ILM 2 - AD data has been pulled into ILMDB but user accounts can't access ILM Portal.
I'm attempting to set up an ILM 2 RC0 server for Self Service Password Reset purposes.

The install went pretty smoothly. Importing data from Active Directory (2008) into the Metaverse was fairly straightforward once I set the appropriate AD replication permissions for the ILM Service service account. (This should be in the main install docs.)

I then had some difficulty getting the Metaverse data to export via the ILM MA. Dealt with the regex constraint on the EmployeeType field and finally got that going.

So as it stands, all of my users are showing up in ILM. When I view a user in the ILM portal the accountname and domain fields are properly populated.

I have the site permissions within SharePoint set so that all authenticated users have Contributor level access.

I followed the Password Reset and Registration TechNet instructions, including the corrections to the MPR at the end of the doc.

Anonymous site access is allowed for the PasswordPortal (this actually works, I can get to that page without any authentication).

At this point I would have thought that I would be able to access the main ILM Portal with any AD user account.

Unfortunately when I access http://ilmservername.domain.com/identitymanagement I get prompted for auth, which works fine, but then I get the dreaded SharePoint "An unexpected error has occurred."

Is there somewhere else that I need to modify permissions or is there something else that has to be done with the user's account in ILM?
July 31st, 2009 8:38pm

Hi. Just a quick question: are you doing this by any chance locally on the ILM box? With RC0 I had strange problems that when I tried to access the ILM2 portal as a user other than admin using a browser locally on the ILM box (hey, this is just a lab) it failed with such a "self explaining" error. However, when I accessed this portal from another machine it worked out fine. I just blamed it on RC0 oddity and I didn't dig deeper into the cause. So if you are doing this from the ILM2 box itself, try to access the portal from another machine.
August 3rd, 2009 12:06am

Have you actually set the domain attribute? There's a bug in the RC0 portal whereby it shows the default domain regardless. Check the request log to ascertain whether you've actually set the domain attribute and therefore, importantly, invoked the domain configuration workflow, which looks up a domain configuration object with a display name of your domain's NetBIOS name and then writes the domain configuration reference attribute with the GUID of the DC object.

In RC0 the best options for the domain attribute are either a constant string in one of the inbound flow rules, or a direct flow rule from one of your connected data sources, e.g. I added a column to my database called NTDomainName and flowed it from there.

The other option is the function evaluator. You can write the domain attribute with a string constant by triggering this w/f on user creation events. I invoke for creation events performed by the ilmma and scope with "target after". I couldn't get this to work in RC0 but it seems to work fine on newer builds, so this will be an option for you in RC1. Obviously a custom activity can be used in place of the function evaluator and if you don't feel like writing your own, the ensynch guys have written one and made it available publicly via codeplex.

-- http://ilm2rc0enswf.codeplex.com/
August 3rd, 2009 12:39pm

I've been trying from remote workstations as well as locally on the server. I get the same results.
August 3rd, 2009 7:10pm

Ok, looks like the domain value wasn't being flowed from anywhere. I added the domain value as a string flowing to the "domain" attribute via the "Inbound Attribute Flow" tab in my synchronization rule in the ILM portal.

I did a full import & sync and then export on the ILMMA, but the original problem is still occurring.

Where is the ILM request log you referred to located?
August 3rd, 2009 7:16pm

The "request log" is accessed via the "search all requests" option in the navigation pane, under requests (assuming you log on as a member of the ILM administrators set).

If you changed the sync rule via the portal you need to perform an import and synchronisation on the ILM MA, and then an import and full synchronisation on whichever MA you configured the static flow rule. Basically, you first bring the configuration into the sync service and then utilise that config. Make sense?
August 4th, 2009 12:24am

> Have you actually set the domain attribute? There's a bug in the RC0 portal whereby it shows the default domain regardless. Check the request log to ascertain whether you've actually set the domain attribute and therefore, importantly, invoked the domain configuration workflow, which looks up a domain configuration object with a display name of your domain's NetBIOS name and then writes the domain configuration reference attribute with the GUID of the DC object.
>
> In RC0 the best options for the domain attribute are either a constant string in one of the inbound flow rules, or a direct flow rule from one of your connected data sources, e.g. I added a column to my database called NTDomainName and flowed it from there.

When you say you added a column to your database, what database are you talking about? Did you add this in the Metaverse designer, or did you add it via the Synchronization Rule in the ILM Portal?

I tried setting it as a string in the attribute flow rules tab of my Active Directory Synchronization Rule in the ILM Portal, but it seems to have duplicated all of my Person records in ILM. I have a bunch of records that have the Domain field set to the string I specified, but all other data is blank, then I have all of my AD users, but I'm guessing the Domain field isn't actually populated on those (even though it shows, because of the bug you mentioned). I only have one Sync Rule which specifies all of the mapped fields as well as the string constant, so I'm not sure why the extra person entries are being created instead of correlating all of the data.
August 10th, 2009 6:45pm

> When you say you added a column to your database, what database are you talking about?

A separate database that I called HRTOO (I find it quite witty) that provides some organisational information as well as the NetBIOS name of the domain.

> Did you add this in the Metaverse designer, or did you add it via the Synchronization Rule in the ILM Portal?

The flow rule was configured in an inbound synchronisation rule (ISR) for the SQL MA to my HRTOO system.

> I tried setting it as a string in the attribute flow rules tab of my Active Directory Synchronization Rule in the ILM Portal, but it seems to have duplicated all of my Person records in ILM. I have a bunch of records that have the Domain field set to the string I specified, but all other data is blank, then I have all of my AD users, but I'm guessing the Domain field isn't actually populated on those (even though it shows, because of the bug you mentioned).

Yes, a fixed string in the AD ISR is probably the easiest way to go. There's a little bug in the identity manager that won't allow you to define precedence for this attribute, but don't worry about that too much. Just set it as Equal to get around the fact that the ILM MA is the "owner" of the flow.

The rest of your post reads as an attribute precedence issue too. Once you make changes to the ILM MA or sync rules and synchronise these changes some condition (haven't tracked down the specifics but it's fixed in the current builds) makes the ILM MA precedence all over again. So, what you need to do is delete the CS of both AD and ILM, import ILM and AD, synchronise ILM, fix the precedence (MV designer), then run some previews against objects in the AD CS. If they're successfully joining and the attributes are flowing as expected, run a full sync on the AD MA and then export to ILM.
August 11th, 2009 6:11pm

This topic is archived. No further replies will be accepted.
