SSPR Troubleshooting

The following section will assist with troubleshooting issues that may arise with your SSPR deployment.

Troubleshooting

If you have issues when you set up self-service password reset, look for the issue in the following list for information about how to resolve it.

Password reset configuration
  • If the firewall on the FIM 2010 R2 RC server is enabled, you must open a range of ports to allow remote procedure call (RPC) communication between the domain controller and the server with FIM 2010. For more information, see the Microsoft Identity Integration Server 2003 Technical Reference (https://go.microsoft.com/fwlink/?LinkId=38680).

  • If the firewall on the server running FIM 2010 R2 is on, the password reset does not work unless you manually unblock TCP ports 5725 and 5726. If necessary, manually unblock TCP ports 5725 and 5726.

  • In the Question and Answer activity settings, the following condition exists:

    • A question should not exceed 100 characters.

Password reset use case
  • Answers to questions should not exceed 255 characters.

Self-Service Password client deployment
  • If a user does not register for a password reset during the initial logon, he or she will be prompted to register during each subsequent logon.

  • If a user wants to reregister for a self-service password reset, follow the procedures in the Register for a self-service password reset section of this document.

FIM Password and Authentication Client Service may be down

If the Forefront Identity Manager Password Reset Client Service is not running or is not started on the client and a user attempts to run mspwdregistration.exe –all, there will be a long delay and the user will eventually receive the following error message: "The FIM Password and Authentication Client Service may be down. If you have just started your computer, please wait one minute and try again. Otherwise, please contact your system administrator."

There will be no events in the Event Viewer.

mspwdregistration error

To resolve this issue, ensure that the Forefront Identity Manager Password Reset Client Service is started and running.

To ensure that the Forefront Identity Manager Password Reset Client Service is running, use the following procedure:

To ensure that the Forefront Identity Manager Password Reset Client Service is running

  1. On the client that has the Forefront Identity Manager Password Reset Client Service installed, click Start, select Control Panel, select Administrative Tools, and select Services. This will bring up Services.

  2. On the Services screen, scroll down to Forefront Identity Manager Password Reset Client Service.

  3. Right-click Forefront Identity Manager Password Reset Client Service and select Start. This will start the service.

  4. Once the service has started, close Services.

FIM Password Reset Client Service

FIM Password Reset Registration encountered an error

If the client attempts to register a user while the FIM Service is down, the following error will be received: "FIM Password Reset Registration encountered an error. You may be able to resolve the issue by trying again. If you still experience issues, please contact your support team."

FIM Service error

On the client attempting to make the registration, you can check the Event Viewer, where you will see an error similar to the one below. To check the Event Viewer, start Event Viewer from Administrative Tools and navigate to Applications and Services Logs -> Forefront Identity Manager.

Event Viewer

Trace messages are received by listeners. The purpose of a listener is to collect, store, and route tracing messages. Listeners direct the tracing output to an appropriate target, such as a log, window, or text file. An EventLogTraceListener redirects output to an event log. By default, the Self-Service Password Reset client has an EventLogTraceListener enabled.

A listener’s event type filter sets a threshold: once it is set, the listener traces only events of that event type or more important. By default, this listener is set up to trace only events of type Error. This can be modified to Warnings, Informational, All, etc. To do so, change the initializeData value on the filter element from Error to the new value in the PwdMgmtProxy.exe.Config file found in %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Password Reset Client Service.

<add initializeData="Microsoft.ResourceManagement.PasswordProxy" type="System.Diagnostics.EventLogTraceListener"
     name="DefaultPasswordProxyEventListener">
    <filter type="System.Diagnostics.EventTypeFilter" initializeData="Error" />
</add>
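
The following PowerShell script is an added example, not part of the original page or of the product: it applies the filter change described above to PwdMgmtProxy.exe.Config from an elevated prompt. The parameter names `$Level` and `$ConfigPath` are this example's own, the listener is located by the name shown in the fragment above, and the script assumes the service has to be restarted to re-read its configuration file.

```powershell
# Added example: change the SSPR client trace filter in PwdMgmtProxy.exe.Config.
param(
    # A System.Diagnostics.SourceLevels name such as Error, Warning, Information or All
    [string]$Level = 'Warning',
    [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe.Config')
)

$ErrorActionPreference = 'Stop'
# Display name as given on this page; the script does not assume a short service name.
$serviceDisplayName = 'Forefront Identity Manager Password Reset Client Service'

# Refuse values the filter cannot parse, so a typo never reaches the config file.
if ([System.Enum]::GetNames([System.Diagnostics.SourceLevels]) -cnotcontains $Level) {
    throw "'$Level' is not a System.Diagnostics.SourceLevels value."
}
if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}

# Keep a timestamped copy so the original filter can be restored.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # leave the rest of the file byte-for-byte similar
$xml.Load($ConfigPath)

# Target only the filter of the default event log listener shown in the fragment above.
$xpath  = "//add[@name='DefaultPasswordProxyEventListener']/filter[@type='System.Diagnostics.EventTypeFilter']"
$filter = $xml.SelectSingleNode($xpath)
if ($null -eq $filter) {
    throw "DefaultPasswordProxyEventListener filter not found in $ConfigPath"
}

$previous = $filter.GetAttribute('initializeData')
if ($previous -cne $Level) {
    $filter.SetAttribute('initializeData', $Level)
    $xml.Save($ConfigPath)
    Write-Output "Filter changed from '$previous' to '$Level' (backup: $backup)"
    # Assumption: the service reads its .config only at start, so restart it.
    Restart-Service -DisplayName $serviceDisplayName
}

# Confirm the service came back up; a stopped service produces the
# "may be down" error described earlier on this page.
Get-Service -DisplayName $serviceDisplayName | Select-Object DisplayName, Status
```

Copying the timestamped .bak file back over the config file and restarting the service restores the previous filter level.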