Permission denied on Recovery operation when called by Provision API
Hi All,

I am calling the RequestOperations.InitiateRecover method on a smartcard profile within a notification handler. As a result I get the following exception: "Current user [FIMTEST\Administrator] is not authorized to initiate this operation [Recover] on Copy Of FIM CM Sample Smart Card Logon Profile Template."

When I manually start a "Replace smart card that was lost or is no longer available" workflow with the same user, everything works fine. Now my first question is: Is that workflow identical to the RequestOperations.InitiateRecover workflow?

The user account I'm using for this is a domain administrator. Additionally, he is granted permission on "Initiate Enroll Request", "Initiate Recover on Behalf Requests" and "Enroll Agent for Recover on Behalf Requests". My second question is: Is there a difference between RequestOperations.InitiateRecover and "Recover on Behalf"?

Clm.txt yields this output immediately before the exception:

"2010-04-09 12:27:29.28 +02" "Microsoft.Clm.BusinessLayer.AccessControlManager" "Boolean CheckGenericObjectAccess(System.Security.Principal.WindowsIdentity, System.String, System.DirectoryServices.ActiveDirectoryRights)" "OPENFIM\Administrator" "OPENFIM\Administrator" 0x00000FE0 0x00000003 Principal: OPENFIM\Administrator, securityDescriptor: O:S-1-5-21-3662825292-2200938975-31401343-1118G:DUD:AI(A;;LCRPRC;;;S-1-5-21-3662825292-2200938975-31401343-1103)(A;;LCSWRPWPLORC;;;S-1-5-21-3662825292-2200938975-31401343-1118)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;;CR;f79c4213-4d44-4255-9440-8795bfa20281;;S-1-5-21-3662825292-2200938975-31401343-1103)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;DA) , desiredAccess: ReadProperty
"2010-04-09 12:27:29.29 +02" "Microsoft.Clm.Security.Authorization.AuthzManager" "Boolean AccessCheck(System.String, System.String, Int32)" "OPENFIM\Administrator" "OPENFIM\clmAuthAgent" 0x00000FE0 0x00000003 User: [OPENFIM\Administrator], Security descriptor: [O:LAD:(A;;CC;;;SY)], Desired access: 0x00000001
"2010-04-09 12:27:29.30 +02" "Microsoft.Clm.Security.Authorization.SecurityDescriptor" "Byte[] ConvertToByteArray(System.String)" "OPENFIM\Administrator" "OPENFIM\clmAuthAgent" 0x00000FE0 0x00000003 Converting SD from SDDL format: O:LAD:(A;;CC;;;SY)
"2010-04-09 12:27:29.30 +02" "Microsoft.Clm.Security.Authorization.AuthzManager" "Boolean AccessCheck(System.String, IntPtr, Int32)" "OPENFIM\Administrator" "OPENFIM\clmAuthAgent" 0x00000FE0 0x00000003 User: [OPENFIM\Administrator], Security descriptor: 0x08448C70, Desired access: 0x00000001
"2010-04-09 12:27:29.31 +02" "Microsoft.Clm.Security.Authorization.AuthzManager" "Boolean AccessCheck(System.String, IntPtr, Int32)" "OPENFIM\Administrator" "OPENFIM\clmAuthAgent" 0x00000FE0 0x00000003 Granted: False, User: [OPENFIM\Administrator], Security descriptor: 0x08448C70, Desired access: 0x00000001

My third question is: how can I troubleshoot this? I don't know which permissions I have left to assign to the user...

Thanks and best regards
Nils Loeber
April 9th, 2010 1:51pm

I found out in the meantime. Question one: No. Question two: No. Solution: I had to add the user to the Recover workflow in the Replace Profile Template.
April 11th, 2010 6:57pm
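A practical way to troubleshoot a denial like the one in the Clm.txt excerpt above is to decode the SDDL strings the log prints and ask which trustees actually hold the requested right. The Python below is an added example, not FIM CM code; it parses the two descriptors copied from the log (the names PROFILE_SD and SECOND_SD are mine) and shows that the second descriptor grants CC (0x1) to Local System only, so an AccessCheck for desired access 0x00000001 fails for any other principal, which fits the follow-up's fix of adding the user to the Recover workflow.

```python
import re

# Two-letter SDDL access-right codes (Active Directory object rights)
RIGHTS = {
    "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
    "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
    "CR": "ControlAccess", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac",
    "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
}
# Well-known trustee abbreviations used in the descriptors from the post
TRUSTEES = {"SY": "Local System", "DA": "Domain Admins", "EA": "Enterprise Admins",
            "AU": "Authenticated Users", "LA": "Local Administrator", "DU": "Domain Users"}

def parse_sddl(sddl):
    """Split an SDDL string into owner, group and a list of DACL ACE dicts."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = ace.split(";")[:6]
        if rights.startswith("0x"):  # numeric access mask: keep it as written
            names = [rights]
        else:  # concatenated two-letter codes, e.g. LCRPRC -> LC, RP, RC
            names = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": names,
                     "object": obj_guid, "trustee": TRUSTEES.get(trustee, trustee)})
    return {"owner": parts.get("O"), "group": parts.get("G"), "aces": aces}

def allowed(sddl, right):
    """Trustees holding an allow ACE (A or object-specific OA) that grants `right`."""
    return {a["trustee"] for a in parse_sddl(sddl)["aces"]
            if a["type"] in ("A", "OA") and right in a["rights"]}

# The two descriptors copied verbatim from the Clm.txt excerpt in the question
PROFILE_SD = ("O:S-1-5-21-3662825292-2200938975-31401343-1118G:DUD:AI"
              "(A;;LCRPRC;;;S-1-5-21-3662825292-2200938975-31401343-1103)"
              "(A;;LCSWRPWPLORC;;;S-1-5-21-3662825292-2200938975-31401343-1118)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;AU)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
              "(OA;;CR;f79c4213-4d44-4255-9440-8795bfa20281;;"
              "S-1-5-21-3662825292-2200938975-31401343-1103)"
              "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;DA)")
SECOND_SD = "O:LAD:(A;;CC;;;SY)"  # checked with desired access 0x00000001 (= CC)

if __name__ == "__main__":
    for label, sd in (("profile template SD", PROFILE_SD), ("second SD", SECOND_SD)):
        for a in parse_sddl(sd)["aces"]:
            print(label, a["type"], a["flags"] or "-", a["trustee"], ",".join(a["rights"]))
        print(label, "ReadProperty:", sorted(allowed(sd, "ReadProperty")))
        print(label, "CreateChild (0x1):", sorted(allowed(sd, "CreateChild")))
```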
