An end-user attempts to register for Self-Service Password Reset in Forefront Identity Manager 2010 R2. The end-user receives Error 3004 in the UI.
ERROR 3004 ON PORTAL PAGE
The error page was displayed to the user.
Details:
Title: Unauthorized User
Message: You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)
Source:
Attributes:
Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Expected authentication.
at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)
at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3004
ERROR ON PORTAL PAGE
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)
ErrorCode: 3000
While investigating the issue, we reviewed the following log information to identify and isolate the cause.
The error is clearly visible in the Forefront Identity Manager event log, which also contains some useful pieces of text.
The biggest clue, however, came from an XPath query found in the FIM Service trace.
EVENT LOG: Forefront Identity Manager
Log Name: Forefront Identity Manager
Source: Microsoft.CredentialManagement.RegistrationPortal
Date: 1/10/2013 10:29:45 AM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
--- End of inner exception stack trace ---
at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
at System.Web.UI.TemplateControl.OnError(EventArgs e)
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.default_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
FIM SERVICE TRACING
FIM Service Trace Log
Microsoft.ResourceManagement Warning: 2 : User unauthorized to register for Password Reset
An unauthorized user initiated a request to register for self-service password reset.
The user's identity was: <domain>\<user name>
Ensure that all users who should be eligible for self-service password reset are members of a set which is referenced by MPR(s) that (1) grant permission to create registration objects for themselves in the FIM Service, and (2) have permission to read password reset resources.
Web Portal: FIM Password Registration Portal
FIM Service Trace Log – XPATH Query
The XPath query captured in the FIM Service trace was crucial to fixing the issue.
The query looks for a Management Policy Rule (MPR) that is enabled, whose requesting set (PrincipalSet) is the 'Anonymous Users' set, and whose requesting set the user is a member of.
Finally, the MPR must apply to the 'ResetPassword' attribute of the target resources.
The 'ResetPassword' attribute is a Boolean attribute that is actually changed when a password reset is attempted. Because the query matches on ActionParameter = 'ResetPassword', the attribute list on the MPR's Target Resources tab has to include this attribute explicitly; selecting 'All Attributes' stores the ActionParameter as '*', which the query does not match. The only MPR in my environment that fits the above criteria is the 'Anonymous Users can reset their Password' MPR.
The reason we received this error is that, in this case, the Resource Attributes setting on the Target Resources tab of that MPR was set to All Attributes rather than to the specific 'ResetPassword' attribute.
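A quick way to check for this misconfiguration from the FIM Service host, as an added example that is not part of the original article: the script below uses the FIMAutomation snap-in to export every MPR whose requesting set is 'Anonymous Users' and reports whether its ActionParameter lists 'ResetPassword' explicitly or is '*' (All Attributes). The service URI and the set display name are assumptions; adjust them for your environment.

```powershell
# Added diagnostic script, not code from the original article. Assumes the FIMAutomation
# snap-in is installed and that the FIM Service is reachable at the URI below.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
$uri = "http://localhost:5725/ResourceManagementService"   # assumption: local FIM Service

# Flatten an exported resource into a hashtable of attribute name -> value(s).
function ConvertTo-AttributeTable($exported) {
    $t = @{}
    foreach ($a in $exported.ResourceManagementObject.ResourceManagementAttributes) {
        $t[$a.AttributeName] = if ($a.IsMultiValue) { $a.Values } else { $a.Value }
    }
    return $t
}

# Step 1: resolve the 'Anonymous Users' set, since PrincipalSet is a reference attribute.
$set = Export-FIMConfig -Uri $uri -OnlyBaseResources `
           -CustomConfig "/Set[DisplayName='Anonymous Users']" | Select-Object -First 1
if (-not $set) { throw "Set 'Anonymous Users' was not found in the FIM Service." }
$setId = (ConvertTo-AttributeTable $set)['ObjectID'] -replace '^urn:uuid:', ''

# Step 2: export every MPR whose requesting set (PrincipalSet) is that set.
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources `
            -CustomConfig "/ManagementPolicyRule[PrincipalSet='$setId']"

foreach ($mpr in $mprs) {
    $m = ConvertTo-AttributeTable $mpr
    # Same conditions the registration lookup applies: the MPR is enabled and grants rights.
    if ($m['Disabled'] -eq 'True' -or $m['GrantRight'] -ne 'True') { continue }
    $params  = @($m['ActionParameter'])
    $verdict = if ($params -contains 'ResetPassword') { 'OK: ResetPassword listed explicitly' }
               elseif ($params -contains '*')         { 'PROBLEM: All Attributes (*) selected' }
               else                                    { 'n/a: does not target ResetPassword' }
    "{0,-55} {1}" -f $m['DisplayName'], $verdict
}
```

An MPR reported as PROBLEM is the one to fix: open its Target Resources tab and replace All Attributes with the ResetPassword attribute.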
Figure: Incorrect setup for the MPR (Resource Attributes set to All Attributes)
Figure: Correct setup for the MPR (Resource Attributes set to the ResetPassword attribute)
Peter Geelen - MSFT edited Revision 2. Comment: more condensed title