none
Group membership alterations timeout RRS feed

  • Question

  • Hello,

    I've imported about 100 security groups with their members from AD to FIM and have altered precedence so that FIM now manages these groups. I want to change the groups to criteria based membership and have successfully done so in a number of cases, however I am finding that groups with more than apx. 700 members are causing an error in the portal.

    Event viewer says that the diagnostic log may contain more information but it does not. It also suggests checking the SharePoint log but unfortunately I have been unable to find an appropriate log.

    I've had this error occur before in similar circumstances and my guess is that there is some sort of timeout cancelling the operation.

    Does anyone know of a fix for this? Is there a way to empty the group memberships?

    Many thanks 

    Portal error:

    "Unable to process your request. Please contact your help desk or system administrator."

    Event viewer:

    "The portal was unable to complete a request and showed a user the default error page.

    An unhandled exception was caught.

    Check the product diagnostic log file and then check the SharePoint log file."


    • Edited by FIM-EN Tuesday, July 22, 2014 8:12 AM
    Monday, July 21, 2014 10:48 AM

Answers

  • Hello FIM-EN,


    You probably have a timeout issue. Tyr to increase the value in the file "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config":

    /configuration/ resourceManagementClient/ @timeoutInMilliseconds

    [0,360000]

    90,000

    The timeout of the client side of communication.


    link:

    http://technet.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx

    Regards,



    Sylvain

    • Marked as answer by FIM-EN Monday, July 21, 2014 2:59 PM
    Monday, July 21, 2014 11:48 AM
  • FIM-EN,

    Also, are you modifying your portal timeout value? There are separate entries for the service file timeout(above) and for the portal timeout. Often when the portal timout is not enough but the service config file timeout has been changed, you will see an error in the portal but the request will have ultimately worked. Go to your web.config file in the InetPub->wwwroot->WSS->VirtualDirectories->80 folder and check the timeoutInMilliseconds value. This is an example. This value should match what you have modified in the service config file, except that this value is in milliseconds, the service config file values are in seconds.

    • Marked as answer by FIM-EN Tuesday, July 22, 2014 8:11 AM
    Tuesday, July 22, 2014 3:16 AM

All replies

  • Hello FIM-EN,


    You probably have a timeout issue. Tyr to increase the value in the file "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config":

    /configuration/ resourceManagementClient/ @timeoutInMilliseconds

    [0,360000]

    90,000

    The timeout of the client side of communication.


    link:

    http://technet.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx

    Regards,



    Sylvain

    • Marked as answer by FIM-EN Monday, July 21, 2014 2:59 PM
    Monday, July 21, 2014 11:48 AM
  • Thanks for the reply Sylvain, very helpful! I set timeoutInMilliseconds to its max, 360000 and it has worked for some of the smaller groups I was previously having problems with!

    Unfortunately though, most of the larger groups (1200+ members) are still timing out, after 2 minutes now.

    Presumably this is another timeout setting somewhere but I have no idea where to begin to look. The other concern would be that the 360 second max timeout probably won't be long enough for the 6000+ member groups.

    I wonder if there is a way to flow null into the members attribute on an inbound group sync rule so I can at least temporarily empty the groups while I configure the criteria settings?

    Monday, July 21, 2014 12:59 PM
  • You can try to built an operational MA to empty the members:

    • Add a flow to get the dn of your groups in the metaverse
    • Create a new file delimited MA with attribute DN (anchors) and Members (type CSV)
    • Create a join rule based on DN
    • Add a flow your object "Members -> member"
    • Set the initial file with all DN of your groups
    • In the metaverse designer set the precedence to "Operational MA" for the attribute "member" of object "group"
    • Allow to export null value on the FIM MA for "Members"
    • Run Full Import, Full Synchronization on Operational MA
    • Run Export on FIM MA
    • Remove the Operational MA

    Done!


    Sylvain

    Monday, July 21, 2014 2:08 PM
  • Good thinking. Thanks for your help :)
    Monday, July 21, 2014 2:59 PM
  • FIM-EN,

    Also, are you modifying your portal timeout value? There are separate entries for the service file timeout(above) and for the portal timeout. Often when the portal timout is not enough but the service config file timeout has been changed, you will see an error in the portal but the request will have ultimately worked. Go to your web.config file in the InetPub->wwwroot->WSS->VirtualDirectories->80 folder and check the timeoutInMilliseconds value. This is an example. This value should match what you have modified in the service config file, except that this value is in milliseconds, the service config file values are in seconds.

    • Marked as answer by FIM-EN Tuesday, July 22, 2014 8:11 AM
    Tuesday, July 22, 2014 3:16 AM
  • Hi Glenn,

    That might have explained the two minute timeout when it was set to six. I've resolved it using something similar to Sylvain's recommendation this time but this isn't the first and probably won't be the last time I encounter this problem.

    I'll try altering the web.config attribute also next time.

    Thanks!

    Tuesday, July 22, 2014 8:11 AM