FIM 2010 R2 SSPR Reset Problem

  • Question

  • When submitting the answers to the QA Gate questions I'm getting an error
    3000. When I look at the requests in the portal I'm seeing a post processing
    error each time I submit the answers and when I look at the details of the
    request it states:

    'System.Workflow.ComponentModel.WorkflowTerminatedException'
    Any ideas?


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Save energy:  Drive a smaller shell.

    Monday, December 10, 2012 10:40 PM

Answers

  • On Tue, 11 Dec 2012 17:09:56 +0000, Paul Adare wrote:

    I don't think that we're even getting off of the portal server as we tried
    changing the password to the same as the current password and if we were
    getting to AD that should at least have told us we were violating password
    policy as they are enforcing password history.

    Resolved. It was the Microsoft guidance to use Denies in the User Rights
    Assignments that was causing our problem. As soon as we removed those (and
    this is probably the first deployment that I've ever used them in) we were
    able to reset the password.

    As an aside I was a SME on the Microsoft MMS and ILM courses and remember
    when the PM responsible included that guidance in the docs and the message
    box warning you that the install wasn't secure in its current state. A
    bunch of us argued against using denies way back then.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    No line available at 300 baud.

    Tuesday, December 11, 2012 6:53 PM
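
A check that follows from the resolution above, as an added example that is not part of the original thread: export the User Rights Assignment area of the security policy on the FIM server and list every Deny right, flagging entries that name the service accounts. The account names are placeholders, and the thread does not say which Deny rights were set in this deployment.

```powershell
# Added example: list Deny* user rights on this server and flag service accounts.
# $ServiceAccounts holds placeholder names; replace them with your deployment's accounts.
param(
    [string[]]$ServiceAccounts = @('CONTOSO\svc-fimservice', 'CONTOSO\svc-fimsync')
)

$cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
# Export only the User Rights Assignment area (run from an elevated prompt).
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt." }

try {
    $rows = foreach ($line in Get-Content $cfg) {
        # Lines look like: SeDenyNetworkLogonRight = *S-1-5-32-546,CONTOSO\someuser
        if ($line -notmatch '^\s*(SeDeny\w+)\s*=\s*(.*)$') { continue }
        $right   = $Matches[1]
        $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            $name = $entry
            if ($entry.StartsWith('*S-')) {
                try {
                    # Exported SIDs carry a leading '*'; resolve them to DOMAIN\name.
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $entry }   # unresolvable SID: keep it as exported
            }
            [pscustomobject]@{
                Right          = $right
                Account        = $name
                ServiceAccount = ($ServiceAccounts -contains $name)
            }
        }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

$rows | Sort-Object Right, Account | Format-Table -AutoSize
```

The match is on the account name only, so a Deny right granted to a group that a service account belongs to shows up in the table but is not flagged.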

All replies

  • On Mon, 10 Dec 2012 22:40:44 +0000, Paul Adare wrote:

    When submitting the answers to the QA Gate questions I'm getting an error
    3000. When I look at the requests in the portal I'm seeing a post processing
    error each time I submit the answers and when I look at the details of the
    request it states:

    'System.Workflow.ComponentModel.WorkflowTerminatedException' Any ideas?

    Sorry, the error is hit when submitting the new password, not the answers.
    I'm going to confirm the permissions for password reset for the AD MA account
    in the morning.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    Any sufficiently advanced bug is indistinguishable from a feature.  --
    Kulawiec

    Tuesday, December 11, 2012 12:23 AM
  • Paul,

    Can you share what the FIM event log shows on FIM service machine and also what application event log shows on sync box? Usually, when the error happens during the reset process on AD MA itself, there is an event log entry in app log on sync server. I would think this could help narrow it down.........

    Tuesday, December 11, 2012 5:57 AM
  • On Tue, 11 Dec 2012 05:57:17 +0000, Glenn Zuckerman [MSFT] wrote:

    Can you share what the FIM event log shows on FIM service machine and also what application event log shows on sync box? Usually, when the error happens during the reset process on AD MA itself, there is an event log entry in app log on sync server. I would think this could help narrow it down........

    Glenn, that has been my experience as well. IIRC there was no error in the
    FIM Service box, other than looking at the request itself, and if there was
    an error on the FIM Sync box it was the same as the error in the request.
    I'll confirm this morning when we start up again.

    A colleague indicated that he'd had the same error last week and that it
    was indeed permissions. I searched for this error on microsoft.com and the
    only hit I got was a forum post from 2007 about a SharePoint (and not a
    FIM) problem.

    Thanks.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    APL is a write-only language.  -- Roy Keir

    Tuesday, December 11, 2012 10:10 AM
  • Hey Paul,

    Found this good blog that may help: http://blogs.msdn.com/b/karchworld_identity/archive/2012/08/02/debugging-the-fim-2010-sspr-quot-pwunrecoverableerror-quot-error.aspx

    In addition, if you make it to where you enter the password, in most cases the problem is going to be between the FIM Synchronization Server and the Active Directory.  In some cases it has to do with WMI and connecting to Active Directory to do the search.

    Tim


    Tim Macaulay Security Identity Support Team Support Escalation Engineer

    Tuesday, December 11, 2012 1:17 PM
  • On Tue, 11 Dec 2012 13:17:58 +0000, Tim Macaulay [MSFT] wrote:

    Found this good blog that may help: http://blogs.msdn.com/b/karchworld_identity/archive/2012/08/02/debugging-the-fim-2010-sspr-quot-pwunrecoverableerror-quot-error.aspx

    In addition, if you make it to where you enter the password, in most cases the problem is going to be between the FIM Synchronization Server and the Active Directory. In some cases it has to do with WMI and connecting to Active Directory to do the search.

    Ok, so we've been over and over the permissions, the WMI/DCOM stuff and
    we're no further along.

    We're still getting the error 3000 when we submit the password change, the
    request still shows the
    'System.Workflow.ComponentModel.WorkflowTerminatedException' error which
    also shows in the FIM event log on the portal server. Nothing at all in the
    logs on the Synch server.

    I don't think that we're even getting off of the portal server as we tried
    changing the password to the same as the current password and if we were
    getting to AD that should at least have told us we were violating password
    policy as they are enforcing password history.

    Any other ideas before we open a support case?


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    My computer NEVER cras...DOH!

    Tuesday, December 11, 2012 5:09 PM