UNIFY FIM Event Broker v3.2.1: The agent FIM Agent has failed with the message: Access denied
Hi, I have the following error:
I followed the requirements which are in the page: https://unifysolutions.jira.com/wiki/spaces/EB32/pages/93454604/Prerequisites
Firewall: Checked: Able to connect to SQL Server via telnet
- Log on as a service. For details see here; Checked
- Access to write to its Logs directory. Defaults to: Checked FULL CONTROL
C:\Program Files\UNIFY Solutions\Event Broker\Services\Logs
- Ability to create the Logs file directory;Checked
- Full update access to the Extensibility directory. Defaults to: Checked FULL CONTROL
C:\Program Files\UNIFY Solutions\Event Broker\Services\Extensibility
- Permission to create a WCF end-point (see Create WCF end-point); Checked
PS C:\> netsh.exe http add urlacl url=http://+:59990/ user=****\svc_fimeb
Url reservation add failed, Error: 183
Cannot create a file when that file already exists.
- Permission to write to C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files; Checked FULL CONTROL
- Membership in the FIMSyncAdmins group. Checked
- Read permission (db_datareader) to the FIMSynchronizationService database, either for the service account, or a separate SQL authentication login. Checked. Created a SQL agent with the same connection string. Works perfectly.
If installed on the same machine as Microsoft Identity Lifecycle Manager or Microsoft Forefront Identity Manager, the service account also requires the following:
- Read access to the local FIM WMI namespace (overview, Setting Namespace Security)
Checked FIMSYNCADMINS group full control on MicrosoftIdentityIntegrationServer
Do you have any other ideas about the root cause?
Thanks in advance.
Answer
Could you please attach the full stack-trace from the error in the logs?
Here is the log:
The test of Agent FIM Agent (f7463f5e-56fd-4734-86c5-f3118ed39456) failed with message: System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at System.Management.ManagementObjectCollection.get_Count()
   at Unify.Product.EventBroker.FIMAgent.TestConnection()
   at Unify.Product.EventBroker.AgentEngine.Notify(ITestAgentConnectionMessage message)
Just noticed the log refers to the agent: f7463f5e-56fd-4734-86c5-f3118ed39456 but my FIM agent has the ID:
<id>{1A65CB1E-4E10-4837-81E0-FC6A4436788F}</id>
How can I change the link to the correct FIM MA?
The ID listed in the logs is the ID of the agent as defined by the Event Broker service, and is entirely unrelated to the ID of the Management Agent as defined by FIM/MIM.
The logs show that the permission error is on connecting to the FIM/MIM instance via WMI. Please make sure that your credentials are correct and the account has appropriate permissions.
Hi,
I set up the permissions as below:
It's a local instance (FIM Event Broker and FIM SYNC on the same server). Do I still need to set credentials somewhere?
Hi Anthony,
Permissions are a pre-requisite of the service, and we aren't experts on diagnosing issues like this. I would recommend reading WMI Diagnosis Utility or checking for differences with other environments that don't have this issue.
Please let us know what the resolution was once you've found it, to help others who experience this problem in the future.
Issue resolved.
It was linked to corrupted MIM/FIM files, found thanks to your help and the WMI Diagnosis Utility tool.
If something similar appears in the report, please reinstall/repair FIM/MIM sync service:
30646 14:40:48 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
30647 14:40:48 (1) !! ERROR: Unable to locate MOF file(s) in the WBEM folder or in Auto-Recovery list for the
30648 14:40:48 (1) !! ERROR: following CIM registered WMI provider(s): .................................................................... 2 ERROR(S)!
30649 14:40:48 (0) ** - ROOT/MICROSOFTIDENTITYINTEGRATIONSERVER, MIIS ({9A6AE3F8-5DEF-416E-A569-BB74B3184DC6})
30650 14:40:48 (0) ** - ROOT/SERVICEMODEL, SERVICEMODEL ()
30651 14:40:48 (0) ** => If the WMI repository is rebuilt, the listed provider(s) may not be available anymore
30652 14:40:48 (0) ** because the registration data is not located in the list of known MOF files. You can either:
30653 14:40:48 (0) ** - Locate the MOF file(s) and manually recompile the corresponding MOF file(s) with
30654 14:40:48 (0) ** the 'MOFCOMP.EXE <FileName.MOF>' command.
30655 14:40:48 (0) ** - Retrieve a copy of the missing MOF file(s) and make sure there are part of the Auto-Recovery.
30656 14:40:48 (0) ** registry key.
30657 14:40:48 (0) ** Note: If you want the MOF file to be part of the Auto-Recovery, make sure the
30658 14:40:48 (0) ** statement '#PRAGMA AUTORECOVER' is included.
30659 14:40:48 (0) ** - If the corresponding MOF file can't be located, the MOF file can be recreated with
30660 14:40:48 (0) ** WBEMTEST and/or CIM Studio available at
30661 14:40:48 (0) ** http://www.microsoft.com/downloads/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314&DisplayLang=en
30662 14:40:48 (0) ** - It is also possible that the application implemented its own recovery mechanism.
30663 14:40:48 (0) ** In that case, no action is required.
30664 14:40:48 (0) ** You must verify with the application vendor if the application has this capability (i.e. Microsoft SMS)
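
Added example (not part of the original thread, and not UNIFY or Microsoft code): a small Python parser that pulls the "Unable to locate MOF file(s)" provider list out of a WMI Diagnosis Utility report, so a multi-thousand-line report can be checked for the FIM/MIM namespace in one call. The line layout is assumed from the excerpt above; the sample report is constructed from those same lines.

```python
import re

# Constructed sample, shaped like the report excerpt quoted in the thread.
SAMPLE_REPORT = """\
30646 14:40:48 (0) ** ------
30647 14:40:48 (1) !! ERROR: Unable to locate MOF file(s) in the WBEM folder or in Auto-Recovery list for the
30648 14:40:48 (1) !! ERROR: following CIM registered WMI provider(s): .......... 2 ERROR(S)!
30649 14:40:48 (0) ** - ROOT/MICROSOFTIDENTITYINTEGRATIONSERVER, MIIS ({9A6AE3F8-5DEF-416E-A569-BB74B3184DC6})
30650 14:40:48 (0) ** - ROOT/SERVICEMODEL, SERVICEMODEL ()
30651 14:40:48 (0) ** => If the WMI repository is rebuilt, the listed provider(s) may not be available anymore
30653 14:40:48 (0) ** - Locate the MOF file(s) and manually recompile the corresponding MOF file(s) with
"""

# Assumed layout: "<line no> <hh:mm:ss> (<level>) <marker> <text>", marker "**" or "!!".
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d\d:\d\d:\d\d)\s+\((\d)\)\s+(\*\*|!!)\s?(.*)$")
# "- NAMESPACE, PROVIDER ({CLSID})"; the CLSID may be empty, as for SERVICEMODEL.
PROVIDER_RE = re.compile(r"^-\s+(ROOT/[^,\s]+),\s+(\S+)\s+\((\{[0-9A-Fa-f-]+\})?\)\s*$")


def missing_mof_providers(report):
    """Return the providers listed under the 'Unable to locate MOF file(s)' error."""
    found, in_block = [], False
    for raw in report.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        marker, text = m.group(4), m.group(5).strip()
        if marker == "!!" and "Unable to locate MOF file(s)" in text:
            in_block = True          # provider entries follow this error header
            continue
        if not in_block or marker == "!!":
            continue                 # outside the block, or the header's second line
        p = PROVIDER_RE.match(text)
        if p:
            found.append({"line": int(m.group(1)), "namespace": p.group(1),
                          "provider": p.group(2), "clsid": p.group(3)})
        elif text.startswith("=>"):
            in_block = False         # advice text starts here; the list is over
    return found


def namespace_affected(report, namespace):
    """True if the namespace (either slash style, any case) is in the list."""
    wanted = namespace.replace("\\", "/").upper()
    return any(p["namespace"].upper() == wanted for p in missing_mof_providers(report))
```
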