While setting up Self Service Password Reset (SSPR) in FIM 2010 I initially encountered some problems, so I started verifying my configuration. One of the more elaborate configuration steps of the SSPR functionality is the configuration of DCOM and WMI. The FIM ScriptBox has some PowerShell scripts that can do it for you: WMI and DCOM (Brad Turner). Nevertheless, I chose to do it manually.
If you’re in doubt whether your FIM Service account has all the required permissions you can perform the following steps:
1. Make sure your FIM Service account has “Allow log on locally” on your FIM Synchronization Server. This is only needed so we can do the “runas /u cmd”; it is not a required privilege for SSPR to work.
2. Start a cmd and execute: runas /u:domain\fim_svcacct cmd
3. In the new cmd, execute: WBEMTEST
4. The WBEMTEST utility window will be launched.
5. Connect to root\MicrosoftIdentityIntegrationServer
6. Click Query…
7. Execute this query: select * from MIIS_CSObject WHERE Domain='domain' and Account='fim_svcacct'
8. Double-click the result and copy the MaGuid and PartitionGuid to a temporary Notepad window. You can easily copy them by selecting the property and choosing “Edit Property”.
9. Back in “Query…”, execute the following query: SELECT * FROM MIIS_ManagementAgent WHERE guid='{ma guid}'
10. You should see your AD MA.
11. Get the __PATH of that object (e.g. \\FIMSERVER\root\MicrosoftIdentityIntegrationServer:MIIS_ManagementAgent.Name="AD")
12. Back in WBEMTEST, choose “Execute Method”
13. Type the entire path from step 11
14. Change the Method to “GetServerStatus”
15. Click “Edit In Parameters…”
16. Change PartitionGuid: Edit Property –> Not null –> {partition guid} –> save property –> save object
17. Execute
18. You should see success as the return value.
19. Don’t forget to edit out the parameter!
As usual I didn’t figure this out all by myself. The procedure was found at http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/618a78ae-e150-4269-a2eb-5ccc40229e7e and originally provided by Anthony Ho. It’s more or less a copy-paste of his information. Thanks Anthony!
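The same checks scripted in PowerShell, as an added example that is not part of the original post or of Anthony Ho's procedure. It assumes it is run on the FIM Synchronization server in a shell started as the FIM Service account (the runas step), that the `domain` and `fim_svcacct` placeholders are replaced with real values, and that the MaGuid returned by MIIS_CSObject can be used unchanged in the MIIS_ManagementAgent query.

```powershell
# Added example: scripted form of the WBEMTEST walkthrough.
# Run it as the FIM Service account so every call uses that account's WMI rights.
param(
    [string]$Domain  = 'domain',       # placeholder, as in the post
    [string]$Account = 'fim_svcacct'   # placeholder, as in the post
)
$ErrorActionPreference = 'Stop'        # an access-denied error stops at the failing step
$ns = 'root\MicrosoftIdentityIntegrationServer'

# The values are pasted into WQL string literals, so refuse quote characters.
if ("$Domain$Account" -match "['""]") { throw 'Domain/Account must not contain quotes.' }

# Find the connector space object(s) for the service account.
$csObjects = @(Get-WmiObject -Namespace $ns -Query `
    "SELECT * FROM MIIS_CSObject WHERE Domain='$Domain' AND Account='$Account'")
if ($csObjects.Count -eq 0) {
    throw "MIIS_CSObject returned no object for $Domain\$Account; GetServerStatus cannot be tested."
}

foreach ($cs in $csObjects) {
    # Look up the management agent that owns this object.
    $agents = @(Get-WmiObject -Namespace $ns -Query `
        "SELECT * FROM MIIS_ManagementAgent WHERE guid='$($cs.MaGuid)'")
    if ($agents.Count -eq 0) {
        throw "No MIIS_ManagementAgent found with guid $($cs.MaGuid)."
    }
    $ma = $agents[0]

    # Call GetServerStatus with PartitionGuid as the in-parameter.
    $in = $ma.GetMethodParameters('GetServerStatus')
    $in.PartitionGuid = $cs.PartitionGuid
    $out = $ma.InvokeMethod('GetServerStatus', $in, $null)

    # One row per object; the walkthrough expects ReturnValue to read success.
    New-Object PSObject -Property @{
        ManagementAgent = $ma.Name
        Path            = $ma.__PATH
        PartitionGuid   = $cs.PartitionGuid
        ReturnValue     = $out.ReturnValue
    }
}
```

Because the script stops at the first failing call, the error message shows which of the three WMI operations (object query, management agent query, method call) the account could not perform.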
4 Responses to FIM: SSPR: Verify WMI Permissions
What does it mean if the query turns up empty?
All security settings for DCOM and WMI are set for the service account, and WMI is enabled in the firewall.
Thanks, but, well, you tell us what we should get if all is AOK, but that is not much help when it is not AOK.
Some information for each step if we do not see the expected results would be more helpful.
I understand your frustration in troubleshooting this particular feature. However, this article is meant to help with troubleshooting the password reset functionality in general. Meaning if this test (this post) shows you have errors, then the next step is to take the TechNet documentation again and triple-check the WMI configuration steps.
Hope that helps...
My FIM implementation appears to work fine, passwords are reset - but this query still returned 0 results