Channel: Forum Microsoft Identity Manager

Invalid-DN During Export on a SQL MA


Hit a confusing error recently on a SQL MA.  This SQL MA has no reference attributes, and the anchor is simply a GUID (good enough for the FIM MA, right?).

On Export there are a few objects with an Export Error of "invalid-dn".  This is confusing because this MA has no DNs.  The problem here is that the MA has pending exports for objects that don't exist in the target SQL table. 

In my case these objects are waiting to be cleaned up by a Full Import, so I expect these to just go away naturally without any of my invasive meddling.

Weird error, I would have preferred something more like "Object not found".  Hopefully the next person that gets this error finds this post ;-)


CraigMartin – Edgile, Inc. – http://identitytrench.com


Error creating Generic SQL MA

I am trying to create the Generic SQL MA.
I use a simple SQL database layout, with no multi-value attributes right now.
One attribute has a primary key to use as the anchor.
Schema Detection Step 1 is OK (object type).
Schema Detection Step 2 is OK (attribute type).
After selecting the Anchor and DN, when I hit Next, I get the error:
"The given key was not present in the dictionary"

Any help is appreciated.
Henry

MIM 2016 Oops!Something went wrong. The ajax called failed, please contact your administrator.


I have followed the instructions in this article:

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-3-prepare-pam-server

However, when opening the PIM Roles for activation URL from PRIVClientWorkstation, it returns an error:

"Oops!Something went wrong. The ajax called failed, please contact your administrator.

Status Code : 403 

Error Forbiddon

" 

Inside the PAM server, the page opens fine. Outside the PAM server it returns error 403. A screenshot is attached. Any idea what the reason could be? I have followed the step-by-step instructions on the Microsoft website: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam

PAM 2016 Transition a group to Privileged Access Management

Microsoft Privileged Access Management (PAM) Supported Non-Domain Client/Workstation?


Hi All,

 

We are planning to deploy Microsoft Privileged Access Management (PAM) in our environment. Below are some queries regarding Microsoft Privileged Access Management (PAM).

 

  1. Can privileged accounts on non-domain/workgroup servers, e.g. Windows Server, Linux, Unix, AIX, Oracle, SQL, be managed via PAM?
  2. How can we manage service accounts in the existing AD, as these accounts are required to run the services?

 

Thank You,

Asad Ali

userAccountControl and EmployeeStatus


Hi,

I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512,514)

However, how would I do this in reverse?

Here is my thinking: 'userAccountControl' can have these values:

512    - Enabled Account
514    - Disabled Account
544    - Enabled, Password Not Required
546    - Disabled, Password Not Required
66048  - Enabled, Password Doesn't Expire
66050  - Disabled, Password Doesn't Expire
66080  - Enabled, Password Doesn't Expire & Not Required
66082  - Disabled, Password Doesn't Expire & Not Required
262656 - Enabled, Smartcard Required
262658 - Disabled, Smartcard Required
262688 - Enabled, Smartcard Required, Password Not Required
262690 - Disabled, Smartcard Required, Password Not Required
328192 - Enabled, Smartcard Required, Password Doesn't Expire
328194 - Disabled, Smartcard Required, Password Doesn't Expire
328224 - Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226 - Disabled, Smartcard Required, Password Doesn't Expire & Not Required

So do I simply write a chain of IIF statements?

IIF(CustomExpression(Eq(userAccountControl,"66048")),"active","disabled") -> employeeStatus

How do I repeat this for all the other values in one long Custom Expression?

IIF(Eq(userAccountControl,512),"active"),IIF(Eq(userAccountControl,66048),"active"),"disabled")) ???

Thank you
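One way to do the reverse mapping, as an added example that is not code from the post: instead of one IIF per value, test the ACCOUNTDISABLE bit (0x2) of userAccountControl, and check that test against every value in the table above. Written in Python to show the logic; the flag constants are the documented AD userAccountControl bits, and the table is the one from the post.

```python
# Added example: derive employeeStatus from userAccountControl with a bit
# test rather than enumerating every possible value.

# Documented AD userAccountControl flag bits (only the ones the table uses).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
}

# The table from the post, keyed by the numeric userAccountControl value.
TABLE = {
    512: "Enabled Account",
    514: "Disabled Account",
    544: "Enabled, Password Not Required",
    546: "Disabled, Password Not Required",
    66048: "Enabled, Password Doesn't Expire",
    66050: "Disabled, Password Doesn't Expire",
    66080: "Enabled, Password Doesn't Expire & Not Required",
    66082: "Disabled, Password Doesn't Expire & Not Required",
    262656: "Enabled, Smartcard Required",
    262658: "Disabled, Smartcard Required",
    262688: "Enabled, Smartcard Required, Password Not Required",
    262690: "Disabled, Smartcard Required, Password Not Required",
    328192: "Enabled, Smartcard Required, Password Doesn't Expire",
    328194: "Disabled, Smartcard Required, Password Doesn't Expire",
    328224: "Enabled, Smartcard Required, Password Doesn't Expire & Not Required",
    328226: "Disabled, Smartcard Required, Password Doesn't Expire & Not Required",
}


def employee_status(uac):
    """Only the ACCOUNTDISABLE bit decides active vs. disabled."""
    return "disabled" if uac & ACCOUNTDISABLE else "active"


def decode_uac(uac):
    """Names of the known flag bits set in the value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def unexpected_bits(uac):
    """Bits outside the known set; non-zero means the value needs a look."""
    known = 0
    for bit in FLAG_NAMES:
        known |= bit
    return uac & ~known


def check_table():
    """True if the bit test matches the Enabled/Disabled wording of every row."""
    for value, text in TABLE.items():
        expected = "disabled" if text.startswith("Disabled") else "active"
        if employee_status(value) != expected or unexpected_bits(value):
            return False
    return True


if __name__ == "__main__":
    for value, text in TABLE.items():
        flags = ", ".join(decode_uac(value))
        print(f"{value:>6} {employee_status(value):<8} {text}  [{flags}]")
    print("table consistent with bit test:", check_table())
```

The sync-rule custom expression language has a BitAnd function, so the same single bit test can replace the chain of IIFs; values with bits outside the expected set are better surfaced than silently mapped.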



(MIM 2016) UnwillingToPerformException when adding multiple users at once


Hi,

When the sync service is exporting multiple new users into the portal all at once (around 20 or 30 at a time) and the workflows start to fill attributes like login name, there are some users (around 20%) who don't get some of their attributes populated.

These two error messages are the ones that appear almost at the same rate:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> 
Procedure: ReRaiseException. Line number: 37. Message: A Sql failure occurred during Request processing., State 1, 
Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, 
Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, 
Procedure UpdateResource, Line 61, Message: RequestSqlOperationException: Not able to acquire a lock for UpdateResource because it is locked by another process.. 
--- End of inner exception stack trace --- 
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception) 
at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope) 
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request) 
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request) 
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy) 
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem) 
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> 
System.Data.SqlClient.SqlException: Reraised Error 50000, Level 13, State 1, 
Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 13, State 1, 
Procedure ReRaiseException, Line 37, Message: Reraised Error 1205, Level 13, State 52, 
Procedure UpdateResource, Line 587, Message: Transaction (Process ID 154) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. 
Rerun the transaction. Uncommittable transaction is detected at the end of the batch. The transaction is rolled back. 
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) 
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) 
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) 
at System.Data.SqlClient.SqlDataReader.ConsumeMetaData() 
at System.Data.SqlClient.SqlDataReader.get_MetaData() 
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) 
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) 
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) 
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) 
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader() 
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request) 
--- End of inner exception stack trace --- 
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception) 
at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope) 
at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request) 
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch) 
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request) 
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy) 
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem) 
at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)
MIM is already patched to version 4.5.412.0 because I saw that a similar bug was fixed in a recent update.

Any advice would be appreciated.


Do you want to be acknowledged as Microsoft Forefront Identity Manager Guru? Submit your work to December 2019 competition!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in December 2019 and must be in English. However, the original blog or forum content can be from before December 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share that knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki in your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Vimal Kalathil.

Thanks,
Kamlesh Kumar

If my reply is helpful please mark it as Answer or vote as Helpful.

My blog | Twitter | LinkedIn


Problems with sharing between PCs with Windows 7 domain clients under Windows Server 2019


Hi,

I had Windows Server 2008 before, and my PCs run Windows 7 and are joined to the domain; then I installed Windows Server 2019 and all services were migrated from the old Windows Server 2008.

Now the PCs under the new Server 2019 domain are not discovered and I cannot access shared folders between PCs.

PAM users for a pre-existing bastion forest.


We're adding a MIM PAM deployment to an existing bastion forest. How can we start using these bastion accounts to make PAM requests? I see how to create new accounts, but not how to use existing ones.

MIM 2016 to use for GALSync between 2x Exchange 2010 SP3


Hi all,

My question is very simple:

If I want to use MIM 2016 to run GalSync between 2x Exchange 2010 SP3 located in 2x forests (with interforest trust), do I need to install Sharepoint at all?

Thanks in advance.

Workflow for notification of criteria based group or set membership change


I've tried to search for something like this, but I haven't been able to find anything relevant. I've seen hints that it's not supported, but nothing specific to what I'm trying to do. I'm running the latest update of MIM 2016 with MIMWAL.

What I want to do is have a set or group of users with a criterion that changes somewhat regularly.  I want changes in that set/group membership to be emailed to specific people or DLs (i.e. static, not like a "welcome" email to new members of the group).

Is that something I can do without going to lengths like sending a members attribute out to SQL server to be split and imported back into a separate multivalue attribute?


MIM Sync


Hi,

I have two questions of a similar kind. I know we can sync data from on-premises AD to the MIM portal and vice versa. Also we can sync data from on-premises AD to SQL. But:

1. Can we sync data from a SQL DB to Azure AD?

  1a. If yes, how?

  1b. If no, what are the other ways?

2. Can we sync data from a SQL DB to on-premises AD?

Thanks

MIM Portal not opening on Chrome Error "Service Not Available"


I have an on-Prem installation for Microsoft Identity Manager 2016 SP1 With 3 Servers as below

  1. Sync Server
  2. Service Server
  3. Portal Server on SharePoint 2013 Foundation

The portal works perfectly on IE, but when we open it from Chrome it shows "Service not available". There are no events on the Service server, but the Portal server logs a "middle tier not available" event in Event Viewer.

The service account and portal pool account are the same, and all SPNs are set on the portal server name, the service server name, the service address and the portal address, with delegation to any Kerberos service.

I appreciate your quick response.

How do I remove parents off my microsoft account?

I received my Xbox as a gift when I was living away from home with my dad and step mum. In turn I must have had to set up a Microsoft account and somehow they must be the adults on it. I now live back with my mum and family problems mean I no longer want to speak with my dad and step mum. I recently bought a new laptop and I tried to download Chrome and realised I need to ask parent permission. They are going to ignore the email for sure and I do not wish to speak to them about removing themselves from my account. I am now 17 and practically an adult and do not want to have to rely on them for anything. I have so much game progress and things on my account. Is there a way for me to remove them without having to set up a whole new account? Cheers, Tiana.

User is not allowed to access application Azure Portal due to Legal Age Group Requirement


Hi

I chose by mistake in Azure Portal administrators profile MINOR, not ADULT! (that was very silly)

Now I cannot sign in and can't get support services etc. I can DO NOTHING.

In the sign-in process I get this error message: AADSTS54000: User is not allowed to access application Azure Portal due to Legal Age Group Requirement of application Windows Azure Service Management API.

Can anyone help me?

Please! 

I chose by mistake

Set Account Expiry for contractors


Dear All,

I am trying to set EmployeeEndDate by using the following query, but the problem is the time.

DateTimeAdd(DateTimeNow(),"180.00:00:00.0")

It's adding the current time to employeeEndDate. I want to add a fixed time.

Thanks in Advance,

Shashidhar Joliholi

How do we install the "Application Server" role features required by MIM 2016 on Windows 2016 server?


I am trying to get MIM 2016 installed on a Windows Server 2016 Standard host.

I follow the deploy MIM 2016 guide as provided by Microsoft.

In the setup Windows Server section of https://docs.microsoft.com/en-us/microsoft-identity-manager/prepare-server-ws2016

I am asked to add the Application Server role. This is deprecated in Windows Server 2016 although the guide is guiding you on Windows Server 2016!!!

In section 7 it says run these PS commands:

import-module ServerManager
Install-WindowsFeature Web-WebServer, Net-Framework-Features,rsat-ad-powershell,Web-Mgmt-Tools,Application-Server,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer -IncludeAllSubFeature -restart -source d:\sources\SxS

Seriously WTF Microsoft?

What features are required here?

Azure Security - Support needed urgently


Hi All,

We want to systematically check the existing configuration and status.
For example, to check whether the AAD Connect Health status is healthy or not.

So we need a suggestion on whether AAD logs are configured to be pushed to Azure Monitor.
Are there any PowerShell cmdlets or Graph APIs that expose these details?

1) How do we configure controls/custom policies in Azure Active Directory to configure diagnostic log delivery?
2) How do we create a custom policy for health monitoring? (Can PowerShell or the Graph API achieve this?)

Thank you. Awaiting the response.


Possible bug: MIM 2016 PAM and removal of Shadow Principal membership


TL;DR: 
Users do not get removed from shadow principals by PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL based group membership also works. Correct access has been granted to the service account. 


So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust). 

I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API results in the user being added to the shadow principal (with a TTL as expected). So far so good.

But if the role is manually deactivated before the TTL has expired, I can see all the requests go through successfully (the TTL of the PAM request is set to 0 and it is expired). However, the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as if it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.

"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from shadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

However no removal (or failure events in MIM/Event logs) actually occur. 

If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

So in other words, log-wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens, even though the logs state that 'the user was removed'.

Has anyone else run into this and perhaps can shed some light on this behavior? 


Andreas

