error exporting to FIM MA RRS feed

  • Question

  • I am using FIM RC1.  I have connections to AD and to the FIM MA.  I am getting the 'failed-modification-via-web-services' error when I try to export to the FIM MA.  I do have a custom attribute that I am trying to export.  I have read in other threads that I needed to set 'allow the synchronization account to control the users it synchronizes' and 'Administrators can read and update users' to cover all attributes, which I have done.  However I am still experiencing the error.  Does anyone have any other ideas?
    Friday, October 23, 2009 11:18 PM

Answers

  • When the portal fails to see the MA, I've solved it by fixing permissions for the FIM MA account.  IIRC you can run the FIM Service setup in 'repair mode' to have it re-apply the permissions to the FIM MA account.
    CraigMartin – Oxford Computer Group – http://identitytrench.com
    Tuesday, November 10, 2009 6:35 PM

All replies

  • Have you looked at this post yet?

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Sunday, October 25, 2009 2:54 AM
  • I did see that post before posting my question.  Do you think either of the scripts mentioned will help me?  And if so, where can I get the fimma.cmd script?  Am I correct in assuming that is included in a downloadable VHD?
    Sunday, October 25, 2009 11:22 PM
  • The scripts have not been released yet.
    I'm still working on them.

    The question is whether

    • your current FIM MA account is the same as the one you have specified during setup
    • your FIM MA account has been granted logon locally

    Cheers,
    Markus

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, October 26, 2009 12:50 PM
  • You can find the script here.

    Cheers,
    Markus

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, October 26, 2009 10:31 PM
  • I will download the script and run it.  I thought I set the FIMMA account up correctly, but we will see.  Thanks for posting the script.
    Tuesday, October 27, 2009 4:48 PM
  • Thanks for your help Markus.  Below are the results of the script.


    FIM MA Account Test
    ====================
     -Reading registry configuration
     -FIM MA account name: VCORPLAB3\fimma-s
     -FIM MA account SID : S-1-5-21-2025429265-162531612-682003330-2878031
     -Reading MA configuration
     -FIM MA account name: vcorplab3\fimma-s


    Enter the password for vcorplab3\fimma-s:
    Attempting to start cmd /c as user "vcorplab3\fimma-s" ...


    Command completed successfully


    It seems that the script didn't find any problems with the fimma-s account.  Any other ideas?

    Tuesday, October 27, 2009 5:10 PM
  • OK, this eliminates the FIM MA account as issue.
    Have you looked at eventlog yet?
    You should find some more details there.
    Also, when you get a 'failed-modification-via-web-services', you typically also get a type.
    Is this an access denied?

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Tuesday, October 27, 2009 5:14 PM
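The two things asked for in the reply above, the error type of the failed export and whatever the FIM Service logged while it ran, can be pulled together in one place. This is an added example, not a script from this thread or from Microsoft. It reads the newest run of the FIM MA from the synchronization engine's WMI run history and then lists Error/Warning entries in the "Forefront Identity Manager" log written since that run started. Assumptions: the MA is named 'FIM MA', the FIM Service is on localhost, PowerShell 2.0, you are in the synchronization engine's admins group and can read the remote log, the engine reports RunStartTime in UTC, and the run-details XML carries export-error elements with an error-type child (an assumption about the run-history XML shape to verify on your build).

```powershell
# Added example (not from this thread): error type of the last FIM MA export run plus
# the FIM Service event log entries written since that run started.
# Assumptions: MA name 'FIM MA'; FIM Service on localhost; PowerShell 2.0; RunStartTime
# is UTC; run-details XML has <export-error> elements with an <error-type> child.
param(
    [string]$MaName = 'FIM MA',
    [string]$FimServiceHost = 'localhost'
)

$ns = 'root\MicrosoftIdentityIntegrationServer'

# Newest run of the MA; RunStartTime is a sortable 'yyyy-MM-dd HH:mm:ss.fff' string
$run = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='$MaName'" |
       Sort-Object RunStartTime -Descending | Select-Object -First 1
if ($run -eq $null) { throw "No run history found for MA '$MaName'" }

Write-Host ("Last run: {0} / {1}  started {2} (UTC)  status '{3}'" -f `
    $run.MaName, $run.RunProfile, $run.RunStartTime, $run.RunStatus)

# RunDetails() returns the run's XML. Group export errors by error-type so that a
# 'failed-modification-via-web-services' is told apart from, say, an access-denied type.
[xml]$details = $run.RunDetails().ReturnValue
$exportErrors = @($details.SelectNodes('//export-error'))
if ($exportErrors.Count -eq 0) {
    Write-Host 'No export errors recorded in this run.'
} else {
    $exportErrors | Group-Object { $_.SelectSingleNode('error-type').InnerText } |
        ForEach-Object { Write-Host ("{0,5} x {1}" -f $_.Count, $_.Name) }
    # First error in full: the connected-system text (the web service message) sits in its children
    Write-Host "`nFirst export error:`n$($exportErrors[0].OuterXml)"
}

# FIM Service side: Error/Warning entries logged since the run started (engine time is UTC)
$start = [datetime]::Parse($run.RunStartTime, [System.Globalization.CultureInfo]::InvariantCulture)
$since = [datetime]::SpecifyKind($start, [System.DateTimeKind]::Utc).ToLocalTime()
Write-Host "`nFIM Service log entries since $since on $FimServiceHost"
Get-EventLog -ComputerName $FimServiceHost -LogName 'Forefront Identity Manager' `
             -EntryType Error,Warning -After $since -ErrorAction SilentlyContinue |
    Sort-Object TimeGenerated |
    ForEach-Object { Write-Host ("{0}  {1}  {2}`n{3}`n" -f $_.TimeGenerated, $_.EntryType, $_.Source, $_.Message) }
```

If the first half reports the error type and the second half prints nothing, the request never reached the point where the FIM Service writes an event, which is the situation the rest of the thread goes on to diagnose.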
  • The export jobs are the only times I see any errors in the synchronization service manager.  When I run the export jobs, I don't see any errors in the FIM event log.  Occasionally I do see: "Microsoft.ResourceManagement.Service: Procedure: ReRaiseException. Line number: 31. Message: No value was provided for this attribute, for which a value is required: MembershipLocked." in the FIM event log.  I'm not sure if that is related.

    I get the "failed-modification-via-web-services" error for all user objects in AD except for the FIMMA-s account and my admin account.  Those two accounts have their data exported successfully.

    Tuesday, October 27, 2009 6:11 PM
  • Hi!
    Syncing groups to FIM MA is a bit special, MembershipLocked is for example a required attribute you must flow ... Have a look at this post... http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/439e87f7-681d-4f63-a1fd-62a47bfb2684

    I'm not sure if it applies 100% to RC1 though...

    //Henrik
    Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
    Tuesday, October 27, 2009 6:18 PM
  • But I'm not doing anything with groups so far.  I'm only flowing data for user objects.
    Tuesday, October 27, 2009 8:10 PM
  • Just a thought...
    //H

    Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
    Tuesday, October 27, 2009 8:19 PM
  • Sorry Markus, I didn't see your question about error type.

    I don't see a type reference on the error in the sync gui.  All it says is "failed-modification-via-web-services", and then if I click the detail button it says "There is an error executing a web service object modification request. Please look in the Forefront Identity Manager eventlog on the FIM Service machine for more information."  However it shows nothing new in the FIM event log.  The only thing that it does show in the FIM event log is an information alert that says:

    Log Name:      Forefront Identity Manager
    Source:        Microsoft.ResourceManagement
    Date:          10/27/2009 2:54:42 PM
    Event ID:      0
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      **removed**
    Description:
    <duration stage=Enumerate query="/ManagementPolicyRule" milliseconds=450/>
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft.ResourceManagement" />
        <EventID Qualifiers="0">0</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-10-27T21:54:42.000Z" />
        <EventRecordID>376219</EventRecordID>
        <Channel>Forefront Identity Manager</Channel>
        <Computer>**removed**</Computer>
        <Security />
      </System>
      <EventData>
        <Data>&lt;duration stage=Enumerate query="/ManagementPolicyRule" milliseconds=450/&gt;</Data>
      </EventData>
    </Event>
    Wednesday, October 28, 2009 5:07 PM
  • That's a bit odd.
    In case of missing permissions, you should see an access denied.
    Just making sure, have you verified that you have enabled the right MPRs?

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Wednesday, October 28, 2009 5:19 PM
  • I did see posts here about enabling certain MPRs.  I went through each of the MPRs starting with Synchronization: Synchronization account* and enabled it and also set it to all attributes.  I also set 'Administrators can read and update users' to cover all attributes as well.  However it didn't seem to fix the issue.
    Wednesday, October 28, 2009 5:44 PM
  • Does anyone have any more ideas on this issue?
    Monday, November 2, 2009 5:27 PM
  • Hi,

    I had a similar problem and fixed it by creating a new MPR that grants permission for the sync service account to modify all attributes of all objects. There is an MPR that I expect is intended to control this (Synchronization account controls users it synchronizes, or something like that), but it was simpler for me to grant all as I have a lot of new objects and attributes.
    Steve Mitchell Technical Director - Oxford Computer Group
    Tuesday, November 3, 2009 11:23 AM
  • Thanks for the idea.  I did create a new MPR granting permission to all attributes of all objects to the sync account, unfortunately I'm still getting the error message.  This issue does seem like it is a permission issue to me, but now the sync account has rights to everything, so I'm at a bit of a loss.
    Wednesday, November 4, 2009 5:40 PM
  • Let's see if this can help shedding some light on this...
    Could you please post the outcome of the script?

    Cheers,
    Markus

    #--------------------------------------------------------------------------------------------------------------------------
    # Checks that the MPRs the FIM MA depends on exist and are enabled, and that the
    # "controls ... it synchronizes" MPRs grant every attribute in the FIM MA's export
    # attribute flows. Save as a .ps1 and run it on the FIM Service machine.
    #--------------------------------------------------------------------------------------------------------------------------
    function ShowResults([ref]$bActionItem, $lstAttributes, $msgMissing)
    {
       if($lstAttributes.length -eq 0) {return}
       $bActionItem.value = $true
       write-host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow
       foreach($attributeName in $lstAttributes) {write-host " -$attributeName"}
    }
    #--------------------------------------------------------------------------------------------------------------------------
    # XPath fragments used against the exported configuration files
    set-variable -name nodeHead     -value "ResourceManagementObject[ObjectType='ManagementPolicyRule' " -option constant
    set-variable -name nodeBody     -value "ResourceManagementAttributes/ResourceManagementAttribute" -option constant
    set-variable -name nodeTail     -value "export-flow[direct-mapping]/@cd-attribute" -option constant
    set-variable -name attrDisabled -value "[AttributeName='Disabled']/Value" -option constant
    set-variable -name flowHead     -value "ResourceManagementObject[ObjectType='ma-data']" -option constant
    set-variable -name eafAttrName  -value "AttributeName='SyncConfig-export-attribute-flow'" -option constant
    set-variable -name msgWarning   -value "Caution: Your current MPR configuration requires your attention!"
    set-variable -name msgOK        -value "Your current MPR configuration meets all requirements"
    #--------------------------------------------------------------------------------------------------------------------------
    write-host "`nFIM MPR Configuration For Synchronization Check"
    write-host "==============================================="
    #--------------------------------------------------------------------------------------------------------------------------
    $curFolder   = Split-Path -Parent $MyInvocation.MyCommand.Path
    $maDataFile  = "$curFolder\MAData.xml"      # temporary files, removed at the end (and by the trap)
    $mprDataFile = "$curFolder\MPRData.xml"
    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
    #--------------------------------------------------------------------------------------------------------------------------
    # Export the FIM MA (ma-data with category FIM) and pull out its export attribute flow XML
    $data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data[SyncConfig-category='FIM']")
    if($data -eq $null) {throw "There is no FIM MA configured on your system!"}
    $data | convertfrom-fimresource -file $maDataFile
    [xml]$xmlMAData = get-content $maDataFile
    [xml]$xmlFlow   = "<Root>" + $xmlMAData.selectSingleNode("//$flowHead/$nodeBody[$eafAttrName]/Value").get_InnerText() + "</Root>"

    $userFlowPath  = "//export-flow-set[@cd-object-type='Person' and @mv-object-type='person']/export-flow[direct-mapping]/@cd-attribute"
    $groupFlowPath = "//export-flow-set[@cd-object-type='Group' and @mv-object-type='group']/export-flow[direct-mapping]/@cd-attribute"

    if($xmlFlow.selectNodes($userFlowPath).get_count() -eq 0) {throw "There are no export attribute flows for the object type person configured"}
    $bHasGroups = $xmlFlow.selectNodes($groupFlowPath).get_count() -gt 0
    #--------------------------------------------------------------------------------------------------------------------------
    # Export all MPRs and check the required ones for presence and for the Disabled flag
    $data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ManagementPolicyRule")
    if($data -eq $null) {throw "There are no objects with this object type configured on your FIM server"}
    $data | convertfrom-fimresource -file $mprDataFile

    $mprNames = @()
    $mprNames += "General: Users can read schema related resources"
    $mprNames += "General: Users can read non-administrative configuration resources"
    $mprNames += "User management: Users can read attributes of their own"
    $mprNames += "Synchronization: Synchronization account can delete and update expected rule entry resources"
    $mprNames += "Synchronization: Synchronization account can read schema related resources"
    $mprNames += "Synchronization: Synchronization account can read synchronization related resources"
    $mprNames += "Synchronization: Synchronization account can read users it synchronizes"
    $mprNames += "Synchronization: Synchronization account controls detected rule entry resources"
    $mprNames += "Synchronization: Synchronization account controls synchronization configuration resources"
    $mprNames += "Synchronization: Synchronization account controls users it synchronizes"

    if($bHasGroups -eq $true)
    {
       $mprNames += "Synchronization: Synchronization account can read group resources it synchronizes"
       $mprNames += "Synchronization: Synchronization account controls group resources it synchronizes"
       $mprNames += "Security group management: Owners can read selected attributes of group resources"
       $mprNames += "Security group management: Owners can update and delete groups they own"
       $mprNames += "Security group management: Users can add or remove any member of groups subject to owner approval"
       $mprNames += "Security group management: Users can create group resources"
       $mprNames += "Security group management: Users can read selected attributes of group resources"
       $mprNames += "Security groups: Users can add and remove members to open groups"
    }

    $bActionItem  = $false
    $disabledMPRs = @()
    $missingMPRs  = @()
    [xml]$mprDoc = get-content $mprDataFile
    foreach($mprName in $mprNames)
    {
       $curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$mprName']]")
       if($curMprNode -eq $null) {$missingMPRs += $mprName}
       else {if($curMprNode.selectSingleNode("$nodeBody$attrDisabled").get_InnerText() -eq "True") {$disabledMPRs += $mprName}}
    }

    ShowResults ([ref]$bActionItem) $missingMPRs "Missing MPRs:"
    ShowResults ([ref]$bActionItem) $disabledMPRs "MPRs that need to be enabled:"
    #--------------------------------------------------------------------------------------------------------------------------
    # For each "controls ... it synchronizes" MPR that exists, every attribute in the
    # matching export flow set must be listed in the MPR's ActionParameter values
    $dataList = @()
    if(!($missingMPRs -contains "Synchronization: Synchronization account controls users it synchronizes"))
    {$dataList += "Synchronization: Synchronization account controls users it synchronizes|Person|person"}

    if($bHasGroups -eq $true)
    {
       if(!($missingMPRs -contains "Synchronization: Synchronization account controls group resources it synchronizes"))
       {$dataList += "Synchronization: Synchronization account controls group resources it synchronizes|Group|group"}
    }

    foreach($dataItem in $dataList)
    {
       $a = $dataItem.split("|")     # MPR display name | cd-object-type | mv-object-type
       $missingAttributes = @()
       $maAttributes = @()
       foreach($attrName in $xmlFlow.selectNodes("//export-flow-set[@cd-object-type='$($a[1])' and @mv-object-type='$($a[2])']/$nodeTail"))
       {$maAttributes += $attrName.get_InnerText()}

       $mprAttributes = @()
       $curMprNode = $mprDoc.selectSingleNode("//$nodeHead and $nodeBody[AttributeName='DisplayName' and Value='$($a[0])']]")
       foreach($attrName in $curMprNode.selectNodes("$nodeBody[AttributeName='ActionParameter']/Values/string"))
       {$mprAttributes += $attrName.get_InnerText()}

       foreach($curAttribute in $maAttributes) {if(!($mprAttributes -contains $curAttribute)) {$missingAttributes += $curAttribute}}
       ShowResults ([ref]$bActionItem) $missingAttributes "Missing Resource Attributes on MPR $($a[0])"
    }
    #--------------------------------------------------------------------------------------------------------------------------
    if($bActionItem -eq $true) {write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue}
    else {write-host "`n$msgOK"}

    if(test-path $mprDataFile) {remove-item $mprDataFile}
    if(test-path $maDataFile)  {remove-item $maDataFile}

    write-host "`nCommand completed successfully`n"
    #--------------------------------------------------------------------------------------------------------------------------
    # Any terminating error lands here: report it and clean up the temporary files
    trap
    {
       Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
       if(test-path $mprDataFile) {remove-item $mprDataFile}
       if(test-path $maDataFile)  {remove-item $maDataFile}
       Exit
    }
    #--------------------------------------------------------------------------------------------------------------------------


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Wednesday, November 4, 2009 6:20 PM
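The two remediations this thread keeps coming back to, enabling the "Synchronization:" MPRs and extending the "controls users it synchronizes" MPR to cover a custom attribute (what Steve did with a new MPR and what the check script above flags as "Missing Resource Attributes"), can be applied with the FIMAutomation snap-in rather than by clicking through the portal. The following is an added example, not a script from this thread or from Microsoft. It uses only Export-FIMConfig, Import-FIMConfig and the ImportObject/ImportChange classes the snap-in ships. Assumptions: the FIM Service is on localhost, the custom attribute is called 'myCustomAttribute' (pass your own name as -GrantAttribute), and the MPR display name is the RC1 default shown in the check script. Take a configuration export first; the script changes MPRs.

```powershell
# Added example (not from this thread): enable disabled "Synchronization:" MPRs and add one
# attribute to the ActionParameter list of the "controls users it synchronizes" MPR.
# Assumptions: FIM Service on localhost; attribute name 'myCustomAttribute'; RC1 MPR names.
param(
    [string]$Uri = 'http://localhost:5725/resourcemanagementservice',
    [string]$GrantAttribute = 'myCustomAttribute',
    [string]$ControlMpr = 'Synchronization: Synchronization account controls users it synchronizes'
)
if (@(Get-PSSnapin | Where-Object { $_.Name -eq 'FIMAutomation' }).Count -eq 0) { Add-PSSnapin FIMAutomation }

$om = 'Microsoft.ResourceManagement.Automation.ObjectModel'

# Attribute object (Value for single-valued, Values for multi-valued) from an ExportObject
function Get-Attr($exportObject, $name) {
    $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
}

# Build a Put against an existing resource carrying exactly one attribute change
function New-Put($exportObject, $operation, $attrName, $attrValue) {
    $obj = New-Object "$om.ImportObject"
    $obj.ObjectType = $exportObject.ResourceManagementObject.ObjectType
    $obj.TargetObjectIdentifier = $exportObject.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''
    $obj.SourceObjectIdentifier = $obj.TargetObjectIdentifier
    $obj.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $chg = New-Object "$om.ImportChange"
    $chg.Operation = $operation
    $chg.AttributeName = $attrName
    $chg.AttributeValue = $attrValue
    $chg.FullyResolved = 1
    $chg.Locale = 'Invariant'
    $obj.Changes = (,$chg)
    return $obj
}

$replace = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
$add     = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add

# Only the MPRs whose display name starts with "Synchronization:"; base resources are enough
$xpath = "/ManagementPolicyRule[starts-with(DisplayName,'Synchronization:')]"
$mprs  = @(Export-FIMConfig -uri $Uri -customconfig $xpath -OnlyBaseResources)
if ($mprs.Count -eq 0 -or $mprs[0] -eq $null) { throw 'The FIM Service returned no Synchronization MPRs' }

$pending = @()
foreach ($mpr in $mprs) {
    $name     = (Get-Attr $mpr 'DisplayName').Value
    $disabled = (Get-Attr $mpr 'Disabled').Value
    Write-Host ("{0,-95} Disabled={1}" -f $name, $disabled)

    # (1) flip Disabled to false where needed
    if ($disabled -eq 'True') {
        $pending += New-Put $mpr $replace 'Disabled' 'false'
    }

    # (2) grant the custom attribute on the control MPR unless '*' or the attribute is already there
    if ($name -eq $ControlMpr) {
        $granted = @((Get-Attr $mpr 'ActionParameter').Values)
        if (($granted -contains '*') -or ($granted -contains $GrantAttribute)) {
            Write-Host "  '$GrantAttribute' already covered by ActionParameter: $($granted -join ', ')"
        } else {
            $pending += New-Put $mpr $add 'ActionParameter' $GrantAttribute
        }
    }
}

if ($pending.Count -eq 0) {
    Write-Host "`nNothing to change."
} else {
    Write-Host ("`nApplying {0} change(s) through the FIM Service..." -f $pending.Count)
    $pending | Import-FIMConfig -uri $Uri
}
```

Import-FIMConfig goes through the same web service the FIM MA export uses, so if this script's Put is rejected with an access denied, the account you ran it as lacks the right, whereas if it succeeds but the MA export still fails without any event, the problem is not MPR permissions at all, which is where the thread ends up.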
  • Well, I'm not sure if I need to tweak something in the script to customize it for my environment or not, but here is the result.

    FIM MPR Configuration For Synchronization Check
    ===============================================

    Error: There is no FIM MA configured on your system!


    I do have a FIM MA, named 'FIM MA'.  So maybe the script has detected something wrong.  What does it mean when the script doesn't detect the FIM MA?

    Friday, November 6, 2009 5:36 PM
  • There is nothing you need to tweak.
    What is the outcome of the script code below?
    You might see a lot of warnings - you can ignore them!

    Cheers,
    Markus

    #--------------------------------------------------------------------------------------------------------------------------------------------
    # Lists every ma-data resource the FIM Service holds, i.e. the MAs as the service
    # (not the synchronization engine) sees them. Save as a .ps1 and run it on the FIM Service machine.
    #--------------------------------------------------------------------------------------------------------------------------------------------
    $curFolder   = Split-Path -Parent $MyInvocation.MyCommand.Path
    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
    $maDataFile = "$curFolder\MAData.xml"
    $data = export-fimconfig -uri http://localhost:5725/resourcemanagementservice -customconfig ("ma-data")
    if($data -eq $null) {throw "There is no MA configured on your system!"}
    $data | convertfrom-fimresource -file $maDataFile
    [xml]$xmlMAData = get-content $maDataFile
    #--------------------------------------------------------------------------------------------------------------------------------------------
    clear-host
    write-host "`nFIM Management Agent Configuration"
    write-host "=================================="
    foreach($ma in $xmlMAData.selectNodes("//ExportObject/ResourceManagementObject/ResourceManagementAttributes"))
    {
       write-host "Name: " $ma.selectSingleNode("ResourceManagementAttribute[AttributeName='DisplayName']/Value").get_InnerText()
       write-host "Type: " $ma.selectSingleNode("ResourceManagementAttribute[AttributeName='SyncConfig-category']/Value").get_InnerText() "`n"
    }

    if(test-path $maDataFile)  {remove-item $maDataFile}
    write-host "`nCommand completed successfully`n"
    #--------------------------------------------------------------------------------------------------------------------------------------------
    # Any terminating error lands here: report it and clean up the temporary file
    trap
    {
       Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
       if(test-path $maDataFile)  {remove-item $maDataFile}
       Exit
    }
    #--------------------------------------------------------------------------------------------------------------------------------------------
    

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Friday, November 6, 2009 6:13 PM
  • hmm, it says:

    Error: There is no MA configured on your system!


    So, it seems I have done something wrong in the configuration of the MA.  What info can I give you to help?
    Friday, November 6, 2009 7:49 PM
  • The MA is functional.  I can import & sync just fine.  It's just the FIM MA export that isn't working.
    Friday, November 6, 2009 8:03 PM
  • Apparently, there is something wrong with your system.
    Try this script.

    What happens, when you try to configure an outbound synchronization rule?
    When you create a new synchronization rule, you just need to do this up to the Scope tab.
    Are your MAs listed under "External System"?

    Cheers,
    Markus

    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Friday, November 6, 2009 8:12 PM
  • It shows both of my MAs.

    Configured Management Agents
    ============================


    Name : AD MA
    Type : Active Directory
    Guid : {D523DFE6-8E50-491C-AE2F-D06296057A51}

    Name : FIM MA
    Type : Forefront Identity Management (FIM)
    Guid : {C5E26489-BA38-4AE3-AFF6-D28D9281279E}


    In the previous script, am I supposed to be running that from a certain folder?  It looks like it is looking for a file called madata.xml.

    Friday, November 6, 2009 10:28 PM
  • When i try to configure a new outbound sync rule, my MAs do not show up under 'external system'
    Friday, November 6, 2009 10:33 PM
  • The first script (that doesn't show the MAs) requests the information from the FIM service.
    The second script (that does show the MAs) requests the information from the synchronization engine.

    There is something broken in the internal replication chain between the synchronization engine and the FIM service.
    I don't think that this will really fix your issue; however, as a quick test, you could export one of the MAs in the Synchronization Service Manager.
    This triggers replication between the synchronization engine and the FIM service.

    As long as the first script doesn't show the MAs, your system is inoperable! 

    The question is whether it makes sense to put time into trying to fix this since this can be on a forum a pretty time consuming task.
    If this is just a lab environment, you are probably better off reinstalling FIM.

    Has this ever worked - have you ever been able to configure a synchronization rule?
    If so, there must be a reason why it doesn't work anymore.

    Have you looked at the event log yet?

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Friday, November 6, 2009 10:52 PM
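The diagnosis above rests on comparing two views of the same MAs: the synchronization engine's (WMI) and the FIM Service's (ma-data over the web service). The check script earlier in the thread prints only the service side, and the script that produced the "Configured Management Agents" listing is not on this page. The following is an added example, not a script from this thread or from Microsoft, that reads both sides and flags engine MAs the service has never received. Assumptions: both roles on localhost; the caller is in the synchronization engine's admins group and is a FIM administrator; ma-data carries the engine's MA GUID in the 'SyncConfig-id' attribute (an assumption; the match falls back to DisplayName when that attribute is absent).

```powershell
# Added example (not from this thread): MAs known to the synchronization engine (WMI,
# MIIS_ManagementAgent) versus ma-data resources held by the FIM Service (web service).
# Assumptions: both roles on localhost; ma-data stores the engine GUID in 'SyncConfig-id'.
$ns  = 'root\MicrosoftIdentityIntegrationServer'
$uri = 'http://localhost:5725/resourcemanagementservice'
if (@(Get-PSSnapin | Where-Object { $_.Name -eq 'FIMAutomation' }).Count -eq 0) { Add-PSSnapin FIMAutomation }

# Single-valued attribute value from an ExportObject, or $null when the attribute is absent
function Get-Attr($exportObject, $name) {
    $a = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $name }
    if ($a -eq $null) { return $null }
    return $a.Value
}

# Engine side, keyed by GUID without braces (WMI returns it as '{...}')
$engine = @{}
foreach ($ma in @(Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent)) {
    $engine[($ma.Guid -replace '[{}]', '').ToUpper()] = $ma
}

# Service side, keyed the same way; fall back to the display name when SyncConfig-id is missing
$service = @{}
$maData = Export-FIMConfig -uri $uri -customconfig '/ma-data' -OnlyBaseResources
if ($maData -ne $null) {
    foreach ($o in @($maData)) {
        $id = Get-Attr $o 'SyncConfig-id'
        if ($id -eq $null) { $key = 'NAME:' + (Get-Attr $o 'DisplayName') }
        else               { $key = ($id -replace '[{}]', '').ToUpper() }
        $service[$key] = $o
    }
}

Write-Host ("`n{0,-25} {1,-38} {2,-30} {3}" -f 'Engine MA', 'GUID', 'Engine type', 'Seen by FIM Service')
$missing = @()
foreach ($key in $engine.Keys) {
    $ma  = $engine[$key]
    $hit = $service[$key]
    if ($hit -eq $null) { $hit = $service['NAME:' + $ma.Name] }
    if ($hit -ne $null) { $seen = 'yes (category ' + (Get-Attr $hit 'SyncConfig-category') + ')' }
    else                { $seen = 'NO'; $missing += $ma.Name }
    Write-Host ("{0,-25} {1,-38} {2,-30} {3}" -f $ma.Name, $key, $ma.Type, $seen)
}

if ($missing.Count -gt 0) {
    Write-Host "`nThe FIM Service has no ma-data for: $($missing -join ', ')."
    Write-Host 'Run an export on one MA in Synchronization Service Manager to push MA configuration to the service, then rerun this check.'
} else {
    Write-Host "`nThe synchronization engine and the FIM Service agree on the configured MAs."
}
```

A FIM MA that shows up on the engine side with "NO" on the service side is exactly the state described above: nothing to pick under "External System" when scoping a synchronization rule, and FIM MA exports that fail before the service ever logs an event.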
  • > It shows both of my MAs.
    >
    > Configured Management Agents
    > ============================
    >
    > Name : AD MA
    > Type : Active Directory
    > Guid : {D523DFE6-8E50-491C-AE2F-D06296057A51}
    >
    > Name : FIM MA
    > Type : Forefront Identity Management (FIM)
    > Guid : {C5E26489-BA38-4AE3-AFF6-D28D9281279E}
    >
    > In the previous script, am I supposed to be running that from a certain folder?  It looks like it is looking for a file called madata.xml.

    No, you don't need to run this script from a specific folder.
    Please see my other response...

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Friday, November 6, 2009 10:53 PM
  • One thing in common between the scripts Markus has provided and what the MA tries to do on export is that they both call the webservice.  In the case of the script, the call to the webservice is failing and telling you that there is no FIM MA configured when you clearly do have one.  Export is failing as well.  Export uses the web service.  Have you checked the FIM service WCF traces and fusion logs to see if there are any errors on the web service side?
    AhmadAW
    Tuesday, November 10, 2009 6:34 PM