Recently I worked an issue involving the FIM 2010 Self-Service Password Reset (SSPR) product. It took me a bit of time to locate the problem, and we had to check several things before we were able to resolve the issue. We were receiving “An error was encountered. Please call helpdesk or your system administrator for further assistance.”
When troubleshooting an SSPR issue, I always start with the Password Reset Deployment Guide. I go through each of the sections in there to ensure that I have the needed MPRs enabled, DCOM and WMI security set, etc.
Once we went through the Password Reset Deployment Guide, we validated the settings for the resourceManagementServiceBaseAddress and the externalHostName attributes in the %programfiles%\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.Exe.Config file.
These settings need to be the name of the machine where the FIM Service is installed. You can view these settings through the following steps:
In the issue that I was working, we had something similar to what is documented below.
<resourceManagementClient resourceManagementServiceBaseAddress="http://machinename/" />
<resourceManagementClient resourceManagementServiceBaseAddress="machine name only" />
<resourceManagementService externalHostName="machine name only"/>
Now that we have validated the FIM Service Configuration File, we then checked the web.config file under C:\Inetpub\wwwroot\wss\VirtualDirectories\80. The goal here is to confirm that the resourceManagementServiceBaseAddress is correct. It should be http://machinename:5725/, which is the FIM Service.
In the issue that I was working, we found that the resourceManagementServiceBaseAddress contained an additional http:// at the beginning of the http://machinename:5725/.
<resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />
<resourceManagementClient resourceManagementServiceBaseAddress="http://machinename:5725/" timeoutInMilliseconds="60000" />
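The check described above can be scripted. The following is an added example, not part of the original post or of FIM itself: the function name Test-FimBaseAddress and the two inline XML fragments are constructed for illustration, using the attribute values shown above.

```powershell
# Added example: flag a malformed resourceManagementServiceBaseAddress in portal web.config XML.
# Test-FimBaseAddress is a hypothetical helper name; the samples below are constructed.
function Test-FimBaseAddress {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigXml,
        [int]$ExpectedPort = 5725   # FIM Service port given in the post
    )
    $doc   = [xml]$ConfigXml
    $nodes = $doc.SelectNodes('//resourceManagementClient')
    if ($nodes.Count -eq 0) {
        'no resourceManagementClient element found'
        return
    }
    foreach ($node in $nodes) {
        $value = $node.GetAttribute('resourceManagementServiceBaseAddress')
        $uri   = $null
        if (-not [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
            "'{0}' is not an absolute URI" -f $value
            continue
        }
        # A doubled scheme still parses, but the host becomes the literal word "http".
        if (@('http', 'https') -contains $uri.Host) {
            "'{0}' has host '{1}', so the scheme is doubled" -f $value, $uri.Host
        }
        if ($uri.Scheme -ne 'http') {
            "'{0}' uses scheme '{1}', expected http" -f $value, $uri.Scheme
        }
        if ($uri.Port -ne $ExpectedPort) {
            "'{0}' resolves to port {1}, expected {2}" -f $value, $uri.Port, $ExpectedPort
        }
        if ($uri.AbsolutePath -ne '/') {
            "'{0}' has unexpected path '{1}'" -f $value, $uri.AbsolutePath
        }
    }
}

# Constructed samples: the broken and the corrected element from the post.
$samples = @{
    broken = '<configuration><resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" /></configuration>'
    fixed  = '<configuration><resourceManagementClient resourceManagementServiceBaseAddress="http://machinename:5725/" timeoutInMilliseconds="60000" /></configuration>'
}
foreach ($name in 'broken', 'fixed') {
    $found = @(Test-FimBaseAddress -ConfigXml $samples[$name])
    '{0}: {1} problem(s)' -f $name, $found.Count
    $found | ForEach-Object { "  $_" }
}
```

To run it against a live portal, pass the file contents instead of a sample, for example `Test-FimBaseAddress -ConfigXml (Get-Content 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config' | Out-String)`.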
We then pressed on to confirm Anonymous Authentication in SharePoint Central Administration. This should be checked to allow people to reset their passwords. In the issue that I was working, this was not enabled.
Since we were experiencing problems with the Password Reset Client, we investigated the SiteLock key. In the issue, we were using a DNS Alias to access the FIM Portal. I was able to spot the DNS Alias in the SiteLock key, but not the machine name. We added the machine name to the SiteLock.
We were still receiving the following error message in the Forefront Identity Manager Event Log.
System.ServiceModel: System.ServiceModel.CommunicationObjectFaultedException: The communication object, Microsoft.ResourceManagement.Workflow.Hosting.ResourceManagementWorkflowServiceHost, cannot be used for communication because it is in the Faulted state.
at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.CloseServiceHosts(IList`1 workflowServiceHosts)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.UpdateServiceHosts(Object source, ElapsedEventArgs e)
We then checked Internet Information Server (IIS) to see how the authentication settings were set. In checking these settings, we noticed that we had the Enable Kernel-mode authentication check box checked. We cleared this check box and restarted the Password Reset Client Service. The Password Reset client began to work.