Channel: Forum Microsoft Identity Manager

FIM upgrade to MIM

Hello All,

I have a requirement where I need to upgrade an existing FIM environment to MIM.

Actually I have a doubt regarding the synchronization encryption key. I want to know: if we use the existing configuration (FIM) encryption key while installing MIM, will that restore all the MPRs, Sets, Sync rule and workflows that are there in the existing portal? Please confirm.

Regards,

Suman


MIM SSPR wrong error message

Hi,

We have deployed the default out of the box MIM 2016 SSPR solution.

When registering for SSPR, if a user types in a " " (i.e. space) for an answer, MIM does not respond with the expected error message of "your answer must be 4 characters or more".

Instead, MIM responds with the following wrong error message:

The password that you entered is incorrect.You must enter the correct password in order to register for Password Reset. (Error 3006)

Is this a MIM bug?

I know we can modify the 3000 message, but this clearly is the wrong error message being called by MIM. Also, I don't want to customise this error message, as it may give me the wrong message for another issue.

Any advice?

thank you,

sk



MIM Hybrid Reporting Agent Install fails with Event ID 118 / MSI Error status 1603

We are currently attempting to install the MIM Hybrid Reporting Agent, as detailed here : https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-identity-manager-hybrid-reporting

The install fails with Event ID 118 logged in the Application Event log (full details pasted below) "The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout "

Proxy access is enabled and the Azure Powershell bits are installed on the server and I am able to connect to the tenant and run various commands to confirm connectivity.

I've enabled verbose MSI reporting and this seems to be the place where the install ends with error status 1603.

SI (s) (DC!48) [10:20:23:172]: Creating MSIHANDLE (37) of type 790531 for thread 9800
CAQuietExec64:  Error 0x80070001: CAQuietExec64 Failed
MSI (s) (DC!48) [10:20:23:172]: Closing MSIHANDLE (37) of type 790531 for thread 9800
CustomAction RegisterClient returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (DC:E4) [10:20:23:172]: Closing MSIHANDLE (33) of type 790536 for thread 7588
Action ended 10:20:23: InstallFinalize. Return value 3.

...

...

[10:20:28:124]: Windows Installer installed the product. Product Name: Microsoft Identity Manager Hybrid Reporting. Product Version: 4.3.2041.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.


Any suggestions for next troubleshooting steps would be gratefully received...

Alastair

-

Log Name:      Application
Source:        MIM Hybrid Reporting Monitoring Agent
Date:          21/11/2016 10:20:23
Event ID:      118
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      IMMIMSTPDVVW01.devswad.net
Description:
Agent.Main;Client activation failed:The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout.
System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System ........

FIM 2010 R2 Lotus Domino MA error

Hi,

I'm currently setting up a lab environment with the following configuration:

  • a FIM 2010 R2 single server (with FIM Sync and FIM service)
  • a Lotus Domino 8.5 server with customized LDAP schema
  • Installed Domino Lotus 8.x connector to FIM (http://www.microsoft.com/en-hk/download/details.aspx?id=29038) in FIM server
  • Installed Lotus Domino Client 8.5 FP3

I have tried to create a Management Agent (step 2 Connectivity) to Lotus Domino and I got the following error on event log:
 "Microsoft.MetadirectoryServices.ExtensibleExtensionException ---> System.NullReferenceException: Object reference not set to an instance of an object. 
   at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoConfig.GetOrganizationalUnit(KeyedCollection`2 configParameters) 
   at Microsoft.IdentityManagement.MA.LotusDomino.Common.DominoConfigParam.GetConfigParameters(KeyedCollection`2 configParameters, ConfigParameterPage page) 
   at Microsoft.IdentityManagement.MA.LotusDomino.LotusDominoMA.Microsoft.MetadirectoryServices.IMAExtensible2GetParameters.GetConfigParameters(KeyedCollection`2 configParameters, ConfigParameterPage page) 
   --- End of inner exception stack trace --- 
   at Microsoft.IdentityManagement.MA.LotusDomino.LotusDominoMA.Microsoft.MetadirectoryServices.IMAExtensible2GetParameters.GetConfigParameters(KeyedCollection`2 configParameters, ConfigParameterPage page) 
Forefront Identity Manager 4.1.3419.0" 

I would like to know if there is any problem with how I am creating the Management Agent?

Regards,
Tonny


Do we apply SP1 after deploying SSPR?

Hi,

We had MIM Sync and MIM Service/Portal running MIM 2016 SP1.

We have now deployed a separate server for SSPR.

We had to rerun the MIM Service/Portal setup, in order to configure the SSPR URLs & Service Accounts.

Since we ran the MIM Service/Portal setup from the original MIM 2016 RTM .iso file - do we now need to reapply MIM 2016 SP1?

Thank you,

SK

MIM and managing Admin accounts

Hi,

We are looking at managing our Admin accounts using MIM.

However, when an Admin account is placed in any of the following groups, as listed in this article https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx, the AdminSDHolder attribute is set to 1....which means MIM cannot manage this account any more.

How have others used MIM/FIM to manage Admin accounts?

Thank you,

SK

MIM SSPR account lock out just by pressing Cancel on the Pwd Reset Screen

Hi,

So our MIM 2016 (build 4.3.2266.0) SSPR lockout gate is configured as follows:

  • Lockout duration after Lockout Threshold is reached (minutes): 15
  • Lockout Threshold – number of times the user can fail to complete the workflow: 3
  • Number of times the user can reach the Lockout Threshold before permanent lockout: 1

At logon, if a user clicks "Problems Logging In?", but DOES NOT complete the Answers and simply clicks the CANCEL button on the screen where the Questions are presented, MIM takes that as an incomplete set of Answers and locks the account in the MIM Portal.

Surely this is a MIM bug?

Regards,

SK


FIM will provision mailboxes based on the user's office location

FIM will provision mailboxes based on the user's office location. If so, can you help us on the rule extension part/Sync rule/Workflow/PS WF activity to proceed further?

Please help us out on this.

thanks

Sivakama


Help with SAP ECC6 on MIM 2016 Web Services Connector failing to make .wsconfig file

When I run the discovery tool I am getting the following error

What's weird is it completely reads the .WSDL file and returns all the info you would expect, then I get this error.

In the WSDL this is what I see as configured by the only binding in the service

<sp:TransportBinding xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:HttpBasicAuthentication/>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>

Has anyone ever seen this before?

A lot of errors in event viewer on FIM Sync server.

I have thousands of errors in event viewer > applications and services logs > Forefront Identity Manager Synchronization > Operational. They are all very similar. What causes them?

HRESULT: '0x0' Source: 'd:\bt\25920\private\source\miis\server\mgmt\perfmon\prfdata.cpp(654)'  Thread ID: '0x213C' Additional Info: ''

HRESULT: '0x80070002' Source: 'd:\bt\25920\private\source\miis\server\mgmt\perfmon\prfdata.cpp(956)'  Thread ID: '0x213C' Additional Info: ''

HRESULT: '0x80230404' Source: 'd:\bt\25920\private\source\miis\server\sqlstore\csobj.cpp(8254)'  Thread ID: '0xCF4' Additional Info: ''

HRESULT: '0x80070002' Source: 'd:\bt\25920\private\source\miis\server\mgmt\perfmon\optex.cpp(245)'  Thread ID: '0x22AC' Additional Info: ''



Sync groups from AD to FIM

I'm trying to sync groups (DL and Security) along with their membership from one AD to another AD. I'm referencing the sample https://technet.microsoft.com/en-us/library/ff686936(v=ws.10).aspx and I'm not able to find the "Scope" and "Type" attributes to map.

They are also not included in the "Show All" for the Select Attributes page.

Any idea what I'm missing?

Thank you.

David


David Downing

Your easier chance to become a medal winner FIM Guru winner for November!

Dearest Microsoft Technologists!

This is your last minute call for November Gurus!

You have just over a week left to submit anything you post to TechNet Wiki, into our competition, and you could win BIG!

With the management in turmoil due to MVP Summits and RL interruptions, there has been low publicity this month for the competition.

This simply means any half decent submission to TechNet Wiki can win a medal... and a place in history!

Changes are under way in this competition, and medals will count towards REAL WORLD PRIZES in the new year...

So get in while you can, and start making a name for yourself in your favourite technologies

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker - Azure MVP


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Users Bulk Load into FIM best approaches

Hi,

We have a requirement of loading users into FIM using .CSV files. Currently we have implemented this using FIM Sync. Below are the MAs we used to export the users to FIM and then to FIM Sync.

SQL MA

FIM MA

ADDS MA

We are looking into areas of improvising with respect to performance. What can be better approach for Bulk Load of users into FIM? Can we use FIM Client/FIM API instead of FIM Sync? Please Suggest.

Thanks

Prasanthi.

MIM SSPR client does not honor "Enforce Password History" Domain Password Policy setting

Hi,

We are running the MIM solution and SSPR (MIM v 4.3.2266.0).

Our AD Domain password policy has "Enforce Password History" set to 5.

When using the MIM SSPR client, "Enforce Password History" is totally ignored, and we are able to reuse the same password over and over.

When attempting to change password from the Ctrl-Alt-Del screen, only then is password history enforced.

Is this a MIM SSPR bug?

thanks,

sk


SQL deadlocks after upgrading to MIM 2016

I've upgraded my development FIM 2010 R2 environment to MIM 2016 (4.3.2195) on new virtual servers (same underlying hardware).  The OS is Server 2012 R2 and SQL is 2014 Standard (12.0.4213.0). I'm getting hundreds of failed-modification-via-web-services errors when exporting to the FIM connector which look to be due to deadlocks:

Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1205, Level 13, State 51, Procedure GenerateRequestOutput, Line 1148, Message: Transaction (Process ID 110) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
   at System.Data.SqlClient.SqlConnection.OnError

I've worked with my DBA and we've tweaked a few things on the SQL side (including adding RAM and moving disk to new SAN storage), but it doesn't seem to have helped much at all.  My FIM 2010 setup seemed to handle largish volumes of updates like this (3000+) relatively error-free.  I'm hesitant to upgrade my production environment without resolving this, since that volume of change does occur there periodically as well.  Is there tuning I can do to reduce or eliminate this problem?  What additional information about my setup would be helpful?  Most of the person updates that are failing look to be minor and not really different from those that appear to be succeeding.

-Robert
UW-River Falls

MIM Service Event Log not created during SP1 installation

I've just done a fresh install of MIM 2016 SP1 Service and Portal. Normally I would expect to find its own event log under "Applications and Services Logs" in Event Viewer - but it's not there. Has this log been discontinued or is this a bug with the SP1 installer?

Carol


http://www.wapshere.com/missmiis

MIM 2016 Web Services Connector not Generating Verbose Log

I am using the MIM 2016 Web Services Connector to get data from SAP ECC 6.  I can successfully pull users using the default import function in the SAP ECC 6 with User wsconfig.  However, none of the other object types work.  I've reduced my MA to just pull roles. In the standard event log I get the following information.

The extensible extension returned an unsupported error.
 The stack trace is:
 
 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ServiceModel.FaultException: Web service processing error; more details in the web service error log on provider side (UTC timestamp 20161123164636; Transaction ID 58353498975B21E1E10000000AFC835B)
Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeEndService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at defaultNS.ZSapconnectorWebservice.EndBAPI_HELPVALUES_GET(IAsyncResult result)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at Microsoft.IdentityManagement.MA.WebServices.Activities.WebServiceCallActivity.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
   at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.MA.WebServices.AbstractWorkflowOperation.ThrowSyncEngineExceptionFromUnhandled()
   at Microsoft.IdentityManagement.MA.WebServices.ImportStrategy.GetImportEntries(ImportRunStep importRunStep)
   at Microsoft.IdentityManagement.MA.WebServices.WebServiceManagementAgent.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1237.0"

I'm trying to get more information about where in the connection this is failing out so I added logging in the workflow.  However, where I added logging is not actually generating any log messages.  I have all of the messages I added set to [Verbose] and [TRACE]

Then I followed the directions in the documentation to set the logging.xml file to enable verbose logging

<rules-extension-properties>
 <logging>
         <use-single-log>false</use-single-log>
         <file-name>WebServicesConnector.log</file-name>
         <logging-level>3</logging-level>
 </logging>
</rules-extension-properties>

However, even after closing the web services connector tool and resaving the .wsconfig I've been using, plus restarting the sync service, I am not getting any log entries in a file called WebServicesConnector.log as described in the documentation.  Any thoughts on why the logging isn't being produced?  Is there a "debug" setting that needs to go somewhere that's not in the documentation?

Set manager attribute in Active Directory using FIM RC1

Hi,
I am trying to set the manager attribute of a user account.
In my example the user account itself has the sAMAccountName of its manager stored in a string formatted attribute, let's say "adManagerAccount", in the metaverse.
Now I try to flow the attribute out to AD using a custom expression:
Source: /Person[accountName=adManagerAccount]
Destination: manager

If a given object has "TomTaler" as accountName and the object in question has "TomTaler" in its adManagerAccount value in the metaverse, then
in my understanding, /Person[accountName] should result in a reference to the object with the value of "TomTaler" as accountName.

I also tried to hard-code the name into the source statement without success:
Source: /Person[accountName='tomTaler']


What should the source look like so that it can be used as a reference value?

BTW: Henrik Nilsson told me not to use a string value; instead I should use a DN
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/6c5f1d1f-245f-4f84-9ddc-9261141570ea

To be more specific: the question is how to query to get the DN as a result whenever I only know the value of one unique attribute?
In the meantime I also imported the manager's DN into the metaverse in the attribute named "adDN".

EscapeDNComponent(/Person[accountName='TomTaler']/adDN)

same error.

?


Any help is appreciated.
Henry

ADMA password sync reset/change

How does ADMA password sync work?

ADMA change password (using old password set the new password)

OR

ADMA reset (set new password only)

FIM and PCNS are in the source domain and the target domain is a non-trust domain. For both domains, ADMA is configured. Is FIM able to sync a password on change in the source domain to the target domain?


Dushyant Singh

