Problem
A MIMWAL workflow fails, and the Forefront Identity Manager event log records Event ID 3 from Microsoft.Resourcemanager with the message:
GetCurrentUserFromSecurityIdentifier: No such user [DOMAIN\USER], [SID]
The WAL event log was not particularly helpful in this case; it only recorded a generic exception:
Event ID 40405: WAL (2.17.0927.0): 09/27/2018 14:20:47.3127: The type initializer for ‘Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient’ threw an exception.
Analysis
The workflow in question tries to execute a PowerShell script, and we spent quite a lot of time troubleshooting the script to no avail. In retrospect, the problem is stated quite directly in the first event from the MIM/FIM log: “No such user”.
The user mentioned is the service account for the FIM Service, and both the username and the SID are correct, so the error message did not make much sense: I could not see why MIM would fail to find the user in AD when both the sAMAccountName and the SID were correct. That was the real problem: I was thinking backwards. The problem was not in AD but in the FIMService database, where, for some reason, the service account was not registered with a SID. To troubleshoot, you have to run some queries against the FIMService database.
Find the ObjectKey for the user
USE FIMService;
SELECT [ObjectKey],[DomainAndAccountName]
FROM [FIMService].[fim].[DomainAndAccountName]
WHERE DomainAndAccountName = 'DOMAIN\USER';
ObjectKey            DomainAndAccountName
-------------------- ----------------------------------------------------
12345                DOMAIN\USER

(1 row affected)
We find the object key “12345” and place it into the where-clause for the next query.
Find the SID
USE FIMService;
SELECT [UserObjectKey] ,[SecurityIdentifier]
FROM [FIMService].[fim].[UserSecurityIdentifiers]
WHERE UserObjectKey = '12345';
UserObjectKey        SecurityIdentifier
-------------------- ----------------------

(0 rows affected)
This query returns no result. It should return the SID for the user in hexadecimal format.
Solution
Add the SID <-> ObjectKey mapping. As usual, make sure that you understand these steps before you execute them.
- Get the hexadecimal SID. You can get it from AD Users and Computers in advanced mode.
- Open your user, look at the attribute list and find the ObjectSID attribute.
- View the attribute in hexadecimal form. It should look something like 01 05 00 00 00 and so on.
- Remove the spaces using your favorite text editor, and add a 0x prefix to indicate that this is a hex value.
- Your result should look like this: 0x010500000000000512345234504560734063457AFCDEBB69EE0000
- Run the following query, inserting the ObjectKey and the hexadecimal SID.
USE FIMService;
INSERT INTO [FIMService].[fim].[UserSecurityIdentifiers] ([UserObjectKey], [SecurityIdentifier])
VALUES ('12345', 0x010500000000000512345234504560734063457AFCDEBB69EE0000);
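The hex conversion in the steps above can also be done and checked in code. The following Python is an added example written for this page; it is not the author's script and not part of MIM or the WAL. The sample SID string and the function names are constructed for illustration. It encodes an S-1-5-... string into the byte layout AD stores in objectSid (revision, sub-authority count, 6-byte big-endian identifier authority, then each sub-authority as a 32-bit little-endian integer), decodes a blob back to a string, and validates the hex copied from AD Users and Computers before it is turned into the 0x literal for the INSERT, so a truncated or mistyped value is rejected instead of being written into the FIMService database.

```python
import struct

# Constructed sample SID for this example (not the page's account or SID),
# in the form reported by `whoami /user` or the SID property of Get-ADUser.
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-1013"


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-...' string into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 1 <= len(subauths) <= 15:
        raise ValueError("a SID has between 1 and 15 sub-authorities")
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes, big-endian)
    out = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    for sa in subauths:
        out += struct.pack("<I", sa)  # each sub-authority: 32-bit little-endian
    return out


def bytes_to_sid(blob: bytes) -> str:
    """Decode objectSid bytes back to 'S-1-5-...', checking the length against the header."""
    if len(blob) < 8:
        raise ValueError("SID blob too short for its header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError(
            f"SID blob is {len(blob)} bytes but the header says {count} "
            f"sub-authorities ({expected} bytes expected); re-check the copied hex"
        )
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack(f"<{count}I", blob[8:])
    return "S-1-" + "-".join(str(x) for x in (authority, *subauths))


def aduc_hex_to_literal(aduc_hex: str) -> str:
    """Turn the space-separated hex shown by AD Users and Computers ('01 05 00 ...')
    into the 0x... literal used in the INSERT, after validating its structure."""
    raw = "".join(aduc_hex.split()).upper()
    if raw.startswith("0X"):
        raw = raw[2:]
    blob = bytes.fromhex(raw)  # raises on an odd digit count or non-hex characters
    bytes_to_sid(blob)         # raises if the header and length disagree
    return "0x" + blob.hex().upper()


def sid_string_to_literal(sid: str) -> str:
    """Go straight from 'S-1-5-...' to the 0x... literal, no ADUC hex view needed."""
    return "0x" + sid_to_bytes(sid).hex().upper()


if __name__ == "__main__":
    literal = sid_string_to_literal(SAMPLE_SID)
    print(literal)
    # Decode it again to confirm the literal really is the account you meant.
    print(bytes_to_sid(bytes.fromhex(literal[2:])))
```

Before running the INSERT, compare the decoded string with the SID of the FIM Service account (for example from `whoami /user` run as that account, or the SID property returned by Get-ADUser); the mapping you add must belong to the ObjectKey you looked up in the first query.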
To verify, run the query against UserSecurityIdentifiers again (the one that returned 0 rows) and check that you now get a row mapping your ObjectKey to your SID. If you are lucky, your workflow is now working as expected. If you are not so lucky, you should at least get a different error message…