Dear All, I have a problem to register user for self-service password reset. I already sync user between ADDS and FIM. I also added the user to password user reset Sets. But, when I try open identity management portal, but the browser error: you do not have permission . In other way, to register the user, i try click Reset Password link on logon windows, but pop-up windows error: you are not authorized to reset your password using self service password reset. you may need to register in order to complete self-service password reset.please contact your admin . Any suggestion for my check and configuration? Any idea? Iam new bie in FIM. regards, Endrik

1. Clicking "Reset Password" will definitely NOT initiate the registration sequence. 2. there are multiple possibilities to cause that permission issue: e.g. SPN, incorrect sync rule. does the user have all the required attributes set to go to the portal? (displayName, accountname, domain, objectSid)The FIM Password Reset Blog http://blogs.technet.com/aho/

try to enable more debug info on the portal C:\inetpub\www\wss\virtualdirectory\80\web.config search for "stack", change the callstack=true search for "custom", change the custom error page = Off search for ILMError, comment out that tag... try access the portal now and u should get the full stacktrace

Dear Antony, I was added the callstack to be true in web.config, the error is "you do not have permission". In FIM, the user have a detail with , displayName, accountname, domain, and objectSid. any idea? Regards, Endrik

with all those steps to enable portal diagnostic, now if u go to FIMPortal with that user, you still don't see a complete stack? Probably you have changed the wrong fileThe FIM Password Reset Blog http://blogs.technet.com/aho/

Dear Aho, Iam sure i edit the right file, and I still not see a complete task. how to make sure that the user in FIM have a detail accountname and objectSid? Regards, Endrik

http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f3ae1913-4c9d-43a2-b2bd-830912d3792d would u please post a screenshot as well?The FIM Password Reset Blog http://blogs.technet.com/aho/

Dear Aho, For make sure: 1. Change callstack=true and allowpageleveltrace=true <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="true"> 2. Change customerror mode="off" <customErrors mode="On" /> is this right? I also try to check the user attribute value for FIM Portal access using powershell (http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f3ae1913-4c9d-43a2-b2bd-830912d3792d), but the powershell getting error : File C:\accessfimportal.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "g et-help about_signing" for more details. At line:1 char:22 + .\accessfimportal.ps1 <<<< + CategoryInfo : NotSpecified: (:) [], PSSecurityException + FullyQualifiedErrorId : RuntimeException Regards, Endrik

I try to set the executionpolicy to be unrestricted. And the powershell script can be execute. Here the result: AccountName : tukul DisplayName : Tukul Arwana Domain : FABRIKAM ObjectSID : AQUAAAAAAAUVAAAAssERljkC/LdotBlFZwQAAA== StringSID : S-1-5-21-2517746098-3086746169-1159312488-1127 so, any idea? regards Endrik

u didn't mention you have commented out the ILMError tag. would u like to double check on that one? have u enabled the 6 MPRs required for Password Reset (2 are for regular portal access) http://technet.microsoft.com/en-us/library/ee534892%28WS.10%29.aspx The FIM Password Reset Blog http://blogs.technet.com/aho/

Dear Aho, Now the user can view the portal via IE brower. but, i stil get error, when i try to register password in the portal, the appear Welcome screen FIM password reset registration, and pop-up error windows : An error occured while processing your request. Please try again later. If the error persists please contract your system administrator. Any idea Aho? Regards, Endrik

so enabling the 6 MPRs move u one step further? i would suggest u to read through the deployment guide first. so u just initiate the registration process (clicking on the registration link), and without doing anything, u see that error? i would check the FIMService config file, search for externalHostname attribute, make sure it is a DNS-resolvable hostname by the client (i.e. no localhost, no http:// prefix).The FIM Password Reset Blog http://blogs.technet.com/aho/

haven't heard back from you. Is there anything we can further assist you with?The FIM Password Reset Blog http://blogs.technet.com/aho/

Dear Aho, Thank a lot, User can complete to register self-service password. So the conclusion: 1. User must have required attribute to go to the portal. 2. The attributes are Account Name, Domain, Display Name, objectSid So for now, I need distribute the Adds-on and extension FIM for the client, and I will using SCCM, or GPO to distribute that adds-on. Are you have script to distribute adds-on with un-attend installation? I mean installation by using script with userless interaction Regards, Endrik

Perfect. Glad to hear that. As for unattended installation, you might want to take a look at this one: http://technet.microsoft.com/en-us/library/ff602040%28WS.10%29.aspx i am going to mark this thread as resolved. If u have further questions around unattended installation, please start a new thread. :)The FIM Password Reset Blog http://blogs.technet.com/aho/

Dear Aho, Two thumbs up for you. Regards, Endrik