Channel: Forum Microsoft Identity Manager

Temporal Sets using xs:dayTimeDuration


I currently have FIM 2010 R2 installed and I'm trying to create a Temporal Set using xs:dayTimeDuration. The samples I have found on the Internet are using 'PnD' syntax, where n is the number of days.  However for my use case, I need to be more restrictive, like 6 hours. Based on XPath 2.0 syntax linked from FIM 2010 R2 documentation, I would use this:

(ExpirationTime < op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('PT6H')))

When I manually run the "FIM_TemporalEventsJob" SQL Job, nothing happens. The UI doesn't support the syntax, so I don't know how to see if the object is part of the set. All I know is that my workflow doesn't execute.  However, if I change the syntax to use 'P1D', everything works as expected...

My question is: is this a bug or FIM doesn't support the syntax?

 

Mark Remkiewicz


Microsoft TechNet Wiki FIM Guru - Winners for January!!


The results for January's TechNet Guru competition were posted!

http://blogs.technet.com/b/wikininjas/archive/2014/02/16/technet-guru-awards-january-2014.aspx


Post your FEBRUARY contributions here:

http://social.technet.microsoft.com/wiki/contents/articles/22885.technet-guru-contributions-for-february.aspx


A great big thank you to EVERYONE who contributed an article to last month's competition.

Hopefully we will see you ALL again in this month's listings?

Unfortunately, forum restrictions have prevented me from posting the winners here.

You will find the complete post, comments and feedback on the main announcement post.

Please join the discussion, add a comment, or suggest future categories.

If you have not yet contributed an article for this month, and you think you can write a more useful, clever, or better produced wiki article than last month's winners, here's your chance! :D

Best regards,
Pete Laker

More about the TechNet Guru Awards:



#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

Why is Domain required for an identity in the FIM Service?


I have a scenario where FIM is managing identity, but not all identities have an Active Directory account. I have a flag in the FIM Portal (Service) that indicates if a particular user is entitled to an AD account or not. My provisioning setup adds or removes the AD account as appropriate. To support FIM Portal activities for those that do have AD accounts, I populate AccountName, Domain, and ObjectSID in the FIM Service from their corresponding attributes in AD.

What I have noticed is that it does not seem possible to null out or delete the Domain attribute for a user in the FIM Service. I can delete the attributes for both AccountName and ObjectSID without issues.

When attempting to remove the Domain attribute for a user I get the following in the event logs:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.

I assume that something internal to the FIM Service is trying to do some magic with validating the domain name and the domain configuration. I did find a post saying, “Yeah, you have to populate Domain”:

http://social.technet.microsoft.com/Forums/en-US/f207caa9-3a6f-4f2d-8461-a83777280803/fim-service-ma-export-failedmodificationviawebservices-error?forum=ilm2

My question is why is Domain required for a user? It is obviously needed for users that have AD accounts and must authenticate with the Portal, but in the case where a user does not have an account (and therefore does not have a domain), it feels odd to store the incorrect data for the user. It also looks weird when you bring up a list of users in the portal and see domain values for users that do not have accounts. In this particular case, the client has many domains and does have the Domain and AccountName attributes displayed on the user search results page.

FIM Powershell Quest


I want to get all users in FIM with home addresses longer than 30 characters. Does anyone know a good way to do that without first getting all users?

I'm using the Quest Powershell module for FIM and I tried to do it like this but it seems like you cannot use greater than in the filter.

Get-FIMResource -Filter "/Person[HomePostalAddress -gt '30']" -ComputerName $FIMServer


Spread the Love! Be our FIM TechNet Guru, this Valentine's


TechNet loves you!

 

We love your contributions at TechNet Wiki sooo much that we give you more than just love in return...

We give you NOTORIETY, GLORY... and VIRTUAL MEDALS!

That's not all, this love we have, together, it flows both ways my friend.

You give us stuff, we give you stuff, like interviews, recognition points, Ninja Belt rankings, and of course front page love!

If the love is strong enough, who knows where it could end! We may even invite you into secret clubs and other initiatives.

So why not spread the love a little further this Valentines, with more than just a cheap card from the highstreet...

Express your love for your favourite technology in a TechNet Wiki article!

Pour your heart out to us, capture our hearts and woo us with your prowess!

 

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker




Generate CSExport to csv file


Hello,

I'm using a script that permits me to parse a CSExport generated XML file into a scoped CSV.

I want only to get the users which are connected to my connector space.

When I use $csObject.connector -eq "1", in the result CSV file I have some users which are not connected and are not in the Metaverse?

Is there another attribute that permits me to export only connected users?

Thanks 


Unable to delete User object in FIM Portal - Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition"


Hi,

***Problem

I encounter a problem with FIM (version 4.1.3441.0 and 4.1.3496.0) when I try to delete a User object (and only a User object), whether it is manually/Expiration Workflow/Powershell.

Deleting a User object used to be perfectly functional and, without any product version modification, stopped working. I have neither deleted/modified nor added a "Grant" MPR or any of the corresponding Sets since last time I saw it working.

Displayed error is "Request could not be dispatched" in FIM Portal and is referencing a stored procedure in Event Viewer.

 

***Error details

When I try to delete a User object, here is the output :

  • Portal
    • "Processing error" on submit
      • with the following details 

    • Request status is stuck at "Validating" until next restart of FIM Service (after what it becomes “Canceled”)
    • Request’s “Applied Policy” tab does not contain any MPR where, at least, a “Grant” MPR is expected
      • As SQL Timeout is relatively high and error happens quickly, I don’t think there is a Timeout problem under that.


  • Logs
  • « Application »
    • The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.

 

  •  « Forefront Identity Manager »
    • Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1088, Level 16, State 12, Procedure CalculateRequestSetTransitionsAssembleStatements, Line 332, Message: Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition" because it does not exist or you do not have permissions.

Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.

 

  • Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1088, Level 16, State 12, Procedure CalculateRequestSetTransitionsAssembleStatements, Line 332, Message: Cannot find the object "#calculateRequestSetTransitionsAssembleStatementsPartition" because it does not exist or you do not have permissions.

Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.

   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)

   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)

   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)

   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)

   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)

   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)

   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)

   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()

   at Microsoft.ResourceManagement.Data.DataAccess.UpdateRequest(RequestType request, IEnumerable`1 updates)

   --- End of inner exception stack trace ---

 

  • Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4

Correlation Identifier: e7209633-46d0-4f4b-a59e-807649ef71ea

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.InvalidCastException: Specified cast is not valid.

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)

   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)

   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Delete(Message request)

   --- End of inner exception stack trace ---

 

For information, a maintenance plan rebuild/reorganize indexes daily and this problem has occurred on servers with different performances.

Has any of you already encountered this problem?

Any help would be greatly appreciated,

 

Thanks in advance for your help,

Matthew

FIM support for SQL 2012 AlwaysOn


Anyone know if FIM 2010 R2 SP1 supports use of AlwaysOn under SQL 2012 as a high availability option? (For both the Sync engine and the FIM Service)

If it is supported, are there any known issues that one should be aware of?

Thanks


SSPR Server in DMZ need to be domain joined?


Hi

I realize the SSPR web portal does not require SharePoint and only need IIS. Our security team does not want any self registration pages to be hosted on a domain joined server. We do have a reverse proxy server before the users can get to the registration pages. Q - Is it a possible scenario to have SSPR server in DMZ that is not joined to any domain? 

Trouble with notifications - failed schema validation


I am trying to send an Email notification from a workflow and am getting the following error:

System.Web.Services: System.Web.Services.Protocols.SoapException: The request failed schema validation: The element 'Message' in namespace 'http://schemas.microsoft.com/exchange/services/2006/types' has invalid child element 'Header' in namespace 'http://schemas.xmlsoap.org/soap/envelope/'. List of possible elements expected: 'Sensitivity, Body, Attachments, DateTimeReceived, Size, Categories, Importance, InReplyTo, IsSubmitted, IsDraft, IsFromMe, IsResend, IsUnmodified, InternetMessageHeaders, DateTimeSent, DateTimeCreated, ResponseObjects, ReminderDueBy, ReminderIsSet, ReminderMinutesBeforeStart, DisplayCc, DisplayTo, HasAttachments, ExtendedProperty, Culture, Sender, ToRecipients, CcRecipients, BccRecipients, IsReadReceiptRequested, IsDeliveryReceiptRequested, ConversationIndex, ConversationTopic, From, InternetMessageId, IsRead, IsResponseRequested, References, ReplyTo' in namespace 'http://schemas.microsoft.com/exchange/services/2006/types'.

   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

   at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.CreateItem(CreateItemType CreateItem1)

   at Microsoft.ResourceManagement.Mail.ExchangeProxy.ExecuteCreateItem(CreateItemType request)

   at Microsoft.ResourceManagement.Mail.ExchangeServer.SendNotification(NotificationMessage message)

   at Microsoft.ResourceManagement.Mail.NotificationMessage.Send(Int32 timeoutInMilliseconds)

   at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.SendMailMessage(MessageContent messageContent, Int32 timeoutInMilliseconds)

   at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.ProcessWorkItem(WorkItem workItem

It appears that the Exchange web service doesn't like the schema FIM is presenting. Anyone seen this? Is there a trace setting that will dump out the call to the Exchange server?

I have tested that I can hit https://fqdn_server/ews/exchange.asmx from the FIM Service account and the certificate is correct.



FIM 2012 R2 SP1 (On Premise) - The Forefront Identity Manager Synchronization service stops every hour


I have a new installation of FIM 2012 R2 SP1 "on premise".  

I can do import, synchronizations, etc...  but at every hour sharp (12:00, 1:00, 2:00, ...) the Forefront Identity Manager Synchronization windows service stops (disabled).  I have to enable it manually and re-start it every time...

Any things I should check...? Is it caused by a SharePoint Timer Job...? 

The SharePoint logs or Event Viewer don't show anything particular...

Thanks,

J-F


Jean-François Guertin Entreprise Solution Architect Collaborum Services Conseils Inc | 1-581-997-4911 | jfguertin@collaborum.com Certifications Visual Studio Team Foundation Server 2010 Microsoft Office SharePoint Server 2007 - 2010 Windows SharePoint Services 3.0

FIM 2010 R2 Portal Configuration


Hi Gurus

I have a couple of quick questions about the FIM Password Reset and Registration Portal. I have a portal that is up and running and I can register users and can update their passwords. I am trying to do the following:

  • On the password registration success page, can I add static text and a link to the password reset page?
  • On the password reset page, where the password needs to be entered, can we enter a static text telling users what the AD password policy is, so that they don't try unsuccessfully a number of times.
  • I believe that FIM now has the capability to enforce the password policy as per http://support.microsoft.com/KB/2443871. So if I use that, all my AD password policy, like length, history, complexity, age etc will be implemented?

Any help will be greatly appreciated, thanks in advance.

Regards

How to create an Extensible Connectivity 2.0 MA that calls a web service in FIM 2010 R2?


I created my web service to create, update and delete users from one of our systems.

Now I am to create MA to use my web service and export users into that system, there is no need to import!

I tried to use web service configuration tool but had lots of errors and could not find an example of configuring run profiles.

Now I am trying to write an Extensible Connectivity 2.0 Management Agent. I need help as there are no examples available for how to call/use a web service in an MA.

Thanks

Custom attribute not getting hidden


Hi,

I've created two new custom attributes (one type string and the other a type boolean) and bound them to the Person object. I also modified the Create User and Edit User RCDC to include those attributes in the view.

The attributes show up just fine for the administrator which is expected when creating or editing a user object, however when I login as a normal user, I can still see those attributes despite the normal user not having Read permissions through any MPR on the attributes. The read permissions are controlled on an attribute level and I have double checked these attributes are not added to that list. 

Is there some way to check if these attributes show up in any MPRs? My only guess here is that some MPR is granting read permission to these attributes but I don't want to go through all the MPRs to find out which one that might be.

Thanks 

How to handle a timed-out BDC connection


I have a BDC connection to a SQL database, however this database may time out from time to time or be offline... Right now if the database is down, the fields that depend on it on the user profile come out empty. I would like to have the old values if there is no connection. How can I achieve this? I am desperate.

My SharePoint user profile has fields from AD and a BDC connection... How can I handle a missing connection?


Extranet Self Service Reset Portal for OTP Mail only via FIM to an untrusted AD


Hi all,

I'm busy with architects designing on a new scenario for me in FIM 2010 R2 Password reset Portal.
We have an existing FIM setup in our internal corporate AD Domain without any existing password reset/registration.

I've got to manage an AD (not domain- or forest-trusted) containing external users (no problem for the AD MA). The idea is to provide the FIM Password Reset Portal functionality to those users (I've got their email address):
- Once a new user is created in that separate AD, create an OTP via mail to that user to ask to set a password.
- Allow the users to ask for an OTP via mail on request (forgot my password) via reverse proxy (extranet scenario).
- There is no functional need for registering secrets in the self service  (FIM registration NOT wanted/needed)

I'm not sure before proceeding if this is possible:
- is only OTP mail possible, without using the registering in FIM? (I think yes)
- can I set the password of a user of an external domain, without trust: this means does a reset go 100% via FIM, and there is no trust in the IIS required somehow to that domain?  

I've seen the interesting video http://www.youtube.com/watch?v=T-p41Ze9ewA but I want to be sure.

Thanks for the reply and suggestions
David.
PS: anyone of you ever connected to DB2 on a Mainframe via the FIM DB2 MA?

Wipe a mobile device before disabling a user


Has anyone tried to tackle the issue of remote wiping ActiveSync devices before disabling a user account with FIM?

We have an issue when we terminate a user and disable the account and we reset the password for good measure, the phone will not receive a remote wipe command since that user on that phone will no longer authenticate.

Curious if anyone has thought of a work around or some solution to wipe mobile devices.  Short of an MDM that will do this via an installed app on the phone.

Kirk

FIM Galsync Selective Output

I have 4 Forests doing FIM GALSYNC with each other successfully - AMERICAS, EUROPE, AFRICA, APAC. But I don't want FIM to provision APAC contacts to EUROPE the same way it is doing for AMERICAS & AFRICA. When the APAC contacts are synched in EUROPE MA the targetAddress attribute value of the contacts should be SMTP:%mailNickName@myexch2010.apac.org but for all other forests APAC can provision the contacts with the targetAddress value in the format SMTP:%mailNickName@myexchdomain.com. Let me know how this is possible.

Jimmy George

Many Connector Space Objects to One Metaverse Object in the Same Management Agent

FIM SSPR Client - Chinese Language Pack - Selected Keyboard Language Ignored


We're currently deploying the FIM 2010 R2 SP1 SSPR client and Chinese Language Pack to our Asia Pacific users. We have had several of our test users report that the currently selected keyboard language, they have the option of switching between English and Chinese Traditional, is ignored and defaults to English when entering challenge question answers.

The Chinese Traditional Language Pack is installed and matches the Server Side language packs version. End users have no problem registering and resetting their passwords, via the web portals, in Chinese, but when using the SSPR client the Keyboard Language always defaults to English and there seems to be no way to force the Chinese keyboard character set to be enforced.

Any help would be greatly appreciated!

Austin
