Self Service Password Reset -- Validation Error (* EDITED *)
Hi all, I've got an error message when I try to 'Register for Authentication Challenge'. I searched in this forum, and on the internet, but I didn't find anything. When I try to register with my Administrator account, everything works. But when I try to register with a basic account (I mean a user I created), it doesn't. On the page "Please provide your password", I provide the correct Domain\Username and Password, and I get "Unable to validate your password at this time" as the error message. Note that basic accounts are allowed to change their password manually (I mean Ctrl+Alt+Del, Change Password...). Does anyone know anything about that??? I would really appreciate it. Thanks, Guillaume.
January 26th, 2010 11:08am

Hi, Are you referring to Password Change Notification Service or Self-Service Password Reset in FIM 2010? From your description, you seem to be talking about SSPR. Please let me know if that's not the case. I assume you are at step 1.2 described in my blog @ http://blogs.technet.com/aho/archive/2009/10/01/forefront-identity-manager-credential-management-part-1.aspx ?? If yes, I don't understand how you can "provide the correct Domain\Username" because that's a read-only field. Also, if you give an incorrect password, you should receive "The password you provided is not correct." as the error. Would you like to provide more details on your issue? Maybe screenshots? Thanks
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 27th, 2010 6:49am

Hi, Self-Service Password Reset is more correct about my issue. This is exactly the step 1.2 you described in your blog. Well, this field is read-only, you're right. I wanted to say that I was sure my password was right. When I enter a wrong password, I have this message: "The password you provided is not correct.", exactly as you said. But when the password is correct, I have: "Unable to validate your password at this time, please contact your system Administrator". Did you ever see this error before??? I'll try to give you a screenshot, but not before next Monday. My job is a part-time internship, so... Thanks for trying to fix that ;)
January 27th, 2010 5:17pm

Thanks. Looks like a server problem. Can the user log on to the server? If not, would you mind granting the "log on locally" permission and giving it a shot?
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 27th, 2010 9:23pm

Yep, the user can log on. And he has the authorization to change his own password.
January 27th, 2010 11:28pm

I think you mean this exact message, right? "Unable to validate your password at this time, please contact your system administrator." If that's the case, sorry for asking you to check the server; that's a client-side problem. It's trying to perform a call to LogonUser to validate the password: LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &t); but then I am not sure why you are hitting an error for that. Would you try to enable auditing for logon on that machine and check if you see anything interesting in the event log? I am sure that's not needed/required, but how about we try granting that user local admin rights just for the sake of troubleshooting?
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 28th, 2010 2:03am

I circulated in the feature team asking for ideas.

Suggestion 1: I would start with local policy and enable auditing of logon failures; this way one will get event log entries with some failure detail. Possible causes:
- Missing interactive logon privilege
- DC connectivity or temporal issues to locate a DC
  - Cache cleaned and:
    - transient DC connectivity issues
    - DNS issues
    - Clock skew
- Client - domain controller trust relationship problems
  - http://technet.microsoft.com/en-us/library/cc961803.aspx - see Client-Domain Controller Trust Relationships
  - http://support.microsoft.com/kb/109626 - Enabling debug logging for the Net Logon service

Suggestion 2: Or ... the account got locked in AD or tries to log on outside of the logon hours.

Also look for an interesting diag session here: http://blogs.technet.com/isablog/archive/2009/06/12/troubleshooting-authentication-issues-in-isa-server-using-net-logon-logging.aspx
The FIM Password Reset Blog http://blogs.technet.com/aho/
January 28th, 2010 2:47am

Thank you so much for your help !!!! I'll try next Monday, and I will let you know if it works. Cheers, Guillaume
January 28th, 2010 10:46am

Hi Anthony,

So, I enabled Auditing on Logon failures. Here are the details of the logon error:

Event 4625, Microsoft Windows security auditing.
Log Name: Security
Source: Microsoft Windows security
Logged: 2/1/2010 8:46:41 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxxxx.xxxxxx.lu
OpCode: Info

An account failed to log on.
Subject:
    Security ID: EFAFIM\ituser
    Account Name: ituser
    Account Domain: EFAFIM
    Logon ID: 0x5a66dc0
Logon Type: 2
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: ituser
    Account Domain: EFAFIM
Failure Information:
    Failure Reason: The user has not been granted the requested logon type at this machine.
    Status: 0xc000015b
    Sub Status: 0x0
Process Information:
    Caller Process ID: 0x22a4
    Caller Process Name: C:\Windows\System32\MsPwdRegistration.exe
Network Information:
    Workstation Name: LUXSV003094
    Source Network Address: -
    Source Port: -
Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Then, I granted the Local Admin rights to a user. Guess what, logon works.

So, I enabled Audit Privilege Use on Success, and I saw the privileges needed for the logon. I noticed some events about the authentication:
- A Kerberos authentication ticket was requested
- A Kerberos service ticket was requested
- An account was successfully logged on
- Special privileges assigned to new logon

Here are the details of the event:

Special privileges assigned to new logon.
Subject:
    Security ID: SYSTEM
    Account Name: LUXSV003094$
    Account Domain: xxxx
    Logon ID: 0x5af7714
Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege

Now, I'll try to grant these privileges to all users, and we'll see if it works.
Does it seem good???
Cheers,
Guillaume.
February 1st, 2010 11:34am
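The event 4625 posted above already names the cause (Status 0xc000015b, logon type 2), and the rest of the thread confirms it is the "Allow log on locally" user right. As an added example, not code from this thread or from FIM, the Python below parses a 4625 event body in the "Field: Value" layout shown above, decodes Logon Type, Status and Sub Status against the documented NTSTATUS values, and names the user right that gates that logon type. The event text inside it is a constructed sample modelled on the one posted above, with the domain and host renamed; the status and logon-type tables are well-known Windows values and cover the other causes Anthony's team listed (lockout, logon hours) as well.

```python
"""Triage helper for Windows Security event 4625 (logon failure) text.
Added example (not FIM code): parses the "Field: Value" body, decodes the
Logon Type and Status/Sub Status codes, and names the user right to check.
"""
import re

# Logon types as used in events 4624/4625 (documented values).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Well-known NTSTATUS values seen in Status / Sub Status of event 4625.
NTSTATUS = {
    0xC000015B: ("STATUS_LOGON_TYPE_NOT_GRANTED",
                 "account lacks the user right for this logon type on this host, "
                 "or is listed in the matching Deny right"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "bad user name or password (see Sub Status)"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "password is wrong"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "user name does not exist"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account is locked out"),
    0xC000006F: ("STATUS_INVALID_LOGON_HOURS", "logon outside permitted logon hours"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account is disabled"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "password has expired"),
}

# User right (and its Deny counterpart) that gates each logon type.
RIGHT_FOR_TYPE = {
    2: "Allow log on locally / Deny log on locally",
    3: "Access this computer from the network / Deny access to this computer from the network",
    10: "Allow log on through Remote Desktop Services / Deny log on through Remote Desktop Services",
}

# Constructed sample modelled on the event in the thread (domain and host renamed).
SAMPLE_4625 = """An account failed to log on.
Subject:
    Security ID: EXAMPLE\\ituser
    Account Name: ituser
    Account Domain: EXAMPLE
    Logon ID: 0x5a66dc0
Logon Type: 2
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: ituser
    Account Domain: EXAMPLE
Failure Information:
    Failure Reason: The user has not been granted the requested logon type at this machine.
    Status: 0xc000015b
    Sub Status: 0x0
Process Information:
    Caller Process ID: 0x22a4
    Caller Process Name: C:\\Windows\\System32\\MsPwdRegistration.exe
"""

# Non-greedy key so the first ':' splits "Caller Process Name: C:\..." correctly.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(.*)$")


def parse_event_4625(text):
    """Return {section: {field: value}}. An unindented line ending in ':' opens
    a section; 'Field: Value' lines are filed under the current section
    ('Message' before any header)."""
    sections = {"Message": {}}
    current = "Message"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
            sections.setdefault(current, {})
            continue
        m = FIELD_RE.match(raw)
        if m:
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def _find(sections, field, default=""):
    """First value of `field` in any section ("Logon Type" is not indented)."""
    for fields in sections.values():
        if field in fields:
            return fields[field]
    return default


def diagnose(sections):
    """Decode the failure into a small triage record."""
    target = sections.get("Account For Which Logon Failed", {})
    logon_type = int(_find(sections, "Logon Type", "0"))
    status = int(_find(sections, "Status", "0x0"), 16)
    sub_status = int(_find(sections, "Sub Status", "0x0"), 16)
    # A non-zero Sub Status is the more specific reason; otherwise use Status.
    name, meaning = NTSTATUS.get(sub_status or status, ("UNKNOWN", "code not in local table"))
    return {
        "account": f"{target.get('Account Domain', '?')}\\{target.get('Account Name', '?')}",
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        "status": f"0x{status:08x}",
        "sub_status": f"0x{sub_status:08x}",
        "status_name": name,
        "meaning": meaning,
        "caller": _find(sections, "Caller Process Name", "?"),
        "user_right_to_check": RIGHT_FOR_TYPE.get(logon_type, "n/a"),
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_event_4625(SAMPLE_4625)).items():
        print(f"{key:>20}: {value}")
```

Running it on the sample prints STATUS_LOGON_TYPE_NOT_GRANTED for an Interactive (type 2) logon requested by MsPwdRegistration.exe, and points at the "Allow log on locally" / "Deny log on locally" rights, which is the fix the thread ends on; the lockout and logon-hours codes correspond to Suggestion 2 above. Granting the SeDebugPrivilege-style privileges listed in the 4672 event would not address a 0xc000015b failure, since that status is about the logon right, not about privileges assigned after a successful logon.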

Hi Guillaume, To be honest with you, I don't have the knowledge to further help with your issue (I am not a security guy). Just curious, are you trying that on a client machine (not Server 2008)? Can the user log off and log on again to the machine? Sorry for not knowing the cause of this issue. -Anthony
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 1st, 2010 2:09pm

I'm doing those tests on the server. For now, I can't install the prerequisites on a client machine... But I tried to connect via a client machine, just to try to connect to the portal, and it works. I think I can solve my problem with an MPR, which allows users to register for Password Reset... Or something like that. Don't worry, I'll find out (I hope ^^). Anyway, thanks for helping ;) Guillaume.
February 1st, 2010 3:16pm

It looks like you're trying to log onto a server. Adding those privileges to all users makes all users local Admins on that server. Is that what you really want to do?
Paul Adare CTO IdentIT Inc. ILM MVP
February 1st, 2010 3:54pm

Well, it seems users don't have privileges to register for Password Reset... Of course, I don't want them to be Local Admins =P (Granting them those privileges was just a supposition.) I don't know what to do to allow them to register. It must be a privileges problem... Non-Administrators cannot register for Password Reset. Maybe I can create an MPR which allows those users. I don't know.
February 1st, 2010 4:12pm

MPR only manages rights within FIM. The issue you are seeing is because the user doesn't have enough Windows privilege. It's really a Windows security thing and has nothing to do with MPR.
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 1st, 2010 5:38pm

And by the way, to get a client, all you need is .NET 3.5... So if you can get a Win7 client, you can just domain-join the machine and install the client.
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 1st, 2010 5:46pm

To proceed with my tests, I connect to my server as a basic user... So, the 'client' already has .NET 3.5 (in my case, Client = Server). But I think this is a FIM privilege, because users can change their own passwords in Windows. I'm totally lost actually...
February 1st, 2010 7:08pm

Nope, it's not FIM privilege related. The client simply fails to verify the password you type in using LogonUser (a C++ call). FIM policy hasn't come into play yet.
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 1st, 2010 8:59pm

Try this: Local Security Policy --> Local Policies --> User Rights Management. Add the user to "Allow Log on locally" and make sure the user isn't in "Deny log on locally". Again, have you tried to log off and log on again as that user?
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 1st, 2010 9:41pm

All right!!! It works!!! Thanks Anthony. I had this error because EVERYTHING is on the same server... I will not have this error in production, of course, 'cause users will not connect to the server. But thank you =)
February 2nd, 2010 11:47am

Hm, so it seems like you have AD + FIM Service + Client installed all on the same box? Or something else?
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 2nd, 2010 11:50am

Yep, exactly. It's a test lab, just to see FIM functionalities. Especially the portal, about delegation.
February 2nd, 2010 12:00pm

Glad that I could help after a long troubleshooting exercise :)
The FIM Password Reset Blog http://blogs.technet.com/aho/
February 2nd, 2010 12:02pm
