Channel: Forum Microsoft Identity Manager

MIMWAL to compare one single attribute against a multivalue attribute


Does anyone know if there is a way in MIMWAL or otherwise, without writing custom code, to compare one attribute against a multivalue attribute?

I have a request with multiple approvers. I want to compare if Requestor is any one of the approvers.

Thanks,

Nosh


Nosh Mernacaj, Identity Management Specialist


After upgrade FIM 2010 R2 to MIM SP1 OTP SMS Gate stopped using SMSServiceProvider.dll


Hi,

One of my customers recently upgraded their FIM 2010 R2 to MIM 2016 SP1. It seems that their password reset SMS Gate stopped working. They had implemented SMSServiceProvider.dll using a gate from their telecom (and it was working fine). All the phones are registered in the format: 00971xxxxxxxxx

Right now, instead of sending an SMS, we have an error in the log coming from Azure MFA complaining that the telephone number doesn't contain an international code. It looks like it switched to using Azure MFA instead of the previously used SMSServiceProvider.dll.

How can we switch it back?


Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

FIM\MIM Confirms User Creation\Modification in AD to External System with Web Services API


Hi Everyone,

I wish to know how MIM can confirm user Creation\Modification in AD to an External System (e.g. an HR Application having a Web Services API). So I need to send, say, a SOAP message back to the External System on the status of the provisioning\modification in AD.

Thanks in anticipation for your help


Akinzo

Azure AD Connector


My requirement is to sync an HR database (SQL Server on-prem) to Azure AD. I am using FIM 2010 and the Windows Azure AD Connector. I am able to establish sync and all works just fine. Since this MA doesn’t support any password management scenario, I am running a PS script to set the password for new accounts outside FIM. That also works well.

Next user is asked to change password during first logon. As soon as user submits new password he gets this error: “Your organization doesn’t allow you to change your password on this site. Please change your password according to the method recommended by your organization, or ask your admin if you need help.”

May I know how I could allow the user to change his password? Am I missing something? Is there any workaround?

Thanks,

Shobhit Vaish

Workflow data parameters not flowing to sync rule


I am using MIM 2016 and for provisioning AD I use an MPR / Set / Workflow. The MPR is set for transition in, triggering the workflow.

In the workflow I have used some MIMWAL activities, including Generate Unique Values (for accountname) and Function to populate WorkflowData parameters (vAccountName, vHomeDirectory).

In the workflow I then use an Update Resources to set the Target/AccountName to the workflowdata/AccountName value.

In the sync rule I flow the AccountName to sAMAccountname and also the WorkflowData/vHomeDirectory.

The problem I have is that any value that is set through a Workflow parameter has a final value of null when used in the sync rule.

I have been over everything several times and tried different ways, but still have the same issue.

I do need to set these values in the workflow as opposed to the sync rule directly, so I am looking for the solution more so than a workaround, please.

Clean up of old records in an SQL MA's connector space


In order to clean up the disconnected objects from the SQL MA, I did the following steps:

1. I manually projected them from the MA's connector space into the Metaverse by applying projection rules.

2. I imported end dates and names via import rules.

3. I created a set that transitions in the objects that have end dates less than sys date (obviously these objects will transition in to the set).

4. Created an MPR that will remove the particular MA's ERE whenever an object is transitioned in to the set.

5. Tried this by doing the following steps.

              i)  Individually previewed and committed accounts.

              ii) Objects stood for export in FIM MA, ran Export on FIM MA

              iii) DIDS on FIM MA

              iv) When I see the search requests in the FIM portal, I can see that the MPR is triggered but it didn't get removed.

Could anyone please help me out? Have I missed anything?

PCNS error


Hi,

We are using Forefront Identity Manager to sync 2 Active Directory domains.

Let's call it DomainA and DomainB. A FIM server has been installed in the DomainA. Users and groups are synced between DomainA and DomainB, all works great.

Now we want to use password sync from B to A. As mentioned in https://technet.microsoft.com/en-us/library/jj590288(v=ws.10).aspx, the PCNS agent has been installed on all domain controllers for B.

Password change from DomainB (which does NOT host the FIM Server) to DomainA = error.

We have configured FIM as explained, and created an SPN entry on DomainB and target.

But when a password is changed on DomainB, it is captured by PCNS and sent to the FIM server (DomainA), and the error occurs: Status is -2146893053 - The target is unknown

On server side, we can find this log : An error has occurred during authentication to the password notification source.

0x80070534: no mapping between account names and security IDs...

Indeed, when configuring spn, we created on domain B

setspn.exe -a PCNS/server.domainb.local DOMAINB\MIMSync which may be unknown on domain A.

What should be the way to sync passwords when the FIM server is not in the source domain?

BR,

Emmanuel IT

MIM GALSync - possible to label imported contacts?

I'm syncing GALs between two Exchange organizations and I'd like the contact in each Forest to have something appended to the Display Name so they stand out. Is this possible to do?

Error deleting user: the directory service can perform the requested operation only on a leaf object.


I'm having a strange problem with an account: when FIM tries to delete it, the AD MA reports the error "The directory service can perform the requested operation only on a leaf object."

If I check the account in AD, I see that it has indeed a child object, of type msExchActiveSyncDevice. However, the account used by the AD MA has full control over the users' OU and descendant objects, so it should be able to delete that as well. If I check the permissions on that object explicitly, I see that the AD MA account *has* full control over it, and I see nothing particular about the permissions for this object (e.g. a deny permission somewhere).

It's the first time that I see this error, so I would guess that the best approach will be to assume that something has gone bananas with that object, delete it manually and forget about it, but if someone has some insights it would be great...

Cheers,
Paolo


Paolo Tedesco - http://cern.ch/idm

Password reset is not working


I tried to reset my password via FIM SSPR and I was able to successfully register for a password reset but unable to reset the password; while doing it I am getting an error like access denied.

Kindly assist me in this.



FIM 2010 RTM to FIM 2010 R2 SP1 side-by-side Migration (Certificate Management)


Hi,

My current FIM 2010 RTM is installed on Server 2008 and the CAs are 2008 R2.

I use FIM CM only.

I have installed a new CA hierarchy (2012 R2) and copied the certificate template settings as I needed.

I plan to upgrade to FIM 2010 R2 SP1 on Server 2012 R2. From what I could find, the upgrade is supported, but I couldn't find any other documentation about side-by-side migration, since I want to install FIM 2010 R2 SP1 on a fresh vanilla Server 2012 R2.

I have several questions regarding the desired configuration:

1. Do I need to install FIM RTM on the vanilla Server 2012 R2 before installing FIM 2010 SP1? Any documentation/guidelines for the FIM upgrade process and DB upgrade will be much appreciated!

2. After the FIM upgrade to 2010 R2 SP1, I'm planning to change the certificate template in an existing smart card profile template; this certificate template will be from the new (2012 R2) CA hierarchy. After I do so, will I be able to renew smart card certificates through this "updated" profile template?

I hope I'm understandable :)

thanks in advance!

Gal


MIM error on manual Join


I have installed MIM Sync 4.3.2195.0. It was a fresh install and not an upgrade.

When trying to do a manual join I get the following error:

"Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MMSErrorMessages.resources" was correctly embedded or linked into assembly "PropertySheetBase" at compile time, or that all the satellite assemblies required are loadable and fully signed."

After clicking OK I can see the error details which are as follows:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at System.String.IndexOf(String value, StringComparison comparisonType)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSErrors.AdjustErrorTextForExtensionException(String& sErrorString)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.AccountJoiner.AccountJoinerControl.Join()
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.


http://www.wapshere.com/missmiis

Want to be the Microsoft TechNet FIM Guru for February 2017?


February 2017 Guru, it’s time to share great skills as a TechNet Wiki article and WIN medal(s). Medals? Yes, you can share multiple articles in the same or different categories! Now, navigate to TechNet Guru Competition February 2017 to choose your categories and if it’s not listed add your content in Miscellaneous Category!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a February 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.


Thanks,

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Export to CSV

Sync data with our new Oracle HR system via CSV files. The Oracle admins have provided an export in CSV which I have successfully imported into MIM and then exported to AD.

However, the issue now is to create an extract to CSV with changes to user accounts in AD. The changes successfully sync back to the MV. But I cannot seem to create a CSV using the "delimited file MA". I have tried the Outbound Sync Rule method with an MPR and workflow. An ERE is added to the user account; you can see the relevant objects imported when you do a MIMMA import. However, when you export using the inbuilt "Delimiter File" MA nothing happens and the CSV file (the one specified in the Export run profile) is empty.

MIM 2016 SP1 with PAM and Skype for Business RBAC


Hi, 

I can't seem to find any information regarding delegating access (RBAC) to Skype for Business across a forest trust ("bastion forest"). Has any one of you tried this and succeeded?

Just creating a PAM group of the CsAdministrator group does not work (the group membership is listed by whoami /groups as expected when logged on) and I don't see an equivalent of Microsoft Exchange's "LinkedForeignGroup". 

Any tips, thoughts or ideas?

Andreas



Are there any C# MA extension rule 'connector filter' examples in Technet?


We need to somehow build a connector filter rule to filter on a Date attribute.

The OOB basic criteria option has things like IsPresent, StartsWith, Equals and so on. Nothing like IsAfter or IsBefore.

I understand we need to write code in the FilterForDisconnection method... but where is an example? Hunted all over with Google and Bing but no luck.

Has anyone an example I can use as a basepoint?

MIM 2016 Office365 provisioning (Soren Granfeldt PSMA)


Hi!

I have a task to manage user accounts and assign/revoke licenses for Office365 users.

This is my first experience with such an integration, so, as I understand it, I need to do 2 main tasks:

1. Import current licensing information

2. Assign and revoke licenses with information regarding user plans in the metaverse.

So, now I'm trying to make the first part work.

I get this article:

https://blog.kloud.com.au/2016/08/26/office365-licensing-management-agent-for-microsoft-identity-manager/

and am trying to run the full import run profile, but I am getting this error:

DN is unavailable / missing-anchor-value / No value provided for anchor attribute


In this thread 

https://social.technet.microsoft.com/Forums/en-US/3bf23eb9-fc1f-4f56-85aa-0c730c019a6c/missinganchorvalue-error-using-powershell-ma-soren-granfeldt?forum=ilm2

I found that the problem can be in the import script, but the script already has such a statement ($obj2.Add("objectClass","LicensePlans")), so I think that this is not a problem.

Any ideas?

Thanks!


How to provision "department" information from HR to FIM Portal to AD


Hi,

I need your help to configure/synchronize specific information from HR to the FIM Portal, then to an AD attribute: the specific information which we need to upload to AD (in the department attribute) is "the Residence" from the HR DB.

We have already configured the synchronization rules as described below, and the attribute flow which is configured on the AD MA and HR MA.

  1. HR to FIM Portal synchronization rule

  2. FIM to AD synchronization rule:

The attribute flows are configured as below (on the AD Management Agent and HR Management Agent):

ADMA:

HR MA:


LDAP query to Xpath filter


We are doing a conversion from a system that uses LDAP queries for setting dynamic groups. Is there a way to convert these queries into XPath filters easily, or do I have to do it manually for the groups?

I know that the languages have similarities, but have yet to find a way to easily do it for the 7000 groups I am converting.


Russell Lema

Using Active Directory for public services


I know that using on-premises Active Directory (local AD) for public services is not traditional, but I don't have an alternative that has AD's features, for example the many software products that integrate with AD.

I want to know whether Active Directory is a good choice for use as an authentication/authorization/account solution for a website (for public services).

Note: I don't give public users permission to access AD directly. It is possible to use ADFS between AD and public users.
