locked
Provisioning is failing in FIM 2010 R2 RRS feed

  • Question

  • Hi,

    I am using FIM 2010 R2 and we have created VIS MA(Virtual Identity server) . My VIS will be connecting to two AD directories(AD1 & AD2). 

    When I am provisioning user from FIM to AD1 through VIS MA, the user are not provisioning. I am getting "Required attribute "ObjectGUID" is missing" error in "Validate Object againest schema" in Sync server.

    Will Provisioning works through VIS MA or not. Or else provisioning will work only AD MA. Please suggest.

    Saturday, December 29, 2012 1:40 PM

All replies

  • If I understand correctly you are using standard AD MA from FIM to talk to some third party Virtual Identity Server which is hidding underlying Active Directory structure from your provisioning solution. Am I right?  In that case I simply don't know if it will work or not - it all depends on how this 3'rd party product operates.

    FIM requires ObjectGUID as underneath it is objectGUID in AD which is unique for a user not a DN even if DN is presented for you as an object DN. If your VIS should hide AD from provisioning standpoint it should also present same schema (including objectGUID) and handle provisioning with this attribute. I've never looked at exact operations AD MA is doing but looking at my knowledge of how MAs are operating in general I would assume that AD is provisioning and object and then expects that it will be able to get its details (not sure if it does it during the export operation).

    If AD MA will not work for you solution might be to write your own MA which will talk to your VIS directory or consult with your VIS provider to get their standpoint on this.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Saturday, December 29, 2012 9:11 PM