FIM Quick Troubleshooter: SSPR Registration: Error 3004 – not authorized to register for password reset

Purpose

This quick troubleshooter is meant to aid in the deployment of FIM Self-Service Password Reset.  There are many configuration changes that need to be made for SSPR to function properly, and these are well-documented in the SSPR Deployment Guide (see References below).  It is expected that the individual referencing this troubleshooter has an intermediate knowledge of FIM.

Issue

A user is attempting to register for password reset, and is hitting Error 3004.  

Details:

Title: Unauthorized User

Message: You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004)

Quick Troubleshooter

1. Verify the user is in the "Password Reset Users" set.

2. Verify the "Password Reset Users" set is a member of the "Password Reset Objects" set.  This is particularly important to check when using non-default sets for Password Reset.

3. Verify the following Management Policy Rules are enabled (default settings are listed below each MPR):

  • Password Reset Users can read Password Reset Objects
    • Requestors:  Specific Set of Requestors - Password Reset Users Set (Criteria-based membership of all users)
    • Operation: Read resource
    • Permissions: Grants permission
    • Target Resource Definition Before Request: Password Reset Objects Set
    • Resource Attributes: Computed Member, Resource ID, Action Type, Action Parameter, Resource Current Set, Authentication Workflows, Resource Type, Display Name, Disabled, Principal Set
  • User management: Users can read attributes of their own
    • Requestors: Relative to Resource - Resource ID
    • Operation: Read resource
    • Permissions: Grants permission
    • Target Resource Definition Before Request: All Active People (Criteria-based membership of all users)
    • Resource Attributes: Detected Rules List, Display Name, Expected Rules List, Locale, Resource ID, Resource Type, Account Name, Address, City, Company, Cost Center, Cost Center Name, Country, Region, Department, Domain, Domain Configuration, E-mail, First Name, Job Title, Last Name, E-Mail Alias, Manager, Middle Name, Mobile, Phone, Fax, Office Location, Office Phone, Postal Code, Proxy Address Collection, Time Zone
  • General: Users can read non-administrative configuration resources
    • Requestors: Specific Set of Requestors - All Active People (Criteria-based membership of all users)
    • Operation: Read resource
    • Permissions: Grants permission
    • Target Resource Definition Before Request: All Basic Configuration Objects
    • Resource Attributes: All Attributes
  • Anonymous users can reset their passwords
    • Requestors: Anonymous Users (Manually-managed membership of Anonymous User)
    • Operation: Modify a single-valued attribute
    • Permissions: Grants permission
    • Target Resource Definition Before Request: Password Reset Users Set (Criteria-based membership of all users)
    • Target Resource Definition After Request: Password Reset Users Set (Criteria-based membership of all users)
    • Resource Attributes: Reset Password

4. Verify the user attempting to register has the following attributes in the FIM Portal:

  • Domain
  • Account Name
  • Resource SID

5. Verify the Authentication settings in IIS for the FIM Password Registration Portal show "Windows Authentication" Enabled.  The Providers should be "Negotiate" then "NTLM".  Make sure ASP.NET Impersonation is Disabled.
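The five checks above can be scripted so that a help-desk engineer does not have to click through the Portal and IIS Manager for every affected user.  The script below is an added example, not part of this troubleshooter or of Microsoft's FIM tooling; it uses the FIMAutomation snap-in (Export-FIMConfig) and the IIS WebAdministration module, both of which ship with FIM 2010 R2 and Windows Server respectively.  The account name "jdoe", the IIS site name "FIM Password Registration Site" and the FIM Service URI are placeholders; adjust them for your environment.  The attribute system names used (AccountName, Domain, ObjectSID, ComputedMember, Disabled) are the FIM schema names behind the display names listed in the steps.

```powershell
# Added example: run the Error 3004 checklist (steps 1-5) from PowerShell.
# Run on the FIM Service/Portal server as a FIM administrator.
param(
    [string]$AccountName   = "jdoe",                           # placeholder user
    [string]$FimServiceUri = "http://localhost:5725",          # default FIM Service URI
    [string]$SiteName      = "FIM Password Registration Site"  # placeholder IIS site name
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
Import-Module WebAdministration

# Read one attribute off an object returned by Export-FIMConfig (null if absent).
function Get-FimAttribute($ExportObject, [string]$Name) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Reference values come back as "urn:uuid:<guid>"; strip the prefix so they compare cleanly.
function ConvertTo-Guid([string]$Reference) { return $Reference -replace '^urn:uuid:', '' }

function Export-FimByXPath([string]$XPath) {
    Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $XPath
}

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail = "") {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# Step 1: user must be a computed member of "Password Reset Users".
$user   = Export-FimByXPath "/Person[AccountName='$AccountName']"
$userId = ConvertTo-Guid (Get-FimAttribute $user "ObjectID")
$pru    = Export-FimByXPath "/Set[DisplayName='Password Reset Users']"
$pruMembers = @(Get-FimAttribute $pru "ComputedMember") | ForEach-Object { ConvertTo-Guid $_ }
Add-Result "1. User in Password Reset Users set" ($null -ne $user -and $pruMembers -contains $userId) $AccountName

# Step 2: "Password Reset Users" set must itself be inside "Password Reset Objects".
$pruId      = ConvertTo-Guid (Get-FimAttribute $pru "ObjectID")
$pro        = Export-FimByXPath "/Set[DisplayName='Password Reset Objects']"
$proMembers = @(Get-FimAttribute $pro "ComputedMember") | ForEach-Object { ConvertTo-Guid $_ }
Add-Result "2. Password Reset Users set in Password Reset Objects set" ($proMembers -contains $pruId)

# Step 3: the four MPRs must exist and not be disabled (Disabled is "True"/"False" or absent).
$mprNames = @(
    "Password Reset Users can read Password Reset Objects",
    "User management: Users can read attributes of their own",
    "General: Users can read non-administrative configuration resources",
    "Anonymous users can reset their passwords"
)
foreach ($name in $mprNames) {
    $mpr      = Export-FimByXPath "/ManagementPolicyRule[DisplayName='$name']"
    $disabled = [string](Get-FimAttribute $mpr "Disabled")
    Add-Result "3. MPR enabled: $name" ($null -ne $mpr -and $disabled -ne "True") $disabled
}

# Step 4: Domain, Account Name and Resource SID (system name ObjectSID) must be populated.
foreach ($attrName in "Domain", "AccountName", "ObjectSID") {
    $value = Get-FimAttribute $user $attrName
    Add-Result "4. User attribute present: $attrName" (-not [string]::IsNullOrEmpty([string]$value))
}

# Step 5: IIS on the registration site: Windows auth on, providers Negotiate then NTLM,
# ASP.NET impersonation off (system.web/identity impersonate="false").
$psPath    = "IIS:\Sites\$SiteName"
$winAuth   = (Get-WebConfigurationProperty -PSPath $psPath `
                -Filter "system.webServer/security/authentication/windowsAuthentication" -Name enabled).Value
$providers = Get-WebConfigurationProperty -PSPath $psPath `
                -Filter "system.webServer/security/authentication/windowsAuthentication/providers" -Name Collection |
             ForEach-Object { $_.value }
$imperson  = (Get-WebConfigurationProperty -PSPath $psPath -Filter "system.web/identity" -Name impersonate).Value
Add-Result "5a. IIS Windows Authentication enabled" ([bool]$winAuth)
Add-Result "5b. IIS providers are Negotiate, NTLM (in that order)" (($providers -join ",") -eq "Negotiate,NTLM") ($providers -join ",")
Add-Result "5c. ASP.NET Impersonation disabled" (-not [bool]$imperson)

$results | Format-Table -AutoSize
```

Any row showing Ok = False points at the step to fix; the Detail column carries the value that was actually found (for example the provider order, or the raw Disabled value of an MPR).  Because Export-FIMConfig is read-only, the script can be run repeatedly without changing anything in the FIM Service.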

More References

Troubleshooting FIM SSPR: Error 3000 and 3004 – not authorized to register for password reset

Deployment Guide for Forefront Identity Manager 2010 R2 - Self-Service Password Reset