FIM 2010 R2 - SSPR policy enforcement prevents all passwords

  • Question

  • I have deployed FIM 2010 R2 for a client, who requires a minimum password length enforced in order to prevent sync issues with Live@edu. However, no matter what the policy is set to - or where - all passwords set in the reset portal are rejected. I have attempted with the policy undefined at all levels, minimally defined at the OU level, fully defined at the domain level, all with little effect.

    I have ensured all the requirements of KB2443871 have been met; there is a root CA and DC certificate in place, and the root CA cert has been added to the trusted certs on the FIM sync server. The PDC has been updated and has the PDC Emulator FSMO role. LDP.exe can connect properly over SSL and the OID is visible. SSPR works properly without ADMAEnforcePasswordPolicy set to 1.

    After failures, the event log on the FIM service/portal server shows:

    Error: PWReset Activity's MIIS Password Set call failed because of a policy violation.

    Error: The web portal received a fault error from the FIM service.
    Details:
    Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
       at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
    Web Portal: FIM Password Reset Portal
    Session Id: [snip]
    IP Address: 10.x.x.xx

    Any help would be greatly appreciated. I'd like to avoid a pricy call to Microsoft support. Thanks!

    James J.

    Flashpoint CS, LLC



    Friday, August 10, 2012 7:56 PM

All replies

  • Are there any error messages on the FIM Sync Service host, and/or just prior to this one from the FIM Service?  The one above (from the FIM Service / client tier) isn't informative.

    You might try independently testing that your PDC really, really does support the server-side LDAP control for checking password policy during reset.

    Friday, August 10, 2012 10:09 PM
  • I didn't see anything informative (or really anything at all, and logging is already level 3) on the FIM sync service host. As for checking the LDAP control, I did verify it's available; I don't know of a better way to test it at the moment. It works with AD clients. Any suggestions?

    Saturday, August 11, 2012 4:14 AM
  • I just tested this and it worked...  What do your registry settings look like?  KB2443871 doesn't appear to recommend any particular datatype for the registry value, although dword and string seemed to proceed with no ill effects.

    AD clients don't use LDAP(S) for password reset--it is doable with LDP, although the effort to do so is perhaps a bit steep.

    Monday, August 13, 2012 9:04 PM
  • I had the same problem. The fix that worked for me was to go into the Sync Service, edit Properties for the AD MA, Configure Directory Partitions and tell it to use the PDC as the "preferred domain controller".

    HTH

    • Proposed as answer by GlenMunro Tuesday, September 10, 2013 9:10 PM
    Friday, October 5, 2012 4:15 PM
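The two threads of advice above (independently confirm that the PDC emulator advertises the password-policy LDAP control over LDAPS, and make sure the AD MA actually talks to the PDC) can be pre-checked from the FIM Sync host with the script below. It is an added example, not code from the thread or from Microsoft; it assumes the control OIDs are the documented LDAP_SERVER_POLICY_HINTS OIDs (the thread never names the OID) and that ADMAEnforcePasswordPolicy lives under the FIMSynchronizationService\Parameters key, which the thread also does not state.

```powershell
# Added example: pre-flight checks for FIM 2010 R2 SSPR policy enforcement (not from the thread).
# Assumptions: $RegistryPath is where ADMAEnforcePasswordPolicy is expected (thread names only the value),
# and the OIDs below are the documented policy-hints LDAP controls a hotfixed DC advertises.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'  # assumed
)

$PolicyHintsOids = @{
    '1.2.840.113556.1.4.2239' = 'LDAP_SERVER_POLICY_HINTS_OID'
    '1.2.840.113556.1.4.2066' = 'LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID'
}

# 1. Locate the PDC emulator. Policy-enforced resets must go through it, which is why the
#    accepted fix pins the AD MA's preferred domain controller to the PDC.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).PdcRoleOwner.Name
Write-Host "PDC emulator: $pdc"

# 2. Bind to rootDSE over LDAPS (636). A failure here points at the DC certificate or the
#    root CA not being trusted on this host, i.e. the KB2443871 certificate prerequisites.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($pdc, 636, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()   # current Windows credentials (Negotiate)

$req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', @('supportedControl'))
$resp = $conn.SendRequest($req)
$supported = @($resp.Entries[0].Attributes['supportedControl'].GetValues([string]))

# 3. Does the PDC advertise the policy-hints control at all? Without it the DC cannot
#    evaluate domain/fine-grained password policy on a reset and every reset is rejected.
$found = @($PolicyHintsOids.Keys | Where-Object { $supported -contains $_ })
if ($found.Count -gt 0) {
    foreach ($oid in $found) { Write-Host "OK: $oid ($($PolicyHintsOids[$oid])) advertised by $pdc" }
} else {
    Write-Warning "No policy-hints control OID in supportedControl on $pdc; DC-side prerequisites of KB2443871 are missing"
}

# 4. Confirm the FIM Sync switch that turns enforcement on, and what type it was created as
#    (the thread notes both DWORD and string appeared to work).
$val = (Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue).ADMAEnforcePasswordPolicy
if ($null -eq $val) { Write-Warning "ADMAEnforcePasswordPolicy not set under $RegistryPath" }
else                { Write-Host "ADMAEnforcePasswordPolicy = $val (type: $($val.GetType().Name))" }
```

Run it under an account that can bind to the DC; if step 2 fails with a certificate error, compare against the LDP.exe SSL test from the original question before touching the MA configuration.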