FIM 2010 R2: 2 Questions about Exchange 2013 and Windows Azure AD PW Sync

  • Question

  • Hi,

    1. My first question is about Exchange 2013. It's about the account used to send and receive status mails. I checked the value in "Microsoft.ResourceManagement.Service.exe.config". I have gone through this troubleshooting guide: http://technet.microsoft.com/en-us/library/18e87593-9728-4890-8765-dac5e5e36809(v=ws.10)#bkmk_Exchange . I am able to connect to the address of the EWS web page, also with the FIM Service account. I can open the OWA web address for the FIMService account. There is no certificate error when browsing to these sites. I can't find any information that FIM supports Exchange 2013, could that be the problem?

    2. I read that it is not possible to sync the passwords to Azure AD with FIM. Is that true? Does someone know if and when this functionality will appear?

    Thanks a lot
    Martin


    www.sccmfaq.ch


    • Edited by Martin Wüthrich Thursday, September 4, 2014 8:29 AM typo in title :)
    Thursday, September 4, 2014 8:13 AM

Answers

  • Hi Martin,

    1. Yes, Exchange 2013 is supported from SP1. So if you have at least FIM 2010 R2 SP1, you can put FIMService's mailbox on Exch2013 - http://technet.microsoft.com/en-us/library/jj863246(v=ws.10).aspx

    2. Only DirSync can do that. As per: http://msdn.microsoft.com/en-us/library/dn511001(v=ws.10).aspx : This connector does not support any password management scenarios


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.



    • Edited by Dominik Trojnar Thursday, September 4, 2014 9:50 AM
    • Proposed as answer by FIMService Thursday, September 4, 2014 12:29 PM
    • Unproposed as answer by Martin Wüthrich Thursday, September 4, 2014 1:00 PM
    • Proposed as answer by FIM Indian Thursday, September 4, 2014 6:36 PM
    • Marked as answer by Martin Wüthrich Thursday, September 4, 2014 7:09 PM
    Thursday, September 4, 2014 9:45 AM
  • one more question - is the certificate name the same as fqdn? I mean - do you use the same URL as certificate is issued to?

    make sure WSSecurity is enabled on the virtual directories for Autodiscover and EWS. When this is confirmed verify that the svc-integrated handler is assigned to both the Autodiscover and EWS

    moreover, try iisreset on exchange.




    Thursday, September 4, 2014 3:01 PM

All replies

  • Hi Dominik,

    thanks for pointing number 2 out :)

    For my Problem on the Exchange:

    I get the Event ID 12 in the Application log with:
    The Forefront Identity Manager Service cannot connect to the Exchange Web Service.

    In the FIM Log I find:
    System.Web.Services: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

    This leads me to http://social.technet.microsoft.com/Forums/en-US/7697048b-3cf1-48ce-a8eb-b5c51104c279/error-connecting-to-exchange-2010?forum=ilm2 . This guy seems to have the same error. But I don't know exactly what he changed in IIS. As I said, my certificate chain is OK.
    Do you have some resource for me, where to start to get rid of this?
    Thanks a lot,
    Martin



    Thursday, September 4, 2014 9:50 AM
  • Hi Martin,

    Do you use NLB name of Exchange EWS server? If so, please try with direct connection to one server.



    Thursday, September 4, 2014 10:25 AM
  • I'm in a lab, thus I've got only one Exchange server, and I connect to this directly with the FQDN of the server.


    Thursday, September 4, 2014 12:10 PM
  • Ok. Please check the following:

    1. If FIMService account has mailbox at the Exchange Server

    2. Do you have proper configuration in configuration file:

        <add key="mailServer" value="Exch2010.predica.pl" />
        <add key="isExchange" value="1" />
        <add key="sendAsAddress" value="fimservice@predica.pl" />

    After changing config file make sure you have restarted FIMService service.



    Thursday, September 4, 2014 12:26 PM
  • 1. Yes the Service Account got his own Mailbox.

    2. Yes, it should be proper in my Point of view:

        <add key="mailServer" value="https://hosebeimail01.deheim.myDomain.TLD/EWS/Exchange.asmx" />
        <add key="isExchange" value="1" />
        <add key="sendAsAddress" value="svc-FIMService01@deheim.myDomain.TLD" />

    First I had the value svc-FIMService01@myDomain.TLD as "sendAsAddress". I changed this to the value I now have in the config file. Both e-mail addresses were or are existent on the service account. The UPN of the service account is the same as the value of the sendAsAddress in the config file.

    I can log in to the mailbox through OWA with the UPN and the sAMAccountName.

    And I can open the EWS page with the Service Account as well.




    Thursday, September 4, 2014 12:54 PM
  • ok, another try: check if you can use it without ssl, do specify http instead of https.


    Thursday, September 4, 2014 2:51 PM
  • Hi Dominik,

    It worked, when I changed to HTTP. I had a certificate with Subject Alternate Names, so I changed to one, without Subject Alternative Names, but with the hosebeimail01.deheim.myDomain.TLD URL. I still get the error.

    I then tried to check the WSSecurity, but I failed, so I activated WSSecurity, unsure if it was active or not. I also made an iisreset, and after this, it now works.

    Thanks a lot for your time, I really appreciate it.



    Thursday, September 4, 2014 6:25 PM
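
The check behind the question "is the certificate name the same as fqdn?", written as an added example that is not part of the thread or of FIM. It reads the three mail settings from the service config and, with -Probe, reports what the TLS handshake to the mailServer host says about the certificate. The function name Test-FimMailServer, the wrapper elements in the sample and PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the thread): report the FIM Service mail settings and,
# with -Probe, the certificate the EWS endpoint presents for the configured host name.
function Test-FimMailServer {
    param(
        [Parameter(Mandatory = $true)][xml]$Config,  # contents of Microsoft.ResourceManagement.Service.exe.config
        [switch]$Probe                               # opens a TLS connection to the mailServer host
    )
    $value = @{}
    foreach ($key in 'mailServer', 'isExchange', 'sendAsAddress') {
        $node = $Config.SelectSingleNode("//add[@key='$key']")
        if ($node) { $value[$key] = $node.GetAttribute('value') }
    }
    # mailServer may be a bare host name or a full EWS URL; both forms appear in the thread.
    $uri = $null
    $isUrl = [uri]::TryCreate([string]$value.mailServer, [UriKind]::Absolute, [ref]$uri)
    $report = [ordered]@{
        MailServer    = $value.mailServer
        IsExchange    = $value.isExchange -eq '1'
        SendAsAddress = $value.sendAsAddress
        Scheme        = if ($isUrl) { $uri.Scheme } else { $null }
        TlsErrors     = $null   # SslPolicyErrors reported during the handshake
        CertSubject   = $null
        CertAltNames  = $null
    }
    if ($Probe -and $isUrl -and $uri.Scheme -eq 'https') {
        # Record validation errors instead of aborting, so a name mismatch is reported.
        [System.Net.Security.RemoteCertificateValidationCallback]$callback = {
            param($s, $certificate, $chain, $errors) $script:FimTlsErrors = $errors; $true }
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        try {
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($uri.Host)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
            $report.TlsErrors    = [string]$script:FimTlsErrors
            $report.CertSubject  = $cert.Subject
            $report.CertAltNames = if ($san) { $san.Format($false) } else { $null }
        } finally { $tcp.Close() }
    }
    [pscustomobject]$report
}

# Constructed sample: the values posted in the thread; the wrapper elements are an assumption.
$sample = '<configuration><appSettings>
  <add key="mailServer" value="https://hosebeimail01.deheim.myDomain.TLD/EWS/Exchange.asmx" />
  <add key="isExchange" value="1" />
  <add key="sendAsAddress" value="svc-FIMService01@deheim.myDomain.TLD" />
</appSettings></configuration>'
Test-FimMailServer -Config $sample   # settings only; add -Probe on the FIM server
```

A TlsErrors value containing RemoteCertificateNameMismatch means the certificate was not issued to the host name in mailServer; RemoteCertificateChainErrors means the FIM server does not trust the issuing chain.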