Hello, Im testing the SSPR adding the OTP functionality. Im presenting the error: "Unable to send security code. Please contact your help desk for assistance" I was able to register but in this process but in the process of challenge for Password Reset after pass the security questions appear this error. FIMService@domain.com email account exists and was added during FIM 2010 R2 installation. Ill appreciate the help to resolve this. Regards

If you are trying to send an Email OTP, check the Forefront Identity Manager category in the FIM Service's event logs. FIM cannot send SMS One-Time-Passwords out of the box, although a module and service to do this are available here. (Disclaimer: I wrote a good portion of it. ;) ) --Steve

Solved: "The FIM Service does of course need to be able to contact the SMTP gateway (or Exchange Web Service endpoint)." - Steve Kradel Ive validated that the FIMService has permissions on Exchange to send emails Internal and External. From the FIM Server that has the FIM Service installed, validate that you can access: https://mailserver/EWS/exchange.asmx, this re-direct to: https://mailserver/EWS/Services.wsdl The parameter of MailServer that appear in the File: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config should target the https://mailserver/EWS/exchange.asmx address. You need to verify that the Exchange Web Service (EWS) is accessible. You may need to add the certificate that Exchange is using to the local store on the FIM Server. There is information on how to do this here: http://technet.microsoft.com/en-us/library/jj134295(v=ws.10).aspx - Bill M. Thanks to Steve and Bill

Thanks Steve, Error Logs: Application: The Forefront Identity Manager Service cannot connect to the Exchange Web Service. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the failure may be due to incorrect Exchange Web Service configuration. Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer. Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly. Last, ensure that the Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file. Forefront Identity Manager System - Provider [ Name] Microsoft.ResourceManagement - EventID 3 [ Qualifiers] 0 Level 2 Task 0 Keywords 0x80000000000000 - TimeCreated [ SystemTime] 2012-08-02T17:45:18.000000000Z EventRecordID 2802256390 Channel Forefront Identity Manager Computer FIM01.com Security - EventData System.Web.Services: System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed. at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1) at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems) at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)

Im trying to send an Email OTP, the detailed error: Unable to send security code Unable to send a security code. Please contact your help desk for assistance. Go to Self-Service Password Reset home page Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.OneTimePasswordDeliveryException: ValidationError:UnableToSendSecurityCode ---> System.ServiceModel.FaultException: ValidationError:UnableToSendSecurityCode at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request) at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, ClientOptionsHelper clientOptionsHelper, MessageBuffer& messageBuffer) at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer, ClientOptionsHelper clientOptionsHelper) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetChallenge(String domain, String userName, ChallengeContext gateChallengeResponse) at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) --- End of inner exception stack trace --- at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.GetNextChallenge(String domain, String userName, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.DriverBase.GetNextGate(IGateControl currentGate) at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.Next() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) The exchange resides in a different server, do i need to allow another port than 5725 and 5726?, ive applied the steps mentioned at: http://technet.microsoft.com/en-us/library/hh824696(v=ws.10) Thanks, Elas

There should be another, earlier warning/error message in the event log that details why the message couldn't be sent; the stack trace above is only informative to the extent that the service failed in an unspecified way. You do not need to open more listening ports on the FIM Service box, but the FIM Service does of course need to be able to contact the SMTP gateway (or Exchange Web Service endpoint). --Steve