SSPR fails while using Network Service instead of FIM service Account. Where can I re-configure it?

  • Question

  • SSPR fails when trying to reset the password. Registration is working fine. Reset is working until the last step. Then, after typing the new password twice, I get an error: "An error has occurred when trying to reset your password, please contact the helpdesk for assistance".

    The following error is written in the System log:
    ^^^^^^^^^^^^^^^^^^^
    Log Name:      System
    Source:        Microsoft-Windows-DistributedCOM
    Date:          11/18/2014 3:34:32 PM
    Event ID:      10016
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          NETWORK SERVICE
    Computer:      SR0435.intranet.<client>.nl
    Description:
    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {000C101C-0000-0000-C000-000000000046}
    and APPID
    {000C101C-0000-0000-C000-000000000046}
    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
    ^^^^^^^^^^^^^^^^^^^^^

    The user mentioned is not the one I expect. I expected the FIM service account to do that. Not the Network service. There is a blog here (http://www.identitychaos.com/2009/06/dcom-error-10016-and-sharepoint.html) that deals with this issue. But there the user is a service account. 

    My topology is as follows:
    Servers 1 and 2: SharePoint 2013 farm members. No FIM Components except BRIX DLLs.
    Server 3: Service, Portal, SharePoint 2013 Farm administration and portal. Used only by servers 1 and 2.
    server 4: SSPR password reset
    server 5: SSPR password registration
    server 6: Synchronization server

    SQL server is elsewhere.

    Just to be sure the servers are configured correctly I re-run the SSPR Password Reset installation wizard on server 4 and the Service and portal installation wizard on server 3.  The configuration is as you may expect.

    I tried to add the NETWORK SERVICE to the DCOM and give it permissions. The DCOM error in the event viewer disappeared but the password reset failed as well.

    The user resetting the password has sufficient permissions to reset passwords.

    My first question is: Why is the Network Service used and not the FIM Service account? Where can I change it?


    GH

    Wednesday, November 19, 2014 7:34 AM

Answers

  • Most of the persistent settings for things are documented here:

    https://msdn.microsoft.com/en-us/library/ff800821(v=ws.10).aspx

    However this setting is not there. The account that is used by the Password Registration Portal is "persisted both in the Application Pool Identity settings in IIS as well as in the registry on the FIM Service Server in the FIMService key of the SERVICES branch there is a value called PasswordResetServiceAccountSID" -- FIM Best Practices Vol 1 Ch 8

    During the install you should have been prompted for an existing domain account that the FIM Password Reset application pool would use.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Marked as answer by Guy Horn Friday, June 24, 2016 2:21 PM
    Monday, July 20, 2015 8:43 PM
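The answer names two places where the SSPR account is persisted (the IIS application pool identity and the PasswordResetServiceAccountSID registry value) and the question shows the DCOM 10016 event naming NETWORK SERVICE. The following PowerShell script, added here as an illustration and not part of the thread or of any Microsoft tooling, reads all three and prints them side by side so an administrator can see which identity the reset portal is really running as. The registry path `HKLM:\SYSTEM\CurrentControlSet\Services\FIMService` is assumed from the answer's description of "the FIMService key of the SERVICES branch", and the application pool name `FIM Password Reset` is an assumption to be adjusted to the local IIS configuration; run the registry part on the FIM Service server and the IIS part on the password reset portal server.

```powershell
# Added example (not from the thread): show which account FIM SSPR is configured to use
# and which account the DCOM 10016 event actually names.
# Assumptions (adjust to your environment):
#   - Registry key: HKLM:\SYSTEM\CurrentControlSet\Services\FIMService (assumed from the answer)
#   - App pool name: 'FIM Password Reset' (hypothetical; list pools with Get-ChildItem IIS:\AppPools)
param(
    [string]$AppPoolName   = 'FIM Password Reset',
    [string]$FimServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMService'
)

function Convert-SidToAccount {
    # Accepts a SID string ('S-1-5-20') or a binary SID and resolves it to DOMAIN\name.
    param([Parameter(Mandatory)]$Sid)
    try {
        $sidObj = if ($Sid -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
        } else {
            New-Object System.Security.Principal.SecurityIdentifier([string]$Sid)
        }
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolvable SID: $Sid>"
    }
}

# 1. Registry: the PasswordResetServiceAccountSID value quoted in the answer
$props = Get-ItemProperty -Path $FimServiceKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['PasswordResetServiceAccountSID']) {
    $sidValue = $props.PasswordResetServiceAccountSID
    "Registry PasswordResetServiceAccountSID : $(Convert-SidToAccount $sidValue)"
} else {
    "Registry value PasswordResetServiceAccountSID not found under $FimServiceKey (run on the FIM Service server)"
}

# 2. IIS: identity of the password reset application pool (run on the reset portal server)
Import-Module WebAdministration -ErrorAction SilentlyContinue
$pool = Get-Item "IIS:\AppPools\$AppPoolName" -ErrorAction SilentlyContinue
if ($pool) {
    $pm = $pool.processModel
    # SpecificUser means a domain account was entered during setup; any other value
    # (NetworkService, LocalSystem, ApplicationPoolIdentity) is a built-in identity.
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
    "App pool '$AppPoolName' identity            : $identity"
} else {
    "App pool '$AppPoolName' not found; list pools with: Get-ChildItem IIS:\AppPools"
}

# 3. Event log: which account the most recent DCOM 10016 events name
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the SID out of the event's data fields; fall back to the message text if absent.
        $xml  = [xml]$_.ToXml()
        $sids = @($xml.Event.EventData.Data |
                  ForEach-Object { if ($_ -is [string]) { $_ } else { $_.'#text' } } |
                  Where-Object { $_ -match '^S-1-' })
        $acct = if ($sids.Count -gt 0) { Convert-SidToAccount $sids[0] } else { '(SID not in event data; see message)' }
        "{0:u} DCOM 10016 names: {1}" -f $_.TimeCreated, $acct
    }
```

If the registry value and the application pool identity resolve to the FIM service account while the event keeps naming NT AUTHORITY\NETWORK SERVICE, the process that triggered the activation is not the reset portal's own worker process, which narrows the search to whichever other component on that server runs as Network Service.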