error exporting to FIM MA
I am using FIM RC1. I have connections to AD and to the FIM MA. I am getting the 'failed-modification-via-web-services' error when I try to export to the FIM MA. I do have a custom attribute that I am trying to export. I have read in other threads that I needed to set 'Synchronization account controls users it synchronizes' and 'Administrators can read and update users' to cover all attributes, which I have done. However, I am still experiencing the error. Does anyone have any other ideas?
October 24th, 2009 2:18am

Have you looked at this post yet?

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 25th, 2009 5:54am

I did see that post before posting my question. Do you think either of the scripts mentioned will help me? And if so, where can I get the fimma.cmd script? Am I correct in assuming that it is included in a downloadable VHD?
October 26th, 2009 2:22am

The scripts have not been released yet. I'm still working on them. The questions are whether your current FIM MA account is the same as the one you specified during setup, and whether your FIM MA account has been granted 'log on locally'.

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 26th, 2009 3:50pm

You can find the script here.

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 27th, 2009 1:31am

I will download the script and run it. I thought I set the FIMMA account up correctly, but we will see. Thanks for posting the script.
October 27th, 2009 7:48pm

Thanks for your help, Markus. Below are the results of the script.

FIM MA Account Test
====================
- Reading registry configuration
- FIM MA account name: VCORPLAB3\fimma-s
- FIM MA account SID : S-1-5-21-2025429265-162531612-682003330-2878031
- Reading MA configuration
- FIM MA account name: vcorplab3\fimma-s
Enter the password for vcorplab3\fimma-s:
Attempting to start cmd /c as user "vcorplab3\fimma-s" ...
Command completed successfully

It seems that the script didn't find any problems with the fimma-s account. Any other ideas?
October 27th, 2009 8:10pm

OK, this eliminates the FIM MA account as the issue. Have you looked at the event log yet? You should find some more details there. Also, when you get a 'failed-modification-via-web-services', you typically also get a type. Is this an access denied?

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 27th, 2009 8:14pm

The export jobs are the only times I see any errors in the Synchronization Service Manager. When I run the export jobs, I don't see any errors in the FIM event log. Occasionally I do see "Microsoft.ResourceManagement.Service: Procedure: ReRaiseException. Line number: 31. Message: No value was provided for this attribute, for which a value is required: MembershipLocked." in the FIM event log. I'm not sure if that is related. I get the "failed-modification-via-web-services" error for all user objects in AD except for the FIMMA-s account and my admin account. Those two accounts have their data exported successfully.
October 27th, 2009 9:11pm

Hi! Syncing groups to the FIM MA is a bit special; MembershipLocked, for example, is a required attribute you must flow ... Have a look at this post... http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/439e87f7-681d-4f63-a1fd-62a47bfb2684 I'm not sure if it applies 100% to RC1 though...

//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
October 27th, 2009 9:18pm

But I'm not doing anything with groups so far. I'm only flowing data for user objects.
October 27th, 2009 11:10pm

Just a thought...

//H
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
October 27th, 2009 11:19pm

Sorry Markus, I didn't see your question about the error type. I don't see a type reference on the error in the sync GUI. All it says is "failed-modification-via-web-services", and then if I click the detail button it says "There is an error executing a web service object modification request. Please look in the Forefront Identity Manager eventlog on the FIM Service machine for more information." However, it shows nothing new in the FIM event log. The only thing that it does show in the FIM event log is an information alert that says:

Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 10/27/2009 2:54:42 PM
Event ID: 0
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: **removed**
Description:
<duration stage=Enumerate query="/ManagementPolicyRule" milliseconds=450/>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-10-27T21:54:42.000Z" />
    <EventRecordID>376219</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>**removed**</Computer>
    <Security />
  </System>
  <EventData>
    <Data>&lt;duration stage=Enumerate query="/ManagementPolicyRule" milliseconds=450/&gt;</Data>
  </EventData>
</Event>
October 28th, 2009 8:07pm

That's a bit odd. In case of missing permissions, you should see an access denied. Just making sure, have you verified that you have enabled the right MPRs?

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
October 28th, 2009 8:19pm

I did see posts here about enabling certain MPRs. I went through each of the MPRs starting with 'Synchronization: Synchronization account*', enabled it and also set it to all attributes. I also set 'Administrators can read and update users' to cover all attributes as well. However, it didn't seem to fix the issue.
October 28th, 2009 8:44pm

Does anyone have any more ideas on this issue?
November 2nd, 2009 8:27pm

Hi, I had a similar problem and fixed it by creating a new MPR that grants permission for the sync service account to modify all attributes of all objects. There is an MPR that I expect is intended to control this ('Synchronization account controls users it synchronizes', or something like that), but it was simpler for me to grant all as I have a lot of new objects and attributes.

Steve Mitchell Technical Director - Oxford Computer Group
November 3rd, 2009 2:23pm

Thanks for the idea. I did create a new MPR granting permission to all attributes of all objects to the sync account; unfortunately, I'm still getting the error message. This issue does seem like a permission issue to me, but now the sync account has rights to everything, so I'm at a bit of a loss.
November 4th, 2009 8:40pm

Let's see if this can help shed some light on this... Could you please post the outcome of the script?

Cheers, Markus

#--------------------------------------------------------------------------------------------------------------------------
# Reports MPRs that are missing or disabled, and export-flow attributes not covered by the
# synchronization account's MPR. Reads the FIM MA and MPR configuration through the FIM Service.
function ShowResults([ref]$bActionItem, $lstAttributes, $msgMissing)
{
    if($lstAttributes.length -eq 0) {return}
    $bActionItem.value = $true
    write-host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow
    foreach($attributeName in $lstAttributes) {write-host " -$attributeName"}
}
#--------------------------------------------------------------------------------------------------------------------------
set-variable -name nodeHead -value "ResourceManagementObject[ObjectType='ManagementPolicyRule' " -option constant
set-variable -name nodeBody -value "ResourceManagementAttributes/ResourceManagementAttribute" -option constant
set-variable -name nodeTail -value "export-flow[direct-mapping]/@cd-attribute" -option constant
set-variable -name attrDisabled -value "[AttributeName='Disabled']/Value" -option constant
set-variable -name flowHead -value "ResourceManagementObject[ObjectType='ma-data']" -option constant
set-variable -name eafAttrName -value "AttributeName='SyncConfig-export-attribute-flow'" -option constant
set-variable -name msgWarning -value "Caution: Your current MPR configuration requires your attention!"
set-variable -name msgOK -value "Your current MPR configuration meets all requirements"
#--------------------------------------------------------------------------------------------------------------------------
write-host "`nFIM MPR Configuration For Synchronization Check"
write-host "==============================================="
#--------------------------------------------------------------------------------------------------------------------------
$curFolder = Split-Path -Parent $MyInvocation.MyCommand.Path
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
#--------------------------------------------------------------------------------------------------------------------------
# Export the FIM MA (ma-data) resource and pull its export attribute flow XML out of it.
$maDataFile = "$curFolder\MAData.xml"
$data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data[SyncConfig-category='FIM']")
if($data -eq $null) {throw "There is no FIM MA configured on your system!"}
$data | convertfrom-fimresource -file $maDataFile
[xml]$xmlMAData = get-content $maDataFile
[xml]$xmlFlow = "<Root>" + $xmlMAData.selectSingleNode("//$flowHead/$nodeBody[$eafAttrName]/Value").get_InnerText() + "</Root>"
$userFlowPath = "//export-flow-set[@cd-object-type='Person' and @mv-object-type='person']/export-flow[direct-mapping]/@cd-attribute"
$groupFlowPath = "//export-flow-set[@cd-object-type='Group' and @mv-object-type='group']/export-flow[direct-mapping]/@cd-attribute"
if($xmlFlow.selectNodes($userFlowPath).get_count() -eq 0) {throw "There are no export attribute flows for the object type person configured"}
$bHasGroups = $xmlFlow.selectNodes($groupFlowPath).get_count() -gt 0
#--------------------------------------------------------------------------------------------------------------------------
# Export all MPRs and check that the ones synchronization depends on exist and are enabled.
$mprDataFile = "$curFolder\MPRData.xml"
$data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ManagementPolicyRule")
if($data -eq $null) {throw "There are no objects with this object type configured on your FIM server"}
$data | convertfrom-fimresource -file $mprDataFile
$mprNames = @()
$mprNames += "General: Users can read schema related resources"
$mprNames += "General: Users can read non-administrative configuration resources"
$mprNames += "User management: Users can read attributes of their own"
$mprNames += "Synchronization: Synchronization account can delete and update expected rule entry resources"
$mprNames += "Synchronization: Synchronization account can read schema related resources"
$mprNames += "Synchronization: Synchronization account can read synchronization related resources"
$mprNames += "Synchronization: Synchronization account can read users it synchronizes"
$mprNames += "Synchronization: Synchronization account controls detected rule entry resources"
$mprNames += "Synchronization: Synchronization account controls synchronization configuration resources"
$mprNames += "Synchronization: Synchronization account controls users it synchronizes"
if($bHasGroups -eq $true)
{
    $mprNames += "Synchronization: Synchronization account can read group resources it synchronizes"
    $mprNames += "Synchronization: Synchronization account controls group resources it synchronizes"
    $mprNames += "Security group management: Owners can read selected attributes of group resources"
    $mprNames += "Security group management: Owners can update and delete groups they own"
    $mprNames += "Security group management: Users can add or remove any member of groups subject to owner approval"
    $mprNames += "Security group management: Users can create group resources"
    $mprNames += "Security group management: Users can read selected attributes of group resources"
    $mprNames += "Security groups: Users can add and remove members to open groups"
}
$bActionItem = $false
$disabledMPRs = @()
$missingMPRs = @()
[xml]$mprDoc = get-content $mprDataFile
foreach($mprName in $mprNames)
{
    $curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$mprName']]")
    if($curMprNode -eq $null) {$missingMPRs += $mprName}
    else {if($curMprNode.selectSingleNode("$nodeBody$attrDisabled").get_InnerText() -eq "True") {$disabledMPRs += $mprName}}
}
ShowResults ([ref]$bActionItem) $missingMPRs "Missing MPRs:"
ShowResults ([ref]$bActionItem) $disabledMPRs "MPRs that need to be enabled:"
#--------------------------------------------------------------------------------------------------------------------------
# For each 'controls ... it synchronizes' MPR, compare the attributes in the MA's export flows
# against the attributes listed in the MPR's ActionParameter.
$dataList = @()
if(!($missingMPRs -contains "Synchronization: Synchronization account controls users it synchronizes")) {$dataList += "Synchronization: Synchronization account controls users it synchronizes|Person|person"}
if($bHasGroups -eq $true)
{
    if(!($missingMPRs -contains "Synchronization: Synchronization account controls group resources it synchronizes")) {$dataList += "Synchronization: Synchronization account controls group resources it synchronizes|Group|group"}
}
foreach($dataItem in $dataList)
{
    $a = $dataItem.split("|")
    $missingAttributes = @()
    $maAttributes = @()
    foreach($attrName in $xmlFlow.selectNodes("//export-flow-set[@cd-object-type='$($a[1])' and @mv-object-type='$($a[2])']/$nodeTail")) {$maAttributes += $attrName.get_InnerText()}
    $mprAttributes = @()
    $curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$($a[0])']]")
    foreach($attrName in $curMprNode.selectNodes("$nodeBody[AttributeName='ActionParameter']/Values/string")) {$mprAttributes += $attrName.get_InnerText()}
    # An MPR set to "All Attributes" carries "*" as its ActionParameter; treat that as covering every flow attribute.
    if(!($mprAttributes -contains "*"))
    {
        foreach($curAttribute in $maAttributes) {if(!($mprAttributes -contains $curAttribute)) {$missingAttributes += $curAttribute}}
    }
    ShowResults ([ref]$bActionItem) $missingAttributes "Missing Resource Attributes on MPR $($a[0])"
}
#--------------------------------------------------------------------------------------------------------------------------
if($bActionItem -eq $true) {write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue} else {write-host "`n$msgOK"}
if(test-path $mprDataFile) {remove-item $mprDataFile}
if(test-path $maDataFile) {remove-item $maDataFile}
write-host "`nCommand completed successfully`n"
#--------------------------------------------------------------------------------------------------------------------------
trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    if(test-path $mprDataFile) {remove-item $mprDataFile}
    if(test-path $maDataFile) {remove-item $maDataFile}
    Exit
}
#--------------------------------------------------------------------------------------------------------------------------

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 4th, 2009 9:20pm

Well, I'm not sure if I need to tweak something in the script to customize it for my environment or not, but here is the result.

FIM MPR Configuration For Synchronization Check
===============================================
Error: There is no FIM MA configured on your system!

I do have a FIM MA, named 'FIM MA'. So maybe the script has detected something wrong. What does it mean when the script doesn't detect the FIM MA?
November 6th, 2009 8:36pm

There is nothing you need to tweak. What is the outcome of the script code below? You might see a lot of warnings - you can ignore them!

Cheers, Markus

#--------------------------------------------------------------------------------------------------------------------------
# Lists every MA (ma-data resource) as seen by the FIM Service.
$curFolder = Split-Path -Parent $MyInvocation.MyCommand.Path
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
$maDataFile = "$curFolder\MAData.xml"
$data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data")
if($data -eq $null) {throw "There is no MA configured on your system!"}
$data | convertfrom-fimresource -file $maDataFile
[xml]$xmlMAData = get-content $maDataFile
#--------------------------------------------------------------------------------------------------------------------------
clear-host
write-host "`nFIM Management Agent Configuration"
write-host "=================================="
foreach($ma in $xmlMAData.selectNodes("//ExportObject/ResourceManagementObject/ResourceManagementAttributes"))
{
    write-host "Name: " $ma.selectSingleNode("ResourceManagementAttribute[AttributeName='DisplayName']/Value").get_InnerText()
    write-host "Type: " $ma.selectSingleNode("ResourceManagementAttribute[AttributeName='SyncConfig-category']/Value").get_InnerText() "`n"
}
if(test-path $maDataFile) {remove-item $maDataFile}
write-host "`nCommand completed successfully`n"
#--------------------------------------------------------------------------------------------------------------------------
trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    if(test-path $maDataFile) {remove-item $maDataFile}
    Exit
}
#--------------------------------------------------------------------------------------------------------------------------

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 6th, 2009 9:13pm

Hmm, it says:

Error: There is no MA configured on your system!

So, it seems I have done something wrong in the configuration of the MA. What info can I give you to help?
November 6th, 2009 10:49pm

The MA is functional. I can import and sync just fine. It's just the FIM MA export that isn't working.
November 6th, 2009 11:03pm

Apparently, there is something wrong with your system. Try this script. What happens when you try to configure an outbound synchronization rule? When you create a new synchronization rule, you just need to go up to the Scope tab. Are your MAs listed under "External System"?

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 6th, 2009 11:12pm

It shows both of my MAs:

Configured Management Agents
============================
Name : AD MA
Type : Active Directory
Guid : {D523DFE6-8E50-491C-AE2F-D06296057A51}

Name : FIM MA
Type : Forefront Identity Management (FIM)
Guid : {C5E26489-BA38-4AE3-AFF6-D28D9281279E}

In the previous script, am I supposed to be running that from a certain folder? It looks like it is looking for a file called madata.xml.
November 7th, 2009 1:28am

When I try to configure a new outbound sync rule, my MAs do not show up under 'External System'.
November 7th, 2009 1:33am

The first script (that doesn't show the MAs) requests the information from the FIM Service. The second script (that does show the MAs) requests the information from the synchronization engine. There is something broken in the internal replication chain between the synchronization engine and the FIM Service.

I don't think that this will really fix your issue; however, as a quick test, you could export one of the MAs in the Synchronization Service Manager. This triggers replication between the synchronization engine and the FIM Service. As long as the first script doesn't show the MAs, your system is inoperable!

The question is whether it makes sense to put time into trying to fix this, since on a forum this can be a pretty time-consuming task. If this is just a lab environment, you are probably better off reinstalling FIM. Has this ever worked - have you ever been able to configure a synchronization rule? If so, there must be a reason why it doesn't work anymore. Have you looked at the event log yet?

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 7th, 2009 1:52am
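The two views Markus contrasts above can be put side by side in one script. The following is an added example and not code from this thread or from Microsoft: it reads the MA list from the synchronization engine's WMI provider and the ma-data resources from the FIM Service web service, then reports any MA the service does not know about, which is the replication gap described in the post. It assumes it runs on the synchronization server as an account allowed to read the sync engine's WMI namespace and to call the FIM Service, that the FIMAutomation snap-in is installed, and that the service listens on the default URI. The ma-data attribute names it reads (DisplayName, SyncConfig-category) are the ones Markus's scripts query; MAs are matched by display name because the thread does not show which ma-data attribute carries the MA GUID.

```powershell
# Added example (not from the original thread). Compares the synchronization
# engine's MA list with the ma-data resources held by the FIM Service.
# Assumptions: run on the sync server with rights to both sides, FIMAutomation
# snap-in installed, FIM Service on the default URI. Written for PowerShell 2.0.

$fimServiceUri = "http://localhost:5725/resourcemanagementservice"

if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}

# View 1: what the synchronization engine knows, via its WMI provider.
$syncMAs = @(Get-WmiObject -Namespace "root\MicrosoftIdentityIntegrationServer" `
                           -Class MIIS_ManagementAgent |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name = $_.Name
            Type = $_.Type
            Guid = $_.Guid
        }
    })

# Returns attribute $name of an exported FIM resource (single- or multi-valued).
function Get-FimAttributeValue($resource, [string]$name) {
    $attr = $resource.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($attr -eq $null) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values }
    return $attr.Value
}

# View 2: what the FIM Service knows. These ma-data resources are what the
# portal lists under 'External System' when you build a synchronization rule.
$serviceMAs = @(Export-FIMConfig -Uri $fimServiceUri -CustomConfig ("ma-data") -OnlyBaseResources |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name = Get-FimAttributeValue $_.ResourceManagementObject "DisplayName"
            Type = Get-FimAttributeValue $_.ResourceManagementObject "SyncConfig-category"
        }
    })

Write-Host "`nSynchronization engine MAs"
Write-Host "=========================="
$syncMAs | Format-Table Name, Type, Guid -AutoSize | Out-String | Write-Host

Write-Host "FIM Service ma-data resources"
Write-Host "============================="
if ($serviceMAs.Count -eq 0) { Write-Host "(none)`n" }
else { $serviceMAs | Format-Table Name, Type -AutoSize | Out-String | Write-Host }

# Anything the engine has but the service lacks has not been replicated.
$serviceNames = @($serviceMAs | ForEach-Object { $_.Name })
$missing = @($syncMAs | Where-Object { $serviceNames -notcontains $_.Name })

if ($missing.Count -gt 0) {
    Write-Host "MAs the FIM Service does not know about:" -ForegroundColor Yellow
    $missing | ForEach-Object { Write-Host "  - $($_.Name) [$($_.Type)]" }
    Write-Host "The sync engine's MA configuration has not reached the FIM Service; check the Forefront Identity Manager event log on the FIM Service machine."
} else {
    Write-Host "Every synchronization engine MA is visible to the FIM Service."
}
```

Run it from a FIM PowerShell session on the synchronization server. If the second table is empty while the first lists your MAs, you are in the state Markus describes: the FIM Service has no ma-data resources, the portal cannot offer an external system for a synchronization rule, and the FIM MA export has nothing to bind to.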

No, you don't need to run this script from a specific folder. Please see my other response...

Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 7th, 2009 1:53am

One thing in common between the scripts Markus has provided and what the MA tries to do on export is that they both call the web service. In the case of the script, the call to the web service is failing and telling you that there is no FIM MA configured when you clearly do have one. Export is failing as well. Export uses the web service. Have you checked the FIM Service WCF traces and fusion logs to see if there are any errors on the web service side?

Ahmad
AW
November 10th, 2009 9:34pm

When the portal fails to see the MA, I've solved it by fixing permissions for the FIM MA account. IIRC you can run the FIM Service setup in 'repair mode' to have it re-apply the permissions to the FIM MA account.

Craig Martin
Oxford Computer Group http://identitytrench.com
November 10th, 2009 9:35pm
