Password Self Service Registration Problem
Hi,

I have already done the following with success:
• Inbound Sync Rule FileMA to FIM
• Outbound Sync Rule FIM to AD

As in the posts:
• Introduction to Inbound Synchronization http://technet.microsoft.com/en-us/library/ee534911(WS.10).aspx
• How Do I Provision Users to AD DS http://technet.microsoft.com/en-us/library/ff686263(WS.10).aspx

When the user account is created from the FIM Portal and exported to AD DS:
• OK: The user account is exported to AD DS
• OK: The user logs on to the client PC
• OK: The Question and Answer Gate for Self Service Password Reset registration appears
• OK: The user can answer the Q&A Gate for registration

BUT if the user account is created from the FileMA, imported to FIM and exported to AD DS:
• OK: The user account is exported to AD DS
• OK: The user logs on to the client PC
• NO: The Question and Answer Gate for Self Service Password Reset registration does NOT appear
• NO: The user can NOT answer the Q&A Gate for registration because it does NOT appear

My FileMA schema is like this:

"EmployeeID","EmployeeType","FirstName","LastName","Domain"
"7","Contractor","Britta","Simon","Lab"

Do I need to add another attribute? Or another configuration?

Thanks.
July 21st, 2011 11:29am

Are you able to log on to the portal using the user which was provisioned based on the FILE MA -> FIM MA -> AD MA flow? You might have a precedence issue with a given attribute. Make sure those users have ObjectSid, Domain and AccountName present. Perhaps you can compare the FIM MA connector space for a user which is working and a user which is not working. See what attributes are different/missing. And obviously you'll have to make sure they are part of the SET granting them permissions to register for SSPR.

http://setspn.blogspot.com
July 21st, 2011 11:36am

You need to look at what you're setting when you create a user via the portal as opposed to the HR feed. It looks like the users created via the Synchronization engine are not part of the Password Reset Users set. If you manually invoke the registration process you'll probably get an error. Look at the criteria for the password reset users set. If that doesn't help, invoke the registration process manually and feed back the error. I would also enable client side logging but let's check to be sure the user is within scope of all necessary MPRs first.
July 21st, 2011 4:02pm

Thomas is probably right, you need at least:
• Domain
• AccountName
• ObjectSid
• (and optionally) DisplayName

The FIM Password Reset Blog http://blogs.technet.com/aho/
July 24th, 2011 3:59pm

To reiterate what Thomas, Anthony and Paul have already said:

Go to the user in the portal, click on the "Advanced View" tab and make sure the following attributes are set:
• "Account Name"
• "Domain"
• "Resource SID"

With "Resource SID", if the "Export" button is enabled you will have a SID stored, otherwise you will probably see "No value specified for this attribute".

If all this is correct then check the "Password Reset Users Set" and ensure your user is within this set.

Also make sure that the "Domain" attribute you are flowing in via the FileMA is the correct MA the user logged into the PC as.

If you are still having issues you can turn on the trace; for more info see Thomas' blog post http://setspn.blogspot.com/2010/09/fim-2010-sspr-client-extension-advanced.html [ there's a plug for ya Thomas :) ]

Phil
July 24th, 2011 10:16pm
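
The checks suggested in the replies above (AccountName, Domain and ObjectSID present, attribute differences between a working and a non-working user, membership of the "Password Reset Users Set") can be scripted against the FIM Service. This is an added example, not code from any poster in this thread. It assumes the FIMAutomation snap-in on the FIM Service server, the default local service URI, that EmployeeID from the FileMA flows into the portal, and a hypothetical working account named 'portaluser'.

```powershell
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$Uri      = 'http://localhost:5725/ResourceManagementService'  # assumed: default local FIM Service endpoint
$Required = 'AccountName', 'Domain', 'ObjectSID'                # attributes named in the replies
$SetName  = 'Password Reset Users Set'                          # set name as written in the thread

function Get-FimPerson {
    param([string]$Predicate)   # XPath predicate, e.g. "EmployeeID='7'"
    $found = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/Person[$Predicate]"
    if ($null -eq $found) { return $null }
    # Only attributes that carry a value are returned, so absence means "not set".
    $attrs = @{}
    foreach ($a in @($found)[0].ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $attrs[$a.AttributeName] = $a.Values -join ';' }
        else                 { $attrs[$a.AttributeName] = $a.Value }
    }
    return $attrs
}

function Test-InResetSet {
    param([string]$Predicate)
    # Dereference the set's computed membership and intersect it with the user filter.
    $xpath = "/Person[$Predicate and ObjectID = /Set[DisplayName='$SetName']/ComputedMember]"
    return ($null -ne (Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $xpath))
}

# Hypothetical identities. The FileMA user is looked up by EmployeeID because
# AccountName may be one of the attributes that never reached the portal.
$good = "AccountName='portaluser'"   # created in the portal, Q&A gate appears
$bad  = "EmployeeID='7'"             # imported from the FileMA, no Q&A gate

$goodAttrs = Get-FimPerson $good
$badAttrs  = Get-FimPerson $bad
if ($null -eq $goodAttrs -or $null -eq $badAttrs) {
    throw 'One of the two users was not found in the FIM Service.'
}

foreach ($name in $Required) {
    $state = if ($badAttrs[$name]) { 'present' } else { 'MISSING' }
    '{0,-12} {1}' -f $name, $state
}

$onlyGood = $goodAttrs.Keys | Where-Object { -not $badAttrs.ContainsKey($_) } | Sort-Object
'Set on working user only: ' + ($onlyGood -join ', ')
"FileMA user in '$SetName': " + (Test-InResetSet $bad)
```

Run it as an account with read permission on Person and Set resources in the FIM Service; a user the caller cannot read is reported as not found.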

This topic is archived. No further replies will be accepted.
