FIM management agent for FIM CM

  • General discussion

  • We have a clean test environment to check all options and features of FIM and FIM CM. We have 5 test servers:

    1. AD DS + DNS + AD CS on Win 2008 R2 SP1

    2. SQL 2008 R2 on Win 2008 R2 SP1

    3. Exchange 2010 on Win 2008 R2 SP1

    4. FIM CM 2010 SP1 on Win 2008 R2 SP1

    5. FIM 2010 SP1 on Win 2008 R2 SP1

    First we installed 4 servers to test FIM CM. All OK: we can issue certificates, check them on the portal and work with smart cards. But this system has very basic notification options, and we need more extensions. So we installed the next server, No. 5, with the FIM 2010 role. It is very easy to create an MA for the portal itself and for AD DS, but we can't create a management agent for FIM CM. It looks like something extraordinary!

    First we updated FIM, FIM CM and the sync server to SP1 (4.0.3531.2) – did not work.

    Then we reread the help and recreated the FIM CM MA – did not work.

    Added the FIM CM MA account to the local Administrators group and granted it permissions for local activation – did not work.

    We rechecked all options and configuration – the same story; Synchronization Service Manager returns “stopped-extensible-extensions-error”.

    Finally, we get this error when we try to do a full import:

    Event 6306, FIMSynchronizationService

    The server encountered an unexpected error while performing an operation for the client.

    “BAIL: MMS(2556): server.cpp(1761): 0x80070005 (Access is denied)
    Forefront Identity Manager 4.0.3531.2”

    Can anybody give us a normal, up-to-date “how to” for installing the FIM CM MA? Some statements in the official help file are not correct. Why are such native operations so difficult to configure?

    Thank you for your attention and any help.

    Sunday, April 17, 2011 6:14 PM

All replies

  • This walkthrough (although written for CLM) is about the best document out there on the topic

    http://download.microsoft.com/download/1/3/7/137d2f75-f95c-4aea-b553-a311203058cc/ManagementAgentforCertificationandSmartCardManagement.doc

    Brian

    Sunday, April 17, 2011 11:49 PM
  • Thank you Brian. Yes, we have already read this document. As I said, we have worked on this problem for more than two weeks. We have read TechNet, this forum and other blogs, with no result. We did the following preparation steps to deploy the management agent; maybe we made a mistake:

    1. Prepared AD and the CA per the TechNet instructions http://technet.microsoft.com/en-us/library/gg430119(WS.10).aspx

    2. Prepared the SQL server and Exchange (open relay)

    3. Installed FIM CM

    4. Set up FIM CM to run under a domain account

    5. Created some custom templates and workflow scenarios. All OK.

    6. Prepared another server and installed FIM Sync and the FIM portal

    7. Installed the FIM CM client on the FIM server

    8. Installed the FIM CM client on the FIM CM server

    9. Updated all FIM components to SP1 (not quite clear, as you see)

    10. Created the FIM AD MA – OK

    11. Created the FIM Portal MA – OK

    12. Created the FIM CM MA – fail (in this section)

    a. Created objectGUID on Person

    b. Added the additional string in web.config

    c. Added permissions for the FIM CM MA account and added it to the group FIMSyncJoiners

    d. Created a SQL account and configured the MA to use it

    e. Granted the SQL account db_datareader

    We tried to combine other parameters like ”ignoreCertWarnings” and “authenticationType” – no result. Can anybody help us resolve this problem?

    When we start a Full Import it finishes with the error “stopped-extensible-extensions-error”. In the Application log we see first error FIMSynchronizationService 6306, then warning FIMSynchronizationService WF 8073, and after that 3 more errors: FIMSynchronizationService WF 8038, FIMSynchronizationService 6801, FIMSynchronizationService 6803.

    Did we make a mistake in the configuration steps?

    Monday, April 18, 2011 6:15 AM
  • 4. Setup FIM CM to run from domain account

    What did you mean by this?

    7. Install FIM CM client on FIM

    Has no dependencies on the FIM CM MA, in other words not relevant for the errors of the MA.

    8. Install FIM CM client on FIM CM

    Same as above.

    12. Create FIM CM MA – fail (in this section)

    Did you already fail to install the core files of the MA when executing ClmWfMASetup-MIIS.MSI?

    a. Create objectGUID in person

    Not really important to run a Full Import / Full Sync successfully.

    b. Add additional string in web.config

    Can you confirm that you edited the web.config on the FIM CM server?

    c. Add permissions for account FIM CM MA and add it to group FIMSyncJoiners

    Can you confirm that you added permissions in the registry of the FIM CM server? It's important to add permissions for the account under which the FIM CM MA is running and for the service account that runs the FIM SyncEngine.

    d. Create SQL account and configure MA to use it

    Can you confirm that you created an AD account (similar to FIMCMMA), created a SQL login for that FIMCMMA account and used the AD account in the User parameter of the FIM CM MA configuration?

    Can you additionally post how you configured the ConnectTo and User parameters in the FIM CM MA configuration?

    Can you run the configuration test script (appendix 2 of the document) successfully?

    From the FIM SyncEngine server, are you able to reach the FIM CM portal using the same URL, user name and password as specified in the FIM CM MA configuration?

    Can you furthermore post the error messages, not only the error numbers?

    /Matthias
    Tuesday, April 19, 2011 6:56 AM
  • 1.       “4. Setup FIM CM to run from domain account What did you mean herewith?”

     It means that service “Forefront Identity Manager Update service” on FIM CM server start with domain account credential contoso\fimcmsrv For ease administration we grant it local administrator rights. For this user set SNP HTTP\FIMCM

    2.       “ Install FIM CM client on FIM Has no dependencies to the FIM CM MA, in other words not relevant for the errors of the MA 8. Install FIM CM client on FIM CM same as above”

    Ok, maybe so. But if application FIM CM client exist it no stand in the way on FIM CM MA. Am I right?

    3.       Create FIM CM MA – fail (in this section)

     here  I want to say that I can open “Syncronizarion manager on FIM” and can create other MA like AD DS, SQL and FIM portal. But when I create MA for FIM CM, successfully save it, add run profiles and try to start full import – my import is fail. In section of “Introduction to the Management Agent for Certificate and Smart Card Management” wrote:

    Installing the ILM components of the CLMMA

    This section lists the steps for installing the ILM components of the CLM MA.

    To install the ILM components of the CLMMA

    1.   In the Management Agents folder of your ILM installation folder, open the CLM folder.

    2.   Double-click ClmWfMASetup-MIIS.MSI to begin the installation process.

    3.   On the Certificate Lifecycle Manager License Agreement page, click I accept the terms in the license agreement, and then click Install.

    4.   When the installation completes, click Finish.

    I was try to find ClmWfMASetup-MIIS.MSI on FIM 2010 server – nowhere. I thought it’s about FIM CM client, and that’s why installed it on server.

     

    4.       Without obectGUID in person I can’t create successfully FIM CM MA. It needs this dependence parameter.

    5.       My web.conf section on FIM CM server is:

    <service>

                   <wellknown mode=”Singleton” type=”Microsoft.Clm.BusinessLayer.RemoteRequests, Microsoft.Clm.BusinessLayer” objectUri=”remoterequests.rem”/>

    <wellknown mode=”Singleton” type=”ExtensibleWfMA.ClmMaProxy, Microsoft.Clm.ClmMaProxy” objectUri=”clmManagementAgent.rem”/>

    </service>

    Of course after configuring run “iisreset” (and a lot of restart server later :) )

    6.       Yes, I confirm FIM CM MA user account have all need access in registry ( it’s member of local administrators group) and it’s member of the global security group FIMSyncJoiners. FIM synchronization service run form domain account with same configurations.

    7.       For SQL I create internal SQL user account (not domain). In help file I read that MA can use SQL server account for this purpose. I map it with FIMCertificateManagement database and grant db_public and db_datareader rights.

     

    Detailed configuration of my FIM CM MA

    Properties
      Name: FIM CM MA
      Checked “Run this management agent in a separate process”

    Configure connection information
      Connect to: http://<FQDN>/certificatemanagement
      User: contoso\fimma
      Password: ******

    Configure additional parameters
      authenticationType: ntlm
      defaultRequestComments: Submitted by the sync server
      defaultRequestPriority: 1
      ignoreCertWarnings: True
      typeOfReqToSubmitOnProfileDelete: Disable
      useSQLAuth: True
      sqlUserName: fimcmma
      sqlPassword: ******

    Other parameters without any change.

    No, I did not run the script from appendix 2 because I am not sure it is compatible with FIM 2010, is it?

    Yes, I can access the FIM CM web URL from FIM and after entering credentials I get the portal page.

    After each full import attempt I get these 5 events:

    *******************************************************

    FIMSynchronizationService, event 6306, Error

    The server encountered an unexpected error while performing an operation for the client.

    "BAIL: MMS(2404): server.cpp(1761): 0x80070005 (Access is denied.)
    Forefront Identity Manager 4.0.3531.2"

    ********************************************************

    FIMSynchronizationService WF, event 8037, Warning

    Error getting the pending deletes from the Clm connector space. Type: System.NullReferenceException

    Message: The Clm management agent must be configured to run in a spererate process and the MIIS service account must be a member of the FIMSyncAdmins group. Error getting the search token: There are no statistics for the token passed in.

    Stack Trace:
       at ExtensibleWfMA.ExportClmConnectorSpace.GetUnconfirmedDeletes(String maFolder)
       at ExtensibleWfMA.ImportWF.beginImportCode_ExecuteCode(Object sender, EventArgs e)

    ********************************************************

    FIMSynchronizationService WF, event 8041, Error

    There was an error in endImportCode_ExecuteCode. Type: System.Collections.Generic.KeyNotFoundException

    Message: The given key was not present in the dictionary.

    Stack Trace:
       at System.ThrowHelper.ThrowKeyNotFoundException()
       at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
       at ExtensibleWfMA.ImportWF.endImportCode_ExecuteCode(Object sender, EventArgs e)

    ********************************************************

    FIMSynchronizationService, event 6801, Error

    The extensible extension returned an unsupported error.
    The stack trace is:

    "Microsoft.MetadirectoryServices.ExtensibleExtensionException: The given key was not present in the dictionary.
       at System.ThrowHelper.ThrowKeyNotFoundException()
       at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
       at ExtensibleWfMA.ImportWF.endImportCode_ExecuteCode(Object sender, EventArgs e)
       at ExtensibleWfMA.MACallExport.GenerateImportFile(String filename, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fullImport, TypeDescriptionCollection types, String& customData)
    Forefront Identity Manager 4.0.3531.2"

    ********************************************************

    FIMSynchronizationService, event 6803, Error

    The management agent "FIM CM" failed on run profile "Full Import" because the server encountered errors.

    ********************************************************


    Tuesday, April 19, 2011 9:15 PM
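The checks Matthias asks for in his reply, collected into one script a practitioner would run from the FIM Sync server before retrying the Full Import: membership of the sync service account in FIMSyncAdmins (the group that event 8037 names) and of the MA account in FIMSyncJoiners, the clmManagementAgent.rem remoting entry in the FIM CM server's web.config, and whether the portal URL answers to the MA account's credentials. This is an added example, not code from the thread or from the FIM CM MA documentation. The account, group and URL names come from the posts; the sync service account name and the web.config path are assumptions marked in the comments, and the registry permissions Matthias mentions are not checked because the thread does not name the key.

```powershell
# Added example, not from the thread or the FIM CM MA documentation: the prerequisite checks
# Matthias asks for, run from the FIM Sync server. Account, group and URL names are taken from
# the posts; $SyncServiceAccount and the web.config path are assumptions noted below.
param(
    [string]$Domain             = 'contoso',
    [string]$SyncServiceAccount = 'fimsyncsvc',   # assumed: the thread never names the FIMSynchronizationService account
    [string]$MaAccount          = 'fimma',        # "User" parameter of the FIM CM MA (contoso\fimma in the thread)
    [string]$PortalUrl          = 'http://fimcm.contoso.com/certificatemanagement',  # thread shows http://<FQDN>/certificatemanagement
    # Assumed default FIM CM install path, read over the admin share of the FIM CM server
    [string]$ClmWebConfig       = '\\fimcm\c$\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'
)

Import-Module ActiveDirectory   # RSAT AD cmdlets, available on Windows Server 2008 R2

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. Group membership. Event 8037 in the thread says the sync service account must be in
#    FIMSyncAdmins; the walkthrough puts the MA account in FIMSyncJoiners. -Recursive also
#    catches membership through nested groups.
function Test-GroupMember([string]$Group, [string]$Account) {
    $members = Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object { $_.SamAccountName }
    return [bool]($members -contains $Account)
}
foreach ($check in @(
        @{ Group = 'FIMSyncAdmins';  Account = $SyncServiceAccount },
        @{ Group = 'FIMSyncJoiners'; Account = $MaAccount })) {
    $label = "$($check.Group) contains $($check.Account)"
    try   { Add-Result $label (Test-GroupMember $check.Group $check.Account) '' }
    catch { Add-Result $label $false $_.Exception.Message }
}

# 2. The web.config on the FIM CM server must register the ClmMaProxy remoting endpoint the MA
#    calls (the <wellknown ... objectUri="clmManagementAgent.rem"/> line quoted in the thread).
try {
    [xml]$cfg = Get-Content -Path $ClmWebConfig
    $node = $cfg.SelectSingleNode("//wellknown[@objectUri='clmManagementAgent.rem']")
    if ($node -eq $null) {
        Add-Result 'web.config registers clmManagementAgent.rem' $false 'wellknown entry missing'
    } else {
        $ok = ($node.mode -eq 'Singleton') -and ($node.type -like 'ExtensibleWfMA.ClmMaProxy,*')
        Add-Result 'web.config registers clmManagementAgent.rem' $ok $node.type
    }
} catch {
    Add-Result 'web.config readable' $false $_.Exception.Message
}

# 3. Does the portal answer to the MA account from this server, with the same URL, user name and
#    password the MA is configured with? The thread sets authenticationType to ntlm, which
#    NetworkCredential negotiates; a 401 here means the MA cannot get in either.
$secure = Read-Host -AsSecureString "Password for $Domain\$MaAccount"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
$web = New-Object System.Net.WebClient
$web.Credentials = New-Object System.Net.NetworkCredential($MaAccount, $plain, $Domain)
try {
    $body = $web.DownloadString($PortalUrl)
    Add-Result 'portal answers to MA credentials' ($body.Length -gt 0) "$($body.Length) bytes received"
} catch {
    Add-Result 'portal answers to MA credentials' $false $_.Exception.Message
}

$results | Format-Table -Property Check, Ok, Detail -AutoSize
```

Run it as a domain user who can read the FIM CM server's admin share. Two things it cannot verify: the registry ACL Matthias refers to, since the thread never names the key, and the "Run this management agent in a separate process" box that the 8037 message also calls out, which only the Synchronization Service Manager shows; compare both against the walkthrough by hand.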
  • Did you check that the FIM SyncEngine service account is a member of the FIMSyncAdmins group?
    /Matthias
    Wednesday, April 20, 2011 7:58 PM
  • Of course, yes. For test purposes I granted this account all available rights.

    I forgot: I could not update the FIM portal to 4.0.3531.2 before reconfiguring it to use a self-signed certificate with the name “ForefrontIdentityManager”. Previously, during install, we used a correct certificate issued by the CA. Thanks to this post. Looks like a bug. After the update to SP1 I did not reconfigure FIM. So I ran Change and reconfigured the FIM portal to use the valid certificate issued by the local CA for the FIM FQDN again.

    After it finished successfully I ran a Full Import for the FIM CM MA. The errors in the FIM event log changed, and in the SQL log I see a successful connection from my FIM under the SQL account. Before, this log entry was not present.

    So, the new errors in my log:

    *********************************************************

    FIMSynchronizationService WF, event 8041

    There was an error in endImportCode_ExecuteCode. Type: System.Collections.Generic.KeyNotFoundException

    Message: The given key was not present in the dictionary.

    *********************************************************

    FIMSynchronizationService, event 6801

    The extensible extension returned an unsupported error.
    The stack trace is:

    "Microsoft.MetadirectoryServices.ExtensibleExtensionException: The given key was not present in the dictionary.
       at System.ThrowHelper.ThrowKeyNotFoundException()
       at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
       at ExtensibleWfMA.ImportWF.endImportCode_ExecuteCode(Object sender, EventArgs e)
       at ExtensibleWfMA.MACallExport.GenerateImportFile(String filename, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fullImport, TypeDescriptionCollection types, String& customData)
    Forefront Identity Manager 4.0.3531.2"

    *********************************************************

    FIMSynchronizationService, event 6803

    The management agent "FIM CM" failed on run profile "Full Import" because the server encountered errors.

    *********************************************************

    Can anybody say whether the FIM CM MA works on FIM SP1, or can anybody say that they have completely installed this MA? I repeat, we use a test environment and can reinstall all servers following your configuration guide. Can anybody give us a working guide for FIM 2010 SP1? The official document is not correct and not helpful for us.

    Thank you.


    Thursday, April 21, 2011 8:38 AM
  • OK, I got it. As I said previously, we have a test environment. So I installed a new infrastructure with these settings:

    1. Win2k8 R2 Ent: AD DS, AD CS, DNS

    2. Win2k8 R2 Ent: SQL + FIM CM (not SP1)

    3. Win2k8 R2 Ent: FIM (not SP1)

    And all OK. Without any problems, with the same configuration, we can create the FIM CM MA. The one main difference between these infrastructures is SQL. In the first environment we have a separate SQL server; in the second environment SQL is installed together with FIM CM. And everything works fine.

    So the question is now clearer: how does the FIM CM MA work with SQL, and what parameters do we need to configure?

    Thank you.

    Friday, April 22, 2011 3:33 PM
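The SQL side of the MA that the last post asks about, as an added example that is not part of the thread or the product documentation. It provisions the SQL login that steps d and e of the second post describe (login, database user, db_datareader on FIMCertificateManagement) and then connects the way the MA does with useSQLAuth True, from the FIM Sync server to a SQL Server on a separate host, which is the one difference between the failing and the working environment. The login and database names are from the thread; the SQL host name is an assumption, and the script says nothing about which MA parameter carries the SQL server name, because the thread does not show one.

```powershell
# Added example, not from the thread or the product documentation: provision and verify the SQL
# login the FIM CM MA uses when useSQLAuth is True, run from the FIM Sync server against a SQL
# Server on a separate host. Login and database names are from the thread; $SqlServer is assumed.
param(
    [string]$SqlServer = 'sql.contoso.com',            # assumed host name of the separate SQL server
    [int]$Port         = 1433,
    [string]$Database  = 'FIMCertificateManagement',
    [string]$SqlLogin  = 'fimcmma',                    # sqlUserName in the MA configuration
    [switch]$Provision                                  # create login/user/role membership (run as SQL sysadmin, Windows auth)
)

function Read-Plain([string]$Prompt) {
    $s = Read-Host -AsSecureString $Prompt
    return [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))
}

# Runs one batch and returns the first column of its first row ($null for pure DDL).
function Invoke-Scalar([string]$ConnectionString, [string]$Sql) {
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
        return $cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

# 1. A SQL Server installed next to FIM CM is reached over shared memory; a separate server needs
#    the TCP protocol enabled and the port open in the firewall, or the MA never gets to log in.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($SqlServer, $Port); $portOpen = $tcp.Connected }
catch { $portOpen = $false }
finally { $tcp.Close() }
"TCP $($SqlServer):$Port reachable from this host: $portOpen"
if (-not $portOpen) { return }

$adminCs = "Server=$SqlServer,$Port;Database=master;Integrated Security=SSPI;"

# 2. A SQL login (not a domain account) only works when the instance allows mixed-mode
#    authentication; IsIntegratedSecurityOnly = 1 means Windows authentication only.
$winOnly = Invoke-Scalar $adminCs "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
"Mixed-mode authentication enabled: $($winOnly -eq 0)"

# 3. Optional, idempotent provisioning: login, database user mapped to it, db_datareader membership.
if ($Provision) {
    $pw = (Read-Plain "New password for SQL login $SqlLogin").Replace("'", "''")   # CREATE LOGIN takes a literal; escape quotes
    $batch = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SqlLogin')
    CREATE LOGIN [$SqlLogin] WITH PASSWORD = N'$pw', CHECK_POLICY = ON;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SqlLogin')
    CREATE USER [$SqlLogin] FOR LOGIN [$SqlLogin];
IF IS_ROLEMEMBER('db_datareader', '$SqlLogin') = 0
    EXEC sp_addrolemember N'db_datareader', N'$SqlLogin';
"@
    Invoke-Scalar $adminCs $batch | Out-Null
    "Provisioned login $SqlLogin on $SqlServer with db_datareader on $Database"
}

# 4. Connect exactly as the MA does (SQL authentication, the MA's login, the FIM CM database) and
#    check the one right the walkthrough grants. The builder quotes special characters in the password.
$b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$b['Data Source']     = "$SqlServer,$Port"
$b['Initial Catalog'] = $Database
$b['User ID']         = $SqlLogin
$b['Password']        = Read-Plain "sqlPassword value for $SqlLogin"
try {
    $isReader = Invoke-Scalar $b.ConnectionString "SELECT IS_MEMBER('db_datareader')"
    $tables   = Invoke-Scalar $b.ConnectionString "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES"
    "Login as $SqlLogin succeeded; db_datareader: $($isReader -eq 1); tables visible: $tables"
} catch {
    "Login as $SqlLogin failed: $($_.Exception.Message)"   # 18456 = login failed, 4060 = cannot open database
}
```

Without -Provision the script only reads; with it, run under a Windows account that is sysadmin on the instance. A closed TCP port or IsIntegratedSecurityOnly = 1 is the kind of difference that lets the same MA settings work against a SQL Server installed next to FIM CM and fail against a separate one, and step 4 reproduces the MA's own login attempt so the error number can be compared with what the SQL Server error log shows.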