FIM 2010 R2 Password Reset Portal - Error 3001

Hi

I am getting the following error when connecting to the FIM Password Reset Portal (FIM 2010 R2):

Access Denied Loading ... 
Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)

I have also installed the Windows FIM Client on a few test Windows 7 systems to assist in password reset tests. Please note, this function works perfectly.

All the relevant FIM 2010 R2 setup manuals were followed step by step during the install.

The following error is also generated on the Password Reset Portal (Event Viewer) when I submit a request:

User unauthorized to reset password. An unauthenticated user requested to reset the password for a user who does not have permission to reset their password using the FIM Password Reset Portal. The asserted identity was: Domain\User The user's IP address was: x.x.x.x Possible causes include: (1) user error inputting their identity, (2) user is permanently locked out, and (3) malicious user attempting to enumerate valid identities and/or reset password for other users. 

Notes: The account used for testing is a valid and active account. This account is also included in the "Password Reset User Set".

Looking forward to finding a resolution to this issue.

Cheers, Franna




  • Edited by Franna81 Sunday, August 12, 2012 4:09 AM
August 8th, 2012 8:43am
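The event text quoted in the post above lists identity enumeration as one possible cause. The following is an added example, not part of the original post: it counts distinct asserted identities per source IP over records in that message format. The function name, thresholds and sample events are assumptions, PowerShell 3.0 or later is assumed, and the records are built inline because the thread gives neither the log name nor the event ID.

```powershell
# Constructed events in the (abbreviated) message format quoted above. Identities and
# addresses are made up; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
$fmt = "User unauthorized to reset password. The asserted identity was: {0} The user's IP address was: {1} Possible causes include: ..."
$sample = @(
    @('08:40:01', 'CONTOSO\alice', '192.0.2.10'), @('08:40:09', 'CONTOSO\bob', '192.0.2.10'),
    @('08:40:15', 'CONTOSO\carol', '192.0.2.10'), @('08:40:22', 'CONTOSO\dave', '192.0.2.10'),
    @('08:43:00', 'CONTOSO\erin', '198.51.100.7'), @('08:44:30', 'CONTOSO\erin', '198.51.100.7')
) | ForEach-Object {
    [pscustomobject]@{ TimeCreated = [datetime]"2012-08-08T$($_[0])"; Message = $fmt -f $_[1], $_[2] }
}

function Get-ResetEnumerationSuspects {   # hypothetical helper name
    param(
        [object[]]$Events,                                  # objects with TimeCreated and Message
        [int]$MinDistinctIdentities = 3,                    # assumed threshold
        [timespan]$Window = [timespan]::FromMinutes(10)     # assumed window
    )
    $pattern = "The asserted identity was:\s*(?<id>.+?)\s+The user's IP address was:\s*(?<ip>\S+)"
    $parsed = foreach ($e in $Events) {
        if ($e.Message -match $pattern) {
            [pscustomobject]@{ Time = $e.TimeCreated; Identity = $Matches['id'].ToLowerInvariant(); IP = $Matches['ip'] }
        }
    }
    foreach ($g in ($parsed | Group-Object IP)) {
        $rows = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $rows.Count; $i++) {
            # Slide a window forward from each event and count distinct identities inside it.
            $start = $rows[$i].Time
            $end = $start + $Window
            $ids = @($rows | Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                Select-Object -ExpandProperty Identity | Sort-Object -Unique)
            if ($ids.Count -ge $MinDistinctIdentities) {
                [pscustomobject]@{ IP = $g.Name; WindowStart = $start; Identities = $ids }
                break   # one finding per source address is enough
            }
        }
    }
}

# A user retrying their own name (198.51.100.7) is not reported; many names from one address is.
Get-ResetEnumerationSuspects -Events $sample
```

Users behind a shared proxy or NAT address share one source IP, so tune the threshold before alerting on it.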

I am also facing the same problem. My other test account is working fine, but newly created test users are able to register or reset

error screenshot below

Event log

The error page was displayed to the user.

Details:

Title: Access denied.

Message: Error processing your request: The operation was rejected because of access control policies.

Source: The supplied request content violates system rules.

Attributes:

Details: The Request contains changes that violate system constraints.

CorrelationId: 6b998175-c180-41aa-980c-8f1e67c3f8dc

RequestId: 755ea9f1-a19e-4999-937a-8591fa37ecc5

ErrorCode: 3001

CaughtTime: 08/13/2012 12:51:34

Web Portal: FIM Password Reset Portal

Session Id: ltq5dj55lidnbg45jtssw0vy

IP Address: XXXXX

August 13th, 2012 7:59am

Hi There

Please let me know if anyone can assist with this error. Help and ideas would be greatly appreciated in resolving this error.

Cheers

Franna 

August 26th, 2012 6:41am

Hi franna and ragavendra dayakar.

franna, did you get password reset to work when using the FIM client, or didn't you?

Did you flow objectSID of a user into FIM (I never tested if rich client reset will work without SID, but doubt that, also)? It won't work if you didn't.

Other errors: did you allow the FIM Service account access to the namespace? Try this http://technet.microsoft.com/en-us/library/hh824695(v=ws.10) and check if you did all the prereqs and configuration tweaks. It's pretty straightforward; if you follow it the portal will work. At least it did for me in 2 different test labs.

PS. Enable verbose errors on the portal, it helps a lot to get the idea of what is wrong. I can't find the link on how to do it now and can't really tell you a step-by-step way to do it, but it's pretty simple, has nothing to do with FIM actually, so it's easily googlable.
PPS. After reading it once again I have the feeling objectSID is the issue, at least for ragavendra dayakar.



  • Edited by 4c74356b41 Sunday, August 26, 2012 7:00 AM
August 26th, 2012 6:55am
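One way to check the objectSID point raised in the reply above, as an added example that is not part of the original thread: it reads the user's Person resource from the FIM Service with the FIMAutomation snap-in and reports whether the attribute is populated. The function name, the endpoint URI and the account name are assumptions; ObjectSID is the attribute named in the reply, while checking AccountName and Domain as well is an assumption based on the portal identifying the user as Domain\User.

```powershell
# Run on a host where the FIMAutomation snap-in is installed, as an account
# that is allowed to read the Person resource.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Test-FimPersonAttributes {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string]$AccountName,
        # Assumed endpoint: the FIM Service on the local machine.
        [string]$Uri = 'http://localhost:5725/ResourceManagementService',
        [string[]]$Required = @('AccountName', 'Domain', 'ObjectSID')
    )
    # The name is placed inside an XPath filter, so refuse quote characters.
    if ($AccountName -match "['""]") { throw "AccountName must not contain quote characters." }

    $found = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources `
            -CustomConfig "/Person[AccountName='$AccountName']")
    if ($found.Count -eq 0) {
        Write-Warning "No Person resource with AccountName '$AccountName' in the FIM Service."
        return
    }
    foreach ($person in $found) {
        $attrs = $person.ResourceManagementObject.ResourceManagementAttributes
        foreach ($name in $Required) {
            $a = $attrs | Where-Object { $_.AttributeName -eq $name }
            [pscustomobject]@{
                Account   = $AccountName
                Attribute = $name
                # An attribute that never flowed in is absent or has no value.
                Populated = [bool]($a -and ($a.Value -or $a.Values))
            }
        }
    }
}

# 'testuser' is a placeholder for the account that gets Error 3001.
Test-FimPersonAttributes -AccountName 'testuser' | Format-Table -AutoSize
```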

Hi,

I am also facing the same issue. Could you please let me know how you solved it.

Regards,

praveena B

February 1st, 2013 10:10am

>>Source: The supplied request content violates system rules.

That means the SID for the SSPR Portal AppPool accounts are not known to FIMService. Please re-run FIMService's installer and provide the appropriate SSPR Portal AppPool accounts

July 25th, 2013 2:07pm

Hi ,

As per my understanding you should cross-check the following things:

1) Check if the user is present in the Metaverse, because if the user is on the portal but not in the Metaverse then that user can register for the password but will be unable to reset.

2) Check: there are a few MPRs which the admin has to enable to allow a user password registration and reset.

Please follow the following link for the list of all required MPRs which should be enabled:

http://technet.microsoft.com/en-us/library/ee534892(v=ws.10).aspx

Hope this will help you to find your answer. If not please let me know. 

Thanks~

Giriraj Singh Bhamu

July 26th, 2013 5:29pm

>>Source: The supplied request content violates system rules.

That means the SID for the SSPR Portal AppPool accounts are not known to FIMService. Please re-run FIMService's installer and provide the appropriate SSPR Portal AppPool accounts

Confirmed this fixed an error similar to the OP's in a lab.

Thanks Anthony!

September 17th, 2013 8:09pm

Re-running the FIM Service installer will not break the current FIM Service configuration? Nor reset all of the customizations we have implemented?

December 11th, 2014 8:49pm

In my case it had been working for at least a year but a user that was recently registered (we do this automatically via powershell each day) wasn't working. 

It was only failing for them. 

So via powershell I unregistered the user for pw registration and then re-registered them.  I'm guessing something went awry during the automated process we use and one of the required objects wasn't applied to their account.  Their account *did* have the OTP password email listed.

Here's the unregister code.  (domain/username/uri are specific to your env.)

$usernamestring = ($domain + '\' + $username)

Unregister-AuthenticationWorkflow -AuthenticationWorkflowName "Password Reset AuthN Workflow" -UserName $usernamestring -Uri $uri

And here is the register code...

$wftemplate = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName "Password Reset AuthN Workflow" -URI $uri    

$usertemplate = $wftemplate.Clone()

$usertemplate.GateRegistrationTemplates[0].Data[0].Value=$personalemail

Register-AuthenticationWorkflow -UserName ($domain + "\" + $username) -AuthenticationWorkflowRegistrationTemplate $userTemplate -URI $uri


  • Edited by m_a_tt 15 hours 7 minutes ago grammar
March 18th, 2015 12:13pm


This topic is archived. No further replies will be accepted.
