Forefront Identity Manager 2010 Installation & Configuration

Troubleshoot and Resolve Common Request Errors

Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Troubleshoot and Resolve Common Request Errors

Use the following steps to search for specific requests in the request log.

Click on the Search Requests link in the left navigation bar of the FIM Portal.

Select the search scope “Errors from today” and click on the search button to look for all the requests that led to an error during the last 24 hours.

To change the default search criteria, click on the Advanced Search link and change the filter:

Click on one of the requests to see its content. For example, below we have clicked on the request “Update to Person: ‘Kadiyala, Raja’ Request”.

The General tab displays information about the requestor, the request date and the request status. Notice that the FIM Synchronization Service issued this request. The FIM MA, running under the security context of the FIM Synchronization Service, is the one issuing these requests.

The request status is very important to monitor: watch for any request that either never completed or completed with an error. In this case the request reported the status “PostProcessingError”, which indicates that an error occurred “Post” completion of the operation. That is an indication that an Action workflow (and not an Authentication or Authorization workflow) caused the error. The error reported indicates that FIM could not send notifications to an email address.

The Detailed Content tab shows you what the FIM MA is changing in the object:

The Applied Policy tab shows that the following MPRs were applied:

By clicking on the second MPR you would notice that it calls an action workflow that sends a notification to the user’s manager and the user’s manager delegates confirming the creation of the user’s account in AD. As the manager does not have any delegate selected, the error shown above is generated.

If you click on the request “Update to Person: ‘Del Rosario, Krisley Ruth P.’ Request”, you will see the following error:

In this example the error indicates that a PowerShell script called by one of the workflows caused the error. If you log on to the FIM Service server, you will see additional details in the Forefront Identity Management event log.

The Detailed Content tab shows you what the FIM MA is changing in the object:

The FIM MA is flowing back the Home Directory attribute, meaning that someone set those attributes for the user in Active Directory. The transition MPR “_Provision User Home Directory” gets called on objects that have an account in AD and have a Home Directory attribute. That MPR calls the workflow “_Provision User Home-Directory” which creates a home share for the user on using a PowerShell script activity. However, as you can see in the error message, the script failed because the home directory was created from AD and therefore already existed when the script ran.

To prevent such errors you need to create the Home Directory from FIM by selecting the checkbox Home Directory Required from the Advanced View.

Sometimes you may see errors that are not very descriptive, such as:

The error generated is the following:

    The Workflow Instance '2bb5c91a-cd84-4220-a010-a9ad3890a97c' encountered an internal error during processing. Contact your system administrator for more information.

This error is typically returned when an unhandled exception is thrown in a custom workflow activity. In other words, it typically indicates a bug in the code of a custom workflow activity.

If you search for the GUID displayed, you will get the workflow instance that threw that error. To search for the GUID, click on the Administration link in the left navigation bar and then change the search scope to Search Resources by Resource ID as shown below.

If you click on the workflow instance returned and look at its Workflow Status Detail property, you will see more information about the error returned. In this case you will see the error message:

    Object reference not set to an instance of an object.

Go back to the Request object and click on its Detailed Content tab.

The Detailed Content tab displays information about the operation performed by the request. As you can see below, the request created a resource of type person with a number of attributes that are listed. Note that the user does not have a Last Name.

Click on the Applied Policy tab.

The Applied Policy tab displays information about the Management Policy Rules (MPRs) that were applied to this request. If you click on these MPRs you will see the workflows that they instantiated.

Click on the MPR “_User Creation from the FIM Portal” and go to the Workflow tab.

Click on the Action workflow “_Construct Attributes on User Creation”.

Notice that we are using a Custom Workflow Activity called “Construct Attribute Activity”.

The exception that caused the error must have occurred in this activity. You can also refer to the Event Log to get more information, as all custom workflow activities log their processing in the Forefront Identity Manager log as shown below.

You can see above that at the exact time that the error occurred there are several log entries that were generated by “FIM Custom Workflow Activities”. The one displayed above clearly shows that the custom workflow activity ConstructAttributeActivity was initiated and that an error was returned right after the function ConstructDisplayName() was called. If you click on the errors that follow that entry you will see the following:

    ConstructAttributeActivity: Caught Exception:System.NullReferenceException
    ConstructAttributeActivity: Message: Object reference not set to an instance of an object.

Now we know that in order to debug the issue we have to place a breakpoint in the function ConstructDisplayName() of the custom workflow activity ConstructAttributeActivity (see the section below “Debug the Custom Workflow Activity Logic” for information on how to debug a custom workflow activity).

The line highlighted above is the one causing the error: when the Last Name is not specified in the request, calling the method Trim() on the null variable lastName causes the exception “Object reference not set to an instance of an object.”

This code can be fixed by making sure that the variable is not null, as follows:

    if (!String.IsNullOrEmpty(lastName))
        lastName = lastName.Trim();

Note 1: the last example shown above is for illustration purposes only. The custom workflow activity that is causing the error is not actually implemented at Providence.

Note 2: when troubleshooting request-related failures, always start by viewing the request that failed from the FIM Portal. Look at the Request Status Details on the Request object and the Workflow Status Details on the related Workflow Instance object. These attributes contain information about the errors that occurred when the request and its associated workflows were processed. Also, if you suspect the failure occurred in a custom workflow activity, look in the Event Viewer log Forefront Identity Manager for entries generated by “FIM Custom Workflow Activities”. You have to look in the event log on both FIM servers (WNP2386 and WNP2387), as we can’t tell from the request entry which server processed the request.
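
The event log check from Note 2, run against both FIM servers in one pass, as an added PowerShell example that is not part of the original guide. It assumes the log name and event source are exactly as the guide gives them and that the caller can read the event logs remotely; Get-FimCustomActivityEvents is a hypothetical helper name and the timestamp is a constructed placeholder to be replaced with the time shown on the failed request.

```powershell
# Added example: collect "FIM Custom Workflow Activities" entries from both
# FIM servers in a time window around a failed request, merged in time order.
function Get-FimCustomActivityEvents {
    param(
        # Server names as given in the guide.
        [string[]] $ComputerName = @('WNP2386', 'WNP2387'),
        # Time of the failure, read from the Request object in the FIM Portal.
        [Parameter(Mandatory = $true)] [datetime] $FailureTime,
        # Minutes to look before and after the failure.
        [int] $WindowMinutes = 5
    )

    $filter = @{
        LogName      = 'Forefront Identity Manager'       # log name from the guide
        ProviderName = 'FIM Custom Workflow Activities'   # event source from the guide
        StartTime    = $FailureTime.AddMinutes(-$WindowMinutes)
        EndTime      = $FailureTime.AddMinutes($WindowMinutes)
    }

    $events = foreach ($server in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                # Expected on the server that did not process the request.
                Write-Verbose "${server}: no matching entries in the window"
            }
            else {
                # Unreachable server or access denied: report it, keep going.
                Write-Warning "${server}: could not read the event log: $($_.Exception.Message)"
            }
        }
    }

    # MachineName shows which server actually processed the request.
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, MachineName, LevelDisplayName, Message
}

# Constructed placeholder time; substitute the failed request's timestamp.
Get-FimCustomActivityEvents -FailureTime '2013-01-01 10:15:00' | Format-List
```

A warning for one server means that server's log was not checked, so an empty result is only conclusive when neither server produced a warning.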