the moment), so I wouldn't think it would be a provisioning problem?  I've commented out the majority of my code in my export script so I'm reasonably certain it's not a PS code problem.

Sync rule:

firstName -> first_name
lastName -> last_name
mail -> email
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> username
[init flow only] LowerCase(accountName)+"@uwrf.edu" -> dn

I'm excited about the possibilities, but frustrated.  I'd be happy to post additional details but I'm not sure what would be helpful.

-Robert

query regarding Microsoft Test manager tool


I have a query regarding the Microsoft Test Manager tool. Can you please provide an answer to my query?

I have 3 resources in my test team & I want to use Microsoft Test manager tool in my project.

Do I need to purchase 3 separate licenses for individuals or only one license can be shared by the all 3 members?


SharePoint 2013 ClickJacking Issue on Port 5725 & 5726 FIM Services


Hello,

We are running into a very critical issue. We need your kind thoughts; please review the details below.

Background : We are running a SharePoint 2013 on-premises farm with 2 WFEs, 2 APPs and 1 DB server. As per the architecture we are running User Profile Service on APP1 & APP2 and User Profile Synchronization Service on the APP1 server. Everything is running smoothly and AD profiles are syncing with SharePoint 2013.

Problem : We ran a security scan using a third party tool which scanned the whole farm and pointed out a few vulnerabilities in the servers. Most of them are fixed. However, it's pointing to http://localhost:5725 or http://MyServerIP:5725, saying that it's allowing ClickJacking on this URL. This vulnerability is appearing only on the server that is running User Profile Synchronization Service (i.e. APP1). I am unable to find this binding in IIS with any site or web service. Research on Google says that it belongs to Forefront Identity Manager Synchronization Service, which connects with AD for User Profile Synchronization Service.

I can see Inbound Rules in  firewall and found that this port is allowed with below name.

ILM Web Service - RMS  (Port 5725)

ILM Web Service - STS   (Port 5726)

Question : Any idea how I can get to the source of this service or prevent ClickJacking?

I'll be glad to provide more details on it and am really thankful for your kind thoughts.

Regards,

Muhammad Zeeshan Tahir

FIM 2010 R2 Add-ins and Extensions + Outlook 2016


Is FIM 2010 R2 getting support for Outlook 2016 like MIM 2016 got? Or is there some unsupported way to get the add-ins and extensions to be installed on a client that has Outlook 2016?

FIM2010 - Lotus Domino Connector - Group Rename Issue


Hi Guys,

At a customer I have an issue with the Lotus Domino Connector whilst trying to rename a Lotus Notes Group.

When I export the change I get the following error during the export: The given Key was not present in the dictionary.

I used debugViewer to check if there is any more information before the error and there is none specific.

The error in the MA is :

System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
   at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoGroup.UpdateGroupAttributesByUNID(CSEntryChange csentry, IDictionary`2 schema, Context exportContext, IDictionary`2 deleteInfo)
   at Microsoft.IdentityManagement.MA.LotusDomino.Core.Group.ExportEntry(CSEntryChange csentry, Context exportContext, List`1 listChangeResult)

The error in debug viewer is:

[6220] Message: The given key was not present in the dictionary. 
[6220] Exception root Exception type: System.Collections.Generic.KeyNotFoundException 
[6220] Source: mscorlib 
[6220] Stack Trace:    at System.Collections.Generic.Dictionary`2.get_Item(TKey key) 
[6220]    at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key) 
[6220]    at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoGroup.UpdateGroupAttributesByUNID(CSEntryChange csentry, IDictionary`2 schema, Context exportContext, IDictionary`2 deleteInfo) 
[6220]    at Microsoft.IdentityManagement.MA.LotusDomino.Core.Group.ExportEntry(CSEntryChange csentry, Context exportContext, List`1 listChangeResult) 
[6220] Target Site: get_Item 


I was wondering if anybody could give me any pointers on how to solve this problem (Maybe a missing attribute,...) I have checked the group exists in Lotus Notes because I imported it from there.

There is no error on the Lotus Notes side as it does not arrive to Notes.

I am using Lotus Client 9.0 and domino server 8.6FP6

My FIM 2010 R2 version is  4.1.3671.0

My Lotus Domino Connector is 1.1.117.0

Any help would be appreciated. I have been trying to solve this problem for a few days now with no luck.

Thanks

Sylvan

Problem with radio button on FIM Custom activity UI


Hi,

 

I have developed a new custom activity for FIM and deployed it. In the activity UI, we provide three radio buttons to select different options. The activity UI looks like below:

 

For Option 1 selection, the activity receives the string Option 1 and so on for other options. Based on that value, we run different business logic in the activity. However, I am facing issues when I select Options 2 and 3. When I select Option 2 or 3, it gets selected and the value received in the activity during execution is also proper. However, when I open the workflow to check what Option we have selected, then the UI always displays "Option 1" though it is sending values for Option 2 and 3 as expected during execution.

 

How do I persist the selection on the Activity UI for different options?

 


Reference in MIM


Hello!

Can anybody advise what to do in such a case:

I have 2 Oracle HR tables

First:

  1. UserID
  2. Division ID
  3. ManagerID

Second:

  1. DivisionID
  2. Division Description

How can I populate user info in the MV if I need to have information about the account in this form:

  1. UserID
  2. Division Description

As I understand it, I need to use 2 references, but to different objects.

I can't find such examples in a guide and don't know if it can work.

Thanks!





Problem with radio button selection on FIM Custom activity UI


Hi,

 I have developed a new custom activity for FIM and deployed it. In the activity UI, we provide three radio buttons to select different options. The activity UI looks like below:

For Option 1 selection, the activity receives the string Option 1 and so on for other options. Based on that value, we run different business logic in the activity. However, I am facing issues when I select Options 2 and 3. When I select Option 2 or 3, it gets selected and the value received in the activity during execution is also proper. However, when I open the workflow to check what Option we have selected, then the UI always displays "Option 1" though it is sending values for Option 2 and 3 as expected during execution.

Below is the UI code for the activity:

public static DependencyProperty ActivityNameProperty = DependencyProperty.Register("ActivityName", typeof(System.String), typeof(CustomActivity));
[Description("Please specify the target attribute")]
[DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)]
[Browsable(true)]
public string ActivityName
{
    get
    {
        return ((String)(base.GetValue(CustomActivity.ActivityNameProperty)));
    }
    set
    {
        base.SetValue(CustomActivity.ActivityNameProperty, value);
    }
}

 static string[] ActivityNames = new string[]
{
    "Option1","Option2","Option3"
};

public class CustomActivitySettingsPart : ActivitySettingsPart
{

   public override Activity GenerateActivityOnWorkflow(SequentialWorkflow workflow)
   {
       if (!this.ValidateInputs())
       {
           return null;
       }
       CustomActivity changeActivity = new CustomActivity();
       changeActivity.ActivityName = this.GetRadioSelection("activityToRun");
       return changeActivity;
   }

   public override void LoadActivitySettings(System.Workflow.ComponentModel.Activity activity)
   {
       CustomActivity changeActivity = activity as CustomActivity;
       if (changeActivity != null)
       {
           this.SetRadioSelection("activityToRun", changeActivity.ActivityName);
       }
   }

   public override ActivitySettingsPartData PersistSettings()
   {
       ActivitySettingsPartData data = new ActivitySettingsPartData();
       data["ActivityName"] = this.GetRadioSelection("activityToRun");
       return data;
   }

   public override void RestoreSettings(ActivitySettingsPartData data)
   {
       if (data != null)
       {
           this.SetRadioSelection("activityToRun", (string)(data["ActivityName"]));
       }

   }

   public override void SwitchMode(ActivitySettingsPartMode mode)
   {
       bool readOnly = (mode == ActivitySettingsPartMode.View);
       this.SetRadioListReadOnlyOption("activityToRun", readOnly);
   }

   public override string Title
   {
       get { return "My custom activity"; }
   }

   public override bool ValidateInputs()
   {
       return true;
   }

   /// <summary>
   ///  Creates a Table that contains the controls used by the activity UI
   ///  in the Workflow Designer of the FIM portal. Adds that Table to the
   ///  collection of Controls that defines each activity that can be selected
   ///  in the Workflow Designer of the FIM Portal. Calls the base class of
   ///  ActivitySettingsPart to render the controls in the UI.
   /// </summary>
   protected override void CreateChildControls()
   {
       Table controlLayoutTable;
       controlLayoutTable = new Table();

       //Width is set to 100% of the control size
       controlLayoutTable.Width = Unit.Percentage(100.0);
       controlLayoutTable.BorderWidth = 0;
       controlLayoutTable.CellPadding = 2;

       controlLayoutTable.Rows.Add(this.AddTableRowRadioList("Please select one option", "activityToRun", ActivityNames, ActivityNames[0]));
       this.Controls.Add(controlLayoutTable);

       base.CreateChildControls();
   }

   #region "Radio Functions"
   private TableRow AddTableRowRadioList(String labelText, String controlID, String[] radioOptions, String defaultValue)
   {
       TableRow row = new TableRow();
       TableCell labelCell = new TableCell();
       TableCell controlCell = new TableCell();
       Label label = new Label();
       RadioButtonList radioList = new RadioButtonList();

       label.Text = labelText;
       label.CssClass = base.LabelCssClass;
       labelCell.Controls.Add(label);
       radioList.ID = controlID;
       foreach (String Item in radioOptions)
       {
           radioList.Items.Add(new ListItem(Item, Item));
       }
       radioList.SelectedValue = defaultValue;
       radioList.RepeatDirection = RepeatDirection.Vertical;
       controlCell.Controls.Add(radioList);
       row.Cells.Add(labelCell);
       row.Cells.Add(controlCell);
       return row;
   }

   private String GetRadioSelection(String radioListID)
   {
       RadioButtonList radioList = (RadioButtonList)this.FindControl(radioListID);
       return radioList.SelectedValue;
   }
   private void SetRadioSelection(String radioListID, String radioSelection)
   {
       RadioButtonList radioList = (RadioButtonList)this.FindControl(radioListID);
       // Nothing can be selected if the control has not been created yet;
       // the original else branch dereferenced the null reference here.
       if (radioList != null)
       {
           radioList.SelectedValue = radioSelection;
       }
   }

   private void SetRadioListReadOnlyOption(String radioListID, bool readOnly)
   {
       RadioButtonList radioList = (RadioButtonList)this.FindControl(radioListID);
       radioList.Enabled = !readOnly;
   }
   #endregion
}

Please let me know if I have missed anything in the UI code. When the activity reloads, it always displays the first option as selected.

Email Templates and UTC format


Hi,

We are sending out an email notification to a manager 2 weeks before a contractor is to be terminated.

The email notification depicts the date/time in UTC...not in the time zone we are in (e.g. UTC -7), but in UTC.

This has the possibility of confusing people.

Is there a way to correct this UTC time in the email template to reflect the correct time zone (e.g. UTC -7)?

Thank you,

SK


Setspn Unknown Parameter


Hi,

Just going through the "Before you begin" section of FIM setup. We are planning to use a hardware load balancer, and this has been configured and the relevant 'A' record created in DNS. We next go to a DC and try to register the SPN for this new NLB name as follows:

  • setspn –S FIMService/IDM.company.com domain\FIMSync
  • setspn –S FIMService/IDM domain\FIMSync
  • setspn –S HTTP/IDM.company.com domain\FIMWSS
  • setspn –S HTTP/IDM domain\FIMWSS

When we run the first setspn registration we get the error message:

  • Unknown Parameter FIMService/IDM.company.com. Please check your usage.

 

We also tried running it like this:

  • setspn –A FIMService/IDM.company.com domain\FIMSync

But the same error message appears.

Any ideas?

thank you

References Scoping


Hi

I have three entity Types within the same connector space (CS). Two are mapped to the same Metaverse (MV) Entity:
CS User -> MV Person
CS Contact -> MV Person

CS Organization -> MV Organization

Now my Problem: MV Organization references to a MV Person. I would like to flow that information to CS using Synch engine only (no FIMService, no syncRules, no Flow Scope - means coding, which is normally not a problem to me). Using direct flows I get ambiguous flows as expected. So I need an advanced rule. But since I cannot use a MV Reference Attribute as Source-Attribute in an Advanced Export flow things get complicated.
What's the best option?

thanks for your help

Pirmin

Password RESET site is unavailable


Hello,

I am receiving "This page cannot be displayed" while accessing SSPR sites. Please note that I have checked that the application pools and services are up and running.

Kindly suggest.

Regards,

Suman

Default member and owner while Group creation

While creating a group in FIM, in the wizard, I see that my logged in account is added as the group member and owner by default. Every time I have to delete them and add members/owners as required. Is there a way to get rid of this default value?

Generic SQL connector - Deleting all values of a multivalue reference attribute is not represented in export


Hello All,

TLDR; Upon deleting ALL entries of a multivalued reference attribute, the Generic SQL connector does not export the changes. Removing only some of the entries works fine. Reproduction steps at the end.

We have 3 management agents:

  • MA connected to an authoritative datasource for users
  • Access Management MA connected to Bhold for Role Based Access Control
  • Generic SQL MA connected to the destination datasource which is also the source of 'permissions' (being groups in MV & BHOLD)

We provide users from the first MA, and permissions from the Generic SQL MA. Then we use BHOLD to assign these permissions to the user roles. In the MetaVerse BHOLD permissions are translated into group objects. The users that have these permissions are stored in a multivalued reference attribute (called UserID) of each corresponding group object.

These group objects later update their permissions in the Generic SQL connectorspace via a basic attribute flow (allow nulls is checked). Afterwards they get exported to the destination datasource and we can verify that the permissions are assigned to the users.

Everything works like a charm except when we remove a certain permission from ALL users in BHOLD (removing the permissions from some users works fine). In the MetaVerse this translates in the removal of all values from the multivalued reference field (and again, leaving just 1 or more values present works fine).

This works like a charm and propagates properly to the datasource

delete some users

This does not work (note that this screenshot was taken after we removed the first two entries shown in the screenshot above thus only one entry is present).

delete all  users

We expect the cause to be a not implemented scenario (bug?) in the Generic SQL connector. Upon debugging the code of the generic SQL connector using reflection we encountered the code below. Since we have a multivalued attribute we enter the first (highlighted) if-statement. Once inside it counts the 'ValueChanges' of the attribute, but apparently this count returns zero, causing the code to pass the two next if statements.

A result of this is represented in the export run profile logfile you can find below. The former logfile removes all but one entry of the reference field and the latter removes all of them. As you can see the '<dn-attr>' element in the latter is empty (which according to us is originating in the code above).

Export log file upon removing some entries:

<?xml version="1.0" encoding="UTF-16"?><mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export"><directory-entries><delta operation="update" dn="CN=G01,OBJECT=role"><anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor><dn-attr name="UserID" operation="update" multivalued="true"><dn-value operation="delete"><dn>CN=U02,OBJECT=user</dn><anchor encoding="base64">CAAAAFUAMAAyAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value><dn-value operation="delete"><dn>CN=U03,OBJECT=user</dn><anchor encoding="base64">CAAAAFUAMAAzAAAACgAAAHUAcwBlAHIAAAA=</anchor></dn-value></dn-attr></delta></directory-entries></mmsml>

Export log file upon removing ALL entries:

<?xml version="1.0" encoding="UTF-16"?><mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export"><directory-entries><delta operation="update" dn="CN=G01,OBJECT=role"><anchor encoding="base64">CAAAAEcAMAAxAAAACgAAAHIAbwBsAGUAAAA=</anchor><dn-attr name="UserID" operation="delete" multivalued="true"></dn-attr></delta></directory-entries></mmsml>

Is this some mistake or a not implemented scenario in the Generic SQL connector, and if so, where do I report this? Since we only got part of the code using reflection, is it possible to obtain the source code for the Generic SQL Connector so we can investigate further?

Reproduction Steps :

  1. Create accounts in the source system
  2. Create permissions in the destination system
  3. Import both the accounts and the permissions
  4. Synchronize both accounts and permissions to the MV (they will get provisioned to BHOLD through a MV-extension)
  5. Export to BHOLD
  6. Assign a couple of roles to the permissions in BHOLD
  7. Import from BHOLD
  8. Synchronize BHOLD MA (groups will contain their member ID's in the destination CS)
  9. Export the destination MA (+ confirming import)
  10. Remove all roles from the BHOLD permission
  11. Import from BHOLD (group objects will have no members in BHOLD CS)
  12. Synchronize BHOLD MA (group objects will have no members in the MV and destination CS)
  13. Export the destination MA
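
The difference between the two export logs quoted in the post can be checked mechanically. The following is an added example, not part of the original post and not the connector's code: it parses mmsml export logs and flags attribute-level deletes on reference attributes that carry no `dn-value` entries, which is the case the post reports as not reaching the destination, so that such revocations can be reconciled against the target by hand. The function names are assumptions, and the sample logs are the post's two logs with the anchors and XML declaration removed.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://www.microsoft.com/mms/mmsml/v2"}

# Constructed samples: the two export logs from the post with the <anchor>
# elements and the XML declaration removed.
_HEAD = ('<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">'
         '<directory-entries><delta operation="update" dn="CN=G01,OBJECT=role">')
_TAIL = '</delta></directory-entries></mmsml>'

LOG_SOME_REMOVED = (
    _HEAD
    + '<dn-attr name="UserID" operation="update" multivalued="true">'
    + '<dn-value operation="delete"><dn>CN=U02,OBJECT=user</dn></dn-value>'
    + '<dn-value operation="delete"><dn>CN=U03,OBJECT=user</dn></dn-value>'
    + '</dn-attr>' + _TAIL
)
LOG_ALL_REMOVED = (
    _HEAD
    + '<dn-attr name="UserID" operation="delete" multivalued="true"></dn-attr>'
    + _TAIL
)


def reference_changes(log_xml):
    """Return one record per <dn-attr> found in an mmsml export log.

    Accepts str or bytes; pass the raw bytes of a log file so that its
    UTF-16 declaration is honoured by the parser.
    """
    root = ET.fromstring(log_xml)
    records = []
    for delta in root.iterfind(".//m:delta", NS):
        for attr in delta.iterfind("m:dn-attr", NS):
            values = [
                (v.get("operation"), v.findtext("m:dn", default="", namespaces=NS))
                for v in attr.iterfind("m:dn-value", NS)
            ]
            records.append({
                "dn": delta.get("dn"),
                "attribute": attr.get("name"),
                "operation": attr.get("operation"),
                "values": values,
            })
    return records


def whole_attribute_deletes(log_xml):
    """Records where the whole attribute is deleted and no per-value
    <dn-value> entries are listed (the 'remove ALL entries' log shape)."""
    return [
        r for r in reference_changes(log_xml)
        if r["operation"] == "delete" and not r["values"]
    ]


if __name__ == "__main__":
    for name, log in (("some removed", LOG_SOME_REMOVED),
                      ("all removed", LOG_ALL_REMOVED)):
        flagged = whole_attribute_deletes(log)
        print(name, "->", len(flagged), "attribute-level delete(s) to reconcile")
        for r in flagged:
            print("   ", r["dn"], r["attribute"])
```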
