Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Fixed

Value bp is not a valid hexadecimal number

Matthew Woolnough 4 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 4 months ago 5

Running a Delta Import and Delta Sync from the IdB SharePoint connector and getting the error below. Ran a Full Import and Full Synchronization and the error did not occur. Ran a Delta Import and Delta Sync again and the error does not occur.

Not sure if I'll be able to replicate again, but raising regardless.


The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.ArgumentException: Value bp is not a valid hexadecimal number.
Parameter name: sourceValue
   at Unify.Framework.IO.DNComponentAttributeValueParserAdapter.Transform(String sourceValue)
   at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
   at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
   at Unify.Product.IdentityBroker.ImportProxy.GetContainerName(String dn)
   at Unify.Product.IdentityBroker.ImportProxy.TryGetObjectClass(String dn, String& objectClass)
   at Unify.Product.IdentityBroker.ImportProxy.<EntryToDeltas>d__25.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
   at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
   at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
   at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetImportEntries(GetImportEntriesRunStep importRunStep)
   at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1459.0"


Answer
anonymous 4 months ago

Hi Matt,

Thanks for raising this. This looks to be the same issue as DN Creation not escaping LDAP Reserved Characters. I've created a new build of the Identity Broker for Microsoft Identity Manager management agent which includes the fix from there, attached here: Unify.IdentityBroker.FIMAdapter.dll. Please update the DLL in the FIM Extensions directory and re-attempt the import.
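
As an added example that is not part of the original thread or of the product's code: the RFC 4514 escaping that DN creation has to apply to an attribute value, next to a strict unescaper that shows why a raw backslash ends in the "not a valid hexadecimal number" complaint seen in the stack trace. The sample value is constructed, and the container and DC suffix in the DN template are assumptions.

```powershell
# Added example, not Identity Broker code: escape an attribute value per
# RFC 4514 before it is placed in a DN, and show what happens when a raw
# (unescaped) value reaches a strict DN parser.
function ConvertTo-DnEscapedValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c    = $Value.Substring($i, 1)
        $last = ($i -eq $Value.Length - 1)
        if ($c -in ',', '+', '"', '\', '<', '>', ';') {
            # Reserved characters (RFC 4514 section 2.4) take a leading backslash
            [void]$sb.Append('\').Append($c)
        } elseif ($c -eq '#' -and $i -eq 0) {
            # '#' is reserved only at the start of a value
            [void]$sb.Append('\#')
        } elseif ($c -eq ' ' -and ($i -eq 0 -or $last)) {
            # Leading and trailing spaces must be escaped, inner spaces are fine
            [void]$sb.Append('\ ')
        } elseif ([int][char]$c -lt 0x20) {
            # Control characters are written as a backslash and two hex digits
            [void]$sb.Append('\' + ([int][char]$c).ToString('X2'))
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function ConvertFrom-DnEscapedValue {
    # Strict unescape of one RDN value. A backslash must be followed by a
    # reserved character or exactly two hex digits; anything else is an error,
    # which is the ArgumentException in the trace above ("bp" is simply whatever
    # two characters followed the unescaped backslash).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Escaped)
    $out   = [System.Text.StringBuilder]::new()
    $bytes = [System.Collections.Generic.List[byte]]::new()   # consecutive \XX pairs form one UTF-8 sequence
    $flush = { if ($bytes.Count) { [void]$out.Append([System.Text.Encoding]::UTF8.GetString($bytes.ToArray())); $bytes.Clear() } }
    $i = 0
    while ($i -lt $Escaped.Length) {
        $c = $Escaped.Substring($i, 1)
        if ($c -ne '\') { & $flush; [void]$out.Append($c); $i++; continue }
        $rest = $Escaped.Substring($i + 1)
        if ($rest.Length -ge 1 -and $rest.Substring(0, 1) -in ',', '+', '"', '\', '<', '>', ';', '#', ' ', '=') {
            & $flush; [void]$out.Append($rest.Substring(0, 1)); $i += 2; continue
        }
        $pair = if ($rest.Length -ge 2) { $rest.Substring(0, 2) } else { $rest }
        if ($pair -notmatch '^[0-9A-Fa-f]{2}$') {
            throw [System.ArgumentException]::new("Value $pair is not a valid hexadecimal number.", 'sourceValue')
        }
        $bytes.Add([Convert]::ToByte($pair, 16)); $i += 3
    }
    & $flush
    $out.ToString()
}

# Constructed sample: a domain-qualified account name that contains a backslash.
$raw  = 'CORP\bpeters'
$safe = ConvertTo-DnEscapedValue $raw                 # CORP\\bpeters
$dn   = "CN=$safe,OU=Users,DC=IdentityBroker"         # container and suffix are assumptions

try   { ConvertFrom-DnEscapedValue $raw | Out-Null }
catch { "Unescaped value rejected: $($_.Exception.Message)" }   # starts with: Value bp is not a valid hexadecimal number.
ConvertFrom-DnEscapedValue $safe                      # round-trips to CORP\bpeters
$dn
```

The same escaping applies to any value a PowerShell transformation produces for use in a Distinguished Name template: escape at the point the value is built, not at the point the DN is parsed.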

0
Answered

PowerShell Transformation: Required Attribute

Matthew Woolnough 5 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 5 months ago 1

I want to use an attribute created in a PowerShell transformation in the DN, but am getting a "field not required" error.  How can I configure this new attribute as required?

Answer
anonymous 5 months ago

Hi Matt,

Good question. Currently there is no way to mark fields added via a PowerShell transformation as Required, but this is something we could look at adding support for. Please note, though, that since you can't supply values in Add/Modify requests from an Identity Management platform for these fields (no way to reverse a PowerShell transformation), putting such a field in the Distinguished Name template would effectively block you from provisioning into that adapter.

0
Answered

Error enabling TLS from Management Agent

Richard Green 5 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 4 months ago 15

Hi Gents,

I'm configuring my IDB management agents, and I've noticed the following error being thrown when I try to enable TLS:


I have created a self signed cert and configured it within the interface.
For reference, I used the following command to create my cert:
New-SelfSignedCertificate -Type Custom -Provider "Microsoft RSA SChannel Cryptographic Provider" -Subject "CN=Unify.IdentityBroker" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5)

Answer
anonymous 5 months ago

Please try Unify.IdentityBroker.FIMAdapter.dll and let me know how it goes.
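
As an added example that is not from the original post or the product: a self-signed certificate shaped for the listening side of TLS, followed by a check of the properties the connecting Management Agent relies on. It differs from the command in the post in three places: it requests the Server Authentication EKU (1.3.6.1.5.5.7.3.1), which is the usage a TLS server presents (1.3.6.1.5.5.7.3.2 is Client Authentication); it adds a Subject Alternative Name; and it adds KeyEncipherment to the key usage for RSA key exchange. Host names and file paths are assumptions.

```powershell
# Added example, not the original poster's command: a self-signed certificate
# for a TLS server (the Identity Broker LDAP listener), plus a check of the
# properties the connecting Management Agent will depend on.
$params = @{
    Subject           = 'CN=Unify.IdentityBroker'
    DnsName           = @('Unify.IdentityBroker', $env:COMPUTERNAME)   # assumed: names the MA connects with
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')          # EKU: Server Authentication
    Provider          = 'Microsoft RSA SChannel Cryptographic Provider'
    CertStoreLocation = 'Cert:\LocalMachine\My'
    NotAfter          = (Get-Date).AddYears(2)
}
$cert = New-SelfSignedCertificate @params

function Test-TlsServerCertificate {
    # Returns the checks a TLS listener certificate has to pass; any $false
    # here is worth fixing before enabling TLS on the MA.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string[]]$ExpectedDnsName = @())
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object Value })
    $kuExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $dsFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $hasDs  = if ($kuExt) { ($kuExt.KeyUsages -band $dsFlag) -ne 0 } else { $false }
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    [pscustomobject]@{
        Thumbprint       = $Certificate.Thumbprint
        HasPrivateKey    = $Certificate.HasPrivateKey
        ServerAuthEku    = $ekus -contains '1.3.6.1.5.5.7.3.1'
        ClientAuthOnly   = ($ekus -contains '1.3.6.1.5.5.7.3.2') -and -not ($ekus -contains '1.3.6.1.5.5.7.3.1')
        DigitalSignature = $hasDs
        SanCoversNames   = @($ExpectedDnsName | Where-Object { $san -notmatch [regex]::Escape($_) }).Count -eq 0
        NotExpired       = $Certificate.NotAfter -gt (Get-Date)
    }
}

Test-TlsServerCertificate -Certificate $cert -ExpectedDnsName $params.DnsName

# The MA host must trust the issuer; for a self-signed certificate that means
# importing the public part (no private key) into its LocalMachine\Root store.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\idb-tls.cer" | Out-Null
# On the MIM server:  Import-Certificate -FilePath .\idb-tls.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Two things the script cannot check for you: the account the Identity Broker service runs as needs Read on the certificate's private key (certlm.msc, All Tasks, Manage Private Keys), and the host name the MA is configured with must be one of the names in the SAN, otherwise the TLS handshake fails on name mismatch even though the certificate is trusted.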

0
Answered

Restrict access to IIS

Matthew Woolnough 5 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 5 months ago 4

I have configured IdB to use IIS, but there is nothing in the doco to suggest that it should be restricted. 

http://voice.unifysolutions.net/topics/2943-configuring-identity-broker-for-use-with-iis/

Leaving access open to any authenticated user is potentially a security risk.  

I have configured IIS to only listen on 127.0.0.1, but presumably there is something else in IdB to perform this role. 

How can IdB be restricted when using IIS?

Answer
anonymous 5 months ago

Hi Matt,

We removed the IDB auth settings from 5.0 as it was unmaintainable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page).

For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc, using examples such as this one or settings found here. Up to the consultant and client how the restrictions look in line with what the requirements are.
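
As an added example that is not part of the answer above or of the product: the IIS-side restriction for a 5.0/5.1 site, done from PowerShell so it is repeatable. It disables anonymous access, keeps Windows authentication, removes the server-wide "allow all users" authorization rule for this site and allows one group only, and limits clients to loopback at the module level as well as at the binding. The site name and group name are assumptions; the URL Authorization and IP Restrictions features must be installed for the sections to be honoured.

```powershell
# Added example, not part of the original answer: restrict an Identity Broker
# site hosted in IIS (5.0/5.1 builds, which have no auth settings of their own)
# to one Windows group and to loopback clients. Site and group names are
# assumptions; the features are installed with
#   Install-WindowsFeature Web-Url-Auth, Web-IP-Security
Import-Module WebAdministration
$site  = 'IdentityBroker'        # assumed IIS site name
$group = 'CORP\IdB-Operators'    # assumed group allowed to use the IdB web UI

# Authentication sections are locked at server level, so write them as a
# <location> entry in applicationHost.config rather than in the site's web.config.
$at = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }
Set-WebConfigurationProperty @at -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value $false
Set-WebConfigurationProperty @at -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name 'enabled' -Value $true

# Authorization: drop the inherited "allow all users" rule, then allow the group only.
# With no matching rule left, URL Authorization denies the request.
Remove-WebConfigurationProperty @at -Filter 'system.webServer/security/authorization' -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty    @at -Filter 'system.webServer/security/authorization' -Name '.' -Value @{ accessType = 'Allow'; roles = $group }

# IP restriction: the post binds the site to 127.0.0.1; deny anything else at the module level too.
Set-WebConfigurationProperty @at -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty @at -Filter 'system.webServer/security/ipSecurity' -Name '.' -Value @{ ipAddress = '127.0.0.1'; allowed = $true }

# Read back what is now effective for the site.
Get-WebConfigurationProperty @at -Filter 'system.webServer/security/authentication/*' -Name 'enabled' |
    Select-Object ItemXPath, Value
Get-WebConfiguration @at -Filter 'system.webServer/security/authorization/add' | Select-Object accessType, users, roles
```

Test from a second account that is not in the group and confirm a 401 before relying on it; and remember that the loopback binding only protects the web UI, not the LDAP listener, which has its own access levels (see the "Require an LDAP access level" lines in the logs further down this page).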

0
Answered

Date handling changes

Matthew Woolnough 6 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 6 months ago 4

I have a date attribute in my Aurion Adapter called DateCommenced.  

In the IdB UI it appears as 2010-05-24. 

When it imports into MIM, it's a string type and is shown in the connector space as:

2010-05-24T00:00:00:000

When I look at FIM, (which we're replacing) it's also a string type, however it's shown in the connector space as:

2010-05-24

Has something changed in the handling of Dates between 3.x and 5.x? 

0
Not a bug

Time Offset Flag Transformation throws error when no data present

Matthew Woolnough 6 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 6 months ago 6

The UI is displaying "Specified argument was out of the range of valid values. Parameter name: key"  after configuring a Time Offset Flag Transformation.   Looking at the data, there is nothing currently in the column, I suspect this might be causing the error. 

There are two configured transformations:

<adapter name="TimeOffsetFlag" key="e761c890-313b-4b88-bfcf-272595dcf784">
  <Extended offset="-P15DT10H" sourceColumn="DateCommenced" destinationColumn="EmployeeStarted" LesserValue="True" EqualValue="True" GreaterValue="False" NullValue="False" adjustForLocal="false" xmlns="" />
</adapter>
<adapter name="TimeOffsetFlag" key="00eaab5c-89e9-41b4-9728-e7b342d07db8">
  <Extended offset="PT10H" sourceColumn="DateTerminated" destinationColumn="EmployeeTerminated" LesserValue="False" EqualValue="True" GreaterValue="False" NullValue="True" adjustForLocal="false" xmlns="" />
</adapter>

The first one does not throw an error. The second one does.

Answer
anonymous 6 months ago

Hi Matt,

Where is the UI displaying this error? Is it under the Transformations section, between a heading Time Offset Flag and its corresponding description? Please ensure that you don't have duplicate column names in your adapter, i.e. that there isn't already a column named DateTerminated. If there is, either rename the existing column or change the Target for the Time Offset Flag Transformation.
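
To make the comparison behind those two entries concrete, an added example that is not the product's implementation. Its semantics are an assumption read off the attribute names: the source date shifted by the ISO 8601 offset is compared with the current time and LesserValue, EqualValue or GreaterValue is emitted, with NullValue when the column is empty. The row and the "now" used are constructed.

```powershell
# Added example (assumed semantics, not Identity Broker's code): evaluate a
# Time Offset Flag for one row, including the empty-column case.
function Get-TimeOffsetFlag {
    param(
        [AllowNull()][Nullable[datetime]]$SourceValue,   # $null when the column is empty
        [Parameter(Mandatory)][string]$Offset,          # ISO 8601 duration, e.g. -P15DT10H
        [Parameter(Mandatory)][bool]$LesserValue,
        [Parameter(Mandatory)][bool]$EqualValue,
        [Parameter(Mandatory)][bool]$GreaterValue,
        [Parameter(Mandatory)][bool]$NullValue,
        [datetime]$Now = [datetime]::UtcNow
    )
    if ($null -eq $SourceValue) { return $NullValue }    # no date: no comparison, just the configured value
    # XmlConvert parses xs:duration, the ISO 8601 form used in the config, sign included
    $span    = [System.Xml.XmlConvert]::ToTimeSpan($Offset)
    $shifted = $SourceValue.Add($span)
    $cmp     = [datetime]::Compare($shifted, $Now)
    if ($cmp -lt 0)     { return $LesserValue }
    elseif ($cmp -eq 0) { return $EqualValue }
    else                { return $GreaterValue }
}

# Applies one transformation element (the shape shown in the post) to a row.
function Invoke-TimeOffsetFlag {
    param([Parameter(Mandatory)][hashtable]$Row, [Parameter(Mandatory)][xml]$Config, [datetime]$Now = [datetime]::UtcNow)
    $x = $Config.adapter.Extended
    $Row[$x.destinationColumn] = Get-TimeOffsetFlag -SourceValue $Row[$x.sourceColumn] -Offset $x.offset `
        -LesserValue ([bool]::Parse($x.LesserValue)) -EqualValue ([bool]::Parse($x.EqualValue)) `
        -GreaterValue ([bool]::Parse($x.GreaterValue)) -NullValue ([bool]::Parse($x.NullValue)) -Now $Now
    $Row
}

$started    = [xml]'<adapter name="TimeOffsetFlag"><Extended offset="-P15DT10H" sourceColumn="DateCommenced" destinationColumn="EmployeeStarted" LesserValue="True" EqualValue="True" GreaterValue="False" NullValue="False" /></adapter>'
$terminated = [xml]'<adapter name="TimeOffsetFlag"><Extended offset="PT10H" sourceColumn="DateTerminated" destinationColumn="EmployeeTerminated" LesserValue="False" EqualValue="True" GreaterValue="False" NullValue="True" /></adapter>'

# Constructed row: a commencement date, no termination date.
$row = @{ DateCommenced = [datetime]::new(2010, 5, 24, 0, 0, 0, [DateTimeKind]::Utc); DateTerminated = $null }
$now = [datetime]::new(2017, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$row = Invoke-TimeOffsetFlag -Row $row -Config $started    -Now $now   # EmployeeStarted    = True  (2010-05-08T14:00Z is before $now)
$row = Invoke-TimeOffsetFlag -Row $row -Config $terminated -Now $now   # EmployeeTerminated = True  (the NullValue, as DateTerminated is empty)
$row
```

Written this way the empty column is an ordinary input, not an exception; if the UI error persists with a non-empty column, the duplicate-column-name check in the answer above is the next thing to rule out.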

0
Fixed

Object reference not set to an instance of an object error when attempting to retrieve schema

When trying to retrieve schema, MIM throws error below.

Log Name:      Application
Source:        FIMSynchronizationService
Date:          30/05/2017 8:44:54 AM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dc1devfim01.dev.apra.gov.au
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_LdapSchema()
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
   at Unify.Product.IdentityBroker.UnifyLdapConnector.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0"

Error in logs is as follows:

20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level
Request to require LDAP access level Read completed successfully.",Verbose
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request.
Handling of LDAP schema request from user mim on connection 127.0.0.1:65135 for the server schema failed with error ""Object reference not set to an instance of an object."". Duration: 00:00:00.",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP Engine,Error,"An error occurred on client from 127.0.0.1:65135. More details:
Internal Server Error #11: System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.SearchRequestHandlerBase.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
   at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
   at Unify.Product.IdentityBroker.LDAPRequestHandlerSecurityDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
   at Unify.Product.IdentityBroker.LDAPConnection.<RespondToMessageAsync>d__33.MoveNext()",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection mim to connect as user 127.0.0.1:65135 started.",Verbose
20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level


Answer

Hi Matt,

Thanks for the feedback, I agree that the product could handle this more gracefully, and we'll take it into consideration.

For your immediate issue, you should be able to resolve this by removing the container corresponding to the previous container name and re-populating the adapter entity context.

0
Fixed

"Sequence contains no elements" trying to retrieve schema

Matthew Woolnough 6 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 1 month ago 5

Trying to retrieve schema in MIM & getting the error below in event logs. MIM UI displays error Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343

Log Name:      Application
Source:        FIMSynchronizationService
Date:          25/05/2017 3:35:21 PM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      dc1devfim01.dev.apra.gov.au
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.InvalidOperationException: Sequence contains no elements
   at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source)
   at RegExExtensions.RegExExtensions.Extract(String text, String pattern)
   at Unify.Product.IdentityBroker.LdapAttributeDefinition..ctor(String definition)
   at Unify.Product.IdentityBroker.LdapSchema.<>c.<.ctor>b__0_0(String attr)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
   at Unify.Product.IdentityBroker.LdapSchema..ctor(SearchResultEntry entry)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0"

Answer
anonymous 1 month ago

Fix added for 5.3
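
The trace shows the schema load failing inside RegExExtensions.Extract, a Single()-style extraction that throws when its pattern matches nothing in an attributeType definition. As an added example that is not Identity Broker's code, a reader that treats NAME as the optional field RFC 4512 says it is and falls back to the OID, so one unusual definition cannot sink the whole schema. The definitions are constructed; the 1.3.6.1.4.1.99999.1 OID is a placeholder.

```powershell
# Added example, not Identity Broker code: parse RFC 4512 attributeType
# definitions without requiring a NAME, so a definition the regex does not
# match degrades to a fallback instead of "Sequence contains no elements".
function ConvertFrom-LdapAttributeType {
    param([Parameter(Mandatory)][string]$Definition)
    # RFC 4512 4.1.2: "( numericoid [ NAME qdescrs ] [ DESC ... ] ... )"; only the OID is mandatory
    if ($Definition -notmatch '^\s*\(\s*(?<oid>[0-9.]+|[A-Za-z][A-Za-z0-9-]*)\s') {
        throw "Not an attributeType definition: $Definition"
    }
    $oid = $Matches.oid
    $names = @()
    if ($Definition -match "\sNAME\s+'(?<n>[^']*)'") {
        $names = @($Matches.n)
    } elseif ($Definition -match "\sNAME\s+\(\s*(?<n>[^)]*)\)") {
        $names = @($Matches.n.Trim() -split '\s+' | ForEach-Object { $_.Trim("'") } | Where-Object { $_ })
    }
    $syntax = $null; $maxLen = $null
    if ($Definition -match '\sSYNTAX\s+(?<s>[0-9.]+)(\{(?<len>\d+)\})?') {
        $syntax = $Matches.s
        if ($Matches['len']) { $maxLen = [int]$Matches['len'] }
    }
    [pscustomobject]@{
        Oid         = $oid
        Names       = $names
        Key         = if ($names.Count -gt 0) { $names[0] } else { $oid }  # fallback: address the attribute by OID
        Syntax      = $syntax
        MaxLength   = $maxLen
        SingleValue = $Definition -match '\sSINGLE-VALUE(\s|\))'
        NoUserMod   = $Definition -match '\sNO-USER-MODIFICATION(\s|\))'
    }
}

function Import-LdapAttributeSchema {
    # Builds the name-to-definition table a schema consumer needs, warning
    # rather than aborting on a value that is not a definition at all.
    param([Parameter(Mandatory)][string[]]$Definitions)
    $schema = @{}
    foreach ($def in $Definitions) {
        try   { $a = ConvertFrom-LdapAttributeType $def; $schema[$a.Key] = $a }
        catch { Write-Warning "Skipping unparsable attributeType: $def ($_)" }
    }
    $schema
}

# Constructed sample of attributeTypes values from a subschema subentry.
# 2.5.4.x and the 1466 syntax OIDs are the standard ones; 1.3.6.1.4.1.99999.1 is a placeholder.
$attributeTypes = @(
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "( 1.3.6.1.4.1.99999.1 DESC 'no NAME field' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )",
    "this is not a definition at all"
)
$schema = Import-LdapAttributeSchema $attributeTypes
$schema.Keys                                   # cn, objectClass and 1.3.6.1.4.1.99999.1 (keyed by OID, no NAME)
$schema['1.3.6.1.4.1.99999.1'] | Format-List
```

The general point for any LDAP client that reads a server's schema: treat every optional field as optional, and keep the OID as the stable key, because names are what vendors and custom schemas vary.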

0
Under review

Install IdB MIM Adapter DLL to appropriate MIM directory

Matthew Woolnough 7 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 6 months ago 1

The MIM adapter currently installs to a Unify directory in Program Files, after which it needs to be moved manually into the appropriate MIM Directory.

The installer could install into the appropriate directory, which would result in better end user experience, both in the initial install and in repairs.

The FIM Sync base directory can be retrieved from the registry at: 

SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Path

as documented here.

After this \extensions needs to be added to the path value to find the location.
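
Until the installer does this, an added example that is not the product installer: resolve the extensions directory from that registry value, record what is about to be loaded into the sync service, and copy the adapter in. The source path of the DLL is an assumption.

```powershell
# Added example, not the product installer: find the MIM Synchronization
# Service extensions directory from the registry value named above and put the
# Identity Broker adapter there. The source path of the DLL is an assumption.
function Get-MimExtensionsDirectory {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
    $base = Get-ItemPropertyValue -Path $key -Name 'Path'     # the Synchronization Service install directory
    $dir  = Join-Path $base 'Extensions'
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Extensions directory not found: $dir" }
    $dir
}

function Install-IdbMimAdapter {
    param(
        [Parameter(Mandatory)][string]$SourceDll,
        [string]$Destination = (Get-MimExtensionsDirectory)
    )
    $target = Join-Path $Destination (Split-Path -Leaf $SourceDll)

    # A DLL picked up from a forum attachment is code that will run inside the
    # sync service: record its hash and signature state before installing it.
    $hash = (Get-FileHash -LiteralPath $SourceDll -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $SourceDll
    Write-Host "Installing $SourceDll (SHA256 $hash, signature: $($sig.Status), signer: $($sig.SignerCertificate.Subject))"

    if ((Test-Path -LiteralPath $target) -and (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -eq $hash) {
        Write-Host "Already current: $target"
        return
    }
    # No import or sync run may be using the extension while it is replaced.
    $svc = Get-Service FIMSynchronizationService
    if ($svc.Status -eq 'Running') { Stop-Service FIMSynchronizationService }
    Copy-Item -LiteralPath $SourceDll -Destination $target -Force
    if ($svc.Status -eq 'Running') { Start-Service FIMSynchronizationService }
    Write-Host "Installed $(([System.Diagnostics.FileVersionInfo]::GetVersionInfo($target)).FileVersion) to $target"
}

# Assumed: where the Identity Broker installer left the adapter (the Unify directory in Program Files the post describes)
Install-IdbMimAdapter -SourceDll 'C:\Program Files\UNIFY Solutions\Identity Broker\Unify.IdentityBroker.FIMAdapter.dll'
```

Keeping the hash line from the output with the change record makes it possible later to tell which of the several patched DLLs handed out on this forum is actually loaded on a given server.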

0
Fixed

Unable to retrieve schema

Matthew Woolnough 7 months ago in Identity Broker for Microsoft Identity Manager • updated by anonymous 6 months ago 15

MIM's IdB MA is unable to retrieve schema from IdB during implementation. Error returned is:

-------------------------------------------
Synchronization Service Manager

Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343
-------------------------------------------


Event Log contains the following:

-------------------------------------------

The extensible extension returned an unsupported error.
 The stack trace is:
 
 Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0

-------------------------------------------



Answer
anonymous 6 months ago

Thanks Matt,

It looks like you have an entry in the [Container] table left over from an adapter with a container name of users. These should be removed automatically when you delete the adapter, or if you delete it directly from the xml config, at service startup. I'm not sure how it's managed to stay in there for you if you don't have any such adapter. You can manually delete the entry from the [Container] table where the [DistinguishedName] column has the value OU=users,DC=IdentityBroker to resolve this issue, and I'll re-raise this as a bug in our backlog.

You should be able to remove the patches supplied on this issue as well.