SSPR: Password Reset Registration: "An error was encountered. Please call helpdesk or your system."

Recently I worked an issue involving the FIM 2010 Self-Service Password Reset (SSPR) product.  It took me a bit of time to locate the problem, and we had to check several things before we were able to resolve the issue.  We were receiving the error “An error was encountered.  Please call helpdesk or your system administrator for further assistance.”

 

In troubleshooting an SSPR issue, I always start with the Password Reset Deployment Guide.  I go through each of the sections in there to ensure that I have the needed MPRs enabled, DCOM and WMI security set, etc.

Once we went through the Password Reset Deployment Guide, we validated the settings for the resourceManagementServiceBaseAddress and the externalHostName attributes in the %programfiles%\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.Exe.Config file.
These settings need to be the machine name of the server where the FIM Service is installed.  You can view these settings through the following steps:

  1. Open the Microsoft.ResourceManagement.Service.Exe.Config file
  2. Search for resourceManagementClient
  3. Review the resourceManagementServiceBaseAddress and externalHostName settings and ensure that each is set to just the machine name.

In the issue that I was working, the file contained something similar to the following.

Incorrect Setting
    <resourceManagementClient resourceManagementServiceBaseAddress="http://machinename/" />
    <resourceManagementService externalHostName="http://machinename/" />

Correct Setting
    <resourceManagementClient resourceManagementServiceBaseAddress="machine name only" />
    <resourceManagementService externalHostName="machine name only"/>

Now that we had validated the FIM Service configuration file, we checked the web.config file under C:\Inetpub\wwwroot\wss\VirtualDirectories\80.  The goal here is to confirm that the resourceManagementServiceBaseAddress is correct.  It should be http://machinename:5725/, which is the FIM Service.

  1. Open the web.config file
  2. Search for resourceManagementServiceBaseAddress
  3. Ensure that it is http://machinename:5725/
  4. If it is not the correct value, then fix it, and execute an IISRESET

In the issue that I was working, we found that the resourceManagementServiceBaseAddress contained an additional http:// at the beginning of http://machinename:5725/.

Invalid Setting

    <resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />

Correct Setting
    <resourceManagementClient resourceManagementServiceBaseAddress="http://machinename:5725/" timeoutInMilliseconds="60000" />
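
Both configuration checks above can be scripted. The PowerShell below is an added example, not part of the original article: the XML fragments are constructed from the article's samples, `Test-FimAttribute` is a hypothetical helper, and the machine-name pattern (letters, digits and hyphens only) is an assumption about what "machine name only" permits.

```powershell
# Constructed samples: the broken values the article describes, plus one corrected
# Service config. "machinename" is the article's own placeholder.
$serviceBad = [xml]@'
<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="http://machinename/" />
  <resourceManagementService externalHostName="http://machinename/" />
</configuration>
'@
$serviceGood = [xml]@'
<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="machinename" />
  <resourceManagementService externalHostName="machinename" />
</configuration>
'@
$portalBad = [xml]@'
<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />
</configuration>
'@

# Service config: machine name only (assumed pattern: no scheme, slash, dot or port).
$bareHost  = '^[A-Za-z0-9-]+$'
# Portal web.config: the exact form the article gives, http://machinename:5725/
$portalUrl = '^http://[A-Za-z0-9-]+:5725/$'

function Test-FimAttribute {
    param([xml]$Config, [string]$Element, [string]$Attribute, [string]$Pattern, [string]$Source)
    # Locate the element anywhere in the file; a missing element or attribute fails the check.
    $node  = $Config.SelectSingleNode("//$Element")
    $value = if ($node) { $node.GetAttribute($Attribute) } else { $null }
    New-Object PSObject -Property @{
        Source  = $Source
        Setting = "$Element/@$Attribute"
        Value   = $value
        Valid   = [bool]($value -match $Pattern)
    } | Select-Object Source, Setting, Value, Valid
}

$results = @(
    Test-FimAttribute $serviceBad  'resourceManagementClient'  'resourceManagementServiceBaseAddress' $bareHost  'Service config (broken)'
    Test-FimAttribute $serviceBad  'resourceManagementService' 'externalHostName'                     $bareHost  'Service config (broken)'
    Test-FimAttribute $serviceGood 'resourceManagementClient'  'resourceManagementServiceBaseAddress' $bareHost  'Service config (fixed)'
    Test-FimAttribute $serviceGood 'resourceManagementService' 'externalHostName'                     $bareHost  'Service config (fixed)'
    Test-FimAttribute $portalBad   'resourceManagementClient'  'resourceManagementServiceBaseAddress' $portalUrl 'web.config (broken)'
)
$results | Format-Table -AutoSize
```

To check a live server, replace the here-strings with `[xml](Get-Content <path>)` for the two files named above.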

We then pressed on to confirm Anonymous Authentication in SharePoint Central Administration.  This should be checked so that people are able to reset their passwords.  In the issue that I was working, this was not enabled.

  1. Start > Administrative Tools > SharePoint 3.0 Central Administration
  2. Select Application Management then Default
  3. Check the Enable anonymous access
  4. Click Save.

Since we were experiencing problems with the Password Reset Client, we investigated the SiteLock key.  In the issue, we were using a DNS Alias to access the FIM Portal.  I was able to spot the DNS Alias in the SiteLock key, but not the machine name.  We added the machine name to the SiteLock.

  1. Open the Registry
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet
  3. Double click on SiteLock to edit it
  4. Add the following to the end: ; machine name
  5. Click Ok

 We were still receiving the following error message in the Forefront Identity Manager Event Log.

System.ServiceModel: System.ServiceModel.CommunicationObjectFaultedException: The communication object, Microsoft.ResourceManagement.Workflow.Hosting.ResourceManagementWorkflowServiceHost, cannot be used for communication because it is in the Faulted state.
   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.CloseServiceHosts(IList`1 workflowServiceHosts)
   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.RetrieveWorkflowDataForHostActivator()
   at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.UpdateServiceHosts(Object source, ElapsedEventArgs e)
 
We then checked Internet Information Server (IIS) to see how the authentication settings were set.  In checking these settings, we noticed that the Enable Kernel-mode authentication box was checked.  We cleared this check box and restarted the Password Reset Client Service.  The Password Reset client began to work.

  1. Open IIS
  2. Expand Sites and select SharePoint-80
  3. Double click on Authentication
  4. Select Windows Authentication
  5. Under the Actions menu on the right, select Advanced Settings
  6. Ensure that the Enable Kernel-mode authentication is not checked and click Ok
  7. Execute an IISRESET
  8. Open an Administrative Command-Prompt
  9. Type IISRESET and press ENTER
  10. Restart the Forefront Password Reset Client via the Services Console.

Comments
  • Ed Price - MSFT edited Revision 4. Comment: Quotes for error messages that appear in titles