When installing Microsoft Identity Manager Service Pack 1 (MIM SP1) with PAM using an installer account (MIMAdmin), you encounter a SILO error. When installing with verbose logging enabled (msiexec /i "Service and Portal.msi" /l*v C:\temp\setup.log), you will see the following:
Failed creating authentication policy/silo.
The user has insufficient access rights.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.ResourceManagement.Utilities.DirectoryObjectManager.CreateObject(String dn, DirectoryAttributeCollection attributeCollection)
at Microsoft.IdentityManagement.ManagedCustomActions.PAMRelatedCustomActions.CreateAuthenticationPolicyAndSilo(Session session, AuthenticationPolicyManager manager, ICollection`1 accounts)
at Microsoft.IdentityManagement.ManagedCustomActions.PAMRelatedCustomActions.CreateAuthenticationPolicyAndSilo(Session session)
CustomAction CreateAuthenticationPolicyAndSilo returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 17:44:35: InstallFinalize. Return value 3.
To resolve this problem, run the following as part of the delegation setup on the PRIV DC (i.e. Step 2: Prepare the PRIV domain controller, /en-us/microsoft-identity-manager/pam/step-2-prepare-priv-domain-controller):
dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain’s Configuration NC>" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicy /i:s
dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain’s Configuration NC>" /g mimadmin:CCDC;msDS-AuthNPolicy
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain’s Configuration NC>" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicySilo /i:s
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain’s Configuration NC>" /g mimadmin:CCDC;msDS-AuthNPolicySilo
These commands add the permissions that the MIM/PAM setup requires on the authn policy and authn silo containers in the PRIV domain’s Configuration NC, so that setup can create the PAM authn policy/silo.
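The same delegation run from PowerShell, as an added example that is not Microsoft's script: it resolves the Configuration NC placeholder with Get-ADRootDSE, quotes each grant (an unquoted `;` ends a PowerShell statement, so the commands above fail there as written), and reads the resulting ACEs back for review. The `-Installer` and `-Apply` parameter names are assumptions of this sketch; it assumes the ActiveDirectory module on the PRIV DC.

```powershell
# Added example (not from the original page). Run on the PRIV DC with rights
# to modify ACLs in the PRIV forest's Configuration NC.
param(
    [string]$Installer = 'mimadmin',  # installer account, as written on the page
    [switch]$Apply                    # hypothetical switch: without it, report only
)
Import-Module ActiveDirectory

# Resolves "<the DN of PRIV Domain's Configuration NC>" from the rootDSE.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=AuthN Policy Configuration,CN=Services,$configNC"

# Container DN -> object class the installer must create and manage there.
$targets = [ordered]@{
    "CN=AuthN Policies,$base" = 'msDS-AuthNPolicy'
    "CN=AuthN Silos,$base"    = 'msDS-AuthNPolicySilo'
}

foreach ($dn in $targets.Keys) {
    $class = $targets[$dn]

    if ($Apply) {
        # RP/WP = read/write property, RC = read permissions, WD = change
        # permissions; /i:s applies the ACE to sub-objects of that class only.
        & dsacls.exe $dn /g "${Installer}:RPWPRCWD;;$class" /i:s | Select-Object -Last 1
        # CC/DC = create/delete child objects of that class in the container.
        & dsacls.exe $dn /g "${Installer}:CCDC;$class" | Select-Object -Last 1
    }

    # Read the ACL back through the AD: drive and keep the installer's ACEs.
    $aces = @((Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Installer" })

    if ($aces.Count -eq 0) {
        Write-Warning "No ACE for '$Installer' on $dn; setup will fail creating the policy/silo."
    }
    $aces | Select-Object @{ n = 'Container'; e = { $dn } }, IdentityReference,
        ActiveDirectoryRights, InheritanceType, AccessControlType
}
```

Run it without `-Apply` before installing to confirm the delegation exists, and again after setup to review what the installer account still holds on these containers.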
- MIMPAM Module: /en-us/powershell/identitymanager/mimpam/vlatest/mimpam
- PAM REST API Service Details: /en-us/microsoft-identity-manager/reference/privileged-access-management-rest-api-service-details
- Privileged Access Management Rest API Reference: /en-us/microsoft-identity-manager/reference/privileged-access-management-rest-api-reference
- Privileged Access Management for Active Directory Domain Services: /en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services