Troubleshooting FIM: SSPR-Error 3000-pwUnrecoverable

PROBLEM STATEMENT

When attempting Self-Service Password reset, a user sees an Error 3000 after answering lockout gate questions and entering a new password.

Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

Source:

Attributes:

Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError

   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()

   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)

   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)

   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

CorrelationId:

RequestId:

ErrorCode: 3000

Enabling FIM Service tracing and reproducing the issue shows the FIM Service throwing an access denied error, preceded by a WQL query for the user attempting the password reset. The WQL query looks something like:

WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='CONTOSO' AND Account='TestUser') or (FullyQualifiedDomain='CONTOSO' AND Account='TestUser') or (Domain='CONTOSO' AND UserPrincipalName='TestUser') or (FullyQualifiedDomain='CONTOSO' AND UserPrincipalName='TestUser') 

Followed by an access denied error:

System.Management: System.Management.ManagementException: Access denied

   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

   at System.Management.ManagementScope.InitializeGuts(Object o)

   at System.Management.ManagementScope.Initialize()

   at System.Management.ManagementObjectSearcher.Initialize()

   at System.Management.ManagementObjectSearcher.Get()

   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

RESOLUTION

1. Make sure the synchronizationServerName key in the Microsoft.ResourceManagement.Service.exe.config file (default location: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service) holds the correct name of the currently active FIM Synchronization Service node (if you have one, make sure it correctly points to the FIM Synchronization Service server). The value is stored in the following line:
<add key="synchronizationServerName" value="FIMSynchronizationServerNode" />
2. Place the FIMSERVICE account in the appropriate FIMSyncBrowse group that was designated during installation of the FIM Synchronization Service.
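The following PowerShell check walks both resolution steps and then reruns the traced WQL query outside the portal; it is an added example, not part of the original article or of FIM itself. It assumes the default config path, that it runs on the FIM Service server under the FIM Service account, that the connector-space classes live in the root\MicrosoftIdentityIntegrationServer WMI namespace, and that CONTOSO/TestUser are the constructed sample values from the trace.

```powershell
# Added diagnostic, not part of the original article. Assumes the default config path,
# that this runs on the FIM Service server under the FIM Service account, and that the
# connector-space WMI classes live in root\MicrosoftIdentityIntegrationServer.
param(
    [string]$ConfigPath  = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config',
    [string]$BrowseGroup = 'FIMSyncBrowse',   # local group on the Sync server, named at install time
    [string]$Domain      = 'CONTOSO',         # constructed sample values, as in the traced WQL
    [string]$Account     = 'TestUser'
)

# Step 1: which Sync Service node does the FIM Service think it should talk to?
[xml]$cfg = Get-Content -Path $ConfigPath -ErrorAction Stop
$syncNode = ($cfg.configuration.appSettings.add |
             Where-Object { $_.key -eq 'synchronizationServerName' }).value
if (-not $syncNode) { throw "synchronizationServerName not set in $ConfigPath" }
Write-Host "synchronizationServerName = $syncNode"
if (-not (Test-Connection -ComputerName $syncNode -Count 1 -Quiet)) {
    Write-Warning "$syncNode does not answer; confirm it is the currently active Sync node."
}

# Step 2: is the account running the FIM Service in the browse group on that node?
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
$group   = [ADSI]"WinNT://$syncNode/$BrowseGroup,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -contains ($me -split '\\')[-1]) {
    Write-Host "$me is a member of $BrowseGroup on $syncNode"
} else {
    Write-Warning "$me is NOT in $BrowseGroup on $syncNode (members: $($members -join ', '))"
}

# Reproduce the FIM Service's lookup directly: the same WQL the trace showed, run as
# this identity. 'Access denied' here is what surfaces in the portal as Error 3000.
$wql = "SELECT * FROM MIIS_CSObject WHERE (Domain='$Domain' AND Account='$Account') " +
       "OR (FullyQualifiedDomain='$Domain' AND Account='$Account') " +
       "OR (Domain='$Domain' AND UserPrincipalName='$Account') " +
       "OR (FullyQualifiedDomain='$Domain' AND UserPrincipalName='$Account')"
try {
    $cs = @(Get-WmiObject -ComputerName $syncNode -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                          -Query $wql -ErrorAction Stop)
    Write-Host "WQL succeeded: $($cs.Count) connector-space object(s) for $Domain\$Account"
} catch {
    if ($_.Exception.Message -match 'denied') {
        Write-Warning "Access denied on $syncNode for $me; add the account to $BrowseGroup and restart the FIM Service."
    } else { throw }
}
```

Run it in an elevated session on the FIM Service server; group membership changes on the Sync server only take effect for the service after it is restarted, so rerun the script after the restart to confirm the WQL query now succeeds.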