Administrator Reset password failing on limited number of user accounts
When an administrator tries to reset the password on a limited number of accounts an error message is thrown. I have tested other accounts and the same process works sometimes, but not for others.

DetailLevel="Information" EntryTime="2011-06-14T00:46:47.9711956Z">The Workflow Instance 'e3425f2d-1a9e-4e78-97b6-5be28603f5c8' encountered an internal error during processing. Contact your system administrator for more information.</RequestStatusDetail>

I have checked the FIM Service Event log as per below:

Log Name: Forefront Identity Manager
Source: Microsoft.ResourceManagement
Date: 14/06/2011 9:34:11 AM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXX.mydomain
Description:
Requestor: urn:uuid:1ea65464-2c01-4615-8c5d-ca065abe9d16
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAuthorization(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-06-13T23:34:11.000000000Z" />
    <EventRecordID>267225</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>P00555.prod.services</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Requestor: urn:uuid:1ea65464-2c01-4615-8c5d-ca065abe9d16
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: Exception of type 'Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException' was thrown.
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAuthorization(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)</Data>
  </EventData>
</Event>

What can I do to troubleshoot and resolve this issue?
June 14th, 2011 4:27am
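
An added example, not part of the original thread: one way to triage exported Event ID 3 records like the one posted above is to pull out the requestor, the exception and the method it was thrown from, then count them to see whether the failures follow a pattern. The sample records are constructed (only the first requestor and record ID come from the post), and the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXC = "Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException"
DISP = "Microsoft.ResourceManagement.WebServices.RequestDispatcher"

def make_event(record_id, when, requestor):
    """Build a constructed record shaped like the Event Xml in the post (stack trimmed)."""
    return (
        '<Event xmlns="%s"><System><EventID Qualifiers="0">3</EventID>'
        '<TimeCreated SystemTime="%s" /><EventRecordID>%d</EventRecordID></System>'
        "<EventData><Data>Requestor: %s Microsoft.ResourceManagement.Service: %s: "
        "Exception of type '%s' was thrown. at %s.ExecuteAuthorization(RequestType request) "
        "at %s.DispatchRequest(RequestType request)</Data></EventData></Event>"
    ) % (NS["e"], when, record_id, requestor, EXC, EXC, DISP, DISP)

# Constructed sample: first requestor and record ID are from the post, the rest are made up.
SAMPLE = "<Events>" + "".join([
    make_event(267225, "2011-06-13T23:34:11Z", "urn:uuid:1ea65464-2c01-4615-8c5d-ca065abe9d16"),
    make_event(267230, "2011-06-13T23:41:02Z", "urn:uuid:1ea65464-2c01-4615-8c5d-ca065abe9d16"),
    make_event(267231, "2011-06-13T23:45:40Z", "urn:uuid:00000000-0000-0000-0000-000000000001"),
]) + "</Events>"

def parse_events(xml_text):
    """Return one dict per event: record ID, time, requestor, exception, throwing method."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = ev.findtext("e:EventData/e:Data", default="", namespaces=NS)
        req = re.search(r"Requestor:\s*(urn:uuid:[0-9a-fA-F-]{36})", data)
        exc = re.search(r"([\w.]+Exception):", data)
        frame = re.search(r"\bat\s+([\w.]+)\(", data)  # first frame = where it was thrown
        rows.append({
            "record": int(ev.findtext("e:System/e:EventRecordID", namespaces=NS)),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "requestor": req.group(1) if req else None,
            "exception": exc.group(1).rsplit(".", 1)[-1] if exc else None,
            "thrown_in": frame.group(1).rsplit(".", 1)[-1] if frame else None,
        })
    return rows

def summarize(rows):
    """Count failures per (requestor, exception, throwing method) to spot the pattern."""
    return Counter((r["requestor"], r["exception"], r["thrown_in"]) for r in rows)

if __name__ == "__main__":
    for key, n in summarize(parse_events(SAMPLE)).most_common():
        print(n, *key)
```
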

Search for all requests... look for the failed request. What is the MPR being applied? Anything unusual from the failed request?
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 14th, 2011 5:18am

Looks like there are 4 matched MPRs:
Modify Users: Grants permission to Selected admins to Read, Add a value to multivalue attribute, Remove a value from a multivalued attribute and modify a single value - Target resources include Reset Password, and TMPPWD.
Password reset: Grants permission to all administrators to Modify single attribute, Target resources TMPPWD
Remove TMPPWD: Does not grant right - Action Workflows - Yes
Administrators can read and update Users: Grants right to Admins, Create, add, remove and Modify attributes: TMPPWD

I have included my account in the selected admins role and tried with my account to reset the password and this also fails. I initially thought that this failed due to not meeting AD complexity rules in my org; however, I have tried a sufficiently complex password as well, and this fails as well.
regards
June 14th, 2011 5:54am

Actually, to clarify, at which step are you failing in the reset sequence? Please refer to my blog for the numbering and screenshot: http://blogs.technet.com/b/aho/archive/2009/10/01/forefront-identity-manager-credential-management-part-1.aspx
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 14th, 2011 7:06am

Hi Anthony, the experience I am having is NOT for SSPR. This issue is for Servicedesk (Authorized Admins) password reset for user accounts. Our FIM portal is published via a Citrix portal to a 3rd party client; we have not deployed SSPR to the Citrix portal for users to perform SSPR.
thanks
June 14th, 2011 7:56am

>>The Workflow Instance 'e3425f2d-1a9e-4e78-97b6-5be28603f5c8' encountered an internal error during processing. Contact your system administrator for more information.
What's that workflow instance?
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 14th, 2011 11:27am

Gazman, can you clarify what tooling your Admins are using then?
http://setspn.blogspot.com
June 15th, 2011 12:13am

Hi Anthony,
The Workflow instance is the Admin Password Change workflow. In the extended Attributes tab of the workflow the status shows terminated.
We also found some of the AD accounts were expired and thought that this may be a contributing factor; however, we have changed at least one of these users' expiry to a future date and tried again with no luck.
The workflow points to the sync service hostname, has a Password attribute of TmpPwd, forces change at next login and unlocks the account in AD.
regards
June 15th, 2011 2:27am

Hi Thomas, Not sure what you are asking here, what do you mean by tooling? regards
June 15th, 2011 2:28am

Hi Gazman2010, can you have a look at the domain drop-down in the user's account properties and ensure it's populated?
June 16th, 2011 2:09am

This topic is archived. No further replies will be accepted.
