Error while Export in FIM MA RRS feed

  • Question

  • I got the following error while running Export on FIM MA.

    There is an error executing a web service object modification request. 
    Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException 

    Message: Access to the requested resource(s) is denied

    Stack Trace:    at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
       at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
       at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)
       at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)

    Inner Exception: 



    Please assist.

    Mohit Goyal
    Thursday, October 8, 2009 12:06 PM

Answers

  • This is good!
    At least, we know now, what the problem is.

    The account you have specified as FIM MA account during setup and the account you are actually using right now don't match.

    Run setup again (Control Panel/Programs and Features/Change), reconfigure FIM, and then run the script again.

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Friday, November 6, 2009 12:23 PM
  • Hey markus,

    Thanks a lot, I found the error and I did not perform a reinstall.
    The error was when I configured FIM MA for "connect to Database", where I accidentally provided test\administrator to connect to DB.

    After providing FIM MA (in my case ilmma) credentials, attributes start flowing in.


    Thanks a lot again. :)
    Cheers, Mohit Goyal
    Friday, November 6, 2009 12:51 PM

All replies

  • Hi Mohit,
    could you provide some more details on what you are trying to do?

    In particular, which type of resource are you trying to export when you get the error? A user? A group?

    Did you add some custom attributes to the object type? If so, be aware that RC1 comes with more restrictive permissions than RC0 by default, and you should explicitly enable access to the new attribute by updating the MPR "Administration: Administrators can read and update Users" (or equivalent for Groups).

    Hope this helps,
    Paolo
    Thursday, October 8, 2009 12:14 PM
  • Hi Paolo,

    I am trying to export a user, not any group.

    I did not add any custom attribute to the object type. In fact, I am doing this in a lab environment with the document for "Publishing Active Directory Users From Two Authoritative Data Sources".

    I checked the MPR which you mentioned and it is enabled.



    Mohit Goyal
    Friday, October 9, 2009 5:42 AM
  • The user had already been created and the export fails when you try to modify it? Is the error code "failed-modification-via-webservices"?

    How is your lab environment? Are the portal and the synchronization service on different machines or on the same?

    Maybe you did not properly configure the FIM service accounts. You could check this TechnoVanza blog post to see if there is something relevant for you.

    Cheers
    Paolo Tedesco http://espace.cern.ch/idm
    Friday, October 9, 2009 7:32 AM
  • Thanks Paolo,

    I found out what I missed and I hope it is corrected now. I could not check it now. I have a lab environment which contains all services on a single computer, including SQL Server. I missed a certain attribute for the initial flow only check box.

    Somehow I forgot to check DN attribute flow for initial flow, so I got the following error: "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector". As this error says I missed the check on DN attribute flow, I went to the sync rule and checked DN attribute flow, but to my surprise I got the same error, this time with different text: "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "FIM AD MA" do not include an object with DN "CN=Mohit GoyalOU\=FIMObjects,DC=test,DC=local" and object classes user."

    I also tried to put criteria under the partition filter for Management Agent "FIM AD MA", but ended up with no success.

    Please guide me if I missed anything this time.



    Mohit Goyal
    Friday, October 9, 2009 11:16 AM
  • I don't know if it's relevant, but you are missing a comma between the CN and the first OU component in the DN:

    CN=Mohit GoyalOU=...

    should be:

    CN=Mohit Goyal,OU=...

    Check how you configured the flow for the DN attribute in the synchronization rule.

    Cheers
    Paolo Tedesco - http://espace.cern.ch/idm
    Friday, October 9, 2009 11:38 AM
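
Added example (not part of the thread and not FIM or Microsoft code): a small Python check for the fused-RDN problem pointed out in the reply above. It splits a DN on unescaped commas, flags an RDN whose value embeds another `TYPE=` component, and shows that the DN from the error text parses as a direct child of `DC=test,DC=local`. The attribute-type list and the container `OU=FIMObjects,DC=test,DC=local` are assumptions made for the illustration.

```python
import re

# Heuristic, case-sensitive list of attribute types to look for inside RDN values (assumption).
RDN_TYPES = "CN|OU|DC|UID|ST|O|L|C"
FUSED = re.compile(r"(" + RDN_TYPES + r")\\?=")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    parts, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]      # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            parts.append(current)
            current = ""
            i += 1
        else:
            current += dn[i]
            i += 1
    parts.append(current)
    return parts

def find_fused_rdns(dn):
    """Return (rdn, suggested_rdn) for each RDN whose value embeds another 'TYPE='."""
    findings = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        match = FUSED.search(value)
        if match:
            fixed = f"{attr}={value[:match.start()]},{match.group(1)}={value[match.end():]}"
            findings.append((rdn, fixed))
    return findings

def is_under(dn, container):
    """True if dn sits below container (case-insensitive RDN suffix match)."""
    child = [r.strip().lower() for r in split_rdns(dn)]
    parent = [r.strip().lower() for r in split_rdns(container)]
    return len(child) > len(parent) and child[-len(parent):] == parent

# DN copied from the error text in the thread; the container is an assumed filter value.
BAD_DN = r"CN=Mohit GoyalOU\=FIMObjects,DC=test,DC=local"
CONTAINER = "OU=FIMObjects,DC=test,DC=local"

if __name__ == "__main__":
    for rdn, fixed in find_fused_rdns(BAD_DN):
        print(f"suspicious RDN {rdn!r}; did the flow rule mean {fixed!r}?")
    print("under container:", is_under(BAD_DN, CONTAINER))
```

The check is a heuristic: an `=` inside an RDN value is legal, so a finding is a prompt to review the DN flow rule, not proof of an error.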
  • If I read your post correctly, you get the error during an export on the FIM MA.
    Also, the error is an access denied.
    Verify whether the FIM MA account has the right to logon locally.
    If this is not the case, grant the right, and then run the export again.
    Does this fix your issue?

    Cheers,
    Markus
    Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
    Friday, October 9, 2009 12:21 PM
  • Hello Markus,

    Yes, it is correct that I am getting an access denied error during Export on the FIM MA. I checked the local policy on the same server and under "deny logon locally" there is nothing. I think then it is allowed to log on locally.

    Just to make it clear, the FIM MA account would then be the account which is under "Built-in Synchronization Account".

    Please help.

    Mohit Goyal
    Monday, October 12, 2009 10:22 AM
  • Does anyone have any workaround for this issue? I am still suffering from this pain.


    Please help!!!!!!!!!!! :(

    Cheers, Mohit Goyal
    Wednesday, October 14, 2009 7:44 AM
  • Log on as administrator to your FIM server, and then run the following command on the command line:
    runas /user:fabrikam\fimma cmd

    You will have to replace the account with the FIM MA account you are using in your environment.
    If the command fails, your account doesn't have the right to logon locally.
    In this case, fix the rights issue and run your export again.

    Cheers,
    Markus
    Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
    Wednesday, October 14, 2009 10:47 AM
  • Hi Markus,


    I had tried it and I am able to log on with it, which means logon locally is granted to the FIM MA account.
    I checked the requests made today in the portal and found that the "update to person" request is denied and the originator is administrator. If I check 'Applied Policy', I could not find anything. Is it due to a policy not being applied, or some other issue?

    Also, I have enabled all MPRs:
    1. General: Users can read schema related resources
    2. General: Users can read non-administrative configuration resources
    3. User management: Users can read attributes of their own

    Now please let me know, did I still miss anything?


    I understand that it becomes frustrating sometimes with silly questions, but I appreciate that you take such a kind approach to questions.

    Please help me.

    Cheers, Mohit Goyal
    Thursday, November 5, 2009 1:00 PM
  • No sweat – we want you guys to be happy with the product.
    A forum is the right place to ask these questions.

    Mohit, please run this script and post the outcome.
    The script does a bit more than just looking at logon locally.

    We need to make sure that there is no issue with your FIM MA account, first.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Thursday, November 5, 2009 2:54 PM
  • Hello Markus,

    Thanks for the reply,

    PS C:\> .\script.ps1

    FIM MA Account Test
    ====================
     -Reading registry configuration
     -FIM MA account name: TEST\ilmma
     -FIM MA account SID : S-1-5-21-1511427291-1577385093-316865315-1173
     -Reading MA configuration
     -FIM MA account name: test\administrator

    Error: Rgistry configuration and FIM MA configuration for MA account don't match!

    Here is the output of the script.


    Please let me know what I have to do now.


    Cheers, Mohit Goyal
    Friday, November 6, 2009 8:57 AM
  • Good post.  I'm having the same problem.

     I ran the script but it fails reading the MA configuration.  Any ideas?

    FIM MA Account Test
    ====================
     -Reading registry configuration
     -FIM MA account name: GLOBAL\svc_fimma
     -FIM MA account SID : S-1-5-21-2010550861-1320369007-2453991459-152258
     -Reading MA configuration

    Error: Failure on making enumeration web service call.

    Filter = /ma-data[SyncConfig-category='FIM']
    Error= Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The endpoint could not dispatch the reques
    t.
       at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters)
       at Microsoft.ResourceManagement.WebServices.ResourceManager.MoveNext()
       at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()

    -Mike Kirtland

    Sunday, September 19, 2010 6:36 AM
  • Mike,

     

    I have seen this error when the objectSID of the admin user is removed from the portal via the sync service and therefore, also the admin set. If you have another admin user, try using that to log into the portal, run scripts, etc. If there is no other admin user and the objectSID is in fact gone, the only thing you can do is to reinstall with a clean FIMService DB (and thus lose your configuration). It is very important to make a 'backup' admin user as soon as you can to avoid this problem.

    Sunday, September 19, 2010 1:48 PM
  • I have the problem with an EXPORT profile in the FIM MA.

    I tested my MA account and MPRs by scripts. All was ok.

     

    But the error appears:

    failed-modification-via-web-services

    Inner Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'FIMService/my_srv_name. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

    FIM 2010 version 4.0.2592.0

    2 Server Installation: FIM Service and FIMSyncService

    both Win2008 R2 Ent x64

    SQL 2008


    TVV
    Friday, June 3, 2011 2:59 PM
  • In my case, I reinstalled FIM Service and on the tab "Configure FIM Service and Portal – Configure connection to the FIM Service" I typed the FQDN for the server name.

    Spent 2 weeks to resolve it.


    TVV
    Tuesday, June 14, 2011 11:19 AM