Error 3008

  • Question

  • I have 2 Windows 2008 R2 servers on which I have installed FIM SSPR. Server1 holds FIM Sync, FIMService and the password registration portal. Server2 holds the SQL database and the password reset portal.

    Problem 1: The AD users are not appearing in the FIM Portal; only 2 users are visible. The import run profile that imports AD users into the FIM Portal runs successfully and shows the number of users imported, but in the FIM Portal no user has been created.

    Problem 2: When I try to register my ID, which exists in the FIM Portal, I get error 3008. I am pasting the event log entry I get for this on my FIMServer1:

    System.Web.Services: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1)
       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)

    Wednesday, July 16, 2014 9:27 AM

All replies

  • You need to make sure that whatever SSL cert is on the site you are trying to access is trusted on your machine. Is the cert from a local PKI or a major vendor like Verisign? The error you described indicates a trust problem, and most likely you have a non-third-party cert, so you need to make sure that the SSL cert is trusted on your local machine. See this for more info.

    If this post has been useful please click the green arrow to the left or click Propose as answer

    Wednesday, July 16, 2014 11:09 AM
  • Hello,

    Problem1:

    • Have you set a projection rule on the AD MA? Or an import synchronization rule from FIMService?
    • Can you check whether your AD users are in the metaverse (the "Metaverse Search" tab in the FIM Sync client)?
    • In addition, be sure to import login, domain and objectSid from AD to FIMService/Portal.

    Problem 2: To complete what Scott says, check whether the certificate name matches the server name.

    Regards,


    Sylvain

    Wednesday, July 16, 2014 11:54 AM
  • I selected Metaverse Search after opening the Synchronization Service Manager. I selected "person" under scope by object type and the default collation, but in the search result I got only 2 users: one is my ID and the other is the Built-in Synchronization Account, even though it shows "Retrieved 1961 of 1961 matching records". Need your suggestion on the same.

    Problem 2: I am checking the certificate as Scott has suggested.

    Wednesday, July 16, 2014 12:09 PM
  • The AD provisioning rule has already been created in FIM as per the Microsoft SSPR guide, but the import synchronization rule is not created. How do I proceed with the configuration? I don't want any projection into AD through the FIM Portal, as I am going to use this only for the password reset functionality. Kindly suggest.
    Wednesday, July 16, 2014 12:24 PM
  • In the metaverse search, you probably don't have the displayName attribute.

    Add the "accountName" column to see the login name.

    After that, check whether the objects are connected to the FIM and AD MAs.


    Sylvain

    Wednesday, July 16, 2014 12:41 PM
  • Mohit,

    First you need to check the certificate details and, after verifying them, check whether the certificate is properly configured. If yes, then after applying the certificate stop and start the FIM services. If the services come up, then I believe you are good to go with your certificate.

    SSPR is a functionality that doesn't work properly if there is a certificate issue. You also need to check the certificate's thumbprint in the registry; it should match exactly the certificate you have configured.


    Regards,
    Manuj Khurana

    Wednesday, July 16, 2014 2:49 PM
  • When I try to reach the URL https://myexchangeserver/ews/exchange.asmx, an invalid certificate error comes up. We have a certificate installed on our Exchange server, and it has been issued by an external authority. This Exchange server certificate has a different subject name, webmail.mydomain.com, and does not cover the above-mentioned URL which I am trying to access. I have an internal root CA; I can build a new certificate. Will this work, or do I need to do something else?
    Wednesday, July 16, 2014 3:48 PM
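The two causes raised in this thread (an issuer the FIM server does not trust, and a subject/SAN that does not contain the host name in the EWS URL) are distinguishable from the `SslPolicyErrors` flags .NET raises during the handshake. The following PowerShell script is an added diagnostic, not code from the thread or from FIM; it assumes the host name in FIM's EWS URL is `myexchangeserver` (taken from the question) and that EWS listens on 443.

```powershell
# Added diagnostic, not from the thread. Assumes the host name below is the one in the
# EWS URL that FIM is configured with ('myexchangeserver' is taken from the question).
param(
    [string]$HostName = 'myexchangeserver',
    [int]$Port = 443
)
$script:remoteCert  = $null
$script:policyError = $null

# Validation callback: capture the certificate and the SslPolicyErrors flags instead of
# failing. Returning $true here is for this one-off inspection only; never do this in
# the FIM service itself, it would disable certificate validation.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:remoteCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $script:policyError = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)   # same host-name check .NET applies for FIM
}
finally { $client.Close() }
if (-not $remoteCert) { throw "No certificate received from ${HostName}:$Port" }

"Subject      : $($remoteCert.Subject)"
"Issuer       : $($remoteCert.Issuer)"
"Thumbprint   : $($remoteCert.Thumbprint)"
"Expires      : $($remoteCert.NotAfter)"
"PolicyErrors : $policyError"

# Subject Alternative Name (OID 2.5.29.17) lists every host name the certificate covers.
$san = $remoteCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN          : " + $san.Format($false) }

# Map the flags to the two causes discussed in the thread.
$flags = [System.Net.Security.SslPolicyErrors]
if ($policyError -band $flags::RemoteCertificateNameMismatch) {
    "-> Name mismatch: '$HostName' is not in the certificate's CN/SAN. Point FIM at a name the cert covers, or reissue the cert with '$HostName' in its SAN."
}
if ($policyError -band $flags::RemoteCertificateChainErrors) {
    "-> Chain error: the issuer is not trusted on this machine. Import the root (and any intermediate) CA into the Local Computer Trusted Root store, then restart the FIM services."
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($remoteCert)
    $chain.ChainStatus | ForEach-Object { "   $($_.Status): $($_.StatusInformation.Trim())" }
}
if ($policyError -eq $flags::None) { "-> Certificate validates for '$HostName'." }
```

Run it on the FIM server (the machine whose trust store and host-name lookup the mail listener actually uses), since a certificate that validates from a workstation can still fail there.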