

Identity Manager Troubleshooting : FIM Portal, SharePoint and Logon Name displaying on FIM Portal Site


OVERVIEW

Recently support worked on an issue concerning how a logged-on user's name is displayed in the FIM Portal. This wiki goes through the steps to reproduce the issue and possible workarounds to resolve it. It assumes that you are familiar with working inside the Microsoft Forefront Identity Manager product.

FIM TOPOLOGY

  • Microsoft Forefront Identity Manager 2010 R2 ( FIM 2010 R2 )
  • 2 FIM Portal Servers
    • One hosted on Windows SharePoint Server 3.0 ( WSS 3.0 )
    • One hosted on SharePoint Foundation Server 2010 ( SFS 2010 )

The SharePoint servers are not installed in a SharePoint Farm Configuration, so each server has its own SharePoint Database.

PROBLEM STATEMENT

The display name of the user logged into the FIM Portal would not change, even if the user name in the Active Directory and the FIMService backend SQL Server database changed.

REPRO STEPS

  1. Create a new test user in the Active Directory ( DisplayName Format = FirstName(space)LastName [e.g. John Doefim] )
  2. Synchronize the user to the FIMService Database (FIM Portal) ( How to synchronize users from Active Directory to FIM )
  3. Log into the FIM Portal on the SharePoint Foundation Server as that user
  4. Change the name of the user in the Active Directory ( DisplayName Format = FirstName(space)Part of LastName [e.g. John Doe] )
  5. Synchronize the change to the FIMService Database (FIM Portal)
  6. Log onto the FIM Portal on the WSS 3.0 machine as the test user

Result

  • The name on the SharePoint Foundation Server stays as "John Doefim"
  • The name on the WSS 3.0 server is now "John Doe"

CAUSE

When a user first logs into a SharePoint Server, SharePoint looks in the user cache in the SharePoint database. If it does not find the user who is accessing the site, it adds that user to the database using the current naming values found in the Active Directory. If it does find the user (by objectGuid or objectSID, not sure which), it does not go to the Active Directory to grab the naming attributes, so the name cached at first logon continues to be displayed.

IMPACT

  • Name changes made in the Active Directory will not be reflected on the FIM Portal home page.
  • In a high-availability topology that uses an NLB where SharePoint Services are installed on each node as stand-alone installs, users could end up with different display names, depending on which SharePoint server they happen to access.

POSSIBLE WORKAROUNDS

  • Review the SharePoint PowerShell cmdlets, as there are some that could be utilized to help update this information.
  • Develop an Extensible Management Agent that could use the SharePoint PowerShell cmdlets to update the SharePoint Database so that the new information is reflected in the FIM Portal.
    • If you have more than one SharePoint Server hosting the FIM Portal and they are not configured in a SharePoint Farm Configuration, there will need to be an Extensible Management Agent for each SharePoint Database.
    • Although SharePoint Farm Configurations can be more difficult to configure and maintain, they create a single point of update, rather than multiple places where names need to be updated.
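
One way to apply the cmdlet workaround above, as an added example that is not part of the original wiki or of FIM: it lists portal users whose cached SharePoint name differs from the Active Directory displayName and, with -Apply, refreshes them using Set-SPUser -SyncFromAD. Assumptions: the portal URL is a placeholder, the objectSid is used as the lookup key, users live in the current domain, and the server is the SharePoint Foundation 2010 one (the Microsoft.SharePoint.PowerShell snap-in does not exist on WSS 3.0). Because each stand-alone server has its own database, it must be run on each one.

```powershell
# Added example, not from the original wiki. Run in an elevated SharePoint 2010
# Management Shell on each stand-alone server that hosts the FIM Portal.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-StaleSPDisplayName {
    param([Parameter(Mandatory = $true)][string]$WebUrl)
    foreach ($u in Get-SPUser -Web $WebUrl -Limit All) {
        # Skip domain groups and built-in accounts that carry no user SID.
        if ($u.IsDomainGroup -or [string]::IsNullOrEmpty($u.Sid)) { continue }

        # Assumption: look the account up by objectSid in the current domain.
        $searcher = [adsisearcher]"(&(objectCategory=person)(objectSid=$($u.Sid)))"
        [void]$searcher.PropertiesToLoad.Add('displayName')
        $hit = $searcher.FindOne()
        if (-not $hit) { continue }              # not found in this domain
        $vals = $hit.Properties['displayname']   # result keys are lowercase
        if (-not $vals) { continue }             # account has no displayName

        $adName = [string]$vals[0]
        if ($adName -cne $u.Name) {              # cached name has drifted
            New-Object PSObject -Property @{
                LoginName = $u.LoginName
                Cached    = $u.Name
                Directory = $adName
            }
        }
    }
}

function Sync-StaleSPDisplayName {
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [switch]$Apply                           # without -Apply: report only
    )
    $stale = @(Get-StaleSPDisplayName -WebUrl $WebUrl)
    if ($Apply) {
        foreach ($s in $stale) {
            # -SyncFromAD re-reads the user's information from the directory.
            Set-SPUser -Identity $s.LoginName -Web $WebUrl -SyncFromAD | Out-Null
        }
    }
    $stale
}

# Placeholder URL; replace with the FIM Portal web on this server.
Sync-StaleSPDisplayName -WebUrl 'http://fimportal.example/identitymanagement' |
    Format-Table LoginName, Cached, Directory -AutoSize
```

Run it without -Apply first to see which accounts have drifted on that server, then rerun with -Apply.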