{"id":123,"date":"2015-03-04T12:27:35","date_gmt":"2015-03-04T17:27:35","guid":{"rendered":"http:\/\/www.ccrossan.com\/?p=123"},"modified":"2015-03-04T12:27:35","modified_gmt":"2015-03-04T17:27:35","slug":"fim-portal-no-access-for-fim-admin-account","status":"publish","type":"post","link":"https:\/\/crossan007.dev\/blog\/identity-management\/fim-portal-no-access-for-fim-admin-account\/","title":{"rendered":"FIM Portal No Access for FIM Admin Account"},"content":{"rendered":"\n
Tweet<\/a><\/div>\n

Today’s adventure with Forefront Identity Manager started when I was unable to log into the FIM portal<\/strong>. \u00a0Some digging revealed that the accountName attribute for my admin user had been set to null (probably from too much tinkering with sync rules).<\/p>\n

I realized that the accountName was probably the issue by two indicators: there was no account name attribute for the FIM Admin object in the FIM Synchronization Service Manager<\/strong> application, and because the query below referencing the ObjectValueString table lacked some attributes. The change-fimadmin.ps1<\/a> script helped me determine these\u00a0SQL sanity check queries.<\/p>\n

I had already eliminated the usual suspects<\/a> for not being able to access the portal (ObjectSID, MPRs, etc), so this stumped me for a little while<\/p>\n

Anyway, I needed a way to get back in the portal (and I didn’t want to re-install), so I came up with this script that uses the FIM PowerShell<\/strong> modules to set the accountName attribute of the FIM Admin user (identified by the well-known admin user GUID<\/a>).<\/p>\n

I used the script on\u00a0How to Use PowerShell to Set the Required Attributes for the FIM Portal Access<\/a>\u00a0as a starting point, modifying it to set only the accountName attribute.<\/p>\n

$adminAccountName=”accountNameHere”<\/p>\n

If(@(get-pssnapin | where-object {$_.Name -eq “FIMAutomation”} ).count -eq 0) {add-pssnapin FIMAutomation}<\/p>\n

Function SetAttribute
\n{
\nPARAM($CurObject, $AttributeName, $AttributeValue)
\nEND
\n{
\n$ImportChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
\n$ImportChange.Operation = 1
\n$ImportChange.AttributeName = $AttributeName
\n$ImportChange.AttributeValue = $AttributeValue
\n$ImportChange.FullyResolved = 1
\n$ImportChange.Locale = “Invariant”
\nIf ($CurObject.Changes -eq $null) {$CurObject.Changes = (,$ImportChange)}
\nElse {$CurObject.Changes += $ImportChange}
\n}
\n}
\n$curObject= export-fimconfig -uri $URI \u2013onlyBaseResources -customconfig (“\/Person[ObjectID='{7fb2b853-24f0-4498-9534-4e10589723c4}’]”)<\/p>\n

$ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject<\/p>\n

$ImportObject.ObjectType = $curObject.ResourceManagementObject.ObjectType
\n$ImportObject.TargetObjectIdentifier = $CurObject.ResourceManagementObject.ObjectIdentifier
\n$ImportObject.SourceObjectIdentifier = $CurObject.ResourceManagementObject.ObjectIdentifier
\n$ImportObject.State = 1<\/p>\n

SetAttribute -CurObject $ImportObject -AttributeName “AccountName” -AttributeValue\u00a0$adminAccountName
\n$ImportObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue<\/p>\n

 <\/p><\/blockquote>\n

After running this script, you should be able to log into the FIM portal again.<\/p>\n

Helpful places to look also include the FIMService database. \u00a0Particularly the ObjectValueString and UserSecurityIdentifiers Tables.<\/p>\n

 <\/p>\n

The following query represents the values for the FIM Admin User, and should yield 7 rows(Attribute Keys 1,66,68,70,117,125,132)<\/p>\n

SELECT TOP 1000 [AttributeID]
\n,[ObjectKey]
\n,[ObjectTypeKey]
\n,[AttributeKey]
\n,[SequenceID]
\n,[LocaleKey]
\n,[ValueString]
\n,[Multivalued]
\nFROM [FIMService].[fim].[ObjectValueString]<\/p>\n

where ObjectKey =2340<\/p><\/blockquote>\n

The following query represents the SID, in HEX form, of the FIM Admin User, and should yield 1 row:<\/p>\n

SELECT TOP 1000 [UserObjectKey]
\n,[SecurityIdentifier]
\nFROM [FIMService].[fim].[UserSecurityIdentifiers]
\nwhere UserObjectKey =2340<\/p>\n

 <\/p><\/blockquote>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Today’s adventure with Forefront Identity Manager started when I was unable to log into the FIM portal. \u00a0Some digging revealed that the accountName attribute for my admin user had been set to null (probably from too much tinkering with sync rules). I realized that the accountName was probably the issue by two indicators: there was … Continue reading FIM Portal No Access for FIM Admin Account<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[58,56,44,47,29],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n