The Request contains changes that violate system constraints?
Hi,
I am trying to provision groups into FIM from SQL. I have successfully provisioned users, but the groups are giving me a permissions error I'll post below.
I have run the script to check if the sync account is properly configured and that was successful.
I ran the sync to test the MPRs and it returned that there were "Missing attributes of Synchronization" in the Synchronization account controls group resources it synchronizes. However, I looked at the MPR and those attributes are specified in the "Target Resources". I even changed it to "All Attributes" and the script returned the same results.
The MPR is enabled.
Nothing is reported in the "Search Requests".
Is there another place I am supposed to look to grant permissions to manage the attributes?
Many thanks for any help. I'm stumped.
Sami
There is an error executing a web service object creation request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Fault Reason: Policy prohibits the request from completing.
Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><RequestAdministratorDetails><FailureMessage>The
Request contains changes that violate system constraints.
Exception: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.PreProcessRequestFromAttribute(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromAttribute(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean
isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean
isChildRequest, Guid cause, Boolean doEvaluation)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><RequestFailureSource>SystemConstraint</RequestFailureSource></RequestAdministratorDetails></RequestFailures>
Stack Trace: at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
Inner Exception: Policy prohibits the request from completing.
July 31st, 2010 10:11pm
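Added example, not part of the original posts: a PowerShell function (the name Get-FimRequestFailure is hypothetical) that pulls the RequestFailureSource, the one-line failure summary and the top stack frame out of a fault like the one above. The sample text is abridged from that post's fault, with the stack trace shortened to two frames.

```powershell
# Sample input: abridged from the fault in the post above (two stack frames kept).
$faultText = @'
Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement"><RequestAdministratorDetails><FailureMessage>The Request contains changes that violate system constraints.
Exception: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><RequestFailureSource>SystemConstraint</RequestFailureSource></RequestAdministratorDetails></RequestFailures>
'@

function Get-FimRequestFailure {   # hypothetical helper, not a FIM cmdlet
    param([Parameter(Mandatory)][string]$Text)

    # Cut the XML document out of the surrounding exception text.
    $m = [regex]::Match($Text, '(?s)<RequestFailures\b.*?</RequestFailures>')
    if (-not $m.Success) { throw 'No <RequestFailures> element found in the text.' }

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($m.Value)

    # The elements live in the ResourceManagement default namespace.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('rm', 'http://schemas.microsoft.com/2006/11/ResourceManagement')

    foreach ($d in $doc.SelectNodes('/rm:RequestFailures/rm:RequestAdministratorDetails', $ns)) {
        $msg   = $d.SelectSingleNode('rm:FailureMessage', $ns).InnerText
        # @() keeps this an array even when the message is a single line.
        $lines = @($msg -split "\r?\n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        [pscustomobject]@{
            Source   = $d.SelectSingleNode('rm:RequestFailureSource', $ns).InnerText
            Summary  = $lines[0]
            # Top frame of the server-side trace: where the exception was thrown.
            TopFrame = $lines | Where-Object { $_ -like 'at *' } | Select-Object -First 1
        }
    }
}

Get-FimRequestFailure -Text $faultText | Format-List
```

For the sample above, Source is SystemConstraint and TopFrame is the FilteredResourceActionProcessHelper.DoPreProcessRequest frame.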
Using PowerShell to check your MPR configuration for synchronization.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
August 1st, 2010 12:17am
Hi Sami,
The error is likely because the request being submitted to create the group is attempting to set an attribute that is not permitted by the FIM service, or set a value that is not permitted.
You are creating this group through sync, correct? Can you check the metaverse and see what the properties of the group there are, before it is exported unsuccessfully to the FIM service DB?
Thanks,
Nima
August 1st, 2010 12:56am
Hi Nima,
Correct--I am creating it through sync.
In the metaverse, here's what I see for one of the groups. Do any of these look incorrect?
AccountName: 0041
DisplayName: 0041
Domain: mydomain
Filter: <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[OfficeLocation = ''0041'']</Filter>
MembershipAddWorkflow: None
MembershipLocked: true
Scope: Universal
Type: Security
MVObjectID: {2B4D73A8-E615-4050-A489-2E1020A6121A}
Thank you again for any help. I appreciate it.
Sami
August 1st, 2010 3:51pm
Hi Markus,
I used that tool and it reports the following:
"Missing attributes of Synchronization: Synchronization account controls groups resources it synchronizes:
MVObjectID AccountName Displayname Filter MembershipAddWorkflow MembershipLocked Type Domain Scope ObjectSID"
However, when I look at the Sync Rule in the portal, the following are in the "Action Parameter":
AccountName
ComputedMember
Description
DetectedRulesList
DisplayedOwner
DisplayName
Domain
DomainConfiguration
Email
ExpectedRulesList
ExpirationTime
ExplicitMember
Filter
MailNickname
MembershipAddWorkflow
MembershipLocked
MVObjectID
ObjectSID
Owner
Scope
SIDHistory
Temporal
Type
The sync rule is enabled.
I even tried setting it to "All Attributes" instead of "Specific Attributes" and got the same message.
Am I missing a step somewhere to correct this?
I appreciate any help.
Thank you,
Sami
August 1st, 2010 4:23pm
Something I just noticed. When I run the script to verify the MPR configuration, it reports all of the MPRs listed in the script as missing. However, they are in the portal and I can create users in FIM and AD--just not groups.
It's making me wonder if something could be corrupted somewhere?
Any ideas or help is greatly appreciated.
Many thanks,
Sami
August 2nd, 2010 9:39pm
Thanks to Glenn Zuckerman for helping me with this. It turns out I had an error in the memberFilter attribute, which actually threw the "failed-creation-via-web-services" error with an "object reference not set to an instance of an object" error.
August 3rd, 2010 12:19am