Error: Display User Attributes Powershell script
Hello
I'm having trouble accessing the FIM portal; like many others, only the install account can browse to the portal. I think it's because of the userSID missing in the FIM Portal. In the process to track down the problem I tried running the display user attributes PowerShell script but get the following error.
Error: A Positional Parameter cannot be found that accepts argument 'If'.
If I execute the fix objectSID PowerShell script it reports back that the existing value is correct for my account name. When I search for users in the portal with the install account I can see Display Name, accountname, domain in the list.
If I display the extended attributes for a user the ResourceSID field is blank with Export, Browse and Clear buttons. I have followed the guide 'How do I synchronize users from AD to FIM' and double checked that I Configured Attribute Flow set for the ObjectSID.
Thanks
Here is the debug information when I browse to the portal as a user.
The request for security token could not be satisfied because authentication failed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[FaultException: The request for security token could not be satisfied because authentication failed.]
System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) +15323386
System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target) +18
System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) +167
[SecurityNegotiationException: The caller was not authenticated by the service.]
Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters) +1605
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +499
[ServerDownException: Error connecting to server]
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +1171
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration() +269
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +118
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +16
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +117
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +32
System.Web.UI.Control.EnsureChildControls() +146
System.Web.UI.Control.PreRenderRecursiveInternal() +61
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394
June 23rd, 2010 5:16pm
You probably had a copy & paste error with the script code.
I have uploaded the code to the MSDN ScriptBox Code Gallery.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 6:05pm
Markus
Thanks for the link, downloading the file fixed the problem. After running the script all four values are populated for users, so I can rule out the SID missing problem. So something else is wrong with my portal install.
June 23rd, 2010 6:27pm
Just be careful with this – having the SID populated is not sufficient – it also has to be the right SID.
Have you also verified that the SID values are correct (I don’t know how you have populated the value)?
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 6:46pm
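The check raised in the reply above (a populated SID is not necessarily the right SID), as an added example that is not part of the thread and is not the script from the Code Gallery. The function names are hypothetical, the SID is constructed sample data, and it is an assumption that the portal's ObjectSID value is available as a Base64 string of the binary SID.

```powershell
# Added example: constructed data only, no FIM or AD connection is needed to run it.
function ConvertFrom-Base64Sid {
    param([Parameter(Mandatory = $true)][string]$Base64Sid)
    $bytes = [System.Convert]::FromBase64String($Base64Sid)
    # The (byte[], int) constructor parses the binary SID layout and throws if it is malformed.
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0) -ErrorAction Stop
}

function ConvertTo-Base64Sid([string]$Sid) {
    # Helper used only to build the sample values below.
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $buf = New-Object byte[] $s.BinaryLength
    $s.GetBinaryForm($buf, 0)
    [System.Convert]::ToBase64String($buf)
}

function Compare-PortalSid {
    param(
        [Parameter(Mandatory = $true)][string]$PortalSidBase64,  # ObjectSID as Base64 (assumed form)
        [Parameter(Mandatory = $true)][string]$ExpectedSid       # S-1-5-21-... string of the AD account
    )
    $expected = New-Object System.Security.Principal.SecurityIdentifier($ExpectedSid)
    try {
        $portal = ConvertFrom-Base64Sid $PortalSidBase64
    } catch {
        # Populated, but not a parseable SID at all.
        return New-Object PSObject -Property @{ Status = 'Invalid'; PortalSid = $null; ExpectedSid = $expected.Value }
    }
    $status = 'Match'
    if (-not $portal.Equals($expected)) {
        # Same domain part but a different RID means the value belongs to another account.
        if ($portal.AccountDomainSid -and $portal.AccountDomainSid.Equals($expected.AccountDomainSid)) {
            $status = 'WrongAccount'
        } else {
            $status = 'WrongDomain'
        }
    }
    New-Object PSObject -Property @{ Status = $status; PortalSid = $portal.Value; ExpectedSid = $expected.Value }
}

# Constructed sample data: a made-up domain SID, not a value from this thread.
$adSid = 'S-1-5-21-1004336348-1177238915-682003330-1104'

# Case 1: the portal value is the account's own SID.
Compare-PortalSid (ConvertTo-Base64Sid $adSid) $adSid
# Case 2: populated with a SID from the same domain but a different account (RID 500).
Compare-PortalSid (ConvertTo-Base64Sid 'S-1-5-21-1004336348-1177238915-682003330-500') $adSid
# Case 3: populated with bytes that are not a valid binary SID.
Compare-PortalSid 'AQIDBA==' $adSid
```

On a domain-joined machine the expected SID string can be taken from `whoami /user` for the affected account, or by translating a `System.Security.Principal.NTAccount` to a `SecurityIdentifier`.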
Thanks Markus
I have verified the SID; it's the same in AD.
I also found the problem, a little typo in the SPN. Since I had been doing all the browsing from the server browser it didn't come into play. When I logged out of the server, and then in as my account the page loaded.
After I corrected the SPN page loads from a workstation with no problems.
June 24th, 2010 12:14am