FIM Admin Account ObjectSID is deleted by FIMMA Sync Rule - ADMA is not doing its job.

  • Question

  • Hi!

    I'm trying to populate FIM DB with AD Accounts.

    ObjectSID is configured to flow from AD to FIM DB.

    My problem is: any time I run FIMMA Export, it deletes the SID of my FIM Admin Account.

    After this I lost my FIM admin access, and the only solution is to install everything again from scratch.

    It is supposed that ADMA should populate the SID, but when finally it does, the FIM Admin account only gets "normal user privileges".

    And again, re-install is the only solution.

    Any recommendation on how to avoid this painful situation?

    Alejandro

    Monday, November 29, 2010 3:27 AM

Answers

  • One way is to filter out the administrator account from both the AD and FIM MAs.  Next is to deny the Sync Service the rights to modify the administrator account (which should already have the right objectSid at install time anyhow).  Agreed - nasty loophole to avoid ... everyone makes this mistake once ...
    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Monday, November 29, 2010 7:01 AM
  • If you're coming into the situation of lost objectSIDs and cannot access the FIM Portal anymore, there might be two workarounds to get back access:

    1. Use PowerShell to fix objectSID misconfigurations. Look here
    2. Use FIM MA to repopulate the objectSID from Active Directory

    In the latter case you may temporarily reconfigure the FIM & Active Directory MA so that attribute flow can happen from Active Directory to FIM DB (including joining of objects if they are disconnected).

    Keep in mind that both workarounds may have some prerequisites, e.g. FIM MA can access and update the FIM DB.

    It is supposed that ADMA should populate the SID, but when finally it does, the FIM Admin account only gets "normal user privileges".

    Something else should be going wrong here. I did the “re-deployment” of Admin’s objectSID with the FIM MA successfully and had full Admin privileges afterwards.

    /Matthias
    Monday, November 29, 2010 8:13 AM
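As an added check (example code written for this page, not from the thread or from Microsoft), the PowerShell script below compares the base64 ObjectSID stored on the FIM Service Person object with the SID Active Directory holds for the same account, so a wiped or wrong objectSID is detected before the next FIM MA export locks the portal admin out. It assumes the FIMAutomation snap-in is available on the FIM Service host; the domain name and account name are placeholders.

```powershell
# Added example: detect an ObjectSID mismatch between AD and the FIM Service
# for the portal admin account. Assumes the FIMAutomation snap-in is installed.
param(
    [string]$Domain      = "CONTOSO",        # placeholder NetBIOS domain name
    [string]$AccountName = "administrator"   # placeholder sAMAccountName / FIM AccountName
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# 1. Resolve the account's SID in Active Directory and encode it the way the
#    FIM Service stores binary attributes (base64 of the binary SID).
$nt  = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] ($sid.BinaryLength)
$sid.GetBinaryForm($sidBytes, 0)
$adSidBase64 = [Convert]::ToBase64String($sidBytes)

# 2. Read the Person object from the FIM Service by AccountName.
$filter = "/Person[AccountName='$AccountName']"
$person = Export-FIMConfig -OnlyBaseResources -CustomConfig $filter

if ($null -eq $person) {
    Write-Warning "No Person with AccountName '$AccountName' found in the FIM Service."
    exit 2
}

# Exactly one match is expected; take the first if the filter returned several.
$attrs = @($person)[0].ResourceManagementObject.ResourceManagementAttributes
$fimSidBase64 = ($attrs | Where-Object { $_.AttributeName -eq "ObjectSID" }).AttributeValue

# 3. Compare. An empty value means a sync rule has already wiped the SID;
#    a different value means a wrong SID was flowed into the Person object.
if ([string]::IsNullOrEmpty($fimSidBase64)) {
    Write-Warning "ObjectSID on FIM Person '$AccountName' is EMPTY - portal access will fail."
    exit 1
}
elseif ($fimSidBase64 -ne $adSidBase64) {
    Write-Warning "ObjectSID MISMATCH for '$AccountName': AD=$($sid.Value) FIM(base64)=$fimSidBase64"
    exit 1
}
else {
    Write-Host "ObjectSID on FIM Person '$AccountName' matches AD ($($sid.Value))."
    exit 0
}
```

Run it from a FIM Service PowerShell session after each FIM MA export (or on a schedule) and alert on a non-zero exit code; a mismatch is the moment to apply the repopulation workaround, not after the admin is already locked out.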
  • One way is to filter out the administrator account from both the AD and FIM MAs.  Next is to deny the Sync Service the rights to modify the administrator account (which should already have the right objectSid at install time anyhow). 


    Correct and even stronger, this is the recommended best practice.
    In addition to that, you should also create a backup account (disabled in AD DS) and synchronize the required attributes manually.
    See "A method to set the required attributes for the FIM Portal access" for more details.

    Cheers,
    Markus 


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, November 29, 2010 4:31 PM

All replies

  • Thanks Guys!!!

    I'm configuring the filters now.

    Markus: One question about the backup account: does ADMA import disabled accounts?


    Alejandro
    Monday, November 29, 2010 5:19 PM
  • The short answer is yes, the MA imports disabled accounts.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, November 29, 2010 5:38 PM