Request to join group stuck in 'Authorizing' state

  • Question

  • Okay this is a bizarre one.

    I'm using the default MPRs to enable users to request to join Security Groups via the Portal. Users are able to see the group fine in the Portal, and to send off the Join request. The request shows as 'Pending Approval' as expected.

    The Owner of the group receives the request as expected, and if they click 'Approve' the request shows as 'Completed'.

    However, if I then look at the membership of the group in the Portal, the new user is not added to the group. If I search all requests and find the request as originated by the user, its status appears as 'Authorizing'. If I open up the request, and look at the Approval Information, the 'Update to Group: '<groupname>' Request still shows as 'Pending'.

    If I then click on this approval and try to approve it again, I get a status of 'Request Failed'. 

    Looking at the Event Viewer, I see some errors corresponding to the original request:

    Requestor: urn:uuid:9f545868-9bda-462e-b5f9-3abdb2dc0202

    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.  

    at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)  

    at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)  

    at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)  

    at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)  

    at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)  

    at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Get(Message request)

    The urn/uuid is the requesting user's.

    I guess the requestor doesn't have access to something within FIM, but I'm at a loss to explain what. All of the MPRs are unchanged from the original install, I just added the user to Security Group Users set in order to test the basic approach.

    Any ideas?

    Thursday, May 31, 2012 1:54 PM

All replies

  • Sounds to me like somewhere an email is being sent to a user who has no email address.  Check the people who are involved in the email trail (including the submitter) and see which one it might be ... if they all have a valid mailbox then we can look at the next possibility, but mostly I find the problems are to do with email inconsistency.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    • Marked as answer by MS_83 Friday, June 1, 2012 8:29 AM
    Thursday, May 31, 2012 2:58 PM
  • Both the requestor and the approver have email addresses, both in Exchange and within the FIM Portal. The owner of this group is my default admin account called FIM_admin (email fim_admin@corp.com), the requestor is John Doe (john.doe@corp.com) - names changed to protect the innocent, naturally.

    A bit of searching leads me to believe that the Event Log error is along the lines of the usual 'No permitting MPR exists', but I don't really know at which point the error is occurring, or which object/attribute is being altered - could it be the group, or the request? Not sure.

    On a whim I tried making John Doe the owner of the group, and tried requesting access as FIM_Admin - I get the same error. Since FIM_Admin is, well, an admin, I'm struggling to come up with a theory of where the lack of permission lies...unless I'm barking up the wrong tree completely.

    Thursday, May 31, 2012 3:23 PM
  • Okay, I figured it out.

    It turns out the mail server that the customer gave me (mail.corp.com) was not accepting SMTP traffic from the svc-fim-service@corp.com account, even though I could access that email account via OWA. It seems that the Owner Approval workflow breaks if the approval email fails to send properly, leaving it stuck in the 'Pending' state and causing the request to appear as 'Authorizing' in the request log.

    Leaving the mail server blank in the Service and Portal setup process allowed requests to work normally via the Portal, even if the Outlook side of things isn't going to work until the customer fixes Exchange.

    Thanks Bob - your comment got me thinking down the lines of it being an email problem and it turns out that's what it was.

    • Marked as answer by MS_83 Friday, June 1, 2012 8:28 AM
    Friday, June 1, 2012 8:27 AM
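
An added diagnostic example, not part of the original thread and not Microsoft's own code: it lists requests still in the 'Authorizing' state and then checks whether the mail server accepts an SMTP submission from the service account's address, the failure described in the post above. It assumes the FIMAutomation snap-in is installed on the FIM Service host, the default service URI, and SMTP on port 25; the function names are hypothetical.

```powershell
# Added diagnostic sketch; run on the FIM Service host.
# Assumptions: FIMAutomation snap-in present, default service URI, SMTP on port 25.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-StuckFimRequest {
    param([string]$Uri = 'http://localhost:5725/ResourceManagementService')
    # XPath filter on the Request resource's RequestStatus attribute.
    $filter = "/Request[RequestStatus = 'Authorizing']"
    Export-FIMConfig -Uri $Uri -CustomConfig $filter -OnlyBaseResources |
        ForEach-Object {
            $attrs = @{}
            foreach ($a in $_.ResourceManagementObject.ResourceManagementAttributes) {
                $attrs[$a.AttributeName] = $a.Value
            }
            New-Object PSObject -Property @{
                DisplayName = $attrs['DisplayName']
                Creator     = $attrs['Creator']      # urn:uuid reference, as in the event log
                CreatedTime = $attrs['CreatedTime']
                Status      = $attrs['RequestStatus']
            }
        }
}

function Test-FimSmtpSubmission {
    param(
        [string]$Server = 'mail.corp.com',            # mail server named in the thread
        [string]$From   = 'svc-fim-service@corp.com', # service account address from the thread
        [Parameter(Mandatory = $true)][string]$To,
        [System.Management.Automation.PSCredential]$Credential
    )
    $client = New-Object System.Net.Mail.SmtpClient($Server, 25)
    if ($Credential) { $client.Credentials = $Credential.GetNetworkCredential() }
    else { $client.UseDefaultCredentials = $true }    # use when already running as the service account
    try {
        $client.Send($From, $To, 'FIM SMTP submission test', 'Constructed test message.')
        "Accepted: $Server took a message from $From"
    }
    catch {
        # PowerShell wraps .NET method exceptions; unwrap to the SmtpException if there is one.
        $e = $_.Exception
        while ($e.InnerException -and -not ($e -is [System.Net.Mail.SmtpException])) { $e = $e.InnerException }
        "Rejected: $($e.StatusCode) - $($e.Message)"
    }
}

Get-StuckFimRequest | Format-Table -AutoSize
Test-FimSmtpSubmission -To 'fim_admin@corp.com' -Credential (Get-Credential)
```

A "Rejected" result here while OWA access to the same mailbox works matches the situation in the post above: mailbox access and SMTP submission rights are granted separately.
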
  • Hello,

    I am having the same issue as MS_83. The requestor and the approver have mail addresses and there is no problem with their mailboxes. Also the mail server accepts SMTP traffic from the sending account. The request gets stuck in "Authorizing" state. I get the same error as MS_83 in the Event Viewer. I tried to comment out the configuration of the mail server in the "Microsoft.ResourceManagement.Service.exe.config" file, but I get the same error and another error concerning the mail server. How can I remove the mail server from FIM 2010 and try to work just with the requests in FIM Portal without email sending?

    Thanks,

    Griselda

    Wednesday, February 6, 2013 10:56 AM