UPGRADE TO FIM 2010 R2 SSPR - RICH CLIENT ERROR: The remote server returned an unexpected response: (407) Proxy Authorization Required

  • Question

  • Hi

    In urgent need of help with FIM 2010 R2 Rich Client on WIN7.

    Scenario:

    - just upgraded fim service, portal and sync to R2...
    - current workstations don't have the upgraded rich client installed.
    - have allowed legacy support for older rich clients from fim portal
    - sspr portals are installed on same server as fimportal with fimservice account.
    - passwordreset and passwordregistration are my portal URLS.
    - both of the above work in web browser.
    - have set SPNs for the two portal URLs for the IIS machine account.
    - all is happening in INTRANET (no extranet)
    - have added proxy exceptions to the web proxy

    Problems

    - trying to reset password at logon screen. Get the vague error: "an error has occurred..please contact your helpdesk. blah blah blah"

    - Turned on verbose logging on the client. Get the below errors in the event viewer (note it looks like it fails after this action: "Retrieving the first gate from the STS.")

    WARNING: FlushFileBuffers failed on pipe [[Unknown]] with error code [109].

    ERROR 1: 

    mscorlib: System.ServiceModel.ProtocolException: The remote server returned an unexpected response: (407) Proxy Authorization Required. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---

    Server stack trace: 
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.LayeredChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityToken(Message request)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityToken(Message request)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityToken(RequestSecurityTokenType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer)
       at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper)
       at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(ClientOptionsHelper clientOptionsHelper)
       at Microsoft.IdentityManagement.PasswordReset.GinaOperation.STSInitiateCommunication()

    ERROR 2:

    PwdMgmtProxy: Microsoft.IdentityManagement.PasswordReset.Utilities.UserFailureException: An unexpected error has occurred.  Please contact helpdesk or your administrator.
       at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.WriteGetNGateMsg(ClientPipeContext& client)
       at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.GetNextGate(ClientPipeContext& client, Boolean registering)
       at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.Authenticate(ClientPipeContext& client)
       at Microsoft.IdentityManagement.PasswordReset.PasswordManagementProxy.PipeCommunicationThread(Object context)

    I can't for the life of me figure out what is going on. Can someone please assist?

    cheers

    stu

    Wednesday, April 16, 2014 4:13 AM

All replies

  • stu,

    You said in the above post that this all works if the users navigate to SSPR portals directly... The difference between rich client and using browser, as I understand it, is that if using rich client the workstations themselves will connect to FIM service. Verify that access to both 5725 and 5726 from client workstations to FIM service machine(s) is open. I am thinking that 5726 is being blocked by something such as a firewall. IIRC, 5726 represents the STS on FIM service machine, which would only be used in SSPR scenarios and not by normal access to FIM user portal.

    • Marked as answer by mck_stu Thursday, April 17, 2014 12:39 AM
    Wednesday, April 16, 2014 5:06 AM
  • Thank you Glen for the very quick reply..it is much appreciated!

    I have just checked on the client machine telnetting to the fimportal host address and the fim machine name on both ports 5725 and 5726 and both can connect?

    I can also hit both services in a web browser...so I don't think there is a firewall.

    Is it possible that at some stage in the connection an actual proxy server (that requires auth) is getting in the way? Exceptions exist in the web proxy...or is this error referencing proxy auth referring to a FIM misconfiguration?

    cheers

    stu


    • Edited by mck_stu Wednesday, April 16, 2014 8:30 AM
    • Marked as answer by mck_stu Thursday, April 17, 2014 12:35 AM
    • Unmarked as answer by mck_stu Thursday, April 17, 2014 12:35 AM
    Wednesday, April 16, 2014 8:23 AM
  • Resolved.

    Thanks glen for pointing me in the right direction...

    The FIM service server address was fully qualified in the configuration. Therefore I tried to access HTTP://<FIMSERVER.DOMAIN.LOCAL>:5726 in a browser and it was blocked by Sophos due to the TCP port being denied/undefined.
    I missed this because I was originally just testing in a browser with just HTTP://FIMSERVER:5726, which connects.

    Defined the port and created an exception and away we go.

    Hope this helps someone else if this issue arises.


    • Marked as answer by mck_stu Thursday, April 17, 2014 12:39 AM
    Thursday, April 17, 2014 12:39 AM
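The check Glen suggests (ports 5725 and 5726 reachable from a workstation) and the lesson from the resolution (the short name worked while the FQDN was intercepted by the web proxy) can be combined into one script run from a client. This is an added example, not code from the thread or from FIM; the hostnames are placeholders, and it assumes the client uses the system (WinHTTP/IE) proxy settings, as the rich client would.

```powershell
# Added example (not from the thread). Tests each FIM Service endpoint from a
# workstation two ways: raw TCP (firewall block shows here) and HTTP via the
# system proxy vs. direct (a 407 only in the proxied path blames the proxy).
$hosts = @('FIMSERVER', 'FIMSERVER.DOMAIN.LOCAL')   # placeholder names
$ports = @(5725, 5726)   # 5725 = FIM Service; 5726 = STS used by the SSPR rich client

foreach ($h in $hosts) {
    foreach ($p in $ports) {
        # 1. Plain TCP connect, independent of any HTTP proxy configuration.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($h, $p)
            $tcpResult = 'open'
        } catch {
            $tcpResult = "closed ($($_.Exception.GetBaseException().Message))"
        } finally {
            $tcp.Close()
        }

        # 2. HTTP GET, once through the default system proxy and once bypassing it.
        #    Any HTTP status (even 400/404 from a WCF endpoint) proves the request
        #    reached FIM; a 407 means a proxy answered instead.
        $url = "http://${h}:${p}/"
        foreach ($useProxy in @($true, $false)) {
            try {
                $req = [System.Net.HttpWebRequest]::Create($url)
                $req.UseDefaultCredentials = $true     # Windows auth, like the client
                $req.Timeout = 5000
                if (-not $useProxy) { $req.Proxy = $null }   # direct, no proxy
                $resp = $req.GetResponse()
                $httpResult = "HTTP $([int]$resp.StatusCode)"
                $resp.Close()
            } catch {
                $e = $_.Exception.GetBaseException()
                $httpResult = if ($e -is [System.Net.WebException] -and $e.Response) {
                    "HTTP $([int]$e.Response.StatusCode)"   # e.g. 407 from the proxy
                } else {
                    $e.Message                              # timeout, DNS, refused
                }
            }
            $mode = if ($useProxy) { 'via system proxy' } else { 'direct' }
            Write-Output ("{0}:{1}  tcp={2}  http({3})={4}" -f $h, $p, $tcpResult, $mode, $httpResult)
        }
    }
}
```

A row where the short name returns an HTTP status from FIM but the FQDN returns 407 via the proxy and succeeds direct reproduces exactly the situation in the resolution: the fix belongs in the proxy's port or exception list, not in FIM.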