An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

  • Question

  • Receiving this error:

    An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

    I have been through this article (https://jorgequestforknowledge.wordpress.com/2015/03/08/resolving-the-pwunrecoverableerror-error-with-fim-self-service-password-reset-sspr/) and still getting the same error. 

    At a bit of a loss now. Hoping someone could shed some light on this and help me out.

    Thanks

    Stephen

    Monday, September 19, 2016 3:07 PM

Answers

  • Thanks to all who have contributed to this thread. Paul has helped me narrow the issue down. 

    It appeared that the objects weren't getting the inheritance on the OU where my user object was located, so I created a new user in one of the containers where I found the inheritance was working and all worked fine. 

    We checked the inheritance by checking the "Effective Permissions" under properties --> security of the OU's and objects.

    Password reset worked on the other test object within a different OU. 

    Thanks again everyone!

    Off to reinstall the entire thing tomorrow as I've somehow managed to delete the Administrator from the user portal and can't access the MPRs or users etc when logging in as administrator! Aaaaaargh!!!

    • Marked as answer by Stephen_Clark Tuesday, September 27, 2016 4:22 PM
    Tuesday, September 27, 2016 4:22 PM
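
The inheritance check described in this answer, scripted as an added example (not code from the thread or from the MIM documentation). It assumes the RSAT ActiveDirectory module is installed; the `MYDOMAIN` prefix, the intermediate OU entries and the `Test User` object are placeholders modelled on the DN quoted in the thread.

```powershell
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Placeholders modelled on the thread; the user CN is hypothetical.
$Account = 'MYDOMAIN\SVC-ADMA'
$Chain = @(
    'OU=DEPARTMENTS,DC=mydomain,DC=org',
    'OU=IT Dept,OU=DEPARTMENTS,DC=mydomain,DC=org',
    'OU=Users,OU=IT Dept,OU=DEPARTMENTS,DC=mydomain,DC=org',
    'CN=Test User,OU=Users,OU=IT Dept,OU=DEPARTMENTS,DC=mydomain,DC=org'
)

# Control access right GUIDs for the two password operations.
$PasswordRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-PasswordDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$Principal)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        (($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
        # An empty GUID means all extended rights, as granted by Full Control.
        ($_.ObjectType -eq [guid]::Empty -or $PasswordRights.ContainsKey($_.ObjectType.ToString()))
    })
    $names = $aces | ForEach-Object {
        if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
        else { $PasswordRights[$_.ObjectType.ToString()] }
    }
    [pscustomobject]@{
        Object            = $DistinguishedName
        BlocksInheritance = $acl.AreAccessRulesProtected   # True = parent ACEs not applied
        Rights            = ($names | Sort-Object -Unique) -join ', '
        Inherited         = ($aces.IsInherited | Sort-Object -Unique) -join ', '
        Scope             = ($aces.InheritanceType | Sort-Object -Unique) -join ', '
    }
}

# Walk from the delegated OU down to the user: the first row with
# BlocksInheritance = True, or the first row with empty Rights, is where to look.
$Chain | ForEach-Object { Get-PasswordDelegation -DistinguishedName $_ -Principal $Account } |
    Format-Table -AutoSize -Wrap
```

A user row with empty `Rights` means the delegation never reached the object, which matches the symptom reported here; the row above it shows whether an OU or the object itself has inheritance disabled.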

All replies

  • Stephen,

    Do you mind telling us where and when this error occurs? 

    What have you done to troubleshoot? Have you looked at any logs, etc.?

    Thanks,

    Nosh


    Nosh Mernacaj, Identity Management Specialist

    Monday, September 19, 2016 3:11 PM
  • Please see following errors from Event Viewer:

    Event 3:

    The web portal received a fault error from the FIM service.
    Details:
    Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
       at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
    Web Portal: FIM Password Reset Portal
    Session Id: 4klimk55lvogjrbapzkfna55
    IP Address: 10.220.81.114

    ----------------------------------

    Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
       at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
       at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
       at System.Web.UI.TemplateControl.OnError(EventArgs e)
       at System.Web.UI.Page.HandleError(Exception e)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.default_aspx.ProcessRequest(HttpContext context)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    --------------------------------------

    The error page was displayed to the user.
    Details:
    Title: Error
    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
    Source: 
    Attributes: 
    Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
       at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    CorrelationId: 
    RequestId: 
    ErrorCode: 3000
    CaughtTime: 09/19/2016 15:57:50

    Web Portal: FIM Password Reset Portal
    Session Id: 4klimk55lvogjrbapzkfna55
    IP Address: 10.220.81.114

    -----------------------------------------

    PWReset Activity's MIIS Password Set call failed with ma-access-denied

    ---------------------------------------------------

    Event ID 2:

    Unable to resolve resource:Microsoft.ResourceManagement.Workflow.Activities.AuthenticationGateActivity.rules.

    ---------------------------------------------------
    Unable to resolve resource:Microsoft.ResourceManagement.Workflow.Activities.PWResetActivity.rules.

    -----------------------------------------

    System.Workflow.ComponentModel.WorkflowTerminatedException: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.

    -----------------------------------------

    System.Workflow.ComponentModel.WorkflowTerminatedException: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.

    Monday, September 19, 2016 3:12 PM
  • Thanks, a little better, but still does not tell us the issue? What is not working?

    Nosh Mernacaj, Identity Management Specialist

    Monday, September 19, 2016 3:13 PM
  • Hi Nosh,

    The error appears after entering the new password on the reset portal (after entering all the security questions etc).

    I've posted the logs from event viewer below and have tried setting the permissions for my mimservice account as described in the following article:

    https://jorgequestforknowledge.wordpress.com/2015/03/08/resolving-the-pwunrecoverableerror-error-with-fim-self-service-password-reset-sspr/

    I get the same error once completing the procedures in this article, so I'm still really confused.

    The only thing I can think of trying next is trying different accounts used to setup the portals, which I'm going to do today.

    Any advice always appreciated.

    Tuesday, September 20, 2016 8:19 AM
  • Stephen,

    The error is pretty clear. "PWReset Activity's MIIS Password Set call failed with ma-access-denied".  Revisit the setup and ensure the access is granted to the account that runs AD MA. 

    Here is the TechNet Documentation for SSPR setup. 

    https://technet.microsoft.com/en-us/library/hh824694(v=ws.10).aspx


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, September 20, 2016 11:33 AM
  • Aah, that's what I was confused with - which account it used. I'll go back and give that a shot and mark this as answered. 

    Apologies for my lack of knowledge here, this is the first time I've worked with any identity software, so it's quite a learning curve.

    Thanks

    Stephen

    Tuesday, September 20, 2016 12:35 PM
  • Hi Stephen,

    Just remember what you are trying to do: reset a password. So the account that runs that process requires the right access for it.

    Nosh


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, September 20, 2016 1:42 PM
  • Hi Nosh,

    Thanks again - still fighting here.

    I've tried every account I've used to configure MIM 2016 and I'm still getting the same ma-access-denied error message.

    I've followed the link you posted above to the letter and still nowhere further.

    Could it be something from within the MIM Portal itself - like a workflow / set or anything like that?

    I'm thinking a call to Microsoft is coming soon :(

    Thanks

    Stephen

    Tuesday, September 20, 2016 2:58 PM
  • Did you follow the guide I sent you? It is important that you follow it step by step.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, September 21, 2016 12:56 AM
  • Yes, I'm going to try again today.

    thanks again.

    Stephen 

    Wednesday, September 21, 2016 8:21 AM
  • Still struggling Stephen?

    That message would be the account that's running the AD management agent that doesn't have permission to reset the AD password of the user who's trying.

    Just a few other things to try, though I'm certain it's that:

    1. Ensure Password Synchronization is Enabled (Sync Service: Tools > Options)
    2. Ensure the MIM Service is a member of MIMSyncBrowse and MIMSyncPasswordSet (these might be domain or local groups).
    3. Check DCOM and WMI permissions.
    4. Check that the AD management agent has password management enabled (Sync Service: Management Agent Properties > Configure Extensions > Enable Password Management).

    Actually definitely check #4 :-)

    If that's still not working, give me a shout.

    Thanks,

    Paul


    • Edited by Paul Green Wednesday, September 21, 2016 3:34 PM
    Wednesday, September 21, 2016 3:33 PM
  • Hello Stephen/Paul,

    The points mentioned by Paul are absolutely correct.

    However, I would like to let you know that I was also facing the same issue with one of the domain users, and I found that the AD MA account must have "RESET Pass" and "CHANGE Pass" permissions on the users OU (provided all the settings mentioned by Paul are there).

    Thank you.

    Regards,

    SUman


    Wednesday, September 21, 2016 3:43 PM
  • Quite right, thanks Suman.

    In addition, read/write userAccountControl and lockoutTime if you want to unlock accounts too, either via MIM SSAU or upon password reset via the checkbox "unlock locked accounts when setting passwords" on that last page of the AD management agent properties.

    Thanks,

    Paul.

    Wednesday, September 21, 2016 4:19 PM
  • Hi Paul,

    Believe it or not, I didn't have the Password Synchronization Enabled as mentioned in point 1 above (Sync Service: Tools > Options).

    I'm still getting the same error.

    I have a feeling it's something to do with the accounts I've used when setting up the software. I have added "svc-mimservice" account and also the account used by the AD Management Agent (SVC-ADMA) in Sync Service Manager to the WMI and DCOM permissions. Should it only be the account that is in the AD Management Agent that I should be assigning to the DCOM/WMI/Active Directory permissions? 

    Regarding Suman's comment, I've checked the security on the OU's and they look correct, however, when I drill down onto a user object, the account isn't showing in the security tab - is this how it should be?

    Appreciate everyone's assistance here. 

    Thursday, September 22, 2016 8:45 AM
  • Hi Suman,

    Thanks for your input here. I'm trying to check these permissions. This is what I am doing:

    1. Go onto my domain controller and open Active Directory

    2. Right click on the OU where I want the permissions to be in place and to propagate down to. Our OU structure is like this, so in my case I right click "DEPARTMENTS":

    OU=Users,OU=IT Dept,OU=DEPARTMENTS,DC=mydomain,DC=org

    3. Select Properties

    4. Security tab

    5. Click Advanced

    6. Select Principal and add the SVC-ADMA domain account which is used for the AD Management Agent

    7. Then I have the following permissions for SVC-ADMA:

    Full Control to "Descendant Group Objects"

    Full Control to "Descendant User Objects"

    Create/delete User objects

    Create/delete Group objects

    8. When I look for the RESET & CHANGE Password options, I can't see them in the list of permissions.

    I feel I'm getting closer to getting this resolved, so I really appreciate all your help with this.

    Thanks

    Stephen

    Thursday, September 22, 2016 9:13 AM
  • Hi Stephen,

    It's the MIM service account you're granting DCOM and WMI permissions to.

    The AD management agent account needs rights to AD.

    You could try adding the AD management agent service account into domain admins, just for testing.

    I'm free after 3pm if you want me to dial in again? :)

    Cheers,

    Paul.

    Thursday, September 22, 2016 10:10 AM
  • Hi Stephen,

    You need to provide permissions to the ADMA account on the "users" container for "change pass". (Go to OU --> Security --> Advanced --> Permissions --> click on Add --> provide your AD MA account --> select the permissions.)

    And then go to the user account and check the "reset pass" and "change pass" permissions for the ADMA account there.

    Hope this helps you.

    Regards,

    SUman

    Thursday, September 22, 2016 12:06 PM
  • Thanks Suman, 

    I've tried to share a screenshot on here, but it says I'm not verified, so here's how the permissions look on the "Users" OU:

    Does this look right? 

    TYPE   PRINCIPAL  ACCESS           INHERITANCE  APPLIES TO
    Allow  SVC-ADMA   Change Password  None         Descendant User objects
    Allow  SVC-ADMA   Reset Password   None         Descendant User objects

    Does this look correct?

    The permissions still haven't passed down to the user object within the OU.

    Very confused.

    Many thanks,

    Stephen

    Thursday, September 22, 2016 2:54 PM
  • Saying that, I've just manually added those permissions on the user object I'm trying to change the password for and the same error occurs.

    Totally lost with this now. 

    Thursday, September 22, 2016 2:58 PM
  • I have done this many many times, and almost every time I have issues on the first run.  My experience has taught me that the best thing to do is go over the guide again and check every step.  Trial and error will take a lot longer.  The guide is pretty good if you follow it.

    Nosh Mernacaj, Identity Management Specialist

    Thursday, September 22, 2016 3:39 PM
  • Hello Stephen,

    No, there is something wrong here. In the "INHERITANCE" field it should actually show something like "OU=department, DC=mydomain,DC=org".

    Sorry, but can you please check your parent OU (Departments) once again and share? It should have the same reset and change pass permissions.

    Regards,

    Suman

    Thursday, September 22, 2016 4:06 PM
  • Thanks Suman, I've now got the inheritance showing as you mentioned by removing and adding the account in again (I followed this https://technet.microsoft.com/en-us/library/ee534892(v=ws.10).aspx) 

    Went all the way through the procedures and still getting the error. 

    I'll keep on going through the steps as Nosh mentioned until I get it working.

    Thanks again. 

    Stephen

    Friday, September 23, 2016 9:05 AM
  • Just out of interest, when installing MIM I decided to use domain security groups during the setup which I created:

    DOMAIN\MIMSyncAdmins, DOMAIN\MIMSyncBrowse etc...

    would this make any difference, as the articles I'm following suggest that the groups are local groups on the MIM server?

    Also, when I'm testing the password reset, I am testing from a browser from a computer which is on a completely different domain - all firewalls are disabled for testing purposes - would this have an effect on the error?

    Friday, September 23, 2016 9:10 AM
  • Hi Stephen,

    Domain groups are fine, and there's no problem with where you access the portal from: it's just HTTP(S) from the browser to the SSPR portal.

    Give me a shout if you want a second pair of eyes.

    You can simulate a password reset using Powershell and WMI to save it being quite so tedious too.

    Cheers,

    Paul.

    Monday, September 26, 2016 3:29 PM
  • Thanks Paul. Yes, I feel I'm losing this battle with MIM now. A second pair of eyes would be great!

    Thanks

    Stephen

    Tuesday, September 27, 2016 8:55 AM
  • Hi Stephen, I MIGHT be able to help you hack it back into the database if you want to save yourself a job.. but I'm stacked for a few days. Thanks Paul
    Tuesday, September 27, 2016 5:49 PM
  • OK appreciated Paul. I'll hang back before uninstalling and reinstalling. I don't want to be taking a lend of you, I know you've done so much for me already!
    Wednesday, September 28, 2016 8:13 AM