I recently began building a FIM 2010 RC1 VM for testing/demo purposes. This is an all-in-one Server 2008 machine, so in addition to FIM 2010, it has AD DS, Exchange 2007, SQL 2008, SharePoint Services, and Visual Studio 2008.
FIM 2010 recommends three FIM related user accounts:
- FIM Synchronization Engine
- FIM Service
- FIM Management Agent
I created the accounts and set up the Sync service without issue. After installing the FIM portal and service, I went to set up the FIM Service Management Agent, but received the following error:
Failed to retrieve the schema.
Failed to connect to the specified database or Forefront Identity Manager Service. Please check the specified database location, service host address, and account information.
I double-checked all of my information (and even re-installed the FIM Service to verify the settings I used when installing it), but nothing seemed to be wrong. I enabled all success and failure auditing on the DC, and found the following event when I retried the operation:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/13/2009 11:19:43 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: FIM.lab.loc
Description:
An account failed to log on.
Subject:
Security ID: LAB\FIM_sync
Account Name: FIM_sync
Account Domain: LAB
Logon ID: 0x130e4c
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FIM_ma
Account Domain: LAB
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xc000015b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x168c
Caller Process Name: C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe
Network Information:
Workstation Name: FIM
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Note the “The user has not been granted the requested logon type at this machine” message. In my case, the server is a DC, so that account has no rights to log on. Once I put the account into the domain local Administrators group, the MA creation process proceeded just fine.
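As an added example that is not part of the original post, a small Python triage helper for this class of failure: it parses the text of a 4625 event into its sections and maps the logon type and NTSTATUS code to the user right the account would have needed. The logon-type, user-right and status tables are standard Windows values; the sample event is the one quoted above with its run-together lines split.

```python
# Logon type -> (name, user right required on the target machine); standard Windows names.
LOGON_TYPES = {2: ("Interactive", "SeInteractiveLogonRight (Allow log on locally)"),
               3: ("Network", "SeNetworkLogonRight (Access this computer from the network)"),
               5: ("Service", "SeServiceLogonRight (Log on as a service)")}
# Common NTSTATUS values seen in the Status / Sub Status fields of event 4625.
STATUS_TEXT = {0xC000015B: "logon type not granted at this machine", 0xC000006D: "bad user name or password",
               0xC0000064: "user name does not exist", 0xC0000072: "account disabled", 0xC0000234: "account locked out"}

def parse_4625(text):
    # Split the description into {section: {field: value}}; a bare 'Heading:' line opens a section.
    sections, current = {}, "Header"
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # free text such as 'An account failed to log on.'
        key, value = key.strip(), value.strip()
        if value:
            sections.setdefault(current, {})[key] = value
        else:
            current = key
    return sections

def _find(event, key):
    return next((fields[key] for fields in event.values() if key in fields), None)

def triage_4625(text):
    # Who attempted the logon, for which account, how, why it failed, and which right was missing.
    event = parse_4625(text)
    subject = event.get("Subject", {})
    failed = event.get("Account For Which Logon Failed", {})
    logon_type = int(_find(event, "Logon Type") or 0)
    status = int(_find(event, "Status") or "0", 16)
    name, right = LOGON_TYPES.get(logon_type, (f"unknown ({logon_type})", None))
    return {"caller": f"{subject.get('Account Domain')}\\{subject.get('Account Name')}",
            "target": f"{failed.get('Account Domain')}\\{failed.get('Account Name')}",
            "process": _find(event, "Caller Process Name"), "logon_type": name,
            "reason": STATUS_TEXT.get(status, f"unmapped status 0x{status:08X}"),
            "missing_right": right if status == 0xC000015B else None}

# Sample input: the relevant fields of the event quoted in the post, with its run-together lines split.
SAMPLE_4625 = r"""Subject:
  Account Name: FIM_sync
  Account Domain: LAB
Logon Type: 2
Account For Which Logon Failed:
  Account Name: FIM_ma
  Account Domain: LAB
Failure Information:
  Status: 0xc000015b
Process Information:
  Caller Process Name: C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe"""
```

For the event above it reports an Interactive logon attempted by FIM_sync for FIM_ma from miiserver.exe, with SeInteractiveLogonRight (Allow log on locally) as the missing right, a setting that on a domain controller is normally defined in the Default Domain Controllers Policy.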