FIM Synchronization Engine account tries to access FIMService database directly
Is it normal that the FIM Synchronization Account is sometimes used during sync exports to FIM?
My FIM MA is configured to use a separate FIM MA account and basically it works.
Today I tried to synchronize groups from AD into FIM and, because the sync account-related MPRs were disabled, all of the requests were denied. But my export task keeps running and produces an access denied entry in the system log. Shouldn't it be the FIM MA account?
Unhandled exception, the CLR will not terminate: Microsoft.ResourceManagement.WebServices.Exceptions.EndpointUnavailableException: Other ---> System.Data.SqlClient.SqlException: Cannot open database "FIMService" requested by the login. The login failed.
Login failed for user 'CORP\FIMSyncService'.
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(SqlConnection connection)
at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(DataStore store)
--- End of inner exception stack trace ---
at Microsoft.ResourceManagement.Data.DatabaseConnection.Open(DataStore store)
at Microsoft.ResourceManagement.Data.TransactionAndConnectionScope..ctor(Boolean createTransaction, IsolationLevel isolationLevel, DataStore dataStore)
at Microsoft.ResourceManagement.Data.Exception.SynchronizationFaultException.Get(Int64 key)
at Microsoft.ResourceManagement.WebServices.Synchronization.NegativeSynchronizationRequestAcknowledgement.get_Exception()
at MIIS.ManagementAgent.Export.AcknowledgementParser.ParseAcknowledgement(Guid sessionIdentifier, NegativeSynchronizationRequestAcknowledgement negativeAcknowledgement, ReadOnlyCollection`1 acknowledgedItems)
at MIIS.ManagementAgent.Export.AcknowledgementParser.ParseAcknowledgement(Guid sessionIdentifier, SynchronizationRequestAcknowledgement acknowledgement, ReadOnlyCollection`1 acknowledgedItems)
at MIIS.ManagementAgent.Export.AcknowledgementParser.ParseAcknowledgement(Guid sessionIdentifier, SynchronizationRequestAcknowledgementType acknowledgement, ReadOnlyCollection`1 acknowledgedItems)
at MIIS.ManagementAgent.RavenMA.DoProcessExportResultMessage(Guid exportSessionIdentifier, String acknowledgedMessageIdentifier, SynchronizationRequestAcknowledgementType acknowledgement)
at MIIS.ManagementAgent.RavenMA.ProcessExportResultMessage(Guid exportSessionIdentifier, String acknowledgedMessageIdentifier, SynchronizationRequestAcknowledgementType acknowledgement)
at MIIS.ManagementAgent.Export.ExportAcknowledger.ProcessExportResultMessage(Guid exportSessionIdentifier, String acknowledgedMessageIdentifier, SynchronizationRequestAcknowledgementType acknowledgement)
at MIIS.ManagementAgent.Export.ExportAcknowledger.<>c__DisplayClass2.<AcknowledgeExport>b__0()
at ResourceManagement.Utilities.ProducerConsumerQueue.WorkerConsume()
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart(Object obj).
October 22nd, 2012 6:20am
Yes, the Sync engine needs direct access to the FIMService database. If you look at the DB you'll see there is a dedicated role or two for it.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
October 25th, 2012 6:19pm
Rafal,
The Sync Service engine accesses the FIMService database using the FIM MA service account. The FIM Sync service account should not get access to the database. When the FIM Service MA connects to the FIMService database, the FIM Sync service account impersonates the FIM MA service account, which is why you'll see the FIM MA service account has permissions to access the FIMService database.
In relation to your error, I have seen that occur when the FIM Sync Service configuration is incorrectly configured. During the configuration, you are prompted to enter the service account name that will be connecting to the FIM Service. It should be the FIM MA service account, but I've seen instances when the FIM Sync service account is entered here. Regardless of what you configure in the FIM Service MA, if this configuration is set to the FIM Sync service account, you will see the error you've noted.
Additionally, I believe with the FIM R2 Release Candidate, there was a bug (fixed with the release), where the FIM Sync service was always trying to connect with the FIM Sync service account, regardless of the above configuration.
Cheers,
Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
http://www.avaleris.com
October 26th, 2012 10:05am
Marc,
Thank you for the clarification. My FIM MA is configured to use a separate FIMMA account.
That's why I was surprised to see this. The version is 2010 R2 RC. And the FIM connector worked fine if everything was fine.
So I believe the account configured for the FIM MA was somehow used under normal circumstances, and only on failure did the FIM synchronization engine switch to using FIMSyncService.
Best regards
Rafal Grzybowski
October 26th, 2012 10:11am
If you are using the FIM R2 RC version, there is a bug that requires you to grant the FIM Sync service account access to the FIMService database; it will need the following user mappings:
Database: FIMService, Role Memberships: FIM_SynchronizationService and public
These permissions are assigned to the FIM MA service account, if things are properly configured. However, with the RC version, the FIM Sync service doesn't use the FIM MA service account but rather its own account, so you need to manually grant permissions.
This is not the case with the released versions of FIM or FIM R2.
Marc
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
http://www.avaleris.com
http://www.avaleris.com
October 26th, 2012 10:34am
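The user mapping Marc describes is normally done by hand in SQL Server Management Studio. The T-SQL below is an added example, not code from the thread or from Microsoft: it first audits who actually holds the FIM_SynchronizationService role in FIMService (in a correctly configured install that should be the FIM MA service account only), then applies the RC-only workaround for the sync account, and finally shows how to revert it once the released build is in place. The login name CORP\FIMSyncService is taken from the error in the question; the database and role names are the ones Marc gives. Everything else (the instance, the exact account names in your environment) is an assumption to adjust.

```sql
-- Added example: audit and, only for the FIM R2 RC bug, apply the workaround of
-- mapping the sync engine account into FIMService. Assumed values: the login
-- CORP\FIMSyncService (from the error text) and that this runs on the instance
-- hosting FIMService with a login that may create logins/users.
USE [FIMService];
GO

DECLARE @SyncLogin sysname = N'CORP\FIMSyncService';      -- sync engine service account
DECLARE @Role      sysname = N'FIM_SynchronizationService'; -- role Marc names

-- 1. Who currently holds the role? Run this before changing anything. With a
--    released build you expect the FIM MA service account here and nothing else;
--    an extra member is a least-privilege finding worth explaining.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = @Role;

-- 2. Does the sync account have a server login and a FIMService user at all?
--    Both 0 matches the "Cannot open database ... The login failed" error above.
SELECT @SyncLogin AS login_name,
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals   WHERE name = @SyncLogin)
            THEN 1 ELSE 0 END AS has_login,
       CASE WHEN EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @SyncLogin)
            THEN 1 ELSE 0 END AS has_db_user;

-- 3. RC workaround only: give the sync account the same mapping the FIM MA
--    account has (FIM_SynchronizationService + public). 'public' is implicit
--    for every database user, so only the FIM role has to be added.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @SyncLogin)
    EXEC (N'CREATE LOGIN ' + QUOTENAME(@SyncLogin) + N' FROM WINDOWS;');
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @SyncLogin)
    EXEC (N'CREATE USER ' + QUOTENAME(@SyncLogin) + N' FOR LOGIN ' + QUOTENAME(@SyncLogin) + N';');
EXEC sp_addrolemember @rolename = @Role, @membername = @SyncLogin;

-- 4. After moving to the released build (where the sync engine impersonates the
--    FIM MA account again), remove the direct rights so the sync account holds
--    nothing it no longer needs. Uncomment to run.
-- EXEC sp_droprolemember @rolename = @Role, @membername = @SyncLogin;
-- EXEC (N'DROP USER ' + QUOTENAME(@SyncLogin) + N';');
```

Run step 1 again after step 3 (and after step 4 on an upgraded system) so the role membership list is the record you compare against: the sync account appearing in it on a released build means the workaround was never reverted or the Sync Service was configured with the wrong account, which is exactly the misconfiguration Marc's earlier reply points at.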
Marc,
I did such a mapping to solve my issue. But in my case, I had a working FIM MA without any grants for the FIM Sync Service account to the FIMService database for a few days. I synced users from Active Directory this way. Then I wanted to sync groups. MPRs were not enabled, so there was an error. Only then did the FIM Sync Engine try to access my FIMService database with the FIM Sync account, not the FIM MA account.
Anyway, thank you for your help. It was also my understanding that the FIM MA account should be used instead of the FIM Sync account. If it is a bug in the RC, then all I need is to migrate to the current version.
Best regards
Rafal Grzybowski
October 26th, 2012 10:58am