FIM 2010 R2 Registration Portal (Error 3001) - Access Denied

    Question

  • I am getting the following error when connecting to the FIM Password Registration Portal:

    Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)

    Error log shows:

    Access Denied
    Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)
    Go to Self-Service Password Reset home page
    Reason:
    The supplied request content violates system rules.
    Correlation Id:
    a95d50ee-ece1-4f82-b92c-edccdb0075f2
    Request Id:
    c6884324-7de6-48cb-b634-077d8a95252c
    Details:
    The Request contains changes that violate system constraints.

    I enabled a server-side trace (Microsoft.ResourceManagement.Service.exe.config), which shows, apart from other data:

    Permission is denied: IsRegistering=False, IsLockedOut=False, IsRegistered=False

    The account is a valid and active account and is also included in the "Password Reset User Set".

    I know that there are posts with a similar issue in this forum, but I didn't find a definite resolution to this issue.

    Regards,

    Reshma


    • Edited by Reshma_Mistry Saturday, April 6, 2013 4:51 PM
    Saturday, April 6, 2013 4:47 PM

All replies

  • Hello Reshma,

    It could be an SPN error, so make sure you have the following:

    To establish the SPNs for the FIM Service

      • Establish the SPNs for the FIM Service by running the following command:

        • setspn -S FIMService/<alias> <domain>\<serviceaccount>
        • The <alias> above is the address that is entered during FIM Service setup and used by the clients and the FIM Portal to contact the Web Service. This can be a CNAME or host (A) resource record in DNS. If you are using Network Load Balancing (NLB), this is the name of the cluster. 
        • The <serviceaccount> above is the account that is used by the FIM Service.
        • If you are using several different names—for instance, fully qualified domain names (FQDNs) and NetBIOS names—to contact the server, repeat the steps for every name.
      • Turn on Kerberos delegation for the FIM Service service account in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.

    For the FIM Portal server, complete the steps in the next procedure.

    • If the address that the clients use to contact the FIM Portal is not the same as the server address, you have to establish an SPN for HTTP. That is, if you use a CNAME resource record in DNS, have a SharePoint farm, or use NLB, this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:

      setspn -S HTTP/<FIMPortalAlias> <domain>\<sharepointserviceaccount>

      • The <FIMPortalAlias> is the address that clients use to contact the FIM Portal server.
      • The <domain>\<sharepointserviceaccount> is the account that the SharePoint Application Pool uses, as defined in IIS.
      • If you are using several different names, that is, FQDN and NetBIOS names, to contact the server, repeat the steps for every name.
    • The SharePoint service account must be allowed to delegate to the FIM Service. You can choose to enable delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the selected services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the FIM Service step.

    Regards, John Atick

    • Proposed as answer by John Atick Saturday, April 6, 2013 8:50 PM
    Saturday, April 6, 2013 8:49 PM
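    The SPN and delegation prerequisites listed in the reply above, turned into a check script. This is an added example, not code from the thread or from the FIM product: it assumes the ActiveDirectory (RSAT) module and setspn.exe are available, and the account names and the FIM Service alias are placeholders (the two portal host names are the ones mentioned in this thread).

    ```powershell
    # Added example, not from this thread: verify the SPN and delegation prerequisites
    # that the reply above lists. Account and alias names are placeholders; substitute
    # your own. Needs the ActiveDirectory (RSAT) module and setspn.exe, run as a domain
    # user who can read the service accounts.
    Import-Module ActiveDirectory

    $FimServiceAccount    = 'FIMService'                 # placeholder sAMAccountName
    $PortalAppPoolAccount = 'FIMPassword'                # SharePoint app-pool account (from thread)
    $FimServiceAlias      = 'fimservice.fim.test.com'    # placeholder <alias> from FIM Service setup
    $PortalAliases        = @('passwordreset.fim.test.com', 'passwordregistration.fim.test.com')

    $expected = @{
        $FimServiceAccount    = @("FIMService/$FimServiceAlias")
        $PortalAppPoolAccount = @($PortalAliases | ForEach-Object { "HTTP/$_" })
    }

    foreach ($account in $expected.Keys) {
        $user = Get-ADUser -Identity $account -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

        # 1. Every expected SPN must sit on the right account, and on no other object:
        #    a duplicate SPN breaks Kerberos ticket issuance for that service.
        foreach ($spn in $expected[$account]) {
            if ($user.servicePrincipalName -contains $spn) {
                Write-Host "OK        $spn is registered on $account"
            } else {
                Write-Warning "MISSING   $spn is not on $account (setspn -S $spn <domain>\$account)"
            }
            # setspn -Q prints the DN of every object that holds the SPN.
            $owners = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' }).Count
            if ($owners -gt 1) { Write-Warning "DUPLICATE $spn is held by $owners objects (run setspn -X)" }
        }

        # 2. The app-pool account must be able to delegate to the FIM Service: either the
        #    constrained list (msDS-AllowedToDelegateTo) names the FIM Service SPN, or the
        #    account is trusted for any service (unconstrained, which the reply discourages).
        if ($account -eq $PortalAppPoolAccount) {
            $allowed = @($user.'msDS-AllowedToDelegateTo')
            if ($allowed -contains "FIMService/$FimServiceAlias") {
                Write-Host "OK        $account is constrained-delegated to FIMService/$FimServiceAlias"
            } elseif ($user.TrustedForDelegation) {
                Write-Warning "$account uses unconstrained delegation; constrained is recommended"
            } else {
                Write-Warning "$account cannot delegate to FIMService/$FimServiceAlias"
            }
        }
    }
    ```

    A MISSING or DUPLICATE line points at the SPN step to repeat; a delegation warning points at the AD DS delegation tab for the app-pool account.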
  • Hi John,

    Thanks for the response. I have already set the SPN as specified in the setup guide.

    i.e. HTTP/passwordreset.fim.test.com
         HTTP/passwordregistration.fim.test.com
    for the FIMPassword account.

    Is there any way I can troubleshoot to find out if it's an SPN issue?

    Regards,
    Reshma

    Monday, April 8, 2013 12:37 PM
  • disable Windows Auth, enable Basic Auth

    if that fixes your problem, then it's Kerberos... otherwise it's something else


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Tuesday, April 9, 2013 3:25 AM
  • btw, have you looked at http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/51054fd1-8949-4b1c-af6c-127ce554ede5 ?

    Looks like it's the same issue


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Tuesday, April 9, 2013 3:26 AM