error exporting to FIM MA
I am using FIM RC1. I have connections to AD and to the FIM MA. I am getting the 'failed-modification-via-web-services' error when I try to export to the FIM MA. I do have a custom attribute that I am trying to export. I have read in other threads that I needed to set 'Allow the synchronization account to control the users it synchronizes' and 'Administrators can read and update users' to cover all attributes, which I have done. However, I am still experiencing the error. Does anyone have any other ideas?
October 24th, 2009 2:18am
Have you looked at this post yet?
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 25th, 2009 5:54am
I did see that post before posting my question. Do you think either of the scripts mentioned will help me? And if so, where can I get the fimma.cmd script? Am I correct in assuming that it is included in a downloadable VHD?
October 26th, 2009 2:22am
The scripts have not been released yet. I'm still working on them.
The question is whether
- your current FIM MA account is the same as the one you have specified during setup
- your FIM MA account has been granted logon locally
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 26th, 2009 3:50pm
You can find the script here.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 27th, 2009 1:31am
I will download the script and run it. I thought I set the FIMMA account up correctly, but we will see. Thanks for posting the script.
October 27th, 2009 7:48pm
Thanks for your help, Markus. Below are the results of the script.

FIM MA Account Test
====================
-Reading registry configuration
-FIM MA account name: VCORPLAB3\fimma-s
-FIM MA account SID : S-1-5-21-2025429265-162531612-682003330-2878031
-Reading MA configuration
-FIM MA account name: vcorplab3\fimma-s
Enter the password for vcorplab3\fimma-s:
Attempting to start cmd /c as user "vcorplab3\fimma-s" ...
Command completed successfully

It seems that the script didn't find any problems with the fimma-s account. Any other ideas?
October 27th, 2009 8:10pm
OK, this eliminates the FIM MA account as the issue. Have you looked at the event log yet? You should find some more details there. Also, when you get a 'failed-modification-via-web-services', you typically also get a type. Is this an access denied?
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 27th, 2009 8:14pm
The export jobs are the only times I see any errors in the Synchronization Service Manager. When I run the export jobs, I don't see any errors in the FIM event log. Occasionally I do see: "Microsoft.ResourceManagement.Service: Procedure: ReRaiseException. Line number: 31. Message: No value was provided for this attribute, for which a value is required: MembershipLocked." in the FIM event log. I'm not sure if that is related. I get the "failed-modification-via-web-services" error for all user objects in AD except for the FIMMA-s account and my admin account. Those two accounts have their data exported successfully.
October 27th, 2009 9:11pm
Hi! Syncing groups to the FIM MA is a bit special; MembershipLocked, for example, is a required attribute you must flow... Have a look at this post... http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/439e87f7-681d-4f63-a1fd-62a47bfb2684 I'm not sure if it applies 100% to RC1 though... //Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
October 27th, 2009 9:18pm
But I'm not doing anything with groups so far. I'm only flowing data for user objects.
October 27th, 2009 11:10pm
Just a thought... //H
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 27th, 2009 11:19pm
Sorry Markus, I didn't see your question about error type. I don't see a type reference on the error in the sync GUI. All it says is "failed-modification-via-web-services", and then if I click the detail button it says "There is an error executing a web service object modification request. Please look in the Forefront Identity Manager eventlog on the FIM Service machine for more information." However, it shows nothing new in the FIM event log. The only thing that it does show in the FIM event log is an information alert that says:

Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 10/27/2009 2:54:42 PM
Event ID: 0
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: **removed**
Description:
<duration stage=Enumerate query="/ManagementPolicyRule" milliseconds=450/>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft.ResourceManagement" />
 <EventID Qualifiers="0">0</EventID>
 <Level>4</Level>
 <Task>0</Task>
 <Keywords>0x80000000000000</Keywords>
 <TimeCreated SystemTime="2009-10-27T21:54:42.000Z" />
 <EventRecordID>376219</EventRecordID>
 <Channel>Forefront Identity Manager</Channel>
 <Computer>**removed**</Computer>
 <Security />
 </System>
 <EventData>
 <Data><duration stage=Enumerate query="/ManagementPolicyRule" milliseconds=450/></Data>
 </EventData>
</Event>
October 28th, 2009 8:07pm
That's a bit odd. In case of missing permissions, you should see an access denied. Just making sure, have you verified that you have enabled the right MPRs?
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 28th, 2009 8:19pm
I did see posts here about enabling certain MPRs. I went through each of the MPRs starting with "Synchronization: Synchronization account..." and enabled it and also set it to all attributes. I also set 'Administrators can read and update users' to cover all attributes as well. However, it didn't seem to fix the issue.
October 28th, 2009 8:44pm
Does anyone have any more ideas on this issue?
November 2nd, 2009 8:27pm
Hi, I had a similar problem and fixed it by creating a new MPR that grants permission for the sync service account to modify all attributes of all objects. There is an MPR that I expect is intended to control this ("Synchronization account controls users it synchronizes", or something like that), but it was simpler for me to grant all as I have a lot of new objects and attributes.
Steve Mitchell
Technical Director - Oxford Computer Group
November 3rd, 2009 2:23pm
Thanks for the idea. I did create a new MPR granting permission to all attributes of all objects to the sync account; unfortunately, I'm still getting the error message. This issue does seem like a permission issue to me, but now the sync account has rights to everything, so I'm at a bit of a loss.
November 4th, 2009 8:40pm
Let's see if this can help shedding some light on this... Could you please post the outcome of the script?
Cheers, Markus
#--------------------------------------------------------------------------------------------------------------------------
function ShowResults([ref]$bActionItem, $lstAttributes, $msgMissing)
{
if($lstAttributes.length -eq 0) {return}
$bActionItem.value = $true
write-host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow
foreach($attributeName in $lstAttributes) {write-host " -$attributeName"}
}
#---------------------------------------------------------------------------------------------------------------------------------------------------------
set-variable -name nodeHead -value "ResourceManagementObject[ObjectType='ManagementPolicyRule' " -option constant
set-variable -name nodeBody -value "ResourceManagementAttributes/ResourceManagementAttribute" -option constant
set-variable -name nodeTail -value "export-flow[direct-mapping]/@cd-attribute" -option constant
set-variable -name attrDisabled -value "[AttributeName='Disabled']/Value" -option constant
set-variable -name flowHead -value "ResourceManagementObject[ObjectType='ma-data']" -option constant
set-variable -name eafAttrName -value "AttributeName='SyncConfig-export-attribute-flow'" -option constant
set-variable -name msgWarning -value "Caution: Your current MPR configuration requires your attention!"
set-variable -name msgOK -value "Your current MPR configuration meets all requirements"
#--------------------------------------------------------------------------------------------------------------------------
write-host "`nFIM MPR Configuration For Synchronization Check"
write-host "==============================================="
#--------------------------------------------------------------------------------------------------------------------------
$curFolder = Split-Path -Parent $MyInvocation.MyCommand.Path
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
#--------------------------------------------------------------------------------------------------------------------------
$maDataFile = "$curFolder\MAData.xml"
$data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data[SyncConfig-category='FIM']")
if($data -eq $null) {throw "There is no FIM MA configured on your system!"}
$data | convertfrom-fimresource -file $maDataFile
[xml]$xmlMAData = get-content $maDataFile
[xml]$xmlFlow = "<Root>" + $xmlMAData.selectSingleNode("//$flowHead/$nodeBody[$eafAttrName]/Value").get_InnerText() + "</Root>"
$userFlowPath = "//export-flow-set[@cd-object-type='Person' and @mv-object-type='person']/export-flow[direct-mapping]/@cd-attribute"
$groupFlowPath = "//export-flow-set[@cd-object-type='Group' and @mv-object-type='group']/export-flow[direct-mapping]/@cd-attribute"
if($xmlFlow.selectNodes($userFlowPath).get_count() -eq 0) {throw "There are no export attribute flows for the object type person configured"}
$bHasGroups = $xmlFlow.selectNodes($groupFlowPath).get_count() -gt 0
#---------------------------------------------------------------------------------------------------------------------------------------------------------
$mprDataFile = "$curFolder\MPRData.xml"
$data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ManagementPolicyRule")
if($data -eq $null) {throw "The are no objects with this object type configured on your FIM server"}
$data | convertfrom-fimresource -file $mprDataFile
$mprNames = @()
$mprNames += "General: Users can read schema related resources"
$mprNames += "General: Users can read non-administrative configuration resources"
$mprNames += "User management: Users can read attributes of their own"
$mprNames += "Synchronization: Synchronization account can delete and update expected rule entry resources"
$mprNames += "Synchronization: Synchronization account can read schema related resources"
$mprNames += "Synchronization: Synchronization account can read synchronization related resources"
$mprNames += "Synchronization: Synchronization account can read users it synchronizes"
$mprNames += "Synchronization: Synchronization account controls detected rule entry resources"
$mprNames += "Synchronization: Synchronization account controls synchronization configuration resources"
$mprNames += "Synchronization: Synchronization account controls users it synchronizes"
if($bHasGroups -eq $true)
{
$mprNames += "Synchronization: Synchronization account can read group resources it synchronizes"
$mprNames += "Synchronization: Synchronization account controls group resources it synchronizes"
$mprNames += "Security group management: Owners can read selected attributes of group resources"
$mprNames += "Security group management: Owners can update and delete groups they own"
$mprNames += "Security group management: Users can add or remove any member of groups subject to owner approval"
$mprNames += "Security group management: Users can create group resources"
$mprNames += "Security group management: Users can read selected attributes of group resources"
$mprNames += "Security groups: Users can add and remove members to open groups"
}
$bActionItem = $false
$disabledMPRs = @()
$missingMPRs = @()
[xml]$mprDoc = get-content $mprDataFile
foreach($mprName in $mprNames)
{
$curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$mprName']]")
if($curMprNode -eq $null) {$missingMPRs += $mprName}
else {if($curMprNode.selectSingleNode("$nodeBody$attrDisabled").get_InnerText() -eq "True") {$disabledMPRs += $mprName}}
}
ShowResults ([ref]$bActionItem) $missingMPRs "Missing MPRs:"
ShowResults ([ref]$bActionItem) $disabledMPRs "MPRs that need to be enabled:"
#---------------------------------------------------------------------------------------------------------------------------------------------------------
$dataList = @()
if(!($missingMPRs -contains "Synchronization: Synchronization account controls users it synchronizes"))
{$dataList += "Synchronization: Synchronization account controls users it synchronizes|Person|person"}
if($bHasGroups -eq $true)
{
if(!($missingMPRs -contains "Synchronization: Synchronization account controls group resources it synchronizes"))
{$dataList += "Synchronization: Synchronization account controls group resources it synchronizes|Group|group"}
}
foreach($dataItem in $dataList)
{
$a = $dataItem.split("|")
$missingAttributes = @()
$maAttributes = @()
foreach($attrName in $xmlFlow.selectNodes("//export-flow-set[@cd-object-type='$($a[1])' and @mv-object-type='$($a[2])']/$nodeTail"))
{$maAttributes += $attrName.get_InnerText()}
$mprAttributes = @()
$curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$($a[0])']]")
foreach($attrName in $curMprNode.selectNodes("$nodeBody[AttributeName='ActionParameter']/Values/string"))
{$mprAttributes += $attrName.get_InnerText()}
foreach($curAttribute in $maAttributes) {if(!($mprAttributes -contains $curAttribute)) {$missingAttributes += $curAttribute}}
ShowResults ([ref]$bActionItem) $missingAttributes "Missing Resource Attributes on MPR $($a[0])"
}
#---------------------------------------------------------------------------------------------------------------------------------------------------------
if($bActionItem -eq $true) {write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue}
else {write-host "`n$msgOK"}
if(test-path $mprDataFile) {remove-item $mprDataFile}
if(test-path $maDataFile) {remove-item $maDataFile}
write-host "`nCommand completed successfully`n"
#---------------------------------------------------------------------------------------------------------------------------------------------------------
trap
{
Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
if(test-path $mprDataFile) {remove-item $mprDataFile}
if(test-path $maDataFile) {remove-item $maDataFile}
Exit
}
#---------------------------------------------------------------------------------------------------------------------------------------------------------
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 4th, 2009 9:20pm
Well, I'm not sure if I need to tweak something in the script to customize it for my environment or not, but here is the result.

FIM MPR Configuration For Synchronization Check
===============================================
Error: There is no FIM MA configured on your system!

I do have a FIM MA, named 'FIM MA'. So maybe the script has detected something wrong. What does it mean when the script doesn't detect the FIM MA?
November 6th, 2009 8:36pm
There is nothing you need to tweak. What is the outcome of the script code below? You might see a lot of warnings - you can ignore them!
Cheers, Markus
#--------------------------------------------------------------------------------------------------------------------------------------------
$curFolder = Split-Path -Parent $MyInvocation.MyCommand.Path
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
$maDataFile = "$curFolder\MAData.xml"
$data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data")
if($data -eq $null) {throw "There is no MA configured on your system!"}
$data | convertfrom-fimresource -file $maDataFile
[xml]$xmlMAData = get-content $maDataFile
#--------------------------------------------------------------------------------------------------------------------------------------------
clear-host
write-host "`nFIM Management Agent Configuration"
write-host "=================================="
foreach($ma in $xmlMAData.selectNodes("//ExportObject/ResourceManagementObject/ResourceManagementAttributes"))
{
write-host "Name: " $ma.selectSingleNode("ResourceManagementAttribute[AttributeName='DisplayName']/Value").get_InnerText()
write-host "Type: " $ma.selectSingleNode("ResourceManagementAttribute[AttributeName='SyncConfig-category']/Value").get_InnerText() "`n"
}
if(test-path $maDataFile) {remove-item $maDataFile}
write-host "`nCommand completed successfully`n"
#--------------------------------------------------------------------------------------------------------------------------------------------
trap
{
Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
if(test-path $maDataFile) {remove-item $maDataFile}
Exit
}
#--------------------------------------------------------------------------------------------------------------------------------------------
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 6th, 2009 9:13pm
Hmm, it says:
Error: There is no MA configured on your system!
So, it seems I have done something wrong in the configuration of the MA. What info can I give you to help?
November 6th, 2009 10:49pm
The MA is functional. I can import & sync just fine. It's just the FIM MA export that isn't working.
November 6th, 2009 11:03pm
Apparently, there is something wrong with your system. Try this script. What happens when you try to configure an outbound synchronization rule? When you create a new synchronization rule, you just need to do this up to the Scope tab. Are your MAs listed under "External System"?
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 6th, 2009 11:12pm
It shows both of my MAs:

Configured Management Agents
============================
Name : AD MA
Type : Active Directory
Guid : {D523DFE6-8E50-491C-AE2F-D06296057A51}

Name : FIM MA
Type : Forefront Identity Management (FIM)
Guid : {C5E26489-BA38-4AE3-AFF6-D28D9281279E}

In the previous script, am I supposed to be running that from a certain folder? It looks like it is looking for a file called madata.xml.
November 7th, 2009 1:28am
When I try to configure a new outbound sync rule, my MAs do not show up under 'External System'.
November 7th, 2009 1:33am
The first script (that doesn't show the MAs) requests the information from the FIM Service. The second script (that does show the MAs) requests the information from the synchronization engine. There is something broken in the internal replication chain between the synchronization engine and the FIM Service. I don't think that this will really fix your issue; however, as a quick test, you could export one of the MAs in the Synchronization Service Manager. This triggers replication between the synchronization engine and the FIM Service. As long as the first script doesn't show the MAs, your system is inoperable! The question is whether it makes sense to put time into trying to fix this, since this can be a pretty time-consuming task on a forum. If this is just a lab environment, you are probably better off reinstalling FIM. Has this ever worked - have you ever been able to configure a synchronization rule? If so, there must be a reason why it doesn't work anymore. Have you looked at the event log yet?
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 7th, 2009 1:52am
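The post above says the two scripts ask different components (the FIM Service via Export-FIMConfig, the synchronization engine via its own store) and that a mismatch means the replication chain between them is broken. The following script is an added example, not code from the thread or from Microsoft: it collects the MA names from both sides and reports any MA the sync engine has but the FIM Service does not. It assumes the MIIS_ManagementAgent WMI class in the root\MicrosoftIdentityIntegrationServer namespace exposes the sync engine's MAs, that the FIMAutomation snap-in is installed, and that Export-FIMConfig returns ma-data objects whose DisplayName attribute is the MA name; the function names and the sample MA list are my own.

```powershell
# Added example (not from the thread): compare the MAs the synchronization
# engine knows about with the ma-data objects the FIM Service has received.
# Assumptions: MIIS_ManagementAgent WMI class (sync engine side) and the
# FIMAutomation snap-in with Export-FIMConfig (FIM Service side) are present.

function Get-SyncEngineMANames {
    # Sync engine view: one MIIS_ManagementAgent instance per configured MA.
    Get-WmiObject -Namespace "root\MicrosoftIdentityIntegrationServer" -Class "MIIS_ManagementAgent" |
        ForEach-Object { $_.Name }
}

function Get-FimServiceMANames {
    param([string]$Uri = "http://localhost:5725/resourcemanagementservice")
    # FIM Service view: ma-data resources replicated from the sync engine.
    if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }
    $objects = @(Export-FIMConfig -Uri $Uri -CustomConfig "ma-data")
    foreach ($obj in $objects) {
        $attr = $obj.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq "DisplayName" }
        if ($attr) { $attr.Value }
    }
}

function Compare-MAViews {
    param([string[]]$SyncEngineNames, [string[]]$FimServiceNames)
    # Pure comparison: one object per MA name, flagged with the side(s) that see it.
    $all = @(@($SyncEngineNames) + @($FimServiceNames)) | Sort-Object -Unique
    foreach ($name in $all) {
        New-Object PSObject -Property @{
            Name         = $name
            InSyncEngine = [bool](@($SyncEngineNames) -contains $name)
            InFimService = [bool](@($FimServiceNames) -contains $name)
        }
    }
}

# Constructed sample input mirroring the thread: the sync engine lists both MAs,
# the FIM Service has received none of them. This part runs on any machine.
$sample = Compare-MAViews -SyncEngineNames @("AD MA", "FIM MA") -FimServiceNames @()
$sample | Format-Table Name, InSyncEngine, InFimService -AutoSize

# Live check, only meaningful on a FIM server: run the script with -Live.
if ($args -contains "-Live") {
    $live = Compare-MAViews -SyncEngineNames @(Get-SyncEngineMANames) -FimServiceNames @(Get-FimServiceMANames)
    $missing = @($live | Where-Object { $_.InSyncEngine -and -not $_.InFimService })
    if ($missing.Count -gt 0) {
        Write-Host "MAs present in the sync engine but not replicated to the FIM Service:"
        $missing | ForEach-Object { Write-Host " - $($_.Name)" }
    }
    else { Write-Host "Every MA in the sync engine is visible to the FIM Service" }
}
```

With the constructed input both rows come back with InSyncEngine set and InFimService cleared, which is the state the thread describes. On a live system an empty "missing" list after exporting an MA from the Synchronization Service Manager would confirm that the replication the post mentions has caught up.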
No, you don't need to run this script from a specific folder. Please see my other response...
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 7th, 2009 1:53am
One thing in common between the scripts Markus has provided and what the MA tries to do on export is that they both call the web service. In the case of the script, the call to the web service is failing and telling you that there is no FIM MA configured when you clearly do have one. Export is failing as well. Export uses the web service. Have you checked the FIM Service WCF traces and fusion logs to see if there are any errors on the web service side?
AhmadAW
November 10th, 2009 9:34pm
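Several replies in this thread point at the FIM Service event log, and the one entry quoted earlier carries its detail after a "Message:" prefix. The snippet below is an added example, not code from the thread: it pulls error-level events from the "Forefront Identity Manager" log for a chosen time window and groups them by that message text, so repeated failures during an export run stand out. It assumes Get-WinEvent is available and that the log name is as shown in the thread; the function names and the constructed sample entries are my own.

```powershell
# Added example (not from the thread): summarise FIM Service error events
# by their "Message:" text. Assumes the "Forefront Identity Manager" log
# name seen earlier in the thread and a Windows with Get-WinEvent.

function ConvertTo-FimErrorSummary {
    param([string]$Text)
    # Keep the part after "Message:" when present, otherwise the first line.
    if ($Text -match "Message:\s*(.+)") { return $matches[1].Trim() }
    return (($Text -split "`n")[0]).Trim()
}

function Get-FimServiceErrors {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Level 2 = Error. Returns Time/Message objects, newest first as the log yields them.
    $events = Get-WinEvent -FilterHashtable @{ LogName = "Forefront Identity Manager"; Level = 2; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        New-Object PSObject -Property @{ Time = $e.TimeCreated; Message = (ConvertTo-FimErrorSummary $e.Message) }
    }
}

function Group-FimErrors {
    param($Errors)
    # Count identical messages so the most frequent failure is listed first.
    @($Errors) | Group-Object Message | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample entries in the same shape the service writes (not real log data).
$sampleErrors = @(
    (New-Object PSObject -Property @{ Time = Get-Date; Message = (ConvertTo-FimErrorSummary "Microsoft.ResourceManagement.Service: Procedure: ReRaiseException. Line number: 31. Message: No value was provided for this attribute, for which a value is required: MembershipLocked.") }),
    (New-Object PSObject -Property @{ Time = Get-Date; Message = (ConvertTo-FimErrorSummary "Microsoft.ResourceManagement.Service: Procedure: ReRaiseException. Line number: 31. Message: No value was provided for this attribute, for which a value is required: MembershipLocked.") }),
    (New-Object PSObject -Property @{ Time = Get-Date; Message = (ConvertTo-FimErrorSummary "Some other failure text without the prefix`nsecond line") })
)
Group-FimErrors $sampleErrors | Format-Table -AutoSize

# On a FIM Service machine, summarise the last two hours of real errors:
if ($args -contains "-Live") { Group-FimErrors (Get-FimServiceErrors -Since (Get-Date).AddHours(-2)) | Format-Table -AutoSize }
```

Run it just before and just after an export so the window covers the run; a message that appears once per failed object is the one to chase, while a single entry unrelated to the export timing is probably the noise the thread already saw.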
When the portal fails to see the MA, I've solved it by fixing permissions for the FIM MA account. IIRC you can run the FIM Service setup in 'repair mode' to have it re-apply the permissions to the FIM MA account.
Craig Martin
Oxford Computer Group http://identitytrench.com
November 10th, 2009 9:35pm