Some notes on installing FIM Reporting

I’m writing this as I go through the installation process to keep a note of what steps I’ve had to take and what troubleshooting issues I come across.

1. Install SQL Server on the SCSM DA and DW servers. The DW server also needs SSRS installed. See this (http://technet.microsoft.com/en-us/library/ff461215.aspx) for steps to configure SSRS.

2. Created AD groups for use during the installation of both the DA and DW.

3. Despite what’s written in a lot of documentation, the Authorization Manager hotfix isn’t required.

4. Installed SCSM DA, SCSM DW and ran Windows Update.

5. Installed the following hotfixes on the SCSM server: KB2542118, KB2561430, KB2561415. [Note: if you need the SCSM reporting portal, install it before applying these updates. If they’ve already been applied, there’s an unsupported workaround here: http://systemscentre.blogspot.com/2011/03/installing-service-manager-sp1…. One step not mentioned in the post is to re-apply the CU after you install the portal to make sure all applications receive the patch. That will also re-apply the registry key correctly.]

6. Installed the SCSM Service Manager Console on the same server that hosts the FIM Reporting Services.

7. In the FIM portal, enabled ReportLogging via All Resources–> System Configuration Settings.

8. In the SCSM DA application, registered the data warehouse.

9. Waiting, waiting, waiting for the MPSync job to complete. To verify, when the job has stopped, double click the job and verify everything has a status of Associated or Imported. I left this running overnight, so not sure how long it takes.

10. Installed FIM Reporting feature on the portal. Waited for the management packs to complete. (This took a decent amount of time.)

11. Installed PowerShell on the SCSM DW and ran Set-ExecutionPolicy Unrestricted.

12. Backed up SQL databases and then, ran the ./FIMPostInstallScriptsForDatawarehouse.ps1 script found in the separate download on the connect site for tech notes. (Documentation says to be sure the MPSync process is done before doing this.)

13. On FIM portal, executed Start-FIMReportingInitialSync.ps1. Waited on the ETL jobs to complete in the Service Manager. [Note: in the FIM_R2_TestLabGuide_Reporting.aspx document there is a PowerShell script that can optionally be run after this completes to see the data immediately in the reports.]

14. Ran a report in the Service Manager. Now trying to figure out what use to make of them.

Note: On Step 13, I received the error described here: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b38429f7-00…

The solution (for me) was to roll back the FIM Reporting installation, the SCSM DA and SCSM DW application installations and to re-install SQL on both SCSM servers to start from scratch. I was then extra careful to be sure the MPSync had completed, checking in multiple places (the Management Packs and the MPSync job details).

The URL for the reporting service can be configured via the SQL Reporting Services Configuration Manager. (http://msdn.microsoft.com/en-us/library/ms188133.aspx)

EDIT:
I just saw on this page (http://technet.microsoft.com/en-us/library/jj133844%28v=ws.10%29.aspx) that there is a script that can be run in a loop to speed up the initial reporting load process. Will have to try it next time.

SERVICE ACCOUNTS:
http://www.bpmi.nl/blog/?p=1033 provides information on the service accounts:

SVC_SCSM_Install: SCSM Install Account

SVC_SCSM_Service: SCSM service Account. Must have rights on the SQL Server and must be local admin. Must also be local admin on the SQL server during installation

SVC_SCSM_Workflow: Workflow Account, must be mail enabled

SVC_SCSM_Report: Report Service Accounts, must have rights on the SCSM_DW databases

Next we must give the SVC_SCSM_Install Account local Admin rights on the SCSM01 Server, we must give the SVC_SCSM_Service Account local admin rights on the SQL Server and we must give the SVC_SCSM_Service Account Create DB rights on the SQL Server.

RESOURCES:
1. The documentation that comes in the download from the connect site.
2. http://www.wapshere.com/missmiis/installing-reporting-for-fim-r2
3. http://tassietech.blogspot.com/
4. http://www.virmansec.com/blogs/oalomari/archive/2010/05/15/installing-an…
5. http://technet.microsoft.com/en-us/library/hh552491(v=ws.10).aspx

NOTE: I was getting an error 1503 when trying to start the System Center Data Access Service. Although I followed the instructions here (http://blogs.technet.com/b/csstwplatform/archive/2012/01/02/scom-2007-r2-unable-to-open-the-scom-console-after-server-reboot-the-sdk-service-is-stopped.aspx) I think the real fix was closing the Service Manager Console and then trying to start the service.

FK_ObjectValueReference_BindingInternal Conflict

I was receiving this error when exporting to FIM:

The INSERT statement conflicted with the FOREIGN KEY constraint "FK_ObjectValueReference_BindingInternal". The conflict occurred in database "FIMService", table "fim.BindingInternal".

I also noticed I could not write to one of the new multivalued string attributes I had created via the portal. That would fail with a notice that the reason for failure was “Other”.

Eventually, removing the binding and the attribute and recreating those seemed to fix it. I’m not sure if the deletion of just the binding would have worked, but it may have.

UPDATE: This happened again and I just removed the binding and that didn’t solve the problem. I did notice that it was just one particular value that I couldn’t set in the MVA. Strange. Still working on figuring this out.

EXECUTE permission was denied on the object ‘ReadSynchronizationError’

I received messages about the Export on the FIM MA taking too long and my previous trick of restarting the FIM Service didn’t help.

Looking in the event viewer, I saw this error reported:

Unhandled exception, the CLR will not terminate: System.Data.SqlClient.SqlException (0x80131904): The EXECUTE permission was denied on the object 'ReadSynchronizationError', database 'FIMService', schema 'sync'.

I know better than to change anything in the FIMService database, but I did compare permissions from a working instance for the service accounts and everything seemed to be in order.

After some pondering on the error message, I cleared out the connector spaces and re-initiated the environment. Seems to have worked. Glad this was on a dev server.

Didn’t see anything else posted online about this error, so maybe it’s a one off and it’ll never happen to anyone else again…

Exporting to FIM “export session has timed out”

While exporting a very tiny number of objects to FIM, the export operation gave a stopped-server error and the Event Viewer for FIM reported the “export session has timed out”. It then rambled on a bit about connection times taking too long, resetting the timeout value, etc.

After failed attempts to fix this by rebooting the FIM Sync Server, clearing out the metaverse, etc., the solution turned out to be blindingly obvious: restart the FIM Service.

Email Address as Login for AD

This is a simple thing I get asked about from time to time. Frequently, there is a requirement for users to be able to login to the Forefront Identity Manager (FIM) portal with an email address that does not have the same domain as the AD domain the portal is authenticating to.

The implementation is simple: create an attribute flow from EmailAddress to userPrincipalName. That should do it.

FIMAutomation on a computer without the FIM service

Yet again Paolo has a useful FIM post: https://espace.cern.ch/idm/Lists/Posts/Post.aspx?ID=25 (Thank you, Paolo!)

This time it’s on installing the FIMAutomation on a computer without the FIM service installed.

I had to change one minor thing in his steps, so wanted to post them here mainly as a bookmark for myself. I’ve just copied and pasted his post but changed the step to what worked for me.

From the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service folder on the FIM server, copy the following files:
• Microsoft.ResourceManagement.Automation.dll
• Microsoft.IdentityManagement.Logging.dll
• Microsoft.ResourceManagement.dll

Then, from an elevated Visual Studio prompt [edit: I was able to do this with a regular command prompt opened via “Run as Administrator”], register the snapin and GAC-install the other assemblies:
(1) > InstallUtil.exe -i .\Microsoft.ResourceManagement.Automation.dll
(2) > gacutil -i Microsoft.ResourceManagement.dll
(3) > gacutil -i Microsoft.IdentityManagement.Logging.dll

If you are installing the FIM PowerShell snapin on a 64-bit machine, make sure that you are running the correct version of InstallUtil, which should be
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
while the VS prompt picks by default the one in
C:\Windows\Microsoft.NET\Framework\v2.0.50727\
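The same three steps as an added PowerShell script (not from the original post or from Paolo's), which picks the InstallUtil matching the bitness of the PowerShell process it runs in and refuses to GAC-install an assembly whose Authenticode signature does not verify, since the files were copied from another server. It assumes the DLLs are already in $SourceDir and that gacutil.exe from the Windows SDK is at $GacUtil; both paths are assumptions to adjust.

```powershell
# Added example, not code from the original post. Assumes the three DLLs were copied
# into $SourceDir and that gacutil.exe (Windows SDK) lives at $GacUtil.
param(
    [string]$SourceDir = 'C:\FIMAutomation',
    [string]$GacUtil   = 'C:\Program Files\Microsoft SDKs\Windows\v7.0A\Bin\gacutil.exe'
)
$ErrorActionPreference = 'Stop'

# Run this from a 64-bit PowerShell on a 64-bit machine: the snapin must be registered
# with the InstallUtil of the same bitness as the shell that will load it.
$framework   = if ([IntPtr]::Size -eq 8) { 'Framework64' } else { 'Framework' }
$installUtil = Join-Path $env:windir "Microsoft.NET\$framework\v2.0.50727\InstallUtil.exe"

$assemblies = @(
    'Microsoft.ResourceManagement.Automation.dll',
    'Microsoft.ResourceManagement.dll',
    'Microsoft.IdentityManagement.Logging.dll'
)

# The GAC is machine-wide, so check each copied file's signature before installing it.
foreach ($name in $assemblies) {
    $path = Join-Path $SourceDir $name
    $sig  = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $path ($($sig.Status)); not installing."
    }
}

# Step (1): register the snapin.
& $installUtil -i (Join-Path $SourceDir $assemblies[0])
if ($LASTEXITCODE -ne 0) { throw "InstallUtil failed with exit code $LASTEXITCODE" }

# Steps (2) and (3): GAC-install the two dependencies.
foreach ($name in $assemblies[1..2]) {
    & $GacUtil -i (Join-Path $SourceDir $name)
    if ($LASTEXITCODE -ne 0) { throw "gacutil failed for $name (exit code $LASTEXITCODE)" }
}

# Verify the registration took and the snapin actually loads in this shell.
if (-not (Get-PSSnapin -Registered -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    throw 'FIMAutomation snapin is not registered for this PowerShell bitness.'
}
Add-PSSnapin FIMAutomation
Get-Command -PSSnapin FIMAutomation | Select-Object Name
```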

SharePoint CheckSuspiciousFilePath

I recently installed SharePoint Foundation and when I tried to navigate to Central Administration, I was receiving the Resource Not Found 404 error.

By doing a View Source on the page, I saw that the error was being thrown in a method called CheckSuspiciousFilePath.

So, I went to IIS and checked the physical path in the basic settings for the administration site. Turns out, the file path had a duplicate \ in it: D:\\. By changing that to D:\, the site started working.

(Thanks to this post: http://mosshowto.blogspot.com/2008/10/ressource-cannot-be-found-error.ht… for the helpful tip on using View Source to see the error.)

FIM Troubleshooting

The “Service not available” message is one of the most frustrating things to see when working with FIM. Thomas posted a great post on how to get the stack trace instead. (http://setspn.blogspot.com/2010/06/fim-2010-enable-advanced-error-loggin…) I always forget commenting out the ILMErrors section. (Thanks, Thomas!)

Additionally, the problem I encounter sometimes is a double http://http:// in the service address in the web.config. Not sure what causes the FIM installation to do that on repair (I probably did something wrong), but it’s easy to fix once you can see the error messages.

C# Create Management Policy Rule (MPR) with FIM 2010 Resource Management Client

The developers of the Codeplex project for the FIM 2010 Resource Management Client (http://fim2010client.codeplex.com/) did a great job providing a tool that is straightforward to use and easy to learn.

One thing I could not find an example for was creating a management policy rule. It didn’t take too long to figure out, but I thought I’d post the code here.

There are functions to do the following:

– Create a Set
– Retrieve the ObjectID of the Set
– Create the MPR

I only needed one specific type of MPR, so the code isn’t ideal, but may help someone get started a little faster than I did.

// Namespaces used by the three methods below: System.Net for NetworkCredential, the
// rest from the Codeplex FIM 2010 Resource Management Client assemblies.
using System.Net;
using Microsoft.ResourceManagement.Client;
using Microsoft.ResourceManagement.ObjectModel;
using Microsoft.ResourceManagement.ObjectModel.ResourceTypes;

// Shared by the methods below. The "user"/"pwd"/"domain" literals are placeholders;
// read real credentials from a secure source (or use CredentialCache.DefaultNetworkCredentials)
// rather than hard-coding them.
private NetworkCredential credentials;

==========
CREATE SET
==========
public void CreateSet(string sSetName, string sFilter)
{
    using (DefaultClient client = new DefaultClient())
    {
        credentials = new NetworkCredential("user", "pwd", "domain");
        client.ClientCredential = credentials;
        client.RefreshSchema();

        RmSet set = new RmSet()
        {
            DisplayName = sSetName,
            // sFilter must be the complete Filter XML element that wraps the XPath
            // expression, which is how the FIM Service stores a Set's filter.
            Filter = sFilter
        };

        RmReference newSetId = client.Create(set);
    }
}

=================
GET SET OBJECT ID
=================
private RmReference GetSetObjectID(string sDisplayName)
{
    RmReference sObjectID = null;
    credentials = new NetworkCredential("user", "password", "domain");
    using (DefaultClient client = new DefaultClient())
    {
        client.ClientCredential = credentials;

        // sDisplayName is spliced straight into the XPath query, so an apostrophe in the
        // name breaks it; only pass display names you control.
        string query = "/Set[DisplayName='" + sDisplayName + "']";

        // lblResults is a label on the author's WinForms form; it just echoes the query.
        lblResults.Text = query;

        // If several Sets share the display name, the last one enumerated wins; if none
        // matches, null is returned and the MPR below gets an empty set reference.
        foreach (RmSet set in client.Enumerate(query))
        {
            sObjectID = set.ObjectID;
        }
    }

    return sObjectID;
}

==========
CREATE MPR
==========
// Builds a Request MPR that grants the requestor set all six actions on every
// attribute ("*") of the target set. That is a broad grant: scope ActionParameter
// to the attributes actually needed before using this outside a lab.
public void CreateMPR(string sMPRName, string sRequestorSet, string sTargetSet)
{
    using (DefaultClient client = new DefaultClient())
    {
        credentials = new NetworkCredential("user", "password", "domain");
        client.ClientCredential = credentials;
        client.RefreshSchema();

        RmResource mprNew = new RmResource();

        mprNew.ObjectType = "ManagementPolicyRule";
        mprNew.DisplayName = sMPRName;

        //Grant Right
        var keyGrantRight = new RmAttributeName("GrantRight");
        if (!mprNew.Attributes.ContainsKey(keyGrantRight))
        {
            var attributeValueGrantRight = new RmAttributeValueSingle();
            //Have to add the attribute to the resource since the request would not have returned it.
            mprNew.Attributes.Add(keyGrantRight, attributeValueGrantRight);
        }
        mprNew["GrantRight"].Value = "true";

        //Action Parameter ("*" = all attributes)
        var keyActionParameter = new RmAttributeName("ActionParameter");
        if (!mprNew.Attributes.ContainsKey(keyActionParameter))
        {
            var attributeValueActionParameter = new RmAttributeValueSingle();
            mprNew.Attributes.Add(keyActionParameter, attributeValueActionParameter);
        }
        mprNew["ActionParameter"].Value = "*";

        //ActionType - Multivalued attribute
        var keyActionType = new RmAttributeName("ActionType");
        if (!mprNew.Attributes.ContainsKey(keyActionType))
        {
            var attributeValueActionType = new RmAttributeValueMulti();
            mprNew.Attributes.Add(keyActionType, attributeValueActionType);
        }
        mprNew["ActionType"].Values.Add("Create");
        mprNew["ActionType"].Values.Add("Delete");
        mprNew["ActionType"].Values.Add("Modify");
        mprNew["ActionType"].Values.Add("Read");
        mprNew["ActionType"].Values.Add("Add");
        mprNew["ActionType"].Values.Add("Remove");

        //Principal Set (who may make the request)
        var keyPrincipalSet = new RmAttributeName("PrincipalSet");
        if (!mprNew.Attributes.ContainsKey(keyPrincipalSet))
        {
            var attributeValuePrincipalSet = new RmAttributeValueSingle();
            mprNew.Attributes.Add(keyPrincipalSet, attributeValuePrincipalSet);
        }
        mprNew["PrincipalSet"].Value = GetSetObjectID(sRequestorSet);

        //Resource Current Set (targets before the request)
        var keyResourceCurrentSet = new RmAttributeName("ResourceCurrentSet");
        if (!mprNew.Attributes.ContainsKey(keyResourceCurrentSet))
        {
            var attributeValueResourceCurrentSet = new RmAttributeValueSingle();
            mprNew.Attributes.Add(keyResourceCurrentSet, attributeValueResourceCurrentSet);
        }
        mprNew["ResourceCurrentSet"].Value = GetSetObjectID(sTargetSet);

        //Resource Final Set (targets after the request)
        var keyResourceFinalSet = new RmAttributeName("ResourceFinalSet");
        if (!mprNew.Attributes.ContainsKey(keyResourceFinalSet))
        {
            var attributeValueResourceFinalSet = new RmAttributeValueSingle();
            mprNew.Attributes.Add(keyResourceFinalSet, attributeValueResourceFinalSet);
        }
        mprNew["ResourceFinalSet"].Value = GetSetObjectID(sTargetSet);

        //Management Policy Rule Type
        var keyManagementPolicyRuleType = new RmAttributeName("ManagementPolicyRuleType");
        if (!mprNew.Attributes.ContainsKey(keyManagementPolicyRuleType))
        {
            var attributeValueManagementPolicyRuleType = new RmAttributeValueSingle();
            mprNew.Attributes.Add(keyManagementPolicyRuleType, attributeValueManagementPolicyRuleType);
        }
        mprNew["ManagementPolicyRuleType"].Value = "Request";

        RmReference newMprId = client.Create(mprNew);
    }
}
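An MPR created this way grants its requestor set every action on every attribute of the target set, so it is worth being able to find such rules again. Here is an added PowerShell audit (not from the original post or the Codeplex client) that uses the FIMAutomation snapin's Export-FIMConfig to list the granting Request MPRs whose ActionParameter contains "*"; it assumes the snapin is registered and the FIM Service answers at $Uri.

```powershell
# Added example, not code from the original post. Assumes the FIMAutomation snapin is
# registered on this machine and the FIM Service listens at $Uri.
param([string]$Uri = 'http://localhost:5725/ResourceManagementService')
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Reads one attribute (single or multi-valued) off an exported resource.
function Get-RmAttributeValue($exported, [string]$name) {
    $attr = $exported.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return $attr.Value
}

# Pull only the granting Request MPRs; the "*" test is done client-side so the XPath
# stays simple.
$xpath = "/ManagementPolicyRule[ManagementPolicyRuleType='Request' and GrantRight='true']"
$mprs  = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $xpath)

$findings = foreach ($m in $mprs) {
    $params = @(Get-RmAttributeValue $m 'ActionParameter')
    if ($params -notcontains '*') { continue }
    New-Object PSObject -Property @{
        DisplayName        = Get-RmAttributeValue $m 'DisplayName'
        Disabled           = Get-RmAttributeValue $m 'Disabled'
        ActionType         = (@(Get-RmAttributeValue $m 'ActionType') -join ',')
        PrincipalSet       = Get-RmAttributeValue $m 'PrincipalSet'
        ResourceCurrentSet = Get-RmAttributeValue $m 'ResourceCurrentSet'
        ResourceFinalSet   = Get-RmAttributeValue $m 'ResourceFinalSet'
    }
}

# Every row is an MPR whose requestor set can act on all attributes of its target set;
# confirm each is intended and narrow ActionParameter where it is not.
$findings | Format-Table DisplayName, Disabled, ActionType, PrincipalSet -AutoSize
```

Set references come back as urn:uuid strings; resolve them with a second Export-FIMConfig on /Set[ObjectID='...'] if you need display names in the report.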

FIM: failed to process the request: unknownerror and Unable to Process Your Request errors

I was getting variations on the Unable to Process Your Request error in the FIM portal whenever I tried to update or delete an object.

In addition to the generic error, I also received “failed to process the request: unknownerror” and my PowerShell commands all failed with refusing to dispatch the endpoint.

After about an hour of stumbling around, I realized the disk on the SQL Server was full.