Resources for IT Professionals >
Forums Home
>
Identity Management Forums
>
Identity Lifecycle Manager 2
>
Error while Export in FIM MA
Error while Export in FIM MA
- i got following error while running Export on FIM MA .There is an error executing a web service object modification request.Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedExceptionMessage: Access to the requested resource(s) is deniedStack Trace: at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)Inner Exception:please assist.
Mohit Goyal
Answers
- This is good!
At least, we know now, what the problem is.
The account you have specified as FIM MA account during setup and the account you are actually using right now don't match.
Run setup again (Control Panel/Programs and Features/Change), reconfigure FIM, and then run the script again.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation- Marked As Answer byMarkus VilcinskasMSFT, ModeratorFriday, November 06, 2009 2:18 PM
- Hey markus,
Thanks a lot , i found the error and i did not performed reinstall.
the error was when i configured FIM MA for "connect to Database" where i accedentally provided test\administrator to connect to DB.
after providing FIM MA (in my case ilmma) credentials, attributes starts flowing in.
Thanks a Lot again. :)
Cheers, Mohit Goyal- Marked As Answer byMarkus VilcinskasMSFT, ModeratorFriday, November 06, 2009 2:18 PM
All Replies
- Hi Mohit,
could you provide some more details on what you are trying to do?
In particular, which type of resource are you trying to export when you get the error? A user? A group?
Did you add some custom attributes to the object type? If so, be aware that RC1 comes with more restrictive permissions than RC0 by default, and you should explicitly enable access to the new attribute by update the MPR "Administration: Administrators can read and update Users" (or equivalent for Groups).
Hope this helps,
Paolo - This thread may be helpful:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/aa5ac051-8ae4-49ea-abcc-9d7a5890a08b - hi Paolo,i am trying to export a user not any group.i did not added any custom attribute to object type. in fact i am doing this under lab environment with document for "Publishing Active Directory Users From Two Authoritative Data Sources "i checked MRP which you mentioned and is enabled.
Mohit Goyal - The user had already been created and the export fails when you try to modify it? is the error code "failed-modification-via-webservices"?
How is your lab environment? Are the portal and the synchronization service on different machines or on the same?
Maybe you did not configure properly the FIM service accounts. You could check this TechnoVanza blog post to see if there is something relavant for you.
Cheers
Paolo Tedesco http://espace.cern.ch/idm - Thanks Paolo,i found out what i missed and i hope it is corrected now.could not check it now. i have lab environment which contain all services on single computer including SQL server. i missed certain attribute for initial flow only check box.somehow i forgot to check DN attribute flow for initial flow so i got following error " Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector" as this error says o missed check on DN attribute flow so i went to sync rule and checked DN attribute flow but to my surprise i got same error this time with different text "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "FIM AD MA" do not include an object with DN "CN=Mohit GoyalOU\=FIMObjects,DC=test,DC=local" and object classes user."Also tried to put criteria under partition filter for Management Agent "FIM AD MA" but ended up with no success.Please guide me if i missed anything this time.
Mohit Goyal - I don't know if it's relevant, but you are missing a comma between the CN and the first OU component in the DN:
CN=Mohit GoyalOU=...
should be:
CN=Mohit Goyal,OU=...
Check how you configured the flow for the DN attribute in the synchronization rule.
Cheers
Paolo Tedesco - http://espace.cern.ch/idm - If I read your post correctly, you get the error during an export on the FIM MA.
Also, the error is an access denied.
Verify whether the FIM MA account has the right to logon locally.
If this is not the case, grant the right, and then run the export again.
Does this fix your issue?
Cheers,
Markus
Markus Vilcinskas, Technical Content Developer, Microsoft Corporation - Hello Markus,Yes it is correct that i am getting error of access denied during Export on the FIM MA. i checked the local policy on the same server and under "deny logon locally" there is nothing. i think then it is allowed to logon locally.Just to make it clear FIM MA account would be then account which is under "Built-in Synchronization Account" .Please help.
Mohit Goyal - does any one have any workaround for this issue? i am still suffering from this pain.Please help!!!!!!!!!!! :(
Cheers, Mohit Goyal - Log on as adminitrator to your FIM server, and then run following command on the command line:
runas /user:fabrikam\fimma cmd
You will have to replace the account with the FIM MA account you are using in your environment.
If the command fails, your account doesn't have the right to logon locally.
In this case, fix the rights issue and run your export again.
Cheers,
Markus
Markus Vilcinskas, Technical Content Developer, Microsoft Corporation - Hi Markus,
i had tried it and i am able to logon with it, which means logon locally is granted to FIM MA account.
i checked requested made today in portal and found "update to person" request is denied and originator is administrator . if i check 'Applied Plicy' could not find anything. is it due to any policiy not applied or any other issue.
Also i has enabled all MPR
1. General: Users can read schema related resources
2. General: Users can read non-administrative configuration resources
3. User management: Users can read attributes of their own
now please letme know did i still missed anything?
I understand that i becomes frustrating sometime for silly questions, but i appriciate you take so kind approach to questions.
please help me.
Cheers, Mohit Goyal No sweat – we want you guys to be happy with the product.
A forum is the right place to ask these questions.Mohit, please run this script and post the outcome.
The script does a bit more than just looking at logon locally.
We need to make sure that there is no issue with your FIM MA account, first.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft CorporationHello Markus,
Thanks for the reply,
PS C:\> .\script.ps1FIM MA Account Test
====================
-Reading registry configuration
-FIM MA account name: TEST\ilmma
-FIM MA account SID : S-1-5-21-1511427291-1577385093-316865315-1173
-Reading MA configuration
-FIM MA account name: test\administratorError: Rgistry configuration and FIM MA configuration for MA account don't match!
here is the output of the script.
please let me know what i have to do now.
Cheers, Mohit Goyal- This is good!
At least, we know now, what the problem is.
The account you have specified as FIM MA account during setup and the account you are actually using right now don't match.
Run setup again (Control Panel/Programs and Features/Change), reconfigure FIM, and then run the script again.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation- Marked As Answer byMarkus VilcinskasMSFT, ModeratorFriday, November 06, 2009 2:18 PM
- Hey markus,
Thanks a lot , i found the error and i did not performed reinstall.
the error was when i configured FIM MA for "connect to Database" where i accedentally provided test\administrator to connect to DB.
after providing FIM MA (in my case ilmma) credentials, attributes starts flowing in.
Thanks a Lot again. :)
Cheers, Mohit Goyal- Marked As Answer byMarkus VilcinskasMSFT, ModeratorFriday, November 06, 2009 2:18 PM
