PWReset activity could not connect to the directory (SSPR on RC1)
Fresh build of RC1 with SSPR. Can register for SSPR, and get through auth gate, no problems finding record in MV this time.
Password Reset fails with "PWReset activity could not connect to the directory".
There is also a simultaneous error in the application eventlog:
The server encountered an unexpected error while performing an operation for a management agent.
"BAIL: MMS(2028): ma.cpp(370): 0x80040154 (Class not registered)
BAIL: MMS(2028): ma.cpp(7621): 0x80040154 (Class not registered)
BAIL: MMS(2028): ma.cpp(7518): 0x80040154 (Class not registered)
Forefront Identity Manager 4.0.2560.0"
I thought it could be AD MA account permissions so I temporarily made the AD MA account a domain admin (it's only a test domain) - no change.
Also tried unticking password extension on AD MA, restarting sync service, re-enabling password extension and restarting - also no change.
Firewall is off on FIM and on DC. Any ideas?
November 5th, 2009 9:20pm

That's interesting, I have never seen this before. Try the following steps and see at which state it fails:
1. runas /u:domain\fim_svc cmd
2. WBEMTEST
3. connect to root\MicrosoftIdentityIntegrationServer
4. select * from MIIS_CSObject WHERE Domain='...' and Account='...'
5. get the MaGuid and PartitionGuid
6. SELECT * FROM MIIS_ManagementAgent WHERE guid='{ma guid}'
7. you should see your AD MA?
8. get the __PATH of that object (e.g. \\FIMSERVER\root\MicrosoftIdentityIntegrationServer:MIIS_ManagementAgent.Name="AD")
9. Go back to WBEMTEST main screen --> Execute method
10. type the entire path from (8)
11. Method --> Choose Get ServerStatus
12. Edit In Parameter -> PartitionGuid-->Edit Property->not null->{partition guid}->Save property->Save object
13. Execute
14. Edit out parameter, you should see success as return value
Also, double check ur AD MA properly.
"Connect to Active Directory Forest" -> Sign and Encrypt LDAP traffic
"Configure Extension" -> "Pwd Management" -> (1) enable pwd mgmt, (2) settings -> check "require secure ...", i have retry count as 10, interval as 60
not sure if that helps
maybe try to Refresh Schema of AD MA?
November 6th, 2009 5:40am
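
Added example, not part of the thread and not Microsoft's code: the WBEMTEST steps 3 to 14 above as one PowerShell script, so the check can be repeated after each configuration change. The class, property and method names (MIIS_CSObject, MIIS_ManagementAgent, MaGuid, PartitionGuid, GetServerStatus) are taken from the post as written; the script name, parameter names and helper function are assumptions made for the example.

```powershell
# Scripted form of WBEMTEST steps 3-14 (added example, not from the thread).
# Run it from the prompt opened in step 1 (runas /u:domain\fim_svc cmd),
# so the WMI calls are made as the FIM service account.
param(
    [Parameter(Mandatory = $true)][string]$Domain,   # Domain value used in step 4
    [Parameter(Mandatory = $true)][string]$Account   # Account value used in step 4
)

$ns = 'root\MicrosoftIdentityIntegrationServer'

function ConvertTo-WqlLiteral([string]$Value) {
    # WQL string literals escape backslash and single quote with a backslash
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

# Steps 4-5: find the connector space object, read MaGuid and PartitionGuid
$csQuery = "SELECT * FROM MIIS_CSObject WHERE Domain='{0}' AND Account='{1}'" -f
    (ConvertTo-WqlLiteral $Domain), (ConvertTo-WqlLiteral $Account)
$cs = Get-WmiObject -Namespace $ns -Query $csQuery -ErrorAction Stop |
    Select-Object -First 1
if (-not $cs) { throw "No MIIS_CSObject found for $Domain\$Account" }

# Steps 6-8: resolve the management agent that owns that object
$maQuery = "SELECT * FROM MIIS_ManagementAgent WHERE Guid='{0}'" -f $cs.MaGuid
$ma = Get-WmiObject -Namespace $ns -Query $maQuery -ErrorAction Stop |
    Select-Object -First 1
if (-not $ma) { throw "No MIIS_ManagementAgent with guid $($cs.MaGuid)" }
Write-Host "MA path: $($ma.__PATH)"

# Steps 9-13: execute GetServerStatus with PartitionGuid as the in parameter
try {
    $in = $ma.GetMethodParameters('GetServerStatus')
    $in.PartitionGuid = $cs.PartitionGuid
    $out = $ma.InvokeMethod('GetServerStatus', $in, $null)
    $status = [string]$out.ReturnValue
} catch {
    $status = "exception: $($_.Exception.Message)"
}

# Step 14: the post expects "success" as the return value
if ($status -eq 'success') {
    Write-Host "GetServerStatus: success"
} else {
    Write-Warning "GetServerStatus: $status"
    exit 1
}
```

Example call, with a hypothetical script name: `.\Test-FimMaStatus.ps1 -Domain CONTOSO -Account jsmith`. Anything other than `success` is printed as a warning.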

1 thru 13 work as expected
14. call-failure:0x80040154
Connect to forest - sign and encrypt YES
Extension - Pwd Mgmt YES require secure YES retry 10 interval 60
Will try refresh...
November 8th, 2009 4:26pm

The error message you get is related to COM dll registration being incorrect. Try running a repair on the install of FIM RC1.
You could also try applying the post RC 1 update that was just made available. The release notes do mention fixes for Password Reset and the sync service
FIM 2010 RC1 Update 1
Details on the update available here
David Lundell www.ilmBestPractices.com
November 9th, 2009 1:32am

Yup, looks like the COM is messed up
Repair might help
Quick search of the AD MA guid, seems to be under the following keys, take a quick look and see if you spot anything suspicious.
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents
The FIM Password Reset Blog http://blogs.technet.com/aho/
November 9th, 2009 4:00am

Cheers David - will try repair and update1
Thanks, Graham.
November 9th, 2009 1:35pm

Repair didn't work.
Complete reinstall from OS also gets same result.
Update1 - Only Addin component of update1 downloads from catalog update without corruption. Portal and syncservice updates always corrupt and will not execute. Doesn't seem to be on connect any more - only catalog.
Reg Keys:
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
Default - C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll
Inprocserver32 - ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel - Both
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
Default - C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll
Inprocserver32 - ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel - Both
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents
AD - {86A0B533-53B1-458D-8AD4-DEE4C4A42208}
December 2nd, 2009 9:25pm

would you file a bug in Connect so someone from the feature team can take a closer look?
The FIM Password Reset Blog http://blogs.technet.com/aho/
December 3rd, 2009 12:44am

Logged as Bug 517914
December 3rd, 2009 3:50pm

i want to follow up with you that we've got the bug. I believe someone from Sync team has given an initial reply as well. I have just included a link to this thread in the bug regarding step 1-14 you tried above.
The FIM Password Reset Blog http://blogs.technet.com/aho/
December 4th, 2009 7:56am

The registration does not look correct. It looks like you are missing the InprocServer32 key (not value). Try creating the key and moving those entries down beneath the InprocServer32 key. The default for the {86A0B533-53B1-458D-8AD4-DEE4C4A42208} key should be "ADMA".
It should look like this:
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
@="ADMA"
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}\InprocServer32
@="C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll"
Inprocserver32= ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel = Both
Bruce Bequette - MSFT
December 4th, 2009 10:04am
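
Added example, not part of the thread and not Microsoft's code: a read-only PowerShell check of the registration layout described in the post above (CLSID default "ADMA", an InprocServer32 subkey whose default value is the DLL path, ThreadingModel "Both"), plus the ManagementAgents mapping quoted earlier in the thread. The CLSID and key paths come from the thread; the helper function names are assumptions made for the example.

```powershell
# Read-only check of the AD MA COM registration (added example, not from the thread).
$clsid  = '{86A0B533-53B1-458D-8AD4-DEE4C4A42208}'   # AD MA CLSID quoted in this thread
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$inproc = "$clsKey\InprocServer32"
$maKey  = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents'

function Get-RegValue([string]$Key, [string]$Name) {
    # An empty $Name reads the key's default (@) value.
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-Item -LiteralPath $Key).GetValue($Name)
}

function New-Check([string]$What, [bool]$Ok, $Actual) {
    New-Object PSObject -Property @{ Check = $What; Ok = $Ok; Actual = $Actual }
}

$default = Get-RegValue $clsKey ''
$dll     = Get-RegValue $inproc ''
$model   = Get-RegValue $inproc 'ThreadingModel'
$mapped  = Get-RegValue $maKey 'AD'

# The DLL check passes only if the default value is set and the file is on disk
$dllOk = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))

$results = @(
    New-Check 'CLSID default value is "ADMA"'             ($default -eq 'ADMA') $default
    New-Check 'InprocServer32 exists as a subkey'         (Test-Path -LiteralPath $inproc) $inproc
    New-Check 'InprocServer32 default is an existing DLL' $dllOk $dll
    New-Check 'ThreadingModel is "Both"'                  ($model -eq 'Both') $model
    New-Check 'ManagementAgents\AD maps to this CLSID'    ($mapped -eq $clsid) $mapped
)

$results | Select-Object Check, Ok, Actual | Format-Table -AutoSize -Wrap

# Non-zero exit code if any check failed, so the script can be used in automation
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

A clean result here does not rule out 0x80040154: later in this thread the failure is traced to the AD MA's "Run in separate process" setting, with the registration intact.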

Sorry missed \inprocserver32 off key name - those were the settings from \Inprocserver32. Didn't post the settings from parent but here they are:
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
@="ADMA"
MAType="AD"
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}\InprocServer32
@="C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll"
Inprocserver32= ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel = Both
December 6th, 2009 4:11pm

Hi guys, I have the exact same problem: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/02d19c02-4f43-43a7-9e77-c3c1ad4f66bf
How to solve it?
It seems we have some problems running the WMI call, right? (according to the steps described http://blogs.technet.com/aho/archive/2009/11/09/forefront-identity-manager-credential-management-part-4.aspx#comments)
Not sure if export of MA, uninstalling the FIMSync service, reboot and install again the fim sync service, and then import of the MA would solve that problem?
I'm gonna give it a try and keep you informed.
Cheers.
December 16th, 2009 6:59am

it's failing to instantiate the AD MA COM object. i don't think you are having WMI permission anymore.
We have an internal bug tracking this issue
The FIM Password Reset Blog http://blogs.technet.com/aho/
December 16th, 2009 8:50am

Any news from anyone? Fabien did you manage to fix yours?
After 10 installs with consistent results I'm waiting for inspiration.
January 6th, 2010 2:50pm

sorry, the product group doesn't have time to investigate this bug yet. Fabien might have something, maybe? just curious, have u tried changing to an All-in-One environment with all service accounts being domain admin?
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 6th, 2010 2:55pm

I guess the bug was triggered by my fault: I installed this VM inside the Identity and Security corp demo we internally have. From what I saw there were some rights automatically applied on some OU, and especially the one containing the FIM sync svc, and FIM svc. And especially some WMI filters were applied. I guess this is what messed up the WMI permissions.
I just installed a new FIM sync + FIM svc VM in another OU, and was able to process the password reset straight away.
Note: The environment I used is AD 1 domain, 1 forest, 2008 R2 version. SQL, FIM sync and FIM svc on the same comp.
Good luck.
January 6th, 2010 7:44pm

Could someone with a running system check something for me.
open Component Services - Computers - My Computer - DCOM Config
scroll down to Forefront Identity Manager Management Agents - rclick properties
on the location tab is "run application on this computer" greyed out and unselected?
This may be expected, it just looked weird, and Forefront Identity Manager Management Agents doesn't show up at all using oleview...
Cheers, Graham
January 7th, 2010 5:50pm

Also I turned on some com/ole debug reg keys I found on a blog
HKLM\Software\Microsoft\ole\ActivationFailureLoggingLevel = 1
HKLM\Software\Microsoft\ole\CallFailureLoggingLevel = 1
I now get an additional error logged each time, about a second after the class not registered one:
Log Name: Application
Source: Microsoft-Windows-COMRuntime
Date: 8/01/2010 3:23:03 p.m.
Event ID: 18209
Task Category: None
Level: Error
Keywords: Classic
User: NETWORK SERVICE
Computer: hostname.domain
Description:
The application-specific permission settings do not grant Local access permission to the COM Server application C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-COMRuntime" Guid="{bf406804-6afa-46e7-8a48-6c357e1d6d61}" EventSourceName="COM" />
    <EventID Qualifiers="49152">18209</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-08T02:23:03.000Z" />
    <EventRecordID>4292</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>hostname.domain</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe</Data>
    <Data Name="param4">NT AUTHORITY</Data>
    <Data Name="param5">NETWORK SERVICE</Data>
    <Data Name="param6">S-1-5-20</Data>
    <Data Name="param7">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>
January 7th, 2010 9:32pm

Could someone with a running system check something for me.
open Component Services - Computers - My Computer - DCOM Config
scroll down to Forefront Identity Manager Management Agents - rclick properties
on the location tab is "run application on this computer" greyed out and unselected?
This may be expected, it just looked weird, and Forefront Identity Manager Management Agents doesn't show up at all using oleview...
Cheers, Graham

yes, it's the same in my test environment
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 8th, 2010 12:49am

my memory is getting bad but this looks more "human understandable"
i might have asked this before but i have forgotten
1. Is the FIMService service account a member of the FIMSyncPasswordSet group?
2. Are Sync and FIM on the same box?
3. If #2 is YES, the setup guide (the lengthy document) tells u to deny network access for the service account on the box. That shouldn't be done
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 8th, 2010 12:55am

1. yes
2. yes
3. Ahh. I had done that - and that looks suspiciously similar to the new event log error.... Will remove the deny and see if it works.
January 10th, 2010 2:41pm

the setup guide is really intended for production environment (i.e. separated topology). keep me posted
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 11th, 2010 2:30am

Removed deny and still same problem.
I wonder if having the deny during setup caused some problems. Do you think it's worth a re-install?
If so, is there a recommended way of uninstalling/reinstalling the FIM service/portal without losing the existing database if you've upgraded to CU1 or CU2? When I try to reinstall I can't re-use the existing database because it reports the wrong version. Should I create a new database during the base install, then upgrade to CU1/2 and then restore the previous (CU1/2) database? (Apologies if this is covered in release notes somewhere but I couldn't find anything...)
January 11th, 2010 3:39pm

don't think re-installing helps
did you do a "gpupdate /force" after changing rights? and maybe restart the services?
don't know about the reinstalling part. Open a new thread and someone else might know
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 11th, 2010 7:34pm

Ran process monitor and have some additional errors
It looks for ROOT\microsoftidentityintegrationserver:__Win32Provider.Name="MIIS" in
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\SecuredHostProviders
and gets the response "NAME NOT FOUND" each time
It also looks for HKCR\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}\AppId and gets NAME NOT FOUND
Any chance someone with working system can take a look and see if these keys exist.
FYI this is what I have under that GUID
HKCR\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}
@ = "Microsoft Forefront Identity Manager Synchronization Service WMI Provider"
HKCR\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}\InprocServer32
@ = "Microsoft Forefront Identity Manager Synchronization Service WMI Provider"
InprocServer32 = ?{+p]bozQ@Cs1(enXoLyILM_Server>b.UkY4w`%?9tCU?KF8mw
ThreadingModel = Both
January 17th, 2010 11:05pm

Ran process monitor and have some additional errors
It looks for ROOT\microsoftidentityintegrationserver:__Win32Provider.Name="MIIS" in
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\SecuredHostProviders
and gets the response "NAME NOT FOUND" each time
It also looks for HKCR\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}\AppId and gets NAME NOT FOUND
Any chance someone with working system can take a look and see if these keys exist.
FYI this is what I have under that GUID
HKCR\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}
@ = "Microsoft Forefront Identity Manager Synchronization Service WMI Provider"
HKCR\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}\InprocServer32
@ = "Microsoft Forefront Identity Manager Synchronization Service WMI Provider"
InprocServer32 = ?{+p]bozQ@Cs1(enXoLyILM_Server>b.UkY4w`%?9tCU?KF8mw
ThreadingModel = Both

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}]
@="Microsoft Forefront Identity Manager Synchronization Service WMI Provider"

[HKEY_CLASSES_ROOT\CLSID\{9A6AE3F8-5DEF-416E-A569-BB74B3184DC6}\InprocServer32]
@="C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Bin\\mmswmi.dll"
"InprocServer32"=hex(7):4a,00,32,00,78,00,4f,00,6d,00,5f,00,3f,00,67,00,75,00,\
  3f,00,71,00,72,00,39,00,42,00,62,00,74,00,56,00,46,00,7e,00,24,00,49,00,4c,\
  00,4d,00,5f,00,53,00,65,00,72,00,76,00,65,00,72,00,3e,00,62,00,2e,00,55,00,\
  6b,00,59,00,34,00,77,00,60,00,25,00,3f,00,39,00,74,00,43,00,55,00,3f,00,4b,\
  00,46,00,38,00,6d,00,77,00,00,00,00,00
"ThreadingModel"="Both"

The hex translates to "J2xOm_?gu?qr9BbtVF~$ILM_Server>b.UkY4w`%?9tCU?KF8mw"
btw, i notice under InprocServer32, the default value is the path to the dll. yours is not..
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 17th, 2010 11:12pm

Sorry cut+paste error - under inprocserver32 default value is path to mmswmi.dll.
Do you have a ROOT\microsoftidentityintegrationserver:__Win32Provider.Name="MIIS" value under any of the CIMOM keys?
January 18th, 2010 3:11pm

ar... where am i supposed to look? registry or what?
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 18th, 2010 4:11pm

Registry under:
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\SecuredHostProviders
Look under each of the above to see if there is a REG_SZ called ROOT\microsoftidentityintegrationserver:__Win32Provider.Name="MIIS"
(there isn't on my system under any of the above)
January 18th, 2010 7:21pm

Registry under:
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\CompatibleHostProviders
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKLM\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\SecuredHostProviders
Look under each of the above to see if there is a REG_SZ called ROOT\microsoftidentityintegrationserver:__Win32Provider.Name="MIIS"
(there isn't on my system under any of the above)

none of those are there
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 18th, 2010 7:35pm

Breakthrough
Finally got the VHD downloaded and working and have had a chance to compare some things to a working system. It does NOT appear to be anything to do with installed code/versions or permissions.
It does appear to be something to do with something in the AD MA config which prevents class registration.
If I create a "simple" AD MA, run Full Import Full Sync and use wbemtest execute method getserverstatus it returns success.
I'm going through each AD MA setting to try and determine which setting breaks the class registration.
Okay that was easier than expected - it's RUN IN SEPARATE PROCESS.
If you set the AD MA to Run in separate process, class registration fails.
February 14th, 2010 9:19pm

thanks for getting this back to us :)
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 15th, 2010 3:15am

Ran into the same issue, and I too unchecked the ADMA to Run in a Separate process. Worked for me as well. The reason I selected the ADMA to run in a separate process to begin with was the CPU utilization issue (Constantly above 90%), running in a separate process worked for that; however broke the password reset. Guess the Sync Server will cruise along pegged. ;-)
June 17th, 2010 8:46am

CPU utilization with exchange provisioning is a known issue. as for in-proc vs out-proc, i am not 100% sure on this one, but i believe you can contact the product group through PSS, and they might be able to provide you with some registry workaround that allows u to run it out-proc.
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 17th, 2010 10:28am

I got exactly the same issue and solved it, thanks! Did you open a bug on Connect for this?
Cheers, Paolo
Paolo Tedesco - http://cern.ch/idm
July 2nd, 2010 11:08am

u mean in-proc vs out-proc? If you have a customer that must need a fix for that, you should contact PSS.
The FIM Password Reset Blog http://blogs.technet.com/aho/
July 2nd, 2010 8:18pm

I just spun up a small lab environment for FIM 2010 R2 and ran into this exact same issue. I had the AD MA run out of process and was getting the same error. Once I switched it back to in-proc I was able to reset the password successfully. Has this not been implemented in any hot-fix or updates?
June 22nd, 2012 1:41pm

This topic is archived. No further replies will be accepted.