Wednesday, June 2, 2010

FIM 2010 – Error during Password Reset Registration


After performing the Password Reset deployment tasks per  you log into a machine and initiate the password registration sequence. After completing the Gate questions, you receive an error stating:

“An error was encountered. Please call helpdesk or your system administrator”


The reason for the error is that the FIM Service account does not have Read permission on the “Forefront Identity Manager” certificate (specifically on its private key) installed on the server hosting FIMService.


To resolve the issue, grant the FIMService account Read permission on the certificate designated for Forefront Identity Manager. Assigning the permission through the certificate manager console (right-click the certificate > All Tasks > Manage Private Key...) may fail with an “Access Denied” error when initiated. To modify the permissions, start the process that makes the security change under the Local System account. This can be done by downloading PsExec onto the FIMService server and executing the command sequence in the order shown below:

On the server hosting FIMService, download PsExec and carry out the following steps, in this order:

psexec.exe -s -d -i cmd.exe   (opens an interactive command prompt running as Local System)
From that prompt, run mmc.exe and add the Certificates snap-in (Computer account, Local computer)
Personal store --> right-click the certificate --> All Tasks --> Manage Private Key...
Grant the FIMService service account Read permission.
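The same permission grant can be scripted instead of clicking through the Manage Private Key dialog. This is an added example, not code from the original post; the certificate subject and the service account name are placeholders to replace with your deployment's values, and it assumes the certificate uses a legacy CSP key stored under MachineKeys. Run it from an elevated PowerShell prompt, or from the psexec -s cmd.exe window above if the elevated prompt still reports Access Denied.

```powershell
# Added example: grant the FIM Service account Read on the private key of the
# Forefront Identity Manager certificate, then verify the resulting ACL.
# ASSUMPTIONS (placeholders): the subject filter and the service account below
# are not from the post; substitute the values from your own FIM deployment.
$subjectFilter  = 'CN=ForefrontIdentityManager'   # placeholder certificate subject
$serviceAccount = 'CONTOSO\svc-fimservice'        # placeholder FIM Service account

# 1. Locate the certificate in the local machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectFilter*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matched '$subjectFilter'." }

# 2. Resolve the on-disk key container. Legacy CSP keys live under MachineKeys;
#    $cert.PrivateKey is $null for CNG keys, which this example does not cover.
if (-not $cert.PrivateKey) { throw "Certificate does not expose a CSP private key." }
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyPath)) { throw "Private key file not found: $keyPath" }

# 3. Add a Read ACE for the service account; skip if an equivalent one exists.
$acl = Get-Acl -Path $keyPath
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $serviceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if (-not $existing) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

# 4. Verify: show the ACEs that now apply to the service account on the key file.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Read is all the FIM service needs to use the key; avoid granting Full Control, which would also let the account replace or delete the private key.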


After the permission change, the Password Reset Registration process should work (no reboot required).

There you go!!


  1. Thank you, thank you, thank you.
    That error message has been doing my head in.
    The fix sorted it. If only I had found this 4 hours ago ;-)

  2. Hello Rick,
    I am getting this error 3008 after supplying user credentials. I have checked for permissions and it already has them, but I am unable to enter the registration process. Can you please help?