Make the installation and FIM MA accounts filtered disconnectors and save yourself a headache (and possibly a rebuild).

I know others have written and talked about this but please, please implement the following two connector filters on your FIM MA.

[Screenshot: the two connector filters defined on the FIM MA's Person object type]

Two separate filters defined for the Person data source object type, each of the form <dn> equals <GUID>. In case the screenshot isn't clear, the filters are:

  1. <dn> Equals fb89aefa-5ea1-47f1-8890-abe7797d6497
  2. <dn> Equals 7fb2b853-24f0-4498-9534-4e10589723c4

Basically that tells the FIM Synchronization Service to make the installation account (often referred to as the administrator account, with the well-known GUID 7fb2b853-24f0-4498-9534-4e10589723c4) and the Built-in Synchronization Account (the FIM MA account, with the well-known GUID fb89aefa-5ea1-47f1-8890-abe7797d6497) filtered disconnectors, i.e. it excludes those two accounts from synchronisation entirely.

Why, you might ask.  Here’s why:

  • You have an inbound flow defined from your AD DS MA that flows objectSid into the MV.
  • You have an outbound flow rule defined on the FIM MA that flows objectSid out to the FIM Service.
  • You have configured the flow to flow NULL values (i.e. delete values). 

Right, so what?

Well, when you import and synchronise the FIM MA (to get your SRs, i.e. synchronization rules, into the MV for example) you will delete the ObjectSID value of both the administrator account and the FIM MA account. Here's the chain: those two accounts are usually not joined to anything else (they don't exist in AD DS), so the MV objectSid attribute is null; you haven't flowed the FIM Service value into the MV because that configuration is more or less pointless (except that it would happen to avoid this issue); and because the outbound rule allows null flow, the sync engine exports that null to the FIM Service as a delete of ObjectSID.

And?

Well, no ObjectSID == no access to the FIM Service, which means you can't render the portal. Sure, if you poke around in the SQL database (perhaps you'll look at the stored procedures in the [debug] schema) you can fix it, but many people don't and therefore end up rebuilding, because the environment is new and nothing's been backed up yet!
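A quick way to confirm you haven't already tripped over this, added here as an example and not part of the original post: ask the FIM Service for the two well-known accounts and check that ObjectSID is still populated. It uses the FIMAutomation snap-in that ships with the FIM Service; the endpoint URI is an assumption (the default is shown) and the two ObjectIDs are the ones quoted above.

```powershell
# Added example (not from the original post): verify that the installation
# account and the Built-in Synchronization Account still carry an ObjectSID
# after a FIM MA import/synchronisation run.
# Assumptions: the FIMAutomation snap-in is installed (it ships with the FIM
# Service) and the FIM Service listens on the default URI; adjust $uri if not.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = 'http://localhost:5725'   # assumption: default FIM Service endpoint

# Well-known ObjectIDs from the post above
$accounts = @{
    'Installation (administrator) account' = '7fb2b853-24f0-4498-9534-4e10589723c4'
    'Built-in Synchronization Account'     = 'fb89aefa-5ea1-47f1-8890-abe7797d6497'
}

foreach ($name in $accounts.Keys) {
    $id    = $accounts[$name]
    $xpath = "/Person[ObjectID='$id']"

    # -OnlyBaseResources keeps the export to the object itself (no referenced resources)
    $export = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath
    if (-not $export) {
        Write-Warning "$name ($id): not returned by the FIM Service"
        continue
    }

    $attrs = $export.ResourceManagementObject.ResourceManagementAttributes
    $sid   = $attrs | Where-Object { $_.AttributeName -eq 'ObjectSID' }

    if ($sid -and $sid.Value) {
        Write-Host "$name ($id): ObjectSID present"
    } else {
        Write-Warning "$name ($id): ObjectSID is EMPTY - this account can no longer authenticate to the FIM Service"
    }
}
```

One caveat: the FIM Service authorises the request by the ObjectSID of the account running the script, so if you run this as the installation account after its SID has already been wiped, Export-FIMConfig itself will fail with an access-denied style error rather than print a warning. Run it straight after the first FIM MA sync, from a session you opened before the run, or from a second administrator account you created for exactly this reason.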

I've fielded two separate instances of the above in as many weeks, plus a colleague new to FIM did it about a month ago and two people on my FIM training course at the start of the month! So please implement the connector filters and be safe.

For more info on and around this topic, look at Carol's blog post on her recommended practices for the installation/administrator account: Best practices for the FIM Portal Administrator account.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM.
