FIM 2010 / MIM 2016 Troubleshooting: The requestor's identity was not found.
Credits
Issue
On-screen error
When you try to login to the FIM or MIM portal you get an error message:
Unable to process your request.
Please contact your help desk or system administrator.
Error processing your request: The server was unwilling to perform the requested operation.
Reason: The requester of this operation is invalid.
Correlation Id: <long hexadecimal number>
Details: The requestor's identity was not found.
Screenshot
https://social.technet.microsoft.com/Forums/getfile/807848
Event Viewer
Forefront Identity Manager log: Event ID 3 (record 523), GetCurrentUserFromSecurityIdentifier
Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 1/1/2016 0:00:00 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: FIMPORTAL.contoso.test
Description:
GetCurrentUserFromSecurityIdentifier: No such user CONTOSO\sAMAccountname, S-1-5-21-1<sid>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft.ResourceManagement" />
<EventID Qualifiers="0">3</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
<EventRecordID>523</EventRecordID>
<Channel>Forefront Identity Manager</Channel>
<Computer>SPF1.testdomain.internal</Computer>
<Security />
</System>
<EventData>
<Data>GetCurrentUserFromSecurityIdentifier: No such user CONTOSO\sAMAccountname, S-1-5-21-1<sid></Data>
</EventData>
</Event>
Forefront Identity Manager log: Event ID 3 (record 522), UnwillingToPerformException: IdentityIsNotFound
Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 1/1/2016 0:00:00 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: FIMPORTAL.contoso.test
Description:
Requestor: Internal Service
Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft.ResourceManagement" />
<EventID Qualifiers="0">3</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-01-01T00:00:00.000000000Z" />
<EventRecordID>522</EventRecordID>
<Channel>Forefront Identity Manager</Channel>
<Computer>FIMPORTAL.contoso.test</Computer>
<Security />
</System>
<EventData>
<Data>Requestor: Internal Service
Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)</Data>
</EventData>
</Event>
Background
See: Enabling FIM Portal Access for a Regular AD User Account
To log on to the portal, the Person object in the FIM/MIM Service must carry three attributes. The Service takes the Windows SID of the caller and looks for a Person that matches it (GetCurrentUserFromSecurityIdentifier in the events above), so all three attributes have to describe the same AD account:
- AccountName (the AD sAMAccountName)
- Domain (the NetBIOS domain name)
- ObjectSID (the AD objectSid, stored as a binary value)
A Person gets these attributes in one of two ways: set manually on an object created in the portal, or synchronized into the FIM Service by the FIM/MIM Sync engine.
Manual connection
When you create a user by hand in the portal you can fill in Domain and AccountName, but the portal UI has no field for ObjectSID, so the logon lookup still fails for that user.
You have to set ObjectSID afterwards with a script, as described in How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object (http://aka.ms/fixobjectsid).
Synchronized connection
When the FIM MA that connects the FIM/MIM Service to the Sync engine is set up with the right attribute flows, users provisioned from AD are exported to the portal with all three attributes populated, and nothing has to be fixed by hand.
For more information, see How Do I Synchronize Users from Active Directory Domain Services to FIM.
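The following script is an added example, not part of the original article and not the aka.ms/fixobjectsid script itself. It checks the three attributes of one Person against what AD actually says about the account (the SID is resolved with the same DOMAIN\account lookup the Service relies on) and, with -Fix, writes the AD values back using the same ImportObject/ImportChange pattern the fix script uses. It assumes Windows PowerShell with the FIMAutomation snap-in on the FIM/MIM Service host, an account with FIM Service administrator rights, and the default Service URI; the parameter names and the Get-RmAttribute/ConvertFrom-SidBase64 helpers are this example's own.

```powershell
# Added example (not from the original article): verify, and optionally repair,
# Domain / AccountName / ObjectSID on a Person in the FIM/MIM Service.
# Assumptions: FIMAutomation snap-in available (Windows PowerShell, not PowerShell 7),
# run as a FIM Service administrator, default Service URI.
param(
    [Parameter(Mandatory = $true)][string]$Domain,       # NetBIOS domain, e.g. CONTOSO
    [Parameter(Mandatory = $true)][string]$AccountName,  # sAMAccountName, e.g. jdoe
    [switch]$Fix,                                        # write Domain/ObjectSID when they differ
    [string]$Uri = 'http://localhost:5725/resourcemanagementservice'
)
$ErrorActionPreference = 'Stop'
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# 1. What AD says: resolve DOMAIN\account to its SID. Failure here is itself a finding:
#    the portal can never map a logon to an account that AD does not know.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Domain, $AccountName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "AD cannot resolve $Domain\$AccountName : $($_.Exception.Message)"
}
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$expectedSidBase64 = [Convert]::ToBase64String($sidBytes)  # binary attributes travel as base64 in FIMAutomation

# 2. What the portal says: export the Person by AccountName (XPath filter).
$export = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/Person[AccountName='$AccountName']")
if ($export.Count -eq 0) { throw "No Person with AccountName '$AccountName' exists in the portal." }
if ($export.Count -gt 1) { throw "AccountName '$AccountName' matches $($export.Count) Person objects; it must be unique." }
$person = $export[0].ResourceManagementObject

function Get-RmAttribute($Object, [string]$Name) {
    ($Object.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $Name }).Value
}
function ConvertFrom-SidBase64([string]$Base64) {
    if (-not $Base64) { return '<not set>' }
    (New-Object System.Security.Principal.SecurityIdentifier([Convert]::FromBase64String($Base64), 0)).Value
}

$actualDomain  = Get-RmAttribute $person 'Domain'
$actualAccount = Get-RmAttribute $person 'AccountName'
$actualSid     = Get-RmAttribute $person 'ObjectSID'
"Person {0}: Domain='{1}' AccountName='{2}' ObjectSID={3} (AD: {4})" -f `
    $person.ObjectIdentifier, $actualDomain, $actualAccount, (ConvertFrom-SidBase64 $actualSid), $sid.Value

# 3. Compare; every mismatch becomes one attribute change. AccountName already matched the query.
$changes = @()
if ($actualDomain -ne $Domain) {
    Write-Warning "Domain mismatch: portal '$actualDomain', AD '$Domain'"
    $changes += @{ Name = 'Domain'; Value = $Domain }
}
if ($actualSid -ne $expectedSidBase64) {
    Write-Warning "ObjectSID mismatch: portal $(ConvertFrom-SidBase64 $actualSid), AD $($sid.Value)"
    $changes += @{ Name = 'ObjectSID'; Value = $expectedSidBase64 }
}
if (-not $changes) { 'All three attributes match AD.'; return }
if (-not $Fix)     { 'Re-run with -Fix to write the AD values into the portal object.'; return }

# 4. Write back with Import-FIMConfig (ImportObject/ImportChange pattern of the fixobjectsid script).
$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'Person'
$import.TargetObjectIdentifier = $person.ObjectIdentifier
$import.SourceObjectIdentifier = $person.ObjectIdentifier
$import.State                  = 1   # 1 = Put: modify an existing object
$import.Changes = @($changes | ForEach-Object {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = 1            # 1 = Add; sets a single-valued attribute
    $c.AttributeName  = $_.Name
    $c.AttributeValue = $_.Value
    $c.FullyResolved  = 1
    $c.Locale         = 'Invariant'
    $c
})
$import | Import-FIMConfig -Uri $Uri
'Updated. Ask the user to log on to the portal again.'
```

Run it as `.\Check-PortalIdentity.ps1 -Domain CONTOSO -AccountName jdoe` first without -Fix and read the warnings; the AD-resolution step fails on purpose when the account was deleted or recreated, which is the case where a stale ObjectSID in the portal is most common. If the FIM MA is exporting to the Service, fix the data at the source (AD or the flow rules) rather than only in the portal, or the next export may overwrite your change.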
Troubleshooting
Check the Sync Engine
As mentioned in the source forum thread, first check that the Sync engine is actually connected to the FIM/MIM Service: the FIM MA exists and its last export ran without errors, otherwise no user is ever provisioned into the portal.
Check that an AD MA is connected and feeding user data into the metaverse (MV): a full import and full synchronization have run on the AD MA, and the affected user is a connector (joined or projected), not a disconnector.
Check the data flows
As described in the source forum thread:
- AD NetBIOS domain --> Portal domain
- AD sAMAccountName --> Portal accountname
- AD ObjectSID --> Portal objectSID
FIM MA
Check that the three core attributes are configured as export attribute flows in the FIM MA (metaverse to FIM MA), so that Domain, AccountName and ObjectSID are actually sent to the FIM Service.
AD MA
Check that the AD MA imports the same three values into the metaverse (import attribute flow) and that the user's object in the AD connector space carries sAMAccountName and objectSid. The NetBIOS domain is not an AD attribute; it normally comes from a constant or expression in the flow rule for each domain, so verify that rule per domain.
Data quality (trace impacted user)
From portal to AD
Carefully trace the user:
- from the FIM/MIM Portal (the Person object)
- into the FIM MA connector space
- into the MV
- to the AD MA connector space
- to AD
Make sure the three attributes match exactly at every hop, and look for a pending import or an unapplied export on the way: a value that is staged but not yet synchronized or exported is not in the portal yet. A common way for the attributes to drift is an AD account that was deleted and recreated (new SID) or moved to another domain while the portal object kept the old ObjectSID or Domain.
From AD to portal
Or trace the reverse way, from AD back to the FIM/MIM Portal; doing both directions shows whether the value was lost on import or on export.
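The following script is an added example, not part of the original article, that performs the "from AD to portal" trace without the Synchronization Service Manager: it finds the user in the AD MA connector space through the Sync engine's WMI provider, follows the metaverse link to the FIM MA connector space, and compares the three attributes at both ends. It assumes it runs on the Sync server as a member of the FIMSyncAdmins/MIMSyncAdmins group; the MA names 'AD MA' and 'FIM MA', the FIM MA attribute names Domain/AccountName/ObjectSID, and the way the hologram XML is searched (by attribute name only) are this example's assumptions and should be adjusted to your configuration.

```powershell
# Added example (not from the original article): trace one AD user
#   AD MA connector space -> metaverse object -> FIM MA connector space
# via the MIIS_CSObject WMI class, and compare the three attributes.
# Assumptions: run on the Sync server as a Sync admin; MA names and FIM MA
# attribute names below are placeholders; hologram XML searched by attribute name.
param(
    [Parameter(Mandatory = $true)][string]$Domain,       # NetBIOS domain, e.g. CONTOSO
    [Parameter(Mandatory = $true)][string]$AccountName,  # sAMAccountName
    [string]$AdMaName  = 'AD MA',
    [string]$FimMaName = 'FIM MA'
)
$ErrorActionPreference = 'Stop'
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-HologramAttribute([string]$Xml, [string]$Name) {
    # A hologram is the XML image of a CS object; binary values (objectSid) are base64 in <value>.
    if ([string]::IsNullOrEmpty($Xml)) { return $null }
    $node = ([xml]$Xml).SelectSingleNode("//attr[@name='$Name']/value")
    if ($node) { $node.InnerText } else { $null }
}
function ConvertFrom-SidBase64([string]$Base64) {
    if (-not $Base64) { return '<not set>' }
    (New-Object System.Security.Principal.SecurityIdentifier([Convert]::FromBase64String($Base64), 0)).Value
}

# 1. AD MA connector space: locate the user by Windows account (Domain/Account are CS object properties).
$adCs = @(Get-WmiObject -Namespace $ns -Class MIIS_CSObject `
          -Filter "MaName='$AdMaName' and Domain='$Domain' and Account='$AccountName'")
if ($adCs.Count -ne 1) {
    throw "Expected 1 AD MA CS object for $Domain\$AccountName, found $($adCs.Count). Run a full import on the AD MA and retry."
}
$adCs = $adCs[0]
"AD MA CS object: $($adCs.DN)"
if ($adCs.PendingImportHologram) { Write-Warning 'AD MA object has a pending import: staged but not yet synchronized.' }

# 2. Metaverse: the CS object must be a connector; a disconnector never reaches the portal.
$mvGuid = $adCs.MvGuid
if (-not $mvGuid -or $mvGuid -eq '{00000000-0000-0000-0000-000000000000}') {
    throw 'AD MA CS object is a disconnector: it is not joined or projected to a metaverse object.'
}
"Metaverse object: $mvGuid"

# 3. FIM MA connector space: the object linked to the same metaverse object.
$fimCs = @(Get-WmiObject -Namespace $ns -Class MIIS_CSObject -Filter "MaName='$FimMaName' and MvGuid='$mvGuid'")
if ($fimCs.Count -ne 1) {
    throw "Found $($fimCs.Count) FIM MA CS objects for MV $mvGuid: the user was never provisioned to the FIM Service, or is linked twice."
}
$fimCs = $fimCs[0]
"FIM MA CS object: $($fimCs.DN)"
if ($fimCs.UnappliedExportHologram) { Write-Warning 'FIM MA object has an unapplied export: run an export on the FIM MA.' }

# 4. Compare the three attributes at both ends (names as in the mapping table above).
$ad = @{
    Domain      = $Domain   # NetBIOS domain is not an AD attribute; the flow rule supplies it
    AccountName = Get-HologramAttribute $adCs.Hologram 'sAMAccountName'
    ObjectSID   = ConvertFrom-SidBase64 (Get-HologramAttribute $adCs.Hologram 'objectSid')
}
$fim = @{
    Domain      = Get-HologramAttribute $fimCs.Hologram 'Domain'
    AccountName = Get-HologramAttribute $fimCs.Hologram 'AccountName'
    ObjectSID   = ConvertFrom-SidBase64 (Get-HologramAttribute $fimCs.Hologram 'ObjectSID')
}
$ok = $true
foreach ($name in 'Domain', 'AccountName', 'ObjectSID') {
    $match = ($ad[$name] -eq $fim[$name])
    if (-not $match) { $ok = $false }
    '{0,-12} AD MA: {1,-45} FIM MA: {2,-45} {3}' -f $name, $ad[$name], $fim[$name], $(if ($match) { 'OK' } else { 'MISMATCH' })
}
if ($ok) { 'All three attributes agree in the Sync engine; if logon still fails, compare the FIM MA values with the Person in the portal.' }
```

A MISMATCH on ObjectSID between the two connector spaces points at the flow rules or a stale metaverse value (re-run a full synchronization on the AD MA and an export on the FIM MA); a match here combined with a wrong value in the portal points at the FIM MA export or at a manual edit in the portal.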
References
- https://social.technet.microsoft.com/Forums/en-US/35ebc6a7-5ee7-4306-a126-1117a04383e9/error-when-loading-fim-portal-in-new-installation-the-requestors-identity-was-not-found?forum=ilm2
- Administrator Locked Out of FIM Portal
- Introduction to Publishing To Active Directory from Two Authoritative Data Sources
See Also
- Enabling FIM Portal Access for a Regular AD User Account
- https://jorgequestforknowledge.wordpress.com/2013/01/09/fim-portal-access-for-any-regular-ad-user-account-how-to-enable-and-troubleshoot/
- Using PowerShell to check your MPR configuration for FIM Portal Access
- How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object (http://aka.ms/fixobjectsid)