FIM Self-Service Password Reset - No such user Domain\svc-FIMPassword

  • Question

  • Hi all,


    I inherited one FIM implementation with FIM SSPR functionality.

    I am quite new to this SSPR functionality, but I will try to give you all the information anyway.

    It seems that FIM is working well so far except for FIM Password Reset.

    The issue is that when a user accesses the Password Reset Portal, enters the username “USER1” and clicks "Next", he receives error message 3001, which states that the identity doesn’t exist.

    I checked the FIM Portal for the user and he is present; Password Registration was done in the past and now the user wants to reset the password.


    Looking into the Event Viewer logs, I extracted the following relevant entries, in this order:

    1. Source: Microsoft.ResourceManagement

    GetCurrentUserFromSecurityIdentifier: No such user DOMAIN\svc-FIMPassword, S-1-5-21-xxx

    Note: user DOMAIN\svc-FIMPassword is the service account that the FIM Password Reset application pool runs under in IIS.

    Shouldn’t the actual user name that the user entered on the initial screen, “USER1”, be here?

    2. Source: Microsoft.ResourceManagement

    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound

    3. Source: Microsoft.CredentialManagement.ResetPortal

    Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> The web service client has encountered the following class of error: IdentityIsNotFound

    Details: Additional Text Details: The requestor’s identity was not found.

    4. Source: Microsoft.CredentialManagement.ResetPortal

    Message: Error processing your request: The server was unwilling to perform the requested operation.

    Source: The requester of this operation is invalid.

    Attributes:

    Details: The requestor’s identity was not found.

    ErrorCode: 3001

    So all the logs state that the identity couldn’t be found, but I checked in the Portal and he exists, and the password registration was done in the past.

    And my questions are:

    1. GetCurrentUserFromSecurityIdentifier: No such user DOMAIN\svc-FIMPassword, S-1-5-21-xxx

    How should I interpret this message? It confuses me: why do I have the service account for the FIM Password Reset application pool in IIS here, instead of the account that the user entered on the Portal?

    Or does it indeed state that the service account is missing? If so, where should it be present? The account exists in AD but it doesn’t exist in the Portal, because it is not part of any sync rules.


    2. Any other checks to make sure the user identity is present and available for Password Reset?


    Thank you in advance!

    Wednesday, December 30, 2015 12:53 PM

All replies

  • Popopopo

    Make sure that the SSPR password reset portal is using only anonymous authentication and that Windows Authentication is not enabled. I'm thinking, based on your error, that anonymous is either not enabled at all or not the only auth mechanism selected.

    Thursday, December 31, 2015 7:07 AM
  • Thanks Glenn for the answer. I just checked the Password Reset Portal and the only enabled authentication is "Anonymous Authentication".

    Thursday, December 31, 2015 10:43 AM
  • Hi,

    On the server running the FIM Service, look at:

    HKLM\System\CurrentControlSet\services\FIMService\PasswordResetServiceAccountSID
    HKLM\System\CurrentControlSet\services\FIMService\PasswordRegistrationServiceAccountSID

    and verify that the SID value(s) match the account(s) being used by the IIS application pools for password registration and password reset.

    If there is a difference you can rerun the FIM Service setup (Change via add/remove programs), enter in the correct service accounts, and complete the change.

    Best,

    Jeff Ingalls

    Friday, January 1, 2016 2:17 AM
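    Added example (not from this thread or from Jeff's reply): a PowerShell script that performs the check described above on the FIM Service server, reading the two registry values named in the post and comparing each with the SID of the account that runs the corresponding IIS application pool. It assumes the portals run on the same server (the poster's single-server deployment), that the registry values are stored as SID strings, and that the IIS WebAdministration module is available; the application pool names are assumptions and must be changed to match your IIS configuration.

    ```powershell
    # Added example, not part of the original thread.
    # Compares the FIM Service PasswordReset/PasswordRegistration service account SIDs in the
    # registry with the SIDs of the identities configured on the SSPR application pools.
    Import-Module WebAdministration

    $fimKey = 'HKLM:\System\CurrentControlSet\services\FIMService'

    # Registry value name -> IIS application pool name.
    # The pool names below are assumptions; adjust them to your environment.
    $checks = @{
        'PasswordResetServiceAccountSID'        = 'PasswordResetPortalPool'         # assumed pool name
        'PasswordRegistrationServiceAccountSID' = 'PasswordRegistrationPortalPool'  # assumed pool name
    }

    foreach ($valueName in $checks.Keys) {
        $poolName    = $checks[$valueName]
        $registrySid = (Get-ItemProperty -Path $fimKey -Name $valueName).$valueName

        # Resolve the application pool identity (DOMAIN\user) to its SID.
        $pool     = Get-Item "IIS:\AppPools\$poolName"
        $poolUser = $pool.processModel.userName
        $poolSid  = (New-Object System.Security.Principal.NTAccount($poolUser)).
                        Translate([System.Security.Principal.SecurityIdentifier]).Value

        # Also resolve the registry SID back to an account name; an unresolvable SID
        # usually means the service account was deleted and recreated since setup.
        $registryAccount = try {
            (New-Object System.Security.Principal.SecurityIdentifier($registrySid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { '<unresolvable>' }

        [pscustomobject]@{
            RegistryValue   = $valueName
            RegistrySid     = $registrySid
            RegistryAccount = $registryAccount
            AppPool         = $poolName
            AppPoolUser     = $poolUser
            AppPoolSid      = $poolSid
            Match           = ($registrySid -eq $poolSid)
        }
    }
    ```

    A row with Match = False (or RegistryAccount = <unresolvable>) is the case Jeff describes, where rerunning the FIM Service setup in change mode with the correct service accounts rewrites the registry values.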
  • Hi Jeff,

    I followed your steps to check SIDs for both accounts used for PasswordReset and PasswordRegistration app pools.

    The SIDs match the accounts used by the app pools.

    Anyway, I have another idea to make things easier instead of digging into the current situation, so your opinion would be very helpful to me.

    The current setup is a single-server deployment: all FIM options are installed on one server, except for the DB.

    As I am currently reading/learning about FIM SSPR functionality, I could simply install only SSPR on a new server, using different URLs.

    In this way I can preserve the current broken SSPR, deal with it later, and eventually have a new working SSPR using the new URLs, right?

    Going through the documentation about SSPR, it seems that I only need to run the setup for FIM Server on the new server and choose only the options for Password Reset and Password Registration, right?

    Is it a good idea to use the same Password Reset and Password Registration service accounts used by the broken SSPR, or is it better to create new ones for the new SSPR?

    My understanding is that on the FIM Server itself I don't need to do anything like run change mode etc., right?

    Sunday, January 3, 2016 12:47 PM
  • p,

    You are correct, you should be able to just install the SSPR portals on a different machine without having to disturb the current FIM server. One more suggestion for problem SSPR portals: verify that the web.config file for the password reset portal is pointing to the correct FIM Service instance and not a different instance such as non-production/dev.

    Monday, January 4, 2016 3:23 AM
  • Thanks Glenn for the reply.

    Did you mean to check C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config?

    Following your guideline on the problematic SSPR portals i did the following checks:

    1. Checked C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config

    Strange, there is no <resourceManagementClient ...> section.

    I compared the same file with my test environment that I built quickly, and there is such a section there:

    <resourceManagementClient requireKerberos="true" resourceManagementServiceBaseAddress="http://FIMsrv.src.local:5725" timeoutInMilliseconds="60000" />

    Shouldn't there be such a section on the problematic SSPR portals?

    Monday, January 4, 2016 11:21 AM
  • OK, I just found the web.config for the SSPR portals:

    C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Portal

    C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration Portal

    I checked <resourceManagementClient ...> in both web.config files and they are pointing to the correct FIM Service server.

    Monday, January 4, 2016 1:29 PM
  • You can install SSPR on other servers, although I would guess the 3001 error will remain.

    If the SIDs in the application pool match, then verify these Management Policy Rules are enabled:

    * Anonymous users can reset their password
    * Password reset users can read password reset resources
    * Password reset users can update the lockout attribute of themselves
    * User management: Users can read attributes of their own
    * General: Users can read non-administrative configuration resources
    * Administration: Administrators can read and update Users

    Then make sure your SPNs are set.

    Here's an article that explains it:

    http://social.technet.microsoft.com/wiki/contents/articles/4118.fim-2010-r2-kerberos-authentication-setup.aspx#Password_Registration_Site_amp_Password_Reset_Site

    Lastly, make sure useAppPoolCredentials is TRUE in applicationHost.config.

    Best,

    Jeff Ingalls

    Monday, January 4, 2016 6:06 PM
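    Added example (not from this thread or from Jeff's reply): a PowerShell script that covers the last two checks above, reading the effective useAppPoolCredentials value for each SSPR site from applicationHost.config and listing the SPNs registered on each site's application pool account with setspn -L, so the output can be compared against the linked Kerberos setup article. It runs on the IIS server hosting the portals and assumes the WebAdministration module and the setspn tool are available; the IIS site names are assumptions and must be changed to match your configuration. The Management Policy Rule check is not scripted here, as it is done in the FIM Portal.

    ```powershell
    # Added example, not part of the original thread.
    # For each SSPR site: report the effective useAppPoolCredentials setting from
    # applicationHost.config and list the SPNs registered on the app pool account.
    Import-Module WebAdministration

    # IIS site names are assumptions; substitute the names used in your IIS configuration.
    $sites = @('Password Reset Portal', 'Password Registration Portal')

    foreach ($site in $sites) {
        # MACHINE/WEBROOT/APPHOST with -Location reads the per-site <location> section
        # of applicationHost.config, which is where Jeff says the setting must be TRUE.
        $setting = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'useAppPoolCredentials'

        $poolName = (Get-Item "IIS:\Sites\$site").applicationPool
        $poolUser = (Get-Item "IIS:\AppPools\$poolName").processModel.userName

        [pscustomobject]@{
            Site                  = $site
            AppPool               = $poolName
            AppPoolUser           = $poolUser
            UseAppPoolCredentials = [bool]$setting.Value
        }

        # setspn -L lists every SPN registered on the account. With useAppPoolCredentials
        # TRUE the HTTP SPN for the portal URL must be on this account, not on the machine.
        if ($poolUser) {
            Write-Host "SPNs registered on $poolUser :"
            & setspn -L $poolUser
        }
    }
    ```

    A site reporting UseAppPoolCredentials = False, or an account whose setspn -L output lacks the HTTP/<portal host name> entry, is what the linked article's Password Registration and Password Reset section describes how to set up.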