Channel: Forum Microsoft Identity Manager

Extension-DLL-exception when doing a full sync


Basically what I'm trying to do is basically sync AD attributes of users from one forest to a resource forest using FIM. I have created the necessary management agent as well as workflows, sets, MPR and sync rules.

The configuration I made is working on a dev environment but when I try to replicate it to our PROD executing a full sync will give out a lot of errors pertaining to extension DLL exception. I have drilled down on a particular user and tried to generate a preview but the error points to the DN.



I did read an article to trim the custom expression that is mapped to the DN but to no avail.

Thanks. 


Who will be crowned the First FIM Guru of 2017!!


Time for a fresh start!

[The Guru is the means of realisation. "There is no knowledge without a teacher."]

We're looking for the first Gurus of 2017!!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN 

Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).

Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.


Thanks,

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

How to sync two active directory forests with FIM or MIM 2016.


Hello,

Please, I have a problem and would like to know if FIM can help me solve it.

We have two Active Directory forests in the same company and single physical site, however we are implementing a third-party application that only allows LDAP integration with only one forest and does not work with trust relationships.

To solve this issue I thought about synchronizing accounts that are in the forest A who need to access the system in forest B and thus not having to create user repeated in forest B and thus maintain synchronized accounts. Would it be possible?

Basically, this system would run LDAP queries in forest B, but would be able to authenticate users of the forest that would be synchronized by the FIM.

Regards

William


MIM 2016 and SQL 2014 High Availability?


Hi,

What are the options for MIM 2016 and SQL 2014 High Availability? Are we still limited to SQL Clustering?

Thanks,

SK

MIM 2016 & SQL 2012/2014 High Availability options support?


Hi,

According to the FIM Infrastructure Planning Guide (IPD):

  • FIM Service database: SQL Server can be clustered for fault tolerance (there is no mention of other high availability and disaster recovery strategies like database mirroring and log shipping in this part of the IPD document)
  • FIM Sync Service database: The FIM Synchronization Service database can be hosted on a clustered instance of SQL Server for fault tolerance. Other high availability and disaster recovery strategies like database mirroring and log shipping can also be used to provide fault tolerance for the SQL Server database, whether located locally or remotely

Question 1:

Based on this IPD document, FIM Service database does NOT support "Other high availability and disaster recovery strategies like database mirroring and log shipping"?

Question 2:

SQL these days has numerous High Availability options, how many of these are supported by both MIM databases:

- SQL Clustering

- Availability Groups

- Database Mirroring

- Log Shipping

- any other?

It would be awesome if Microsoft could give us a clear answer to these HA options for MIM SQL databases please.

Thx,

SK



BHOLD setup


What if we do not have the HROrg (sample) table while setting up BHOLD (only to be used for attestation)?

Any other way to achieve the same? 

GALSync, 2 domains, and 1 O365

Right now we're GALSyncing with MIM two forests.  So far so good as Domain A's users, groups, and contacts get converted into contacts and put in Domain B.  The same thing happens from Domain B to domain A.  Domain B has their DLs ONLY in O365 with AAD Sync syncing the AD users and contacts to O365.  We can get the O365 DLs into MIM but the problem is we just want those DLs that get converted into Contacts into Domain A, not Domain B.  Does anyone have any clue how to do this easily? 

What are FIM SQL database DR supported scenarios?


Hi,

What are FIM SQL database DR supported scenarios?

SQL Clustering?

SQL Log Shipping?

Mirroring?

etc?

thanks,

SK


SQL server 2012 AlwaysOn Availability Groups support with MIM 2016

As MIM 2016 is released, could you please advise if SQL Server 2012 AlwaysOn Availability Groups are supported with MIM 2016?

Time Based Application Access via Active Directory Groups using FIM 2010 R2


Hello,

In FIM  2010 R2, is there any way of achieving time based application access?

Scenario- A user to be allowed to access application for a certain duration only let's say for 1 month. The application is linked to Active Directory Group which has to be managed via FIM and user to be kept as member for the fixed duration only. If the user needs to have access for more time, user can request for extension.

Approach 1- Create 1 attribute("Valid Upto"-Datetime Type) and bind it with user object. Store the expiry date to future date for the users who need to have access to the application. Now, created one Criteria Based / RBAC Group mentioning the desired criteria based on "ValidUpto" attribute. As soon as the criteria doesn't match for any user, it will be thrown out of the group and for the ones whose dates will be extended will still remain a part of the group.

The above approach is challenged by client asking if they need to do this for 100 Applications, there would be a need to create 100 new attributes which will increase the data load for FIM Server as the present user count is approx - 50k(inactive) & 30k(active)

Is there any other standard way of achieving this in FIM 2010 R2, i.e. if there can be any attribute which can be created and bind to request object rather than user object which can be used commonly for all applications or the mentioned approach is standard in terms of industry best practice which won't hamper the database or any other feature of FIM 2010 R2.

Thanks.


Regards,
Manuj Khurana

How to set NULL if attribute is empty in FIM web service configuration tool?

I get an error in sync manager when I am trying to delta import an empty attribute to the portal. I need some code that will import into the metaverse only nulls if attributes are empty. After some research I found out that this might help, but I don't know how to write code in the web service configuration tool. Can someone help with that or show me where to find examples?

FIM 2010 R2 with AAD MA vs Azure AD Connect strategy.


Hi folks,

We use FIM 2010 R2 extensively and I'm at the point where I'm looking at topologies for integrating Office 365/Azure AD.

It's noted on the AAD MA download page that the MA is feature frozen with a recommendation to move to Azure AD Connect.

The immediate problems I believe I can see with this is it means provisioning becomes a double hop (MA -> on-premise AD -> Azure AD) and as a follow-on, rule extensions can't be used.

Are both of these intermediate conclusions correct and if so, how are people with established FIM/MIM footprints currently dealing with the double hop issue? I'm not keen on introducing this kind of disconnect into the topology if it's not completely necessary.

I'm also not particularly keen on treating FIM like an old backup product where I have to trigger post-execution jobs if I can avoid it. It's much cleaner both from a programmatic, efficiency and documentation (and therefore support and business continuity) perspective to keep everything coming from the source of truth to FIM, and then from FIM to the dependant system.

Cheers,
Lain

FIM R2 SP1 to MIM SP1 upgrade broke MIM Pwd Reset Portal


Hi All,
After migrating from FIM R2 SP1 to MIM SP1 we are facing an issue with password reset using the MIM Pwd Reset Portal.
Every time it is failing after we provide the new password and confirmation password page. Below are the event viewer details.
[Note: Q & A and OTP is working perfectly. Microsoft.CredentialManagement.ResetPortal]

If anyone has faced a similar issue please share the experience. We tried a few solutions which were already posted in the forum related to the below error but no luck.

Error 1: Microsoft.IdentityManagement.CredentialManagement.Portal:System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: The Request contains changes that violate system constraints. ---> The web service client has encountered the following class of error: SystemConstraint Details: Failed Attributes: Additional Text Details: The Request contains changes that violate system constraints. Correlation Identifier: f66c1f53-9634-4182-9e4c-a195147d144b Failure Message: Request Identifier:
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

Error: 2 The error page was displayed to the user. Details: Title: Access denied. Message: Error processing your request: The operation was rejected because of access control policies. Source: The supplied request content violates system rules. Attributes: Details: The Request contains changes that violate system constraints. CorrelationId: f66c1f53-9634-4182-9e4c-a195147d144b RequestId: ErrorCode: 3001 CaughtTime: 01/02/2017 21:38:43 Web Portal: FIM Password Reset Portal Session Id: anxyhd55ox5lflbxcqszl155


Aswathy Raj

Custom resource


Is it possible to allow Custom Resource type to login into FIM portal?

Import several CSEntry to one MultiValued attribute in Metaverse


Hi,

I need help to do a sync from a MA to a MV.

I explain the actual situation :
- I have one MA import from an active directory with user objects and contract objects (all are in the same ActiveDirectory).
-- I do projection with the user object to the MV
-- I do join with contract object to the user in the MV based on a rule extension that finds the principal contract only

Now I want to have all contracts of a user in a multivalue attribute in the metaverse. How can I do that?

Example :
AD user objects
Name - ID
User1 - 10001
User2 - 10002

AD contract objects
ID - Fonction - UserID
499990 - Manager - 10001
499991 - Sale assistant - 10002
499992 - IT assistant - 10002

The result must be in the MV
Name - ID - Fonction
User1 - 10001 - Manager
User2 - 10002 - Sale assistant, IT assistant

The attribute fonction must be multivalue

Can somebody give me a way to do that?

regards


SharePoint 2016 User Sync Problem


Hello,

I have set up Identity Manager for the first time to use with a new SharePoint 2016 environment. I had tried to use the default AD sync but could not get pictures to work their way over. I have followed a few instructions on getting MIM installed, hot fix applied, SharePoint connector installed, GitHub files downloaded, and scripts run. I am running into the issue where I cannot get the ADMA and SPMA to run successfully with the following command.

Start-SharePointSync -Confirm:$false

When I do I am getting two different Return Values.

The first is for the ADMA FullSync. I get stopped-extension-dll-file-not-found. The dll listed in the ADMA Agent is SharePointSynchroniation.dll. When I navigate to the extensions folder it is not listed. Tried another extension that was and received the same error. Event viewer giving this:

The server encountered an unexpected error:"Could not load file or assembly 'file:///C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\SharePointSynchronization.dll' or one of its dependencies. The system cannot find the file specified.

   at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadFrom(String assemblyFile, Evidence securityEvidence, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm, Boolean forIntrospection, Boolean suppressSecurityChecks, StackCrawlMark& stackMark)
   at System.Reflection.Assembly.LoadFrom(String assemblyFile)
   at Microsoft.MetadirectoryServices.Impl.ScriptHost.InitializeWorker(InitializeArguments pArgs)


InnerException=>
none"

On the SPMA FullImport, Export, and DeltaImport I am seeing extensible-connector-refresh-required. No clue on this one as I have no support I can locate.

I have deleted and recreated the Run Profiles and updated the Management Agents to no avail. No users appear in the Metaverse search and no user data is getting to SharePoint from AD. Looking for advice and direction.


MIM Server Sync to several ADs that don't have trust or relationship


Hello,

I have one main Domain (Domain A) that has several OUs, each OU belongs to a company. I can sync the users to the MIM Server from this Domain A, but I am trying to synchronize the MIM with other domains, but I don't get any response from the management agent. I was also trying to get the logs, but when I added the lines to activate the logs in the file "miiserver.exe.config", I started to get errors in the MIMMA.

The purpose of this is to be able to do a reset and a password registration, through the MIM Portal, in all the domains.

The Main Domain only exports the users to the MIM Server and the MIM Server should export the users to the corresponding OU/Domain, and the password synchronization can be done through MIM.

I have a SR, Workflow and a MPR for the Outbound Sync; at the moment I am just trying to sync something, not even applying filters.

PS. I believe the problem could be that I want to synchronize one user from one domain to another, but I only need the attribute accountName for this sync.

Thank you very much for the help.

MN

How to use FIM web service endpoint using JAVA?

Please share any idea or solution if you have tried. 

user profile and name

How do you change the user name at the start up of the PC?

FIM Edit Attribute


My FIM version is 2010 R2 4.1.3733.0

I have an Oracle 11g client and MA. I need to edit one attribute and change the nullable flag, but it is not possible from MA Properties.

How can I do this?

