SSPR SMS OTP Registration 3004 Error


  • Hi guys,

    So I set up SSPR QA-gate and with a different set SMS-OTP. Using a custom attribute I let users decide in which set they are transitioned. So far so good!

    When registering on the SMS OTP I get the following permission error:

    The error page was displayed to the user.
    Title: Unauthorized User
    Message: You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)
    Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Expected authentication.
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    ErrorCode: 3004
    CaughtTime: 01/25/2013 14:56:00

    Web Portal: FIM Password Registration Portal
    Session Id: 5vjeeh55ittajs2zu04p33ib
    IP Address:


    I noticed that Administrators COULD register, so I added an MPR which gives users from the SMS Set permission to READ All Attributes from All Objects.

    With this MPR enabled I can register normal users for registration. But this is not safe; I don't want the users to read other objects.

    So my question states: What attribute is needed/read while registering for SMS OTP?


    • Edited by Vvouterr Friday, January 25, 2013 2:05 PM
    Friday, January 25, 2013 2:03 PM

All replies

  • The FIM SSPR Deployment Guide describes exactly which MPRs and attributes to configure for custom SSPR workflows. I've followed the instructions and they work well, but are a little long for reposting here.

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Friday, January 25, 2013 5:28 PM
  • You mean this guide? (

    Because Microsoft's deployment guides go from the assumption that you are adding SMS OTP to the existing workflows, MPRs & sets. I'm starting from zero, and they are not made for that. That's why I asked here :)

    Thursday, January 31, 2013 9:26 AM

    That's what you are looking for :)

    Regards Furqan Asghar

    Thursday, January 31, 2013 9:55 PM
  • Close but not quite... I mean the really big guide to deploying FIM Password Reset:

    This guide describes exactly how to configure new Password Authorization Workflows for different sets of users, how to hook up the MPRs, etc.  It is a much superior reference compared to any of the webpage SSPR guidance.


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Thursday, January 31, 2013 10:06 PM