Channel: Forum Microsoft Identity Manager
Viewing all 6944 articles

Access denied on SET filter


I'm trying to use the following filter on a SET: /Person[AccountName != '&Invalid&']

But I'm only getting Access Denied. I already tried adding AccountName to "Administrator Filter Permission" but that didn't help.

Anybody?


Parent Child Domains.


I recently deployed a MIM 2016/FIM dev environment. My test users seem to be working fine in the parent domain, but users in the child domain are getting unauthorized errors at the password registration screen. When I look at users on the MIM Portal I see all my test users in the parent and child domains. The domain listed for the child domain users is the parent domain instead of the child domain. If I click on one of the users I am unable to change the domain manually because only the parent domain is listed in the domain drop-down. My Sync Service Manager is pointing to the child domain and OU and syncs with one of the child domain DCs successfully. The DN and CN are correct. Just not sure why it's showing the parent domain as the domain rather than the child domain. Any help would be much appreciated.

***Update*** So it seems if I manually go into Advanced View > Extended Attributes > Domain and type in the child domain it works. I'm not sure why it isn't automatically assigned the child domain, though.

PCNS - The password change notification target could not be authenticated


Hi everyone, I am having an issue getting PCNS up and running across two domains.

The specific error is: The password change notification target could not be authenticated.

User Action: This usually happens under the following conditions:

1. The Service Principal Name (SPN) for the target has not been assigned to the Active Directory account used to host the target process.

2. The SPN is assigned to more than one Active Directory account.

3. The SPN is not properly formatted. The SPN must use the fully qualified domain name of the target system.

4. There is more than 5 minutes of time variance between this system and the target system.

I have reviewed the above error in this forum but have not found a solution as yet. I believe it is an incorrect SPN or forest-level trust; I have double-checked everything against the PCNS documentation and as far as we can tell it is correct.

Our set up is as follows:

Domain A - Windows 2008 R2 - PCNS installed on all DCs

Domain B - Windows 2008 R2 - PCNS DISABLED on all DCs

When PCNS starts it shows correctly that it is queuing requests as expected

FIM 2010 Synch Server is in Domain B

Outgoing Domain A trust to Domain B - Forest, Transitive =Yes

Incoming Domain A trust to Domain B - Forest, Transitive = Yes


FIM Server (service running under domainB\FIMService)

- Tools > Options: "Enable Password Synch" checked

- Domain A MA - enabled as password source, Domain B MA selected as target

- Domain B MA - enable password management selected

PCNS config in Domain A:

pcnscfg ADDTARGET /N:sso-fed-app2 /A:sso-fed-app2.bpo-shared-fim.ad.hp1.com /S:PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com /FI:"Domain Users" /FE:"Domain Admins" /F:1 /I:600 /D:False /WL:20 /WI:60


Targets
  Target Name...........: SSO-FED-APP2
  Target GUID...........: 10A7BDA1-873A-4DCC-AFCD-5C7941990684
  Server FQDN or Address: sso-fed-app2.bpo-shared-fim.ad.hp1.com
  Service Principal Name: PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com
  Authentication Service: Kerberos
  Inclusion Group Name..: CORP\Domain Users
  Exclusion Group Name..: CORP\Domain Admins
  Keep Alive Interval...: 600 seconds
  User Name Format......: 1
  Queue Warning Level...: 20
  Queue Warning Interval: 60 minutes
  Disabled..............: False


On Domain B i have set
Setspn.exe -A PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com bpo-shared-fim\FIMService

Any help on this would be GREATLY appreciated

thanks, Vadiraj
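The four conditions listed in the error above can each be checked from a Domain A DC before touching the trust. The script below is an added example, not part of the original post; it assumes RSAT's ActiveDirectory module is installed on the DC, takes the SPN and target FQDN from the pcnscfg output above, and uses an assumed name (dc1.bpo-shared-fim.ad.hp1.com) for a Domain B domain controller.

```powershell
# Added example, not from the original post: check the four conditions the
# PCNS "target could not be authenticated" error lists, for one target.
# Run on a Domain A DC that has RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PcnsTarget {
    param(
        [Parameter(Mandatory)][string]$Spn,         # "Service Principal Name" from pcnscfg LIST
        [Parameter(Mandatory)][string]$TargetFqdn,  # "Server FQDN or Address" from pcnscfg LIST
        [Parameter(Mandatory)][string]$TargetDc     # any DC of the target (Domain B) forest
    )
    $r = [ordered]@{ Spn = $Spn }

    # Condition 3: the SPN must be PCNSCLNT/<FQDN of the sync server>, and the
    # host part must equal the configured target FQDN (no short name, no IP).
    $r.SpnFormatOk = ($Spn -eq "PCNSCLNT/$TargetFqdn") -and ($TargetFqdn -match '^[^.]+\..+$')

    # Conditions 1 and 2: exactly one account in the target forest may hold
    # the SPN. Query a Global Catalog (port 3268) so every domain is covered.
    $root    = (Get-ADRootDSE -Server $TargetDc).rootDomainNamingContext
    $holders = @(Get-ADObject -Server "${TargetDc}:3268" -SearchBase $root -SearchScope Subtree `
                 -LDAPFilter "(servicePrincipalName=$Spn)")
    $r.SpnHolders  = $holders.DistinguishedName
    $r.SpnUniqueOk = ($holders.Count -eq 1)

    # Condition 4: Kerberos tolerates 5 minutes of skew by default. w32tm prints
    # the remote clock's offset from this host, e.g. "12:00:01, +00.0123456s".
    $line = w32tm /stripchart /computer:$TargetFqdn /samples:1 /dataonly |
            Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    $offset = if ($line) { [double]$line.Matches[0].Groups[1].Value } else { $null }
    $r.ClockOffsetSeconds = $offset
    $r.ClockOk = ($null -ne $offset) -and ([math]::Abs($offset) -lt 300)

    # An FQDN that does not resolve from the DC also surfaces as an auth failure.
    $r.DnsOk = [bool](Resolve-DnsName -Name $TargetFqdn -ErrorAction SilentlyContinue)

    [pscustomobject]$r
}

Test-PcnsTarget -Spn 'PCNSCLNT/sso-fed-app2.bpo-shared-fim.ad.hp1.com' `
                -TargetFqdn 'sso-fed-app2.bpo-shared-fim.ad.hp1.com' `
                -TargetDc 'dc1.bpo-shared-fim.ad.hp1.com'   # assumed name of a Domain B DC
```

SpnHolders should contain exactly one DN, and it must be the account the Synchronization Service runs as: PCNS delivers notifications to the sync engine, so an SPN registered on any other account (including the MIM Service account) fails Kerberos even though it is unique. A forest-wide duplicate scan (setspn -X -F) run in Domain B complements the single-SPN query.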

  

How can Help Desk Validate Users for Password Reset


We have implemented the MIM SSPR option to allow users to reset their own passwords or unlock their accounts. 

We are looking for a solution to allow the help desk to reset a user's password if they need to call in to have the password reset. The issue is how do you validate the user who is calling in. How can we utilize MIM 2016 to help us with this?

For example, some scenarios:

Could be a user who is external and may know the answers to the questions (or not) and does not have access to get their OTP, because their external email has changed or they have a new phone number, etc.

Or

Maybe they have forgotten the answers to some of the questions, as they registered quite a while ago and have now forgotten.



PAM Module of MIM


Hi Gurus,

I have a query regarding the PAM module present in the MIM 2016 suite. Can we install the PAM module in the MIM used to manage corporate identities, or do we need to have a separate MIM on a separate server for the PAM module implementation? Couldn't see any Microsoft documentation on this scenario.

FIM Administration Portal - Unable to process your request


Recently, I posted a question asking on how to delete management agents;

https://social.technet.microsoft.com/Forums/en-US/96cc60ec-baab-4e0f-be3d-609518f4c042/unable-to-delete-management-agents?forum=ilm2

After a few days of trying to find the Administrator Account to log into the Administration Portal to attempt to follow the steps outlined in the above link, I find myself with a new issue.

1. I am trying to log into the FIM Admin Portal, which I assume the URL is: http://SERVERNAME/IndentityManagement, is this correct?

2. I get the following error message after using credentials:

Not really sure what has gone wrong here, nor how to resolve this issue.

Thanks in advance for all advice here.

SSPR integration with no PCNS and password extensions


Hi all,

I can't believe I'm having to ask this as I feel like it's something I should know, but here goes nothing...

Does FIM/MIM SSPR only reset the AD password and not recursively every supported, connected system?  We've developed a password extension for a web service implemented using ECMA and successfully tested that the password reset works when triggered through a WMI SetPassword call, but the password is not being reset when a user completes self service password reset.

Does it normally reset the password in AD, which gets communicated back using PCNS and changed in the other systems?  I guess that's not normally too much of an issue, as FIM/MIM is heavily AD-integrated, but it's interesting that I've only just come across this as an issue with our customer who is risk averse and still considering PCNS through change control in a hybrid test/development (I know, I know..), so at the moment their testing is failing.

Any clarification would be helpful just to support my findings.

Thanks,

Paul.

How do I patch/hotfix the MIM 2016 password registration/reset features?


I installed MIM 2016 from media. Installed MIM Portal/service, Password Registration, Password Reset and MIM Sync. Tested OK.

I did not install any add-ins or extensions.

Then I obtained the latest hotfix and patched the MIM Service and MIM Sync (now on build 4.3.2266.0)

Since then I have had hard times getting the Password Registration to work without 401 errors. I do not see in the Hotfix492580 folder any patch installers for Password Registration and/or Password reset. Are there any?

The only way I have found to get the Password registration to work once more is to switch in IIS8 the order Negotiate NTLM to be NTLM Negotiate.

The documentation says I should keep all parts of MIM at the same patch level... where is the PW reg hotfix???


Hotfix rollup package for Microsoft Identity Manager 2016

Hi, 

What are the proper installation instructions for the hotfix rollup packages? 
https://blogs.technet.microsoft.com/iamsupport/idmbuildversions/

Unzipping the hotfix leaves me with 16 msi and one language packs zip file.

I'm running a MIM 2016 installation with PAM and just AD and the FIM Service MAs. Should I install them all, to avoid a version mismatch or just install the relevant ones? If so.. which ARE the relevant ones for my (current) setup? 


Regards,
Andreas 

MIM 2016 - Portal Connectivity after IIS bindings


Hi,

I am currently following the MIM 2016 handbook by David Steadman and Jeff Ingalls. After adding the bindings for the password portals, whenever I try to get to the main MIM portal, it seems to get stuck in the "Waiting...." loop.

I have tried removing all of the bindings and accessing the MIM Portal again but it just seems to be hanging.

I'm not sure why it has stopped working - both the registration and reset portal were accessible without issues and are still accessible via http after removing the https bindings. 

Is there anything I can try to sort this out? I'm fearing a complete rebuild again (I've done this 5 times now!)

Hope someone can help.

Many thanks,

Stephen

Preparing PAM Server & .Net Framework issues


Hi,

I am following this guide to deploy PAM server (Win 2012 R2): 

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-3-prepare-pam-server

I am at the stage of installing SharePoint Foundation 2013.

Ran the SPS pre-req installer and here are the results of the SPS pre-req installer:

• Microsoft .NET Framework 4.5: equivalent products already installed (no action taken)
• Windows Management Framework 3.0: equivalent products already installed (no action taken)
• Application Server Role, Web Server (IIS) Role: configured successfully
• Microsoft SQL Server 2008 R2 SP1 Native Client: equivalent products already installed (no action taken)
• Windows Identity Foundation (KB974405): was already installed (no action taken)
• Microsoft Sync Framework Runtime v1.0 SP1 (x64): was already installed (no action taken)
• Windows Server AppFabric: was already installed (no action taken)
• Microsoft Identity Extensions: equivalent products already installed (no action taken)
• Microsoft Information Protection and Control Client: equivalent products already installed (no action taken)
• Microsoft WCF Data Services 5.0: equivalent products already installed (no action taken)
• Microsoft WCF Data Services 5.6: was already installed (no action taken)
• Cumulative Update Package 1 for Microsoft AppFabric 1.1 for Windows Server (KB2671763): was already installed (no action taken)

Here is the error when I try to next install SharePoint Foundation:

Has anyone seen this before? How do we fix it?


Thanks


Unable to establish PAM Trust


Hi,

Busy working through https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-5-establish-trust-between-priv-corp-forests. 

Just got to the part where I need to establish the PAM Trust - everything thus far has passed successfully.

I log on to PAMSrv as Domain Admin.

This cmdlet works fine:

$ca = get-credential
New-PAMTrust -SourceForest "contoso.local" -Credentials $ca


This one however does not work

$ca = get-credential
New-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca

I am using the same credentials for both...why would it work for one cmdlet and not the other? Are the steps in the guide incorrect?

GALSYNC: is there a way to deposit contacts into separate OUs


I'm using MIM 2016 GalSync with Exchange 2013 and Exchange 2010.

In a default GALSync installation, the MAs will deposit all contacts into a single OU.

I've seen the article How to Provision Contacts to Specific OU Units Based Upon an Originating Forest, but the article is old and the method to update the GALSync solution is not working for me. Plus the attribute msExchOriginatingForest is not available in our schema.

I would like contacts from different MAs to go into separate OUs. How can I achieve that?

How to use PowerShell to List the Sets in which a FIM Portal (MIM) user is a member
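The post above carries only its title on this page. As an added example (not the original post's text), the following script lists the Sets a MIM Portal user is a member of through the FIMAutomation snap-in that ships with the MIM Service; it assumes it runs on the MIM Service server (or that -Uri is pointed at it) and that 'jsmith' is a sample AccountName.

```powershell
# Added example: list the Sets that contain a given Person, via the
# FIMAutomation snap-in installed with the MIM Service. Assumes the MIM
# Service endpoint at http://localhost:5725 and a sample account 'jsmith'.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

function Get-AttributeValue {
    # Pull one attribute out of an ExportObject returned by Export-FIMConfig.
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { $attr.Values } else { $attr.Value }
}

function Get-UserSets {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string]$Uri = 'http://localhost:5725'
    )
    # The account name is spliced into an XPath literal; refuse quote
    # characters rather than let a caller rewrite the filter.
    if ($AccountName -match "['`"]") {
        throw "AccountName may not contain quote characters: $AccountName"
    }
    # ComputedMember is the resolved membership, so it covers both
    # filter-based members and explicitly added ones.
    $xpath = "/Set[ComputedMember=/Person[AccountName='$AccountName']]"

    Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $xpath |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = Get-AttributeValue $_ 'DisplayName'
                ObjectID    = Get-AttributeValue $_ 'ObjectID'
                Filter      = Get-AttributeValue $_ 'Filter'
            }
        }
}

Get-UserSets -AccountName 'jsmith' | Sort-Object DisplayName | Format-Table -AutoSize
```

The query runs with the caller's MIM Service permissions, so the list is limited to Sets the caller is allowed to read; run it as an account covered by an MPR that grants Read on Set resources if results look incomplete.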

HOW to configure MIM 2016 Password Reset to enforce AD Password Policy?


I am looking at the article https://support.microsoft.com/en-us/kb/2443871

"FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies"

It seems I need to set a Registry Key. [FIM] documentation says:

Registry Key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>

Registry Value Name: ADMAEnforcePasswordPolicy
Values: dword
Class: HKLM
Created by: Admin
Explain: 1 = true, everything else is false

Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.

Note:

This setting is only supported on FIM build version 4.0.3561.2 and later versions.

Note:

This is only supported where the domain controller is as follows:
· Windows Server 2008 R2 with KB2386717
· Windows Server 2008 R2 SP1
· Windows Server 2008 with KB2386717

Our Windows 2008 domain controllers are patched. ldp.exe works over SSL. I have MIM version 4.3.2266.0.

BUT I cannot locate that registry key in SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters

What must I do for MIM 2016 to enforce the AD Password Policy. Testers complain that SSPR works but allows old passwords.
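The documentation quoted in the post above describes a per-MA value under PerMAInstance\<ma name>; that key is not created by setup, so it has to be added by hand with the MA's exact display name. The script below is an added example, not text from the original post or Microsoft's KB; it assumes the AD MA is named 'AD MA' and that it runs as an administrator on the Synchronization Service server.

```powershell
# Added example (not from the original post): create the per-MA registry
# value that makes the AD MA verify password history / domain password policy
# during SSPR. Run elevated on the MIM Synchronization Service server.
function Enable-AdmaPasswordPolicyEnforcement {
    param(
        [Parameter(Mandatory)][string]$MaName,  # display name of the AD MA in Synchronization Service Manager
        [switch]$RestartService
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
    if (-not (Test-Path $base)) {
        throw "Synchronization Service registry path not found: $base (is MIM Sync installed here?)"
    }

    # PerMAInstance\<ma name> does not exist until an admin creates it; the
    # name must match the MA exactly or the engine never reads the value.
    $key = Join-Path (Join-Path $base 'PerMAInstance') $MaName
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # DWORD 1 = enforce policy; any other value = do not enforce.
    New-ItemProperty -Path $key -Name 'ADMAEnforcePasswordPolicy' `
                     -PropertyType DWord -Value 1 -Force | Out-Null

    if ($RestartService) {
        # Restart so the sync engine picks up the new per-MA setting.
        Restart-Service -Name FIMSynchronizationService
    }

    # Return what is now in the registry so the caller can confirm it.
    Get-ItemProperty -Path $key -Name 'ADMAEnforcePasswordPolicy' |
        Select-Object @{ n = 'Key'; e = { $key } }, ADMAEnforcePasswordPolicy
}

Enable-AdmaPasswordPolicyEnforcement -MaName 'AD MA' -RestartService   # 'AD MA' is an assumed name
```

After the restart, test with a password that is still in the user's history; the reset should now be rejected rather than silently accepted. The value only reaches the DC over the LDAPS channel the AD MA already uses, so the ldp.exe-over-SSL check in the post remains a prerequisite.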


Reusing extensions in FIM


Can anybody say, how I can make reusable extension in FIM?

I have 3 functions to replace chars (diacritics) in First Name, Last Name and Initials.

For example (part of code):

// Fragment of the rules extension; needs: using System.Text.RegularExpressions;
case "LASTEN":
    if (csentry["LAST"].IsPresent)
    {
        string LAST = csentry["LAST"].Value;
        // Each Replace must operate on the previous result, not on LAST again,
        // otherwise only the last replacement (П -> P) reaches LAST_EN.
        string LAST_EN = Regex.Replace(LAST, "[Б]", "B");
        LAST_EN = Regex.Replace(LAST_EN, "[Ж]", "Zh");
        LAST_EN = Regex.Replace(LAST_EN, "[Ю]", "Yu");
        LAST_EN = Regex.Replace(LAST_EN, "[П]", "P");

        mventry["lastNameEN"].Value = LAST_EN;
    }
    break;

I want to use this code three times, for First Name, Last Name and Initials. How can I do it without using three "tables" of character replacements?

Thanks!




Protecting Access to the MIM Self-Service Portal with MFA


Hello

I have a requirement to introduce an additional layer of authentication before users log in to the MIM Self-Service Portal. (The requirement at this stage is not the SSPR MFA.) Can this be achieved within MIM, or will there be a need to integrate with an external or third-party MFA solution? Or can MIM make API calls to a third-party MFA solution to achieve this?

Appreciate feedback


Akinzo

stopped-extension-dll-exception fim 2010 R2 ( version 4.1.3469.0) while full Import from Office365


Hi,

I'm trying to do a Full Import on the Office 365 connector MA on FIM 2010 R2 (version 4.1.3469.0). However, each time it reaches a specific number of objects the process terminates due to "stopped-extension-dll-exception". Below are my configurations:

Eventlog Error:

FIM SYNC Engine :

Scenario MIM 2016

Hello everyone


I need some direction about a scenario. I have MIM 2016 installed and configured for provisioning users from one specific OU.

What is the best practice for provisioning users in different OUs?

MIM 2016 + Portal with SharePoint? Or is it possible to do this using just the MIM 2016 Synchronization Service and different scripts, or only one script?



Thanks

Wilsterman Fernandes

Is Microsoft EDGE Browser supported for FIM 2010 R2?


I can't get no,

information...  ;-)


GH
