none
FIM Export Fails - Fault Reason: The endpoint could not dispatch the request. FIM Account Issue? RRS feed

  • Question

  • Hi,

     I have 3 fim servers:

    fimportal - has fim service & portal running (uses account service.fim & service.sharepoint)
    fimsync - has synchronisation service & synchronisation DB (uses account service.fimsync)
    fimsql - holds portal DB for server fimportal

     I've created an AD MA, FIM MA and an inbound AD sync rule. On my FIM MA I've used account svc-fim (i.e. the account I've used to install FIM). This is not the same account that runs the synchronisation service on fimsync (account svc-fimsync is used for this).

     I've ran a FIM MA import and full sync without issue (I can see my built in, admin account and the sync rule brought into the metaverse). When I do an export I receive an error as shown below.

    What I'm not sure about is if it's because I'm using the wrong account for the FIM MA. If so, which account should I use and what's the best way to change my config (without a total reinstall)?

    I've selected domain (as a text value), accountname and objectsid in my attribute flow, but I may have configured something wrong here.

    Thanks

    Fault Reason: The endpoint could not dispatch the request.\r\n\r\nFault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other 
    Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---&gt; System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.
       at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
       at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
       at Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domainName)
       at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.AddDomainConfigurationFromDomain(CreateRequestParameter domainNameParameter, RequestType request)
       at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.DoRequestCreationPreProcessByAttribute(RequestType request)
       at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.DoRequestCreationPreProcessByAttribute(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
       --- End of inner exception stack trace ---</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>0c7141ca-63a2-42ae-92c3-a0c95de0d940</CorrelationId></DispatchRequestFailures>

    Below shows separate MA account and separate FIM Sync Account


    IT Support/Everything

    Thursday, December 19, 2013 6:08 PM

Answers

  • Just in case anyone else comes across this - the issue was due to the FIM installation account "admin.joe" being in an OU outside of FIM's scope. Rather than bring admin.joe within scope of FIM, I did the following:

    - Created a declared connection filter on person with a DN value that contains my admin account's DN

    Restarted FIM sync service and re-ran export. Worked fine :-)

    Thanks to Tomasz for his advice


    IT Support/Everything

    • Marked as answer by Aetius2012 Monday, March 24, 2014 7:37 PM
    Monday, March 24, 2014 7:37 PM

All replies

  • (...) rocedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied. (...)

    Set Domain attribute value for objects exported to FIM Service and you will be fine.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Thursday, December 19, 2013 8:16 PM
  • It is better to filter the account used to install FIM see best practices for the fim portal administrator account

    Create a separate account for the FIM MA (e.g. svc_fimma), this should be specified during install.

    This account should also be filtered to avoid problems with applied sync rules or even object deletions.

    Thursday, December 19, 2013 9:15 PM
  • Tomasz,

     I'm already flowing domain (see pic). Do I need to flow objectsid in my AD inbound sync rule to get users in the portal and the flow to work?

    Fer, I've already installed FIM, what's the easiest way to get around this? I'd rather avoid a total re-install...

    Thanks


    IT Support/Everything

    Sunday, December 22, 2013 10:20 PM
  • OK - this is configuration. Can you check actual pending export for this user if it contains domain name? 

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Monday, December 23, 2013 9:02 AM
  • Hi Tomek,

     Apologies for the delay, been a busy festive period :-)

    The account in question with the export flow error is my admin account that I used during installation (where prompted I did enter service account credentials).

    Searching the FIM CS on the source object details show all attributes present (including domain), but looking at the export attribute flow shows a final value of deleted! See below.

     I'm following the TechNet guide: http://technet.microsoft.com/en-us/library/ff686264(v=ws.10).aspx and hit the error with the FIM MA export run profile when I run the below steps:

    FIM MA - Full import
    FIM MA - Full synchronization
    FIM MA - Export
    FIM MA - Delta import

    AD MA - Fullll import
    AD MA - Full synchronization

    Initially my admin account was not in the selected containers as configured in the AD MA, however I've now ran that and re-ran the sync, which resulted in my test user being provisioned in the portal. My admin account is still not provisioned - I now get 2 export errors, 1 as before complaining of missing domain and another which complains of my admin account being a duplicate entry.

    Please let me know if anything comes to mind.

    Thanks


    IT Support/Everything



    • Edited by Aetius2012 Tuesday, December 31, 2013 3:00 PM
    Tuesday, December 31, 2013 2:57 PM
  • From what I've read this could be to do with the installation account I've used. Here's how I did the installer:

    1. ran the installer as "admin.mike" for FIM 2010 R2
    2. Used "service.fim" as the dedicated fim service account
        Used service.fimma as the dedicated AD MA account
       User service.fimsync on the fim sync service

     My admin.mike account is in AD as well as the MV and FIM portal. When installing FIM should the installation be done under a separate account that is not imported with an AD import?

    Thanks


    IT Support/Everything


    • Edited by Aetius2012 Monday, January 13, 2014 4:14 PM
    Monday, January 13, 2014 12:53 PM
  • Just in case anyone else comes across this - the issue was due to the FIM installation account "admin.joe" being in an OU outside of FIM's scope. Rather than bring admin.joe within scope of FIM, I did the following:

    - Created a declared connection filter on person with a DN value that contains my admin account's DN

    Restarted FIM sync service and re-ran export. Worked fine :-)

    Thanks to Tomasz for his advice


    IT Support/Everything

    • Marked as answer by Aetius2012 Monday, March 24, 2014 7:37 PM
    Monday, March 24, 2014 7:37 PM