Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Tested Against: Identity Broker v5.3
Currently if you have no adapters enabled in IDB, and you attempt to create an MA in MIM using the MIM Adapter ECMA2, you get the following error:
The extensible extension returned an unsupported error. The stack trace is: "System.InvalidOperationException: Sequence contains no elements at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func) at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema() at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters) Forefront Identity Manager 4.4.1302.0"
It would be good if the error could either be reported in a more logical way (IE inform that there's no adapters enabled, and therefore no OU's to load), or simply allow the creation process to continue and the user will realise there's no adapters enabled in a subsequent step.
The error also occurs if you have adapters which are enabled with valid schema, but inhibited due to a condition with the base connector.
Fixed, will be in next release
From UNIFYBroker 5.3.1 RC2, Active Directory accounts are created via the powershell connector.
MIM (4.4.1749) is exporting data to UnifyBroker. The user is created in AD with the correct AccountName.
There is no error in UnifyBroker Logs, but for each batch of users (5 at the moment), MIM is showing the error message: unexpected-error with the DN of the first user. After the creation of the user, the user doesn't appear in the Connector space. FI & FS are required to get them back and link the user in MIM.
Do you have any idea to remove this error in MIM for all executed batch? It seems to be a communication issue from UNIFYBroke to MIM.
I'm getting this error when I try to create an MA connecting to UNIFYBroker. I'm using MIM SP1 v4.4.1237.0.
I've just installed UnifyBroker v5.3.1 and then Identity Broker for FIM v5.0.4. I created SQL connectors and an adapter and created the LDAP User. I changed the port it uses to 8888. I copied the .dll into the FIM Extensions directory, selected extensible connectivity 2.0 and selected the .dll and the refresh interfaces works but on the next page, trying to auth with IdB I get the above error. There's nothing in event viewer. I get the same error if I enter the wrong credentials but a different error if I enter the wrong port. I also tried 127.0.0.1 instead of localhost and got the same error. I also tried port 59991 in case I should be connecting to the web service and got the same error.
We are currently working with a datasource (via Broker to MIM) which only shows active users - there is no end-date field for us to trigger events on termination.
Is there a way to capture the record delete event in Broker and create an action based on that (i.e., write some field about the record to a log file, etc..)?
As discussed, a potential solution would be to hook up a new MA, that connects to the same UNIFYBroker Adapter. You could then configure this MA to remove its Connector Space objects when they are removed from the adapter, and join to your existing metaverse object. That way you have a record of who has been terminated and who hasn't - if they're terminated they'll exist in one MA, and if not terminated they'll exist in both.
You should be able to use this and a combination of some other logic to trigger your notifications and other requirements.
Let us know how it goes. As mentioned, I wouldn't recommend relying on the changelog table as a source of truth as the format could potentially change in future versions and it's not directly supported as a data source so we can't guarantee the integrity of the data.
I need to import the container from an empty adapter, but MIM is returning completed-no-objects and the container is not imported.
I have found another couple of Voice issues about this but both indicate the problem should already be fixed. I'm on IdB v5.2.1.
I've updated the page that I linked, there are a few things that need to be checked, see https://voice.unifysolutions.net/knowledge-bases/7/articles/3364-identity-broker-for-microsoft-identity-manager-configuration for details. I.e. importing the container object type; and also at least one attribute on that object type.
The best I could find was the link below;
which does mention Window 2008 SP1 or later, but client’s question is specific to Windows 2016 testing and certification. To be honest I believe what they really mean is, are the following products tested to be supporting Windows 2016 by UNIFY. Or should they get the new server build on Windows 2012 2012 R2 64bit
- UNIFY Identity Broker Service v22.214.171.124 RTM x64
- UNIFY Identity Broker for Microsoft Identity Manager v5.1.0 RTM
- UNIFY Identity Broker for Aurion v5.2.0 RC1
Identity Broker has been tested against all versions of Windows from 2008 SP1 and onwards, with most testing against 2016. I'll look at updating the page so that it's a little more clear.
If the client was actually referring to Microsoft certification, then no; the certification program is not available at the moment as it's being reworked.
I'm investigating an ACTGOV incident (Ivanti Incident 50255) and they have run into issues testing an upgrade to .Net 4.6 on an existing installation in their TEST environment.
The description from ACTGOV is as follows:
We would like to upgrade .net on our Education FIM server to 4.6 but we found that when we do so in our test environment that our Maze MAs stop working. In the event log we get the error message:
Given the MA refuses to even start the problem appears to be Unify.Framework.ILM2007FP1Adapter.dll. Are you able to provide an updated version of this DLL that has been compiled with .net 4.6?
The version we currently have is 126.96.36.199 with a time stamp of 9/7/2013.
I was hoping you may be able to assist with a copy of the dll able to run with .Net 4.6 or what the action for remediation on this issue is.
Below are also the software versions the client has:
- FIM 2010 Sync Engine
- FIM Service Portal and SSPR
- Identity Broker for FIM 4
- Identity Broker for CISCO 4
- Identity Broker for viewDS
- Identity Broker for Sharepoint 4
Let me know if you need any more details.
I'm not sure why that would cause the MA to fail, the Windows Event Log might have more information. However, if you're targeting Identity Broker v4+ you should be using the matching MA dll (not v3). If you're still on v3, you should upgrade to v4+ as it's no longer supported (extended support can be arranged, see https://voice.unifysolutions.net/knowledge-bases/7/articles/3321-identity-broker-support-policy).
I have installed IdB 188.8.131.52 on a new Dev server and migrated the config from Production, which has IdB 5.0.4. I created the LDAP gateway and got the MA imported - however when I tried to make any changes to the MA I got a warning that it was going to delete the partitions "DC=IdentityBroker" (previously selected) and "cn=schema" (previously un-selected).
After backing up the MA I let it delete the partitions, and so far everything looks fine - I can run a Full Import and data was imported from the adapters.
So this is just a sanity check - was letting MIM delete that partition from the MA the right thing to do?
We changed the way the MIM MA retrieves partitions. It previously used the entries defined in the naming context of the root DSE, but it now uses the OUs underneath DC=IdentityBroker. This was to prevent using DC=IdentityBroker as a partition, as importing from DC=IdentityBroker involves querying multiple adapters and this proved problematic.
I don't believe that the deletion of those partitions should affect your solution, but if you do notice any problems please update this ticket.
Running a Delta import and Delta Sync from IdB Sharepoint connector and get the error below. Ran a Full Import and Full Synchronization & the error did not occur. Ran a Delta import and Delta Sync again and error does not occur.
Not sure if I'll be able to replicate again, but raising regardless.
The extensible extension returned an unsupported error.
The stack trace is:
"System.ArgumentException: Value bp is not a valid hexadecimal number.
Parameter name: sourceValue
at Unify.Framework.IO.DNComponentAttributeValueParserAdapter.Transform(String sourceValue)
at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
at Unify.Product.IdentityBroker.ImportProxy.GetContainerName(String dn)
at Unify.Product.IdentityBroker.ImportProxy.TryGetObjectClass(String dn, String& objectClass)
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetImportEntries(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1459.0"
Thanks for raising this. This looks to be the same issue as DN Creation not escaping LDAP Reserved Characters. I've created a new build of the Identity Broker for Microsoft Identity Manager management agent which includes the fix from there, attached here: Unify.IdentityBroker.FIMAdapter.dll. Please update the DLL in the FIM Extensions directory and re-attempt the import.
I want to use an attribute created in a PowerShell transformation in the DN, but am getting a "field not required" error. How can I configure this new attribute as required?
Good question. Currently there is no way to mark fields added via a PowerShell transformation as Required, but this is something we could look at adding support for. Please note though though that since you can't supply values in Add/Modify requests from an Identity Management platform for these fields (no way to reverse a PowerShell transformation), putting such a field in the Distinguished Name template would effectively block you from provisioning into that adapter.
Customer support service by UserEcho