Problem registering for password reset
I have the same symptoms as the user from this thread: http://social.technet.microsoft.com/Forums/en/ilm2/thread/ab79b77e-d44e-46b8-9500-b1a8350699c3

I register for password reset and after answering my security gate questions I get the error: An error was encountered. Please call helpdesk or your system administrator.

However, I received a different error in the Password Management Proxy Log:

mscorlib: System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fim02.fimdemo.local:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.
---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive.
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ResourceManagement.WebServices.WSTrust.ISecurityTokenService.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(Message request)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenServiceClient.RequestSecurityTokenResponse(RequestSecurityTokenResponseType request, MessageBuffer& messageBuffer)
   at Microsoft.ResourceManagement.WebServices.Client.AuthenticationRequiredException.Authenticate(AuthenticationChallengeResponseType[] authenticationChallengeResponses, MessageBuffer& messageBuffer)
   at Microsoft.IdentityManagement.PasswordReset.GinaOperation.STSSubmitAndRetrieveChallenges(Byte[] gateData)
March 30th, 2010 7:17am

That's a generic WCF message when a non-serializable type is returned... Do you have a server trace?
March 30th, 2010 7:34am

Hmmm..... I checked - there is a certificate, it has a key, the key appears to be in order. This is my demo box so I have FIM installed on a (the) DC. Any ideas?

-Jeremy

System.ServiceModel: System.Xml.XmlException: There was an error serializing the security token. Please see the inner exception for more details.
---> System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details.
---> System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.Tokens.SamlAssertion.System.IdentityModel.ICanonicalWriterEndRootElementCallback.OnEndOfRootElement(XmlDictionaryWriter dictionaryWriter)
   at System.IdentityModel.SamlDelegatingWriter.OnEndOfRootElement()
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.IdentityModel.Tokens.SamlAssertion.WriteTo(XmlWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.ServiceModel.Security.WSSecurityJan2004.SamlTokenEntry.WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken token)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken token)
   at Microsoft.ResourceManagement.WebServices.WSTrust.RequestSecurityTokenResponseType.SetRequestedSecurityToken(SamlSecurityToken samlSecurityToken)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
March 30th, 2010 9:23am

Not sure what is going on. The certificate is in Computer\Personal\Certificates and in the Trusted People container. If I open the cert it says there is a private key associated with the cert. If I right-click the cert and say "Export", the wizard says the associated private key cannot be found. If I right-click the cert and say "Manage Private Keys" I get an Access Denied. If I run FindPrivateKey.exe I cannot find the cert....

-J
March 30th, 2010 10:11am

you patched your deployment somehow? That's a bug and fixed in RTM Update1

psexec.exe -s -d -i cmd.exe
mmc.exe
add Cert snap-in -> local machine -> computer account
Personal store --> right click the cert --> all tasks --> manage private key
grant FIMService service account read permission.

psexec can be found at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
March 30th, 2010 11:45am
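
The permission fix from the reply above, expressed as a PowerShell check (an added example, not part of the original thread): it locates the key file behind a LocalMachine\My certificate and reports, or with -Grant adds, Read access for a service account. The thumbprint and account name are supplied by the caller, the account name in the comment is hypothetical, and the script assumes an RSA key held by a Microsoft software provider.

```powershell
# Added example, not from the thread: audit (and optionally grant) Read on a
# machine certificate's private key file for a service account.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # thumbprint of the certificate the service uses
    [Parameter(Mandatory)] [string] $Account,     # e.g. 'FIMDEMO\svc-fimservice' (hypothetical name)
    [switch] $Grant                               # add the Read ACE when it is missing
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }

# Opening the key fails (for example "Keyset does not exist") when the caller cannot read it.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    throw "Cannot open the private key from this session: $($_.Exception.Message)"
}

# CNG and legacy CSP keys live in different machine-wide folders.
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw 'Private key is not an RSA key from a supported provider'
}
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

$sidType = [System.Security.Principal.SecurityIdentifier]
$sid  = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -LiteralPath $keyFile

# Direct ACEs only: access the account gets through group membership is not evaluated.
$hasRead = [bool]($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
})

if (-not $hasRead -and $Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    $hasRead = $true
}
[pscustomobject]@{ KeyFile = $keyFile; Account = $Account; HasRead = $hasRead }
```

When an administrator session gets Access Denied on the key, as described earlier in the thread, run it from the SYSTEM prompt that the psexec command in the reply opens.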

I am not sure what you mean about patching my deployment. This is a new install of FIM using the RTM bits (4.0.2592.0). Is there an update past this version? I don't see anything on Connect or MSDN. How do I get it? -Jeremy
March 30th, 2010 7:28pm

psexec.exe -s -d -i cmd.exe
mmc.exe
add Cert snap-in -> local machine -> computer account
Personal store --> right click the cert --> all tasks --> manage private key
grant FIMService service account read permission.
psexec can be found at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Works perfectly. Thanks Anthony!
March 30th, 2010 7:37pm

so this is a clean install of MSDN 2592? Or another possibility to get to 2592 is to install 2592 on a machine with RC1, RC1 Update1/2/3 on it already. Let me know if you are doing a clean install.

>>Is there an update past this version? I don't see anything on Connect or MSDN. How do I get it?

Sorry, RTM Update 1 is on the way. Not yet released.
March 30th, 2010 9:53pm

correct, I have implemented changes from posting and new error is; The FIM Password and Authentication Extensions experienced an error when trying to reset a password
April 16th, 2010 6:30pm

You have to get the trace on the server side to be able to do more troubleshooting.
April 16th, 2010 6:38pm

I have the trace, the one error that is popping out is:

FlushFileBuffers failed on pipe [[Unknown]] with error code [109]

Other than this I do not see any other errors... when completing the regform it completes and saves correctly. When a user who has registered for password reset tried the portal though I am getting the error mentioned above. Any thoughts?

Derek
April 16th, 2010 7:16pm

Sorry, didn't mean to ignore you. This thread is about cert permission issue and is marked as answered. Would you mind starting another thread with your specific problem?

The FIM Password Reset Blog http://blogs.technet.com/aho/
June 23rd, 2010 2:07am

This topic is archived. No further replies will be accepted.