Channel: Forum Microsoft Identity Manager

I need an integrated web portal with active directory for public services (FIM is my solution?)


Hi Guys,

I am deploying a website, and I have decided to use Active Directory for authentication/authorization/accounts (user store) for this website.

Right now I need a web portal that is fully integrated with Active Directory.

I want my public users to be able to self-register in Active Directory through this web portal, and to use Active Directory for authentication/authorization. Actually, I want this portal to use Active Directory's user store (DB) for adding/editing users, or to mirror the user store (DB) state between Active Directory and the web portal.

1- Could you tell me, is FIM a good solution for this scenario?
2- I see the last release of FIM was in 2012!!!!? Does this mean Microsoft doesn't want to support it and has stopped the update stream?

Note: I know I should use AD LDS for the relation between AD and the portal, and should not connect the two directly.





How do I resolve this reference attribute problem?


We have an Oracle HR table.

EmployeeNumber is unique and is the one we want to use as a base reference.

There is a ReportsTo attribute which contains the EmployeeNumber of the user's manager.

However, to make sense of the data in the table we have to invent an anchor in our CS consisting of 3 attributes:

EmployeeNumber + OperationType + LastModifiedTime

Having set this anchor, how can I make FIM/MIM use ReportsTo as a reference? Normally I would have set EmployeeNumber as the anchor, but that is impossible with the table supplied by HR.

I would like to sync the OracleHR MA ReportsTo attribute to the person MV attribute manager. But how?

New MIM 2016 install fails to connect to remote SQL Server


Working on installing the Synchronization Service: I specify the SQL Server on a remote machine, leave the instance as default, and it immediately returns the error, "Microsoft Identity Manager Synchronization Service is having trouble contacting SQL server using the provided information."

I don't believe this is any kind of SQL problem, as it doesn't even appear to make it to the server; Wireshark shows nothing going to it and the SQL logs don't show any connection attempts.  I can ping the SQL server, and make an ODBC connection to it using Windows Authentication.

Any ideas on things to try?  Due to how fast the error comes up, I'm guessing something is causing the failure before the connection is even attempted.

Problems Loading AD Cmdlets in a Workflow


Hello,

I'm still working with this, but I thought I'd post this to see if I can speed things up a bit.

I'm trying to set the logonHours attribute for a particular set of users using MIMWAL's PowerShell.  In short, the PowerShell script is:

# 21-byte logonHours bitmask (one bit per hour of the week, in UTC)
[byte[]]$logonHours = @(0x00,0x00,0x00,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0x00)
# look up the account and keep the result, so it can be passed to Set-ADUser
$user = Get-ADUser -Identity $AccountName
# overwrite the logonHours attribute with the bitmask
Set-ADUser -Identity $user -Replace @{logonHours = $logonHours}

This works from a PowerShell window.  It does not work running under the workflow.  It throws this error:

WAL (2.16.0320.0): 01/24/2017 09:35:28.9077: RunPowerShellScript : RunScript: PowerShell script execution resulted in 2 error(s):\nThe term 'get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

The term 'set-aduser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I tried the import-module ActiveDirectory at the beginning of the script and get this error:

WAL (2.16.0320.0): 01/24/2017 09:15:55.2184: RunPowerShellScript : <SetupStreamEventHandlers>b__0: The 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1' module cannot be imported because its manifest contains one or more members that are not valid. The valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Author', 'CompanyName', 'Copyright', 'ModuleVersion', 'Description', 'PowerShellVersion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrameworkVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'FormatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'ModuleList', 'FileList', 'FunctionsToExport', 'VariablesToExport', 'AliasesToExport', 'CmdletsToExport'). Remove the members that are not valid ('HelpInfoUri'), then try to import the module again.

I read something about adding a startup tag to the FIMServer config file.  Did that and the FIMService won't start with that in there.  Maybe I'm not putting the tag in the right place.  But, I stuck it as a child node to the configuration tag. 

I don't want to get into the code extensions, as that would require my client to maintain a developer for this, which they don't want. So, I'm trying to stay "in the box".  I haven't seen anything about being able to do this with sync rules.  What I've read suggests a rules extension.  I just need to get the PowerShell script MIMWAL to run.

Any ideas? 

Greg
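As an added example (not Greg's code or part of the original post): PowerShell helpers that build and decode the 21-byte logonHours bitmask, so a value like the one above can be checked before it is written. The helper names are mine, and the layout is assumed from the User-Logon-Hours attribute documentation: one bit per hour of the week in UTC, bit 0 of byte 0 = Sunday 00:00, least significant bit first within each byte.

```powershell
# Added example, not from the post: encode/decode the AD logonHours attribute.
# Assumed layout (per the User-Logon-Hours attribute documentation): 21 bytes = 168 bits,
# one bit per hour of the week in UTC, bit 0 of byte 0 = Sunday 00:00-00:59,
# least significant bit first within each byte. Verify against a known account first.

function New-LogonHoursMask {
    param(
        # Hashtable: day of week (0 = Sunday .. 6 = Saturday) -> array of allowed UTC hours (0..23)
        [Parameter(Mandatory)] [hashtable] $AllowedUtcHours
    )
    [byte[]] $mask = New-Object byte[] 21
    foreach ($day in $AllowedUtcHours.Keys) {
        foreach ($hour in $AllowedUtcHours[$day]) {
            if ($day -lt 0 -or $day -gt 6 -or $hour -lt 0 -or $hour -gt 23) {
                throw "Invalid day/hour pair: $day/$hour"
            }
            $bit = ([int]$day * 24) + [int]$hour            # 0..167, Sunday 00:00 UTC = bit 0
            $mask[$bit -shr 3] = $mask[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$mask                                           # leading comma keeps the byte[] intact
}

function ConvertFrom-LogonHoursMask {
    param([Parameter(Mandatory)] [byte[]] $Mask)
    if ($Mask.Length -ne 21) { throw "logonHours must be 21 bytes, got $($Mask.Length)" }
    $dayNames = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    $allowed  = [ordered]@{}
    for ($bit = 0; $bit -lt 168; $bit++) {
        if (($Mask[$bit -shr 3] -band (1 -shl ($bit -band 7))) -ne 0) {
            $day = $dayNames[[int][math]::Floor($bit / 24)]
            if (-not $allowed.Contains($day)) { $allowed[$day] = @() }
            $allowed[$day] += ($bit % 24)
        }
    }
    return $allowed
}

# The value from the post above, decoded. Under the assumed layout, the 0xFC bytes
# (bits 2-7 set) at offsets 5, 8, 11, 14 and 17 mean Monday-Friday 18:00-23:59 UTC.
[byte[]] $fromPost = @(0x00,0x00,0x00,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0xFC,0x00,0x00,0x00)
$decoded = ConvertFrom-LogonHoursMask -Mask $fromPost
$decoded.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, ($_.Value -join ',') }

# Round trip: rebuild the mask from that schedule and compare it byte-for-byte with the post's value.
$rebuilt = New-LogonHoursMask -AllowedUtcHours @{ 1 = 18..23; 2 = 18..23; 3 = 18..23; 4 = 18..23; 5 = 18..23 }
if (($rebuilt -join ',') -ne ($fromPost -join ',')) { throw 'round trip mismatch' }
```

Because the hours are stored in UTC, a mask that looks right in the local time zone of the admin console can still permit or deny the wrong hours; decoding the value before and after the MIMWAL workflow writes it is a cheap way to catch that.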

MIM 2016 install fails, "The login is from an untrusted domain..."


Going through the install, using a remote SQL server and I get this error message.

"Error 25009. The Microsoft Identity Manager Synchronization
Service setup wizard cannot configure the specified database.
OLEDB Provider Information: Description = 'Login failed. The login is from an untrusted domain
and cannot be used with Windows authentication.'
Failure Code = 0x80004005
Minor Code = 18452
<hr=0x80230406>"

Not even sure where to start with this.  Has anyone come across this before?

What is the best way to add manager (reference attribute) to MetaVerse entry in the following situation.


We have a SQL Table of users and their managers as main source to MetaVerse.

The table is provided by HR and gives the ids for all the INTERNAL users + managers.

However, some of the INTERNAL users may have EXTERNAL managers and these manager ids will not exist in the Sql table as "user ids".

In this case FIM will flow a null to the manager field in the MetaVerse, as it cannot find (dereference) the external manager's id.

All is not lost: all managers should have AD accounts. The manager's id not in the HR table can be found in AD 99 times out of 100.

What I want to know is the best strategy to fill in the MV manager attribute when null by getting it from AD. What confuses me is the manager being a 'reference' field. This fact may limit my options.

What if I wrote some C# import attribute flow rule for the HR MA? Is it OK just to push the DN *string* of the manager found in AD into the MV manager attribute? If not, what should this C# code do?

What is the best way to cover this hole? I am sure we are not unique in this situation.

UocCaptionControl - Description text wrapping


Hi


I'm looking for a way to enter some lines of text on a TAB on the "MyProfile" ("Edit User" RCDC).

I have been trying with the UocCaptionControl, entering "Important!" in the Caption and the rest of the text in "Description". Problem is... I'm not able to control the font size or enable text wrapping. So... the font is way too big and not all of the Description text is displayed. (I have entered sample text below.)

Does anyone know of a way to accomplish such a thing?


Text sample with correct length.

Important!

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras blandit vel lacus ut laoreet. Integer molestie, lacus at euismod viverra, ligula ligula facilisis ligula, vel aliquet justo enim nec leo.
Duis nulla nunc, molestie faucibus dictum eget, pharetra in leo. Mauris non vehicula dui. Suspendisse pulvinar, lacus sit.


/Frederik Leed

Forefront Identity Management SharePoint Profile Store Connector Export Error: Value cannot be null. Parameter name: strAccountName


I am using Forefront Identity Manager 2010 R2.  We have installed the Microsoft SharePoint Profile Store connector and have set up attribute flow to my SharePoint Server.  We have disconnected and disabled the native FIM SharePoint Profile Connector that is deployed by SharePoint (this is my SharePoint DEV environment).

I followed this documentation: https://msdn.microsoft.com/en-us/library/Dn511003%28v=WS.10%29.aspx

I used input from: http://goodworkaround.com/node/70

I am pushing all the standard attributes, with no custom attributes on the SharePoint side.

Data flow is one direction from my FIM Installation to Sharepoint. We do not have any flows from SharePoint to FIM.

I have exported several thousand user objects to SharePoint with Success, photographs included.  User profiles are working and successful.

After a few days of letting the synchronization bake, I am finding that Updates to user objects are failing on Export to SharePoint with the following error (taken from the MA error message):

Export retry FAILED for Entry[ObjectType: user, Anchor: DOMAIN_USER1234__fa631765-12b1-4da1-879-2dcfd6a7afae]..
 Error: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> Value cannot be null.
Parameter name: strAccountName
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.IdentityManagement.Connector.Sharepoint.SharePointProfileImportExportService.ProfileImportExportService.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData)
   at Microsoft.IdentityManagement.Connector.Sharepoint.SharepointServiceProvider.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData)
   at Microsoft.IdentityManagement.Connector.Sharepoint.SharepointConnector.PutExportEntries(IList`1 csEntries)

I have verified that the AccountName is not blank as this error suggests.

The XML of the update request (As pulled from a network trace):

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <UpdateWithProfileChangeData xmlns="http://microsoft.com/webservices/SharePointPortalServer/ProfileImportExportService">
            <importExportId>104</importExportId>
            <profileChangeData>
                <ProfileChangeData>
                    <ProfileIdentifier />
                    <DistinguishedName>DOMAIN_USER12345__8ce5dfd2-0b49-40fb-8b56-7a2b740256cb</DistinguishedName>
                    <ObjectGuid>00000000-0000-0000-0000-000000000000</ObjectGuid>
                    <ObjectClass>user</ObjectClass>
                    <PropertyChanges>
                        <PropertyChangeData>
                            <Name>LastName</Name>
                            <ChangeType>Modify</ChangeType>
                            <Values>
                                <anyType xsi:type="xsd:string">Smith</anyType>
                            </Values>
                        </PropertyChangeData>
                        <PropertyChangeData>
                            <Name>WorkEmail</Name>
                            <ChangeType>Modify</ChangeType>
                            <Values>
                                <anyType xsi:type="xsd:string">SSMith@domain.com</anyType>
                            </Values>
                        </PropertyChangeData>
                    </PropertyChanges>
                    <ChangeType>Modify</ChangeType>
                </ProfileChangeData>
            </profileChangeData>
        </UpdateWithProfileChangeData>
    </soap:Body>
</soap:Envelope>

The SharePoint server response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>Server was unable to process request. ---&gt; Value cannot be null.

Parameter name: strAccountName</faultstring>
            <detail />
        </soap:Fault>
    </soap:Body>
</soap:Envelope>

I can delete the profile in SharePoint and after a full sync the profile will be there with the updated data.

Any thoughts on why SharePoint would be rejecting this update?




Guide for GALSync between Exchange 2010 and 2013?

Are there any good resources that walk through setting this up?  I actually have Exchange 2010 and 2016 environments, but I'm sure setting up for 2013 would be similar.  I've gone through the Microsoft guide on MIM 2016, but it only details installing the Synchronization Service (leaving many things out, I might add).  There's nothing about actually configuring the Management Agents for GALSync.

mmsmafim: MIIS.ManagementAgent.ManagedMACredentialFailureException: Failed to connect


Hi All,

I have deployed a MIM 2016 Sync Service server with SQL 2014 on a separate server. I am trying to make a test Management Agent, following the link below, but

mmsmafim: MIIS.ManagementAgent.ManagedMACredentialFailureException: Failed to connect to the specified database with the given credentials.
   at MIIS.ManagementAgent.RavenMA.InitializeConnection(XmlNode connectionInformationNode, XmlNode encryptedAttributeNode, Boolean runInitialization)
   at MIIS.ManagementAgent.RavenMA.UIInitialize(String pszInitString, Int32& pfValid, String& ppszResult)

However, the credentials I use (the account running the FIM Windows service) are correct; it has dbowner rights on the created database in SQL. I can log in to either the MIM or the SQL Server with the account, etc. What am I missing? There is no time skew on the servers.

https://technet.microsoft.com/en-us/library/mt219040.aspx (Configure MIM Sync to Synchronize from Active Directory to MIM Service)

MIM 2016 and SharePoint 2016 syncing


Hello,

I am running into an issue where I am unable to fully sync all information to SharePoint and could use some guidance. For some reason I cannot get the Manager to push into SharePoint. Other information will however push and update.

I have 3 tasks running in the Task Scheduler: a FullSync (once daily), a DeltaSync (every 30 minutes), and a PhotoProfileUpdate. When I review their history in SSM they show success 98% of the time. Occasionally I will get a "completed with warnings" on the SPMA DeltaImport. The details specify "exported-change-not-reimported" and reference the manager field.

I know the field is pulling from AD, because when I search the Metaverse I can see managers for users and am able to click them to confirm the linking is correct. Not sure what I am missing, as users will add/delete and change information as it is updated in AD. The only thing not pushing is the Manager info.

Ideas?

Export to CSV

We sync data with our new Oracle HR system via CSV files. The Oracle admins have provided an export in CSV which I have successfully imported into MIM and then exported to AD.

However, the issue now is to create an extract to CSV with changes to user accounts in AD. The changes successfully sync back to the MV. But I cannot seem to create a CSV using the "delimited file MA". I have tried the Outbound Sync Rule method with an MPR and workflow. An ERE is added to the user account, and you can see the relevant objects imported when you do a MIMMA import. However, when you export using the inbuilt "Delimited File" MA nothing happens, and the CSV file (the one specified in the Export run profile) is empty.

MIM installation failure - is Exchange needed?


Hello,

 I'm trying to install MIM 2016 on Windows 2012 R2. I've installed the synchronization service and SharePoint (although SharePoint 2013 is a pain to install). I've followed the prerequisite documentation.

Looking at the log file, the only error messages I've come across are shown below. I'm wondering if Exchange is an absolute requirement for MIM?

Thanks in advance

----------------------------------------------------------------------------------------------------------------------------

Errors DEBUG: Error 2769:  Custom Action ValidateSyncAccount did not close 1 MSIHANDLEs.

The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: ValidateSyncAccount, 1,

this package. This may indicate a problem with this package. The error code is 2826. The arguments are: ExchAndCertificateDlg, ckboxUseSSL, to the right

                Line 526: DEBUG: Error 2826:  Control ckboxExchange on dialog ExchAndCertificateDlg extends beyond the boundaries of the dialog to the right by 15 pixels

MIM Management Agent, error 1355 connecting to another forest


I'm trying to set up GALSync. I created the MA for the forest my MIM server lives in, but cannot get it to work with the trusted forest; it fails with error code 1355.  If I replace the Forest Name and Domain with the IP of a Domain Controller in that forest, it works no problem.  This screams DNS issue to me, but I can't create any sort of DNS failure: I can ping, do a reverse lookup, and do an nslookup for SRV records.

I came across an old thread that mentioned using MIISDCInfo from the MIIS Reskit, but I can't find that.  Is it still available or anything like it available for FIM or MIM?

Who will be crowned the First FIM Guru of 2017!!


Time for a fresh start!

[The Guru is the means of realisation. "There is no knowledge without a teacher."]

We're looking for the first Gurus of 2017!!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN 

Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).

Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.


Thanks,

If my reply is helpful, please mark it as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


Workflows in the Web Services Configuration Tool


Hi Everyone,

I need some help with how to write lines of code for the workflows in the FIM Web Services Configuration Tool namely:

Import (Full Import, Delta Import)
Export (Add, Delete, Replace)
Password

An online sample of the implementation or a reference with sufficient information on how to implement these workflows should help

Thanks


Akinzo

bHold learning


Hi!

Need to learn bHold role engine from scratch. Can anyone recommend any articles, books, websites other than MS technet?

thanks, 
Søren.


BHOLD core install fails: Error 1720 CA_CoreProductGetWebsiteExists script error


Getting the following error after running the core install procedures.  I've confirmed each prerequisite.  Installing as the BHOLD service account, which has local admin and domain admin membership, and also has sqladmin rights on the SQL server DB.

Product: Microsoft BHOLD Suite - Core -- Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.  Custom action CA_CoreProductGetWebsiteExists script error -2147217389, : Line 70, Column 1, 

Some additional information.

  • Running latest version of Silverlight 5.1 (version 4 is mentioned in the guide)
  • I'm installing on the same server where FIM Portal/Service and the Sync engine reside, we have a SQL server on another machine that I'm pointing to during install.
  • Windows Internal DB (for portal) and FIM services are running.
  • I noticed Windows Installer keeps shutting off, but have run through the install attempt while it was running.  Same failed result.  I ran the Microsoft Fixit Utility to see if something broke with the installed, it reported that it did not find anything....perhaps that tool shut it off?

Anyway, I have the same result. The install fails with a Core Setup window stating: There is a problem with this Windows Installer package.  A script required for this install to complete could not be run.  Call Bill, er Steve, for help.

MIM 2016 SP1 Reporting Initial Sync Failing


Hello Everyone,

I am experiencing an issue with the MIM Reporting failing on the Initial Sync. Both times I have experienced the issue it has been with the MIM 2016 SP1 install media. SCSM Service Manager is on a separate server with SQL, and the SCSM DW is on a separate server with SQL. I first complete the SCSM 2012 Service Manager and Data Warehouse installation, register the Data Warehouse, and confirm the initial MPSync job finishes with all Management Packs imported/associated. Then I run the MIM 2016 SP1 Reporting installation and confirm the MIM Management Packs are all imported/associated and showing up in Reports in the SCSM console. Then I run the FIMPostInstallScriptsForDataWarehouse.ps1 script, which completes successfully. When I run the Start-FIMReportingInitialSync.ps1 script and check the Reporting Job in the MIM Portal, it fails immediately and produces the errors below.

Firewall is off between the servers as well. Has anyone seen this issue before and have a solution?

Reporting Job Details: 

ObjectTypeName: Person,

AttributeName: ObjectType,

RequestIdentifier: 00000000-0000-0000-0000-000000000000,

ObjectID: 7fb2b853-24f0-4498-9534-4e10589723c4,

Value: Person,

DataType: String,

MultiValue: False,

Added: True,

SubscriptionDetails: <DataWarehouseClassProperty ClassTypeIdentity="FIMDW.FIMPerson" PropertyIdentity="FIMObjectType" ManagementPackIdentity="Microsoft.Forefront.IdentityManager.Datawarehouse.Base" ManagementPackVersion=”1.0.0.1”/>,

EventTime: 12/05/2016 19:38:27

Event Viewer:(Three errors connected to the issue)

Error
12/5/2016 11:38:17 AM
Microsoft.ResourceManagement.ServiceHealthSource
68 None

"The FIM Reporting ETL job failed while making a call to the System Center Service Manager Management Server SDK service.  This could be caused by a network or service interruption which is preventing communication between the FIM Service and the System Center Service Manager SDK Service, or by an internal error within System Center.

To fix this issue, ensure that there are no firewalls or network connectivity issues which may be preventing communication between these two services. Also ensure that the System Center Management and System Center Data Access services are running on the System Center Service Manager Management Server.

If you encounter this error after running your first ETL job, ensure that you have installed the FIM Reporting support scripts on your Data Warehouse machine.  You can find these scripts in the Service and Portal folder of your FIM media.

For more information about this error, view the most recent reporting job in the FIM Portal and look for any exceptions which may have occurred.
"

Error
9/21/2012 4:19:41 PM
Microsoft.ResourceManagement 3
None

Reporting Job Manager: Reporting job halted due to error.

Error
9/21/2012 4:19:41 PM
Microsoft.ResourceManagement 3
None

ObjectTypeName: Person, AttributeName: ObjectType, RequestIdentifier: 00000000-0000-0000-0000-000000000000, ObjectID: 7fb2b853-24f0-4498-9534-4e10589723c4, Value: Person, DataType: String,

MultiValue: False, Added: True, SubscriptionDetails: <DataWarehouseClassProperty ClassTypeIdentity="FIMDW.FIMPerson" PropertyIdentity="FIMObjectType" ManagementPackIdentity="Microsoft.Forefront.IdentityManager.Datawarehouse.Base" ManagementPackVersion=”1.0.0.1”/>, EventTime: 12/05/2016 19:38:27 ---> System.InvalidOperationException: Cannot find management pack with identity Microsoft.Forefront.IdentityManager.Datawarehouse.Base
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseManagementPackManager.GetManagementPack(String managementPackKey)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseObjectGenerator.CreateEnterpriseManagementObject(Guid objectIdentifier, String classType, String managementPackIdentity)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseObjectGenerator.CreateEnterpriseManagementObject(DataWarehouseClassMapping mapping)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseCollection.ProcessEntry(ExportLogEntry entry)
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseCollection.ProcessEntry(ExportLogEntry entry)
   at Microsoft.ResourceManagement.Reporting.DataProvider.DataWarehouseProvider.ProcessBatch(List`1 batch)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.ExecuteBatchOfExtractTransformLoad(IDataManager dataManager)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.ExportData(IDataManager dataManager)
   at Microsoft.ResourceManagement.Reporting.ReportingManager.RefreshSchema()
   at Microsoft.ResourceManagement.Reporting.JobManager.Run()

Management Agent for SQL Azure


I'm trying to connect the sync service to a SQL Azure database.  I'm not having luck.

Searching online, I can't find a specific statement about the default SQL MA and whether it supports Azure SQL.

Does anyone know that answer?

I'm seeing chatter about SQL Azure with ECMAs and a generic connector, plus I see an open source MA option, plus SQL Azure MAs from partners.  All of that tells me the native FIM SQL MA doesn't support Azure, but again, I'm looking for confirmation.

Thanks!
