MIM 2016 Admin Account login issue - MIM 2016 Admin Portal

  • Question

  • Hi folks

    Product: MIM 2016 (SSPR)

    We're currently using MIM 2016 purely for SSPR to sync against one domain.  Everything is working as expected fine and dandy; users are able to Password Register and Reset etc.  No issues there.  Recently, the MIM 2016 Portal admin account object was a) changed in AD from usernameA to usernameB and this AD object was moved into a new OU once the username was changed.  The following day, we tried to log into the MIM 2016 Admin Portal and I got the following error:

    You do not have permission to access this site.
    Please contact your help desk or system administrator.

    > Go to Forefront Identity Manager home page

    I then checked for the new username using Metaverse Search within Synchronization Services Manager and could not find the modified username, only the old one.  I tried the old username and this too would not let me log into the Admin Portal either - same error as above.

    I then performed an Export, Full Import (Stage Only) followed by a Full Synchronization on both the MIM Management Agent and the same again on the MIM AD Management Agent.  I still couldn't see the correct (changed) username in the metaverse and obviously still couldn't log in to the MIM 2016 Admin Portal (as above error again).

    I then modified the MIM AD Management Agent within the Directory Partitions to include the new OU (to sync in) with the renamed/moved MIM 2016 admin account to sync across.  I then performed an Export, Full Import (Stage Only) followed by a Full Synchronization on both the MIM Management Agent and the same again on the MIM AD Management Agent.  I could then see the renamed MIM 2016 Admin account but still couldn't log in.  I now realise that this should be a flow filtered account to protect the MIM 2016 admin account but was not aware of this at the time.

    What is the current status on this account, based on the above?  Has it gone?  Am I blocked now from accessing the MIM 2016 Portal?  I search and see the new account in the MIM 2016 metaverse and it exists but I cannot log into the MIM 2016 Admin Portal - I get the error above.  The account was modified and moved to a new OU in AD and not deleted and then the changes (I assume) sync'd in.  Have I lost access to the MIM 2016 Admin Portal or can I still access the system?

    I found the following article recently - https://www.ccrossan.com/blog/identity-management/fim-portal-no-access-for-fim-admin-account/ - which uses a PowerShell script to set the AccountName attribute of the MIM Admin account (identified by a well-known admin user GUID) - is this attribute different between FIM 2010/R2 and MIM 2016?  Is this PowerShell script of any use here?

    If someone could assist me here in any way I can get access back to the Admin Portal, I'd appreciate it.  Has the account in the MIM 2016 Admin Portal been deleted?  Surely not, as I can see it - it has just had a modification.

    Any help on this, really, really appreciated folks! :)

    • Edited by RDWUK Tuesday, November 1, 2016 5:12 PM
    Tuesday, November 1, 2016 2:54 PM

Answers

  • Hi all

    Just to add that this has been resolved.  This is what I did...

    Renamed the account back to the original AD username in AD and moved the account back into the original OU.  I then performed a sync and ran the following, using Brad Turner's PowerShell sync:

    https://social.technet.microsoft.com/Forums/en-US/54cb4f23-df98-4d11-a185-67e6d179a70a/using-powershell-to-fix-an-objectsid-on-a-portal-object?forum=ilm2

    It didn't find any issues with the account I referenced (it said the GUID was present and correct) but after I tried the Admin Portal, it let me back in.

    After, I removed any sync to the OU with the admin accounts in etc and protected the accounts.

    All now working which is a relief.

    Rob

    • Marked as answer by RDWUK Monday, November 7, 2016 9:22 AM
    Monday, November 7, 2016 8:15 AM
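One way to check the mismatch this thread turns on (the Portal's AccountName or ObjectSID for the built-in Administrator no longer agreeing with the AD account) is to read the Administrator object from the MIM Service and resolve it in AD by SID. This is an added diagnostic, not code from the thread or from the linked script; it assumes the FIMAutomation snap-in and the RSAT ActiveDirectory module are available, that the built-in Administrator ObjectID is the well-known 7fb2b853-24f0-4498-9534-4e10589723c4 (verify in your environment), and that the service URI is a placeholder to adjust.

```powershell
# Added diagnostic (not from the thread): compare the MIM Portal's built-in
# Administrator Person object with the AD account its stored ObjectSID resolves to.
Add-PSSnapin FIMAutomation -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Assumptions: well-known built-in Administrator ObjectID (verify it in your
# environment) and a placeholder MIM Service URI.
$AdminObjectId = '7fb2b853-24f0-4498-9534-4e10589723c4'
$FimServiceUri = 'http://localhost:5725'

function Get-PortalAttribute {
    param($Resource, [string]$Name)
    ($Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }).Value
}

# Read only the Administrator object itself, not the objects it references.
$filter = "/Person[ObjectID='$AdminObjectId']"
$admin  = Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $filter
if (-not $admin) { throw "Administrator object $AdminObjectId not found in the MIM Service." }

$portalAccount = Get-PortalAttribute $admin 'AccountName'
$portalDomain  = Get-PortalAttribute $admin 'Domain'
$portalSid     = Get-PortalAttribute $admin 'ObjectSID'   # base64-encoded binary SID

# Resolve the AD user by SID, so a renamed or moved account is still found.
$sidBytes = [Convert]::FromBase64String($portalSid)
$sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
try {
    $adUser = Get-ADUser -Identity $sid.Value -Server $portalDomain -ErrorAction Stop
} catch {
    throw "Portal ObjectSID $($sid.Value) does not resolve to an AD user in $portalDomain."
}

# A false AccountNameMatches is the state described in the thread: the Portal still
# holds the old sAMAccountName while AD has the renamed account.
[pscustomobject]@{
    PortalAccountName   = $portalAccount
    PortalDomain        = $portalDomain
    AdSamAccountName    = $adUser.SamAccountName
    AdDistinguishedName = $adUser.DistinguishedName
    AccountNameMatches  = ($adUser.SamAccountName -ieq $portalAccount)
}
```

Run it on the MIM Service host as an account that can read Person objects; it only reads, so it is safe to run before deciding whether to rename the AD account back (as done here) or update the Portal attribute.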

All replies

  • I think the problem is that your admin account has a different account name in the portal than in the AD. Why did you change the account name in the AD at the beginning?

    Do you have any other account which has admin privileges in the portal?

    Monday, November 7, 2016 8:16 AM