FIM Service Event Log Messages

I’ve just been documenting various FIM Event Log messages for a client as part of the solution Operations Guide, and figured I may as well post them here too, where I can add events as I see new ones.

All of these errors and warnings are posted to the Forefront Identity Manager event log and I observed them on FIM 2010 R2.


Workflow grammar refers to an attribute which does not have a value

Level Warning
Message Workflow grammar refers to an attribute AttributeName, which does not have a value on the referenced resource.
Explanation An email template specifies [//WorkflowData/AttributeName] and no value was found. This Warning can normally be ignored. The email will be sent but will contain a blank space at that spot.

Invalid or NULL email address

Level Error
Message Microsoft.ResourceManagement.Service: System.ArgumentException: Invalid or NULL email address
at Microsoft.ResourceManagement.Mail.Utilities.ValidateMailMessage(GenericMessage message, IMailServer mailServer)
at Microsoft.ResourceManagement.Mail.NotificationMessage.Send(Int32 timeoutInMilliseconds)
at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.SendMailMessage(MessageContent messageContent, Int32 timeoutInMilliseconds)
at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.ProcessWorkItem(WorkItem workItem)
The target of an email notification does not have an email address set.
Explanation A Notification or Approval workflow has attempted to email an object which has no email address.
This event appears whether you have SuppressException set to True or False (the Notification flag you set in the XOML to prevent the Workflow from failing outright if you don’t care about the Notification step failing).

No such user

Level Error
Message GetCurrentUserFromSecurityIdentifier: No such user Domain\User, SID
Explanation A user account has attempted to log in to the Portal where no Person object matching that Domain, AccountName and SID exists in the Portal.
If the specified user is “NT AUTHORITY\LOCAL SERVICE, S-1-5-19” then check if the SharePoint Timer Job “SharePoint Foundation Search Refresh” is enabled. This job should be disabled to prevent it attempting to index the FIM site.

UnwillingToPerformException: IdentityIsNotFound

Level Error
Message Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
Explanation This is usually seen at the same time as the “No such user” error, and has the same cause.

Cannot insert duplicate key row in object ‘fim.ObjectValueString’

Level Error
Message Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure UpdateResource, Line 575, Message: Cannot insert duplicate key row in object ‘fim.ObjectValueString’ with unique index ‘IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued’. The duplicate key value is (num1, num2, num3).
Explanation Two processes have attempted to update the same string value on an object at the same time.
To find out which attribute use the num2 value from the error message to query the FIMService database:
   select * from fim.AttributeInternal where [Key] = num2

Cannot insert duplicate key in object ‘fim.ObjectValueBoolean’

Level Error
Message Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 2627, Level 14, State 1, Procedure UpdateResource, Line 220, Message: Violation of PRIMARY KEY constraint ‘PK_ObjectValueBoolean’. Cannot insert duplicate key in object ‘fim.ObjectValueBoolean’. The duplicate key value is (num1, num2, num3).
Explanation Two processes have attempted to update the same Boolean value on an object at the same time.
This is very similar to the duplicate string error above, however for some reason the numbers identifying the attribute are in a different order – so this time use the num1 value to query the FIMService database:
   select * from fim.AttributeInternal where [Key] = num1

An approval has timed out waiting for a response

Level Error
Message ReceiveCreateResourceActivity ‘authenticationGateActivity1.receiveApprovalResponse’ running in WorkflowInstance ‘guid’ timed out waiting for response. An approval has timed out waiting for a response.
Explanation An approval has timed out. This is probably completely fine – approvals should time out if they haven’t been responded to in the configured time.

PermissionDeniedException

Level Error
Message The following is an example. There are other variations but all include “PermissionDeniedException” in them somewhere. Sometimes you will see a lot of errors which all relate to a single Denied request in the Portal.
Requestor: urn:uuid:guid
Correlation Identifier: guid
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Workflow
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAuthorization(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
Explanation A Workflow failed with a Denied status. To find out what happened look for it in the Requests history in the Portal.
I haven’t been able to figure out any use for the Correlation Identifier, which does not appear in the Portal, and which seems to change from one event to another, even when they have the same root cause.
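
The triage guidance in the entries above, as an added PowerShell example that is not from the original post: it maps message text to the action each explanation recommends and builds the attribute lookup query for the two duplicate-key errors. The function name, the rule table and the sample messages are constructed for illustration.

```powershell
# Added example. Live input would be the .Message text of events read with
# Get-WinEvent from the "Forefront Identity Manager" log (name as given above).
$Rules = @(
    @{ Pattern = 'Workflow grammar refers to an attribute'; Action = 'Ignore: email template token had no value' }
    @{ Pattern = 'Invalid or NULL email address'; Action = 'Fix data: notification target has no email address' }
    @{ Pattern = 'No such user NT AUTHORITY\\LOCAL SERVICE'; Action = 'Check the "SharePoint Foundation Search Refresh" timer job; it should be disabled' }
    @{ Pattern = 'No such user|IdentityIsNotFound'; Action = 'Investigate: login by an account with no matching Person object' }
    @{ Pattern = 'timed out waiting for response'; Action = 'Usually fine: approval expired after the configured time' }
    @{ Pattern = 'PermissionDeniedException'; Action = 'Review the Denied request in the Portal Requests history' }
)

function Get-FimEventTriage {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Duplicate-key errors: the attribute key is num2 for ObjectValueString
    # and num1 for ObjectValueBoolean in the (num1, num2, num3) tuple.
    $dup = 'fim\.ObjectValue(String|Boolean)\b.*duplicate key value is \((\d+),\s*(\d+),\s*(\d+)\)'
    if ($Message -match $dup) {
        $type = $Matches[1]
        $key  = if ($type -eq 'String') { $Matches[3] } else { $Matches[2] }
        return [pscustomobject]@{
            Action = "Concurrent update of a $type value; identify the attribute"
            Query  = "select * from fim.AttributeInternal where [Key] = $key"
        }
    }
    foreach ($rule in $Rules) {
        if ($Message -match $rule.Pattern) {
            return [pscustomobject]@{ Action = $rule.Action; Query = $null }
        }
    }
    [pscustomobject]@{ Action = 'Not documented here: triage manually'; Query = $null }
}

# Constructed sample messages; the key values in the tuples are made up.
$samples = @(
    "Reraised Error 2601, Level 14, State 1, Procedure UpdateResource, Line 575, Message: Cannot insert duplicate key row in object 'fim.ObjectValueString'. The duplicate key value is (4321, 66, 127)."
    "Reraised Error 2627, Level 14, State 1, Procedure UpdateResource, Line 220, Message: Cannot insert duplicate key in object 'fim.ObjectValueBoolean'. The duplicate key value is (91, 4321, 127)."
    'GetCurrentUserFromSecurityIdentifier: No such user NT AUTHORITY\LOCAL SERVICE, S-1-5-19'
    'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Workflow'
)
$samples | ForEach-Object { Get-FimEventTriage -Message $_ } | Format-List
```

For the two constructed duplicate-key samples the generated queries use keys 66 (string, num2) and 91 (Boolean, num1).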

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

