Error: Access Denied from portal
I have set up FIM, and set it to sync with AD. It appears to be doing so without errors.
However, if I try to access the portal with a normal user account it loads a page saying Error: Access Denied
If I log into the same workstation as the administrator account which set up FIM, it works perfectly.
I can find and view the users in FIM when logged in as admin, and their domain is set correctly.
Does anyone know what could be causing this?
June 3rd, 2010 6:01pm
There are several attributes that must be set in order for the user to be able to access the FIM portal.
Check the thread Using PowerShell to display a user’s attribute values for FIM Portal access for more details.
Cheers,
Paolo
Paolo Tedesco - http://cern.ch/idm
June 3rd, 2010 6:29pm
Ahh. I'm getting the following result....I guess AccountName is the problem?
AccountName :
DisplayName : britta simons
Domain : STAFF
ObjectSID : AQUAAAAAAAUVAAAAKbPHALt7sxNcdnfAXlUAAA==
June 3rd, 2010 6:34pm
Would say so :)
Check your attributes flows...
Paolo Tedesco - http://cern.ch/idm
June 3rd, 2010 6:43pm
I used the "How do I synchronize users from Active Directory Domain Services to FIM" document, and I'm just double checking it.
On page 9 it lists the attribute flow, and the five listed to set up are displayname, domain, firstname, lastname and objectsid. Perhaps the document needs amending to add accountname.
Anyway, I've added accountname, and created another test user:
AccountName : wtest
DisplayName : wibble test
Domain : STAFF
ObjectSID : AQUAAAAAAAUVAAAAKbPHALt7sxNcdnfAX1UAAA==
However, when I log in with this user, same problem (Access Denied)
Any other ideas?
June 3rd, 2010 6:49pm
Have you seen this yet?
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 3rd, 2010 8:17pm
The link seems to be for this thread?
June 3rd, 2010 8:46pm
Yes, if a URL is included :o)
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 3rd, 2010 8:56pm
Do you have them added into the permissions for WSS?
Derek A. Hanson / derekis.com
June 3rd, 2010 9:09pm
WSS?
June 3rd, 2010 10:54pm
Windows SharePoint Services is what the Portal is hosted on. Make sure that NT Authority\Authenticated Users is added into the Site Permissions and given Read access.
Derek A. Hanson / derekis.com
June 4th, 2010 4:58am
Thank you for that. I must admit I'm very new to SharePoint. Just having a look now: are Site Permissions changed via the SharePoint portal?
June 4th, 2010 11:17am
I'm not an expert either, but I had the same problem.
You should use the SharePoint Central Administration that you can find in your admin tools. Here go to Application Management and then Policy for Web Application. I'm not sure about that last step, but I think I added a group here that solved my problems with the access (don't forget what Paolo and Markus said though, you should check that first).
June 4th, 2010 11:28am
You can also do it on the FIM Portal.
Click on the link in the upper right called "Site Actions", then "Site Settings". In the column "Users and Permissions" click "People and groups".
In the displayed list, select "New / Add users" and complete the information by specifying "NT Authority\Authenticated Users" and give the permission "Read - can view only".
June 4th, 2010 12:07pm
I have tried adding NT Authority\Authenticated Users and giving it read permission.
I found another article which also suggested adding domain/domain users and making it a member of team site visitors.
However, neither of the above seems to have worked; I still get the same Error: Access Denied.
I have also tried adding a user manually to Team Site Visitors, but that didn't make a difference either.
I've also tried creating a new AD user and re-syncing, but still got the same problem.
Anything else which could be going wrong here?
June 4th, 2010 12:27pm
The problem I had with doing it in Site Actions is that it's not permanent: if you reset, you have to add it again. And I indeed did it with domain members.
Try giving them full control. Does that work? I remember I also did that when I used Site Actions and Site Settings, because Read didn't seem sufficient. It's not really what you want to give them, though.
June 4th, 2010 1:12pm
For any FIM Portal issue, the first thing I would do is to disable the custom error page.
To do so, please follow the steps in the following thread:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/af1a96df-0a89-4f95-86b4-93379a66b968/
Then:
iisreset
Repro the problem.
Post the call stack, and a screenshot if applicable.
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 4th, 2010 1:32pm
Do you have an MPR enabled which allows non-admin users to read configuration objects?
Check that
'General: Users can read non-administrative configuration resources'
and
'General: Users can read schema related resources'
are enabled.
June 4th, 2010 1:36pm
OK, I've edited a user by giving them full control, but still had the same issue.
I've made the changes suggested in the other thread to web.config and restarted IIS, but the error hasn't changed.
I've also checked the following two settings:
Users can read non-administrative configuration resources
Users can read schema related resources
Both of them are enabled (i.e. the check box to disable them is NOT ticked).
Sorry guys, you've been really helpful, and I really hope I'm not doing something daft!!
June 4th, 2010 1:59pm
I would say that the account of the user trying to access the portal doesn't exist in the FIM users list then,
or is missing some attributes.
June 4th, 2010 2:12pm
The script to test ID creation is indicating that the IDs are there with all the required attributes populated (see above):
AccountName : delta
DisplayName : delta\scripts\checkuser.ps1
Domain : STAFF
ObjectSID : AQUAAAAAAAUVAAAAKbPHALt7sxNcdnfAYlUAAA==
June 4th, 2010 2:18pm
Well, you can also try to change the FIM portal installation by going on the server to Control Panel > Programs and Features > Forefront Identity Manager Portal and Service.
At the end of the steps (which look like the installation), check the box "Grant authenticated users access to the FIM Portal site".
June 4th, 2010 2:52pm
How did you populate the SID values?
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 4th, 2010 3:10pm
GREAT, that has worked a treat... thanks Michael!
Markus... you now have me a little worried about my SIDs. I got the SID by using this guide: "Using PowerShell To Generate The Custom Expression For The Domain Attribute Flow".
Then I edited the Provisioning Synchronization Rule with the custom expression obtained from the PowerShell script.
Is that correct?
June 4th, 2010 4:08pm
The 'custom expression for the domain attribute flow' should be used for the domain attribute; the SID is used there to check the domain. Maybe you misread there. The SID should be an inbound flow from AD to the portal.
This thread explains how it should be done:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/defcc6a5-30f0-4b9d-82a0-faa9438cd98e
June 4th, 2010 4:19pm
I have also modified "Using PowerShell to display a user's attribute values for FIM Portal access".
It looks like something is wrong with your SID values, which is why I've asked how you populated the attribute.
Apparently, all your objects have the same SID - which can't be :o)
The script was updated to also display the user-friendly string representation of a SID.
This makes it a bit easier to identify mistakes - I think...
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 4th, 2010 4:33pm
Last, but not least, there is also a new script to retrieve an object's SID from Active Directory.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 4th, 2010 5:02pm
I have run the script again against all my 5 users which have imported so far... they all have different SIDs. Only slightly different, but they are different.
June 4th, 2010 5:14pm
Amongst other "things", the SID of a user contains a domain identifier and a relative identifier (RID).
In the SID above, the blue part is the domain identifier and the green part is the relative identifier in the domain database.
"Slightly different" means that your objects have different RIDs, since they are all from the same domain.
This is OK as long as the SID values in FIM are the same as the values in Active Directory.
If the values match, you can remove the attribute values from the list of possible problems.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 4th, 2010 5:51pm
What is the status of this?
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 20th, 2010 3:56pm
Unbelievable: after solving this problem, it has reoccurred. Users are now getting Access Denied if they go to the portal.
The system is now live, so I'm slightly reluctant to go through the setup (Programs and Features) as I don't want to damage anything. Apart from the portal website, everything is working beautifully.
I assume the installer just sets some security options in IIS for the app pool and the SharePoint website. Could anyone advise what these settings should be so that I can try setting them manually?
June 23rd, 2010 3:37pm
Hi...
Check if the following MPRs are enabled:
General: Users can read non-administrative configuration resources
User management: Users can read attributes of their own
If these policies are not enabled, only administrators can log in to the portal.
There is a script in the scriptbox that checks these MPRs:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/73954797-afb4-4448-8c3e-af5b4f9e2eb5
Cheers,
***** Paulo H. Campos - São Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)
June 24th, 2010 3:11am
Both of those policies are set to DISABLED: NO.
Running the script shows the following:
Cheking MPRs
============
General: Users can read non-administrative configuration resources
Enabled: Yes
User management: Users can read attributes of their own
Enabled: Yes
Command completed successfully
June 24th, 2010 12:00pm