We are currently facing issues in setting up the SSPR on the FIM 2010 installation.
Actions done:
- Installed FIM Service, Portal and SSPR sites on the same box (SQL is on another box)
- Followed all the instructions to set up SSPR: http://technet.microsoft.com/en-us/library/hh824694%28v=ws.10%29.aspx
- Used svc-FIMService as the App Pool account for the SSPR sites (the same service is used for FIM installation)
- Used URLs http://passwordregistration.xxx.com and http://passwordreset.xxx.com as the SSPR sites (xxx is the company name, and we registered both the URLs in DNS)
- Created the following SPNs:
  - HTTP/passwordregistration.xxx.com ECOM\svc-FIMService
  - HTTP/passwordreset.xxx.com ECOM\svc-FIMService
- Enabled delegation on svc-FIMservice
- Verified all the MPRs and the Password Reset
- For all the test accounts we have edited the property “AuthN Workflow Registered” to “Password Reset AuthN Workflow”
- Verified the “Password Reset Users Set” and all the users are in this set
Observed Issues:
- Though all users are able to log into FIM portal, none of them are able to use the SSPR features. (The home page opens up for everyone, but beyond that we are facing issues described below)
- The svc-FIMservice account is able to do password registration but not password reset
- All other accounts are not able to register for password reset. After pressing Next on the first screen we observe the following error message:
  Ensure you enter your user name correctly. If you still cannot reset your password, please contact your helpdesk for assistance. (Error 3001)
- We enabled the FIM Service logging and see that the error logged is based on permissions. The detailed message is:
  The supplied request content violates system rules.
  Correlation Id: 82454090-576e-4906-9858-2b851a6039ae
  Details: The Request contains changes that violate system constraints
- On the FIM Service Logs we are getting this error: Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: SystemConstraint
Please let us know if there are any other steps that we are missing. We have been stuck at this step for over a week and would really appreciate any help provided.
Vittal