Enabling FIM Portal Access for a Regular AD User Account
Experts Corner Article
To be able to access the FIM portal as a regular user, the following MUST be true:
· The user has an AD user account
· The attributes “Domain”, “AccountName” and “ObjectSID” must have values populated about that AD user account synched by the FIM Sync Engine
· The correct permissions have been configured for the AD user account in the FIM Portal (see more below)
To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:
· Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)
· Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)
In addition to all this, you as an administrator need to enable a few MPRs which by default are disabled. I’m talking about the following MPRs:
· “General: Users can read non-administrative configuration resources”
· “User management: Users can read attributes of their own”
You can check the MPRs in the FIM Portal or you can use this powershell script to do that for you.
This is for simple plain FIM Portal access. If you want to allow a user to do more, you need to create and/or enable additional MPRs.
Jorge de Almeida Pinto [MVP-DS / AD DS TechNet Forums Moderator] [Sr. Technical Consultant @ Oxford Computer Group] (http://blogs.dirteam.com/blogs/jorge/default.aspx) (http://www.oxfordcomputergroup.com/)
December 11th, 2009 11:08pm
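A read-only PowerShell check for the three conditions listed in the post above (required MPRs enabled, the Person's Domain/AccountName/ObjectSID/DisplayName populated, and the portal's ObjectSID matching AD). This is an added example, not the script Jorge links nor the ones posted later in the thread; it assumes the FIMAutomation snap-in is available on the FIM Service host, the caller is a FIM administrator, and the domain and account name are constructed sample values.

```powershell
# Added example, not from the thread: read-only checks with the FIM PowerShell snap-in.
# Assumes the FIMAutomation snap-in is installed and the caller is a FIM administrator;
# $Domain and $AccountName are constructed sample values for the user being tested.
param(
    [string]$Domain      = "CONTOSO",
    [string]$AccountName = "jdoe"
)
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Helper: read one attribute from an ExportObject returned by Export-FIMConfig
function Get-FimAttr($exportObject, [string]$name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $name }
    if ($attr) { return $attr.Value }
}

# 1. The two MPRs the thread says must be enabled (disabled out of the box)
$requiredMprs = @(
    "General: Users can read non-administrative configuration resources",
    "User management: Users can read attributes of their own"
)
foreach ($mprName in $requiredMprs) {
    $mpr = Export-FIMConfig -OnlyBaseResources `
             -CustomConfig "/ManagementPolicyRule[DisplayName='$mprName']"
    if (-not $mpr) { Write-Warning "MPR not found: $mprName"; continue }
    if ((Get-FimAttr $mpr "Disabled") -eq "true") { Write-Warning "MPR is DISABLED: $mprName" }
    else { Write-Host "MPR enabled: $mprName" }
}

# 2. The Person object needs Domain, AccountName, ObjectSID and DisplayName populated
$person = Export-FIMConfig -OnlyBaseResources `
            -CustomConfig "/Person[Domain='$Domain' and AccountName='$AccountName']"
if (-not $person) { Write-Warning "No Person found for $Domain\$AccountName"; return }
foreach ($a in "Domain","AccountName","ObjectSID","DisplayName") {
    if ([string]::IsNullOrEmpty((Get-FimAttr $person $a))) { Write-Warning "Person attribute missing: $a" }
    else { Write-Host "Person attribute present: $a" }
}

# 3. Compare the portal's ObjectSID with the SID AD resolves for the account.
#    Assumption: the binary ObjectSID comes back from Export-FIMConfig base64-encoded.
$fimSid = Get-FimAttr $person "ObjectSID"
if ($fimSid) {
    $bytes  = [Convert]::FromBase64String($fimSid)
    $portal = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    $ad     = (New-Object System.Security.Principal.NTAccount("$Domain\$AccountName")).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    if ($portal.Value -eq $ad.Value) { Write-Host "ObjectSID matches AD: $($ad.Value)" }
    else { Write-Warning "ObjectSID mismatch: portal=$($portal.Value) AD=$($ad.Value)" }
}
```

Run it on the FIM Service host as a FIM administrator; a warning on any of the three checks points at the condition that still blocks portal logon for that user.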

You can use this script to test your MPR configuration for this scenario.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 12th, 2009 1:07am

You can now use this powershell script to fix missing ObjectSID's - just pass in the account name and domain for the account you wish to fix...
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
March 29th, 2010 7:54am

>>To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:
>>· Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)
>>· Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)
Can we set this after the installation? I have enabled all the required MPRs; ObjectSID's, Domain and AccountName are correctly set. Still a regular user is not able to log in. Getting an error:
You do not have permission to access this site. Please contact your help desk or system administrator. > Go to Forefront Identity Manager home page
Am I missing something here?
Cheers
Sachin
April 23rd, 2010 7:22pm

These settings can be found inside SharePoint itself. As a SharePoint admin, select "Site Actions" in the top right corner and then select "Advanced Permissions". In the permissions for the site itself those checkboxes will grant "NT Authority\Authenticated Users" Read access.
/Andreas
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/copyright.htm
April 23rd, 2010 7:30pm

Jorge
>>The attributes “Domain”, “AccountName” and “ObjectSID” must have values populated about that AD user account synched by the FIM Sync Engine
You missed DisplayName
April 23rd, 2010 9:36pm

Thanks Andreas. I have checked the "Advanced Permissions" and they are configured as:
1. Users/Groups: Name = NT AUTHORITY\authenticated users, Type = Domain Group, User Name = NT AUTHORITY\authenticated users, Permissions = Read
2. Ran the script provided by Markus to confirm that the required MPRs are enabled
3. Ran the script provided by Brad to check the ObjectSID. It matches the AD ObjectSID
Still getting the same error. Could I be missing any other attributes/settings?
Cheers
Sachin
April 26th, 2010 1:06pm

I had this problem and if you are following the Synchronize Users from Active Directory Domain Services on the Wiki you need to add an attribute flow on the FIMMA Management Agent for the accountName item in the Person object! This solved the issue for me!
James Bulgo Snr ICT Officer Linc Cymru Housing Association
November 16th, 2010 8:15am

Thanks, James...I had the same issue which was resolved by following your steps.
December 20th, 2010 12:16pm
