Troubleshooting FIM SSPR: Error 3000 and 3004 – not authorized to register for password reset


ENVIRONMENT

  • Forefront Identity Manager 2010 R2
  • Forefront Identity Manager 2010 R2 Self-Service Password Reset
  • Forefront Identity Manager 2010 R2 Self-Service Password Reset Registration Portal

PROBLEM STATEMENT

An end-user attempts to register for Self-Service Password Reset in Forefront Identity Manager 2010 R2. The end-user receives Error 3004 in the UI (Error 3000 is seen in the same scenario and is shown below as well).

ERROR IN USER INTERFACE

ERROR 3004 ON PORTAL PAGE

The error page was displayed to the user.

Details:

Title: Unauthorized User

Message: You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)

Source:

Attributes:

Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Expected authentication.

at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler)

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()

at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()

at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

CorrelationId:

RequestId:

ErrorCode: 3004


ERROR ON PORTAL PAGE

Details:

Title: Error

Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

Source:

Attributes:

Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()

at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()

at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

CorrelationId:

RequestId:

ErrorCode: 3000


TROUBLESHOOTING

While investigating the issue, we reviewed the following to help identify and isolate the cause:

  • Validated that all of the necessary MPRs for SSPR were enabled
  • Validated that the FIMService account is a member of the FIMSyncBrowse and FIMSyncPasswordReset groups, as stated in the SSPR R2 deployment guide
  • Reviewed the Forefront Identity Manager event log
  • Enabled FIM Service tracing

The error is clearly visible in the Forefront Identity Manager event log. In addition, two key pieces of text stand out:

  • Event Log: "HttpContext.Current.User.Identity.Name is Null or Empty"
  • FIM Service Trace: "User unauthorized to register for Password Reset"

The biggest clue was an XPATH query found in the FIM Service trace.

FOREFRONT IDENTITY MANAGER EVENT LOG

EVENT LOG: Forefront Identity Manager

Log Name: Forefront Identity Manager

Source: Microsoft.CredentialManagement.RegistrationPortal

Date: 1/10/2013 10:29:45 AM

Event ID: 3

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Description:

The error page was displayed to the user.

Details:

Title: Error

Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

Source:

Attributes:

Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()

at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()

at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

CorrelationId:

RequestId:

ErrorCode: 3000


EVENT LOG: Forefront Identity Manager


Log Name: Forefront Identity Manager

Source: Microsoft.CredentialManagement.RegistrationPortal

Date: 1/10/2013 10:29:45 AM

Event ID: 3

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Description:

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)

at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()

at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()

at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

--- End of inner exception stack trace ---

at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)

at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)

at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)

at System.Web.UI.TemplateControl.OnError(EventArgs e)

at System.Web.UI.Page.HandleError(Exception e)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

at System.Web.UI.Page.ProcessRequest()

at System.Web.UI.Page.ProcessRequest(HttpContext context)

at ASP.default_aspx.ProcessRequest(HttpContext context)

at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


FIM SERVICE TRACING

FIM Service Trace Log

Microsoft.ResourceManagement Warning: 2 : User unauthorized to register for Password Reset

An unauthorized user initiated a request to register for self-service password reset.

The user's identity was: <domain>\<user name>

Ensure that all users who should be eligible for self-service password reset are members of a set which is referenced by MPR(s) that (1) grant permission to create registration objects for themselves in the FIM Service, and (2) have permission to read password reset resources.

Web Portal: FIM Password Registration Portal


FIM Service Trace Log – XPATH Query

[Screenshot in the original article: the XPATH query captured in the FIM Service trace. The image is not reproduced here.]

The XPATH query captured in the trace was crucial to fixing the issue.

The XPATH query attempts to find a Management Policy Rule (MPR) that is Enabled and whose Requesting Set (PrincipalSet) is the 'Anonymous Users' set. In addition, it checks that the user is a member of that set.

Finally, the MPR being looked for must apply to the 'ResetPassword' attribute of the target resources.

The 'ResetPassword' attribute is a Boolean attribute that is actually changed when a password reset is attempted.
For the query condition ActionParameter = 'ResetPassword' to match, the MPR's target resource attributes must explicitly include this attribute; selecting
'All Attributes' instead sets the ActionParameter to '*', which is why the query does not find the MPR. The only MPR in my environment that fits the above criteria
is the 'Anonymous Users can reset their Password' MPR.
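The same check can be scripted so the MPR does not have to be inspected by hand in the portal, and rerun after the fix below to confirm it. This is an added example, not code from the original article or from Microsoft; it uses the FIMAutomation snap-in's Export-FIMConfig cmdlet and assumes the set is named 'Anonymous Users' as on this page and that the FIM Service is reachable on the local host.

```powershell
# Added example, not from the original article. Read-only check that mirrors the
# XPATH logic described above: find enabled MPRs whose requesting set is
# 'Anonymous Users' and report whether ActionParameter names ResetPassword or
# is the '*' wildcard that 'All Attributes' produces.
# Assumes the FIMAutomation snap-in is installed and the FIM Service is local.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Helper: read one attribute (single- or multi-valued) from an exported object.
function Get-FimAttr {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# ObjectID of the requesting set (exported as a 'urn:uuid:...' string).
$set = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set[DisplayName='Anonymous Users']"
if (-not $set) { throw "Set 'Anonymous Users' not found in the FIM Service" }
$setId = Get-FimAttr $set 'ObjectID'

# Walk every MPR and apply the same three conditions the trace query uses.
$mprs = Export-FIMConfig -OnlyBaseResources -CustomConfig "/ManagementPolicyRule"
foreach ($mpr in $mprs) {
    if ((Get-FimAttr $mpr 'Disabled') -eq 'True') { continue }      # must be enabled
    if ((Get-FimAttr $mpr 'PrincipalSet') -ne $setId) { continue }   # requesting set
    $name   = Get-FimAttr $mpr 'DisplayName'
    $params = @(Get-FimAttr $mpr 'ActionParameter')
    if ($params -contains 'ResetPassword') {
        "OK   : '$name' explicitly targets ResetPassword"
    } elseif ($params -contains '*') {
        "FIX  : '$name' uses All Attributes ('*'); SSPR registration will fail with Error 3004"
    } else {
        "INFO : '$name' targets $($params -join ', ')"
    }
}
```

After applying the Resolution steps, the 'Anonymous Users can reset their Password' MPR should move from the FIX line to the OK line.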


CAUSE

The error occurs because, in this case, Resource Attributes on the Target Resources tab of the MPR was set to 'All Attributes'.

Incorrect Setup for the MPR


RESOLUTION

  1. In the MPR 'Anonymous users can reset their password', click Target Resources.
  2. Set Resource Attributes to 'Select specific attributes'.
  3. In 'Rule applies to selected attributes', type Reset Password.
  4. Click the green check mark to the right to validate.
  5. Click Finish, and then Submit to submit the change.

Correct Setup for the MPR

Revision comment: Peter Geelen - MSFT edited Revision 2. Comment: more condensed title