Service not available from portal
I am currently installing Forefront, and have been working through the documents 'Installation Guide' and 'Installing the FIM 2010 Server components'. I have got to the stage where I should be able to test the portal by going to http://servername/indentitymanagement

However, when I do this, all I get is a message which says Service not available in bold red. In the event log the following appears each time I try:

The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

The server is 2008 R2, with SQL 2008 SP1. All SharePoint, SQL and FIM services are installed onto the same server.

Interestingly, if I log into a workstation as the domain admin account (which was used to set the server up) it works fine. I only get the error as a normal user account. I've also tried logging into the server using a normal user account and the same problem occurs.

So from the above, I think this is a Forefront security issue. Is there somewhere that I need to give users permission to use the FIM portal?
May 13th, 2010 11:18am

Enabling FIM Portal Access for a Regular AD User Account
Using PowerShell to display a user’s attribute values for FIM Portal access

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
May 13th, 2010 3:00pm

I have followed through step 1, and rebooted the server. I have run the check attributes script, which displays the following:

Cheking MPRs
============
General: Users can read non-administrative configuration resources
Enabled: Yes
User management: Users can read attributes of their own
Enabled: Yes

However, users still cannot get to the portal. The same message appears. Thank you for your help.
May 13th, 2010 3:52pm

OK, I think I've nearly sussed it, just need a little more help.

I noticed that there are no accounts listed in Forefront, and if I run the Fix an ObjectSID script, it came back indicating it had found the AD object, but not the object in FIM. So....I created a test ID of an ID user manually in FIM....tried with that user...it still didn't work. I then ran the Fix an ObjectSID script against the test user, and it worked.

So....I guess the question is how do I get all my AD users in FIM...isn't that what the sync service is supposed to do?
May 13th, 2010 4:09pm

This is correct.
FIM How Do I Guides.

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
May 13th, 2010 7:27pm
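
The check discussed in the posts above (the AD account exists, but the matching Person resource in FIM is missing or carries no matching ObjectSID) can be scripted as follows. This is an added example, not code from the thread or from Microsoft's scripts. It assumes the FIMAutomation snap-in is installed, the FIM Service listens on port 5725, and that Export-FIMConfig returns ObjectSID as a base64 string; DOMAIN and testuser are placeholders.

```powershell
# Added example. Placeholders: DOMAIN, testuser. Run on the FIM server as a FIM administrator.
param(
    [string]$Domain      = 'DOMAIN',
    [string]$AccountName = 'testuser',
    [string]$Uri         = 'http://localhost:5725'
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Return the value of a named attribute from an Export-FIMConfig result object.
function Get-FimAttributeValue($ExportObject, [string]$Name) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($attr) { $attr.Value }
}

# 1. SID that Windows resolves for the account (throws if the account is not in AD).
$ntAccount = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
$adSid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Person resources in the FIM Service with the same AccountName and Domain.
$filter  = "/Person[AccountName='$AccountName' and Domain='$Domain']"
$persons = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)

if ($persons.Count -eq 0) {
    Write-Warning "No Person resource for $Domain\$AccountName in FIM; portal logon will fail."
    return
}

# 3. Decode each ObjectSID (assumed base64) and compare it with the AD SID.
foreach ($p in $persons) {
    $raw = Get-FimAttributeValue $p 'ObjectSID'
    $fimSid = $null
    if ($raw) {
        $bytes  = [Convert]::FromBase64String($raw)
        $fimSid = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    New-Object PSObject -Property @{
        Account = "$Domain\$AccountName"
        AdSid   = $adSid
        FimSid  = $fimSid
        Match   = ($fimSid -eq $adSid)
    }
}
```

A row with an empty FimSid or Match = False means the Person resource exists but cannot be tied to the Windows identity of the user.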

Hi

The same problem: Service not available (http://fim2010/_layouts/MSILM2/ErrorPage.aspx?ErrorCode=3000)

Tell me what I did wrong:

"Fim2010" - server name
"Domain" - my domain
"Domain\user1" - the user to install the components (administrator at fim2010)

1. Installed SQL Server 2008 SP1
2. Installed Sharepoint Services 3.0 SP2 (site http://fim2010 works)
3. Create user domain\fim2010service, domain\fim2010agent, domain\fim2010notify
3.1 setspn -S HTTP/fim2010 domain\fim2010notify
3.2 setspn -S FIMService/fim2010 domain\fim2010notify
4. Established FIM Sync Service (using user domain\fim2010service)
5. Established FIM Service and Portal
5.1 Certificate: Generate a new self-issued certificate
5.2 Service account name: fim2010agent
5.3 Service account domain: domain
5.4 Service email account: fim2010agent@domain.com
5.5 Synchronization Server: fim2010
5.6 FIM Management Agent Account: domain\fim2010notify
5.7 FIM Service Server address: fim2010
5.8 Sharepoint site collection URL: http://fim2010
5.9 Check Grant authenticated users access to the FIM Portal site
5.10 Check Grant authenticated users access to the FIM Password Reset site

After the installation I successfully entered the portal at http://fim2010/IdentityManagement/default.aspx under the user domain\user1

In Management Policy Rules:

General: Users can read schema related resources = allow
General: Users can read non-administrative configuration resources = allow
User management: Users can read attributes of their own = allow
User management: Users can read selected attributes of other users = allow

In the Synchronization Service Manager configure agents to import users from Active Directory:

1. Management Agents -> Create
2. Name: Sync from Ad
3.1 Forest name: domain.com
3.2 User name: user1
3.3 Domain: domain
4 reported a special OU with a test user in Active Directory
5 Select Object Types - Posted by User
6 Select Attributes - displayName, givenName, objectSid, sAMAccountName, sn

Adding a Run Profile follow these steps: Full Import (Stage Only), Full Synchronization, Export, Delta Import (Stage Only)

The agent has successfully started and finds the test users.

Make a second agent for the FIM:

1. Management Agents -> Create
2. Name: Sync with FIM DB
3.1 Server: fim2010
3.2 Database: FIMService
3.3 FIM Service base address: http://fim2010:5725
3.4 Authentication mode - Windows integrated authentication
3.5 User name: fim2010notify
3.6 Domain: domain
4 Select object type - Added Group and Person
5 Configure object type mappings - Added Group = group, and Person = person
6.1 Configure attribute flow
Data source object type: Person
Metaverse object type: person
Mapping Type: Direct
Flow Direction: Export
DisplayName <- displayName
Domain <- domain
FirstName <- firstName
LastName <- lastName
ObjectSID <- objectSid
6.2 Configure attribute flow
Data source object type: Group
Metaverse object type: group
Mapping Type: Direct
Flow Direction: Export
DisplayName <- displayName
Domain <- domain
ObjectSID <- objectSid

Adding a Run Profile follow these steps: Full Import and Full Synchronization, Export

Under User1 I go to the portal without any problems. Under the test user - error Service Not Available

PowerShell script http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/3ec55d52-df26-4c09-9d92-24716636e460 fails:

Error: Registry configuration and FIM MA configuration for MA account don't match!

Where was I mistaken, and what did I miss?
June 7th, 2010 12:01pm

This topic is archived. No further replies will be accepted.
