FIM RC1 U3 and admin rights

So I tried to install the FIM RC1 (U3) in a demo environment, and what a hassle that was. My setup was fairly simple: everything (except SQL) on a single box. Of course reading is not my best skill, but the install went fine and the portal was ready for the account I installed it with (Administrator). It opened on the FIM server without a problem, but getting it to work remotely was another story.

The guide tells you to register SPNs for Kerberos to work if the FIM Portal and FIM Service are on separate servers, but ALSO if you want to use the FIM password reset extension. However, registering the HTTP/servername SPN to a service account renders the remote login useless: you will receive an HTTP Error 401, the requested resource requires user authentication. The reason is that the SharePoint application pool serving the portal runs as Network Service (as the DCOM error further down shows) and therefore decrypts Kerberos service tickets with the computer account's key; once HTTP/servername is owned by a different account, the KDC issues tickets encrypted for that account instead and IIS cannot decrypt them.

If you were to Google (or Bing) that error, the links tell you to disable kernel-mode authentication for Windows Authentication in IIS. Well, that did NOT do the trick either: although the SharePoint site comes up, the FIM portal dies.

SPN Registration

So on to the good news. I tried installing the FIM portal under a different name, FIMPortal.domain.local, and added the appropriate CNAME in DNS. I registered the service name for FIM as FIM.domain.local and added that to the SPNs of the FIM Service account:

C:\Users\Administrator.DEMODC>setspn -l Sa-nldemofm02-sc

Registered ServicePrincipalNames for CN=SA-NLDEMOFM02-SC,OU=Service Accounts,OU=Identity Management,OU=Services,DC=DOMAIN,DC=LOCAL:

And I added the FIMPortal.domain.local URL to the server's computer account (since that is the URL the server is serving):

setspn -l nldemofm02

Registered ServicePrincipalNames for CN=NLDEMOFM02,CN=Computers,DC=DOMAIN,DC=LOCAL:
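The registration above, written out as a script: this is an added example and not part of the original post. It uses the host and account names from the post (nldemofm02, Sa-nldemofm02-sc, fimportal.domain.local, fim.domain.local); the FIMService/ SPN class is the one the FIM 2010 installation guide uses for the FIM Service, which is assumed here because the post does not show the SPN lines themselves. The point it adds is the duplicate check: an SPN that already lives on another account is exactly what produces the 401 described above.

```powershell
# Added example, not from the original post. Registers the two SPNs the post
# ends up with and checks for duplicates first. Host and account names are the
# ones used in the post; the "FIMService/" SPN class follows the FIM 2010
# installation guide (assumed, the post does not show the SPN lines).
# Run from an elevated prompt as a domain admin.

$PortalHost     = 'fimportal.domain.local'  # URL the portal is served under (CNAME in DNS)
$ServiceHost    = 'fim.domain.local'        # address clients use for the FIM Service
$ServerAccount  = 'nldemofm02'              # computer account; SharePoint app pool runs as Network Service
$ServiceAccount = 'Sa-nldemofm02-sc'        # FIM Service account

$wanted = @(
    @{ Spn = "HTTP/$PortalHost";        Account = $ServerAccount  },
    @{ Spn = "FIMService/$ServiceHost"; Account = $ServiceAccount }
)

foreach ($entry in $wanted) {
    # setspn -Q reports every account that already owns the SPN. An SPN owned by
    # two accounts, or by the wrong one, makes the KDC encrypt the service ticket
    # with a key the web server does not have; the client then sees HTTP 401.
    $query = setspn -Q $entry.Spn
    if ($query -match 'Existing SPN found') {
        $owner = ($query | Where-Object { $_ -match '^CN=' }) -join '; '
        Write-Warning "$($entry.Spn) is already registered on: $owner (intended owner: $($entry.Account))"
        continue
    }
    # -S refuses to add the SPN if any account in the forest already has it (-A does not check).
    setspn -S $entry.Spn $entry.Account
}

# What the two accounts carry now. The computer's HOST/ SPN already covers
# HTTP/ for its own hostname; the HTTP/fimportal entry is only for the alias.
setspn -L $ServerAccount
setspn -L $ServiceAccount

# Forest-wide duplicate scan; any SPN listed here needs cleaning up.
setspn -X
```

To verify from a client, run klist purge, browse to the portal, and check klist for a ticket to HTTP/fimportal.domain.local. One caveat with the CNAME: by default Windows HTTP clients build the SPN from the canonical A-record name (the KB 911149 behaviour), so they may ask for HTTP/nldemofm02.domain.local instead; that still works here only because both names resolve to the same computer account. If the alias ever points at a different box, use an A record rather than a CNAME.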

With that hurdle taken we could finally log in to the website and provision some users. Now, the Administrator account is one you probably don't like using, and you would rather work with named accounts. I added my personal admin account to the FIM portal and tried to log on: Service Unavailable.

Fixing WSS

So we went into the event log and there were some (a lot of) errors:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

This error is really a DCOM permissions problem on the server. To fix it on 2008 R2:

Start the registry editor, go to HKLM and search for the string {61738644-F196-11D0-9953-00C04FD919C1}. Right-click the key with that name and select Permissions, take ownership of the key and give Administrators Full Control (the key is owned by TrustedInstaller, which is why you cannot edit it straight away).

Next, go to Component Services and drill down to Computers\My Computer\DCOM Config and look for IIS WAMREG admin Service. Open its properties, go to the Security tab and select Edit under Launch and Activation Permissions. Add the Network Service account and grant it Local Launch and Local Activation rights. Click OK to close.
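A read-only check for the DCOM step above, added here as an example and not part of the original post. It pulls the DistributedCOM event 10016 entries (the message quoted above) out of the System log, extracts the CLSID, APPID and trustee SID, resolves the component names from the registry, and reports whether the launch/activation DACL of that DCOM application already grants the trustee Local Launch and Local Activation. The CLSID is the one from the post; the APPID is read from the event or the registry rather than assumed.

```powershell
# Added example, not from the original post. Diagnoses DistributedCOM 10016
# events ("does not grant Local Activation permission ...") without changing
# anything; the fix itself is the Component Services procedure described above.
# Run from an elevated PowerShell prompt on the web server.

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10016
} -ErrorAction SilentlyContinue

# Bits of the COM access mask used in DCOM launch/activation ACEs.
$COM_RIGHTS_EXECUTE_LOCAL  = 2   # Local Launch
$COM_RIGHTS_ACTIVATE_LOCAL = 8   # Local Activation

foreach ($e in $events) {
    $m = $e.Message
    # The event text wraps the GUIDs in line breaks, hence \s* rather than a space.
    if ($m -notmatch 'CLSID\s*(\{[0-9A-Fa-f-]+\})') { continue }
    $clsid = $Matches[1]
    $appid = if ($m -match 'APPID\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
    $sid   = if ($m -match 'SID \((S-[0-9-]+)\)')          { $Matches[1] } else { $null }

    # Friendly names from the registry; the CLSID key also carries the AppID
    # if the event did not.
    $clsKey  = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
    $clsName = $clsKey.'(default)'
    if (-not $appid -and $clsKey) { $appid = $clsKey.AppID }
    $appName = $null
    if ($appid) {
        $appName = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\AppID\$appid" -ErrorAction SilentlyContinue).'(default)'
    }

    "{0:u}  CLSID {1} ({2})  APPID {3} ({4})  trustee {5}" -f `
        $e.TimeCreated, $clsid, $clsName, $appid, $appName, $sid

    if (-not $appid -or -not $sid) { continue }

    # Launch/activation DACL as DCOM sees it for this AppID.
    $app = Get-WmiObject Win32_DCOMApplicationSetting -Filter "AppID='$appid'" -EnableAllPrivileges
    if (-not $app) { continue }
    $sd = $app.GetLaunchSecurityDescriptor().Descriptor
    if (-not $sd) { "    launch permissions are the machine-wide defaults (no custom DACL)"; continue }

    # Combine every access-allowed ACE (AceType 0) for the trustee SID.
    $mask = 0
    foreach ($ace in $sd.DACL) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $ok = (($mask -band $COM_RIGHTS_EXECUTE_LOCAL) -ne 0) -and (($mask -band $COM_RIGHTS_ACTIVATE_LOCAL) -ne 0)
    "    launch DACL grants Local Launch + Local Activation to {0}: {1}" -f $sid, $ok
}
```

Before the fix the last line reads False for S-1-5-20 on the IIS WAMREG admin Service AppID; after adding Network Service in Component Services and an IIS reset it reads True. Because it only reads the DACL through WMI, it is also a reasonable thing to leave in a build-verification script rather than clicking through Component Services on every server.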

That still did not resolve the issue, and the DCOM error also shows up when only the SharePoint services are installed without FIM. Looking further, I noticed an error from SharePoint claiming the name is not in the alternate access mappings:

Go to SharePoint Central Administration, select Operations and then Alternate Access Mappings. Select Add Internal URLs and enter the new URL: fimportal.domain.local.

Still no access

And that still does not do the trick, so let's dive deeper into the event log:

The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

Now that explains a lot, does it not? Since it talks about a middle tier I thought of SQL and the Kerberos tickets for the SQL account, but no, it's far easier: there is an additional event log (hidden, for me at least). In Windows 2008 R2 the event logs are split per application and service (annoying!), so there is also a Forefront Identity Manager event log, and that gave the following error at the same time as the error above:

GetCurrentUserFromSecurityIdentifier: No such user DOMAIN\adm-rzomerman, S-1-5-21-14987678272-33490897-4157649111-1133

Getting SID across

I knew I had created the user, but that was not enough. The FIM Service identifies the logged-on Windows user by SID, so my AD account's SID has to be bound to the corresponding object in FIM; a join rule on the AD connector together with the sync rules and attribute flows from the Microsoft guide made that work. You can follow the Microsoft guide on publishing Active Directory users from two authoritative data sources; change just one thing in the AD connector:

In the Synchronization Service Manager, open the properties of the AD management agent (ADMA) and select Configure Join and Projection Rules.

At the top, select the user object type and click New Join Rule. Select sAMAccountName as the data source attribute on the left and accountName as the metaverse attribute on the right, set the mapping type to Direct and click OK.

Rerun the sync runs from the document and you will notice that the users in FIM are now mapped to their users in AD, including their SID.

Add to Administrators Group for Portal Access

To finish it off, go to Sets in the FIM portal and select Administrators. Go to the Manually Managed Members tab and add your account.