FIM SSPR Troubleshooting: Password Reset Registration - "An error was encountered. Please call helpdesk or your system."


Case

This case involved an issue with the FIM 2010 Self-Service Password Reset (SSPR) product.

We were receiving “An error was encountered.  Please call helpdesk or your system administrator for further assistance.”

 


Steps

Password Reset Deployment Guide

When troubleshooting an SSPR issue, always start with the Password Reset Deployment Guide.  Go through each of its sections to ensure that you have the needed MPRs enabled, DCOM and WMI security set, etc.

Microsoft.ResourceManagement.Service.Exe.Config

Once we went through the Password Reset Deployment Guide, we validated the settings for the resourceManagementServiceBaseAddress and the externalHostName attributes in the %programfiles%\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.Exe.Config file. 

These settings need to be the machine name of the server where the FIM Service is installed.  You can view these settings through the following steps:

  1. Open the Microsoft.ResourceManagement.Service.Exe.Config
  2. Search for resourceManagementClient
  3. Review the resourceManagementServiceBaseAddress and externalHostName settings and ensure that each is set to just the machine name.

In the issue that I was working, we had something similar to what is documented below.

resourceManagementServiceBaseAddress

Incorrect Setting

    <resourceManagementClient resourceManagementServiceBaseAddress="http://machinename/" />

    <resourceManagementService externalHostName="http://machinename/" />

Correct Setting

    <resourceManagementClient resourceManagementServiceBaseAddress="machine name only" />

    <resourceManagementService externalHostName="machine name only"/>

web.config

Now that we had validated the FIM Service configuration file, we then checked the web.config file under C:\Inetpub\wwwroot\wss\VirtualDirectories\80.  The goal here is to confirm that the resourceManagementServiceBaseAddress is correct.  It should be http://machinename:5725/, which is the FIM Service.

  1. Open the web.config file
  2. Search for resourceManagementServiceBaseAddress
  3. Ensure that it is http://machinename:5725/
  4. If it is not the correct value, then fix it, and execute an IISRESET

In the issue that I was working, we found that the resourceManagementServiceBaseAddress contained an additional http:// at the beginning of the http://machinename:5725/

Invalid Setting

    <resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />

Correct Setting

    <resourceManagementClient resourceManagementServiceBaseAddress="http://machinename:5725/" timeoutInMilliseconds="60000" />
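The two file checks above can be scripted. The following is an added example, not part of the original post: the function name Test-FimAddressSetting, the host name machinename and the inline XML samples are constructed for illustration, and the accepted formats are the ones given in the "Correct Setting" entries above.

```powershell
# Added example, not from the original post. Works on PowerShell 2.0 and later.
function Test-FimAddressSetting {
    param(
        [Parameter(Mandatory = $true)] [xml]$Config,
        # Service = Microsoft.ResourceManagement.Service.Exe.Config, Portal = web.config
        [Parameter(Mandatory = $true)] [ValidateSet('Service', 'Portal')] [string]$Kind
    )
    # Service config: bare machine name only (no scheme, port or slash).
    # Portal web.config: http://<machine name>:5725/ (the FIM Service endpoint).
    $bareHost  = '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
    $portalUrl = '^http://[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?:5725/$'

    $checks = @(@{ Element = 'resourceManagementClient'; Attribute = 'resourceManagementServiceBaseAddress' })
    if ($Kind -eq 'Service') {
        $checks += @{ Element = 'resourceManagementService'; Attribute = 'externalHostName' }
        $pattern = $bareHost
    } else {
        $pattern = $portalUrl
    }

    foreach ($check in $checks) {
        # '//' finds the element wherever it sits below <configuration>.
        foreach ($node in $Config.SelectNodes('//' + $check.Element)) {
            $value = $node.GetAttribute($check.Attribute)
            New-Object PSObject -Property @{
                Element   = $check.Element
                Attribute = $check.Attribute
                Value     = $value
                Valid     = ($value -match $pattern)
            }
        }
    }
}

# Constructed samples that reproduce the bad values described in this post.
$serviceSample = '<configuration>' +
    '<resourceManagementClient resourceManagementServiceBaseAddress="http://machinename/" />' +
    '<resourceManagementService externalHostName="machinename" />' +
    '</configuration>'
$portalSample = '<configuration>' +
    '<resourceManagementClient resourceManagementServiceBaseAddress="http://http//machinename:5725" timeoutInMilliseconds="60000" />' +
    '</configuration>'

$columns = 'Element', 'Attribute', 'Value', 'Valid'
Test-FimAddressSetting -Config $serviceSample -Kind Service | Format-Table $columns -AutoSize
Test-FimAddressSetting -Config $portalSample  -Kind Portal  | Format-Table $columns -AutoSize

# Against a real file: Test-FimAddressSetting -Config ([xml](Get-Content $path)) -Kind Service
```

With the samples, the service config reports the base address as invalid and externalHostName as valid, and the web.config sample reports the doubled http:// value as invalid.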

Anonymous Authentication in SharePoint Central Administration

We then pressed on to confirm Anonymous Authentication in SharePoint Central Administration.  This should be checked to allow people to reset their passwords.  In the issue that I was working, this was not enabled.

  1. Start > Administrative Tools > SharePoint 3.0 Central Administration
  2. Select Application Management then Default
  3. Check Enable anonymous access
  4. Click Save.

SiteLock key

Since we were experiencing problems with the Password Reset Client, we investigated the SiteLock key.  In the issue, we were using a DNS Alias to access the FIM Portal.  I was able to spot the DNS Alias in the SiteLock key, but not the machine name.  We added the machine name to the SiteLock.

  1. Open the Registry
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet
  3. Double click on SiteLock to edit it
  4. Add the following to the end: ; machine name
  5. Click OK

We were still receiving the following error message in the Forefront Identity Manager Event Log.

    System.ServiceModel: System.ServiceModel.CommunicationObjectFaultedException: The communication object, Microsoft.ResourceManagement.Workflow.Hosting.ResourceManagementWorkflowServiceHost, cannot be used for communication because it is in the Faulted state.
       at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
       at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.CloseServiceHosts(IList`1 workflowServiceHosts)
       at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
       at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.RetrieveWorkflowDataForHostActivator()
       at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.UpdateServiceHosts(Object source, ElapsedEventArgs e)

IIS

We then checked Internet Information Server (IIS) to see how the authentication settings were set.  In checking these settings, we noticed that Enable Kernel-mode authentication was checked.  We cleared this check box and restarted the Password Reset Client Service.  The Password Reset client began to work.

  1. Open IIS
  2. Expand Sites and select SharePoint-80
  3. Double click on Authentication
  4. Select Windows Authentication
  5. Under the Actions menu on the right, select Advanced Settings
  6. Ensure that Enable Kernel-mode authentication is not checked and click OK
  7. Execute an IISRESET
  8. Open an Administrative Command-Prompt
  9. Type IISRESET and press ENTER
  10. Restart the Forefront Password Reset Client via the Services Console.