Password reset: System.Management.ManagementException: Access denied
Hi,

I'm running FIM 2010 RC1 update 2.

I configured self-service password reset using this guide: http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx

- Users are able to register for self-service password reset.
- I can reach the "new password prompt" when the correct answers are provided.
- But afterwards, the user gets the message "We were unable to reset your password"...


After enabling FIM Service debugging, I got this error:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
	<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
		<EventID>3</EventID>
		<Type>3</Type>
		<SubType Name="Error">0</SubType>
		<Level>2</Level>
		<TimeCreated SystemTime="2009-12-11T12:24:41.1914184Z" />
		<Source Name="Microsoft.ResourceManagement" />
		<Correlation ActivityID="{391b811e-53e0-469f-9fba-295cee8a917a}" />
		<Execution ProcessName="Microsoft.ResourceManagement.Service" ProcessID="4456" ThreadID="11" />
		<Channel/>
		<Computer>SAOPAULO</Computer>
	</System>
	<ApplicationData>

			System.Management: System.Management.ManagementException: Access denied &#xD;&#xA;   
			at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)&#xD;&#xA;   
			at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()&#xD;&#xA; 
			at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)
	
	<System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics">
		<LogicalOperationStack></LogicalOperationStack>
		<Timestamp>36529376603</Timestamp>
		<Callstack>
		at System.Environment.get_StackTrace()&#xD;&#xA;   
		at System.Diagnostics.TraceEventCache.get_Callstack()&#xD;&#xA;   
		at System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache)&#xD;&#xA;   
		at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args)&#xD;&#xA;   
		at Microsoft.ResourceManagement.Utilities.LoggingManager.LogError(String formatString, Object[] arguments)&#xD;&#xA;   
		at Microsoft.ResourceManagement.Utilities.LoggingManager.ReportError(Exception exception)&#xD;&#xA;   
		at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)&#xD;&#xA;   
		at Microsoft.ResourceManagement.Workflow.Activities.PWResetActivity.AttemptPasswordReset(Object sender, XmlDocumentValidationEventArgs e)&#xD;&#xA;   
		at System.Workflow.ComponentModel.Activity.RaiseGenericEvent[T](DependencyProperty dependencyEvent, Object sender, T e)&#xD;&#xA;   
		at Microsoft.ResourceManagement.Workflow.Activities.XmlInteractiveActivity.DocumentValidation(Object sender, EventArgs e)&#xD;&#xA;  
		at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)&#xD;&#xA;  
		at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)&#xD;&#xA;   
		at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)&#xD;&#xA;  
		at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)&#xD;&#xA;   
		at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)&#xD;&#xA;   
		at System.Workflow.Runtime.Scheduler.Run()&#xD;&#xA;   
		at System.Workflow.Runtime.WorkflowExecutor.RunScheduler()&#xD;&#xA;   
		at System.Workflow.Runtime.WorkflowExecutor.RunSome(Object ignored)&#xD;&#xA;   
		at System.Workflow.Runtime.Hosting.SynchronizationContextWorkflowSchedulerService.Schedule(WaitCallback callback, Guid workflowInstanceId)&#xD;&#xA;   
		at System.Workflow.Runtime.WorkflowExecutor.RequestHostingService()&#xD;&#xA;  
		at System.Workflow.Runtime.ScheduleWork.Dispose()&#xD;&#xA;  
		at System.Workflow.Runtime.WorkflowExecutor.EnqueueItemOnIdle(IComparable queueName, Object item, IPendingWork pendingWork, Object workItem)&#xD;&#xA;  
		at System.Workflow.Runtime.WorkflowInstance.EnqueueItemOnIdle(IComparable queueName, Object item, IPendingWork pendingWork, Object workItem)&#xD;&#xA;  
		at System.ServiceModel.Dispatcher.WorkflowOperationAsyncResult.DoWork(Object state)&#xD;&#xA;
		at System.ServiceModel.Diagnostics.Utility.WaitThunk.UnhandledExceptionFrame(Object state)&#xD;&#xA;  
		at System.Workflow.Runtime.Hosting.SynchronizationContextWorkflowSchedulerService.SynchronizationContextPostHelper.Callback(Object state)&#xD;&#xA; 
		at System.ServiceModel.Diagnostics.Utility.WaitThunk.UnhandledExceptionFrame(Object state)&#xD;&#xA;  
		at System.Threading.ExecutionContext.runTryCode(Object userData)&#xD;&#xA; 
		at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)&#xD;&#xA;  
		at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)&#xD;&#xA; 
		at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)&#xD;&#xA; 
		at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)
	</Callstack>
</System.Diagnostics>
</ApplicationData>
</E2ETraceEvent>
Any suggestion would really be appreciated.
Thanks.
December 11th, 2009 12:44pm

Did you enable Password Management on the AD MA?
December 11th, 2009 1:28pm

Yes, it was already enabled: AD MA > Configure Extensions > Enable password management.
December 11th, 2009 1:53pm

The PW reset tries to reset the password directly in AD (so AD complexity rules apply) but it uses the account configured in the AD MA (so the permissions of that account must include the ability to reset passwords). Otherwise I can't think what it might be...
December 11th, 2009 2:31pm

The FIMService service account needs to be a member of the FIMSyncPasswordSet group.
I highly suspect it is not...
After that, you need to restart Sync and then restart FIMService (in that order).

December 14th, 2009 12:18am

fimsvc: account for the FIM Service
fimmaadds: account for the ADDS management agent

For the FIMSync memberships:
- FIMSyncAdmins: Administrator, fimmaadds, fimsvc
- FIMSyncBrowse: fimmaadds, fimsvc
- FIMSyncJoiners:
- FIMSyncOperators:
- FIMSyncPasswordSet: fimmaadds, fimsvc

Regarding the password reset permissions, for the account fimmaadds, on the OU containing the user whose password I'm trying to reset:
- Descendant user objects: List contents, Read all properties, Read permissions
- Descendant ... : read lockoutTime, write lockoutTime
- Descendant...: read UAC, write UAC
- Descendant...: Reset password
- Descendant...: Change password

All the memberships and permissions seem correct according to the step-by-step password reset guide...
Is there anything wrong in what is written above?


Cheers.

December 14th, 2009 9:11am
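As an added check (not from the thread or the FIM guide), the PowerShell below verifies the three things the replies above turn on for an all-in-one FIM 2010 server: membership of the local FIMSync* groups, whether the caller can read the Sync Service WMI namespace the way ResetPasswordHelper does, and whether the AD MA account holds the delegated rights on the target OU. The account names fimsvc and fimmaadds and the MA name "AD" come from the thread; the NetBIOS domain, the OU distinguished name and the test user are placeholders to edit. Run it on the FIM server in a session started as the FIMService account (for example via runas) so the WMI step sees what the service sees.

```powershell
# Added example: prerequisite checks for FIM 2010 self-service password reset.
# Placeholders below (domain, OU, test user) are assumptions and must be edited.
param([switch]$RestartServices)

$DomainNetbios = 'MYDOMAIN'                        # assumption: NetBIOS domain name
$SyncAccount   = 'fimsvc'                          # FIMService service account (from the thread)
$MaAccount     = 'fimmaadds'                       # AD MA account (from the thread)
$TargetOu      = 'OU=Users,DC=mydomain,DC=local'   # assumption: OU holding the users to reset
$TestUser      = 'jdoe'                            # assumption: sAMAccountName of a test user

# 1. Local FIMSync* groups. FIMService must be in FIMSyncPasswordSet, otherwise the
#    Sync Service rejects the password call (server.cpp ... 0x80070005 Access is denied).
function Get-LocalGroupMemberName([string]$Group) {
    $g = [ADSI]"WinNT://./$Group,group"
    $g.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
foreach ($grp in 'FIMSyncAdmins','FIMSyncBrowse','FIMSyncJoiners','FIMSyncOperators','FIMSyncPasswordSet') {
    $members = @(Get-LocalGroupMemberName $grp)
    '{0,-20} {1}' -f $grp, ($members -join ', ')
    if ($grp -eq 'FIMSyncPasswordSet' -and -not ($members -contains $SyncAccount)) {
        Write-Warning "$SyncAccount is not in FIMSyncPasswordSet; password reset will be denied"
    }
}

# 2. WMI. ResetPasswordHelper looks the user up as a MIIS_CSObject in the Sync Service
#    namespace (Domain/Account is the lookup form used for password management).
#    'Access denied' on MoveNext means this caller cannot read the namespace: check the
#    DCOM launch/activation and WMI namespace ACLs from the DCOM/WMI section of the guide.
$ns = 'root\MicrosoftIdentityIntegrationServer'
try {
    $cs = Get-WmiObject -Namespace $ns -Class MIIS_CSObject `
            -Filter "Domain='$DomainNetbios' AND Account='$TestUser'"
    if ($cs) { "CS object for $DomainNetbios\$TestUser in MA '$($cs.MaName)': $($cs.DN)" }
    else     { Write-Warning "No CS object for $DomainNetbios\$TestUser (user not imported, or wrong domain/account)" }
} catch {
    Write-Warning "WMI query against $ns failed as $env:USERDOMAIN\$env:USERNAME`: $($_.Exception.Message)"
}

# 3. Delegation on the OU for the AD MA account: Reset Password, Change Password,
#    write lockoutTime and write userAccountControl on descendant user objects.
#    GUIDs are the AD extended-right / schemaIDGUID values for those items.
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'    # schemaIDGUID of class 'user'
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$fullCtrl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$required  = @(
    @{ Name='Reset Password';           Guid=[Guid]'00299570-246d-11d0-a768-00aa006e0529'; Right=$extRight  },
    @{ Name='Change Password';          Guid=[Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'; Right=$extRight  },
    @{ Name='Write lockoutTime';        Guid=[Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'; Right=$writeProp },
    @{ Name='Write userAccountControl'; Guid=[Guid]'bf967a68-0de6-11d0-a285-00aa003049e2'; Right=$writeProp }
)
# Only ACEs granted directly to the MA account that apply to descendant user objects
# (or to all descendants) are considered; grants via group membership are not resolved.
$maAces = ([ADSI]"LDAP://$TargetOu").ObjectSecurity.Access | Where-Object {
    $_.IdentityReference.Value -eq "$DomainNetbios\$MaAccount" -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.InheritedObjectType -eq $userClass -or $_.InheritedObjectType -eq [Guid]::Empty)
}
foreach ($r in $required) {
    $hit = $maAces | Where-Object {
        ($_.ObjectType -eq $r.Guid -or $_.ObjectType -eq [Guid]::Empty) -and
        ((($_.ActiveDirectoryRights -band $r.Right) -ne 0) -or (($_.ActiveDirectoryRights -band $fullCtrl) -ne 0))
    }
    if ($hit) { '{0,-26} granted' -f $r.Name }
    else      { Write-Warning ('{0,-26} MISSING for {1}' -f $r.Name, $MaAccount) }
}

# 4. A service's access token is built when it logs on, so a new group membership only
#    takes effect after the service restarts: Sync first, then FIMService, as the thread says.
if ($RestartServices) {
    Restart-Service FIMSynchronizationService -Force
    Restart-Service FIMService
}
```

An empty ObjectType on an ACE means "all extended rights" or "all properties" for the matching right, which is why the check accepts it. Rights inherited through a group the MA account belongs to are reported as MISSING by this check even though AD would honour them, so compare the output against the account's group memberships before changing anything.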

Are FIMService and FIMSync installed on different machines?

To eliminate some permission issues, would you mind trying to add FIMSvc as a local admin on the FIMSync box?
Then disable the firewall,
then restart Sync and FIMService (in that order), and try again?
December 14th, 2009 9:15am

They're running on the same computer.

I added fimsvc as a local admin.
Now I get the following error when trying to reset the password:
- PWReset Activity could not connect to the directory.

And when I started the services, I got: "XmlInteractiveActivity 'authenticationGateActivity1.xmlInteractiveActivity1' running in WorkflowInstance 'b3ec4137-e1cd-4da1-95b1-ea1e12976e37' timed out waiting for response."

I did, however, disable the firewall (although I double-checked the firewall rules...).
Any further ideas?

BTW, great CP on your blog!

December 14th, 2009 10:04am

I also got these errors:

- Windows logs > Application
FIMSync:
" The server encountered an unexpected error while performing an operation for a management agent.
"BAIL: MMS(2064): ma.cpp(370): 0x80040154 (Class not registered)
BAIL: MMS(2064): ma.cpp(7621): 0x80040154 (Class not registered)
BAIL: MMS(2064): ma.cpp(7518): 0x80040154 (Class not registered)
Forefront Identity Manager 4.0.2574.0"


- Applications and Services logs > Forefront Identity Manager:
" PWReset Activity could not connect to the directory."


Please note I'm running FIM RC1 update 2.
December 14th, 2009 12:36pm

I followed the steps mentioned in your other post: http://social.technet.microsoft.com/Forums/en/ilm2/thread/b2d07c59-9e1a-4d1c-86c9-a6cd96a40aab

Steps 1 to 13 all run successfully.
Step 14:
- Method executed successfully,
- BUT: RETURN VALUE = call-failure:0x80040154

I also have the same parameters for the AD MA:
- Connect to forest: sign and encrypt YES
- Extension: Pwd Mgmt YES, require secure YES, retry 10, interval 60

- I ran a repair on the FIM setup; the error messages kept appearing and password reset still does not work.

About the registry keys:
HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
Default: ADMA

HKEY_CLASSES_ROOT\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}\InprocServer32
Default - REG_SZ - C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll
InprocServer32 - REG_MULTI_SZ - ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel - REG_SZ - Both


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}
Default - ADMA

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A0B533-53B1-458D-8AD4-DEE4C4A42208}\InprocServer32
Default - REG_SZ - C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\mmsmaad.dll
Inprocserver32 - REG_MULTI_SZ - ?{+p]bozQ@Cs1(enXoLyAD<
ThreadingModel - REG_SZ - Both


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents
AD - {86A0B533-53B1-458D-8AD4-DEE4C4A42208}
...
FIM - {1644FEE7-D816-4FF6-9101-234F14990F75}


You wrote the bug was correct.
What steps should I take to correct that bug?


Cheers
December 14th, 2009 1:23pm

Finally it's happened to someone else. :)
Sorry I still haven't found the fix myself, but glad to know it's not just me....

December 14th, 2009 7:50pm

OK, that's some progress. You were having a permission issue when FIMSvc tried to search for the user using WMI. Have you followed the DCOM/WMI section in the step-by-step guide?
Also, if you follow the setup guide 100%, it will suggest you deny Network Access for the FIMService and FIMSyncService service accounts. Since you are using an all-in-one setup, that won't work.

For the timeout, that's just caused by a previously active WF; you can ignore that...
December 16th, 2009 3:38am

Let's keep this thread for troubleshooting the permission issue.
Let's leave the "Class not registered" error in the other thread.

:)
December 16th, 2009 3:40am

I have also experienced this problem. Will post my finding as I troubleshoot this issue.
December 23rd, 2009 7:04am

Noticed this error in the event log:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {835BEE60-8731-4159-8BFF-941301D76D05}  to the user MYDOMAIN\fimSvc SID (S-1-5-21-2638804994-1901297949-932415521-1619) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Am I missing any group memberships?
December 23rd, 2009 7:15am
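As an added check (not from the thread), this PowerShell decodes the DCOM launch permission DACL that the event above refers to, for the CLSID it names, and reports whether the service account has a direct Local Activation grant. The account name is taken from the event and is a placeholder to edit; the registry locations and the COM_RIGHTS_* bit values are the documented DCOM ones. The same DACL is what the Component Services tool edits under DCOM Config > Launch and Activation Permissions.

```powershell
# Added example: inspect DCOM launch/activation permissions for a CLSID without the MMC.
$Clsid   = '{835BEE60-8731-4159-8BFF-941301D76D05}'   # CLSID from the event above
$Account = 'MYDOMAIN\fimSvc'                          # assumption: service account named in the event

# COM_RIGHTS_* bits of a launch-permission access mask.
$COM_RIGHTS_EXECUTE         = 1
$COM_RIGHTS_EXECUTE_LOCAL   = 2
$COM_RIGHTS_EXECUTE_REMOTE  = 4
$COM_RIGHTS_ACTIVATE_LOCAL  = 8
$COM_RIGHTS_ACTIVATE_REMOTE = 16
$allLocalRemoteBits = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE -bor
                      $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE

function ConvertFrom-ComLaunchSd([byte[]]$Bytes, [string]$Source) {
    # LaunchPermission is a self-relative security descriptor stored as REG_BINARY.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $m = $ace.AccessMask
        # Legacy ACE: only COM_RIGHTS_EXECUTE set and none of the LOCAL/REMOTE bits;
        # COM treats that as granting all launch and activation rights.
        $legacyAll = (($m -band $allLocalRemoteBits) -eq 0) -and (($m -band $COM_RIGHTS_EXECUTE) -ne 0)
        New-Object PSObject -Property @{
            Source          = $Source
            Identity        = $who
            Type            = $ace.AceType
            Mask            = $m
            LocalLaunch     = $legacyAll -or (($m -band $COM_RIGHTS_EXECUTE_LOCAL) -ne 0)
            LocalActivation = $legacyAll -or (($m -band $COM_RIGHTS_ACTIVATE_LOCAL) -ne 0)
        }
    }
}

# A CLSID's DCOM settings hang off its AppID. Without an AppID, or without an explicit
# LaunchPermission on the AppID, the machine-wide DefaultLaunchPermission applies.
# MachineLaunchRestriction is the machine-wide limit and must allow the right as well.
$hkcr   = 'Registry::HKEY_CLASSES_ROOT'
$ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$checks = @()
$appId  = (Get-ItemProperty "$hkcr\CLSID\$Clsid" -ErrorAction SilentlyContinue).AppID
if ($appId) {
    $lp = (Get-ItemProperty "$hkcr\AppID\$appId" -ErrorAction SilentlyContinue).LaunchPermission
    if ($lp) { $checks += ,@("HKCR\AppID\$appId\LaunchPermission", $lp) }
}
if ($checks.Count -eq 0) {
    $dlp = (Get-ItemProperty $ole -ErrorAction SilentlyContinue).DefaultLaunchPermission
    if ($dlp) { $checks += ,@('HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission', $dlp) }
}
$mlr = (Get-ItemProperty $ole -ErrorAction SilentlyContinue).MachineLaunchRestriction
if ($mlr) { $checks += ,@('HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction (limits)', $mlr) }

if ($checks.Count -eq 0) { Write-Warning "No launch permission data found for $Clsid" }
foreach ($c in $checks) {
    $aces = ConvertFrom-ComLaunchSd -Bytes $c[1] -Source $c[0]
    $aces | Format-Table Identity, Type, Mask, LocalLaunch, LocalActivation, Source -AutoSize
    $ok = $aces | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.LocalActivation -and $_.Identity -eq $Account }
    if (-not $ok) { Write-Warning "$Account has no direct Local Activation grant in $($c[0])" }
}
```

The match is by identity name, so a grant through a group (for example Distributed COM Users) shows up under the group's name rather than the account's; compare the listed identities with the account's group memberships before adding a new ACE. Both the per-AppID (or default) permission and the machine-wide limits have to allow Local Activation for the activation in the event to succeed.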

Nope.
In the Introduction to Pwd Reset
there are a few sections around DCOM/WMI settings.
Make sure you have followed those sections.
December 23rd, 2009 7:18am

I was able to resolve this error. I just had to add the FIM Svc account to the FIMSyncPasswor
December 23rd, 2009 7:25am

I did everything as said before; in my Application event log I get the following error:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          11/8/2010 8:26:09 PM
Event ID:      6306
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIMSRV01.fim.sogeti.local
Description:
The server encountered an unexpected error while performing an operation for the client.
 
 "BAIL: MMS(3080): server.cpp(7910): 0x80070005 (Access is denied.)
Forefront Identity Manager 4.0.3531.2"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6306</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-08T19:26:09.000000000Z" />
    <EventRecordID>4915</EventRecordID>
    <Channel>Application</Channel>
    <Computer>FIMSRV01.fim.sogeti.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>BAIL: MMS(3080): server.cpp(7910): 0x80070005 (Access is denied.)
Forefront Identity Manager 4.0.3531.2</Data>
  </EventData>
</Event>

November 8th, 2010 11:34am

Same answer:

The FIMService service account needs to be a member of the FIMSyncPasswordSet group.
I highly suspect it is not...
After that, you need to restart Sync and then restart FIMService (in that order).

November 8th, 2010 2:55pm

FIM server restart worked in my case :)

Thanks,

August 5th, 2015 5:51am
