MIM Event Broker Forum
I know this is somewhere on the roadmap, but I thought I'd give you a specific example of how I would like to use this to look up the Operation List name for a corresponding guid from within a PowerShell script. I know this method exists on the WCF endpoint because it is exposed in the WSDL. However, it is not a simple exercise to access this from PowerShell.
For the time being I have a work-around which relies on looking up the Event Broker registry key to determine the extensibility file path, then querying the operations extensibility xml directly. However the limitation here is that this will only work if the script is running locally on the Event Broker service host.
Now that this has been proven in Identity Broker we'll look at this for MIM Event Broker.
When an OU is configured for an AD agent that is NOT the domain root (e.g. "OU=Employees,DC=mim2016,DC=local") we get the following exception when the generated incoming operation list is activated:
Operation faulted: The server is unwilling to process the request. - Please see the log viewer for more details.
This is because the AD Sync Changes check operation uses the full DN for the "Domain" property instead of the DC part only (i.e. "DC=mim2016,DC=local").
To avoid this error the AD sync changes operation needs to extract the DC DN from the full DN supplied.
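The extraction this report asks for, as an added PowerShell example (not Event Broker's code and not part of the original post): it takes a container DN and returns only its trailing DC components, treating backslash-escaped commas as part of a value. The function names are hypothetical, and the sample DNs other than the one quoted in the report are constructed.

```powershell
# Added example: derive the domain DN ("DC=...") from a full container DN.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas, but not on commas escaped with a backslash (e.g. "OU=Sales\, East").
    $parts   = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped)        { [void]$current.Append($ch); $escaped = $false }
        elseif ($ch -eq '\') { [void]$current.Append($ch); $escaped = $true }
        elseif ($ch -eq ',') { $parts.Add($current.ToString().Trim()); [void]$current.Clear() }
        else                 { [void]$current.Append($ch) }
    }
    $parts.Add($current.ToString().Trim())
    return $parts
}

function Get-DomainDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = @(Split-DistinguishedName $DistinguishedName)
    # The domain part is the trailing run of DC= components; stop at the first
    # component (reading right to left) that is not a DC.
    $dc = New-Object System.Collections.Generic.List[string]
    for ($i = $rdns.Count - 1; $i -ge 0; $i--) {
        if ($rdns[$i] -match '^DC\s*=') { $dc.Insert(0, $rdns[$i]) } else { break }
    }
    if ($dc.Count -eq 0) {
        throw "No DC components found in '$DistinguishedName'"
    }
    return ($dc -join ',')
}

# DN from the report above, followed by constructed samples.
Get-DomainDn 'OU=Employees,DC=mim2016,DC=local'
Get-DomainDn 'OU=Sales\, East,ou=Employees,dc=mim2016,dc=local'
Get-DomainDn 'DC=mim2016,DC=local'
```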
Presently the TO address supports only a single target email address. However this field is multi-valued in the sendmail API and the logger could easily be extended to support this. There is no tooltip on this field so it was not intuitive that this restriction applied - however attempts using "," and ";" delimiters both failed. Work-arounds include setting up multiple loggers, or using a distribution list. However there are times when this would still be handy - especially when d-lists are not easily modified or the requirement is only temporary.
Added ability to have logs emailed to multiple addresses. Will be included in the next release.
With the release of Ryan Newington's latest Lithnet miis-powershell module it occurred to me that it may be possible in some scenarios (e.g. full imports vs. delta imports) to leverage the progress bar idea for the Event Broker console.
The native AD MA for the FIM Sync service has long had an optional configuration section for preferred DCs, so that administrators can nominate an ordered list of preferred DCs to connect to for imports/exports. When this is used with Event Broker, especially in forests where there are delays in AD replication between DCs, the result can be that Event Broker detects a change before it is replicated to the DC from which FIM is connecting. This generally results in a missed change.
A feature to configure the AD agent exactly in line with that in the corresponding AD MA is suggested here.
How do I configure the Domain in EvB 4.0 AD Agent?
I have configured the following in the UI:
When viewing the traffic, I can see Domain Name is NULL (as shown in image below) and authentications are failing with the following error:
20170726,05:29:36,UNIFY MIM Event Broker,Operation List Executor Sink,Error,"The trigger for operation list with id 3c27daae-4669-498e-9e43-54ba6d36120a has failed to attached with the message The supplied credential is invalid.. System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid. at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential) at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID) at System.DirectoryServices.Protocols.LdapConnection.BeginSendRequest(DirectoryRequest request, TimeSpan requestTimeout, PartialResultProcessing partialMode, AsyncCallback callback, Object state) at Unify.Product.EventBroker.OpenLDAPListenPlugIn.AttachTrigger(IListenOperationInformation listenOperationInformation) at Unify.EventBroker.PlugIn.Audit.ListenOperationAuditingDecorator.AttachTrigger(IListenOperationInformation listenOperationInformation) at Unify.Product.EventBroker.OperationListExecutorSink.RecycleListenOperation(IListenOperationFactoryInformation operationInformation)",Normal
This is working on a new AD instance using both the domain format and FQDN.
Possible causes could be:
- Typo in username or password;
- User not provided enough permissions
- User doesn't have permission to perform the required operation (or use the required controls - see documentation)
I recommend testing using the simple check or changes operations - as there are fewer requirements than the listen operation and should make diagnosis easier.
Here's a new one - I'm having issues with the IDB Changes operation between EVB 4.0 and IDB 5.2
I have the default configuration.
Initially I was getting the following error:
Operation Check for changes in the External AD Events Adapter with id 331db65e-4d4d-48a0-b09f-a7247c7d3f15 failed in the operation list MIM - External AD Events MA - Incoming with id ddde4bd5-4173-419b-9388-92df3f10d705 for the following reason. This is retry number 0: System.InvalidOperationException: Could not find endpoint element with name 'IdentityBroker' and contract 'IChangesAvailableCollector' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this name could be found in the client element. at System.ServiceModel.Description.ConfigLoader.LoadChannelBehaviors(ServiceEndpoint serviceEndpoint, String configurationName) at System.ServiceModel.ChannelFactory.ApplyConfiguration(String configurationName, Configuration configuration) at System.ServiceModel.ChannelFactory.InitializeEndpoint(String configurationName, EndpointAddress address) at System.ServiceModel.ChannelFactory`1..ctor(String endpointConfigurationName, EndpointAddress remoteAddress) at Unify.Product.EventBroker.IdentityBroker50ChangesCommunicator.ChangesAvailable(Guid adapterId) at Unify.Product.EventBroker.IdentityBroker50ChangesPlugIn.Check() at Unify.EventBroker.PlugIn.Audit.CheckOperationAuditingDecorator.Check() at Unify.Product.EventBroker.OperationListExecutorBase.RunCheck(ICheckOperationFactoryInformation checkOperation)
So I added the following endpoint config in the service.event.exe.config:
<endpoint binding="basicHttpBinding" contract="IChangesAvailableCollector" bindingConfiguration="StreamingFileTransferServicesBinding" name="IdentityBroker" />
Now, I'm getting the following:
Operation Check for changes in the External AD Events Adapter with id 331db65e-4d4d-48a0-b09f-a7247c7d3f15 failed in the operation list MIM - External AD Events MA - Incoming with id ddde4bd5-4173-419b-9388-92df3f10d705 for the following reason. This is retry number 0: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
Not something I've seen before...
I thought this had come up before (there's a matching ticket in VSO), but can't find it in UserEcho...
Please change the endpoint element to this:
<endpoint binding="basicHttpBinding" contract="IChangesAvailableCollector" bindingConfiguration="IdentityBroker4Binding" name="IdentityBroker" />
It'll be in the next release, not sure how it was missed. Thanks.
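The 401 in this thread ("client authentication scheme 'Anonymous'" against a server offering 'Negotiate') depends on which binding configuration the client endpoint points at. The following added PowerShell example (not UNIFY's code and not from the thread) resolves each client endpoint's bindingConfiguration and reports what the client will send at the HTTP layer. The function name, binding names and settings in the sample are constructed; the page does not show what IdentityBroker4Binding contains.

```powershell
# Added example: report the HTTP client credential each WCF client endpoint will use.
[xml]$sample = @'
<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="NoSecuritySample" />
    <binding name="WindowsAuthSample">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding></bindings>
  <client>
    <endpoint name="First" binding="basicHttpBinding"
              bindingConfiguration="NoSecuritySample" contract="IChangesAvailableCollector" />
    <endpoint name="Second" binding="basicHttpBinding"
              bindingConfiguration="WindowsAuthSample" contract="IChangesAvailableCollector" />
  </client>
</system.serviceModel></configuration>
'@

function Get-ClientEndpointAuth {
    param([Parameter(Mandatory)][xml]$Config)
    $root = '/configuration/system.serviceModel'
    foreach ($ep in $Config.SelectNodes("$root/client/endpoint")) {
        $type = $ep.GetAttribute('binding')
        $name = $ep.GetAttribute('bindingConfiguration')
        $sec  = $Config.SelectSingleNode("$root/bindings/$type/binding[@name='$name']/security")
        # WCF defaults: basicHttpBinding uses security mode None and the transport
        # clientCredentialType is None, so the request is anonymous unless both are set.
        $mode = 'None'; $cred = 'None'
        if ($null -ne $sec) {
            if ($sec.GetAttribute('mode')) { $mode = $sec.GetAttribute('mode') }
            $transport = $sec.SelectSingleNode('transport')
            if ($null -ne $transport -and $transport.GetAttribute('clientCredentialType')) {
                $cred = $transport.GetAttribute('clientCredentialType')
            }
        }
        $httpAuth = ($mode -in @('Transport', 'TransportCredentialOnly')) -and ($cred -ne 'None')
        # clientCredentialType "Windows" is what answers a server's "Negotiate" header.
        $sent = if ($httpAuth) { $cred } else { 'Anonymous' }
        [pscustomobject]@{
            Endpoint = $ep.GetAttribute('name'); Binding = $name
            SecurityMode = $mode; HttpClientAuth = $sent
        }
    }
}

Get-ClientEndpointAuth $sample | Format-Table -AutoSize
```

Any endpoint reported as Anonymous will fail the same way against a service that requires Negotiate. TransportCredentialOnly authenticates over plain HTTP; mode Transport is the HTTPS counterpart.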
I'm currently having an issue communicating with the IDB API from Event Broker. Not sure if this is IDB or EVB.
I'm getting the following error trying to run an API operation:
Operation Full Import - DAMS Contact Connector with id a1508248-0161-46a0-a703-a1cad6cfc8ed failed in the operation list IDB - DAMS Contact - Full Import with id bae408b8-0b38-495f-a92a-4b1a8319f15b for the following reason. This is retry number 0: Unify.Product.EventBroker.RestAPIAgentUnexpectedStatusException: Response code NotFound doesn't match expected response code NoContent. at Unify.Product.EventBroker.RestAPIPlugIn.Execute() at Unify.EventBroker.PlugIn.Audit.OperationAuditingDecorator.Execute() at Unify.Product.EventBroker.OperationListExecutorBase.RunNextOperations(IEnumerator`1 operationEnumerator)
I have the following agent configured (Have tried IDB Port with no change):
And the following API config in IDB:
IDB v5.2.0 R2
EVB v4.0.0 R1
IDB and EVB are on the same box, and I can hit the swagger page for the rest API.
Nothing applicable in the IDB logs or Event Logs (even enabled diagnostic logging in IDB)
Please try placing the following patch DLL into the Event Broker Services directory and re-attempting the operation.
Please note that this ONLY affects Identity Broker v5.2+. Please don't use this patch against an Identity Broker v5.1 instance.
I'm having an issue with event broker at the moment:
Stack trace from Event Log:
Event code: 3005 Event message: An unhandled exception has occurred. Event time: 14/07/2017 10:36:36 AM Event time (UTC): 14/07/2017 12:36:36 AM Event ID: a852df8e00cb40e4a34b31600dea2fca Event sequence: 2 Event occurrence: 1 Event detail code: 0 Application information: Application domain: b7cf9837-1-131444661896298544 Trust level: Full Application Virtual Path: / Application Path: C:\Program Files\UNIFY Solutions\Event Broker\Web\ Machine name: REDACTED Process information: Process ID: 5640 Process name: Unify.Service.Event.exe Account name: REDACTED Exception information: Exception type: TypeInitializationException Exception message: The type initializer for 'Unify.EventBroker.Web.EventServiceClientInstance' threw an exception. at Unify.EventBroker.Web.MvcApplication..ctor() in C:\agent\_work\23\s\Source\Unify.EventBroker.Web\Global.asax.cs:line 33 at ASP.global_asax..ctor() Could not load file or assembly 'Unify.Framework.Collections, Version=126.96.36.199, Culture=neutral, PublicKeyToken=84b9288cb2633de4' or one of its dependencies. The system cannot find the file specified. 
at Unify.Framework.TimingGenerator..ctor() at Unify.Framework.Logging.LoggingEngineClient..ctor(ILoggingEngineCollector collector) in C:\agent\_work\1\s\Source\Logging\Unify.Framework.Logging.Engine.Shared\LoggingEngineClient.cs:line 25 at Unify.EventBroker.Web.EventServiceClientInstance.CreateComponent(EndpointAddress serviceEndpointAddress) in C:\agent\_work\23\s\Source\Unify.EventBroker.Web\Extensions\EventServiceClientInstance.cs:line 53 at Unify.EventBroker.Web.EventServiceClientInstance..cctor() in C:\agent\_work\23\s\Source\Unify.EventBroker.Web\Extensions\EventServiceClientInstance.cs:line 32 Request information: Request URL: http://localhost:8081/ Request path: / User host address: 127.0.0.1 User: Is authenticated: False Authentication Type: Thread account name: REDACTED Thread information: Thread ID: 236 Thread account name: REDACTED Is impersonating: False Stack trace: at Unify.EventBroker.Web.MvcApplication..ctor() in C:\agent\_work\23\s\Source\Unify.EventBroker.Web\Global.asax.cs:line 33 at ASP.global_asax..ctor() Custom event details:
Not sure what's going on here. This worked previously as I was able to apply the license, however this is the first I have used it since.
I've restarted the browser, service and server with no change.
Service account is a local admin, so there should not be any permissions issues.
Running the latest version (4.0)
Running on Windows Server 2016.
I note also that Unify.Framework.Collections.dll is present in the web\bin dir, and it is version 188.8.131.52 (different from the 184.108.40.206 in the error message, although I expect that's just the display...)
It is the recommended approach and the embedded web server has been deprecated (as per http://voice.unifysolutions.net/topics/2721-configuring-mim-event-broker-for-use-with-embedded-web-server/).
We're hoping IIS fixes the issue because it means that there's no further work to be done. If, however, the issue remains, we'll have to do some analysis. This issue has come up before, but was either fixed by IIS, or just stops without explanation.