Thursday, June 17, 2010

FIM 2010 – Password Reset failing

 

ISSUE:

OK... so you have brought up your Forefront Identity Manager 2010 environment, configured policies, got password reset working, and life is good. Then down the road you make performance or configuration changes to the environment, the MAs, etc. One day you (or a user) initiate a password reset via the workstation "Reset password" link, pass through the gate questions without any problems, enter the new password and submit. Then, to your surprise, you are presented with a not-so-intuitive error. Wait... this worked before; what is going on?

You do some digging, check for events on the server running the password reset, and discover a slew of the following event in the "Forefront Identity Manager" event log:

EventID: 3
Source: Microsoft.ResourceManagement
Details:   "PWReset activity could not connect to the directory"


After banging my head on the concrete, I recalled the changes made to the environment and when, and matched them up against the last time Password Reset worked. One change was made to the AD MA to work around the excessive CPU utilization on the Synchronization Server: setting the AD MA to "Run in a separate process". If the AD MA is set to run in a separate process, password reset fails.

SOLUTION: 

Make sure the AD MA is NOT set to "Run in a separate process", then restart the Forefront Identity Manager Synchronization Service (service name FIMSynchronizationService, process miisserver.exe). Try another password reset and BAM, it works.

So what fixed one issue apparently broke another. Until a fix for FIM 2010 is available, decide what is more important to you: a pegged processor on the Synchronization Server or a working Password Reset. I'll leave that up to you.

Tuesday, June 15, 2010

FIM 2010: Approval email “This request cannot be approved or rejected…”

 

Issue:

A request against a Distribution Group triggers an approval workflow and the approval email is sent. When the approver opens that email in Outlook, the Approve/Reject buttons are dimmed and the following message is shown:

"This request cannot be approved or rejected for the following reason(s): The sender (FIM Service Component User) is not an authorized sender of approval requests. Contact your system administrator for assistance."

Cause:

The FIM Service account email address entered during the FIM Add-ins and Extensions install/configure process was not the address Exchange actually uses for that account. In my case I entered the email address I had assigned to the FIMService account; however, Exchange generated a different primary SMTP address for the account and set the one I entered as a secondary address. Outlook compares the sender of the approval mail against the configured address, so the mismatch produced the error.

Solution:

On the machine with the FIM Extensions and Add-ins installed, perform a “Change” on the installation.

Program and Features > Forefront Identity Manager Add-ins and Extensions > Change

During the change, enter the correct email address assigned to the FIM Service account.

Hopefully you discover this before deploying company-wide. If not, you can still push the corrected address out via Group Policy or another desktop management solution.
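Before re-running the Add-ins setup on every desktop it is worth confirming on the Exchange side which address is actually primary. The following is an added example (not part of the original post) for the Exchange Management Shell; the mailbox identity and the address entered during setup are placeholders you must replace:

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Compares the address typed into the FIM Add-ins and Extensions setup with the address
# Exchange stamps as primary on the FIM Service account's mailbox.
$ServiceAccount    = 'FIMService'              # assumption: mailbox identity of the FIM Service account
$ConfiguredAddress = 'fimservice@contoso.com'  # assumption: address entered during the Add-ins setup

$mbx     = Get-Mailbox -Identity $ServiceAccount
$primary = $mbx.PrimarySmtpAddress.ToString()

# Proxy addresses with an upper-case "SMTP" prefix are primary, lower-case "smtp" are secondary.
$secondary = $mbx.EmailAddresses |
    Where-Object { $_.PrefixString -ceq 'smtp' } |
    ForEach-Object { $_.AddressString }

"Primary SMTP on mailbox : $primary"
"Secondary SMTP addresses: $($secondary -join ', ')"
"Configured in Add-ins   : $ConfiguredAddress"

if ($primary -ieq $ConfiguredAddress) {
    'OK: the Add-ins address matches the primary SMTP address; the cause of the error lies elsewhere.'
}
elseif ($secondary -icontains $ConfiguredAddress) {
    'MISMATCH: the configured address is only a secondary address, so Outlook sees a different sender.'
    'Fix either side: re-run the Add-ins setup with the primary address, or make the configured one primary:'
    "  Set-Mailbox -Identity $ServiceAccount -EmailAddressPolicyEnabled `$false -PrimarySmtpAddress $ConfiguredAddress"
}
else {
    'MISMATCH: the configured address is not assigned to the mailbox at all.'
}
```

Disabling the email address policy on the mailbox (`-EmailAddressPolicyEnabled $false`) is required when changing the primary address by hand; otherwise the policy reasserts its own primary address on the next policy update and the error comes back.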

Thursday, June 3, 2010

MA Attributes not listed in FIM Sync Rule

 

Ran into an issue with FIM 2010 (RTM) where custom or newly added attributes on Management Agents did not show up in the list of available attributes when creating or editing a Synchronization Rule. The event logged on the synchronization server is listed below:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          11/29/2009 11:26:25 AM
Event ID:      6331
Task Category: MA Extension
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      fimserver.mydomain.local
Description:
A update on the configuration of a MA or MV failed to replicate to a target connector directory that is capable  of storing MA/MV configurations.  As a result, the MA/MV configuration data in this connector directory is not up to date.  Please correct the condition that causes the error, and triggers a resync by updating the password information of the target MA.
Additional information:
Error Code: 0x80230709
Error Message: (The extension operation aborted due to an internal error in FIM Synchronization Service.)
Operation: Update MV
Name of the MA to replicate:
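Both this post and the Password Reset post above come down to spotting a specific FIM error in the event logs. The following is an added example (not code from the original posts): it pulls event 3 from Microsoft.ResourceManagement in the "Forefront Identity Manager" log and event 6331 from FIMSynchronizationService in the Application log, and optionally restarts the synchronization service once the AD MA "Run in a separate process" option has been cleared. The log and source names are taken from the posts; the service name FIMSynchronizationService is the installed service name for the FIM 2010 Synchronization Service.

```powershell
# Added example, not from the original posts. Run in an elevated PowerShell on the FIM server.
# Reports the two errors discussed on this page and, with -RestartSync, bounces the sync service.
param(
    [int]$Hours = 24,
    [switch]$RestartSync   # only after un-ticking "Run in a separate process" on the AD MA
)
$since = (Get-Date).AddHours(-$Hours)

$checks = @(
    @{ Name   = 'PWReset activity could not connect to the directory (Event 3)'
       Filter = @{ LogName = 'Forefront Identity Manager'; ProviderName = 'Microsoft.ResourceManagement'; Id = 3; StartTime = $since } },
    @{ Name   = 'MA/MV configuration failed to replicate, 0x80230709 (Event 6331)'
       Filter = @{ LogName = 'Application'; ProviderName = 'FIMSynchronizationService'; Id = 6331; StartTime = $since } }
)

foreach ($check in $checks) {
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $check.Filter -ErrorAction SilentlyContinue)
    "{0}: {1} event(s) in the last {2}h" -f $check.Name, $events.Count, $Hours
    $events | Select-Object -First 3 | ForEach-Object {
        "  {0:u}  {1}" -f $_.TimeCreated, (($_.Message -split "`n")[0])
    }
}

if ($RestartSync) {
    Restart-Service -Name FIMSynchronizationService -Force
    Get-Service -Name FIMSynchronizationService | Format-Table Name, Status, DisplayName -AutoSize
}
```

Save it as a .ps1 and run it on the server hosting the FIM Service and Synchronization Service; if the two roles are on different hosts, run it on each and only the matching log will return events.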
 

I exhausted every effort trying to get the attributes to show in the synchronization rule(s), and I even attempted to repair/reconfigure the FIM Service and FIM Synchronization Service installations.

Combing through the forums, I noticed a few others had experienced the same issue. Two possible solutions were offered: one was to repair/reconfigure the install, the other was to completely uninstall, reinstall and rebuild. Sorry to say the first option did not work, but the complete uninstall and reinstall did.

Now, I never got down to the true underlying reason for this hiccup, so hopefully you don't experience it after investing a ton of time in building sync rules, etc. During the reinstall I chose to create a new FIM Service database, so I am not sure whether restoring the existing database would surface the same issue. All I know is that restoring the MA configurations was fine.

The screenshots referenced below showed the attribute (mDBUseDefaults in this case) present in the MA, Metaverse, schema and filter permissions, yet absent from the Synchronization Rule attribute list.

Screenshot captions (images not reproduced):

Metaverse: Person object attributes

Export Attribute Flow: FIMMA

Schema Management: Attribute / Bindings

Filter Permissions

Synchronization Rule: Destination (no mDBUseDefaults)

Synchronization Rule: Source (no mDBUseDefaults)


Wednesday, June 2, 2010

Exchange 2010 – 3rd party Certificate status “The certificate status could not be determined because the revocation check failed”

 

After installing a 3rd-party certificate on Exchange 2010, the status of the installed certificate in the Exchange Management Console read:

“The certificate status could not be determined because the revocation check failed”

Cause:

You see this when the server must go through a proxy to reach the certificate's CRL or OCSP distribution points.

Exchange 2010 performs the revocation check through WinHTTP. WinHTTP has its own machine-wide proxy configuration and does not use the per-user proxy settings shown in Internet Explorer, so the browser on the server may reach the CRL fine while the Exchange check cannot. To determine which proxy settings the Exchange 2010 server is actually using for these checks, query WinHTTP with NETSH, validate, and set accordingly.

To Check WinHTTP Proxy settings:

netsh winhttp show proxy

Resolution:

Set the correct proxy settings for winhttp:

Open a command prompt with elevated permissions ("Run as Administrator") and run:

netsh winhttp set proxy proxy-server="http=myproxy:80;https=sproxy:80" bypass-list="*.contoso.com"

Note: Replace myproxy and sproxy with the name or IP of your own proxy server, and be sure to specify the ports. The bypass list is optional.

Following execution, open the Exchange Server 2010 Management Console and refresh Server Configuration > Exchange Certificates. The certificate should now show the status "The certificate is valid for Exchange Server usage".
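The same procedure, as an added example (not part of the original post) for an elevated Exchange Management Shell on the Exchange 2010 server. It shows the WinHTTP proxy before and after the change, re-reads the certificate status that the console displays, and lists the CRL/AIA URLs of any certificate that still fails so they can be allowed on the proxy. The proxy host, port and bypass list are placeholders:

```powershell
# Added example, not from the original post. Run in an elevated Exchange Management Shell.
$ProxyServer = 'http=myproxy.contoso.com:8080;https=myproxy.contoso.com:8080'  # assumption
$BypassList  = '*.contoso.com;<local>'                                          # assumption

'--- WinHTTP proxy before ---'
netsh winhttp show proxy

# Option A: copy the proxy settings that already work in Internet Explorer for the current user.
# netsh winhttp import proxy source=ie

# Option B: set them explicitly. This is machine-wide and is what Exchange's WinHTTP calls use.
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="$BypassList"

'--- WinHTTP proxy after ---'
netsh winhttp show proxy

# Re-read the status Exchange computes (equivalent to refreshing Server Configuration > Exchange Certificates).
Get-ExchangeCertificate |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Status, Subject, Services -AutoSize

# For any certificate still not Valid, print the CRL Distribution Points (2.5.29.31) and
# Authority Information Access (1.3.6.1.5.5.7.1.1) extensions: these hold the URLs the
# revocation check must be able to fetch through the proxy.
Get-ExchangeCertificate | Where-Object { $_.Status -ne 'Valid' } | ForEach-Object {
    $cert = Get-Item "Cert:\LocalMachine\My\$($_.Thumbprint)"
    "Certificate $($cert.Thumbprint) ($($cert.Subject)) status: $($_.Status)"
    $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.31' -or $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
        ForEach-Object { "  [$($_.Oid.FriendlyName)]"; $_.Format($true) }
}
```

Two caveats worth knowing: WinHTTP cannot supply credentials to an authenticating proxy, so the Exchange server's address must be allowed through unauthenticated (or the CRL/AIA URLs whitelisted); and `netsh winhttp reset proxy` returns the server to direct access if the change makes things worse.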

FIM 2010 – Error during Password Reset Registration

 

After performing the Password Reset deployment tasks per http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx#reset_pswd_us_pswd_reset_portal you log on to a machine and initiate the password reset registration sequence. After completing the gate questions, you receive an error stating:

“An error was encountered. Please call helpdesk or your system administrator”

Cause:

The reason for the error is that the FIM Service account does not have Read permission on the private key of the "Forefront Identity Manager" certificate installed on the FIM Service server.

Resolution:

To resolve the issue, grant the FIMService account Read permission on the private key of the certificate designated for Forefront Identity Manager. Assigning the permission via the Certificates console > Manage Private Keys... may fail with an "Access Denied" error, even for an administrator. To modify the permissions you have to run the console as the local SYSTEM account. This can be done by downloading PsExec onto the FIM Service server and executing the command sequence in the order shown below:

On the server hosting the FIM Service, download PsExec and perform the following steps, in this order:

psexec.exe -s -d -i cmd.exe
mmc.exe
Add the Certificates snap-in -> Computer account -> Local computer
Personal store -> right-click the certificate -> All Tasks -> Manage Private Keys...
Grant the FIMService service account Read permission.


Following the permissions change, the Password Reset Registration process should work (No reboot required).
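The same ACL change can be scripted, which is handy when the FIM Service runs on more than one server. The following is an added example, not from the original post: it locates the certificate by subject, finds the RSA key container file behind it under MachineKeys, and adds a Read entry for the service account, which is what the Manage Private Keys... dialog writes. The certificate subject and the service account are placeholders; run it from a PowerShell started as SYSTEM (psexec.exe -s -i powershell.exe) if the change is denied when run as an administrator.

```powershell
# Added example, not part of the original post. Grants the FIM Service account Read on the
# private key file behind the FIM certificate (RSA CSP key in the LocalMachine\My store).
$CertSubject    = 'CN=ForefrontIdentityManager'   # assumption: subject of the FIM certificate
$ServiceAccount = 'CONTOSO\FIMService'            # assumption: FIM Service account

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject } |
    Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject '$CertSubject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key on this machine" }

# A machine RSA CSP key is stored as a file named after its unique container name.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

# Add Read for the service account without disturbing the existing entries.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: the service account should now appear with Read on the key file.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Read is all the FIM Service needs to use the key; do not grant Full Control, since that would let the service account re-ACL or delete the key. If `$cert.PrivateKey` throws, the key is not an RSA CSP key reachable by this method and you are back to the MMC procedure above.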

There you go!!