How to recover the ObjectSID for FIM Admin and the Built-in Synchronization User

    Question

  • Hi All,

    The FIM Admin ObjectSID was deleted by a FIM MA synchronization rule, so now I cannot access the FIM Portal. I'm trying to get the ObjectSID back using Brad Turner's script, but still no luck; it fails with the notification below:

     -Account SID : (domain.com\fimadmin) S-1-5-21-1681229994-153652202-3788437857-34961
     -Reading Account information

    Error: Failure on making enumeration web service call.

    Filter = /Person[AccountName='fimadmin']
    Error= The web service client has encountered the following class of error: IdentityIsNotFound
    Details: Additional Text Details: The requestor's identity was not found.
    Correlation Identifier: 705c19b5-0d03-45c0-b306-c46553eb804e
    Failure Message:
    Request Identifier:

    Can anyone tell me how to fix this?

    Thanks.
    Endrik


    Endrik | blog: itendrik.wordpress.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    Wednesday, March 13, 2013 12:16 PM

All replies

  • I guess domain.com\fimadmin is just a property for the actual user name. Check what the sAMAccountName of your FIM admin account is and put that one into the filter.
    Thursday, March 14, 2013 10:00 AM
  • Hi Moritz, 

    The FIM Admin ObjectSID was deleted; how do I recover the ObjectSID?

    I think putting FIM Admin into connection filtering cannot recover the ObjectSID.

    I can still find the FIM Admin and Built-in Synchronization accounts in the Metaverse.

    Any other clue?

    Thanks.

    Endrik



    Thursday, March 14, 2013 10:06 AM
  • Best bet is to contact Microsoft support. You're going to need to edit the FIM database to fix this.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Thursday, March 14, 2013 3:58 PM
    Moderator
  • Hi Endrik,

    If the ObjectSID was deleted from the FIM metaverse, you can try the following steps:

    1. If it is not there already, move the FIM admin account to the OU/container selected under the FIM ADMA.
    2. Create an AD inbound sync rule and, under the Inbound Attribute Flow tab, map objectSID => ObjectSID.
    3. Run an Import & Sync of the FIMMA, then a Delta Import and Full Sync of the ADMA, and finally run an Export on the FIMMA.
    4. Check in Metaverse Search whether the ID has been retrieved or not.

    Regards,
    Varun


    Saturday, March 16, 2013 6:50 AM
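Step 3 of the post above is a fixed sequence of run profiles, and it is easy to get the order wrong when clicking through the Synchronization Service Manager. The following is an added example, not code from the thread or from Microsoft; it drives the same sequence through the Synchronization Service WMI provider (MIIS_ManagementAgent.Execute). The MA names "FIMMA" and "ADMA" and the run profile names "Delta Import", "Delta Synchronization", "Full Synchronization" and "Export" are placeholders that must match what is configured in your Sync Service, and the script assumes it runs on the sync server as a member of the FIMSyncAdmins group.

```powershell
# Added example (not part of the thread): run the profiles from Varun's step 3
# through the Synchronization Service WMI provider instead of the GUI.
# Assumptions (placeholders): run on the Sync server as a FIMSyncAdmins member;
# MA names 'FIMMA' and 'ADMA'; run profile names as listed below.

$SyncNamespace = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-MARunProfile {
    param(
        [Parameter(Mandatory = $true)][string]$MAName,
        [Parameter(Mandatory = $true)][string]$RunProfile
    )
    $ma = Get-WmiObject -Namespace $SyncNamespace -Class MIIS_ManagementAgent |
          Where-Object { $_.Name -eq $MAName }
    if ($null -eq $ma) { throw "Management agent '$MAName' not found" }

    Write-Host ("Running '{0}' on {1} ..." -f $RunProfile, $MAName)
    # Execute() blocks until the run finishes and returns the run result string
    $result = $ma.Execute($RunProfile).ReturnValue
    Write-Host ("  result: {0}" -f $result)
    # 'success' is clean; 'completed-*' finished but logged per-object errors
    # that should be read in the Operations view before continuing
    if ($result -ne 'success' -and $result -notlike 'completed-*') {
        throw "Run profile '$RunProfile' on '$MAName' ended with '$result'"
    }
    return $result
}

# Step 3, in order:
# a) bring the current FIM Service state into the metaverse
Invoke-MARunProfile -MAName 'FIMMA' -RunProfile 'Delta Import'
Invoke-MARunProfile -MAName 'FIMMA' -RunProfile 'Delta Synchronization'
# b) pick up the AD account (now inside the ADMA container scope from step 1)
#    and apply the new inbound objectSID flow from step 2 to every object
Invoke-MARunProfile -MAName 'ADMA' -RunProfile 'Delta Import'
Invoke-MARunProfile -MAName 'ADMA' -RunProfile 'Full Synchronization'
# c) export the recovered ObjectSID to the FIM Service
Invoke-MARunProfile -MAName 'FIMMA' -RunProfile 'Export'
# confirming import, so the export is acknowledged and nothing stays pending
Invoke-MARunProfile -MAName 'FIMMA' -RunProfile 'Delta Import'

Write-Host 'Now check the object in Metaverse Search (step 4).'
```

Before running this, make sure the FIM MA synchronization rule that removed the ObjectSID in the first place (see the original question) no longer flows an empty value; otherwise the FIMMA export in the last step will clear the attribute again. Note also that a Full Synchronization on the ADMA re-evaluates every connector, not only the admin account, so run it in a change window.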
  • Hi Varun, 

    still no luck.

    The solution was to restore the database; the Portal can now be accessed. I put the FIM admin and FIM ADMA accounts into the filter like Moritz said.

    Thank you all for the support.



    Saturday, April 06, 2013 4:29 PM
  • I'm facing the same issue too, but for my regular users; so, how can I debug it?
    Sunday, December 08, 2013 12:59 AM
  • You can fix the ObjectSID for a regular user by using a PowerShell script. This script will restore the AD ObjectSID on the FIM Portal user:

    PARAM([string]$AccountName, [string]$Domain)
    cls
    #------------------------------------------------------------------------------------------------------
    set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant

    function GetSidAsBase64
    {
        PARAM($AccountName, $Domain)
        END
        {
            # Resolve DOMAIN\AccountName to its SID through the local security subsystem.
            # ($args is a PowerShell automatic variable, so a differently named array is used here.)
            $ntArgs = (,$Domain)
            $ntArgs += $AccountName
            $ntaccount = New-Object System.Security.Principal.NTAccount $ntArgs
            $desiredSid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
            write-host " -Account SID : ($Domain\$AccountName) $desiredSid"
            # FIM stores ObjectSID as the binary SID, Base64-encoded. Size the buffer from
            # the resolved SID itself rather than from a fixed sample SID.
            $sidArray = New-Object byte[] ($desiredSid.BinaryLength)
            $desiredSid.GetBinaryForm($sidArray, 0)
            $desiredSidString = [System.Convert]::ToBase64String($sidArray)
            $desiredSidString
        }
    }
    #------------------------------------------------------------------------------------------------------
    write-host "`nFix Account ObjectSID"
    write-host "=========================="
    #------------------------------------------------------------------------------------------------------
    # Retrieve the Base64-encoded SID for the referenced user
    $accountSid = GetSidAsBase64 $AccountName $Domain
    #------------------------------------------------------------------------------------------------------
    # Export the account configuration from the service
    write-host " -Reading Account information"
    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"}).count -eq 0)
    {add-pssnapin FIMAutomation}

    # This call is made as the account running the script; if that account's own
    # ObjectSID is missing, the service answers IdentityIsNotFound as in the first post.
    $exportObject = export-fimconfig -uri $URI `
                                     -onlyBaseResources `
                                     -customconfig ("/Person[AccountName='$AccountName']")
    if($exportObject -eq $null) {throw "Cannot find an account by that name"}
    $objectSID = $exportObject.ResourceManagementObject.ResourceManagementAttributes | `
                    Where-Object {$_.AttributeName -eq "ObjectSID"}

    Write-Host " -New Value = $accountSid"
    Write-Host " -Old Value =" $objectSID.Value

    if($accountSid -eq $objectSID.Value)
    {
        Write-Host "Existing value is correct!"
    }
    else
    {
        # Replace the single-valued ObjectSID attribute on the existing Person object
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = 1          # ImportOperation: Replace
        $importChange.AttributeName = "ObjectSID"
        $importChange.AttributeValue = $accountSid
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = $exportObject.ResourceManagementObject.ObjectType
        $importObject.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.SourceObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier
        $importObject.State = 1              # ImportState: Put (update an existing object)
        $importObject.Changes = (,$importChange)
        write-host " -Writing Account information ObjectSID = $accountSid"
        $importObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
        if($Err){throw $Err}
        Write-Host "Success!"
    }
    #------------------------------------------------------------------------------------------------------
    # A trap applies to the whole script scope regardless of where it is declared
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
        Exit
    }
    #------------------------------------------------------------------------------------------------------

    https://social.technet.microsoft.com/wiki/contents/articles/3614.how-to-use-powershell-to-fix-an-objectsid-on-an-fim-portal-object.aspx

    Monday, December 09, 2013 5:02 PM
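The script in the last reply repairs one account at a time, and the question before it asks how to find regular users with the same problem. The following is an added example, not the script above and not from the linked wiki article; it walks every Person in the FIM Service, decodes the stored Base64 ObjectSID back to S-1-5-... form and compares it with the SID Active Directory resolves for the same sAMAccountName, reporting the objects that are missing a SID or carry a stale one. It assumes the FIMAutomation snap-in is installed, that AccountName holds the sAMAccountName, and that the NetBIOS domain name passed as $Domain (placeholder 'CONTOSO') is the domain the accounts live in.

```powershell
# Added example (not from the thread or the linked wiki article): audit every Person
# whose ObjectSID is missing or differs from the SID AD holds for the same account.
# Assumptions: FIMAutomation snap-in installed; caller is a FIM administrator whose
# own ObjectSID is intact; AccountName = sAMAccountName; $Domain is the NetBIOS
# domain name (placeholder 'CONTOSO').
param(
    [string]$Domain = 'CONTOSO',
    [string]$URI    = 'http://localhost:5725/resourcemanagementservice'
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

function ConvertFrom-Base64Sid {
    param([string]$Base64)
    # FIM stores ObjectSID as the binary SID, Base64-encoded; turn it back into S-1-5-...
    $bytes = [Convert]::FromBase64String($Base64)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Get-AdSidString {
    param([string]$Domain, [string]$AccountName)
    # Same DOMAIN\account lookup the fix script uses; $null when AD cannot map the name
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

function Get-FimAttributeValue {
    param($Resource, [string]$Name)
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($attr) { $attr.Value } else { $null }
}

# One round trip for all Persons; on a large directory narrow the XPath first,
# e.g. "/Person[starts-with(AccountName,'a')]"
$people = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig '/Person'

$report = foreach ($p in $people) {
    $account = Get-FimAttributeValue $p 'AccountName'
    if (-not $account) { continue }            # nothing to match against AD
    $stored = Get-FimAttributeValue $p 'ObjectSID'
    $fimSid = if ($stored) { ConvertFrom-Base64Sid $stored } else { $null }
    $adSid  = Get-AdSidString $Domain $account
    $status = if (-not $fimSid)             { 'MISSING'   }  # the state in the first post
              elseif (-not $adSid)          { 'NOT-IN-AD' }  # stale Person, or wrong $Domain
              elseif ($fimSid -ne $adSid)   { 'MISMATCH'  }  # e.g. account re-created in AD
              else                          { 'OK'        }
    New-Object PSObject -Property @{
        AccountName = $account; Status = $status; FimSid = $fimSid; AdSid = $adSid
    }
}

$report | Where-Object { $_.Status -ne 'OK' } |
    Format-Table AccountName, Status, FimSid, AdSid -AutoSize
```

Run it as an account whose own ObjectSID is still correct: the FIM Service identifies the caller by matching the caller's SID against Person.ObjectSID, so if the running account is itself broken every Export-FIMConfig call fails with the IdentityIsNotFound error shown in the first post, which is why the original poster ended up restoring the database. Accounts listed as MISSING or MISMATCH can then be fed one by one to the fix script above.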