Thursday, December 23, 2010

FIM CM Search Errors

We recently deployed FIM CM at a client with a large Active Directory (120000+ objects), and ran into two very specific issues when we tried to search for a user to enroll them for a smart card. Here are both issues, each with its solution:
1. 'ADSDSOObject' Failed with no error message available, result code: -2147016669 (0x80072023).
This error code means that the search you are running returns too many objects: the result set exceeds the directory's size limit, so add search parameters to narrow it. By default AD imposes a size limit on LDAP queries, and the number of objects a FIM CM search can return is bounded by that same limit (to my knowledge it is 1000 objects). Unfortunately this value cannot be increased in FIM CM.
First, make sure you limit the search scope by adding the group you created for FIM CM users to CLM.RequestSecurity.Groups in the FIM CM web.config file. This lets FIM CM determine which users are eligible to use FIM CM.
Second, if you are searching in a large directory, narrow the scope further by typing at least 3 characters of the login name and adding further search fields such as email address, first name or last name to the search criteria.

2. “value does not fall within the expected range” error
In short, this error occurs because the Authorization Agent account does not have sufficient rights on the object it is trying to access. Check that the account is a member of the “Pre-Windows 2000 Compatible Access” group and that the group's rights are applied consistently across the Active Directory. Our problem stemmed from the fact that a set of OUs had the permissions for the group altered from the initially delegated permissions. So if you get this error for a user, you can be sure there is a permissions issue on the OU where they are located.
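To check both conditions behind the second error before digging through OUs by hand, here is an added PowerShell audit script (not part of the original post, and not a FIM CM tool) that verifies the Authorization Agent account's membership in the group and flags OUs whose permissions for the group differ from the original delegation. It assumes the ActiveDirectory module is available and uses a placeholder account name.

```powershell
# Added example: audit the two conditions behind the "value does not fall
# within the expected range" error. Assumes the ActiveDirectory module;
# $agentSam is a placeholder for your own Authorization Agent account.
Import-Module ActiveDirectory

$agentSam  = 'svc-fimcm-agent'                    # placeholder account name
$groupName = 'Pre-Windows 2000 Compatible Access' # well-known BUILTIN group

# 1. Direct membership check (nested membership is not resolved here)
$agent = Get-ADUser -Identity $agentSam -Properties memberOf
$group = Get-ADGroup -Identity $groupName
if ($agent.memberOf -notcontains $group.DistinguishedName) {
    Write-Warning "$agentSam is not a direct member of '$groupName'"
}

# 2. Walk every OU and flag the ones where no Allow entry for the group
#    exists, or where inheritance has been blocked so the delegated
#    permissions no longer flow down from the domain root.
$domainDn = (Get-ADDomain).DistinguishedName
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn | ForEach-Object {
    $ou  = $_
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    $allowAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$groupName"
    }
    if (-not $allowAces) {
        "NO ACE for '$groupName': $($ou.DistinguishedName)"
    } elseif ($acl.AreAccessRulesProtected) {
        "Inheritance blocked (review explicit ACEs): $($ou.DistinguishedName)"
    }
}
```

Any OU the script reports is a candidate for the altered delegation described above; compare its ACL with an OU where enrollment works.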