Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Fixed

Export errors - Calling Results.SetFailed on an entity seems to fail an entire batch.

Richard Green 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 9

Hi Gents,

I'm having an unusual issue with a custom connector. When running exports, a failure is occurring. However the single failure seems to be stopping subsequent entities from exporting. I currently have export 10 configured on the MA with a batch size of 1 (<-- which is interesting)

I've confirmed that the only results.SetFailed that is hit is the one in the UpdateEntity method. This is returned to the MA with an error of 'Other' and the actual exception is NOT included. After that point, no more entities are processed by the connector, and these show up as a 'cd-error' on the MA.

Nothing significant is noted in either the IDB or Event Logs.

Environment Details:

Running IDB v5.1.0 Revision #0

Patch: Unify.IdentityBroker.ChangeLog.Repository.Sql.dll

Image 3444


Unify.IdentityBroker.FIMAdapter

Image 3445


Answer
anonymous 7 years ago
0
Completed

Identity Broker for MIM watermark functioanlity enhancement

Andrew Silcock 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 6 years ago 9

After a recent production incident where MIM kept presenting the same watermark to IDB (5.1) on delta imports there may be an opportunity for Identity Broker to handle the watermark storage in a better way that works around this MIM issue.

From talking the Curtis he mentioned that this issue has been seen with other clients, and the only workaround is to either re-create the MA or run a full import which in large environments may not be practical. Acknowledge that this is 100% a MIM issue, but could be a plus for the IDB if it can provide a workaround to such an issue that can have a big impact on large environments.

There are a few options that I could see:

- store the watermark in the MaData directory for the MA and use that instead

- store the watermark in the MaData directory for the MA and build some smarts around that watermark in combination with the MIM provided watermark.

It could be possible done by providing an option in the ECMA2 MA to enable/disable such enhanced functionality.

Answer
anonymous 7 years ago

Moved to new issue.

0
Fixed

Office Connector Export fails with ma-extension-error - Index was out of range

Bob Bradley 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 5

QBE reported an ma-extension-error export failure for 702 O365 license updates this morning, but on later inspection the errors appeared to resolve themselves. However on further inspection the Application Event Log revealed corresponding Index was out of range exception within the Identity Broker for Office Enterprise 5.0.1.5 connector logic.

Refer to QBE JIRA ticket QBE-64

Answer
anonymous 7 years ago

Hi Bob. I've attached an updated version of the ECMA2 MA dll. I improved the exception logging where the above error was thrown so if it occurs again, more useful information will be provided.

To install, backup and replace the current MA dll located at:

C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions

Unify.IdentityBroker.FIMAdapter.dll

0
Answered

Delta Import timeouts on Identity Broker 5.1 Management Agents

Andrew Silcock 7 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 7 years ago 23

Seeing some issues on IDB 5.1 MAs from FIM performing Delta Imports where after a period of time they will start reporting timeout issues, as below. The timeouts on the MA operations have been increased to 999, and the timeout settings I can find in IDB appear to be set to 10mins.

Currently the only workaround I can find is to perform a full import on the management agent which then seems to resolve the issue for subsequent delta imports - however this is not practical as full imports can take up to 3 hours. DB indexes are also regularly re-built.

Are you able to provide any guidance in troubleshooting this issue?

The extensible extension returned an unsupported error.
The stack trace is:

"Unify.Product.IdentityBroker.LdapOperationException: Error during processing of SearchRequest targetting cn=changelog: Operation timed out.
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.<SearchRequestPaged>d__8.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.<GetChangedEntriesPaged>d__33.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2266.0"

Answer
anonymous 7 years ago

Can confirm that after running the full imports over the weekend in isolation that the issues appear to have resolved themselves.

Am going to tweak the Event Broker scheduling to try and prevent the scenario from occurring.

0
Completed

Case-insensitive uniqueness of LDAP attribute names

Carol Wapshere 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 6 years ago 2

Just in case anyone else makes the same silly mistake as I did:


IdB 5.1 and MIM Sync. Adapter was populated, MA created fine, but then got a stopped-extension-dll-exception on the Full Import (full event message below).


The problem was I had done some rename and other transformations which ended up with some fileds with the same name but different casing - FIELDNAME and fieldName. Idb accepted it, and interestingly MIM also accepted it when creating the MA. It was only on running the Import I got an error.


Log Name: ApplicationSource: FIMSynchronizationService
Date: 8/19/2016 3:18:58 AM
Event ID: 6801
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: <name>
Description:
The extensible extension returned an unsupported error.
The stack trace is:
"System.ArgumentException: An item with the same key has already been added.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.SearchResultEntry.get_Attributes()
at Unify.Product.IdentityBroker.ImportProxy.EntryToAdd(SearchResultEntry searchEntry)
at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2266.0"
Event Xml:
<System>
<Provider Name="FIMSynchronizationService" />
<EventID Qualifiers="49152">6801</EventID>
<Level>2</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-08-19T03:18:58.000000000Z" />
<EventRecordID>8430</EventRecordID>
<Channel>Application</Channel>
<Computer>c21-mim.chris21demo.unifysolutions.local</Computer>
<Security />
</System>
<EventData>
<Data>System.ArgumentException: An item with the same key has already been added.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.SearchResultEntry.get_Attributes()
at Unify.Product.IdentityBroker.ImportProxy.EntryToAdd(SearchResultEntry searchEntry)
at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2266.0</Data>
</EventData>
</Event>
Answer
anonymous 6 years ago

Available in v5.2.1.

0
Answered

Effort required to upgrade IdB to 5.0 to 5.1

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 1

Being a minor release, I expect the effort to be minor, but just after some confirmation of this.


How long has this process taken during testing?



Answer
anonymous 8 years ago

Hi Matthew,


The MA just gets dropped in. It should just work. If delta's don't it's due to a bug in MIM that prevents the watermark from being persisted. We're not sure what the trigger is for fixing it, however, two sites had it start working after recreating the MA.


Identity Broker takes about 10 minutes, plus about 2 minutes per connector. The changes are fairly well isolated so unlikely to cause issues. Plus any testing.


Thanks.

0
Answered

FIM Identity Broker 5.1 RC Management agent errors on Delta Imports

Andrew Silcock 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 4

When attempting to run a Delta Import on an IDB MA the MIM UI throws up that the MA has detected that a full import is required.


When running a Delta Import the error below appears in the Windows Event Log. Restarted IDB and attempted a delta import after a full import however the error still persists.


The extensible extension returned an unsupported error.
The stack trace is:

"System.FormatException: Invalid change number: ''
at Unify.Product.IdentityBroker.ImportProxy.DeltaImportPaged(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2124.0"

Answer
anonymous 8 years ago

Issue has now been resolved - appears to have corrected itself after a number of full import runs.

0
Completed

Had to change LDAP IP address in IdB 5.1

Carol Wapshere 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 3

IdB 5.1 and FIM Sync are on different servers. The Sync server was unable to contact the IdB server over port 389 (including from telnet). Windows firewalls were not enabled.

The fix was to change the LDAP server address in IdB from 127.0.0.1 to 0.0.0.0.

Answer
anonymous 8 years ago

No not necessarily - just putting it here in case anyone else has this problem.

0
Answered

No container imported

Carol Wapshere 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 6

IdB 4.1.5. The version number on the FIMEngine dll is 4.0.0.3.

There are no objects in the adapter, however I would still expect a container to be imported into FIM when I run a Full Import. Instead I get no objects, which means I can't provision as I don't have the parent container. How can I get that container object?

The container object type appears in the MA Object Types. The DN template in the adapter is "CN=@IdBID,OU=PRISM_ExternalIdentities".

Answer
anonymous 8 years ago

Hi Carol,


This has been answered here, and fixed here (documentation).


Thanks.

0
Completed

Add Detail in Andre's document to FIM IdB5 configuration page

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 3

On this page, there is a document which contains vital configuration information missing from the actual page. it would be a good idea to move the content into the page itself.


Answer
anonymous 8 years ago

Hi Matt,


Thanks for the feedback. The Extensible Connectivity 2.0 management agent is referenced in the first sentence of the article, although admittedly it could be clearer on the steps required to get started creating an agent. As such, I have added a section to the top of the article called Agent Creation.