Channel: Forum Microsoft Identity Manager
Viewing all 6944 articles

"stopped-extension-dll-exception" on a PS MA


Hi all,

I have this error "stopped-extension-dll-exception" on a PS MA.

In the event viewer, I can see this:

The extensible extension returned an unsupported error.
 The stack trace is:

 "System.Management.Automation.ActionPreferenceStopException: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Unable to complete this action. Try again later.
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at Granfeldt.PowerShellManagementAgent.InvokePowerShellScript(Command command, PSDataCollection`1 pipelineInput)
   at Granfeldt.PowerShellManagementAgent.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.6.263.0"

Do you have any idea about that?


Azure Global Admin

I signed up for Azure AD services after discovering that MMC no longer allowed add-ins to manage local users and groups. I began the process and think I skipped a step, as my Gmail account was my local user log-in. Now my Google email is part of the onmicrosoft.com login/account for Azure, and the Gmail address is one word without the dot separating @gmail. Can anyone tell me the step I missed? Is it pointing 'A' records or something along those lines?

How the "Object Deletion Rule" works


Hi All,

How does the "Object Deletion Rule" work for the option below?

"Delete metaverse object when connector from any of the following management agent is disconnected"

I have three agents and I have selected the "FIM MA". Please clarify whether my understanding is correct: if any deletion happens in the ADMA or SQL, will the FIM portal object be deleted?

1. Adma

2. FIM MA

3. SQL

My requirement is that if any object is deleted in AD or SQL, the FIM portal object should be deleted.

Thanks,

Arunabathan.G

Microsoft Identity Manager


Hello,

We want to deploy Microsoft Identity Manager in our company for synchronization between the HR system and Active Directory (our target is to synchronize object attributes between the HR system database and the AD DB based on HR system changes).

My concern is whether the MIM solution meets our requirement. If yes, which type of licence do we need, is the synchronization done automatically, and what are the prerequisites to deploy this solution?

Uninstall MIM 2016 Service & Portal Manually


Hello There,

I require some assistance on how to manually uninstall MIM 2016 Service & Portal. I have tried several approaches, including the URL below, but MIM 2016 just would not uninstall. I would appreciate ideas on how I can get this done to enable a clean install of MIM 2016 Service & Portal on the same server.

https://social.technet.microsoft.com/wiki/contents/articles/37711.mim2016fim2010-troubleshooting-uninstall-fails-with-error-administrator-privileges-required.aspx.

Thanks


Akinzo

MIM 2016 SP2 4.6.258.0 and deadlock issues on portal export


I am aware that there is a hotfix 4.5.286.0 that fixes deadlock issues. However, I am already on 4.6.258.0. As a matter of fact, this is a fresh install of MIM 2016 SP2 4.6.34.0 and hotfix 4.6.258.0.

The deadlock error is as follows:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 1205, Level 13, State 51, Procedure fim.CalculateRequestSetTransitionsStatementEvaluation, Line 153, Message: Transaction (Process ID 95) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

As of right now, I have not added any Sets, Workflows or MPRs, other than a few MPRs that give permissions. What I do have in the portal is more than 50,000 users and more than 3,000 criteria-based security groups.

I have also tweaked miiserver.exe.config and Microsoft.ResourceManagement.Service.exe.config.

<resourceSynchronizationClient asynchronous="true" aggregate="true" aggregationThreshold="8" delayUpdateAcknowledgements="true" exportRequestsInProcessMaximum="4"/>

<resourceManagementService externalHostName="mimtest.domain.org" maxSimultaneousSynchronizationRequests="2"/>

However, deadlock errors happen unless I disable asynchronous. SQL Server is version 14.0.3335.7, which is the latest available update for SQL Server 2017.

Please, does anybody have any idea why this is happening and how I can solve the problem?

ADMT user migration is renaming the UPN - Include file used

Hello,

I'm unable to merge accounts despite using the include file format suggested for account merge.

In domain A:

CN=User1, Test

UPN=user1@domainA.com (domainA\user1)

In domain B, the same user was set up as

CN=Test User1

UPN=TestUser1@domainB.com (domainB\testuser1)

The include file I'm using is:

SourceName,TargetSAM,TargetRDN,TargetUPN

user1,TestUser1,CN=Test User1,TestUser1@domainB.com

We opted to skip all other attributes while merging the accounts, as the users have a completely new account provisioned in domainB, and only need the SID.

The ADMT migration is merging the accounts and adding the SID, but the problem we're having is that the UPN is being renamed from TestUser1@domainB.com to TestUser10@domainB.com.

Migration Log:

[Object Migration Section]
2020-10-01 14:53:14 Starting Account Replicator.
2020-10-01 14:53:35 WRN1:7561 ADMT could not migrate some properties for this object type (user) due to schema mismatches.  Please refer to the Schema Section in the migration log for a complete listing.  The Schema Section will be available once object migration is complete.
2020-10-01 14:53:38 CN=Test User1        - Merged.
2020-10-01 14:53:39 Renamed UPN name from TestUser1@domainB.com to TestUser10@domainB.com. Cannot create accounts with the same UPN name as another UPN in the enterprise.
2020-10-01 14:53:39 Did not update password for 'CN=Test User1' as user already existed.
2020-10-01 14:54:00 SID for domainA\user1 added to the SID History of DomainB\testuser1
2020-10-01 14:54:11 Updated user rights for CN=Test User1
2020-10-01 14:54:12 Operation completed.

Please advise. I'm not sure where I'm going wrong.

Thanks in advance!

MIIServer.exe.config: tag


I have noticed the tag <resourceManagementService/> in the MIIServer.exe.config file under the MIM Sync engine configuration. In my case, that tag is commented out. Does it have to match the settings found in the Microsoft.ResourceManagement.Service.exe.config file under the MIM Service configuration if that tag is customized in the latter file?

I am referring to the parameters dataReadTimeoutInSeconds, dataWriteTimeoutInSeconds, synchronizationDataReadTimeoutInSeconds, etc.


Reset password for multiple users at a time in One Identity (Active Roles)


Hi, I have a list of more than a hundred users, and I want to reset the password for all of them at a time.

Does anyone know how I would do that, as I couldn't get any info from the Microsoft website either.

There is a feature in the latest version, but I couldn't see it:

https://support.oneidentity.com/technical-documents/active-roles/7.4/whats-new/3#TOPIC-1305582

Imported users from Active Directory to FIM portal but user has been created without any info


Hi All,

I have configured sync rules for both inbound and outbound with the necessary fields and defined the metaverse in the MIM Service.

After running the profile from Active Directory,

Delta Import
Delta Synchronization

and from the FIM run profile

Full Import
Full Synchronization
Export
Delta Import

the users are created without any information like firstname, lastname, mail, displayname, etc.

Could you please help me with what the issue could be?

Thanks,

Arunabathan.G

Access Denied to MIIS_ManagementAgent WMI Class


I keep getting the following error when attempting to run an MA via a PowerShell script under a service account. I already added the service account to the local FIMSyncAdmins group. I even added it to the local Administrators group. It is still refusing to allow the account to access the WMI class! It works fine when I run it under my account, and I don't see anything different between the permissions on my account and the permissions on the service account that I am trying to use.


Get-WmiObject : Access denied 
At C:\System\UserProfile.MIMSync\SharePointMultiSync.psm1:551 char:13
+             Get-WmiObject -Class MIIS_ManagementAgent -Namespace root ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

MA not found: 
At C:\System\UserProfile.MIMSync\SharePointMultiSync.psm1:492 char:13
+             throw "MA not found: $Name"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (MA not found: :String) [], RuntimeException
    + FullyQualifiedErrorId : MA not found: 

The specific line that is throwing the error is:

Get-WmiObject -Class MIIS_ManagementAgent -Namespace root/MicrosoftIdentityIntegrationServer

Running that under the service account produces the following error:

Get-WmiObject : Access denied 
At line:1 char:1
+ Get-WmiObject -Class MIIS_ManagementAgent -Namespace root/MicrosoftId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

I even checked the permissions on the root/MicrosoftIdentityIntegrationServer namespace, and verified that the FIMSyncAdmins group has permissions.

HELP!!!!

1908 Could not find the domain controller for this domain on PDC reboot


Hi All,

I'm doing some updates to our PDC, and every time I reboot it I get the following message ("1908 could not find the domain controller for this domain") and the source DSAs disappear. If I force a replication from a neighboring DC or wait an hour, it will go away. I was just wondering if this is something to be concerned about. Normally I'll get an "RPC unavailable" error, but I'm wondering if this is normal behavior because it's the PDC.
"repadmin /replsum" attached
Thank you in advance!

Use MIM to Sync Contacts using Normal ADMA (Without GAL Agent)


Hi Guys,

I want to sync contacts in Forest A to Forest B using MIM 2016 ADMA, NOT GAL agents.

I set up two ADMAs: one for Forest A and one for Forest B.

I am using only classic attribute flow mapping (no rule extension, only direct mapping, and no MIM Portal).

I am able to get the object from Management Agent A into the Metaverse, but when I run Export on Management Agent B, the object is not exported to Forest B.

Please guide me here.

MIM Portal Login


Hi There,

Is there a way users can log in to the MIM Portal without being prompted for credentials? In other words, using the same session token from their AD login to access the MIM Portal.


Akinzo



Reading User Attribute showing Empty Value


Hello Everyone,

We have 2 MIM portal servers which are load balanced. I created a new attribute (RegID) on the User resource and created the necessary bindings to display it on the Create/View/Edit RCDC.

The problem I have is, when I use a PowerShell script to read the values of the attribute, it shows an empty value.

$MIMUrl = "http://localhost:5725/resourcemanagementservice";

$Filter = "/Person[RegID = '78901']"
$ET = Export-Fimconfig -uri $MIMUrl -onlyBaseResources -customconfig $Filter -ErrorAction SilentlyContinue;
$ET | Foreach-Object {
    $RegID = ($_.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "RegID"}).Value;
    $AccountName = ($_.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "AccountName"}).Value;
    Write-Host ($RegID)
#   Write-Host ($AccountName)
}

When running the above code, it fetched the person object and displayed AccountName but not RegID.

As I mentioned, it's load balanced:

Running on Server 1: Returns both RegID and AccountName

Running on Server 2: Returns only AccountName but not RegID.

It's weird, could you please help?

Thanks

Durai
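As an added example (not the poster's script), the following queries each MIM Service node directly by hostname instead of through the load balancer, and reports for every wanted attribute whether the node returned a value, returned it empty, or did not return the attribute at all. The node names mimsvc01 and mimsvc02 and the RegID value are assumptions.

```powershell
# Added example, not from the original post. Assumes the FIMAutomation snap-in is
# installed and that the MIM Service nodes are reachable as mimsvc01 / mimsvc02.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$Nodes  = @('mimsvc01', 'mimsvc02')        # assumed node names, bypassing the load balancer
$Filter = "/Person[RegID = '78901']"       # same filter as in the post
$Wanted = @('AccountName', 'RegID')

foreach ($Node in $Nodes) {
    $Uri = "http://${Node}:5725/resourcemanagementservice"
    $Objects = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $Filter -ErrorAction Stop

    if (-not $Objects) {
        Write-Output ("{0,-10} no object matched {1}" -f $Node, $Filter)
        continue
    }

    foreach ($Obj in $Objects) {
        # Build a name -> value table of every attribute this node actually returned
        $Attrs = @{}
        foreach ($A in $Obj.ResourceManagementObject.ResourceManagementAttributes) {
            $Attrs[$A.AttributeName] = $A.Value
        }

        foreach ($Name in $Wanted) {
            # Distinguish "attribute not returned at all" from "returned but empty":
            # the first points at the node's view of the schema, the second at the data.
            if (-not $Attrs.ContainsKey($Name)) { $State = '<attribute not returned>' }
            elseif (-not $Attrs[$Name])         { $State = '<empty>' }
            else                                { $State = $Attrs[$Name] }
            Write-Output ("{0,-10} {1,-12} {2}" -f $Node, $Name, $State)
        }
    }
}
```

Run it from a host that can reach both nodes on port 5725; a node that lists RegID as "attribute not returned" is the one to look at first.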


MIM Portal Search for Umlaute/Special Characters (Ä, ä, Ö etc.) with PowerShell


Hello everyone

I am quite new to PowerShell and MIM. I am trying to find groups which contain Umlaute (Ä, ä, Ö etc.).

When I execute the following code, it outputs every group that contains "ä" but also the regular "a".

if (@(Get-PSSnapin | ? { $_.Name -eq "FIMAutomation" }).Count -eq 0)
{
    Add-PSSnapin FIMAutomation;
}
$groups = Export-FIMConfig -customConfig "/Group[contains(DisplayName, 'ä')] " -Uri "http://localhost:5725" -OnlyBaseResources
foreach ($group in $groups)
{
    $x = (($group.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "DisplayName"}).Value)
    Write-Host "$x"
}

What do I have to change in my script to get only the groups that contain Umlaute?

Thanks in advance!
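As an added example (not the poster's script), this keeps the server-side contains() query but runs one query per umlaut character and then filters the returned display names client-side with a case-sensitive regex, which does not fold "ä" onto "a". The set of characters (Ä Ö Ü ä ö ü ß) and the service URI are assumptions.

```powershell
# Added example, not from the original post. Assumes the FIMAutomation snap-in is
# installed and the MIM Service is reachable at http://localhost:5725.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$Uri = 'http://localhost:5725'

# Umlauts and sharp s as Unicode code points, so the script behaves the same
# no matter which encoding the .ps1 file was saved with.
$UmlautChars = 0x00C4, 0x00D6, 0x00DC, 0x00E4, 0x00F6, 0x00FC, 0x00DF |
               ForEach-Object { [char]$_ }
$UmlautRegex = '[' + (-join $UmlautChars) + ']'

$Found = @{}
foreach ($Ch in $UmlautChars) {
    # Server-side search, one query per character. Whatever the server's contains()
    # match does with accents, every candidate is re-checked below.
    $Groups = Export-FIMConfig -Uri $Uri -OnlyBaseResources `
                  -CustomConfig "/Group[contains(DisplayName, '$Ch')]"

    foreach ($Group in $Groups) {
        $Name = ($Group.ResourceManagementObject.ResourceManagementAttributes |
                 Where-Object { $_.AttributeName -eq 'DisplayName' }).Value

        # -cmatch is case-sensitive and accent-sensitive: 'a' does not match 'ä'
        if ($Name -cmatch $UmlautRegex) { $Found[$Name] = $true }
    }
}

# Each group once, even if it matched several characters
$Found.Keys | Sort-Object
```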


ADFS 3: Adding second DNS/Domain ADFS server 2012 r2


Currently we have ADFS running on Server 2012 R2, with DNS as adfs.firstdomain.com.
Now we have a requirement to add a second domain/DNS name to our existing ADFS federation for one application.

For example:
App 1: https://adfs.firstdomain.com/adfs/ls/

App 2: https://adfs.Seconddomain.com/adfs/ls/

Please let me know how to achieve this.

Thanks



PostProcessingError during a PS script


Hello all,

I have an issue with a PS script: I get the PostProcessingError error, while when I run the script manually, it works.

Encountered error during federation passive request. (Event ID 364)

Encountered error during federation passive request. 

Additional Data 

Protocol Name:

Relying Party:

Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Admin Rights, Elevated Access, ADD

I had a laptop that started off with a local Admin account. I assigned a Work account using "Join using Active Directory Domain" for the first employee. Then the employee left, and to add a new employee I simply went to "Other" on the login page and typed the new credentials without making a new account the traditional way. Everything seemed good. Two months later I realized that the user does not have admin rights to install new applications. The local account info is lost.

I can have the laptop shipped out to me to wipe it and start fresh with a new account, but there's got to be a better way... Are there any CMD scripts that can grant the domain user admin rights over the device, or any settings in the Azure AD portal to control the device and allow admin rights?

And for future devices, when a user leaves our tenant, I expect the device to give the next user admin rights as well.