Contractor accounts authenticating
I have setup the portal with multiple object types (users, contractors, generic, etc) and completed the configuration and implementation for all my design requirements. I have users able to log into the portal and make all necessary updates and syncing these to AD as required. I have also setup OVCs for contractor creation, updates, etc and have everything configured as desired to allow me to create contractors in the portal and sync them to AD. The contractors are able to log into AD with no issues, but they cannot log into the portal for some reason. I have set the Domain, DomainConfiguration, accountName, displayName, etc on the contractor object.I have created a set containing one specific contractor and I have created an MPR to grant permissions for this set to All Objects for all actions(create, read, delete, modify, etc). I have restarted services for FIM and iisreset.Unfortunately, all I get for the Sharepoint error is: Error....an unexpected error has occurred.First - can anyone confirm non-user objects can authenticate to the portal?Second - can anyone provide any insight on what attribute or configuration I may have missed to allow the contractors to auth.Thanks
August 31st, 2009 10:07pm
Hi Bob,You might try enabling debug messages in SharePoint instead of getting the generic "unexpected error" page.http://weblogs.asp.net/jan/archive/2004/07/14/183155.aspxYour web.config file should be located somewhere similar to:C:\Inetpub\wwwroot\wss\VirtualDirectories\80Don't forget iisreset after making the changes.Good luck,Joe
August 31st, 2009 10:35pm
Thanks Joe - I would have sworn I had already done that...my mistake.Now the error is:[PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException' was thrown.] Microsoft.IdentityManagement.WebUI.Controls.UIUserDataUtils.get_UserData() +178 Microsoft.IdentityManagement.WebUI.Controls.Welcome.GetDisplayName() +39 Microsoft.IdentityManagement.WebUI.Controls.Welcome.get_WelcomeLabel() +43 Microsoft.IdentityManagement.WebUI.Controls.Welcome.CreateChildControls() +22 System.Web.UI.Control.EnsureChildControls() +146 System.Web.UI.Control.PreRenderRecursiveInternal() +61 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394Which is inline with what I was thinking - for some reason the contractor object cannot authenticate to the portal, even though the user objects can auth with no issues.
August 31st, 2009 10:51pm
In that case you want to turn on trace logging for Microsoft.ResourceManagement:The config file on my system it at:C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.configHere is the config file snippet I use: <system.diagnostics> <sources> <source name="Microsoft.ResourceManagement" switchValue="Verbose"> <listeners> <add name="FimTraceFile"/> </listeners> </source> </sources> <sharedListeners> <add name="FimTraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\Program Files\Microsoft Identity Management\Common Services\Fim.log" /> </sharedListeners> <trace autoflush="true" /> </system.diagnostics> The don't forget to restart the FIM service:Restart-Service identitymanagementserviceCraigMartin Oxford Computer Group http://identitytrench.com
September 1st, 2009 2:34am
Someone PLEASE tell me MS did not limit the authentication within the portal to only /Person objects. I am looking at the log and get the following:Microsoft.ResourceManagement Verbose: 0 : WS: GetUser.Enter: xxxx\usernameMicrosoft.ResourceManagement Verbose: 0 : WS: GetUser.ExitMicrosoft.ResourceManagement Verbose: 0 : XPathDialectParser.Enumerate.Enter(/Person[Domain='XXXX' and AccountName='username'])Microsoft.ResourceManagement Verbose: 0 : XPathDialectParser.Enumerate.BuilderResult(/Person[(Domain = 'XXXX' ) and (AccountName = 'username')])Microsoft.ResourceManagement Verbose: 0 : XPathDialectParser.Enumerate.Exit(/Person[(Domain = 'XXXX' ) and (AccountName = 'username')])looking at this...the query only looks for /Person.....this CANNOT possibly be the case.
September 1st, 2009 4:10pm
Pretty sure that you need a Person object in order to authenticate to the Portal. If you need to use the custom object type then a workaround is to automatically create an additional object of type Person in order to make the Portal access work. Otherwise consider using the Person object type.CraigMartin Oxford Computer Group http://identitytrench.com
September 1st, 2009 6:22pm
Pretty sure that you need a Person object in order to authenticate to the Portal. If you need to use the custom object type then a workaround is to automatically create an additional object of type Person in order to make the Portal access work. Otherwise consider using the Person object type. CraigMartin Oxford Computer Group http://identitytrench.com Yes, authenticating with FIM means locating the Person object in the FIM Service.
September 1st, 2009 7:35pm
Please tell me MS is looking to change this moving forward. My requirements for OVCs are so extremely different between person and contractor objects, it only makes since to use multiple object types in the portal. It seems odd that I would need to reproduce all my contractor objects as person objects (more than doubling the size of the portal) just because the current query for authentication is set to /Person.
September 1st, 2009 8:19pm
You only need to populate the Account, Domain and ObjectSID values on the Person object.. That can be done via workflow..EricEric
September 9th, 2009 6:28pm
Hi Eric,I don't necessarily agree with that solution (if I'm reading it correctly). It appears you're talking about creating a person "stub" that would authenticate the contractor user in the environment. This would bring about the following concerns in a solution where I had multiple object types that I wanted to have authenticate:1. Two records in FIM portal for each non-person object (primary contractor record and secondary stub person record). 2. MPRs for the contractors would have to be based on their person stub for permissions granting tasks whereas group memberships for distribution lists would have to be based on the contractor object.3. MPRs would have to be defined to block the "stub" entries from the normal view for the regular users.All Bob is really asking for is for the ability to have non-person objects authenticate to the portal. There is a lot of precedent in asking for this, especially with the mindset around directory services where you can define an object class for a specific purpose and make it a security principal.Really, that is all he wants, the same information (Account, Domain and ObjectSID) to be made applicable to all objects in the portal so that the limitation isn't just on Person. If desired, to limit the scope of the objects, placing a simple "security principal" toggle on the objectclass could be used as well. Thanks.B
September 9th, 2009 7:12pm
No, actuially I an referring to having an Identity object and seperate Account objects... For my customer that is a requirement due to visualizations.. It's isn't fun to maintain the relationships but it does solve some problems (granted, it does make others).I can't talk for the PG why they put this limitation in. From an audit perspective, it would be very difficult to track all of the all of the activities of one person if they can log on with multiple objects. I do know from recent testing that Account + Domain and ObjectSID are globally unique across objects. So if you do the trick I mentioned earlier, you need to create new attributes to store the account name, domain and objectSIDvalues. Eric
September 9th, 2009 7:26pm
Bob, can I ask what you ended up doing?Did you create "stub" user objects for your contractors as well as the custom contractor object type?Or did you create "account" objects for all the accounts and "person" objects for all people?Or throw your hands up in despair and try something else entirely...
September 16th, 2009 7:40am
Same here, anxious to know what you finally ended up doing....Anu
October 29th, 2009 3:24pm