password reset process through SSPR

  • Question

  • Our AD GPO stipulates users can reset password every 3 days only and cannot reuse last 25 passwords.

    I was able to circumvent these 2 policies through SSPR, but it did stop a user from creating a password that does not meet the minimum length.

    Found these articles: http://setspn.blogspot.com/2010/11/fim-2010-sspr-enforces-password-history.html and

    http://setspn.blogspot.com/2010/12/fim-sspr-password-history-enforcement.html

    we have FIM sync, FIM service and Portal v 4.1.3114.0 2010 R2

    I have checked with the AD domain admin about hotfixes KB2386717 and KB2443871; they do not apply to our PDC, since we already have newer ones installed.

    I checked on KB2417774, which is for FIM 2010; we have a newer version on that front also.

    The patch below, KB2417774_Rev5, is for an old version. Is there one for our build? Please help.

    Forefront Identity Manager 2010 All (Global) x64 KB2417774_Rev5 nosp 2010 4.0.3573.2 145742679 2/12/2011 12:20:46 AM

    Wednesday, June 5, 2013 11:08 PM

All replies

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters\PerMAInstance\(AD MA inst)

    I do not see ADMAEnforcePasswordPolicy nor PerMAInstance

    Can someone explain why that is?

    Thursday, June 6, 2013 6:40 PM
  • Hi,

    You have to create the items in your registry manually, as this is disabled by default. Please do the following:

    1. Open regedit and navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters"
    2. Right click on Parameters and create New "Key"
    3. Name the new key PerMAInstance
    4. Right click on PerMAInstance and create New "Key"
    5. Name the new key the exact name of your Active Directory Management Agent
    6. Do step 4 & 5 again if you deploy SSPR-password management to different Active Directory Management Agents
    7. Right click on the Active Directory Management Agent name and create New "DWORD (32-bit) value"
    8. Rename the DWORD to ADMAEnforcePasswordPolicy
    9. Change the ADMAEnforcePasswordPolicy Hex value to 1
    10. Confirm that you have enabled password management for the Active Directory Management Agent
    11. Have you configured LDAP over SSL connections between the FIM Synchronization Service and the PDC Emulator role as per http://support.microsoft.com/KB/2443871?
    12. Restart the FIM Synchronization Server.


    Regards Andre van der Westhuizen

    Friday, June 7, 2013 5:45 AM
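    The registry steps in the reply above, scripted as an added example (not code from the thread, from FIM, or from Microsoft). It assumes an elevated PowerShell session on the FIM Synchronization Service host; the management agent name "AD MA" used in the usage lines is a placeholder for whatever your AD MA is actually called (step 5 requires the exact name). The Get- function is a read-only check you can run first to see why the key "is not there": it reports whether PerMAInstance, the MA key and the DWORD exist at all.

    ```powershell
    # Added example: check and create the ADMAEnforcePasswordPolicy flag described in the reply.
    # Assumptions (not from the thread): run elevated on the FIM Synchronization Service host;
    # "AD MA" below is a placeholder for your Active Directory Management Agent's exact name.

    $FimParameters = 'HKLM:\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters'

    function Get-FimAdmaPasswordPolicyEnforcement {
        # Read-only: reports the current state without changing anything.
        param([Parameter(Mandatory)][string]$ManagementAgentName)

        $maKey = Join-Path (Join-Path $FimParameters 'PerMAInstance') $ManagementAgentName
        $value = $null
        if (Test-Path $maKey) {
            $value = (Get-ItemProperty -Path $maKey -Name 'ADMAEnforcePasswordPolicy' `
                          -ErrorAction SilentlyContinue).ADMAEnforcePasswordPolicy
        }
        [pscustomobject]@{
            ManagementAgent      = $ManagementAgentName
            PerMAInstancePresent = Test-Path (Join-Path $FimParameters 'PerMAInstance')
            MaKeyPresent         = Test-Path $maKey
            ValuePresent         = ($null -ne $value)
            Enforced             = ($value -eq 1)   # step 9: DWORD 1 turns enforcement on
        }
    }

    function Set-FimAdmaPasswordPolicyEnforcement {
        # Steps 2-9 and 12 of the reply, done idempotently (safe to re-run).
        param(
            [Parameter(Mandatory)][string]$ManagementAgentName,
            [switch]$RestartService
        )

        $maKey = Join-Path (Join-Path $FimParameters 'PerMAInstance') $ManagementAgentName
        if (-not (Test-Path $maKey)) {
            # -Force creates the missing PerMAInstance parent as well as the MA key (steps 2-5).
            New-Item -Path $maKey -Force | Out-Null
        }
        # Steps 7-9: a DWORD (32-bit) named ADMAEnforcePasswordPolicy with value 1.
        New-ItemProperty -Path $maKey -Name 'ADMAEnforcePasswordPolicy' `
            -PropertyType DWord -Value 1 -Force | Out-Null

        if ($RestartService) {
            # Step 12: the Sync Service only reads PerMAInstance settings at start-up.
            Restart-Service -Name 'FIMSynchronizationService'
        }
        Get-FimAdmaPasswordPolicyEnforcement -ManagementAgentName $ManagementAgentName
    }

    # Usage (placeholder MA name):
    # Get-FimAdmaPasswordPolicyEnforcement -ManagementAgentName 'AD MA'
    # Set-FimAdmaPasswordPolicyEnforcement -ManagementAgentName 'AD MA' -RestartService
    ```

    Repeat the Set- call once per Active Directory Management Agent that has SSPR password management enabled (step 6). Steps 10 and 11 (password management enabled on the MA, LDAP over SSL to the PDC Emulator) are not registry settings and are not covered by this script.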
  • Yes I did that, but noticed that once I change the ADMAEnforcePasswordPolicy Hex value to 1, it stops the user from resetting the password altogether.
    Friday, June 7, 2013 10:41 PM
  • This will only enforce the AD Password Policy. What error do the users get when they try to reset their passwords?

    Regards Andre van der Westhuizen


    Monday, June 10, 2013 2:53 AM
  • On the SSPR password reset page it displays:

    “The password you entered does not comply with the security policy. Please choose a new password or check with your system administrator for details on the password policy requirements”.

    I tried giving a password that meets the policy; it still did not allow the reset to happen.

    Monday, June 10, 2013 4:13 PM
  • I tested the LDAP SSL connection by using Ldp.exe; I got the rootDSE information with a successful connection.
    Monday, June 10, 2013 5:43 PM
  • As per http://setspn.blogspot.com.au/2010/12/fim-sspr-password-history-enforcement.html, check your password policy to make sure the minimum password age is not set to 0. Also try to reset the password without SSPR, using the same password that you used when you tried to reset it with SSPR.


    Regards Andre van der Westhuizen

    Wednesday, June 12, 2013 3:58 AM
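    The policy check suggested in the reply above, as an added example (not from the thread or from Microsoft). It assumes the RSAT ActiveDirectory PowerShell module is available on the machine it runs on. It reads the default domain password policy, or the resultant fine-grained policy for a specific user when a sAMAccountName is given (a fine-grained policy can differ from the domain default and is what actually applies to that user), and reports the three settings this thread is about: minimum password age, password history length, and minimum length. The expected history count of 25 comes from the original question; treat it as a parameter for your own environment.

    ```powershell
    # Added example: report the effective AD password policy and flag the conditions raised in
    # this thread. Assumes the RSAT ActiveDirectory module (Get-ADDefaultDomainPasswordPolicy,
    # Get-ADUserResultantPasswordPolicy) is installed; the 25-password history comes from the question.
    Import-Module ActiveDirectory

    function Test-PasswordPolicyForSspr {
        param(
            [string]$SamAccountName,               # optional: evaluate a user's resultant (FGPP) policy
            [int]$ExpectedHistoryCount = 25        # from the original question; adjust to your GPO
        )

        $source = 'Default Domain Password Policy'
        $policy = $null
        if ($SamAccountName) {
            # Returns $null when no fine-grained policy applies to the user.
            $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
            if ($policy) { $source = "Fine-grained policy '$($policy.Name)' for $SamAccountName" }
        }
        if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

        $findings = @()
        if ($policy.MinPasswordAge -eq [TimeSpan]::Zero) {
            $findings += 'MinPasswordAge is 0; the reply in this thread says it must be non-zero.'
        }
        if ($policy.PasswordHistoryCount -lt $ExpectedHistoryCount) {
            $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount), below the expected $ExpectedHistoryCount."
        }
        if ($policy.PasswordHistoryCount -eq 0) {
            $findings += 'PasswordHistoryCount is 0; password reuse is not restricted by this policy.'
        }

        [pscustomobject]@{
            Source               = $source
            MinPasswordAge       = $policy.MinPasswordAge
            PasswordHistoryCount = $policy.PasswordHistoryCount
            MinPasswordLength    = $policy.MinPasswordLength
            Findings             = if ($findings) { $findings } else { @('No findings') }
        }
    }

    # Usage:
    # Test-PasswordPolicyForSspr
    # Test-PasswordPolicyForSspr -SamAccountName 'jdoe'    # 'jdoe' is a placeholder account name
    ```

    Run it once for the domain default and once for a user who actually hit the SSPR error; if the two differ, the user is covered by a fine-grained policy and that is the one whose minimum age and history count matter.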