Hi all,
I inherited a FIM implementation with FIM SSPR functionality.
I am still new to this SSPR functionality, but I will try to give you all the information anyway.
It seems that FIM is working well so far except for FIM Password Reset.
The issue is that when a user accesses the Password Reset Portal, enters the username “USER1” and clicks "Next", he receives error message 3001, which states that the identity doesn’t exist.
I checked the FIM Portal for the user and he is present; Password Registration was done in the past and now the user wants to reset the password.
Looking into the Event Viewer logs, I extracted the following relevant entries, in this order:
1. Source: Microsoft.ResourceManagement
GetCurrentUserFromSecurityIdentifier: No such user DOMAIN\svc-FIMPassword, S-1-5-21-xxx
Note: user DOMAIN\svc-FIMPassword is the service account that the FIM Password Reset application pool runs under in IIS.
Shouldn’t the actual user name that the user entered on the initial screen, “USER1”, be here?
2. Source: Microsoft.ResourceManagement
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
3. Source: Microsoft.CredentialManagement.ResetPortal
Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> The web service client has encountered the following class of error: IdentityIsNotFound
Details: Additional Text Details: The requestor’s identity was not found.
4. Source: Microsoft.CredentialManagement.ResetPortal
Message: Error processing your request: The server was unwilling to perform the requested operation.
Source: The requester of this operation is invalid.
Attributes:
Details: The requestor’s identity was not found.
ErrorCode: 3001
So all the logs state that the identity couldn’t be found, but I checked in the Portal and he exists, and the password registration was done in the past.
My questions are:
1. GetCurrentUserFromSecurityIdentifier: No such user DOMAIN\svc-FIMPassword, S-1-5-21-xxx
How should I interpret this message? It confuses me: why is the service account for the FIM Password Reset application pool in IIS here instead of the account that the user entered on the Portal?
Or does it indeed state that the service account is missing, and if so, where should it be present? The account exists in AD but it doesn’t exist in the Portal, because it is not part of any sync rules.
2. Any other checks to make sure the user identity is present and available for Password Reset?
Thank you in advance!
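An added diagnostic check (example code, not from the original post and not Microsoft's own tooling) for the two accounts the log chain involves: it tests whether each exists as a Person in the FIM Service and whether its ObjectSID matches the AD SID, since the logged GetCurrentUserFromSecurityIdentifier line indicates the service resolves the caller by SID. It assumes the FIMAutomation snap-in on the FIM Service host, a placeholder service URI, placeholder account names, and that Export-FIMConfig returns ObjectSID as Base64 text.

```powershell
# Added diagnostic example, not part of the original post.
# Assumptions: run on the FIM Service host with the FIMAutomation snap-in,
# under an account allowed to read Person objects; $fimUri and the two
# account names at the bottom are placeholders.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$fimUri = 'http://localhost:5725'   # placeholder: FIM Service address

function Get-AdSidBase64 {
    param([string]$Account)   # e.g. 'DOMAIN\svc-FIMPassword'
    # Resolve the AD account to its SID, the key the FIM Service uses when
    # it logs GetCurrentUserFromSecurityIdentifier, and encode it as Base64.
    $nt    = New-Object System.Security.Principal.NTAccount($Account)
    $sid   = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    [Convert]::ToBase64String($bytes)
}

function Test-FimPersonResolvable {
    param([string]$Account)
    $sam = ($Account -split '\\')[-1]
    # Look the Person up by AccountName, the value a user types into the Portal
    $found = Export-FIMConfig -Uri $fimUri -OnlyBaseResources `
                 -CustomConfig "/Person[AccountName='$sam']"
    if (-not $found) {
        return [pscustomobject]@{ Account = $Account; InFimService = $false; SidMatchesAd = $false }
    }
    # Assumption: binary attributes such as ObjectSID are exported as Base64 text
    $attrs  = $found[0].ResourceManagementObject.ResourceManagementAttributes
    $fimSid = ($attrs | Where-Object { $_.AttributeName -eq 'ObjectSID' }).Value
    [pscustomobject]@{
        Account      = $Account
        InFimService = $true
        SidMatchesAd = ($fimSid -eq (Get-AdSidBase64 $Account))
    }
}

# Check both principals from the log chain: the app-pool account the FIM Service
# tried to resolve by SID, and the user typed into the Portal (placeholders).
'DOMAIN\svc-FIMPassword', 'DOMAIN\USER1' |
    ForEach-Object { Test-FimPersonResolvable $_ } |
    Format-Table -AutoSize
```

A row with InFimService false, or true with SidMatchesAd false, points at the account the Resource Management Service cannot resolve from its SID.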