MIM 2016 SP01: Windows Server and MS SQL Server Upgrades
I am running MIM SP1 with the latest patch on Windows 2012 R2 and MS SQL Server 14 SP3. I want to start putting together a plan to upgrade both the operating system to 2016 or 2019 when it becomes officially supported, and MS SQL Server to 2016 SP2. I am only running/using FIM Sync and Service for admin purposes only. The SSPR role is in Azure now. Do any of you guys have any reference to any documentation I could use as guidelines to work on my plan?
Import Flow - Trying to set default value with a Rule Extension
Hi,
I need to implement a rule extension to set a default value for a datetime attribute
    If csentry("XYZ").IsPresent Then
        ' Reformat the source value (ParseExact arguments elided in the original post)
        mventry("xyz").Value = DateTime.ParseExact(...).ToString("yyyy-MM-ddTHH:mm:ss.000")
    Else
        ' No source value: default to the current time in the same format
        mventry("xyz").Value = DateTime.Now.ToString("yyyy-MM-ddTHH:mm:ss.000")
    End If
It does the desired formatting where there is a value in the source (csentry).
However, when there is no value in the source, the rule extension code does not run and I can see in the Preview the "Not Applied" in the status column.
Why does this happen, and how can I ensure a default value in the Metaverse?
Thanks,
JD
Approval for modification person's information
Our system typically has the 4 roles below:
- HRMS: Human Resources Management System
- MIM
- AD
- ADFS
Synchronization flow HRMS => MIM => AD with 3 MA (HRMS, MIM, AD), 3 MPR (HR, MIM outbound, AD inbound).
For adding a new person on HRMS, I am using this MIMWAL https://github.com/Microsoft/MIMWAL/wiki/New-Accounts-Approval to approve/reject before provisioning to AD. It works very nicely. But I don't know how to configure it for modifying a person's information in HRMS and approving before synchronizing to AD, as with the add-new function.
I'm a newbie on MIM, please help me.
Thank you for any suggestion!
MFA Authenticator App on Android - Which Operating System-versions are required for the app?
Hi,
We have an organization which is looking to implement MFA with the Authenticator app. Today they have many different Android phones, different models with different Android OS versions. I looked up the requirements for the app here: https://play.google.com/store/apps/details?id=com.azure.authenticator&hl=en
It states: "Requires Android: varies with device"
Where can I find a list of Android devices and required OS-versions for the Authenticator App? Or does my organization have to try to figure this one out by ourselves?
New to MIM, looking for assistance on triggering workflows in order
Hi folks, I'm new to MIM and gradually learning as I go. I have a solution which pulls data from an HR app (via csv file) and creates AD users based on that. I'm no developer and also want to keep the solution as simple as possible for the end users of the system. To that end I've tried as much as possible to only use workflows and rules from within the MIM portal where possible, with everything else padded out with MIMWAL (eg PowerShell commands etc). I have a situation where I have MIMWAL generating a unique username (feeding in to an outbound sync rule to AD, so after the user object has been pulled in to MIM), I also have a workflow set up to run a PowerShell command (Add-ADGroupMember) to configure the default AD group memberships - however, this PowerShell command is not executing correctly, as it sees the username (for the "-Members" instance) as being NULL. The script works perfectly well executing via PowerShell logged in as the user account that is being used so the script is fine - but I'm wondering if the issue I'm hitting is because both the unique username generation workflow and the Add default groups workflow are firing at the same time - which is possibly resulting in the AD group workflow firing before a samAccountName has been passed to AD. How can I stagger the workflows? I'm thinking it would be via MPRs and Sets (both the workflow for the group membership and the unique name generation fire on transition in to the All People set), but I can't for the life of me work out how I can pass a user to a set based on completion of a sync rule, or to check whether the user exists in AD and use that as the basis. I daresay I'm sounding like a complete newbie and missing something completely obvious to those more familiar with the app and I can definitely detect some eyerolls :) but can anyone give me a starter for 10 as to how to get the AD group workflow to only trigger after the account name has been generated?
I should also add that there are multiple different default AD group workflows which are dependent on different job titles if that makes any difference.
Essentially, I want - workflow to generate unique name -> Outbound rule to AD -> workflow to add default AD groups
I'm sure I'm missing something simple.
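Added example, not part of the original post: the body of a MIMWAL "Run PowerShell Script" activity that refuses to run until the AD account actually exists and picks the default groups by job title. The ordering itself is normally obtained in MIM by letting the group-membership MPR fire on transition into a set whose filter requires an attribute that is only populated once the AD object exists (for example objectSid flowed back in by an inbound sync rule from AD, so the set transition happens after export and re-import); this script is the second line of defence, so a premature run fails visibly on the request instead of silently adding nothing. The parameter names (mapped from [//Target/AccountName] and [//Target/JobTitle]), the group names and the job titles are assumptions.

```powershell
# Added example (not from the original post). Assumed: MIMWAL passes [//Target/AccountName]
# and [//Target/JobTitle] as the named parameters below; group and title names are placeholders.
param(
    [AllowEmptyString()] [string] $AccountName,
    [AllowEmptyString()] [string] $JobTitle
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Default group sets keyed by job title; '*' applies to everyone.
$defaultGroups = @{
    '*'                = @('GG-AllStaff')
    'Service Desk'     = @('GG-ServiceDesk', 'GG-VPN')
    'Systems Engineer' = @('GG-Engineering', 'GG-VPN', 'GG-ServerAdmins')
}

function Get-DefaultGroups([string] $Title) {
    $groups = @($defaultGroups['*'])
    if ($Title -and $defaultGroups.ContainsKey($Title)) { $groups += $defaultGroups[$Title] }
    return $groups | Select-Object -Unique
}

# Fail loudly. An empty AccountName means this workflow fired before the unique-name
# workflow and the outbound sync rule produced the AD object; a thrown error is visible
# on the request in the portal, whereas a null -Members only yields a generic parameter error.
if ([string]::IsNullOrWhiteSpace($AccountName)) {
    throw 'AccountName is empty: the AD account has not been provisioned yet.'
}

# -Identity accepts a sAMAccountName and throws ADIdentityNotFoundException if it is not in AD yet.
try {
    $user = Get-ADUser -Identity $AccountName
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    throw "No AD user '$AccountName' yet; the export to AD has not happened."
}

foreach ($group in Get-DefaultGroups $JobTitle) {
    # Idempotent: re-running the workflow must not error on memberships that already exist.
    $current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty distinguishedName
    if ($current -notcontains $user.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }
}
```

The script runs under whatever account the MIMWAL activity is configured with; that account needs write access to the member attribute of the groups in the table, and nothing more.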
Access denied, Permission Issue
We have a domain admin account which is used in the Active Directory connector. We have configured "stage a delete" in the AD connector, delete the user through the synchronization configuration triple from the portal, and have defined the object deletion rule in MIM: if the FIM connector is disconnected, delete from the metaverse.
All scenarios are working fine. Users are deleted based on the object deletion rule and "stage a delete" in the AD connector. There is a problem with an account operator account: it has been deleted from the metaverse perfectly, but when we export the AD connector we get an access denied error for deleting this account from AD.
I have checked all the permissions in AD. My account is a domain admin account, and when I delete this user manually in AD it works fine.
Can anyone help me where I am missing the permission in MIM.
Oracle Management Agent Creation Failure
I know this question has been asked a dozen times already, but I don't know if there has ever been a definitive answer to what is going on aside from the recommendations to use the Generic SQL connector in lieu of the Oracle connector to connect to an Oracle database. Like many I still get the message about the unlinked assembly.
I have followed about all the recommendations in the several threads I have been revisiting, like:
- Oracle Client 11.2.0.4 installed with the administration option;
- The connection to the database with tnsping works, and I can use sqlplus username@db_alias without any problem, showing the tnsnames.ora file is correctly set up. In fact I have one entry in that file and the entire entry is on one line with no spaces, to avoid another potential issue raised in one of the threads;
- Accounts associated with both FIM Service and FIM Synchronization Service have full rights to the Oracle install folder;
- Used the .NET installUtil.exe to re-register/re-install Microsoft.DirectoryServices.MetadirectoryServices.Config.dll;
- Provided the table name as schema.table_name;
- I am running MIM 2016 SP1 (4.5.412.0) on Windows 2016 with latest updates
The connection with the generic SQL connector works, but I would like to get the Oracle connector working as well. Is there anything that needs to be done regarding the Oracle.ManagedDataAccess.dll library? I do use that library with some Powershell scripts to connect to the same database, and I wonder if that is not being loaded if it is even used.
using IIF with an AND operation
Dear All,
How do I use IIF with an AND operation in a custom expression?
Requirement: if location = location1 and department = IT, the output value should be OU=Department,OU=location1,DC=domain,DC=com
thanks in advance.
shashidhar
disable textbox only in MIM control “UocIdentityPicker”
We have an issue with the MIM control "UocIdentityPicker" in RCDC. For some cases we need to set this control as disabled in edit so that it is visible but the user cannot select any data using the picker. So we set the Enabled property of this attribute to False. The issue is that the control consists of a textbox and buttons for selection, and when we set Enabled=false the buttons are disabled and dimmed but the user can still write in the textbox and add data. The screenshot below shows how the control looks when Enabled is set to True and when it is set to False, but in both cases the textbox is editable.
mano_meee
Access to Portal
Good Day!
I have a working MIM 2016 installation but I cannot seem to allow users access to the portal. My install account has access and I have manually added another user to the admin set. Syncing is in place so that domain, SID and sam are being synced into the portal. When the user authenticates they receive:
Service not available
I am seeing error 10 in the event log on the portal server:
The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.
Ensure the portal configuration is present and points to the resource management service.
I have tried various tips online but they mostly point to a mis-configuration that would cause all users to be unable to access the portal, but I can access the portal with the install account.
Ideas?
Thanks
Generic SQL Connector: issues when exporting deletion of multivalue attribute (e.g. removal of last group member)
I'm running MIM Sync (v4.5.412.0) with the newest release of Generic SQL Connector (v.1.1.953.0). I have a non-complex setup in the Microsoft SQL database:
[Users] table
[Groups] table
[GroupsMV] table (used for 'MemberID' multivalue attribute in Group objects - basically storing group memberships)
All imports/exports are done with Table operation (so no custom SQL statements or Stored Procedures). Exporting AD users, AD groups and additions/removals of memberships to the SQL database works perfect - except for one thing:
If the last member(s) in a group is removed, export to SQL is not doing what it should. No errors during connector Export, but an "exported-change-not-reimported" error during re-import. If I look in the GroupsMV table, no records were deleted during export.
Running a SQL Trace I can see the following (one working example, one error example):
-----------------------------
When removing 2 of 4 members from 'MemberID' multivalue attribute on Group 1 (works correctly):
exec sp_executesql N'SELECT COUNT(*)
FROM GROUPSMV
WHERE ( ( MemberID = @P1 ) AND ( GROUP_ID = @P2 ) ) ;',N'@P1 nvarchar(36),@P2 nvarchar(36)',N'018e67c1-677c-4296-8464-9a91f47b98dc',N'b02d9a85-f405-49a6-8c37-6d9d5eea4288'
exec sp_executesql N'DELETE FROM GROUPSMV
WHERE ( ( MemberID = @P1 ) AND ( GROUP_ID = @P2 ) ) ;',N'@P1 nvarchar(36),@P2 nvarchar(36)',N'018e67c1-677c-4296-8464-9a91f47b98dc',N'b02d9a85-f405-49a6-8c37-6d9d5eea4288'
exec sp_executesql N'SELECT COUNT(*)
FROM GROUPSMV
WHERE ( ( MemberID = @P1 ) AND ( GROUP_ID = @P2 ) ) ;',N'@P1 nvarchar(36),@P2 nvarchar(36)',N'33463cdb-f9d4-44c5-9abb-b4349f69663d',N'b02d9a85-f405-49a6-8c37-6d9d5eea4288'
exec sp_executesql N'DELETE FROM GROUPSMV
WHERE ( ( MemberID = @P1 ) AND ( GROUP_ID = @P2 ) ) ;',N'@P1 nvarchar(36),@P2 nvarchar(36)',N'33463cdb-f9d4-44c5-9abb-b4349f69663d',N'b02d9a85-f405-49a6-8c37-6d9d5eea4288'
-----------------------------
When removing last 2 members from 'MemberID' multivalue attribute on Group 1 (error, records are not removed in MV-table):
exec sp_executesql N'SELECT COUNT(*)
FROM GROUPSMV
WHERE ( GROUP_ID = @P1 ) ;',N'@P1 nvarchar(36)',N'b02d9a85-f405-49a6-8c37-6d9d5eea4288'
exec sp_executesql N'DELETE FROM GROUPSMV
WHERE ( GROUP_ID = @P1 ) ;',N'@P1 nvarchar(2)',NULL
-----------------------------
The last delete statement seems to be lacking the GROUP_ID value, as it's NULL. But we can clearly see that it's the correct value in the select statement. As far as I understand, it should work correctly by deleting all memberships for specific group if it just weren't for the GROUP_ID being NULL.
Is this a bug in the Generic SQL Connector? Has anyone seen this behavior in the past, and if so - got a solution or troubleshooting tips?
Regards,
Stian S.
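Added example, not part of the original post: a reproduction of the two DELETE shapes from the trace above against a scratch copy of the GroupsMV table, binding the parameters exactly as the connector does (nvarchar), so you can confirm that the NULL-bound @P1 in the last statement is what leaves the rows behind. In SQL, `GROUP_ID = NULL` is never true, so a DELETE with that predicate is a no-op and the rows stay for the next import to trip over. The connection string, database and the two extra member GUIDs are constructed for the example; the group and first two member GUIDs are the ones from the trace.

```powershell
# Added example (not from the original post). Assumes a SQL Server and scratch database you
# are allowed to write to (placeholder connection string); the table mirrors the trace.
$connStr = 'Server=sql01;Database=ScratchMIM;Integrated Security=True;'
$groupId = 'b02d9a85-f405-49a6-8c37-6d9d5eea4288'
$members = @('018e67c1-677c-4296-8464-9a91f47b98dc', '33463cdb-f9d4-44c5-9abb-b4349f69663d',
             '5d0c9c0a-1111-4f3a-9b1e-aaaaaaaaaaaa', '7b1e2a4c-2222-4b8e-8f3d-bbbbbbbbbbbb') # last two constructed

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$conn.Open()

function Invoke-NonQuery([string] $Sql, [hashtable] $Params = @{}) {
    # Parameterised like the connector (nvarchar(36) bindings); a $null value is bound as DBNull,
    # which is what the trace shows for the failing statement. Returns rows affected.
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
    foreach ($name in $Params.Keys) {
        $p = $cmd.Parameters.Add($name, [System.Data.SqlDbType]::NVarChar, 36)
        $value = $Params[$name]
        if ($null -eq $value) { $value = [DBNull]::Value }
        $p.Value = $value
    }
    return $cmd.ExecuteNonQuery()
}

Invoke-NonQuery "IF OBJECT_ID('dbo.GROUPSMV') IS NULL CREATE TABLE dbo.GROUPSMV (GROUP_ID nvarchar(36) NOT NULL, MemberID nvarchar(36) NOT NULL);" | Out-Null
Invoke-NonQuery "DELETE FROM dbo.GROUPSMV WHERE GROUP_ID = @G;" @{ '@G' = $groupId } | Out-Null
foreach ($m in $members) {
    Invoke-NonQuery "INSERT INTO dbo.GROUPSMV (GROUP_ID, MemberID) VALUES (@G, @M);" @{ '@G' = $groupId; '@M' = $m } | Out-Null
}

# Shape 1 (some members removed): one DELETE per member with both keys bound.
$removedOne   = Invoke-NonQuery "DELETE FROM dbo.GROUPSMV WHERE MemberID = @P1 AND GROUP_ID = @P2;" @{ '@P1' = $members[0]; '@P2' = $groupId }
# Shape 2 (last members removed) as the connector issued it: GROUP_ID bound to NULL.
$removedNull  = Invoke-NonQuery "DELETE FROM dbo.GROUPSMV WHERE GROUP_ID = @P1;" @{ '@P1' = $null }
# Shape 2 with the value the preceding SELECT COUNT(*) used: removes whatever is left.
$removedBound = Invoke-NonQuery "DELETE FROM dbo.GROUPSMV WHERE GROUP_ID = @P1;" @{ '@P1' = $groupId }

"per-member delete: $removedOne row(s); NULL-bound group delete: $removedNull row(s); value-bound group delete: $removedBound row(s)"
$conn.Close()
```

If the NULL-bound statement reports zero rows and the value-bound one removes the remainder, the data and permissions are fine and the defect is in the parameter the connector binds when the multivalue attribute becomes empty; a stored-procedure export (which the connector also supports) lets you control that statement yourself until the connector is fixed.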
using IIF function for DN logic
Dear All,
How do I use the IIF function for the requirement below?
Requirement: if location = location1 and department = department1, the output value should be OU=department1,OU=location1,DC=domain,DC=com
thanks in advance.
shashidhar
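Added example, not part of either post above: the two requirements (location1 + IT, and location1 + department1) are the same branching, which in a sync-rule custom expression is written with nested IIF, one per condition, for instance `IIF(Eq(location,"location1"),IIF(Eq(department,"department1"),"OU=department1,OU=location1,DC=domain,DC=com","OU=Unassigned,DC=domain,DC=com"),"OU=Unassigned,DC=domain,DC=com")`, and the RDN should be wrapped in MIM's EscapeDNComponent() when it comes from user data. The PowerShell below expresses the same logic as a table-driven, testable function, including the RFC 4514 escaping the expression relies on, so the mapping can be checked against HR data before it is typed into the portal. The OU table and the fallback container are assumptions.

```powershell
# Added example (not from the original posts): the sync-rule DN logic as a testable function.
# OU names and the fallback container are placeholders; keys are "location|department".
$ouByLocationAndDepartment = @{
    'location1|department1' = 'OU=department1,OU=location1,DC=domain,DC=com'
    'location1|IT'          = 'OU=IT,OU=location1,DC=domain,DC=com'
}
$fallbackContainer = 'OU=Unassigned,DC=domain,DC=com'

function ConvertTo-EscapedRdnValue([string] $Value) {
    # RFC 4514: escape , + " \ < > ; = anywhere, plus a leading '#' or space and a trailing space.
    # Without this, a display name like "Doe, John" would produce a DN with an extra RDN.
    $escaped = $Value -replace '([,+"\\<>;=])', '\$1'
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function Get-TargetDn([string] $DisplayName, [string] $Location, [string] $Department) {
    # Same decision as the nested IIF: both attributes must match, otherwise use the fallback.
    $key = "$Location|$Department"
    $container = if ($ouByLocationAndDepartment.ContainsKey($key)) {
        $ouByLocationAndDepartment[$key]
    } else {
        $fallbackContainer
    }
    return "CN=$(ConvertTo-EscapedRdnValue $DisplayName),$container"
}

# Constructed sample rows, the kind of input the sync rule would see from the HR MA.
$sample = @(
    @{ DisplayName = 'Doe, John';  Location = 'location1'; Department = 'IT' },
    @{ DisplayName = 'Jane Roe';   Location = 'location1'; Department = 'department1' },
    @{ DisplayName = 'Sam Smith';  Location = 'location2'; Department = 'IT' }
)
foreach ($row in $sample) {
    Get-TargetDn -DisplayName $row.DisplayName -Location $row.Location -Department $row.Department
}
```

Keeping the mapping in a table rather than a chain of IIFs also makes it obvious which combinations fall through to the fallback OU, which is where misplaced accounts usually end up when HR sends an unexpected department string.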
Missing SQL Server Agents
I have run into a problem with the SQL Server Agent jobs being missing on the SQL database for MIM.
I have tried using the repair option to get them re-created, but there is still no trace of them on the database instance.
The MIM server talks to a dedicated SQL instance as part of our SQL cluster, and due to issues the DB filled up; I found that the jobs that were supposed to clear it down were missing.
Any help on how to clear this up would be great.
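Added example, not part of the original post: a check of which FIMService SQL Agent jobs exist on the instance, whether they are enabled, and when they last ran, followed by a manual start of the purge job if it is present. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a placeholder instance name, and the four job names that MIM Service setup creates (FIM_DeleteExpiredSystemObjectsJob, FIM_MaintainGroupsJob, FIM_MaintainSetsJob, FIM_TemporalEventsJob); verify those names against an instance where the jobs are known to exist.

```powershell
# Added example (not from the original post). Assumes the SqlServer module and that the
# MIM Service database lives on the placeholder instance below.
Import-Module SqlServer
$instance = 'sqlcluster\MIM'
$expected = @('FIM_DeleteExpiredSystemObjectsJob', 'FIM_MaintainGroupsJob',
              'FIM_MaintainSetsJob', 'FIM_TemporalEventsJob')

# Job outcome rows (step_id = 0) from sysjobhistory; run_status 1 = succeeded.
$query = @"
SELECT j.name, j.enabled,
       MAX(msdb.dbo.agent_datetime(h.run_date, h.run_time)) AS last_run,
       MAX(CASE WHEN h.run_status = 1 THEN 1 ELSE 0 END)  AS ever_succeeded
FROM msdb.dbo.sysjobs AS j
LEFT JOIN msdb.dbo.sysjobhistory AS h ON h.job_id = j.job_id AND h.step_id = 0
WHERE j.name LIKE 'FIM[_]%'
GROUP BY j.name, j.enabled;
"@
$jobs = Invoke-Sqlcmd -ServerInstance $instance -Database msdb -Query $query
$present = @($jobs | Select-Object -ExpandProperty name)

foreach ($name in $expected) {
    if ($present -notcontains $name) { Write-Warning "Missing SQL Agent job: $name" }
}
$jobs | Format-Table name, enabled, last_run, ever_succeeded -AutoSize

# A job that exists but never ran is as bad as a missing one for database growth, so also
# confirm SQL Server Agent is running on the node that currently owns the instance.
Get-Service -ComputerName ($instance.Split('\')[0]) -Name 'SQLAgent*' |
    Format-Table Name, Status -AutoSize

# Kick the purge job off by hand once, then watch its outcome in the history above.
if ($present -contains 'FIM_DeleteExpiredSystemObjectsJob') {
    Invoke-Sqlcmd -ServerInstance $instance -Database msdb `
        -Query "EXEC dbo.sp_start_job @job_name = N'FIM_DeleteExpiredSystemObjectsJob';"
}
```

On a clustered or Always On instance, make sure the jobs are present on every node or replica that can host the FIMService database; a job that only exists on the node where setup ran will disappear from view after a failover.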
How to prevent directly sync MIM to AD in case of modifying people
Hi everyone
Our system typically has the 4 roles below:
- HRMS: Human Resources Management System
- MIM
- AD
- ADFS
Synchronization flow HRMS => MIM => AD with 3 MA (HRMS, MIM, AD), 3 MPR (HR, MIM outbound, AD inbound).
I am using this MIMWAL https://github.com/Microsoft/MIMWAL/wiki/New-Accounts-Approval for approving before provisioning to AD.
In the case of modifying: I cannot set the value of the flag (ProvisionToAD) from HRMS to MIM to prevent updating the Person from MIM to AD directly without approval.
Please help me understand why I cannot set the value through a Synchronization Rule. How can I achieve the following order?
Edited on HRMS => Set "Provision to AD" attribute (metaverse) in MIM => Approved => Sync to AD
Thank you for any suggestion!
MIM 2016 - Oracle HCM Cloud Integration - RestApi
Hi,
With one of our clients we are working on integrating MIM 2016 with Oracle HCM Cloud using the REST API. I have recently worked on integrating MIM with ServiceNow and I was able to pull the user records. I used the same ECMA 2.0 code to integrate with ORACLE HCM CLOUD, but I am getting "Object not set to an instance of an object" when I run a FULL Import.
I am using https://<host>.<host>/hcmCoreApi/resources/latest/emps to connect to ORACLE HCM Cloud. I observed one thing: when I browsed the SERVICENOW REST API in IE it works fine and shows the data in the browser itself, but when I execute that of ORACLE HCM it exports the data to a file and gives a popup to save the file.
I am using the code from below link for building ECMA 2.0 connector for ORACLE HCM Cloud. The Error Object reference is being thrown at Line:124 in below Link.
http://a-zenith.blogspot.in/2016/09/mim-2016-fim-service-now-ma.html
I have changed the attributes to those that I want but still I am getting Error "stopped-extension-dll-exception" with below eventlog entries...,
The extensible extension returned an unsupported error.
The stack trace is:
"System.NullReferenceException: Object reference not set to an instance of an object.
at FimSync_Ezma.EzmaExtension.GetImportEntries(GetImportEntriesRunStep importRunStep) in c:\Users\admin\Documents\Oracle HCMExtension\Oracle HCMExtension.cs:line 121
Forefront Identity Manager 4.3.1935.0"
Any help Appreciated. Thanks.
Regards, Chandan
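Added example, not part of the original post: the NullReferenceException in GetImportEntries is the usual symptom of a connector that dereferences the JSON envelope of one API against the response of another. ServiceNow's Table API wraps records in "result", while Oracle Fusion/HCM Cloud REST collections come back as "items" with "count", "hasMore", "limit" and "offset" for paging; code written for the first finds nothing at the expected property and then iterates a null. The PowerShell below parses both shapes defensively and fails with a message naming the keys it actually saw, which is what you want in the run history. The two JSON bodies and the field names inside the records are constructed for the example; the commented request at the end assumes basic authentication and a placeholder host.

```powershell
# Added example (not from the original post). The two bodies are constructed to mirror the
# ServiceNow ("result") and Oracle HCM Cloud ("items"/"hasMore") envelopes; record fields are placeholders.
$serviceNowBody = '{"result":[{"user_name":"jdoe","email":"jdoe@example.com"}]}'
$oracleHcmBody  = '{"items":[{"PersonNumber":"100042","WorkEmail":"jdoe@example.com"}],"count":1,"hasMore":false,"limit":25,"offset":0}'

function Get-RecordArray([string] $Json) {
    $doc = $Json | ConvertFrom-Json
    # Try each known envelope key; anything else is a hard error that lists the keys present,
    # instead of a NullReferenceException somewhere inside the import loop.
    foreach ($key in 'result', 'items') {
        $prop = $doc.PSObject.Properties[$key]
        if ($prop -and $null -ne $prop.Value) { return ,@($prop.Value) }
    }
    $seen = ($doc.PSObject.Properties.Name) -join ', '
    throw "Unexpected response envelope: expected 'result' or 'items', got: $seen"
}

function Test-HasMore([string] $Json) {
    # Oracle's envelope pages: keep requesting with offset += limit while hasMore is true.
    $doc = $Json | ConvertFrom-Json
    $p = $doc.PSObject.Properties['hasMore']
    return [bool]($p -and $p.Value)
}

# The equivalent of the connector's GetImportEntries loop, run over both bodies.
foreach ($body in $serviceNowBody, $oracleHcmBody) {
    $records = Get-RecordArray $body
    '{0} record(s); hasMore={1}' -f $records.Count, (Test-HasMore $body)
}

# Against the live endpoint, ask for JSON explicitly and check what came back before parsing.
# A browser offering to save the response to disk means the content type was not one it
# renders inline, so inspect the Content-Type header, not the shape you expected.
# (Placeholder host; $cred holds the integration user's credentials.)
# $resp = Invoke-WebRequest -Uri 'https://host.example.com/hcmCoreApi/resources/latest/emps' `
#             -Headers @{ Accept = 'application/json' } -Credential $cred
# $resp.Headers['Content-Type']
# $records = Get-RecordArray $resp.Content
```

In the ECMA2 code the same guard belongs in GetImportEntries before the loop over records: test the deserialised property for null and throw an ExtensibleExtensionException with the envelope keys, so the run history shows the cause rather than "stopped-extension-dll-exception".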
Add Users to multiple groups, when adding into first group
Hi MIM Team ,
I want the scenario below; please help me achieve it with MIM.
1) I have a group called L2UsersGroup, where I have User1, User2, User3, User4 as default members or as added by the owner of the group, and there is no limit on the number of users in the group.
Group Name - L2UsersGroup
Members - User1, User2, User3, User4
2) I have another group called L2AdminGroup. Once users are added to the group mentioned in point (1), they should get added to the L2AdminGroup by default.
Steps i have done:
- I have done nested groups (added the second group to the first group), but it didn't work and the users were not added to the point (2) group L2AdminGroup.
- I have done by using the below link as well. but no success
https://justidm.wordpress.com/2016/03/25/mimwal-update-set-membership-based-on-group-membership/
I need expert suggestions on this to resolve it and get the users added to the second group (L2AdminGroup) from the first group (L2UsersGroup).
Thanks to one and all.
MIM 2016 Installation - Cannot get Portal to open, configure MV for Synchronization
Dear Experts,
I have been struggling for a week to get MIM 2016 installed in a greenfield environment. My configuration is
Sharepoint 2016 and MIM 2016 on the same Server
SQL 2016 on a different Server
I have repeatedly tried to set up the portal, following the SharePoint prep outlined in [docs.microsoft.com/en-us/microsoft-identity-manager/prepare-server-sharepoint]. The server was just registered in SPN. I do not have a certificate, and because this is a lab environment I planned to use NTLM. The portal installed last night, but now I get only three login prompts, and I'm passed to a blank page. Please guys, I really need a win here; any help will be greatly appreciated.
Background....
I was able to install SharePoint, and SQL with minimal issues. MIM Installation required me to walk through the process installation. The last component to install is the Portal. I have the MIM Service running, the Synchronization Manager has MA's created and installed for my Active Directory, and a HCM. I see records populating the Current State for both Management Agents, but the Metaverse is blank.
Praying for a miracle, hoping I'm not that far off.
Patrick
MIM Portal - Asks for credentials 3 times and then gives a white page
So I can access the MIM portal using the address hostname.domain.com. The portal works fine. But then I want to access the portal with mimportal.domain.com, and now the browser asks for my credentials 3 times and then returns a blank white screen.
So what is the issue? I have configured a DNS A record with mimportal.domain.com to point to the MIM portal IP address.
I have not configured Kerberos. I have followed http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/ this manual to install the portal.
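Added example, not part of either of the two posts above: the checks and changes that usually sit behind "works on the machine name, three prompts and a blank page on any other name". Three things have to agree on the extra host name: the SPN held by the app pool account (if Negotiate/Kerberos is in play), the SharePoint alternate access mapping (otherwise the request reaches no web application at all), and, when you browse from the portal server itself, the Windows loopback check, which rejects non-machine host names with exactly this prompt-three-times behaviour even under NTLM. Host names, the app pool account and the zone are assumptions; run it in an elevated SharePoint Management Shell on the portal server.

```powershell
# Added example (not from the original posts). Placeholders: host names, app pool identity, zone.
$machineUrl  = 'http://mimsrv01.domain.com'      # the URL that already works
$portalUrl   = 'http://mimportal.domain.com'     # the URL that prompts three times
$portalHost  = 'mimportal.domain.com'
$appPoolUser = 'DOMAIN\svcMIMSharePoint'         # identity of the portal web application's app pool

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Kerberos: HTTP/<host> must be registered once, on the app pool account, for every name
#    the site is reached by. A duplicate or a wrongly placed SPN fails Kerberos silently and
#    the browser falls back to prompting. -S refuses to add a duplicate; -X lists duplicates.
setspn -Q "HTTP/$portalHost"
setspn -X
setspn -S "HTTP/$portalHost" $appPoolUser

# 2. SharePoint must map the extra name to the same web application, or the request is not
#    served by the MIM Portal site at all.
$webApp = Get-SPWebApplication $machineUrl
$mapped = Get-SPAlternateURL -WebApplication $webApp | Where-Object { $_.IncomingUrl -eq $portalUrl }
if (-not $mapped) {
    New-SPAlternateURL -WebApplication $webApp -Url $portalUrl -Zone Intranet | Out-Null
}
Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize

# 3. Browsing from the server itself: whitelist the name for the loopback check rather than
#    disabling the check (DisableLoopbackCheck=1 weakens NTLM reflection protection host-wide).
$msv   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$names = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
if ($names -notcontains $portalHost) {
    $names = @($names | Where-Object { $_ }) + $portalHost
    Set-ItemProperty -Path $msv -Name BackConnectionHostNames -Type MultiString -Value $names
    Restart-Service IISAdmin -Force          # IIS re-reads the list on restart
}

# 4. Confirm which authentication the web application is set to negotiate per zone.
(Get-SPWebApplication $machineUrl).IisSettings.GetEnumerator() |
    ForEach-Object { '{0}: Kerberos disabled = {1}' -f $_.Key, $_.Value.DisableKerberos }
```

After the SPN and mapping changes, test from a workstation (not the server) with the extra host name in the browser's local intranet zone; if that works and the server-side test still prompts, the remaining difference is the loopback check.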
MIM Sync without a PORTAL
Novice to MIM,
However, I have a project I'd like to deliver in two days, and avoid the Portal altogether. Will the solution below provide this capability? I have SharePoint, Active Directory, and my management agents created. I have Current State data, but nothing in the Metaverse data. I am hopeful this is a fairly straightforward solution. Can you please share any procedures you have used in the past to enable this replication.
Thank you.
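Added example, not part of the original post: driving the Synchronization Service without the Portal from PowerShell, through the Sync Service's WMI provider, and then checking whether anything actually landed in the metaverse. Objects only move from a connector space into the metaverse when the MA has a projection rule (or a join rule matching an existing metaverse object) and import attribute flow configured; a Full Import alone fills "Current State" and nothing else, which matches what the post describes. Provisioning new AD objects without the MIM Service requires a metaverse rules extension (IMVSynchronization.Provision), since declarative sync rules live in the Service. MA names, run profile names and group membership are assumptions.

```powershell
# Added example (not from the original post). Assumed: MAs named 'HCM' and 'AD', the default run
# profile names, and execution on the sync server as a member of the MIMSyncAdmins group.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-MA([string] $Name) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    return $ma
}

function Invoke-MARunProfile([string] $MaName, [string] $RunProfile) {
    # Execute() blocks until the run finishes and returns the run result string.
    $rc = (Get-MA $MaName).Execute($RunProfile).ReturnValue
    if ($rc -notin 'success', 'completed-no-objects') {
        throw "$MaName / $RunProfile ended with '$rc'; check Operations in the Sync Manager"
    }
    "$MaName / $RunProfile : $rc"
}

function Get-MAConnectorSummary([string] $MaName) {
    $ma = Get-MA $MaName
    [pscustomobject]@{
        MA            = $MaName
        CSObjects     = [int] $ma.NumCSObjects().ReturnValue
        Connectors    = [int] $ma.NumTotalConnectors().ReturnValue     # joined/projected into the MV
        Disconnectors = [int] $ma.NumTotalDisconnectors().ReturnValue  # in the CS only
    }
}

# Source side first: stage the HR data, then synchronize it into the metaverse.
Invoke-MARunProfile -MaName 'HCM' -RunProfile 'Full Import'
Invoke-MARunProfile -MaName 'HCM' -RunProfile 'Full Synchronization'
# Target side: stage AD, synchronize (joins existing accounts; provisioning needs an MV extension), export, confirm.
Invoke-MARunProfile -MaName 'AD'  -RunProfile 'Full Import'
Invoke-MARunProfile -MaName 'AD'  -RunProfile 'Full Synchronization'
Invoke-MARunProfile -MaName 'AD'  -RunProfile 'Export'
Invoke-MARunProfile -MaName 'AD'  -RunProfile 'Delta Import'   # confirms the exported changes

# Zero connectors on the HCM MA after a Full Synchronization means no projection rule (or the
# wrong metaverse object type in it), not a failed run; the run result is still 'success'.
'HCM', 'AD' | ForEach-Object { Get-MAConnectorSummary $_ } | Format-Table -AutoSize
```

Run profiles are serialised by the Sync Service; script them one after another as above rather than in parallel, and keep a Delta Import after every Export or the next run reports the changes as pending.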