SIMPLE QUESTION: NEED HELP ON HOW TO SETUP FIM 2010 R2 FOR USERS SELF-SERVICE PASSWORD RESET - NEED STEP-BY-STEP INSTRUCTIONS!
Hello, I'm trying to find simple and easy-to-use step-by-step instructions on how to set up FIM 2010 R2 for user self-service password reset. I successfully deployed all the components, including FIM Service, FIM Sync Service, and FIM Portal (based on SharePoint 2010), using a single server. What I cannot figure out is how to configure FIM Sync Service - it deals with what are known as Management Agents and I have no idea what to do there. The information available on the Microsoft web page (http://technet.microsoft.com/en-us/library/hh322874(v=ws.10).aspx) is not very clear to me at all. All I want and all I need is to enable end-user self-service password registration and password reset once a user is registered, using minimal steps and effort. I don't even need the IIS portion that allows registration and password reset from the internet - all I need is the Windows extensions on the GINA screen to work. I would very much appreciate it if somebody could guide me or provide a link to simple step-by-step instructions on how to set this up. I'm sure that many other people who never dealt with FIM before would be interested to see how to set up a password reset service using FIM 2010 R2. Thanks!
March 19th, 2012 10:00am
Ok, after shopping around, I finally realized that the Microsoft Test Lab Guide is not so bad. Of 8 steps, only steps 6, 7 and 8 are actually described in detail; here are direct links to these steps:
Step 6: Perform SSPR Prerequisite Tasks: http://technet.microsoft.com/en-us/library/hh824695(v=ws.10).aspx
Step 7: Configure Self-Service Password Reset: http://technet.microsoft.com/en-us/library/hh824694(v=ws.10).aspx
Step 8: Verify SSPR: http://technet.microsoft.com/en-us/library/hh824691(v=ws.10).aspx
Apparently, besides these instructions, there are lots of additional steps that are required to set up SSPR properly, and this is not described here; you need to get this info from other places. FIM 2010 for SSPR is the most cumbersome product I have ever seen! Now I have a new problem: ok, so I configured everything, and it even works! But hey, it works for the new user I created using FIM 2010. If I grab an existing AD user and put it in the special OU created during the FIM configuration process, this account does not work. No matter how many times I try to run the FIM MA to sync stuff, it does not work. During the configuration process I noticed that the Microsoft instructions rely heavily on some attributes like EmployeeID and EmployeeType, but our AD users do not have these attributes currently set. It is impossible to re-create all existing users using FIM, and there must be a way to "add" existing users under the FIM management umbrella so these users can register for SSPR and use the SSPR portal to reset their password. Here is the error message I receive if I try to register for SSPR using the non-demo account John Smith:
March 26th, 2012 9:34am
Hi Pieter,
1. Yes, all users have permissions to read the FIM portal in SharePoint:
2. I'm not sure what you mean by "FIM Portal needs to have these attributes of the ActiveDirectory user". If it works for John Smith (you know, this is the user created in FIM in one of the steps in the Microsoft documentation) then does it mean that "FIM Portal already has these attributes of the ActiveDirectory user", or is there something that needs to be done? How do I check? Where?
3. I double-checked and both MPRs are enabled (i.e. not disabled). There are actually not just two but 5 or 6 MPRs that need to be enabled, and since this is part of the documentation it was done and completed. By the way, since John Smith works, does it mean that this is already enabled?
4. Of course I do have both MAs: FIM MA and AD MA. Both created in Synchronization Service Manager, right? This is where you have 5 profiles for each MA, right? This is part of the procedure and I created them. Although (because I'm new to FIM) I hardly understand the complexity of these 10 profiles; it looks to me like lots of manual work and everything looks cumbersome, but I hope this is not the case and the only reason I see it that way is because I do not know this product well enough :-) Thanks!
March 26th, 2012 2:29pm
Ok, let's assume you have the correct Inbound Synchronization Rule in place (synchronization of 'Domain', 'AccountName' and 'ObjectSID'); have you run the correct profiles? If not: go to the synchronization engine and run the Full Import and Full Synchronization of Active Directory and then the Export profile of the FIM management agent.
March 29th, 2012 9:21am
Display Name is also a required attribute. Have you checked the metaverse for one of the users that is having an issue, to make sure the user has a connector in both FIM and AD? (In the FIM Sync Service Manager, click "Metaverse Search", find the user, double-click the user and click the "Connectors" tab.) Thanks, Sami
March 29th, 2012 12:54pm
Ok, I do have everything that is described in the Microsoft documentation (all 3 URLs are in my first post above). I tried running everything many times, and it does not seem to be doing anything. Here are some points that I completely do not understand:
1. Do I need to run these MA every time we create a new user in AD? If this is the case, it will be lots of work. There must be a way of automating these tasks
2. The initially created JSMITH (John Smith) still works: password registration, password reset, everything works beautifully. Somehow creating another user in FIM using the same process as JSMITH does not work any more, even if I run the AD and FIM MA with all profiles many times
3. Even though a user created in FIM works OK (JSMITH), this is not what we are looking for. We already have 600+ users in AD and I'm not going to re-create them in FIM. So I moved one existing user into the FIM-scoped OU, but this account does not go to FIM and FIM does not allow registering or resetting the password for this user
4. I have to perform my tests slowly. I cannot point FIM to the OU where 600 production users reside unless everything is tested. I do see the possibility of wiping out everything if I do something wrong, and I want to prevent this. So I want to make sure that I can do one existing user first before expanding the scope
5. In the Microsoft documentation they talk heavily about the employeeID attribute, but we do not use it at this time. Does it mean that I must configure this attribute before I can use FIM for password reset? If this is the case it simply does not make sense to me
6. I'm not clear what the "Domain" attribute is. If I open ADUC and go to Attribute Editor, there is no such attribute in any user object. Am I missing something?
All I want is to be able to register for password reset and perform password reset. Not sure why this is so complicated...
March 29th, 2012 1:18pm
Well, good question. I have a total of 3 users I'm trying to play with right now, with different flavours:
1. John Smith, was created in FIM as in the Microsoft documentation example, and all works (password registration, password reset, sync etc.):
2. Fred Flinstone, was created a couple of days after John Smith, the same way (in FIM), somehow does not sync to AD and as a result there is nothing I can do about it (because it is not in AD):
3. Betty Rubble, this is an existing user in AD; I just moved it from the active OU to the Password Reset OU (same as John Smith) hoping that this user would be recognized by FIM, but unfortunately the magic did not happen, and I'm not sure why. I populated the employeeID attribute just in case but still no luck.
Funny thing: I have no idea even what to do now. Since JSMITH is working I assume that FIM is working, but I cannot expand this onto existing users, and even a new user created in FIM does not work anymore. Completely confused now :-( but thanks for helping me anyway! I'm open to any suggestions!
March 29th, 2012 2:07pm
Hi, SamiVV is on the right track. Fred Flinstone is not created in ActiveDirectory because he does not have an Expected Rule Entry. You need to define a FIM triple, as explained in the tutorial and in this post by my colleague Peter Geelen: http://identityunderground.wordpress.com/2011/08/05/fim-triple-definition-terminology/
Let me answer some of your questions above:
1. Do I need to run these MA every time we create a new user in AD? If this is the case, it will be lots of work. There must be a way of automating these tasks
>> They need to be run periodically. This can be automated. If you open the sync engine and go to 'Management Agents', click 'Configure Run Profiles'. There you will find a button which will create a VBS script.
6. I'm not clear what the "Domain" attribute is. If I open ADUC and go to Attribute Editor, there is no such attribute in any user object. Am I missing something? All I want is to be able to register for password reset and perform password reset. Not sure why this is so complicated...
>> The domain attribute is present in the FIM Portal, but not in AD. If you have just one AD domain, you can configure your inbound synchronization rule to set a static value (your domain name).
Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
March 29th, 2012 4:15pm
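Pieter's run order (AD MA Full Import and Full Synchronization, then FIM MA Export) and the VBS script that "Configure Run Profiles" generates both go through the Sync Service's WMI provider. The script below is an added example, not code from this thread or from Microsoft: it runs that sequence from PowerShell, adds a confirming Delta Import and Delta Synchronization of the FIM MA afterwards, and stops at the first profile that does not return success. The MA names 'AD MA' and 'FIM MA' and the profile names are assumptions taken from how the thread refers to them; it has to run on the Sync Service server under an account in the FIMSyncAdmins or FIMSyncOperators group.

```powershell
# Added example (not from the thread). Runs the AD -> FIM sequence through
# the Sync Service WMI provider, the same interface the generated VBS uses.
# Assumed names: $AdMa, $FimMa and the profile names below; change them to
# match what Synchronization Service Manager shows.
param(
    [string]$AdMa  = 'AD MA',
    [string]$FimMa = 'FIM MA'
)

$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-FimMa([string]$Name) {
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found in $Namespace" }
    return $ma
}

function Invoke-FimRunProfile([string]$MaName, [string]$Profile) {
    $ma = Get-FimMa $MaName
    Write-Host ("{0,-8} {1,-22} " -f $MaName, $Profile) -NoNewline
    # Execute() returns the run's outcome string, e.g. 'success',
    # 'completed-export-errors' or 'stopped-extension-dll-exception'.
    $result = $ma.Execute($Profile).ReturnValue
    Write-Host $result
    return $result
}

# Pieter's order: import and synchronize AD so existing users are projected
# into the metaverse, export the result to the FIM Service, then import and
# synchronize the FIM MA to confirm the export (the confirming import is a
# common addition, not something the thread states).
$Sequence = @(
    @{ Ma = $AdMa;  Profile = 'Full Import' },
    @{ Ma = $AdMa;  Profile = 'Full Synchronization' },
    @{ Ma = $FimMa; Profile = 'Export' },
    @{ Ma = $FimMa; Profile = 'Delta Import' },
    @{ Ma = $FimMa; Profile = 'Delta Synchronization' }
)

foreach ($step in $Sequence) {
    $outcome = Invoke-FimRunProfile -MaName $step.Ma -Profile $step.Profile
    if ($outcome -ne 'success') {
        # 'completed-*-errors' means the run finished with per-object errors;
        # 'stopped-*' means it did not finish. Either way, check Operations in
        # the Synchronization Service Manager before running the next step.
        Write-Warning "$($step.Ma) / $($step.Profile) returned '$outcome'; stopping."
        break
    }
}
```

Scheduling this script with Task Scheduler is the periodic run Pieter mentions. Stopping on anything other than 'success' is deliberate: exporting to the FIM MA after a synchronization that ended in errors would push an incomplete picture into the portal, which is exactly the "(No display name)" symptom discussed later in the thread.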
Thanks guys, you are really trying to help, I appreciate this. Let's forget about Fred - I deleted it for now. Then I created another user in FIM (Velma Dinkley), ran the MA syncs, and it went to AD no problem. So we can consider that maybe something was wrong when I created Fred in the first place. Anyway it looks like it is working fine now. Most important question: why are existing AD users not coming to FIM? What do I need to do to make this happen? Having users created in FIM replicated to AD may be a miracle, but this is not what I need at the end of the day. What I need is to be able to allow password reset for AD users who were created in AD before FIM. My understanding is that all I have to do is move users from their current OU to the OU that is covered by FIM. During FIM configuration, specifically when I created the AD MA, I had to specify the OU that is used by FIM, right? So why, when I move an existing AD user to this OU, are they not picked up by FIM? Am I missing something? Probably this is pretty much the last challenge I have. Thanks!
March 29th, 2012 4:58pm
You need an inbound synchronization rule on ActiveDirectory. There, you can check the checkbox named 'Create a resource in FIM'. This will project the user to the FIM Sync Metaverse on a Synchronization run from ActiveDirectory. This article provides some explanation about this scenario: http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx I think you have covered the first part, so you might want to skip to the 'Configuring the FIM Service' part.
Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
March 30th, 2012 2:46am
Here are some of the numerous settings that I configured as per the Microsoft article mentioned in my first post. Is there anything that should be changed there to make sync work from AD to FIM? I'm just not completely clear on what I'm missing and what needs to be done. It is very strange why they would provide only instructions on how to provision users from FIM to AD, when most companies already have existing users in AD. Here we go:
April 2nd, 2012 12:52pm
April 2nd, 2012 12:53pm
And the last 2 screens:
April 2nd, 2012 12:53pm
If your issue is getting users created in the FIM portal, then you need to have "Create resource in FIM" checked. Also, I don't see an attribute flow for "Domain" which you will need to have set.
April 2nd, 2012 1:30pm
Ok, thank you. The last message worked 50%: the first statement was clear, I implemented it (i.e. checked the "Create resource in FIM" checkbox), and after performing a SYNC I got the existing user to show up in FIM, but it is shown very weird - I can see this: When I click on this user ((No display name)) everything is empty - I assume that this is my existing AD user that I moved to the Reset Password OU. If I click on the Provisioning tab (all other tabs contain no information - all empty) I can see this: So I assume that I'm missing something, like an Inbound Attribute flow, but I'm not sure how to create it. Please advise!
April 2nd, 2012 3:15pm
Hi, Can you check in the sync engine with a preview on this user and see if there are any "not applied" or empty values for the display name? Thanks, Sami
April 3rd, 2012 9:55am
Hi Sami, You see, when you say something that is not clear to me, I get extremely frustrated, because this is something that confuses me 100%. For example, what do you mean by SYNC engine? I know there are 2 main things there: the FIM management portal (this is the one built on top of SharePoint) and Synchronization Service Manager - the one with the green icon and two white arrows. I would assume that you are talking about Synchronization Service Manager, right? So if I go to Metaverse Search, I do see this user with the proper name, as shown below: But the user is still not shown properly in the FIM portal (under Users --> Search) and also cannot register for password reset - getting this error: For some reason I'm starting to think that the Microsoft instructions are not really good, because they assume that you build FIM when your AD is empty, and you create ALL users in FIM, which I believe is not the case for 99.99% of companies, so I'm not even sure why they did that. I have some additional questions (if I may ask):
1. Do I really need both the AD MA and FIM MA? What does each MA do? All I need is to allow users to register for password reset and perform password reset later on when they forget their password. Nothing else. I do not want anything else! FIM seems to be too confusing and too complicated, but I have to make it work. So for password reset, do I need both MAs?
2. Why do I need to sync things back and forth if I only need password reset? Can I sync AD users to FIM one way so they can be recognized by FIM to allow password registration and later on password reset? Why do I need to sync anything to AD? This is scary actually. I do not want to change anything in AD!
3. When a user resets a password, does that go through the whole sync process, or does the FIM Service actually go to AD and reset the user password? If this is the case (direct password reset) why do I need to have SYNC from FIM to AD?
4. It would be nice to know what the real minimum requirements for password reset are.
All instructions seem to be over-complicated and extremely confusing. Even the menu on TechNet is tricky - depending on what button you press, the menu changes and switches to a different topic. It sounds to me like this product was created to confuse people and let them know: IT is not fun any more! P.S. Just to explain what my level of knowledge is here: I'm an expert in AD, and I built first AD in 2000 that was recognized as best infrastructure solution of the year and got the Microsoft Fusion award 2001 for this. I'm also an expert in Exchange, Lync, UM, System Centre etc. But this FIM is driving me nuts :-)
April 3rd, 2012 10:14am
Hi Sami, Thanks for the last reply and sorry for the delay - I was really busy with some other projects (since I could not finish this FIM quickly I have to do some other stuff in parallel and that also takes time :-). My current status is the same so far: whatever is in the Microsoft documentation works like a charm, everything 100% exactly how it is supposed to be. But the issue is that this is not what we want - I do not want to create new users in FIM and replicate them to AD. I want to continue creating them in AD, so I guess I need to find a way (by re-configuring FIM moving pieces) to replicate user objects from a specific OU in AD to FIM, so they would be recognized when they go to the Password Reset registration portal, and more importantly when they actually try resetting their password (using either the Password Reset portal or Windows GINA extensions). I was wondering at this point what exactly needs to be modified in order to achieve that, and also whether or not somebody may come up with a step-by-step procedure of how to do that. It is funny but I'm pretty sure that our requirements must be the same as for the other 99% of people who want to use FIM 2010 R2 for the SSPR service. I cannot imagine that anybody would want to get rid of their current users in AD and re-create them from scratch in FIM 2010 R2. Maybe after the end of the world, but not now for sure. So ironically my question is still the same: is there a step-by-step procedure on how to configure Self-Service Password Reset for AD users using FIM 2010 R2? I know it may sound funny, but it looks like the situation is not funny at all :-) And I still hope for the best! Thanks!
April 23rd, 2012 3:05pm
Hi Alex, Unless I'm missing something, it sounds like this guide (http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx) will give you the steps you need to sync users from AD to FIM. It describes bringing existing AD accounts into the FIM portal, which I think is what you want to do. Let me know if I'm not catching something here? Thanks, Sami
April 23rd, 2012 4:25pm
Hi Sami, Thanks for this info - unfortunately the link provided does not work - this is what I get: Do you have by chance another working URL? Thanks for your help!
April 23rd, 2012 8:42pm
Looks like there's an extra ')' appended to the end of the link. Remove that and the page should load :)
April 23rd, 2012 9:07pm
see: http://social.technet.microsoft.com/wiki/contents/articles/9846.self-service-password-reset-sspr-resources.aspx
Cheers, (HOPEFULLY THIS INFORMATION HELPS YOU!)
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
Jorge's Quest For Knowledge - BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ - RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/
Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
April 24th, 2012 8:52am
Hi Jorge, Thank you for this link. I reviewed all links and URLs on the page you provided, but unfortunately none of them works for me. First of all, they all talk about FIM 2010, and not 2010 R2. I know, I know, you can say: Hey, it is the same. I can assure you: they are not the same. Lots of things changed. Last year I spent a full 3 months trying to configure FIM 2010 for Password Reset, and eventually gave up, mostly because of the lack of documentation as well as the complexity of the configuration. FIM 2010 R2 looks more promising; at least Microsoft has a step-by-step and "it-took-almost-2-full-days-to-implement" procedure, but at least it works. The only issue is that the Microsoft Lab mentioned in my reply at the top is not replicating users from AD to FIM, instead it does vice versa. I cannot imagine who may be interested in replicating users from FIM to AD when you already have all your users in AD, but I will leave it with Microsoft and whoever created this procedure. I will stick with the last link Sami provided; at least the name looks promising, and also it looks like a "step-by-step" procedure. Thanks again to all of you guys who are trying to help me - I'm sure there are more people reading this thread and trying to figure out the same thing: how the hell this FIM 2010 R2 needs to be configured for Password Reset :-) I will keep you posted tomorrow after attempting to re-configure FIM 2010 R2 for incoming replication (i.e. AD --> FIM). Alex.
April 24th, 2012 10:12am
Ok, I booked 3 hours tomorrow morning to go through this procedure and implement it in FIM 2010 R2 RC as per this article: http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx One question: do I need to (or should I) clean up or remove any existing replication from FIM to AD? I really don't want to break anything in AD. So should I remove all attribute flows from FIM to AD? Would it break anything? Or just deploy this process on top of the existing configuration...
April 24th, 2012 10:52am
Thanks again, Sami. We do not have a "test" AD; we are a relatively small environment and we use a "test" OU, "test" server, "test" groups instead. I'm very comfortable seeing that FIM is pointing to a specific OU in the AD tree; this is good enough for me to believe that it won't break anything. In addition to that I granted some permissions to ADMA (this is the account used by the AD Management Agent) like Reset Password, Change Password, Read Lockout Information etc. to only this sub-OU I called "Reset Password", so I know nothing bad could happen. My current goal is to configure FIM this way: when I drop (or create) a new user account in this OU and run Sync jobs (still not sure what the order is and which ones I really need to run - having 2 MAs and 5 Run profiles (total 10 scenarios) is still driving me crazy - would it make sense to have one "Replicate Now" button and that's it?) I want to see that this user shows up in FIM, and then can open the FIM Password Registration Portal and register for password reset (i.e. answer security questions). Finally it can go and reset the password by using the FIM Password Reset portal or using the GINA extensions (Forgot Password? on the login page). I will let you know what happens tomorrow. I booked 3 hours to perform these steps and go through the new procedure. Thanks!
April 24th, 2012 11:24am
We understand a lot of the time people just want SSPR for users in AD... except the setup process is very hard. We are working on a QuickStart PowerShell module which should address the problem (basically a few cmdlets that set up enough for you to do SSPR). It should come as part of R2 if everything goes according to plan.
The FIM Password Reset Blog http://blogs.technet.com/aho/
April 24th, 2012 1:57pm
Thanks, I assume you are from the FIM development team working at Microsoft :-) Yes, it will be cool. I won't mind going through the installation process for FIM components (FIM Service, FIM Sync Service, SharePoint Foundation 2010, FIM Portal etc.) but the configuration piece is really (REALLY!) difficult and you have to be an Einstein in Identity Management to deploy this product. This does not have to be this way. I even think that the first question when launching Setup for FIM 2010 R2 should be: Are you installing FIM for SSPR? If the answer is Yes (and I'm sure these days more than 50% of people will use FIM for SSPR) then it will deploy and configure everything automatically. Asking simple questions like SQL Server and Service Accounts is fine; this is a standard process for System Center 2012 products and I like it. So I guess we can wait and hope for the best to come? Another question: what is the current ETA for FIM 2010 R2? From what I can find on the Internet it looks like it is expected in H1 2012, but this is basically 2 months away. I hope Microsoft can make it in time as we really need this functionality soon...
April 24th, 2012 3:07pm
I was working on FIM's SSPR. My blog http://blogs.technet.com/b/aho/ has quite a bit of info around that. There is no date I can communicate to the public beyond what is already out there. If you are under NDA, contact your MS contact and you might get some more info :)
The FIM Password Reset Blog http://blogs.technet.com/aho/
April 24th, 2012 3:28pm
Hi Anthony, I guess the time has come - on June 1st Microsoft released the RTM version of FIM 2010 R2. I already downloaded it and am ready to deploy. Can you please point me to the magic script that was promised to help with the SSPR deployment? I'm anxious to see how this thing works. So far I was not able to find any script - is it something inside the FIM 2010 R2 ISO image, or do I need to download it separately? Please advise, I need this badly (ASAP). Thanks!
June 18th, 2012 8:19am
IIRC, look into FIMSync's installation directory; there is a Tool folder with QuickStart.zip in it. It offers PowerShell cmdlets to set up all the MAs for you.
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 18th, 2012 11:21am
Thanks Anthony for the quick reply. I found the file (QuickStart.zip) and extracted it to a temporary folder. It contains 2 (two) PowerShell scripts, one XML file and several DLLs. New question: what am I supposed to do with these files? Should I run both on my FIM server? Does it matter in what order? Is there documentation? Now what about this FIM Portal configuration? It includes lots of steps and I believe that the original documentation still wants me to create John Smith in FIM and replicate to AD, but this is not what I need!!! I need to be able to replicate my existing users from AD to FIM so they can register for password reset and actually perform password reset (e.g. by using the GINA add-in - the Forgot Password? thing). Is that covered? Is there step-by-step documentation on how to do that? Not how to create a new user in FIM and replicate to AD, but how to replicate existing AD users to FIM and allow them to register and reset their password. Additional question: we are currently not using the Employee ID and Employee Type attributes, but the documentation insists on replicating them. Is that really necessary? Can I just not replicate them? All I want is to configure SSPR in FIM, and nothing else. Thanks!
June 18th, 2012 2:30pm
http://blogs.technet.com/b/aho/archive/2012/06/12/fim-2010-r2-self-service-password-reset-deployment-guide.aspx QuickStart essentially sets up the minimal stuff to let you enable SSPR for existing users in your AD. QuickStart should create MAs and sync in your users from AD to FIM so they can use SSPR.
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 18th, 2012 2:34pm
Ok, sounds good so far, but now I'm scared:
1. The MA needs to point to a specific OU - until I'm very comfortable I don't want to point to the OU that contains ALL production users - would this script ask me to point to this OU? Or do I need to go and set it up manually?
2. You said it will sync users - would it do that as part of the script run, or do I still need to run it manually? If manually, do I need to create Run profiles?
3. Does this script create both - FIM MA and AD MA? Or only one?
4. I have no problem creating MAs, in fact I already created them as well as 10 Run profiles - does it mean that I no longer need these scripts? How about the FIM Portal configuration, the one with the 50 pages of step-by-step procedure - is it still required? Is there documentation for this QuickStart?
June 18th, 2012 2:39pm
And yes, I got this document - but apparently this is not a good one - it does not have any information about configuring the FIM portal. For example, the steps described here are not in this document: http://technet.microsoft.com/en-us/library/hh824695(v=ws.10).aspx Also there is no mention of SPN, delegation, and custom headers for the password registration and password reset portals. Do I still need them? Several months ago I was able to re-create a configuration where John Smith was created in FIM and replicated to AD and could reset his password, but I had to use different web pages and make cumulative changes from multiple places. I did not find a single document that says how to do SSPR from A to Z. This is a big problem. Maybe I'm the only one confused here, but somehow I think that most people are not able to figure this out and then either do nothing or switch to a 3rd party. Thanks!
June 18th, 2012 2:50pm
MA needs to point to a specific OU - until I'm very comfortable I don't want to point to the OU that contains ALL production users - would this script ask me to point to this OU? Or do I need to go and set it up manually?
[shane] Makes sense. Create or request the creation of an OU with a smaller number of users.
You said it will sync users - would it do that as part of the script run, or do I still need to run it manually? If manually, do I need to create Run profiles?
[shane] The script will create the run profiles for you. It will optionally run them based on the RunInitialLoad parameter. See the quickstart documentation.
3. Does this script create both - FIM MA and AD MA? Or only one?
[shane] Both. Including, as mentioned above, the required run profiles.
I have no problem creating MAs, in fact I already created them as well as 10 Run profiles - does it mean that I no longer need these scripts?
[shane] The quickstart is all about getting something up and running quickly. It may or may not be appropriate to use it as the basis for a real customer deployment. It will not run if it detects any existing sync configuration.
How about the FIM Portal configuration, the one with the 50 pages of step-by-step procedure - is it still required?
[shane] The quick start is primarily focused on configuring user sync; however we do enable the MPRs required to be able to use SSPR. You will still need to go and modify the out-of-the-box authentication workflow to meet the security policy requirements.
Is there documentation for this QuickStart?
[shane] Yes: http://technet.microsoft.com/en-us/library/jj134276(v=ws.10)
With regard to your latest post: the Quickstart assumes that you have set up FIM already. I sympathize with the fact that there are still a number of steps required to properly set up and configure FIM. If something was unpleasant, from a setup experience, please do not hesitate to say so. Thanks shane
June 18th, 2012 3:28pm
Hello, I used QuickStart and everything worked like a charm! I got one small problem at the very end - when a user resets his password, I get this error - username format does not match: How can I resolve it? The user has both names - UPN and pre-Windows 2000 - configured.
June 22nd, 2012 4:16pm
It's by design that the disabled textbox will show the NT4 format and the NOTE will show the UPN format.
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 22nd, 2012 4:20pm
Ok, I see. The issue is that I still get an error on the very last step - the actual password reset. When I do this via the GINA extension I get this error: When I do this in the web portal, I get this error: What is the best and quickest way to check what the issue is? Can you please advise? So far you were extremely helpful, thank you very much for this. I hope we can close this case soon.
June 22nd, 2012 9:08pm
And this is the error I found in the FIM Event Log - I hope this could help to understand the issue better:
June 22nd, 2012 9:12pm
PWUnrecoverableError means something bad happened on the FIMService side. Go to FIMService's machine, Event Viewer --> Applications and Services Logs --> ForefrontIdentityManagement. Look for errors coming from FIMService, the one with a stack trace related to "ResetPasswordHelper".
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 23rd, 2012 12:04am
Thanks Anthony. I did a clean password reset after rebooting the server (just in case), and every time I try to reset a password I get these 6 errors in the FIM Event Log. Here is the content of each error (from bottom to top):

Warning 1:
==================================
Unable to resolve resource:Microsoft.ResourceManagement.Workflow.Activities.PWResetActivity.rules.

Error 2:
==================================
System.Management: System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

Warning 3:
==================================
System.Workflow.ComponentModel.WorkflowTerminatedException: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException'

Error 4:
==================================
The web portal received a fault error from the FIM service.
Details: Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
Web Portal: FIM Password Reset Portal
Session Id: kceg5m45ccyghh55cnmy1fvt
IP Address: XX.XX.XX.XX

Error 5:
==================================
Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Error 6:
==================================
The error page was displayed to the user.
Details:
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source:
Attributes:
Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3000
CaughtTime: 06/24/2012 20:41:28
Web Portal: FIM Password Reset Portal
Session Id: kceg5m45ccyghh55cnmy1fvt
IP Address: XX.XX.XX.XX
June 24th, 2012 8:53pm
>>Error 2:
>>==================================
>>System.Management: System.Management.ManagementException: Access denied
>>   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
>>   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
>>   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

The FIMService service a/c is not in the FIMSyncPasswordSet group. Fix that, then restart FIMSync, then restart FIMService (in that order).
The FIM Password Reset Blog http://blogs.technet.com/aho/
June 24th, 2012 10:25pm
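The check Anthony describes, as an added PowerShell example that is not part of the thread or of any FIM script: on the (single) FIM server it reads which account the FIM Service runs as, lists the members of the local FIMSyncPasswordSet group through the WinNT ADSI provider, and only if the account is missing adds it and restarts the two services in the order given above. The Windows service names 'FIMSynchronizationService' and 'FIMService' are assumptions; adjust them if your installation differs.

```powershell
# Added example (not from the thread). Run elevated on the FIM Sync / FIM Service box.
# Assumed service names; check with Get-Service if yours differ.
$syncServiceName = 'FIMSynchronizationService'
$fimServiceName  = 'FIMService'
$groupName       = 'FIMSyncPasswordSet'   # local group created by the Sync Service install

# 1. Which account does the FIM Service run as (e.g. CONTOSO\svc-fimservice)?
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$fimServiceName'"
if (-not $svc) { throw "Service '$fimServiceName' not found on this machine." }
$serviceAccount = $svc.StartName
Write-Host "FIM Service runs as: $serviceAccount"

# 2. Enumerate the local group's members via ADSI (WinNT provider).
$group   = [ADSI]"WinNT://./$groupName,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
# ADsPath looks like WinNT://CONTOSO/svc-fimservice; normalise to DOMAIN\user.
$memberNames = $members | ForEach-Object {
    ($_ -replace '^WinNT://', '') -replace '/', '\'
}

# 3. Compare (PowerShell -contains is case-insensitive) and remediate if needed.
if ($memberNames -contains $serviceAccount) {
    Write-Host "$serviceAccount is already a member of $groupName - nothing to do."
}
else {
    Write-Warning "$serviceAccount is NOT in $groupName; this is what surfaces as 'Access denied' in ResetPasswordHelper."
    $domain, $user = $serviceAccount -split '\\', 2
    if ($domain -eq '.') { $domain = $env:COMPUTERNAME }   # local account case
    $group.Add("WinNT://$domain/$user,user")

    # Group membership is only picked up when the service's logon token is rebuilt,
    # so both services must be restarted: Sync Service first, then FIM Service.
    Restart-Service -Name $syncServiceName -Force
    Restart-Service -Name $fimServiceName  -Force
    Write-Host "Added $serviceAccount to $groupName and restarted both services."
}
```

The restart order matters because the FIM Service calls into the Sync Service's WMI provider for the actual reset; if the Sync Service is restarted after the FIM Service, the FIM Service's cached connection can still fail.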
Great, I tried this and it worked like a charm. Thank you very much! As a next step I will try to move other users to the "Password Reset" OU and see if they replicate automatically; I would assume they would not? If they do not replicate automatically, what would be the best way to complete this perhaps last step? Is there a single script that can be scheduled to run, let's say, every few hours so that when new users are created they get synced to FIM automatically? Almost there, thanks again for your amazing help and support!!!
June 25th, 2012 9:12am
Ok, it has been completed, and everything is working properly. Thank you very much for your help, Anthony! I automated the scripts with the FIMMA account (using Task Scheduler) and configured them to run daily at night (3 a.m.). I also added another OU with more users and they were able to register and reset their passwords too. Great! So this case is now closed. I hope that many other people can now install and use FIM 2010 R2 using the QuickStart scripts. Thank you!
July 17th, 2012 9:20am
Another thing you can consider is to run the sync cycle continuously (i.e. put the script in a loop instead of running it once a day). Make sure you clean the run history regularly.
The FIM Password Reset Blog http://blogs.technet.com/aho/
July 17th, 2012 11:17am
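The continuous sync cycle with regular run-history cleanup suggested in the last reply, as an added PowerShell example that is not part of the thread or of the QuickStart scripts: it drives the management agents through the Sync Service's WMI provider (MIIS_ManagementAgent.Execute for each run profile, MIIS_Server.ClearRuns to prune history) and loops with a sleep between cycles. The management agent names 'ADMA' and 'FIMMA', the run profile names, the 10-minute interval and the 7-day retention are assumptions; use the names from your own Synchronization Service Manager.

```powershell
# Added example (not from the thread). Run as an account that is allowed to operate
# the Sync Service (e.g. a member of the FIMSyncAdmins / FIMSyncOperators groups).
$ns = 'root\MicrosoftIdentityIntegrationServer'

# One sync cycle, in order: import both sides, sync both sides, export both sides.
# MA and run profile names are assumptions - adjust to your configuration.
$cycle = @(
    @{ MA = 'ADMA';  Profile = 'Delta Import' },
    @{ MA = 'FIMMA'; Profile = 'Delta Import' },
    @{ MA = 'ADMA';  Profile = 'Delta Synchronization' },
    @{ MA = 'FIMMA'; Profile = 'Delta Synchronization' },
    @{ MA = 'FIMMA'; Profile = 'Export' },
    @{ MA = 'ADMA';  Profile = 'Export' }
)

function Invoke-RunProfile([string]$maName, [string]$profileName) {
    # Execute() blocks until the run finishes and returns the run result string
    # ("success", "completed-no-objects", "completed-export-errors", ...).
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$maName'"
    if (-not $ma) { throw "Management agent '$maName' not found." }
    $result = $ma.Execute($profileName).ReturnValue
    Write-Host ("{0:u}  {1,-6} {2,-22} -> {3}" -f (Get-Date), $maName, $profileName, $result)
    return $result
}

function Clear-OldRunHistory([int]$keepDays) {
    # ClearRuns removes run history older than the given date; the date string is
    # assumed to be UTC in 'yyyy-MM-dd HH:mm:ss' form.
    $server = Get-WmiObject -Namespace $ns -Class MIIS_Server
    $cutoff = (Get-Date).AddDays(-$keepDays).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
    $rc = $server.ClearRuns($cutoff).ReturnValue
    Write-Host ("{0:u}  ClearRuns(older than {1}) -> {2}" -f (Get-Date), $cutoff, $rc)
}

$intervalMinutes = 10   # assumed pause between cycles
$keepDays        = 7    # assumed run-history retention

while ($true) {
    foreach ($step in $cycle) {
        $rc = Invoke-RunProfile $step.MA $step.Profile
        if ($rc -ne 'success' -and $rc -ne 'completed-no-objects') {
            # Do not stop the loop on a partial failure, but make it visible in the transcript/log.
            Write-Warning "Run profile '$($step.Profile)' on '$($step.MA)' ended with '$rc'"
        }
    }
    Clear-OldRunHistory -keepDays $keepDays
    Start-Sleep -Seconds ($intervalMinutes * 60)
}
```

Because the steps run sequentially, ClearRuns never races a run in progress. If you schedule this with Task Scheduler instead of a service wrapper, set the task to "do not start a new instance" so two loops never drive the same management agent at once.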