Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-01-09) FIM Portal Access For Any Regular AD User Account – How To Enable And Troubleshoot

Posted by Jorge on 2013-01-09


The article mentioned here and here, which I wrote, is based upon FIM 2010. This article, however, is based upon FIM 2010 R2, and you can also consider it an updated version of the article on the FIM TechNet Forum.

Let’s start at the beginning…

To be able to log on to and access the FIM Portal as any regular user account, the following MUST be true:

  1. A user account exists in AD and is enabled;
  2. The attributes “Domain”, “Account Name” and “Resource SID” on the Person object in the FIM Portal must have matching values of the corresponding user account in AD;
  3. The correct permissions within the FIM Portal must be in place

[AD.1]

This is a no-brainer, but it is the most important one. No user = no access!

[AD.2]

Now that you have a user account in AD, you must create a corresponding identity in the FIM Portal for that user account. HOW you achieve that is not really important in the context of getting access. The following options exist to create the identity within the FIM Portal:

Figure 1: Fixing The ObjectSID (Repairing Or Adding) Of A Person Object In The FIM Portal

When you are done you can check the attributes on the Person object in the FIM Portal by using the following PowerShell script as an example: How to Use PowerShell to Display a User’s Attribute Values for FIM Portal Access (en-US). To see the corresponding values in AD you can issue the following PowerShell command:

Import-Module ActiveDirectory
Get-ADUser "<sAMAccountName>" -Properties displayName,sAMAccountName,userPrincipalName,objectSID | Select displayName,sAMAccountName,userPrincipalName,objectSID | FL

Figure 2: Viewing The Minimum Required Attributes Of An Object In The FIM Portal And Compare It To The Values In AD

[AD.3]

During the installation of the FIM Portal you need to grant authenticated users access within the sharepoint site(s). The checkbox(es) shown during the install, when checked, configure the sharepoint based permissions for the site collection. If you want to see what it looks like for the FIM Portal, see the picture below.

Figure 3: The Result In Sharepoint Of Checking “Grant Authenticated Users access to the FIM Portal Site” During The Installation Of The FIM Portal

Be aware though! There is a subtle difference between FIM 2010 and FIM 2010 R2.

If you are installing Forefront Identity Manager 2010 (FIM 2010), during the installation of the FIM Portal you, at some point, will be presented with the following screen.

Figure 4: Configuring The FIM Service And FIM Portal During The Installation Of FIM 2010

In FIM 2010 both the FIM Portal and the FIM Password Reset Portal are sharepoint based and because of that the following applies:

  • Checking the option “Grant Authenticated Users access to the FIM Portal Site” will grant the Authenticated Users the READ permission within the Sharepoint Site for the FIM Portal (~/IdentityManagement)
  • Checking the option “Grant Authenticated Users access to the FIM Password Reset Site” will grant the Authenticated Users the READ permission within the Sharepoint Site for the FIM Password Reset Portal (~/PasswordPortal)

So, if you did not check those checkboxes during the installation of the FIM Portal and you are having issues with accessing the FIM Portal, you can configure the correct permissions using the FIM Admin account, which is the account that installed the FIM Portal. That account gets Full Control by default within the sharepoint site(s). See figure 3 for this.

Site Actions (in upper right corner) –> Site Settings –> Site Permissions (under “Users and Permissions”) –> Authenticated Users with READ

If you are installing Forefront Identity Manager 2010 R2 (FIM 2010 R2), during the installation of the FIM Portal you, at some point, will be presented with the following screen.

Figure 5: Configuring The FIM Service And FIM Portal During The Installation Of FIM 2010 R2

In FIM 2010 R2 only the FIM Portal is sharepoint based and because of that the following applies:

  • Checking the option “Grant Authenticated Users access to the FIM Portal Site” will grant the Authenticated Users the READ permission within the Sharepoint Site for the FIM Portal (~/IdentityManagement)

So, if you did not check that checkbox during the installation of the FIM Portal and you are having issues with accessing the FIM Portal, you can configure the correct permissions using the FIM Admin account, which is the account that installed the FIM Portal. That account gets Full Control by default within the sharepoint site. See figure 3 for this.
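The following is an added example, not a script from this post, for checking the SharePoint side of [AD.3] without clicking through Site Settings. It reports whether Authenticated Users holds at least READ on the FIM Portal site, either directly (which is what the install checkbox creates, see figure 3) or through a SharePoint group. It assumes the SharePoint 2010 PowerShell snap-in is available on the portal server, that you run it as an account with shell access to the farm, and that the portal URL and the classic-mode login name "NT AUTHORITY\authenticated users" match your environment; all three are assumptions.

```powershell
# Added example: verify that Authenticated Users has at least READ on the FIM Portal site.
# Assumptions: SharePoint 2010 snap-in installed, classic Windows authentication on the
# portal web application, and the default FIM Portal URL below.
param(
    [string]$PortalUrl = "http://localhost/IdentityManagement"   # assumption: default portal URL
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Classic-mode login name of the well-known group (assumption; claims mode encodes it differently)
$authUsersLogin = "NT AUTHORITY\authenticated users"

# "At least READ" means the bound role definition allows viewing pages
function Test-ReadPermission {
    param($RoleDefinitionBindings)
    foreach ($role in $RoleDefinitionBindings) {
        if ($role.BasePermissions -band [Microsoft.SharePoint.SPBasePermissions]::ViewPages) { return $true }
    }
    return $false
}

$web = Get-SPWeb -Identity $PortalUrl
try {
    $hasRead = $false
    foreach ($assignment in $web.RoleAssignments) {
        $member = $assignment.Member
        $roles  = ($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "

        if ($member.LoginName -eq $authUsersLogin) {
            # Direct assignment, as created by the "Grant Authenticated Users access" checkbox
            Write-Host "Direct assignment : $($member.LoginName) -> $roles"
            if (Test-ReadPermission $assignment.RoleDefinitionBindings) { $hasRead = $true }
        }
        elseif ($member -is [Microsoft.SharePoint.SPGroup]) {
            # Indirect: Authenticated Users was added to a SharePoint group that holds the role
            if ($member.Users | Where-Object { $_.LoginName -eq $authUsersLogin }) {
                Write-Host "Via group '$($member.Name)' -> $roles"
                if (Test-ReadPermission $assignment.RoleDefinitionBindings) { $hasRead = $true }
            }
        }
    }

    if ($hasRead) {
        Write-Host "OK: Authenticated Users has at least READ on $PortalUrl"
    } else {
        Write-Warning "Authenticated Users has no READ permission on $PortalUrl."
        Write-Warning "As the FIM Admin: Site Actions -> Site Settings -> Site Permissions -> grant Read to Authenticated Users."
    }
}
finally {
    $web.Dispose()
}
```

Run it on the portal server as the FIM Admin (or any farm shell admin), for example with `-PortalUrl http://fimportal.example.local/IdentityManagement` (a constructed hostname). If it warns, you are looking at the situation behind figure 8, and the fix is the Site Permissions path the post describes.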

So, are we there yet? Nope!

One final step to go. While logged on as a FIM Admin, you need to enable the following MPRs that are by default disabled:

  • “General: Users can read non-administrative configuration resources”
  • “User management: Users can read attributes of their own”

To check if those MPRs are enabled you can use the following script as an example: How to Use PowerShell to Check Your MPR Configuration for FIM Portal Access (en-US)
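The two scripts linked above are not reproduced here. The following is an added example of my own that checks [AD.1], [AD.2] and the two MPRs for one user in a single run, so that you can see which of the requirements fails before looking at the portal error. It assumes the FIMAutomation snap-in and the ActiveDirectory module are present on the machine, that the FIM Service listens on the default URI below, and that the user lives in a domain the machine can translate SIDs for; the script name and parameters are mine, not the post's.

```powershell
# Added example (not the post's own script): check the prerequisites for FIM Portal access
# for one AD user: [AD.1] account exists and is enabled, [AD.2] Domain/AccountName/ObjectSID
# match the Person object in the FIM Portal, and the two MPRs are enabled.
# Assumption: FIMAutomation snap-in installed and default FIM Service URI.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,
    [string]$FimServiceUri = "http://localhost:5725/ResourceManagementService"  # assumption: default port
)

Import-Module ActiveDirectory
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Flatten an ExportObject returned by Export-FIMConfig into name -> value
function ConvertTo-AttributeTable {
    param($ExportObject)
    $table = @{}
    foreach ($attr in $ExportObject.ResourceManagementObject.ResourceManagementAttributes) {
        if ($attr.IsMultiValue) { $table[$attr.AttributeName] = $attr.Values }
        else                    { $table[$attr.AttributeName] = $attr.Value }
    }
    return $table
}

# [AD.1] the user account must exist in AD and be enabled
$adUser = Get-ADUser -Identity $SamAccountName -Properties displayName,sAMAccountName,objectSID,Enabled
if ($adUser.Enabled) { Write-Host "AD.1 OK  : $SamAccountName exists and is enabled" }
else                 { Write-Warning "AD.1 FAIL: $SamAccountName exists but is disabled" }

# FIM stores ObjectSID as binary and Export-FIMConfig returns it base64-encoded,
# so encode the AD SID the same way before comparing.
$sidBytes = New-Object byte[] $adUser.SID.BinaryLength
$adUser.SID.GetBinaryForm($sidBytes, 0)
$adSidBase64 = [Convert]::ToBase64String($sidBytes)
# NetBIOS domain name, as FIM expects in "Domain" (translation via the SID, so trusted domains work too)
$adDomain = $adUser.SID.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[0]

# [AD.2] look up the Person object in the FIM Portal by AccountName and compare the three attributes
$export = Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig "/Person[AccountName='$SamAccountName']"
if ($null -eq $export) {
    Write-Warning "AD.2 FAIL: no Person object with AccountName '$SamAccountName' exists in the FIM Portal"
} else {
    $person   = ConvertTo-AttributeTable $export
    $expected = @{ Domain = $adDomain; AccountName = $adUser.SamAccountName; ObjectSID = $adSidBase64 }
    foreach ($name in $expected.Keys) {
        # ObjectSID is base64, so compare it case-sensitively; names are case-insensitive
        $match = if ($name -eq 'ObjectSID') { $person[$name] -ceq $expected[$name] } else { $person[$name] -eq $expected[$name] }
        if ($match) { Write-Host "AD.2 OK  : $name matches ($($expected[$name]))" }
        else        { Write-Warning "AD.2 FAIL: $name is '$($person[$name])' in FIM but '$($expected[$name])' in AD" }
    }
}

# [MPRs] both must be enabled for a regular user to read the configuration and their own attributes
$requiredMprs = @(
    "General: Users can read non-administrative configuration resources",
    "User management: Users can read attributes of their own"
)
foreach ($mprName in $requiredMprs) {
    $mpr = Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig "/ManagementPolicyRule[DisplayName='$mprName']"
    if ($null -eq $mpr) { Write-Warning "MPR FAIL : '$mprName' was not found"; continue }
    $mprAttrs = ConvertTo-AttributeTable $mpr
    if ($mprAttrs['Disabled'] -eq 'true') { Write-Warning "MPR FAIL : '$mprName' is disabled" }
    else                                  { Write-Host "MPR OK   : '$mprName' is enabled" }
}
```

Save it as, for example, Test-FimPortalAccess.ps1 (an assumed name) and run it as the FIM Admin with `-SamAccountName <sAMAccountName>`. A FAIL on AD.2 with no Person object, or with a mismatching ObjectSID, is the condition behind figures 6 and 7; a FAIL on the MPRs leaves the user able to log on but seeing an empty or broken portal, which is why the post lists them as the final step.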

ALL OF THE ABOVE IS REQUIRED TO BE ABLE TO ACCESS THE FIM PORTAL AS A REGULAR USER!!!

Below you will find some examples of what you will see when something is wrong.

You will see the following error when the user does not exist at all as an identity in the FIM Portal, or when an identity does exist in the FIM Portal but it does not have the objectSID attribute populated. In FIM 2010 R2 it actually tells you what is wrong. In FIM 2010 it presented you with a vague error.

Figure 6: The Error You Will See In FIM 2010 R2 When No Valid Person Object Exists In The FIM Portal Or It Does Not Have The ObjectSID Populated

When you look in the Forefront Identity Manager Event Log you will find the following event ID, which actually tells you that the identity does not exist in the FIM Portal.

Figure 7: The Error You Will See In FIM 2010 R2 When No Valid Person Object Exists In The FIM Portal OR When It Does Exist But It Has No ObjectSID Populated

You will see the following error when the user does exist as an identity in the FIM Portal (with ObjectSID and all the other attributes populated), but the checkbox for “Grant Authenticated Users access to the FIM Portal Site” was not checked or someone removed the READ permissions for Authenticated Users in the Sharepoint Site. Most likely the checkbox was simply not checked.

Figure 8: The Error You Will See When Authenticated Users Was Not Configured With At Least READ Permissions

Yes! And below is what it looks like when everything is OK for a regular user account.

Figure 9: The FIM Portal For A Regular User Account

Figure 10: The FIM Portal For The FIM Admin Account (Includes More Than The Default Stuff As I added It)

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/


2 Responses to “(2013-01-09) FIM Portal Access For Any Regular AD User Account – How To Enable And Troubleshoot”

  1. Matt said

    Users may also see a Service Not Available message if their IE browser doesn’t trust the FIM Portal site for Windows Integrated Authentication. FIM 2010 R2.

  2. […] had already eliminated the usual suspects for not being able to access the portal (ObjectSID, MPRs, etc), so this stumped me for a little […]
