Channel: Forum Microsoft Identity Manager

FIM / MIM Provisioning users/rights to Oracle/MS SQL DB


Hello!

Does anybody have any experience with provisioning users (or access rights) from FIM to Oracle DB or Microsoft SQL DB?

For example, I need to automate user management in a connected system, which stores user accounts and access rights in its own DB.

Is this possible?

 Thanks!





FIM Synchronization Manager operations grid flickering/refreshing constantly


Hello,

For some time I have been encountering an issue which gets more and more annoying, especially when one needs to analyse some run history details. The Operations table is being refreshed every couple of seconds and it causes a refresh of all other controls (the ones containing errors and statistics). Has anybody encountered this as well? Any fixes?


I don't remember this happening in the past; I think I encounter it only in more recent versions of FIM/MIM and/or Windows (2012/2012 R2). But it might not be related.

Thanks for any clues.

Regards,

T

Configure Management Agent 'Connect to...' Credentials with Powershell


I am currently working to try and design a PowerShell script to change the credentials of our management agents. We utilize a service account for the management agents to connect to our SQL Database (for the SQL agents) and to connect to our Active Directory Forest (for the Active Directory agents). The password for this service account is changed on a schedule, but this requires manually updating the password for each agent via the Management Agent Designer. I would like to roll this task into a script to expedite and simplify the process.

After some research, so far I am able to enumerate the management agents:

#Get wmi object for management agents
$MAs = get-wmiobject -class "MIIS_ManagementAgent" -namespace "root\MicrosoftIdentityIntegrationServer"

#Iterate and perform respective actions on AD and SQL agents
foreach ($MA in $MAs)
{
  if ($MA.type -eq "Active Directory")
  {
    #Looking for actions to perform here
  }

  elseif ($MA.type -eq "SQL Server")
  {
    #Looking for actions to perform here
  }
}


After much research, I'm having a difficult time locating an object or a method which can make the change I'm aiming for and was hoping to try and get some insight.

Regards,

PCNS Service (pcnssvc.exe) is crashing after configuring target


Hi,

I am having some difficulty setting up the PCNS. I noticed every time I configure or add the PCNS target, the PCNS service (pcnssvc.exe) is crashing. If I remove the target, the PCNS service will run just fine. Has anyone experienced this?

Looking at the event viewer, this is what I can see. There is not much information telling what the reason for the service crash is.

Faulting application name: pcnssvc.exe, version: 4.1.3114.0, time stamp: 0x50ad5a0d
Faulting module name: pcnssvc.exe, version: 4.1.3114.0, time stamp: 0x50ad5a0d
Exception code: 0xc0000005
Fault offset: 0x0000000000027880
Faulting process id: 0x1af4
Faulting application start time: 0x01d0f50ec3aa1c95
Faulting application path: C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe
Faulting module path: C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe
Report Id: 028a4c56-6102-11e5-80d3-3ca82a2117f7
Faulting package full name: 
Faulting package-relative application ID: 


Appreciate any help here.

Thanks!

Gerard

PAM project duration?


Hi,

I know this is a hard question - but anyone got an idea on what a typical PAM project might take (days/effort/duration)?

Typical project would include:

  • Planning, analysis, design, development, testing, production deployment, supporting documentation, training

With a PAM project, there is another forest, another MIM instance, tweaking the existing Forest AD Groups, etc etc

Then it also depends on the number of privileged accounts, groups and the complexity of the PAM/MIM Policies.

So does anyone have any idea on duration? Or is this another "how long is a piece of string" discussion?

Thanks,

Sk

Unable to Process your Request


Hi,

We have 2 instances of FIM (Portal+Service) installed in our QA environment. One for Admin and other for User. Now when I place a request in FIM to add a user to group, it places request successfully. End user is able to approve the request as well.

Now we have a PowerShell script to add users to a group, and when that is used, requests get placed successfully but the approver is unable to approve the request. When he tries to submit the request he gets a pop-up stating "Unable to Process the request". This only happens when the request is placed via PowerShell.

The difference I see between both requests, i.e. the request raised directly and the request raised via script, is that the "Create Approval" request created in FIM has 2 different endpoint addresses referenced. PowerShell uses the Admin instance of the FIM portal and the normal request has the endpoint address as the User instance. The PowerShell script does not have any reference to an endpoint address, so I am not sure why the differentiation is happening.

I checked for many other blogs regarding this issue and checked all config. Everything looks perfect. I do not see any logs logged in event viewer as well. The only error I get at the end of PS script execution is as below:

Unknown exception occurred when processing SOAP message from FIM. View the FIM error and debug logs for trouble shooting information.

The same PowerShell code works well in the DEV environment and we are able to approve requests there.

I have spent 2 full days on solving this but with no success. Can someone help me here?

Thanks,


Veena

MIM Azure MFA licensing via EMS


Hi all,

Can anyone clarify how licensing users to perform password reset via Azure MFA works?

I understand you can configure and pay for Azure MFA for per-user or per-authentication, but what about in an EMS scenario where the user is already subscribing to Azure MFA via an active EMS subscription?  I can see nothing in the registration process that "ties" the two identities together.  So is it really the case that MIM MFA incurs additional cost?

Many thanks,

Paul.

MIM Portal - Responsive design


Hi all,

I was wondering if the MIM portal could be made a responsive design. I know that it is not such a responsive design, but would there be a way to make the portal a responsive design?

As it is running under SharePoint Foundation, I was wondering if this project on CodePlex would help: https://responsivesharepoint.codeplex.com/releases/view/114361

Thanks in advance for any insight on this matter.

Sylvan


In fim portal - user card - roles tab, one service roles block is not showing


With a regular FIM user in portal > user card > roles tab, one roles block is not showing, but with administrator it's there. What can be wrong?

Workflows in Web Service configuration Tool


Hi everyone:

Does anybody know of some documentation or an example about how to create workflows in the Web Service Configuration Tool from the web service connector in Forefront Identity Manager?

Thanks in advance

Regards


FIM

AD Management Configuration - decommissioning Windows Server 2008


Hi All,

We are in the process of decommissioning Windows Server 2008. What checks do we need to perform from the FIM side?

In the environment, the AD management connection is to the forest and domain, and no hard-coded DC is mentioned.

When 2008 is decommissioned, does the AD Management Agent auto-discover Server 2012?

The last used DC is a 2008 server, and the option to use a preferred domain controller is unchecked.

I want to understand how the AD Management Agent auto-discovers.


Please advise.

Regards,
Anirban Singha

How do I debug this error "Error in Resource Control"


I am using MIM 2016 and it is patched to the latest hotfix roll out. Build 4.3.2266.0

I have created my AD MA. I now want to create an Inbound/Outbound sync rule to provision to AD.

When I access the scope tab, I can complete the Metaverse resource type drop-down and the External system drop-down, BUT when I try to complete the External System resource type, it just hangs and doesn't show any options. After furious clicks I get a popup saying Error in Resource control. But I can complete sync rules for other MAs, just not the AD MA.

Event Viewer shows,  as a Warning!

The portal was unable to complete a request and showed a user the default error page.

An unhandled exception was caught.

Check the product diagnostic log file and then check the SharePoint log file.

So which "product diagnostic log file" should I be looking for?

The SharePoint log doesn't seem to give any information why this error is shown.

Missing search request logs


When the metaverse updated FIM, I don't see the logs in search requests. Please let me know if I am missing something.

FIM has value 'A'

AD (di and ds) - triggered the value to be 'B' in FIM.

FIMMA (ex_di) - updated the value B in fim but I don't see the logs in search requests.

The FIM portal has the value B but no logs. What am I missing?

Contributing datetime values to the FIM Portal

 FIM Knowledge Bit

 

Getting datetime values into the portal is a tricky thing - you need a very specific ISO8601 format with three digits of fractional precision:
yyyy-MM-ddTHH:mm:ss.fff

This post talks about how to do this from C# and TSQL, the two most common methods you will likely use when transforming data through the Sync Service:
http://www.identitychaos.com/2010/01/fim-2010-contributing-datetime-values.html

C#

DateTime dtFileTime = DateTime.FromFileTime(csentry[strSourceAttribute].IntegerValue);
// Convert to UTC, format string using custom format similar to round trip "o" format
// NOTE: SQL's precision for fractional time makes storage and confirmation of anything more than two digits problematic
//   It's better to simply enforce .000 for fractional time here since it's not absolutely critical
mventry[strDestinationAttribute].Value = dtFileTime.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");

TSQL
SELECT
--source attribute is already datetime/datetime2
[DATE_OF_HIRE] = CONVERT(nvarchar(30), DATEADD(hour, 7, [DATE_OF_HIRE]) , 126) + '.000'
--source attribute needs to be converted to datetime2
,[TERMINATION_DATE] = CONVERT(nvarchar(30), DATEADD(hour, 7, CAST([TERMINATION_DATE] AS datetime2(7))), 126) + '.000'
FROM tMyHRSource

NOTE that you will need to adjust your TSQL code to account for your timezone.

Once you convert these values into strings within the Sync Service you can export them directly through the FIM MA to any datetime datatype.

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com

 


Exporting Employee Start Date on portal


Hello!

I have a problem with updating Employee Start Date on MIM Portal.

What is in my setup:

1. SQL table with HIRE_D column.

2. In MV employeeStartDate is filled with data from SQL table, for example 2012-07-15 00:00:00

3. Inbound Sync rule from SQL table is in such format:

function

function name = DateTimeFormat

dateTimeString:String=HIRE_D

format:String = yyyy-MM-ddTHH:mm:ss.000

linked to employeeStartDate in MV

After this configuration I can't see the employee start date filled for anyone on the MIM portal.

Can anybody help?

Thanks!




Deprovisioning accounts


Hi All

I am new to FIM and just learning the ropes.

One thing I need to get my head round is deprovisioning. Is there a tutorial on how to implement a simple deprovisioning process between, say, two systems?

Thanks!

FIM Portal - Ordering by localized displayname


Hi,

I've set up a FIM Portal with 2 languages, the first one being the default English and the second being French.

When changing my browser language, it correctly switches between the French and the English version, but there is something that bugs me.

When I use the French version on any list of objects, mostly custom ones, and then I click on "Display Name" to order them, it doesn't order the objects by their French display name but it uses the English one, even though the display name is in French.

This is causing problems for users using the portal in French because it seems to order them randomly instead of having the expected behavior.

Is this by design or is there a way to order by the language used by the user ?

Account synchronisation fails to fully provision in FIM 2010 R2 for around 1% of users, I need to perform manual edits in the FIM portal


Hi,

 I'm provisioning users to AD based on an input from a CSV file (it's actually a CSVDE). I've successfully synced around 6000 users and that has worked fine for a number of months. The process I'm using is as follows:

1. File MA --> Full import and delta sync (loads data from CSV file)
2. FIM MA --> Export, delta import and delta sync (provisions user to FIM portal)
(wait 10 minutes)
3. AD MA --> Export, delta import and delta sync (provisions user and mailbox in AD)
4. FIM MA --> Export, delta import and delta sync (updates domain attribute in FIM portal)

I'm using declarative rules, similar to this: https://technet.microsoft.com/en-us/library/ee534908(v=ws.10).aspx

The HR file is authoritative (i.e. takes precedence

Today I realised that around 50 users were provisioned to the MV, had a file MA connector and a FIM connector, but not an AD connector. Looking at the account in the FIM portal I realised that the domain attribute was not populated for contoso and that an AD outbound sync rule was not pending.

I then decided to run the synchronisation steps at 1 to 4 above, but this time used full imports and full synchronisations. After doing this the number of accounts which did not have an AD MA connector dropped to around 10 (e.g. 40 additional accounts were provisioned to AD).

To provision the remaining 10 users, I firstly deleted the 10 users from my input CSV file and ran through the sync steps above. This ensured that the 10 users were removed from the MV and FIM portal. I then re-added the 10 users to my CSV and ran through the steps above, but this did not provision the 10 users! To ensure the 10 users and their mailboxes were created in AD/Exchange I did the following:

1. Logged on the FIM portal and checked to see if an AD outbound sync rule is pending (it's not).
2. Changed the user account employee type to "contractor" (bringing the user out of scope of a sync rule using the MPR\triple).
3. On the FIM MA, performed a delta import and delta sync. The MA shows an update, but prompts for a FIM MA export back to "FullTimeEmployee" for the user as the MV value takes precedence.
3b. I perform an export and delta import on the FIM MA.
4. The user account now shows as having an AD export sync rule pending.
5. If the synchronisation step in 3A shows an outbound synchronisation for the AD MA, I simply perform a:

5a. AD MA --> export, AD delta import & AD delta sync
5b. FIM MA --> export, delta import & delta sync

If the synchronisation step in 3A does not show an outbound synchronisation for the AD MA, I do the following:

5c. Change the domain attribute for the user to "contoso" using the drop down in the FIM portal when clicking on the user.
5d. FIM MA --> delta import and delta sync (MA reports update due to 5c).
5e. FIM MA --> export, delta import and delta sync. 
5f. FIM MA --> delta import and delta sync (now the AD MA shows an outbound synchronisation)
5g. AD MA --> export, delta import and delta sync (user account and mailbox provisioned in AD)
5h. FIM MA --> export, delta import and delta sync (tidy up)

I don't know why these additional steps were required for the 10 users, it just feels as if they got stuck in the system! 

Any ideas on how to avoid this oddness would be appreciated in future...

On a slightly different note, am I right in thinking that full synchronisations and imports on valid existing objects simply updates the existing object if applicable, rather than delete and create new objects?

Thanks in advance


IT Support/Everything

Wider browser support, no ActiveX control


Hi, everybody.

We are having a request from a potential FIM CM customer, which is to support browsers besides Internet Explorer for the enrollment process, especially Firefox, which doesn't support ActiveX controls.

Are there any plans to broaden browser support?

Thank you very much,

Mario

BHOLD- users not provisioning into their OU


Hi,

I am using BHOLD access management connectors to flow my users into org units. The criteria for OU movement is set as department -> organization, but my users are not flowing into their respective organization units.

Regards,

SHAKti


shakti
