Cannot find imported users on FIM portal
Hi guys,
I'm doing a test lab from TechNet:
Importing users from AD to FIM
http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx
After import I can see a Projection number greater than 0, so some user objects have been imported to FIM. But when I open the FIM portal I cannot find any AD users on the Users tab.
Any ideas?
May 20th, 2011 1:32pm
If I search connector space both AD agent and FIM agent I can see users there though...
May 20th, 2011 3:09pm
I think you need to run an export for the FIM MA, that will create the users within the FIM portal.
Need realtime FIM synchronization? check out the new http://www.traxionsolutions.com/imsequencer that supports FIM 2010 and Omada Identity Manager real time synchronization!
May 20th, 2011 4:11pm
I get this error when I try to run Export for FIM MA:
There is an error executing a web service object creation request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Fault Reason: Policy prohibits the request from completing.
Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"></RequestFailures>
Stack Trace: at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
Inner Exception: Policy prohibits the request from completing.
May 20th, 2011 4:39pm
There is probably an MPR that is not configured to allow what you want. What are you creating? Groups, users?
May 20th, 2011 4:46pm
Users.
That's what I have when I check MPR status with the script:
FIM MPR Configuration For Synchronization Check
===============================================
PS C:\Users\fimservice> c:\checkmpr
MPRs that need to be enabled:
-General: Users can read non-administrative configuration resources
-User management: Users can read attributes of their own
Caution: Your current MPR configuration requires your attention!
May 20th, 2011 5:12pm
Can you use the Policy Explorer and check if the sync engine is allowed to create the users? Maybe you missed some MPR.
May 23rd, 2011 9:59am
I enabled both rules that were pointed out by the script, so now it says everything is OK with policies, but I still get the same error.
I checked the MPR list on the FIM portal - looks fine to me (though I don't exactly know how they have to be set).
May 23rd, 2011 12:32pm
You can use the Policy Explorer and set the requestor to the Synchronization account and see if there is a grant permission on the user (People) object.
But I think this policy should be there by default:
"Synchronization: Synchronization account controls users it synchronizes", which has "Create Resource" checked.
Are you sure you are only creating users on export? Is the error thrown for all objects in the connector space during export?
May 23rd, 2011 12:53pm
Yes, Paul, it's for all objects which are to be exported.
Just to make it clear, do you mean this page as a policy explorer?
http://rmststim01/IdentityManagement/aspx/policy/AllPolicies.aspx
I've enabled all rules except the ones that are about permissions for users themselves...
The "Synchronization: Synchronization account controls users it synchronizes" rule has the following settings:
Create, Delete, Add, Modify, Remove
May 23rd, 2011 1:53pm
No, I mean this link:
http://localhost/identitymanagement/aspx/policy/PolicyExplorer.aspx?_p=1
The URL you provided shows all the policies; the "Explore" button is on the button bar above, next to "New, Details and Delete".
May 23rd, 2011 1:57pm
I've tried to check permissions via Policy browser, but cannot define the target resource. I can only choose from 2 accounts: fim service and built-in synchronization account.
May 23rd, 2011 6:13pm
I've added the FIM Service account to the Domain Admins group. Now while trying to export users I get the following error message:
There is an error executing a web service object request.
Type: System.ServiceModel.EndpointNotFoundException
Message: Could not connect to http://localhost:5725/ResourceManagementService/MEX. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:5725.
Stack Trace:
Server stack trace:
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.ServiceModel.Description.IMetadataExchange.Get(Message request)
at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()
at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.get_Instance()
at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.get_SchemaManager()
at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)
Inner Exception: Unable to connect to the remote server
And after it there are all the usual PermissionDeniedException errors...
How can I check whether web services are ok?
May 23rd, 2011 6:28pm
Created a user on the FIM portal and checked the Built-in Synchronization Account permissions on it. There's the
"Synchronization: Synchronization account controls users it synchronizes" rule with
Create, Delete, Add, Modify, Remove permissions.
I suppose it's a web service or SQL issue...
May 24th, 2011 5:56pm
I'm still looking for the answer...
June 15th, 2011 9:29am
There is no reason why you should add the FIM Service account to Domain Admins. Portal permissions are managed entirely internally and are not affected by AD permissions. You mention an EndpointNotFoundException - did this happen right after you added the account to domain admins? What happens when you remove it from that group?
The error "Policy prevents the request from completing" is only ever about one thing - MPRs not set correctly. You mentioned the Sync account MPR - but what is listed in Target Attributes? The simplest thing is to set it to "All attributes" because there may be just one single attribute not explicitly listed, but which you are trying to export to the Portal. That is enough to block the export.
http://www.wapshere.com/missmiis
June 15th, 2011 10:21am
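The point about Target Attributes in the reply above, as an added example that is not part of the thread and is not FIM's own code: a simplified PowerShell model of how one grant MPR is matched against an export request. The function name, the hashtable layout and the attribute list are assumptions for illustration; the model ignores requestor and resource set membership and represents "All attributes" as `*`.

```powershell
# Added example: simplified model of matching one grant MPR against an
# export request. The rule and attribute names below are constructed.

function Test-MprCoversRequest {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Mpr,        # rule under test
        [Parameter(Mandatory = $true)] [string]    $Operation,  # e.g. 'Create'
        [Parameter(Mandatory = $true)] [string[]]  $Attributes  # attributes in the export
    )

    $missing = @()
    $reason  = 'Granted'

    if ($Mpr.Disabled) {
        $reason = 'MPR is disabled'
    }
    elseif ($Mpr.ActionType -notcontains $Operation) {
        $reason = "Operation '$Operation' is not selected on the MPR"
    }
    elseif ($Mpr.ActionParameter -notcontains '*') {
        # Without "All attributes", every attribute in the request must be listed.
        $missing = @($Attributes | Where-Object { $Mpr.ActionParameter -notcontains $_ })
        if ($missing.Count -gt 0) { $reason = 'Attributes not listed in Target Attributes' }
    }

    New-Object PSObject -Property @{
        Granted = ($reason -eq 'Granted')
        Reason  = $reason
        Missing = $missing
    }
}

# Constructed rule: operations as quoted in the thread, attribute list invented.
$syncMpr = @{
    Disabled        = $false
    ActionType      = @('Create', 'Delete', 'Add', 'Modify', 'Remove')
    ActionParameter = @('AccountName', 'DisplayName', 'Domain', 'ObjectSID')
}

# Constructed export: one attribute (Email) is not in the rule's list.
$exported = @('AccountName', 'DisplayName', 'Domain', 'ObjectSID', 'Email')

Test-MprCoversRequest -Mpr $syncMpr -Operation 'Create' -Attributes $exported |
    Format-List Granted, Reason, Missing

# Same request after switching the rule to "All attributes" (modelled as '*').
$syncMpr.ActionParameter = @('*')
Test-MprCoversRequest -Mpr $syncMpr -Operation 'Create' -Attributes $exported |
    Format-List Granted, Reason, Missing
```

With the constructed data, the first call reports the request as not granted because of the single unlisted attribute, and the second reports it as granted.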
Hi Carol,
EndpointNotFoundException is gone now.
I changed the "Synchronization: Synchronization account controls users it synchronizes" rule parameter to All attributes as you said, but it didn't help...
June 15th, 2011 8:18pm