Channel: Forum Microsoft Identity Manager

The Microsoft Identity Manager server database couldnot be sucessfully populated

Dear All

I am following the MIM deployment guide for a POC lab using SQL Server 2012 as the DB. The MIM Service and Portal installation fails to complete with the following error: "The Microsoft Identity Manager server database couldnot be sucessfully populated"
and the installer gets stuck with an open command window. The database was created during the installation, and it appears the database population failed.
The MIM service account has the mail attribute manually set since Exchange server is not installed, and here is the line from the log file:

MSI (s) (24:38) [16:34:35:701]: Executing op: CustomActionSchedule(
 Action=DeployAndPopulateDatabase,
 ActionType=1026,
 Source=BinaryData,
 Target=installApp=FIM
 action=DeployAndPopulateDatabase
 databaseName=FIMService namespaceName="fim" 
 datFilesInstallDir="E:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Data\BL" 
 sqlserverName=CORPIDM
 FIMServiceAccountDomain=contoso
 FIMServiceAccountName=MIMService
 SyncServiceAccountDomain=CONTOSO
 SyncServiceAccountName=MIMSync
 RunningUserDomain=CONTOSO
 RunningUserName=Administrator
 RunningUserEmail= 
 CreateDatabase=True,)

The installer rolls back, and Event Viewer has the following error after a few minutes even if the database exists.

SQL Database 'SharePoint_Config' on SQL Server instance 'CORPIDM' not found. Additional error information from SQL Server is included below.""Cannot open database "SharePoint_Config" requested by the login. The login failed.Login failed for user 'CONTOSO\SharePoint."

Kindly help in fixing this error.
Thanks!


How can I change an attribute value during import or export?

I'm using only the GALSYNC component of MIM 2016.

There are 2 things I would like to achieve:

1. Update the displayname of a synced object.

For example:

The displayname of the user object in forest A is 'ABC'.

When it is synced to forest B, I want the displayname to show up as 'ABC (FixedString)'.

2. Update the targetaddress attribute in the destination forest. Note that the user object in the source forest does not have the attribute populated.

For example:

User object ABC in forest A does not have the targetaddress attribute. The mail attribute is abc@forestA.com

When it is synced to forest B, I want the targetaddress attribute to be populated with abc@anotherdc.forestA.com. Note the additional domain component has to be added.

How would I go about doing the above?


Portal MPR, SET Transition, Action Workflow with a Function Evaluator to copy datetime attribute to another datetime attribute

Hi,

I am trying to copy a datetime attribute to another datetime attribute within the FIM portal using an action workflow and function evaluator.

e.g. Target [//Target/TargetDate]

Concatenate Value

SourceDate attribute.

The workflow creates fine but gives an internal error when the set transition occurs. Can this be done? Can you suggest a straightforward workaround if not?

Thanks,

A.

PAM Module of MIM

Hi Gurus,

I have a query regarding the PAM module present in the MIM 2016 suite. Can we install the PAM module in the MIM used to manage Corporate Identities, or do we need to have a separate MIM on a separate server for the PAM module implementation? Couldn't see any Microsoft documentation on this scenario.

MIM 2016 Pam Forest

So I'm a bit confused. If we implement the PAM solution, does that mean that we are to use the portal in the "PRIV" forest for all of the users' info, password reset, provisioning etc., etc., or is the portal in the "PRIV" forest just for the "PRIV" forest?

I understand the role of the bastion forest for PAM, but how the rest of MIM functionality fits in this eludes me for some reason.

 

Adding partitions or renaming the object in a ECMA when the dnStyle is "None"

We have several ECMA MAs where the MA Capability dnStyle is “None”.  We are adding additional Object types into these various MAs for an RBAC model. The anchors on the MAs are GUIDs.

We want to take advantage of adding partitions in the existing MAs. This will give us the ability to run a particular partition on demand and to allow references within the CS to be used between the object types in the MAs. 

To have partitions in an MA requires a rename of the objects to create a dnStyle of LDAP/Generic style from None. Renames of objects are not allowed when using a None dnStyle
(See https://msdn.microsoft.com/en-us/library/windows/desktop/hh859564(v=vs.100).aspx).

If anyone has a creative idea for how to rename the objects, or get partitions into an MA that has a dnStyle of None, or another solution, it would be appreciated.

Thank you, Robin

Inbound rule "Forefront Identity Manager Service (Webservice)" is suddenly without any cause disabled. How can it be?

Hi,

I have a strange case where the inbound rule "Forefront Identity Manager Service (Webservice)" is suddenly without any cause disabled.  How can it be?


GH

Problem in Inbound and Outbound Synchronization Rules

I recently wanted to make a good use of an "Inbound and Outbound" synchronization rule because I read that using one "Inbound and Outbound" SR behaves similar to 2 separate Inbound and Outbound rules... didn’t seem like the case for me.

I created a Synchronization Rule (SR) with the following details:

SR name: _Inbound and Outbound

Data Flow Direction: Inbound and Outbound

Apply Rule: To all metaverse resource of this type...

Metaverse Resource Type: group

External System: Active Directory MA

External System Resource Type: group

Outbound System Scoping Filter: accountName Equal "XYXYXYXY"

Inbound System Scoping Filter: sAMAccountName Equal "XYXYXYXY"

Relationship: accountName = sAMAccountName

I checked the following: “Create Resource In FIM” and “Create Resource in External System”

Added a dummy Outbound Attribute Flow: "Dummy Description" => description

Added some Inbound Attribute Flow: 

1. sAMAccountName => accountName

2. "Dummy DisplayName" => displayName

Then I ran Delta Import and Delta Sync on the MIM MA to bring the SR to the metaverse.

I created a Group in Active Directory (mytestgroup) and then ran Delta Import and used the preview tool to run a Full Synchronization on it.

Here's the interesting part.

Even though mytestgroup doesn't meet the Inbound Filter criteria, it was projected to the metaverse and the inbound SR was applied, i.e. "Dummy DisplayName" is in the metaverse now.

However, the Outbound SR was not applied and I don't have any pending export on the Active Directory MA.

I changed the SR to Inbound only, hoping that the Inbound Filter would work, but no luck.

I eventually found out that converting it to Inbound doesn't uncheck the attribute (Outbound Scope Filter Based). So I went to Advanced View and did that, and when I unchecked it, the Inbound Filter worked as expected. By the way, when you create an Inbound SR, this attribute (Outbound Scope Filter Based) is set to False so you don't run into the same problem.

By the way, when I separated the rule into an inbound and an outbound rule, the result came out as expected: the new group wasn't projected to the MV because it didn't meet the filter.

So why does the Inbound flow apply even if it doesn't match the filter? Is it a bug or am I missing something?




System.InvalidOperationException: The type Microsoft.MetadirectoryServices.FunctionLibrary.NoFlowSingleton was not expected. Use the XmlInclude or SoapInclude attribute to specify types that are not known statically

Hi,

Whenever I try to create a new user, it gives me the postprocessing error below in the portal log. But the user is getting created and synced to Active Directory. Suddenly some access issue happened, which we recovered from, but this issue started. Can somebody help?

System.InvalidOperationException: There was an error generating the XML document. ---> System.InvalidOperationException: The type Microsoft.MetadirectoryServices.FunctionLibrary.NoFlowSingleton was not expected. Use the XmlInclude or SoapInclude attribute to specify types that are not known statically.
   at System.Xml.Serialization.XmlSerializationWriter.WriteTypedPrimitive(String name, String ns, Object o, Boolean xsiType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterRequestParameter.Write1_Object(String n, String ns, Object o, Boolean isNullable, Boolean needType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterRequestParameter.Write9_UpdateRequestParameter(String n, String ns, UpdateRequestParameter o, Boolean isNullable, Boolean needType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterRequestParameter.Write11_RequestParameter(Object o)
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Serialize(XmlWriter xmlWriter, Object o, XmlSerializerNamespaces namespaces, String encodingStyle, String id)
   at System.Xml.Serialization.XmlSerializer.Serialize(XmlWriter xmlWriter, Object o)
   at Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType.AddParameter(RequestParameter parameter)
   at Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType.SetRequestParameters(OperationType operation, UniqueIdentifier targetObject, List`1 requestParameters)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, Boolean maintenanceMode, String synchronizationSequenceIdentifier)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier objectId, OperationType operation, List`1 requestParameters, Guid parentRequest)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)</RequestStatusDetail>

Thanks,

Venkatesh Mahajan

Incorrect Date considered by FIM Portal for User Deletion, Post FIM Upgrade from RTM to Latest Update v 4.0.3617.2

Hi,

I have configured an Expiration Workflow which deletes the users who have left the organization 5 days after their last date.

(I have used two custom attributes, "Employee_Updated_date" and "Employment_Status", based on which the user becomes part of a particular SET, and post transition in the SET the Expiration Workflow is triggered by an MPR which deletes the user from FIM Portal.) All this was working fine till 7th June.

I upgraded FIM from RTM to version 4.0.3606.2 first and then to the latest version 4.0.3617.2. Post this upgrade I have observed that only the users whose End Date is 2nd June 2012 or prior get deleted from FIM Portal, i.e. the FIM Portal date is stuck at 7th June (i.e. the date on which the upgrade was done). I even restarted the FIM servers post upgrade.

I have a similar Development Environment, wherein I replicated the issue with out-of-box attributes (i.e. Employee End Date and Last Name). The user deletion works fine here for Employee End Date as 9th June, i.e. 5 days from today.

Thus, I again tried to replicate the same thing with out-of-box attributes in the Production Environment, but there the user entry is deleted only when the Employee End Date becomes 2nd June 2012 or prior, i.e. I concluded the issue is not with custom attributes post upgrade.

Am I missing something in my configuration as to why the date assumed by FIM Portal is 7th June 2012, even today? How can I change this date/overcome this issue, since it occurs with both out-of-box as well as custom attributes?

Request your replies,

Thanks in Advance,

Regards,

Kaushik B

FIM 2010 R2 reporting with SCSM 2010 SP1

Hi, is it possible that we have only 1 SCSM server for the management server and data warehouse?

Krisna Ismayanto

Cannot login to Microsoft Identity Manager 2016 Portal...

Hi all;

After installing MIM 2016 Service and Portal, when I want to log in to the following URL, the authentication window appears.

http://pbmim.contoso.local:82/identitymanagement

When I provide the account that I have used for the entire installation process, the authentication process fails.

Any ideas?

Thanks


Problems with the sample PAM web application

Hi,

Busy working through the PAM lab, and may I say this MS PAM solution is so far very user unfriendly... I don't see how end users are meant to fire off all these complex PowerShell scripts/cmdlets... (https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam)

I have deployed the sample PAM web app as per: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-4-install-mim-components-on-pam-server. All the tests in the lab have passed, so when I navigate to the web site URL http://pamsrv.priv.contoso.local:8086/api/pamresources/pamroles/, a download does occur.

When I connect to the URL:  http://pamsrv.priv.contoso.local:8086 as MIM Administrator, I get this error message: "

HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory."

When I connect to the URL:  http://pamsrv.priv.contoso.local:8086 as Jen (the test user in the lab), I get this error message: "

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied."

Can someone please clarify what steps are missing from the Microsoft lab to actually see the Sample Web Application on http://pamsrv.priv.contoso.local:8086?

Thank you.

PS. I really wish PAM was a lot more user friendly, and that there was more from Microsoft about PAM and how to configure it.

PAM & Windows 2016

Hi,

Just wondering what are the major changes/enhancements when Windows 2016 launches and Privileged Access Management (PAM). No need for a bastion forest anymore?

Thx

How is PAM supposed to work?

Hi,

We're having trouble understanding how PAM is meant to work from an Administrator and End User perspective.

There is this 'Sample Web Application' for PAM. What is this? Who is meant to use this?

There is also a PAM module in the MIM Portal. What is this and how is it different from the 'Sample Web Application'?

Then there is the end user... what do they need installed, and what do they need to access in order to request AD Group membership?

PAM is starting to look like another FIM/MIM type application, where everything has to be customized...

Thank you in advance.


Renaming AD and ADLDS accounts due to name changes

I have people who like to change their names for various reasons (marriage, divorce, gender reassignment) and therefore need to change their cn, account name, dn, display name etc. Most of these change just fine, but when it comes to changing the account name/cn I get a Modify-naming-attribute error "The attribute cannot be modified because it is owned by the system."

Currently one of the MAs is a very basic MA just flowing attributes directly; the other has some Sync rules.

I have been doing some research and it said to have two entries for the dn, one for the initial flow and one for the renames. I have this already and it's not working.

Is it possible to do renames without extensible DLLs? How?

Thanks

Join from value pair text file to MV

Hello!

I have a simple question about FIM/MIM logic.

I have a text file with these attributes:

1. DEPID (Department ID, key)

2. DEPOU (Department OU for location of objects)

And an Oracle DB with these attributes:

1. UserID (key)

2. DEPID (User department ID)

3. DEPNAME (User department name)

I want to join these attributes into one record in the MV. How can I do it?

Thanks!


Custom development

Hi,

I am looking for information regarding how to create a custom mobile application for MIM 2016 Passport Self-Service. What is possible, and any examples would be appreciated. Cannot find anything regarding the MIM Service API. Looking to create a custom mobile application for managed mobile devices providing password self-service for end users.

Regards,

 

FIM Portal reinstall

Hello!

I have created this post about an Oracle DB MA problem:

https://social.technet.microsoft.com/Forums/en-US/23f5937c-1dac-4cc0-9fc7-f55aa140a511/rowfetchfailure-with-oracle-ma?forum=ilm2

I think that I have found the reason for my problem: it is in my Portal schema configuration.
Does MIM have any guides for clearing all MIM Portal configuration, or only the schema configuration (better for me)?
If I understand correctly, I can uninstall the Portal and make a new install with a fresh DB and configuration.
In this case I will lose my portal sync flows (they are documented and can be restored "by hand") and my Portal users/groups, which can be restored during the sync process.
Any hints on this process?
Thanks!


MIM MA failed-creation-via-web-services for group

Hi! I'm trying to make groups flow from AD to MIM by following this guide:

https://technet.microsoft.com/en-us/library/ff686936%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

User sync is working fine.

I have such a flow in Portal, nothing unusual

Preview:

Validation:

Preview:

When I try to run an Export from the MIM MA, I get this error:

Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>MembershipLocked</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: RequiredValueIsMissing Target(s): 3590D756-165C-4F95-8117-0E59880DBA73
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: RequiredValueIsMissing
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><AttributeFailureCode>RequiredValueIsMissing</AttributeFailureCode><AdditionalTextDetails>An attribute is required to complete the operation.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>b221a2b1-2fd6-463c-8f82-719b982cf826</CorrelationId></RepresentationFailures>

I can't understand which attribute is needed.

Any ideas?

Thanks!

