Channel: Forum Microsoft Identity Manager
Viewing all 6944 articles

the image or delta doesn't have a distinguished name


I have an ECMA2 MA (export only) with a synchronization rule, which calls a web service in the PutExportEntries method. Everything works fine and the web service is called with no errors after the export.

But in the event viewer I receive the following error.

BAIL: MMS(8500): d:\bt\38553\private\source\miis\server\sync\syncstage.cpp(782): 0x80230301 (The image or delta doesn't have a distinguished name.)
BAIL: MMS(8500): d:\bt\38553\private\source\miis\server\sync\syncstage.cpp(648): 0x80230301 (The image or delta doesn't have a distinguished name.)
Forefront Identity Manager 4.1.3671.0

Does anybody have a clue why the error occurs?


MIM 2016 Users from AD to AD


Hi,

I'm testing MIM 2016 to synchronize users from Domain A to Domain B. I have configured two Active Directory agents. The MA of Domain A imports the selected attributes and the MA of Domain B exports them. The whole agent configuration is the same except for the attribute flow.

I also created run profiles. For Domain A: Full Import, Full Sync, Delta Import and Delta Sync. For Domain B I created the run profile to export the metaverse data.

My problem is that the data from Domain A is imported, but the metaverse data is not exported to Domain B.

I'm only using MIM synchronization Service. I don't want to use the Service Portal. Could anyone help me?

Declarative vs classic rules


Hello!

I have some questions about MIM concepts.

  1. Can I do something like a "sync preview" for all of my objects? I think this can be useful when deploying in existing environments.
  2. Can anybody explain the difference between attribute flows in the Portal (declarative) and in the Synchronization Service Manager (classic)? Pros and cons of each method?

Attribute flows can be declared in two places.

Portal:

+ We can make separate inbound and outbound rules for attribute flows. This can simplify a sync process.

+ MS is recommending this type of sync.

- We need to make an extra "import cycle" for the MIM MA to import the declared rule and get it to work.

- Can't make an export of the configuration.

Synchronization Service Manager:

+ Extensions in C# and VB for more complicated rules.

+ Simple export of all configuration.

- Only one place to declare sync rules, so this can be a + or a - at the same time.

But if you google for guides on the Internet about provisioning users from AD to MIM, there are many guides that use declarative rules in the portal for this, though I think the classic flows in the Sync Service Manager are faster in this case (fewer mouse clicks) :)

And declaring two rule flows in different places can be difficult to understand.

So, what do you think about this situation? Which method do you prefer?

Thanks!


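The "simple export of all configuration" that the post credits to the classic side can be scripted and turned into a drift check. The script below is an added example, not code from the post or from Microsoft; it uses the maexport.exe and svrexport.exe tools that ship in the Synchronization Service Bin folder and assumes the default install path, a caller in the MIMSyncAdmins group, and a placeholder snapshot folder C:\MIMConfigSnapshots.

```powershell
# Added example (not from the post): snapshot the classic Synchronization Service configuration
# with maexport.exe / svrexport.exe, hash every file, and compare two snapshots so configuration
# drift (a changed attribute flow, a re-pointed rules extension, a new partition) shows up as a
# changed hash. Assumptions: default install path, caller is in MIMSyncAdmins, $Root is a placeholder.
$Bin  = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'
$Root = 'C:\MIMConfigSnapshots'    # placeholder location for snapshots

function New-ConfigSnapshot {
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Server-level configuration (metaverse schema, global settings) in one file
    & "$Bin\svrexport.exe" (Join-Path $dir 'server.xml') | Out-Null

    # One XML per management agent: connector settings, partitions, attribute flows, run profiles.
    # The MA password is not exported (you are prompted for it on import), but everything else
    # about the connected directory is, so protect this folder like the sync database.
    $mas = Get-WmiObject -Namespace root\MicrosoftIdentityIntegrationServer -Class MIIS_ManagementAgent
    foreach ($ma in $mas) {
        $file = Join-Path $dir ('ma-' + ($ma.Name -replace '[^\w\-]', '_') + '.xml')
        & "$Bin\maexport.exe" $ma.Name $file | Out-Null
    }

    # Manifest of SHA-256 hashes, one row per exported file
    Get-ChildItem $dir -Filter *.xml |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv (Join-Path $dir 'manifest.csv') -NoTypeInformation
    $dir
}

function Compare-ConfigSnapshot([string]$Old, [string]$New) {
    # Rows that differ in (File, Hash) between the two manifests: changed, added or removed files
    $a = Import-Csv (Join-Path $Old 'manifest.csv')
    $b = Import-Csv (Join-Path $New 'manifest.csv')
    Compare-Object $a $b -Property File, Hash |
        Sort-Object File |
        Select-Object File, Hash, @{ n = 'In'; e = { if ($_.SideIndicator -eq '=>') { 'new snapshot' } else { 'old snapshot' } } }
}

$new      = New-ConfigSnapshot
$previous = Get-ChildItem $Root -Directory | Where-Object FullName -ne $new | Sort-Object Name | Select-Object -Last 1
if ($previous) { Compare-ConfigSnapshot $previous.FullName $new | Format-Table -AutoSize }
else           { "First snapshot written to $new" }
```

Run it before and after every change to a management agent; a file whose hash moved without a corresponding change request is the thing to investigate.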



MIM 2016 and SharePoint 2016 syncing


Hello,

I am running into an issue where I am unable to fully sync all information to SharePoint and could use some guidance. For some reason I cannot get the Manager to push into SharePoint. Other information will, however, push and update.

I have 3 tasks running in the Task Scheduler: a FullSync (once daily), a DeltaSync (every 30 minutes), and a PhotoProfileUpdate. When I review their history in SSM they show success 98% of the time. Occasionally I will get a completed-warnings status on the SPMA DeltaImport. The details specify "exported-change-not-reimported" and reference the manager field.

I know the field is pulling from AD because when I search the Metaverse I can see managers for users and am able to click them to confirm the linking is correct. Not sure what I am missing, as users will add/delete and change information as it is updated in AD. The only thing not pushing is the Manager info.

Ideas?

Set criteria


2 object types - user and sponsorship. Each user has a sponsor and a sponsorship.

I am trying to create a set of those sponsorships, the sponsor of which has an active sponsorship (future termination date).

I have the first set as

Now I am trying to create the set that I want as below:

But this one is not producing correct result. I am getting some sponsorships in the set which have inactive sponsor(sponsorship of the sponsor expired).

Any help please?


does MIM 2016 SP1 support Exchange 2016 GALsync?


Hi all.

I'm currently working on a project. It includes connecting the Exchange servers of 20 companies so they can route mail to each other and send email to every user in each domain without knowing his email address, e.g. when they put "T" in the "To" field in Microsoft Outlook, it autocompletes names starting with T in each domain.

Since Federated Sharing doesn't do GALsync, I suggested using Microsoft Identity Manager 2016 to sync GAL between domains automatically. But i have a couple of questions.

1. Does MIM 2016 SP1 support Exchange GALsync for Exchange 2016? (The documentation says it doesn't, but I heard a Microsoft tech guy at the Summit in the UK say it does, and I really hope it does.)

2. Does the MIM 2016 evaluation software support Exchange 2013 CU14? (Because it couldn't detect our setup.)

3. Is there any possible way to do a failover installation of MIM 2016 on 2-3 servers?

4. Is there any trick/extra thing to do for installing MIM 2016? (Because after we installed it, FIM 2010 R2 popped up (without SP1), so it couldn't detect Exchange 2013.)

5. Is there any way to test out MIM 2016 SP1? (It's only available on MSDN accounts.)

Thanks in advance


this post is provided as is, with no warranties/guarantees

Unable to Process request when expanding Activity After upgrade to MIM 2016 Sp1


Hello all, 

We have recently upgraded from FIM 2010 R2 to MIM 2016 SP1. The upgrade went fine; however, there is one single thing not working in the portal. When we open a workflow, go to the activities, and select the drop-down arrow to view and load the properties of an activity, we get "Unable to process request". If I create a new workflow, I can successfully load the list of activities and save, but when I want to view the activities of the saved workflow I get the error again. The error even happens in out-of-the-box workflows and activities. The SharePoint version is Foundation 2010.

The event viewer shows the error "the portal was unable to complete a request and showed the user the default error page". I have enabled verbose logging in the web.config file of MIM portal and got the following two additional errors:

- ErrorHandlingModule.HandlePortalException: The following error is not handled through FIM components :An exception of type 'System.Web.HttpUnhandledException' was raised

- ErrorHandlingModule.HandlePortalException: There is an error. The error detail is not reported by IIS.

I opened a case with MS three weeks ago, but there is still no progress. Any chance someone can help?

thanks


MM

MIM 2016 Admin Account login issue - MIM 2016 Admin Portal


Hi folks

Product: MIM 2016 (SSPR)

We're currently using MIM 2016 purely for SSPR to sync against one domain.  Everything is working as expected fine and dandy; users are able to Password Register and Reset etc.  No issues there.  Recently, the MIM 2016 Portal admin account object was a) changed in AD from usernameA to usernameB and this AD object was moved into a new OU once the username was changed.  The following day, we tried to log into the MIM 2016 Admin Portal and I got the following error:

You do not have permission to access this site.
Please contact your help desk or system administrator.

> Go to Forefront Identity Manager home page

I then checked for the new username using Metaverse Search within Synchronization Services Manager and could not find the modified username, only the old one.  I tried the old username and this too would not let me log into the Admin Portal either - same error as above.

I then performed an Export, Full Import (Stage Only) followed by a Full Synchronization on both the MIM Management Agent and the same again on the MIM AD Management Agent.  I still couldn't see the correct (changed) username in the metaverse and obviously still couldn't log in to the MIM 2016 Admin Portal (as above error again).

I then modified the MIM AD Management Agent within the Directory Partitions to include the new OU (to sync in) with the renamed/moved MIM 2016 admin account to sync across.  I then performed an Export, Full Import (Stage Only) followed by a Full Synchronization on both the MIM Management Agent and the same again on the MIM AD Management Agent.  I could then see the renamed MIM 2016 Admin account but still couldn't log in.  I now realise that this should be a flow filtered account to protect the MIM 2016 admin account but was not aware of this at the time.

What is the current status on this account, based on the above?  Has it gone?  Am I blocked now from accessing the MIM 2016 Portal?  I search and see the new account in the MIM 2016 metaverse and it exists but I cannot log into the MIM 2016 Admin Portal - I get the error above.  The account was modified and moved to a new OU in AD and not deleted and then the changes (I assume) sync'd in.  Have I lost access to the MIM 2016 Admin Portal or can I still access the system?

I recently found the following article, https://www.ccrossan.com/blog/identity-management/fim-portal-no-access-for-fim-admin-account/, which uses a PowerShell script to set the AccountName attribute of the MIM admin account (identified by a well-known admin user GUID). Is this attribute different between FIM 2010/R2 and MIM 2016? Is this PowerShell script of any use here?

If someone could assist me here in any way I can get access back to the Admin Portal, I'd appreciate it.  Has the account in the MIM 2016 Admin Portal been deleted?  Surely not, as I can see it - it has just had a modification.

Any help on this, really, really appreciated folks! :)
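The approach in the linked article, rebinding the built-in Administrator object by its well-known ObjectID, can be done with the FIMAutomation cmdlets that ship with the MIM Service. The well-known ObjectID 7fb2b853-24f0-4498-9534-4e10589723c4 and the AccountName, Domain and ObjectSID attributes are the same in FIM 2010 R2 and MIM 2016. The script below is an added example, not the post's or the article's code. It assumes the FIMAutomation snap-in is present (MIM Service server), that it runs as an identity the Service still accepts (for example the MIM MA / synchronization account), and that CONTOSO and usernameB are placeholders for the real NetBIOS domain and the renamed sAMAccountName.

```powershell
# Added example (not from the post or the linked article): re-point the built-in MIM Service
# Administrator at the renamed/moved AD account. The Service resolves a caller by SID, so the
# Person's AccountName, Domain and ObjectSID must all describe the same AD principal.
# Assumptions: FIMAutomation snap-in present; caller is an identity the Service still accepts
# (e.g. the MIM MA / synchronization account); CONTOSO and usernameB are placeholders.
param(
    [string]$Domain      = 'CONTOSO',      # placeholder: NetBIOS domain name
    [string]$AccountName = 'usernameB',    # placeholder: the renamed sAMAccountName
    [string]$ServiceUri  = 'http://localhost:5725/ResourceManagementService'
)
$adminId = '7fb2b853-24f0-4498-9534-4e10589723c4'   # well-known ObjectID of the built-in Administrator

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }

# Resolve the SID from AD rather than typing it; a rename or OU move never changes it.
$sid = (New-Object System.Security.Principal.NTAccount($Domain, $AccountName)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$sidBase64 = [Convert]::ToBase64String($sidBytes)   # binary attributes are passed as base64

function Get-AdminIdentityAttributes {
    # What the Service currently holds for the built-in Administrator
    $obj = Export-FIMConfig -Uri $ServiceUri -OnlyBaseResources -CustomConfig "/Person[ObjectID='$adminId']"
    if (-not $obj) { throw "Built-in Administrator $adminId was not returned by $ServiceUri" }
    $obj.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -in 'DisplayName', 'AccountName', 'Domain', 'ObjectSID' } |
        ForEach-Object { '{0,-12} = {1}' -f $_.AttributeName, $_.Value }
}

function New-ReplaceChange([string]$Name, [string]$Value) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = 'Replace'     # single-valued attribute: replace whatever is there
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = $true
    $c.Locale         = 'Invariant'
    $c
}

'Before:'; Get-AdminIdentityAttributes

$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'Person'
$import.TargetObjectIdentifier = $adminId
$import.SourceObjectIdentifier = $adminId
$import.State                  = 'Put'          # update the existing object in place
$import.Changes = @(
    (New-ReplaceChange 'AccountName' $AccountName),
    (New-ReplaceChange 'Domain'      $Domain),
    (New-ReplaceChange 'ObjectSID'   $sidBase64)
)
$import | Import-FIMConfig -Uri $ServiceUri

'After:'; Get-AdminIdentityAttributes
```

Once the portal is reachable again, add the account to the MIM MA's connector filter, as the post itself concludes, so the next synchronization cannot rewrite or deprovision the object that holds the admin rights.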






Populate Manager attribute from another Forest


My client was recently acquired. The new corporation has 2 AD forests, that are syncing accounts to one O365 tenant. Some of the employees have managers from the new firm. What is the recommended best practice for maintaining the Manager attribute in this scenario?

I'm thinking that they should use FIM/MIM with Azure AD Connect, but I don't know how to do that.


Dean MCTS-SQL 2005 Business Intelligence, MCITP SharePoint 2010, MCSA Office 365

MIM 2016 Service and portal msi installation error


I am trying to install the MIM 2016 Service and Portal. SharePoint is all set up. The wizard starts fine, but after selecting what to install a message box pops up with the title "Installation Prerequisites Not met" and the body "Windows PowerShell 1.0 or better".

So I turned on detailed logging. The failure happens at the log entry "Doing action: checkdotnetversion", where it returns value 1. It then creates the dialog, etc.

Now I have both .NET 4.5 and .NET 3.5 installed. I have PowerShell host version 4.0 and am using it. Any ideas? Thanks.

 

Hilalh

FIM 2010 R2 and MIM 2016 queries


Hello Experts,

I was advised to write to your email for an advice on this concern.

My overall goal is to migrate FIM 2010 R2 to MIM 2016, and to that effect I have tested a few aspects separately and I was able to figure out most of the parts.

One such test, I am getting stuck at is to deploy MIM 2016 SSPR portals (Pwd Reg and reset) on SPF 2013 Port 80, like it was done for FIM 2010 R2.

I was able to deploy the Identity Management Portal and also set up AAM for a user-friendly address (URL) rather than just the hostname, and that works fine, except for the password registration and reset portals.

The environment:
Domain: Cloud.org
New MIM 2016 deployment

MIM2016/SQL2014/SPF2013SP1/IIS are installed on Windows Server 2012 R2, and the host name is -----SQL2014-2.

SharePoint URL
AAM
MIM Portal (works fine with standard and AAM as well)
SSPR URL (doesn't work: Page cannot be displayed; Host A static record created in DNS)
Service Accounts (Names)
MIMService
MIMSync
MIMMA
SharePoint

SQLServer

The issue:

The MIM portal works fine and I am able to provision and sync users in AD; however, the SSPR portals end up in a "Page cannot be displayed" error. There are Host A records created in DNS, pointing to the same IP as the MIM server (SQL2014-2). The SPNs for http/pwdreg.cloud.org are also registered for the MIMService service account.

Also, claims auth and auto upgrade are disabled for SPF2013 SP1.

The SSPR portals are set to operate on port 80, unlike what's stated in the MIM guide, which uses ports 8080 and 8088 respectively. This is a new install and I have followed the FIM guide, where all the portals work fine together on 80/443. It was suggested in the official MIM guide to use the FIM guide when necessary.

Is this supposed to work, or are we supposed to use ports other than port 80 for MIM 2016, unlike FIM 2010 R2?

The only related error I could see in the eventlog:
Log Name:      Forefront Identity Manager
Source:        Microsoft.ResourceManagement
Date:          11/3/2016 7:37:36 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SQL2014-2.cloud.org
Description:
Requestor: Internal Service
Correlation Identifier: 3204fa40-1d54-4a08-bbbe-a8a8e706a6ff
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
Event Xml:
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-03T02:07:36.000000000Z" />
    <EventRecordID>22</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>SQL2014-2.cloud.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Requestor: Internal Service
Correlation Identifier: 3204fa40-1d54-4a08-bbbe-a8a8e706a6ff
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)</Data>
  </EventData>

</Event>

Also, the following SPNs are registered for the service accounts and the host server (you may ignore MIM2016 and MIM2016-S2K8 as they were older installations and are shut off):

CN=MIMService,OU=Service Accounts,DC=cloud,DC=org:
        HTTP/pwdreset.cloud.org
        HTTP/pwdreg.cloud.org
        MIMService/SQL2014-2
        MIMService/SQL2014-2.cloud.org
        MIMService/MIM2016.cloud.org
        MIMService/MIM2016-S2K8.cloud.org
CN=MIMSync,OU=Service Accounts,DC=cloud,DC=org:
        MIMSync/SQL2014-2
        MIMSync/SQL2014-2.cloud.org
        MIMSync/MIM2016.cloud.org
        MIMSync/MIM2016-S2K8.cloud.org
No SPNs for MIMMA
CN=SharePoint,OU=Service Accounts,DC=cloud,DC=org:
        http/mimportal
        http/mimportal.cloud.org
        http/SQL2014-2
        http/SQL2014-2.cloud.org
        http/MIM2016
        http/MIM2016.cloud.org
        http/MIM2016-S2K8
        http/MIM2016-S2K8.cloud.org
CN=SqlServer,OU=Service Accounts,DC=cloud,DC=org:
        MSSQLsvc/SQL2014-2:1433
        MSSQLsvc/SQL2014-2.cloud.org:1433
CN=SQL2014-2,CN=Computers,DC=cloud,DC=org:
        MIMSync/SQL2014-2 Cloud\MIMSync
        MIMService/SQL2014-2.cloud.org Cloud\MIMService
        MIMService/SQL2014-2 Cloud\MIMService
        http/SQL2014-2.cloud.org Cloud\Sharepoint
        http/SQL2014-2 Cloud\Sharepoint
        MSSQLSVC/SQL2014-2.cloud.org:SHAREPOINT
        MIMSync/SQL2014-2.cloud.org Cloud\MIMSync
        WSMAN/SQL2014-2
        WSMAN/SQL2014-2.cloud.org
        TERMSRV/SQL2014-2
        TERMSRV/SQL2014-2.cloud.org
        RestrictedKrbHost/SQL2014-2
        HOST/SQL2014-2
        RestrictedKrbHost/SQL2014-2.cloud.org
        HOST/SQL2014-2.cloud.org

Any help would be greatly appreciated.

Regards

SG

MIM SSPR Registration Error 3001


Hi,

We have setup MIM SSPR Registration Portal deployed on URL http://PasswordRegister.company.com

The URL loads, but when we click to register, the following error appears:

Event Log shows the following:

The error page was displayed to the user.

Details:

Title: Access denied.

Message: Error processing your request: The operation was rejected because of access control policies.

Source: The supplied request content violates system rules.

Attributes:

Details: The Request contains changes that violate system constraints.

CorrelationId: cb3f3644-ef0d-4f72-90dd-3207e0056cee

RequestId:

ErrorCode: 3001

CaughtTime: 02/11/2016 11:20:15

Web Portal: FIM Password Registration Portal

Session Id: qhifrt5541wgrn33oxwkz0uw

IP Address: 10.10.20.52

This is the SPN we registered:

setspn -A HTTP/PasswordRegister.company.com Domain\SSPR_server_name$

Could someone please recommend some troubleshooting steps?

Thank you

SK
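Both SSPR threads above (the one that lists SPNs per service account and logs IdentityIsNotFound from GetUserFromSecurityIdentifier, and the one that registered HTTP/PasswordRegister.company.com on the computer account) come down to two checks that are worth scripting: exactly one AD principal must hold the HTTP SPN for each portal host name, and it must be the identity the portal's IIS application pool runs as (a service account, or the computer account only when the pool runs as Network Service or ApplicationPoolIdentity); and, because the MIM Service resolves a caller by SID, that pool identity must exist in the Service as a Person whose ObjectSID matches AD. The script below is an added example, not code from either post. It assumes the ActiveDirectory module and the FIMAutomation snap-in are available, that the Service listens on localhost:5725, and that the host-name-to-identity table (values modelled on the two posts) is replaced with your own.

```powershell
# Added example (not from either post): verify Kerberos SPN ownership and MIM Service identity
# registration for SSPR portal host names. Assumptions: ActiveDirectory module + FIMAutomation
# snap-in present, Service on localhost:5725, $portals is a placeholder table to replace.
Import-Module ActiveDirectory
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }
$serviceUri = 'http://localhost:5725/ResourceManagementService'

# Placeholder: portal host name -> sAMAccountName of the IIS app-pool identity for that site
$portals = @{
    'pwdreg.cloud.org'             = 'MIMService'          # service account (first post)
    'pwdreset.cloud.org'           = 'MIMService'
    'PasswordRegister.company.com' = 'SSPR_server_name$'   # computer account (second post)
}

function Test-PortalSpn {
    param([string]$HostName, [string]$ExpectedIdentity)
    $spn = "HTTP/$HostName"
    # servicePrincipalName matching is case-insensitive: HTTP/x on one account and http/x on
    # another is a duplicate, and the KDC then cannot choose a key for the service ticket.
    $names = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
               ForEach-Object { $_.sAMAccountName })
    if     ($names.Count -eq 0)              { $status = "MISSING: nothing holds $spn, Kerberos cannot be used for this URL" }
    elseif ($names.Count -gt 1)              { $status = "DUPLICATE: $($names -join ', ') all hold $spn" }
    elseif ($names[0] -ne $ExpectedIdentity) { $status = "WRONG ACCOUNT: $spn is on $($names[0]) but the pool runs as $ExpectedIdentity" }
    else                                     { $status = 'ok' }
    [pscustomobject]@{ Host = $HostName; Spn = $spn; Holders = ($names -join ','); Status = $status }
}

function Test-ServiceIdentity {
    param([string]$SamAccountName)
    # The Service maps a caller SID to a Person.ObjectSID; a pool identity with no Person, or a
    # stale SID, produces UnwillingToPerformException: IdentityIsNotFound.
    $ad = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    if (-not $ad) { return "NOT IN AD: $SamAccountName" }
    $bytes = New-Object byte[] $ad.objectSid.BinaryLength
    $ad.objectSid.GetBinaryForm($bytes, 0)
    $adSid = [Convert]::ToBase64String($bytes)

    $person = Export-FIMConfig -Uri $serviceUri -OnlyBaseResources `
                -CustomConfig "/Person[AccountName='$SamAccountName']" | Select-Object -First 1
    if (-not $person) { return "NO PERSON: no Person with AccountName=$SamAccountName in the Service" }
    $raw = ($person.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object AttributeName -eq 'ObjectSID').Value
    $mimSid = if ($raw -is [byte[]]) { [Convert]::ToBase64String($raw) } else { [string]$raw }  # normalise to base64
    if ($mimSid -ne $adSid) { return "SID MISMATCH: Service has $mimSid, AD has $adSid" }
    'ok'
}

$report = foreach ($hostName in $portals.Keys) {
    $identity = $portals[$hostName]
    Test-PortalSpn -HostName $hostName -ExpectedIdentity $identity |
        Add-Member -NotePropertyName ServiceIdentity -NotePropertyValue (Test-ServiceIdentity $identity) -PassThru
}
$report | Format-Table -AutoSize
# For a forest-wide duplicate scan covering every SPN, not just these: setspn -X -F
```

Any row that is not ok on both columns is a blocker: fix duplicates first (Kerberos fails for everyone holding the name), then ownership, then the Service-side Person; a second post-style registration of the SPN on the computer account only works while the pool really runs as a built-in identity.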


Want SMS OTP instead of Azure MFA for PAM request


Hi,

Is there any option to modify the Azure MFA used by default for PAM requests, which gives a call to your phone, to use SMS OTP instead? If so, please let me know the steps to achieve this.

MIM 2016 SSPR with Azure MFA Provider


Hi Experts,

Is it necessary for the MIM Service server (SSPR portal) to be internet facing for testing SSPR with MFA?

I have installed the SSPR portals on the same server where the MIM Service is and am using the phone gate. While testing password reset, I am getting the error "Please contact system administrator" while my MIM server is trying to make a phone call.

I am not using any internet connection. Is it mandatory that my server must be internet facing? 

BR

MIM 2016: RCDC Management with PowerShell


MIM2016 Troubleshooting: MIM Portal Performance Issue

cd-existing-object error after enabling AD recycle bin


I am using MIM 2010 to sync my Development AD domain with Production Domain. Recently I had deleted some core MIM groups and users in Dev because of which I reverted the VMware snapshot of my DC. After that I enabled recycle bin in my DC.

Now when I execute the whole refresh process which include the following steps:

1. ProdMA Delta Import

2. DevMA Delta Import

3. ProdMA Delta Sync

4. DevMA Delta Sync

5. DevMA Export

6. DevMA Delta Import

I get a completed-transient-objects status when I run the DevMA Delta Import and DevMA Delta Sync profiles.

In the DevMA Export I get the error cd-existing-object.

Any ideas?
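The six-step refresh in this post, and the Domain A/Domain B run profiles in the earlier "MIM 2016 Users from AD to AD" post, are the same kind of sequence: imports, syncs, export, confirming import. The script below is an added example, not code from either post; it drives such a sequence through the Synchronization Service WMI provider, stops at the first step that does not come back success (a completed-* status only warns, because the run finished but some objects need attention), and after a failed export pulls the per-object errors out of the run-details XML so a cd-existing-object can be traced to a DN. It assumes the MA and run-profile names match what was created in the Synchronization Service Manager, that the caller is in the MIMSyncAdmins (or Operators) group, and that the export-error and error-type element names are those of the provider's run-details XML.

```powershell
# Added example (not from either post): run a refresh sequence through the Synchronization
# Service WMI provider, stop on the first non-success step, and list export errors per DN.
# Assumptions: MA/run-profile names as created in the Synchronization Service Manager; caller in
# MIMSyncAdmins or MIMSyncOperators; <export-error>/<error-type> are the run-details XML elements.
$ns = 'root\MicrosoftIdentityIntegrationServer'

# Sequence from the post above; the AD-to-AD post's Domain A/B profiles slot in the same way.
$sequence = @(
    @{ MA = 'ProdMA'; Profile = 'Delta Import' },
    @{ MA = 'DevMA';  Profile = 'Delta Import' },
    @{ MA = 'ProdMA'; Profile = 'Delta Sync'   },
    @{ MA = 'DevMA';  Profile = 'Delta Sync'   },
    @{ MA = 'DevMA';  Profile = 'Export'       },
    @{ MA = 'DevMA';  Profile = 'Delta Import' }   # confirming import after the export
)

function Get-MA([string]$Name) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    $ma
}

function Invoke-RunProfile([string]$MaName, [string]$ProfileName) {
    $ma = Get-MA $MaName
    $t0 = Get-Date
    $result = $ma.Execute($ProfileName).ReturnValue       # blocks until the run has finished
    [pscustomobject]@{
        MA        = $MaName
        Profile   = $ProfileName
        Result    = $result                               # 'success', 'completed-*', 'stopped-*'
        Seconds   = [int]((Get-Date) - $t0).TotalSeconds
        CSObjects = $ma.NumCSObjects().ReturnValue        # objects in this MA's connector space
        ExportAdd = $ma.NumExportAdd().ReturnValue        # CS objects still pending export add
        ExportUpd = $ma.NumExportUpdate().ReturnValue
        ExportDel = $ma.NumExportDelete().ReturnValue
    }
}

function Get-ExportErrors([string]$MaName) {
    # RunDetails() returns the XML of the MA's most recent run; called right after the export step
    [xml]$details = (Get-MA $MaName).RunDetails().ReturnValue
    foreach ($e in $details.SelectNodes('//export-error')) {
        [pscustomobject]@{ DN = $e.dn; Error = $e.'error-type' }
    }
}

foreach ($step in $sequence) {
    $r = Invoke-RunProfile $step.MA $step.Profile
    Write-Host ('{0,-8} {1,-14} {2,-32} {3,4}s  cs={4} +{5}/~{6}/-{7}' -f $r.MA, $r.Profile, $r.Result,
                $r.Seconds, $r.CSObjects, $r.ExportAdd, $r.ExportUpd, $r.ExportDel)
    if ($r.Result -eq 'success') { continue }
    if ($step.Profile -eq 'Export') {
        Get-ExportErrors $step.MA | Format-Table -AutoSize | Out-String | Write-Host
    }
    if ($r.Result -like 'completed-*') { Write-Warning "$($r.MA) $($r.Profile): $($r.Result), continuing" }
    else { throw "Stopping: $($r.MA) $($r.Profile) returned $($r.Result)" }
}
```

The counters are the quick diagnostic for the AD-to-AD case: if the export-side MA shows cs=0 after the Full Sync, there is nothing for its Export to do, because objects only appear in that connector space through provisioning (a declarative outbound synchronization rule that creates the resource, or a classic provisioning extension with provisioning enabled in the server options), not through attribute flow alone.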

SharePoint 2016 User Sync Problem


Hello,

I have set up Identity Manager for the first time to use with a new SharePoint 2016 environment. I had tried to use the default AD sync but could not get pictures to work their way over. I have followed a few instructions on getting MIM installed, the hotfix applied, the SharePoint connector installed, GitHub files downloaded, and scripts run. I am running into the issue where I cannot get the ADMA and SPMA to run successfully with the following command.

Start-SharePointSync -Confirm:$false

When I do I am getting two different Return Values.

The first is for the ADMA FullSync. I get stopped-extension-dll-file-not-found. The DLL listed in the ADMA agent is SharePointSynchronization.dll. When I navigate to the Extensions folder it is not listed. I tried another extension that was and received the same error. Event viewer gives this:

The server encountered an unexpected error:"Could not load file or assembly 'file:///C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\SharePointSynchronization.dll' or one of its dependencies. The system cannot find the file specified.

   at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadFrom(String assemblyFile, Evidence securityEvidence, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm, Boolean forIntrospection, Boolean suppressSecurityChecks, StackCrawlMark& stackMark)
   at System.Reflection.Assembly.LoadFrom(String assemblyFile)
   at Microsoft.MetadirectoryServices.Impl.ScriptHost.InitializeWorker(InitializeArguments pArgs)


InnerException=>
none"

On the SPMA FullImport, Export, and DeltaImport I am seeing extensible-connector-refresh-required. No clue on this one as I have no support I can locate.

I have deleted and recreated the run profiles and updated the management agents, to no avail. No users appear in the Metaverse search and no user data is getting to SharePoint from AD. Looking for advice and direction.


The Forefront Identity Manager Service cannot connect to the Exchange Web Service


The FIM Service server is standalone on WK28 64 Bit.  FIM Service account is Domain User, no admin rights.  Exchange server is remote and EWS is running.  Can connect to https://EWSServer/EWS/services.wsdl over browser from the FIM Service server.  However, get the following error in the Application log of the FIM Service Server (Title as above):

"The connection failure may be due to a network failure, firewall configuration error, or other connection issue.  Additionally, the failure may be due to incorrect Exchange Web Service configuration.

Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer. Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly. Last, ensure that the Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file."

I believe the configuration to be correct in the config file and have tried several different configs to resolve the issue but none have worked.

Any ideas would be welcome

Rob

Do we apply SP1 after deploying SSPR?


Hi,

We had MIM Sync and MIM Service/Portal running MIM 2016 SP1.

We have now deployed a separate server for SSPR.

We had to rerun the MIM Service/Portal setup in order to configure the SSPR URLs and service accounts.

Since we ran the MIM Service/Portal setup from the original MIM 2016 RTM .iso file, do we now need to reapply MIM 2016 SP1?

Thank you,

SK
