Unauthorized User error while registering user in SSPR

Unanswered

  • Thursday, January 03, 2013 12:29 PM

    I'm trying to set-up the SSPR registration portal in FIM 2010 R2 but when testing I'm receiving this error:

    Unauthorized User
    You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)

    Details:
    Details:
    Title: Unauthorized User
    Message: You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)
    Source:
    Attributes:
    Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Exception of type 'Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException' was thrown.
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    CorrelationId:
    RequestId:
    ErrorCode: 3004
    CaughtTime: 01/03/2013 07:03:39

    Web Portal: FIM Password Registration Portal


    EventData

    The error page was displayed to the user. Details: Title: Unauthorized User Message: You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004) Source: Attributes: Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Exception of type 'Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException' was thrown. at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration() at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) CorrelationId: RequestId: ErrorCode: 3004 CaughtTime: 01/03/2013 07:03:39 Web Portal: FIM Password Registration Portal Session Id: xnohriykefcvu545mzwga445 IP Address: 

    The FIM Service and Sync service are running on two separate servers and I'm trying to install the reset/registration portals on a third server. Users are syncing from an SQL database to AD via FIM with no problems. All the MPRs suggested in the deployment guide are enabled.

    But I found a difference: when I am logging into the browser with a user like united\<Username>, the domain name is united. But in the FIM portal, the domain name is like US\<username>.

    Will it create the problem for registration? Any help would be really appreciated.

All Replies

  • Thursday, January 03, 2013 2:51 PM
    Not sure I completely understand your situation, but have you checked that the users are in the "Password Reset Users Set" and can log into the portal OK?
  • Thursday, January 03, 2013 4:52 PM

    The domain names *must* match exactly.  If a user's Windows identity is NET1\jsmith then there must also exist a FIM user with domain=NET1, accountName=jsmith, objectSid=<NET1\jsmith's SID> for any of the password functions to work properly.

    Of particular note, when you attempt to reset a password, behind the scenes the FIM Sync Service searches AD (not just the connector spaces) by domain name and user ID to verify the target account.


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM
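
An added check, not part of this thread or of FIM itself, that an administrator could run on the FIM Service host to confirm the three values above (domain, accountName, objectSid) line up for one identity, and to surface a NETBIOS name or trust problem, since the SID lookup fails when the domain cannot be resolved from that host. It assumes the FIMAutomation snap-in's Export-FIMConfig cmdlet, a Person resource carrying Domain, AccountName and ObjectSID attributes (ObjectSID assumed to export base64-encoded), and the service URI and identity are placeholders.

```powershell
# Added example: verify that a Windows identity (DOMAIN\user) matches the FIM Person
# record on domain, accountName and objectSid, as SSPR requires. Assumes the
# FIMAutomation snap-in on the FIM Service host; URI and identity are placeholders.
param(
    [string]$Identity = 'NET1\jsmith',   # Windows logon identity to check
    [string]$FimUri   = 'http://fimservice:5725/ResourceManagementService'
)
Add-PSSnapin FIMAutomation -ErrorAction Stop
$domain, $user = $Identity -split '\\', 2

# 1. Resolve the account through Windows/AD. This fails if the NETBIOS name is
#    wrong or there is no usable trust to that domain from this host.
try {
    $adSid = ([System.Security.Principal.NTAccount]$Identity).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Cannot resolve $Identity from this host: $($_.Exception.Message)"
    Write-Warning "Check the NETBIOS domain name and the trust with '$domain'."
    return
}

# 2. Pull the matching FIM Person(s) by AccountName and Domain (exact match).
$xpath  = "/Person[AccountName='$user' and Domain='$domain']"
$export = Export-FIMConfig -Uri $FimUri -OnlyBaseResources -CustomConfig $xpath
if (-not $export) {
    Write-Warning "No FIM Person with Domain='$domain' and AccountName='$user'."
    Write-Warning "SSPR registration needs an exact domain/accountName match."
    return
}

foreach ($obj in $export) {
    $attrs = @{}
    foreach ($a in $obj.ResourceManagementObject.ResourceManagementAttributes) {
        $attrs[$a.AttributeName] = $a.Value
    }
    # Assumption: ObjectSID is binary in FIM and exported as a base64 string.
    $fimSid = if ($attrs['ObjectSID']) {
        $bytes = [Convert]::FromBase64String($attrs['ObjectSID'])
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    } else { '<missing>' }
    [pscustomobject]@{
        Identity   = $Identity
        ADSid      = $adSid
        FimDomain  = $attrs['Domain']
        FimAccount = $attrs['AccountName']
        FimSid     = $fimSid
        SidMatches = ($fimSid -eq $adSid)   # must be $true for SSPR to work
    }
}
```

A row with SidMatches = $false, or a '<missing>' FimSid, points at the inbound sync rule for objectSid rather than at the MPRs.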

  • Thursday, January 03, 2013 5:40 PM

    Hi

    Seems like this is the Management Policy Rule that is stopping the user from registration.

    Have you enabled the correct MPRs and Sets as per the article below?

    http://technet.microsoft.com/en-us/library/ee534892(v=ws.10).aspx

    Also please make sure the FIM portal users have ObjectSIDs imported from AD; that means you should have an import Synchronization Rule from AD to FIM importing ObjectSIDs to ObjectSid.

    Cheers

  • Friday, January 04, 2013 1:19 PM

    Hi,

    Thank you for your quick reply. I have two ADs (AD1 & AD2). Users from AD1 are able to register/reset their passwords. Similarly, AD2 is configured and ObjectSid is imported into FIM.

    So the set of MPRs configured is working fine because the users from AD1 are able to register in SSPR.

    Now the domain name and Windows identity are also the same and exist in FIM. Still I am getting the same error.
    Could you please suggest.

  • Friday, January 04, 2013 2:39 PM

    The logon user is able to access the FIM portal and the user exists in the "Password reset user set".

    The SVC-FIM user exists in AD1 and is used for the FIM portal admin service account. So will it create a problem? Do I need to
    create any user in AD2 and make them a FIM administrator?

  • Saturday, January 05, 2013 7:33 AM

    Praveena,

    You said you have 2 ADs, AD1 and AD2... so it sounds like users from AD1 work but users from AD2 don't? If this is the case, is there a trust between AD2 and the domain where FIM is installed (presumably AD1)?

    Assuming there is a trust, make sure the domain name for the users in AD2 is being populated with the correct AD NETBIOS domain name in the portal. SSPR does actually go to AD and validate the user first.

  • Sunday, January 06, 2013 5:46 PM

    Hi Glenn,

    Your assumption is correct: my FIM is installed in AD1 and also the NETBIOS domain name is the same as the AD2 domain.

    But how can we verify that the trust is established successfully between the two domains (the FIM installed domain (here it is not AD1) and AD2)? Could you please suggest.

    Regards,

    praveena

  • Monday, January 07, 2013 9:16 AM

    Hi Praveena

    As you say that the users from AD1 and AD2 are able to log on successfully to the FIM Portal, I assume you have the right configuration.

    All you need to see is the Event Logs; they always provide information. You need to look at the following Event Logs:

    Windows Logs -> Application

    Windows Logs -> System

    Applications and Services Log -> Forefront Identity Manager

    Sometimes two or three subsequent logs are related to each other.

  • Monday, January 07, 2013 12:18 PM

    Hi Furqan,

    No application or system log is generated after the event occurs.

    There is an Applications and Services Log, and I posted it in my initial request.

    Regards,

    Praveena B

  • Monday, January 07, 2013 3:19 PM

    Hi all,

    When I was trying different possibilities in SSPR, the existing setup also stopped working: AD1 users are also not able to access the registration portal. I am getting the below error in the event logs:

    The error page was displayed to the user.
    Details:
    Title: Error
    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
    Source:
    Attributes:
    Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    CorrelationId:
    RequestId:
    ErrorCode: 3000
    CaughtTime: 01/07/2013 08:23:31

    Web Portal: FIM Password Registration Portal
    Session Id:
    IP Address:

    And in the SSPR console I am getting the error:

    Error

    Loading ...

    An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

    Please help me. I have been badly stuck with this for the past one week.