#MIM2016 Troubleshooting: SQL Connection issues

On TNWiki you’ll find my latest article on MIM 2016 troubleshooting.

MIM 2016 Troubleshooting: SQL Connection issues

This week I got (dragged into/) involved in a MIM 2016 performance troubleshooting, on a test / dev server, facing a large bunch of errors.

The first detection happened on the sync server, but apparently rather it’s twin brother was causing the issues.

It became pretty quickly obvious that MIM was not able to connect to (one of) it’s databases on the SQL server, so the sync engine was unable to pull information from the MIM service.

Also bizar, we could still work on the MIM sync GUI, but almost any MA action in the GUI failed…

Furthermore the Portal did not respond and finally the “MIM Service” service, didn’t behave as expected, not willing to start.

The event viewer contained the obvious amount of errors…

Finally,  the SQL DBA to the rescue.

I’ve added a lot of significant technical event info into the article, to make it easy to search for you, for later reference.

Read the tech details in: MIM 2016 Troubleshooting: SQL Connection issues

Updated: 2020-12-29

Note-to-self: #MIM2016 & #FIM2010 Config documenter released on GitHub

Source: Announcement on MIM 2016 Group on LinkedIn by  Jef Kazimer

Source Code: https://github.com/Microsoft/MIMConfigDocumenter

Jef announced that the Identity Community Projects team has published the MIM Config Documenter tool to the Microsoft GitHub Organization as an open source community project.

The MIM configuration documenter is a very nice and easy tool to generate documentation of a MIM / FIM synchronization or service installation.

It allows to: 

• Document deployment configuration details for the MIM / FIM solution, including MIMWAL Workflow definitions
• Track any configuration changes you have made since a specific baseline
• Build confidence in getting things right when making changes to the deployed solution

You can find the project code, releases, and documentation at https://github.com/Microsoft/MIMConfigDocumenter

 

#MIM2016 Troubleshooting: Uninstall fails with error – Administrator privileges are required to run installer. Please re-launch installer with administrator privileges.

I’ve got a new post up on TechNet Wiki about MIM2016 troubleshooting:

Full version at the TNWIKI: MIM2016/FIM2010 Troubleshooting: Uninstall fails with error – Administrator privileges required

Feel free to add useful information yourself, I’m looking forward to your feedback and cooperation to make it better.

The short version is below.

Rikard Strand has published a similar article, which has served as baseline for this article. Rik’s article is focussed on DirSync, but the troubleshooting below is more widely applicable and even programs not related to FIM/MIM/DirSync…

When you try to uninstall or to change the component from the Control Panel > Programs (Uninstall a program), you get a error pop up, saying:

Administrator privileges are required to run installer. Please re-launch installer with administrator privileges.

 

There are some troubleshooting steps, including running the Control Panel in administrator mode.

 

If that doesn’t work, you need to find the uninstaller info in the registry and run the msiexec command with the uninstaller info.

Open the registry editor and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

In this directory you’ll find the installed programs with their GUID, which is mostly fixed per application.

Eg

• MIM 2016: {5A7CB0A3-7AA2-4F40-8899-02B83694085F}
• DirSync/AADConnect: {C9139DEA-F758-4177-8E0F-AA5B09628136}

And finally, the quick and dirty option is to kill the uninstall registry key before your run the uninstall from the control panel again

In case of MIM2016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A7CB0A3-7AA2-4F40-8899-02B83694085F}

 

You know the usual warning: I didn’t tell you to delete the registry key.

Last update: 2020-12-30

Note-to-self: Hotfix rollup package (build 4.4.1459.0) is available for #MIM2016 SP1

Microsoft has released an hotfix for MIM2016 SP, with an awful lot of updates and improvements.. to much to list… but more to read:

See here: https://support.microsoft.com/en-us/help/4012498/hotfix-rollup-package-build-4-4-1459-0-is-available-for-microsoft-iden

Last update: 2020-12-30

Protecting your #FIM2010/#MIM2016: Core account type differentiators

When handling solutions in the identity & access management area (and practically speaking working with FIM/MIM), a very basic discussion is always coming back: which types of accounts do you need?
It’s seems a trivial question but you can apply it to different areas of the solution, both from a technical as from a logical perspective…

When talking about the technical perspective, I’m looking at securing your technical implementation.

A more practical question would be: what user accounts do I need to prepare before I start implementing my IAM solution? What is needed to implement my solution in a secure, but manageable way, with respect to principles of “segregation of duties” and “least-privilege“, but also “due care”, “due governance”…

With a bit of experience (referring to the installation requirement of a typical FIM/MIM configuration), you can easily list at 5 categories of accounts you need:

1. installer accounts: typically administrator accounts to run the setup, with some privileges on the server and back-end systems to get the server components running
2. service accounts: account that will be configured on applications running continuously in the background (FIM Sync service, FIM Service service, SQL Database services
3. account that are not running full time in the background, but run a technical task now and then, not continuously, but automated without user interaction (eg like the FIM Sync run profile scheduling, …)
4. personal accounts, that logon to the desktop, what every single person is using to do his daily job and IT work (logging on on your laptop, remotely connecting to the server,… )
5. personal administrator accounts: that logon to the desktop, or to the server desktop for highly priviledged IT work (logging on your laptop as admin, connecting to the server as admin, administrative tasks…)

So what are the key differentiators to define and separate these accounts?

One of the primary differentiators is interactive desktop logon (1).
Typically an installation account or an administrator needs to logon…. A service account running the application in the background on the server, … does not.

Also, when securing your environment this is a key parameter to lock down the privileges.

This differentiator is also directly related to password management.

Account logging on in the desktop can change their passwords. Accounts running in the background, without interaction will have major trouble when they are under password change policy.
Unless the application supports managed service accounts, but that’s not wide spread yet, certainly not for the FIM/MIM components…so I’ll skip that track for now.

But an installer account, DOES NEED desktop logon, but SHOULD NOT be deleted when someone leaves the company.
The best example of this difference is the FIM Installer account, that gets local admin access to the Windows server and to the SQL server as SA. This account is also injected in the FIM portal as default (GOD MODE) admin, so you DON’T want to loose this account.

So, another easy differentiator is the link to a physical person (2).
Typically physical persons are ‘managed’ with a lifecycle (eg under contract with your company). You know the typical hire-change-fire processes… (people on-board, people change jobs, people leave the company)

You don’t want to run your background services on a personal account, because… if you are running your identity management the proper way (and you will), they will be deprovisioned one time, right?

In normal (I should rather say normalized) security situations, the principle of least-privilege dictates that normal user accounts should not have extensive administrative rights, these should be attributed to separate administrative accounts.

So, the parameter: “highly privileged rights” (3) is a another key differentiator between the different types of accounts that can logon to a desktop.

The opposite of the ‘physical’ account are accounts that are not (or better, SHOULD not be) used by people, but run in the background, most server and/or Active Directory admins immediately think about the following system / GPO settings

• deny run as a service
• deny logon as a batch job

So, considering “segregation of duties” and “least-privilege” makes them mutually exclusive. (I beg you to disagree and provide me motivated arguments …), which provides me 2 other differentiators

• run as a background service (4)
• run as a batch job (5)

Based on these differentiators, the basic accounts types you can define are

• service accounts
• technical accounts
• functional accounts
• personal accounts
• personal admin accounts

	Account Type
Task type	Service Account	Technical Account	Functional Account	Personal Account	Personal Administrator  Account
Run as a Background Service (continuously)	YES	NO	NO	NO	NO
Running a batch job (Specific Task or script)	NO	YES	NO	NO	NO
Interact with desktop/Physical Logon	NO	NO	YES	YES	YES
Highly Privileged Rights	NO	NO	YES	NO	YES
Direct Link to physical person (link to HR)	NO	NO	NO	YES	YES

I’ve been working with a variety of customers and environments and I challenge this matrix every single time.

So I would like to challenge you to find a better, easier, more solid matrix.
Is there anything in this set of parameters that doesn’t make sense? Too simple, to complex, anything missing?

If yes, let me know and we go for the next version.

More information

You can find more information on the TechNet Wiki in a series of articles on FIM/MIM security hardening and implementation:

1. FIM 2010: Planning security setup for accounts, groups and services – Part 1. Introduction
2. FIM 2010: Planning security setup for accounts, groups and services – Part 2. FIM Security principles
3. FIM 2010: Planning security setup for accounts, groups and services – Part 3. Compact Checklist
4. FIM 2010: Planning security setup for accounts, groups and services – Part 4. Detailed Description
5. FIM 2010: Planning security setup for accounts, groups and services – Part 5. Operational Best Practices
6. FIM 2010: Planning security setup for accounts, groups and services – Part 6. References & authoritative resources
7. FIM 2010: Planning security setup for accounts, groups and services – Part 7. Additional resources
8. FIM 2010: Planning security setup for accounts, groups and services – Part 8. Glossary
9. FIM 2010: Planning security setup for accounts, groups and services – Part 9. Release Schedule
10. Identity Manager: Planning security for accounts, groups and services – Core account type differentiators (Part 10)
11. FIM 2010 & MIM 2016: Planning security setup for accounts, groups and services – Appendix B (Compact Check List)
12. FIM 2010: Planning security setup for accounts, groups and services – Table of contents

Download from Gallery/Github

PDF version from Technet Gallery.

Github: FIM/MIM Planning security setup for accounts, groups and services

Last update: 2020-12-30

Keywords: accounts, account; segregation, separation, segregation of duties, SoD,

Note-to-self: Got #MIM2016 product feedback, feature wish list? aka.ms/mimfeedback

Very short note-to-myself (#memory-function-on)…

David Steadman, respected @fimguy, now  @TheMIMGuy posted an interesting poke…

#MIM2016 Have an Idea? Have Feedback? https://aka.ms/mimfeedback

— David Steadman (@TheMIMGuy) February 14, 2017

So, got any constructive suggestion, move over to that feedback page at: https://aka.ms/mimfeedback

(Last update: 2020-12-31)

Microsoft released #MIM2016 Service Pack 1 UPDATE package

Source: https://aka.ms/mim2016sp1upgrade

Since the release of MIM 2016 SP1 just a few weeks ago, Microsoft received significant feedback from the community, their partners and customers regarding the upgrade paths for the service pack.

8th of November, Microsoft announced the availability of the MIM 2016 SP1 Update MSP.

This MSP allows current customers on MIM 2016 RTM, or any hotfix build since 2016 RTM to perform an in-place upgrade to the current build of this MSP (4.4.1302.0).

The supported in-place upgrade scenarios are outlined in the table below. To obtain this update, please click here.

Please note, an updated MSI for new implementations is likely to be released soon.

Carefully check the upgrade paths, as this MSP cannot be applied to build 4.4.1296.0 (MIM 2016 SP1 RTM).

The download page explicitly mentions: “MIM 2016 RTM Versions to update their infrastructure to the latest SP1 Build without complete uninstall. Customers already on MIM 2016 SP1 (4.4.1237) can not install this patch. 

Supported Operating System

Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

MIM 2016 RTM or one of the following hotfix builds: 4.3.2064.0 4.3.2195.0 4.3.2266.0″

Initial Build	Hotfix Applied	Build after SP1 Update
RTM	None	4.4.1302.0
RTM	4.3.2064.0	4.4.1302.0
RTM	4.3.2064.0, 4.3.2195.0	4.4.1302.0
RTM	4.3.2195.0	4.4.1302.0
RTM	4.3.2266.0	4.4.1302.0

Additionally, for customers running Office 2010 needing the x86 Add-ins and Extensions, do not update using this MSP, a forthcoming hotfix will be made available in the coming months.

If you have any comments for the Product Group, please send us an email at: mim2016@microsoft.com

(Last update: 2020-12-31)

#FIM2010 & #MIM2016 Error 25009 fun stuff on #TNWiki

For the FIM Geeks, I’ve submitted some new FIM/MIM 25009 event troubleshooting articles on TechNet Wiki (http://aka.ms/Wiki)

• MIM Troubleshooting: Sync engine installation failure – error 25009 <hr=0x80131700>, and
• MIM Troubleshooting: upgrade from ILM fails with error 25009 (<hr=0x80230406>)

Plus, a page the collects all the 25009 troubleshooting resources, including lots of fun stuff of Tim Macauly.

• FIM/MIM Troubleshooting Error 25009 Resource page

If you got more of this 25009 fun stuff yourself, feel free to add your articles and add them to the collection page.

Updated: 2020-12-30

A hotfix rollup package (build 4.1.3765.0) is available for #FIM2010

Source: https://support.microsoft.com/en-us/kb/3171318

Issues that are fixed and features that are added in this update

This update fixes the following issues and adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Certificate Management

• Issue 1 A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.
• Issue 2 The Duplicate Revocation Settings policy is replaced because some users could not set it.
• Issue 3 There is a redundant space in the “Profile Summary” string on the Request Complete page for some languages.

FIM Synchronization Service

• Issue 1 In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.
• Issue 2 Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don’t work.
• Issue 3 The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.
• Issue 4 When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.
• Issue 5 An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.
• Issue 6 You receive a “Reference to undeclared entity ‘qt'” error message when you run the history process and the history text contains the “greater than” symbol (>).
• Issue 7 Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.
• Issue 8 A “MEMORY_ALLOCATION_FAILURE” error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

• Issue 1 Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

• Issue 1 During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.
• Issue 2 In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

• Issue 1 When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.
• Issue 2 Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.
• Issue 3 When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.
• Issue 4 An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.
• Issue 5 If two or more roles assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.
• Issue 6 An email alias is truncated if it is longer than 30 characters.

Updated: 2020-12-30

Note-to-self: #FIM2010 Quick Tip – Who has NOT Registered for SSPR

Just a quick useful tip to solve the practical question…

Question already asked (a few times) on the FIM forum: how to “Query FIM user not registered for SSPR”?

https://social.technet.microsoft.com/Forums/en-US/b44a4a2c-ebc2-45e2-9afd-1d083c7be3ad/query-fim-user-not-registered-for-sspr?forum=ilm2

Answers:

• See Tomasz Onysko’s response on the FIM Forum thread.
• Anthony Marsiglia (FIM Devil) on the the Connector Space blog: Who has Not Registered for SSPR
• Revert the logic on this solution of Markus Vilcinskas , published on TNWiki at: How to Use PowerShell to Export All Users Who Have Registered for Self-Service Password Reset (SSPR)
• https://jorgequestforknowledge.wordpress.com/2012/11/11/finding-all-users-within-fim-that-have-not-registered-for-sspr/

See also:

http://social.technet.microsoft.com/wiki/contents/articles/9846.fim-self-service-password-reset-sspr-resources.aspx by Tim Macaulay

Updated: 2020-12-30