[Troubleshooting] SSPR Error 3000 Troubleshooter
Overview
A very common Self-Service Password Reset (SSPR) issue that we encounter in Microsoft Support is the following:
“An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)”
The Error 3000 can be frustrating, in that it does not provide much information as to what is causing the Error 3000 to be generated. This blog has will assist in isolating what is causing the Error 3000.
To help in diagnosing this error, I have listed out the available logs and also provided an architecture diagram. If you are familiar with those items already, I recommend you skip to the SSPR Troubleshooter Checklist below.
Possible Machines Involved and logs to review
Client Machine
- Application Event Log
- PwdMgmtProxy Tracing
- Network Trace
FIM Portal Machine
- Application Event Log
- IIS Authentication Settings
- Network Trace
FIM Service Machine
- Application Event Log
- Forefront Identity Manager Event Log
- FIM Service Tracing
- Network Trace
FIM Synchronization Service Machine
- Application Event Log
- Network Trace
Domain Controller
- Application Event Log
- Security Event Log
- Network Trace
SSPR Flow Diagram
SSPR Troubleshooter Checklist
I am building this checklist to assist in troubleshooting SSPR related issues. This is an ever changing list, meaning that as I discover more information I will update the list to help isolate and troubleshoot SSPR issues better. You will see the recommended machine of which to focus your troubleshooting. The scenarios below have snippets of logs that were utilized to help isolate the issue.
- Where does the password reset attempt fail? This provides a good investigative starting point.
- Using the SSPR Rich Client, enable client tracing: (https://blogs.technet.com/b/aho/archive/2010/09/29/troubleshooting-fimservice-fimportal-password-reset-client.aspx)
- Unable to access the SSPR web portal? (Look at the web portal/IIS components)
- Initial attempt providing user name? (Web portal and/or FIM Service Machine)
- Failure to process one of the gates? Which one(s)? (FIM Service Machine)
- Failure upon providing the new password? (FIM Synchronization Service machine)
- Confirm the user attempting the password reset may access the FIM Portal (Is the user able to access the FIM Portal?)
- How is the user attempting to reset their password
- Login or lock screen (using the SSPR rich client):
Test resetting the password via SSPR web portal
- Login or lock screen (using the SSPR rich client):
- Specifically for FIM 2010 R2, Confirm the IIS Authentication Settings: (Scenario #2)
- Turn off friendly error messages in SSPR Web Portal (https://blog.msresource.net/2012/06/07/troubleshooting-the-fim-2010-r2-password-registration-and-reset-portals/)
- If using SSPR Rich Client enable client tracing Do a FIM Service Trace (How to Enable)
SSPR Basic Checks
Does the user exist in the FIM Portal |
|
Does the user have the required attributes |
|
Scenarios:
This section provides information on scenarios that have been encountered with SSPR that have returned the error 3000. In the documented scenarios below, you will find the Log to investigate and a preview of some of the key text to identify your issue. Additionally, you will find a link to a Microsoft TechNet Wiki and/or Blog post that will help you resolve the issue that you are encountering.
Scenario #1 - Access Is Denied
This scenario will cover the different "Access Is Denied" messages that you may find in the Forefront Identity Manager Event Log.
Scenario #1a - Access Is Denied
Environment
- FIM 2010 R2 with a remote SQL Server
- Using a SQL Server Alias
Log Investigation
Forefront Identity Manager Event Log: "mscorlib: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))". The key here is noticing the "Access is denied". The "Access is denied" message could mean several different things when involved with the Self-Service Password Reset (SSPR) solution. Execute a FIM Service Trace while resetting the password. If the FIM Service Trace displays the below information then you take a look at the following Microsoft TechNet Wiki
FIM Service Trace (How to Enable): " WQL:SELECT * FROM MIIS_CSObject WHERE (Domain='DOM' AND Account='user1') or (FullyQualifiedDomain='DOM' AND Account=' user1') or (Domain='DOM' AND UserPrincipalName='user1') or (FullyQualifiedDomain='DOM' AND UserPrincipalName='user1')"
Resolution
Troubleshooting FIM 2010 R2: SSPR Error 3000: Access is denied. (Exception from HRESULT: 0x80070005 https://social.technet.microsoft.com/wiki/contents/articles/15553.fim2010r2-troubleshooting-sspr-error-3000-when-attempting-to-reset-password.aspx
Scenario #1b - Access Is Denied
Environment
- FIM 2010 R2 with a remote SQL Server
- Using a SQL Server Alias
Log Investigation
Forefront Identity Manager Event Log: System.Management: System.Management.ManagementException: Access denied
Resolution
Troubleshooting FIM2010 SSPR: Error 3000 - Access Denied: https://social.technet.microsoft.com/wiki/contents/articles/16572.troubleshooting-fim2010-sspr-error-3000-access-denied.aspx
Scenario #2
Environment
-
- FIM 2010 R2 SSPR
Log Investigation
Component Investigation
-
- Confirm IIS Authentication Settings by reviewing the following Microsoft TechNet Wiki:
[FIM2010R2-TROUBLESHOOTING-SSPR] Error 3000: Invalid IIS Authentication Settings https://social.technet.microsoft.com/wiki/contents/articles/15429.fim2010r2-troubleshooting-sspr-error-3000.aspx
Scenario #3
Environment
-
- FIM 2010 R2
Log Investigation
-
- Forefront Identity Manager Event Log
System.IO.FileLoadException: Could not load file or assembly 'Microsoft.IdentityManagement.CredentialManagement.Portal.Gates\, Version\={BuildVersion}\, Culture\=neutral\, PublicKeyToken\=31bf3856ad364e35' or one of its dependencies. The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)
Resolution
Troubleshooting FIM 2010 R2: SSPR Error 3000:could not load file or assembly: 0x80131047: https://social.technet.microsoft.com/wiki/contents/articles/15428.troubleshooting-fim-2010-r2-sspr-error-3000-could-not-load-file-or-assembly-0x80131047.aspx
Troubleshooting FIM2010R2 SSPR Error 3000 – The given assembly name or codebase was invalid: https://social.technet.microsoft.com/wiki/contents/articles/15574.troubleshooting-fim2010r2-sspr-error-3000-the-given-assembly-name-or-codebase-was-invalid.aspx
Scenario #4
Environment
-
- FIM 2010 R2
Log Investigation
-
- FIM Portal Page: Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.NotAuthorizedException: Expected authentication
- Forefront Identity Manager: Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
- Forefront Identity Manager: Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
- FIM Service Trace (How to Enable) : Microsoft.ResourceManagement Warning: 2 : User unauthorized to register for Password Reset
Resolution
Troubleshooting FIM SSPR: Error 3000 and 3004 – not authorized to register for password reset: https://social.technet.microsoft.com/wiki/contents/articles/15372.troubleshooting-fim-sspr-error-3000-and-3004-not-authorized-to-register-for-password-reset.aspx
Scenario #5
Environment
-
- FIM 2010 R2 SSPR
Log Investigation
-
- Forefront Identity Manager Event Log: Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.ArgumentNullException: Value cannot be null.
Component Investigation
Resolution
Troubleshooting FIM SSPR: Error 3000 - Value cannot be null.: https://social.technet.microsoft.com/wiki/contents/articles/15600.troubleshooting-fim-sspr-error-3000-value-cannot-be-null.aspx
Scenario #6
Environment
-
- FIM 2010 or FIM 2010 R2
Log Investigation
-
- FIM Service Trace Log (How to Enable) : PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005
Resolution
Troubleshooting FIM 2010 R2: SSPR Error 3000: PWReset Activity's MIIS Password Set call failed with call-failure:0x80004005: https://social.technet.microsoft.com/wiki/contents/articles/17912.troubleshooting-password-reset-is-successful-but-still-throws-an-error-3000.aspx
Self-Service Password Reset (SSPR) Resources
- FIM 2010 R2 Self-Service Password Reset (SSPR) Portal: https://technet.microsoft.com/en-us/library/jj134281(v=ws.10).aspx
- Self-Service Password Reset (SSPR) Resource Wiki: https://social.technet.microsoft.com/wiki/contents/articles/9846.self-service-password-reset-sspr-resources.aspx
- FIM: Anonymous Access cannot be set for the FIM 2010 PasswordPortal in SharePoint: https://support.microsoft.com/kb/2013939/en-us
- Maintaining Forefront Identity Manager 2010 R2 - Self-Service Password Reset: https://technet.microsoft.com/en-us/library/jj134290(v=ws.10).aspx
- FIM 2010: SSPR Deployment Guide: https://technet.microsoft.com/en-us/library/ee534892(v=WS.10).aspx
- FIM 2010 R2: https://social.technet.microsoft.com/wiki/contents/articles/24629.fim-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
FIM Resources | ||
---|---|---|
Microsoft Support Team Blog Home Page | Forefront Identity Manager TechNet Community Forums | Microsoft Support Team Keywords for searching content |
FIM Landing Page: Resource Wiki Page Index | Microsoft Support Twitter Page | |
Forefront Identity Manager Facebook Group | Forefront Identity Manager 2010 R2 Product Page |
Comments
- Anonymous
May 04, 2014
The comment has been removed