Environment 

  • Forefront Identity Manager 2010 R2
  • Remote SQL Server
  • Using a SQL Server Alias 

Overview

Attempting to reset a password via the Self-Service Password Reset (SSPR) feature of FIM 2010 R2, we receive an error 3000 and are not able to reset the password. Reviewing the Application Event Log, we see the following "Access Denied" message.

APPLICATION EVENT LOG

mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)


FIM SERVICE TRACE LOG

WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='DOM' AND Account='user1') or (FullyQualifiedDomain='DOM' AND Account=' user1') or (Domain='DOM' AND UserPrincipalName='user1') or (FullyQualifiedDomain='DOM' AND UserPrincipalName='user1')

Cause

From the WQL statement, we can see that we are accessing SQL Server. In this case, we were using a SQL Server Alias to connect to the backend SQL Server. The SQL Server Alias was configured incorrectly.

Resolution

SQL Alias

Fixed the SQL Server Alias to reference the correct SQL Server.

Alternate Cause and Resolution (added by Carol Wapshere)

In this case, this was because the MIM Service account had "Deny access to this computer from the network" configured for the MIM Sync server. This was only done because it is the recommendation in the MIM installation instructions here: https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/prepare-server-ws2012r2

To verify access to WMI:
1. On the MIM Service server, run WBEMTEST as the MIM Service account
2. Test if you can connect to \\MIMSyncServer\root\MicrosoftIdentityIntegrationServer

In this case, we got the Access Denied error when attempting to connect as the MIM Service account, whereas using our own admin account we could connect fine. After revoking the "Deny access to this computer from the network" limitation on the MIM Service account, the WMI test was successful, and SSPR was also successful.
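The WBEMTEST check above, as an added PowerShell example that is not part of the original article or of the FIM/MIM product: it opens the same WMI namespace on the Sync server and runs the same WQL the trace log shows. It assumes the server name MIMSyncServer and the DOM\user1 sample from the trace log, and it must be run in a session started as the MIM Service account (the identity SSPR uses), since running it as your own admin account tests the wrong identity.

```powershell
# Added example, not from the original article: a PowerShell equivalent of the
# WBEMTEST check. Run it in a session started as the MIM Service account
# (e.g. runas /user:DOM\svc-mimservice powershell.exe; account name is hypothetical).
param(
    [string]$SyncServer = 'MIMSyncServer',   # assumed server name, replace with yours
    [string]$Domain     = 'DOM',             # sample values from the trace log above
    [string]$Account    = 'user1'
)

$Namespace = 'root\MicrosoftIdentityIntegrationServer'

# The WQL the FIM Service issues from ResetPasswordHelper (see trace log), with the
# sample values substituted in.
$Wql = "SELECT * FROM MIIS_CSObject WHERE (Domain='$Domain' AND Account='$Account') " +
       "OR (FullyQualifiedDomain='$Domain' AND Account='$Account') " +
       "OR (Domain='$Domain' AND UserPrincipalName='$Account') " +
       "OR (FullyQualifiedDomain='$Domain' AND UserPrincipalName='$Account')"

Write-Host "Testing as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

try {
    # Step 1: open the namespace on the Sync server (what WBEMTEST 'Connect' does).
    # MIIS_Server is a class the Sync Service WMI provider exposes in this namespace.
    $null = Get-WmiObject -ComputerName $SyncServer -Namespace $Namespace `
                          -Class MIIS_Server -ErrorAction Stop
    Write-Host "Namespace $Namespace on $SyncServer is reachable."

    # Step 2: run the query the password reset code path runs.
    $cs = Get-WmiObject -ComputerName $SyncServer -Namespace $Namespace `
                        -Query $Wql -ErrorAction Stop
    if ($cs) {
        Write-Host ("Found {0} MIIS_CSObject(s) for {1}\{2}" -f @($cs).Count, $Domain, $Account)
    } else {
        Write-Warning "Connected, but no MIIS_CSObject matched $Domain\$Account."
    }
}
catch {
    # 0x80070005 (E_ACCESSDENIED) is the HRESULT the Application Event Log shows.
    if (('{0:X8}' -f $_.Exception.HResult) -eq '80070005') {
        Write-Error ("Access denied connecting to WMI on $SyncServer as this account. " +
                     "Check 'Deny access to this computer from the network' and " +
                     "DCOM/WMI namespace permissions for the MIM Service account.")
    } else {
        Write-Error ("WMI test failed: {0}" -f $_.Exception.Message)
    }
}
```

If step 1 succeeds as your admin account but fails as the Service account, the problem is the account's logon rights or WMI/DCOM permissions rather than the FIM configuration, which matches both causes described on this page.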