IIS Authentication notes on Self-Service Password Reset – FIM 2010 R2
I accidentally ran into an authentication-related issue in a Self-Service Password Reset system based on Forefront Identity Manager 2010 R2, the latest FIM product providing web-based self-service password reset, which I selected for a customer.
When a user opens the Password Registration portal, he always gets the error: “An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000).” To show the error in more detail, I navigated to the web.config file in the path (C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration Portal\), looked up the value ShowTroubleshootingInfoOnErrorPage, and changed it from false to true.
Most of the errors I got in the Event Viewer seemed to be related to authentication. The error says that the FIM server could not be authenticated in the domain via Windows Authentication. After getting help from Anthony Ho, who has written many invaluable FIM-related articles on his blog, I found out that Windows Authentication had suddenly been disabled. I enabled Windows Authentication in IIS Manager and the FIM portals worked like a charm. Make sure only Windows Authentication is enabled.
Additionally, you must enable Anonymous Authentication on the Password Reset portal if you don’t want to get complaints. If you don’t enable Anonymous Authentication on your reset portal, a user who opens it will be asked for his credentials. That looks stupid: he has forgotten his password, so how the heck can he sign in to the Password Reset portal?
Make sure you only enable Anonymous Authentication on the Password Reset portal. Open IIS Manager, click the Password Reset website and then click Authentication under the IIS section. Right-click Anonymous Authentication and select Enable.
Finally, make sure the policy “Anonymous users can reset their password” is not disabled in the Management Policy Rules.
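Because Windows Authentication was found disabled without warning, it helps to check the IIS authentication state of both portals on a schedule instead of waiting for Error 3000. The script below is an added example, not part of the original post or of FIM itself; the two site names are assumptions (use the names shown in IIS Manager), and the expected state is this post's guidance: only Windows Authentication on the registration site, Anonymous Authentication enabled on the reset site.

```powershell
# Added example: report drift in IIS authentication settings on the FIM SSPR portals.
# Run elevated on the IIS host. Site names below are assumptions, not taken from the post.
Import-Module WebAdministration

$expected = @{
    'FIM Password Registration Site' = @{   # assumed site name
        windowsAuthentication   = $true
        anonymousAuthentication = $false
        basicAuthentication     = $false
        digestAuthentication    = $false
    }
    'FIM Password Reset Site' = @{          # assumed site name
        anonymousAuthentication = $true
    }
}

function Get-AuthEnabled {
    param([string]$Site, [string]$Method)
    # Read the effective value from the site's <location> entry in applicationHost.config.
    $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Site `
        -Filter "system.webServer/security/authentication/$Method" `
        -Name 'enabled' -ErrorAction SilentlyContinue
    if ($null -eq $attr) { return $false }   # section unavailable: treat as disabled
    if ($attr -is [bool]) { return $attr }
    return [bool]$attr.Value
}

$drift = foreach ($site in $expected.Keys) {
    if (-not (Test-Path "IIS:\Sites\$site")) {
        Write-Warning "Site '$site' not found; check the name in IIS Manager."
        continue
    }
    foreach ($method in $expected[$site].Keys) {
        $actual = Get-AuthEnabled -Site $site -Method $method
        if ($actual -ne $expected[$site][$method]) {
            [pscustomobject]@{
                Site = $site; Method = $method
                Expected = $expected[$site][$method]; Actual = $actual
            }
        }
    }
}

if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
Write-Output 'Authentication settings match the expected state.'
```

A non-zero exit code means at least one method differs from the expected state, so the script can be wired into a scheduled task or monitoring agent.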