Tuesday, June 16, 2015

FIM SSPR error 3000

One day I ran into this error on a previously working FIM 2010 R2 self-service password reset portal configuration instance.  All users were getting error 3000:

An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)

On the usual rounds of Google, I found a few articles for testing WMI permissions and guides to ensure permissions.  The Microsoft-provided install guide also covers some of this.  The one thing, though, is that the WMI permissions discussed are always root\cimv2 permissions.  When looking at my configuration, everything was already set up as it should be (according to all of these documents).  I enabled debug logging on the portal to get more details.  This showed me this message among the other related events:

System.Management: System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)

So obviously I still had a permissions problem somewhere.  After digging around and getting nowhere, I fell back on my favorite troubleshooting rule, "when in doubt, Netmon".

 
As you can see in the last frame, the access denied error message is present on a WMI call.  So this quickly narrows it down to a WMI issue.  Go up a few frames to the blacked-out server name, and we see it accessing the root\MicrosoftIdentityIntegrationServer namespace.  Oddly, you won't find this mentioned anywhere in the documentation.  Once I granted the service account "Enable Account" and "Remote Enable" rights on this namespace on the sync server, everything started working fine.  The root cause ended up being the removal of admin rights from the FIM service account on the sync server.  As usual, in bad documentation and bad troubleshooting, granting admin rights solves a lot of problems.  If you want to go with a more restricted environment, add this namespace permission to your build steps for SSPR.
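Added example (my own script for this post, not something from Microsoft's documentation): it audits, and with -Grant adds, exactly the two rights described above ("Enable Account" = 0x1 and "Remote Enable" = 0x20) for the FIM service account on the root\MicrosoftIdentityIntegrationServer namespace, using the standard __SystemSecurity WMI methods. The server name and account are placeholders; run it as an administrator of the sync server.

```powershell
param(
    [string]$SyncServer = 'FIMSYNC01',              # placeholder sync server name
    [string]$Account    = 'CONTOSO\svc-fimservice', # placeholder FIM service account
    [switch]$Grant                                  # without -Grant, only reports
)
$Namespace = 'root\MicrosoftIdentityIntegrationServer'
$Required  = 0x1 -bor 0x20   # WBEM_ENABLE ("Enable Account") | WBEM_REMOTE_ACCESS ("Remote Enable")

$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$wmi = @{ Namespace = $Namespace; Path = '__systemsecurity=@'; ComputerName = $SyncServer }

# Read the namespace security descriptor through the __SystemSecurity class.
$get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor

# Collect the allow and deny bits already present for this SID (AceType 0 = allow, 1 = deny).
$allowed = 0; $denied = 0
foreach ($ace in $sd.DACL) {
    if ($ace.Trustee.SIDString -ne $sid) { continue }
    if ($ace.AceType -eq 0) { $allowed = $allowed -bor $ace.AccessMask }
    if ($ace.AceType -eq 1) { $denied  = $denied  -bor $ace.AccessMask }
}
$missing = $Required -band (-bnot $allowed)
if ($missing -eq 0 -and ($denied -band $Required) -eq 0) {
    "$Account already has Enable Account and Remote Enable on $Namespace"; return
}
"$Account is missing mask 0x{0:X} on $Namespace (explicitly denied: 0x{1:X})" -f $missing, ($denied -band $Required)
if (-not $Grant) { return }

# Append one allow ACE scoped to this namespace only (AceFlags 0 = no inheritance to sub-namespaces).
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid
$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $Required
$ace.AceFlags   = 0
$ace.AceType    = 0
$ace.Trustee    = $trustee
$sd.DACL += $ace.psobject.ImmediateBaseObject

$set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
"Granted 0x{0:X} to $Account on $Namespace; re-run without -Grant to verify, then retest SSPR." -f $Required
```

An explicit deny ACE on the same SID wins over the added allow, so the report line shows denied bits separately rather than silently adding an allow that would not take effect.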

Just for search purposes, here are some of the other event log texts that may be seen when this issue occurs:

WorkflowInstance '3eb56c33-cc6f-4c4f-90cf-30086a5d1fbd' [Description: ] recorded the following event for activity authenticationGateActivity1.FailureBranch (type:System.Workflow.Activities.IfElseBranchActivity): Executing at 2/27/2015 6:39:02 AM.
-----------
The error page was displayed to the user.
Details:
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source:
Attributes:
Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3000
CaughtTime: 02/27/2015 01:39:02

Web Portal: FIM Password Reset Portal
Session Id: mfa4tg550e52v4be0bhhxu45



-----------------

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


---------

A user's attempt to reset password ended with the following result.
The result details:
Error while performing the password reset operation: PWUnrecoverableError
Web Portal: FIM Password Reset Portal
Session Id: mfa4tg550e52v4be0bhhxu45


---------
Service fault of type DataRequiredFault was received.
----------

The web portal received a fault error from the FIM service.
Details:
Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: DataRequiredFaultReason
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Common.ResetProxy.InteractWithPasswordResetActivity(SecureString newPassword, String activityEndpoint, String workflowInstanceId, ContextualSecurityToken sessionSecurityToken)
Web Portal: FIM Password Reset Portal
Session Id: mfa4tg550e52v4be0bhhxu45




Monday, June 15, 2015

Why my child isn't on Facebook, gmail or the rest


Few people take the time to consider the actions they take online. This can be easily seen in the blind acceptance of terms of service agreements. This discussion is about my children, who are all under the age of 13. If you look at most of these major service providers, they have written rules that prohibit anyone under the age of 13 from signing up. This may be a mention in the terms of service, or it may be a technical control which checks ages based on birthdate values that are entered at sign up. Why 13? Various laws and attempts at passing laws on online child privacy (ex: COPPA) usually put special restrictions on handling privacy for children below this age. Given that these laws are being made in these companies' home countries and major markets, it influences how they provide services. Having to meet various regulations for different types of users becomes expensive to create and maintain. Besides the business and the technical problems, there is the obvious issue of why these laws are being passed in the first place. Children at these ages haven't matured and are too innocent, which leads them to get into trouble in these environments.

Despite the legal issues, the technical controls and the background on why they are there in the first place, kids and others are still pressuring them to sign up because "everyone is doing it", or it's some necessity for class work. So for my kids, I break down the legal implications, and sometimes get into the spiritual implications. They are as follows:


Legal:

1) Terms of service agreements are contracts. Lying about your age to enter into one is fraud.

2) Terms of service agreements are contracts. Failing to follow the conditions is breach of contract.

3) The service providers are running on "protected computers". As these providers can define their systems as protected computers, any misuse of them, or unauthorised use of them, violates the Computer Fraud and Abuse Act. This is criminal computer hacking.  Although this may seem ridiculous, and it's unlikely that a prosecutor would pursue someone unless they were involved in other illegal or harmful activities, the law is vaguely worded and many odd uses of it have happened recently.  (Example: 14 year old arrested for changing his teacher's desktop wallpaper after the teacher gave him the password [in a state with a minimum penalty of 1 year in prison].)  (Example: A woman is charged with computer hacking after creating a fake social media account to bully a teenager.)


Spiritual:

1) Lying about one's age to access a service:

"The Messenger of Allah, may Allah bless him and grant him peace, was asked, 'Can the mumin be a coward?' He said, 'Yes.' He was asked, 'Can the mumin be a miser?' He said, 'Yes.' He was asked, 'Can the mumin be a liar?' He said, 'No.' " [Muwatta]


2) Fulfilling commitments

And do not approach the property of an orphan, except in the way that is best, until he reaches maturity. And fulfill [every] commitment. Indeed, the commitment is ever [that about which one will be] questioned. [Quran 17:34]

3) Children are not allowed to enter into business transactions without assistance from a guardian who has reached the age of discernment.

4) Obeying laws
O you who have believed, obey Allah and obey the Messenger and those in authority among you. And if you disagree over anything, refer it to Allah and the Messenger, if you should believe in Allah and the Last Day. That is the best [way] and best in result. [Quran 4:59]

Computer services should be viewed in the same way that other people's property should be viewed. The service providers are paying for their equipment, maintenance and development. If it was something that belonged to your neighbour, you wouldn't help yourself to it whenever you wanted.


True taqwa is doing what is right, even when everyone is doing wrong, or when no one will see you doing wrong.  We don't individually use our intellect to decide if a law can be broken for any reason (be it everyone else is doing it, or the law doesn't make sense, etc).

These are just a few thoughts related to the initial signing up for service. There are many other concerns later which will creep in. It's interesting that the age of 13 was chosen, given that it is around the age that children will pass into adulthood according to Islamic guidelines. Restricting internet access in the earlier ages, and providing good supervision, will hopefully help establish good habits and good judgement in regard to the dangers that are out there (both physical and spiritual).