MIM Event Broker Forum

Welcome to the community forum for MIM Event Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Answered

How to set UNIFYNow security Roles

Adrian Corston 1 year ago updated by Matthew Davis (Technical Product Manager) 5 months ago 2

https://voice.unifysolutions.net/knowledge-bases/8/articles/2717-unifynow-security says "Operations on the UNIFYNow website require the user to be in one of the following four roles: Read, Write, Full, Admin"

How is this done - i.e. how is a user put in a Role?

Answer

Morning Adrian,

I believe this should be done through the App Roles feature of an app registration:

Add app roles and get them from a token - Microsoft Entra | Microsoft Learn

I have a feeling that the config on the documentation may be incorrect, it may look more like this:

<add key="AuthorizeSetting" value="OpenId"></add>
<add key="ida:ClientId" value="{ClientId}"></add>
<add key="ida:AADInstance" value="https://login.windows.net/"></add>
<add key="ida:TenantId" value="{TenantId}"></add>
<add key="ida:PostLogoutRedirectUri" value="{PostLogoutRedirectUri}"></add>

Not many people use the auth feature, so it's also possible that Microsoft have changed a few things in how the auth works and issues claims since the feature was built. At a quick glance, we validate the ClientId and Authority (where Authority is the combination of the AADInstance and TenantId). If you find that it's not working as expected, let us know and we can investigate to see if any changes are needed.

0
Answered

Edit operation return 404 Not Found for /Operation/CreateRunProfileOperationChooseManagementAgentByViewInformation

Adrian Corston 11 months ago updated by Beau Harrison (Senior Product Software Engineer) 11 months ago 3


New UNIFYNow installation with extensibility files copied across from an older server as part of a server migration. Other parts of the UNIFYNow UI are working fine, such as below. It seems to be just the /Operation/CreateRunProfileOperationChooseManagementAgentByViewInformation that shows the error.

Both the old and new UNIFYNow installs are v4.0.4


What have I misconfigured or missed?

0
Declined

Azure AD check operation

Bob Bradley 8 years ago updated by Matthew Davis (Technical Product Manager) 12 months ago 5

When a FIM Event Broker configuration includes an incoming operation list for the WAAD (OOTB Windows Azure AD) connector, a check operation is required which can be used to poll AAD for changes.

Answer

Closing as UNIFYNow is in maintenance mode, so no feature requests are currently slated.

0
Not a bug

KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

Bob Bradley 2 years ago updated by Matthew Davis (Technical Product Manager) 1 year ago 2

Microsoft server hardening for DCOM and RPC is now underway, with stage 2 (June 14, 2022) of the timeline described in KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) (microsoft.com) having just passed.

At least one customer has reported that the Microsoft Security Update has adversely impacted one or more MIM agents, and has cited the above article as how they identified the root cause. This customer is now after a patch before stage 3 has elapsed and the stated registry key override setting will no longer work.

There is now a possibility other UNIFYNow customers who have also installed the same security update(s) are going to also run into similar problems in the coming weeks, and as a result there will need to be a patch developed for all such customers.

Between now and March 14 2023, the registry change described in the linked article above will allow business continuity for UNIFYNow customers, while advice on the availability of a patch is pending.

Thanks.

Answer

Closing as no further feedback was provided, and the above date has come and gone without any further reports of the issue.
Feel free to re-open the ticket if the issue presents and further details on the behaviour are available.

0
Answered

EB FIM agent failing with "Invalid namespace"

Carol Wapshere 12 years ago updated by Bob Bradley 2 years ago 4

A fresh installation of EB 3.0.0. SQL is local with only the Default instance. The customer has installed EB using the FIM Sync service account which is a local administrator and a member of the FIMSyncAdmins group. We also have the same config in Dev which worked fine.

The FIM Agent fails with "Invalid namespace". I searched Jira for this message but couldn't find anything. Do you know what it means?

Note: customer wants to test update to 3.2.0 on this server which is why we've installed an older version.

0

Ability to pause a running Operation List

Adrian Corston 4 years ago 0

Sometimes I wish I could pause an Operation List (after the current operation completes, obviously), perform some manual steps, and then restart it from the same place.

0
Published

UNIFYNow Invalid Cast Exception

Ravneel Lal 4 years ago updated by Beau Harrison (Senior Product Software Engineer) 4 years ago 9

Getting the following error in Event Broker. Running version: 4.0.4 Rev 1

Operation AD MA - Delta Import and Delta Sync with id 72e8799b-cbf2-402b-9d2e-119957d9cfc2 failed in the operation list REDACTED Outgoing with id 21bb9f43-c07e-42db-bb21-118e7752123c for the following reason. This is retry number 0: System.InvalidCastException: The agent of type IdentityBrokerAgentAuditingDecorator was not of requested type IMIMAgent.
at Unify.Product.EventBroker.AgentExtensions.GetTypedAgent[TAgent](IAgent agent)
at Unify.Product.EventBroker.AgentEngineRepository.GetAgent[TAgent](Guid agentId)
at Unify.Product.EventBroker.RunProfilePlugInFactory.CreateComponent(IOperationFactoryInformation factoryInformation)
at Unify.Framework.ExtensibilityPlugInGenerator`4.CreateComponent(TFactoryInfo factoryInformation)
at Unify.Product.EventBroker.OperationListExecutorBase.RunNextOperations(IEnumerator`1 operationEnumerator)

0
Answered

WMI Deprecated from AAD Connect from version 1.4.18.0

Bob Bradley 4 years ago updated by Matthew Davis (Technical Product Manager) 4 years ago 6

In attempting to upgrade an existing UNIFYNow site to work with the latest AAD Connect version, I found that the microsoftidentityintegrationservice WMI namespace was missing. This was preventing the successful creation of an AAD Connect agent for the new AAD Connect host.

After locating articles on how to restore this namespace, I found this reference which stated "... the deprecated WMI endpoints for MIIS_Service have now been removed ...". Furthermore, the local ADSyncAdmins, ADSyncBrowse, ADSyncOperators and ADSyncPasswordSet groups no longer exist, these being the security roles associated with the WMI namespace.

Guidance in the above reference is now this: "Any WMI operations should now be done via PS cmdlets"

Does this mean that UNIFYNow will not support AAD Connect from version 1.4.18.0 onwards, or is work underway to change the agent to connect via PS?

Answer

Thanks Bob. I've updated the article to contain this information.

0

Support for Group Managed Service Accounts (gMSA)

Bob Bradley 4 years ago updated 4 years ago 1

Microsoft has just published this MIM article which explains how to configure the MIM Sync and Server service accounts to be gMSA (ones that don't require passwords).

To make for a more compelling business case to leverage this at MIM sites it would help if UNIFYNow (and UNIFYBroker for that matter) also supported gMSA. This would help simplify MIM/Broker deployments at customer sites.

Can we please have this feature request put forward for consideration?

0
Under review

Operation List Queue Management

Hayden Gray 5 years ago updated 4 years ago 2

Hi Guys,

Just a feature request that I think would bring some useful functionality. I have recently had some scenarios where queued operation lists have executed when they shouldn't have due to the scheduler running throughout a change, or where I have accidentally queued a long-running operation twice. Currently the only way to clear the queue is to restart the service, which then disposes of all other operations that have been queued.

I think it would be beneficial to be able to view and clear specified operations from the operation list queue. Let me know what you think or whether you need any further information.

Thanks,

Hayden