FIM portal access
There are already a few topics about this, but I can't seem to get this right. I have the required MPRs enabled; I also checked this with the script. I know I need the Domain, account name and SID matching those in Active Directory. I created an inbound attribute flow to sync these from AD to the MV. In my FIMMA I export these attributes from the MV to the portal. When I log in with my users I get the error Access Denied.
April 19th, 2010 10:50am

as an admin, open the user's detail from the Portal. verify Domain, Account, SID and DisplayName are all there... (u didn't mention display name in ur post)
April 19th, 2010 1:30pm

Display name is there. Where should the SID be displayed? I can see this in the connector space but not in the portal when I look at the user.
April 19th, 2010 2:40pm

Robin, do you have inbound synchronization from multiple AD domains? If so, make sure you are flowing the ObjectSID from the correct AD domain into the metaverse. You might also want to make sure the attribute precedence is configured correctly in the Synchronization Service.
Thanks & Regards,
Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
April 19th, 2010 5:42pm

Can you try to open the user (as an Admin) and hit Advanced view? in the 'extended attributes' tab you should be able to observe the SID, if it was provisioned properly
April 20th, 2010 3:04am

I only have one domain. The only flow comes out of my AD into the MV, so there is no precedence. I have the SID set up the same as the Domain attribute; it's outbound out of AD into the MV with the sync rule. Then an export in the FIMMA from objectsid to objectsid. Domain clearly shows up after syncing it. I can't see the SID in the advanced view under resource SID; it's empty, with some buttons next to it: Export, Import and Clear. If I flow in a new user to the portal without provisioning it to AD yet, there is no Export button and below it says no value specified, so something does change, but I can't see the SID itself there...
April 20th, 2010 10:33am

I am having the exact same problem. When the user goes to http://servername/IdentityManagement, they get "You do not have permission to access this site." I have enabled all the MPRs, I have imported the user, and can see them in the Portal. In the FIM Management Agent, Configure Attribute Flow, I am exporting DisplayName, Domain, FirstName, LastName, ObjectSID and importing ExpectedRulesList. But looking at the user details in the portal, using Advanced View - Extended Attributes, I can only see Domain, First Name, Last Name. I must be doing something wrong as you guys have it working OK. Any ideas would be great. Thanks.
April 20th, 2010 4:56pm

Robin, I believe your problem may be the fact that you have an outbound rule FIM(objectSid)-->MV(objectSid). In my experience, you should only have this: FIM(objectSid)<--MV(objectSid). Try removing the outbound attribute flow in your SR.
Thanks & Regards,
Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
April 20th, 2010 11:53pm

That would make sense, but I confused Outbound with Inbound in my post. The rule is set up as inbound, so Domain and SID flow out of AD into the MV. Then an Export mapping in the FIMMA on objectSID (and domain) to flow it from MV -> Portal. My administrator doesn't display its SID either. It's the same for him as my other accounts: there is an export button that kind of shows something is there, but I can't really see anything.
Edit: changed my rule a bit to flow all attributes (also displayname and accountname) from AD -> MV -> portal. Created a user in AD and flowed him to the portal. Still the same result. Maybe I'll try a new install to see if that gets me anywhere.
April 21st, 2010 9:17am

Would someone be able to provide some screenshots of working Configure Attribute Flow settings? Thanks
April 21st, 2010 11:36am

I reinstalled my sync engine and portal to make sure there was no conflict. Then I followed the 'Common Configuration for Getting Started Guides' since that's the easiest setup, flowing a user with the needed attributes from AD -> MV -> portal. Same result as before. Gave my user admin rights to make sure nothing else was bothering him, but no luck. I used Brad his script to fix the SID, but it said the SID is correct and didn't need to change it. So my flows are good.
April 21st, 2010 4:07pm

I get the same thing following the Guide. In the URL you get http://fimservername/_layouts/MSILM2/ErrorPage.aspx?ErrorCode=2000 and "You do not have permission to access this site." Another How Do I guide covering the whole process would be very nice for us ILM noobs. Have been playing with this for a few weeks now, with not much joy. Thanks
April 21st, 2010 4:50pm

I fixed it but I'm not sure if it's the proper way, so it would be great if someone with some more FIM knowledge would give some input on this. I went to the SharePoint portal settings as admin (right corner and Site Actions), advanced permissions, and I added my user there.
April 21st, 2010 4:57pm

that's probably the right thing to do. in fact, the FIM Service & Portal msi would ask if u want to grant users permission to access the sharepoint site
April 22nd, 2010 5:19am

I have already manually added the user, but still get You do not have permissions to access this site. But the users should have access through the Authenticated Users group. This does not get round the problem of the data not being imported properly into the FIM portal. Any more ideas out there? Screen shots of working imports / exports? Thanks
April 22nd, 2010 10:21am

"that's probably the right thing to do. in fact, the FIM Service & Portal msi would ask if u want to grant users permission to access the sharepoint site"
Yes it does, and I'm sure that I checked that box, so not sure why this wasn't set right, but at least now I know where the problem was coming from.
April 22nd, 2010 10:26am

In C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config:
- change <customErrors mode="On" /> to <customErrors mode="Off" />
- change CallStack="false" to CallStack="true"
- comment out <add name="ILMError" type="Microsoft.IdentityManagement.WebUI.Controls.ErrorHandlingModule, Microsoft.IdentityManagement.WebUI.Controls, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
Try again and post the call stack.
April 22nd, 2010 10:31am

Server Error in '/' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.IdentityManagement.WebUI.Controls.UICacheUtils.RetrieveFromServerCache(String key) +32
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +86
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +15
   Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +116
   Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +31
   System.Web.UI.Control.EnsureChildControls() +145
   System.Web.UI.Control.PreRenderRecursiveInternal() +60
   System.Web.UI.Control.PreRenderRecursiveInternal() +223
   System.Web.UI.Control.PreRenderRecursiveInternal() +223
   System.Web.UI.Control.PreRenderRecursiveInternal() +223
   System.Web.UI.Control.PreRenderRecursiveInternal() +223
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3393
is this what you wanted ?
Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927
April 22nd, 2010 11:00am

yes.. but first do iisreset and try again?
April 22nd, 2010 11:02am

Server Error in '/' Application.
startIndex cannot be larger than length of string. Parameter name: startIndex
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentOutOfRangeException: startIndex cannot be larger than length of string. Parameter name: startIndex
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ArgumentOutOfRangeException: startIndex cannot be larger than length of string. Parameter name: startIndex]
   System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy) +10081820
   System.String.Substring(Int32 startIndex) +19
   Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.Log(HttpContext context, SPWeb spWeb, Int64 bytes, UInt32 version) +836
   Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PostRequestExecuteHandler(Object oSender, EventArgs ea) +403
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
after iisreset
April 22nd, 2010 11:04am

ar ha.. check your sharepoint alternate site mapping
April 22nd, 2010 11:07am

What am I checking for? I found the site mapping; it just says:
http://compname
Http://compname:31499
Should http://compname/identitymanagement be added there?
April 22nd, 2010 11:19am

I get this error with my user:
[UserNotFoundException: This user does not have access to FIM store]
   Microsoft.IdentityManagement.WebUI.Controls.UIUserDataUtils.get_UserData() +204
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.GetUserIdentityAndTimeZone(Guid& userIdentity, TimeZoneInfo& userTimeZone) +47
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.AddChildren(SiteMapNode rootNode, NavigationBarItem[] navigationBars) +91
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.BuildSiteMap() +283
   Microsoft.IdentityManagement.WebUI.Controls.NavigationBarProvider.get_RootNode() +13
   System.Web.UI.WebControls.SiteMapDataSource.GetNodes() +231
   System.Web.UI.WebControls.SiteMapDataSource.GetTreeView(String viewPath) +35
   System.Web.UI.WebControls.HierarchicalDataBoundControl.GetData(String viewPath) +43
   System.Web.UI.WebControls.Menu.DataBindItem(MenuItem item) +53
   System.Web.UI.WebControls.Menu.PerformDataBinding() +49
   System.Web.UI.WebControls.HierarchicalDataBoundControl.PerformSelect() +114
   System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound() +82
   System.Web.UI.WebControls.Menu.EnsureDataBound() +38
   System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e, Boolean registerScript) +64
   Microsoft.SharePoint.WebControls.AspMenu.OnPreRender(EventArgs e) +166
   System.Web.UI.Control.PreRenderRecursiveInternal() +108
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394
April 22nd, 2010 11:22am

u are getting two different errors... i assume u are using different machines..?!?
[UserNotFoundException: This user does not have access to FIM store]
   Microsoft.IdentityManagement.WebUI.Controls.UIUserDataUtils.get_UserData() +204
indicates that the user isn't flown in correctly
April 22nd, 2010 11:25am

He is Robin DB and I am Petrolman, same type of problem, users not getting imported properly. Only partial data getting imported, I did indicate in earlier postings. Thanks
April 22nd, 2010 11:34am

sorry, got mixed up... You two have different issues...
Petrolman, you are having a problem when the user is trying to do /Person[AccountName='xxx' and Domain='yyy']... you need to make sure...
1. DisplayName, account name, domain, objectSid are imported
2. MPRs "General: Users can read non-administrative configuration resources" and "User management: Users can read attributes of their own" are enabled.
For #1, you should be able to verify that in FIM or FIM Connected Space (in sync)
Robin, on the other hand, is having a problem with his alt access mapping in Sharepoint
April 22nd, 2010 11:47am

The MPR's are fine, could you provide a screen shot of your Configure Attribute Flow settings for the FIM Service Management Agent. Thanks
April 22nd, 2010 12:11pm

Sorry i can't. You should be able to verify those attributes (except for sid) in FIM Portal easily:
- log on to the portal as the install user
- search for the user who has the access problem
- the first 3 columns show DisplayName, Domain, AccountName respectively
April 22nd, 2010 12:24pm

This is what I posted earlier: In the FIM Management Agent, Configure Attribute Flow, I am exporting DisplayName, Domain, FirstName, LastName, ObjectSID and importing ExpectedRulesList. But looking at the user details in the portal, using Advanced View - Extended Attributes, I can only see Domain, First Name, Last Name. Thanks
April 22nd, 2010 12:29pm

how about AccountName?
April 22nd, 2010 12:33pm

You could use Brad his script (somewhere in the thread in the export corner post about normal user portal access) to check the SID. This way you can isolate your problem by knowing the SID isn't the problem. I still have mine, not sure what to do with those SharePoint settings.
April 22nd, 2010 12:43pm

That is not getting imported, I have deleted the users from the portal, and trying to import again.
April 22nd, 2010 12:48pm

Robin, just making some random guesses... add localhost and FQDN in the alt mapping... see how that goes
April 22nd, 2010 12:49pm

no luck with that yet
April 22nd, 2010 1:02pm

while i don't know how to help u, there are a few things u should post here so others might assist you
1. screenshot of ur alt mapping
2. url that u are trying to access the portal
April 22nd, 2010 5:23pm

Using PowerShell to display a user’s attribute values for FIM Portal access.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 29th, 2010 10:20pm
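
Added example, not part of any post in this thread and not the script linked above: one way to check, from the FIM Service host, that the four attributes named in the thread (DisplayName, AccountName, Domain, ObjectSID) reached the portal and that the stored SID equals the one Windows resolves for the account. It assumes the FIMAutomation snap-in is installed, that the FIM Service listens on its default endpoint, and that the binary ObjectSID is returned as a base64 string; the account name and domain are placeholders.

```powershell
# Added example, not from the thread. Run as a FIM administrator on the FIM Service host.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$AccountName = 'jdoe'       # placeholder account name
$Domain      = 'CONTOSO'    # placeholder NetBIOS domain name
$Uri         = 'http://localhost:5725/ResourceManagementService'   # assumed default endpoint
$Required    = 'DisplayName', 'AccountName', 'Domain', 'ObjectSID'

# Same filter the portal uses to find the caller, as quoted in the thread.
$found = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources `
    -CustomConfig "/Person[AccountName='$AccountName' and Domain='$Domain']")
if ($found.Count -eq 0) {
    Write-Warning "No Person matches $Domain\$AccountName; check the AccountName and Domain export flows."
    return
}

# Collect the attributes that actually reached the FIM Service.
$attrs = @{}
foreach ($a in $found[0].ResourceManagementObject.ResourceManagementAttributes) {
    $attrs[$a.AttributeName] = $a.Value
}

foreach ($name in $Required) {
    if ([string]::IsNullOrEmpty($attrs[$name])) { Write-Warning "$name is missing" }
    else { "{0,-12} present" -f $name }
}

# The portal shows ObjectSID only as Export/Import/Clear buttons, so decode it here
# and compare it with the SID Windows resolves for the same account.
if ($attrs['ObjectSID']) {
    # Assumption: the binary value is returned base64-encoded.
    $bytes  = [Convert]::FromBase64String($attrs['ObjectSID'])
    $fimSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    $adSid  = (New-Object System.Security.Principal.NTAccount($Domain, $AccountName)).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    if ($fimSid.Equals($adSid)) { "ObjectSID matches AD: $fimSid" }
    else { Write-Warning "ObjectSID mismatch: FIM=$fimSid AD=$adSid" }
}
```

A "No Person matches" warning for a user who is visible in the portal points at a missing AccountName or Domain flow rather than at the SID.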

Thanks, that's a useful script, but the users were correct in my portal. The problem for me seems to be the rights on the site for the users, caused by SharePoint alt mappings (assuming nthony ho is right). I went around this by just adding the rights manually. My site runs on http://machinename/identitymanagement. That's not in my site mappings, but I can't seem to add it either.
May 3rd, 2010 10:11am

maybe... this one can help u http://russellgiddings.blogspot.com/2009/07/alternate-access-mapping-issue.html
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 29th, 2010 5:22pm

All, I had the same problem and realized that the documentation didn't say anything about the accountname attribute flow between the Metaverse and the FIM MA. So the account name (logon name) wasn't provisioned. As soon as I updated the management agent to include this flow all worked well. I got confused between display name and account name. Hope this helps.
Cheers, Jesus
Jesus Martin
June 12th, 2010 11:57pm
