As I started playing around with the Self Service Password Reset (SSPR) functionality of FIM, which is explained nicely in the Password Reset Deployment Guide, I encountered an error during the registration phase.
First the Welcome screen popped up, where I clicked next.
And got greeted with a vague error: "An error was encountered. Please call helpdesk or your system administrator for further assistance." As I am the administrator myself, I started troubleshooting, again…
Not much in the event logs (neither on the client nor on the server), so I started looking on the FIM forums (TechNet) and found the following procedure to enable logging for the Password Reset Client Service:
- Open an elevated prompt and run the following commands:
  - copy "%ProgramFiles%\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\pwdmgmtproxy.exe.config" "%ProgramFiles%\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\pwdmgmtproxy.exe.config.bak"
  - notepad "%ProgramFiles%\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\pwdmgmtproxy.exe.config"
- In the configuration file notepad opened, perform the following changes:
  - Look for the element <source name="Microsoft.ResourceManagement" switchValue="Warning"> and change "Warning" to "Verbose"
  - Look for the element <add initializeData="C:\Logs\PwdMgmtProxy.svclog" and change it to <add initializeData="c:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.svclog"
  - Now perhaps pretty obvious, but notepad has no syntax coloring, so I forgot this at first: remove the <!-- and --> which actually comment out these configuration settings
- Ensure NT AUTHORITY\Network Service has Write permission to "%ProgramFiles%\Microsoft Forefront Identity Manager\2010\Password Reset Client Service". You can right-click the folder, edit the entry for NT AUTHORITY\Network Service and give it Modify.
- Restart the Password Reset Client service.
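The same procedure scripted in PowerShell, as an added example that is not part of the original post or of FIM itself. It assumes the tracing elements sit whole inside one XML comment in pwdmgmtproxy.exe.config and that the service display name contains "Password Reset Client"; it also writes the log to a dedicated subfolder so Network Service only gets Modify there, not on the service binaries.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumptions: the <source>/<add> tracing elements are wrapped whole inside one XML
# comment in pwdmgmtproxy.exe.config; the service display name contains "Password Reset Client".
$svcDir  = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Password Reset Client Service'
$config  = Join-Path $svcDir 'pwdmgmtproxy.exe.config'
# Dedicated log folder: Network Service gets Modify here only, not on the service binaries.
$logDir  = Join-Path $svcDir 'Logs'
$logFile = Join-Path $logDir 'PwdMgmtProxy.svclog'

# 1. Keep a backup, exactly like the manual procedure (also used to revert later).
Copy-Item -Path $config -Destination "$config.bak" -Force

# 2. Load the config as XML and "uncomment" the tracing block: every comment node that
#    contains the Microsoft.ResourceManagement source is replaced by its parsed content.
[xml]$doc = Get-Content -Path $config -Raw
$comments = @($doc.SelectNodes('//comment()') | Where-Object { $_.Value -match '<source name="Microsoft\.ResourceManagement"' })
foreach ($c in $comments) {
    $frag = $doc.CreateDocumentFragment()
    $frag.InnerXml = $c.Value
    [void]$c.ParentNode.ReplaceChild($frag, $c)
}

# 3. Warning -> Verbose on the source, and point the .svclog listener at our log file.
$src = $doc.SelectSingleNode('//source[@name="Microsoft.ResourceManagement"]')
$lst = $doc.SelectSingleNode('//add[contains(@initializeData, ".svclog")]')
if (-not $src -or -not $lst) { throw "Tracing elements not found in $config; edit it by hand." }
$src.SetAttribute('switchValue', 'Verbose')
$lst.SetAttribute('initializeData', $logFile)
$doc.Save($config)

# 4. Create the log folder and grant NT AUTHORITY\NETWORK SERVICE Modify on it (inherited by files).
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$acl  = Get-Acl -Path $logDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# 5. Restart the service so the new trace settings take effect.
Get-Service -DisplayName '*Password Reset Client*' | Restart-Service

# Verbose WCF traces can carry request payloads; once the issue is found, restore the
# backup and restart the service again:  Copy-Item "$config.bak" $config -Force
```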
Now try registering again to reproduce the error. You could then open PwdMgmtProxy.svclog using notepad; it would look like:
Happy troubleshooting…! But there is an alternative: a typical Visual Studio installation comes with a utility called SvcTraceViewer. If you copy the log file to a machine with Visual Studio installed, .svclog will be a known file extension and your troubleshooting will look a lot better:
By altering the logging options we even got an entry in the application event log, so all the hassle with the log file was not really necessary. But for more advanced issues it could come in handy.
Basically what happened in this specific case is that somewhere in the installation of the FIM Portal/FIM Service I entered a wrong URL (well, the wrong DNS suffix; damn all those lab environments!). There are several places to look for URLs used by FIM:
- Search in the registry on the client or the FIM Portal/Service: all was fine
- Search in the database of the FIM Service: all was not fine:
/****** Script for SelectTopNRows command from SSMS ******/
SELECT TOP 1000 [ServicePartitionId]
We could try altering the value in the database… But we're not going to do that: it's unsupported and might leave your database in an inconsistent state. To be completely honest, I did, and it didn't act as it should :) Thank god it's a lab environment.
The better way is to keep searching for where it was originally set. So I ended up in the following location: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service, with the Microsoft.ResourceManagement.Service.Exe.config file:
Update it, restart the FIM Service, the database gets fixed and the SSPR error goes away! Afterwards I found out that whether I manually edit it in the DB or alter it in the configuration file, an extra ServicePartition is added in the DB. Perhaps a workaround is to stop the FIM Service, alter both the configuration and the DB, and start again. But if you want to keep your configuration supported: try re-running the FIM setup. During the setup you should be able to provide the URL and get yourself back on track. If this is not the case, it's probably advisable to call in some help.
With thanks to Paul Williams for the advanced logging procedure: http://social.technet.microsoft.com/forums/en-us/ilm2/thread/34B61A17-F0A8-4FCC-9525-0ED96E51420B
P.S. If you want to trigger the self service password registration wizard to start, you can simply execute mspwdregistration -all