Password Reset Failed

  • Question

  • My password reset portal is using an SMS gate. It had been working, but recently it has had a problem.

    The FIM Portal Server event log shows a PermissionDeniedException:

    Requestor: urn:uuid:b0b36673-d43b-4cfa-a7a2-aff14fd90522
    Correlation Identifier: f0f5c811-a595-4f1b-984d-3e2d8d61dee2
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: SystemConstraint
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteInitialAuthentication(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAuthentication(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)


    Does anyone have any idea about this issue?


    Jason

    Friday, October 10, 2014 5:06 AM

Answers

  • Problem resolved. It was due to a failure to register "Password Reset AuthN Workflow" to "authNWFRegistered".

    Jason

    • Marked as answer by Jason2804 Thursday, October 16, 2014 1:43 AM
    Thursday, October 16, 2014 1:43 AM

All replies

  • Make sure you have SPNs registered correctly and delegation is still configured.

    Make sure your FIM Service account is in proper groups (FIMSyncBrowse and FIMSyncPasswordSet).

    Check whether the ADMA service account has suitable permissions to reset this user's password. Maybe you have deployed those permissions on a couple of OUs only and this account is in another OU?


    Friday, October 10, 2014 6:38 AM
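
The SPN, delegation and group checks suggested in the reply above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, that each account's sAMAccountName matches the CN shown in the thread, and that FIMSyncBrowse and FIMSyncPasswordSet are domain groups; it only reads from the directory and does not cover the ADMA account's reset-password permission.

```powershell
Import-Module ActiveDirectory

# Account and group names as they appear in this thread (assumed sAMAccountNames).
$serviceAccounts = 'FIMService', 'FIMSPService', 'FIMPWService'
$requiredGroups  = 'FIMSyncBrowse', 'FIMSyncPasswordSet'   # assumed to be domain groups

# 1. SPNs and delegation settings on each service account.
foreach ($name in $serviceAccounts) {
    $acct = Get-ADUser -Identity $name -Properties ServicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    [pscustomobject]@{
        Account             = $acct.SamAccountName
        SPNs                = $acct.ServicePrincipalName -join '; '
        Unconstrained       = $acct.TrustedForDelegation        # should normally be False
        ProtocolTransition  = $acct.TrustedToAuthForDelegation
        AllowedToDelegateTo = $acct.'msDS-AllowedToDelegateTo' -join '; '
    }
}

# 2. Duplicate SPNs: the same SPN on two accounts makes Kerberos tickets
#    for that service fail, so list every SPN that has more than one owner.
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $owner = $_.DistinguishedName
        $_.servicePrincipalName | ForEach-Object {
            [pscustomobject]@{ SPN = $_; Owner = $owner }
        }
    } |
    Group-Object SPN |
    Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'Owners'; e = { $_.Group.Owner -join ' | ' } }

# 3. Group membership of the FIM Service account (nested membership included).
$fimDn = (Get-ADUser -Identity 'FIMService').DistinguishedName
foreach ($group in $requiredGroups) {
    $members  = (Get-ADGroupMember -Identity $group -Recursive).DistinguishedName
    $isMember = $members -contains $fimDn
    'FIMService member of {0}: {1}' -f $group, $isMember
}
```

An empty result from step 2 means no SPN is registered twice.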
  • SPN:

    Registered ServicePrincipalNames for CN=FIMSPService,OU=Service Accounts,DC=abc,DC=com:
            HTTP/fimportal.devresource.abc.com
            HTTP/fimportal

    Registered ServicePrincipalNames for CN=FIMPWService,OU=Service Accounts,DC=abc,DC=com:
            HTTP/register.devresource.abc.com
            HTTP/reset.devresource.abc.com

    Registered ServicePrincipalNames for CN=FIMService,OU=Service Accounts,DC=abc,DC=com:
            FIMService/ResFIMSvr-Dev.devresource.abc.com
            FIMService/ResFIMSvr-Dev
            FIMService/fimportal
            FIMService/fimportal.devresource.abc.com

    Delegation:

    Group:

    FIMService is member of FIMSyncBrowse and FIMSyncPasswordSet

    ADMA permission:

    Temporarily gave Domain Admins rights; issue persists.


    Jason

    Friday, October 10, 2014 9:01 AM
  • Hi Jason,

    Unfortunately, that error is pretty generic, and covers a number of scenarios. 

    Is the user actually registered for SSPR?

    Are you using the correct username (as defined in FIM)?

    Have you verified the user account isn't permanently locked out from SSPR in FIM, according to your lockout gate settings?

    Cheers,

    Marc


    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    Friday, October 10, 2014 2:13 PM
  • Thanks Marc,

    I'm using auto registration, and that user was able to reset his password before.

    I even tried to reinstall the FIM Service and Portal with Change; the issue persists.

    SSPR error:


    Jason

    Friday, October 10, 2014 9:26 PM