Failed-creation-via-web-services importing AD groups in ILM
I am trying to import AD groups from AD and then send them to the ILM Portal. So the information flows this way: AD -> MV -> ILM Portal. I configured an Inbound Sync Rule at the ILM Portal to send info from AD to MV and set the following attributes:
- accountName
- description
- displayName
- domain
- scope ("Global") based on custom expression
- type ("Security") based on custom expression
- membershipAddWorkflow ("None")
- membershipLocked ("false")
- DisplayedOwner (administrator - csObjectID)
- Owner (administrator - csObjectID)

This portion is working fine, i.e. the info is replicated from AD to MV as expected after the Import and Sync Rules Profiles are run at ADMA and ILMMA. But when I run the Export Profile at ILMMA I get an error: failed-creation-via-webservices. This happens although export attribute flows for the corresponding attributes are configured at ILMMA for the Group object.

Also, when I click on the error to see the detail and pick <Validate object against schema>, it shows two attributes missing: ObjectType and CreatedTime (aren't these created automatically?)

Note: User objects work without issues.

Any ideas to solve this issue?

DiegoV.
IT Consultant
April 14th, 2009 3:31am
Unfortunately, the error is a bit misleading. This is a known RC0 issue. In other words, please ignore the error details :o)

It is good that you have the following flows configured:
- DisplayedOwner (administrator - csObjectID)
- Owner (administrator - csObjectID)

However, do these attributes also have values? One common source for this error is that these attributes don't have anything they can point to. This is the first thing you should check prior to running an export. DisplayedOwner and Owner are required attributes.

Cheers,
Markus

Markus Vilcinskas
Technical Writer
Identity Lifecycle Manager
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/copyright.htm
April 14th, 2009 4:27am
Hi Markus.
Sure, DisplayedOwner and Owner are passed to MV as constants to ensure they have a valid value. The actual value is the CSObject of the ILM Portal Administrator account, which exists in ILM and MV.
Thanks, Diego
April 14th, 2009 4:58am
Hi Diego,

Assuming the string value is resolving to the administrator account and the reference is therefore valid, you will get this problem if the ILM MA is running under any account *other than the Built-in synchronisation account*. The Built-in synchronisation account is the account you specified during installation as the ILM MA account. You can verify the account by looking at the Configuration XML (default location is "C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config"). Look for the <appSettings> node and the key of "SyncEngineAccount".

I hit this issue because I'd specified my MA account during installation (CONTOSO\ilmma) and actually configured the MA with the administrator account. The builtin synchronisation account is exempt from AuthN and AuthZ whereas all other accounts are not. Because reference attributes are written as a second request, the initial request to create the groups has the displayedOwner as NULL. If you use any account other than the builtin sync account the AuthZ phase will not allow this mandatory attribute to be null, ergo you get a web services error.

Hope this helps?
--Paul
April 14th, 2009 3:18pm
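The check Paul describes (the account the ILM MA runs under must be the one named by the SyncEngineAccount key in the <appSettings> node of Microsoft.ResourceManagement.Service.exe.config) can be scripted. The following is an added example, not code from the thread or from the product: it parses a constructed stand-in for that config file, reads the key, and compares it against the account the MA is configured to run as. The config fragment, the account names (CONTOSO\ilmma from Paul's post, CONTOSO\Administrator as the mismatching case) and the function names are all constructed for the example.

```python
"""Added example: verify that the ILM MA run-as account matches the
SyncEngineAccount key in Microsoft.ResourceManagement.Service.exe.config.
The config text is a constructed stand-in for the real file; only the
<appSettings> node and the SyncEngineAccount key described in the thread
are relied on."""
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the layout described in the thread
# (an <appSettings> node holding <add key="..." value="..."/> entries).
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="1" />
    <add key="SyncEngineAccount" value="CONTOSO\ilmma" />
  </appSettings>
</configuration>
"""


def read_sync_engine_account(config_xml: str) -> Optional[str]:
    """Return the value of the SyncEngineAccount key, or None if absent."""
    root = ET.fromstring(config_xml)
    for entry in root.findall("./appSettings/add"):
        if entry.get("key") == "SyncEngineAccount":
            return entry.get("value")
    return None


def check_ma_account(config_xml: str, ma_run_as_account: str) -> dict:
    """Compare the MA run-as account with SyncEngineAccount.

    Comparison is case-insensitive on the DOMAIN\\user form; it does not
    reconcile a UPN (user@domain) against a NetBIOS name, so pass both
    values in the same form.
    """
    configured = read_sync_engine_account(config_xml)
    if configured is None:
        return {"ok": False,
                "reason": "SyncEngineAccount key missing from <appSettings>"}
    if configured.strip().lower() == ma_run_as_account.strip().lower():
        return {"ok": True,
                "reason": "ILM MA account matches SyncEngineAccount"}
    return {"ok": False,
            "reason": (f"ILM MA runs as {ma_run_as_account} but SyncEngineAccount "
                       f"is {configured}; group exports with a reference-valued "
                       f"mandatory attribute will fail AuthZ")}


if __name__ == "__main__":
    # Paul's scenario: install named CONTOSO\ilmma, MA configured with the admin.
    print(check_ma_account(SAMPLE_CONFIG, r"CONTOSO\Administrator"))
    print(check_ma_account(SAMPLE_CONFIG, r"contoso\ILMMA"))
```

Run it against the real file by reading the config path from Paul's post into `config_xml` and passing the account shown on the ILM MA's connection page; a mismatch is the condition to fix before re-running the export.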
Hi Diego! Are you sure you got all export attribute flows to ILM set up? I worked for hours with this today and finally I got it all working...

Import Attribute Flow (set up in portal) AD -> Metaverse:
Name: AD Group Inbound Synchronization
Flow Type: Inbound
Metaverse Object Type: group
Connected System: ADMA
Connected Object Type: Group
Relationship Criteria: accountName = sAMAccountName
Object Creation in ILM: Yes (checkbox)

Inbound Attribute Flow:
- IIF(GreaterThanOrEquals(groupType,-2147483646),"Security","Distribution") -> type (custom expression)
- sAMAccountName -> accountName
- IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal",IIF(Eq(BitAnd(8,groupType),8),"Universal",""))) -> scope (custom expression)
- "None" -> membershipAddWorkflow (string constant)
- "false" -> membershipLocked (string constant)
- "Domain" -> domain (string constant)
- "11111111-1111-1111-1111-111111111111" -> ownerDN (ownerDN is a custom string MV attribute I've created on the MV group object, and the GUID is the csObjectID for the Built-in Synchronization Account as a string constant)
- IIF(Eq(displayName,""),sAMAccountName,displayName) -> displayName (custom expression to ensure there is a displayName)
- member -> member
- description -> description (configured "direct" in the MA since I haven't found a way to handle multi- to single-valued attributes in the portal; anyone have an idea how to do this?)

Attribute Flow Metaverse <--> ILM:
- <dn> <- sync-rule-mapping
- MVObjectID <- <object-id>
- DetectedRulesList <- detectedRulesList
- Email <- email
- ObjectSid <- objectSid
- Type <- type
- Scope <- scope
- Domain <- domain
- MemberShipLocked <- membershipLocked
- MembershipAddWorkFlow <- membershipAddWorkFlow
- DisplayName <- displayName
- Owner <- ownerDN (my custom MV attribute)
- DisplayedOwner <- ownerDN (my custom MV attribute)
- Member <- member
- Description <- description
- AccountName <- accountName
- Description -> description
- DisplayName -> displayName
- AccountName -> accountName
- Member -> member
- MemberShipLocked -> membershipLocked
- Owner -> ownerDN (my custom MV attribute)
- Type -> type
- Scope -> scope
- MailNickName -> mailNickName
- DisplayedOwner -> displayedOwner
- ExpectedRulesList -> expectedRulesList
- <dn> -> csObjectID

Note: I don't have an export mailNickName attribute since I don't use AD/Exchange, and I still haven't specified all import attributes yet since the outbound rules remain.

Long description, but I hope others can get help from it and don't have to work with it for hours to get it working.

//Henrik
Henrik Nilsson - Cortego http://blog.softconstruction.se
April 14th, 2009 5:56pm
Hi Paul,
Yes, it was related to the account referred to at "SyncEngineAccount"!

The ILM installation was using two accounts:
- 1 synchronization account (usrilmSYNC) to run Microsoft Identity Integration Server
- 1 service account (usrilmSVC) to run Microsoft Identity Manager (the same user that was used to install ILM Portal)

I changed, at "C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config", <appSettings> node, the "SyncEngineAccount" key from usrilmSYNC to usrilmSVC.

This configuration has no issue with bi-directional synchronization of ILM user objects (inbound / outbound). However, the issue appears when group objects are exported from MV to ILM.

For people wondering which expressions were used to generate the scope and type attributes, here they are:
- type --> IIF(LessThan(groupType,0),"Security","Distribution")
- scope --> IIF(Eq(groupType,-2147483646),"Global",IIF(Eq(groupType,-2147483644),"DomainLocal","Universal"))

Note: Based on this result, is it better to use a single account to install and configure all ILM services?
Diego.
April 14th, 2009 6:07pm
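Henrik's and Diego's posts above give two different pairs of custom expressions for deriving type and scope from the AD groupType attribute. The block below is an added example, not code from either poster or from ILM: it re-implements the sync-rule functions used in those expressions (IIF, Eq, BitAnd, LessThan, GreaterThanOrEquals) as small Python stand-ins, evaluates both pairs over the six standard groupType values (the documented flag bits 0x2 Global, 0x4 Domain Local, 0x8 Universal, 0x80000000 security-enabled, which AD exposes as a signed 32-bit integer), and reports where each expression disagrees with a decode of the flag bits. Running it shows that Henrik's BitAnd-based scope expression and Diego's LessThan-based type expression decode all six values, while the other two only decode the security-enabled values correctly, which is why the two posts differ. The function names and the group labels are constructed for the example.

```python
"""Added example: evaluate the two posted ILM custom-expression pairs for
group type/scope over the standard AD groupType values."""

# AD groupType flag bits (documented values); AD stores the attribute as a
# signed 32-bit integer, so the security-enabled combinations are negative.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def to_signed32(value: int) -> int:
    """Convert a 32-bit flag mask to the signed value AD exposes (0x80000002 -> -2147483646)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


# Stand-ins for the ILM sync-rule functions named in the thread (names kept
# as in the expressions so they read the same as in the portal).
def IIF(cond, if_true, if_false): return if_true if cond else if_false
def Eq(a, b): return a == b
def BitAnd(a, b): return a & b
def LessThan(a, b): return a < b
def GreaterThanOrEquals(a, b): return a >= b


# The four expressions exactly as posted, transcribed into the stand-ins.
def henrik_type(groupType):
    return IIF(GreaterThanOrEquals(groupType, -2147483646), "Security", "Distribution")

def henrik_scope(groupType):
    return IIF(Eq(BitAnd(2, groupType), 2), "Global",
               IIF(Eq(BitAnd(4, groupType), 4), "DomainLocal",
                   IIF(Eq(BitAnd(8, groupType), 8), "Universal", "")))

def diego_type(groupType):
    return IIF(LessThan(groupType, 0), "Security", "Distribution")

def diego_scope(groupType):
    return IIF(Eq(groupType, -2147483646), "Global",
               IIF(Eq(groupType, -2147483644), "DomainLocal", "Universal"))


def expected(groupType: int):
    """Reference decode straight from the flag bits: (type, scope)."""
    bits = groupType & 0xFFFFFFFF
    kind = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    if bits & GROUP_TYPE_GLOBAL:
        scope = "Global"
    elif bits & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "DomainLocal"
    elif bits & GROUP_TYPE_UNIVERSAL:
        scope = "Universal"
    else:
        scope = ""
    return kind, scope


# Constructed label -> groupType table covering the six standard combinations.
STANDARD_GROUPS = {
    "Global distribution": to_signed32(GROUP_TYPE_GLOBAL),
    "DomainLocal distribution": to_signed32(GROUP_TYPE_DOMAIN_LOCAL),
    "Universal distribution": to_signed32(GROUP_TYPE_UNIVERSAL),
    "Global security": to_signed32(GROUP_TYPE_GLOBAL | GROUP_TYPE_SECURITY_ENABLED),
    "DomainLocal security": to_signed32(GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_SECURITY_ENABLED),
    "Universal security": to_signed32(GROUP_TYPE_UNIVERSAL | GROUP_TYPE_SECURITY_ENABLED),
}

EXPRESSIONS = {
    "henrik_type": (henrik_type, 0),    # index 0 = type
    "henrik_scope": (henrik_scope, 1),  # index 1 = scope
    "diego_type": (diego_type, 0),
    "diego_scope": (diego_scope, 1),
}


def mismatches() -> dict:
    """Map each posted expression to the standard groups it decodes differently from the bits."""
    result = {name: [] for name in EXPRESSIONS}
    for label, gt in STANDARD_GROUPS.items():
        ref = expected(gt)
        for name, (fn, idx) in EXPRESSIONS.items():
            if fn(gt) != ref[idx]:
                result[name].append(label)
    return result


if __name__ == "__main__":
    for label, gt in STANDARD_GROUPS.items():
        print(f"{label:26} groupType={gt:12} henrik=({henrik_type(gt)}, {henrik_scope(gt)}) "
              f"diego=({diego_type(gt)}, {diego_scope(gt)}) expected={expected(gt)}")
    print(mismatches())
```

The BitAnd form is the one that generalises to all flag values because it tests one bit at a time; exact-value comparisons only hold for the specific security-group values they name.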
By 'Built-in Synchronization Account', are you referring also to the account that I see in the ILM Portal under users? The account I have listed there in the ILM Portal as the 'Built-in Synchronization Account' is not the account that is running the ILM MA, nor is it the account that I see in "C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config". It's also not the account that I see under the Microsoft Identity Lifecycle Manager Service "Log on as:".

Changing the account to reflect the 'Built-in Synchronization Account' I see in the ILM Portal in all of the places listed above results in me not being able to start the ILM Service, though. Any suggestions appreciated.
April 22nd, 2009 1:52am
Hi ucd_gms.
Can you tell me which accounts you have running each service and the accounts that appear at the portal?
- Identity Integration Service
- Identity Lifecycle Manager Service
- ILM Portal
Diego.
April 23rd, 2009 1:24am
Hey Diego,
For the two services above, I have:
Identity Integration Service -- Account 'A'
Identity Lifecycle Manager Service -- Account 'B'
For the ILM Portal, are you referring to the 'Built-in Synchronization Account'? If so, that is Account 'A'.
The account listed in C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config, however, is Account 'B'.

At some point in trying to implement an MS SQL to ILM strategy for creating and managing a collection of AD groups, the full synchronization of my ILM MA ceased to be functional. It stops the MIIS Service.... Grrrr. I've tried removing all of the changes I made through synchronization rules, but have not been able to resolve this issue. This is probably a separate issue, but I thought I'd mention it, since it started about the same time I began fiddling with service accounts and synchronization rules to solve the problems described in this post above.

Based on all of the problems I've had with using different service accounts, I'm tempted to build another server using just one account to rule it all.
Gary
April 23rd, 2009 8:33pm
Hi Gary!
I've had the same kind of problem where the engine stops and it reports a strange message; maybe you have got the same error in the Application Log?

Faulting application miiserver.exe, version 4.0.2173.0, time stamp 0x4906670b, faulting module miiserver.exe, version 4.0.2173.0, time stamp 0x4906670b, exception code 0xc0000005, fault offset 0x00000000000e8a6d, process id 0x%9, application start time 0x%10.

The only solution I've found to this is to remove the sync rules from the portal, delete the connector space (not the MA) and fill it again.
Henrik Nilsson - Cortego http://blog.softconstruction.se
April 23rd, 2009 8:40pm
Hi Gary.
I think that all the account issues have to be solved first. I have just been able to solve that after rebuilding the environment. So you have to choose whether to use 1 single account or 2 or more separate accounts. With the single account I guess all will run more smoothly. However, if you choose to run with separate accounts, here are some recommendations:
1. Install Identity Integration Service with Account A.
2. Important. Log in with Account B and then run ILM setup and install Identity Lifecycle Manager Service with Account B (Account B has to be a valid email address). If you use one account to log in, e.g. Account X, the ILM setup will suggest using Account X to be created at the ILM Portal; so it is better to log in as Account B before running ILM setup.
3. Then ensure that you change C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config to use Account B at the SyncEngineAccount key.

At the end, you will get:
- Account A running Identity Integration Service
- Account B running Identity Lifecycle Manager Service
- Also at ILM Portal you will get 2 WSS accounts:
  - 'Built-in Synchronization Account'
  - Account B

Note. As Henrik mentioned, the MIIS service stop can be solved by deleting all Sync Rules at the Portal. So I recommend you to get a regular full backup of the ILM DB, to rebuild the ILM service as required.
I hope this helps,
Diego.
April 23rd, 2009 10:36pm
Thanks, Diego,
I started a rebuild this morning. Still have to decide whether to use one or two accounts for now, but I appreciate the input. Hopefully this will eventually lead to my synchronization rules working as applied to AD group management.
Thanks again,
Gary
April 23rd, 2009 11:59pm
Let me explain the different service accounts. Here is a picture listing the different service accounts: http://cid-96f8c283a8725225.skydrive.live.com/self.aspx/Microsoft%20Forefront%20Identity%20Manager%202010/ServiceAccounts.jpg

The first one is the service account used by the FIM Synchronization Service. This is the account used by the Sync Engine itself. It only needs to be a user on the FIM Synchronization Service server and will be granted dbo permissions to the FIM Synchronization Service DB.

The second account is used by the FIM MA. This is the account used to transport information between the FIM Service DB and the FIM Synchronization Engine. When it is exporting, it is using the WebService interface. When it is importing, it is going to SQL. This account is also responsible for moving the Synchronization Service configuration to the FIM Service DB if it is changed on the Synchronization Service server. This account is granted the SQL role FIMSynchronizationService (ravendb_syncaccount in RC0) in the FIM Service DB. This account is specified in the config file described earlier in the thread. By RC1 we expect that we will identify this account by SID instead, so changing the config file directly will be hard. You would run a change install instead in RC1 to change this account. This account is special and AuthN and AuthZ will never run for it. Because of this, you should not install the product with the account you plan to use as the FIM MA account. If you try to log in with this account, the portal will not show any useful content.

The last account is the FIM Service account. This account is used by the FIM Service server and is used to process workflows and send email to Exchange (so it will need a mailbox). If you have several FIM Service servers, you should use the same account for all servers. This account is granted dbo permissions to the FIM Service DB.

You can use the same account for several purposes if you want to. However, the FIM MA account should not be used for installation or as the FIM Service service account.
/Andreas
April 27th, 2009 12:00am
If, like me, you go to configure the attribute flow in the FIM MA and can't find the member, membershipaddworkflow, membershiplocked, scope and type attributes in the data source attributes dropdown, go back to the select attributes page, tick "show all" and select them.
February 18th, 2010 11:59pm