1dent1ty cHa0s

RC1 of Forefront Identity Manager 2010 is out, go get it!

Download details: FIM 2010 Release Candidate 1

• Domain service account
• Member of the ILM Administrators domain group (our renamed MIISAdmins)
• Granted the "Logon as batch" right via policy
• Runs fine logged in as the service account interactively

 1: # Call ClearHistory.ps1 from a CMD file 

 2: powershell -nologo -command "& D:\ILMTasks\ClearHistory.ps1 5 10"

ClearHistory.ps1

 1: # Setup the argument parameters and declare defaults

 2: # Default is two weeks of history to retain

 3: param([string]$NumDaysToKeepRunHistory = 14,[string]$NumDaysToKeepPwdHistory = 14)

 4:  

 5: # Calculate the date to clear runs against

 6: [string]$ClearRunsDate = [DateTime]::Now.AddDays(-$NumDaysToKeepRunHistory).ToUniversalTime()

 7: # Calculate the date to clear password history against

 8: [string]$ClearPwdHistoryDate = [DateTime]::Now.AddDays(-$NumDaysToKeepPwdHistory).ToUniversalTime()

 9:  

 10: # Get the WMI Object for MIIS_Server

 11: $miiserver = @(get-wmiobject -class "MIIS_SERVER" -namespace "root\MicrosoftIdentityIntegrationServer" -computer ".")

 12:  

 13: # Clear the Run History

 14: Write-Host "Clearing the Run History prior to (UTC)" $ClearRunsDate

 15: Write-Host "Result: " $miiserver[0].ClearRuns($ClearRunsDate).ReturnValue

 16: #--------------------------------------------------------------------------------------------------------------------

 17:  trap 

 18:  { 

 19:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred

 20:  }

 21: #--------------------------------------------------------------------------------------------------------------------

 22:  

 23: # Clear the Password History

 24: Write-Host "Clearing the Password History prior to (UTC)" $ClearPwdHistoryDate

 25: Write-Host "Result: " $miiserver[0].ClearPasswordHistory($ClearPwdHistoryDate).ReturnValue

 26: #--------------------------------------------------------------------------------------------------------------------

 27:  trap 

 28:  { 

 29:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred

 30:  }

 31: #--------------------------------------------------------------------------------------------------------------------

Our daily morning team meetings for the project I'm currently on have become less team meeting and more confessional now that we're getting close to go-live. This is what a typical morning sounds like now:

Tester 1: Bless me PM for I have tested. I found 4 bugs today.

PM: Very good, hand your results to the developer.

Tester 2: Bless me PM for I have tested. I found 2 bugs today.

PM: Very good, hand your results to the developer.

You get the idea, it was much funnier when I made the observation this morning.

Oh boy, where to start, we have been having various issues with SQL applications failing with different security related error messages and we did not see a connection until just today. The two prominent issues we saw were:

• Could not apply patches to an ILM 2007 FP1 installation running on SQL Server 2008 with the servers in a Windows 2008 domain/forest, the errors we got were:

Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

MSI (s) (6C!80) [16:34:17:656]: Product: Microsoft Identity Integration Server -- Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

• SQL Server Reporting Services report subscriptions were failing to run in the SQL Agent with the following errors:

SQL Server Scheduled Job '52840C4F-5D9F-4CAA-96BE-4C587F655571' (0xBB61E338688B8C459E28A61A6761669D) - Status: Failed - Invoked on: 2009-09-03 17:40:03 - Message: The job failed.  Unable to determine if the owner (DEV\svc.ssrs.ilm) of job 52840C4F-5D9F-4CAA-96BE-4C587F655571 has server access (reason: Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5. [SQLSTATE 42000] (Error 15404)).

Subsequently, it was this troubleshooting technique using xp_logininfo found by Jaime Martinez that led us to the eventual solution posted by Matticus:

• Find the account that you're getting the error on and open up a new query in SQL Management Studio and then run the xp_logininfo command against it – in our case it looked like this:

xp_logininfo 'DEV\svc.ssrs.ilm'

• This command generated the following new error:

Msg 15404, Level 16, State 11, Procedure xp_logininfo, Line 62
Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5.

As it turns out there is a new built-in security group in Windows Server 2008 domains called BUILTIN\Windows Authorization Access Group. The description on this group reads, "Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects". This somehow causes issues when certain operations require enumeration of a person's group memberships (the computed tokenGroupsGlobalAndUniversal attribute).

Resolution

Add the domain service account for your SQL Server (your SQL Server service account) to the BUILTIN\Windows Authorization Access Group group. You don't need to restart anything, it just starts working from that point forward. What was bizarre is that this also fixed my problem with applying the patches to ILM!

I've been running the Office 2010 Technical Preview for a few weeks now and I really like it…once again. For a time there I was really cursing it due to some issues when reading or writing changes to documents (in this case Office 2007 documents, including OneNote notebooks) stored in our Microsoft Office SharePoint Server 2007 document libraries. I first noticed the issue when attempting to modify a shared OneNote 2007 notebook which, again, is hosted in MOSS 2007 – changes could not be replicated back to the document library and OneNote 2010 would return the following error:

This section contains changes that could not be synced because the
section file was not found. The section may have been moved or
deleted. If OneNote finds the section file later, it will sync the
changes. Alternatively, you can move this section to a new location.
Click here for more information.

I would get a similar problem when using Word 2010 to check out and edit a document hosted in a MOSS 2007 document library; however, in this case it manifested in the Office Synchronization Center failing to upload the modified document. You get a nasty red bar in the Pending Uploads section.

If you're part of the Technical Preview then you can track down these threads and the solutions in microsoft.connect.o2010techprev._general and search for "sharepoint". This problem has affected people in the following conditions it seems:

• MOSS 2007 or WSS 3.0 document libraries
• Opening files in a document library
• Opening local files
• Saving files to a document library

Mark Knight of Microsoft posted the workaround as follows:

1. In your LAN settings, check "Use a proxy server for your LAN" (you can
keep "Automatically detect" checked)
2. Assuming you do not require proxy to reach any servers, you can specify
http://fake in the Address field to give it a fake proxy
3. Click Advanced
4. In the Exceptions field, type the wildcard * to manually bypass the fake
proxy for all servers you are trying to reach.
5. OK out of the dialogs to accept the settings and retry opening files from
SharePoint.

The only thing I did differently was in step 2 I used http://127.0.0.1 instead of http://fake since I don't seemingly random hosts. At least in my case, using the above workaround has resolved my issues. If you continue to have issues I would encourage you to post to the newsgroup.