Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-03-08) Resolving The "PWUnrecoverableError" Error With FIM Self-Service Password Reset (SSPR)

Posted by Jorge on 2015-03-08


While using or configuring FIM 2010 (R2) SSPR you might receive the error shown below after specifying the new password twice and submitting it. This of course needs troubleshooting, but the generic error message and error code tell you very little, so you need to dig further to really understand what went wrong.

Figure 1: Error 3000 After Specifying A New Password Twice And Submitting It

Looking at the Forefront Identity Manager Event Log, you may find Event ID 3 with an "Access is denied" statement. Now you know something is wrong with authentication or authorization between the FIM Service and the FIM Sync Service.

Figure 2: Unauthorized Access Exception – Access is denied

mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

You may also find the following Event ID 2 in the Forefront Identity Manager Event Log.

Figure 3: Workflow Terminated Exception

System.Workflow.ComponentModel.WorkflowTerminatedException: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.

You may also find the following Event ID 3 in the Forefront Identity Manager Event Log.

Figure 4: Service Fault Exception

The web portal received a fault error from the FIM service.
Details:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
Web Portal: FIM Password Reset Portal
Session Id: ufoifqmbyuwt0p3cim0iz455
IP Address: 10.1.1.32

You will also find the following Event ID 3 in the Forefront Identity Manager Event Log.

Figure 5: HTTP Unhandled Exception – PWUnrecoverableError

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously

You will also find the following Event ID 3 in the Forefront Identity Manager Event Log.

Figure 6: Invalid Program Exception – PWUnrecoverableError

The error page was displayed to the user.
Details:
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source:
Attributes:
Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3000
CaughtTime: 01/09/2015 21:47:39

Web Portal: FIM Password Reset Portal
Session Id: ufoifqmbyuwt0p3cim0iz455
IP Address: 10.1.1.32

If you have tracing enabled for the FIM Service, you will also see the following. To enable tracing for the FIM Service, see the blog post "(2013-11-01) Advanced Logging, Event Tracing Or Troubleshooting Within FIM Components". Basically, you comment out the default "Default Diagnostics configuration" section, remove the comment from the "Advanced Diagnostics Configuration (Full Diagnostics configuration)" section and restart the FIM Service. By the way: DO NOT forget to disable tracing afterwards!!!

Figure 7: Unauthorized Access Exception – Access is denied

Microsoft.ResourceManagement Verbose: 0 : WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='IAMTEC' AND Account='John.Doe') or (FullyQualifiedDomain='IAMTEC' AND Account='John.Doe') or (Domain='IAMTEC' AND UserPrincipalName='John.Doe') or (FullyQualifiedDomain='IAMTEC' AND UserPrincipalName='John.Doe')
    ThreadId=16
    DateTime=2015-01-09T20:47:38.5549208Z
Microsoft.ResourceManagement Error: 3 : mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)
    ThreadId=16
    DateTime=2015-01-09T20:47:38.5705433Z

In this case the "PWUnrecoverableError" error is related to unauthorized access. In other words, the FIM Service account is lacking some permission somewhere. To be sure NOTHING is missed, check everything listed below.

[1] Permissions In The FIM Sync Engine

The password reset is done through the FIM Sync Engine, therefore the FIM Service must have the permission to look up the connector space object and actually set the new password. For that to be possible the FIM Service account must be a member of the "FIM Sync Browse Group" and the "FIM Sync Password Set Group". See below as an example. If you just added the FIM Service account to these groups, make sure to restart the FIM Service!

Figure 8: Required FIM Sync Group Memberships For The FIM Service Account When Using SSPR

[2] DCOM Permissions

The FIM Service account requires the correct DCOM permissions on the FIM Sync Server(s). I say server(s) because you might have a running FIM Sync server and a hot or cold standby FIM Sync server. The manual steps to enable DCOM for the FIM Service account on the FIM Sync Server(s) are:

  1. Log on to the FIM Sync Server with local administrative permissions.
  2. Click Start, click Administrative Tools, and then click Component Services.
  3. On Component Services, expand Component Services, and then expand Computers.
  4. Right-click My Computer, and then click Properties.
  5. On My Computer Properties, click COM Security.
  6. On COM Security, under Access Permissions, click Edit Limits.
  7. On Access Permissions, click Add.
  8. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  9. Click OK.
  10. On Access Permissions, select the FIM Service account name and place a check in the Allow check box for both Local Access and Remote Access.
  11. Click OK.
  12. On COM Security, under Access Permissions, click Edit Default.
  13. On Access Permissions, click Add.
  14. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  15. Click OK.
  16. On Access Permissions, select the FIM Service account name and place a check in the Allow check box for both Local Access and Remote Access.
  17. Click OK.
  18. On COM Security, under Launch and Activation Permissions, click Edit Limits.
  19. On Launch and Activation Permissions, click Add.
  20. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  21. Click OK.
  22. On Launch and Activation Permissions, select the FIM Service account name and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  23. Click OK.
  24. On COM Security, under Launch and Activation Permissions, click Edit Default.
  25. On Access Permissions, click Add.
  26. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  27. Click OK.
  28. On Launch and Activation Permissions, select the FIM Service account name and place a check in the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  29. Click OK.
  30. On My Computer Properties, click Apply, and then click OK.
  31. Close Component Services.

If you think, "damn, that’s a lot of work!", you can also use PowerShell to do it! See Using PowerShell to Set DCOM Permissions for FIM Self-Service Password Reset.
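
Whichever way you set them, it pays to verify the result. The following PowerShell script is an added example, not code from the original post or from the linked article: it reads the four DCOM dialogs from the walkthrough (stored as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole) and reports which rights the FIM Service account holds in each. The account name is an assumption; run it elevated on each FIM Sync Server.

```powershell
# Added example, not code from the original post: audit the four DCOM dialogs
# from the walkthrough on a FIM Sync Server for the FIM Service account.
# The account name is an assumption; replace it with your own. Run elevated.
$FimServiceAccount = 'IAMTEC\svc-fimservice'

# COM access-right bits (objbase.h) and how the DCOM UI labels them.
$COM_RIGHTS_EXECUTE         = 0x01   # legacy "allow"; on its own it implies all rights
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02   # Local Access  / Local Launch
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04   # Remote Access / Remote Launch
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08   # Local Activation
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # Remote Activation

$nt  = New-Object System.Security.Principal.NTAccount($FimServiceAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

# Each dialog is persisted as a binary security descriptor under HKLM\...\Ole.
# A missing Default* value means the dialog was never edited (built-in defaults apply).
$dialogs = [ordered]@{
  'Access Permissions - Edit Limits'                 = 'MachineAccessRestriction'
  'Access Permissions - Edit Default'                = 'DefaultAccessPermission'
  'Launch and Activation Permissions - Edit Limits'  = 'MachineLaunchRestriction'
  'Launch and Activation Permissions - Edit Default' = 'DefaultLaunchPermission'
}

# OR together the Allow ACEs that name the account directly. Rights obtained
# through a group (e.g. Distributed COM Users) are not resolved here.
function Get-DcomAllowMask([byte[]]$BinarySd, [System.Security.Principal.SecurityIdentifier]$Sid) {
  $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($BinarySd, 0)
  $mask = 0
  foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier -eq $Sid) { $mask = $mask -bor $ace.AccessMask }
  }
  if ($mask -eq $COM_RIGHTS_EXECUTE) { $mask = 0x1F }   # legacy-style ACE grants everything
  return $mask
}

$ole = Get-Item 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in $dialogs.Keys) {
  $bytes = $ole.GetValue($dialogs[$name])
  if ($null -eq $bytes) { "$name : not set (built-in defaults apply)"; continue }
  $mask   = Get-DcomAllowMask $bytes $sid
  $local  = ($mask -band $COM_RIGHTS_EXECUTE_LOCAL)  -ne 0
  $remote = ($mask -band $COM_RIGHTS_EXECUTE_REMOTE) -ne 0
  if ($name -like 'Launch*') {
    $lAct = ($mask -band $COM_RIGHTS_ACTIVATE_LOCAL)  -ne 0
    $rAct = ($mask -band $COM_RIGHTS_ACTIVATE_REMOTE) -ne 0
    "$name : LocalLaunch=$local RemoteLaunch=$remote LocalActivation=$lAct RemoteActivation=$rAct"
  } else {
    "$name : LocalAccess=$local RemoteAccess=$remote"
  }
}
```

Every line should report True for the rights named in steps 10, 16, 22 and 28; a "not set" line for a Default dialog simply means you never edited it.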

Figure 9: DCOM Permissions – Access Permissions – Edit Limits

Figure 10: DCOM Permissions – Access Permissions – Edit Default

Figure 11: DCOM Permissions – Launch And Activation Permissions – Edit Limits

Figure 12: DCOM Permissions – Launch And Activation Permissions – Edit Default

[3] WMI Permissions

The FIM Service account requires the correct WMI permissions on the FIM Sync Server(s). I say server(s) because you might have a running FIM Sync server and a hot or cold standby FIM Sync server. The manual steps to enable WMI for the FIM Service account on the FIM Sync Server(s) are:

  1. Log on to the FIM Sync Server with local administrative permissions.
  2. Click Start, select Administrative Tools, and click Computer Management.
  3. In Computer Management, expand Configuration, right-click WMI Controls and select Properties.
  4. Click the Security tab.
  5. Expand Root, select CIMV2, and then click the Security button. This will bring up the Security for ROOT\CIMV2.
  6. On Security for ROOT\CIMV2, click Add.
  7. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, enter the FIM Service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.
  8. Click OK.
  9. On Security for ROOT\CIMV2, for the FIM Service account name ensure that Allow is selected for both Enable Account and Remote Enable.
  10. Click Advanced. This will bring up the Advanced Security Settings for CIMV2.
  11. On Advanced Security Settings for CIMV2, select the FIM Service account name and then click Edit. This will bring up Permission Entry for CIMV2.
  12. On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.
  13. Click OK.
  14. On Advanced Security Settings for CIMV2, click Apply, and then click OK.
  15. On Security for ROOT\CIMV2, click OK.
  16. On WMI Control Properties, click OK.
  17. Close Computer Management.

If you think, "damn, that’s a lot of work!", you can also use PowerShell to do it! See How to Use PowerShell to Set WMI Permissions for FIM Self-Service Password Reset or Using PowerShell to Set WMI Permissions for FIM Self-Service Password Reset.
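
To verify the outcome of steps 9 and 12 without clicking through the dialogs again, the following PowerShell script is an added example, not code from the original post or from the linked articles: it asks the ROOT\CIMV2 namespace for its security descriptor through __SystemSecurity and checks the FIM Service account's ACE for Enable Account, Remote Enable and the "this namespace and subnamespaces" inheritance flag. The account name is an assumption; run it elevated on each FIM Sync Server.

```powershell
# Added example, not code from the original post: verify that ROOT\CIMV2 on a
# FIM Sync Server grants the FIM Service account Enable Account and Remote
# Enable, applied to this namespace and subnamespaces (steps 9 and 12 above).
# The account name is an assumption; replace it with your own. Run elevated.
$FimServiceAccount = 'IAMTEC\svc-fimservice'
$Namespace = 'root\cimv2'

# WMI namespace rights (WbemCli.h) as labelled in the WMI Control security dialog.
$WBEM_ENABLE        = 0x01   # Enable Account
$WBEM_REMOTE_ACCESS = 0x20   # Remote Enable
$CONTAINER_INHERIT  = 0x02   # AceFlags bit: "This namespace and subnamespaces"

$nt  = New-Object System.Security.Principal.NTAccount($FimServiceAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# __SystemSecurity returns the namespace DACL as Win32_ACE instances.
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($result.ReturnValue)" }

$enable = $false; $remote = $false; $inherit = $false
foreach ($ace in $result.Descriptor.DACL) {
  # AceType 0 = Access Allowed; only ACEs naming this SID directly are examined,
  # so rights granted through a group membership are not resolved here.
  if ($ace.AceType -ne 0 -or $ace.Trustee.SIDString -ne $sid) { continue }
  if ($ace.AccessMask -band $WBEM_ENABLE)        { $enable  = $true }
  if ($ace.AccessMask -band $WBEM_REMOTE_ACCESS) { $remote  = $true }
  if ($ace.AceFlags   -band $CONTAINER_INHERIT)  { $inherit = $true }
}

New-Object PSObject -Property @{
  Account          = $FimServiceAccount
  Namespace        = $Namespace
  EnableAccount    = $enable
  RemoteEnable     = $remote
  SubnamespacesToo = $inherit
  Compliant        = ($enable -and $remote -and $inherit)
}
```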

Figure 13: WMI Permissions – ROOT\CIMV2

If you have all of the above (already) correctly configured and it is still not working, there is one more thing to check. Open the System Event Log and see if you can find a warning with Event ID 6037 similar to the one shown below.

Figure 14: LSA Error Regarding Incorrect SPN Configuration

The program svchost.exe, with the assigned process ID 860, could not authenticate locally by using the target name RPCSS/FIMSYNC.IAMTEC.NET. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
 
Try a different target name.

If you do find the above warning, then navigate to the folder "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service" on the server with the FIM Service installed, open the file "Microsoft.ResourceManagement.Service.exe.config" and look for the string "synchronizationServerName". After finding it, look at its value, which in this case is "FIMSYNC.IAMTEC.NET". Ask yourself whether the value is the real FQDN of the FIM Sync Server or an alias for the FIM Sync Server. In this case the specified FQDN is an alias registered in DNS as an A record, not as a CNAME record. If the value specified is neither, then you need to run a change install of the FIM Service to specify the correct FQDN of the FIM Sync Server. I really suggest you use an alias for the FIM Sync Server, as it gives you lots of flexibility, especially if you have a running FIM Sync Server and a hot/cold standby of the FIM Sync Server. If you did not use an alias but the real FQDN of the FIM Sync Server, and you have multiple FIM Service server instances, you would need to do a change install on each and every FIM Service server instance just to change the FIM Sync Server FQDN. With an alias you do not need to do that; you just need to change the DNS record.

Figure 15: The FIM Sync Server FQDN Specified In the FIM Service Configuration File

If the value specified is the real FQDN of the FIM Sync Server, then you need to make sure the following SPNs are registered in the servicePrincipalNames attribute on the computer account of the FIM Sync Server:

  • HOST/<NetBIOS Name FIM Sync Server> (e.g. HOST/R1FSMBSV2)
  • HOST/<FQDN Name FIM Sync Server> (e.g. HOST/R1FSMBSV2.IAMTEC.NET)

In this case you need to check for the HOST SPNs and not the RPCSS SPNs, as the RPCSS SPN is covered by the HOST SPN. You can check this mapping in the "sPNMappings" attribute of the object "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=IAMTEC,DC=NET".

If either HOST SPN is missing, add it back, but beware of duplicate SPNs!

If the value specified is the alias FQDN of the FIM Sync Server, then you need to make sure the following SPNs are registered in the servicePrincipalNames attribute on the computer account of the FIM Sync Server:

  • RPCSS/<NetBIOS Alias FIM Sync Server> (e.g. RPCSS/FIMSYNC)
  • RPCSS/<FQDN Alias FIM Sync Server> (e.g. RPCSS/FIMSYNC.IAMTEC.NET)

Figure 16: Registering The RPCSS SPN For The Alias On The Computer Account Of The FIM Sync Server

When using an alias FQDN for the FIM Sync Server, you need to make sure that alias is registered in DNS as an A record and not as a CNAME record! The downside of this approach is that if you need to activate your hot/cold standby, you also need to move the RPCSS SPN from the computer account of the previous FIM Sync Server to the computer account of the new FIM Sync Server. To make sure you do not have that dependency, make sure you have the following:

  • HOST/<NetBIOS Name FIM Sync Server> registered on the computer account of any FIM Sync Server (should be there by default!)
  • HOST/<FQDN Name FIM Sync Server> registered on the computer account of any FIM Sync Server (should be there by default!)
  • RPCSS/<NetBIOS Alias FIM Sync Server> NOT registered anywhere
  • RPCSS/<FQDN Alias FIM Sync Server> NOT registered anywhere
  • The Alias FQDN is registered in DNS as a CNAME record and mapped to the real FQDN of the running FIM Sync Server

So does this last approach have a downside? Yes it does! The downside of this approach is that if you need to activate your hot/cold standby, you also need to change the CNAME DNS record so that it maps to the FQDN of the new FIM Sync Server.

Whatever you choose, it should work. You just need to decide which approach you prefer.
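
The decision tree above (real FQDN, A-record alias, or CNAME alias, each with its own HOST/RPCSS SPN expectations) is easy to get wrong by hand, so here is an added PowerShell example, not code from the original post: it reads synchronizationServerName from the FIM Service configuration file, classifies the name via DNS and the directory, and then searches the global catalog for the SPNs that must exist (flagging duplicates) and the ones that must not. The config path, the use of Resolve-DnsName (DnsClient module, Windows Server 2012 or later) and the dNSHostName lookup used to recognise a real computer name are assumptions.

```powershell
# Added example, not code from the original post: read synchronizationServerName
# from the FIM Service config, work out which of the three SPN layouts described
# above applies (real FQDN, A-record alias, CNAME alias) and check the directory
# for missing, duplicate or unwanted SPNs. Assumes the DnsClient module
# (Resolve-DnsName) and ADSI access to a global catalog; the path is an assumption.
$ConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'

[xml]$cfg  = Get-Content -LiteralPath $ConfigPath
$syncName  = $cfg.SelectSingleNode('//@synchronizationServerName').Value
if (-not $syncName) { throw "synchronizationServerName not found in $ConfigPath" }
$syncShort = $syncName.Split('.')[0]

# Search the global catalog so SPNs registered in any domain of the forest are found.
$rootDse = [ADSI]'LDAP://RootDSE'
$gc      = [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
function Find-AdObjects([string]$Filter) {
  $s = New-Object System.DirectoryServices.DirectorySearcher($gc, $Filter)
  $null = $s.PropertiesToLoad.Add('distinguishedName')
  foreach ($r in $s.FindAll()) { $r.Properties['distinguishedname'][0] }
}

# A CNAME answer identifies the CNAME-alias layout; a computer account whose
# dNSHostName equals the name identifies the real FQDN; anything else is an A-record alias.
$cname      = Resolve-DnsName -Name $syncName -ErrorAction Stop | Where-Object Type -eq 'CNAME' | Select-Object -First 1
$isRealHost = [bool](Find-AdObjects "(&(objectCategory=computer)(dNSHostName=$syncName))")

if ($cname) {
  # CNAME alias: the real server's HOST SPNs must exist; no RPCSS SPN for the alias anywhere.
  $real         = $cname.NameHost
  $mustExist    = @("HOST/$($real.Split('.')[0])", "HOST/$real")
  $mustBeAbsent = @("RPCSS/$syncShort", "RPCSS/$syncName")
} elseif ($isRealHost) {
  # Real FQDN: HOST covers RPCSS through sPNMappings, so only the HOST SPNs are required.
  $mustExist    = @("HOST/$syncShort", "HOST/$syncName")
  $mustBeAbsent = @()
} else {
  # A-record alias: RPCSS SPNs for the alias must sit on exactly one computer account.
  $mustExist    = @("RPCSS/$syncShort", "RPCSS/$syncName")
  $mustBeAbsent = @()
}

foreach ($spn in $mustExist) {
  $owners = @(Find-AdObjects "(servicePrincipalName=$spn)")
  switch ($owners.Count) {
    0       { "MISSING    $spn" }
    1       { "OK         $spn -> $($owners[0])" }
    default { "DUPLICATE  $spn -> $($owners -join '; ')" }   # duplicate SPNs break Kerberos
  }
}
foreach ($spn in $mustBeAbsent) {
  $owners = @(Find-AdObjects "(servicePrincipalName=$spn)")
  if ($owners.Count) { "UNEXPECTED $spn -> $($owners -join '; ')" } else { "ABSENT     $spn (as intended)" }
}
```

Run it on a FIM Service server after each failover as well, since both alias layouts require either the RPCSS SPN or the CNAME record to move with the active FIM Sync Server.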

After all this, you should not experience the "PWUnrecoverableError" Error anymore!

Cheers,
Jorge

One Response to “(2015-03-08) Resolving The "PWUnrecoverableError" Error With FIM Self-Service Password Reset (SSPR)”

  1. nkatekos said

    You are so great. My FIM portal was working until I decided to install the password reset portal which broke the FIM portal. I have been researching this issue the past 2 weeks. Had to add FIMService/Alias SPN on the actual server.
