IIS Authentication notes on Self-Service Password Reset – FIM 2010 R2

In category Forefront Identity Manager | September 13, 2012

I accidentally ran into an authentication-related issue in a Self-Service Password Reset system based on Forefront Identity Manager 2010 R2, the latest FIM product providing web-based self-service password reset, which I selected for a customer.

When a user opens the Password Registration portal, he always gets the error: “An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000).” To show the error in more detail, I navigated to the web.config file in the path (C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration Portal\), looked up the value ShowTroubleshootingInfoOnErrorPage, and changed false to true.

Most of the errors I got in the Event Viewer seemed to be related to authentication. The error says that the FIM server could not be authenticated in the domain via Windows Authentication. After getting help from Anthony Ho, who has written many invaluable FIM-related articles on his blog, I found out that Windows Authentication had suddenly been disabled. I enabled Windows Authentication in IIS Manager and the FIM portals worked like a charm. Make sure only Windows Authentication is enabled.

Additionally, you must enable Anonymous Authentication on the Password Reset portal if you don’t want to get complaints. If you don’t enable Anonymous Authentication on your reset portal, a user who opens it will be asked for his credentials. That looks stupid: he has forgotten his password, so how the heck can he sign in to the Password Reset portal?

Make sure you only enable Anonymous Authentication on the Password Reset portal. Open IIS Manager, click the Password Reset website, and then click Authentication under the IIS section. Right-click Anonymous Authentication and select Enable.

Finally, make sure the policy “Anonymous users can reset their password” is not disabled in the Management Policy Rules.

-T.s
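
The IIS settings described above can also be checked from PowerShell, so a silent change like the disabled Windows Authentication is caught before users hit Error 3000. This is an added example, not part of the original post; the two site names are assumptions and must be replaced with the names shown in IIS Manager on your FIM server.

```powershell
# Added example (not from the original post). The two site names below are
# assumptions; use the names shown in IIS Manager on your FIM server.
Import-Module WebAdministration

# Expected state as described in the post. Methods not listed are left alone.
$expected = @{
    'FIM Password Registration Site' = @{ windowsAuthentication = $true; anonymousAuthentication = $false }
    'FIM Password Reset Site'        = @{ anonymousAuthentication = $true }
}

function Test-PortalAuthentication {
    param(
        [hashtable]$Expected,
        [switch]$Fix   # without -Fix the function only reports
    )
    # Authentication sections are locked at server level by default, so they
    # are read and written in applicationHost.config via -Location.
    $root = 'MACHINE/WEBROOT/APPHOST'
    foreach ($site in $Expected.Keys) {
        if (-not (Test-Path "IIS:\Sites\$site")) {
            Write-Warning "Site '$site' not found; check the name in IIS Manager."
            continue
        }
        foreach ($method in $Expected[$site].Keys) {
            $filter = "system.webServer/security/authentication/$method"
            $want   = $Expected[$site][$method]
            $read   = { (Get-WebConfigurationProperty -PSPath $root -Location $site `
                            -Filter $filter -Name enabled).Value }
            $actual = & $read
            if ($actual -ne $want -and $Fix) {
                Set-WebConfigurationProperty -PSPath $root -Location $site `
                    -Filter $filter -Name enabled -Value $want
                $actual = & $read   # re-read so the report shows the real state
            }
            New-Object PSObject -Property @{
                Site = $site; Method = $method; Expected = $want
                Actual = $actual; Compliant = ($actual -eq $want)
            }
        }
    }
}

# Report only; add -Fix to apply the expected state.
Test-PortalAuthentication -Expected $expected |
    Format-Table Site, Method, Expected, Actual, Compliant -AutoSize
```

Run it in an elevated PowerShell session on the server hosting the portals. The “Anonymous users can reset their password” policy lives in FIM, not IIS, and still has to be checked in the FIM portal.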


5 thoughts on “IIS Authentication notes on Self-Service Password Reset – FIM 2010 R2”

  1. tatoeage voorbeeld says:

    I think this is a powerful site with a lot of interesting posts about this stuff. And I just wanna say thanks for this. I’ll follow your blog to see if you post more stuff like this!

  2. njabulo says:

    Please help. Our FIM portal for register and password reset was always working, but now we get a message that the page cannot be displayed. Kindly help.

    1. Hi njabulo,

      Your page can’t be displayed maybe because IIS can’t resolve the URL. Please contact me at thuan@outlook.com

      Regards,
      -T.s
