Support Tip: MIM SP1 PAM install failure: CreateAuthenticationPolicyAndSilo Error The user has insufficient access rights.

When installing Microsoft Identity Manager Service Pack 1 (MIM SP1) with PAM using a dedicated installer account (MIMAdmin), the Service and Portal setup fails while creating the PAM authentication policy and silo. If you install with verbose logging enabled (msiexec /i "Service and Portal.msi" /l*v C:\temp\setup.log) you will see the following in the log:

Failed creating authentication policy/silo. The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.ResourceManagement.Utilities.DirectoryObjectManager.CreateObject(String dn, DirectoryAttributeCollection attributeCollection)
   at Microsoft.IdentityManagement.ManagedCustomActions.PAMRelatedCustomActions.CreateAuthenticationPolicyAndSilo(Session session, AuthenticationPolicyManager manager, ICollection`1 accounts)
   at Microsoft.IdentityManagement.ManagedCustomActions.PAMRelatedCustomActions.CreateAuthenticationPolicyAndSilo(Session session)
CustomAction CreateAuthenticationPolicyAndSilo returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 17:44:35: InstallFinalize. Return value 3.

To resolve this problem, run the following as part of the delegation setup on the PRIV DC (i.e. Step 2: Prepare the PRIV domain controller, https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-2-prepare-priv-domain-controller), replacing mimadmin with your installer account and the placeholder with the DN of the PRIV Configuration NC (the configurationNamingContext attribute of RootDSE, e.g. CN=Configuration,DC=priv,DC=contoso,DC=local):

dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain's Configuration NC>" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicy /i:s
dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain's Configuration NC>" /g mimadmin:CCDC;msDS-AuthNPolicy
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain's Configuration NC>" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicySilo /i:s
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,<the DN of PRIV Domain's Configuration NC>" /g mimadmin:CCDC;msDS-AuthNPolicySilo

These commands add the required permissions on the AuthN Policies and AuthN Silos containers in the PRIV domain's Configuration NC: create/delete child (CCDC) for msDS-AuthNPolicy and msDS-AuthNPolicySilo objects, plus read property, write property, read control and write DAC (RPWPRCWD) inherited to objects of those classes (/i:s). With these in place the MIM/PAM setup can create and configure the PAM authentication policy and silo.
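As an added example (not from the original post or from the MIM product), the PowerShell script below applies the same four dsacls grants with the Configuration NC resolved from RootDSE instead of typed by hand, then reads the resulting ACEs back so you can confirm the delegation before re-running setup. It assumes it is run in an elevated session on the PRIV DC (or a host with the ActiveDirectory RSAT module) as a PRIV administrator, and that the installer account is PRIV\MIMAdmin; the account name and the host are assumptions, so adjust $Installer to your forest.

```powershell
# Added example, not from the original post or the MIM product.
# Assumes: elevated PowerShell on the PRIV DC (or a host with the ActiveDirectory
# RSAT module) as a PRIV admin, and an installer account of PRIV\MIMAdmin.
param(
    [string]$Installer = 'PRIV\MIMAdmin'   # assumption: NetBIOS\sAMAccountName of the installer
)

Import-Module ActiveDirectory -ErrorAction Stop

# RootDSE exposes the Configuration NC DN that the post's placeholder stands for,
# e.g. CN=Configuration,DC=priv,DC=contoso,DC=local
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=AuthN Policy Configuration,CN=Services,$configNC"

$targets = @(
    @{ Container = "CN=AuthN Policies,$base"; Class = 'msDS-AuthNPolicy'     },
    @{ Container = "CN=AuthN Silos,$base";    Class = 'msDS-AuthNPolicySilo' }
)

function Invoke-Dsacls {
    param([string[]]$Arguments)
    & dsacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

foreach ($t in $targets) {
    # CC/DC: create and delete child objects of this class in the container
    Invoke-Dsacls -Arguments @($t.Container, '/G', "${Installer}:CCDC;$($t.Class)")
    # RP/WP/RC/WD on objects of this class, inherited to sub-objects only (/I:S),
    # so the policy/silo the installer creates can be read, written and re-ACLed
    Invoke-Dsacls -Arguments @($t.Container, '/I:S', '/G', "${Installer}:RPWPRCWD;;$($t.Class)")
}

# Verification: show the ACEs the installer account now holds on each container.
# ObjectType/InheritedObjectType in an ACE are schema GUIDs, so resolve the class
# GUID from the schema NC and match on it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($t in $targets) {
    $classObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$($t.Class))" -Properties schemaIDGUID
    $classGuid = [guid]$classObj.schemaIDGUID
    $aces = (Get-Acl -Path "AD:\$($t.Container)").Access |
        Where-Object { $_.IdentityReference.Value -eq $Installer -and
                       ($_.ObjectType -eq $classGuid -or $_.InheritedObjectType -eq $classGuid) }
    if (-not $aces) { Write-Warning "No ACE for $Installer on $($t.Container)" }
    $aces |
        Select-Object @{ n = 'Container'; e = { $t.Container } }, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize
}
```

Expect two ACEs per container for the installer: one CreateChild/DeleteChild ACE scoped to the class (InheritanceType None) and one ReadProperty/WriteProperty/ReadControl/WriteDacl ACE with InheritanceType Descendents. Note what this delegates: the account can create, change and re-ACL authentication policies and silos, which are the objects that restrict where PRIV accounts may authenticate, so grant these rights to the installer account only and not to a broader group.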

MIMPAM Module: https://docs.microsoft.com/en-us/powershell/identitymanager/mimpam/vlatest/mimpam