Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Answered

Identity Broker CRM Connector Exported Changes are Not Appearing in CRM

Aneesh Varghese 8 years ago in UNIFYBroker/Microsoft Dynamics CRM updated by Richard Green 7 years ago 5

Previous Version: Microsoft Dynamics CRM Connector v4.1.1.1

Upgraded Version: Microsoft Dynamics CRM Connector v5.1.0.1

Observing a strange behaviour after the Connector upgrade. Exports are successful from IdB and FIM point of view but the changes are not reflected in CRM.

The above mentioned behaviour is happening only for new users/records or if the attribute is "Null" or blank in CRM. Changes are appearing correctly if the attribute is already populated with something (existing contact/record).

Please advise what details you need to troubleshoot this issue.

I already performed the following:

  • Checked the IdB logs but couldn't find any errors
  • Checked with the CRM team
  • Captured the TCP traffic but found the SOAP message is pretty much encrypted
Answer
anonymous 8 years ago

Hi Aneesh,

Here is a patch that should hopefully resolve this issue. Could you backup (to a different location) and replace the Unify.IdentityBroker.Communicator.DynamicsCRM.dll that is currently in the Identity Broker/Services directory with the patched version below.

Unify.IdentityBroker.Communicator.DynamicsCRM.dll

0
Fixed

Value bp is not a valid hexadecimal number

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 5

Running a Delta import and Delta Sync from IdB Sharepoint connector and get the error below. Ran a Full Import and Full Synchronization & the error did not occur.  Ran a Delta import and Delta Sync again and error does not occur.

Not sure if I'll be able to replicate again, but raising regardless.


The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.ArgumentException: Value bp is not a valid hexadecimal number.
Parameter name: sourceValue
   at Unify.Framework.IO.DNComponentAttributeValueParserAdapter.Transform(String sourceValue)
   at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
   at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
   at Unify.Product.IdentityBroker.ImportProxy.GetContainerName(String dn)
   at Unify.Product.IdentityBroker.ImportProxy.TryGetObjectClass(String dn, String& objectClass)
   at Unify.Product.IdentityBroker.ImportProxy.<EntryToDeltas>d__25.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
   at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
   at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
   at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetImportEntries(GetImportEntriesRunStep importRunStep)
   at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1459.0"


Answer
anonymous 8 years ago

Hi Matt,

Thanks for raising this. This looks to be the same issue as DN Creation not escaping LDAP Reserved Characters. I've created a new build of the Identity Broker for Microsoft Identity Manager management agent which includes the fix from there, attached here: Unify.IdentityBroker.FIMAdapter.dll. Please update the DLL in the FIM Extensions directory and re-attempt the import.
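The failure mode this answer attributes to unescaped LDAP reserved characters, as an added Python sketch (not UNIFY's code). A strict RFC 4514 value parser treats a backslash that is not followed by a reserved character as the start of a two-digit hex escape, so an unescaped `\bp` yields the message seen in the stack trace. The function names and the sample value `CORP\bpeters` are assumptions made for illustration.

```python
# RFC 4514 escaping for one attribute value inside a DN (added illustration).
SPECIAL = set('"+,;<>\\')   # always escaped inside a value
HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value before embedding it in a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)   # leading '#' or space, trailing space
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(text: str) -> str:
    """Strict parse: backslash must precede a special char or a hex pair."""
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            raw += text[i].encode("utf-8")
            i += 1
            continue
        nxt = text[i + 1:i + 2]
        if nxt and nxt in SPECIAL | set(" #="):
            raw += nxt.encode("utf-8")
            i += 2
            continue
        pair = text[i + 1:i + 3]
        if len(pair) != 2 or not set(pair) <= HEX:
            raise ValueError(f"Value {pair} is not a valid hexadecimal number")
        raw.append(int(pair, 16))
        i += 3
    return raw.decode("utf-8")


def parse_error(text: str):
    """Return the parser's complaint for text, or None if it parses."""
    try:
        unescape_rdn_value(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Escaping at DN construction time is what makes the value round-trip; the parser itself is behaving correctly when it rejects the unescaped form.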

0
Not a bug

Given_Names not appearing in Connector

Matthew Woolnough 8 years ago in UNIFYBroker/Aurion updated by anonymous 8 years ago 4

Given_Names is included in Schema of the Aurion Connector. I can see the attribute has values in Wireshark packet trace as seen below, but no objects have a value in the attribute in the connector.


<AQT_Output>
  <Employee_Number>546</Employee_Number>
  <Person_Number>546</Person_Number>
  <Surname>Lord</Surname>
  <Given_Names>Dale Brendan</Given_Names>
  <Preferred_Name>Dale</Preferred_Name>
  <Salutation>Mr</Salutation>
  <Person_Type>EMPLOYEE</Person_Type>
  <Employment_Type_Code>CA</Employment_Type_Code>
  <Actual_Position_Number>L42368V</Actual_Position_Number>
  <Actual_Organisation_Unit_Number>426</Actual_Organisation_Unit_Number>
  <Date_Commenced>01-JUL-1999</Date_Commenced>
  <Date_Terminated></Date_Terminated>
  <Contract_Expiry_Date></Contract_Expiry_Date>
  <Leave_Date_From></Leave_Date_From>
  <Leave_Date_To></Leave_Date_To>
  <Leave_Type_Code></Leave_Type_Code>
  <Organisation_Unit_Level_01>APRA Members</Organisation_Unit_Level_01>
  <Organisation_Unit_Level_02>Specialised Institutions</Organisation_Unit_Level_02>
  <Organisation_Unit_Level_03>Sth West-Melb (SID)</Organisation_Unit_Level_03>
  <Primary_Cost_Code>SID310</Primary_Cost_Code>
  <Attendance_Type_Code>FULL</Attendance_Type_Code>
  <Actual_Location_Code>MELB</Actual_Location_Code>
 </AQT_Output>


Answer
anonymous 8 years ago

When you edit your connector settings, does the mapping look like the screenshot here? If so, the problem is that you don't have a GivenNames field in the schema - rename the Given_Names schema field to GivenNames.

0
Not a bug

The resource cannot be found - /Account/LogOn

Bob Bradley 8 years ago updated by anonymous 8 years ago 8

Using

  • IdB service v4.1.5.5
  • IdB for Microsoft Active Directory 4.1.2.1
  • IdB for PeopleSoft Connector 4.1.0.0
  • IdB for FIM 4.0.0.3

* Note - About page incorrectly showing this: "UNIFY Identity Broker Management Studio, v0.0.5 Revision #5" ... can't explain this!

The following error is thrown when starting on the About page (/About) and clicking on the Identity Broker home page image to return to the dashboard.

The resource cannot be found. 
  Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly. 

 Requested URL: /Account/LogOn

The URL for this page is as follows:

http://localhost:8008/Account/LogOn?ReturnUrl=%2f

I am running IdB under IIS.  Navigating directly to the home page (by removing everything after the 8008 port number in the URL) also fails - only works after I put in a trailing ?, i.e.

http://localhost:8008/?

I am using a clean install of IdB 4.1, using the extensibility files from the (to be retired) existing v4.1.4 RTM version.

Answer
anonymous 8 years ago

Please try updating the authentication node in the web.config to:

<authentication mode="Windows" />

0
Fixed

Updates to IdMParentProfileReference not being saved

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated by anonymous 8 years ago 4

The format of IdMParentProfileReference attribute has changed due to new IdB DNs structure. The DN is not saving however. No error is thrown, just get an exported change is not re-imported error.



Answer
anonymous 8 years ago

See latest v5.1.1 DEV build (not in place upgrade as the version hasn't updated). There's a new setting on the org connector for the org adapter.

0
Answered

Reflection for adapter XXX failed with message One or more errors occurred

Bob Bradley 8 years ago updated by anonymous 8 years ago 2

Using IdB 5.0.5 Rev#0

I noted today that 2 adapters were both red on the dashboard.

Searching in the IdB logs via the console for the word "error" I could see earlier today that there were 8 occurrences of some sort of timeout citing "System.Threading.ReaderWriterLock.*".

Can you please spend a few minutes to check this out over a remote shared desktop to confirm that this is indeed the problem for which a patch has since become available whereby changelog access was causing record locking?

Answer
anonymous 8 years ago

Hi Bob,

This issue is unrelated to Delta Import timeouts on Identity Broker 5.1 Management Agents, as it occurs acquiring a lock for a different table. What is the impact of the issue? It looks like only one page of reflection fails at a time and subsequent pages continue to process normally, so the issue should be resolving itself.

0
Answered

Does Identity Broker PLUS v5.1.0 store previous Locker states?

Tom Parker 8 years ago in UNIFYBroker/Plus updated by anonymous 8 years ago 1

I was able to find the change log for adapters and I was able to find the source log for lockers, but I couldn't find the change log for lockers (containing previous states of entities in lockers). Does one exist, and if so where would it be?

Thanks,
Tom

Answer
anonymous 8 years ago

No, as there was no requirement to be able to query it directly. See http://voice.unifysolutions.net/topics/2929-auditing/ for details on how to keep track of this information (among other changes).

0
Answered

What is the expected behaviour of 2 unset priority datasources?

Tom Parker 8 years ago in UNIFYBroker/Plus updated by anonymous 8 years ago 1

According to https://unifysolutions.jira.com/wiki/display/IDBPLUS51/Priority, data sources with unset priority are considered lowest priority.

Based on that, what is the expected behavior of an attribute in an adapter which has only 2 data sources, both of which are unset priority?

Image 4390


In this example, Person is a locker and Active Directory Person is a bidirectional link between the active directory adapter (the screen this screenshot was taken from) and the Person locker.

In the case of the attribute being changed in the source system and coming into the adapter through the connector: will it override what's already in there from Person, or will it be thrown away and have the data from the Person locker pushed back out to the connector?

Thanks,

Tom
Answer
anonymous 8 years ago

Hi Tom,

In cases where both the existing value and the new value in an update are both from un-prioritised sources, the newest value (the update) is taken - last write wins.

0
Answered

PowerShell Transformation: Required Attribute

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 1

I want to use an attribute created in a PowerShell transformation in the DN, but am getting a "field not required" error.  How can I configure this new attribute as required?

Answer
anonymous 8 years ago

Hi Matt,

Good question. Currently there is no way to mark fields added via a PowerShell transformation as Required, but this is something we could look at adding support for. Please note though that since you can't supply values in Add/Modify requests from an Identity Management platform for these fields (no way to reverse a PowerShell transformation), putting such a field in the Distinguished Name template would effectively block you from provisioning into that adapter.

0
Answered

IdBPlus Projects with Exchange Provisioning

Daniel Walters 8 years ago in UNIFYBroker/Plus updated by anonymous 8 years ago 1

Does anyone know of any projects that used IdBPlus and configured Exchange Provisioning? My initial investigation suggests it's more complicated than a simple enable-mailbox -identity x in a post-provisioning task.

Answer
anonymous 8 years ago

The base script that I'd recommend starting with and adapting is as follows. It can be run unlimited times without duplication as it checks for users in AD that haven't been enabled. This particular script uses the default Exchange rules for mailbox name, but can be adapted by changing the arguments supplied to the Enable-Mailbox command:

# STEP 1
#   The first step involves securing the password to Exchange.
#   The following command should be run in a PowerShell console, changing the out-file to the desired location:
#     read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
#   Enter the password to Exchange. A file should be written to the desired location.
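#   If a permission error was shown, try running the script as administrator, or select a new location.
#   ConvertFrom-SecureString without -Key protects the file with DPAPI, so only the same Windows account
#   on the same machine can read it back: create the file as the account that will run this script.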
# STEP 2
#   Configure the following settings:
#     ExchangeServer - Configure the URL to the PowerShell virtual directory on the Exchange machine.
#     AdminAccount   - The name of the account being used to connect to the Exchange machine.
#     SearchBase     - The deepest container that holds all items being managed.
#     Filter         - The LDAP filter to select items that have not been mail enabled. This will probably not need to be updated.
#     Password       - The file path should be updated to the file created in STEP 1.
$ExchangeServer = "http://exchange/PowerShell/"
$AdminAccount = "DOMAIN\Administrator"
$SearchBase = "OU=RootContainer,DC=organization"
$Filter = "(&(objectCategory=user)(objectClass=user)(!msExchHomeServerName=*))"
$Password = cat C:\securestring.txt | convertto-securestring
# END OF CONFIGURABLE SECTION #
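# Build the credential from the account name and the password read above.
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminAccount,$Password
# Open a remote Exchange session and import its cmdlets (Enable-Mailbox, Set-Mailbox).
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeServer -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
Add-Type -Assembly Microsoft.ActiveDirectory.Management
Import-Module ActiveDirectory
# Find users under $SearchBase that match $Filter, i.e. have not been mail enabled yet.
$users = Get-ADUser -LDAPFilter $Filter -SearchBase $SearchBase -SearchScope "Subtree"
# $null goes on the left so this is a null check rather than an array filter.
if ($null -ne $users)
{
    foreach ($user in $users)
    {
        Enable-Mailbox $user.SamAccountName | Set-Mailbox -SingleItemRecoveryEnabled $true
    }
}
#Exit-PSSession
# Close the remote session so it does not linger on the Exchange server.
Remove-PSSession -Session $Session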