Identity Lifecycle Manager 2 Forum

SSPR install less stable since RC1 ?

Tue, 24 Nov 2009 20:55:20 Z

First let me say that I really like the fact that in RC1 the MPRs and Workflows no longer need to be created manually and in some ways getting this configured is simpler.

But I have found SSPR in RC1 a lot less reliable than RC0 - I installed RC0 SSPR about 6 times and only had problems with some documentation glitches the first time - the other 5 times were fine. I've now tried to install RC1 SSPR for the 10th time and have yet to get it working. I am trying with a pretty simple configuration - single domain and portal+sync service on the same box.

FYI the installer functions which are supposed to set the permissions for portal and password portal, and to add the sites to trusted sites for all users in IE7 have never worked for me in 10 installs, I've always ended up doing it manually, yet no errors get reported.

There is now a lot of required manual configuration of DCOM permissions, SPNs, group memberships, WSS configuration, IE zones which should, IMHO be taken care of by the installer - I think the uptake of SSPR in RTM will be a lot higher if this is improved.

Run on Policy Update - Retroactive Policy Enforcement

Wed, 25 Nov 2009 22:52:55 Z

Somewhat hidden within Forefront Identity Manager 2010, there is a very useful feature for action workflows called "Run on Policy Update".
Here are the situations where you may find this feature useful:

You are creating a new Management Policy Rule (MPR), such as one to provision all users an AD account, and you want one or more of the action workflows in your new MPR to be applied, upon creation of the MPR, to all the members of the MPR's Resource Final Set (also referred to as "Target Resource Definition After Request" in the portal's MPR wizard).
For example, you may be creating a new MPR to apply a new Synchronization Rule to all users.
You may want to retroactively enforce this new policy by applying the Synchronization Rule workflow to all users that already exist.
You are enabling a previously disabled MPR, and you want one or more of the action workflows in the MPR to be applied, upon enabling of the MPR, to all the members of the MPR's Resource Final Set.
You are adding a new action workflow to an existing MPR, and you want the new workflow to be applied to all the members of the MPR's Resource Final Set, immediately upon adding the workflow to the MPR.
You are modifying the Resource Final Set of an existing MPR to reference a new set, and you want one or more of the MPR's action workflows to be applied to all the members of the new Resource Final Set, immediately upon modification of the MPR.
You are manually modifying the membership of the Resource Final Set of an MPR, either by modifying the set's Filter or ExplictMember attribute, and you want one or more of the MPR's action workflows to be applied to all the *new* members of the new Resource Final Set, immediately upon modification of the set.

The "Run on Policy Update" feature is an option that lives on action workflow definitions, as an attribute labeled "RunOnPolicyUpdate" bound to the WorkflowDefinition resource type.
When this boolean attribute is set to "true" for a given action workflow, if any of the 5 scenarios above are encountered with an MPR that uses this workflow, the workflow will be automatically applied to the members of the Resource Final Set of the MPR.
Following is a table that summarizes the cases where a "Run on Policy Update" enabled action workflow is applied, in addition to the normal cases where a new Request satisfies all the criteria of an MPR that uses the workflow.

User Request	Resulting Action by the FIM Service
Create new MPR	Apply each "Run on Policy Update" enabled action workflow referenced by the new MPR to all members of the MPR's ResourceFinalSet.
Enable an existing MPR	Apply each "Run on Policy Update" enabled action workflow referenced by the enabled MPR to all members of the MPR's ResourceFinalSet.
Select a new ResourceFinalSet for an existing MPR	Apply each "Run on Policy Update" enabled action workflow referenced by the MPR, to all members of the new set referenced by the ResourceFinalSet attribute.
Add a new "Run on Policy Update" enabled action workflow to an existing MPR	Apply the newly added action workflow to all members of the MPR’s ResourceFinalSet.
Modify the filter of a set	For all MPRs whose ResourceFinalSet references the set being modified, apply each "Run on Policy Update" enabled action workflow mapped to the MPR to each resource that transitions into the set because of the filter update.
Update explicit membership of a set	For all MPRs whose ResourceFinalSet references the set being modified, apply each "Run on Policy Update" enabled action workflow mapped to the MPR to each resource that that is added to the set.

Note
Simply enabling the “Run on Policy Update” option for a workflow does not result in the workflow being automatically run. The workflow will only be run upon completion of one of the requests outlined in the table above.

Disabling the “Run on Policy Update” option for a workflow will allow you to perform any of the user requests outlined above, without the workflow being automatically run.
If you submit one of the user requests outlined above, thereby triggering the execution of a “Run on Policy Update” enabled action workflow, you can cancel all the workflows that have been triggered by simply cancelling the request that triggered them (eg. cancel the request tracking the creation of the MPR).

Cheers,
Nima

Outbound Synchronization is not working when changing an attribute

Wed, 25 Nov 2009 17:03:16 Z

i have deployed FIM 2010 RC1 successfully and i've created 3 synchrnization rules from the portal one for AD (inbound and outbound) and one for HR(Inbound) and one for AD Security Groups.
the flow in FIM is done from the Synchronization manger.

i have also created 2 workflows to allow users to change attribute of their own but need authorization from their manager. the problem is when i try to push the changes from the Portal to AD no changes happen.. Note that when a new user is created from HR the user is automatically provisioned in AD and the Portal, and when any changes happen in AD it appears in the portal.

Note also that i have moved some of the attributes from AD Synchronization Rule in the portal to the AD MA in Synchronization Manager and when i synch the changes appears in AD

am i missing something? or does the workflows and MPR affect the Outbound synchroniztion?

Configuration Migration Tool Question

Wed, 25 Nov 2009 09:54:24 Z

Hi
I trying to migrate a FIM configuration from one server to another.
While following the steps described in "Introduction to the Configuration Migration Tool" document I get an error in step 8.

Join-FIMConfig : Two objects with the same AnchorAttributeValue were detected. A requirement for using this migration
tool is that AnchorAttributeValue is unique within an Object Type.
AnchorAttributeNames = AppliesToCreate AppliesToEdit AppliesToView DisplayName
AnchorAttributeValues = AppliesToCreate AppliesToEdit AppliesToView DisplayName
ObjectType = ObjectVisualizationConfiguration
ObjectID 1 = urn:uuid:ecbff780-511b-45da-85fe-65cbf236d80f
ObjectID 2 = urn:uuid:8aa59dca-7759-4d32-96d2-3f21ed1239f2
At line:1 char:26

I am not ware, that I have changed anything in the portal itself at all. I only have custom Sync rules, Sets and MPRs defined.
How can I determin which those objects are that make the trouble here?
What are preferred join rules to overcome this problem?

Thanks in advance.
Henry

FIM Certificate Management Configuration Wizard Fails

Wed, 25 Nov 2009 18:56:03 Z

Hello

When I run the configuration wizard fr FIM CM at the end when I click configure I am getting the following error. Name Translation: Could not find the name or insuffcient right to see the name. (Exception from HRESULT: 0x80072116). Any ideas would be great. I have a root domain and a child domain. FIM is installed in the Child Domain along with the Enterprise CA. I am using an Enterprise Admin Account to perform the install and config.

Not able to Provision user

Wed, 25 Nov 2009 12:30:36 Z

Hi,
I am not able to provision users to AD since i had applied Updates to FIM2010 RC1. My senario is as follows
I am trying to sync between AD only.

2 sync rules: 1 for AD outboud Sync rule with inbound sync for Email and Domain. 1 for inbound sync rule to import users from AD.
1 MPR
1 Set

also i had enables following MPR

General: Users Can read Schema related resources.
general: Users can read non-Administrative config resources
User Management : Users can read attribute of thier own.

i think i did`nt missed anything so far.

Now while i run FIM MA with Full Import and Full Sync it works fine, but while export it does not show any count to be under add or update neither add anything to AD OU and it finish with success.
Same happens with AD MA. But to my surprise i can see user partially imported to the portal with not all attribute flow which i defines in sync rule.

Please help!!!!!!!!

Cheers, Mohit Goyal

Flowing an expiry date to the ILM portal

Mon, 23 Nov 2009 13:14:15 Z

Hi All,

I am trying to flow an expiry date from the AD to the ILM portal, this will eventually be used to disable a contractor's account. I ran into problems very soon and after reviewing numerous posts here, I still don't know whether this should be possible or not and whether the format I am using is right or not. The date value and format I am trying to flow to the portal is:

2009/11/23 12:00:00:000 AM

When exporting the data to the portal I still get the "datetime-string-format-incorrect" error

Any help or guidance would be appreciated
Thanks
Johan Marais

Email notification workflow not working

Tue, 24 Nov 2009 17:52:12 Z

Hi All

I am following the walkthrough "Introduction to Management Policy Rules".
I have configured the MPR/WF as per the steps "Create a MPR that will send a notification to the user’s manager when an employee transitions between set."

After changing the employee type, no email notification is generated.
Can anyone please suggest the steps to debug the issue?

TIA
Sachin

FIM 2010 with Exchange Server 2010

Sun, 22 Nov 2009 08:02:02 Z

Hi,

I would like to know if Exchange 2010 is supported by FIM 2010 RC1?

Thank you.

Patrick L.

SSO AD Synchronisation

Wed, 25 Nov 2009 06:03:35 Z

Is it at all possible to leverage ILM to populate and/or manage user credentials stored in a SSO database?

Having a look at the SSO database schema it looks like it would be simple enough to insert/update SID and Application information in, it's just the Credentials (password) that I'm really not sure about.

Provisioning XML file with a Extensible Connectivity MA

Tue, 24 Nov 2009 23:59:48 Z

Hi Everyone

I have a new question I couldnt do the synchronization rules, workflows, sets and MPR. Somebody can help me with the synch rules, workflows, set and MPR to provision mi XML file from my ORACLE DB?

Servers

- FIM RC1 2010 ( 1 server with the service synch and 1 server with the portal service).
- AD
- Oracle

Scenario

Oracle HR source has to provisioning -> Ad and XML File (user data basically).

Oracle source table

Fields EmployeeID, Employeetype, FirstName, LastName, UserID

Configuration by MA

I have 3 MAs

FIMMA
MyFileBasedExportECMA
Oracle kichitan MA

MyFileBasedExportECMA Confguration
Specify the interfaces Supportes by this management agent:

Import and Export

Specify the export mode supported by this management agent:

File-based

Connected data source extension name:

ECMA.dll

Configure Additional Parameters:

ExportFileName: Export.xml
RootElementName: sample-objects
ObjectElementNAme: Object

Configure Attributes:

Objectclass
delta
employeeid
firstname
lastname
userid
employeetype

Map Objetc Types:

Person

Define Object Types:

Person

Configure Connector Filter:

no filters

Configure Join and Projection Rules:

No join or projections

Configure Attribute Flow:

employeeid <- employeeid
firstname <- firstname
lastname <- firstname

All of them direct export.

Confgure Deprovisioning:

Make them disconnectors

Configure Extensions

Nothing

Oracle kichitan configuration

-Configure Columns

EmployeeID (AnchorID)

Firstname

Lastname

UserID

EMployeeTYpe

-Configure Connector Filter

No filters

-Configure Join and Projection Rules

Projection RULE to ECMA person (is a custom object type, but is equal to Person)

-Attribute Flow

Person to ECMAPerson

EmployeeID -> employeeID

EmployeeType -> employeeType

FirstName -> firstName

LastName -> lastName

Configure Desprovisioning

Make them disconnectors

-Configure Extensions

Nothing

MyFileBasedExportECMA´s CODE

Imports Microsoft.MetadirectoryServices

Imports System.IO

Imports System.Xml

Public Class MyImportECMA

Implements IMAExtensibleFileImport

Implements IMAExtensibleFileExport

'------------------------------------------------------------------

Public Sub GenerateImportFile(ByVal fileName As String, _

ByVal connectTo As String, _

ByVal user As String, _

ByVal password As String, _

ByVal configParameters As Microsoft.MetadirectoryServices.ConfigParameterCollection, _

ByVal fFullImport As Boolean, _

ByVal types As Microsoft.MetadirectoryServices.TypeDescriptionCollection, _

ByRef customData As String) Implements Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile

'--------------------------------------------------------------

'Read the schma definition from the schema file

Dim swSchema As New StreamReader(configParameters("SchemaFilePath").Value)

Dim header As String = swSchema.ReadLine.ToLower

swSchema.Close()

'--------------------------------------------------------------

'Write the header into the file

Dim swImport As New StreamWriter(fileName)

swImport.WriteLine(header)

'--------------------------------------------------------------

'Load the correct XML data file

Dim doc As New XmlDocument

If (fFullImport) Then

doc.Load(configParameters("FullImportFilePath").Value)

Else

doc.Load(configParameters("DeltaImportFilePath").Value)

End If

'--------------------------------------------------------------

Dim node As XmlNode

'Loop through each object in the XML data file

For Each node In doc.DocumentElement.ChildNodes

Dim objectAttributes As String = ""

Dim attributeName As String = ""

'Read the attribute values for each attribute

For Each attributeName In header.Split(",")

If (objectAttributes.Length > 0) Then objectAttributes += ","

objectAttributes += node.SelectSingleNode(attributeName).InnerXml

swImport.WriteLine(objectAttributes)

Next node

'--------------------------------------------------------------

'Close the stream writer

swImport.Close()

'--------------------------------------------------------------

End Sub

Public Sub DeliverExportFile(ByVal fileName As String, ByVal connectTo As String, ByVal user As String, ByVal password As String, ByVal configParameters As Microsoft.MetadirectoryServices.ConfigParameterCollection, ByVal types As Microsoft.MetadirectoryServices.TypeDescriptionCollection) Implements Microsoft.MetadirectoryServices.IMAExtensibleFileExport.DeliverExportFile

Throw New EntryPointNotImplementedException()

End Sub

End Class

FIMMA configuration

-Object Types

Detected Rule Entry

Expected Rule Entry

Group

Person

SynchronizationRule

-Atrtributes

All of them are selected.

-Configure Connector Filter

No filters

-Configure Object Type mapping

Data source object type Metaverse object type

Detected Rule entry detected Rule entry

Expected Rule Entry expected Rule Entry

Group group

Person person

SynchronizationRule synchronizationRule

-Attribute Flow

Person to person

AccountName -> accountName

DisplayName -> displayName

EmployeeID -> employeeID

EmployeeType -> employeeType

ExpectedRulesList -> expectedRulesList

FirstName -> firstName

LastName -> lastName

AccountName <- accountName

DisplayName <- displayName

Domain <- domain

EmployeeID <- employeeID

EmployeeType <- employeeType

FirstName <- firstName

LastName <- lastName

ObjectSID <- objectSid

Group to group

AccountName -> accountName

DisplayName -> displayName

ExpectedRulesList -> expectedRulesList

Member -> meber

AccountName <- accountName

DisplayName <- displayName

Member <- member

Configure Desprovisioning

Make them disconnectors

What MPR needs to be enabled so that user can see the users created by him

Tue, 24 Nov 2009 16:49:45 Z

Hi All

I am following the walkthrough "Introduction to Management Policy Rules".

After creating a contract user, I login as a manager1 but I can't see any users except manager1.
What MPR needs to be enabled?

TIA
Sachin

Help: Configuration file for User create

Tue, 24 Nov 2009 10:53:17 Z

Hi,
I was trying to customize the portal to add attributes. In the process i accidently have replaced the configuration file for "configuration for user creation "(present under resource control display configuration), by another file. I donot have a backup of the original file. Can anyone please post the original here or mail to deborah.benjamin08@gmail.com

PS: It can be exported from :
Administration- Resource Control Display configurations- Configuration for user creation - export configuration data

Does FIM2010 supports SQL 2008 x86

Mon, 23 Nov 2009 12:08:12 Z

Hi,

I just wanted to know i had installed SQL server 2008 x86 on different machine and tried to connect it . i got connected. does it supports SQL server 2008 x86 ad documentation says it require x64 environment.

Cheers, Mohit Goyal

Allow Anonymous Access to the Password Reset Portal

Tue, 17 Nov 2009 20:29:53 Z

How do I go about enabling Anonymous Access to the Password Reset Portal?
The following instructions don't seem accurate anymore. Has this setting changed with Sharepoint Services 3.0 SP2?
When I click on "Settings" in Step 4 the only option displayed is "Permission Levels".

Allow Anonymous Access to the password reset portal
In this procedure you will configure the portal to allow Anonymous Access to users who need to reset their passwords.
To allow anonymous access to the password reset portal
1. Log on to the password portal (http://<portal hostname/PasswordPortal) as an administrator.
2. On the top right hand side of the portal homepage click Site Actions, and then click Site Settings.
3. Under Users and Permissions click Advanced Permissions.
4. On the Permissions page, click Settings, and then select Anonymous Access.
5. Under Anonymous users can access, select Entire Web site, and then click OK.

FIM 2010 and Powershell 2.0

Mon, 23 Nov 2009 22:29:57 Z

Is the current RC for FIM compatible with Powershell 2.0, or should I jsut keep 1.0 on the server?

Thanks

Steve

Steve Moss Pomona College

Unable to Update User CN value in AD

Thu, 19 Nov 2009 23:19:04 Z

Hi there

I´m provisioning AD users with FIM 2010 RC1 from Oracle 10g, but when I change the name, last name or some info in my Oracle DB and I ran the run profiles, I cant see the changes in my AD user.

Example

Current User  in AD                                                                      Change in Oracle

First Name: Christian                                                                  Rodrigo
Last Name: Sandino                                                                    Castillo
Display Name: Christian Sandino
Account Name: csandino
Email: csandino@kichitan.com

After Run profiles and Sync

Users container you could see (CN value): Christian Sandino as the user name but,

User properties

First Name: Rodrigo
Last Name: Castillo
Display Name: Rodrigo Castillo
Account Name: csandino
email: csandino@kichitan.com

As you can see the CN, AccountName and email address arent updated.

Somebody has ideas of this behavior.

Cheers

Users and Contacts - ways to distinguish?

Thu, 29 Oct 2009 14:21:38 Z

I am trying to wrap my head around on how to efficiently handle provisioning of contact objects.

In one test scenario, I created a separate contact object type in FIM portal bound with a subset of attributes I wanted associated to this object type and established flows to contact object type in MV. It could be done but I am not so sure that this is the way to go. Suggestions?

A specific use case that I am testing - I want to be able to create users by default as mail enabled contacts in exchange. After AuthZ workflows in FIM have completed successfully, I want to then move these contact objects to user objects. Futher, based on certain criteria, these user objects could get a mailbox in exchange or can remain as mail-enabled user.

So to flip between user and contact states what's the best design approach -use distinct object types in FIM or create a complex set that will drive provisioning of user vs contact or ....?

Thanks.

Anu

FIM problem when trying to join a group with the Outlook Add-in

Mon, 23 Nov 2009 09:56:31 Z

Hi,

I set up a FIM RC1 platform with 3 computers:
- fim-dc
- fim-exchange: Exchange 2007 as a mail server.
- fim-sharepoint: MOSS, SQL, FIM sync, fim svc, fim portal RC1 + update 1
The domain is contoso.com

The account running the fim service is fimsvc@contoso.com
I installed the fim-exchange computer certificate in the fimsvc trusted people certificate store.

Here is the appsettings section of the fim service config file :

<appSettings>
<add key="mailServer" value="https://fim-exchange.contoso.com/ews/exchange.asmx" />
<add key="isExchange" value="1" />
<add key="sendAsAddress" value="fimsvc@contoso.com" />
<add key="synchronizationServerName" value="FIM-SHAREPOINT" />
</appSettings>

All the security updates are installed.

I have a distribution group named "Technet 2010 attendees", where members are moderated by pascals@contoso.com
The problem is that I got an error when trying to join a group using the outlook add-in, whereas it does work correctly if I run the same process on the web portal.
For instance,
- on fim-exchange:
      - as the user fabiend@contoso.com, I asked to join the Technet 2010 ITForum Attendees
      - in the sent items, I can see a correct mail.
- on fim-sharepoint (the server running the fim service),
   - some informational messages about queries regarding fabiend@contoso.com and technet-2010-attendees@contoso.com
   - and then 3 error messages:
     - "The Exchange Mail Channel could not find a resource referred to in a mail message."
     - "System.InvalidOperationException: Operation is not valid due to the current state of the object."
     - "Microsoft.ResourceManagement: System.InvalidOperationException: Operation is not valid due to the current state of the object.
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ResourceManagementMail.ProcessPullResponseMessage(Message responseMessage)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ResourceManagementMail.ProcessResponseMessage(Message responseMessage)"

- and then, on fim-exchange, I then get an email

"Your request was received and processed. The results are below. 
We did successfully add these members to the groups: 
    None

The following members are pending authorization before being added to the groups, as requested: 
    None

Please visit the Forefront Identity Management Portal for more details. 

We were unable to add these members to the groups: 
Fabien d to Technet 2010 ITForum Attendees

The reason for each failure may be that the user or group is not managed by Forefront Identity Manager, or that you do not have sufficient permissions to use Forefront Identity Manager to manage them. 

Please contact your Forefront Identity Manager support personnel for assistance. "

Do you have any idea?

Adding a custom resource type

Mon, 23 Nov 2009 07:08:15 Z

Hi All,

I have added a new resource type to handle contractors in our environment. But before you wonder why I am not using the peson resource to handle these, we have different categories of contractors, all other contrators are handle by our HR system except a group categorized as 'X-type' contractors which are handled by the AD.

with the help of this forum I was able to create the resource and made it availble in the synchronization service as well, but when I want to run the FIMMA to export the contractors to the portal, I get "Access to the requested resource(s) is denied". I gathered that I had to give the sync engine permission to create and maintain this resource in the portal, but where?

I have created a MPR to give the sync engine all permission on the resource, but still gets the error above. The MPR is created as follows:

Requestors: Synchronization Engine
Permission: all
Target Resources (Before and After): X-Contractors (Set that I have created)

Any help would be appreciated
Thanks
Johan Marais

Synchronizing data from multiple tables

Mon, 23 Nov 2009 10:50:11 Z

Hi,

I have information distributed among multiple tables (around 40). I need to synchronize/pull the information from all these tables.

Can I do this using single database (oracle management agent) or do I need to create number of Management agents?

Or

Can I create a singe view/table from all these tables and use that view/table to create management agent?

Kindly reply ASAP

Regards
Rama Murthy

FIM Portal Feedback

Mon, 23 Nov 2009 11:30:59 Z

FIM Portal is amazing and does a great job. While going through the walkthroughs, some of the thoughs which I had,

1. If I understand the UI design principles correctly, application should always try to avoid popping up any dialog box.
To configure anything like MPR, WF, Sync rules etc, you have to go through the dialog box and that also without any maximize/minimize button.

2. If I understand the UI desing principles correctly, application should require as less clicks as possible.
To configure anything like MPR, WF, Sync rules etc, too many clicks are required.

3. How easy it would be for the user to find out all the sync rules associated with a particular MPR?
How easy it would be for the user to find out MPR this WF is part of? etc. These kind of questions do come in mind while working on the Portal.

I guess, UI like tree structure, MPR -> WF -> Sync, might be bit user friendly. (Similar to SQL Management Studio)

4. Another, do we say X = 2 + 3 or 2 + 3 = x. So while configuring IAF/EAF in Portal, should we first configure source or destination.

5. I think, no of tabs displayed in the portal can be reduced e.g while configuring IAF/EAF. We/I like to see both source and destination at the same time.

6. Can not find 'Logout' option on the Portal.

7. Manager My Requests: On request details dialog, you can not select the text and copy.

- Sachin

FIM Scriptbox

Sun, 02 Aug 2009 16:04:48 Z

Welcome to the FIM ScriptBox!

Scripts are a convenient way to simplify common tasks.
I'm sure that many of you have developed some cool scripts that will help others in the community to get a job done much faster.

The objective of this post is to track, share and discuss information about scripts you have developed.
Please don't hesitate to contact us if you have a script you would like to share!

FIM ScriptBox Content

Tools:

Date	Type	Title	Version	Author
10/28/2009	Tool	C# helper classes generators	1.0	Paolo Tedesco
10/2/2009	Documenter	FIM Provisioning Configuration Documenter	1.0	Markus Vilcinskas
10/1/2009	Tool	FIM Object Visualizer	1.1	Markus Vilcinskas
8/3/2009	Viewer	FIM CS Synchronization Rule Viewer Plus	1.6	Markus Vilcinskas
8/2/2009	Documenter	FIM MA Attribute Flow Documenter	1.5	Markus Vilcinskas
8/1/2009	Viewer	FIM Attribute Flow Precedence Viewer	1.5	Markus Vilcinskas
8/1/2009	Viewer	FIM CS Synchronization Rule Viewer	1.5	Markus Vilcinskas

PowerShell:

Date	Title	Author
11/18/2009	Using PowerShell to start Run Profiles	Fabien Duchene
11/6/2009	Using PowerShell to list the configured management agents	Markus Vilcinskas
11/6/2009	Using PowerShell to list the configured management agents	Markus Vilcinskas
11/6/2009	Using VBScript to run a PowerShell script	Markus Vilcinskas
11/6/2009	Using PowerShell to check your MPR configuration for synchronization	Markus Vilcinskas
11/5/2009	Using PowerShell to display the value of the ERL attribute of a user	Markus Vilcinskas
11/5/2009	Using PowerShell to display the value of the ERL attribute of a group	Markus Vilcinskas
10/26/2009	Using PowerShell to manage multiple FIM scenarios on a lab computer	Markus Vilcinskas
10/26/2009	Using PowerShell to test the FIM management agent account	Markus Vilcinskas
8/1/2009	Using PowerShell to check the initial flow configuration of your AD MA	Markus Vilcinskas
8/1/2009	Using PowerShell to determine the ERL configuration	Markus Vilcinskas

FIM Documentation Feedback

Thu, 19 Nov 2009 10:35:08 Z

Just installed FIM 2010 RC1 and going through the documentation http://technet.microsoft.com/en-us/library/ee534890%28WS.10%29.aspx

Few points

1. I am finding it bit difficult to read the documentation due to font size and spacing between the lines. I literaly struggle to move from one line to another due to spacing between the line.

2. No logical order of documents. The sequenece in which one should start is not mentioned anywhere. Document X assumes that reader has already completed the exercise in Document Y, Document Y assumes Doucment Z etc...

3. Hard to understand some of the concepts, the way things are explained.

- Sachin

Invalid Requestor specified for Get Operation

Sun, 22 Nov 2009 22:56:28 Z

Hi all,

has anyone seen this error thrown during a custom workflow activity?. I've tried de-bugging the activity but nothing gets thrown by way of an error, it just bombs out and the "Invalid Requestor specified for Get Operation" is visible in the request in FIM. As far as i can tell this is thrown in the Current Request Activity at the begining of the workflow. But I'm not sure. I'm logged on as an administrator and I have full rights to everything. I have run a similar activity with no issues. I may be missing something obvious. All help greatly appreciated. Thanks,

James McAlonan

James McAlonan

Password Reset Scenario requirements question

Sun, 22 Nov 2009 14:56:20 Z

Hi all
The description of the test scenario for the password reset test environment contains a statement for the following requirement:

"XP SP2 or Windows Vista Enterprise 32-bit or 64-bit that running hosts the FIM Add-in and Extensions in the same domain as the FIM 2010 server components"

Does that mean that in any case the Clients and the FIM server must be in the same domain? Is it possible to serve clients from different domains by a single FIM server? Are there special things to take into account when configuring only one FIM Server for mutliple domains (if possible)?

Thanks in advance
Henry

Can FIM store passwords to a custom attribute?

Fri, 20 Nov 2009 19:48:51 Z

Hi amigos!

I am using PCNS/FIM2010RC1 for password sync from AD to AD. Now, on the target AD(DC) I will create an AD LDS (formerly named ADAM) and there I will create custom attributes in such a way I will not modify my target AD current schema....

so the question is.........

+ is it possible to modify the password sync process to store the password value to a custom attribute??

+ how?

Thank you guys,

max

sap testing environment

Sat, 21 Nov 2009 17:49:45 Z

Hi all,
I would like to know, how can I deploy SAP testing environment which can be used together with ERP MA included in FIM 2010. Do I need some real-functioning SAP application or is there any other way for simulating SAP system.
Thanks

Windows Server 2008 R2 - FIM MA Full Import failed with stopped-server status

Thu, 08 Oct 2009 15:11:12 Z

Hi,

Has anyone tried RC1 in Windows Server 2008 R2 successfully?

I installed SQL 2008x64, WSS 3.0, FIM 2010 RC1, AD DS all in one box. No Exchange is installed or used. Use a non existent email address for the FIM Service account. Everything is fine for the installation. But the FIM MA Full Import always failed with stopped-server status, even without any change to the FIM Portal after a brand new installation. For every FIM MA Full Import, there's an error in event log say FIM Sync Service failed with unexpected error. The error msg is not helping at all.

Thanks.

FIM Object Visualizer

Thu, 01 Oct 2009 16:16:09 Z

Name	Latest Version
FIM Object Visualizer	1.1

Description:

The FIM Object Visualizer is a community script to display and document configurable objects such as Synchronization Rules, Workflows and Management Policy Rules:

Display – because the script has a UI to render your configuration
Document – because you can copy a displayed configuration to the clipboard and save it to a file.

The script is based on the HTA (HTML Application) framework – a framework that enables you to develop scripts that look like Windows applications without the need of writing code in Visual Studio.

Important
To run the script, you need a FIM server with PowerShell installed. Please read the FIM ScriptBox Read Me First prior to running this script

The FIM Object Visualizer is a customizable community script to display and document configurable objects such as Synchronization Rules, Workflows and Management Policy Rules.
You can use this script to document your current FIM deployment or to provide configuration information in case of a troubleshooting scenario.
The script consist of two main components:

Data Request
Data Display

The script assumes that all PowerShell scripts that are located in the Collection folder are scripts to request object information from your FIM server.
When you start the script, the script code locates all these scripts and adds them to the left list box in the toolbar:

To request new or update existing object information for a specific object type, select the object type you are interested in from the list box, and then click Get Objects.
You can extend the number of supported object types by adding additional PowerShell scripts to the Collection folder.
The second list box lists the object types for which you have already requested object information.
To list the display names for an object type, select the object type from the list box, and then click Get Names:

To display the configuration of an object, click the object's display name:

As mentioned eelier in this post, the FIM Object Visualizer is a community tool.
This means, the objective of this download is to get you started with the process of documenting your deployment; however, I expect that you will modify the components of this script.
For example, if you don't like the "look & feel" of how an object type is rendered, you can easily customize it by modifying the related XSLT file.

If you have questions, comments or even extensions for this script, please respond to this post.

To download this script, use this link.
To get to the FIM ScriptBox, use this link.

Markus Vilcinskas, Technical Content Developer, Microsoft Corporation

"Portal cannot connect to middle tier using web service interface" following uninstall/re-install of Portal

Wed, 18 Nov 2009 20:53:14 Z

Tried un-installing and re-installing portal to get round some issues with SSPR.
Reinstall reported no errors but portal now inaccesible - event log error below:
Tried looking at microsoft.resourcemanagement.service.exe.xml but can't see anything wrong....

Log Name:      Application
Source:        Microsoft.ResourceManagement.PortalHealthSource
Date:          17/11/2009 11:23:50 a.m.
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      hostname.domain
Description:
The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft.ResourceManagement.PortalHealthSource" />
    <EventID Qualifiers="0">10</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-11-16T22:23:50.000Z" />
    <EventRecordID>6974</EventRecordID>
    <Channel>Application</Channel>
    <Computer>hostname.domain</Computer>
    <Security />
</System>
<EventData>
    <Data>The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.</Data>
</EventData>
</Event>

Managed Service account in 2008 R2

Thu, 19 Nov 2009 17:50:59 Z

I'm just curious here if any one has tried to use managed service accounts? http://technet.microsoft.com/en-us/library/dd560633(WS.10).aspx

It looks like they could be used for at least the sql and sync engine accounts. They maintain their own passwords...which would relieve some administrative burden.

I'm going to try it once my lab gets upgraded next week. If no one answers I'll post my results.

MPR and Outbound Synchronization

Thu, 19 Nov 2009 18:02:29 Z

Hi All

1. Created three new users (contractors)
2. Created Outbound Sync rule
3. Created WF
4. Created MPR

When I look at the users properties created in step 1, none of them are part of the ERL.

5. I then created another user (contractor)

When I look at this users properties, I can see that user is part of the ERL.

My question is, why MPR is not applied on the users created in step 1 and but only on users created in step 5.

I have verified that all the users (step 1 & 5) are part of the All Contractors set.

TIA
Sachin

An appcrach on dllhost is generated when a full import profile from SAP/R3 MA runs

Mon, 09 Nov 2009 17:39:25 Z

Hello everyone.

My name is Paulo, I am in Sao Paulo / Brazil. This is my first post on Identity Lifecycle Manager 2 forum.

I'm having a problem with the FIM2010RC1, to be more specific with Agent SAP/R3.

I used the "Synchronization Service ERP MA Configuration" to:

Create the necessary XML files based on the existing template
Create the MA using these files
Create a "Full Import" profile

When I run the "Full Import" profile I can see the file "temp <MA>. Mdb" growing (~ 67MB). After a while, the "Input File" begins to grow and suddenly stops (~ 27MB).
About 20 minutes after the input file stops, a number of events are recorded in EventViewer:

________________________
Source: HHCTRL
EventID: 1904
Level: Information
Description:
The description for Event ID 1904 from source HHCTRL can not be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
about: blank
http://go.microsoft.com/fwlink?LinkID=45840
_________________________
Source: Application Error
EventID: 1000
Level: Error
Description:
Faulting application name: DllHost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc6b7
Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdb3b
Exception code: 0xc0000374
Fault offset: 0x000cdcbb
Faulting process id: 0x9e4
Faulting application start time: 0x01ca5d436ad52ec5
Faulting application path: C: \ Windows \ SysWOW64 \ DllHost.exe
Faulting module path: C: \ Windows \ SysWOW64 \ ntdll.dll
Report Id: befe7ea5-c941-11de-843c-00155d404902
_________________________
Source: Windows Error Reporting
EventID: 1001
Level: Information
Description:
Fault bucket, type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: DllHost.exe
P2: 6.1.7600.16385
P3: 4a5bc6b7
P4: StackHash_a6c2
P5: 6.1.7600.16385
Q6: 4a5bdb3b
P7: c0000374
Q8: 000cdcbb
Q9:
Q10:
Attached files:
C: \ Users \ u-svr-fim-sync \ AppData \ Local \ Temp \ WERD354.tmp.appcompat.txt
C: \ Users \ u-svr-fim-sync \ AppData \ Local \ Temp \ WERD53A.tmp.WERInternalMetadata.xml
C: \ Users \ u-svr-fim-sync \ AppData \ Local \ Temp \ WERD55A.tmp.hdmp
C: \ Users \ u-svr-fim-sync \ AppData \ Local \ Temp \ WER7B6.tmp.mdmp
These files may be available here:
C: \ Program Files \ Microsoft \ Windows \ WER \ ReportQueue \ AppCrash_DllHost.exe_238bf3e18b391514810578a751941268f629639_cab_1f0a0a33
Analysis symbol:
Rechecking for solution: 0
Report Id: befe7ea5-c941-11de-843c-00155d404902
Report Status: 0

Once these events are written to EventViewer, trying to stop running the profile "Full import" an unavailable RPC message popup´s and the profile still in a state of "Running" until the server is restarted.

Today I applied the update is available (FIMSyncService_EVAL_KB976465).

thank you.

Paulo.

PS.: I need to import all employees from SAP.

Problem: Send notification email X days before last working day

Fri, 20 Nov 2009 13:15:10 Z

Hi,

I was implementing a very basic scenario "Send notification email 5 days before last working day". The problem is that the MPR doesn't fire when the 5 days before rule is true.

The MPR works fine if the target after set is defined "EmployeeEndDate after 5 days hence". When I change the EmployeeEndDate for a user in the portal, I can see that user is in the right set and that he receives the notification email ok.

But if the target set is defined "user that match all of the following conditions: EmployeeEndDate after 4 days hence AND EmployeeEndDate prior to 5 days hence". When I change the EmployeeEndDate to be just 5 days before, I can see that the user is in the right set but he does NOT RECEIVE the email?

Is this a bug or am I using FIM wrong? =)

I've tested this on a clean downloadable RC1 Hyper-V image to root out other factors that might interfere. Can anyone else reproduce this issue?

The MPR is:
Requestors: All objects
Operation: Create, Modify
Target Before: All People
Target After: Set, see above
Select specific attributes: Employee End Date, Object Time
+ Action workflow to send email

Sync rule list of external systems doesn't get repopulated after portal re-install

Fri, 20 Nov 2009 00:09:56 Z

It appears that if you re-install the portal after MAs are configured in the sync service, the portal does not dynamically update the list of external systems available to be selected for sync rules.

This is probably expected behaviour and would be an unusual circumstance, but in case anyone else has this issue the workaround is to export the MA configuration and then update the MA from the exported file. This seems to trigger the list to be updated.

FIM CS Synchronization Rule Viewer Plus

Tue, 04 Aug 2009 22:54:17 Z

Name	Latest Version
FIM CS Synchronization Rule Viewer Plus	1.6

Description:

The FIM CS Synchronization Rule Viewer Plus is a script to display and document your FIM synchronization rules:

Display – because the script has a UI to render your configuration
Document – because you can copy a displayed configuration to the clipboard and save it to a file.

The script is based on the HTA (HTML Application) framework – a framework that enables you to develop scripts that look like Windows applications without the need of writing code in Visual Studio.

Important
It is highly recommended that you read the FIM ScriptBox Read Me First, before running this script on your computer.

If you have PowerShell installed on your FIM server, make sure that it is configured to allow running scripts.
The command to verify this is “get-executionpolicy”.
To enable all Windows PowerShell scripts to run, use the following command: "set-executionpolicy unrestricted".
Please see the PowerShell documentation for more details.

The FIM CS Synchronization Rule Viewer Plus and the FIM CS Synchronization Rule Viewer are basically the same.
The major difference between both scripts is that you don't need to look up a DN to use the Plus version.
The tradeoff is that it might take a while until you get the list of synchronization rules.

It would be nice to get some feedback on how the script behaves in larger environments...
I'm wondering whether the time it takes to build the list of synchronization rules is acceptable.

To download this script, use this link.
To get to the FIM ScriptBox, use this link.

Can't create new object (resource) type after Update1

Thu, 19 Nov 2009 11:39:30 Z

I'm trying to create a new object ie. resource type.
After submitting the GUI only says:

Status
Description: Error
Status: Error

I'm running FIM RC1 Update1.
Before Update1 there were no problems
in creating new object types.

How to resolve?

multiple domain forests

Thu, 19 Nov 2009 14:35:28 Z

Hello,
I need to know if it is possible for FIM to handle more than one domain forest. E.g. I have one domain fabrikam.com and portal is a member of this domain. In future there will be a new domain forest abc.com and I establish a cross forest trust between them. Is it possible to allow access to users from abc.com domain to the portal and assign them some approval process.

Thanks.

Send email to the manager when a user is created

Wed, 18 Nov 2009 17:25:05 Z

i have installed fim 2010 rc1 and everything is working, i created some Management rule policies and they are also working to send mail notifications.

i have acually two question:
First Question: what i'm trying to do is when a new users is created from the portal, i need a email notification to be send to his manager, how can i do that? i know i have to create a workflow and MPR which i did but i think i'm missing something it this case.

Second Question: i have downloaded one of the FIM ScriptBox content and when i run the HTA it give me this message: You are running your HTA in 32bit mode... and the strange thing is i'm running it on a 64bit windows server 2008.. what is the problem?

Identity Lifecycle Manager 2 Forum

SSPR install less stable since RC1 ?

Run on Policy Update - Retroactive Policy Enforcement

Outbound Synchronization is not working when changing an attribute

Configuration Migration Tool Question

FIM Certificate Management Configuration Wizard Fails

Not able to Provision user

Flowing an expiry date to the ILM portal

Email notification workflow not working

FIM 2010 with Exchange Server 2010

SSO AD Synchronisation

Provisioning XML file with a Extensible Connectivity MA

What MPR needs to be enabled so that user can see the users created by him

Help: Configuration file for User create

Does FIM2010 supports SQL 2008 x86

Allow Anonymous Access to the Password Reset Portal

Allow Anonymous Access to the password reset portal

FIM 2010 and Powershell 2.0

Unable to Update User CN value in AD

Users and Contacts - ways to distinguish?

FIM problem when trying to join a group with the Outlook Add-in

Adding a custom resource type

Synchronizing data from multiple tables

FIM Portal Feedback

FIM Scriptbox

FIM Documentation Feedback

Invalid Requestor specified for Get Operation

Password Reset Scenario requirements question

Can FIM store passwords to a custom attribute?

sap testing environment

Windows Server 2008 R2 - FIM MA Full Import failed with stopped-server status

FIM Object Visualizer

"Portal cannot connect to middle tier using web service interface" following uninstall/re-install of Portal

Managed Service account in 2008 R2

MPR and Outbound Synchronization

An appcrach on dllhost is generated when a full import profile from SAP/R3 MA runs

Problem: Send notification email X days before last working day

Sync rule list of external systems doesn't get repopulated after portal re-install

FIM CS Synchronization Rule Viewer Plus

Can't create new object (resource) type after Update1

multiple domain forests

Send email to the manager when a user is created