Monday, January 21, 2013

FIM Portal Scripting error

You may find yourself or your users with an ugly Script Error dialog when using the portal, particularly when using controls that require popups like the Identity Picker control. You might see something like this:

An error has occurred in the script on this page.
Line: 205
Char: 5
Error: Object doesn’t support this property or method
Code: 0
URL: https://myfimportal/_layouts/images/MSILM2/Scripts/IdentityPicker.js?v=1075712000

You may see this more now than in the past given the heightened state of awareness around Java vulnerabilities, as people tend to crank up the paranoia settings a bit. In this case, the culprit is the Pop-up Blocker being enabled in the Security settings of the zone you’re in. By default your FIM portal should be in Local intranet, which defaults to security level Medium-low. As soon as you bump up to Medium or higher you’ll hit the “Use Pop-up Blocker – Enable” setting on that zone and controls like this one will fail.

Resolution

To fix or workaround the issue you have several options:

  • Reset security back to defaults (Medium-low for Local Intranet)
  • Override the zone setting for Pop-up Blocker and set to Disabled
  • Leave everything on and set an exception for your FIM Portal

To set the exception, open the Privacy tab under Internet Options and click the Settings button next to Turn on Pop-up Blocker. In the Address of website to allow control, add your site and click the Add button. This will allow you to keep your settings cranked up to 11 and still get to the FIM Portal.
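The same check and exception, scripted for the current user as an added example (not from the original post). It assumes Local intranet is zone 1, that registry value 1809 is the zone’s “Use Pop-up Blocker” setting (0 = Enable, 3 = Disable), that the Pop-up Blocker allow list lives under Internet Explorer\New Windows\Allow as binary values named by host, and that myfimportal is a placeholder host name.

```powershell
# Added example: report the Local intranet zone's pop-up blocker state and, if it is
# enabled, add an allow-list exception for the FIM Portal host rather than lowering
# the zone's security level. Registry locations and value semantics are assumptions
# described in the lead-in.

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$AllowKey = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows\Allow'

function Get-IntranetPopupBlockerState {
    # Returns 'Enabled', 'Disabled' or 'NotSet' for the Local intranet zone (zone 1).
    $item = Get-ItemProperty -Path $ZonesKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties['1809']) { return 'NotSet' }
    switch ([int]$item.'1809') {
        0       { 'Enabled' }
        3       { 'Disabled' }
        default { "Unknown($($item.'1809'))" }
    }
}

function Add-PopupException {
    # Adds a host to the Pop-up Blocker allow list, equivalent to the
    # "Address of website to allow" dialog. $Host is a PowerShell automatic
    # variable, so the parameter is named SiteHost.
    param([Parameter(Mandatory)][string]$SiteHost)
    if (-not (Test-Path $AllowKey)) { New-Item -Path $AllowKey -Force | Out-Null }
    $existing = Get-ItemProperty -Path $AllowKey -ErrorAction SilentlyContinue
    if ($existing -and $existing.PSObject.Properties[$SiteHost]) {
        Write-Host "$SiteHost is already on the pop-up allow list"
        return
    }
    # Assumption: IE keys on the value name; the binary data itself is not meaningful.
    New-ItemProperty -Path $AllowKey -Name $SiteHost -PropertyType Binary `
        -Value ([byte[]](0, 0, 0, 0)) | Out-Null
    Write-Host "Added $SiteHost to the pop-up allow list; restart Internet Explorer"
}

$state = Get-IntranetPopupBlockerState
Write-Host "Local intranet 'Use Pop-up Blocker': $state"
if ($state -eq 'Enabled') {
    Add-PopupException -SiteHost 'myfimportal'   # placeholder host name
}
```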

Wednesday, May 16, 2012

FIM Sync Installation fails with Invalid object name 'mms_management_agent'. Access is denied

Found this error today while installing the FIM Synchronization Service:

Error 25009.The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. Access is denied.

This turned up an old post of mine that matched the error:

http://www.identitychaos.com/2009/09/issues-with-sql-server-in-windows-2008.html

…but that wasn’t the cause. This is probably an edge case, but in this particular situation it was due to the image not having been SysPrep’d.  This error turned up in the System Log which led us to the resolution:

Event ID: 5516
The computer or domain FOO trusts domain BAR. (This may be an indirect trust.) However, FOO and BAR have the same machine security identifier (SID). NT should be re-installed on either FOO or BAR

Refer to Brian Desmond’s blog here for proper SysPrep techniques:

http://briandesmond.com/blog/how-to-sysprep-in-windows-2008/
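A pre-installation check for the duplicate-SID condition behind event 5516, as an added example (not from the original post or from Brian Desmond’s blog). It derives each server’s machine SID from the account-domain portion of a local account’s SID, and assumes WMI/CIM access to the remote hosts; FOO and BAR are the placeholder names from the event text.

```powershell
# Added example: compare machine SIDs across servers so a cloned, un-SysPrep'd image
# is caught before FIM Sync setup tries to configure its database.

function Get-MachineSid {
    # The machine SID is the SID of any local account with the RID stripped off.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $params = @{ ClassName = 'Win32_UserAccount'; Filter = 'LocalAccount=True' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $params.ComputerName = $ComputerName }
    $acct = Get-CimInstance @params | Select-Object -First 1
    if (-not $acct) { throw "No local accounts returned from $ComputerName" }
    ([System.Security.Principal.SecurityIdentifier]$acct.SID).AccountDomainSid.Value
}

function Test-DuplicateMachineSid {
    # Returns $true when every listed computer has a distinct machine SID,
    # otherwise warns for each duplicate group and returns $false.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $sids = foreach ($c in $ComputerName) {
        [pscustomobject]@{ Computer = $c; Sid = Get-MachineSid -ComputerName $c }
    }
    $dupes = @($sids | Group-Object -Property Sid | Where-Object { $_.Count -gt 1 })
    foreach ($g in $dupes) {
        Write-Warning ("Duplicate machine SID {0} on: {1}" -f $g.Name, ($g.Group.Computer -join ', '))
    }
    return ($dupes.Count -eq 0)
}

# Usage with the placeholder names from the event text:
# Test-DuplicateMachineSid -ComputerName 'FOO', 'BAR'
```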

Monday, April 30, 2012

FIM Security–The management agent failed to validate against the application store with the specified credentials

Last week I ran into the following event log error after applying some GPO lockdown policies:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          4/25/2012 10:52:34 AM
Event ID:      6309
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      fimsync.contoso.com
Description:
The server encountered an unexpected error while performing an operation for a management agent.

"BAIL: MMS(5612): manhost.cpp(713): 0x80230709 (The extension operation aborted due to an internal error in FIM Synchronization Service.)
BAIL: MMS(5612): nathost.cpp(198): 0x80231317 (The management agent failed to validate against the application store with the specified credentials.)
BAIL: MMS(5612): cntrler.cpp(543): 0x80231317 (The management agent failed to validate against the application store with the specified credentials.)
BAIL: MMS(5612): ma.cpp(3668): 0x80231317 (The management agent failed to validate against the application store with the specified credentials.)

Forefront Identity Manager 4.0.3606.2"

This can manifest itself in the following ways:

  • The event log error above
  • Run Profile failures on the FIM MA with the same error text

This can happen if you’ve inadvertently denied access to the FIM MA account while applying group policy. There are two policies where you need to ensure you aren’t clobbering this account:

  • Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally – if you take a restrictive approach and only specify “Administrators” then you will see this
  • Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on locally – if you specify a group containing the FIM MA account then you’ll see this

This is consistent with the following TechNet article – Before You Begin, as part of the Installation Guide.
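A way to audit the two user rights on the FIM Sync server before or after a GPO change, as an added example (not from the original post). It exports the effective local policy with secedit, resolves the SIDs listed for “Allow log on locally” (SeInteractiveLogonRight) and “Deny log on locally” (SeDenyInteractiveLogonRight), and checks the FIM MA account against them; the account name is a placeholder, the script needs to run elevated, and group membership is not expanded, so a deny applied through a group still has to be checked by hand.

```powershell
# Added example: verify the FIM MA account is not clobbered by the two
# User Rights Assignment policies named above.

function Get-UserRightAssignments {
    # Returns a hashtable: privilege name -> array of principal names (SIDs resolved).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $priv  = $Matches[1]
            $names = foreach ($p in ($Matches[2] -split ',')) {
                $p = $p.Trim()
                if ($p.StartsWith('*')) {
                    # Entries like *S-1-5-32-544 are SIDs; translate where possible.
                    try {
                        ([System.Security.Principal.SecurityIdentifier]$p.Substring(1)).
                            Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $p.Substring(1) }
                } else { $p }
            }
            $rights[$priv] = @($names)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-FimMaLogonRights {
    # Returns $false if the account is explicitly denied local logon; warns if it
    # is not directly granted it (it may still be granted via a group).
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\svc-fimma' (placeholder)
    $rights = Get-UserRightAssignments
    $allow  = @($rights['SeInteractiveLogonRight'])
    $deny   = @($rights['SeDenyInteractiveLogonRight'])
    $ok = $true
    if ($deny -contains $Account) {
        Write-Warning "$Account is in 'Deny log on locally': $($deny -join ', ')"
        $ok = $false
    }
    if ($allow -notcontains $Account) {
        Write-Warning "$Account is not directly in 'Allow log on locally'; granted to: $($allow -join ', ')"
    }
    return $ok
}

# Usage: Test-FimMaLogonRights -Account 'CONTOSO\svc-fimma'
```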

Tuesday, February 28, 2012

Update Rollup 2 (build 4.0.3606.2) is available for Forefront Identity Manager 2010

Update Rollup 2 is available now and there are lots of goodies available including:

  • Extensible Connectivity Management Agent 2 Framework (ECMA 2) – this is the new XMA framework which removes many of the previous limitations on writing your own MA (now just called Connectors!)
    NOTE: If you are upgrading from the RC version of ECMA2 then you will have some manual steps; please see the KB article for more info
  • Password Reset (via FIM Sync) obeys the UserCannotChangePassword flag in AD – self-service resets will now obey this setting
  • Rules extensions now support .NET 4.0 – compile your projects targeted for .NET 4
  • SQL Wildcard update in build 4.0.3594.2 has been reversed – support for underscore, percent and square bracket is back, the same as in the previous 4.0.3576.2 build
  • Set Partitioning and Tabular Functions – this feature fixes some scalability issues with large complex “OR” filters in dynamic groups and sets;
    NOTE: You will need to execute a stored procedure to enable this, refer to the KB article for more information


Wednesday, November 23, 2011

Forefront Identity Manager 2010 R2 Release Candidate Now Available

Cross-posting from the Server and Cloud blog:

Microsoft is pleased to announce the availability of Forefront Identity Manager 2010 R2 release candidate. It is available for download from Microsoft Connect, as described below.

This release candidate includes new and updated features for FIM 2010 R2:

  • Historical reporting using integration to the System Center Service Manager data warehouse
  • Web-based Self-Service Password Reset
  • Scale and performance improvements
  • Outlook® 2010 support for the FIM add-ins and extensions and SharePoint® 2010 support for the FIM Portal

In particular, this release candidate introduces numerous functional improvements, including:

  • New authentication gates for self-service password reset
  • Additional reports
  • Extensible Connectivity Management Agent 2

For complete information, see the Release Notes and feature-specific documents.

If you have already joined the FIM 2010 Community Evaluation Program or downloaded the beta, you can obtain FIM 2010 R2 RC from the FIM 2010 Connect web site. The downloads link is in the left column.

To join the program and download the software, click here. Once you answer the survey questions, the Connect site will auto-approve your access.

Thanks,

Mark Wahl

Principal Program Manager

Forefront Identity Manager 2010 R2 Release Candidate Now Available - Microsoft Server and Cloud Platform Blog - Site Home - TechNet Blogs

Tuesday, November 22, 2011

UAG “Activation will start soon” stuck when joining a node to the array

This one terrorized me all day and just wouldn’t go away no matter what I did:

(screenshot: UAGError)

As it turns out, this is a symptom of having your nodes on different patch levels of UAG. The first node was SP1 with Update 1 while the second node only had SP1 applied. After applying Update 1 to the second node the array converged once I activated the configuration again.

I borrowed the following list from Ben Ari’s blog:

Here are some links that are related to these releases: