Channel: Forum Microsoft Identity Manager

Event ID 3 with Approval activity

Hi

Has anyone had a problem with the Approval activity on FIM 2010 R2 SP1 (running on SPS Foundation 2013 and Windows Server 2012, just for information), where a workflow which contains an Approval activity just fails to initialize and logs an event with ID 3 (pretty generic):

Error message from Event ID 3:

Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
   at Microsoft.ResourceManagement.Workflow.Hosting.WorkflowManager.StartWorkflowInstance(Guid workflowInstanceIdentifier, KeyValuePair`2[] additionalParameters)

First I thought that it was one of my own activities, but it happens even if the only activity in the workflow is the Approval activity. Once the Approval activity is removed from the workflow, this problem is also gone.


Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl


FIM 2010 R2 Password Reset Portal - Error 3001

Hi

I am getting the following error when connecting to the FIM Password Reset Portal (FIM 2010 R2):

Access Denied Loading ... 
Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)

I have also installed the Windows FIM Client on a few test Windows 7 systems to assist in password reset tests. Please note, this function works perfectly.

All the relevant FIM 2010 R2 setup manuals were followed step by step during the install.

The following error is also generated on the Password Reset Portal (Event Viewer) when I submit a request:

User unauthorized to reset password. An unauthenticated user requested to reset the password for a user who does not have permission to reset their password using the FIM Password Reset Portal. The asserted identity was: Domain\User The user's IP address was: x.x.x.x Possible causes include: (1) user error inputting their identity, (2) user is permanently locked out, and (3) malicious user attempting to enumerate valid identities and/or reset password for other users. 

Notes: The account used for testing is a valid and active account. This account is also included in the "Password Reset User Set".

Looking forward to finding a resolution to this issue.

Cheers, Franna
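A check that follows from the event text quoted above, added here as an example and not part of Franna's post: the event records both the asserted identity and the source IP, so the three causes it lists can be told apart by counting how many different identities each IP has asserted. The sample messages are constructed, the threshold is an assumed tuning value, and the log name in the Get-WinEvent line is an assumption to be checked against where your portal actually writes the event.

```powershell
# Added example, not from the original post. Parses FIM Password Reset Portal
# "User unauthorized to reset password" events and reports source IPs that asserted
# several different identities, which is the enumeration case (3) named in the event text.

function Get-PasswordResetEnumerationSuspects {
    param(
        [Parameter(Mandatory)][string[]]$Messages,    # Message bodies of the events
        [int]$DistinctIdentityThreshold = 3           # assumed tuning value, adjust per site
    )
    # Capture groups follow the wording of the event quoted in the post.
    $pattern = "The asserted identity was:\s+(?<id>\S+)\s+The user's IP address was:\s+(?<ip>\S+)"
    $byIp = @{}
    foreach ($m in $Messages) {
        if ($m -match $pattern) {
            $ip = $Matches['ip']
            $id = $Matches['id'].ToLowerInvariant()     # DOMAIN\User and domain\user are one identity
            if (-not $byIp.ContainsKey($ip)) { $byIp[$ip] = @{} }
            $byIp[$ip][$id] = $true
        }
    }
    foreach ($ip in $byIp.Keys) {
        $ids = @($byIp[$ip].Keys | Sort-Object)
        if ($ids.Count -ge $DistinctIdentityThreshold) {
            [pscustomobject]@{
                IPAddress          = $ip
                DistinctIdentities = $ids.Count
                Identities         = ($ids -join ', ')
            }
        }
    }
}

# Constructed sample: 10.1.1.5 is one person retrying a mistyped name, 203.0.113.7 walks a name list.
$prefix = 'User unauthorized to reset password. An unauthenticated user requested to reset the password for a user who does not have permission to reset their password using the FIM Password Reset Portal.'
$sample = @(
    "$prefix The asserted identity was: ACME\jdoe The user's IP address was: 10.1.1.5 Possible causes include: (1) user error",
    "$prefix The asserted identity was: ACME\j.doe The user's IP address was: 10.1.1.5 Possible causes include: (1) user error",
    "$prefix The asserted identity was: ACME\asmith The user's IP address was: 203.0.113.7 Possible causes include: (1) user error",
    "$prefix The asserted identity was: ACME\bjones The user's IP address was: 203.0.113.7 Possible causes include: (1) user error",
    "$prefix The asserted identity was: ACME\cbrown The user's IP address was: 203.0.113.7 Possible causes include: (1) user error",
    "$prefix The asserted identity was: ACME\dlee The user's IP address was: 203.0.113.7 Possible causes include: (1) user error"
)
Get-PasswordResetEnumerationSuspects -Messages $sample | Format-Table -AutoSize

# Against the live portal (log name is an assumption; adjust to where your portal logs):
# $live = Get-WinEvent -LogName 'Forefront Identity Manager' |
#     Where-Object { $_.Message -like 'User unauthorized to reset password*' } |
#     Select-Object -ExpandProperty Message
# Get-PasswordResetEnumerationSuspects -Messages $live -DistinctIdentityThreshold 5
```

The signal is the number of distinct identities per address, not the event itself: a valid user who is locked out, or one who is missing from the Password Reset Users Set as in this post, raises exactly the same event. If the portal sits behind a reverse proxy, the logged address is the proxy's unless the proxy forwards the client address, so the count then needs to come from the proxy's own logs.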




Error 25009 installing FIM 2010 R2 Synchronization Service "Invalid object name 'mms_management_agent'

Hi,

I have a problem installing the FIM 2010 R2 Synchronization Service at a customer's site. I keep getting the 25009 error. This is a clean install and not an upgrade. The error I keep getting is:

Error 25009. The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

I have verified that I am sysadmin on the SQL server. I have tried the suggestion as per Brad Turner's blog post:

http://www.identitychaos.com/2009/09/issues-with-sql-server-in-windows-2008.html

But the problem still exists. The environment is Server 2012 for FIM and a remote SQL 2012 server. I also tested on a 2008 R2 server with SQL 2008 R2 running locally, but got the same error, so it doesn't seem to be related to OS or SQL versions but rather to some domain-related issue.

Any tips on how to solve this error would be much appreciated.

Regards

Patrik

FIM 2010 R2 - SSPR customization

I am trying to customize the registration portal so that only four questions appear, but the user is able to select different questions from a drop down. Currently it just lists the 10 questions populated through the FIM workflow.

I also need to customize the screens in the rich client, when users are using SSPR from the desktop, to include company branding, as well as re-word some of the errors the end-user may see. I was able to get the branding and error messages switched in the web portal.

Please let me know if this is possible and if so how?

FIM export stopped-server error for SSPR

Hi folks,

I am facing some problems with the FIM Export. When I ran a delta sync, in the Sync Service Manager I got the status "Stopped-Server". It worked before for a few months and all of a sudden it stopped working. It used to take about 2 min to finish successfully; now it takes about 20 min to show this error. The export statistics show 0 for all the fields.

In the system Application log, I got this "The management agent "FIM Service MA" failed on run profile "FIM Export" because the server encountered errors."

In the FIM event log, I got this:

Log Name:      Forefront Identity Manager Management Agent
Source:        ForefrontIdentityManager.ManagementAgent
Event ID:      3
Task Category: None
Level:         Error
Computer:      FIMSyncSrv.domain.local

Description:
System.InvalidOperationException: The export session has timed out waiting for responses.  

That amount of time can be configured using the exportActivityTimeoutInSeconds attribute of the resourceSynchronizationClient element within the Forefront Identity Management Synchronization Service application configuration file.  The default duration is 600 seconds.  If the volume of requests is very high, then using that attribute to increase the duration would be advisable. 

However, one should investigate why no responses to export requests have been received within the default amount of time.  Requests created on behalf of the Forefront Identity Manager Synchronization Service should be investigated to determine whether they are taking an unexpectedly long time to process. 

I have checked that both the FIM Service server and the Sync server are running the same version of the FIM binaries. No hotfix or update was installed on either FIM box when the problem started to happen. I never manually touched the sync service application config file before, so I don't really think I corrupted it. Both servers have been rebooted multiple times and I also manually bounced both the FIM Service and the Sync service multiple times, with the same error.

I don't know where to look at this point. Is there a log to trace it, or how should I continue troubleshooting?

Thanks,

FIM Outlook plugin - Disabling Group management in Outlook 2007

We are implementing the FIM Outlook plug-in for Outlook 2007. We would like to disable the ability for a user to use the global address book to manage groups and to only use the FIM plug-in. We believe we can prevent users from managing groups via the GAL via group policy, but require the control ID of the "Modify Members" button displayed below in the image. Does anyone know the control ID for this button, or how to obtain it, or a different approach? Our understanding is that we should not allow users to manage distribution lists both through the GAL and the FIM plug-in. Thanks for your help!

Scripting Identity Integration Server 2003

We're using MIIS 2003 (v3.2 SP2) to import to Active Directory from eDirectory.

I've created a simple PowerShell script that uses WMI to trigger the Run Profiles of the Management Agents on demand.  I can parse the resulting RunDetails' XML to find the number of users added into AD:

[xml]$xmlAD=$activeDirectoryMA.RunDetails().ReturnValue
$xmlAD."run-history"."run-details"."step-details"."export-counters"."export-add"."#text"

 How do I find out WHO was added?  I can see the details (distinguished names) of synchronisation errors but not of what was added (or updated) successfully.  This is easily viewable in the GUI.

Is this level of detail accessible over WMI?

Thanks!
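An added example, not from the post: the same WMI call wrapped so that a run and its run history come back as objects, with the step counters and the DNs of objects that errored pulled out of the XML. The management agent and run profile names are assumptions, and the run-history sample at the end is constructed so the parsing can be tried without a server. The caveat that bears on the question: the run-history XML carries counts and the DNs of objects that failed; it does not list the DNs of objects that exported successfully, so that is as far as RunDetails() takes you.

```powershell
# Added example, not from the original post. Runs an MA run profile through the MIIS WMI
# provider and parses the run-history XML that RunDetails() returns.

function Invoke-MaRunProfile {
    param(
        [Parameter(Mandatory)][string]$MaName,          # assumed, e.g. 'AD MA'
        [Parameter(Mandatory)][string]$RunProfileName   # assumed, e.g. 'Export'
    )
    $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                        -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    $status = $ma.Execute($RunProfileName).ReturnValue   # e.g. success, completed-export-errors
    [pscustomobject]@{
        MA     = $MaName
        Status = $status
        Steps  = @(ConvertFrom-RunDetails -Xml $ma.RunDetails().ReturnValue)
    }
}

function ConvertFrom-RunDetails {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    foreach ($step in $doc.SelectNodes('//step-details')) {
        # counters as a flat name -> number map, so export-add, export-update, ... are all kept
        $counters = @{}
        foreach ($c in $step.SelectNodes('export-counters/*')) { $counters[$c.LocalName] = [int]$c.InnerText }
        # only failed objects carry a DN in run history; successful adds are a number only
        $errors = @(foreach ($e in $step.SelectNodes('synchronization-errors/*')) {
            $typeNode  = $e.SelectSingleNode('error-type')
            $errorType = if ($typeNode) { $typeNode.InnerText } else { '' }
            [pscustomobject]@{
                DN        = $e.GetAttribute('dn')
                Kind      = $e.LocalName                 # export-error / import-error
                ErrorType = $errorType
            }
        })
        [pscustomobject]@{
            Step     = $step.GetAttribute('step-number')
            Result   = $step.SelectSingleNode('step-result').InnerText
            Counters = $counters
            Errors   = $errors
        }
    }
}

# Constructed run-history sample (not captured from a real server) to exercise the parser.
$sampleXml = @'
<run-history>
  <run-details>
    <ma-name>AD MA</ma-name>
    <run-profile-name>Export</run-profile-name>
    <step-details step-number="1">
      <step-result>completed-export-errors</step-result>
      <export-counters>
        <export-add>2</export-add><export-update>5</export-update><export-delete>0</export-delete>
      </export-counters>
      <synchronization-errors>
        <export-error dn="CN=Jane Doe,OU=Users,DC=example,DC=com">
          <error-type>permission-issue</error-type>
        </export-error>
      </synchronization-errors>
    </step-details>
  </run-details>
</run-history>
'@

ConvertFrom-RunDetails -Xml $sampleXml | ForEach-Object {
    "Step $($_.Step): $($_.Result), adds=$($_.Counters['export-add']), updates=$($_.Counters['export-update'])"
    $_.Errors | ForEach-Object { "  failed: $($_.DN) ($($_.ErrorType))" }
}

# Against a live server (names assumed):
# (Invoke-MaRunProfile -MaName 'AD MA' -RunProfileName 'Export').Steps
```

The parser walks every step-details element rather than the first one only, so a run profile with several steps (delta import followed by export, for instance) reports each step with its own result and counters.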

Load Balancing the Password Portal

All,

We are planning to load balance three password registration and reset portals that will be used by network and non-network users. I haven’t found an official guide from Microsoft on how to do this so I wanted to run the scenario by the group to see if anyone could suggest best practices. I used this document for part of my design solution.

Business Case:

Allow end users on the internal network, as well as external remote users not on the network, to register for and reset their network passwords without calling the company help desk.

Standard Set Up:

  1. We already have connectivity to FIMService so all needed ports are open between portal machines, FIM Service and FIM Sync.
  2. There are three VMs:  server1.acme.com, server2.acme.com, server3.acme.com
  3. These machines are available for internal users on the company network as well as external non-network users via reverse proxy
  4. IIS 7.5 installed on the password portal servers and SharePoint is not present
  5. Password and registration portal installed on each machine
  6. Single network adapter and IP  per machine
  7. Single password service account (FIMPassword)
  8. There are three DNS entries for password registration that point to each server: passwordregistration1.acme.com, passwordregistration2.acme.com, passwordregistration3.acme.com
  9. There are three DNS entries for password reset that point to each server: passwordreset1.acme.com, passwordreset2.acme.com, passwordreset3.acme.com
  10. We will have an NLB with the main addresses passwordreset.acme.com and passwordregistration.acme.com in front of the DNS entries
  11. We will set SPNs on FIMPassword for passwordregistration1-3 and passwordreset1-3 along with the main passwordreset.acme.com and passwordregistration.acme.com addresses
  12. We plan to set up IIS to use the appPool per the document instructions

Questions:

  1. Based on the game plan above, is this a valid approach to load balance three servers available to both internal and external users?
  2. Are there any other settings that we need to update to make the sites accessible to both network and non-network users?
  3. Any other recommendations for items we might have missed?

Cheers!
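Step 11 of the plan above as something you can run and check, added here as an example and not part of the post: every name a browser will put in a Kerberos ticket request (the three per-server names for each portal plus the two NLB names) gets an HTTP SPN on the FIMPassword account. The host names come from the post; the NetBIOS domain name "acme" is an assumption.

```powershell
# Added example, not from the original post: register the HTTP SPNs for the password
# portal names on the FIMPassword service account and check for duplicates afterwards.

$account = 'acme\FIMPassword'      # NetBIOS domain assumed
$portalNames = @(
    'passwordreset.acme.com', 'passwordregistration.acme.com',      # NLB names users type
    'passwordreset1.acme.com', 'passwordreset2.acme.com', 'passwordreset3.acme.com',
    'passwordregistration1.acme.com', 'passwordregistration2.acme.com', 'passwordregistration3.acme.com'
)

function Register-HttpSpn {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string[]]$HostNames,
        [switch]$DryRun        # print the commands instead of running them
    )
    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        if ($DryRun) { "setspn -S $spn $Account"; continue }
        # -S looks for an existing holder of the SPN forest-wide before adding; -A does not,
        # and a duplicate SPN makes Kerberos to that name fail for every client.
        $output = & setspn -S $spn $Account 2>&1
        [pscustomobject]@{ SPN = $spn; ExitCode = $LASTEXITCODE; Output = ($output -join ' ') }
    }
}

Register-HttpSpn -Account $account -HostNames $portalNames -DryRun   # review the list first
Register-HttpSpn -Account $account -HostNames $portalNames           # then register
& setspn -L $account     # what the account now holds
& setspn -X              # forest-wide duplicate report; should list nothing for these names
```

An SPN is consulted only when a client actually requests a Kerberos ticket for that name, so what matters here is the internal path; the external path through the reverse proxy authenticates however the proxy does, and the SPNs do not make it any more or less reachable.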


remove a user from a security group in FIM 2010 R2

We have a manually managed, owner-approval-required group in FIM 2010 R2. These groups flow to AD with their membership.

Users can request to join the group from the portal or the Outlook add-in.

Now what I want is that the user should be removed from the security group in FIM after 30 days. Prior to this, an email needs to be sent to the user notifying him that his access to the group is going to expire in 7 days. The user can extend or do nothing.

If he extends, then a request must go to the owner of the group stating that a user wants to extend his membership. The owner can approve or reject.

- For users expiring in 7 days, there can be a set and a transition MPR with a WF which will trigger an email notifying the user that his membership will expire in 7 days.

How do I track when a user was added to the security group in FIM? And when the group owner approves the extension, how do I extend his membership in the group in FIM?

Please guide me on this.



AdiKumar

The computer_id in the database does not match error

We use FIM.

I backed up the SQL 2008 R2 DB of FIM and restored it to a test FIM environment.

After the restore, I reconfigured the test FIM install, but the error "The computer_id in the database does not match" happened and I could not start the FIM sync service.

What should I do?

regarding service account and security group of FIM

If we use a domain account for the FIM sync service, we need to create and use AD security groups (domain\FIMadmins, etc.),

and if we use a local account for the FIM sync service, we need to use FIM server local groups (FIMhostname\FIMadmins, etc.)?

How could I copy development FIM environment to test FIM environment ?

I would like to copy a development FIM environment to a test FIM environment.

I backed up the SQL 2008 DB of the development FIM and restored the DB to the test FIM SQL 2008 environment.

I tried to reconfigure FIM using the FIM installer, and during that it started "Updating connector space indexes".

It looks like it takes a long time.

Is there any good way to rapidly copy a development FIM environment to a test FIM environment?

If "Updating connector space indexes" is inevitable, how could I speed up that process?

The test environment is a Hyper-V guest and has a lot of CPU and memory resources.

I set the max memory limit of the test SQL 2008 to speed up "Updating connector space indexes".

Or should I increase the max memory of the test SQL 2008?

Read ObjectSid into anchor attribute

Hi,

I'm developing an ECMA 2.2 and I have set the Anchor attribute to be the objectSid. I have to use powershell (from within the C# MA code) to obtain the objectSid.

The trouble I have now is that I'm unable to translate this objectSid into the right format (to be honest, I don't even know what format it is returned in).

When coding the schema, I code the "ObjectSid" attribute as an AttributeType.Binary

public Schema GetSchema(KeyedCollection<string, ConfigParameter> configParameters)
{
    Microsoft.MetadirectoryServices.SchemaType userType = Microsoft.MetadirectoryServices.SchemaType.Create("user", false);
    userType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("AccountName", AttributeType.String)); // AccountName is the anchor attribute
    userType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("Email", AttributeType.String));
    userType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("SipAddress", AttributeType.String));
    userType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("EmployeeID", AttributeType.String));
    userType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("ObjectSid", AttributeType.Binary));
    Schema schema = Schema.Create();
    schema.Types.Add(userType);
    return schema;
}

Then I populate the ObjectSid like so:

csentry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("ObjectSid", obj.Members["ObjectSid"].Value));

where obj is a powershell object which contains the result of a powershell command execution which gets the objectSid. 

This doesn't work and I get an error in the Server logs:

The server encountered an unexpected error while performing an operation for a management agent.
 
 "System.InvalidCastException: Unable to cast object of type 'System.Security.Principal.SecurityIdentifier' to type 'System.Byte[]'.
   at Microsoft.MetadirectoryServices.Impl.Ecma2ConversionServices.AddAttributeToDImage(CDImage* pdimage, String attributeName, AttributeModificationType attributeModificationType, IList`1 attributeValueChanges, Int32 escapeReferenceDNValues)
   at Microsoft.MetadirectoryServices.Impl.Ecma2ConversionServices.ConvertToDImage(CSEntryChange csEntryChange, CDImage** ppDImage, Int32 escapeReferenceDNValues)
   at Microsoft.MetadirectoryServices.Impl.ScriptHost.InvokeExtMA_ImportEntry(UInt32 cBatchSize, UInt16* pcszCustomData, UInt32 cFullObject, _OCTET* rgoctFullObject, UInt32* rgomodt, UInt32* pcpcszChangedAttributes, UInt16*** prgpcszChangedAttributes, Int32 fIsDNStyleNone, UInt16** ppszUpdatedCustomData, _OCTET* rgoctCSImage, Int32* rgextec, UInt16** rgpszErrorName, UInt16** rgpszErrorDetail, Int32* pfMoreToImport)"

How should I handle the objectSid conversion here? Totally lost since I thought the objectSid would be returned as a byte[] array but instead it is being returned as a string.

Thanks
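The conversion the exception above is asking for, as an added example that is not part of the post: the InvalidCastException names the real type of the value, System.Security.Principal.SecurityIdentifier, and that type carries its own binary form. The example takes whatever the PowerShell call hands back (a SecurityIdentifier, its S-1-... text form, or bytes already) and produces the byte[] the Binary attribute expects, then proves the round trip. The SID value is constructed and belongs to no real domain.

```powershell
# Added example, not from the original post: convert an objectSid value into the byte[]
# that a Binary ECMA attribute expects, and verify the round trip. Uses only
# System.Security.Principal.SecurityIdentifier, the type named in the exception in the post.

function ConvertTo-SidBinary {
    param([Parameter(Mandatory)]$Value)    # SecurityIdentifier, SDDL string, or byte[]
    if ($Value -is [byte[]]) { return ,$Value }               # already binary, pass through
    $sid = $null
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) {
        $sid = $Value
    } elseif ($Value -is [string] -and $Value -like 'S-1-*') {   # textual (SDDL) form
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
    } else {
        throw "Unsupported objectSid value of type $($Value.GetType().FullName)"
    }
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)           # the same call the C# MA code needs
    return ,$bytes                           # leading comma keeps PowerShell from unrolling the array
}

function ConvertFrom-SidBinary {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # SID layout: revision(1) subAuthorityCount(1) identifierAuthority(6) subAuthorities(4 each)
    $expected = 8 + 4 * [int]$Bytes[1]
    if ($Bytes.Length -lt 8 -or $Bytes[0] -ne 1 -or $Bytes.Length -ne $expected) {
        throw "Not a well-formed SID (length $($Bytes.Length))"
    }
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

# Constructed SID, not from any real domain.
$sddl      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sidObject = New-Object System.Security.Principal.SecurityIdentifier($sddl)

$bin = ConvertTo-SidBinary -Value $sidObject        # the object type the PowerShell call returns in the post
$bin.Length                                         # 8 header bytes + 5 sub-authorities * 4
(ConvertTo-SidBinary -Value $sddl).Length           # the same bytes from the string form
(ConvertFrom-SidBinary -Bytes $bin) -eq $sddl       # round trip gives the original SDDL back
```

In the C# MA the same three calls apply: cast obj.Members["ObjectSid"].Value to SecurityIdentifier, allocate new byte[sid.BinaryLength], call sid.GetBinaryForm(buffer, 0), and pass the buffer to CreateAttributeAdd. One further thing to check in the posted schema: every attribute there is created with CreateSingleValuedAttribute, so whichever attribute is meant to be the anchor has to be declared with SchemaAttribute.CreateAnchorAttribute instead, or the sync engine has no anchor at all.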

FIM web service connector - how to pass the multivalued attribute value of reference type (Export)

Hello,

How should I configure a workflow for multivalued reference attributes in the Export workflow by using the Web Service Configuration Tool? I need to configure the RoleIds multivalued reference attribute for the User object.

For now I have only configured assignments for String attributes:


FIM custom portal workflow for unique accountName generation – how to make it thread safety?

Hello,

I've been using the workflow from here: http://www.wapshere.com/missmiis/generate-unique-attribute-activity to generate a unique accountName. Everything seems to work, except that it's not using one thread. That is, while for the first user it is calling the enumerateResourceActivity, for the second user it starts another workflow (even if the workflow for the first user is not finished). And when the search for unique values is made in the portal for the second user, the changes for the first one (the generated unique accountName) may still not be submitted, so the same accountName will be generated for the second user.

What changes should I make to the workflow to force the workflow for the next user to start only when the workflow for the current one is finished?

I've tried to put the whole workflow in a synchronizationScopeActivity, but after the changes my workflow is not loaded at all.



BHOLD SP1 Questions

Hi All
I am trying to figure out how the new Access Management Connector works, not to speak of all the other features of BHOLD.
But the documentation says only a little about it. The walkthrough doesn't work for me.
Has anyone had more success and is willing to share it?
Some of my problems are:
- The documentation says nothing about the application. In RTM, Active Directory was described as an application in BHOLD. Not a word about it now. Is it not required anymore?
- The documentation says I should flow out department into OrganizationalUnit as a string, but OrganizationalUnit comes back in as a reference value containing some sort of XML structure. (part of step 17, AMCUsers MA)
- The documentation says I should flow out the domain name as an advanced export into a CS attribute named "Domain", but the connector space doesn't hold such an attribute. (step 18, AMCUsers MA)
- The documentation says nothing about the hierarchy for organizational units.
- The documentation says nothing about changes in the underlying SQL tables, and the new AMC hides what is necessary to bring users into the right organizational unit. All my users are in root.

It could of course be that I missed the right link to a current version of the documentation. So please, every bit of help is appreciated.

Henry

FIM Portal: Request getting failed after completion of all approvals

Hi,

We have deployed FIM 2010 R2 in our client environment.

We are facing issues in the FIM Portal. For all the authorization workflows, we have created custom approval activities. Whenever the approver approves requests in bulk (20 requests or more), the following behaviour is observed:

  1. the approval response is generated and the approval status is updated in the request window as "Approved" but the request status is set to "Failed" or "PostProcessing" or "PostProcessingError".
  2. The transaction running to set the value of an attribute is not completed.
  3. Action workflows not running after completion of Authorization workflows.

We are not running any parallel workflows. When we analyzed the event viewer logs on the FIM Portal machine, we got the below warnings / errors:

Administrative / Application Logs

The Forefront Identity Manager Service was not able to perform the following operation 'Resume Request 5xxxxxd9-xxxx-4c04-b18c-xxd77ccba2f8' successfully.

The Forefront Identity Manager Service will attempt execution of this operation in the future if the operation is recoverable, or will cancel the operation.  If this warning is repeated for the same operation, it is likely the Forefront Identity Manager Service will not be able to complete or cancel the operation automatically.  There may be no automated recovery for this issue.

Restart the Forefront Identity Manager Service.

Forefront Identity Manager Logs:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1205, Level 13, State 56, Procedure DoDeleteCachedRequest, Line 47, Message: Transaction (Process ID 53) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at Microsoft.ResourceManagement.Data.DataAccess.UpdateRequest(RequestType request, IEnumerable`1 updates)
   --- End of inner exception stack trace ---

Is this a bug or limitation for FIM Portal?
Can somebody help me to identify the issue? has anyone seen this issue earlier?

Quick response will be really helpful.

Thanks,

Sanjog


Solution to persistently annoying FIM Portal administrator export problem

This isn't so much a question as something others might like to be aware of...

When you install the FIM Portal and configure metaverse->FIM user sync, supposing you use an account of which your FIM metaverse is already aware, the sync service will be unable to export your account to the FIM MA, with a uniqueness constraint violation. This is because merely setting up the portal and service causes your AccountName, SID, etc., to be populated in the database.

This will express itself as a "failed-creation-via-web-services" with error detail thusly:

Fault Reason: The request message contains errors that prevent processing the request.

Fault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>ObjectSID</AttributeType><AttributeValue></AttributeValue><FailureMessage>The specified attribute value must be unique for this Resource Type.</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode></AttributeRepresentationFailure></RepresentationFailures>

My solution was to search (cautiously) the FIMService database to figure out the conflicting account's anchor value:

select ObjectID from fim.Objects with(nolock) where ObjectKey =(select ObjectKey from fim.DomainAndAccountName with(nolock) where DomainAndAccountName = 'mydomain\my.user')

This returns a GUID you can use in the FIM Sync Service admin interface to search the FIM MA by DN/anchor and disconnect.  Now you have a user disconnector in the FIM MA, so head over to the joiner tab, and link it up.

I keep wondering if I've done something wrong in the FIM setup to arrive at this situation, but it's happened in several clean installs following the documented guidelines.

--Steve

Novell eDirectory Crashes on Full Import Run Profile

Hi...

I have FIM2010 in production environment with some Active Directory Management Agents and 2 Novell eDirectory Management Agents.

Since a few days ago, one of my 2 eDir agents crashes on a Full Import and its status is "Server-Down" or "Stopped-Server".

The following events are recorded in EventViewer:

 

Source: Application - EventId: 1000

Faulting application name: miiserver.exe, version: 4.0.2592.0, time stamp: 0x4b6790ea
Faulting module name: MSVCR90.dll, version: 9.0.30729.4940, time stamp: 0x4ca2e32e
Exception code: 0xc0000005
Fault offset: 0x000000000001e654
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13

*****************************************************
Source: Windows Error Reporting - EventId: 1001

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: miiserver.exe
P2: 4.0.2592.0
P3: 4b6790ea
P4: MSVCR90.dll
P5: 9.0.30729.4940
P6: 4ca2e32e
P7: c0000005
P8: 000000000001e654
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_miiserver.exe_4d9b5c29a7de588c117875da81bb34c9f96cca_123c60f3

Analysis symbol:
Rechecking for solution: 0
Report Id: 226c2ccb-0b96-11e2-b340-1cc1deed2390

**************************************************

Source: Service Control Manager - EventID: 7034

The Forefront Identity Manager Synchronization Service service terminated unexpectedly.  It has done this 3 time(s).

*********************************************************

When I run this eDir MA in test mode (logging the results to a file) it executes without any error.

After this, I need to manually restart the FIMSynchronizationService

This problem is affecting my sync flow, since I have more than one run profile running at the same time.

Any help is welcome

Paulo H. Campos


***** Paulo H. Campos - São Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)

What does a Parser Message, saying value creation error at line 906, mean?

I put on a new antivirus program and get this message every time I try turning the computer on; I forgot to disable or uninstall the older one as well. I have put the hard drive into another computer and tried removing the new antivirus from it, but that hasn't fixed it either. I need help from an expert, lol.