FIM 2010 R2 - User Access Validation

Hi,
Does FIM 2010 R2 provide any feature for performing user access revalidation? If not, are there any 3rd party tools that can be used along with FIM. Is this something being introduced in MIM.
Thanks in Advance.

All, I have started seeing sporadic validation viewstate MAC errors in a non-HA password portal environment.  I have done some research on this but have not found a definitive fix.  Does anyone know what the best practice, or most effective way,
is to solve this error?
Thanks,
Scott
If this post has been useful please click the green arrow to the left or click Propose as answer

Similar Messages

  • How to show register attribute value in my register users report in FIM 2010 R2

    Hi,
    How to show register attribute value in my register users report in FIM 2010 R2?
    Please suggest on this.
    Regards
    Anil Kumar

    hello,
    the only way I know is manage the attribute descriptiona s a property and then enable the pivot table option "Show properties in tooltip".
    But I'm interested in what you mean with  "using
    "OLAP pivot table extension" is an option". How this works?
    Thanks
    bye
    Norman

  • Non-SysAdmins get error 18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.

    I have a SQL 2008 R2 system (10.50.4000) where I'm having problems connecting any user that is not a SysAdmin.  Example: I setup a new SQL Login to use Windows Authentication and grant that user db_datareader on the target database.  The user attempts
    to connect using Excel client or Access or SQL Management Studio and receives Error 18456.  The SQL Server Logs shows Error 18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.
    The strange part is that if I temporarily grant the user the sysadmin server role then the user can connect successfully and retrieve data.  But, if I take away that sysadmin server role then the user can no longer connect but again receives the Error
    18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.
    We've turned off UAC on the client machine to see if that was the problem, but no change.
    I have dropped and re-added the user's SQL Login (and the related database user login info).  No success.
    The Ring Buffers output shows:
    The Calling API Name: LookupAccountSidInternal
    API Name: LookupAccountSid
    Error Code: 0x534
    Thanks for any help.
    -Walt

    Yes, you understand correctly.  The user is logging onto a workstation (not the server) with a Windows Authenticated id.  The user is using either Excel or Access or SSMS and connecting to the server using a Windows Authenticated SQL Login account.
     If the account has sysadmin role (which is only for testing) then the connection is successful.  If I take away sysadmin role from the account then the connection is unsuccessful and the SQL Server Log shows Error
    18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.
    (SQL Authentication is not an option here.  I must use Windows Authentication).
    Any other troubleshooting assistance you can offer would be appreciated.  Thanks.
    -Walt 

  • How to get Reports for specific User that how many password has been reset using FIM SSPR in FIM 2010 R2 SSPR

    Hi,
    How to get Reports for specific User that how many password has been reset using FIM SSPR in FIM 2010 R2 SSPR
    Regards
    Anil Kumar

    Hello there Anil,
    A simple way to quickly get a overview is to look at the request history within the portal environment (note that this will expire in a few day based on your environment, after that you would need to FIM Reporting Module - but you could increase this to
    maybe 60 days to so, watch the DB size).
    To do this you could create some custom search scopes of do some custom queries. The creator of the SSPR activities always has the same GUID so you can use that so search.
    In your search scope you can use the following XPath to play with.
    - All Password Reset Requests - /Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation='Put']
    - All Completed Password Reset Requests - /Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and RequestStatus=‘Completed']
    You can play with the "RequestStatus".
    Hope this helps.
    Almero Steyn (http://www.puttyq.com) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer
    faster.]

  • FIM 2010 can provide user authentication?

    Hi
    Can FIM 2010 be used to provide authentication to a 3th party applcation developed, for example, in .NET?
    These are the steps the application must accomplish:
    1. User provides his username and his password on login page.
    2. .NET app calls FIM 2010 and validate user and password with the user informations created in a previous synchronization with AD.
    Thanks 

    On Wed, 3 Sep 2014 11:08:14 +0000, Kusma wrote:
    Can FIM 2010 be used to provide authentication to a 3th party applcation developed, for example, in .NET?
    These are the steps the application must accomplish:
    1. User provides his username and his password on login page.
    2. .NET app calls FIM 2010 and validate user and password with the user informations created in a previous synchronization with AD.
    FIM does not provide login authorization.
    Paul Adare - FIM CM MVP
    About the use of language: it is impossible to sharpen a pencil with a
    blunt
    ax. It is equally vain to try to do it with ten blunt axes instead.
    -- Dijkstra

  • How to trigger email notification when users fail to reset your password in fim 2010 r2.

    Hi,
    how to trigger email notification when users fail to reset  your password in fim 2010 r2
    Regards
    Anil Kumar

    Hi Sylvain,
    I did all thing as you told me.First i created Criteria based Set after this we created a Workflow type Action and Actvities Type Notifcation Email template and finally i called this Workflow in MPR as Set Transition and call Set that i was created below.and
    check Advance View of Set this gives
    <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect"
    xmlns="/Request[(Creator">http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Request[(Creator = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522') and (RequestStatus = 'Denied or PostProcessingError')]</Filter>
    But this is not working for me so please tell me where i am wrong.
    Regards
    Anil Kumar

  • How to trigger email notification when users fail to give correct answers to reset your password in fim 2010 r2

    Hi,
    How to trigger email notification when users fail to give correct answers to reset your password in fim 2010 r2
    Senario:I want put wrong answering to the Questions that i was during registration if i give wrong answers to the questions then a Email Notification should be trigger to Users.
    Regards
    Anil Kumar

    Hi Sylvain,
    I did all thing as you told me.First i created Criteria based Set after this we created a Workflow type Action and Actvities Type Notifcation Email template and finally i called this Workflow in MPR as Set Transition and call Set that i was created below.and
    check Advance View of Set this gives
    <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect"
    xmlns="/Request[(Creator">http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Request[(Creator = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522') and (RequestStatus = 'Denied or PostProcessingError')]</Filter>
    But this is not working for me so please tell me where i am wrong.
    Regards
    Anil Kumar

  • FIM 2010 Reporting installation reinstalls FIM portal

    Hi,
    We have FIM 2010 R2 running in production environment. We have added some of our custom developed sharepoint forms inside FIM's sharepoint site to enhance the User Interface.
    We now want to deploy FIM reporting feature. But, the installer of FIM re-installs the FIM portal along with installing reporting feature. After reporting feature installation wizard completes, we see that all our customized sharepoint pages are lost and
    default FIM web portal appears again.
    Is there any method of installing reporting feature withou reinstalling FIM portal?
    Mayank Vaish

    I would start with the IIS Bindings -- to which IPs and names is the Password Registration Portal bound?
    Try to access the site directly. It could simply be that the link is incorrect. The link is stored on the FIM Portal server in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal  and look at the value of
    RegistrationPortalUrl
    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

  • SharePoint Foundation 2013 SP1 for Microsoft Forefront Identity Manager (FIM) 2010 R2 SP1

    For subsequent installation FIM 2010
    R2 SP1, I must create a Web application
    with the classical method of authentication. According to
    Microsoft (http://technet.microsoft.com/en-us/library/jj863242(v=ws.10).aspx),
    it is created using PowerShell the following commands:
    $ AdminCredentials = Get-user domain
    \ contosoAdmin
    • $ adminManagedAccount = New-SPManagedAccount -Credential $ adminCredentials
    • New-SPWebApplication -Name "FIM SharePoint Web Application" -ApplicationPool "FIMAppPool" -AuthenticationMethod "Kerberos" -ApplicationPoolAccount $ adminManagedAccount -Port
    80 -URL http://www.contoso.com
    But these commands do not specify an account for
    Web services applications,
    and services of that applications will run under the account
    under which installed Sharepoint. As a result,
    the Administration Console Sharepoint error occurs:
    the application service account has
    local administrator rights. But it should not
    be.
      I ask for advice on how to solve this problem.

    Where I can found ULS Log and configuration details as well?
    I have errors:
    Accounts used by application pools or service identities are in the local machine Administrators group.
    One or more web applications are configured to use Windows Classic authentication.
    When I create a Web application through the
    web interface, and select
    the account for the application pool and application services
    (see. Screenshot). So I decided
    that the account application services
    become account under which installed
    Sharepoint, which has local administrator rights.
    And the application pool account to the
    administrators group is not included. Therefore,
    the question arises: what kind of account
    reports error :: 
    there is only one Web application (but
    before I create and delete the same):
    New-SpWebApplication
    DisplayName                    Url
    Sharepoint-FIM                
    http://www.contoso.com
    help to solve the error, please.

  • WebLogic 10.3.0 WLI Domain - Microsoft AD administrator user access issue.

    Hi SOA Experts,
    We are facing issue of getting noaccess exception on console (below) when doing datasource testing using Microsoft AD administrator user. The same works fine when testing using WLS embedded LDAP administrator user in WLI domain. In plain WLS 10.3.0 domain (without WLI) with same Microsoft AD configuration they do not see this issue, they are able to successfully test data source using both embedded WLS administrator and Microsoft AD administrator user.
    I enabled security ATN and ATZ debug flags and below is my observation.
    In plain WLS 10.3.0 domain I see that default weblogic administrator user in embedded LDAP is part of administrators group. Microsoft AD administrator user is part of Administrators group from MS AD.
    Whereas in WLI domain I see that default weblogic administrator user is part of Administrators & IntegrationAdministrators groups. In WLI domain Administrators group is again part of IntegrationAdministrators group (below is debug logs).
    Below is Plain WLS Domain Debug log
    ####<Dec 6, 2010 5:20:14 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)
    '> <<WLS Kernel>> <> <> <1291674014123> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Below is WLI Domain Debug Log
    <> <1291669863989> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291669863989> <BEA-000000> < Subject: 3
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
    The issue of Microsoft AD administrator user not able to test datasource in WLI domain seems to be happening because of IntegrationAdministrators group which comes by default with WLI domain (in plain WLS domain we do not have this group). Looks like the datasource which is being created in WLI domain seems to be being treated as WLI resource and user accessing it is being checked if it part of IntegrationAdministrators group. In this case weblogic default administrator user is part of IntegrationAdministrators, for which we do not see issue where as Microsoft AD administrator user which is not part of IntegrationAdministrators seems to be having problem.
    Below is snipper of Microsoft AD administrator user in Debug logs
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291670011687> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Also one more observation about datasource which is created is in plain WLS & WLI domain created datasource resource type is shown as “jdbc” which is expected, but in addition in WLI domain I observe that created datasource resource type is marked as JMX and DS is being considered as application (below), not sure if this has something to do with the issue.
    Below is WLS domain debug log, below you can see that datasource is being treated as JDBC resource which is expected.
    ####<Dec 6, 2010 5:21:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674063776> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
    Below is WLI domain debug log, below you can see that datasource is being treated as application and it says resource type as JMX
    ####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
    I created user in embedded LDAP in WLI domain with same name as MS AD administrator user and assigned it to Administrators group, that obviously works but is not acceptable solution.
    Below is exception thrown on console when testing datasource using Microsoft AD administrator user.
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[MSADAdminUser, Administrators], on Resource weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy92.testPool(Unknown Source) at com.bea.console.actions.jdbc.datasources.testjdbcdatasource.TestJDBCDataSource.begin(TestJDBCDataSource.java:114) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:870) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306) at
    - BoyelT

    This issue has been resolved.
    The problem of Microsoft active directory administrator user not able to test the datasource in WLI domain is caused because of IntegrationAdministrators group & IntegrationAdmin role which comes in WLI domain. Assigning the Microsoft Administrator group to IntegrationAdmin role from WebLogic console has resolved the issue.
    Below are steps for assigning the MS AD administrator group to IntegrationAdmin role from console in WLI domain.
    ======================================================
    - Login to console and click on "Security Realms" and "myrealm"
    - Go to "Roles and Policies" tab and expand "Global Roles" tree and "Roles" tree view under it.
    - Click on "View Role Conditions" link for "IntegrationAdmin" role.
    - Click on "Add Conditions" button select Group (default) for "Predicate List" drop down box and click Next button.
    - Specify MS AD admin group name for "Group Argument Name" text box and hit on Add button.
    ======================================================
    - BoyelT
    Edited by: BoyelT on Dec 20, 2010 1:36 PM

  • How to do provisioning in Active Directory multiple lavel OU structure from FIM 2010 R2 with Country basis.

    Hi,
    I want to do provisioning in Active Directory multiple level Organization Unit(OU) from FIM 2010 R2  with country name basis.
    Suppose i have Asia,Europe,UK,USA region OU and they have another OU in Asia OU like India,china etc if country name is India then Users should be go in India OU and if  if country name is China then Users should be go
    in China OU.so please give me any idea on this this would be very helpful for me
    Regards
    Anil Kumar

     
    Do you have Region attribute in your user object? If yes, then you can do something like this
    "CN="+displayname+
    ",OU="+country+
    ",OU="+region+
    ",DC=mycompany,DC=local"
    If you don’t have region attribute, then you have to write own IIF statement for every county
    IIF(Eq(contry,"China",",OU=China,OU=Asia","")
    You can also parse your dn for synchronization rule in some other place (e.g. metaverse extension), but if you want to do it codeless, IIFs are the way to go.

  • Problems Managing User Access Rights for Web Gallery

    Has anyone else had issues changing the user access rights for a web gallery? It seems like the access is everyone or no one. Are the user rights handled per event in the gallery? I had issues adding events to the user's view/download rights in the publish settings.
    Also, can these settings only be set when an event is first published? Attempting to change the user access rights after the event is published seems to require a re-upload of the images.
    Any thoughts?

    Problem solved.
    I had to put the following lines in the specified "0000_any_80.my.website.conf" file:
            <Directory "/Library/WebServer/subdomain.domain">
                    Options All +MultiViews -ExecCGI -Indexes -Includes
                    AllowOverride None
                    # For Password protection
                    AuthType Digest
                    AuthName "Password Protection"
                    require valid-user
                    <IfModule mod_dav.c>
                            DAV Off
                    </IfModule>
            </Directory>

  • FIM 2010 Workflow Processing Issue

    Hi All,
    We are having a problem with FIM 2010 (Update Rollup 2) workflow processing.
    Background is:
                Set: Object State 2 set (criteria based membership, criteria includes AUX_Attr1 ‘NOT Equal’ 3)
                Set Object State 3 Set (Manually managed membership)
    WF1: set AUX_Attr1 to 3
    WF2 : Set AUX_Attr1 to 2
    MPR 1: Transition in MPR (Transition set = Object State 2 set), fires WF2
    MPR 2: Transition in MPR (Transition Set = Object State 3 Set), fires WF1
    What we are seeing is the following:
                We add a user to “Object State 3 Set”
    From the request history we can see that:
    The successful request for the set membership change (transition in Object State 3 Set)
    The successful request by the Forefront Identity Manager Service Account to set AUX_Attr1 to 3
    and FIM correctly fires MPR 2, this sets AUX_Attr1 to 3 and this has been verified by looking through the request history
                A couple of seconds later FIM fires WF2 which sets AUX_Attr1 back to 2.
                The request history shows no signs of the object transitioning back into “Object State 2 set” so I am unsure why this
    workflow would trigger again.

    Best thing to do with this problem is look at the request that caused this to happen and look for parent requests and for the applied policies
    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

  • Self Service Password Registration Page taking more time for loading in FIM 2010 R2

    Hi,
    I have beeen successfullly installed FIM 2010 R2 SSPR and it is working fine
    but my problem is that Self Service Password Registration Page taking more time for loading when i provide Window Credential,it is taking approximate 50 to 60 Seconds for loading a page in FIM 2010 R2
    very urgent requirement.
    Regards
    Anil Kumar

    Double check that the objectSid, accountname and domain is populated for the users in the FIM portal, and each user is connected to their AD counterparts
    Check here for more info:
    http://social.technet.microsoft.com/wiki/contents/articles/20213.troubleshooting-fim-sspr-error-3003-the-current-user-account-is-not-recognized-by-forefront-identity-manager-please-contact-your-help-desk-or-system-administrator.aspx

  • FIM 2010 management agent support Oracle Identity directory OID 10.1.4.2.0

    Does FIM 2010 R2 SP1 support  OID version  10.1.4.2.0 ? If there is no support for OID then what is the alternative for making its connectivity?

    The error indicates that the password (or wallet) files oidpwdldap1 and oidpwdr<ORACLE_SID> do NOT exist under $ORACLE_HOME/ldap/admin or your $ORACLE_HOME and $PATH are set incorrectly (a bit unlikely).
    Assuming that the $ORACLE_HOME and $PATH are indeed set to correct values, if the 2 files mentioned above do not exist under $ORACLE_HOME/ldap/admin, then perform the below action plan:
    1. Set the ORACLE_HOME to INFRASTRUCTURE ORACLE_HOME
    2. set the PATH to $ORACLE_HOME/bin:$ORACLE_HOME/ldap/bin:$ORACLE_HOME/opmn/bin:$PATH
    3. Ensure that you are able to login to sqlplus as "ods" user.
    4. If you do NOT know the password of ods user, then reset the password.
    5. Run the below command and enter the ods password when prompted for it.
    oidpasswd create_wallet=true
    6. Voila! The Wallet files are created under $ORACLE_HOME/ldap/admin.
    HTH,
    Regards,
    Praveen
    Edited by: Praveen B K on Aug 28, 2009 3:20 AM

Maybe you are looking for