Enabling FIM Portal Access for a Regular AD User Account


    To be able to access the FIM portal as a regular user, the following MUST be true:

    · The user has an AD user account

    · The attributes “Domain”, “AccountName” and “ObjectSID” must have values populated for that AD user account, synched by the FIM Sync Engine

    · The correct permissions have been configured for the AD user account in the FIM Portal (see more below)

    To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:

    · Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)

    · Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)

    In addition to all this, you as an administrator need to enable a few MPRs which by default are disabled. I’m talking about the following MPRs:

    · “General: Users can read non-administrative configuration resources”

    · “User management: Users can read attributes of their own”

    You can check the MPRs in the FIM Portal or you can use this PowerShell script to do that for you.

    This is for simple plain FIM Portal access. If you want to allow a user to do more, you need to create and/or enable additional MPRs.

     


    Jorge de Almeida Pinto [MVP-DS / AD DS TechNet Forums Moderator] [Sr. Technical Consultant @ Oxford Computer Group] (http://blogs.dirteam.com/blogs/jorge/default.aspx) (http://www.oxfordcomputergroup.com/)
    Friday, December 11, 2009 8:08 PM

All replies

  • You can use this script to test your MPR configuration for this scenario.

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Friday, December 11, 2009 10:07 PM
  • You can now use this PowerShell script to fix missing ObjectSIDs - just pass in the account name and domain for the account you wish to fix...
    Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
    Monday, March 29, 2010 4:54 AM
  • To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:

    · Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)

    · Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)

    Can we set this after the installation?

    I have enabled all the required MPRs; ObjectSIDs, Domain and AccountName are correctly set.

    Still a regular user is not able to log in. Getting an error:

    You do not have permission to access this site. 
       Please contact your help desk or system administrator.
      > Go to Forefront Identity Manager home page

    Am I missing something here?

    Cheers

    Sachin

    Friday, April 23, 2010 4:22 PM
  • These settings can be found inside SharePoint itself.

    As a SharePoint admin, select "Site Actions" in the top right corner and then select "Advanced Permissions".
    In the permissions for the site itself those checkboxes will grant "NT Authority\Authenticated Users" Read access.

    /Andreas


    This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/copyright.htm
    Friday, April 23, 2010 4:30 PM
  • Jorge

     

    >>The attributes “Domain”, “AccountName” and “ObjectSID” must have values populated about that AD user account synched by the FIM Sync Engine

    You missed DisplayName.

    Friday, April 23, 2010 6:36 PM
  • Thanks Andreas.

    I have checked the "Advanced Permissions" and they are configured as:

    1.

    Users/Groups                          Type            User Name                             Permissions
    NT AUTHORITY\authenticated users      Domain Group    NT AUTHORITY\authenticated users      Read

    2. Ran the script provided by Markus to confirm that the required MPRs are enabled

    3. Ran the script provided by Brad to check the ObjectSID. It matches the AD ObjectSID

    Still getting the same error. Could I be missing any other attributes/settings?

    Cheers

    Sachin

     

     

    Monday, April 26, 2010 10:06 AM
  • I had this problem, and if you are following "Synchronize Users from Active Directory Domain Services" on the Wiki you need to add an attribute flow on the FIMMA Management Agent for the accountName item in the Person object! This solved the issue for me!
    James Bulgo Snr ICT Officer Linc Cymru Housing Association
    Tuesday, November 16, 2010 1:08 PM
  • Thanks, James...I had the same issue which was resolved by following your steps.
    Monday, December 20, 2010 5:12 PM
  • Thanks for the tips.

    I have user accounts in AD already created.

    I have not validated "The attributes “Domain”, “AccountName” and “ObjectSID” must have values populated about that AD user account synched by the FIM Sync Engine".  I'm not sure how to in FIM.

    I have already validated the following:

    · Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)

    · Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)

    I have also run the PowerShell script to validate these settings:

    · ”General: Users can read non-administrative configuration resources”

    · “User management: Users can read attributes of their own”

    Tuesday, October 4, 2011 2:41 AM
  • Having the same issues. The FIM admins are fine but the regular users are having the problems. It has something to do with one of the MPRs: when I disable it the user logs in and I see the message "Welcome (Username)", but when I enable the MPR again the user is not allowed to log in. The user is present in FIM and is a member of AD.

    What do I need to do?

    Wednesday, July 25, 2012 11:10 AM
  • Hi,

    I have enabled the attributes “Domain”, “AccountName” and “ObjectSID”, and the values are populated for that AD user account synched by the FIM Sync Engine.

    Please find the below attributes values

    Account Name: fimadmin
    Domain Name : TESTNET
    Object SID  : AQUAAAAAAAUVAAAAeZI7Xt/AsWwbRQVrlAQAAA==

    I have already validated the following:

    ·Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)

    ·Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)

    I have also run the PowerShell script to validate these settings:

    ·”General: Users can read non-administrative configuration resources”

    ·“User management: Users can read attributes of their own”

    BUT STILL NOT ABLE TO LOGIN AS A REGULAR USER ... PLEASE HELP ME OR SUGGEST HOW TO DEBUG TO IDENTIFY THE ISSUE. IF SOMEONE GIVES ME THE STEPS THAT WOULD BE A GREAT HELP.


    Thursday, January 3, 2013 9:37 AM
  • That's the output for FIMADMIN. Can you exec that script for the user account you are having problems with?
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Thursday, January 3, 2013 9:07 PM
  • Hi Jorge,

    The script which I ran was normal user only, I have create the user name as fimadmin, actual admin name is administrator.

    Thanks,

    Raju


    ravindraraju

    Friday, January 4, 2013 5:50 AM
  • does the info that is generated by the script (domain, username and objectsid) match the actual user in AD?
     

    Cheers,



    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Friday, January 4, 2013 8:10 AM
  • Hi Jorge,

    I am getting same person object sid in fim and AD. Please find the below script result

    FIM person object sid.

    Account Name: demo
    Domain Name : DEMONET
    Object SID : AQUAAAAAAAUVAAAAeZI7Xt/AsWwbRQVrpgQAAA==

    AD person object sid

    AQUAAAAAAAUVAAAAeZI7Xt/AsWwbRQVrpgQAAA==

    Thanks,


    ravindraraju



    Tuesday, January 8, 2013 5:12 AM
  • What's the real error you are seeing... provide a screendump please
     

    Cheers,


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Tuesday, January 8, 2013 9:17 AM
  • Hi Jorge,

    I am unable to attach the screen shot. Please find the below error in fim portal login page for regular user.


    Please contact your help desk or system administrator. [-] Additional information.

    Include this information when contacting your help desk or system administrator.

    Error processing your request: The server was unwilling to perform the requested operation.

    Reason:

    The requester of this operation is invalid.

    Attributes:

    Correlation Id:

    eb74b922-7cf3-42c4-b556-b0431847a495

    Request Id:

    Details:

    The requestor’s identity was not found.

    The error below is in the Event Log:

    Requestor: Internal Service

    Correlation Identifier: eb74b922-7cf3-42c4-b556-b0431847a495

    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound

    at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)

    at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()

    at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)

    Cheers,


    ravindraraju

    Wednesday, January 9, 2013 4:18 AM
  • Updated version of the article:

    http://jorgequestforknowledge.wordpress.com/2013/01/09/fim-portal-access-for-any-regular-ad-user-account-how-to-enable-and-troubleshoot/

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    Wednesday, January 9, 2013 9:50 PM
  • Hi Jorge,

     Thanks for updating step by step. I have gone through your below link

    http://jorgequestforknowledge.wordpress.com/2013/01/09/fim-portal-access-for-any-regular-ad-user-account-how-to-enable-and-troubleshoot/

    When I run the below powershell script.

     How to Use PowerShell to Display a User’s Attribute Values for FIM Portal Access (en-US).

    I am not getting the StringSID value.

    Could you please suggest me. I am not able to upload screenshots here.

    Thanks,



    ravindraraju

    Thursday, January 10, 2013 4:10 PM
  • >>>>>>>I am not getting the StringSID value
     
    If the user does not have a SID value populated, it cannot log on. Check my blog post as it contains a reference to the script to manually populate the SID from AD to the FIM portal

    Cheers,


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Saturday, January 12, 2013 6:02 PM
  • Hi Brad,

    How do I use the PowerShell script to populate a missing objectSID for multiple users on the FIM portal?

    Josephine

    Tuesday, May 20, 2014 3:16 AM
  • Josephine,

    You use the FixSid.ps1 script from above to populate the objectSID of the user object in the FIM portal. The syntax is similar to the following (from an elevated PS prompt):

    ./FixSid.ps1 BSimon FABRIKAM

    where BSimon is both the AccountName value in the portal of the user as well as the sAMAccountName value in AD for this same user and FABRIKAM is the NETBIOS domain name where BSimon resides. After running this script, the objectSID value should be populated in the portal. You can verify by going to details of user and then advanced view->extended attribute and seeing that there is an 'export' button available.

    FixSid.ps1 is available here:

    http://social.technet.microsoft.com/wiki/contents/articles/3614.how-to-use-powershell-to-fix-an-objectsid-on-an-fim-portal-object.aspx

    Tuesday, May 20, 2014 5:05 AM
  • Having the same problem, using FIM 2010 R2 SP1 on Server 2012 and SharePoint Foundation 2013.

    Checked:

    • MPRs are OK
    • Site permissions are OK
    • The user and needed attributes are in place in the portal

    When trying to access the portal it just says:

    Error: Access Denied

    Current User

    You are currently signed as CONTOSO\DummyUser

    Any suggestions?

    Wednesday, July 23, 2014 11:40 AM
  • False alarm, it just took some time before user could access after enabling the MPRs...

    Thursday, July 24, 2014 3:47 AM
  • THANK YOU SOOO MUCH Jorge!! I spent approx. 2 hrs before I found your response and noticed those 2 MPRs are also required (which somehow I forgot to enable).

    Sunday, August 24, 2014 6:38 PM