You do not have permission to access this site

  • Question

  • Hi,

    So my admin user can password enroll/reset and see the portal, none of the domain users can. I am provisioning users from an HR system into the Portal and then into AD & exchange. This is what I have checked thus far:

    • The user has an AD user account
    • The attributes "Domain", "AccountName" and "ObjectSID" have values populated about that AD user account (synched by the FIM Sync Engine)
    • Selected these during installation:
      • Grant Authenticated Users access to the FIM Portal Site
      • Grant Authenticated Users access to the FIM Password Reset Site
    • MPRs enabled:
      • "General: Users can read non-administrative configuration resources"
      • "User management: Users can read attributes of their own"
    • Ran this to verify the MPRs: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/73954797-afb4-4448-8c3e-af5b4f9e2eb5
    • Ran this script against the few accounts I am testing to check if any had missing ObjectSID values (all were there): http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/54cb4f23-df98-4d11-a185-67e6d179a70a
    • I have also verified this: As a SharePoint admin, select "Site Actions" in the top right corner and then select "Advanced Permissions". In the permissions for the site itself, review the checkboxes that grant "NT Authority\Authenticated Users" Read access.

    In addition the following also has been done:

    confirmed the necessary firewall ports are open
    confirmed the FIM Service account is part of the FIMSyncPasswordSet group
    On the AD MA, enabled the 'Enable password management' check box
    Modified the 'Password Reset AuthN Workflow' to 'require re-registration' and set up the QA Gate questions
    Verified that the 'Password reset action workflow' is as per default configuration
    reviewed the Set 'password reset users set' to ensure all the users I want to test are there
    confirmed that the 'password reset objects set' contains the following: All gate registration (Set); anonymous users can reset their password (MPR); password reset authn workflow (Workflow); password reset users set (set)
    ensured the following MPRs are enabled and configured as per the lab guide: password reset users can read password reset objects; anonymous users can reset their password; password users can update the lockout attributes of themselves; users can create registration objects for themselves; user management: users can read attributes of their own; general: users can read non-administrative configuration resources; general workflow: registration initiation for authentication activity;
    deployed the FIM extensions on a Windows 7 client (domain member)


    However, whenever a domain user tries to access the Portal they see "You do not have permission to access this site"

    Any ideas on what else to check please?
    thank you


    Thursday, April 7, 2011 9:56 AM

Answers

  • Hi S.Kwan,

    I'd check the event viewer as it can often give the reason away.

    Have you flowed objectSID back from the users once they've been created in AD, and from there have you flowed it into the object in the portal?  It might be worth just checking a user's extended attributes to check the ResourceSID isn't empty.

    Paul.

    Friday, April 8, 2011 12:29 PM
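    Since the Portal maps an authenticated Windows user to a Person resource by SID, the check Paul suggests above (and the ObjectSID script the question links) can be automated. The following is an added example, not Paul's code and not the script from the linked thread; it assumes the FIMAutomation snap-in is installed on the FIM Service box, that the service URI and the sample DOMAIN\AccountName are placeholders, and that Export-FIMConfig returns the binary ObjectSID as a Base64 string.

```powershell
# Added example (not from this thread): verify that the FIM Portal Person
# resource for an AD account carries Domain, AccountName and ObjectSID, and
# that the stored ObjectSID is the SID Windows resolves for DOMAIN\AccountName.
# An empty or mismatched ObjectSID is enough for the Portal to reject the user.
# Assumptions: FIMAutomation snap-in present; URI/domain/account are placeholders;
# Export-FIMConfig returns binary attributes such as ObjectSID as Base64 strings.
param(
    [string]$FimServiceUri = "http://localhost:5725",   # placeholder
    [string]$Domain        = "CONTOSO",                 # placeholder
    [string]$AccountName   = "jdoe"                     # placeholder
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Pull only the Person whose AccountName matches; no referenced resources expanded.
$filter = "/Person[AccountName='$AccountName']"
$export = Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $filter |
          Select-Object -First 1

if (-not $export) {
    Write-Warning "No Person resource found for AccountName '$AccountName' (never provisioned or joined into the Portal)."
    return
}

# Flatten the ResourceManagementAttributes collection into a hashtable for lookup.
$attrs = @{}
foreach ($a in $export.ResourceManagementObject.ResourceManagementAttributes) {
    $attrs[$a.AttributeName] = if ($a.IsMultiValue) { $a.Values } else { $a.Value }
}

# The three attributes the Portal needs to recognise a Windows-authenticated user.
foreach ($name in 'Domain', 'AccountName', 'ObjectSID') {
    if ([string]::IsNullOrEmpty($attrs[$name])) {
        Write-Warning "$name is empty on the Person resource; the Portal cannot map this user."
    } else {
        Write-Host ("{0,-12}: present" -f $name)
    }
}

if ($attrs['ObjectSID']) {
    # Decode the stored binary SID and compare it with what Windows resolves for the account.
    $sidBytes  = [Convert]::FromBase64String($attrs['ObjectSID'])
    $portalSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $account   = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
    $adSid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

    if ($portalSid.Value -eq $adSid.Value) {
        Write-Host "ObjectSID matches AD: $($adSid.Value)"
    } else {
        Write-Warning "ObjectSID mismatch: Portal=$($portalSid.Value) AD=$($adSid.Value) (stale or mis-flowed value)"
    }
}
```

    Run it on the FIM Service box as an account that can read Person resources (the admin account from the question will do). A "present" line for all three attributes together with a matching SID means the Portal-side mapping is fine and the denial is coming from SharePoint site permissions or an MPR instead, which is exactly the split Joe asks about further down the thread.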
  • You've no doubt checked all the ideas on this thread, but just in case you haven't ... :)


    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Saturday, April 9, 2011 4:02 AM

All replies

  • Curious, did you give them access when you did the install?

    There's a checkbox:

    Grant authenticated users access to the FIM Portal Site.

    That could be your problem.


    Joe Stepongzi - Identity Management Consultant ilmXframework.codeplex.com
    Thursday, April 7, 2011 1:58 PM
  • Hi,

    I have done quite a few installs of the Portal, and I am 99,999% certain I ticked the checkboxes.

    If however, I did not - how would one correct this after the Portal has been deployed?


    Thursday, April 7, 2011 5:33 PM
  • Control Panel, Programs, and just do a change install and re-add the params.

    It's worth a shot to check.. :)


    Joe Stepongzi - Identity Management Consultant ilmXframework.codeplex.com
    Thursday, April 7, 2011 5:35 PM
  • You can also do it in SharePoint.. that's basically what the checkbox does.. And it's there for you.


    Finally read your whole message.. sorry about that... rofl...

    Looks like you did post of it..

    Can you tell if the error message is from SharePoint or FIM itself?  Usually if it's site access it wouldn't show you the FIM borders..

    If it's FIM permissions, then it's likely an MPR issue..

    Have you confirmed the user you are using is part of the sets?

    Joe Stepongzi - Identity Management Consultant ilmXframework.codeplex.com

    Thursday, April 7, 2011 5:37 PM
  • Are you prompted for username and password multiple times before eventually getting an access denied? 

    Can you access the parent WSS site? 

    Can you access the site on-box using the IP address instead of a hostname?


    Thursday, April 7, 2011 8:34 PM