Troubleshooting In FIM portal
Hi All, we have an issue where the user is not able to log in to the FIM portal. We checked the objectSID, Domain and AccountName against AD. All are looking fine, but still the user is not able to log in. What could be the cause of this issue? Thanks in advance, HBB
August 18th, 2011 2:11pm

Does this user also have Display Name populated in the portal? That is required. Thanks, Sami
August 18th, 2011 2:20pm

Yes. DisplayName is also populated for this Person. What might be the cause of this issue? Thanks, HBB
August 18th, 2011 4:53pm

Have you granted "authenticated" users access to the portal during the FIM Portal setup? From the installation guide: On the Configure FIM Service and Portal – Configure security changes configured by setup page, click Grant authenticated users access to the FIM Portal site to grant read permissions on the FIM Portal site.
http://setspn.blogspot.com
August 18th, 2011 6:32pm

Yes. Some users are able to log in to the FIM portal without any issues. Only a few users are facing this problem. Your valuable suggestions will help us to analyse the cause of this issue. Thanks in advance, HBB
August 18th, 2011 6:50pm

What happens when the user tries to log in? Is there any error message displayed? Have you checked that the user is in the Set that grants the user permissions to access the portal? (I think by default it's "All People"?) Thanks, Sami
August 18th, 2011 8:20pm

Hi, "Page cannot be displayed" is displayed when the user tries to log in. Yes, it belongs to that Set. We didn't change any configuration. Thanks in advance, HBB
August 19th, 2011 4:31pm

Is the MPR "User Management: user can read attributes of their own" enabled? Are there any messages in the Event Viewer or in the Request History? Thanks, Sami
August 22nd, 2011 8:19am

Hi, all those MPRs are enabled, and in Event Viewer I don't find any relevant error message for these users. I can see some exceptions like Permission Issue, UnwillingToPerformException - GetCurrentUserFromSecurityIdentifier(). Let me know what is to be done. Thanks in advance, HBB
August 22nd, 2011 1:51pm

Is the "General: Users can read non-administrative configuration resources" MPR enabled as well? And the user definitely has an objectSid (Resource ID) in the FIM Portal, right? The error sounds like the objectSid didn't get imported back to the FIM Portal (http://www.puttyq.com/blog/2010/service-not-available-to-new-fim-portal-users). If the objectSid is definitely on the portal user, were you able to see anything in the request history in the portal? And you checked the FIM event log as well as the general application event log? Thanks, Sami
August 22nd, 2011 1:58pm

Hi, I ran a PowerShell script which fetches the objectSID, AccountName and Domain attributes for a specific user. The result seems to be fine. The MPR is also enabled. All other users are able to log in except a few users. Is there a way to debug this issue? Thanks in advance, HBB
August 22nd, 2011 2:09pm

Have you tried comparing the attributes of a user who can log in to one who can't to see if perhaps something jumps out at you as a discrepancy between the two?
August 22nd, 2011 2:24pm

I compared more than one user. Both are looking the same. I even checked with the AD attributes. Instead of displaying the error message "Page cannot displayed", is there a way to display the original exception in IE? Thanks in advance, HBB
August 22nd, 2011 5:15pm

Have you changed the web.config file to turn off custom errors and enable the stack trace? (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/07/ilm-2-web-portal-shows-an-unexpected-error-has-occured.aspx will show you how.) Thanks, Sami
August 22nd, 2011 7:44pm

This might also help: http://msdn.microsoft.com/en-us/library/ff357802.aspx
August 23rd, 2011 8:54am

Hi, I am still encountering the same type of error:
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException' was thrown.
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUserFromSecurityIdentifier()
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
I ran the PowerShell script to fetch the objectSID, AccountName, Domain and DisplayName. Everything seems to be fine. Please suggest some ideas to fix this issue. Thanks in advance, HBB
August 31st, 2011 5:19pm

Can you copy and paste here the output from the PowerShell for a user that has access to the portal and another user that doesn't have access?
The FIM Password Reset Blog http://blogs.technet.com/aho/
August 31st, 2011 7:07pm

If you are getting a message in the FIM event log that shows a function name similar to GetCurrentUserFromSecurityIdentifier, this typically means that it can't find either the user or the user's SID in the portal. By any chance, do you have multiple AD MAs and, if so, do these objects exist in both? If that is true, you might be using the objectSID from the wrong AD org; I've seen this a few times when a user exists in multiple AD orgs and both are being synced by FIM.
September 1st, 2011 1:50am

Hi All, thanks for your suggestions. We are using a single AD MA to populate the value. I tried to log in to the FIM portal as some users and it worked, but for a few users I am unable to log in. It showed access denied. There is no event logged for these users. The above-mentioned event log is no longer available for these users. What might be the cause of this issue? Please find the sample data from executing the PowerShell script:
ObjectSID:ARKABBBBBAUVAAAAFXkrl+iEQ7BxyFRr8yQCAB== AccountName:Test Domain:test Dispalyname:Test,Sample String SID:S-1-5-21-2535487765-1234567890-12345678910-56784
Waiting for your valuable suggestions. Thanks in advance, HBB
September 1st, 2011 1:20pm

Have you verified against AD to make sure the SID is correct?
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 1st, 2011 3:23pm
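
Added example, not part of the thread and not code from any poster: one way to do the SID check asked about above, and the wrong-domain check raised earlier for multiple AD MAs, by decoding the portal's base64 ObjectSID and comparing it with the AD value in S-1-... form. The function name, parameter names and status values are hypothetical, and the sample SID is constructed.

```powershell
# Added example: names are hypothetical; the sample SID at the bottom is constructed.
function Compare-PortalSidWithAD {
    param(
        [Parameter(Mandatory = $true)] [string] $PortalObjectSidBase64,  # ObjectSID as read from the portal
        [Parameter(Mandatory = $true)] [string] $ADSidString             # objectSid from AD, S-1-... form
    )
    $result = @{ Status = $null; PortalSid = $null; ADSid = $ADSidString; Detail = $null }
    try {
        $bytes     = [Convert]::FromBase64String($PortalObjectSidBase64)
        $portalSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $adSid     = New-Object System.Security.Principal.SecurityIdentifier($ADSidString)
    } catch {
        # Bad base64, a truncated binary SID, or a malformed S-1-... string
        $result.Status = 'Invalid'
        $result.Detail = $_.Exception.Message
        return New-Object PSObject -Property $result
    }
    $result.PortalSid = $portalSid.Value
    if ($portalSid.BinaryLength -ne $bytes.Length) {
        # The constructor stops reading at the end of the SID, so flag leftover bytes
        $result.Status = 'Invalid'
        $result.Detail = "Portal value carries $($bytes.Length - $portalSid.BinaryLength) extra byte(s)"
    } elseif ($portalSid.Equals($adSid)) {
        $result.Status = 'Match'
    } elseif ("$($portalSid.AccountDomainSid)" -ne "$($adSid.AccountDomainSid)") {
        # Same account name, different domain identifier: the SID came from another domain
        $result.Status = 'DomainMismatch'
        $result.Detail = "Portal domain SID: $($portalSid.AccountDomainSid); AD domain SID: $($adSid.AccountDomainSid)"
    } else {
        # Same domain, different RID: the portal object points at another account
        $result.Status = 'RidMismatch'
    }
    return New-Object PSObject -Property $result
}

# Constructed sample: build the base64 form from a made-up SID, then compare it
# with the same account, with another RID, and with another domain.
$sample = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-21-1004336348-1177238915-682003330-1105')
$buffer = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($buffer, 0)
$base64 = [Convert]::ToBase64String($buffer)

Compare-PortalSidWithAD -PortalObjectSidBase64 $base64 -ADSidString 'S-1-5-21-1004336348-1177238915-682003330-1105'
Compare-PortalSidWithAD -PortalObjectSidBase64 $base64 -ADSidString 'S-1-5-21-1004336348-1177238915-682003330-1106'
Compare-PortalSidWithAD -PortalObjectSidBase64 $base64 -ADSidString 'S-1-5-21-2000478354-1708537768-1957994488-1105'
```

A status of Invalid means the stored value is not a well-formed SID at all, which a side-by-side look at two users' attributes would not reveal.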

Yes. I verified once again. The objectSID is the same in FIM and AD. I am unable to access the FIM portal when I log in with those users. But if I log in with some other user on the same machine, I am able to access the FIM portal. It doesn't throw any exception. Any idea is highly appreciated. Thanks in advance, HBB
September 1st, 2011 3:53pm

Can you create a testing MPR that grants everyone full permission on everything? i.e. Principal = Target Before = Target After = ALL OBJECTS. Then check all possible actions and attributes.
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 1st, 2011 3:54pm

No progress. Still facing the same issue. Thanks in advance, HBB
September 1st, 2011 5:54pm

To check if the problem is something to do with set memberships you could write a custom search scope that finds all the sets that the user in question is a member of then go through the permissions for each set. I don't know the search scope exactly but something like Set[ComputedMembers='the loginID of the user in question']
September 2nd, 2011 12:18am

Try this then: http://social.technet.microsoft.com/wiki/contents/articles/how-to-use-powershell-to-fix-an-objectsid-on-an-fim-portal-object.aspx Also check if the SID is being updated or not.
The FIM Password Reset Blog http://blogs.technet.com/aho/
September 2nd, 2011 5:00am

Longshot: Do you have any sync rules that could be changing the user's password or UAC? Might be worth double checking those in AD.
September 2nd, 2011 8:53am

Hi All, thanks a lot. The issue got fixed. Cheers, HBB
September 14th, 2011 1:46pm

Hi HBB, Would you have time to share the resolution please? Might help others in the future. And I'm curious. :) Thanks, Sami
September 14th, 2011 2:10pm

This topic is archived. No further replies will be accepted.
