FIM Service DB permissions
I am trying to understand the points below related to the FIM Service DB.

1- If a user is a FIM portal admin, what permissions should this user have on the FIM Service DB?
2- What permissions should the "fim service" service account have on the FIM Service DB?

In my situation:
1- The FIM portal admin can log in to the portal, and can create users and delete users.
2- The FIM portal admin cannot create security groups and distribution lists; gets access denied.
3- The FIM admin can change MPR and is a member of the administrator set in the FIM portal.

Please advise
April 7th, 2012 8:41am

1- If a user is a FIM portal admin, what permissions should this user have on the FIM Service DB?
--Shouldn't need any.

2- What permissions should the "fim service" service account have on the FIM Service DB?
--The installation and creation of the database should add the appropriate permissions via the FIM_Service_Write role.

In my situation:
1- The FIM portal admin can log in to the portal, and can create users and delete users.
2- The FIM portal admin cannot create security groups and distribution lists; gets access denied.
--Have you checked that the MPRs for managing groups are enabled and that the Admin account is in the set that the MPR has in the Requestors set? (i.e. Group Administrators) Also, you can go to "Search Requests" and look for the request that got you the "Access Denied" message. The "Applied Policy" tab may tell you which MPR is blocking you.
3- The FIM admin can change MPR and is a member of the administrator set in the FIM portal.

This link has more information on the service account configuration: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/6549c8f8-a867-4c07-9319-842a913b00a5/
April 7th, 2012 9:18am

In the error details, General tab:
Request Workflow Remarks --> This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Applied Policies tab: Matched Management Policy Rules

Group management workflow: Group information validation for static groups
grant rights - no
Authentication workflow No
Authorisation rules Yes
Action work flow - no

Group management: Group administrators can create and delete group resources
grant rights - yes
Authentication workflow No
Authorisation rules No
Action work flow - no

I am a member of group administrator.
Enabled the following MPR: Security Group management: Users can create Static Security Groups
Still get access denied.

AdiKumar
April 7th, 2012 10:08am

I've never seen that error: " This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."... You might want to research that? If you've verified that your account is listed in the requestors for the MPRs the request lists, then I'm not sure what else I can offer. (Maybe the Event Viewer can yield up some extra information--there's a FIM application log in the EV.)
April 7th, 2012 10:23am

On the FIM portal server I can see DCOM errors 10016, pointing to the SharePoint service account not being granted enough rights:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {XXXXXXXX} and APPID {XXXXXXXX} to the user Domain\sp account SID (XXXXXX) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Do you think fixing this will help?

AdiKumar
April 7th, 2012 10:33am

I'm not sure if that's the cause of your error, but it looks like it might mean the service account is in an insecure state somehow? A search for "DCOM errors 10016" turns up some ideas you could try to troubleshoot that. Sorry I'm not more familiar with this issue.
April 7th, 2012 2:04pm

I have changed the following registry setting: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy. I changed the value from 1 to 0, i.e. disabled the FIPS algorithm, which has resolved my issue. I no longer get access denied.

AdiKumar
April 9th, 2012 1:37am
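
A read-only check of the three things this thread touches (the FIPS policy registry key, the .NET error from the Request Workflow Remarks, and the DCOM 10016 events), added here as an example and not written by any poster in the thread. It assumes Windows Vista/Server 2008 or later, where the policy is stored as the `Enabled` DWORD under the key named above; `Get-FipsDiagnostic` is a hypothetical helper name.

```powershell
# Added example: changes nothing on the host, only reports state.
function Get-FipsDiagnostic {   # hypothetical name, not a built-in cmdlet
    # Key path as given in the thread; the "Enabled" value name is an
    # assumption that holds on Vista/Server 2008 and later.
    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $reg = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    $regValue = $null
    if ($reg) { $regValue = $reg.Enabled }

    # What the .NET runtime hosting this session reports for the policy.
    $netFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Probe: on .NET Framework releases that enforce the policy, a managed
    # (non-validated) hash class refuses to construct and raises the same
    # message quoted in the thread. Newer runtimes may allow it regardless.
    $probe = 'allowed'
    try {
        $sha = New-Object System.Security.Cryptography.SHA256Managed
        $sha.Clear()
    } catch {
        $probe = 'blocked: ' + $_.Exception.GetBaseException().Message
    }

    # Most recent DCOM 10016 entries in the System log, if any.
    $dcom = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } `
              -MaxEvents 5 -ErrorAction SilentlyContinue)
    $latest = $null
    if ($dcom.Count -gt 0) { $latest = $dcom[0].TimeCreated }

    New-Object PSObject -Property @{
        RegistryEnabled  = $regValue   # 1 = FIPS policy on, 0 = off, $null = not set
        DotNetFipsOnly   = $netFips
        ManagedHashProbe = $probe
        RecentDcom10016  = $dcom.Count
        LatestDcom10016  = $latest
    }
}

Get-FipsDiagnostic | Format-List
```

Run it on the FIM portal server before and after a policy change; the DCOM count is reported separately because nothing in the thread ties those events to the access-denied error.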

