Weird error resetting user's password: Failed to acquire user information: 0x7f
Hi,
Need some help in understanding why Sync Service reports the following error while resetting the password. Not clear as to why ADMA is not able to acquire user information when it has all the required permissions.
Sync Service Error
The server encountered an error while attempting to perform a set/change password operation.
"ERR: MMS(1036): admaexport.cpp(2384): Failed to acquire user information: 0x7f
BAIL: MMS(1036): admaexport.cpp(2386): 0x80004005 (Unspecified error)
BAIL: MMS(1036): admaexport.cpp(2709): 0x80004005 (Unspecified error)
ERR: MMS(1036): ma.cpp(9099): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.0.3531.2"
FIM Service Error
PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005
Items tried so far:
SSPR setup as per the guide: http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx
ADMA account has got all the permissions as per: http://social.technet.microsoft.com/Forums/en/ilm2/thread/00571f75-2246-4195-83de-20820c66301a
ADMA account was even elevated as a domain admin just to try it out.
Appreciate your time reading this post. Looking forward to some guidance.
Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com
January 13th, 2011 4:33pm
Perhaps the "wmi" query being executed doesn't result in a user?
From: http://setspn.blogspot.com/2010/09/fim-sspr-fun-facts.html
WQL from verbose trace is:
WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='domain' AND Account='fdagg001')
or (FullyQualifiedDomain='domain' AND Account='fdagg001')
or (Domain='domain' AND UserPrincipalName='fdagg001')
or (FullyQualifiedDomain='domain' AND UserPrincipalName='fdagg001')
So I would suspect you need at least one of those "couplets" to be complete in order to be able to perform SSPR.
The original source:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/28fcfc43-54f6-4f8e-9602-21663d11a250
http://setspn.blogspot.com
January 13th, 2011 4:43pm
Thomas,
Thanks for bringing it up. Apparently, I cannot run this query as FIM Service as it reports Access Denied. FIM Service is set up as per the SSPR Deployment Guide. It should have all the access it needs to run this query successfully.
Further, I am able to run this query successfully as FIM Service in a different environment installed in a different domain. Something is different about this environment. Can't figure out what.
Any ideas?
Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com
January 13th, 2011 7:17pm
Are you sure you also got the "before you begin" part covered? There's a note if you are deploying SSPR:
If you are deploying password reset, do not use the Deny access to this computer from the network restriction.
If you choose to use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service, you cannot set
Deny access to this computer from the network on the FIM Synchronization Service server. If access is denied, that prohibits the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords.
At source:
http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx
http://setspn.blogspot.com
January 14th, 2011 3:17am
Update: Didn't quite resolve it but made some headway. I am now able to run the query as the FIM Service account. It turns out the Windows session I was using for wbemtest to run the query was stale. The query worked after a log-off and a re-logon to the Windows session as FIM Service.
However, the password reset still fails with the same error. With this at-least I was able to validate that the FIM Service account is able to run the WMI query to the AD connector space.
Do we know what specific attribute it looks for in the AD connector space? I am currently not pulling in lockoutTime in AD-CS. That wouldn't cause this issue, would it?
SSPR deployment guide doesn't talk about importing the lockoutTime into the AD connector space.
Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com
January 14th, 2011 5:11am
Here's the query that's happening on the CS Space:
(Domain='fim-serverad' AND Account='ikrimae') or (FullyQualifiedDomain='fimserverad' AND Account='{ikrimae}') or (Domain='fim-serverad' AND UserPrincipalName='ikrimae') or (FullyQualifiedDomain='fim-serverad' AND UserPrincipalName='ikrimae')
ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
January 14th, 2011 1:52pm
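As an added diagnostic, not code from this thread or from FIM itself, the PowerShell below runs each of the four "couplets" from the traced WQL (quoted in both posts above) as a separate query against MIIS_CSObject, so an administrator can see which domain/account pair actually resolves to a connector-space object for a given user before SSPR is attempted. It assumes the Sync Service WMI namespace is root\MicrosoftIdentityIntegrationServer; the MIIS_CSObject property names used are the ones that appear in the trace.

```powershell
# Added diagnostic (not from the thread): replay the SSPR connector-space lookup
# couplet by couplet. Run it in a fresh logon session as the FIM Service account,
# since the thread shows a stale session returning Access Denied.
# Assumption: the Sync Service WMI namespace is root\MicrosoftIdentityIntegrationServer.
param(
    [Parameter(Mandatory)] [string] $Domain,    # NetBIOS or FQDN as the user typed it, e.g. 'fim-serverad'
    [Parameter(Mandatory)] [string] $Account,   # sAMAccountName or UPN as the user typed it
    [string] $Namespace = 'root\MicrosoftIdentityIntegrationServer'
)

# Single quotes delimit WQL string literals, so escape any that appear in input.
function ConvertTo-WqlLiteral([string] $s) { return $s.Replace("'", "\'") }

$d = ConvertTo-WqlLiteral $Domain
$a = ConvertTo-WqlLiteral $Account

# The four (domain, identifier) pairs exactly as the verbose trace shows them.
$couplets = [ordered]@{
    'Domain + Account'               = "Domain='$d' AND Account='$a'"
    'FullyQualifiedDomain + Account' = "FullyQualifiedDomain='$d' AND Account='$a'"
    'Domain + UPN'                   = "Domain='$d' AND UserPrincipalName='$a'"
    'FullyQualifiedDomain + UPN'     = "FullyQualifiedDomain='$d' AND UserPrincipalName='$a'"
}

$hits = 0
foreach ($name in $couplets.Keys) {
    $query = "SELECT * FROM MIIS_CSObject WHERE ($($couplets[$name]))"
    try {
        $objs = @(Get-WmiObject -Namespace $Namespace -Query $query -ErrorAction Stop)
    } catch {
        # Access Denied here means the caller cannot reach the Sync Service WMI provider at all,
        # which is a permissions/session problem rather than a missing CS object.
        Write-Warning "$name : $($_.Exception.Message)"
        continue
    }
    if ($objs.Count -eq 0) {
        "{0,-32} no match" -f $name
        continue
    }
    $hits += $objs.Count
    "{0,-32} {1} object(s):" -f $name, $objs.Count
    $objs | Select-Object Domain, FullyQualifiedDomain, Account, UserPrincipalName | Format-Table -AutoSize
}

if ($hits -eq 0) {
    Write-Warning "No couplet resolves this user in the connector space; SSPR will report 'Failed to acquire user information'."
}
```

If every couplet returns no match while the same account is visible in the connector space in Synchronization Service Manager, compare the Domain, FullyQualifiedDomain, Account and UserPrincipalName values of that CS object with what the user types at the reset prompt.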
Yup. I saw that query when WMI Tracing was enabled. Funny thing is the 'UserPrincipalName' format. It's supposed to have the 'xyz@abc.com' format. The 'FullyQualifiedDomain' also didn't seem right.
Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com
January 14th, 2011 2:45pm
Right, it depends on how you specify the username/domain. I think if you specify a UPN to specify a user account, the right UPN term will show up (but obviously the other ones will be false).
ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
January 14th, 2011 2:54pm