FIMSpecialist

Author: RossDCurrie

  • CustomizedObjects.aspx: Unable to process your request

    Having recently performed a FIM 2010 R2 SP1 Upgrade, I was then required to apply some changes made in an earlier release using the FIM 2010 Migration scripts. In hindsight, I probably should have done this in reverse order (apply changes, then upgrade), as the changes.xml file contained a bunch of deletions related to specific R2 SP1 functionality. Anyway, I cleaned up the XML, ensuring it contained only changes relevant to the development work, but after deploying, I was receiving this error when trying to access  ~/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=CustomType&display=CustomType from my FIM Navigation Bar:

    Customized Objects Error

    Interestingly, this error only seemed to present for one type of custom resource type – I had one which worked fine, and one which did not. After checking all the MPR permissions around my custom object type, I went into Administration->All Resources and tried to view the resources through there. Same error presented. Not surprising, since I think this page uses CustomizedObjects.aspx also, but this made it obvious that there was something else going on here. I could even create a test custom object and CustomizedObjects.aspx worked fine for it.

    The surprising part, to me, was that nothing of use was showing in Event Viewer – just an error saying something was wrong – and even when I enabled verbose logging, nothing turned up. Finally, I went into Administration->Schema Management and compared my initial two custom resource types. I noticed pretty quickly that there was some vital  schema elements missing from my resource type that wasn’t working:

    • Created Time
    • Creator
    • Deleted Time
    • Description
    • Detected Rules
    • Display Name
    • Expected Rules
    • Expiration Time
    • Locale
    • MV Resource ID
    • Resource Time
    • Resource Type

    Now, looking at the attributes missing, it’s pretty obvious why CustomizedObjects.aspx wasn’t working for my custom resource type – these are the base attributes used by the system! The only thing that I can imagine happened is that when I was modifying changes.xml for my schema, I must have removed any references to these attributes by accident… though looking back, I don’t recall modifying the schema changes much at all.

    Regardless, once I added these attribute bindings back in through Schema Managemet, my CustomizedObjects.aspx started working again and my issue was resolved. This is a pretty obscure one, so I doubt anyone will encounter it in the future, but listing it here just in case.

  • FIM R2 SP1: FIM Service and Portal Setup Wizard ended prematurely

    Recently, I had to perform an upgrade to FIM 2010 R2 SP1 from FIM 2010 (pre-R2) in a development environment. After a few issues performing the upgrade, I was installing  the FIM 2010 R2 SP1 Service and Portal on SharePoint Foundation 2013 and I kept running into the error: Forefront Identity Manager Service and Portal Setup Wizard ended prematurely.

    Forefront Identity Manager Service and Portal Setup Wizard ended prematurely

    Background

    Because I was upgrading directly from FIM 2010, I couldn’t use the R2 to R2 SP1 Update from KB2772429, which requires you to already be running FIM 2010 R2 build 4.1.2273.0 or later, so I had to perform an upgrade using the full installation media. My FIM Sync Service installation detected it was an upgrade and went through fine. Very pain free! However, when I installed the FIM Service and Portal, it didn’t seem to detect my existing installation. When I told it to proceed anyway, and told it to use my existing database, it didn’t install the SP1 Portal, it just uninstalled my existing Portal instead.

    This was a bit weird, but since my Portal had already been uninstalled anyway, I decided I’d give it another try, but this time take it as an opportunity to upgrade to SharePoint Foundation 2013.

    Installing FIM 2010 R2 SP1 on SharePoint Foundation 2013

    I referred to the Microsoft documentation regarding Installing FIM 2010 R2 on SharePoint Foundation 2013 and found it to be pretty pitiful. In fact, there really doesn’t seem to be any benefit to using SPF2013 with FIM unless you’re running Windows Server 2012 (no SPF2010 support until SP2), and several reasons not to (I’ll get to that in a later post) but I was committed by this stage.

    The main hurdle was that Classic Authentication has been deprecated in SPF 2013 and removed from the GUI options for creating a web application. Since FIM 2010 doesn’t support Claims-Based authentication, you have to create the web application using the SharePoint 2013 Management Shell. Of course, the “Standalone” installation method with SPF2013 pre-installs your application with Claims Based, so you first need to delete  that web application, then create another one via the Management Shell… anyway, all things for a later post.

    FIM R2 SP1: FIM Service and Portal Setup Wizard ended prematurely

    In true FIM fashion, this error is about as undescriptive as they come. So, in order to delve a little deeper, I executed the installation exceutable with verbose logging switched on:

    msiexec /i “Service and Portal.msi /L*v “c:\temp\file.log

    This time, when the installer ran, I was able to glean a bit more information:

    MSI (s) (54:1C) [14:26:22:593]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2922.tmp, Entrypoint: AddServiceToPerformanceMonitors
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI2922.tmp-\
SFXCA: Binding to CLR version v2.0.50727
Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.AddServiceToPerformanceMonitors
Adding FIMService account to 'Performance Monitor Users' group
Property name = 'ServiceAccount', value = 'ourDomain\FIMService'.
DomainName='ourDomain'
AccountName='FIMService'
Domain AD found
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable.

   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:26:25: InstallExecute. Return value 3.

    Note the three bolded bits: While trying to add the FIMService account to the Performance Monitors group, the ChangeUserMembershipInGroup method throws “The RCP Server is unavailable”. I put this information up on a post I started on Microsoft Technet and was also able to find another post by Robin Gaal over at Traxion who had been having a similar issue when upgrading to FIM 2010 R2, which I posted on to see if he could provide more detail.

    Between the two posts, the three bits of advice that came back were:

    1. Ensure you’re using a domain user and a local admin
      Well, the account I was using was a domain user, a domain admin, a local admin and domain admins were also in the local admins group. I was also running the installer as administrator. I ruled this one out pretty quickly, but was good to do a sanity check.

    2. Check for AD Security customisations 
      This one came from Glenn Zuckerman at Microsoft in reply to my Technet post, who had debugged a similar issue and found that it was caused by some AD changes made in order to lock down security in the organisation. The result of these changes was that “the ‘Authenticated Users’ group had been removed from the Pre-Windows 2000 Compatible group” – so, another permissions issue.  I had a look at our AD, but couldn’t see anything obvious that would cause any issues with performing the necessary tasks – I mean, I was able to add the user manually to that group, using the same user account performing the installation.
    3. DNS Suffix Incorrectly Configured – SUCCESS!
      Robin Gaal had previously reported in his post that this was the issue behind their installation issue and that he was able to resolve it, so I asked him for some more detail. It turns out, his situation was very similar to mine – he was installing the FIM Service and Portal into a Test/Acceptance environment, where the default server configuration was registering the server to the  production domain. The solution was as easy as going into the advanced settings for the server’s network adapter, and changing the DNS settings:
      FIM 2010 R2 SP1 DNS Settings

    Of course, when I tried this, the FIM Service and Portal installed perfectly first try, and I was even able to use and upgrade my existing database (which took almost no time at all to upgrade). Success!!

    Overall, a very frustrating installation experience – I’d planned the upgrade to take two days, which I thought was pretty generous, and it ended up taking me about 7. The good news is, I learnt a lot about installing and configuring SharePoint Foundation 2013, as well as some new tricks for debugging FIM installations. Thanks to the folks on the Technet forums for their help, particularly Robin Gaal, Glenn Zuckerman and Varun Kohli.

    FIM Service and Portal Installation Completed

  • OCG to host Redmond Identity, Access, and Directory Knowledge Summit 2014

    Just over a month ago, in January 2013, I had the extreme luck and pleasure to be able to attend the first annual Redmond IAM Summit, hosted by the Oxford Computer Group at the Microsoft campus in Redmond, Seattle. I say luck, because I live in Perth Western Australia – and it was only by chance that I was passing through Seattle around the same time the summit was on, on the way home from visiting family in Canada. Having attended this year, I’ve just received an e-mail inviting me to register for the 2014 summit, and it looks like OCG are stepping things up a notch, as this year’s conference isn’t just IAM, but also directory.

    This isn’t a huge surprise, as with the recent announcement that The Experts Conference (TEC), the conference that was all things FIM, IAM and Directory, is no longer happening, there’s a huge gap to fill. And, OCG are extremely well placed to fill that gap, being what most would consider the premier global Microsoft Partner when it comes to FIM.

    With regards to this year’s conference, the thing I enjoyed most was the networking opportunities it afforded. I got to meet people like Dave Lundell, Craig Martin and other names I’ve seen posting for years, as well as a number of the OCG and other consultants from across North America. Content-wise, I would have liked to have seen more FIM-specific content – I’ve never been to TEC, but from what I see of the presentation briefs, TEC’s content appears to be more targeted at consultants working in the field, while I guess I felt the IAM summit was more targeted at clients. I’m sure that will change as the summit grows, however.

    Another interesting thing I found about the conference was seeing some of the case studies presented. Overall, I found they tended to be a lot more simple than some of the solutions I’ve had to deploy. I had previously thought that no FIM deployment was simple – now I am beginning to wonder if there really are solutions that are as simple as out-of-the-box deployment.

    Anyway, the early bird rate for this year’s conference is $US650 – people who attended this year get a discount on top of that if they register via March 31 (you should have received an e-mail from OCG explaining this). Registration is here. It’ll be interesting to see how much bigger a event this will be in 2014 in the wake of TEC’s demise.

  • Now Offering ECMA 2.0 Development Services

    With the number of FIM 2010 implementations growing at a staggering rate, the variety of systems that FIM is being used to integrate with is similarly growing. To meet the rising need for customised FIM Management Agents, and recognising that not every organisation has the in-house capability to develop its own, I am now offering Custom ECMA 2.0 MA Connector Development.

    Furthermore, for organisations that already have their own xMA’s built using the original ECMA 1 framework, but who are concerned about its recent deprecation, I am also now offering ECMA 1 to ECMA 2.0 Upgrade services. Upgrading early will not only ensure you are protected against when this functionality finally becomes obsolete, but it will also allow you to take advantage of some of the new functionality provided by the ECMA 2.0 framework.

    If you’re interested in taking advantage of either of these services, please view the “Our Services” menu in the top right, or refer directly to my Contact page.

  • What’s New in FIM 2010 R2 Sp1 and Release Notes

    Looks like Microsoft have uploaded the Release Notes for FIM 2010 R2 SP1 and also a “What’s New” page describing all the new features.

    Key improvements that stand out to me in this release are:

    • Improvements in the upgrade process from FIM 2010 to FIM 2010 R2, including significant performance enhancements to the database upgrade. This will only be relevant for those not yet running R2 yet.
    • Improvements mentioned in my last post on the MA’s for Active Directory Domain Services, FIM Service Management Agent, and Extensible Connectivity 2.0to with regards to importing reference (group) objects.
    • Deferred Evaluation for criteria-based groups configured in the FIM Portal – ie, a single group can be configured to evaluate only on a certain schedule.
    • ECMA 2.1 released with minor changes.
    • Minor changes to Powershell cmdlets.
    • Support for various ‘2012’ Software components – MA support for AD 2012, SQL Server 2012; Environment support for Windows Server 2012, SQL Server 2012, Visual Studio 2012 (.NET 4.5 support added), Sharepoint Foundation 2013 etc.

    Some interesting stuff in here. I’m glad to see that it appears you can update directly from FIM 2010 to R2 SP1 without upgrading to R2 first (as I’m currently in a situation where I need to do this). Will be keen to get it installed and to start playing with some of those new features!

    Source: What’s New in FIM 2010 R2 Sp1

    Source: Release Notes for FIM 2010 R2 SP1

  • FIM 2010 R2 SP1 Released!

    Am currently attending the first annual Oxford Computer Group Redmond Identity, Access & Directory Summit at Microsoft HQ. In a talk given by Andreas Kjellman a few minutes ago, he announced FIM 2010 R2 SP1 just went public – no KB or release notes, but you can download via your MSDN subscriber benefits.

    A number of benefits in the service pack, including support for 2012 releases (Sharepoint and so forth). More details sure to follow with the KN, but main benefits I see are the further enhancements to group management performance on the AD and ECMA2 MA’s. Apparently the groups went 2.4x faster on their sample set.

    Update: Spoke to Andreas again later last night – he expressed that this really is just a service pack, so don’t expect a lot of new functionality – the real focus was on providing compatibility. Probably one thing which will interest people however is that System Center 2012 is now supported for the FIM reporting, whereas pre-SP1 you were limited to System Center 2010 SP1 (and indeed, the EULA actually said you weren’t permitted to use 2012, not that it worked anyway). Anyway, I’m sure that will come in handy for some people.