I have setup the portal with multiple object types (users, contractors, generic, etc) and completed the configuration and implementation for all my design requirements. I have users able to log into the portal and make all necessary updates and syncing these to AD as required. I have also setup OVCs for contractor creation, updates, etc and have everything configured as desired to allow me to create contractors in the portal and sync them to AD. The contractors are able to log into AD with no issues, but they cannot log into the portal for some reason. I have set the Domain, DomainConfiguration, accountName, displayName, etc on the contractor object.I have created a set containing one specific contractor and I have created an MPR to grant permissions for this set to All Objects for all actions(create, read, delete, modify, etc). I have restarted services for FIM and iisreset.Unfortunately, all I get for the Sharepoint error is: Error....an unexpected error has occurred.First - can anyone confirm non-user objects can authenticate to the portal?Second - can anyone provide any insight on what attribute or configuration I may have missed to allow the contractors to auth.Thanks

Hi Bob,You might try enabling debug messages in SharePoint instead of getting the generic "unexpected error" page.http://weblogs.asp.net/jan/archive/2004/07/14/183155.aspxYour web.config file should be located somewhere similar to:C:\Inetpub\wwwroot\wss\VirtualDirectories\80Don't forget iisreset after making the changes.Good luck,Joe

Thanks Joe - I would have sworn I had already done that...my mistake.Now the error is:[PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException' was thrown.] Microsoft.IdentityManagement.WebUI.Controls.UIUserDataUtils.get_UserData() +178 Microsoft.IdentityManagement.WebUI.Controls.Welcome.GetDisplayName() +39 Microsoft.IdentityManagement.WebUI.Controls.Welcome.get_WelcomeLabel() +43 Microsoft.IdentityManagement.WebUI.Controls.Welcome.CreateChildControls() +22 System.Web.UI.Control.EnsureChildControls() +146 System.Web.UI.Control.PreRenderRecursiveInternal() +61 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Control.PreRenderRecursiveInternal() +224 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394Which is inline with what I was thinking - for some reason the contractor object cannot authenticate to the portal, even though the user objects can auth with no issues.

In that case you want to turn on trace logging for Microsoft.ResourceManagement:The config file on my system it at:C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.configHere is the config file snippet I use: <system.diagnostics> <sources> <source name="Microsoft.ResourceManagement" switchValue="Verbose"> <listeners> <add name="FimTraceFile"/> </listeners> </source> </sources> <sharedListeners> <add name="FimTraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\Program Files\Microsoft Identity Management\Common Services\Fim.log" /> </sharedListeners> <trace autoflush="true" /> </system.diagnostics> The don't forget to restart the FIM service:Restart-Service identitymanagementserviceCraigMartin Oxford Computer Group http://identitytrench.com

Someone PLEASE tell me MS did not limit the authentication within the portal to only /Person objects. I am looking at the log and get the following:Microsoft.ResourceManagement Verbose: 0 : WS: GetUser.Enter: xxxx\usernameMicrosoft.ResourceManagement Verbose: 0 : WS: GetUser.ExitMicrosoft.ResourceManagement Verbose: 0 : XPathDialectParser.Enumerate.Enter(/Person[Domain='XXXX' and AccountName='username'])Microsoft.ResourceManagement Verbose: 0 : XPathDialectParser.Enumerate.BuilderResult(/Person[(Domain = 'XXXX' ) and (AccountName = 'username')])Microsoft.ResourceManagement Verbose: 0 : XPathDialectParser.Enumerate.Exit(/Person[(Domain = 'XXXX' ) and (AccountName = 'username')])looking at this...the query only looks for /Person.....this CANNOT possibly be the case.

Pretty sure that you need a Person object in order to authenticate to the Portal. If you need to use the custom object type then a workaround is to automatically create an additional object of type Person in order to make the Portal access work. Otherwise consider using the Person object type.CraigMartin Oxford Computer Group http://identitytrench.com

Pretty sure that you need a Person object in order to authenticate to the Portal. If you need to use the custom object type then a workaround is to automatically create an additional object of type Person in order to make the Portal access work. Otherwise consider using the Person object type. CraigMartin Oxford Computer Group http://identitytrench.com Yes, authenticating with FIM means locating the Person object in the FIM Service.

Please tell me MS is looking to change this moving forward. My requirements for OVCs are so extremely different between person and contractor objects, it only makes since to use multiple object types in the portal. It seems odd that I would need to reproduce all my contractor objects as person objects (more than doubling the size of the portal) just because the current query for authentication is set to /Person.

You only need to populate the Account, Domain and ObjectSID values on the Person object.. That can be done via workflow..EricEric

Hi Eric,I don't necessarily agree with that solution (if I'm reading it correctly). It appears you're talking about creating a person "stub" that would authenticate the contractor user in the environment. This would bring about the following concerns in a solution where I had multiple object types that I wanted to have authenticate:1. Two records in FIM portal for each non-person object (primary contractor record and secondary stub person record). 2. MPRs for the contractors would have to be based on their person stub for permissions granting tasks whereas group memberships for distribution lists would have to be based on the contractor object.3. MPRs would have to be defined to block the "stub" entries from the normal view for the regular users.All Bob is really asking for is for the ability to have non-person objects authenticate to the portal. There is a lot of precedent in asking for this, especially with the mindset around directory services where you can define an object class for a specific purpose and make it a security principal.Really, that is all he wants, the same information (Account, Domain and ObjectSID) to be made applicable to all objects in the portal so that the limitation isn't just on Person. If desired, to limit the scope of the objects, placing a simple "security principal" toggle on the objectclass could be used as well. Thanks.B

No, actuially I an referring to having an Identity object and seperate Account objects... For my customer that is a requirement due to visualizations.. It's isn't fun to maintain the relationships but it does solve some problems (granted, it does make others).I can't talk for the PG why they put this limitation in. From an audit perspective, it would be very difficult to track all of the all of the activities of one person if they can log on with multiple objects. I do know from recent testing that Account + Domain and ObjectSID are globally unique across objects. So if you do the trick I mentioned earlier, you need to create new attributes to store the account name, domain and objectSIDvalues. Eric

Bob, can I ask what you ended up doing?Did you create "stub" user objects for your contractors as well as the custom contractor object type?Or did you create "account" objects for all the accounts and "person" objects for all people?Or throw your hands up in despair and try something else entirely...

Same here, anxious to know what you finally ended up doing....Anu