FIM 2010 R2 Portal: Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ResourceIsMissing
I received a very strange error at one of my clients when an approver viewed or refreshed his "Approve Requests" list.
There are no errors within the FIM Portal requests, but the FIM event log shows the following error:
Source: Microsoft.ResourceManagemt
Event ID: 3
Requestor: urn:uuid:10c491fb-a0fa-4dd5-9a27-66f5a4465963
Correlation Identifier: 42f74d59-bb91-480a-9582-d9c588436ebb
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ResourceIsMissing
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Get(Message request)
After quite a bit of research and setting the event logging to Verbose, I discovered the following:
The error only appears in the event viewer when we search for approvals whose originator is the service account that updates users. The approvers who get this error do not have the correct rights: we use a web service call from another domain, and that call uses a service account that is a member of the FIM Administrators set to make the changes in the FIM Portal. Granting the users the correct permissions resolves the error.
The Identity Newbie
Wednesday, 21 November 2012
Wednesday, 2 May 2012
Move to Australia
After a month of saying my goodbyes to all my friends and family in South Africa, I have made a successful move to Canberra, Australia and joined one of the industry leaders in FIM, Unify Solutions.
Goodbye South Africa, hello Australia.
Friday, 6 April 2012
Problem registering for password reset after FIM 2010 Update 2 was applied
I encountered an issue with the SSPR registration as described in http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f90bb6f0-6318-4085-9575-6175187c6ed7/
I received the following:
I have installed FIM 2010 and updated it with Update 2. When I try to register for password reset, after answering the security gate questions I get the following error:
An error was encountered. Please call helpdesk or your system administrator.
When I enabled verbose logging for SSPR, I received a different error in the Password Management Proxy log:
mscorlib: System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimserver:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityTokenResponse(Message request)
at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request)
at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, MessageBuffer& messageBuffer)
at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer)
at Microsoft.IdentityManagement.PasswordReset.GinaOperation.STSSubmitAndRetrieveChallenges(Byte[] gateData)
The fix was the same as the one given in http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f90bb6f0-6318-4085-9575-6175187c6ed7/:
You patched your deployment somehow?
That's a bug and it is fixed in RTM Update1.
psexec.exe -s -d -i cmd.exe
mmc.exe
add Cert snap-in -> local machine -> computer account
Personal store --> right click the cert --> all tasks -->manage private key
grant FIMService service account read permission.
psexec can be found at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
I first downloaded PsTools from the above link. I opened CMD and went to the folder where PsTools was extracted. I then ran the following command:
psexec.exe -s -d -i cmd.exe
A second cmd window opens (running as SYSTEM because of the -s switch); in it I ran the following command and steps:
mmc.exe
add Cert snap-in -> local machine -> computer account
Personal store --> right click the cert --> all tasks --> manage private key
grant FIMService service account read permission.
After this I could successfully register for SSPR and could change the password.
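The mmc.exe "Manage Private Keys" steps above can also be scripted, which makes the grant repeatable and leaves a record of what was changed. The PowerShell below is added here as an example; it is not from the original post or from Microsoft's FIM documentation. It assumes a CSP-backed RSA key (the usual case on Windows Server 2008 R2), a placeholder certificate thumbprint, and the service account name tlab\fimsvc taken from the installer output later on this page; adjust both values for your deployment. If reading the private key fails with a keyset error because the account running the script has no access to the key, run the script under SYSTEM via psexec exactly as the post does for mmc.exe.

```powershell
# Added example (not part of the original post): scripted equivalent of
# "Manage Private Keys -> grant FIMService read" for a certificate in the
# Local Computer\Personal store. Run from an elevated PowerShell session
# on the FIM Service server.

$Thumbprint     = 'PLACEHOLDER_THUMBPRINT'   # assumption: replace with the STS certificate thumbprint
$ServiceAccount = 'tlab\fimsvc'              # assumption: FIMService service account (DOMAIN\user)

# Locate the certificate in the Local Computer\Personal (My) store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# For a CSP (legacy RSA) key the private key is a file under MachineKeys
# named after the key container's unique name. Accessing $cert.PrivateKey
# itself requires read access to the key, so this line is where a
# "Keyset does not exist" error shows up when run as the wrong account.
$uniqueName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $uniqueName) { throw "Could not resolve the key container name (CNG key? not handled here)" }
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$uniqueName"
if (-not (Test-Path -Path $keyPath)) { throw "Private key file not found at $keyPath" }

# Add an Allow/Read ACE for the service account. Existing entries are kept,
# and Read is the least privilege the service needs to use the key.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ServiceAccount, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the grant by reading the ACL back; this output is also what you
# would keep as the change record for the deployment.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Once the ACE is present, restart the Forefront Identity Manager Service so the STS picks up the key, then repeat the SSPR registration to confirm the CommunicationException is gone.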
Tuesday, 13 March 2012
FIM Service database could not be successfully deployed. Error: Timeout Expired
I had a similar issue to the one in http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b2de9b59-0ce4-4c9b-bfec-95662a4aa373.
The setup is in a lab environment with AD, SQL 2008 R2, Exchange 2010 and the FIM server each on separate servers. FIM Synchronization installed successfully on the same server and there is no connection problem with SQL.
The FIM server details:
OS: Windows Server 2008 R2 SP1,
SQL Native Client 2008 R2 is installed
SQL environment:
OS: Windows Server 2008 R2 SP1,
SQL 2008 R2
The installation account for "FIM Service & Portal" is the FIM Service account and has SYSADMIN rights on SQL.
There is a mailbox for the FIM Service account and it can access OWA. The EWS certificate was also added to "Trusted People - Local Computer". The FIM Service and Portal setup runs and then gives the following errors:
The first error screen:
The second error screen:
After the setup has performed a rollback the following error is found in the Application Log:
Product: Forefront Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action DeployAndPopulateDatabase, location: C:\Windows\Installer\MSI40E7.tmp, command: installApp=FIM action=DeployAndPopulateDatabase databaseName=FIMService namespaceName="fim" datFilesInstallDir="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Data" sqlserverName=****sql01.***.***.com FIMServiceAccountDomain=tlab FIMServiceAccountName=fimsvc SyncServiceAccountDomain=**** SyncServiceAccountName=fimma RunningUserDomain=**** RunningUserName=FIMsvc RunningUserEmail=CreateDatabase=True
This is the same error that "Yoann-78" posted about, but in my case the FIM Service account does have a mailbox and it does show in AD.
I found a workaround for this issue:
I installed FIM Portal & Service using a SQL instance local to the server. I then backed up the database and restored it to the SQL cluster. After that I could install FIM Portal & Service by selecting "use the existing database", but I still could not install by selecting "create a new database". I set the SQL timeout to "0" (unlimited) and we still encountered the issue.
Does anybody have ideas on what we can check to see why the database is not being created during the installation?
I could also successfully install FIM Portal & Service on the SQL cluster in the production environment, so the issue lies in the lab SQL cluster's configuration, but we could not troubleshoot it further as we were on a scheduled timeline to complete the project.