Tracing Issued Claims in ADFS

Quick & dirty scripting tools: the following PowerShell script dumps the last X minutes of issued claims on an AD FS server (AD FS writes them to the Security log as Event ID 501 from the source "AD FS Auditing"). It assumes auditing of issued claims has been turned on in the AD FS Management MMC (Federation Service Properties > Events > Success audits) and that the "Application Generated" audit subcategory is enabled on the box (auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable); without the latter nothing lands in the Security log at all.
# Dump AD FS "issued claims" audit events (ID 501, Security log, source "AD FS Auditing")
# from the last N minutes. Usage: .\Get-IssuedClaims.ps1 [minutes]   (default: 5)
$timeView = 5
if ($Args.Count -gt 0) { $timeView = [int]$Args[0] }
# Always look backwards, whatever sign the caller passed.
$StartTime = (Get-Date).AddMinutes(-[math]::Abs($timeView))
# @() so .Count is 0 rather than an error when no events match;
# SilentlyContinue because Get-WinEvent throws when the filter returns nothing.
$output = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    StartTime    = $StartTime
    ID           = 501
} -ErrorAction SilentlyContinue)
$output | Format-List
"Total issued claims: $($output.Count)  ($timeView minute view)"
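As an added example (not the script above and not from the original post), the following PowerShell parses the text of each 501 event into claim-type/value pairs and summarises who received tokens and how many claims each token carried, so a burst of issuances can be triaged without reading every event in full. It assumes the 501 message layout noted in the comments (an "Instance ID:" line, then an "Issued identity claims:" section with each claim-type URI on one line and its value on the next) and that the audit source name is 'AD FS Auditing'; the sample message is constructed, not real log data.

```powershell
# Added example: turn AD FS event 501 text into objects and summarise per token.
# Assumed message layout (label: assumption): "Instance ID:" followed by the GUID, then
# "Issued identity claims:" with claim-type URI on one line and the value on the next.

function ConvertFrom-AdfsIssuedClaims {
    param([Parameter(Mandatory)][string]$Message)
    $lines = @($Message -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $instanceId = $null
    $claims = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^Instance ID:\s*(\S*)$') {
            # GUID may sit on the same line or the next one.
            if ($Matches[1]) { $instanceId = $Matches[1] }
            elseif ($i + 1 -lt $lines.Count) { $instanceId = $lines[$i + 1]; $i++ }
        }
        elseif ($lines[$i] -match '^(http|urn):' -and $i + 1 -lt $lines.Count) {
            # Claim types are URIs; the value is on the following line (consumed here,
            # so a URI-shaped value is never mistaken for another claim type).
            $claims += [pscustomobject]@{
                InstanceId = $instanceId
                ClaimType  = $lines[$i]
                Value      = $lines[$i + 1]
            }
            $i++
        }
    }
    return $claims
}

function Get-AdfsIssuedClaimSummary {
    param([int]$Minutes = 5, [object[]]$Events)
    if (-not $Events) {
        $Events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Security'
            ProviderName = 'AD FS Auditing'   # assumption: audit source name on AD FS 2.x/3.0
            ID           = 501
            StartTime    = (Get-Date).AddMinutes(-[math]::Abs($Minutes))
        } -ErrorAction SilentlyContinue)
    }
    $all = foreach ($e in $Events) { ConvertFrom-AdfsIssuedClaims -Message $e.Message }
    # One row per token (Instance ID): who got it and how many claims it carried.
    $all | Group-Object InstanceId | ForEach-Object {
        $upn = ($_.Group | Where-Object ClaimType -like '*/claims/upn' | Select-Object -First 1).Value
        [pscustomobject]@{ InstanceId = $_.Name; Upn = $upn; ClaimCount = $_.Count }
    }
}

# Constructed sample message in the assumed layout (not captured from a real server):
$sample = @"
More information for the event entry with Instance ID 11111111-1111-1111-1111-111111111111.

Instance ID:
11111111-1111-1111-1111-111111111111

Issued identity claims:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
alice@contoso.example

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
"@
$fakeEvent = [pscustomobject]@{ Message = $sample }
Get-AdfsIssuedClaimSummary -Events $fakeEvent | Format-Table -AutoSize

# Against the live Security log on an AD FS server:
# Get-AdfsIssuedClaimSummary -Minutes 10 | Sort-Object Upn | Format-Table -AutoSize
```

Piping the summary into Group-Object Upn gives a quick "tokens per user" view, which is the first thing worth looking at when a relying party reports unexpected sign-ins.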

Sudden Access Denied in Group Join Approval Workflow in MIM 2016

On a Windows Server 2012 R2 server running the latest version of MIM 2016 on SharePoint Foundation 2013 with roll-ups, after editing the default Owner Approval workflow I started to get the following error when attempting to Join or Leave any group with Owner Approval:

[Screenshot: join error dialog]
Error details:
[Screenshot: error details]

I cried, then I cried some more. Then I went and visited Mr. Google (What if Google was a Guy?) and stumbled upon this gem from the TechNet forums that turned out to be the resolution… yes, it's a FIM bug that's still in MIM… not a feature 🙂

Error message from Event ID 3:

Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
at Microsoft.ResourceManagement.Workflow.Hosting.WorkflowManager.StartWorkflowInstance(Guid workflowInstanceIdentifier, KeyValuePair`2[] additionalParameters)

 

When a new approval workflow is created and an approval activity is placed in it, the XOML definition contains the following element:

(…)

xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=3.5.0.0 (…)

Pre-Edit

The above is from the standard approval workflow delivered with FIM, which works out of the box. After editing the standard workflow, or in any custom authorization workflow you create, it changes to the following:

Post-Edit

(…) xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0, (…)

 

[Screenshot: join succeeds after the fix]

Editing the XOML in Extended Attributes, changing the version back to 3.5.0.0 and saving the workflow resolves the issue. The bad news is that it breaks again the next time you do any editing of the workflow, so the fix has to be re-applied after every edit 🙁

 

Details:

https://social.technet.microsoft.com/Forums/en-US/1b76672d-1276-4c71-b9fc-5bb1fcb36877/event-id-3-with-approval-activity?forum=ilm2
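As an added example, which is neither the post's nor the TechNet thread's code, the following PowerShell scans every WorkflowDefinition in the FIM/MIM Service for the rewritten System.WorkflowServices 4.0.0.0 reference and can put the 3.5.0.0 reference back through the FIMAutomation snap-in, i.e. the same XOML edit described above, done with Import-FIMConfig instead of the portal's Extended Attributes page. The service URI, running it on the MIM Service box with the FIMAutomation snap-in installed, and the XOML fragment used for the offline check are assumptions.

```powershell
# Added example: detect and repair the System.WorkflowServices 4.0.0.0 reference in
# FIM/MIM WorkflowDefinition XOML. Assumptions: FIMAutomation snap-in present, caller is a
# FIM/MIM administrator, service at http://localhost:5725. Run with -WhatIf first.

$BadRef  = 'Assembly=System.WorkflowServices, Version=4.0.0.0'
$GoodRef = 'Assembly=System.WorkflowServices, Version=3.5.0.0'

function Test-MimXomlNeedsRepair {
    param([Parameter(Mandatory)][string]$Xoml)
    return $Xoml.Contains($BadRef)
}

function Repair-MimXomlAssemblyRef {
    param([Parameter(Mandatory)][string]$Xoml)
    # Only the System.WorkflowServices reference is touched; other assembly versions are left alone.
    return $Xoml.Replace($BadRef, $GoodRef)
}

function Repair-MimWorkflowDefinitions {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Uri = 'http://localhost:5725')   # assumption: default FIM Service URI
    Add-PSSnapin FIMAutomation -ErrorAction Stop
    $workflows = Export-FIMConfig -Uri $Uri -CustomConfig '/WorkflowDefinition' -OnlyBaseResources
    foreach ($wf in $workflows) {
        $attrs = $wf.ResourceManagementObject.ResourceManagementAttributes
        $xoml  = ($attrs | Where-Object AttributeName -eq 'XOML').Value
        $name  = ($attrs | Where-Object AttributeName -eq 'DisplayName').Value
        if (-not $xoml -or -not (Test-MimXomlNeedsRepair -Xoml $xoml)) { continue }
        Write-Warning "'$name' references System.WorkflowServices 4.0.0.0"
        if ($PSCmdlet.ShouldProcess($name, 'Rewrite XOML assembly reference to 3.5.0.0')) {
            $id = $wf.ResourceManagementObject.ObjectIdentifier
            $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
            $change.AttributeName  = 'XOML'
            $change.AttributeValue = Repair-MimXomlAssemblyRef -Xoml $xoml
            $change.FullyResolved  = $true
            $change.Locale         = 'Invariant'
            $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
            $obj.ObjectType             = 'WorkflowDefinition'
            $obj.TargetObjectIdentifier = $id
            $obj.SourceObjectIdentifier = $id
            $obj.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
            $obj.Changes                = @($change)
            $obj | Import-FIMConfig -Uri $Uri
        }
    }
}

# Offline check against a constructed XOML fragment (not a real workflow definition):
$sampleXoml = '<ns0:SequentialWorkflow xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0, Culture=neutral" />'
Test-MimXomlNeedsRepair -Xoml $sampleXoml
Repair-MimXomlAssemblyRef -Xoml $sampleXoml

# Report only, then apply:
# Repair-MimWorkflowDefinitions -WhatIf
# Repair-MimWorkflowDefinitions
```

Because the portal rewrites the reference on every save, the practical use is to run the report after each workflow edit and apply the repair before anyone tries to join or leave a group; the string replace is deliberately narrow so that any other Version=4.0.0.0 reference in the XOML is left as it was.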

Unexpected timeout issue when updating FIM 2010 to latest roll-up package

[Screenshot: ExtensionsCache issue]
This one came as a surprise: the setup of the latest FIM 2010 roll-up was repeatedly timing out, and Event IDs 6311 and 6401 kept popping up in the Application log during the operation.

After a couple of pints of coffee I eventually decided to run Procmon from Sysinternals to peek at what was going on while the setup was apparently sitting around doing nothing.

Turns out there were 521,750 ghost items with names such as Sync Rule Callout <GUID> and Common MA Callout Extension <GUID> hanging around in the hidden ExtensionsCache folder under the Synchronization Service installation directory.

Stopping the FIM Synchronization Service (service name FIMSynchronizationService) before deleting the ghost items not only allowed the update to proceed but also markedly improved the performance of the MAs on the box, by a factor of roughly 3.
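The clean-up as an added PowerShell example (not the post's own procedure): it counts the ghost items matching the two name patterns above, stops the synchronization service only if something needs deleting, removes the items, and restarts the service. The default install path, the service name FIMSynchronizationService and the two name patterns are assumptions taken from the description above; anything in ExtensionsCache that does not match the patterns is left untouched.

```powershell
# Added example: remove "ghost" callout items from the hidden ExtensionsCache folder with
# the sync service stopped. Assumptions: default FIM 2010 path, service name
# FIMSynchronizationService, item names matching the two patterns the post describes.

function Remove-FimExtensionsCacheGhosts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SyncRoot = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service',
        [string[]]$Patterns = @('Sync Rule Callout *', 'Common MA Callout Extension*'),
        [string]$ServiceName = 'FIMSynchronizationService'
    )
    $cache = Join-Path $SyncRoot 'ExtensionsCache'
    if (-not (Test-Path -LiteralPath $cache)) { throw "ExtensionsCache not found at $cache" }

    # -Force is required because the folder and its contents are hidden.
    $ghosts = @(foreach ($p in $Patterns) {
        Get-ChildItem -LiteralPath $cache -Filter $p -Force -ErrorAction SilentlyContinue
    })
    Write-Host ("{0} ghost item(s) found under {1}" -f $ghosts.Count, $cache)
    if ($ghosts.Count -eq 0) { return }

    # Never delete while the sync service is running: MAs may still have the cache open.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    $wasRunning = ($svc.Status -eq 'Running')
    if ($wasRunning -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
        Stop-Service -Name $ServiceName -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    }
    try {
        $removed = 0
        foreach ($g in $ghosts) {
            if ($PSCmdlet.ShouldProcess($g.FullName, 'Remove')) {
                Remove-Item -LiteralPath $g.FullName -Recurse -Force
                $removed++
            }
        }
        Write-Host "$removed item(s) removed"
    }
    finally {
        # Restart only if we actually stopped it (not during -WhatIf).
        if ($wasRunning -and -not $WhatIfPreference) { Start-Service -Name $ServiceName }
    }
}

# Dry run first (lists every item it would delete), then for real:
# Remove-FimExtensionsCacheGhosts -WhatIf
# Remove-FimExtensionsCacheGhosts
```

With half a million entries the enumeration itself takes a while; run the dry run once to confirm the patterns only match the ghost items before letting it delete anything.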

Office 365: Using Lync or Skype on Linux


When you have a *nix crowd to cater for in your Office 365 or Lync deployment the following information will be useful:

– You can use the SIPE plugin to enable your *nix users to chat on O365 or Lync servers with several IM clients, e.g. Pidgin

– There's a client-side bug in pidgin-sipe 1.18.2 where the user's SIP address is presented to the AD FS server as the login name, regardless of the login name entered in the client

– This was fixed upstream in 1.18.4

– The bug is invisible when the user's UPN and SIP address are the same

– On the AD FS server side a workaround is to configure Alternate Login ID, i.e. allow an additional attribute to be looked up during logon (e.g. the 'mail' attribute, if it matches the SIP address)

Note: The Alternate Login ID feature is not compatible with Exchange Online Hybrid Deployments. Customers that wish to configure Exchange Online Hybrid Deployments with Office 365 must not configure Alternate Login ID.

The Alternate Login ID feature may impact various other Azure AD and Office 365 scenarios including:

  • Office 365 ProPlus activation may require explicit sign-in
  • Intune customers using SCCM connectors may require additional configuration.
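The AD FS side of that workaround as an added example (not from the post): the AD FS 3.0 cmdlets that turn on Alternate Login ID for the 'mail' attribute, a check that the setting actually took, and the rollback for when the Exchange Online Hybrid restriction above applies. The forest name is a placeholder; the cmdlets and parameters are the documented ones for AD FS on Windows Server 2012 R2.

```powershell
# Added example: enable the Alternate Login ID workaround for the pidgin-sipe login bug.
# Assumption: a single forest 'contoso.example' (placeholder); run on the AD FS server
# as an AD FS administrator. Requires the ADFS module (Windows Server 2012 R2).

$Forest = 'contoso.example'

# Before: by default AD FS only resolves the UPN (or domain\sAMAccountName) typed at logon.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests

# Enable lookup of the 'mail' attribute in addition to the UPN, so a SIP address that
# matches the user's mail attribute still resolves when pidgin-sipe presents it.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID mail -LookupForests $Forest

# After: fail loudly if the change did not take effect.
$cpt = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
if ($cpt.AlternateLoginID -ne 'mail' -or $cpt.LookupForests -notcontains $Forest) {
    throw 'Alternate Login ID was not applied to the AD AUTHORITY claims provider trust'
}

# Rollback, e.g. before an Exchange Online Hybrid deployment (incompatible with this feature):
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null
```

Because the 'mail' attribute now acts as a logon name, make sure it is unique and not user-writable in the lookup forest; the same value appearing on two accounts turns the workaround into an ambiguity at sign-in.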


Further details:

Configuring Alternate Login ID [for AD FS 3.0]
https://technet.microsoft.com/en-us/library/dn659436.aspx?f=255&MSPPError=-2147217396

The SIPE project
http://sipe.sourceforge.net/

Pidgin IM
http://pidgin.im/
