SSPR fails while using Network Service instead of FIM service account. Where can I re-configure it?

SSPR fails when trying to reset the password. Registration is working fine. Reset is working until the last step. Then, after typing the new password twice, I get an error: "An error has occurred when trying to reset your password, please contact the helpdesk for assistance".

The following error is written in the System log:
^^^^^^^^^^^^^^^^^^^
Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          11/18/2014 3:34:32 PM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          NETWORK SERVICE
Computer:      SR0435.intranet.<client>.nl
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{000C101C-0000-0000-C000-000000000046}
and APPID
{000C101C-0000-0000-C000-000000000046}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
^^^^^^^^^^^^^^^^^^^^^

The user mentioned is not the one I expect. I expected the FIM service account to do that. Not the Network service. There is a blog here (http://www.identitychaos.com/2009/06/dcom-error-10016-and-sharepoint.html) that deals with this issue. But there the user is a service account. 

My topology is as follows:
Server 1 and 2: SharePoint 2013 farm members. No FIM components except BRIX DLLs.
Server 3: Service, Portal, SharePoint 2013 farm administration and portal. Used only by servers 1 and 2.
Server 4: SSPR password reset
Server 5: SSPR password registration
Server 6: Synchronization server

SQL server is elsewhere.

Just to be sure the servers are configured correctly, I re-ran the SSPR Password Reset installation wizard on server 4 and the Service and Portal installation wizard on server 3. The configuration is as you may expect.

I tried to add the NETWORK SERVICE to the DCOM and give it permissions. The DCOM error in the event viewer disappeared but the password reset failed as well.

The user resetting the password has sufficient permissions to reset passwords.

My first question is: why is the Network Service used and not the FIM Service account? Where can I change it?

November 19th, 2014 7:34am

Most of the persistent settings for things are documented here:

https://msdn.microsoft.com/en-us/library/ff800821(v=ws.10).aspx

However this setting is not there. The account that is used by the Password Registration Portal is "persisted both in the Application Pool Identity settings in IIS as well as In the registry on the FIM Service Server in the FIMService key of the SERVICES branch there is a value called PasswordResetServiceAccountSID" -- FIM Best Practices Vol 1 Ch 8

During the install you should have been prompted for an existing domain account that the FIM Password Reset application pool would use.

July 20th, 2015 4:46pm
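The reply above names two places where the reset account is persisted (the IIS application pool identity and the PasswordResetServiceAccountSID registry value), and the question's event 10016 names the account DCOM is actually denying. The following PowerShell is an added example, not code from the thread or from the FIM product, that reads all three so they can be compared side by side. It assumes the "FIMService key of the SERVICES branch" is HKLM\SYSTEM\CurrentControlSet\Services\FIMService, that the SSPR application pools have "Password" in their name, and that the SID value may be stored either as a string or as binary; those are assumptions, not facts from the page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Run step 1 on the FIM Service
# server and steps 2 and 3 on the SSPR portal server that logs event 10016.
Import-Module WebAdministration -ErrorAction SilentlyContinue

# 1. Registry: which account does FIM expect to perform password resets?
#    Assumption: the "SERVICES branch" is HKLM\SYSTEM\CurrentControlSet\Services.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMService'
$sidValue = (Get-ItemProperty -Path $regPath -Name 'PasswordResetServiceAccountSID' `
            -ErrorAction SilentlyContinue).PasswordResetServiceAccountSID
if ($null -ne $sidValue) {
    # Assumption: the value is either a SID string or a binary SID.
    $sid = if ($sidValue -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($sidValue, 0)
    } else {
        New-Object System.Security.Principal.SecurityIdentifier([string]$sidValue)
    }
    $expected = $sid.Translate([System.Security.Principal.NTAccount]).Value
    "Registry PasswordResetServiceAccountSID: $($sid.Value) ($expected)"
} else {
    "PasswordResetServiceAccountSID not found under $regPath (run this on the FIM Service server)"
}

# 2. IIS: which identity do the SSPR application pools really run as?
#    NetworkService here, while the registry names a domain account, matches
#    the mismatch described in the question.
if (Test-Path 'IIS:\AppPools') {
    # Assumption: SSPR pools have "Password" in their name.
    Get-ChildItem 'IIS:\AppPools' |
        Where-Object { $_.Name -like '*Password*' } |
        ForEach-Object {
            $pm = $_.processModel
            $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
            "AppPool '$($_.Name)': identityType=$($pm.identityType) identity=$identity"
        }
}

# 3. Event log: which account is DCOM denying Local Activation to?
#    The 10016 message in the question has the form
#    "... to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) ...".
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'to the user (.+?) SID \((S-[\d-]+)\)') {
            '{0:u}  DCOM denied Local Activation to {1} ({2})' -f $_.TimeCreated, $Matches[1], $Matches[2]
        } else {
            '{0:u}  DCOM 10016 (user not parsed from message)' -f $_.TimeCreated
        }
    }
```

If step 2 shows identityType=NetworkService on the reset pool while step 1 resolves to the FIM service account, the pool identity is the setting to correct (or the reset wizard to re-run with the domain account, as the reply describes); granting DCOM rights to NETWORK SERVICE, as the question reports, only silences the event without fixing the identity mismatch.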
