The server encountered an error while attempting to perform a set/change password operation
Another person with this dreaded error, after following the Password Reset Deployment Guide exactly. My architecture is as follows:
- Single forest with all servers and clients in it
- One SQL cluster containing Sync and Service DBs; SharePoint is using local Windows Internal Database
- One FIM Sync server
- One FIM Service and Portal server
- Separate service accounts for FIM Service, FIM Sync Service, FIM Portal Service, FIM Sync MA, FIM AD MA
- FIM Sync security groups are domain accounts with FIM Service acct added to all five
Best practice for securing service accounts as defined in installation guide:
- FIM Sync Server: Allow logon locally for Sync MA acct
- FIM Sync Server: Deny access from network / Deny logon as batch job / Deny logon locally for FIM Service and FIM Sync Service accts
- FIM Service/Portal Server: Deny access from network / Deny logon as batch job / Deny logon locally for FIM Service acct
I've tried the following (all in place, currently):
- Granting Allow logon locally (on FIM Sync Server) to AD MA account, as stated by Anthony Ho in recent thread with same issue (but different detailed error messages)
- Granting (temporary) Domain Admin to AD MA account (then restarting Sync and Service services)
I enabled tracing on the Pwd Reset Client (XP SP3 machine), and it dumps the following (only included the seemingly pertinent lines from the XML):
Resetting the password.
SQM: Beginning Session: ClientSession-8cd0d19f-d46c-494c-b9e1-a7884d50ff8a
Attempting to resume initial request with new SAML token.
SharedProxy: ResourceClient.Put(Put, Locale).Enter
SharedProxy: ResourceClient.Put.Enter
The server requested an anonymous interaction.
Attempting Mex Get at Address (http://<PortalServiceFQDN>:5726/ResourceManagementService/WorkflowManager/79315438-c20b-465e-bcd6-677685f2783a/7) on workflow instance 84ee81b1-b70c-4f2f-a39f-4b1b1fe8ea89
Mex Data received:
<?xml version="1.0" encoding="utf-16"?>
<xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="PWResetRequestData" nillable="true" type="PWResetRequestData" />
  <xs:complexType name="PWResetRequestData">
    <xs:sequence>
      <xs:element minOccurs="0" maxOccurs="1" name="NewPassword" type="xs:base64Binary" />
    </xs:sequence>
  </xs:complexType>
</xs:schema>
SharedProxy: ResourceFactoryClient.Open.Enter
SharedProxy: ResourceFactoryClient.Open.Exit
Performing create on the interactive workflow endpoint.
SharedProxy: ResourceFactoryClient.Create.Enter
Service fault was received.
Service fault of type DataRequiredFault was received.
PWReset activity returned status code PWUnrecoverableError.
SQM: Session is Disabled.
SQM: Ending Session: ClientSession-8cd0d19f-d46c-494c-b9e1-a7884d50ff8a
SQM: Beginning to upload 10 files.
SQM: Upload Callback: hr = 0, File Path = C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\Ilm2Client00.sqm, Http Response = 407.
SQM: Upload Callback: hr = 80000110, File Path = C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\Ilm2Client01.sqm, Http Response = 407.
... same for total of 10 files
FlushFileBuffers failed on pipe [[Unknown]] with error code [109].
PWReset activity returned status code PWUnrecoverableError.
FlushFileBuffers failed on pipe [[Unknown]] with error code [109].
FlushFileBuffers failed on pipe [[Unknown]] with error code [109].
PWReset activity returned status code PWUnrecoverableError.
The Application event log on the Pwd Reset client contains the same PWUnrecoverableError message. I don't see anything in the FIM or Application error logs on either FIM server.
Any insight or assistance is greatly appreciated!
November 15th, 2010 2:53pm
I found an Audit Failure message on the Sync server stating that the FIM Service account "has not been granted the requested logon type at this machine", with Logon Type = 3 (network)... so I removed the account from the "Deny access to this computer from the network" user right assignment, restarted the FIM Service, and it worked!
So I looked back at the "Before You Begin" section of the Installation Guide (where I got the info to configure them in this way), and there's an "Important Note" that I didn't notice was there before (or was added since I created my own documentation on the subject):
"On the FIM Synchronization Service server, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account. On the FIM Service server, you must restrict only the FIM Service service account, and not the FIM Synchronization Service service account."
So I'll fix this issue for the other user rights assignments...
November 15th, 2010 3:28pm
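
The "Important Note" quoted in the post above can be checked mechanically before password reset is tested. The following is an added example, not part of the original thread or the FIM guide: it audits the three deny-logon rights in a user-rights export against that rule. The account names (fimsync, fimservice, fimma), the CONTOSO domain and the sample export are constructed, and the input format is assumed to be the [Privilege Rights] section written by secedit /export with accounts listed by name.

```python
# Added example: audit a server's user-rights assignments against the guide's rule
# that each FIM server restricts only its own service account.
# Assumption: input is the [Privilege Rights] section produced by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# with accounts listed by name; entries exported as *SID must be resolved first.

DENY_RIGHTS = (
    "SeDenyNetworkLogonRight",      # Deny access to this computer from the network
    "SeDenyBatchLogonRight",        # Deny log on as a batch job
    "SeDenyInteractiveLogonRight",  # Deny log on locally
)
# Hypothetical account names; role -> the one account to restrict on that server.
RESTRICT_ONLY = {"sync": "fimsync", "service": "fimservice"}
FIM_ACCOUNTS = set(RESTRICT_ONLY.values())

# Constructed sample: a Sync server configured as in the first post (both accounts denied).
SAMPLE_SYNC = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = CONTOSO\fimma,*S-1-5-32-544
SeDenyNetworkLogonRight = CONTOSO\fimservice,CONTOSO\fimsync
SeDenyBatchLogonRight = CONTOSO\fimservice,CONTOSO\fimsync
SeDenyInteractiveLogonRight = CONTOSO\fimservice,CONTOSO\fimsync
"""

def parse_privilege_rights(inf_text):
    """Return {right: [lower-cased account names]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (l.strip() for l in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = [m.strip().lstrip("*").split("\\")[-1].lower()
                                    for m in members.split(",") if m.strip()]
    return rights

def audit(inf_text, role):
    """List (right, account, action) changes needed for a 'sync' or 'service' server."""
    rights, expected, findings = parse_privilege_rights(inf_text), RESTRICT_ONLY[role], []
    for right in DENY_RIGHTS:
        members = set(rights.get(right, []))
        findings += [(right, a, "remove") for a in sorted((FIM_ACCOUNTS & members) - {expected})]
        if expected not in members:
            findings.append((right, expected, "add"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYNC, "sync"):
        print(finding)
```

Run against the sample, it reports the FIM Service account for removal from all three deny rights on the Sync server, which covers both the network-logon denial behind the Logon Type 3 audit failure and the other two assignments the poster says still need fixing.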