ILM key management export, access denied

  • Question

  • I am starting a migration from ILM to FIM.  Trying to export the key set on ILM, I'm getting an error "The credentials do not have access to the MIIS database."

    I'm using the service account the ILM uses.  I've also tried the service account that the SQL server instance runs under and my personal ID, which can successfully back up the database using the SQL Server Management Studio Express.  All get the same error.

    What permissions on the database are required to perform this operation?

    Ed Bell - Specialist, Network Services, Convergys

    Wednesday, April 10, 2013 4:37 PM

All replies

  • Make sure you are using the ILM service account that runs the MIIS service on the server, not one of the accounts configured to access external resources in your management agents.

    I've never seen that happen before using the correct account.  Just some ideas here...I would suspect there is something else wrong besides a permissions issue...perhaps some kind of connectivity or configuration problem.  Is the SSMS installed on the same server?  If so, you've probably got the SQL Server native client...otherwise you might want to install that.  If this is on Server 2008 x86, make sure you run any utility "as Administrator" if it gives you problems without doing so just to rule out UAC (or better yet, turn off UAC at least temporarily).  In each case that I did attempt to use the key export tool, the service account was a sysadmin on the SQL Server instance, and I had *not* applied the Microsoft-recommended lock-downs to prevent the service account from logging on to the server.  If the account logon types were restricted, you might try undoing all that and making sure the account can log on.  Also check the security logs for details on the authentication failure, if in fact that is what it is.

    If you aren't able to export the key set, you should still be able to restore the database on a new SQL Server and do a FIM 2010 (not R2!) installation on top of it.  The downside would be you would have to re-enter any secured data (MA service account passwords).


    Wednesday, April 10, 2013 8:11 PM