mapping with destination attribute ‘name’ has a source attribute marked as export-only

Recently I ran into an issue with MIM 2016 and SharePoint 2016 while exporting a string (Multi-Value) user profile property from SharePoint to AD.

Well, I will not go into detail on the MIM and SharePoint 2016 configuration for export operations. There are articles around if you are interested; please check:
https://thesharepointfarm.com/2016/03/using-mim-to-export-attributes-from-sharepoint-2016/

So, to reproduce the issue:
I created a User Profile Property of type string (Multi-Value) from User Profile Service -> Manage User Properties. That was the easy part. (Please note that I did not select any TermSetId when creating the property.)

We need to "Refresh Schema" on the Management Agent for SharePoint (SPMA) to discover the newly created property. That succeeded without issue. But there is a problem: when you export the schema.xml of the SPMA, you will notice that the property is marked as "Export-Only":

dsml:attribute ref="#Rooms" required="false" ms-dsml:isAnchor="false" ms-dsml:allowedOperation="ExportOnly"

That means you cannot import that property from SharePoint to the Metaverse. (Note the direction: for the SPMA, Export means Metaverse to SharePoint, and Import means SharePoint to Metaverse.)

So it will not allow you to create an "Attribute Flow" in the other direction (Import) in the SPMA properties. I got a very definitive error: "EXPORT-ONLY".
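Before building any Import flow, it helps to know every attribute the exported schema marks Export-Only. The script below is an added example, not code from the original post: it lists those attributes from an SPMA schema.xml. The XML inside it is a constructed stand-in for a real export, and the dsml/ms-dsml namespace URIs in it are assumptions, which is why the XPath matches on local names only.

```powershell
# Added example, not from the original post: list every attribute that an exported
# SPMA schema.xml marks ms-dsml:allowedOperation="ExportOnly", i.e. the properties
# MIM will refuse an Import attribute flow for (the IAF error quoted in the post).
# The XML below is a constructed stand-in; the namespace URIs are assumptions.
$sampleSchema = @'
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML" xmlns:ms-dsml="http://www.microsoft.com/MMS/DSML">
  <dsml:directory-schema>
    <dsml:class id="user">
      <dsml:attribute ref="#AccountName" required="true" ms-dsml:isAnchor="true" ms-dsml:allowedOperation="ImportExport"/>
      <dsml:attribute ref="#Department" required="false" ms-dsml:isAnchor="false" ms-dsml:allowedOperation="ImportExport"/>
      <dsml:attribute ref="#Rooms" required="false" ms-dsml:isAnchor="false" ms-dsml:allowedOperation="ExportOnly"/>
    </dsml:class>
  </dsml:directory-schema>
</dsml:dsml>
'@

function Get-ExportOnlyAttribute {
    param([Parameter(Mandatory)][xml]$Schema)
    # local-name() keeps the query independent of the exact namespace URIs in the file.
    $xpath = "//*[local-name()='attribute' and @*[local-name()='allowedOperation']='ExportOnly']"
    foreach ($match in (Select-Xml -Xml $Schema -XPath $xpath)) {
        $node = $match.Node
        [pscustomobject]@{
            Class     = $node.ParentNode.GetAttribute('id')
            Attribute = $node.GetAttribute('ref').TrimStart('#')
            Required  = $node.GetAttribute('required')
        }
    }
}

# For a real export use: Get-ExportOnlyAttribute -Schema ([xml](Get-Content -Raw .\schema.xml))
$exportOnly = Get-ExportOnlyAttribute -Schema ([xml]$sampleSchema)
$exportOnly | Format-Table -AutoSize

# An Import flow whose source is one of these attributes is exactly what the
# "has a source attribute marked as export-only" error rejects on Refresh Schema.
foreach ($a in $exportOnly) {
    Write-Warning "'$($a.Attribute)' ($($a.Class)) is ExportOnly: an Import flow from it will fail; change the connector setting instead of editing the schema."
}
```

Editing the exported XML by hand only hides the flag until the next Refresh Schema, so treat a non-empty list as something to fix on the connector, not in the file.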

So I tried to work around this by modifying the SPMA schema XML: export the Management Agent, edit the XML to remove ms-dsml:allowedOperation="ExportOnly", and update the Management Agent with the new XML. But no luck.
Well, it worked at the beginning and I was able to export my value to AD, until I needed to "Refresh Schema" for the SPMA. Then I got the following error in the event viewer:

“BAIL: MMS(10132): ..\cdext.cpp(416): 0x80070057 (The parameter is incorrect.)
BAIL: MMS(10132): ..\xstack.cpp(405): 0x80070057 (The parameter is incorrect.)
BAIL: MMS(10132): ..\xparse.cpp(436): 0x80070057 (The parameter is incorrect.)
BAIL: MMS(10132): ..\iafparse.cpp(2423): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.): IAF: mapping with destination attribute ‘Rooms’ has a source attribute marked as export-only
BAIL: MMS(10132): ..\xstack.cpp(540): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
BAIL: MMS(10132): ..\xparse.cpp(544): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
BAIL: MMS(10132): ..\iafexec.cpp(141): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
ERR_: MMS(10132): ..\mastate.cpp(12497): Error creating import attribute flow rules object: 0x8023050e
BAIL: MMS(10132): ..\mastate.cpp(12585): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
BAIL: MMS(10132): ..\mastate.cpp(6263): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
BAIL: MMS(10132): ..\ma.cpp(670): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
BAIL: MMS(10132): ..\ma.cpp(928): 0x8023050e (The import attribute flow rules XML defines an invalid/incomplete rule.)
Forefront Identity Manager 4.4.1302.0”

After hours of investigation I noticed that it is related to the TermSetId in the Profile DB.
I checked and compared the properties in the database and noticed that if I create a multi-value string, even without a term set ID, it stores an empty GUID, while the other properties were NULL. So I manually set it to NULL (which is not supported) to test. Voilà, now I could refresh the schema again and everything worked fine. But this is not a valid resolution; it is not supported. And what if I want to use a Term Set Id with that profile property?

Luckily it was resolved by the SharePoint team a long time ago, but it is not documented anywhere, or I did not find it.

Resolution:
The SharePoint Connector (build 4.3.2036.0 or higher) has a new setting. Enabling "Import auto-updated attributes" on the Connectivity tab of the SharePoint Connector allows us to import an attribute that has a TermSetID other than NULL.

https://support.microsoft.com/en-us/help/3156030/hotfix-rollup-build-4.3.2201.0-is-available-for-forefront-identity-man

It also resolved my issue with the Multi-Value string without a TermSetId (even though it has an empty GUID rather than NULL).

Unable to open BDC Service Application UI from Central Admin site

Here is the issue definition: if we go to Central Admin -> Manage Service Applications -> Business Data Connectivity Service Application, we get an error:

"Something went wrong" and a Correlation ID.
Error message seen:
Event ID 8085 in Event Viewer: The BDC Service application Business Data Connectivity Service is not accessible. The full exception text is: Access is denied.
In the logs:
SPIisWebServiceAuthorizationManager: SPIisWebServiceApplication with name ‘Business Data Connectivity Service’ and type ‘Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication’ received request with ServiceSecurityContext whose primary identity has no valid data to check against ACL.
An exception occurred while writing a service call usage entry. Exception details: System.ObjectDisposedException: Safe handle has been closed
at System.Runtime.InteropServices.SafeHandle.DangerousAddRef(Boolean& success)
at Microsoft.Win32.Win32Native.GetTokenInformation(SafeTokenHandle TokenHandle, UInt32 TokenInformationClass, SafeLocalAllocHandle TokenInformation, UInt32 TokenInformationLength, UInt32& ReturnLength)
at System.Security.Principal.WindowsIdentity.GetTokenInformation(SafeTokenHandle tokenHandle, TokenInformationClass tokenInformationClass)
at System.Security.Principal.WindowsIdentity.get_User()
at System.Security.Principal.WindowsIdentity.GetName()
at System.Security.Principal.WindowsIdentity.get_Name()
at Microsoft.SharePoint.Utilities.SPUtility.GetCurrentThreadUserLogin(Boolean fFallbackToEnv)
at Microsoft.SharePoint.Administration.SPUsageManager.LogUsage(SPUsageEntry usageEntry)

The BDC Service application Business Data Connectivity Service is not accessible. The full exception text is: Access is denied.

When we try to open the BDC service from the Central Administration site, we are making a WCF request to the Business Connectivity Service:

Name=Request (GET:http://contoso.com:3760/_admin/BDC/ViewBDCApplication.aspx?AppId=ec61c2eb-a874-4dfd-8245-0476da3d2731)
WcfSendRequest: RemoteAddress: ‘http://contoso.com:32843/b02ca86c7cb94143bb8277579dbc505c/BdcService.svc/http’ Channel: ‘Microsoft.SharePoint.BusinessData.SharedService.IBdcServiceApplication’ Action: ‘http://www.microsoft.com/Office/2009/BusinessDataCatalog/BusinessDataCatalogSharedService/MetadataObjectCreate’
WcfReceiveRequest: LocalAddress: ‘http://contoso.com:32843/b02ca86c7cb94143bb8277579dbc505c/bdcservice.svc/http’ Channel: ‘System.ServiceModel.Channels.ServiceChannel’ Action: ‘http://www.microsoft.com/Office/2009/BusinessDataCatalog/BusinessDataCatalogSharedService/MetadataObjectCreate’

We are facing an authentication problem with Claims authentication. It looks like the user is not authenticated.

So it brings us to the "Security Token Service" application, which is called before the BDC request:

Claims Authentication af3y2 VerboseEx STS Call Claims Windows: Adding claim with type ‘http://sharepoint.microsoft.com/claims/2009/08/isauthenticated’, value ‘False’, value type ‘http://www.w3.org/2001/XMLSchema#string’, issuer ‘SharePoint’ and original issuer ‘SecurityTokenService’.
Claims Authentication af3y1 VerboseEx We are copying claim with type ‘http://sharepoint.microsoft.com/claims/2009/08/isauthenticated’, value ‘False’, value type ‘http://www.w3.org/2001/XMLSchema#string’, issuer ‘SharePoint’ and original issuer ‘SecurityTokenService’.

Resolution and troubleshooting suggestions:

-> Check that the BDC Service Application has only Anonymous Authentication enabled and Windows Authentication disabled.
-> Check that the Security Token Service has both Anonymous and Windows Authentication enabled.
-> Check IIS > SharePoint Web Services > only Windows Authentication should be enabled.
-> Check that the BDC Service Application Anonymous Authentication identity is set to "IUSR".
-> Check that the top-level IIS Anonymous Authentication identity is set to "IUSR":

1. Open IIS Manager.
2. Highlight the server name.
3. Select Authentication from the center pane.
4. Highlight "Anonymous Authentication" and make sure it is Enabled.
5. Click "Edit...".
6. Select the "Specific user" radio button and click "Set".
7. Enter IUSR in the "User name:" box of the Set Credentials window.
— Note: you do not need to enter a password.
8. Click OK, then OK again to apply.
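The same checklist can be read back from IIS instead of clicking through each node. The script below is an added example, not from the original post: it uses the WebAdministration module on the SharePoint server and prints each expected value beside the actual one. The BDC application folder name (the GUID under SharePoint Web Services) is an assumption taken from the WCF address in the log above; use the one from your own farm.

```powershell
# Added example, not from the original post: read back the IIS authentication settings
# from the checklist above. Run in an elevated PowerShell window on the SharePoint server.
Import-Module WebAdministration

function Get-AuthSetting {
    param(
        [string]$Location,   # '' reads the server-level defaults in applicationHost.config
        [string]$Scheme,     # anonymousAuthentication or windowsAuthentication
        [string]$Name        # enabled or userName
    )
    $splat = @{
        PSPath = 'MACHINE/WEBROOT/APPHOST'
        Filter = "system.webServer/security/authentication/$Scheme"
        Name   = $Name
    }
    if ($Location) { $splat['Location'] = $Location }
    (Get-WebConfigurationProperty @splat).Value
}

$site = 'SharePoint Web Services'
$sts  = "$site/SecurityTokenServiceApplication"
$bdc  = "$site/b02ca86c7cb94143bb8277579dbc505c"   # assumption: your BDC endpoint folder

# One row per checklist item: the scope, the setting, and what the post expects there.
$checks = @(
    @{ Item = 'Server anonymous enabled';   Expected = 'True';  Actual = Get-AuthSetting '' 'anonymousAuthentication' 'enabled' }
    @{ Item = 'Server anonymous identity';  Expected = 'IUSR';  Actual = Get-AuthSetting '' 'anonymousAuthentication' 'userName' }
    @{ Item = 'Web Services windows on';    Expected = 'True';  Actual = Get-AuthSetting $site 'windowsAuthentication' 'enabled' }
    @{ Item = 'Web Services anonymous off'; Expected = 'False'; Actual = Get-AuthSetting $site 'anonymousAuthentication' 'enabled' }
    @{ Item = 'STS anonymous on';           Expected = 'True';  Actual = Get-AuthSetting $sts 'anonymousAuthentication' 'enabled' }
    @{ Item = 'STS windows on';             Expected = 'True';  Actual = Get-AuthSetting $sts 'windowsAuthentication' 'enabled' }
    @{ Item = 'BDC anonymous on';           Expected = 'True';  Actual = Get-AuthSetting $bdc 'anonymousAuthentication' 'enabled' }
    @{ Item = 'BDC windows off';            Expected = 'False'; Actual = Get-AuthSetting $bdc 'windowsAuthentication' 'enabled' }
    @{ Item = 'BDC anonymous identity';     Expected = 'IUSR';  Actual = Get-AuthSetting $bdc 'anonymousAuthentication' 'userName' }
)

foreach ($c in $checks) {
    # Compare as strings so $true/'True' and a blank userName both display cleanly.
    $state = if ("$($c.Actual)" -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-9} {1,-28} expected={2,-6} actual={3}' -f $state, $c.Item, $c.Expected, $c.Actual
}
```

A blank userName means the anonymous identity is the application pool identity rather than IUSR, which is the case the last two checklist items are meant to catch.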

Loading this assembly would produce a different grant set from other instances. (Exception from HRESULT: 0x80131401)

The error when the issue happens (related to the legacyCasModel setting):
Loading this assembly would produce a different grant set from other instances. (Exception from HRESULT: 0x80131401)

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.IO.FileLoadException: Loading this assembly would produce a different grant set from other instances. (Exception from HRESULT: 0x80131401)

Recently we have been facing many issues with the above exception. The affected products are SharePoint 2013 and SharePoint 2016. Mostly the cases are opened as CritSit because SharePoint is down.

• We typically see these errors with non-SharePoint code running in the process, such as SCOM's APM agent or third-party monitoring software, or, very unlikely, .NET patches.
• Specifically in our case, we found the environment running the APM monitoring agent: APMAGT
• The most likely way this issue came to be is that the CLR core was trying to optimize a reload of the instrumentation agent with an incompatible CAS grant set. This usually happens when the SharePoint site web.config is set to use the legacy CAS model, as introduced in .NET version 4, and provokes the error described above. Refer to https://msdn.microsoft.com/en-us/library/vstudio/dd984947(v=vs.100).aspx for a reference of the CAS changes in ASP.NET 4.

I have seen many misleading articles, even on TechNet blogs, where incorrect resolutions are suggested for this problem.

One of them is changing the legacy CAS model setting.
Out of the box for SharePoint products, the legacy CAS model is a requirement, so we have this value in every SharePoint web site's web.config:
trust level="Full" originUrl="" legacyCasModel="true"
(This is correct!!!)
People are resolving this problem by setting legacyCasModel="false", which is NOT SUPPORTED.

You should not change it; we need it for backward compatibility and dependency reasons. Disabling this property causes anomalies.

Please be aware of the meaning of NOT SUPPORTED: it does not mean your SharePoint will not work. It may work, but we may not give support unless you roll back your changes, and we cannot foresee any other anomalies.

Another incorrect resolution:
Create a new registry DWORD value called LoaderOptimization and give it the value 1 under the key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework"
Perform an IISRESET and check the web apps' behaviour.

In the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework', create a new 'DWORD (32-bit) Value' named "LoaderOptimization" with the value 1 (decimal or hexadecimal, as they are the same).
In the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework', create a new 'DWORD (32-bit) Value' named "LoaderOptimization" with the value 1 (decimal or hexadecimal, as they are the same).

This configuration disables the loader optimization of the assemblies that provoke the aforementioned behaviour, by forcing assembly loading into SingleDomain mode.

And this is also NOT SUPPORTED by Microsoft.
There are two reasons for this.
1) These settings are not tested by the product group. (SharePoint is not designed to work in SingleDomain mode.)
2) Let's have a look at what the LoaderOptimization enumeration is:
https://msdn.microsoft.com/en-us/library/system.loaderoptimization(v=vs.100).aspx
We are setting "LoaderOptimization" to 1, which means the "SingleDomain" mode:
"Indicates that the application will probably have a single domain, and loader must not share internal resources across application domains."
SharePoint has many assemblies in many different locations with different permissions, and a very complex loading model that depends on logic and fallbacks from CAS to GAC or vice versa.
Forcing SharePoint into SingleDomain mode prevents the sharing of loaded images and assemblies across application domains, which affects performance and loading times, and
SharePoint uses different permission sets at the app domain level; MultiDomain is a requirement to provide all SharePoint functionality for security reasons.

And another thing: this registry change may also affect your other .NET applications (of any kind), because it is a .NET-level change.

So what should we do?
– First, find out which DLL(s) are causing this problem, and verify that the issue is resolved when you uninstall the related product.
For example:
"Microsoft.EnterpriseManagement.OperationsManager.Apm.Instrumentation, Version=7.0.5000.0"
"Microsoft.EnterpriseManagement.OperationsManager.Apm.InstrumentationUtils, Version=7.0.5000.0"
– This is mostly a third-party monitoring tool, or even Microsoft SCOM.
These kinds of tools, or a component belonging to them, inject their assemblies into the SharePoint worker process.
And SharePoint is a very special, complex black box; whatever you say, we cannot support it if you do this.
For SCOM 2012/2016 we know the reason: the APM component causes this.
And we have the following article stating that you cannot deploy APM on SharePoint servers. It is NOT SUPPORTED.

https://technet.microsoft.com/en-us/library/jj614617.aspx?tduid=(1dfb939b69d4a5ed09b44f51992a8b97)(256380)(2459594)(TnL5HPStwNw-v0X_tBOK3jzpbtaadMW8RA)()
Client-side .NET Application Performance Monitoring (APM) is not supported for SharePoint. Enabling client-side .NET Application Performance Monitoring for SharePoint can result in unpredictable application behavior and failures.

Well, I am not a SCOM expert, but the following actions help you deploy SCOM without APM.

NOTE! Workaround: installing the SCOM Agent with the NOAPM=1 switch prevents the copying of the .NET APM-related DLLs; as a result the w3wp.exe process cannot load the problematic components, which live under C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\*.

1) Uninstall the SCOM Agent manually on the SharePoint servers.
2) Delete the "C:\Program Files\Microsoft Monitoring Agent" folder on your SharePoint servers.
3) Copy the SCOM Agent folder from your SCOM Management Server to the SharePoint servers. The Agent folder can be found under C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\AgentManagement\amd64 on your SCOM Management Servers.
4) Open an elevated cmd window on your SharePoint server and install the SCOM Agent manually with the NOAPM=1 switch, as in the example below.
Example: msiexec /i momagent.msi NOAPM=1
5) Afterwards, install your Update Rollups. The Update Rollup currently installed on your SCOM Management Server is also available inside the Agent folder:
C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\AgentManagement\amd64
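Before opening a case or changing anything, it is worth collecting the facts this post says matter: whether either unsupported workaround (the LoaderOptimization value or legacyCasModel="false") is already in place, whether the APM files are on disk, and whether APM components are loaded in the worker processes. The script below is an added example, not from the original post; it only reads state and uses the registry keys and paths quoted above.

```powershell
# Added example, not from the original post: gather, without changing anything, the
# facts that matter on a SharePoint 2013/2016 server showing 0x80131401. Run elevated.
Import-Module WebAdministration
$findings = @()

# 1. LoaderOptimization=1 (SingleDomain) is the unsupported registry workaround.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework') {
    $item = Get-ItemProperty -Path $key -Name LoaderOptimization -ErrorAction SilentlyContinue
    if ($item) { $findings += "UNSUPPORTED registry: $key\LoaderOptimization = $($item.LoaderOptimization)" }
}

# 2. legacyCasModel must remain "true" in every SharePoint site's web.config.
foreach ($site in Get-Website) {
    $root   = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $config = Join-Path $root 'web.config'
    if (-not (Test-Path $config)) { continue }
    $trust = ([xml](Get-Content -Raw $config)).configuration.'system.web'.trust
    if ($trust -and $trust.legacyCasModel -ne 'true') {
        $findings += "UNSUPPORTED web.config: site '$($site.name)' has legacyCasModel='$($trust.legacyCasModel)'"
    }
}

# 3. APM files on disk mean the agent was installed without the NOAPM=1 switch.
$apmDir = 'C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent'
if (Test-Path $apmDir) { $findings += "PRESENT: $apmDir (SCOM agent installed without NOAPM=1)" }

# 4. Native APM modules (e.g. PerfMon64.dll) inside the worker processes. Process.Modules
#    lists LoadLibrary-loaded images only, so IL-only instrumentation assemblies may not show.
foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    foreach ($m in ($proc.Modules | Where-Object { $_.FileName -like '*APMDOTNETAgent*' })) {
        $findings += "LOADED: w3wp.exe pid $($proc.Id) has $($m.FileName)"
    }
}

if ($findings.Count -eq 0) { 'No unsupported settings or APM components found.' } else { $findings }
```

Rerun it after reinstalling the agent with NOAPM=1: items 3 and 4 should disappear, and anything still reported under 1 or 2 is a change that needs to be rolled back before asking for support.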

Recently we faced some other issues with SCOM: even if you have not deployed APM, it is still injecting some code into SharePoint, which breaks our worker process.
In this condition please open a ticket with the MS SCOM support team.
The related DLL was:
"C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\V7.1.10184.0\PerfMon64.dll"

I hope this helps you take the correct actions.