Error: Display User Attributes Powershell script
Hello, I'm having trouble accessing the FIM portal; like many others, only the install account can browse to the portal. I think it's because of the userSID missing in the FIM Portal. In the process of tracking down the problem I tried running the display user attributes PowerShell script but get the following error.

Error: A Positional Parameter cannot be found that accepts argument 'If'.

If I execute the fix objectSID PowerShell script, it reports back that the Existing value is correct for my account name. When I search for users in the portal with the install account I can see Display Name, accountname, domain in the list. If I display the extended attributes for a user, the ResourceSID field is blank, with Export, Browse and Clear buttons. I have followed the guide 'How do I synchronize users from AD to FIM' and double-checked that I configured the attribute flow for the ObjectSID. Thanks.

Here is the debug information when I browse to the portal as a user.

The request for security token could not be satisfied because authentication failed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[FaultException: The request for security token could not be satisfied because authentication failed.]
System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) +15323386
System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target) +18
System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) +167
[SecurityNegotiationException: The caller was not authenticated by the service.]
Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters) +1605
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +499
[ServerDownException: Error connecting to server]
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +1171
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration() +269
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +118
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +16
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +117
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +32
System.Web.UI.Control.EnsureChildControls() +146
System.Web.UI.Control.PreRenderRecursiveInternal() +61
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394
June 23rd, 2010 5:16pm

You probably had a copy & paste error with the script code. I have uploaded the code to the MSDN ScriptBox Code Gallery.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 6:05pm

Markus, thanks for the link; downloading the file fixed the problem. After running the script all four values are populated for users, so I can rule out the SID missing problem. So something else is wrong with my portal install.
June 23rd, 2010 6:27pm

Just be careful with this – having the SID populated is not sufficient – it also has to be the right SID. Have you also verified that the SID values are correct (I don’t know how you have populated the value)?
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 6:46pm

Thanks Markus. I have verified the SID; it's the same in AD. I also found the problem: a little typo in the SPN. Since I had been doing all the browsing from the server browser, it didn't come into play. When I logged out of the server and then in as my account, the page loaded. After I corrected the SPN, the page loads from a workstation with no problems.
June 24th, 2010 12:14am
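
Added example (not part of the original thread and not the scripts Markus linked): the two checks the thread ends on, that the SID stored in the portal is the SID Windows resolves for the account, and that the SPNs registered on the service account are exactly the ones expected. The function names, the assumption that the portal SID is available as base64 text, and every account, host and SPN value are placeholders.

```powershell
# Added illustration. Domain, account names, the SID value and the SPN list
# passed to these functions are placeholders to be replaced.

function Test-PortalSid {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$AccountName,
        # Assumption: the portal's ObjectSID value is supplied as base64 text.
        [Parameter(Mandatory=$true)][string]$PortalSidBase64
    )
    # SID that Windows resolves for DOMAIN\account.
    $nt    = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
    $adSid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    # SID held on the portal resource, rebuilt from its binary form.
    $bytes     = [Convert]::FromBase64String($PortalSidBase64)
    $portalSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    New-Object PSObject -Property @{
        Account   = "$Domain\$AccountName"
        AdSid     = $adSid.Value
        PortalSid = $portalSid.Value
        Match     = $adSid.Equals($portalSid)   # populated is not enough; it must be equal
    }
}

function Compare-AccountSpn {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string[]]$ExpectedSpn
    )
    # Read servicePrincipalName from the account in the current domain.
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Account '$SamAccountName' not found in the current domain." }
    $registered = @($entry.Properties['serviceprincipalname'])
    New-Object PSObject -Property @{
        Registered = $registered
        # Expected but absent: a mistyped registration leaves the real name here...
        Missing    = @($ExpectedSpn | Where-Object { $registered -notcontains $_ })
        # ...and the mistyped entry itself appears here.
        Unexpected = @($registered | Where-Object { $ExpectedSpn -notcontains $_ })
    }
}

# Placeholder usage:
# Test-PortalSid -Domain 'CONTOSO' -AccountName 'jdoe' -PortalSidBase64 '<value from portal>'
# Compare-AccountSpn -SamAccountName 'svc-placeholder' -ExpectedSpn 'HTTP/portal.example.test'
```

Run the SPN check from a workstation session as well as on the server: as the last post notes, browsing on the server itself did not exercise the SPN.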

This topic is archived. No further replies will be accepted.
