Weird error resetting user's password: Failed to acquire user information: 0x7f
Hi, need some help in understanding why the Sync Service reports the following error while resetting the password. Not clear as to why ADMA is not able to acquire user information when it has all the required permissions.

Sync Service Error: The server encountered an error while attempting to perform a set/change password operation.

"ERR: MMS(1036): admaexport.cpp(2384): Failed to acquire user information: 0x7f
BAIL: MMS(1036): admaexport.cpp(2386): 0x80004005 (Unspecified error)
BAIL: MMS(1036): admaexport.cpp(2709): 0x80004005 (Unspecified error)
ERR: MMS(1036): ma.cpp(9099): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.0.3531.2"

FIM Service Error: PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005

Items tried so far:
- SSPR setup as per the guide: http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx
- ADMA account has got all the permissions as per: http://social.technet.microsoft.com/Forums/en/ilm2/thread/00571f75-2246-4195-83de-20820c66301a
- ADMA account was even elevated to domain admin just to try it out.

Appreciate your time reading this post. Looking forward to some guidance.

Thanks & Regards, Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 13th, 2011 4:33pm

Perhaps the WMI query being executed doesn't result in a user? From http://setspn.blogspot.com/2010/09/fim-sspr-fun-facts.html, the WQL from the verbose trace is:

WQL: SELECT * FROM MIIS_CSObject WHERE (Domain='domain' AND Account='fdagg001') or (FullyQualifiedDomain='domain' AND Account='fdagg001') or (Domain='domain' AND UserPrincipalName='fdagg001') or (FullyQualifiedDomain='domain' AND UserPrincipalName='fdagg001')

So I would suspect you need at least one of those "couplets" to be complete in order to be able to perform SSPR.

The original source: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/28fcfc43-54f6-4f8e-9602-21663d11a250

http://setspn.blogspot.com
January 13th, 2011 4:43pm

Thomas, thanks for bringing it up. Apparently, I cannot run this query as FIM Service as it reports Access Denied. FIM Service is set up as per the SSPR Deployment Guide. It should have all the access it needs to run this query successfully. Further, I am able to run this query successfully as FIM Service in a different environment installed in a different domain. Something is different about this environment. Can't figure out what. Any ideas?

Thanks & Regards, Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 13th, 2011 7:17pm

Are you sure you also got the "before you begin" part covered? There's a note if you are deploying SSPR:

"If you are deploying password reset, do not use the Deny access to this computer from the network restriction. If you choose to use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server. If access is denied, that prohibits the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords."

Source: http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx

http://setspn.blogspot.com
January 14th, 2011 3:17am

Update: Didn't quite resolve it but made some headway. I am now able to run the query as the FIM Service account. It turns out the Windows session I was using for wbemtest to run the query was stale. The query worked after a log-off and a re-logon to the Windows session as FIM Service. However, the password reset still fails with the same error. With this at least I was able to validate that the FIM Service account is able to run the WMI query against the AD connector space.

Do we know what specific attribute it looks for in the AD connector space? I am currently not pulling in lockoutTime in the AD CS. That wouldn't cause this issue, would it? The SSPR deployment guide doesn't talk about importing lockoutTime into the AD connector space.

Thanks & Regards, Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 14th, 2011 5:11am

Here's the query that's happening on the CS space:

(Domain='fim-serverad' AND Account='ikrimae') or (FullyQualifiedDomain='fimserverad' AND Account='{ikrimae}') or (Domain='fim-serverad' AND UserPrincipalName='ikrimae') or (FullyQualifiedDomain='fim-serverad' AND UserPrincipalName='ikrimae')

ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
January 14th, 2011 1:52pm
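The lookup both of the posts above quote (the four "couplets" over MIIS_CSObject) can be reproduced outside of a password reset, so you can see directly whether the connector space returns one object, none, or several for a given user. The following PowerShell function is an added example, not code from the thread or from FIM itself. It assumes the FIM Synchronization Service WMI namespace is root\MicrosoftIdentityIntegrationServer (the standard one), that MIIS_CSObject exposes MaName and DN properties, and that the domain/account values are placeholders; run it from a fresh logon as the FIM Service account (the stale-session problem mentioned earlier in the thread applies here too).

```powershell
# Added example (not from the thread): run the same MIIS_CSObject lookup that
# FIM SSPR issues against the Sync Service connector space, and report how
# many connector-space objects match the user the way they typed it.
#
# Assumptions (not stated on the page): the WMI namespace name below is the
# standard FIM Sync namespace; MaName and DN are properties of MIIS_CSObject;
# the placeholder domain/account values in the usage lines are made up.

function Get-SsprCsObject {
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,   # NetBIOS name or FQDN, as the user entered it
        [Parameter(Mandatory = $true)] [string] $Account,  # sAMAccountName or UPN, as the user entered it
        [string] $ComputerName = '.'                       # FIM Sync server; '.' when run locally
    )

    # WQL string literals are single-quoted. Double any embedded single quote so
    # a user-supplied value cannot terminate the literal and alter the query
    # (the same precaution you would take for SQL).
    $d = $Domain.Replace("'", "''")
    $a = $Account.Replace("'", "''")

    # Same four couplets as the query quoted in the thread.
    $wql = @"
SELECT * FROM MIIS_CSObject WHERE
   (Domain='$d' AND Account='$a')
OR (FullyQualifiedDomain='$d' AND Account='$a')
OR (Domain='$d' AND UserPrincipalName='$a')
OR (FullyQualifiedDomain='$d' AND UserPrincipalName='$a')
"@

    # Access Denied here means the calling account lacks rights on the Sync
    # Service WMI namespace / is not in the FIM Sync security groups, which is
    # a different failure from "query ran but matched nothing".
    $hits = @(Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                            -ComputerName $ComputerName `
                            -Query $wql -ErrorAction Stop)

    switch ($hits.Count) {
        0       { Write-Warning "No connector-space object matched '$Domain' / '$Account'; none of the four couplets is complete for this user." }
        1       { Write-Verbose ("Matched one CS object in MA '{0}': {1}" -f $hits[0].MaName, $hits[0].DN) -Verbose }
        default { Write-Warning "$($hits.Count) connector-space objects matched; the lookup is ambiguous across MAs." }
    }

    # Return the raw objects so the caller can inspect Domain, FullyQualifiedDomain,
    # Account and UserPrincipalName and see which couplet actually matched.
    return $hits
}

# Usage (placeholder values, run as the FIM Service account):
# Get-SsprCsObject -Domain 'fim-serverad' -Account 'ikrimae'
# Get-SsprCsObject -Domain 'fim-serverad.local' -Account 'ikrimae@fim-serverad.local' |
#     Select-Object MaName, Domain, FullyQualifiedDomain, Account, UserPrincipalName
```

A zero-row result with no error is the case that corresponds to "Failed to acquire user information" in the opening post: the Sync Service reached WMI fine but nothing in the AD connector space carried the domain/account pair in the form the user entered it.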

Yup. I saw that query when WMI tracing was enabled. Funny thing is the 'UserPrincipalName' format. It's supposed to have the 'xyz@abc.com' format. The 'FullyQualifiedDomain' also didn't seem right.

Thanks & Regards, Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 14th, 2011 2:45pm

Right, it depends on how you specify the username/domain. I think if you specify a UPN for the user account, the right UPN term will show up (but obviously the other ones will be false).

ex-MSFT developer, now FIM/MIIS/ILM/WPF/Silverlight consultant | http://blog.aesthetixsoftware.com/
January 14th, 2011 2:54pm
