

After installing v4.4.1642, unable to elevate to PAM Roles

After installing v4.4.1642, we were unable to elevate. Running Get-PAMUsers returned a "not authorized" error. Steps that were taken to resolve the issue:

 On the Sync server, modify the object deletion rule as below – this is done on the Person metaverse person object

  1. Delete the connector space of the CTRL MA
  2. Ran Full Import on the CTRL MA. This step triggers the metaverse deletion rule and then the FIM MA deprovisioning rule. Note: No sync profile was needed here. This action deletes all the users in the metaverse.
  3. Ran Export on FIM MA, deleting all the users in FIM Service except for the Built-In Synchronization service and dte.* accounts
  4. Reverted the change done in step 1
  5. Ran Full Import Full Sync on CTRL MA
  6. Ran Export on FIM MA
  7. Ran Full Import Full Sync on FIM MA
  8. Ran Export on FIM MA
  9. Ran PowerShell script to set each user's ResourceSID in the CtrlPortal
  10. Removed and re-added Users into PAM Roles in the portal.
  11. Corrected DNS entry for ctrlpamportal (one address was correct and one was wrong)
  12. In IIS removed host header for the MIM Privileged Access Management API (was ctrlportal.dte.ic.gov)
  13. Added ctrlpamportal as the host header for MIM Access Management Portal
  14. Changed MIM Access Management Portal App Pool to PamRestApiAppPool
  15. Did iisreset
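
To confirm that steps 11 through 14 took effect after the iisreset, a read-only check along these lines can be run on the portal server. It is an added example, not the script from the original post; it assumes both names are IIS site names on that server, and `<correct-portal-ip>` is a placeholder for the address the post does not give.

```powershell
# Added example: read-only check of the end state of steps 11-14.
# Assumptions: both names below are IIS site names on this server, and
# <correct-portal-ip> is a placeholder for the address the post does not give.
param(
    [string]$HostHeader      = 'ctrlpamportal',
    [string]$PortalSite      = 'MIM Access Management Portal',
    [string]$ApiSite         = 'MIM Privileged Access Management API',
    [string]$ExpectedPool    = 'PamRestApiAppPool',
    [string]$ExpectedAddress = '<correct-portal-ip>'
)
Import-Module WebAdministration

# Host headers currently bound to a site (last field of "ip:port:host").
function Get-HostHeader([string]$Site) {
    Get-WebBinding -Name $Site |
        ForEach-Object { ($_.bindingInformation -split ':')[-1] } |
        Where-Object { $_ }
}

# Step 11: every A record for the portal name must be the expected address,
# so a leftover wrong record fails the check even if a correct one exists.
$addresses = @(Resolve-DnsName -Name $HostHeader -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
$wrong = @($addresses | Where-Object { $_ -ne $ExpectedAddress })

# Steps 12-13: no host header left on the API site; portal site carries the name.
$apiHeaders    = @(Get-HostHeader $ApiSite)
$portalHeaders = @(Get-HostHeader $PortalSite)

# Step 14: application pool assigned to the portal site.
$pool = (Get-Item "IIS:\Sites\$PortalSite").applicationPool

@(
    [pscustomobject]@{ Check = "DNS: all A records for $HostHeader match"
                       Pass  = ($addresses.Count -gt 0 -and $wrong.Count -eq 0)
                       Found = ($addresses -join ', ') }
    [pscustomobject]@{ Check = "IIS: no host header on '$ApiSite'"
                       Pass  = ($apiHeaders.Count -eq 0)
                       Found = ($apiHeaders -join ', ') }
    [pscustomobject]@{ Check = "IIS: '$PortalSite' bound to $HostHeader"
                       Pass  = ($portalHeaders -contains $HostHeader)
                       Found = ($portalHeaders -join ', ') }
    [pscustomobject]@{ Check = "IIS: '$PortalSite' runs in $ExpectedPool"
                       Pass  = ($pool -eq $ExpectedPool)
                       Found = $pool }
) | Format-Table -AutoSize -Wrap
```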