
Impersonating fails for others than 'FIM Synchronization Service Account'

description

Hi,
All other users except the 'FIM Synchronization Service Account' fail to impersonate. I added the 'failing' service account explicitly to the security options:
  • Log on as a service;
  • Impersonate a client after authentication.
I'm using MIM 2010 version 4.3.2195.0 on a Windows 2012 R2 VM in Windows Azure.


Error:

^^^^^^^^^^^^^^^^^^^^^^^

Log Name: Application
Source: FIMSynchronizationService
Date: 6/16/2016 10:22:35 AM
Event ID: 6801
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: mimsync.demo.lan
Description:
The extensible extension returned an unsupported error.
The stack trace is:

"System.Management.Automation.PSSecurityException: AuthorizationManager check failed. ---> System.Security.SecurityException: Requested registry access is not allowed.
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at System.Management.Automation.SecuritySupport.GetLocalPreferenceValue(String shellId, ExecutionPolicyScope scope)
at System.Management.Automation.SecuritySupport.GetExecutionPolicy(String shellId, ExecutionPolicyScope scope)
at System.Management.Automation.SecuritySupport.GetExecutionPolicy(String shellId)
at Microsoft.PowerShell.PSAuthorizationManager.CheckPolicy(ExternalScriptInfo script, PSHost host, Exception& reason)
at Microsoft.PowerShell.PSAuthorizationManager.ShouldRun(CommandInfo commandInfo, CommandOrigin origin, PSHost host, Exception& reason)
at System.Management.Automation.AuthorizationManager.ShouldRunInternal(CommandInfo commandInfo, CommandOrigin origin, PSHost host)
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke[T](IEnumerable input, IList`1 output, PSInvocationSettings settings)
at Granfeldt.PowerShellManagementAgent.InvokePowerShellScript(Command command, PSDataCollection`1 pipelineInput)
at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2GetSchema.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.3.2195.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="FIMSynchronizationService" />
<EventID Qualifiers="49152">6801</EventID>
<Level>2</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-06-16T10:22:35.000000000Z" />
<EventRecordID>3888</EventRecordID>
<Channel>Application</Channel>
<Computer>mimsync.demo.lan</Computer>
<Security />
</System>
<EventData>
<Data>System.Management.Automation.PSSecurityException: AuthorizationManager check failed. ---> System.Security.SecurityException: Requested registry access is not allowed.
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at System.Management.Automation.SecuritySupport.GetLocalPreferenceValue(String shellId, ExecutionPolicyScope scope)
at System.Management.Automation.SecuritySupport.GetExecutionPolicy(String shellId, ExecutionPolicyScope scope)
at System.Management.Automation.SecuritySupport.GetExecutionPolicy(String shellId)
at Microsoft.PowerShell.PSAuthorizationManager.CheckPolicy(ExternalScriptInfo script, PSHost host, Exception& reason)
at Microsoft.PowerShell.PSAuthorizationManager.ShouldRun(CommandInfo commandInfo, CommandOrigin origin, PSHost host, Exception& reason)
at System.Management.Automation.AuthorizationManager.ShouldRunInternal(CommandInfo commandInfo, CommandOrigin origin, PSHost host)
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke[T](IEnumerable input, IList`1 output, PSInvocationSettings settings)
at Granfeldt.PowerShellManagementAgent.InvokePowerShellScript(Command command, PSDataCollection`1 pipelineInput)
at Granfeldt.PowerShellManagementAgent.Microsoft.MetadirectoryServices.IMAExtensible2GetSchema.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.3.2195.0</Data>
</EventData>
</Event>
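The inner exception in Event ID 6801 above is PowerShell's execution-policy lookup (`GetExecutionPolicy` → `RegistryKey.OpenSubKey`) being denied while the MA runs under the impersonated account. The script below is an added diagnostic, not code from this issue thread or from the Granfeldt PowerShell MA: it checks, for one account, the two user rights the reporter assigned and direct read access to the registry key PowerShell opens when it resolves the machine execution policy. The account name is a placeholder; the registry path is the standard location of the per-machine execution policy setting.

```powershell
# Added diagnostic for the Event ID 6801 failure; not part of the issue thread
# or of the Granfeldt PowerShell MA. Run in an elevated PowerShell on the sync
# server. The account below is a placeholder: replace it with the account the
# MA is configured to impersonate.
param(
    [string]$Account = 'DEMO\svc-ma-placeholder'   # placeholder value
)

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Checks 1 and 2: user rights assignment. secedit exports the local policy as
# an INF whose [Privilege Rights] section lists each right with *SID entries,
# e.g.  SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policyText = Get-Content -Path $inf -Raw
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Test-UserRight {
    param([string]$Right, [string]$Sid, [string]$Text)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
    $line = ($Text -split "`r?`n") | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return $false }   # right is assigned to nobody
    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($entries -contains $Sid)
}

# Check 3: read access on the key PowerShell opens for the execution policy
# (the OpenSubKey call in the stack trace). Only ACEs granted to the account
# itself are counted; access inherited through group membership is not
# evaluated here.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

function Test-RegistryReadAce {
    param([string]$KeyPath, [string]$Sid)
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate(
                          [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, skip it
        if ($aceSid -eq $Sid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $readKey) -eq $readKey)) {
            return $true
        }
    }
    return $false
}

[pscustomobject]@{
    Account                = $Account
    Sid                    = $sid
    LogOnAsService         = Test-UserRight -Right 'SeServiceLogonRight'   -Sid $sid -Text $policyText
    ImpersonateClient      = Test-UserRight -Right 'SeImpersonatePrivilege' -Sid $sid -Text $policyText
    ExecutionPolicyKeyRead = Test-RegistryReadAce -KeyPath $policyKey -Sid $sid
}
```

Both checks look only at entries granted directly to the account's SID, so a right or ACE that reaches the account through a group shows up as `False`; treat a `False` as a prompt to look at group membership before changing anything. If all three come back `True` and the 6801 event persists, the denial is happening inside the impersonation path itself rather than in the account's configured rights, which is the direction the follow-up comments take.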

------------------------------------

comments

Granfeldt wrote Jun 17, 2016 at 6:33 AM

I've seen this issue with Windows 2012 R2 and impersonation. I have a new version in the pipeline that does impersonation in another way, which I have running at a customer.

I can get you a link for download to try this...

guyhorn wrote Jun 17, 2016 at 7:22 AM

Please do. I can inform you if it works for me, if you want.

PS: there's a nasty PowerShell catch I ran into when using the 'activedirectory' module. It has nothing to do with your ECMA, but I guess more and more people will run into it, and you will get questions about it.

Long story short:

Add the following lines in the config file of FIMService (C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config) :

<startup>
<supportedRuntime version="v4.0"/>
<supportedRuntime version="v2.0.50727"/>
</startup>

under the “configuration” node et voilà!

Long story and credits: https://idmgnt.wordpress.com/2014/04/25/fim-powershell-wf-does-not-load-module-active-directory-on-windows-server-2012/

Granfeldt wrote Jun 24, 2016 at 8:44 AM

Try this version (not released, so own risk) that does impersonation in a different way and let me know - https://www.dropbox.com/s/5day0rxqjs73rkj/Granfeldt.PowerShell.ManagementAgent.dll?dl=0

guyhorn wrote Jul 29, 2016 at 11:03 AM

Hi,
I tried the new DLL, but it didn't work for me. Now I can successfully save the MA configuration, but the impersonation is ignored without any visible reason. The user running the MA is still the Sync Service Account. I configured the Windows audit policy to get all failures and there's nothing there. Hope it helps.