Password Reset Registration - Error 3003 - Some users unable to register

  • Question

  • HI,

    We currently have FIM 2010 R2 installed (running MS SQL Server 2008 R2 and SharePoint Services 3) and some users (not all) are unable to register themselves for password reset.

    We have the FIM client installed on the client computers, which successfully prompts the users for registration.  However, when some users log on they don't get prompted with the registration screen, and when we manually direct them to the registration portal they get the error:

    The current user account is not recognized by Forefront Identity Manager. Please contact your administrator. (Error 3003)

    On the FIM server, in the event viewer we get:

    Log Name:      Forefront Identity Manager
    Source:        Microsoft.ResourceManagement
    Date:          29/09/2012 12:27:17
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Description:
    GetCurrentUserFromSecurityIdentifier: No such user [DOMAIN]\[USERID], [SID]

    -------------------------------------------------------------------------------------------

    AND:

    -------------------------------------------------------------------------------------------

    Log Name:      Forefront Identity Manager
    Source:        Microsoft.ResourceManagement
    Date:          29/09/2012 12:27:17
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Description:
    Requestor: Internal Service
    Correlation Identifier: 800abeaf-6b37-4f5a-b81f-438d63772127
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
    ----------------------------------------------------------------------------------------------------------

    Looking up the error on Google:

    "GetCurrentUserFromSecurityIdentifier"

    gets me this web site:

    http://dloder.blogspot.co.uk/2011/12/administrator-locked-out-of-fim-portal.html

    I have also confirmed that NULL is returned when I run the stored procedure "[fim].GetUserFromSecurityIdentifier" for one of the particular users who is unable to register.

    To give you an idea of scale, we have at least 1000+ users successfully registered for SSPR, BUT a lot of errors in the event viewer on the server for users who will be unable to register.

    We installed FIM from a clean install 2 months ago and used the QuickStart script to get the password reset functionality working (http://technet.microsoft.com/en-us/library/jj134297(v=ws.10).aspx)

    I am now stuck trying to find out:

    a) how many users are unable to register because they don't have a security ID in the FIM database

    b) how to fix this?

    Any help getting to the bottom of this would be appreciated.

    Kind Regards

    Saturday, September 29, 2012 11:56 AM

Answers

  • I have resolved this issue now. Just in case anyone else has the same issue, I suppose there are a couple of ways to resolve this:

    a) Log on to the FIM Identity Manager portal -> Administration -> search for the user who is unable to register (the one appearing in the event viewer errors above) -> select the user and delete.

    You may also have to disconnect these objects in the FIM Sync Service (Metaverse Designer).

    Then run a sync from Active Directory to the FIM portal (database) again to import the correct details.

    b) Due to the large number of users, I used PowerShell cmdlets to export all the users from AD and convert their ObjectSID into hex format.

    I then used the following SQL to update the ObjectSID in the FIM database:

    -- SecurityIdentifier is a varbinary column: supply the SID as a 0x... hex literal, not a quoted string.
    -- UserObjectKey is the ObjectKey of the user's row in [fim].[Objects] (see the SELECT below).
    Update [FIMService].[fim].[UserSecurityIdentifiers]
       set SecurityIdentifier = {!!!PUT IN THE HEX FORMAT SID HERE!!!}
     where UserObjectKey = '{!!!replace with the userobjectKey!!!}'

    If you don't know the UserObjectKey for the above statement you can use the following SQL, similar to what I posted earlier:

    SELECT [UsrNme].[DomainAndAccountName], [O].[ObjectID], [Usi].[SecurityIdentifier], [Usi].[UserObjectKey]
      FROM [FIMService].[fim].[Objects] AS [O]
      JOIN [FIMService].[fim].[DomainAndAccountName] AS [UsrNme]
        ON [O].[ObjectKey] = [UsrNme].[ObjectKey]
      JOIN [FIMService].[fim].[UserSecurityIdentifiers] AS [Usi]
        ON [O].[ObjectKey] = [Usi].[UserObjectKey]

    • Marked as answer by fazza95 Wednesday, October 3, 2012 6:51 PM
    Wednesday, October 3, 2012 6:51 PM
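As an added example for option (b) above (this is not code posted in the thread), the following PowerShell script does the export, the hex conversion and the comparison in one pass: it reads every user the FIM Service knows together with the SID it has stored, looks the account up in AD, converts the AD objectSid to the 0x... varbinary literal SQL Server expects, and writes out the UPDATE from the answer for each user whose stored SID differs from AD. Users that have no UserSecurityIdentifiers row at all are only reported, since option (a) (delete and re-sync) is the route for those. It assumes the RSAT ActiveDirectory module is installed, a FIMService database on the local default SQL instance, a single domain, and that DomainAndAccountName holds DOMAIN\sAMAccountName; the server, database and output path are placeholders.

```powershell
# Added example, not code from the thread: reconcile the SID the FIM Service
# stores for each user against the objectSid of the matching AD account, then
# write an UPDATE (the statement used in the answer above) for every user
# whose stored SID differs. Users with no UserSecurityIdentifiers row are only
# reported; for those, use option (a): delete the object and re-sync.
# Assumptions not stated in the thread: the FIM Service database is FIMService
# on the local default instance, every DomainAndAccountName is
# DOMAIN\sAMAccountName in the single domain this host is joined to, and the
# caller has db_datareader on FIMService plus read access to AD.
Import-Module ActiveDirectory

$SqlServer = '.'                 # assumption: FIM Service SQL instance
$Database  = 'FIMService'        # default FIM Service database name
$OutFile   = '.\Fix-FimSids.sql' # generated UPDATEs land here; nothing is written to SQL

# Render a SID as the 0x... literal SQL Server accepts for a varbinary column.
function ConvertTo-SqlBinaryLiteral {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    '0x' + [System.BitConverter]::ToString($bytes).Replace('-', '')
}

# Every FIM user with its stored SID. LEFT JOIN so users that have no
# UserSecurityIdentifiers row still come back (SecurityIdentifier = NULL);
# the INNER JOIN used in the thread silently drops exactly those users.
$query = @"
SELECT    n.DomainAndAccountName, o.ObjectKey, usi.SecurityIdentifier
FROM      fim.Objects AS o
JOIN      fim.DomainAndAccountName AS n    ON n.ObjectKey = o.ObjectKey
LEFT JOIN fim.UserSecurityIdentifiers AS usi ON usi.UserObjectKey = o.ObjectKey
"@

$conn  = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
$table = New-Object System.Data.DataTable
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Dispose()
}

$missing = @(); $mismatch = @(); $notInAd = @()
$updates = New-Object System.Collections.Generic.List[string]

foreach ($row in $table.Rows) {
    $name = [string]$row.DomainAndAccountName
    if ([string]::IsNullOrWhiteSpace($name)) { continue }   # built-in objects with no AD account
    $sam  = $name.Split('\')[-1]                            # DOMAIN\sAMAccountName -> sAMAccountName

    # sAMAccountNames containing LDAP metacharacters ( ) * \ would need escaping here.
    $adUser = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)"
    if (-not $adUser) { $notInAd += $name; continue }
    $actual = ConvertTo-SqlBinaryLiteral $adUser.SID

    if ($row.SecurityIdentifier -is [System.DBNull]) { $missing += $name; continue }
    $stored = '0x' + [System.BitConverter]::ToString([byte[]]$row.SecurityIdentifier).Replace('-', '')
    if ($stored -eq $actual) { continue }                   # FIM already holds the right SID

    $mismatch += $name
    # Same UPDATE as in the answer, with both placeholders filled in; AD is the authority.
    $updates.Add("UPDATE fim.UserSecurityIdentifiers SET SecurityIdentifier = $actual WHERE UserObjectKey = $($row.ObjectKey); -- $name was $stored")
}

if ($updates.Count -gt 0) { $updates | Set-Content -Path $OutFile }
$summary = "{0} FIM users checked: {1} SIDs differ from AD (UPDATEs written to {2}), {3} have no SID row, {4} not found in AD"
$summary -f $table.Rows.Count, $mismatch.Count, $OutFile, $missing.Count, $notInAd.Count
$missing | ForEach-Object { "no SID row (delete and re-sync): $_" }
$notInAd | ForEach-Object { "not found in AD: $_" }
```

Run it as an account that can read the FIMService database, then review the generated file before applying it inside a single transaction against a backed-up database. Direct edits to the FIM Service database bypass the service's own request pipeline, so where the count of mismatched users is small, option (a) is the safer route; the script's "no SID row" list tells you which users need it regardless.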

All replies

  • fazza95,

    I found a way to do this. Not super elegant, but it works. I created a set of all users other than the admin and built-in sync account. I then created a workflow that is a function evaluator; it updates a string attribute (description, in my case, but it could be anything). The expression I used to calculate it is function->IsPresent(ObjectSID).

    This updates a string attribute with true or false depending on whether objectSID is populated. I then make another set that contains all users where it is false. That would show everybody who will get this error and identifies the users you need to populate the SID for.

    You could populate the SID using the sync engine; perhaps these users are disconnected and that is why they don't have an objectSID value to begin with.

    Saturday, September 29, 2012 2:44 PM
  • Why would you bother to know who hasn't got a SID in FIM? Just flow the SID for EVERYONE? What could be easier? O_o
    Saturday, September 29, 2012 5:26 PM
  • Thanks Glenn,

    I ran this SQL statement, which leads me to believe that all users have the objectSID in the FIM database:

    -- Note: the inner join to UserSecurityIdentifiers only returns users that already have a SID row.
    SELECT [UsrNme].[DomainAndAccountName]
         , [O].[ObjectID]
         , [Usi].[SecurityIdentifier]
      FROM [FIMService].[fim].[Objects] AS [O]
      JOIN [FIMService].[fim].[DomainAndAccountName] AS [UsrNme]
        ON [O].[ObjectKey] = [UsrNme].[ObjectKey]
      JOIN [FIMService].[fim].[UserSecurityIdentifiers] AS [Usi]
        ON [O].[ObjectKey] = [Usi].[UserObjectKey]

    I have confirmed that the active directory management agent is pulling through the ObjectSID attribute and flowing it into the metaverse person attribute objectsid directly.

    So we still need to figure out why the user can't register and is leaving the event viewer message above. Any ideas?

    Thanks

    Sunday, September 30, 2012 3:52 PM
  • I believe all the users are flowing the objectsid attribute through into the metaverse.

    E.g.

    FIM Sync Service -> Management Agents -> Right click Active Directory Management Agent and select properties

    In the management agent designer select the "Select attributes" tab and ensure ObjectSID is selected.

    On the "Configure Attribute Flow" tab, ensure that the data source attribute ObjectSID for user is importing directly into the metaverse person attribute ObjectSID.

    Any more help is appreciated on things that I should check as to why some users can't register even though I can clearly find them in the FIM metaverse using the identity management portal.

    Thanks

    Sunday, September 30, 2012 4:04 PM
  • After further investigation, we are experiencing this issue because the FIM database doesn't have the correct ObjectSID.

    We imported all the users from Active Directory into FIM.  But somehow the ObjectSID in Active Directory doesn't match the ObjectSID in FIM.

    I confirmed this by:

    Running the SQL statements I mentioned above.

    Taking the value from the column "SecurityIdentifier" for a user who was appearing in the event viewer with the error.

    Comparing this to the value in Active Directory for the SID (e.g. open Active Directory Users and Computers -> find the user and select the attributes tab -> look at the attribute ObjectSID in hexadecimal format and compare it to the value in the table).

    Therefore, I now need instructions on how to check that my attribute flow is set up to ensure that the ObjectSID is correct for all users in FIM.

    E.g. how do I force FIM to update the attribute ObjectSID from Active Directory?

    Here is what we have in Attribute flow in my Active Directory Management Agent designer:

    Wednesday, October 3, 2012 8:09 AM