(2013-01-09) FIM Portal Access For Any Regular AD User Account – How To Enable And Troubleshoot

The article mentioned here and here, which was written by me is based upon FIM 2010. This article however, will be based upon FIM 2010 R2, and you can also consider it to be an updated version of the article on the FIM TechNet Forum.

–

Let’s start at the beginning…

–

To be able to logon and access the FIM Portal as any regular user account, the following MUST be true:

1. A user account exists in AD and is enabled;
2. The attributes “Domain”, “Account Name” and “Resource SID” on the Person object in the FIM Portal must have matching values of the corresponding user account in AD;
3. The correct permissions within the FIM Portal must be in place

–

[AD.1]

This is a no-brainer, but it is the most important one. No user = no access!

–

[AD.2]

Now you have a user account in AD, must create a corresponding identity in the FIM Portal for the user account in AD. HOW you achieve that is not really important in the context of getting access. The following options exists to create the identity within the FIM Portal:

• Synchronize the AD user account into the FIM Portal using the FIM Sync Engine. As an example of how you can achieve that, have a look at How Do I Synchronize Users from Active Directory Domain Services to FIM
• If the AD user account does not yet exist in AD, because the FIM Portal is the authoritative source, you can manually create the identity in the FIM Portal, provision it into the AD and make sure to sync back the objectSID. As an exmaple of how you can achieve that, have a look at How Do I Provision Users to AD DS
• If the AD user account does exist in AD, but not yet in the FIM Portal, you can create the user in the FIM Portal by using either one of the following PowerShell scripts as an example:
  • How to use PowerShell to Add a User (after using this script, the Person object still lacks the objectSID)
  • How to Use PowerShell to Create a User in the FIM Portal (en-US) (after using this script, the Person object still lacks the objectSID)
  • How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object (en-US) (by using this script the (correct) objectSID from the user account in AD is populated into the Person object in the FIM Portal) (figure 1)

Figure 1: Fixing The ObjectSID (Repairing Or Adding) Of A Person Object In The FIM Portal

–

When you are done you can check the attributes on the Person object in the FIM Portal by using the following PowerShell script as an example: How to Use PowerShell to Display a User’s Attribute Values for FIM Portal Access (en-US). To see the corresponding values in AD you can issue the following PowerShell command:

Import-Module ActiveDirectory
Get-ADUser "<sAMAccountName>" -Properties displayName,sAMAccountName,userPrincipalName,objectSID | Select displayName,sAMAccountName,userPrincipalName,objectSID | FL

Figure 2: Viewing The Minimum Required Attributes Of An Object In The FIM Portal And Compare It To The Values In AD

–

[AD.3]

During the installation of the FIM Portal you need to grant authenticated users access within the sharepoint site(s). So the checkbox(es), shown during the install, when checked, configure the sharepoint based permissions for the site collection. If you want to see how it looks like for the FIM Portal, see the picture below.

Figure 3: The Result In Sharepoint Of Checking “Grant Authenticated Users access to the FIM Portal Site” During The Installation Of The FIM Portal

–

Be aware though! There is a subtle difference between FIM 2010 and FIM 2010 R2.

–

If you are installing Forefront Identity Manager 2010 (FIM 2010), during the installation of the FIM Portal you, at some point, will be presented with the following screen.

Figure 4: Configuring The FIM Service And FIM Portal During The Installation Of FIM 2010

–

In FIM 2010 both the FIM Portal and the FIM Password Reset Portal are sharepoint based and because of that the following applies:

• Checking the option “Grant Authenticated Users access to the FIM Portal Site” will grant the Authenticated Users the READ permission within the Sharepoint Site for the FIM Portal (~/IdentityManagement)
• Checking the option “Grant Authenticated Users access to the FIM Password Reset Site” will grant the Authenticated Users the READ permission within the Sharepoint Site for the FIM Password Reset Portal (~/PasswordPortal)

–

So, if you did not check those checkboxes during the installation of the FIM Portal and you are having issues with accessing the FIM Portal, you can configure the correct permissions using the FIM Admin account, which is the account that installed the FIM Portal. That account gets Full Control by default within the sharepoint site(s). See figure 3 for this.

Site Actions (in upper right corner) –> Site Settings –> Site Permissions (under “Users and Permissions”) –> Authenticated Users with READ

–

If you are installing Forefront Identity Manager 2010 R2 (FIM 2010 R2), during the installation of the FIM Portal you, at some point, will be presented with the following screen.

Figure 5: Configuring The FIM Service And FIM Portal During The Installation Of FIM 2010 R2

–

In FIM 2010 R2 only the FIM Portal is sharepoint based and because of that the following applies:

• Checking the option “Grant Authenticated Users access to the FIM Portal Site” will grant the Authenticated Users the READ permission within the Sharepoint Site for the FIM Portal (~/IdentityManagement)

–

So, if you did not check those checkboxes during the installation of the FIM Portal and you are having issues with accessing the FIM Portal, you can configure the correct permissions using the FIM Admin account, which is the account that installed the FIM Portal. That account gets Full Control by default within the sharepoint site. See figure 3 for this.

–

So, are we there yet? Nope!

–

One final step to go. While logged on as a FIM Admin, you need to enable the following MPRs that are by default disabled:

• “General: Users can read non-administrative configuration resources”
• “User management: Users can read attributes of their own”

–

To check if those MPRs are enabled you can use the following script as an example: How to Use PowerShell to Check Your MPR Configuration for FIM Portal Access (en-US)

–

ALL OF THE ABOVE IS REQUIRED TO BE ABLE TO ACCESS THE FIM PORTAL AS A REGULAR USER!!!

–

Below you will some examples about what you will see when something is wrong.

–

You will see the following error when the user does not exist at all as an identity in the FIM Portal or when an identity does exist in the FIM Portal but it does not have the objectSID attribute populated. In FIM 2010 R2 it actually tells you what is wrong. In FIM 2010 it presented you a vague error.

Figure 6: The Error You Will See In FIM 2010 R2 When No Valid Person Object Exists In The FIM Portal Or It Does Not Have The ObjectSID Populated

–

When you look in the Forefront Identity Manager Event Log you will find the following event ID actually telling the identity does not exist in the FIM Portal

Figure 7: The Error You Will See In FIM 2010 R2 When No Valid Person Object Exists In The FIM Portal OR When It Does Exist But It Has No ObjectSID Populated

–

You will see the following error when the user does exist as an identity in the FIM Portal (with ObjectSID et all populated), but the checkbox for “Grant Authenticated Users access to the FIM Portal Site” was not checked or someone removed the READ permissions for Authenticated Users in the Sharepoint Site. Most likely it will be the case the checkbox was not checked.

Figure 8: The Error You Will See When Authenticated Users Was Not Configured With At Least READ Permissions

–

Yes! And below is how it looks like when everything is OK for a regular user account.

Figure 9: The FIM Portal For A Regular User Account

–

Figure 10: The FIM Portal For The FIM Admin Account (Includes More Than The Default Stuff As I added It)

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————