Some users cannot access the portal.

    Question

  • Hello everyone

    I have an issue and I still haven't been able to get to the bottom of it. 

    We use FIM 2010 R2

    All of the older users are able to access the portal. However, newer users, although they were created through FIM, are not able to access the portal. A "You do not have permission to access this site" error occurs.

    I have looked at the provisioning tab of older users and compared it with the provisioning tab of the newer users, and found that older users who are able to access the portal have 2 detected rules that apply. The rules are something like "DRE for AD Active CON accounts Sync" and "DRE for AD Active FTE Accounts Sync".

    I'm pretty sure that the issue has to be related in some way to this. The newer users don't have these rules detected.

    Is there any way that they can be applied so that newer users would be able to access the portal? 

    In FIM's SharePoint site all authenticated users have read access, so there's not a permissions problem.

    I have no idea why older users are able to log on to the portal and newer ones are not...

    Tuesday, November 19, 2013 10:56 AM

All replies

  • Hi,

    You have to make sure that they have ObjectSID, accountName and domain from AD imported to the portal (do you have flow for that?).


    Borys Majewski, Identity Management Solutions Architect (http://IDArchitect.NET)

    Tuesday, November 19, 2013 11:14 AM
  • Actually no... and I have no idea how to do it. Furthermore, I was told by the last person who implemented it that at some point he messed something up and deleted 70 user accounts from AD.

    So I'm a bit reluctant on this matter, but if I could find a step-by-step tutorial maybe I'd try it....

    At the moment I have to use old admin accounts to access the site and make modifications. 

    Furthermore, there are some admin accounts made by hand in AD which are not imported in FIM although several other accounts are... 

    Tuesday, November 19, 2013 12:33 PM
  • There is an article which explains the process of loading users into the portal here: How Do I Synchronize Users from AD DS to FIM.

    However, there are several ways of implementing this, so your configuration can use a different approach.

    Be careful (FIM can be a really destructive tool if you don't know what you are doing ;-) )


    Borys Majewski, Identity Management Solutions Architect (http://IDArchitect.NET)

    Tuesday, November 19, 2013 2:08 PM
  • Is there any way I could apply the aforementioned rules to the existing users who don't have them? 

    Thank you

    Wednesday, November 20, 2013 7:45 AM
  • Yes of course.

    Synchronization rules work for existing objects.


    Borys Majewski, Identity Management Solutions Architect (http://IDArchitect.NET)

    Wednesday, November 20, 2013 10:38 AM
  • Can you help me with a step-by-step procedure, if I'm not asking too much?

    I'm reluctant to do things on my own because of the mess that you can do with FIM if you screw something up... :) 

    You said it yourself that it can be a destructive weapon if used improperly.

    Wednesday, November 20, 2013 12:19 PM
  • You can create a sync rule with mappings of various attributes. For those attributes you want to send to AD, use the Outbound mapping, and for those whose values you want to import from AD you can use inbound flow. If you want users to access the portal then, as said in the above replies, flow ObjectSID, Domain and Account Name back to the portal from AD, i.e. you can use these mappings in the inbound flow as well. For more details about creating a sync rule, you can refer to the TechNet guide.

    Thursday, November 21, 2013 11:20 AM
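Before touching the sync rules, it helps to confirm the diagnosis the replies above point to: which Person objects in the FIM Service actually lack ObjectSID, AccountName or Domain. The script below is an added example, not code posted in this thread or shipped with FIM; it uses the FIMAutomation snap-in's `Export-FIMConfig` cmdlet, which exists on the FIM Service server, and assumes it is run there (default service URI) by a portal administrator. It only reads, so it cannot delete or rewrite anything; it prints one row per user that the portal would reject.

```powershell
# Added diagnostic example (not from the original thread).
# Assumptions: run on the FIM Service server as a portal administrator,
# FIMAutomation snap-in installed. Read-only: it exports Person objects
# and reports the ones missing an attribute the portal needs to map a
# SharePoint login to a FIM Person.

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# The three attributes the replies above say must be flowed in from AD.
$required = @('ObjectSID', 'AccountName', 'Domain')

# -OnlyBaseResources keeps the export to the Person objects themselves,
# without pulling in every referenced resource (sets, managers, etc.).
$people = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person"

$report = foreach ($p in $people) {
    $rmo   = $p.ResourceManagementObject
    $attrs = @{}
    foreach ($a in $rmo.ResourceManagementAttributes) {
        # Single-valued attributes expose .Value; ObjectSID arrives base64-encoded.
        $attrs[$a.AttributeName] = $a.Value
    }

    $missing = $required | Where-Object { [string]::IsNullOrEmpty($attrs[$_]) }
    if ($missing) {
        [pscustomobject]@{
            DisplayName = $attrs['DisplayName']
            ObjectID    = $rmo.ObjectIdentifier
            Missing     = ($missing -join ', ')
        }
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize
```

Users that show up here with all three attributes missing are the ones whose logins SharePoint accepts but the FIM Service cannot match to a Person, which produces exactly the "You do not have permission to access this site" error described in the question. Run it again after the inbound flow has been applied and a full sync/export has completed; an empty report means the portal can now resolve every account.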
  • But wouldn't that mess up my users in the portal?

    Maybe it will import random stuff and delete the AD users once it syncs... 

    Does importing what you stated above mess up my existing users?

    I mean delete and re-create them... ?

    Thursday, November 21, 2013 2:27 PM
  • Anyone?

    Monday, November 25, 2013 8:29 AM