Identity Broker Forum

Identity Broker CRM Connector Exported Changes are Not Appearing in CRM
Previous Version: Microsoft Dynamics CRM Connector v4.1.1.1
Upgraded Version: Microsoft Dynamics CRM Connector v5.1.0.1
Observing a strange behaviour after the Connector upgrade. Exports are successful from IdB and FIM point of view but the changes are not reflected in CRM.
The above mentioned behaviour is happening only for new users/records or if the attribute is "Null" or blank in CRM. Changes are appearing correctly if the attribute is already populated with something (existing contact/record).
Please advise what details you need to troubleshoot this issue.
I already performed the following:
- Checked the IdB logs but couldn't find any errors
- Checked with the CRM team
- Captured the TCP traffic but found the SOAP message is pretty much encrypted

Hi Aneesh,
Here is a patch that should hopefully resolve this issue. Could you back up (to a different location) and replace the Unify.IdentityBroker.Communicator.DynamicsCRM.dll that is currently in the Identity Broker/Services directory with the patched version below?

Value bp is not a valid hexadecimal number
Running a Delta import and Delta Sync from IdB Sharepoint connector and get the error below. Ran a Full Import and Full Synchronization & the error did not occur. Ran a Delta import and Delta Sync again and error does not occur.
Not sure if I'll be able to replicate again, but raising regardless.
The extensible extension returned an unsupported error.
The stack trace is:
"System.ArgumentException: Value bp is not a valid hexadecimal number.
Parameter name: sourceValue
at Unify.Framework.IO.DNComponentAttributeValueParserAdapter.Transform(String sourceValue)
at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
at Unify.Product.IdentityBroker.ImportProxy.GetContainerName(String dn)
at Unify.Product.IdentityBroker.ImportProxy.TryGetObjectClass(String dn, String& objectClass)
at Unify.Product.IdentityBroker.ImportProxy.<EntryToDeltas>d__25.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetImportEntries(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1459.0"

Hi Matt,
Thanks for raising this. This looks to be the same issue as DN Creation not escaping LDAP Reserved Characters. I've created a new build of the Identity Broker for Microsoft Identity Manager management agent which includes the fix from there, attached here: Unify.IdentityBroker.FIMAdapter.dll. Please update the DLL in the FIM Extensions directory and re-attempt the import.
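
An added example, not part of the original thread and not Identity Broker's code: a Python implementation of RFC 4514 value escaping with a strict parser, showing how a backslash left unescaped in a DN component leads to this class of error. The value CONTOSO\bparker is constructed, and that the failing DN contained a backslash followed by "bp" is an assumption.

```python
import re

# Characters RFC 4514 requires to be escaped anywhere in an attribute value.
# Sample values used with these functions are constructed, not from the thread.
SPECIALS = '"+,;<>\\'
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value before it is placed in a DN string."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIALS:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space/#, trailing space
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(escaped: str) -> str:
    """Strict inverse: a backslash must precede a special char or a hex pair."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        nxt = escaped[i + 1:i + 2]
        if escaped[i] != "\\":
            raw += escaped[i].encode("utf-8")
            i += 1
        elif nxt and nxt in SPECIALS + " #=":
            raw += nxt.encode("utf-8")
            i += 2
        else:
            pair = escaped[i + 1:i + 3]  # hex pairs carry raw UTF-8 bytes
            if not HEX_PAIR.fullmatch(pair):
                raise ValueError(f"Value {pair} is not a valid hexadecimal number")
            raw.append(int(pair, 16))
            i += 3
    return raw.decode("utf-8")


if __name__ == "__main__":
    rdn = "CN=" + escape_dn_value("CONTOSO\\bparker")
    print(rdn)                             # safe to hand to a DN parser
    print(unescape_dn_value(rdn[3:]))      # round-trips to the original value
```
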

Given_Names not appearing in Connector
Given_Names is included in Schema of the Aurion Connector. I can see the attribute has values in Wireshark packet trace as seen below, but no objects have a value in the attribute in the connector.
<AQT_Output>
<Employee_Number>546</Employee_Number>
<Person_Number>546</Person_Number>
<Surname>Lord</Surname>
<Given_Names>Dale Brendan</Given_Names>
<Preferred_Name>Dale</Preferred_Name>
<Salutation>Mr</Salutation>
<Person_Type>EMPLOYEE</Person_Type>
<Employment_Type_Code>CA</Employment_Type_Code>
<Actual_Position_Number>L42368V</Actual_Position_Number>
<Actual_Organisation_Unit_Number>426</Actual_Organisation_Unit_Number>
<Date_Commenced>01-JUL-1999</Date_Commenced>
<Date_Terminated></Date_Terminated>
<Contract_Expiry_Date></Contract_Expiry_Date>
<Leave_Date_From></Leave_Date_From>
<Leave_Date_To></Leave_Date_To>
<Leave_Type_Code></Leave_Type_Code>
<Organisation_Unit_Level_01>APRA Members</Organisation_Unit_Level_01>
<Organisation_Unit_Level_02>Specialised Institutions</Organisation_Unit_Level_02>
<Organisation_Unit_Level_03>Sth West-Melb (SID)</Organisation_Unit_Level_03>
<Primary_Cost_Code>SID310</Primary_Cost_Code>
<Attendance_Type_Code>FULL</Attendance_Type_Code>
<Actual_Location_Code>MELB</Actual_Location_Code>
</AQT_Output>

The resource cannot be found - /Account/LogOn
Using
- IdB service v4.1.5.5
- IdB for Microsoft Active Directory 4.1.2.1
- IdB for PeopleSoft Connector 4.1.0.0
- IdB for FIM 4.0.0.3
* Note - About page incorrectly showing this: "UNIFY Identity Broker Management Studio, v0.0.5 Revision #5" ... can't explain this!
The following error is thrown when starting on the ABOUT page (/About) and clicking on the Identity Broker home page image to return to the dashboard.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Account/LogOn
The URL for this page is as follows:
http://localhost:8008/Account/LogOn?ReturnUrl=%2f
I am running IdB under IIS. Navigating directly to the home page (by removing everything after the 8008 port number in the URL) also fails - only works after I put in a trailing ?, i.e.
I am using a clean install of IdB 4.1, using the extensibility files from the (to be retired) existing v4.1.4 RTM version.

Please try updating the authentication node in the web.config to:
<authentication mode="Windows" />

Updates to IdMParentProfileReference not being saved
The format of IdMParentProfileReference attribute has changed due to new IdB DNs structure. The DN is not saving however. No error is thrown, just get an exported change is not re-imported error.

See latest v5.1.1 DEV build (not in place upgrade as the version hasn't updated). There's a new setting on the org connector for the org adapter.

Reflection for adapter XXX failed with message One or more errors occurred
Using IdB 5.0.5 Rev#0
I noted today that 2 adapters were both red on the dashboard.
Searching in the IdB logs via the console for the word "error" I could see earlier today that there were 8 occurrences of some sort of timeout citing "System.Threading.ReaderWriterLock.*".
Can you please spend a few minutes to check this out over a remote shared desktop to confirm that this is indeed the problem for which a patch has since become available whereby changelog access was causing record locking?

Hi Bob,
This issue is unrelated to Delta Import timeouts on Identity Broker 5.1 Management Agents, as it occurs acquiring a lock for a different table. What is the impact of the issue? It looks like only one page of reflection fails at a time and subsequent pages continue to process normally, so the issue should be resolving itself.

Does Identity Broker PLUS v5.1.0 store previous Locker states?
I was able to find the change log for adapters and I was able to find the source log for lockers, but I couldn't find the change log for lockers (containing previous states of entities in lockers). Does one exist, and if so where would it be?
Thanks,
Tom

No, as there was no requirement to be able to query it directly. See http://voice.unifysolutions.net/topics/2929-auditing/ for details on how to keep track of this information (among other changes).

What is the expected behaviour of 2 unset priority datasources?
According to https://unifysolutions.jira.com/wiki/display/IDBPLUS51/Priority, data sources with unset priority are considered lowest priority.
Based on that, what is the expected behavior of an attribute in an adapter which has only 2 data sources, both of which are unset priority?
In this example, Person is a locker and Active Directory Person is a bidirectional link between the active directory adapter (the screen this screenshot was taken from) and the Person locker.
In the case of the attribute being changed in the source system and coming into the adapter through the connector: will it override what's already in there from Person, or will it be thrown away and have the data from the Person locker pushed back out to the connector?
Thanks,
Tom
Hi Tom,
In cases where the existing value and the new value in an update are both from un-prioritised sources, the newest value (the update) is taken - last write wins.

PowerShell Transformation: Required Attribute
I want to use an attribute created in a PowerShell transformation in the DN, but am getting a "field not required" error. How can I configure this new attribute as required?

Hi Matt,
Good question. Currently there is no way to mark fields added via a PowerShell transformation as Required, but this is something we could look at adding support for. Please note though that since you can't supply values in Add/Modify requests from an Identity Management platform for these fields (no way to reverse a PowerShell transformation), putting such a field in the Distinguished Name template would effectively block you from provisioning into that adapter.

IdBPlus Projects with Exchange Provisioning
Does anyone know of any projects that used IdBPlus and configured Exchange Provisioning? My initial investigation suggests it's more complicated than a simple enable-mailbox -identity x in a post-provisioning task.

The base script that I'd recommend starting with and adapting is as follows. It can be run unlimited times without duplication as it checks for users in AD that haven't been enabled. This particular script uses the default Exchange rules for mailbox name, but can be adapted by changing the arguments supplied to the Enable-Mailbox command:

# STEP 1
# The first step involves securing the password to Exchange.
# The following command should be run in a PowerShell console, changing the out-file to the desired location:
# read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
# Enter the password to Exchange. A file should be written to the desired location.
# If a permission error was shown, try running the script as administrator, or select a new location.
# Without -Key, ConvertFrom-SecureString protects the file with DPAPI, so it can only be
# read back by the same account on the same machine that created it.

# STEP 2
# Configure the following settings:
# ExchangeServer - Configure the URL to the PowerShell virtual directory on the Exchange machine.
# AdminAccount - The name of the account being used to connect to the Exchange machine.
# SearchBase - The deepest container that holds all items being managed.
# Filter - The LDAP filter to select items that have not been mail enabled. This will probably not need to be updated.
# Password - The file path should be updated to the file created in STEP 1.
$ExchangeServer = "http://exchange/PowerShell/"
$AdminAccount = "DOMAIN\Administrator"
$SearchBase = "OU=RootContainer,DC=organization"
$Filter = "(&(objectCategory=user)(objectClass=user)(!(msExchHomeServerName=*)))"
$Password = cat C:\securestring.txt | convertto-securestring
# END OF CONFIGURABLE SECTION #

# Build the credential and open a remote Exchange management session.
$UserCredential = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $AdminAccount,$Password
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeServer -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session

Add-Type -AssemblyName Microsoft.ActiveDirectory.Management
Import-Module ActiveDirectory

# Find users under the search base that have no mailbox yet and enable each one.
$users = get-aduser -LDAPFilter $Filter -searchbase $SearchBase -searchscope "Subtree"
if ($null -ne $users)
{
    foreach ($user in $users)
    {
        Enable-Mailbox $user.SamAccountName | Set-Mailbox -SingleItemRecoveryEnabled $true
    }
}

#Exit-PSSession
Remove-PSSession -session $Session