FIM Synchronization Engine account tries to access FIMService database directly
Is it normal that the FIM Synchronization account is sometimes used during sync exports to FIM? My FIM MA is configured to use a separate FIM MA account and basically it works. Today I tried to synchronize groups from AD into FIM and, because the sync account-related MPRs were disabled, all of the requests were denied. But my export task keeps running and produces an access denied entry in the system log. Should it not be the FIM MA account?

Unhandled exception, the CLR will not terminate: Microsoft.ResourceManagement.WebServices.Exceptions.EndpointUnavailableException: Other ---> System.Data.SqlClient.SqlException: Cannot open database "FIMService" requested by the login. The login failed. Login failed for user 'CORP\FIMSyncService'.
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(SqlConnection connection)
at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(DataStore store)
--- End of inner exception stack trace ---
at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(DataStore store)
at Microsoft.ResourceManagement.Data.TransactionAndConnectionScope..ctor(Boolean createTransaction, IsolationLevel isolationLevel, DataStore dataStore)
at Microsoft.ResourceManagement.Data.Exception.SynchronizationFaultException.Get(Int64 key)
at Microsoft.ResourceManagement.WebServices.Synchronization.NegativeSynchronizationRequestAcknowledgement.get_Exception()
at MIIS.ManagementAgent.Export.AcknowledgementParser.ParseAcknowledgement(Guid sessionIdentifier, NegativeSynchronizationRequestAcknowledgement negativeAcknowledgement, ReadOnlyCollection`1 acknowledgedItems)
at MIIS.ManagementAgent.Export.AcknowledgementParser.ParseAcknowledgement(Guid sessionIdentifier, SynchronizationRequestAcknowledgement acknowledgement, ReadOnlyCollection`1 acknowledgedItems)
at MIIS.ManagementAgent.Export.AcknowledgementParser.ParseAcknowledgement(Guid sessionIdentifier, SynchronizationRequestAcknowledgementType acknowledgement, ReadOnlyCollection`1 acknowledgedItems)
at MIIS.ManagementAgent.RavenMA.DoProcessExportResultMessage(Guid exportSessionIdentifier, String acknowledgedMessageIdentifier, SynchronizationRequestAcknowledgementType acknowledgement)
at MIIS.ManagementAgent.RavenMA.ProcessExportResultMessage(Guid exportSessionIdentifier, String acknowledgedMessageIdentifier, SynchronizationRequestAcknowledgementType acknowledgement)
at MIIS.ManagementAgent.Export.ExportAcknowledger.ProcessExportResultMessage(Guid exportSessionIdentifier, String acknowledgedMessageIdentifier, SynchronizationRequestAcknowledgementType acknowledgement)
at MIIS.ManagementAgent.Export.ExportAcknowledger.<>c__DisplayClass2.<AcknowledgeExport>b__0()
at ResourceManagement.Utilities.ProducerConsumerQueue.WorkerConsume()
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart(Object obj).
October 22nd, 2012 6:20am

Yes, the Sync engine needs direct access to the FIMService database. If you look at the DB you'll see there is a dedicated role or two for it.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
October 25th, 2012 6:19pm

Rafal,

The Sync Service engine accesses the FIMService database using the FIM MA service account. The FIM Sync service account should not get access to the database. When the FIM Service MA connects to the FIMService database, the FIM Sync service account impersonates the FIM MA service account, which is why you'll see the FIM MA service account has permissions to access the FIMService database.

In relation to your error, I have seen that occur when the FIM Sync Service configuration is incorrectly configured. During the configuration, you are prompted to enter the service account name that will be connecting to the FIM Service. It should be the FIM MA service account, but I've seen instances when the FIM Sync service account is entered here. Regardless of what you configure in the FIM Service MA, if this configuration is set to the FIM Sync service account, you will see the error you've noted.

Additionally, I believe with the FIM R2 Release Candidate there was a bug (fixed with the release) where the FIM Sync service was always trying to connect with the FIM Sync service account, regardless of the above configuration.

Cheers, Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
October 26th, 2012 10:05am

Marc,

Thank you for the clarification. My FIM MA is configured to use a separate FIMMA account. That's why I was surprised to see this. The version is 2010 R2 RC. And the FIM connector worked fine if everything was fine. So I believe the configured account for the FIM MA was somehow used under normal circumstances, and only when that failed did the FIM synchronization engine switch to using FIMSyncService.

Best regards,
Rafal Grzybowski
October 26th, 2012 10:11am

If you are using the FIM R2 RC version, there is a bug that requires you to grant the FIM Sync service account access to the FIMService database; it will need the following user mappings:

Database: FIMService
Role Memberships: FIM_SynchronizationService and public

These permissions are assigned to the FIM MA service account if things are properly configured. However, with the RC version, the FIM Sync service doesn't use the FIM MA service account but rather its own account, so you need to manually grant permissions. This is not the case with the released versions of FIM or FIM R2.

Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc. http://www.avaleris.com
October 26th, 2012 10:34am
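As an added example (not Marc's script and not part of the thread), the T-SQL below first lists which principals currently hold the FIM_SynchronizationService role in FIMService, so you can see whether the sync account has been granted access it should not normally need, and then maps the FIM MA service account into that role as the answer above describes. The login name CORP\FIMMA is an assumed placeholder for the FIM MA service account; CORP\FIMSyncService is the account from the error in the question.

```sql
-- Added example, not from the thread. Run on the SQL Server instance hosting FIMService.
-- Placeholder: CORP\FIMMA stands for the FIM MA service account (assumed name).
USE FIMService;
GO

-- 1. Audit: which principals hold the role the Sync engine relies on?
--    Under the released versions only the FIM MA service account should be listed;
--    seeing the FIM Sync service account here means a manual grant was added.
SELECT m.name      AS principal_name,
       m.type_desc AS principal_type,
       r.name      AS role_name
FROM   sys.database_role_members AS drm
       JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
       JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE  r.name = N'FIM_SynchronizationService'
ORDER  BY m.name;
GO

-- 2. Ensure the FIM MA service account has the mapping described above:
--    Database FIMService, role memberships FIM_SynchronizationService and public.
--    Every database user is a member of public implicitly, so only the FIM role is added.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\FIMMA')
    CREATE LOGIN [CORP\FIMMA] FROM WINDOWS;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\FIMMA')
    CREATE USER [CORP\FIMMA] FOR LOGIN [CORP\FIMMA];
GO
EXEC sp_addrolemember N'FIM_SynchronizationService', N'CORP\FIMMA';
GO

-- 3. RC-only workaround: grant the Sync service account the same role while still on
--    FIM 2010 R2 RC, and drop it again after upgrading so the account keeps least privilege.
-- EXEC sp_addrolemember  N'FIM_SynchronizationService', N'CORP\FIMSyncService';
-- EXEC sp_droprolemember N'FIM_SynchronizationService', N'CORP\FIMSyncService';
```

Re-running the audit query in step 1 after an upgrade to the released build is a quick way to confirm that the sync account's temporary grant has been removed.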

Marc,

I did such a mapping to solve my issue. But in my case, I had a working FIM MA without any grants for the FIM Sync Service account to the FIMService database for a few days. I synced users from Active Directory this way. Then I wanted to sync groups. MPRs were not enabled, so there was an error. Only then did the FIM Sync Engine try to access my FIMService database with the FIM Sync account, not the FIM MA account. Anyway, thank you for your help. It was also my understanding that the FIM MA account should be used instead of the FIM Sync account. If it is a bug in the RC, then all I need is to migrate to the current version.

Best regards,
Rafal Grzybowski
October 26th, 2012 10:58am
