Hi Everyone! Over the past couple of days we have been working on an issue related to portal access where the root cause was not immediately evident and took some digging to get to.
Just to clarify the overall problem; when attempting to access the portal we were seeing a pretty common error from FIM/MIM (“Error processing your request: The server was unwilling to perform the requested operation”). This is often seen during workflow failures, but I don’t recall ever seeing it in the context of portal access. The other more telling error was an event that was getting logged in the “Forefront Identity Manager” log within the Windows Event Viewer. This one said it all, however, it took some time to figure out root cause.
A partial excerpt of the stack trace from my lab environment is below:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other —> System.Data.SqlClient.SqlException: The server principal “S-1-9-3-4146432808-1139677015-2502263453-1403466755” is not able to access the database “FIMService” under the current security context.
Just looking at the error indicates that there is an issue with SQL permission which is understandable. In this case an identifier that starts with S-1-9-3 is a SQL specific security principal so we know that it not actually associated to an Active Directory principal. After digging into this some more, we determined that someone changed the default permissions to the SQL logins which were created during the FIMService install. This prevented all read and write access to the FIMService database via the Portal, PowerShell, and FIMMA.
As a final note; it is important to remember that directly changing the FIMService database or the Schema are not supported changes. These types of changes can frequently result in very strange undocumented errors and additional can put your environment into an unsupported configuration scenario.
Thanks and have a great day everyone!