change in UPN throwing error in fimma ds

  • Question

  • The previous sync rules were UPN – accountname@xyz.local; DN – accountname,OU=users,dc=xyz,dc=local, and this was working fine. I modified the UPN so that UPN – accountname@ORG.edu; DN – accountname,OU=users,dc=xyz,dc=local. DN was kept the same.

    xyz.local is the actual domain name. FIMMA DS is throwing an error for new user creation in AD. Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector.

    What is weird is, I am able to change the UPN of the account from accountname@xyz.local to accountname@org.edu. I am unable to create a new account with the UPN of accountname@org.edu. Please help.


    Friday, November 20, 2015 3:16 PM

All replies

  • I can give you a quick workaround.

    1. Leave it as is for new users.
    2. Create an export rule with the new value.

    It will create it and update it (although as 2 steps); you will get what you want.


    Nosh Mernacaj, Identity Management Specialist

    Friday, November 20, 2015 6:57 PM
  • That's what I do now. But the export rule needs some manual steps to trigger the export. What should be the precedence in this case? Should the export rule have a higher precedence number?
    Friday, November 20, 2015 7:13 PM
  • 1. Create an action WF in FIM Portal to set UPN = <AccountName>@<org.edu>

    2. Create an MPR that applies to all users (Transition in) and calls above WF

    3. Import UPN to Metaverse, export to AD

    4. Make your FIM MA precedence 1


    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by Nosh Mernacaj Friday, November 20, 2015 8:11 PM
    • Marked as answer by fim_sc Friday, December 4, 2015 2:10 PM
    Friday, November 20, 2015 8:09 PM
  • I have sync rules that create the AD account. The first sync rule, with conditions 1 and 2, triggers the AD creation. Another sync rule, with condition 3, triggers the UPN change. The precedence set on those sync rules is causing a problem.
    Friday, November 20, 2015 8:15 PM
  • That's what I do now. But the export rule needs some manual steps to trigger the export. What should be the precedence in this case? Should the export rule have a higher precedence number?

    What did you mean by this, then? When I said you can change UPN to the value you mention? Is that a valid value? UPN can be used to log in to AD, so if it is not a valid value, it will not work.


    Nosh Mernacaj, Identity Management Specialist

    Friday, November 20, 2015 8:21 PM
  • Sync rule 1 creates an AD account with UPN @xyz.local. Sync rule 2 changes the UPN to @org.edu. This works fine. I am trying to change sync rule 1 to create accounts with UPN @org.edu and remove sync rule 2. This is not working. I am trying to find the reason why AD is not accepting a new account with UPN as @org.edu, but I can change the UPN from @xyz.local to @org.edu.
    Friday, November 20, 2015 8:27 PM
  • Hi,

    I imagine that you have a user account rights issue for the AD MA account.

    Have you added the alternate UPN @org.edu to your domain conf?

    https://technet.microsoft.com/en-us/library/cc756018%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Joris 


    Joris Faure

    Sunday, November 22, 2015 11:00 PM
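
The check asked about in the last reply (whether @org.edu is registered as an alternate UPN suffix) can be done from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory RSAT module is installed and uses org.edu, the suffix named in the thread.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$wanted = 'org.edu'   # suffix from the thread

$forest = Get-ADForest

# Domain DNS names are implicitly usable as UPN suffixes;
# UPNSuffixes holds the alternates that were added explicitly.
$implicit = @($forest.Domains)
$explicit = @($forest.UPNSuffixes)
$known    = $implicit + $explicit

if ($known -contains $wanted) {
    Write-Output "'$wanted' is already available as a UPN suffix."
} else {
    Write-Output "'$wanted' is not registered. Explicit suffixes: $($explicit -join ', ')"
    # Adding a suffix changes forest configuration.
    # -WhatIf shows the change without applying it; remove it to apply.
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $wanted } -WhatIf
}

# Report accounts whose UPN suffix is not one of the known suffixes.
Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName |
    Where-Object { $known -notcontains ($_.UserPrincipalName -split '@')[-1] } |
    Select-Object SamAccountName, UserPrincipalName
```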