FIM R2 SSPR Issue: An AuthenticationRequiredException is expected when setting the ResetPassword attribute for the user

  • Question

  • Hello everybody,

    I have an issue with the Reset Password portal. After migrating from FIM 2010 to FIM 2010 R2 and installing the SSPR component on a dedicated server, users can't reset their passwords.

    The registration portal works well, but when a user (administrators included) tries to reset the password, the "Reset Portal" displays an error 3000.

    I have no errors on the FIM Service or FIM Sync, but I have the following trace on the SSPR server:

    #1 Event:

    An AuthenticationRequiredException is expected when setting the ResetPassword attribute for the user

    #2 Event:

    Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: An AuthenticationRequiredException is expected when setting the ResetPassword attribute for the user

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse)

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username)

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates()

       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

       --- End of inner exception stack trace ---

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)

       at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)

       at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)

       at System.Web.UI.TemplateControl.OnError(EventArgs e)

       at System.Web.UI.Page.HandleError(Exception e)

       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

       at System.Web.UI.Page.ProcessRequest()

       at System.Web.UI.Page.ProcessRequest(HttpContext context)

       at ASP.default_aspx.ProcessRequest(HttpContext context)

       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    #3 Event:

    The error page was displayed to the user.

    Details:

    Title: Error

    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

    Source:

    Attributes:

    Details: System.InvalidOperationException: An AuthenticationRequiredException is expected when setting the ResetPassword attribute for the user

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse)

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.ResetDriver.InitiatePasswordReset(String domain, String username)

       at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.MoveToAuthenticationGates()

       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    CorrelationId:

    RequestId:

    ErrorCode: 3000

    CaughtTime: 01/24/2013 10:24:07

     

    Web Portal: FIM Password Reset Portal

    Session Id: nnnnnnn

    IP Address: xxxx

    Do you have any idea of the origin of this issue?

    Thanks a lot!!



    • Edited by Antho09 Thursday, January 24, 2013 10:38 AM
    Thursday, January 24, 2013 10:36 AM

All replies

  • Check your MPRs/Sets/Workflow

    In particular, check the MPR "Anonymous ....."


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Friday, January 25, 2013 3:40 AM
  • MPR/Sets/WF are correct. I also checked anonymous access on WSS, and access rights on the synchronization server and AD. I don't understand...

    Monday, January 28, 2013 9:04 AM
  • Nothing related to WSS. It's all FIM

    Can you post the details of your MPR: "Anonymous users can reset their password"


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Monday, January 28, 2013 9:07 AM
  • Yes, normally it's the default MPR:

    Requestors: Anonymous Users

    Operation: Modify a single-valued attribute

    Permissions: Grants permission

    Target resource definition before request: Password Reset Users Set

    Target resource definition after request: Password Reset Users Set

    Resource attributes: Reset Password

    Authentication WF: Password Reset AuthN Workflow

    Action WF: Password Reset Action Workflow

    The policy is enabled.

    The SET "Password Reset Users Set" contains all portal users.

    Monday, January 28, 2013 9:28 AM
  • This is how I would troubleshoot:

    1. As admin (the user who has a problem resetting the pwd)

    2. Attempt to reset the pwd

    3. Now log in to FIMPortal and find the request (as a result of step #2).

    4. Check what MPRs and workflows are triggered


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Monday, January 28, 2013 9:33 AM
  • I see the issue.

    In fact, the default MPR "anonymous..." started after the registration was never completed. The status is "validated".

    So, I tried creating a new MPR with the same values as the default => same behavior.

    I created a new MPR and changed "requestors" to "all objects" and it works!

    I have to check why "anonymous users" doesn't work, but now I know that the problem is here.

    Thanks for your help! :)

    Monday, January 28, 2013 9:54 AM
  • I wouldn't do that.

    Another troubleshooting tip:

    1. Repeat the same steps I mentioned above

    2. After you find the request, see who the requestor is. It should be Anonymous. But I bet in your case, it's the name of the actual user.

    If that's the case, you want to make sure the ONLY IIS authentication module used in the SSPR-Reset-Portal is Anonymous authentication (Windows Auth and Basic Auth need to be disabled)

    The other possibility is that the IIS AppPool account you use to run SSPR-Reset-Portal is in FIM (just my guess... you probably have that synced in). If that's the case, try to delete the AppPool account from FIM


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Monday, January 28, 2013 10:01 AM
  • I performed your process with the initial MPR (anonymous...).

    The registering works well. When I tried to reset the password, there is the error. This is the detail of the request:

    Requestor: Anonymous User

    Status: Validating

    Request Contents: Reset Password => Modify => Value=True

    MPR applied: No MPR....

    The MPR "anonymous..." seems not applied when I try to reset a password.

    For information, the APPPool Account of SSPR is not in FIM (Sync or Service).

    Monday, January 28, 2013 1:16 PM
  • Can you look for errors in the FIMService machine's event log? (Those you posted at the beginning of the thread are coming from the SSPR portal. I want the ones, if any, from FIMService)

    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Monday, January 28, 2013 4:04 PM
  • I have no error in FIMService machine's event log.

    I tried to activate verbose in log file, but no other trace.

    Monday, January 28, 2013 4:10 PM
  • Instead of cloning the MPR, directly modify the MPR "Anonymous...": change the requestor to all objects.

    Repeat the steps.

    Compare the request generated and see what might be different.


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Monday, January 28, 2013 4:16 PM
  • When I keep the current configuration and add the following MPR, it works:

    Requestors: All objects

    Operation: Modify a single-valued attribute

    Permissions: Grants permission

    Target resource definition before request: Password Reset Users Set

    Target resource definition after request: Password Reset Users Set

    Resource attributes: Reset Password

    Authentication WF: Password Reset AuthN Workflow

    Action WF: Password Reset Action Workflow

    The policy is enabled.

    /

    The first MPR (anonymous...) is started when a user is registered. This second MPR is started when a user resets the password.

    I don't understand the issue on the first MPR...

    Monday, January 28, 2013 4:17 PM
  • I know that when you add the second MPR, it works. What I am interested in is, in the working case, what the REQUEST generated by FIM looks like. Is the requestor still Anonymous or something else?

    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Monday, January 28, 2013 4:21 PM
  • If I change the original MPR and set "all objects" instead of "anonymous users", the registration doesn't work (error: Unauthorized user)

    • Edited by Antho09 Monday, January 28, 2013 4:21 PM
    Monday, January 28, 2013 4:21 PM
  • when it works:

    - the requestor for a "registering" request is the user account

    - the requestor for a "reset" request is anonymous user

    Monday, January 28, 2013 4:27 PM
  • I found the issue.

    During the upgrade, I saw that some objects were corrupted.

    On the password registration/reset part, some SETs were empty. In my case, the SET "anonymous users" didn't contain any object. I added the user "anonymous user" and SSPR works well. Previously, the set "Password Reset Objects Set" was also empty.

    For information, if after an upgrade you have any issue, check the following SETs:

    - SET Anonymous users has to contain: anonymous user

    - SET Password Reset Objects Set has to contain: All Gate Registrations, Anonymous users can reset their password, Password Reset Auth Workflow, Password Reset Users Set

    NOTE: On this last SET, if you configure other gates or user sets, you have to add them here.

    Thanks for your help!

    • Marked as answer by Antho09 Tuesday, January 29, 2013 10:15 AM
    Tuesday, January 29, 2013 10:15 AM
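
The set check described in the answer above can be scripted with the FIMAutomation snap-in; this is an added example, not code from the thread. The service URI is an assumed default, the set display names are copied from the answer and may need adjusting to your installation, and `Get-FimAttributeValues` is a helper defined here.

```powershell
# Added example (not from the thread). Run on the FIM Service server
# as an account with read access to the FIM Service.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Assumption: default FIM Service endpoint; change it if yours differs.
$Uri = 'http://localhost:5725/ResourceManagementService'

# Set display names as written in the answer above.
$SetNames = 'Anonymous users', 'Password Reset Objects Set'

function Get-FimAttributeValues($Resource, [string]$Name) {
    # Return every value of one attribute on an exported FIM resource.
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return }
    if ($attr.IsMultiValue) { $attr.Values } else { $attr.Value }
}

foreach ($name in $SetNames) {
    $set = Export-FIMConfig -Uri $Uri -OnlyBaseResources `
        -CustomConfig "/Set[DisplayName='$name']" | Select-Object -First 1
    if (-not $set) {
        Write-Warning "Set '$name' was not found"
        continue
    }

    # ComputedMember holds the resolved membership (explicit + filter-based).
    $members = @(Get-FimAttributeValues $set 'ComputedMember')
    if ($members.Count -eq 0) {
        Write-Warning "Set '$name' is EMPTY"
        continue
    }

    Write-Host "Set '$name' has $($members.Count) member(s):"
    foreach ($ref in $members) {
        # Members are references of the form urn:uuid:<guid>; resolve each one.
        $id  = $ref -replace '^urn:uuid:', ''
        $obj = Export-FIMConfig -Uri $Uri -OnlyBaseResources `
            -CustomConfig "/*[ObjectID='$id']" | Select-Object -First 1
        $type = @(Get-FimAttributeValues $obj 'ObjectType') -join ''
        $dn   = @(Get-FimAttributeValues $obj 'DisplayName') -join ''
        Write-Host "  [$type] $dn"
    }
}
```

Compare the listed members with the ones named in the answer; a set reported as EMPTY after an upgrade matches the failure described in this thread.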
  • Do you have a repro environment?

    i.e. a snapshot before the upgrade, and after the upgrade you get a corrupted DB.

    It's a pretty bad issue and if you have a repro, we should try to get PSS to look at it


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Tuesday, January 29, 2013 10:19 AM
  • I see an impact on RCDC too after migration. Yes, I think the DB is corrupted... :(

    I will see if I can perform a new upgrade.

    Tuesday, January 29, 2013 10:35 AM