Troubleshoot and Resolve Common Request Errors

Forefront Identity Manager
2010 Installation &
Configuration
Troubleshoot and Resolve Common Request Errors
Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to
you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot
guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief
highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these
products, please consult their respective manufacturers.
© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
ii
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
Troubleshoot and Resolve Common Request Errors
Use the following steps to search for specific requests in the request log.
Click on the Search Requests link in the left navigation bar of the FIM Portal.
Select the search scope “Errors from today” and click on the search button to look for all the requests that led
to an error during the last 24 hours.
To change the default search criteria, click on the Advanced Search link and change the filter:
Click on one of the request to see its content. For example below we have clicked on the request "Update to
Person: ‘Kadiyala, Raja’ Request”.
Page 3
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
The General tab displays information about the requestor, the request date and the request status. Notice that
the FIM Synchronization Service issued this request. The FIM MA running under the security context of the FIM
Synchronization Service is the one issuing these requests. The request status is very important to monitor as we
should be watching for any request status that either never completed or completed with an error. In this case
the request reported the status “PostProcessingError” which indicates that an error occurred “Post”
completion of the operation. That is an indication that an Action workflow (and not an Authentication or
Authorization workflow) caused the error.
The error reported indicates that FIM could not send notifications to an email address.
Page 4
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
The Detailed Content tab shows you what the FIM MA is changing in the object:
The Applied Policy tab shows that the following MPRs were applied:
By clicking on the second MPR you would notice that it calls an action workflow that sends a notification to the
user’s manager and the user’s manager delegates confirming the creation of the user’s account in AD. As the
manager does not have any delegate selected, the error shown above is generated.
Page 5
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
If you click on the request "Update to Person: ‘Del Rosario, Krisley Ruth P.’ Request”. Yo u will see the
following error:
In this example this error indicates that a PowerShell script called by one of the workflows caused the error. If
you login on FIM Service Server, you will see additional details in the Forefront Identity Management event log.
The Detailed Content tab shows you what the FIM MA is changing in the object:
Page 6
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
The FIM MA is flowing back the Home Directory attribute, meaning that someone set those attributes for the
user in Active Directory.
The transition MPR “_Provision User Home Directory” gets called on objects that have an account in AD and
have a Home Directory attribute. That MPR calls the workflow “_Provision User Home-Directory” which creates
a home share for the user on using a PowerShell script activity. However, as you can see in the error message,
the script failed because the home directory was created from AD and therefore already existed when the script
ran. To prevent such errors you need to create the Home Directory from FIM by selecting the checkbox Home
Directory Required from the Advanced View.
Page 7
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
Sometimes you may see errors that are not very descriptive, such as:
The error generated is the following:
The Workflow Instance '2bb5c91a-cd84-4220-a010-a9ad3890a97c' encountered an internal error during
processing. Contact your system administrator for more information.
This error is typically returned when an unhandled exception is thrown in a custom workflow activity. In other
words it is typically indicating a bug in the code of a custom workflow activity. If you search for the GUID
displayed, you will get the workflow instance that threw that error. To search for the GUID you have to click on
the Administration link in the left navigation bar and then change the search scope to Search Resources by
Resource ID as shown below.
Page 8
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
If you click on the workflow instance returned and look at its Workflow Status Detail property, you will see
more information about the error returned. In this case you will see the error message:
Object reference not set to an instance of an object.
Go back to the Request object and click on its Detailed Content tab. The Detailed Content tab displays
information about the operation performed by the request. As you can see below the request created a
resource of type person with a number of attributes that are listed. Note the user does not have a Last Name.
Click on the Applied Policy tab.
Page 9
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
The Applied Policy tab displays information about the Management Policy Rules (MPRs) that were applied to
this request. If you click on these MPRs you will see the workflows that they instantiated. Click on the MPR
“_User Creation from the FIM Portal” and go to the Workflow tab.
Click on the Action workflow “_Construct Attributes on User Creation”.
Notice that we are using a Custom Workflow Activity called “Construct Attribute Activity”.
Page 10
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
The exception that caused the error must have occurred in this activity. You can also refer to the Event Log to
get more information as all custom workflow activities log their processing in the Forefront Identity Manager
log as shown below.
You can see above that at the exact time that the error occurred there are several log entries that were
generated by “FIM Custom Workflow Activities”. The one displayed above clearly shows that the custom
workflow activity ConstructAttributeActivity was initiated and that an error was returned right after the
function ConstructDisplayName() was called. If you click on the errors that follows that entry you will see the
following:
ConstructAttributeActivity: Caught Exception:System.NullReferenceException
ConstructAttributeActivity: Message: Object reference not set to an instance of an object.
Page 11
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
Now we know that in order to debug the issue we have to place a breakpoint in the function
ConstructDisplayName() of the custom workflow activity ConstructAttributeActivity (see the section below
“Debug the Custom Workflow Activity Logic” for information on how to debug a custom workflow activity).
The line highlighted above is the one causing the error because when the Last Name is not specified in the
request then calling the method Trim() on the null variable lastName causes the exception:
Object reference not set to an instance of an object.
This code can be fixed by making sure that the variable is not null as follow:
if (!String.IsNullOrEmpty(lastName)) lastName = lastName.Trim();
Note 1: the last example shown above is for illustration purpose only. The custom workflow activity that
is causing the error is not actually implemented at Providence.
Note 2: when troubleshooting request-related failures, always start with viewing the request that failed
from the FIM Portal. Look at the Request Status Details on the Request object and the Workflow
Status Details on the related Workflow Instance object. These attributes contain information about
the errors that occurred when the request and its associated workflows were processed. Also if you
suspect the failure occurred in a custom workflow activity, look in the Event Viewer log Forefront
Identity Manager for entries generated by “FIM Custom Workflow Activities”. You have to look in
the event log on both FIM servers (WNP2386 and WNP2387) as we can’t tell from the request entry
which server processed the request.
Page 12
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering