Environment

  • Forefront Identity Manager 2010 R2
  • Remote SQL Server
  • Using a SQL Server Alias

Overview

When attempting to reset a password via the Self-Service Password Reset (SSPR) feature of FIM 2010 R2, we receive error 3000 and are unable to reset the password. Reviewing the Application Event Log, we see the following "Access Denied" message.

APPLICATION EVENT LOG

mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

FIM SERVICE TRACE LOG

WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='DOM' AND Account='user1') or (FullyQualifiedDomain='DOM' AND Account=' user1') or (Domain='DOM' AND UserPrincipalName='user1') or (FullyQualifiedDomain='DOM' AND UserPrincipalName='user1')


Cause

The WQL statement shows that the password reset is accessing SQL Server. In this case a SQL Server Alias was used to connect to the backend SQL Server, and that alias was configured incorrectly.

Resolution

Fix the SQL Server Alias so that it references the correct SQL Server.
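As an added check (not part of the original article), the following PowerShell script lists the SQL Server client aliases defined on the FIM Service server and, for each one, opens a connection through the alias as the current Windows account and reports which instance actually answers. The two registry paths are the standard alias locations for the 64-bit and 32-bit SQL client stacks; the alias names, hosts and ports it prints are simply whatever is configured on the machine, and the function names are this example's own.

```powershell
# Added diagnostic (not from the original article): enumerate SQL Server client
# aliases on this server and verify where each one actually connects.
# Aliases are stored as REG_SZ values "DBMSSOCN,<host>,<port>" (TCP) or
# "DBNMPNTW,<pipe>" (named pipes) under ConnectTo. The 64-bit and 32-bit client
# stacks each read their own key, so an alias corrected in only one of them can
# still be wrong for the service process that uses the other.

$aliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'              # 64-bit client stack
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'  # 32-bit client stack
)

function Get-SqlAlias {
    # Returns one object per alias found under the given registry key.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return }
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* provider metadata and the DSQUERY default-library entry
        if ($p.Name -like 'PS*' -or $p.Name -eq 'DSQUERY') { continue }
        $parts  = ([string]$p.Value) -split ','
        $target = $(if ($parts.Count -ge 2) { $parts[1] } else { '' })
        $port   = $(if ($parts.Count -ge 3 -and $parts[2]) { [int]$parts[2] } else { 1433 })
        [pscustomobject]@{
            Key      = $Key
            Alias    = $p.Name
            Protocol = $parts[0]
            Target   = $target
            Port     = $port
        }
    }
}

function Test-SqlAlias {
    # Opens a connection through the alias (Windows auth, current account) and
    # returns the @@SERVERNAME of whatever instance the alias resolved to, or
    # $null if the connection failed. Resolution uses the alias key matching the
    # bitness of this PowerShell process.
    param([string]$Alias)
    $cs   = "Server=$Alias;Integrated Security=True;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        return [string]$cmd.ExecuteScalar()
    } catch {
        Write-Warning "Alias '$Alias': connection failed - $($_.Exception.Message)"
        return $null
    } finally {
        $conn.Dispose()
    }
}

foreach ($key in $aliasKeys) {
    $aliases = @(Get-SqlAlias -Key $key)
    if ($aliases.Count -eq 0) { Write-Host "No aliases under $key"; continue }
    foreach ($a in $aliases) {
        Write-Host ("Alias '{0}' -> {1} {2}:{3}  ({4})" -f $a.Alias, $a.Protocol, $a.Target, $a.Port, $a.Key)
        if ($a.Protocol -eq 'DBMSSOCN') {
            # TCP alias: confirm the host/port the alias names is even listening
            $tcp = Test-NetConnection -ComputerName $a.Target -Port $a.Port -WarningAction SilentlyContinue
            Write-Host ("  TCP {0}:{1} reachable: {2}" -f $a.Target, $a.Port, $tcp.TcpTestSucceeded)
        }
        $answered = Test-SqlAlias -Alias $a.Alias
        if ($answered) { Write-Host "  Alias answers as @@SERVERNAME = $answered" }
    }
}
```

Run it from an elevated 64-bit PowerShell on the FIM Service server; if the @@SERVERNAME printed for an alias is not the SQL Server that hosts the FIM databases, that alias is the one to correct.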


Alternate Cause and Resolution (added by Carol Wapshere)

In my case this was because the MIM Service account had "Deny access to this computer from the network" configured for the MIM Sync server, which was only done because it is the recommendation in the MIM installation instructions here: https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/prepare-server-ws2012r2

To verify access to WMI:
1. On the MIM Service server, run WBEMTEST as the MIM Service account
2. Test if you can connect to \\MIMSyncServer\root\MicrosoftIdentityIntegrationServer

In my case I got Access Denied when attempting to connect as the MIM Service account, whereas using my own admin account I could connect fine. After revoking the "Deny access to this computer from the network" limitation on the MIM Service account the WMI test was then successful, and SSPR was also successful.
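The WBEMTEST check above can be scripted so that it reproduces the exact lookup SSPR performs and tells an Access Denied apart from a simple "no connector space object" result. The following PowerShell is an added example, not code from the original article or from the product: it connects to the Sync server's root\MicrosoftIdentityIntegrationServer namespace and runs the same four-clause MIIS_CSObject query that appears in the FIM Service trace log. The server, domain and account values are placeholders, and the function name is this example's own.

```powershell
# Added diagnostic (not from the original article): reproduce the SSPR lookup
# against the Sync server's WMI namespace and classify the outcome.
# Run it on the MIM/FIM Service server under the MIM Service account, e.g.
#   runas /user:DOM\<service-account> "powershell.exe -File Test-MimWmi.ps1 -SyncServer MIMSyncServer"
# $SyncServer, $Domain and $Account are placeholders; replace them with your values.
param(
    [string]$SyncServer = 'MIMSyncServer',
    [string]$Domain     = 'DOM',
    [string]$Account    = 'user1'
)

$namespace = 'root\MicrosoftIdentityIntegrationServer'
$whoami    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Same four-clause query the FIM Service writes to its trace log
$wql = "SELECT * FROM MIIS_CSObject WHERE (Domain='$Domain' AND Account='$Account') " +
       "OR (FullyQualifiedDomain='$Domain' AND Account='$Account') " +
       "OR (Domain='$Domain' AND UserPrincipalName='$Account') " +
       "OR (FullyQualifiedDomain='$Domain' AND UserPrincipalName='$Account')"

function Test-MimSyncWmi {
    # Returns 'ok', 'not-found', 'access-denied' or 'error' for the query outcome.
    param([string]$Server, [string]$Namespace, [string]$Query)
    try {
        $objs = @(Get-WmiObject -ComputerName $Server -Namespace $Namespace -Query $Query -ErrorAction Stop)
        if ($objs.Count -gt 0) { return 'ok' } else { return 'not-found' }
    } catch {
        $ex = $_.Exception
        # Remote WMI goes over DCOM; a logon-right or DCOM permission problem
        # surfaces as 0x80070005 (E_ACCESSDENIED), the HRESULT in the Application log.
        $hr = $ex.HResult -band 0xFFFFFFFF
        if ($ex -is [System.UnauthorizedAccessException] -or $hr -eq 0x80070005 -or $ex.Message -match 'Access is denied') {
            return 'access-denied'
        }
        Write-Warning "WMI query failed: $($ex.Message)"
        return 'error'
    }
}

Write-Host "Testing \\$SyncServer\$namespace as $whoami"
$result = Test-MimSyncWmi -Server $SyncServer -Namespace $namespace -Query $wql

switch ($result) {
    'ok'            { Write-Host "OK: connector space object for $Domain\$Account returned" }
    'not-found'     { Write-Host "Namespace reachable, but no MIIS_CSObject matched $Domain\$Account (check the query values, not permissions)" }
    'access-denied' { Write-Warning "Access Denied as $whoami. Check whether this account is assigned 'Deny access to this computer from the network' on $SyncServer and compare with an account that can connect." }
    default         { Write-Warning "Unexpected failure; see the message above" }
}
```

Running the script twice, once as the MIM Service account and once as an administrator who is known to work, reproduces the comparison described above: a result of access-denied for the service account and ok or not-found for the admin account points at the account's rights on the Sync server rather than at the query itself.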