This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Or when FIM Filters go bad…

I’m currently taking a new project into production for the first time, and was a bit confused when the Sets being uploaded started failing with the FIPS error above – especially as I don’t quite understand how FIPS was being invoked for anything to do with this solution.

Fortunately this turns out to be the message thrown by MIM when a set that doesn’t meet the allowed filter criteria is uploaded. In development I’d disabled the MPRs that enforce the filter checks, and it looks like during the configuration upload these sets were encountered before the updated (disabled) MPR was.

Panic over: it’s possible to pre-emptively update (disable) the ‘General workflow: filter attribute validation for administrator’ and ‘… for non-administrator’ MPRs, after which a re-import went in smoothly.

Posted in facepalm, FIM, MIM, Snippets, Troubleshooting

Just-in-time debugging

I’ve recently rebuilt a development environment, replacing my older Windows 2008 FIM R2 rig with a Windows 2012 MIM one, and hit an odd problem when trying to trigger the just-in-time debugger from within my code.

Normally, to debug one of my tools, I just set a label at run time and the debugger is automatically triggered using System.Diagnostics.Debugger.Launch(); however, in the new environment the debugger never appears, and in the event log I see an error message warning me that “Just-In-Time debugging this exception failed with the following error: The operation attempted is not supported.”

image

After doing some digging about, it appears that this is actually a security feature introduced after Windows 2008. Fortunately, though, it can be turned off by updating the registry: I’ve found that setting HKEY_CLASSES_ROOT\AppID\{E62A7A31-6025-408E-87F6-81AEB0DC9347}\AppIDFlags to a value of 0x08 seems to do the trick and debugging is restored.

image

https://connect.microsoft.com/VisualStudio/feedback/details/770786/just-in-time-debugging-operation-attempted-is-not-supported

More background on why the feature was introduced is here: http://stackoverflow.com/questions/11940378/vsjitdebugger-operation-attempted-is-not-supported-on-windows-8-windows-server

Posted in Testing, Tools, Troubleshooting, Upgrades, Visual Studio, Windows 2012

Unexpected ‘Unable to process your request’ error

I have an established MIM server that I’m currently developing on that started to throw ‘Unable to process your request’ errors whenever I attempted to move away from the initial landing tab of any RCDC, including the “System” ones such as those for MPRs and Sets.

Looking into the event log on the Portal server, the underlying issue was clear:

image

image

It turns out that I’d managed to fill the transaction log for the MIM Service database, and this was causing the whole service to misbehave. Working through the suggestions here: https://msdn.microsoft.com/en-ie/library/ms175495.aspx

I was able to reduce the size of the transaction log and free up space, allowing MIM to breathe, or at least start to behave itself again; normal MIM operation resumed once SQL had enough space to work with.

Posted in FIM, MIM, SQL, Troubleshooting

MIMWAL Demo

Update: a copy of this session is available on YouTube – https://www.youtube.com/watch?v=-TaTvfbgBJQ

The FIM Team have organized a briefing and demo about MIMWAL for February’s session, which should make for an interesting demo and discussion.

From – https://www.thefimteam.com/fim-team-user-group/

Date:
10th February 2016, 20:00 UTC

Presenter:
Jef Kazimer (Microsoft)

Topic:
Demonstration of the MIM/FIM Workflow Activity Library (WAL), which has now been made available, by Microsoft, as an open source project on GitHub.
The MIMWAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding. Microsoft Consulting Services have been using this library for years and now the latest version has been made available for anyone to use.

Posted in FIM, MIM, Snippets, Tools, Workflow

Microsoft WAL Library goes public

Microsoft have released their FIMWAL / MIMWAL “Workflow Activity Library” for building advanced workflows within FIM / MIM.

Code and more details can be located here:

http://microsoft.github.io/MIMWAL/

If you’re at all interested in creating advanced workflows, it’s going to be worth a look.

Posted in Snippets

Sync run profile fails for some connectors

We were in the process of building a demo environment for a presentation when two of our connectors stopped synchronizing with a credential error.

The error thrown is “Unable to run the Management Agent” / “The Management Agent failed to validate against the application store with the specified credentials”, which writes a bail-out into the event log with error code 0x80230709.

What is most odd is that this was happening on two of the Management Agents in the solution, one which isn’t actually in use and the FIM MA (slightly more important), while all the other management agents would import / export / sync as usual.

After a great deal of worry, we spotted that the account used to connect out to these two connectors had expired, and unlocking it resolves the problem.

I’m not clear why FIM would be checking the external credentials for a straight (and basic) synchronization cycle, as I’d have expected that to operate purely within the boundaries of the FIM Synchronization DB, which these accounts don’t even grant access to.

Posted in FIM, Troubleshooting

FIM EventLog records errors on searches

I’m currently debugging some custom workflow activities and updating the logging code so it produces more useful information (apparently my ‘development’ error codes aren’t human readable enough!), and noticed that I was getting lots of ‘KeyNotFound’ exceptions in the event log:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

After much digging through my code I spotted that this was actually being generated whenever I read from FIM in the Portal. While it was a relief to know that my workflow code was off the hook, I didn’t really want to leave this in place cluttering up the event log.

It looks like this was introduced during one of the hotfix releases (4.1.3496 is mentioned in the article I’ve linked to below), when additional Portal configuration was introduced to allow the Advanced Search option to be turned off. This means that my local FIM installation was actually attempting to locate an attribute on the Portal Configuration that I didn’t have in my schema, which was the cause of the KeyNotFound exceptions I was finding.

The steps to fix it are fairly simple and are as follows (steps taken from the referenced documents, not my own work; see below for links):

To enable the configuration and remove the Advanced Search link, follow these steps:

  1. In Administration, click Schema Management, and then click All Attributes.
  2. Create a new Boolean attribute that is named “HideAdvancedSearchLink.”
  3. In All Bindings, create a new binding for the HideAdvancedSearchLink attribute to the Portal Configuration resource, and then click Finish to save the binding.
  4. Create a new Management Policy Rule (MPR) to allow for changes to the new binding in the portal configuration. To do this, use the following configuration for the new MPR:
    Display Name: Administrators can modify the HideAdvancedSearchLink attribute in the Portal Configuration resource
    Type: Request
    Disabled: False
    Specific Set of Requestors: All Administrators
    Operation: Modify a single-valued attribute
    Permissions: Grants permission
    Target Resource Definition Before Request: All Basic Configuration Objects
    Target Resource Definition After Request: All Basic Configuration Objects
    Resource Attributes: Select specific attributes: HideAdvancedSearchLink
  5. Reset Internet Information Services (IIS), and then restart the FIM service.
  6. In Administration, click Portal Configuration, and then click Extended Attributes. You should see the HideAdvancedSearchLink attribute together with the other extended attributes.
  7. Click to select the HideAdvancedSearchLink check box, and then click Submit to enable the hiding of the Advanced Search link.
  8. Verify that the Advanced Search link is not available in the list views. For example, check the following list views:
    - My DGs
    - My DG Memberships
    - Management Policy Rules

Once I had this implemented and FIM restarted, the errors were gone and I was left with only the exceptions of my own making again – yay, I think!

Links for the above are to:

Blog Post – http://www.networksteve.com/windows/topic.php/Error_raised_in_the_event_log_when_browsing_the_portal/?TopicId=61333&Posts=3

KB Article – https://support.microsoft.com/en-us/kb/2906832/en-us

Posted in FIM, Snippets, Troubleshooting

Daylight Savings

Sometimes FIM strikes me as being way too clever for its own (and usually my) good, and I’ve been looking into a problem for a client that ticks this box big time.

They have a number of email notifications that they need to generate that instruct various parties within the organization about people joining, moving and leaving, so that the processes they can’t or don’t want to automate can be initiated based on the data held by FIM. In this scenario, a leavers email is sent to HR letting them know when a contractor has reached their leaving date.

This works fairly well for six months out of every year. During the daylight savings months, the email is issued the day before it’s supposed to go out, and the HR department, being highly efficient, carry out the required action as soon as they see the email, leading to all sorts of downstream mayhem trying to clean up after the event.

Naturally, focus fell on a custom workflow that is used to generate these emails, and after spending an amount of time pulling apart the code it occurred to me that nothing in the workflow could actually be causing this: it was the user account transitioning into the temporal set that was executing a day early (obvious in hindsight). Seeing as I had Visual Studio hooked up to the workflow, I moved a few more users about and it turned out that even though their leaving date was set correctly, e.g. 03/06/2015, FIM was transposing this in the background and storing it as 02/06/2015 23:00.

It appears that when FIM is presented with a date, it transposes it into UTC for internal storage, and as during June GMT (the configured time zone for the solution) is +1 hour compared to UTC, it removes the hour and brings the user’s leaving date forward into the previous day, allowing it to trigger the removal notification effectively 24 hours early.

Fortunately, as FIM is using its configured time zone to work this out, it’s a fairly simple case (in this instance!) to create a new UTC TimeZone object and then configure FIM to use this instead of the previous GMT one, although this probably isn’t going to be a fix in all instances!
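The shift described above, reproduced as an added example (not code from the post or from FIM): a leaving date of 03/06/2015 entered in the Windows “GMT Standard Time” zone (UTC+1 in June) becomes 02/06/2015 23:00 once normalised to UTC, so a check on the calendar day fires a day early, while the same date in December and a date converted from a UTC zone do not move. The zone id and the helper names are my own choices.

```csharp
using System;

// Added example: shows how a date-only value loses an hour when the configured zone is
// GMT Standard Time (BST in summer) and why switching the zone to UTC fixes it.
public static class LeavingDateShift
{
    private static readonly TimeZoneInfo ConfiguredZone =
        TimeZoneInfo.FindSystemTimeZoneById("GMT Standard Time"); // Windows zone id, assumed

    // Behaviour the post observed: the date is taken as configured-zone local time.
    public static DateTime StoreAsUtcFromConfiguredZone(DateTime leavingDate)
    {
        var local = DateTime.SpecifyKind(leavingDate, DateTimeKind.Unspecified);
        return TimeZoneInfo.ConvertTimeToUtc(local, ConfiguredZone);
    }

    // The fix the post applied: the configured zone is UTC, so midnight stays midnight.
    public static DateTime StoreAsUtcFromUtcZone(DateTime leavingDate)
    {
        var local = DateTime.SpecifyKind(leavingDate, DateTimeKind.Unspecified);
        return TimeZoneInfo.ConvertTimeToUtc(local, TimeZoneInfo.Utc);
    }

    // True when the stored value no longer falls on the calendar day that was entered,
    // which is exactly the condition that makes the temporal set transition early.
    public static bool FiresADayEarly(DateTime entered, DateTime stored)
    {
        return stored.Date < entered.Date;
    }

    public static void Main()
    {
        var june = new DateTime(2015, 6, 3);      // inside British Summer Time
        var december = new DateTime(2015, 12, 3); // outside it
        foreach (var entered in new[] { june, december })
        {
            var viaGmt = StoreAsUtcFromConfiguredZone(entered);
            var viaUtc = StoreAsUtcFromUtcZone(entered);
            Console.WriteLine("{0:dd/MM/yyyy}: GMT zone -> {1:u} (early: {2}); UTC zone -> {3:u} (early: {4})",
                entered, viaGmt, FiresADayEarly(entered, viaGmt), viaUtc, FiresADayEarly(entered, viaUtc));
        }
    }
}
```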

Posted in FIM, Troubleshooting

HomepageConfiguration – IsConfigurationType

I’m currently working on some tools to upload portal elements and have been struggling with uploaded Homepage Configuration items: they upload, but they don’t display.

Turns out that the IsConfigurationType flag needs to be set, otherwise the Homepage item doesn’t display. Simple when you know… (as usual).

Note – IsConfigurationType doesn’t appear on the standard RCDC; you need to go into the advanced view to be able to see / update it (which doesn’t really help if you’re troubleshooting and can’t see an obvious difference between one Homepage item that displays and another that doesn’t!).

Note – it looks like there’s similar behaviour on Navigation Bar Items as well; at least it’s consistent!

Posted in FIM, Snippets, Tools

Adding PCNS to an ECMA2.0

One of my favourite tools that comes with working at Oxford Computer Group is an ECMA2 called the “delta generator”. At its simplest it’s a faster version of the FIM SQL management agent, but it’s got a few extra tricks up its sleeve that make it a common tool to reach for whenever I’m working on a project.

This time, I’ve been asked to add a password hash to an existing SQL database and to treat the connector as a PCNS target.

Initially I thought it wouldn’t be a problem, until I got into FIM to configure myself a Password extension and was faced with the Extensions page of the MA Properties:

image

As you can see, I’ve checked the ‘Enable Password Management’ box; however, this has defaulted to the delta generator DLL rather than allowing me to insert my own code.

Usually this wouldn’t be a problem: most of the time I’ve either built the ECMA2 myself or its source is part of the project. However, this is one of our stock tools and creating a custom version would cause no end of downstream issues, especially as this tool sometimes crops up several times on the same FIM configuration. I really don’t want a password extension for one part of the project cropping up on management agents for other systems, or the overhead of trying to manage any future updates to the delta generator back into the new connector.

In order to work around this, I built myself a brand new ECMA2 and added a reference to the original delta generator. The interfaces call for public methods and no parameters on the constructor, so in theory it should be fairly simple to create my own instance of the delta generator within my ECMA and pass parameters back and forth between FIM and the underlying code as follows:

From here, I added the core interfaces one at a time, passing in any parameters and returning any values from the delta generator back out to FIM. For example, the CallExport interface is implemented as follows:

Working back from the interfaces exposed by the original Management Agent, it should be relatively simple to stand up matching interfaces on the Wrapper MA and fill in the blanks in the same manner as above, passing the values back and forth between FIM and the core DLL.

Once this was working (and tested) I added the IMAExtensible2Password interface (this one isn’t automatically provided by the template generator for some reason) and started to implement the new Password Extension methods.

While these are a major improvement over the original Password Extension, as you can access the same set of configuration parameters used by the hosting Management Agent, it quickly became obvious that I was missing a key detail that was unique to the Password Extension: the name of the certificate to use for encryption and signing.

Fortunately, as well as wrapping up the existing DLL, because the parameters are passed back from the original delta generator via our wrapper, it is possible to inject additional items. As far as FIM is concerned, it is still retrieving a legitimate collection of parameters to query the user for.
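The wrapper pattern from the paragraphs above (delegating each ECMA2 interface to the wrapped DLL, then injecting the extra certificate parameter and adding IMAExtensible2Password), written out as an added example that is not the post’s or Oxford Computer Group’s code. “DeltaGeneratorMA”, “PasswordTarget” and the parameter name are hypothetical placeholders, since the page does not name the wrapped class or the SQL routine that stores the hash; the interface signatures are those of Microsoft.MetadirectoryServices.

```csharp
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Security;
using Microsoft.MetadirectoryServices;

// Added example: a wrapper ECMA2 that forwards the stock connector's calls unchanged and
// bolts on a password extension. "DeltaGeneratorMA" and "PasswordTarget" are hypothetical
// names; the page does not give the wrapped class or the SQL password-write routine.
public class WrapperMA : IMAExtensible2GetParameters, IMAExtensible2CallExport, IMAExtensible2Password
{
    private const string CertParam = "Password Certificate Name";     // the injected parameter
    private readonly DeltaGeneratorMA inner = new DeltaGeneratorMA(); // parameterless ctor, as ECMA2 requires
    private string certificateName;

    // Parameters: whatever the wrapped DLL asks for, plus the certificate name it knows nothing about.
    public IList<ConfigParameterDefinition> GetConfigParameters(KeyedCollection<string, ConfigParameter> configParameters, ConfigParameterPage page)
    {
        var defs = new List<ConfigParameterDefinition>(inner.GetConfigParameters(configParameters, page));
        if (page == ConfigParameterPage.Connectivity)
            defs.Add(ConfigParameterDefinition.CreateStringParameter(CertParam, string.Empty));
        return defs;
    }

    // Validate the injected item ourselves, then let the wrapped DLL validate its own.
    public ParameterValidationResult ValidateConfigParameters(KeyedCollection<string, ConfigParameter> configParameters, ConfigParameterPage page)
    {
        if (page == ConfigParameterPage.Connectivity && string.IsNullOrEmpty(configParameters[CertParam].Value))
            return new ParameterValidationResult(ParameterValidationResultCode.Failure, "A certificate name is required.", CertParam);
        return inner.ValidateConfigParameters(configParameters, page);
    }

    // Export: straight pass-through, one interface method at a time as the post describes.
    public int ExportDefaultPageSize { get { return inner.ExportDefaultPageSize; } }
    public int ExportMaxPageSize { get { return inner.ExportMaxPageSize; } }
    public void OpenExportConnection(KeyedCollection<string, ConfigParameter> configParameters, Schema types, OpenExportConnectionRunStep exportRunStep)
    { inner.OpenExportConnection(configParameters, types, exportRunStep); }
    public PutExportEntriesResults PutExportEntries(IList<CSEntryChange> csentries) { return inner.PutExportEntries(csentries); }
    public void CloseExportConnection(CloseExportConnectionRunStep exportRunStep) { inner.CloseExportConnection(exportRunStep); }
    // Password extension: behaviour the wrapped DLL never had, driven by the injected parameter.
    public void OpenPasswordConnection(KeyedCollection<string, ConfigParameter> configParameters, Partition partition)
    { certificateName = configParameters[CertParam].Value; }
    public void ClosePasswordConnection() { }
    public ConnectionSecurityLevel GetConnectionSecurityLevel() { return ConnectionSecurityLevel.Secure; }
    public void SetPassword(CSEntry csentry, SecureString newPassword, PasswordOptions options)
    { PasswordTarget.Store(certificateName, csentry.DN.ToString(), newPassword); } // hypothetical SQL hash write
    public void ChangePassword(CSEntry csentry, SecureString oldPassword, SecureString newPassword)
    { SetPassword(csentry, newPassword, PasswordOptions.None); }
}
```

Because GetConfigParameters is the only place FIM learns which parameters exist, the injected certificate name is persisted and surfaced on the MA properties pages exactly like the delta generator’s own settings.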

Once compiled and built, this wrapper can be dropped into the Management Agent in place of the delta generator, and refreshing its interfaces brings the new Password capabilities into play:

image

This time, visiting the Configure Extensions page and enabling password management still refers back to the ECMA2 DLL; however, the correct Password Extension is now in place to be able to perform the required updates:

image

Posted in Certificate, ECMA 2.0, FIM, Snippets