AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

How FIM2010 CM & CLM 2007 search for users

How FIM2010 CM & CLM 2007 search for users

  • Comments 6
  • Likes

  1. User with FIM2010/CLM/ILM management permissions logs on to the CM website, accesses one of the search pages and clicks Search
  2. The CLM Auth Agent service account makes an LDAP query to a DC and retrieves the names of all users matching the search criteria
  3. The FIM code steps through the list that it has obtained from AD and checks if the logged on user has read permissions to each - if so then it is added to the list
  4. Once all users in the list have been checked the filtered list is displayed to the logged on user.

Two things have to be in place for a user to be displayed on the Search Results page when the search operation is performed:

  • the logged on user (i.e. FIM Admin) must have Read Properties permissions on the account(s) being searched for in order for them to be displayed in the search results
  • the CLMAuthAgent account must have sufficient AD permissions and user rights as defined on http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx

If either of these is missing or incomplete then the list of returned users will be filtered accordingly or an error message returned.

Installing and Configuring CLM 2007 on a Server
http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1
http://support.microsoft.com/kb/969742

 

Comments
  • I have never got this to work for FIM CM 2010 without having to give the Users managing the FIM CM direct read against the users participating.

    Authenticated users doesn't seem to propogate through and I don't understand why.

  • This works for Authenticated Users by default in a freshly installed domain - in the case where it requires direct permissions then the default ACL's in AD have been modified.

    One suspicion that I had was that this might be related to domains that have been upgraded all the way from NT 4 (if the ACL's haven't simply been modified at some point) - but I didn't investigate this beyond confirming it works this way for a vanilla W2k8 R2 domain.

  • Just to clarify.

    My issue is that when I search for users in FIM CM I currently have to have the give the logged in user specific Read permissions against the AD users I wish to manage..

    Are you stating that this should be picked up through Authenticated Users ?

    I have installed fresh W2k8 R2 domains as test environments but I still seem to get this issue. I must be doing something potentially incorrect when I create the domain?

  • This should flow down via Authenticated Users being a member of the Pre-Windows 2000 Compatible Access group as this group by default has the required permissions - perhaps your user isn't properly authenticated and doesn't get the group SId for the contruscted AU group?

    At any rate, I ran the forest setup with the defaults (a click-next installation) and it worked out of the box for a non-admin user.

  • Ingolfur,

    In your testing, are your domain controller and FIM installation on the same server?  If so, then Auth Users will work via the nesting in PreWindows 2000 Compat Access.

  • Good point, I typically use FIM and DC on the same server in test scenarios.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment