Tracking down a duplicate ObjectSid

Most people who work with FIM will be familiar with the “Value Violates Uniqueness” errors you get when you try to export an object through the FIM MA that conflicts with an existing object on an attribute that has enforced uniqueness in the FIM Service. If the duplicate is on a string attribute like AccountName then it’s pretty easy to track down the conflicting object in the Portal. This one, however, is not so simple:

Attribute Failure Code: ‘ValueViolatesUniqueness’, Attribute Name: ‘ObjectSID’

You can’t search for a binary value in the Portal and you can’t use XPath, so I couldn’t see any other choice than to search directly in the FIMService database.

First you copy the offending Sid out of the pending-export object in the FIM MA connector space:

[Image: objectsid]

Strip all the spaces out of it and run this query against the FIM Service database:

-- Find the object that already holds this SID (hex string with the spaces removed)
SELECT *
FROM [fim].[ObjectValueString] s
JOIN [fim].[ObjectValueBinary] b
  ON s.ObjectKey = b.ObjectKey
WHERE CONVERT(VARCHAR(MAX), ValueBinary, 2) = '010500000000000515000000AD2CB2AE9F3EB92608ED3E3016C00500'

This should show you enough information about the conflicting object to track it down in the FIM Portal.
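
The "strip all the spaces" step can be scripted and sanity-checked before the value goes into the query. The following is an added example, not code from the original post: it normalises the copied hex and, going one step beyond the post, decodes the binary SID into its S-1-... string form so it can be compared with the SID that directory tools display. The function names are hypothetical, and the spaced input is constructed from the SID shown in the query above.

```python
import struct

# Constructed sample: the SID from the query above, spaced the way it might
# look when copied out of the connector space.
PAGE_SID_SPACED = ("01 05 00 00 00 00 00 05 15 00 00 00 AD 2C B2 AE "
                   "9F 3E B9 26 08 ED 3E 30 16 C0 05 00")


def normalise_hex(raw: str) -> str:
    """Remove all whitespace (and an optional 0x prefix) and verify it is hex."""
    cleaned = "".join(raw.split()).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    bytes.fromhex(cleaned)  # raises ValueError on odd length or non-hex input
    return cleaned


def sid_to_string(raw: str) -> str:
    """Decode a binary SID given as hex text into S-R-A-S1-S2-... form."""
    data = bytes.fromhex(normalise_hex(raw))
    if len(data) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    # A truncated copy/paste shows up here as a length mismatch.
    if len(data) != 8 + 4 * sub_count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(data[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", data[8:])        # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


if __name__ == "__main__":
    print(normalise_hex(PAGE_SID_SPACED))   # value to paste into the SQL query
    print(sid_to_string(PAGE_SID_SPACED))   # readable SID for comparison
```
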

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

