{"id":1065,"date":"2010-11-13T18:41:00","date_gmt":"2010-11-13T18:41:00","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=1065"},"modified":"2022-10-31T02:52:26","modified_gmt":"2022-10-31T02:52:26","slug":"importing-groups-from-ad-to-the-fim-portal-using-classic-flow-rules","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/importing-groups-from-ad-to-the-fim-portal-using-classic-flow-rules","title":{"rendered":"Importing groups from AD to the FIM Portal using classic flow rules"},"content":{"rendered":"

My general negativity about FIM codeless sync aka “declarative provisioning” aka “Synchronization Rule Provisioning” is, I think, reasonably well-known by now. While Markus wrote an excellent document<\/a> about importing AD groups into the FIM Portal using the codeless rules, I think there are still plenty of reasons to go old skool, and here’s how you’d do it.<\/p>\n

<\/p>\n

PreReqs<\/h3>\n

Custom sync rules do involve .NET coding, so you’re going to need Visual Studio installed on the Sync server. My example code in is VB.NET so you’ll need the Visual Basic libraries installed to use them.<\/p>\n

And it’s only a minusculey tiny bit of code, okay?<\/p><\/blockquote>\n

I will assume you’ve already managed to create your AD and FIM management agents, and<\/em> that you have already sucessfully imported or joined the group members – ie the users and contacts.<\/p>\n

The “member” attribute is relational, meaning it effectively points to other objects that it also knows about. To maintain the referential relationship from AD through to the FIM Portal you must satisfy the following requirements:<\/p>\n

    \n
  • The groups and<\/em> their member objects must exist within the connector space of the same AD MA. You can’t import groups from one MA and users from another – you have to have the groups and users together.<\/li>\n
  • The groups and<\/em> their members must be joined to their metaverse counterparts, either through Join or Projection rules.<\/li>\n
  • The groups and<\/em> their members must be exported through the same FIM MA to the FIM Portal (though AFAIK you can only have one FIM MA anyway).<\/li>\n<\/ul>\n

    Step 1: Importing the AD Groups into the Metaverse<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    First make sure that the OU(s) containing the groups are within the scope of your MA.<\/td>\n\"\"<\/td>\n<\/tr>\n
    Next check the “group” object type.<\/p>\n

    Note I also have my potential group member object types selected, and within the scope of the MA – see the comment above about maintaining references in the prereqs section above.<\/td>\n

    		\"\"<\/td>\n<\/tr>\n
    And make sure the following attributes are selected: displayName, domain, groupType, member, sAMAccountName, (and for Distribution Lists) mail, mailNickname.<\/td>\n\"\"<\/td>\n<\/tr>\n
    Create a Projection Rule. This will project AD groups as new group objects in the Metaverse. Note the following points:<\/p>\n
      \n
    1. You should also create a Join Rule so that already-projected groups may be rejoined automatically if they happen to become disconnected,<\/li>\n
    2. If you want some groups to be ignored then the simplest way is with a Connector Filter. Otherwise you can use a coded Projection Rule, but I won’t be going into that here.<\/li>\n<\/ol>\n<\/td>\n
    		\"\"<\/td>\n<\/tr>\n
    Next create Direct import flow rules for the following attributes:<\/p>\n

    displayName –> displayName
    \nsAMAccountName –> accountName
    \nmember –> member
    \nmail –> mail
    \nmailNickname –> mailNickname<\/td>\n

    		\"\"<\/td>\n<\/tr>\n
    At this point you can save the MA and go ahead and run an Import-Sync.<\/p>\n

    What you should see is some group objects projected into the Metaverse. If you’ve already mapped the group object type in the FIM MA you should see objects created there too, but don’t try to export them yet, we need to add a few more attributes.<\/td>\n

    		\"\"<\/td>\n<\/tr>\n
    Now go back into your AD MA and add the following Advanced import flow rules:<\/p>\n

    Constant: your NETBIOS domain name –> domain
    \nConstant: “Owner Approval” –> membershipAddWorkflow
    \nConstant: “false” –> membershipLocked
    \ngroupType –> Rules Extension: “import_scope” –> scope
    \ngroupType –> Rules Extension: “import_type” –> type<\/td>\n

    		\"\"<\/td>\n<\/tr>\n
    When you try and save the MA now you should get this error:
    \n“Rules Extension validation error: Please specify a valid rules extension name.”<\/p>\n

    When you click OK you will be taken to the place where you can specify the name of the dll where those two advanced rules (import_scope and import_type) are to be found. In fact we haven’t written the dll yet, but that’s ok, just accept the default name.<\/td>\n

    		\"\"<\/td>\n<\/tr>\n
    Now it is time to create the extension project.<\/p>\n

    Select your MA and click Create Extension Project<\/strong>. You want to create a project of type “Rules Extension”.<\/p>\n

    Check the default name – it should be the same as already set in the MA in the previous step (if it somehow isn’t don’t worry, you can always change the dll referenced in the MA later).<\/p>\n

    The only thing you might want to change is the folder where the project will be created.<\/p>\n

    When you’re ready, click OK and the new project will be created and opened in Visual Studio for you (assuming you installed Visual Studio on the server).<\/td>\n

    		\"\"<\/td>\n<\/tr>\n
    Now fill in the MapAttributesForImport section of the project as shown here.<\/p>\n

    Once you’ve done that you can compile the code. The dll shoud be put straight into the correct folder for you (normally C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Extensions).<\/td>\n

    		\n
    Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry,\n ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport\n\n    Select Case FlowRuleName\n        Case \"import_type\"\n            Select Case csentry(\"groupType\").IntegerValue\n                Case 2, 4, 8\n                    mventry(\"type\").Value = \"Distribution\"\n                Case Else\n                    mventry(\"type\").Value = \"Security\"\n            End Select\n\n        Case \"import_scope\"\n            Select Case csentry(\"groupType\").IntegerValue\n                Case 2, -2147483646\n                    mventry(\"scope\").Value = \"Global\"\n                Case 4, -2147483644\n                    mventry(\"scope\").Value = \"DomainLocal\"\n                Case Else\n                    mventry(\"scope\").Value = \"Universal\"\n            End Select\n\n        Case Else\n            Throw New EntryPointNotImplementedException()\n\n    End Select\nEnd Sub<\/pre>\n<\/td>\n<\/tr>\n
    Now you should be able to Sync the AD MA and check how the group objects look in the Metaverse.<\/td>\n\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Step 2: Exporting the Groups from the Metaverse to the FIM Portal<\/h3>\n\n\n\n\n\n\n\n\n
    There are a couple of Portal MPRs that must be enabled to allow the Sync Service to create groups in the Portal.<\/td>\n\"\"<\/td>\n<\/tr>\n
    If you haven’t already done so, select the group object type in your FIM MA.<\/td>\n\"\"<\/td>\n<\/tr>\n
    And add the mapping to the Metaverse group type.<\/td>\n\"\"<\/td>\n<\/tr>\n
    Now all you should need to do is add simple export flow rules for these attributes: accountName, displayName, domain, scope, type, membershipAddWorkflow, membershipLocked, member, (and for Distribution groups) mail, mailNickname .<\/td>\n\"\"<\/td>\n<\/tr>\n
    Run another Sync on the AD MA and now you should be able to see the group objects in the FIM connector space, ready to export.<\/td>\n\"\"<\/td>\n<\/tr>\n
    After running an Export from the FIM MA the groups should be in the Portal, and you can start to manage them there.<\/p>\n

    Note there is an error being reported about selecting a manger. If you do happen to have the group manager field populated in AD then by all means go ahead and import it from AD through to the Portal. Otherwise you will have to chose a manager directly in the Portal.<\/td>\n

    		\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Troubleshooting FIM MA export errors<\/h3>\n

    The FIM MA can give you some rather cryptic looking failed-creation-via-web-services messages, but usually if you read them properly you can work out the problem.<\/p>\n

    1. Missing Required Attribute<\/h4>\n

    Here I have forgotten to populate the “Domain” attribute<\/p>\n

    Fault Reason: The request message contains errors that prevent processing the request.<\/code><\/div>\n
    Fault Details: <RepresentationFailures xmlns=\"http:\/\/schemas.microsoft.com\/2006\/11\/ResourceManagement\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"><AttributeRepresentationFailure><AttributeType>Domain<\/span><\/AttributeType><\/code><\/div>\n
    <AttributeValue><\/AttributeValue><FailureMessage>An attribute is required to complete the operation.<\/span><\/FailureMessage><\/code><\/div>\n
    <AttributeFailureCode>RequiredValueIsMissing<\/AttributeFailureCode><\/AttributeRepresentationFailure><\/RepresentationFailures><\/code><\/div>\n

    2. Incorrect Attribute Value<\/h4>\n

    Some attributes in the Portal Schema have validation strings listing which values are allowed. Here I’ve tried to export a type of “Distribution List” instead of “Distribution”, and that has been blocked.<\/p>\n


    \nFault Reason: The request message contains errors that prevent processing the request.<\/code><\/div>\n

    Fault Details: <RepresentationFailures xmlns=\"http:\/\/schemas.microsoft.com\/2006\/11\/ResourceManagement\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"><AttributeRepresentationFailure><AttributeType>Type<\/span><\/AttributeType>
    \n<AttributeValue>Distribution List<\/span><\/AttributeValue><FailureMessage>The specified attribute value does not satisfy the regular expression.<\/span><\/FailureMessage><AttributeFailureCode>ValueViolatesRegularExpression<\/AttributeFailureCode><\/AttributeRepresentationFailure><\/RepresentationFailures>
    \n<\/code><\/p>\n

    3. Permissions failure<\/h4>\n

    Your MPRs need to allow the Built-In Synchronization account to create Group objects in the Portal. In this rather long-winded messages there are a few immediate giveaways.<\/p>\n


    \nThere is an error executing a web service object creation request.
    \nType: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException <\/code><\/div>\n
    Message: Fault Reason: Policy prohibits the request from completing.<\/span><\/code><\/div>\n
    Fault Details:<\/code><\/div>\n
    No policy grants the Requestor permission to complete all changes.<\/span><\/div>\n

    Exception: ManagementPolicyRule
    \nStack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule —> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 462, Message: Permission denied.
    \nat System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
    \nat System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
    \nat System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
    \nat System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
    \nat System.Data.SqlClient.SqlDataReader.get_MetaData()
    \nat System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
    \nat System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
    \nat System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
    \nat System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
    \nat System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
    \nat System.Data.SqlClient.SqlCommand.ExecuteReader()
    \nat Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
    \n— End of inner exception stack trace —
    \nat Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
    \nat Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
    \nat Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)
    \nat Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)ManagementPolicyRule<\/p>\n

    Stack Trace: at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
    \nat Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
    \nat Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()<\/p>\n

    Inner Exception: Policy prohibits the request from completing.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

    My general negativity about FIM codeless sync aka “declarative provisioning” aka “Synchronization Rule Provisioning” is, I think, reasonably well-known by now. While Markus wrote an excellent document about importing AD groups into the FIM Portal using the codeless rules, I think there are still plenty of reasons to go old skool, and here’s how you’d…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":[]},"categories":[24,42,22],"tags":[],"class_list":["post-1065","post","type-post","status-publish","format-standard","hentry","category-ad","category-fim-2010","category-groups"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-hb","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/1065","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=1065"}],"version-history":[{"count":15,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/1065\/revisions"}],"predecessor-version":[{"id":3306,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/1065\/revisions\/3306"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=1065"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=1065"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=1065"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}