0
Answered

UNIFY FIM Event Broker v3.2.1: The agent FIM Agent has failed with the message: Access denied

Anthony Soquin 1 year ago • updated by anonymous 1 year ago 7

Hi I have the following error: 

  • The agent FIM Agent has failed with the message: Access denied
  • I followed the requirements  which are in the page: https://unifysolutions.jira.com/wiki/spaces/EB32/pages/93454604/Prerequisites

    Firewall: Checked: Able to connect to SQL Server via telnet

    • Log on as a service. For details see hereChecked
    • Access to write to its Logs directory. Defaults to: Checked FULL CONTROL
      • C:\Program Files\UNIFY Solutions\Event Broker\Services\Logs
    • Ability to create the Logs file directory;Checked
    • Full update access to the Extensibility directory. Defaults to:  Checked FULL CONTROL
      • C:\Program Files\UNIFY Solutions\Event Broker\Services\Extensibility
    • Permission to create a WCF end-point (see Create WCF end-point); Checked 

    PS C:\> netsh.exe http add urlacl url=http://+:59990/ user=****\svc_fimeb

    Url reservation add failed, Error: 183
    Cannot create a file when that file already exists.


    • Permission to write to C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files; Checked FULL CONTROL
    • Membership in the FIMSyncAdmins group. Checked
    • Read permission (db_datareader) to the FIMSynchronizationService database, either for the service account, or a separate SQL authentication login. Checked Created a SQL agent with same connection string. Work perfectly


    If installed on the same machine as Microsoft Identity Lifecycle Manager or Microsoft Forefront Identity Manager, the service account also requires the following:

     Checked FIMSYNCADMINS group full control on MicrosoftIdentityIntegrationServer 

    Do you have another ideas about the root cause?


    Thanks in advance.

    Answer

    Answer

    Issue resolved.

    It was linked to a MIM/FIM Corrupted files found thanks to your help and the WMI Diagnosis Utility tool.

    If something similar appears in the report, please reinstall/repair FIM/MIM sync service:

    30646 14:40:48 (0) ** ----------------------------------------------------------------------------------------------------------------------------------

    30647 14:40:48 (1) !! ERROR: Unable to locate MOF file(s) in the WBEM folder or in Auto-Recovery list for the

    30648 14:40:48 (1) !! ERROR: following CIM registered WMI provider(s): .................................................................... 2 ERROR(S)!

    30649 14:40:48 (0) ** - ROOT/MICROSOFTIDENTITYINTEGRATIONSERVER, MIIS ({9A6AE3F8-5DEF-416E-A569-BB74B3184DC6})

    30650 14:40:48 (0) ** - ROOT/SERVICEMODEL, SERVICEMODEL ()

    30651 14:40:48 (0) ** => If the WMI repository is rebuilt, the listed provider(s) may not be available anymore

    30652 14:40:48 (0) **    because the registration data is not located in the list of known MOF files. You can either:

    30653 14:40:48 (0) **    - Locate the MOF file(s) and manually recompile the corresponding MOF file(s) with

    30654 14:40:48 (0) **      the 'MOFCOMP.EXE <FileName.MOF>' command.

    30655 14:40:48 (0) **    - Retrieve a copy of the missing MOF file(s) and make sure there are part of the Auto-Recovery.

    30656 14:40:48 (0) **      registry key.

    30657 14:40:48 (0) **    Note: If you want the MOF file to be part of the Auto-Recovery, make sure the

    30658 14:40:48 (0) **          statement '#PRAGMA AUTORECOVER' is included.

    30659 14:40:48 (0) **    - If the corresponding MOF file can't be located, the MOF file can be recreated with

    30660 14:40:48 (0) **      WBEMTEST and/or CIM Studio available at

    30661 14:40:48 (0) **      http://www.microsoft.com/downloads/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314&DisplayLang=en

    30662 14:40:48 (0) **    - It is also possible that the application implemented its own recovery mechanism.

    30663 14:40:48 (0) **      In that case, no action is required.

    30664 14:40:48 (0) **      You must verify with the application vendor if the application has this capability (i.e. Microsoft SMS)

     

     


    Under review

    Could you please attach the full stack-trace from the error in the logs?

    Here the log

    The test of Agent FIM Agent (f7463f5e-56fd-4734-86c5-f3118ed39456) failed with message:
    System.Management.ManagementException: Access denied 
       at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
       at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
       at System.Management.ManagementObjectCollection.get_Count()
       at Unify.Product.EventBroker.FIMAgent.TestConnection()
       at Unify.Product.EventBroker.AgentEngine.Notify(ITestAgentConnectionMessage message)
    

    Just noticed the log refers to the agent: f7463f5e-56fd-4734-86c5-f3118ed39456 but my FIM agent has the ID: 

    <id>{1A65CB1E-4E10-4837-81E0-FC6A4436788F}</id>

    How can I change the link to the correct FIM MA?

    The ID listed in the logs is the ID of the agent as defined by the Event Broker service, and is entirely unrelated to the ID of the Management Agent as defined by FIM/MIM.

    The logs show that the permission error is on connecting to the FIM/MIM instance via WMI. Please make sure that your credentials are correct and the account has appropriate permissions.

    Hi,

    I set up the permissions as below:


    It's a local instance, (FIM Event Broker and FIM SYNC on the same server). Do I still need to set credential somewhere?

    Answered

    Hi Anthony,

    Permissions are a pre-requisite of the service, and we aren't experts on diagnosing issues like this. I would recommend reading WMI Diagnosis Utility or checking for differences with other environments that don't have this issue.

    Please let us know what the resolution was once you've found it, to help others who experience this problem in the future.

    Answer

    Issue resolved.

    It was linked to a MIM/FIM Corrupted files found thanks to your help and the WMI Diagnosis Utility tool.

    If something similar appears in the report, please reinstall/repair FIM/MIM sync service:

    30646 14:40:48 (0) ** ----------------------------------------------------------------------------------------------------------------------------------

    30647 14:40:48 (1) !! ERROR: Unable to locate MOF file(s) in the WBEM folder or in Auto-Recovery list for the

    30648 14:40:48 (1) !! ERROR: following CIM registered WMI provider(s): .................................................................... 2 ERROR(S)!

    30649 14:40:48 (0) ** - ROOT/MICROSOFTIDENTITYINTEGRATIONSERVER, MIIS ({9A6AE3F8-5DEF-416E-A569-BB74B3184DC6})

    30650 14:40:48 (0) ** - ROOT/SERVICEMODEL, SERVICEMODEL ()

    30651 14:40:48 (0) ** => If the WMI repository is rebuilt, the listed provider(s) may not be available anymore

    30652 14:40:48 (0) **    because the registration data is not located in the list of known MOF files. You can either:

    30653 14:40:48 (0) **    - Locate the MOF file(s) and manually recompile the corresponding MOF file(s) with

    30654 14:40:48 (0) **      the 'MOFCOMP.EXE <FileName.MOF>' command.

    30655 14:40:48 (0) **    - Retrieve a copy of the missing MOF file(s) and make sure there are part of the Auto-Recovery.

    30656 14:40:48 (0) **      registry key.

    30657 14:40:48 (0) **    Note: If you want the MOF file to be part of the Auto-Recovery, make sure the

    30658 14:40:48 (0) **          statement '#PRAGMA AUTORECOVER' is included.

    30659 14:40:48 (0) **    - If the corresponding MOF file can't be located, the MOF file can be recreated with

    30660 14:40:48 (0) **      WBEMTEST and/or CIM Studio available at

    30661 14:40:48 (0) **      http://www.microsoft.com/downloads/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314&DisplayLang=en

    30662 14:40:48 (0) **    - It is also possible that the application implemented its own recovery mechanism.

    30663 14:40:48 (0) **      In that case, no action is required.

    30664 14:40:48 (0) **      You must verify with the application vendor if the application has this capability (i.e. Microsoft SMS)

     

     


    Thanks for the update, Anthony.