I'm trying to set-up the SSPR registration portal in FIM 2010 R2 but when testing I'm receiving this error: Unauthorized User You are not authorized to register for password reset. Please contact your help desk or system administrator. (Error 3004) Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Exception of type 'Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException' was thrown. at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.RegistrationProxy.GetNextChallenge(String domain, String username, ChallengeContext gateChallengeResponse, FaultExceptionHandlerDelegate faultExceptionHandler) at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration() at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) EventData User not in FIM Service The FIM Password Registration Portal was unable to recognize the Windows identity of a user who visited the Portal. The user's identity was: xxx\Username The user's IP address was: x.x.x.x Ensure that all users who are eligible for Password Reset have their Active Directory Security Identifier (SID) synchronized into the FIM Service. The FIM Service and Sync service are running on two separate servers and I'm trying to install the reset/registration portals on a third server. Users are syncing from an SQL database to AD via FIM with no problems, I ran a powershell script (I would link to it but I'm afraid I've lost the link!) to confirm that my test users' objectSID records in AD and the portal match, they did. All the MPRs suggested in the deployment guide are enabled. Any help would be really appreciated.

Resolved it at last! For some reason, the domain in the user attribute was incorrect, reading XXX.Local instead of just XXX. Correcting and re-syncing it with AD has fixed this for my test user, now things are looking good! Cheers.