No Users Except Administrator Can Access FIM Portal https://myFIMserver/identitymanagement
Hi, I am having two issues with FIM. First, when I run the Export profile against the FIM management agent, I get a "Failed-Creation-from-web-services" error. Second, no one except Administrator can access the FIM portal; users get "Service Not Available" when they try to log on. I configured the server exactly per the documents below:
http://technet.microsoft.com/en-us/library/ff575965(WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx?Sort=MostUseful&PageIndex=1

In the Event log I get the error below far too many times:

The description for Event ID 8214 from source Windows SharePoint Services 3 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: A request was made for a URL, http://suprize, which has not been configured in Alternate Access Mappings. Some links may point to the Alternate Access URL for the default zone, https://suprize. Review the Alternate Access mappings for this Web application at http://suprize:22409/_admin/AlternateUrlCollections.aspx and consider adding http://suprize as a Public Alternate Access URL if it will be used frequently. Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854

Your advice is much appreciated
July 21st, 2011 3:50am
> First, when I run the Export profile against the FIM management agent, I get a "Failed-Creation-from-web-services" error.
Possibly permissions related; have you enabled the correct Synchronization MPR?

> Second issue is no one except Administrator can access the FIM portal; users get "Service Not Available" when they try to log on.
In order for regular users to log on to the Portal, they must exist in the FIM Service database, with Domain, AccountName & ObjectSID attributes. If you fix the FIM Service MA Export error so that users are exported to the FIM Service database, then (providing the correct attributes exist) they should be able to log on to the portal at https://myFIMserver/identitymanagement.

Cheers
Tom Houston
July 21st, 2011 4:18am
I enabled all MPRs mentioned in the documents, and my FIM account has enough privileges to control AD users. Is there any specific MPR for this? For the second issue, I get that I should first fix the first issue to establish sync between AD and FIM, and then I can import all my users to the FIM database?
July 21st, 2011 4:34am
As for the "Alternate Access Mapping" error, check this article: http://blog.msresource.net/2011/06/08/installing-fim-portal-and-service-with-a-load-balanced-name/

Regards, Thomas
http://setspn.blogspot.com
July 21st, 2011 4:36am
Can you check 'Requests' in the FIM Portal for failed requests, & post here. Also, check the FIM MA account configuration using this PowerShell script..

Cheers
Tom Houston
July 21st, 2011 4:38am
Can you walk me through how I can get to "Requests" for failed requests? I am in the Requests & Approvals section and cannot find any failed request. Thanks
July 21st, 2011 4:46am
> For the second issue, I get that I should first fix the first issue to establish sync between AD and FIM, and then I can import all my users to the FIM database?
Correct: before a given user can log on to the FIM Portal it has to be created in the FIM Portal. Typically there are two possibilities:
1. You create a user in the portal (first & last name, accountName). FIM provisions this user to AD, and the ObjectSID & Domain are flowed back and populated in the portal.
2. You have a bunch of existing users in AD. FIM imports these from AD into the MV and exports them towards the FIM Portal (Service).
You are probably following scenario 2. As long as you're getting export errors, your users are absent from the FIM Service. Could you give some more info regarding the failed creation from web services? Does it reference an attribute or so?
http://setspn.blogspot.com
July 21st, 2011 4:48am
Rafatifard, if you have searched Requests for "All from today" & no failed requests are returned, then it may not be permission related.. There are a couple of things here:
1. Check the FIM Service MA account configuration as per my previous post.
2. Check the "Forefront Identity Manager" Event Log for more details regarding the failed-creation-via-webservices.

Cheers
Tom Houston
July 21st, 2011 5:10am
Just a sanity check: did you correctly register the SPNs for the correct URLs and service accounts? Described at the following URL: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/8bd7aca0-2e97-4cf7-8555-61b8817dd215

Need realtime FIM synchronization? Check out the new http://www.traxionsolutions.com/imsequencer that supports FIM 2010 and Omada Identity Manager real time synchronization!
July 21st, 2011 5:49am
I had set up the SPNs incorrectly; now I have created the SPNs per below:
- my FIM server's NetBIOS name is "SUPRIZE"
- my SharePoint account is SVC_SPService
- my FIM user account is SVC_FIMService
- my domain name is anmm

I ran the commands below to set up the SPNs:
setspn -s HTTP/suprize anmm\svc_spservice
setspn -s HTTP/suprize.anmm.gov.au anmm\svc_spservice
setspn -s FIMService/suprize anmm\svc_fimservice
setspn -s FIMService/suprize.anmm.gov.au anmm\svc_fimservice

So this should work..... When I run the EXPORT profile on my FIMMA MA I get "failed-modification-via-web-services". Below is the error:

Fault Reason: The endpoint could not dispatch the request.
Fault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Request could not be dispatched.
Exception: Other
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
   at Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domainName)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationSynchronizer.SetDomainConfigurationFromDomain(RequestType request, CreateRequestParameter domainNameParameter)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationSynchronizer.Synchronize(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.UserActionProcessor.PreProcessRequestFromObjectType(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromObjectType(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
   --- End of inner exception stack trace ---</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource></DispatchRequestAdministratorDetails></DispatchRequestFailures>

I have created the object attribute flows on the FIMMA MA per below:

I have created the Synchronization rule per below:

Destination    Source
displayName    displayName
firstName      givenName
domain         CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-4220550486-1538840966-3184992408"),"ANMM","Unknown"))
objectSid      objectSid
accountName    sAMAccountName
lastName       sn

I used the anmm\fimma account to create the FIMMA MA and used anmm\svc_fimservice to create the AD MA. Your assistance is much appreciated
July 21st, 2011 6:57am
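The sanity check suggested two posts up (are the SPNs registered, and only once?) can be scripted rather than eyeballed. The following PowerShell is an added example and not part of the thread; it assumes a domain-joined machine with the RSAT ActiveDirectory module and setspn.exe, and it reuses the host, account and domain names the poster gave above. It reads the servicePrincipalName attribute of each service account, confirms each expected SPN is present, and uses `setspn -Q` to detect the same SPN registered on more than one account (a duplicate silently breaks Kerberos for both holders).

```powershell
# Added example (not from the thread): verify the SPNs registered above.
# Assumes: RSAT ActiveDirectory module, setspn.exe, names as posted in the thread.
$Checks = @(
    @{ Account = 'svc_spservice';  Spns = 'HTTP/suprize', 'HTTP/suprize.anmm.gov.au' },
    @{ Account = 'svc_fimservice'; Spns = 'FIMService/suprize', 'FIMService/suprize.anmm.gov.au' }
)

foreach ($c in $Checks) {
    # SPNs actually stored on the account object in AD.
    $registered = (Get-ADUser -Identity $c.Account -Properties servicePrincipalName).servicePrincipalName

    foreach ($spn in $c.Spns) {
        if ($registered -contains $spn) {
            Write-Output ("OK        {0} is registered on {1}" -f $spn, $c.Account)
        } else {
            Write-Output ("MISSING   {0} is not on {1}" -f $spn, $c.Account)
        }

        # setspn -Q lists every object holding this SPN (one "CN=..." line each).
        # More than one holder means a duplicate registration.
        $holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
        if ($holders.Count -gt 1) {
            Write-Output ("DUPLICATE {0} held by: {1}" -f $spn, ($holders -join '; '))
        }
    }
}

# Forest-wide duplicate scan as a final check.
setspn -X
```

Run it once after the `setspn -s` commands; a MISSING or DUPLICATE line points at the account to fix before retrying the FIM MA export.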
Maybe this will help you: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/2d169d27-94e0-48d6-902e-aa87b4448863 Seems you are missing some attributes; is the "domain" attribute set for this specific user in the FIM portal?

Need realtime FIM synchronization? Check out the new http://www.traxionsolutions.com/imsequencer that supports FIM 2010 and Omada Identity Manager real time synchronization!
July 21st, 2011 7:03am
So as you can see the FIMMA needs a domain value. A couple of things:
1. In your IIF you might want to consider using Null() instead of "Unknown". Null means don't flow anything.
2. Do you really need to compare the domain part of the SID to get the NetBIOS name? Are you sure that your Eq() function is actually returning a value?
3. If you only have one domain, which it looks like you do, you should consider flowing a string constant for the domain from your HR source. I usually have a computed column in my view that FIM simply flows. I can perform rudimentary logic within my view re. location and business unit if required.
July 21st, 2011 7:11am
My domain CustomExpression is IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-2035599408-432449382-2062506072"),"ANMM","UnKnown"). I changed Unknown to Null() but am still getting the same error. I am in the properties of my domain in the AD Users and Computers console, and in the Attribute Editor tab objectSid is S-1-5-21-2035599408-432449382-2062506072, so is this the SID that needs to be in my CustomExpression? How can I check that my Eq() function is actually returning a value? Please drive me through step by step as I am new to FIM stuff :)
July 21st, 2011 7:29am
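The question "how can I check that my Eq() function is actually returning a value?" can be answered outside FIM by reproducing the expression's logic in PowerShell and looking at the intermediate strings. The block below is an added example, not from the thread or from FIM: it stands in for FIM's ConvertSidToString/Left/Eq with .NET's SecurityIdentifier and String.Substring. The two domain SID strings are the ones quoted in this thread; the sample account SID is constructed (RID 1105). One thing worth knowing before running it: the first SID string quoted in the thread is 41 characters long, the second is 40, so Left(ConvertSidToString(objectSid), 41) on an account in the second domain yields the domain SID plus a trailing hyphen, which can never equal the 40-character constant. The AccountDomainSid property avoids the fixed length altogether.

```powershell
# Added example (not from the thread): reproduce IIF(Eq(Left(ConvertSidToString(objectSid),41), <domainSid>), ...)
# with .NET so the comparison can be inspected. SID strings are the two quoted in the thread;
# the account SID below is constructed (RID 1105).
$DomainSid41 = 'S-1-5-21-4220550486-1538840966-3184992408'   # from the first post
$DomainSid40 = 'S-1-5-21-2035599408-432449382-2062506072'    # from the later post
$UserSid     = [System.Security.Principal.SecurityIdentifier]"$DomainSid40-1105"

function Test-DomainByLeft {
    # Mirrors Left(ConvertSidToString(objectSid), $Length) compared with $DomainSid.
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [string]$DomainSid,
        [int]$Length
    )
    $sidString = $Sid.Value
    $left = $sidString.Substring(0, [Math]::Min($Length, $sidString.Length))
    [pscustomobject]@{
        LeftValue = $left
        Expected  = $DomainSid
        Match     = ($left -eq $DomainSid)
    }
}

function Test-DomainBySid {
    # Robust form: .NET already knows where the domain part of a SID ends.
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [string]$DomainSid
    )
    return ($Sid.AccountDomainSid.Value -eq $DomainSid)
}

"Length of first domain SID : $($DomainSid41.Length)"
"Length of second domain SID: $($DomainSid40.Length)"

# Same expression as the thread (Left ..., 41) against an account in the 40-character domain,
# then the same test with the length that actually fits that domain SID.
Test-DomainByLeft -Sid $UserSid -DomainSid $DomainSid40 -Length 41
Test-DomainByLeft -Sid $UserSid -DomainSid $DomainSid40 -Length 40

"AccountDomainSid match: $(Test-DomainBySid -Sid $UserSid -DomainSid $DomainSid40)"

# Live check against a real account (requires the ActiveDirectory module; 'jdoe' is a placeholder):
# $u = Get-ADUser -Identity 'jdoe'
# Test-DomainBySid -Sid $u.SID -DomainSid $DomainSid40
```

Reading the LeftValue column of the two Test-DomainByLeft results side by side shows exactly what Eq() is being asked to compare; if the flow for a single domain only ever needs the constant "ANMM", the string-constant approach from the previous post removes the comparison entirely.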
I'll try & keep this as simple as possible for you Rafatifard.. As Paul states, can you configure your AD DS inbound synchronization rule (in the FIM Portal) to flow a constant string "ANMM" into the FIM Sync Service metaverse. Then, from the Synchronization Service Manager, in your FIM Service management agent, flow the value of domain, "ANMM", into the FIM Service - so you need to configure an export attribute flow mapping for:
[metaverse] domain --> Domain [FIM Service]
Run a Full Import (Stage Only) run profile, followed by a Full Synchronization run profile on the FIM Service management agent. Then run a Delta Import and Delta Synchronization on your AD DS management agent, followed by an Export on your FIM Service management agent.

Cheers
Tom Houston
July 21st, 2011 8:10am
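The run profile sequence above (FIM Service MA: Full Import (Stage Only), Full Synchronization; AD DS MA: Delta Import, Delta Synchronization; FIM Service MA: Export) can be driven from a script so that it is repeatable and stops at the first step that does not succeed. The PowerShell below is an added example, not from the thread or from the FIM product: it assumes it runs on the FIM Synchronization Service server under an account in the FIMSyncAdmins or FIMSyncOperators group, and it uses the Synchronization Service's WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute). The management agent names 'FIM Service MA' and 'AD DS MA' and the run profile names are placeholders to replace with the ones defined locally.

```powershell
# Added example (not from the thread): run Tom's profile sequence via the Sync Service WMI provider.
# Assumes: run on the FIM Sync server as a FIMSyncAdmins/FIMSyncOperators member.
# MA names and run profile names below are placeholders for the locally defined ones.
function Invoke-RunProfile {
    param(
        [string]$MaName,
        [string]$ProfileName
    )
    $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                        -Class MIIS_ManagementAgent `
                        -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    # Execute() blocks until the run finishes and returns the run status string.
    $result = $ma.Execute($ProfileName).ReturnValue
    Write-Output ("{0,-16} {1,-28} {2}" -f $MaName, $ProfileName, $result)

    # Anything other than 'success' (e.g. completed-export-errors) needs a look at the
    # run history in Synchronization Service Manager before continuing, so stop here.
    if ($result -ne 'success') { throw "$MaName / $ProfileName returned '$result'" }
    return $result
}

$Sequence = @(
    @('FIM Service MA', 'Full Import (Stage Only)'),
    @('FIM Service MA', 'Full Synchronization'),
    @('AD DS MA',       'Delta Import'),
    @('AD DS MA',       'Delta Synchronization'),
    @('FIM Service MA', 'Export')
)

foreach ($step in $Sequence) {
    Invoke-RunProfile -MaName $step[0] -ProfileName $step[1]
}
```

Stopping on the first non-success status matters here: an Export that runs after a failed import would only re-raise the same web-services error the thread is chasing, and the run history of the failing step is where the attribute-level cause is shown.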
Thanks Thomas, I had some progress. I changed the Inbound Attribute Flow: on source I selected String "ANMM" and destination "domain". I ran the profiles per above as well. I can see some users are imported to the FIM portal, but with no Account name, and the display name is "No Display Name". Also on my client PC, when I log in with one of the accounts (which I assume is imported to the portal) and browse to https://suprize/identitymanagement I get "You Do Not Have Permission to Access This Site". I know that I enabled all relevant MPRs... Cheers
July 21st, 2011 10:01am
As mentioned in a previous post, regular users in the Portal must have Domain, AccountName & ObjectSID attributes, otherwise they will not be able to log into the Portal. There are also two key MPRs that will need enabling:
1. General: Users can read non-administrative configuration resources
2. User management: Users can read attributes of their own

Cheers
Tom Houston
July 21st, 2011 10:12am
You are correct, I don't have any of them on my users in the portal. I have no idea why FIM imported users from AD without the domain, accountName and objectSID attributes. When I run the profiles, I don't get any error. Can you advise where I should look to see what is wrong? Thanks
July 21st, 2011 10:44am
You should check your sync rule that imports users to the FIM portal; you should see your import flows. The other place to look is in the Metaverse Designer: see in the person object if these attributes are synced and check the precedence (it should be equal or set to Active Directory).
Hitch Bardawil
July 21st, 2011 10:54am
I finally managed to fix importing users from AD to FIM; I had an issue with the CustomExpression SID, which is now working fine. But I cannot sync new users created in FIM to AD (outbound synchronization). My import attributes are the same as the export attributes on the FIM MA. I configured synchronization rules, MPRs and object workflow per this URL http://technet.microsoft.com/en-us/forefront/ff182885.aspx. Any advice is much appreciated
July 25th, 2011 11:09pm
For me ultimately it was adding a SharePoint permission that adds Domain Users to the "Team Site Members" group. I love that this isn't spelled out anywhere in the FIM deployment guides (&%$^^).
1. Browse to the default site above identitymanagement.
2. Click Site Actions, then Site Settings.
3. Click People and Groups.
4. Under Groups click "Team Site Members".
5. Click New and add users. Add "Domain Users".
I was then able to have users see the identitymanagement site.
November 16th, 2011 10:08am
You can do a change installation of the FIM Portal and select the checkbox "Grant authenticated users access to FIM portal site"; it will add the right permissions to the SharePoint site ... Nevertheless, if you want manual actions you need to go to Site Settings -> Users and Groups -> select from the right "Site Permissions" -> Add Users, "NT Authority\Authenticated Users" and give them Read access. That's the SharePoint part; furthermore you need to import the users into the FIM Service with ObjectSID.
It's never too late in life ... to start living
November 16th, 2011 1:51pm
Hi, which attributes are you flowing to AD? Are the export attributes the same as the import attributes? Why? You cannot set SID in AD; it is handled by AD itself. You will need to set DN in AD to create the account. AD will create the name and CN from this attribute. Please post the attribute flows that you have in your outbound sync rule, because it makes it easier to help you. Another thing that you might need to verify is that all attributes that you are flowing to AD are in the Sync Metaverse and not only in the FIM portal.
//Christian Dommersnes www.cortego.se
November 17th, 2011 3:51am
Having the same issues. The FIM admins are fine but the regular users are having the problems. It has something to do with one of the MPRs: when I disable it the user logs in and I see the message "Welcome (Username)", but when I enable the MPR back the user is not allowed to log in. The user is present in FIM and is a member of AD. What do I need to do??????
July 25th, 2012 7:33am