An issue involving the FIM 2010 Self-Service Password Reset (SSPR) product.
We were receiving “An error was encountered. Please call helpdesk or your system administrator for further assistance.”
In troubleshooting an SSPR issue, always start with the Password Reset Deployment Guide. Go through each of its sections to ensure that you have the needed MPRs enabled, DCOM and WMI security set, etc.
Once we went through the Password Reset Deployment Guide, we validated the settings for the resourceManagementServiceBaseAddress and the externalHostName attributes in the %programfiles%\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.Exe.Config file.
These settings need to be the machine name of where the FIM Service is installed. You can view these settings through the following steps:
In the issue that I was working on, we had something similar to what is documented below.
<resourceManagementClient resourceManagementServiceBaseAddress="http://machinename/" />
<resourceManagementClient resourceManagementServiceBaseAddress="machine name only" />
<resourceManagementService externalHostName="machine name only"/>
Now that we had validated the FIM Service configuration file, we checked the web.config file under C:\Inetpub\wwwroot\wss\VirtualDirectories\80. The goal here is to confirm that the resourceManagementServiceBaseAddress is correct. It should be http://machinename:5725/, which is the FIM Service.
In the issue that I was working on, we found that the resourceManagementServiceBaseAddress contained an additional http:// at the beginning of the
<resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />
<resourceManagementClient resourceManagementServiceBaseAddress="http://machinename:5725/" timeoutInMilliseconds="60000" />
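One way to catch this kind of typo before it reaches production is to parse the attribute as a URI and check its parts. The script below is an added example, not part of the original write-up or of FIM itself; the function name Test-FimBaseAddress and the inline sample XML are constructed for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: validates resourceManagementServiceBaseAddress in a portal web.config.
# Expected form, per this page: http://machinename:5725/
function Test-FimBaseAddress {
    param(
        [Parameter(Mandatory)] [xml]$Config,
        [int]$ExpectedPort = 5725   # FIM Service port given on this page
    )
    $nodes = $Config.SelectNodes('//resourceManagementClient')
    if ($nodes.Count -eq 0) {
        return [pscustomobject]@{ Value = $null; Ok = $false
                                  Problems = 'no resourceManagementClient element found' }
    }
    foreach ($node in $nodes) {
        $value    = $node.GetAttribute('resourceManagementServiceBaseAddress')
        $problems = @()
        $uri      = $null
        if (-not [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
            $problems += 'not an absolute URI'
        } else {
            # A doubled prefix such as http://http//host:5725 still parses as a
            # URI, so the individual components have to be checked.
            if ($uri.Scheme -ne 'http')       { $problems += "scheme is '$($uri.Scheme)', expected http" }
            if ($uri.Port -ne $ExpectedPort)  { $problems += "port is $($uri.Port), expected $ExpectedPort" }
            if ($uri.AbsolutePath -ne '/')    { $problems += "unexpected path '$($uri.AbsolutePath)'" }
            if ($uri.Host -in 'http','https') { $problems += "host parsed as '$($uri.Host)' (doubled scheme prefix)" }
        }
        [pscustomobject]@{ Value = $value; Ok = ($problems.Count -eq 0)
                           Problems = ($problems -join '; ') }
    }
}

# Constructed samples mirroring the broken and corrected lines shown above.
$broken = [xml]@'
<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />
</configuration>
'@
$fixed = [xml]@'
<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="http://machinename:5725/" timeoutInMilliseconds="60000" />
</configuration>
'@

Test-FimBaseAddress -Config $broken | Format-List
Test-FimBaseAddress -Config $fixed  | Format-List
```

To run it against the real file, load it with `[xml](Get-Content -Raw 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config')` and pass the result as -Config.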
We then pressed on to confirm Anonymous Authentication in SharePoint Central Administration. This should be checked so that people are able to reset their passwords. In the issue that I was working on, this was not enabled.
Since we were experiencing problems with the Password Reset Client, we investigated the SiteLock key. In the issue, we were using a DNS alias to access the FIM Portal. I was able to spot the DNS alias in the SiteLock key, but not the machine name. We added the machine name to the SiteLock.
We were still receiving the following error message in the Forefront Identity Manager Event Log.
System.ServiceModel: System.ServiceModel.CommunicationObjectFaultedException: The communication object, Microsoft.ResourceManagement.Workflow.Hosting.ResourceManagementWorkflowServiceHost, cannot be used for communication because it is in the Faulted state.
at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.CloseServiceHosts(IList`1 workflowServiceHosts)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.UpdateServiceHosts(Object source, ElapsedEventArgs e)
We then checked Internet Information Server (IIS) to see how the authentication settings were set. In checking these settings, we noticed that Enable Kernel-mode authentication was checked. We cleared this check box and restarted the Password Reset Client Service. The Password Reset client began to work.