New SQL MA not provisioning?
Hey all,
I'm going a little crazy here, as I believe I've followed all the necessary steps to create a new SQL MA and have user accounts provisioned to it, yet provisioning doesn't happen, with the ERE for MA having a status of "not applied". I wish this would say WHY it hasn't been applied...
Quick outline:
We've got a SQL Server 2008 database we've created, with a USERS table. We want to export users to it.
I've created the SQL MA for it, set it up as per MS documentation found online, including run profiles.
I've created a new sync rule, as documented below.
I've modified our existing action workflow that provisions users to our connected systems, adding in the necessary sync rule action.
I've done a full import, then full sync on the FIM Service MA.
I've updated our provisioning script which calls the run profiles via external vbs'
After this, I would expect to see some attempts at provisioning, when performing a provisioning cycle, but don't. Afterwards, looking at the ERL for a new user I've created to test this out, I see the ERE for the new MA shows as Not Applied.
Any ideas what's wrong here please?
Synchronization Rule Configuration
Name: UHDB - Out - Users
Description:
Created Time: 19/07/2011
Precedence: 1
Data Flow Direction: Outbound
Dependency:

Scope
Metaverse Resource Type: person
External System: FIM UHDB - Users
External System Resource Type: person

Relationship
Create Resource In External System: True
Enable Deprovisioning: True

Relationship Criteria
ILM Attribute | Data Source Attribute
accountName | USER_NAME

Persistent Outbound Attribute Flows
Allow Nulls | Destination | Source
false | USER_NAME | accountName
false | HIERARCHY_STATUS | CustomExpression(IIF(Eq(hierarchyStatus,"Active"),1,0))
false | OPERATIONAL_STATUS | operationalStatus
true | CREATED_DATE | createdTime
true | FAX_NUMBER | facsimileTelephoneNumber
true | EMAIL_ADDRESS | mail
true | USER_PRINCIPLE_NAME | mail
true | PRIMARY_CRM_PROFILE | primaryCRMProfile
true | SPEED_DIAL | speedDial
true | UPDATED_DATE | updatedDate
true | VALID_FROM | validFrom
true | VALID_TO | validTo
true | ENTERPRISE_GUID | enterpriseGUID
true | FEE_EARNING | feeEarning
true | FIRST_NAME | givenName
true | JOB_TITLE | jobTitle
true | MOBILE_TELEPHONE_NUMBER | mobilePhone
true | PERSONAL_TITLE | personalTitle
true | xxx | xxx
true | LAST_NAME | sn
true | TELEPHONE_NUMBER | telephoneNumber

The USERS table in the database is pretty simple. Here's the definition:
CREATE TABLE [uh].[USERS](
    [ID] [int] IDENTITY(1,1) NOT NULL,
    [ENTERPRISE_GUID] [varchar](50) NULL,
    [PERSONAL_TITLE] [nvarchar](255) NULL,
    [FIRST_NAME] [nvarchar](255) NULL,
    [LAST_NAME] [nvarchar](255) NULL,
    [PERSONAL_SUFFIX] [nvarchar](255) NULL,
    [USER_NAME] [nvarchar](255) NULL,
    [USER_PRINCIPLE_NAME] [nvarchar](255) NULL,
    [VALID_FROM] [datetime] NULL,
    [VALID_TO] [datetime] NULL,
    [xxx] [nvarchar](255) NULL,
    [SPEED_DIAL] [nvarchar](255) NULL,
    [PRIMARY_TEAM_WEIGHTING] [int] NULL,
    [FEE_EARNING] [bit] NOT NULL,
    [EXTENDED_LEAVE_STATUS] [nvarchar](255) NULL,
    [LEAVE_START_DATE] [date] NULL,
    [LEAVE_END_DATE] [date] NULL,
    [JOB_TITLE] [nvarchar](255) NULL,
    [OPERATIONAL_STATUS] [nvarchar](255) NULL,
    [EMAIL_ADDRESS] [nvarchar](255) NULL,
    [PRIMARY_CRM_PROFILE] [nvarchar](255) NULL,
    [TELEPHONE_NUMBER] [nvarchar](255) NULL,
    [MOBILE_TELEPHONE_NUMBER] [nvarchar](255) NULL,
    [FAX_NUMBER] [nvarchar](255) NULL,
    [JOB_TYPE] [nvarchar](255) NULL,
    [ORGANISATIONAL_ROLE_ID] [int] NULL,
    [MANAGER_ID] [int] NULL,
    [HIERARCHY_STATUS] [bit] NOT NULL,
    [CREATED_BY] [nvarchar](255) NULL,
    [CREATED_DATE] [date] NOT NULL,
    [UPDATED_BY] [nvarchar](255) NULL,
    [UPDATED_DATE] [date] NULL,
    CONSTRAINT [PK_USERS] PRIMARY KEY CLUSTERED
    (
        [ID] ASC
    ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
Provisioning works fine for our other connected systems.
July 19th, 2011 10:46am
Hi there Amethi,
I would normally refer you to Mr Vilcinskas' FIM Synchronization Troubleshooting wiki article.
Have you enabled 'Synchronization Rule Provisioning' and configured ERL attribute flows within the FIM Service MA?
Cheers
Tom Houston, HP Enterprise Services - UK Identity Management Practice
July 19th, 2011 11:01am
Hi Thomas, yes.
Provisioning works fine for our other three systems. It's just this new one which is failing.
July 19th, 2011 11:03am
and have user accounts provisioned to it, yet provisioning doesn't happen
To be clear, are there any objects in the SQL MA CS?
Tom Houston, HP Enterprise Services - UK Identity Management Practice
July 19th, 2011 11:09am
No, it's a completely empty database, and the CS is completely empty (did do a full import and full sync to do initial discovery).
July 19th, 2011 11:12am
There are no errors in the Request History, or any in the Event logs of the FIM Service or Synchronisation Manager servers.
Well, I say there are no errors, but I've just seen this one in the FIM Service server event log. There's five such errors in succession, ranging back half the day:
Requestor: urn:uuid:fb89aefa-5ea1-47f1-8890-abe7797d6497
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException' was thrown.
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateObjectAttributes[T](String objectTypeName, IEnumerable`1 parameters, OperationType operationType)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)
I have no idea if this is related or not though.
Edit: No, don't think this is related. It correlates with another user import operation that was denied for a known reason.
July 19th, 2011 11:15am
Ok, so user objects exist in the MV, but are not provisioning into the SQL MA's CS during sync.
What were you planning with your anchor? Are you generating an anchor or allowing SQL to..?
Tom Houston, HP Enterprise Services - UK Identity Management Practice
July 19th, 2011 11:21am
That's right Thomas, the object is in the MV.
The anchor is the ID column in the database. This is a standard identity auto-increment column.
July 19th, 2011 11:36am
Do you have one or more attributes configured as "initial flow only"? I think this is also a trigger for provisioning. If these are absent the rule might remain as "not applied".
http://setspn.blogspot.com
July 19th, 2011 11:47am
When using an auto-incremented identity column, & dealing with a CDS that generates the anchor...
With classical provisioning, I construct a temporary DN value & set it before calling csentry.CommitNewConnector();
Looks like this may also be required with declarative provisioning - can you give it a go & let us know how you get on.
Cheers
Tom Houston, HP Enterprise Services - UK Identity Management Practice
July 19th, 2011 12:33pm
Correct. Flow the csObjectID to the dn and mark it as initial flow only. This will allow the connector to be provisioned.
July 20th, 2011 3:53am
Thanks Paul, and everyone that helped, I've now got provisioning working! :)
Well, there's some data-type mis-matches, but nothing I can't work through. Thanks again.
July 20th, 2011 5:11am
When using an auto-incremented identity column, & dealing with a CDS that generates the anchor...
With classical provisioning, I construct a temporary DN value & set it before calling csentry.CommitNewConnector();
Looks like this may also be required with declarative provisioning - can you give it a go & let us know how you get on.
Yep, this is correct -
Provisioning objects to a SQL data source that is authoritative for the anchor value
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 20th, 2011 10:53am
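The classical-provisioning approach mentioned in the thread (set a temporary DN before calling csentry.CommitNewConnector()), as an added example that is not code from any poster here. The MA name, object type and attribute names are taken from the sync rule in the question; using a GUID as the temporary DN value is an assumption.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    // Metaverse rules extension for classical (code-based) provisioning.
    public class MVExtensionObject : IMVSynchronization
    {
        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            // Only person objects are in scope, matching the sync rule in the question.
            if (mventry.ObjectType != "person") return;

            // MA name as shown under "External System" in the question.
            ConnectedMA ma = mventry.ConnectedMAs["FIM UHDB - Users"];

            // Already connected to the SQL MA: nothing to provision.
            if (ma.Connectors.Count > 0) return;

            // USER_NAME is the relationship attribute; do not provision without it.
            if (!mventry["accountName"].IsPresent) return;

            CSEntry csentry = ma.Connectors.StartNewConnector("person");

            // Temporary DN only (assumption: any unique string will do).
            // The database generates the real ID, the anchor, when the row is inserted.
            csentry.DN = ma.CreateDN(Guid.NewGuid().ToString());

            // Initial value for the join attribute; the remaining columns are
            // populated by the MA's export attribute flows.
            csentry["USER_NAME"].Value = mventry["accountName"].Value;

            csentry.CommitNewConnector();
        }

        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            // Object deletion is not handled by this example.
            throw new EntryPointNotImplementedException();
        }
    }
}
```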


