Register user to complete self-service password reset

  • Question

  • Dear All,

    I have a problem registering a user for self-service password reset.

    I already synced the user between AD DS and FIM. I also added the user to the password user reset Sets.

    But when I try to open the identity management portal, the browser shows an error: you do not have permission.

    Alternatively, to register the user, I tried clicking the Reset Password link on the logon window, but a pop-up window shows the error: you are not authorized to reset your password using self service password reset. You may need to register in order to complete self-service password reset. Please contact your admin.

    Any suggestions for what to check and configure?

    Any idea?

    I am a newbie in FIM.

     

    regards,

    Endrik

     

     

    Monday, June 7, 2010 4:06 PM

All replies

  • 1. Clicking "Reset Password" will definitely NOT initiate the registration sequence.

    2. There are multiple possibilities that could cause that permission issue, e.g. SPN, incorrect sync rule. Does the user have all the required attributes set to go to the portal? (displayName, accountname, domain, objectSid)


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Monday, June 7, 2010 5:08 PM
  • try to enable more debug info on the portal

    C:\inetpub\www\wss\virtualdirectory\80\web.config

    search for "stack", change the callstack=true
    search for "custom", change the custom error page = Off
    search for ILMError, comment out that tag...

    try access the portal now and u should get the full stacktrace
    Tuesday, June 8, 2010 1:36 AM
  • Dear Antony,

     

    I set callstack to true in web.config; the error is "you do not have permission".

    In FIM, the user has the details displayName, accountname, domain, and objectSid.

    Any idea?

     

    Regards,

    Endrik

    Tuesday, June 8, 2010 1:59 AM
  • with all those steps to enable portal diagnostic, now if u go to FIMPortal with that user, you still don't see a complete stack? Probably you have changed the wrong file
    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Tuesday, June 8, 2010 3:13 AM
  • Dear Aho,

    I am sure I edited the right file, and I still do not see a complete task.

    How can I make sure that the user in FIM has the accountname and objectSid details?

     

    Regards,

    Endrik

     

    Tuesday, June 8, 2010 7:20 AM
  • http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f3ae1913-4c9d-43a2-b2bd-830912d3792d

     

    would u please post a screenshot as well?


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Tuesday, June 8, 2010 7:31 AM
  • Dear Aho,

    To make sure:

    1. Change callstack=true and allowpageleveltrace=true

    <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="true">

    2. Change customerror mode="off"

      <customErrors mode="On" />

    Is this right?


    I also tried to check the user attribute values for FIM Portal access using PowerShell (http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f3ae1913-4c9d-43a2-b2bd-830912d3792d), but PowerShell returns an error:

    File C:\accessfimportal.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
    At line:1 char:22
    + .\accessfimportal.ps1 <<<<
        + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
        + FullyQualifiedErrorId : RuntimeException

    Regards,

    Endrik

    Tuesday, June 8, 2010 9:29 AM
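
An added example, not part of the original thread: a PowerShell check that reads a web.config and reports the three diagnostic settings discussed above, so a mismatch such as `customErrors mode="On"` is caught before retesting. `Get-PortalDiagnosticState` is a hypothetical helper name, and the config fragment (including where the ILMError entry sits and its type) is constructed for illustration.

```powershell
# Added example: report the state of the portal diagnostic settings.
function Get-PortalDiagnosticState {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # Return an attribute value, or $null when the element is absent
    function Get-Attr($node, $name) { if ($node) { $node.GetAttribute($name) } }

    $safeMode = $Config.SelectSingleNode('//SafeMode')
    $custom   = $Config.SelectSingleNode('//customErrors')
    # Live elements that still mention ILMError. A commented-out tag is an
    # XML comment node, so it is not matched here.
    $ilm = $Config.SelectNodes("//*[@*[contains(., 'ILMError')]]")

    $mode = Get-Attr $custom 'mode'
    New-Object PSObject -Property @{
        CallStack        = Get-Attr $safeMode 'CallStack'
        PageLevelTrace   = Get-Attr $safeMode 'AllowPageLevelTrace'
        CustomErrorsMode = $mode
        # ASP.NET accepts On, Off and RemoteOnly, compared case-sensitively
        FullErrorsShown  = ($mode -ceq 'Off')
        ILMErrorActive   = ($ilm.Count -gt 0)
    }
}

# Constructed sample that mirrors the lines quoted in the post above
$sample = [xml]@'
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="true" />
  </SharePoint>
  <system.web>
    <customErrors mode="On" />
    <httpModules>
      <add name="ILMError" type="Constructed.Placeholder.Type" />
    </httpModules>
  </system.web>
</configuration>
'@

Get-PortalDiagnosticState -Config $sample | Format-List
```

Full stack traces expose internal paths and type names to anyone who can reach the portal, so these settings belong on a troubleshooting window only and should be reverted afterwards.
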
  • I tried setting the execution policy to unrestricted, and the PowerShell script could then be executed. Here is the result:

    AccountName : tukul
    DisplayName : Tukul Arwana
    Domain      : FABRIKAM
    ObjectSID   : AQUAAAAAAAUVAAAAssERljkC/LdotBlFZwQAAA==
    StringSID   : S-1-5-21-2517746098-3086746169-1159312488-1127

    So, any idea?

    regards

    Endrik

    Tuesday, June 8, 2010 9:43 AM
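
An added example, not part of the original thread: it checks that the four attributes the thread names as required for portal access are populated, and that the Base64 ObjectSID decodes to the same SID string the script printed. `ConvertFrom-Base64Sid` and `Test-PortalAttributes` are hypothetical helper names; the sample values are the ones posted above.

```powershell
# Added example: validate the portal-access attributes of one user record.
function ConvertFrom-Base64Sid {
    param([Parameter(Mandatory = $true)][string]$Base64Sid)
    $bytes = [Convert]::FromBase64String($Base64Sid)
    # Binary SID layout: revision, sub-authority count, 6-byte authority,
    # then little-endian 32-bit sub-authorities.
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Test-PortalAttributes {
    param([Parameter(Mandatory = $true)][hashtable]$User)
    $required = 'AccountName', 'DisplayName', 'Domain', 'ObjectSID'
    $missing  = @($required | Where-Object { [string]::IsNullOrEmpty($User[$_]) })
    $decoded  = $null
    if ($missing -notcontains 'ObjectSID') {
        # A value that is present but malformed is reported, not thrown
        try   { $decoded = ConvertFrom-Base64Sid $User['ObjectSID'] }
        catch { $missing += 'ObjectSID (not a valid binary SID)' }
    }
    New-Object PSObject -Property @{
        Missing    = $missing
        DecodedSid = $decoded
        Ready      = ($missing.Count -eq 0)
    }
}

# Values as posted in the thread
$user = @{
    AccountName = 'tukul'
    DisplayName = 'Tukul Arwana'
    Domain      = 'FABRIKAM'
    ObjectSID   = 'AQUAAAAAAAUVAAAAssERljkC/LdotBlFZwQAAA=='
}

$result = Test-PortalAttributes -User $user
$result | Format-List

# Compare the decoded value with the StringSID line from the thread
$result.DecodedSid -eq 'S-1-5-21-2517746098-3086746169-1159312488-1127'
```

A script like this can be run without leaving the machine-wide policy at Unrestricted by changing the policy for the current session only, with `Set-ExecutionPolicy RemoteSigned -Scope Process`.
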
  • u didn't mention you have commented out the ILMError tag. would u like to double check on that one?

     

     

    have u enabled the 6 MPRs required for Password Reset (2 are for regular portal access)

    http://technet.microsoft.com/en-us/library/ee534892%28WS.10%29.aspx


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Tuesday, June 8, 2010 10:04 AM
  • Dear Aho,

    Now the user can view the portal via the IE browser.

    But I still get an error: when I try to register a password in the portal, the Welcome screen of FIM password reset registration appears, along with a pop-up error window:

    An error occured while processing your request. Please try again later. If the error persists please contract your system administrator.

    Any idea Aho?

    Regards,

    Endrik

    Tuesday, June 8, 2010 11:30 AM
  • so enabling the 6 MPRs move u one step further? i would suggest u to read through the deployment guide first.

     

    so u just initiate the registration process (clicking on the registration link), and without doing anything, u see that error?

     

    i would check the FIMService config file, search for externalHostname attribute, make sure it is a DNS-resolvable hostname by the client (i.e. no localhost, no http:// prefix).


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Tuesday, June 8, 2010 1:45 PM
  • haven't heard back from you.

    Is there anything we can further assist you with?


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Wednesday, June 9, 2010 10:49 PM
  • Dear Aho,

     

    Thanks a lot, the user can complete self-service password registration.

    So the conclusion:

    1. The user must have the required attributes to go to the portal.

    2. The attributes are Account Name, Domain, Display Name, objectSid.

    So for now, I need to distribute the FIM add-on and extension to the clients, and I will use SCCM or GPO to distribute that add-on.

    Do you have a script to distribute the add-on with unattended installation?

    I mean installation using a script with no user interaction.

     

    Regards,

     

    Endrik

    Thursday, June 10, 2010 2:23 AM
  • Perfect. Glad to hear that.

    As for unattended installation, you might want to take a look at this one:
    http://technet.microsoft.com/en-us/library/ff602040%28WS.10%29.aspx

    i am going to mark this thread as resolved. If u have further questions around unattended installation, please start a new thread. :)


    The FIM Password Reset Blog http://blogs.technet.com/aho/
    Thursday, June 10, 2010 2:44 AM
  • Dear Aho,

    Two thumbs up for you.

     

    Regards,

    Endrik

    Thursday, June 10, 2010 8:26 AM