Identity Broker Forum
Identity Broker for MIM watermark functionality enhancement
After a recent production incident where MIM kept presenting the same watermark to IDB (5.1) on delta imports there may be an opportunity for Identity Broker to handle the watermark storage in a better way that works around this MIM issue.
From talking to Curtis, he mentioned that this issue has been seen with other clients, and the only workaround is to either re-create the MA or run a full import, which in large environments may not be practical. I acknowledge that this is 100% a MIM issue, but it could be a plus for IDB if it can provide a workaround to such an issue, which can have a big impact on large environments.
There are a few options that I could see:
- store the watermark in the MaData directory for the MA and use that instead
- store the watermark in the MaData directory for the MA and build some smarts around that watermark in combination with the MIM provided watermark.
It could possibly be done by providing an option in the ECMA2 MA to enable/disable such enhanced functionality.
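The second option above (keep a local copy of the watermark and combine it with the one MIM presents) can be sketched as a small piece of logic. The following is an added illustration, not Identity Broker or MIM code; it assumes a hypothetical JSON file standing in for the MaData directory, and treats the watermark as a numeric LDAP changelog change number, which matches the "Invalid change number" failure seen elsewhere on this page when MIM presents an empty value.

```python
"""Added example: watermark fallback for delta imports.

Not Identity Broker code. Assumptions (labelled as such): the watermark is an
integer changelog change number, and the local copy lives in a hypothetical
JSON file that stands in for the MA's MaData directory.
"""
import json
import os
import tempfile


def parse_change_number(value):
    """Return the change number as an int, or None when the value is empty or
    not numeric (the 'Invalid change number' case seen in the import trace)."""
    if value is None:
        return None
    value = str(value).strip()
    return int(value) if value.isdigit() else None


class WatermarkStore:
    """Local copy of the last committed watermark (hypothetical MaData stand-in)."""

    def __init__(self, path):
        self.path = path

    def load(self):
        if not os.path.exists(self.path):
            return None
        with open(self.path, "r", encoding="utf-8") as f:
            return parse_change_number(json.load(f).get("watermark"))

    def save(self, change_number):
        with open(self.path, "w", encoding="utf-8") as f:
            json.dump({"watermark": str(change_number)}, f)


def choose_watermark(mim_watermark, store):
    """Pick the watermark a delta import should start from.

    Preference: the higher of a valid MIM-supplied value and the local copy
    (MIM re-presenting a stale value is the incident described above), then
    whichever of the two is valid, then None meaning a full import is needed.
    Returns (watermark, reason).
    """
    mim = parse_change_number(mim_watermark)
    local = store.load()
    if mim is None and local is None:
        return None, "no usable watermark; full import required"
    if mim is None:
        return local, "MIM watermark invalid; using local copy"
    if local is None or mim >= local:
        return mim, "using MIM watermark"
    return local, "MIM watermark stale; using newer local copy"


def delta_import(store, mim_watermark, changelog):
    """Simulate one delta import over a constructed changelog: select entries
    above the chosen watermark and persist the highest change number seen."""
    start, reason = choose_watermark(mim_watermark, store)
    if start is None:
        return None, reason
    changed = [e for e in changelog if e["changeNumber"] > start]
    if changed:
        store.save(max(e["changeNumber"] for e in changed))
    return changed, reason


def demo():
    """Run the scenario from the post against constructed sample data and
    return the outcome of each step for inspection."""
    store = WatermarkStore(os.path.join(tempfile.mkdtemp(), "watermark.json"))
    # Constructed changelog entries, not real directory data.
    changelog = [{"changeNumber": n, "targetDn": "cn=user%d,ou=people" % n}
                 for n in (101, 102, 103, 104, 105)]
    results = {}
    # 1. Nothing stored yet and MIM presents an empty watermark: full import needed.
    results["first"] = delta_import(store, "", changelog)
    store.save(102)  # a full import has run and committed change number 102
    # 2. Normal delta: MIM presents the committed value, three new entries arrive.
    changed, reason = delta_import(store, "102", changelog)
    results["normal"] = (len(changed), reason)
    # 3. MIM re-presents the stale 102; the local copy (105) wins, nothing re-imported.
    changed, reason = delta_import(store, "102", changelog)
    results["stale"] = (len(changed), reason)
    # 4. MIM presents an empty value; the local copy is used instead of failing.
    changed, reason = delta_import(store, "", changelog)
    results["empty"] = (len(changed), reason)
    return results
```

The point of `choose_watermark` is that a stale or empty value from MIM no longer forces a full import as long as the connector itself committed a newer one; the store is only advanced after entries were actually processed, so a failed import cannot move it forward.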
Office Connector Export fails with ma-extension-error - Index was out of range
QBE reported an ma-extension-error export failure for 702 O365 license updates this morning, but on later inspection the errors appeared to resolve themselves. However, on further inspection the Application Event Log revealed a corresponding "Index was out of range" exception within the Identity Broker for Office Enterprise 5.0.1.5 connector logic.
Refer to QBE JIRA ticket QBE-64
Hi Bob. I've attached an updated version of the ECMA2 MA dll. I improved the exception logging where the above error was thrown so if it occurs again, more useful information will be provided.
To install, backup and replace the current MA dll located at:
C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions
Delta Import timeouts on Identity Broker 5.1 Management Agents
Seeing some issues on IDB 5.1 MAs from FIM performing Delta Imports, where after a period of time they will start reporting timeout issues, as below. The timeouts on the MA operations have been increased to 999, and the timeout settings I can find in IDB appear to be set to 10 mins.
Currently the only workaround I can find is to perform a full import on the management agent, which then seems to resolve the issue for subsequent delta imports; however, this is not practical as full imports can take up to 3 hours. DB indexes are also regularly re-built.
Are you able to provide any guidance in troubleshooting this issue?
The extensible extension returned an unsupported error. The stack trace is: "Unify.Product.IdentityBroker.LdapOperationException: Error during processing of SearchRequest targetting cn=changelog: Operation timed out. at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request) at Unify.Product.IdentityBroker.LdapConnectionProxy.<SearchRequestPaged>d__8.MoveNext() at Unify.Product.IdentityBroker.ImportProxy.<GetChangedEntriesPaged>d__33.MoveNext() at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext() at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items) at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext() at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep) Forefront Identity Manager 4.3.2266.0"
Can confirm that after running the full imports over the weekend in isolation that the issues appear to have resolved themselves.
Am going to tweak the Event Broker scheduling to try and prevent the scenario from occurring.
Case-insensitive uniqueness of LDAP attribute names
Just in case anyone else makes the same silly mistake as I did:
IdB 5.1 and MIM Sync. Adapter was populated, MA created fine, but then got a stopped-extension-dll-exception on the Full Import (full event message below).
The problem was I had done some rename and other transformations which ended up with some fields with the same name but different casing: FIELDNAME and fieldName. IdB accepted it, and interestingly MIM also accepted it when creating the MA. It was only on running the Import that I got an error.
Log Name: Application
Source: FIMSynchronizationService
Date: 8/19/2016 3:18:58 AM
Event ID: 6801
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: <name>
Description: The extensible extension returned an unsupported error. The stack trace is: "System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer) at Unify.Product.IdentityBroker.SearchResultEntry.get_Attributes() at Unify.Product.IdentityBroker.ImportProxy.EntryToAdd(SearchResultEntry searchEntry) at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext() at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext() at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items) at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext() at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep) at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep) Forefront Identity Manager 4.3.2266.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="FIMSynchronizationService" /> <EventID Qualifiers="49152">6801</EventID> <Level>2</Level> <Task>3</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2016-08-19T03:18:58.000000000Z" /> <EventRecordID>8430</EventRecordID> <Channel>Application</Channel> <Computer>c21-mim.chris21demo.unifysolutions.local</Computer> <Security /> </System>
<EventData> <Data>System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer) at Unify.Product.IdentityBroker.SearchResultEntry.get_Attributes() at Unify.Product.IdentityBroker.ImportProxy.EntryToAdd(SearchResultEntry searchEntry) at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext() at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext() at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items) at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext() at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep) at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep) Forefront Identity Manager 4.3.2266.0</Data> </EventData>
</Event>
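The failure in the post is what happens when attribute names are keyed case-insensitively, as LDAP attribute descriptions are, after a transformation produced two spellings of the same name. A check that catches this before an import, and reports which names collide rather than an opaque "item with the same key has already been added", looks like the following. This is an added example in Python, not Identity Broker or MIM code, using a constructed sample entry.

```python
"""Added example: detect adapter field names that collide once compared
case-insensitively, and build a case-insensitive attribute map only when
the entry is free of such collisions. Not Identity Broker or MIM code.
"""
from collections import defaultdict


def find_case_collisions(field_names):
    """Group names by their lower-cased form and return only the groups that
    contain more than one distinct spelling, e.g.
    {"fieldname": ["FIELDNAME", "fieldName"]}."""
    groups = defaultdict(set)
    for name in field_names:
        groups[name.lower()].add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def to_attribute_map(entry):
    """Return (mapping, errors). The mapping is keyed by lower-cased attribute
    name, the way an LDAP consumer would key it; if two source fields would
    share a key, the mapping is None and errors names the colliding fields."""
    collisions = find_case_collisions(entry.keys())
    if collisions:
        errors = ["attributes differ only by case: " + " / ".join(names)
                  for names in collisions.values()]
        return None, errors
    return {name.lower(): value for name, value in entry.items()}, []


def check_adapter_schema(field_names):
    """Pre-import check over an adapter's field list: a list of human-readable
    problems, empty when the schema is safe to present over LDAP."""
    return ["rename one of: " + ", ".join(names)
            for names in find_case_collisions(field_names).values()]


# Constructed sample entry reproducing the post's FIELDNAME / fieldName clash.
SAMPLE_ENTRY = {
    "FIELDNAME": ["value-a"],
    "fieldName": ["value-b"],
    "givenName": ["Chris"],
}
```

Running `check_adapter_schema` over the adapter's field list at configuration time catches the clash at the point where the rename was made, which is earlier than either IdB or MIM flagged it in the post.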
Effort required to upgrade IdB from 5.0 to 5.1
Being a minor release, I expect the effort to be minor, but just after some confirmation of this.
How long has this process taken during testing?
Hi Matthew,
The MA just gets dropped in. It should just work. If deltas don't, it's due to a bug in MIM that prevents the watermark from being persisted. We're not sure what the trigger is for fixing it; however, two sites had it start working after recreating the MA.
Identity Broker takes about 10 minutes, plus about 2 minutes per connector. The changes are fairly well isolated so unlikely to cause issues. Plus any testing.
Thanks.
FIM Identity Broker 5.1 RC Management agent errors on Delta Imports
When attempting to run a Delta Import on an IDB MA the MIM UI throws up that the MA has detected that a full import is required.
When running a Delta Import the error below appears in the Windows Event Log. Restarted IDB and attempted a delta import after a full import; however, the error still persists.
The extensible extension returned an unsupported error.
The stack trace is:
"System.FormatException: Invalid change number: ''
at Unify.Product.IdentityBroker.ImportProxy.DeltaImportPaged(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2124.0"
Issue has now been resolved; it appears to have corrected itself after a number of full import runs.
Had to change LDAP IP address in IdB 5.1
IdB 5.1 and FIM Sync are on different servers. The Sync server was unable to contact the IdB server over port 389 (including from telnet). Windows firewalls were not enabled.
The fix was to change the LDAP server address in IdB from 127.0.0.1 to 0.0.0.0.
No, not necessarily. Just putting it here in case anyone else has this problem.
No container imported
IdB 4.1.5. The version number on the FIMEngine dll is 4.0.0.3.
There are no objects in the adapter, however I would still expect a container to be imported into FIM when I run a Full Import. Instead I get no objects, which means I can't provision as I don't have the parent container. How can I get that container object?
The container object type appears in the MA Object Types. The DN template in the adapter is "CN=@IdBID,OU=PRISM_ExternalIdentities".
Add Detail in Andre's document to FIM IdB5 configuration page
On this page, there is a document which contains vital configuration information missing from the actual page. It would be a good idea to move the content into the page itself.
Hi Matt,
Thanks for the feedback. The Extensible Connectivity 2.0 management agent is referenced in the first sentence of the article, although admittedly it could be clearer on the steps required to get started creating an agent. As such, I have added a section to the top of the article called Agent Creation.
How far off is IdB 5 from having a schema unique to each adapter?
How far off is IdB 5 from having a schema unique to each adapter? Both adapters will have fields like Person_Number and Given_Names and I want to avoid having to have:
AdapterA_Person_Number
and
AdapterA_Given_Names
if I don't need to. I believe this is the case as it stands with the current version of IdB.
Hi Matthew,
Thanks for the question. The reason behind the single schema was a limitation in Microsoft's generic LDAP MA. Now that we have our own MA there is some flexibility in what parts of the LDAPv3 specification that we support. We have code in the v5.1 branch that we are currently testing which allows for multiple schemas for a single directory (1 per adapter), and it is our intention to have this available in the upcoming v5.1 release.
Thanks.