Channel: Forum Microsoft Identity Manager

MIM 2016 to SP1/SP2 upgrade reset RCDCs

Hi All,

Sorry if this is an obvious / stupid question. I'm running through my first MIM upgrade and I've come across an issue that I wasn't expecting and I'm not sure what is the best way to proceed.

I've upgraded an existing Dev system from 4.3.2266.0 to SP1 then SP2. Everything appears to be working except at least some of the RCDCs have been reset to what I'm guessing is default. I've since come across minor references that imply this might be expected and that you can then re-import your modifications (https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-service-pack-2-upgrade-path) but they don't provide any steps for doing this. The best I can find is this FIM upgrade guide (https://docs.microsoft.com/en-us/previous-versions/mim/jj134291(v=ws.10)). I've tried performing the restore steps but after the Import-FIMConfig / IISRESET the page still looks the same and a new export of the XML is the same as before attempting the import.

So my questions are:
1. Is it expected that RCDCs will be modified on updating MIM?
2. should the FIM RCDC import instructions have worked?
3. Is there a better way to do this that either prevents this RCDC issue happening in the first place or makes the import process easier?

Related question. Do people use the RCDC Editor Tool from Oxford and find it's worth the money?
https://oxfordcomputertraining.com/tools/rcdc-editor/#description

Thanks for any advice
Regards
Brett

Possible bug: MIM 2016 PAM and removal of Shadow Principal membership


TL;DR: 
Users do not get removed from shadow principals by the PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL-based group membership also works. Correct access has been granted to the service account.


So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust). 

I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API results in the user being added to the shadow principal (with a TTL as expected). So far so good.

But if the role is manually deactivated before the TTL has expired, I can see all the requests go through successfully (the TTL of the PAM request is set to 0 and it is expired). However, the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as if it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.

"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed fromshadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

However no removal (or failure events in MIM/Event logs) actually occur. 

If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

So in other words, log-wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens, even though the logs state that 'the user was removed'.

Has anyone else run into this and perhaps can shed some light on this behavior? 


Andreas


Upgrading MIM 2016 from Service pack 1 to Service pack 2 in High Availability environment.


Hi Everyone,

We are able to upgrade the MIM SP1 to SP2 in our standalone environments and it worked out perfectly.

But then we tried the same approach in one of our high-availability environments, which is set up with 2 zones, each zone having a separate MIM, MIM Synch and database. The zone 1 and zone 2 databases are always configured to be in synchronized mode.

We followed below steps:

  1. Installed MIM in Zone 1 using DB listener name.
  2. Applied patch and worked fine.
  3. Tried to install MIM in Zone 2 using the same DB listener, but it failed with a DB version mismatch, as the DB had already been upgraded in zone 1 because the DBs are always in synchronized mode.

Can anyone please assist us with this?

Looking forward to a response.

Thanks,

Kavish.

SSPR in a Virtual Desktop Environment


I have a scenario where SSPR will be used in a Virtual Desktop Environment (VDI). How will the GINA components interact with VDI configured in static or dynamic modes? Has anybody implemented this scenario?


Looking at how VDI works (http://blogs.technet.com/b/yungchou/archive/2010/01/06/microsoft-virtual-desktop-infrastructure-vdi-explained.aspx), the static model provides a user with a VM (with a Win OS) and the dynamic model provides a cloned personalised VM. Both models are accessed by the user via RDP. I would guess that as long as the FIM SSPR client extensions are installed on the VM (or base VM in the dynamic model) then this should work as if the user were using remote desktop to access a normal workstation.


Thanks


Paul



MIM RCDC


Hi All,

I am making two attributes "required" based on a Boolean checkbox attribute.

I have put in the AutoPostBack property, and in the Required property of those two attributes I have mentioned the value as the checkbox. But after implementing this, end users are not able to edit their profile.

An error "Null object cannot be converted to a value type" pops up.

What could be the issue?

For all users the checkbox value has been set as False and not null.

Kindly let me know if I am missing anything

Thank you


Rajesh


MIM PAM API not send information


Hello,

I am trying to run the Privileged Access Management Sample Portal.
I did the installation several times but without result.

PAM works fine, as I have tested it.

When I do Get-PAMRole, I get the list of roles in place.

When I go to the address http://pam-svr1.priv.adatum.com:8086/api/pamresources/pamroles/, I manage to download the file "pamroles.json" but it does not display the available roles as the Get-PAMRole request does.

The JSON file contains:
{
  "odata.metadata": "http://pam-svr1.priv.adatum.com:8086/api/pamresources/%24metadata#pamroles", "value": [

  ]
}

Do you have any idea? Please.

Sorry for my English.


Post MIM 2016 SP1 / SP2 upgrade issue: NetworkClearText connection


Hi All,

I've run through upgrading MIM 2016 from 4.3.2266.0 to SP1 then SP2 and I thought everything was running well, but I've been informed by Security that the Portal MA is now talking to the database using NetworkClearText (Logon Type 8) rather than the Interactive (Logon Type 2) connection it was using prior to the upgrade. I was wondering if maybe MIM was trying to use TLS 1.2 but some other part of the system wasn't able to support it, and so it was falling back to clear text instead of whatever lower protocol it was using before. I think I've enabled TLS 1.2 in SharePoint but the issue remains.

Is this expected behavior or is something not working correctly?

The SharePoint Foundation 2013 installation is still on RTM version which may also be contributing to the problem. Are there any special update requirements when it's supporting MIM or do I just follow normal SharePoint update procedures?

Thanks for any advice
Brett

PAM Sample Portal Status code: 406. Error: Not Acceptable.


I installed MIM 2016 SP2 Server in privOnly mode, with PAM feature and have the following error when deploying the PAM Sample portal.

Oops! Something went wrong. The ajax calls failed, please contact your administrator.
Status code: 406.
Error: Not Acceptable

When testing with http://mydomain.local:port/api/pamresources/pamroles I got the following error:

406 - Client browser does not accept the MIME type of the requested page.


So if I understand the error, it seems that the server is sending some information that the browser cannot parse, which is strange since I took the exact files in the src folder on GitHub.

Can someone help resolve this issue?


Thanks in advance.


MIM PAM REST API returns empty JSON file.

I installed MIM Service and Portal with the PAM module in my test environment. Everything is working fine using PowerShell cmdlets; however, when I deployed the PAM Sample User Portal from GitHub to test the REST API, the JSON file retrieved is empty. I'm looking for a way to gather some logs to troubleshoot this, as I can't see anything in Event Viewer.

Has anyone faced this issue before or have any hints about it?

Please note that using PowerShell, I can see the roles and request them.

Screenshot 

[MIM PAM] Adding groups and users from Portal with PRIVOnly Flag

When adding PAM users and PAM groups using PowerShell cmdlets, it's possible to set the PrivOnly flag to mark the environment as PrivOnly. Is this supported by the Portal as well?

For instance, what would be the equivalent of this command using the admin portal:
New-PAMGroup -SourceDomain contoso.corp -SourceGroupName T0-Admins -PrivOnly

Information on FIMAutomation Class Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject


Hello,

I am working on PowerShell scripting in a MIM on-premises environment.
I have found a lot of different scripts that use FIMAutomation, but I could not find any information or class description anywhere for the usage of the following objects.

Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject

Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange

All scripts I found about changing resource attributes in the ResourceManagementService make use of these objects to define some attribute change. But I did not find any documentation about them.
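As an added illustration (not from the original post, and not Microsoft documentation), this is the pattern the commonly circulated FIMAutomation scripts follow: one ImportObject describes a single resource to act on, and each ImportChange attached to it describes a single attribute operation, submitted together through Import-FIMConfig. Assumed: the FIMAutomation snap-in is registered on the machine, and the target Person with AccountName 'jdoe' and the attribute values are constructed sample data.

```powershell
# Added example (not from the original post). Assumes the FIMAutomation snap-in is
# registered, which the MIM Service installer does on the Service server.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# One ImportChange = one attribute operation: Add (multivalued), Replace
# (single-valued) or Delete. FullyResolved=1 means the value is literal,
# not a reference the Service still has to resolve.
function New-FimImportChange {
    param(
        [string]$AttributeName,
        [string]$AttributeValue,
        [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]$Operation =
            [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    )
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = $Operation
    $change.AttributeName  = $AttributeName
    $change.AttributeValue = $AttributeValue
    $change.FullyResolved  = 1
    $change.Locale         = 'Invariant'
    return $change
}

# One ImportObject = one resource to act on. State Put modifies an existing
# resource; Create, Delete and Resolve are the other states.
function New-FimImportObject {
    param(
        [string]$ObjectType,
        [string]$TargetObjectIdentifier,   # "urn:uuid:<GUID>" as returned by Export-FIMConfig
        [Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange[]]$Changes
    )
    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = $ObjectType
    $import.TargetObjectIdentifier = $TargetObjectIdentifier
    $import.SourceObjectIdentifier = $TargetObjectIdentifier
    $import.State   = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes = $Changes
    return $import
}

# Look up the target Person (AccountName 'jdoe' is a constructed sample value),
# then replace two attributes in a single request.
$person = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='jdoe']"
if (-not $person) { throw "Person 'jdoe' not found" }
$changes = @(
    (New-FimImportChange -AttributeName 'DisplayName' -AttributeValue 'Jane Doe'),
    (New-FimImportChange -AttributeName 'Department'  -AttributeValue 'Security Operations')
)
New-FimImportObject -ObjectType 'Person' -Changes $changes `
    -TargetObjectIdentifier $person.ResourceManagementObject.ObjectIdentifier | Import-FIMConfig
```

The request lands in the MIM Service like any other and is subject to the same MPRs and audit trail, so the resulting Request object can be inspected in the Portal's request history.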

FIM MA Export resulting in Error- Add Person failing


Hi 

I had created an AD inbound synchronization rule with the necessary mappings. I was able to import the users from AD to the portal. I am seeing some failures for some users where the export to the portal is failing. When I tried to look into the error details, I found that the FIMMA connector space object was being deleted automatically. There were some required attributes which were not coming from AD, so I changed the FIMMA mapping to allow nulls for those, but the error remains the same. Any pointers on this will be appreciated.


How to disable an attribute for particular group in MIM portal


Hello all,

I have this requirement where I need to disable an attribute so that one of the groups cannot read or update it.

Thanks.

Converting Boolean to String in FIM Portal (Outbound Rule)


All,

I need your guidance to figure out whether there is any way to convert a Boolean to a String in the FIM Portal in an Outbound rule.

The data would appear as a String in AD and as a Boolean in the FIM portal. I tried the below, but it didn't work: IIF(Eq(FIMboolean,"true"),"NOSYNC",Null()) => ADNOSYNC

Regards,
Srinwantu

Microsoft business account

How can I set up a Microsoft business account when my email is linked to my personal account? I don't want to have a separate email address for these accounts.

Errors installing MIM 2016SP2

Error While FIM MA export - Create User


Hi 

I am getting an error while doing a FIM MA export for users which are pending export. The error details do not tell much about what the error is. I checked for mandatory attributes and invalid attribute values.

Microsoft.ResourceManagement: The web service client has encountered the following class of error: RequestMessageViolatesProtocol
Details: Additional Text Details: The request does not conform to the expected request message format of the protocol.
Correlation Identifier: 54cdc002-0fa2-4303-892f-e31f5cf88030
Failure Message: 
Request Identifier: 

MultiValue tables for groups. Is there a size limitation?


I've set up multivalue tables that specify group memberships, but I've seen reports that if the secondary table, which holds the memberships, reaches 50% of the size of the primary table, which holds the user and group names, the system grinds to a halt, taking potentially days to import. Given that the secondary table is likely to be 5 or 6 times the size of the primary table in production, are multivalue tables not a viable solution to group management in MIM?

thanks,

Alistair

How does MIM start the deprovisioning process?


I pretty much understand the deprovisioning process apart from what starts it.

If there is a userid 1234 that is imported to the CS and synced to the metaverse:

DataSource (1111,...,1234,...,...) -> MA -> Import -> CS -> Sync -> Join/Project 1234

is deprovisioning started if that userid "disappears" from the feed?

DataSource (1111,...,...,...) -> MA -> Import -> CS -> Sync -> Disconnect 1234

Does that mean the CS is really just a cache, and deprovisioning is started from a diff of Import(n) vs. Import(n-1)?

Or is the missing userid (1234) noticed during the Sync? In either case, MIM needs to "diff" somewhere to find out which userids have "disappeared" from the feed. It would be good to know where that discovery happens and where that "cache" is.

thanks,

Alistair

MIM 2016 - MIMService not installing - error 'Forefront Identity Manager' (FIMService) failed to start.


Trying to install MIM 2016 and getting the FIMService failed to start error message.

I have already got these listed in User Rights Assignment (impersonate user, log on as a service, etc.) enabled in the Group Policy.

But it is failing to start when trying to install MIM Service
