Last night, I had a particularly devilish time trying to figure out why when users were attempting to reset their passwords, they were receiving the following error:"An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)"
Nothing like an error list this to make a FIM guy *sigh*
Checking the Password Reset server's event log revealed the following errors:Error logged in the FIM SSPR Server's event log: Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)Source:Attributes:Details: System.InvalidProgramException: Error while performing the password reset operation: PWUnrecoverableError at Microsoft.IdentityManagement.CredentialManagement.Portal.Reset.AttemptToResetPassword() at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)CorrelationId:RequestId:ErrorCode: 3000Knowing that the PWUnrecoverableError means that the source of the error must have originated on the FIM Service box, I checked that server's event log to discover the following error logged:
Error logged in the FIM Portal/Service Server's event log:mscorlib: System.Runtime.InteropServices.COMException (0x80070721): A security package specific error occurred. (Exception from HRESULT: 0x80070721) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObjectSearcher.Initialize() at System.Management.ManagementObjectSearcher.Get() at Microsoft.ResourceManagement.PasswordReset.ResetPassword.ResetPasswordHelper(String domainName, String userName, String newPasswordText)I ran through the usual check-list of things to verify:
It was only after exhausting all other possibilities that I dug deeper to find that, if you're FIM Service and Synchronization services reside on separate boxes, you must ensure that all of the boxes impersonation levels are set to Identify. My issue was that while my sync server was set to this, my portal/service servers were set to Delegate. Once I brought them all in line, my happiness was restored. For sake of posterity, here are the steps you should take to verify that your sync and portal/service server have the correct impersonation levels.
Anyway, hope this helps anyone down the line that needs it.
I have set that setting up but it still doesn't work for me.