FIM 2010 R2 - SSPR policy enforcement prevents all passwords
I have deployed FIM 2010 R2 for a client, who requires a minimum password length enforced in order to prevent sync issues with Live@edu. However, no matter what the policy is set to - or where - all passwords set in the reset portal are rejected. I have attempted with the policy undefined at all levels, minimally defined at the OU level, fully defined at the domain level, all with little effect.
I have ensured all the requirements of KB2443871 have been met; there is a root CA and DC certificate in place, and the root CA cert has been added to the trusted certs on the FIM sync server. The PDC has been updated and has the PDC Emulator FSMO role. LDP.exe can connect properly over SSL and the OID is visible. SSPR works properly without ADMAEnforcePasswordPolicy set to 1.
After failures, the event log on the FIM service/portal server shows:
Error: PWReset Activity's MIIS Password Set call failed because of a policy violation.
Error: The web portal received a fault error from the FIM service.
Details:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
Web Portal: FIM Password Reset Portal
Session Id: [snip]
IP Address: 10.x.x.xx
Any help would be greatly appreciated. I'd like to avoid a pricey call to Microsoft support. Thanks!
James J.
Flashpoint CS, LLC
August 10th, 2012 4:19pm
Are there any error messages on the FIM Sync Service host, and/or just prior to this one from the FIM Service? The one above (from the FIM Service / client tier) isn't informative.
You might try independently testing that your PDC really, really does support the server-side LDAP control for checking password policy during reset.
August 10th, 2012 6:32pm
Are there any error messages on the FIM Sync Service host, and/or just prior to this one from the FIM Service? The one above (from the FIM Service / client tier) isn't informative.
You might try independently testing that your PDC really, really does support the server-side LDAP control for checking password policy during reset.
I didn't see anything informative (or really anything at all, and logging is already level 3) on the FIM sync service host. As for checking the LDAP control, I did verify it's available; I don't know of a better way to test it at the moment. It works with AD clients. Any suggestions?
August 11th, 2012 12:37am
I just tested this and it worked... What do your registry settings look like? KB2443871 doesn't appear to recommend any particular datatype for the registry value, although dword and string seemed to proceed with no ill effects.
AD clients don't use LDAP(S) for password reset--it is doable with LDP, although the effort to do so is perhaps a bit steep.
August 13th, 2012 5:27pm
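The two checks suggested in the replies above (does the PDC Emulator really advertise the server-side policy-hints LDAP control, and what does the ADMAEnforcePasswordPolicy registry value look like) can be scripted from a domain-joined host. The following PowerShell is an added example written for this thread; it is not code from the thread's participants or from Microsoft. The two control OIDs are the policy-hints control OIDs documented in MS-ADTS; the registry key path is an assumption and should be taken from KB2443871 rather than from this script.

```powershell
# Added example, not from the thread. Verifies two things the replies ask about:
#  1. whether the PDC Emulator advertises the LDAP policy-hints control that
#     server-side password-policy enforcement during an SSPR reset depends on;
#  2. what ADMAEnforcePasswordPolicy is set to on the FIM Sync host.
# Run on the FIM Sync host (or any domain-joined box with LDAPS reachability).

# Policy-hints control OIDs as documented in MS-ADTS.
$PolicyHintsOids = @(
    '1.2.840.113556.1.4.2066'    # LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID
    '1.2.840.113556.1.4.2239'    # LDAP_SERVER_POLICY_HINTS_OID
)

# Locate the PDC Emulator via .NET so no RSAT module is required.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
Write-Host "PDC Emulator: $pdc"

# Read RootDSE over LDAPS (636) so the same channel FIM uses is exercised,
# which also confirms the DC certificate chain the question describes.
$authTypes = [System.DirectoryServices.AuthenticationTypes]'Secure,SecureSocketsLayer'
$rootDse   = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${pdc}:636/RootDSE", $null, $null, $authTypes)
$supported = @($rootDse.Properties['supportedControl'])

foreach ($oid in $PolicyHintsOids) {
    $state = if ($supported -contains $oid) { 'advertised' } else { 'MISSING' }
    Write-Host ("{0} : {1}" -f $oid, $state)
}

# Registry value that switches on server-side policy enforcement for the AD MA.
# ASSUMED key path; confirm it against KB2443871 before acting on the result.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
$item    = Get-ItemProperty -Path $regPath -Name 'ADMAEnforcePasswordPolicy' -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host 'ADMAEnforcePasswordPolicy: not set'
} else {
    $value = $item.ADMAEnforcePasswordPolicy
    # Reporting the .NET type shows whether the value was created as DWORD or string.
    Write-Host ("ADMAEnforcePasswordPolicy: {0} (type {1})" -f $value, $value.GetType().Name)
}
```

If neither OID is reported as advertised while the registry value is set, the rejection described in the question is the expected outcome, because the sync service asks the DC to evaluate policy and the DC cannot honour the control; that narrows the problem to the PDC update or FSMO placement rather than to the policy definition itself.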