Approvals through email are not processed by FIM
When someone approves or declines a request through Outlook they do not get processed by FIM. My FIMService account gets the mail in its mailbox, but it's never processed and the request will expire unless it's approved manually through the Portal, which works fine. Does anyone have any suggestions or ideas on where I should start with troubleshooting this?
November 30th, 2010 2:14pm
I would look in the FIM event log on the FIM Service server. It's a custom event log, so those events are not listed below "application". If the FIM Service has issues accessing its mailbox it should be listed there.
http://setspn.blogspot.com
November 30th, 2010 2:39pm
Thanks for the reply. I don't see anything in the log unfortunately.
November 30th, 2010 2:56pm
Have you configured the FIM Service to poll for its messages?
Below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService
Value:
PollExchangeEnabled
1 = enabled
http://setspn.blogspot.com
November 30th, 2010 3:24pm
Yes.
November 30th, 2010 3:30pm
Long shot question: does the e-mail address configured in the FIM Service configuration file (program files\fim\2010\FIm Service) match the e-mail address receiving those mails?
If it is, I think I'm out of options, haven't done this myself yet :)
http://setspn.blogspot.com
November 30th, 2010 4:29pm
Yeah it does. Of note, I see this line:
<add key="mailServer" value="https://mailservername.fqdn/ews/exchange.asmx" />
Is that right or should it just be the server name without the "/ews/exchange.asmx"?
Thanks for the replies!
November 30th, 2010 4:40pm
Imo that is correct. The setup appends that part for you.
I must admit that I would expect to see errors in the log. Can you reach https://mailservername.fqdn/... from the fim service server without errors?
http://setspn.blogspot.com
November 30th, 2010 5:28pm
Yeah if I go to https://mailservername.fqdn/ews/exchange.asmx it takes me to the Services.wsdl page with no certificate error. I manually installed the untrusted certificate as detailed in the install guide. The only exception is that in the install guide it says to install the certificate in "Trusted People/Local Computer" but all I see is an option for "Trusted People/Registry". So I ended up installing it just under "Trusted People" and in the "Trusted Root Certificate Authorities". Not sure if that really matters.
On the FIM Service server I cleared the Application log, System log, and Forefront Identity Manager log (under Application and Service Logs) and then tried to do the approval again. The approval email goes to the owner, I click approve, and then it just sits in the FIMService mailbox unread and membership doesn't change. No entries in any of the three logs mentioned above.
December 1st, 2010 9:38am
Josh,
This is the final suggestion I can make on the topic I think.
If I were you I would enable FIM Service tracing. I have enabled it a few times in the past to troubleshoot other items, and as the polling happens every 5 minutes, you will see information being logged about the querying of the mailbox and its items. There might be a clue there.
How to enable FIM Service tracing:
http://setspn.blogspot.com/2010/06/fim-2010-enable-advanced-error-logging.html
As a sidenote, don't read the svclog file using notepad, use the traceviewer! An example is here:
http://setspn.blogspot.com/2010/09/fim-2010-sspr-client-extension-advanced.html
Regards,
Thomas
http://setspn.blogspot.com
December 1st, 2010 5:33pm
Wow I feel dumb. After enabling the tracing as you suggested I restarted the Forefront Identity Manager Service service and it started processing the emails as normal. I undid the tracing settings, restarted the service again, and it works fine now. I guess all it really needed was a restart...
Thanks for all your help with this.
December 2nd, 2010 9:28am