Error while Export in FIM MA
I got the following error while running Export on the FIM MA.
There is an error executing a web service object modification request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Access to the requested resource(s) is denied
Stack Trace:
   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
   at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)
   at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)
Inner Exception:
Please assist.
Mohit Goyal
October 8th, 2009 3:06pm

Hi Mohit, could you provide some more details on what you are trying to do? In particular, which type of resource are you trying to export when you get the error? A user? A group? Did you add some custom attributes to the object type? If so, be aware that RC1 comes with more restrictive permissions than RC0 by default, and you should explicitly enable access to the new attribute by updating the MPR "Administration: Administrators can read and update Users" (or equivalent for Groups). Hope this helps, Paolo
October 8th, 2009 3:14pm

This thread may be helpful: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/aa5ac051-8ae4-49ea-abcc-9d7a5890a08b
October 8th, 2009 9:24pm

Hi Paolo, I am trying to export a user, not a group. I did not add any custom attribute to the object type. In fact, I am doing this in a lab environment with the document "Publishing Active Directory Users From Two Authoritative Data Sources". I checked the MPR which you mentioned and it is enabled. Mohit Goyal
October 9th, 2009 8:42am

The user had already been created and the export fails when you try to modify it? Is the error code "failed-modification-via-webservices"? How is your lab environment? Are the portal and the synchronization service on different machines or on the same? Maybe you did not properly configure the FIM service accounts. You could check this TechnoVanza blog post to see if there is something relevant for you. Cheers, Paolo Tedesco http://espace.cern.ch/idm
October 9th, 2009 10:32am

Thanks Paolo, I found out what I missed and I hope it is corrected now. I could not check it now. I have a lab environment which contains all services on a single computer, including SQL Server. I missed a certain attribute for the "initial flow only" check box. Somehow I forgot to check the DN attribute flow for initial flow, so I got the following error: "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector". As this error says, I missed the check on the DN attribute flow, so I went to the sync rule and checked the DN attribute flow, but to my surprise I got the same error, this time with different text: "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "FIM AD MA" do not include an object with DN "CN=Mohit GoyalOU\=FIMObjects,DC=test,DC=local" and object classes user." I also tried to put criteria under the partition filter for Management Agent "FIM AD MA" but ended up with no success. Please guide me if I missed anything this time. Mohit Goyal
October 9th, 2009 2:16pm

I don't know if it's relevant, but you are missing a comma between the CN and the first OU component in the DN: CN=Mohit GoyalOU=... should be: CN=Mohit Goyal,OU=... Check how you configured the flow for the DN attribute in the synchronization rule. Cheers, Paolo Tedesco - http://espace.cern.ch/idm
October 9th, 2009 2:38pm
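
Added example (not part of the thread and not a script any poster supplied): a PowerShell check for the DN problem described in the reply above. It splits a DN on unescaped commas and flags an RDN whose value contains an escaped "=" directly after an attribute type, the pattern visible in the DN from the error message. The function names and the attribute-type list are assumptions made for this example, and the check is a heuristic.

```powershell
# Added example: heuristic check for a missing RDN separator in a DN.
# Function names and the attribute-type list are assumptions for illustration.

function Split-DnComponent {
    param([Parameter(Mandatory=$true)][string]$Dn)
    $parts   = New-Object 'System.Collections.Generic.List[string]'
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $Dn.ToCharArray()) {
        if ($escaped) {
            $escaped = $false            # character after "\" is literal
        } elseif ($ch -eq '\') {
            $escaped = $true
        } elseif ($ch -eq ',') {         # unescaped comma ends the RDN
            $parts.Add($current.ToString())
            $current.Length = 0
            continue
        }
        [void]$current.Append($ch)
    }
    $parts.Add($current.ToString())
    return ,$parts.ToArray()
}

function Test-DnSeparator {
    param([Parameter(Mandatory=$true)][string]$Dn)
    $types = 'CN|OU|DC|O|L|C'            # assumed list; extend for your schema
    foreach ($rdn in (Split-DnComponent -Dn $Dn)) {
        $rdn = $rdn.Trim()
        if ($rdn -notmatch "^(?:$types)=.+") {
            New-Object psobject -Property @{ Rdn = $rdn; Problem = 'not in type=value form' }
        } elseif ($rdn -cmatch "=.*(?:$types)\\=") {
            # An escaped "=" is part of the value, so "OU\=" here means the
            # OU text was glued onto the previous RDN's value.
            New-Object psobject -Property @{ Rdn = $rdn; Problem = 'escaped "=" after an attribute type, separator probably missing' }
        }
    }
}

# DN copied from the error message in the thread, then the corrected form.
$samples = 'CN=Mohit GoyalOU\=FIMObjects,DC=test,DC=local',
           'CN=Mohit Goyal,OU=FIMObjects,DC=test,DC=local'
foreach ($dn in $samples) {
    $findings = @(Test-DnSeparator -Dn $dn)
    if ($findings.Count -eq 0) { "OK      $dn" }
    else { $findings | ForEach-Object { "SUSPECT $dn -> $($_.Rdn): $($_.Problem)" } }
}
```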

If I read your post correctly, you get the error during an export on the FIM MA. Also, the error is an access denied. Verify whether the FIM MA account has the right to logon locally. If this is not the case, grant the right, and then run the export again. Does this fix your issue?
Cheers, Markus
Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
October 9th, 2009 3:21pm

Hello Markus, yes, it is correct that I am getting an access denied error during Export on the FIM MA. I checked the local policy on the same server and under "deny logon locally" there is nothing. I think it is then allowed to log on locally. Just to make it clear, the FIM MA account would then be the account which is under "Built-in Synchronization Account". Please help. Mohit Goyal
October 12th, 2009 1:22pm

Does anyone have any workaround for this issue? I am still suffering from this pain. Please help!!!!!!!!!!! :( Cheers, Mohit Goyal
October 14th, 2009 10:44am

Log on as administrator to your FIM server, and then run the following command on the command line:
runas /user:fabrikam\fimma cmd
You will have to replace the account with the FIM MA account you are using in your environment. If the command fails, your account doesn't have the right to logon locally. In this case, fix the rights issue and run your export again.
Cheers, Markus
Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
October 14th, 2009 1:47pm

Hi Markus, I had tried it and I am able to log on with it, which means logon locally is granted to the FIM MA account. I checked the requests made today in the portal and found that the "update to person" request is denied and the originator is administrator. If I check 'Applied Policy' I could not find anything. Is it due to a policy not being applied or some other issue? Also, I have enabled all these MPRs:
1. General: Users can read schema related resources
2. General: Users can read non-administrative configuration resources
3. User management: Users can read attributes of their own
Now please let me know, did I still miss anything? I understand that it becomes frustrating sometimes with silly questions, but I appreciate that you take such a kind approach to questions. Please help me. Cheers, Mohit Goyal
November 5th, 2009 4:00pm

No sweat, we want you guys to be happy with the product. A forum is the right place to ask these questions. Mohit, please run this script and post the outcome. The script does a bit more than just looking at logon locally. We need to make sure that there is no issue with your FIM MA account, first.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 5th, 2009 5:54pm

Hello Markus, thanks for the reply.
PS C:\> .\script.ps1
FIM MA Account Test
====================
-Reading registry configuration
-FIM MA account name: TEST\ilmma
-FIM MA account SID : S-1-5-21-1511427291-1577385093-316865315-1173
-Reading MA configuration
-FIM MA account name: test\administrator
Error: Rgistry configuration and FIM MA configuration for MA account don't match!
Here is the output of the script. Please let me know what I have to do now. Cheers, Mohit Goyal
November 6th, 2009 11:57am

This is good! At least we know now what the problem is. The account you have specified as FIM MA account during setup and the account you are actually using right now don't match. Run setup again (Control Panel/Programs and Features/Change), reconfigure FIM, and then run the script again.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 6th, 2009 3:23pm

Hey Markus, thanks a lot, I found the error and I did not perform a reinstall. The error was when I configured the FIM MA for "connect to Database", where I accidentally provided test\administrator to connect to the DB. After providing the FIM MA (in my case ilmma) credentials, attributes started flowing in. Thanks a lot again. :) Cheers, Mohit Goyal
November 6th, 2009 3:51pm

Good post. I'm having the same problem. I ran the script but it fails reading the MA configuration. Any ideas?
FIM MA Account Test
====================
-Reading registry configuration
-FIM MA account name: GLOBAL\svc_fimma
-FIM MA account SID : S-1-5-21-2010550861-1320369007-2453991459-152258
-Reading MA configuration
Error: Failure on making enumeration web service call.
Filter = /ma-data[SyncConfig-category='FIM']
Error= Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The endpoint could not dispatch the request.
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters)
   at Microsoft.ResourceManagement.WebServices.ResourceManager.MoveNext()
   at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()
-Mike Kirtland
September 19th, 2010 9:36am

Mike, I have seen this error when the objectSID of the admin user is removed from the portal via the sync service and therefore, also the admin set. If you have another admin user, try using that to log into the portal, run scripts, etc. If there is no other admin user and the objectSID is in fact gone, the only thing you can do is to reinstall with a clean FIMService DB (and thus lose your configuration). It is very important to make a 'backup' admin user as soon as you can to avoid this problem.
September 19th, 2010 4:48pm

I have the problem with an EXPORT profile in the FIM MA. I tested my MA account and MPRs by scripts. All was OK, but the error appears:
failed-modification-via-web-services
Inner Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'FIMService/my_srv_name. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
FIM 2010 version 4.0.2592.0
2 Server Installation: FIM Service and FIMSyncService, both Win2008 R2 Ent x64, SQL 2008
TVV
June 3rd, 2011 5:59pm

In my case, I reinstalled the FIM Service and on the tab "Configure FIM Service and Portal – Configure connection to the FIM Service" I typed the FQDN for the server name. Spent 2 weeks to resolve it. TVV
June 14th, 2011 7:22am

This topic is archived. No further replies will be accepted.