Identity Broker Forum


Fixed
Matthew Woolnough 2 months ago in Identity Broker for Microsoft Identity Manager • updated 2 months ago

When running a Delta Import and Delta Sync from the IdB SharePoint connector I get the error below. Ran a Full Import and Full Synchronization and the error did not occur. Ran a Delta Import and Delta Sync again and the error does not occur.

Not sure if I'll be able to replicate again, but raising regardless.


The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.ArgumentException: Value bp is not a valid hexadecimal number.
Parameter name: sourceValue
   at Unify.Framework.IO.DNComponentAttributeValueParserAdapter.Transform(String sourceValue)
   at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
   at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
   at Unify.Product.IdentityBroker.ImportProxy.GetContainerName(String dn)
   at Unify.Product.IdentityBroker.ImportProxy.TryGetObjectClass(String dn, String& objectClass)
   at Unify.Product.IdentityBroker.ImportProxy.<EntryToDeltas>d__25.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
   at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
   at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
   at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetImportEntries(GetImportEntriesRunStep importRunStep)
   at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1459.0"


Answer
Curtis Lusmore 2 months ago

Hi Matt,

Thanks for raising this. This looks to be the same issue as DN Creation not escaping LDAP Reserved Characters. I've created a new build of the Identity Broker for Microsoft Identity Manager management agent which includes the fix from there, attached here: Unify.IdentityBroker.FIMAdapter.dll. Please update the DLL in the FIM Extensions directory and re-attempt the import.
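An added illustration of the escaping the referenced fix applies (not Identity Broker's own code): an RFC 4514 escaper for attribute values, and a parser that accepts only reserved-character and two-hex-digit escapes, so an RDN built from an unescaped value such as the constructed DOMAIN\bpsmith fails with the same "Value bp is not a valid hexadecimal number" complaint seen in the stack trace. Function names and the sample value are assumptions.

```python
import re
# RFC 4514 characters that must be escaped inside an attribute value
# (reference assumed here; the thread only says "reserved characters").
RESERVED = set(',+"\\<>;')
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

def escape_dn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in an RDN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in RESERVED or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def unescape_dn_value(escaped: str) -> str:
    """Reverse escaping. After a backslash only a reserved char, space, '#', '='
    or exactly two hex digits are valid; anything else is rejected (the 'bp' case)."""
    buf, i = bytearray(), 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            buf += ch.encode("utf-8")
            i += 1
            continue
        nxt = escaped[i + 1:i + 2]
        if nxt and (nxt in RESERVED or nxt in " #="):
            buf += nxt.encode("utf-8")
            i += 2
            continue
        pair = escaped[i + 1:i + 3]
        if not HEX_PAIR.match(pair):
            raise ValueError(f"Value {pair} is not a valid hexadecimal number")
        buf.append(int(pair, 16))  # hex pairs may together form multi-byte UTF-8
        i += 3
    return buf.decode("utf-8")

def parse_rdn(rdn: str) -> tuple:
    # Split 'TYPE=escaped value' into (type, raw value).
    attr_type, sep, value = rdn.partition("=")
    if not sep or not attr_type.strip():
        raise ValueError(f"Malformed RDN: {rdn!r}")
    return attr_type.strip(), unescape_dn_value(value)

def rdn_parse_error(rdn: str):
    # Return the parser's complaint for an RDN, or None when it parses cleanly.
    try:
        parse_rdn(rdn)
        return None
    except ValueError as exc:
        return str(exc)
```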

Answered
Matthew Woolnough 3 months ago in Identity Broker for Microsoft Identity Manager • updated by Curtis Lusmore 3 months ago

I want to use an attribute created in a PowerShell transformation in the DN, but am getting a "field not required" error. How can I configure this new attribute as required?

Answer
Curtis Lusmore 3 months ago

Hi Matt,

Good question. Currently there is no way to mark fields added via a PowerShell transformation as Required, but this is something we could look at adding support for. Please note though that since you can't supply values in Add/Modify requests from an Identity Management platform for these fields (there is no way to reverse a PowerShell transformation), putting such a field in the Distinguished Name template would effectively block you from provisioning into that adapter.

Answered
Richard Green 3 months ago in Identity Broker for Microsoft Identity Manager • updated by Curtis Lusmore 2 months ago

Hi Gents,

I'm configuring my IDB management agents, and I've noticed the following error being thrown when I try to enable TLS:


I have created a self signed cert and configured it within the interface.
For reference, I used the following command to create my cert:
New-SelfSignedCertificate -Type Custom -Provider "Microsoft RSA SChannel Cryptographic Provider" -Subject "CN=Unify.IdentityBroker" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5)

Answer
anonymous 3 months ago

Please try Unify.IdentityBroker.FIMAdapter.dll and let me know how it goes.

Answered
Matthew Woolnough 3 months ago in Identity Broker for Microsoft Identity Manager • updated 3 months ago

I have configured IdB to use IIS, but there is nothing in the doco to suggest that it should be restricted.

http://voice.unifysolutions.net/topics/2943-configuring-identity-broker-for-use-with-iis/

Leaving access open to any authenticated user is potentially a security risk.

I have configured IIS to only listen on 127.0.0.1, but presumably there is something else in IdB to perform this role.

How can IdB be restricted when using IIS?

Answer
Matthew Davis 3 months ago

Hi Matt,

We removed the IdB auth settings from 5.0 as they were unmaintainable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page).

For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc., using examples such as this one or settings found here. It is up to the consultant and client how the restrictions look, in line with what the requirements are.

Answered
Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated 4 months ago

I have a date attribute in my Aurion Adapter called DateCommenced.

In the IdB UI it appears as 2010-05-24.

When it imports into MIM, it's a string type and is shown in the connector space as:

2010-05-24T00:00:00:000

When I look at FIM, (which we're replacing) it's also a string type, however it's shown in the connector space as:

2010-05-24

Has something changed in the handling of Dates between 3.x and 5.x?

Not a bug
Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated by Curtis Lusmore 4 months ago

The UI is displaying "Specified argument was out of the range of valid values. Parameter name: key" after configuring a Time Offset Flag Transformation. Looking at the data, there is nothing currently in the column; I suspect this might be causing the error.

There are two configured transformations:

<adapter name="TimeOffsetFlag" key="e761c890-313b-4b88-bfcf-272595dcf784">
  <Extended offset="-P15DT10H" sourceColumn="DateCommenced" destinationColumn="EmployeeStarted" LesserValue="True" EqualValue="True" GreaterValue="False" NullValue="False" adjustForLocal="false" xmlns="" />
</adapter>
<adapter name="TimeOffsetFlag" key="00eaab5c-89e9-41b4-9728-e7b342d07db8">
  <Extended offset="PT10H" sourceColumn="DateTerminated" destinationColumn="EmployeeTerminated" LesserValue="False" EqualValue="True" GreaterValue="False" NullValue="True" adjustForLocal="false" xmlns="" />
</adapter>

The first one does not throw an error. The second one does.

Answer
Curtis Lusmore 4 months ago

Hi Matt,

Where is the UI displaying this error? Is it under the Transformations section, between a heading Time Offset Flag and its corresponding description? Please ensure that you don't have duplicate column names in your adapter, i.e. that there isn't already a column named DateTerminated. If there is, either rename the existing column or change the Target for the Time Offset Flag Transformation.

Planned
Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated by Curtis Lusmore 4 months ago

When trying to retrieve the schema, MIM throws the error below.

Log Name:      Application
Source:        FIMSynchronizationService
Date:          30/05/2017 8:44:54 AM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dc1devfim01.dev.apra.gov.au
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_LdapSchema()
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
   at Unify.Product.IdentityBroker.UnifyLdapConnector.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0"
The error in the logs is as follows:
20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level
Request to require LDAP access level Read completed successfully.",Verbose
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request.
Handling of LDAP schema request from user mim on connection 127.0.0.1:65135 for the server schema failed with error ""Object reference not set to an instance of an object."". Duration: 00:00:00.",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP Engine,Error,"An error occurred on client from 127.0.0.1:65135. More details:
Internal Server Error #11: System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.SearchRequestHandlerBase.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
   at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
   at Unify.Product.IdentityBroker.LDAPRequestHandlerSecurityDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
   at Unify.Product.IdentityBroker.LDAPConnection.<RespondToMessageAsync>d__33.MoveNext()",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection mim to connect as user 127.0.0.1:65135 started.",Verbose
20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level


Answer
Curtis Lusmore 4 months ago

Hi Matt,

Thanks for the feedback, I agree that the product could handle this more gracefully, and we'll take it into consideration.

For your immediate issue, you should be able to resolve this by removing the container corresponding to the previous container name and re-populating the adapter entity context.
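To pull the failed request, its client and the reason out of logs in this layout without reading them by hand, an added example (not Identity Broker tooling) that parses the CSV format shown in the post. The sample is constructed to mirror the lines above, including a truncated trailing entry, and the field names are assumptions.

```python
import csv
import io
import re

# Constructed sample in the Identity Broker log layout shown above:
# date,time,product,component,level,"message",verbosity. Messages are quoted,
# may span lines and embed quotes as "". The last entry is deliberately cut off.
SAMPLE_LOG = '''20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level
Request to require LDAP access level Read completed successfully.",Verbose
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request.
Handling of LDAP schema request from user mim on connection 127.0.0.1:65135 for the server schema failed with error ""Object reference not set to an instance of an object."". Duration: 00:00:00.",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection mim to connect as user 127.0.0.1:65135 started.",Verbose
20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level
'''

FIELDS = ["date", "time", "product", "component", "level", "message", "verbosity"]
CLIENT_RE = re.compile(r"connection (\d{1,3}(?:\.\d{1,3}){3}:\d+)")
ERROR_RE = re.compile(r'failed with error "(.*?)"')


def parse_log(text: str) -> list:
    """Return one dict per complete entry; a truncated tail is dropped."""
    entries = []
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) != len(FIELDS):  # partial row left by a cut-off entry
            continue
        entry = dict(zip(FIELDS, row))
        # First line of the message is the summary, the rest the detail.
        entry["title"], _, entry["detail"] = entry["message"].partition("\n")
        entries.append(entry)
    return entries


def ldap_failures(text: str) -> list:
    """Error-level LDAP engine entries with the failing client and the reason."""
    found = []
    for e in parse_log(text):
        if e["level"] != "Error" or e["component"].lower() != "ldap engine":
            continue
        client = CLIENT_RE.search(e["detail"])
        reason = ERROR_RE.search(e["detail"])
        found.append({
            "when": f'{e["date"]} {e["time"]}',
            "title": e["title"],
            "client": client.group(1) if client else None,
            "reason": reason.group(1) if reason else None,
        })
    return found
```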

Planned
Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated 4 months ago

Trying to retrieve the schema in MIM and getting the error below in the event logs. The MIM UI displays the error: Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343

Log Name:      Application
Source:        FIMSynchronizationService
Date:          25/05/2017 3:35:21 PM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dc1devfim01.dev.apra.gov.au
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.InvalidOperationException: Sequence contains no elements
   at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source)
   at RegExExtensions.RegExExtensions.Extract(String text, String pattern)
   at Unify.Product.IdentityBroker.LdapAttributeDefinition..ctor(String definition)
   at Unify.Product.IdentityBroker.LdapSchema.<>c.<.ctor>b__0_0(String attr)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
   at Unify.Product.IdentityBroker.LdapSchema..ctor(SearchResultEntry entry)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0"

Answer
Curtis Lusmore 4 months ago

The issue is that Identity Broker is incorrectly responding with the schema for a disabled adapter which does not have an LDAP-compliant schema. For now, please ensure that all adapters, including disabled adapters, have LDAP-compliant schema by visiting the corresponding adapter details page and clicking the link in the warning to automatically generate a Rename transformation.

A fix to ensure that Identity Broker doesn't report the schema for disabled adapters will be included in future releases.
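As an added pre-flight check, not the product's own schema generator (whose renaming rules are not shown here): the RFC 4512 attribute-name rule an LDAP-compliant schema must satisfy, plus a hypothetical renaming scheme for non-compliant columns that avoids collisions with names already in the adapter. Column names in the test are constructed.

```python
import re

# RFC 4512 attribute description "keystring": a letter followed by letters,
# digits or hyphens (reference assumed; the thread only says "LDAP-compliant").
KEYSTRING = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def is_ldap_compliant(name: str) -> bool:
    return bool(KEYSTRING.match(name))


def suggest_ldap_name(name: str) -> str:
    """Hypothetical scheme: replace invalid characters with hyphens and
    prefix names that do not start with a letter."""
    cleaned = re.sub(r"[^A-Za-z0-9-]", "-", name).strip("-")
    cleaned = re.sub(r"-{2,}", "-", cleaned)
    if not cleaned or not cleaned[0].isalpha():
        cleaned = "attr-" + cleaned if cleaned else "attr"
    return cleaned


def rename_plan(columns: list) -> dict:
    """Map each non-compliant column to a compliant target, never reusing a
    name already present (LDAP attribute names are case-insensitive)."""
    taken = {c.lower() for c in columns if is_ldap_compliant(c)}
    plan = {}
    for col in columns:
        if is_ldap_compliant(col):
            continue
        base = suggest_ldap_name(col)
        candidate, n = base, 1
        while candidate.lower() in taken:
            n += 1
            candidate = f"{base}-{n}"
        taken.add(candidate.lower())
        plan[col] = candidate
    return plan
```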

Under review
Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 4 months ago

The MIM adapter currently installs to a Unify directory in Program Files, after which it needs to be moved manually into the appropriate MIM Directory.

The installer could install into the appropriate directory, which would result in better end user experience, both in the initial install and in repairs.

The FIM Sync base directory can be retrieved from the registry at:

SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Path

as documented here.

After this, \extensions needs to be appended to the Path value to find the location.

Fixed
Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 4 months ago

MIM's IdB MA is unable to retrieve the schema from IdB during implementation. The error returned is:

-------------------------------------------
Synchronization Service Manager

Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343
-------------------------------------------


Event Log contains the following:

-------------------------------------------

The extensible extension returned an unsupported error.
 The stack trace is:
 
 Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0

-------------------------------------------



Answer
anonymous 4 months ago

Thanks Matt,

It looks like you have an entry in the [Container] table left over from an adapter with a container name of users. These should be removed automatically when you delete the adapter, or if you delete it directly from the xml config, at service startup. I'm not sure how it's managed to stay in there for you if you don't have any such adapter. You can manually delete the entry from the [Container] table where the [DistinguishedName] column has the value OU=users,DC=IdentityBroker to resolve this issue, and I'll re-raise this as a bug in our backlog.

You should be able to remove the patches supplied on this issue as well.