After performing the Password Reset deployment tasks per http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx#reset_pswd_us_pswd_reset_portal, you log into a machine and initiate the password registration sequence. After completing the Gate questions, you receive an error stating:
“An error was encountered. Please call helpdesk or your system administrator”
The reason for the error is that the FIM Service account does not have "Read" permission on the private key of the "Forefront Identity Manager" certificate installed on the FIMService server.
To resolve the issue, grant the FIMService account Read permission on the private key of the certificate designated for Forefront Identity Manager. Assigning the permission through the Certificates console (right-click the certificate > All Tasks > Manage Private Keys...) may fail with an "Access Denied" error, even from an administrative session, because the key's ACL does not grant administrators the right to change it. To modify the permissions you have to make the change while running as the local SYSTEM account. This can be done by downloading PsExec onto the FIMService server and executing the command sequence in the order shown below.
On the server hosting FIMService, download and install PsExec, then execute the following steps in this order:
1. psexec.exe -s -d -i cmd.exe (opens an interactive cmd.exe window running as SYSTEM)
2. From that cmd.exe window, launch mmc.exe and add the Certificates snap-in for the Computer account on the local machine.
3. Personal store --> right-click the certificate --> All Tasks --> Manage Private Keys...
4. Grant the FIMService service account Read permission (Read only; Full Control is not required and should not be granted).
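The same permission change can be scripted, which is useful when you want a repeatable, auditable fix instead of clicking through the MMC. The following PowerShell is an added example and not part of the original post or of the FIM product: it locates the FIM certificate in the local machine Personal store, resolves the private key file on disk, and appends a Read-only ACE for the service account. It assumes the certificate subject contains "ForefrontIdentityManager" and that the service account is CONTOSO\svc-fimservice; change both to match your environment. Run it from the SYSTEM cmd.exe window opened by psexec in step 1 (for example, powershell.exe -ExecutionPolicy Bypass -File .\Grant-FimKeyRead.ps1) for the same reason the MMC route needs SYSTEM.

```powershell
# Added example (not from the original post): grant the FIM Service account
# Read access on the private key file behind the "Forefront Identity Manager" certificate.
# ASSUMPTIONS: subject fragment and service account below are placeholders; adjust them.
param(
    [string]$SubjectMatch   = 'ForefrontIdentityManager',   # assumed subject fragment
    [string]$ServiceAccount = 'CONTOSO\svc-fimservice'      # assumed FIM Service account
)

# 1. Locate the certificate in LocalMachine\My (the "Personal" store used in the post).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matching '$SubjectMatch' in LocalMachine\My" }

# 2. Resolve the on-disk key container. Legacy CSP (RSA) keys live under
#    Crypto\RSA\MachineKeys; CNG keys live under Crypto\Keys. FIM normally uses a CSP key.
$keyName = $null
try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
if (-not $keyName) {
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
    } catch {}
}
$candidates = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName")
)
$keyPath = $candidates | Where-Object { $keyName -and (Test-Path $_) } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file for thumbprint $($cert.Thumbprint) was not found on disk" }

# 3. Append a Read-only ACE (least privilege: Read is all FIMService needs). Existing ACEs
#    are preserved so SYSTEM and Administrators keep their access to the key.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Verify: show the resulting ACE for the service account so the change can be confirmed
#    (and recorded for change control) without opening the MMC.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The verification step at the end is the one worth keeping in your runbook: if it prints no row for the service account, the ACE was not applied and the registration error will persist; if it prints FullControl rather than Read, someone has over-granted and the entry should be tightened back to Read.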
Following the permissions change, the Password Reset Registration process should work (No reboot required).
There you go!!