[Troubleshooting] SSPR Error 3000 Troubleshooter

 

Overview

A very common Self-Service Password Reset (SSPR) issue that we encounter in Microsoft Support is the following:

“An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)”   

Error 3000 can be frustrating because it provides little information about what caused it to be generated.  This blog will assist in isolating what is causing the Error 3000.

To help in diagnosing this error, I have listed out the available logs and also provided an architecture diagram. If you are familiar with those items already, I recommend you skip to the SSPR Troubleshooter Checklist below.

Possible Machines Involved and logs to review

Client Machine

  1. Application Event Log
  2. PwdMgmtProxy Tracing
  3. Network Trace

FIM Portal Machine

  1. Application Event Log
  2. IIS Authentication Settings
  3. Network Trace

FIM Service Machine

  1. Application Event Log
  2. Forefront Identity Manager Event Log
  3. FIM Service Tracing
  4. Network Trace

FIM Synchronization Service Machine

  1. Application Event Log
  2. Network Trace

Domain Controller

  1. Application Event Log
  2. Security Event Log
  3. Network Trace

 

SSPR Flow Diagram

SSPR Troubleshooter Checklist

I am building this checklist to assist in troubleshooting SSPR-related issues.  This is an ever-changing list, meaning that as I discover more information I will update the list to help isolate and troubleshoot SSPR issues better.  For each item, you will see the recommended machine on which to focus your troubleshooting.  The scenarios below include snippets of the logs that were used to help isolate the issue.

  1. Where does the password reset attempt fail? This provides a good investigative starting point.
    1. Using the SSPR Rich Client, enable client tracing: (https://blogs.technet.com/b/aho/archive/2010/09/29/troubleshooting-fimservice-fimportal-password-reset-client.aspx)
    2. Unable to access the SSPR web portal? (Look at the web portal/IIS components)
    3. Initial attempt providing user name? (Web portal and/or FIM Service Machine)
    4. Failure to process one of the gates? Which one(s)? (FIM Service Machine)
    5. Failure upon providing the new password? (FIM Synchronization Service machine)
    6. Confirm the user attempting the password reset may access the FIM Portal (Is the user able to access the FIM Portal?)
  2. How is the user attempting to reset their password?
    1. Login or lock screen (using the SSPR rich client):
      Test resetting the password via the SSPR web portal
  3. Specifically for FIM 2010 R2, confirm the IIS Authentication Settings (Scenario #2)
  4. Turn off friendly error messages in the SSPR Web Portal (https://blog.msresource.net/2012/06/07/troubleshooting-the-fim-2010-r2-password-registration-and-reset-portals/)
  5. If using the SSPR Rich Client, enable client tracing. Do a FIM Service Trace (How to Enable).

 

SSPR Basic Checks

Does the user exist in the FIM Portal

  1. Navigate to the FIM Portal and click Users
  2. Search for the User
  3. If the user does not exist in the FIM Portal, then the user will not be able to reset their password or navigate to the FIM Portal.

 

Does the user have the required attributes

  1. Navigate to the FIM Portal and click Users
  2. Search for the User
  3. Are the following attributes populated:
    1. Domain
    2. accountName
    3. ResourceSID

 

Is the user registered for Self-Service Password Reset (SSPR)

  1. Navigate to the FIM Portal and click Users
  2. Search for the User
  3. Click the Advanced View button
  4. Click the Extended Attributes Tab
  5. Look for AuthN Workflow Registered
  6. If this is populated, then the user is registered for SSPR.  If it is not populated, as in the picture below, then the user is not registered for SSPR.

 

 

Scenarios:

This section provides information on scenarios that have been encountered with SSPR that have returned the error 3000.  In the documented scenarios below, you will find the Log to investigate and a preview of some of the key text to identify your issue.  Additionally, you will find a link to a Microsoft TechNet Wiki and/or Blog post that will help you resolve the issue that you are encountering. 

Scenario #1 - Access Is Denied

This scenario will cover the different "Access Is Denied" messages that you may find in the Forefront Identity Manager Event Log.

Scenario #1a - Access Is Denied

Environment

  • FIM 2010 R2 with a remote SQL Server
  • Using a SQL Server Alias

Log Investigation

Forefront Identity Manager Event Log: "mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

The key here is noticing the "Access is denied". The "Access is denied" message could mean several different things in the Self-Service Password Reset (SSPR) solution, so execute a FIM Service Trace while resetting the password. If the FIM Service Trace displays the information below, take a look at the Microsoft TechNet Wiki article listed under Resolution.

FIM Service Trace (How to Enable): " WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='DOM' AND Account='user1') or (FullyQualifiedDomain='DOM' AND Account=' user1') or (Domain='DOM' AND UserPrincipalName='user1') or (FullyQualifiedDomain='DOM' AND UserPrincipalName='user1')"

Resolution 

Troubleshooting FIM 2010 R2: SSPR Error 3000: Access is denied. (Exception from HRESULT: 0x80070005 https://social.technet.microsoft.com/wiki/contents/articles/15553.fim2010r2-troubleshooting-sspr-error-3000-when-attempting-to-reset-password.aspx

Scenario #1b - Access Is Denied

Environment

  • FIM 2010 R2 with a remote SQL Server
  • Using a SQL Server Alias

Log Investigation

Forefront Identity Manager Event Log: System.Management: System.Management.ManagementException: Access denied

Resolution

Troubleshooting FIM2010 SSPR: Error 3000 - Access Denied: https://social.technet.microsoft.com/wiki/contents/articles/16572.troubleshooting-fim2010-sspr-error-3000-access-denied.aspx

Scenario #2

Environment

    • FIM 2010 R2 SSPR

Log Investigation

Component Investigation

    • Confirm IIS Authentication Settings by reviewing the following Microsoft TechNet Wiki:

[FIM2010R2-TROUBLESHOOTING-SSPR] Error 3000: Invalid IIS Authentication Settings https://social.technet.microsoft.com/wiki/contents/articles/15429.fim2010r2-troubleshooting-sspr-error-3000.aspx

Scenario #3

Environment

    • FIM 2010 R2

Log Investigation

    • Forefront Identity Manager Event Log

System.IO.FileLoadException: Could not load file or assembly 'Microsoft.IdentityManagement.CredentialManagement.Portal.Gates\, Version\={BuildVersion}\, Culture\=neutral\, PublicKeyToken\=31bf3856ad364e35' or one of its dependencies. The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)

Resolution

Troubleshooting FIM 2010 R2: SSPR Error 3000:could not load file or assembly: 0x80131047: https://social.technet.microsoft.com/wiki/contents/articles/15428.troubleshooting-fim-2010-r2-sspr-error-3000-could-not-load-file-or-assembly-0x80131047.aspx

Troubleshooting FIM2010R2 SSPR Error 3000 – The given assembly name or codebase was invalid: https://social.technet.microsoft.com/wiki/contents/articles/15574.troubleshooting-fim2010r2-sspr-error-3000-the-given-assembly-name-or-codebase-was-invalid.aspx

Scenario #4

Environment

    • FIM 2010 R2

Log Investigation

    • FIM Portal Page: Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Expected authentication
    • Forefront Identity Manager: Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
    • Forefront Identity Manager: Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
    • FIM Service Trace (How to Enable) : Microsoft.ResourceManagement Warning: 2 : User unauthorized to register for Password Reset

Resolution

Troubleshooting FIM SSPR: Error 3000 and 3004 – not authorized to register for password reset: https://social.technet.microsoft.com/wiki/contents/articles/15372.troubleshooting-fim-sspr-error-3000-and-3004-not-authorized-to-register-for-password-reset.aspx

Scenario #5

Environment

    • FIM 2010 R2 SSPR

Log Investigation

    • Forefront Identity Manager Event Log: Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.ArgumentNullException: Value cannot be null.

Component Investigation

 

Resolution

Troubleshooting FIM SSPR: Error 3000 - Value cannot be null.: https://social.technet.microsoft.com/wiki/contents/articles/15600.troubleshooting-fim-sspr-error-3000-value-cannot-be-null.aspx

Scenario #6

Environment

    • FIM 2010 or FIM 2010 R2

Log Investigation

    • FIM Service Trace Log (How to Enable) : PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005

Resolution

Troubleshooting FIM 2010 R2: SSPR Error 3000: PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005: https://social.technet.microsoft.com/wiki/contents/articles/17912.troubleshooting-password-reset-is-successful-but-still-throws-an-error-3000.aspx
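
The log excerpts quoted in Scenarios #1a through #6 can be used as signatures to sort event messages into a scenario before opening the matching wiki article. The script below is an added example, not part of the original post or of FIM itself; the function name, the sample messages and the event log name in the final comment are assumptions, and it expects PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Signatures are the log excerpts
# quoted under Scenarios #1a-#6; the first match wins, so the more specific
# exception text is listed before the broader one.
$Sspr3000Signatures = @(
    [pscustomobject]@{ Scenario = '#1b'; Pattern = 'System\.Management\.ManagementException: Access denied' }
    [pscustomobject]@{ Scenario = '#1a'; Pattern = 'System\.UnauthorizedAccessException: Access is denied' }
    [pscustomobject]@{ Scenario = '#3';  Pattern = '0x80131047|The given assembly name or codebase was invalid' }
    # #4 and #5 both surface as ScriptManager_AsyncPostBackError, so match on
    # the inner exception instead of the wrapper.
    [pscustomobject]@{ Scenario = '#4';  Pattern = 'Identity\.Name is Null or Empty|NotAuthorizedException: Expected authentication|User unauthorized to register for Password Reset' }
    [pscustomobject]@{ Scenario = '#5';  Pattern = 'System\.ArgumentNullException: Value cannot be null' }
    [pscustomobject]@{ Scenario = '#6';  Pattern = 'MIIS Password Set call failed with call-failure:0x80004005' }
)

function Get-Sspr3000Scenario {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string]$Message
    )
    process {
        $hit = $Sspr3000Signatures |
            Where-Object { $Message -match $_.Pattern } |
            Select-Object -First 1
        # No signature: Scenario #2 (IIS authentication settings) has no log text to match.
        $scenario = if ($hit) { $hit.Scenario } else { 'unmatched: check #2, then run a FIM Service Trace' }
        [pscustomobject]@{
            Scenario = $scenario
            Excerpt  = $Message.Substring(0, [Math]::Min(60, $Message.Length))
        }
    }
}

# Constructed sample messages, assembled from the excerpts on this page.
$samples = @(
    'mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'
    'System.Management: System.Management.ManagementException: Access denied'
    'System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty'
    'System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.ArgumentNullException: Value cannot be null.'
    "PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005"
    'Constructed message that matches none of the documented scenarios'
)
$samples | Get-Sspr3000Scenario | Format-Table -AutoSize

# Live use on the FIM Service machine (log name is an assumption; confirm it in Event Viewer):
# Get-WinEvent -LogName 'Forefront Identity Manager' -MaxEvents 200 |
#     ForEach-Object { $_.Message } | Get-Sspr3000Scenario
```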

 

 

 

 

 
