Answered Enforce Password History FIM 2010 R2

  • Friday, August 17, 2012 3:40 PM

    Hello all,

    I'm having issues trying to make FIM 2010 R2 validate the Enforce Password History policy. All the DCs have this enforcement because they run W2008R2 SP1, and FIM gets it with the upgrade to R2.

    I have a scenario with different domains, so I've configured one MA per domain and added the registry keys and required parameters:
    Parameters\PerMAInstance\Domain1 ADMA
        ADMAEnforcePasswordPolicy (REG_DWORD, value 1 hex)
    Parameters\PerMAInstance\Domain2 ADMA
        ADMAEnforcePasswordPolicy (REG_DWORD, value 1 hex)
    ...
    One registry key per domain, and I've restarted the FIM services.

    These changes were made to apply the policy, but it only works on two domains; I have two others that don't apply it, and for this reason I set the value "1" in the registry to "0" to remove the enforcement.

    One shows the error: The password does not comply with your organization's password policy.
    It then lets me provide another one, but doesn't accept any new password.
    In Event Viewer it shows:

    PWReset Activity's MIIS Password Set call failed because of a policy violation.
    The web portal received a fault error from the FIM service. Details: Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken) Web Portal: FIM Password Reset Portal Session Id: 1ydljtrpp3e5xy55jpaqya45 IP Address:

    The second one shows the error:
    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
    Source:
    Attributes:
    Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
    at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
    at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
    at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
    at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    CorrelationId:
    RequestId:
    ErrorCode: 3000

    I'll appreciate any help on this,

    Regards

All Replies

  • Sunday, August 19, 2012 3:14 PM
    You need to look at the error from FIMService and understand why PWUnrecoverableError is returned.

    The FIM Password Reset Blog http://blogs.technet.com/aho/

  • Monday, August 20, 2012 10:40 PM
     Answered

    Thanks Anthony, it's now solved:

    Reviewing the Event Viewer, I found a previous error: Password Reset Activity could not find Mv record for user.

    So I double-checked that the user was in the FIM Portal and in the MV, and also reviewed the permissions of the "FIM AD Sync" account in AD; some parameters were pending, so I validated:

    At the OU root, FIM AD Sync should have:

    - Replicating Directory Changes
    - Read domain password & lockout policies
    - Read other domain parameters (for use by...)

    At the users OU, FIM AD Sync should have these special permissions:

    - Change Password
    - Reset Password
    - Read userAccountControl
    - Write userAccountControl
    - Read lockoutTime
    - Write lockoutTime
    - List Contents
    - Read all properties
    - Read permissions

    Also validate that the user accounts get the OU permissions by reviewing the “Include inheritable permissions from this object's parent” setting on them.

    Regards,
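An added audit script (not from the thread, and not Microsoft's code) that checks, for one users OU, which of the rights listed in the answer above the FIM AD Sync account actually holds, and which user objects block inheritance so the OU grants never reach them. The account name, the OU distinguished name and the availability of the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added audit script, not from the thread. Assumes the ActiveDirectory module;
# $SyncAccount and $UserOu are placeholders to replace with your own values.
Import-Module ActiveDirectory
$SyncAccount = 'CONTOSO\FIM AD Sync'          # placeholder
$UserOu      = 'OU=Users,DC=contoso,DC=com'   # placeholder
$rootDse     = Get-ADRootDSE

# Resolve control-access-right and attribute GUIDs from the forest instead of hard-coding them.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
function Get-AttributeGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

# The rights the accepted answer lists for the users OU.
$wanted = @(
    @{ Name = 'Change Password';          Guid = Get-ExtendedRightGuid 'Change Password'; Right = 'ExtendedRight' }
    @{ Name = 'Reset Password';           Guid = Get-ExtendedRightGuid 'Reset Password';  Right = 'ExtendedRight' }
    @{ Name = 'Read userAccountControl';  Guid = Get-AttributeGuid 'userAccountControl';  Right = 'ReadProperty'  }
    @{ Name = 'Write userAccountControl'; Guid = Get-AttributeGuid 'userAccountControl';  Right = 'WriteProperty' }
    @{ Name = 'Read lockoutTime';         Guid = Get-AttributeGuid 'lockoutTime';         Right = 'ReadProperty'  }
    @{ Name = 'Write lockoutTime';        Guid = Get-AttributeGuid 'lockoutTime';         Right = 'WriteProperty' }
)

# Allow ACEs on the OU that name the sync account.
$aces = (Get-Acl -Path "AD:\$UserOu").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $SyncAccount
}

foreach ($w in $wanted) {
    $need = [System.DirectoryServices.ActiveDirectoryRights]($w.Right)
    # Granted if an ACE carries the right for this exact GUID, or for all objects/properties (empty GUID).
    $hit = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($need) -and
        ($_.ObjectType -eq $w.Guid -or $_.ObjectType -eq [guid]::Empty)
    }
    '{0,-26} {1}' -f $w.Name, $(if ($hit) { 'GRANTED' } else { 'MISSING' })
}

# Users with a protected ACL never receive the OU grants, whatever the OU ACEs say.
Get-ADUser -SearchBase $UserOu -Filter * | ForEach-Object {
    if ((Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected) {
        "Inheritance blocked on $($_.SamAccountName)"
    }
}
```

Run it as an account that can read the OU's security descriptor; a MISSING line points at a right to grant on the OU, and an "Inheritance blocked" line at a user object whose ACL needs inheritance re-enabled.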