AD Provisioning Issue..

Similar Messages

• AE 5.1 - User provisioning issue - new user provisioned at end of request

  Hi All,
  re: AE 5.1 - User provisioning issue - new user provisioned at end of request when AE Config is set to NO
  We have an interesting issue. An Access Enforcer Change Request was initiated with the incorrect userID (the userID did not yet exist in the system) and that Change Request flowed through and made it to the end of the path. At the end of the path, it created a new userID (since the incorrect one was entered). However, we have the following AE Config:
  Auto Provisioning - Status: Auto Provsioning Type: "Auto Provision At End of Each Path"
  Auto Provisioning - Change Request: Create if user does not exist: "NO"
  Any ideas as to why the new userID was provisioned even though we have it set to "NO"?
  We are on AE v5.1, SP4.
  Thanks in advance!

  Gary,
  Similar kind of issue.,
  The Change User BAPI works differently than we normally think.
  It wipes off everything and reassign the modification.
  This I figured it in one of my implementation. You try add some roles to the user it wipes off all the roles and reassign the roles along with the new requested one's.
  The client is also in SP4 still they have issue.
  Will that not be good, AE checks for the ID before it actually submits the request.
  Thanks.
  Note : The issue mentioned by you doesnt exist in AE5.2
  Regards,
  Muthu Kumaran KG
  Edited by: Muthukumaran Krishnan Govindan on Mar 13, 2008 2:38 PM

• Developer Application Provisioning Issues -- Only one app at a time?

  _The upshot:_
  You can have one and only one developer provision and developer application on the iPhone at a time otherwise you get installation errors (i.e. 0xe8000001).
  _To fix:_
  Use Xcode Organizer to ensure that you have one and only one application and provision installed to the iPhone that uses your developer certificate.
  _To any Apple people:_
  If I am wrong about any of this, please let me know. I have wasted 3-4 days over the past 2 weeks due to these issues, and any explanation would be well received! Having one and only one application and provision installed to the iPhone fixed the 0xe8000001 issues for me.
  _Long winded explanation:_
  It turns out that I am working on multiple iPhone applications at the same time.
  Each application has a different AppID (as registered on the iPhone Developer Portal).
  I have spent quite a bit of time having major issues with Developer Provisioning and application installation from within Xcode and Xcode Organizer, which led me to not be able to debug my application on a live iPhone.
  I finally discovered my problem: I can only have one app and one provision on the iPhone that uses the same developer certificate.
  When swapping between Xcode projects if I remove all provisions and applications using Organizer and re-add only the provision of the application I am working on, then the install errors at build time go away.
  Samples of install errors that manifest themselves using the 0xe8000001 code:
  Thu Aug 21 16:56:02 unknown mobileinstallationproxy[770] <Error>: entitlement 'application-identifier' has value not permitted by provisioning profile
  Thu Aug 21 16:56:02 unknown mobileinstallationproxy[770] <Error>: verify_executable: Could not validate signature: e8008016
  -- Taken from the Xcode Organizer Console window for my development iPhone --
  These errors seem to be occurring because of an install time check against the installed provision files to verify the app, and it seems the provision from an already installed application is being used.
  This is probably occurring because the main developer certificate has to be the same between the 2 applications. As the scan through the provisions is occurring, the certificate of the new app matches the certificate from the already installed app, and the provision check fails due to different App IDs.
  There is one and only one developer certificate allowed per iPhone Standard program.
  I hope that this helps some other people out there with their development provisioning and debug / installation errors.
  --Batgar

  This is why you should create a wildcard developer certificate (com.youcompany.*)...follow the directions in the program portal. Then you can then install all your apps on your phone.

• AD Provisioning Issue OIM 11.1.1.5

  HI,
  We had created a Role to Provision AD Resource to user using Access Policy. Role is being assigned to user and We are able to see that resource is being assigned to user But its state is Provisioning not Provisioned.
  We had checked that System Validation task is being Pending for the user and Process form is blank for the user.
  We had Checked the Auto prepopulate and Auto save form checkbox on process form of AD.
  While when we manually assigned the Resoruce to user...Form is auto popualted and resource is provisioned to user.
  We are not able to configure out why process form is blank while we are able to see from logs that prepopulate adapters are being called but process form is blank.
  Please Help.

  It is really strange. If you have checked both Auto Save and Auto Prepopulate it should work
  But you try to update your access policy. Edit it and put the IT resource value in the process form and save it. Even verify once again any mandatory field is blank.
  Still not able to do. just go to process form create new version and remove the required property from the given attribute and update it
  If it works fine you can find the issue and update mandatory.
  regards,
  Nishith Nayan

• Multiple resource objects provision issue in OIM10g

  Hi Team,
  We're facing an issue regarding multiple access policy trigger for a specific resource object in OIM.
  The scenario is whenever we try to process the enablement or creation of users through flat file recon, users are created / enabled with multiple resource objects in their resource profiles.
  When we checked in User Resource Access History report, we observe that the access policy has been triggering multiple times for these users resulting in users with multiple resource objects. Amongst these one shows provisioned/Enabled and the other shows provisioning/in some cases Provisioned/Enabled.
  Please advise as this has become an ongoing issue and also has led into data mess-up.
  Appreciate your help on this one..
  Regards,
  Sagar

  The terminology sounds a little confusing to me:
  If you mean you wanna create multiple IT Resources for a single IT Resource Instance so that the user can select the appropriate IT Resource during request creation -> All good upto here. But then since the Object/Request Form attached to a resource would be the same, so any user would always see the same form fields for creationg request.
  Example: Users creating request for Oracle Database Accounts but different server locations
  If it means you just need to create multiple Resource Objects then its a straighaway standard requirement and could be handled with normal Connector Development methodology.
  Example: Users creating requests for different resources like Oracle Database Accounts & Active Directory Accounts

• OID Provisioning issue on OIM 11g

  Hi,
  I have ran the target user recon for OID and noticed from the events that users are not linked. I tried assigning OID User resource from the provisioning workflow on the admin console but I am seeing the following the issue:
  DOBJ.ORC_NO_ORDER
  An error occurred while retrieving process information null : null
  Please help.

  Hi
  Can you verify On your OID resource object in desing console 'Order For User' is chosen.
  Regards
  user12841694

• Out-of-Band provisioning issue

  Hi there,
  I'm migrating from Configmanager 2007 to 2012 SP1 at a customer.
  With CM 2007 I'd succesfully implemented Out-of-band management. Now I'm having some issues with provisioning AMT from CM2012.
  The testing machines have never been provisioned with CM2007.
  The oobmgmt.log at the client logs succesful activated the device.
  At the server in the amtopmgr.log file the follwoing error is logged:
  Error: Can NOT get OTP from target device (MachineId = 16777220)
  I know this has to do with a one time password that is generated...I dont know where I have to look to resolve this issue.
  Part of the amtopmgr logfile:
  >>>>>>>>>>>>>>>Provision task (In Band Provision) begin<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23  
   5268 (0x1494)
  Provision target is indicated with SMS resource id. (MachineId = 16777220 DSK-0925.water.intern)    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Found valid basic machine property for machine id = 16777220.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Warning: Currently we don't support mutual auth. Change to TLS server auth mode.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  The provision mode for device DSK-0925.water.intern is 1.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  The IP addresses of the host DSK-0925.water.intern are 10.10.128.76.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Root hash of provisioning certificate is 2796BAE63F1801E277261BA0D77770028F20EEE4.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Attempting to establish connection with target device using SOAP.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Create provisionHelper with (Hash: FD16D8C6A482C73C12832BC19D5BCABD4460D5A3)    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Set credential on provisionHelper...    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Try to use provisioning account to connect target machine 10.10.128.76...    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:23    5268 (0x1494)
  Core version of target machine 10.10.128.76 is: 9.0.3.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
  Succeed to connect target machine 10.10.128.76 using provisioning account #0.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
  GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientErr = 0.    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
  Get device provisioning state is In Provisioning    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:24    5268 (0x1494)
  Error: Can NOT get OTP from target device. (MachineId = 16777220)    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25    5268 (0x1494)
  CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=13 MUF=0 PCNT=1, P1='DSK-0925.water.intern' P2='' P3='' P4='' P5=''    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25    5268
  (0x1494)
  CStateMsgReporter::DeliverMessages - Created state message file: C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\ikjsq3c0.SMX    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25  
   5268 (0x1494)
  >>>>>>>>>>>>>>>Provision task (In Band Provision) end<<<<<<<<<<<<<<<    SMS_AMT_OPERATION_MANAGER    28-10-2013 13:34:25  
   5268 (0x1494)
  Anyone has a good idea?
  Thanks in advance.
  Mark

  Hi Mark,
  I am experiencing the same issue you are, but only with one machine. I have over 1000 machines that have successfully provisioned, so it's a bit of a mystery at the moment.
  I have confirmed that my failing machine does have a OTP in the SCCM database by running the following query:
  select MachineID ,OTP from dbo.AMT_MachineProperties where HostName = '<machine name>'
  This shows a OTP for each machine, but I'm still having trouble with this one. Did you ever find a solution?
  Thanks,
  Russel

• User Provisioning Issue in Essbase 11.1.2.2

  Hi Experts,
  We have done migration from 11.1.1 to 11.1.2.2 version.Everything went fine but got problem with User provisioning.
  All our users provisioning are managed via Native Groups
  Eg: FIJI_READ,FIJI_WRITE are the Native Groups.
  What we have done is created the Native group provisioned the group with the roles and added the user to the group.
  The problem is the users assigned to these groups “lose” their permissions after sometime. They do still appear to be part of the group when we check in Shared Services, but when we run a MAXL command for a user, say VIBIN:
  DISPLAY USER PRIVILEGE VIBIN;
  It shows the user has having none. The user doesn’t see any cubes on logging in too. From what we’ve seen so far, we can trust the MAXL command output, but not what we see in Shared Services. The user VIBIN still shows as being part of the group FIJI_READ which is provisioned with READ role for the FIJI database. This is very inconsistent behavior.
  The only workaround so far is to directly provision users (i.e.  bypass provisioning via Groups):
  GRANT READ ON DATABASE FIJI.CONSOL TO VIBIN;
  This isn’t very manageable but the ONLY option that seems to be “sticky”. Have anyone gone through this issue  before? Any idea/advice?
  Regards,
  Naveen

  I  exported the Sec file from Security and when i see the content i cant see any groups which are created in Shared Services but only all the applications,databases  and some of the Administrators of the applications only i can see. But normal users who are added in Shared Services to the group i cant able to see.Is there any thing wrong in it.
  Regards,
  Naveen

• ISE Provisioning Issues - Public Certificate & EAP-TLS

  Anyone run into the issues similar to the below?:
  Public Certificate bound for HTTPS
  Internal AD Certificate Bound for EAP
  Issue is SPW or Native Supplicant will be provisioned with Root CA of Public Cert then SCEP enrolls EAP-TLS with Internal CA however as client device (ipad/iphone/android) doesnt get the Internal Root CA provisioned they will fail EAP-TLS communication
  Running ISE 1.1.2 patch2, 2 node-cluster
  Guest Portal being used for Provisioning if AD credentials passed
  Works a treat if i bind both https & eap on the Internal identity ceritficate (only issue then is Guests/BYOD devices get Certificate Warnings on the portal)
  Cheers
  Kam

  the process doesnt fail as such for the onboarding/provisioning on the iphone, however the when entering domain credentials to the guest portal which intiates the onboarding/provisioning process, i notice the root CA certificate is prompted to be installed on the iphone is that of the public certificate instead of the internal root CA, the rest of the user certificate and scep process properly completes however as the root CA for the internal CA wasnt installed i get warnings when connect to our dot1x eap-tls SSID.
  On other devices this process fails which i can only assume is down to the lack of internal root CA cert
  so as per the above im pretty much following this (differentiated access via certificates) :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  however my setup is slighlty different as the EAP & HTTPS indentity certificate is not the internal, i have installed a public cert for HTTPS to remove certificate warnings on guest portal (as BYOD devices and guests will only have non-domain machines thus a public cert removes the certificate warnings)
  does that clarify anymore?
  Cheers
  Kam

• OIM-OID provisionning issue with external plug in with AD

  Hi OIM/OID Guru's,
  We are using OIM with OID connector and having external authentication plug-in feature of OID with AD. Here we are using OID for user profile storage and doing password validation by using external plugin through AD however we have been
  facing one issue which is mentioned below :-
  Whenever we are creating any user in through OIM and found that user is provisioned to the OID target source but populating wrong value of attribute orclSourceObjectDN in OID process form:-
  orclSourceObjectDN = cn=OIDTEST3,CN=Users,DC=oracle-test,DC=oracle,DC=com
  correct value should be orclSourceObjectDN =cn=OIDTEST3,CN=Users,DC=oracle,DC=com
  we don't have any container in OID with DC=oracle-test however not sure how the process form is picking up this value?
  However could you please put more light why it is appending wrong DN in OIM process form? Where should i check for this from OIM side?

  Hi Dear,
  thanks for your reply and we are using OIM 9.x version. Checked Root DN value as you suggested (see below snap shot for oid resource definition):-
  Admin Id     cn=username
  Admin Password     *******
  Group Reconciliation Time Stamp     
  Last Target Delete Recon TimeStamp     
  Last Target Recon TimeStamp     
  Last Trusted Delete Recon TimeStamp     
  Last Trusted Recon TimeStamp     
  Port     6060
  Prov Attribute Lookup Code     AttrName.Prov.Map.OID
  Prov Group Attribute Lookup Code     AttrName.Group.Prov.Map.OID
  Prov Role Attribute Lookup Code     AttrName.Role.Prov.Map.OID
  Role Reconciliation Time Stamp     
  Root DN     DC=oracle,DC=com
  SSL     false
  Server Address     My server name
  Use XL Org Structure     false

• Business Roles Provisioning - Issue

  Hi All,
  We are on GRC SP13.
  We are using business roles for provisioning.
  When i select "CHANGE ACCOUNT" request type and request for business roles through GRC, roles are being assigned to UserID and everything is working fine.
  Issue is with the notification mail user is getting after provisioning. My notification email has details as shown below.
  Hi Padmavathi Sai,
  The Request number : 453 , has been processed and the Request is Closed. The details are as follows:
  PREDDY User created in XXXXXXX
  XXXXXXXXX Business role assigned to PREDDY
  Kind regards,
  Access Control Administrator
  PREDDY UserID is already available in the target system and user selected change account request type, but notification email says that user is created
  Anyone came across this issue?
  Regards,
  Sai.

  Hi Colleen,
  I am using the standard notification template GRAC_AR_CLOSE.
  Hi %FIRST_NAME% %LAST_NAME% (%USER_ID%),
  The Request number : %REQNO% , has been processed and the Request is
  Closed. The details are as follows:
  %PROVISIONING%
  Kind regards,
  Access Control Administrator
  %PROVISIONING% variable shows mail notification as I have mentioned above
  Can you help me with this?
  Regards,
  Sai.

• OIM PeopleSoft UM Connector Provisioning Issue

  Oracle Identity Manager 11.1.2.2.0
  PeopleSoft User Management 11.1.1.6.0
  I am getting the error below whenever I try to provision a peoplesoft account through OIM:
  "Error while executing utility: Cannot connect to peoplesoft : OIMUM@[HOSTNAME] is an Invalid User ID, or you typed the wrong password.  User ID and Password are required and case-sensitive.  Make sure you're typing in the correct upper and lower case."
  For some reason the OIM hostname is appended to the service account when attempting a connection to the target system, and that might be causing the problem. My PeopleSoft system is on a different machine. I tried looking how the hostname gets appended but I no luck in finding the cause of it.
  Any insights on this would be great.

  This issue was resolved due to the system pointing to the wrong PeopleSoft target system.

• OIM AD Provisioning Issue -urgent prodution issue

  Hi,
  We are facing this wierd issue where in user's manager get back the approval screen with Approve button activated even after they have hit the approve button. This is causing partial provisioning to trigger. For the first time provisioning process gets triggered but nothing appears on the resource list for the user, but when the user's manager hits approve button (thinking that approval did not succeed) resource appears on the users resource list in provisioning status, task which determines if account already exist says "Account Already exist".
  Any suggestions or solutions are highly appreciated.
  Thanks in advance

  Hi,
  I just looked into logs for a failed user and found the following:
  ERROR,14 Jan 2011 08:53:52,188,[ABC.ALM.ADAPTER.ACTIVEDIRECTORY],Class/Method: ProcessFormUtil/setValueOnProcessForm encounter some problems: EJB Exception: : java.rmi.AccessException: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=WLXellerateFull, module=xlDataObjectBeans.jar, ejb=tcFormInstanceOperations, method=setProcessFormData, methodInterface=Remote, signature={long,java.util.Map}.
  at weblogic.ejb.container.internal.MethodDescriptor.checkMethodPermissionsRemote(MethodDescriptor.java:560)
  at weblogic.ejb.container.internal.BaseRemoteObject.checkMethodPermissions(BaseRemoteObject.java:115)
  at weblogic.ejb.container.internal.BaseRemoteObject.preInvoke(BaseRemoteObject.java:272)
  at weblogic.ejb.container.internal.StatelessRemoteObject.preInvoke(StatelessRemoteObject.java:52)
  at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.setProcessFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1706)
  at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
  at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(Unknown Source)
  at weblogic.security.Security.runAs(Security.java:41)
  at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
  at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
  at $Proxy82.setProcessFormData(Unknown Source)
  So is this the issue? If yes how can we over come this?
  Thanks again

• OIM 11g R2 PS1 Installation - DBUM provisioning issue

  Hi,
  I am facing issue in DBUM connector provisioning. I have installed connector server and connector on OIM side successfully.
  BUt, when i try to check for Direct Provisioning i get exception log as :
  Thread Id: 20 Time: 2013-06-07 18:18:30.886 Class: org.identityconnectors.framework.server.impl.ConnectionListener Method: processOperationRequest Level: ERROR Message: org.identityconnectors.framework.common.objects.AttributeInfoBuilder.buildCurrentAttributes(Ljava/lang/String;)Lorg/identityconnectors/framework/common/objects/AttributeInfo;
  java.lang.NoSuchMethodError: org.identityconnectors.framework.common.objects.AttributeInfoBuilder.buildCurrentAttributes(Ljava/lang/String;)Lorg/identityconnectors/framework/common/objects/AttributeInfo;
  at org.identityconnectors.dbum.DBSchemaOp.schema(DBSchemaOp.java:80)
  at org.identityconnectors.dbum.DBUMConnector.schema(DBUMConnector.java:310)
  at org.identityconnectors.framework.impl.api.local.operations.SchemaImpl.schema(SchemaImpl.java:45)
  at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:93)
  at $Proxy5.schema(Unknown Source)
  at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:107)
  at $Proxy5.schema(Unknown Source)
  at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:107)
  at $Proxy5.schema(Unknown Source)
  at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
  at $Proxy5.schema(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.identityconnectors.framework.server.impl.ConnectionProcessor.processOperationRequest(ConnectionProcessor.java:287)
  at org.identityconnectors.framework.server.impl.ConnectionProcessor.processRequest(ConnectionProcessor.java:191)
  at org.identityconnectors.framework.server.impl.ConnectionProcessor.run(ConnectionProcessor.java:121)
  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
  at java.lang.Thread.run(Thread.java:662)
  Please provide input to resolve this issue.
  Thanks,
  RPB

  If anyone is faced this issue...please provide helpful pointer on this
  Is it from OIM side or problem with Connector Server installed on DB side ?
  Thanks,
  RPB

• Provisioning issues with password changes

  I have installed and configured IDM7.1+sp3 with our AS Java portal. Most features seems to work OK, except:
  1.1. Changing fullname, display name, address, etc work - but salutation or title info doesn't display correctly (only when language independant).
  1.2. Can lock the user - but not unlock.
  1.3. Can change password (self service or via Management tab) - but password "disappears" and user can't login again via the UI or directly thru the LogonGUI.
  1.4. If the user's password expires, he gets prompted to change it - this change works fine.
  After "devouring" all the documentation I could fine... I read in the Release Notes the following:
  2.1. Users are authenticated by the SAP NetWeaver AS Java (and not by the Identity Center). The password policy of the Identity Center is not used.
        = enabling or disabling "password provisioning" in the Password Policy tab makes no difference then?
  2.2 The login task does no longer exist since the authentication is done by the SAP NetWeaver AS Java (UME).
        = ok I get this part...
  2.3 Change of password is handled by SAP NetWeaver AS Java (UME) and the change password task is no longer available.
        = so the Password Reset tab is also "pointless"?
  2.4 A user's MSKEYVALUE is used as the UME logon ID.
        = right
  2.5 Password reset is handled by SAP NetWeaver AS Java. See SAP NetWeaver Identity Management Identity Center Implementation Guide u2013 Self-service password reset for details
        = (what should I do with this?) I did get this working but stopped with some error about the "encrypt password".
  My SAP landscape is pretty standard (no custom fields/attributes) - so the IDM Provisioning framework should work "out of the box" - in my understanding...
  Any ideas?
  Sorry about the multiple postings - issue with proxy server. Pls ignore/remove the extras.

  Hi.
  I try to give some answers based on my experience below:
  1.1. Changing fullname, display name, address, etc work - but salutation or title info doesn't display correctly (only when language independant).
  >> Have you checked that the user has correct language set in Java UME? Also check that in Presentation page of the corresponding Attribute the Display name parameter is set with corresponding languages used.
  1.2. Can lock the user - but not unlock.
  >> Can you see any errors e.g. in Job Log? Would help to solve the issue
  1.3. Can change password (self service or via Management tab) - but password "disappears" and user can't login again via the UI or directly thru the LogonGUI.
  >> The reason might be the encryption of the password. Typically the UI should take care of the encrypting the password into MX_ENCRYPTED_PASSWORD attribute, especially when you're implementing tasks like Self Service Password Reset. I've noticed that when I disabled the Enable Password Provisioning option for the Identity Store, I got rid of the error regarding attribute MX_ENCRYPTED_PASSWORD and UI automatic encryption started to work. (In my case two way pwd provisioning is not needed) Otherwise if you have issues with encrypted password in your custom tasks, check whether the value is encrypted and use java script to encrypt the password when reading the value form the UI field and saving it to MX_ENCRYPTED_PASSWORD attribute, if applicable.
  Hopefully this helps you even a bit.
  Br. Jukka

• Ordering Resource Provisioning Issues

  Hello Kind IDM Folks,
  We are having a small issue with some of the automatic provisioning IDM handles through roles. We have a role that will provision two resources. One resource is our definitive LDAP resource, and the other resource calls to our LDAP resource to get user attributes from. What we are starting to notice, is that the resource that requires LDAP is being called to provision first, then the LDAP provision is happening. So the first resource provisioning errors out. Then the account is loaded into LDAP fine. The next time the account is updated / saved, a provisioning event is fired off and it works fine.
  Is there any way to control the order that the resources are provisioned to when they are assigned by a role?
  Thanks!
  Jim

  Yes! Order the resources in the order desired and then check the "Update resources in order" checkbox (below the Resources multi-select).
  That setting manifests itself as
  <Role ... ordered='true' ...>
  [etc etc etc]
  </Role>Hope this helps.
  Jason