Hello, I'm trying to find simple and easy to use Step-By-Step instructions of how to setup FIM 2010 R2 for users self-service password reset. I successfully deployed all the components including FIM Service, FIM Sync Service, and FIM Portal (based on SharePoint 2010) using single server. What I cannot figure out is how to configure FIM Sync Service - it deals with what is known as Management Agents and I have no idea what to do there. Information available on Microsoft WEB page (http://technet.microsoft.com/en-us/library/hh322874(v=ws.10).aspx) seems to be not very clear at all to me. All I want and all I need is to enable end-user self-service password registration and password reset once user is registered using minimal steps and efforts. I even don't need the IIS portion that allows registration and password reset from the internet - all I need is Windows extensions on GINA screen to work. I would very much appreciate if somebody could guide me or provide with link to simple step-by-step instructions on how to set this up. I'm sure that many other people who never dealt before with FIM would be interested to see how to setup password reset service using FIM 2010 R2. Thanks!

Ok, after shopping around, I finally realized that Microsoft Test Lab Guide is not very bad. From 8 steps only steps 6, 7 and 8 are actually described in details, here are direct links to these steps: Step 6: Perform SSPR Prerequisite Tasks: http://technet.microsoft.com/en-us/library/hh824695(v=ws.10).aspx Step 7: Configure Self-Service Password Reset: http://technet.microsoft.com/en-us/library/hh824694(v=ws.10).aspx Step 8: Verify SSPR: http://technet.microsoft.com/en-us/library/hh824691(v=ws.10).aspx Apparently besides these instructions there are lots of additional steps that are required to setup SSPR properly, and this is not described here, but you need to get this info from other places. FIM 2010 for SSPR is most cumbersome product I ever seen! Now I got a new problem: Ok, so I configured everything, and it even work! But hey, it works for the new user I created using FIM 2010. If I grab existing AD user and put in special OU created during FIM configuration process, this account does not work. No matter how many times I tried to run FIM MA to sync stuff, it does not work. During configuration process I noticed that Microsoft instructions are heavily rely on some attributes like EmployeeID and EmployeeType, but our AD users do not have these attributes currently set. It is impossible to re-create all existing users using FIM, and it must be a way to "add" existing users under FIM management umbrella so these users can register for SSPR and use SSPR portal to reset password. Here is the error message I receive if I try to register for SSPR using non-Demo account John Smith:

Hi, There are a few things you need to know: Make sure the user has access to read the FIM Portal website in Sharepoint.FIM Portal needs to have these attributes of the ActiveDirectory user: 'Domain', 'AccountName' and 'ObjectSID'. Next to that, you should enable the following MPR's to allow access to an Active Directory user: "General: Users can read non-administrative configuration resources""User management: Users can read attributes of their own" Does your lab environment already have an Active Directory Management Agent? If not, check this URL, which will give you clear instructions on how to create it: http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx Regards, Pieter.

Hi Pieter, 1. Yes, all users have permissions to read the FIM portal in SharePoint: 2. I'm not sure what you mean by "FIM Portal needs to have these attributes of the ActiveDirec+tory user". If it workf for John Smith (you know, this is the user created in FIM in one of the steps in Microsoft odocumentation) then does it mean that "FIM Portal already has these attributes of the ActiveDirectory user" or there is something that needs to be done? How I check? Where? 3. I double-checked and both MPRs are enabled (i.e. not disabled). There are actually not just two but 5 or 6 of MPRs that needs to be enabled, and since this is part of documentation it was done and completed. By the way, since John Smith works, does it mean that this is already enabled? 4. Of course I do have both MA: FIM MA and AD MA. Both created in Synchronization Service Manager, right? This is where you have 5 profiles for each MA, right? This is part of the procedure and I created them. Although (because I'm new to FIM) I hardly understand the complexity of these 10 profiles, looks to me lots of manual work and everything looks cumbersome, but I hope this is not the case and the only reason why I see that this way is because I do not know this product well enough :-) Thanks!

Ok, let's assume you have the correct Inbound Synchronization Rule in place (synchronization of 'Domain', 'AccountName' and 'ObjectSID'), have you ran the correct profiles? If not: go to the synchronization engine and run the Full Import and Full Synchronization of Active Directory and then the Export profile of the FIM management agent.

Display Name is also a required attribute. Have you checked the metaverse for one of the users that is having an issue to make sure the user has a connector in both FIM and AD? (In the FIM Sync Service Manager, click "Metaverse Search", find the user, double click the user and click the "Connectors" tab.) Thanks, Sami

Ok, I do have everything that is described in Microsoft documentation (all 3 URLs are in my first post above). I tried running everything many times, and it does not seem to be doing anything. Here are some points that I completely do not understand: 1. Do I need need to run these MA every time we create new user in AD? If this is the case, it will be lots of work. It must be a way of automating thiese tasks 2. Initially created JSMITH (John Smith) still works, password registration, password reset, everything works beautifully. Somehow creating another user in FIM using the same process as JSMITH does not work any more, even if I run AD and FIM MA with all profiles many times 3. Even though user created in FIM works OK (JSMITH) this is not what we are looking for. We already have 600+ users in AD and I'm not going to re-create them in FIM. So I moved one existing user into FIM-scoped OU but this account does not go to FIM and FIM does not allow to register or reset password for this user 4. I have to perform my tests slowly. I cannot point FIM to OU where 600 production users reside, unless everything is tested. I do see the possibility of wiping out everything if I do something wrong, and I want to precent this. So I want to make sure that I can do one existing user first before expanding the scope 5. In Microsoft documentation they are hevily talking about employeeID attribute, but we do not use it at this time. Does it mean that I must configure this attribute before I can use FIM for password reset? If this is the case it simply does not make sense to me 6. I'm not clear what "Domain" attribute is. If I open ADUC and go to Attribute Editor, there is no such attribute in any user object. Am I missing something? All I want is to be able to resiter for password reset and perform password reset. Not sure why this is so complicated...

Well, good question. I have total of 3 users I'm trying to play with right now, with different falvour: 1. John Smith, was created in FIM as in Microsoft documentaion example, and all works (password registration, password reset, sync etc.): 2. Fred Flinstone, was created couple days after John Smith, same way (in FIM), somehow does not Sync to AD and as result there is nothing I can do about it (because it is not in AD): 3. Betty Rubble, this is existing user in AD, I just moved it from active OU to Password Reset OU (same as John Smith) hoping that this user will be recognized by FIM, but unfortunately magic did not happen, and I'm not sure why. I populated employeeID attribute just in case but still no luck. Funny thing: I have no idea even what to do now. Since JSMITH is working I assume that FIM is working, but I cannot expand this onto existing users, and even new user created in FIM does not work anymore. Completely confused now :-( but thanks for help me anyway! I'm open for any suggestions!

Thanks for the screenshots--I think the issue is that Freddie doesn't have the Expected or Detected Rules List. Not sure how your MPRs are configured, but check the Set that is used for the MPR that adds the synchronization rule to the user. Fred may not be in there. (I'm assuming you've created set transition MPRs.) If he is in there, change your set criteria to take him out (perhaps adding a condition that the first name = 'John' or some such). Save the set, open it again and remove the criteria you just added. Fred should be in the Set. Now, check Fred's user account and see if the Provisioning tab shows anything in the ERE and DRE lists. Until the ERE is applied, the sync rule will not apply to the user and you won't see them syncing properly.

Hi, SamiVV is on the right track. Fred Flinstone is not created in ActiveDirectory because he does not have an Expected Rule Entry. You need to define a FIM triple, as explained in the tutorial and in this post by my coleage Peter Geelen: http://identityunderground.wordpress.com/2011/08/05/fim-triple-definition-terminology/ Let me answer some of your questions above: 1. Do I need need to run these MA every time we create new user in AD? If this is the case, it will be lots of work. It must be a way of automating thiese tasks>> They need to be run periodacally. This can be automated. If you open the sync engine and go to 'Management Agents', click the 'Configure Run Profiles'. There you will find a button which will create a VBS script. 6. I'm not clear what "Domain" attribute is. If I open ADUC and go to Attribute Editor, there is no such attribute in any user object. Am I missing something? All I want is to be able to resiter for password reset and perform password reset. Not sure why this is so complicated... >> The domain attribute is present in the FIM Portal, but not in AD. If you have just one AD domain, you can configure your inbound synchronization rule to set a static value (your domain name).Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

Thanks guys, you are really trying to help, I apreciate this. Let's forget about Fred - I deleted it for now. Then I created another user in FIM (Velma Dinkley), run MA syncs, and it went to AD no problem. So we can consider maybe it was something wrong when I created Fred in first place. Anyway it looks like it is working fine now. Most important question: why existing AD users are not coming to FIM? What I need to do to make this happen? Having users created in FIM replicated to AD may be a miracle, but this is not what I need at the end of the day. What I need is to be able to allow password reset for AD users who was created in AD before FIM. My understanding that all I have to do is move user from their current OU to OU that is covered by FIM. During FIM configuration, specifically when I created AD MA, I had to specify OU that is used by FIM, right? So why when I move existing AD user to this OU they are not picked up by FIM? Am I missing something? Probably this is pretty much the last challenge I have. Thanks!

You need an inbound synchronization rule on ActiveDirectory. There, you can check the checkbox named 'Create a resource in FIM'. This wil project the user to the FIM Sync Metaverse on a Synchronization run from ActiveDirectory. This article provides some explanation about this scenario: http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx It think you have covered the first part, so you might want to skip to the 'Configuring the FIM Service'-part.Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

Here are some of the numerous settings that I configured as per Microsoft article mentioned in my first post. Is there anything should be changed there to make sync working from AD to FIM? I just not completely clear what I'm missing and what needs to be done. It is very strange why would they provide only instructions how to provision users from FIM to AD, when most companies already have existing users in AD. Here we go:

Other screens:

And 2 last screens:

If your issue is getting users created in the FIM portal, then you need to have "Create resource in FIM" checked. Also, I don't see an attribute flow for "Domain" which you will need to have set.

Ok, thank you. Last message worked 50%: first statement was clear, I implemented it (i.e. checked "Create resource in FIM" checkbox", and after performing SYNC I got existing user showed in FIM but it is shown very wired - I can see this: When I click on this user ((No display name) everything is empty - I assume that this is my existing AD user that I moved to Reset Password OU. If I clieck on Provisioning tab (all other tabs contains no information - all empty) I can see this: So I assuem that I'm missing something, like Inbound Attribute flow, but I'm not sure how to create it. Please advise!

Hi, Can you check in the sync engine with a preview on this user and see if there are any "not applied" or empty values for the display name? Thanks, Sami

Hi Sami, You see, when you say something that is not clear for me, I'm getting extremely frustrated, because this is something confusing me 100%. For example, what do you mean by SYNC engine? I know there are 2 main things there: FIM management portal (this is the one built on top of SharePoint) and Synchronization Service Manager - the one with green icon and two white arrows. I would assume that you are talking about Synchronization Service Manager, right? So if I go to Metaverse Search, I do see this user with proper name, as shown below: But the user still not shown properly in FIM portal (under Users --> Search) as well as cannot register for password reset - getting this error: For some reason I'm starting thinking that Microsoft instructions are not really good, because they assume that you build FIM when your AD is empty, and you create ALL users in FIM, which I believe is not the case for 99.99% of the companies, so I'm not even sure why they did that. I have some additonal questions (if I may ask): 1. Do I really need both AD MA and FIM MA? What each MA does? All I need is to allow users to register for password reset and perform password reset later on when user forget their password. Nothing else. I do not want anything else! FIM seems to be too confusing and too complicated, but I have to make it work. So for password rest, do I need both MAs? 2. Why I need to sync things back and forth if I only need password reset. Can I sync AD users to FIM one way so they can be recognized by FIM to allow password registration and later on password reset? Why I need to sync anything to AD? This is scary actually. I do not want to change anything in AD! 3. When user reset password, is that going through the whole sync process, or FIM Service actually goes to AD and reset user password? If this is the case (direct reset password) why do I need to have SYNC from FIM to AD? 4. It would be nice to know what is really minimum requirements for password reset. All instructions seems to be over-complicated and extremely confusing. Even menu on the technet is tricky - depending on what button you press, menu is changing and switching to different topic. It sounds for me that this product is created to confuse people and let them know: IT is not fun any more! P.S. Just to explain what is my level of knowledge here: I'm an expert in AD, and I built first AD in 2000 that was recognized as best infrastructure solution of the year and got Microsoft fusion award 2001 for this. I'm also expert in Exchange, Lync, UM, System Centre etc. But this FIM is driving me nuts :-)

Hi, My apologies if I wasn't clear. The FIM Sync Engine is the FIM Synchronization Service Manager. When you click on one of the connectors in the second screenshot you provided, there should be a "Preview" button. If you click that you can drill down the results pane to see the attribute flows and status. That can help you to see what may be causing Display Name not to get populated. Microsoft actually doesn't assume that the AD is empty. Check out the various How Do I Guides: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f02f1114-ea84-403f-862d-c62cc92d0b45. Sounds like you may benefit from reading through those. Regarding your questions: 1. Yes--for password reset you need your users in the FIM MA and ADMA. Users have to login to register for the password registration gate (the place where they provide answers to the security questions that are presented when they try to reset their password). (http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx#step_2) 2. No--you don't need to write anything back to AD. You do need to have the users joined in the metaverse to FIM and AD. And you need to write the objectSid to the user in the FIM portal (including account name, domain and display name). 3. I don't know exactly what is happening under the covers with the password reset, but part of the configuration is turning on the password management features in the FIM Syncronization Service Manager. So, it is a required piece. 4. It does have a lot of moving pieces. And FIM does come with a large learning curve. I'd recommend really reading through the documentation--especially in the areas for password reset and the basic concepts of how FIM manages identities. It's time consuming, but possibly a better use of time than getting frustrated. Hope that helps. Thanks, Sami EDIT: another resource: http://blogs.technet.com/b/aho/.

Hi Sami, Thanks for last reply and sorry for delay - I was really busy with some other projects (since I could not finish this FIM quick I have to do some other stuff in parallel and that also takes time :-). My current status is the same so far: whatever is in the Microsoft documentation - works like a charm, everything 100% exactly how it supposed to be. But the issue is that this is not what we want - I do not want to create new users in FIM and replicate them to AD. I want to continue creating them in AD, so I guess I need to find a way (by re-configuring FIM moving pieces) how to replicate user objects from specific OU in AD to FIM, so they would be recognized when they go to Password Reset registration portal, and more importantly when they actually try resetting their password (using either Password Reset portal or Windows GINA extensions). I was wondering at this point what exactly needs to be modified in order to chieve that, and also whether or not somebody may come up with step-by-step procedure of how to do that. It is funny but I'm pretty sure that our requirements must be the same as other 99% of the people who wants to use FIM 2010 R2 for SSPR service. I cannot imagine that anybody will want to get rid of their current users in AD, can re-created them from scratch in FIN 2010 R2. Maybe after end of the world, but not now for sure. So ironically my question is still the same: is there step-by-step proceure how to configure Self-Service Password Reset for AD users using FIM 2010 R2? I know it may sounds funny, but it looks like the situation is not funny at all :-) And I still hope for the best! Thanks!

Hi Alex, Unless I'm missing something, it sounds like this guide (http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx) will give you the steps you need to sync users from AD to FIM. It describes bringing existing AD accounts into the FIM portal, which I think is what you want to do. Let me know if I'm not catching something here? Thanks, Sami

Hi Sami, Thanks for this info - unfortunately link provided does not work - this is what I get: Do you have by chance another working URL? Thanks for your help!

Looks like there's an extra ')' appended to the end of the link. Remove that and the page should load :)

see: http://social.technet.microsoft.com/wiki/contents/articles/9846.self-service-password-reset-sspr-resources.aspx <o:p></o:p> Cheers,<o:p></o:p> (HOPEFULLY THIS INFORMATION HELPS YOU!) Jorge de Almeida Pinto | MVP Identity & Access - Directory Services ------------------------------------------------------------------------------------------------------- * This posting is provided "AS IS" with no warranties and confers no rights! * Always evaluate/test yourself before using/implementing this! * DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/ ------------------------------------------------------------------------------------------------------- ################# Jorge's Quest For Knowledge ############### ###### BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ ##### #### RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/ #### -------------------------------------------------------------------------------------------------------<o:p></o:p> "SamiVV" wrote in message news:c7014912-e490-484e-bb62-67ca9da24bec@communitybridge.codeplex.com... Hi Alex, Unless I'm missing something, it sounds like this guide (http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx) will give you the steps you need to sync users from AD to FIM. It describes bringing existing AD accounts into the FIM portal, which I think is what you want to do. Let me know if I'm not catching something here? Thanks, Sami Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

Hi Jorge, Thank you for this link. I reviewed all links and URL on this page you provided, but unfortunately none of them works for me. First of all, they all talk about FIM 2010, and not 2010 R2. I know, I know, you can say: Hey, it is the same. I can assure you: they are not the same. Lots of things changed. Last year I spent full 3 months trying to configure FIM 2010 for Password Rest, and eventually gave up, mostly because lack of documentation as well as complexity of the configuration. FIM 2010 R2 looks more promising, at least Microsoft has step-by-step and "it-took-almost-2-full-days-to-implement" procedure but at least it works, the only issue is that Microsoft Lab mentioned in my reply on the top is not replicating users from AD to FIM, instead it does vice-versa. I cannot imagine who may be interested to replicate users from FIM to AD when you already have all your users in AD, but I will leave it with Microsoft and whoever created this procedure. I will stick with the last link Sami provided, at least the name looks promising, and also it looks like a "step-by-step" procedure. Thanks again to all of you guys who is trying to help me - I'm sure there are more people reading this thread and trying to figure out the same thing: how the hell this FIM 2010 R2 needs to be configured for Password Reset :-) I will keep you posted tomorrow after attempting to re-configure FIM 2010 R2 for incoming replication (i.e. AD --> FIM). Alex.

Ok, I booked 3 hours tomorrow morning to go through this procedure and implement it in FIM 2010 R2 RC as per this article: http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx One question: do I need (or should I) clean-up or remove any existing replication from FIM to AD? I really don't want to break anything in AD. So should I remove all attributes flow from FIM to AD? Would it break anything? Or just deploy this process on top of existing configuration...

Hi Alex, It depends on what all you have set up now. But, since it sounds like you don't want to write anything to AD, I'd get rid of anything that is flowing from FIM to AD. [Edit: Forgot to mention that you can disable the MPRs that are triggering the AD user provisioning as well. You don't have to completely delete them. Also, when you re-do your configuration, you might want to delete the connector spaces in the FIM Sync Service and delete any EREs or DREs that may still be lingering. http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/3db4100d-16da-4002-9708-43949659a4f8] If you can, create a Test OU in AD and be sure that is the only container FIM is managing. This way, FIM won't be looking at any real accounts. (It would be best to have a development AD if you can.) To select the OU, open the AD management agent, select "Configure Directory Partitions" and then click "Containers". You'll be prompted for credentials and then you can check the OUs for FIM to manage and leave the rest unchecked. If you want to back up your current configuration before makeing changes, follow this guide: http://technet.microsoft.com/en-us/library/ff400277(v=ws.10).aspx You'll want to do the steps for Exporting the Sync Server configuration and exporting the Policy and Schema from the portal. Good luck! Sami

Thanks again, Sami. We do not have "test" AD, we are relatively small environment and we use "test" OU, "test" server, "test" groups instead. I'm very comfortable seeing that FIM is pointing to specific OU in AD tree, this is good enough for me to believe that it won't break anything. In addition to that I granted some permissions to ADMA (this is the accound used by AD Management Agent) like Reset Password, Change Password, Read Lockout Information etc. to only this sub-OU I called "Reset Password" so I know nothing bad could happen. My current goal is to configure FIM this way that when I drop (or create) new user account in this OU and run Sync jobs (still not sure what is the orer and which one I really need to run - having 2 MA and 5 Run profiles (total 10 scenarios) still driving me crazy - would it make sence to have one "Replicate Now" button and thats it?) I want to see that this user shows up in FIM, and then can open FIM Password Registration Portal and register for password reset (i.e. answer security questions). Finally it can go and reset password by using FIM Password Rest portal or using GINA extensions (Forgot Password? on login page). I will let you know what happens tomorrow. I booked 3 hours to perform these steps and go throguh new procedure. Thanks!

we understand a lot of time, people just want SSPR for users in AD... except setup process is very hard. We are working on a QuickStart powershell module which should address the problem (basically a few cmdlets that setup enough for you to do SSPR). It should come as part of R2 if everything goes according to planThe FIM Password Reset Blog http://blogs.technet.com/aho/

Thanks, I assume you are from FIM development team working at Microsoft :-) Yes, it will be cool. I won't mind going through installation process for FIM components (FIM Service, FIM Sync Service, SharePoint Foundation 2010, FIM Portal etc.) but configuration piece is really (REALLY!) dificult and you have to be an Einstein in Identity Management to deploy this product. This does not have to be this way. I even think that the first question when launching Setup for FIM 2010 R2 should be: Are you installing FIM for SSPR? If the answer is Yes (and I'm sure these days more than 50% of people will use FIM for SSPR) then it will deploy and configure everything automatically. Asking simple questions like SQL Server and Service Accounts are fine, this is a standard process for System Center 2012 products and I like it. So I guess we can wait and hoope for the best to come? Another question: what is the current ETA for FIM 2010 R2. From what I can find in the Internet it looks like it is expected in H1 2012, but this is basically 2 months away. I hope Microsoft can make it in time as we really need this functionality soon...

I was working on FIM's SSPR. My blog http://blogs.technet.com/b/aho/ has quite a bit of info around that. There is no date i can communicate to the public beyond what is already out there. If you are under NDA, contact your MS contact and might get some more info :) The FIM Password Reset Blog http://blogs.technet.com/aho/