Description

FIM Event Broker fails with a System.Management.ManagementException: Access denied error.

Affected software

• FIM Event Broker

Symptom

FIM Event Broker FIM agent operations fail with an access denied exception.

Solution

This issue is caused by incorrectly configured WMI security settings for the service account. Ensure that WMI Prerequisites have been met.

Description

An exception is thrown when running the ConfigureEventBrokerChangesActivity.ps1 PowerShell script under PowerShell ISE.

Affected Software

• FIM Event Broker Portal Workflow

Symptom

Attempting to run the ConfigureEventBrokerChangesActivity.ps1 PowerShell script under PowerShell ISE causes the following exception to be raised:

Exception calling "ReadKey" with "1" argument(s): "The method or operation is not implemented."
At C:\Program Files\UNIFY Solutions\Event Broker\Portal Workflow\ConfigureEventBrokerChangesActivity.ps1:68 char:1
+ $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NotImplementedException

Resolution

The ConfigureEventBrokerChangesActivity.ps1 PowerShell script is not intended to be run under PowerShell ISE. It is possible to execute it under PowerShell ISE anyway by removing or commenting out lines 37 and 68, which contain:

$host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

Description

The Database Execute Query Operation, in combination with the Oracle Database Agent, fails to execute a stored procedure.

Affected Software

• FIM Event Broker
• Oracle database

Symptom

When executing a stored procedure using the Database Execute Query Operation against the Oracle Database Agent, the following error (or similar) appears:

Operation c8dc0587-f197-4cb9-b15d-243629bad723 failed in operation list with id c1c7e163-d3a0-49ad-997f-ee818cf8d8d0 for the following reason. This is retry number 0: Oracle.DataAccess.Client.OracleException ORA-00900: invalid SQL statement at Oracle.DataAccess.Client.OracleException.HandleErrorHelper(Int32 errCode, OracleConnection conn, IntPtr opsErrCtx, OpoSqlValCtx* pOpoSqlValCtx, Object src, String procedure, Boolean bCheck, Int32 isRecoverable)
at Oracle.DataAccess.Client.OracleException.HandleError(Int32 errCode, OracleConnection conn, String procedure, IntPtr opsErrCtx, OpoSqlValCtx* pOpoSqlValCtx, Object src, Boolean bCheck)
at Oracle.DataAccess.Client.OracleCommand.ExecuteNonQuery()
at Unify.Framework.Data.AdoNetDataControl.ExecuteNonQuery(String commandText, IEnumerable`1 parameters, CommandType commandType)
at Unify.Product.EventBroker.OperationListExecutorBase.RunNextOperations(IEnumerator`1 operationEnumerator)
        

Solution

This error means that either the service account for the Oracle Database Agent does not have correct permission, or that the format of the operation statement is not correct.

The correct format is similar to the following:

BEGIN
    SCHEMA_NAME.STORED_PROCEDURE_NAME();
END

To grant the stored procedure to the service account:

grant EXECUTE on "SCHEMA_NAME"."STORED_PROCEDURE_NAME" to "EBUSER";

Description

FIM Event Broker configuration is lost following a restart of the service.

Affected software

• FIM Event Broker

Symptom

Previous configuration is not maintained following a restart of the service.

Solution

The occurs due to the permissions on the directory containing the FIM Event Broker configuration.

Possible steps to resolve:

• Verify that the account configured to run the FIM Event Broker service has been given update access to the Extensibility directory, as per Prerequisites. This directory is located under the installation directory of FIM Event Broker.

Description

Following a Windows account rename, FIM Event Broker operations dependent on SQL Server Windows authentication fail with a message similar to the following:

Agent test is failing with the message: "Cannot open database "FIMSyncronizationService" requested by login. The login failed.

Affected software

• FIM Event Broker.

Symptom

Following a Windows account rename, all SQL Server operations dependent on the account could potentially fail with a "login failed" message.

Solution

SQL Server logins can become out of sync with the Windows account name following a rename. The login must be updated to match the Windows account name. To update the details, see http://msdn.microsoft.com/en-us/library/aa337562.aspx (for Microsoft SQL Server Management Studio), or http://msdn.microsoft.com/en-us/library/ms189828.aspx (for Transact-SQL).

Description

Attempting to run an AD Changes or AD Sync Changes Operation fails. Examining the logs shows that this was due to a COMException.

Affected Software

• FIM Event Broker

Symptom

A COMException such as the following appears in the Event Broker logs:

System.Runtime.InteropServices.COMException(0x8007200A): The specified directory service attribute or value does not exist.

Resolution

This error can be caused due to a number of reasons:

• The target AD instance does not exist or cannot be found
• The account being used does not have adequate permissions to access the target AD instance

It is recommended that you use an application such as ADSI Edit or LDP.exe from the same machine as the Event Broker instance to ensure that aliases are properly resolving, the LDAP filter is correct, and the account in question has correct permissions.

Description

Attempting to run an Active Directory operation fails. Examining the logs shows DirectoryServicesCOMException.

Affected Software

• FIM Event Broker

Symptom

A DirectoryServicesCOMException such as the following appears in the Event Broker logs:

System.DirectoryServices.DirectoryServicesCOMException (0x800700EA): More data is available.
at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
at System.DirectoryServices.SearchResultCollection.get_InnerList()
at System.DirectoryServices.SearchResultCollection.get_Count()
at Unify.Product.EventBroker.ADSyncChangesPlugIn.GetChanges(DirectorySearcher searcher)
at Unify.Product.EventBroker.ADChangesPlugInBase.Check()
at Unify.Product.EventBroker.OperationListExecutorBase.RunCheck(ICheckOperationFactoryInformation checkOperation)

Resolution

Locate the *.exe.config in the Event Broker services directory, for an x64 installation this will be (by default):

C:\Program Files\UNIFY Solutions\Event Broker\Services\Unify.Service.Event.exe.config

and for an x86 installation this will be (by default):

C:\Program Files\UNIFY Solutions\Event Broker\Services\Unify.Service.Event32.exe.config

Add the following to the *.exe.config of the Event Broker services directory, inside the <configuration> element:

<configSections>
    <section name="system.directoryservices" type="System.DirectoryServices.SearchWaitHandler, System.DirectoryServices, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </configSections>
  <system.directoryservices>
    <DirectorySearcher waitForPagedSearchData="true" />
  </system.directoryservices>

Description

The Active Directory operations do not retrieve changes from the target instances correctly.

Affected Software

• FIM Event Broker
• Active Directory
• Active Directory Domain Services
• ADAM and ADLDS

Symptom

Following changes to the Active Directory instance or target organizational unit, the operation fails to detect a change.

Resolution

There are a number of reasons that Active Directory operations may not detect changes correctly:

• The specified account does not have complete permissions to retrieve changes, and the Active Directory query returns no objects rather than an error message in some cases. Refer to Active Directory Changes and Active Directory Sync Changes for information on specific account requirements for each operation.
• The target organizational unit or LDAP filter is incorrect, or does not contain the expected change. Ensure that the operation is configured correctly. Note that the AD Sync Changes operation cannot target a specific organizational unit.
• Changes have not yet been replicated across domain controllers.

Refer to an Active Directory expert or the Microsoft documentation for more information on specific configurations and instances.

Using

• UNIFY FIM Event Broker v3.2.1 RTM x64

The following was written to the Event Broker logs last night:

System.DirectoryServices.Protocols:
System.ArgumentException: The async result is invalid.
   at System.DirectoryServices.Protocols.LdapPartialResultsProcessor.GetPartialResults(LdapPartialAsyncResult asyncResult)
   at Unify.Product.EventBroker.OpenLDAPListenPlugIn.ResultsCallback(IAsyncResult result)

The error was thrown by the AD listener for the AU.QBE.PRI forest in Production.

Related JIRA issue here.

Using

Operation 1d3f5988-7166-4e06-9596-ee0c58dc2823 failed in operation list with id 4e8908b6-3e19-494a-a50e-55ac8680124a <span class="code-keyword">for</span> the following reason. This is retry number 0: <span class="code-object">System</span>.DirectoryServices.DirectoryServicesCOMException (0x800700EA): More data is available.
   at <span class="code-object">System</span>.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at <span class="code-object">System</span>.DirectoryServices.SearchResultCollection.get_InnerList()
   at <span class="code-object">System</span>.DirectoryServices.SearchResultCollection.get_Count()
   at Unify.Product.EventBroker.ADSyncChangesPlugIn.GetChanges(DirectorySearcher searcher)
   at Unify.Product.EventBroker.ADChangesPlugInBase.Check()
   at Unify.Product.EventBroker.OperationListExecutorBase.RunCheck(ICheckOperationFactoryInformation checkOperation)