Password reset: System.Management.ManagementException: Access denied
Hi,
I'm running FIM 2010 RC1 Update 2.
I configured self-service password reset using this guide:
http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx
- Users are able to register for self-service password reset.
- I can reach the "new password" prompt when the correct answers are provided.
- But after that, the user gets the message "We were unable to reset your password"...
After enabling FIM Service debug tracing, I got this error:
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>3</EventID>
<Type>3</Type>
<SubType Name="Error">0</SubType>
<Level>2</Level>
<TimeCreated SystemTime="2009-12-11T12:24:41.1914184Z" />
<Source Name="Microsoft.ResourceManagement" />
<Correlation ActivityID="{391b811e-53e0-469f-9fba-295cee8a917a}" />
<Execution ProcessName="Microsoft.ResourceManagement.Service" ProcessID="4456" ThreadID="11" />
<Channel/>
<Computer>SAOPAULO</Computer>
</System>
<ApplicationData>
System.Management: System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)
<System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics">
<LogicalOperationStack></LogicalOperationStack>
<Timestamp>36529376603</Timestamp>
<Callstack>
   at System.Environment.get_StackTrace()
   at System.Diagnostics.TraceEventCache.get_Callstack()
   at System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache)
   at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args)
   at Microsoft.ResourceManagement.Utilities.LoggingManager.LogError(String formatString, Object[] arguments)
   at Microsoft.ResourceManagement.Utilities.LoggingManager.ReportError(Exception exception)
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)
   at Microsoft.ResourceManagement.Workflow.Activities.PWResetActivity.AttemptPasswordReset(Object sender, XmlDocumentValidationEventArgs e)
   at System.Workflow.ComponentModel.Activity.RaiseGenericEvent[T](DependencyProperty dependencyEvent, Object sender, T e)
   at Microsoft.ResourceManagement.Workflow.Activities.XmlInteractiveActivity.DocumentValidation(Object sender, EventArgs e)
   at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)
   at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()
   at System.Workflow.Runtime.WorkflowExecutor.RunScheduler()
   at System.Workflow.Runtime.WorkflowExecutor.RunSome(Object ignored)
   at System.Workflow.Runtime.Hosting.SynchronizationContextWorkflowSchedulerService.Schedule(WaitCallback callback, Guid workflowInstanceId)
   at System.Workflow.Runtime.WorkflowExecutor.RequestHostingService()
   at System.Workflow.Runtime.ScheduleWork.Dispose()
   at System.Workflow.Runtime.WorkflowExecutor.EnqueueItemOnIdle(IComparable queueName, Object item, IPendingWork pendingWork, Object workItem)
   at System.Workflow.Runtime.WorkflowInstance.EnqueueItemOnIdle(IComparable queueName, Object item, IPendingWork pendingWork, Object workItem)
   at System.ServiceModel.Dispatcher.WorkflowOperationAsyncResult.DoWork(Object state)
   at System.ServiceModel.Diagnostics.Utility.WaitThunk.UnhandledExceptionFrame(Object state)
   at System.Workflow.Runtime.Hosting.SynchronizationContextWorkflowSchedulerService.SynchronizationContextPostHelper.Callback(Object state)
   at System.ServiceModel.Diagnostics.Utility.WaitThunk.UnhandledExceptionFrame(Object state)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
   at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)
</Callstack>
</System.Diagnostics>
</ApplicationData>
</E2ETraceEvent>
Any suggestion would really be appreciated.
Thanks.
December 11th, 2009 12:44pm
Did you enable Password Management on the AD MA?
December 11th, 2009 1:28pm
Yes, it was already enabled: AD MA > Configure Extensions > Enable password management.
December 11th, 2009 1:53pm
The PW reset tries to reset the password directly in AD (so AD complexity rules apply) but it uses the account configured in the AD MA (so the permissions of that account must include the ability to reset passwords). Otherwise I can't think what it might be...
December 11th, 2009 2:31pm
The FIMService service account needs to be a member of the FIMSyncPasswordSet group.
I highly suspect it is not...
After that, you need to restart Sync and then restart FIMService (in that order).
December 14th, 2009 12:18am
fimsvc: account for the FIM Service.
fimmaadds: account for the ADDS management agent.
FIMSync group memberships:
- FIMSyncAdmins: Administrator, fimmaadds, fimsvc
- FIMSyncBrowse: fimmaadds, fimsvc
- FIMSyncJoiners:
- FIMSyncOperators:
- FIMSyncPasswordSet: fimmaadds, fimsvc
Regarding the password reset permissions for the fimmaadds account, on the OU containing the user whose password I'm trying to reset:
- Descendant user objects: List contents, Read all properties, Read permissions
- Descendant ...: Read lockoutTime, Write lockoutTime
- Descendant ...: Read UAC, Write UAC
- Descendant ...: Reset password
- Descendant ...: Change password
All the memberships and permissions seem correct according to the step-by-step password reset guide...
Is there anything wrong in what is written above?
Cheers.
December 14th, 2009 9:11am
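The OU permissions listed in the post above can be audited rather than eyeballed in the ACL editor. The script below is an added example, not code from the thread, the guide, or FIM itself. It assumes the ActiveDirectory module (RSAT) is present, and the account name and OU DN are placeholders you replace. It resolves the extended-right and attribute GUIDs from the forest instead of hard-coding them, then checks for an Allow ACE on the OU that grants each right to the MA account and is inherited by user objects. It only looks at ACEs granted directly to the account, so rights that arrive through a group will show as MISSING and need a second pass with that group name.

```powershell
# Added example: audit the rights the AD MA run-as account holds on the OU.
# Assumptions: the account and OU below, and RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

$MaAccount = 'MYDOMAIN\fimmaadds'             # assumption: the AD MA account
$OuDn      = 'OU=Staff,DC=mydomain,DC=local'  # assumption: OU holding the users

$rootDse = Get-ADRootDSE

# Resolve GUIDs from the directory so a mistyped constant cannot fake a pass.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'   # "Descendant user objects" = inherited-object-type user

# What the step-by-step list in the post above asks for.
$checks = @(
    @{ Name = 'List contents';            Right = 'ListChildren';  Guid = [Guid]::Empty }
    @{ Name = 'Read all properties';      Right = 'ReadProperty';  Guid = [Guid]::Empty }
    @{ Name = 'Write lockoutTime';        Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'lockoutTime') }
    @{ Name = 'Write userAccountControl'; Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'userAccountControl') }
    @{ Name = 'Reset password';           Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Reset Password') }
    @{ Name = 'Change password';          Right = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Change Password') }
)

$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $MaAccount
})
if ($aces.Count -eq 0) {
    Write-Warning "No direct Allow ACEs for $MaAccount on $OuDn (rights via a group are not checked here)"
}

foreach ($c in $checks) {
    $need = [System.DirectoryServices.ActiveDirectoryRights]$c.Right
    $hit = $aces | Where-Object {
        # GenericAll and friends satisfy -band too, so a "Full control" ACE passes.
        (($_.ActiveDirectoryRights -band $need) -eq $need) -and
        # Empty ObjectType means "all properties / all extended rights".
        ($_.ObjectType -eq $c.Guid -or $_.ObjectType -eq [Guid]::Empty) -and
        # Must apply to descendant user objects (or to all descendants).
        ($_.InheritedObjectType -eq $userClass -or $_.InheritedObjectType -eq [Guid]::Empty) -and
        ($_.InheritanceType -ne 'None')
    }
    $status = if ($hit) { 'OK     ' } else { 'MISSING' }
    '{0} {1}' -f $status, $c.Name
}
```

Run it from an elevated prompt on a box with RSAT; anything reported MISSING is a right the "Reset password" extended operation or the lockoutTime/userAccountControl writes will trip over when the MA account performs the reset.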
Are FIMService and FIMSync installed on different machines?
To eliminate a possible permission issue, would you mind trying to add FIMSvc as a local admin on the FIMSync box?
Then disable the firewall,
then restart Sync and FIMService (in that order), and try again?
December 14th, 2009 9:15am
They're running on the same computer.
I added fimsvc as a local admin.
Now I get the following error when trying to reset the password:
- PWReset Activity could not connect to the directory.
And when I started the services, I got: "XmlInteractiveActivity 'authenticationGateActivity1.xmlInteractiveActivity1' running in WorkflowInstance 'b3ec4137-e1cd-4da1-95b1-ea1e12976e37' timed out waiting for response."
I did, however, disable the firewall (although I double-checked the firewall rules...).
Any further ideas?
By the way, great CP on your blog!
December 14th, 2009 10:04am
I also got these errors:
- Windows logs > Application
FIMSync:
" The server encountered an unexpected error while performing an operation for a management agent.
"BAIL: MMS(2064): ma.cpp(370): 0x80040154 (Class not registered)
BAIL: MMS(2064): ma.cpp(7621): 0x80040154 (Class not registered)
BAIL: MMS(2064): ma.cpp(7518): 0x80040154 (Class not registered)
Forefront Identity Manager 4.0.2574.0"
- Applications and Services logs > Forefront Identity Manager:
" PWReset Activity could not connect to the directory."
Please note I'm running FIM RC1 Update 2.
December 14th, 2009 12:36pm
I followed the steps mentioned in your other post:
http://social.technet.microsoft.com/Forums/en/ilm2/thread/b2d07c59-9e1a-4d1c-86c9-a6cd96a40aab
All of steps 1 to 13 run successfully.
Step 14:
- Method executed successfully,
- BUT: RETURN VALUE = call-failure:0x80040154
I also have the same parameters for the AD MA:
- Connect to forest: sign and encrypt YES
- Extensions: Pwd Mgmt YES, require secure YES, retry 10, interval 60
- I ran a repair on the FIM setup; the error messages kept appearing and password reset still does not work.
About the registry keys:
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
Default: ADMA
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}\InprocServer32
Default - REG_SZ - C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll
InprocServer32 - REG_MULTI_SZ - ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel - REG_SZ - Both
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
Default - ADMA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}\InprocServer32
Default - REG_SZ - C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll
Inprocserver32 - REG_MULTI_SZ - ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel - REG_SZ - Both
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents
AD - {86A0B533-53B1-458D-8AD4-DEE4C4A42208}
...
FIM - {1644FEE7-D816-4FF6-9101-234F14990F75}
You wrote the bug was correct.
What steps should I take to correct that bug?
Cheers
December 14th, 2009 1:23pm
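The registry dump in the post above can be turned into a check: walk the ManagementAgents key the Sync service reads, confirm each CLSID is registered with a DLL that exists, and then ask COM to create the class the way the engine does. The script is an added example, not from the thread or from FIM. It assumes a 64-bit FIM install (so it must run from a 64-bit PowerShell, or you would be reading the Wow6432Node view) and that creating an MA class object from a script is an acceptable diagnostic on that box. The REG_MULTI_SZ `InprocServer32` value shown in the post is a Windows Installer "Darwin descriptor": COM hands it to the Installer to locate (and if needed repair) the component before loading the DLL, so a damaged installer component can surface as 0x80040154 even though the Default path looks right. That is why the script reports whether the registration is MSI-advertised.

```powershell
# Added example: verify the COM registration of every management agent the
# Sync service knows about. 0x80040154 is REGDB_E_CLASSNOTREG ("Class not registered").
# Assumption: 64-bit FIM, run from 64-bit PowerShell.
if ([IntPtr]::Size -ne 8) { Write-Warning '32-bit process: you are looking at the Wow6432Node registry view' }

$maKey = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents'

$results = foreach ($maName in $maKey.GetValueNames()) {
    $clsid  = $maKey.GetValue($maName)
    $hkcr   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $hklm   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll    = $null
    $darwin = $null
    if (Test-Path $hklm) {
        $inproc = Get-Item $hklm
        $dll    = $inproc.GetValue('')                 # (Default): path COM loads
        $darwin = $inproc.GetValue('InprocServer32')   # REG_MULTI_SZ Darwin descriptor, if MSI-advertised
    }

    $status = 'OK'
    if (-not (Test-Path $hkcr) -or -not (Test-Path $hklm)) {
        $status = 'InprocServer32 key missing'
    } elseif (-not $dll -or -not (Test-Path $dll)) {
        $status = "DLL path missing or not on disk: $dll"
    } else {
        # Let COM resolve and load the class exactly as the engine would.
        # Any error other than 0x80040154 means the registration itself resolved.
        try {
            $t = [Type]::GetTypeFromCLSID([Guid]$clsid, $true)
            $o = [Activator]::CreateInstance($t)
            [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($o)
        } catch {
            $status = "CoCreateInstance failed: $($_.Exception.Message)"
        }
    }

    New-Object PSObject -Property @{
        MA = $maName; CLSID = $clsid; DLL = $dll
        MsiAdvertised = [bool]$darwin; Status = $status
    }
}

$results | Format-Table MA, CLSID, MsiAdvertised, Status -AutoSize
```

If the AD MA row fails with 0x80040154 while the DLL is on disk and MsiAdvertised is true, the Installer component rather than the CLSID key is the thing to repair, which is consistent with a plain setup repair not fixing it.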
Finally it's happened to someone else. :)
Sorry I still haven't found the fix myself, but glad to know it's not just me....
December 14th, 2009 7:50pm
OK, that's some progress. You were having a permission issue when FIMSvc tried to search for the user using WMI. Have you followed the DCOM/WMI section in the step-by-step?
Also, if you follow the setup guide 100%, it will suggest that you decline Network Access for the FIMService and FIMSyncService service accounts. Since you are using an all-in-one box, that won't work.
For the timeout, that's just caused by a previously active WF; you can ignore that...
December 16th, 2009 3:38am
Let's keep this thread for troubleshooting the permission issue.
Let's leave the "Class not registered" error in the other thread.
:)
December 16th, 2009 3:40am
I have also experienced this problem. Will post my findings as I troubleshoot this issue.
December 23rd, 2009 7:04am
Noticed this error in the event log:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{835BEE60-8731-4159-8BFF-941301D76D05}
to the user MYDOMAIN\fimSvc SID (S-1-5-21-2638804994-1901297949-932415521-1619) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Am I missing any group memberships?
December 23rd, 2009 7:15am
Nope.
In the Introduction to Pwd Reset there are a few sections around DCOM/WMI settings.
Make sure you have followed those sections.
December 23rd, 2009 7:18am
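The "DCOM/WMI sections" the replies above point to (and the event in the post before them) concern two separate permission layers: DCOM launch/activation on the COM server behind the CLSID, and the security descriptor on the WMI namespace the FIM Service queries when it searches for the user. The script below is an added example, not code from the thread, the guide, or FIM. It assumes the account name, that the CLSID is the one copied from the event above, that the FIM Sync WMI provider lives in `root\MicrosoftIdentityIntegrationServer` and exposes a `MIIS_ManagementAgent` class, and that it is saved as `Check-FimWmiAccess.ps1`. Run `-Mode Inspect` as a local admin to print both ACLs, then `-Mode Probe` in a shell started with `runas /user:MYDOMAIN\fimSvc powershell.exe` so the live query runs under the service account's own token.

```powershell
# Added example: inspect DCOM and WMI namespace permissions, then probe the query
# as the FIM Service account. Assumptions: account, namespace and class names below.
param([ValidateSet('Inspect', 'Probe')][string]$Mode = 'Inspect')

$Account = 'MYDOMAIN\fimSvc'                          # assumption: FIM Service account
$Clsid   = '{835BEE60-8731-4159-8BFF-941301D76D05}'   # CLSID from the event in the post above
$Ns      = 'root\MicrosoftIdentityIntegrationServer'  # assumption: FIM Sync WMI namespace

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Show-DcomLaunchAcl {
    $clsKey = Get-Item "HKLM:\SOFTWARE\Classes\CLSID\$Clsid" -ErrorAction Stop
    $appId  = $clsKey.GetValue('AppID')
    "CLSID $Clsid is '$($clsKey.GetValue(''))', AppID $appId"
    $appKey = if ($appId) { Get-Item "HKLM:\SOFTWARE\Classes\AppID\$appId" -ErrorAction SilentlyContinue } else { $null }
    $bytes  = if ($appKey) { $appKey.GetValue('LaunchPermission') } else { $null }
    if (-not $bytes) {
        'No per-AppID LaunchPermission; the machine DefaultLaunchPermission applies:'
        $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name DefaultLaunchPermission).DefaultLaunchPermission
    }
    # Self-relative SD. COM mask bits: 1 launch, 2 local launch, 4 remote launch,
    # 8 local activation, 16 remote activation. The event complains about bit 8.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $la = if ($ace.AccessMask -band 8) { 'LocalActivation' } else { '' }
        '{0,-13} {1,-35} mask=0x{2:X} {3}' -f $ace.AceType, (Resolve-Sid $ace.SecurityIdentifier), $ace.AccessMask, $la
    }
    "Check that $Account, or a group it is in, appears above with LocalActivation."
}

function Show-WmiNamespaceAcl {
    $r = Invoke-WmiMethod -Namespace $Ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Ns returned $($r.ReturnValue)" }
    # WMI mask bits: 1 Enable Account, 2 Execute Methods, 4 Full Write, 8 Partial Write,
    # 16 Provider Write, 32 Remote Enable, 0x20000 Read Security, 0x40000 Edit Security.
    # A local caller needs at least Enable Account (1) and Execute Methods (2).
    "Namespace $Ns DACL:"
    foreach ($ace in $r.Descriptor.DACL) {
        $t    = $ace.Trustee
        $who  = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
        $kind = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        '{0,-6} {1,-35} mask=0x{2:X} flags=0x{3:X}' -f $kind, $who, $ace.AccessMask, $ace.AceFlags
    }
}

function Test-FimWmiQuery {
    "Running as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    try {
        $mas = @(Get-WmiObject -Namespace $Ns -Class MIIS_ManagementAgent -ErrorAction Stop)
        "WMI query OK: $($mas.Count) management agent(s): $(($mas | ForEach-Object { $_.Name }) -join ', ')"
    } catch {
        $ex   = $_.Exception
        $code = if ($ex.PSObject.Properties['ErrorCode']) { $ex.ErrorCode } else { '' }
        "WMI query FAILED: $($ex.GetType().Name) $code : $($ex.Message)"
        '  0x80070005 (E_ACCESSDENIED)       -> DCOM launch/activation ACL (Inspect, first block)'
        '  0x80041003 (WBEM_E_ACCESS_DENIED) -> WMI namespace security (Inspect, second block)'
    }
}

switch ($Mode) {
    'Inspect' { Show-DcomLaunchAcl; ''; Show-WmiNamespaceAcl }
    'Probe'   { Test-FimWmiQuery }
}
```

The probe deliberately runs without `-Credential`, because WMI refuses explicit credentials for local connections; starting the shell as the service account is the only way to test the token the FIM Service actually presents, which is also why a service restart is needed after any group change.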
I was able to resolve this error. I just had to add the FIM Svc account to the FIMSyncPasswor
December 23rd, 2009 7:25am
I did everything as said before; in my Application event log I get the following error:
Log Name: Application
Source: FIMSynchronizationService
Date: 11/8/2010 8:26:09 PM
Event ID: 6306
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: FIMSRV01.fim.sogeti.local
Description:
The server encountered an unexpected error while performing an operation for the client.
"BAIL: MMS(3080): server.cpp(7910): 0x80070005 (Access is denied.)
Forefront Identity Manager 4.0.3531.2"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="FIMSynchronizationService" />
<EventID Qualifiers="49152">6306</EventID>
<Level>2</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-08T19:26:09.000000000Z" />
<EventRecordID>4915</EventRecordID>
<Channel>Application</Channel>
<Computer>FIMSRV01.fim.sogeti.local</Computer>
<Security />
</System>
<EventData>
<Data>BAIL: MMS(3080): server.cpp(7910): 0x80070005 (Access is denied.)
Forefront Identity Manager 4.0.3531.2</Data>
</EventData>
</Event>
November 8th, 2010 11:34am
Same answer:
The FIMService service account needs to be a member of the FIMSyncPasswordSet group.
I highly suspect it is not...
After that, you need to restart Sync and then restart FIMService (in that order).
November 8th, 2010 2:55pm
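The fix given twice in this thread (the reply of December 14th and the one just above) is a local group membership plus an ordered service restart; the restart is needed because group membership is evaluated when the service account logs on, so a running service keeps its old token. The script below is an added example, not code from the thread or from FIM, that checks the FIMSync* memberships listed earlier against the ADSI WinNT provider, confirms the FIM Service really runs as the account being checked, and only then restarts Sync followed by FIM Service. Assumptions: the two account names, an all-in-one box, and the service names `FIMSynchronizationService` and `FIMService`.

```powershell
# Added example: verify FIMSync* local group membership, then restart
# Sync and FIM Service in that order. Assumptions: account and service names below.
param(
    [string]$FimServiceAccount = 'MYDOMAIN\fimsvc',     # assumption
    [string]$AdMaAccount       = 'MYDOMAIN\fimmaadds',  # assumption
    [string]$SyncServer        = $env:COMPUTERNAME,     # all-in-one box, per the thread
    [switch]$Restart
)

# Which accounts the guide expects in which group (as listed earlier in the thread).
$expected = @{
    'FIMSyncAdmins'      = @($FimServiceAccount, $AdMaAccount)
    'FIMSyncBrowse'      = @($FimServiceAccount, $AdMaAccount)
    'FIMSyncPasswordSet' = @($FimServiceAccount, $AdMaAccount)
}

function Get-LocalGroupMembers([string]$Server, [string]$Group) {
    # ADSI WinNT provider: available on Server 2008 R2 without extra modules.
    $g = [ADSI]"WinNT://$Server/$Group,group"
    foreach ($m in @($g.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/account -> DOMAIN\account
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$problems = @()
foreach ($group in $expected.Keys) {
    try   { $members = @(Get-LocalGroupMembers -Server $SyncServer -Group $group) }
    catch { $problems += "cannot read group $group on $($SyncServer): $($_.Exception.Message)"; continue }
    foreach ($acct in $expected[$group]) {
        if ($members -notcontains $acct) { $problems += "$acct is not a member of $group" }
    }
}

# The membership only matters if FIMService actually logs on as that account.
$svc = Get-WmiObject Win32_Service -Filter "Name='FIMService'"
if ($svc -and $svc.StartName -ine $FimServiceAccount) {
    $problems += "FIMService runs as '$($svc.StartName)', not '$FimServiceAccount'"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    'Fix the memberships (net localgroup <group> <account> /add) and run again.'
    return
}
'Memberships look right.'

if ($Restart) {
    # New group SIDs only land in a fresh logon token, hence the restart.
    # Sync first, then FIM Service, as the reply says.
    Restart-Service -Name FIMSynchronizationService -Force
    Restart-Service -Name FIMService -Force
    Get-Service FIMSynchronizationService, FIMService | Format-Table Name, Status -AutoSize
}
```

Run it once without `-Restart` to see the report; once it prints "Memberships look right", run it again with `-Restart` and retry the password reset.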
FIM server restart worked in my case :)
Thanks,
August 5th, 2015 5:51am