Issue

If deprovisioning and object deletion rules are not configured correctly, 'failed-creation-via-web-services' errors can appear when an object is removed from AD and then put back in scope of FIM.

Causes

  • AD object removed from scope
  • AD Import and sync deletes metaverse object
  • FIMMA deprovisioning is set to 'make them disconnectors'
  • FIMMA import and sync projects the object again and creates a metaverse object with just 'MVObjectID' attribute
  • Object put back in scope of AD
  • AD Import and Sync projects another metaverse object with attributes populated. Join rules were not satisfied, since the metaverse object created by the FIMMA projection does not have the join attribute populated. If Sync rule provisioning is enabled, the new metaverse object then has an object pending export on FIMMA.

At this point we have 2 metaverse objects and 2 FIMMA connector space objects pending export.

  • MV Object 1 - FIMMA connector only (FIMMA CS Object 1)
    • Only has MVObjectID attribute
  • MV Object 2 - FIMMA and AD connector (FIMMA CS Object 2 and ADMA CS Object)
    • Has all attributes configured in inbound sync rule

Errors

Failed-Modification-via-web-services: FIMMA CS Object 1 gets this error since the Domain attribute was wiped out on sync.

  • Fault Reason: The endpoint could not dispatch the request.
  • Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domain Name) .....

Failed-Creation-via-web-services: FIMMA CS Object 2 gets this error since the objectSID violates uniqueness, as the original FIM Portal object has the same value populated.

  • Value Violates Uniqueness at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException
  • </FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode>...

Resolution

Cleanup with this type of thing can seem tricky, especially if it's affecting a fairly large number of objects, but not all objects. We resolved the issue by adding an Import Attribute flow on the FIMMA for Domain->Domain. We then ran a Sync on the FIMMA.

  • CS Object 1 was updated and pending export with Domain populated, but ObjectSID null due to the initial deprovisioning from moving the AD object out of scope.
  • CS Object 2 was pending export

Running an Export was successful for both objects, resolving the error. We then deleted the bad objects from the Portal and ran the following:

  • FIMMA Full Import - Stage delete of CS object 1
  • FIMMA Full Sync - Deleted bad MV Object 1
  • FIMMA Export
  • FIMMA Delta Import

Alternatively, we could have also used attributes to find the 'bad' objects in the Portal that did not have AD connectors, and filtered them from the subsequent sync.  We configured FIMMA deprovisioning to 'stage a delete on next export run'. 

  • FIMMA Full Import - confirmed export
  • FIMMA Full Sync - Filtered and deprovisioned bad objects
  • FIMMA Export - Deleted bad objects
  • FIMMA Delta Import - confirmed delete of bad objects
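
The run sequence above can be scripted through the Synchronization Service WMI provider, with a check on the number of staged deletes before the Export step. This is an added example, not part of the original write-up; the management agent name, the run profile names and the delete ceiling are assumptions to adjust for your environment.

```powershell
# Added example. Run on the synchronization server.
# Assumed values: change them to match your configuration.
$MaName      = 'FIMMA'                                              # assumed management agent name
$RunProfiles = 'Full Import', 'Full Sync', 'Export', 'Delta Import' # assumed run profile names
$MaxDeletes  = 25                                                   # assumed ceiling for staged deletes

$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                    -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
if (-not $ma) { throw "Management agent '$MaName' not found." }

foreach ($runProfile in $RunProfiles) {
    if ($runProfile -eq 'Export') {
        # With deprovisioning set to stage a delete on the next export run,
        # the Full Sync decides how many Portal objects the Export will delete.
        # Check the pending counts before letting the Export go ahead.
        $adds    = [int]$ma.NumExportAdd().ReturnValue
        $updates = [int]$ma.NumExportUpdate().ReturnValue
        $deletes = [int]$ma.NumExportDelete().ReturnValue
        Write-Host "Pending export on ${MaName}: $adds adds, $updates updates, $deletes deletes"

        if ($deletes -gt $MaxDeletes) {
            throw "Export not run: $deletes staged deletes exceeds the ceiling of $MaxDeletes."
        }
    }

    # Execute blocks until the run finishes and returns the run status string.
    $status = $ma.Execute($runProfile).ReturnValue
    Write-Host "$MaName / $runProfile : $status"

    # Conservative: stop on anything other than a clean run so that export
    # errors are reviewed before the next step.
    if ($status -ne 'success') {
        throw "Run profile '$runProfile' on $MaName ended with status '$status'."
    }
}
```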

Most of these 'failed-creation-via-web-services' or 'failed-modification-via-web-services' come about in a similar manner:  Object deletion rules and deprovisioning not configured correctly to handle the situation.

