Question Status

Verified
Brian_DiFi asked a question on 7 Nov 2011 1:45 PM

I have BP 5.1 R2 with GP 2010 R2.

I've created a rule within the security synchronization utility to sync the SharePoint "BP Employee" group to the BP MBF "Employee" role.  

The users come across but all of the Employee's are showing as "unspeficied" and are not linked to their employee record.  

Can I make the utility search by last name or anything similar?  

Will I need to touch each record and choose the right employee number?

Thanks!

Reply
Verified Answer
Grant Swenson[MSFT] responded on 7 Nov 2011 2:24 PM

Brian, thanks for using the forums!

The security synchronization utility is not designed to bring across the specific employee IDs, it can only map the role itself, between the systems. Another option would be to "add" these users via the BP Add Users Wizard, which has some Employee ID matching logic, and then synchronize that group from BP MBF Employee over to Sharepoint "BP Employee". Otherwise, yes, you will need to touch each MBF mapping to assign a specific instance of an employee to each user.

Good luck!

Grant Swenson [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Reply
Verified Answer
Grant Swenson[MSFT] responded on 7 Nov 2011 2:24 PM

Brian, thanks for using the forums!

The security synchronization utility is not designed to bring across the specific employee IDs, it can only map the role itself, between the systems. Another option would be to "add" these users via the BP Add Users Wizard, which has some Employee ID matching logic, and then synchronize that group from BP MBF Employee over to Sharepoint "BP Employee". Otherwise, yes, you will need to touch each MBF mapping to assign a specific instance of an employee to each user.

Good luck!

Grant Swenson [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Reply
Brian_DiFi responded on 7 Nov 2011 2:34 PM

Thank you.  The plan was to keep an AD group in the SP group and push it through into BP's MBF.  

Sounds like we may still do that for the initial load and then match the records.  

The Add New Users domain drop down doesn't work which makes adding them one by one tedious.

Reply
Grant Swenson[MSFT] responded on 7 Nov 2011 3:06 PM

Yes, that sounds like a good plan.

Have you looked into the BusinessFramework.config file, in the "bin" directory? You may want to try editing the Microsoft.BusinessFramework.Portal.Administration.ActiveDirectoryReaderConfig section with a tag called: "useAlternativeDomainLookup". Flipping it's value may help (from true to false, or vice versa). There are a few ways to interact with Active Directory. (Don't forget to make a backup of that file--I believe it's in your WSS Virtual Directory's bin folder.)

Grant Swenson [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Reply
Brian_DiFi responded on 8 Nov 2011 7:02 AM

I did not try that, didn't know about that item.  Is there a white paper or a blog post about that file and it's switches?

Reply
Grant Swenson[MSFT] responded on 8 Nov 2011 7:37 AM

I could find KB 914166 on that setting, but it's not very descriptive. I recall it has something to do with NT4 compatibility (which was necessary when BP 1.0 shipped, but hasn't been as important since then).

I also found some other directions, you may or may not find helpful:

(RE: issue with Mixed Mode Windows 2000 domains)

The workaround is to set Microsoft.BusinessFrameworkIdentity COM+ Object to run under a Domain User account rather then Network Service.

Use the following steps below to change it.

1. At the web server, go to Start | Administrative Tools | Component Services.

2. Click the + sign next to Component Services.

3. Click the + sign next to Computers.

4. Click the + sign next to My Computer.

5. Click the + sign next to COM + Applications.

6. Right-click the Microsoft.BusinessFrameworkIdentity and go to Properties.

7. Choose the Identity Tab and make sure to use a Domain User account and not the default Network Service.

I'm not sure if the above is reversible, so please use your best judgement when following those steps.

Grant Swenson [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Reply
Brian_DiFi responded on 8 Nov 2011 9:19 AM

Thank you very much for that KB article!  I switched it from False to True, restarted IIS, and wallah, there is the domain and the groups.  

Reply
Grant Swenson[MSFT] responded on 8 Nov 2011 10:03 AM

Glad to hear it!

Reply