Thursday, December 19, 2013

FIM 2010 R2 SSPR: Cannot access password registration portal - Error 3000

In a development environment, after upgrading to FIM 2010 R2, I configured (as you would) the new URLs and settings for the SSPR password registration and reset pages. However, much to my surprise (or not), the registration site did not work as it did in another testing environment. When prompted to click Next in order to begin the registration process, the portal would immediately throw the following error:


Looking at the administrative event logs, the following stream of events was occurring while the portal was being accessed and after clicking Next:


The three errors state:

HttpContext.Current.User.Identity.Name is Null or Empty

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


The error page was displayed to the user.

Details:
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source:
Attributes:
Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3000
CaughtTime: 12/19/2013 15:53:14
Web Portal: FIM Password Registration Portal
 


After doing some research, I found the following very insightful articles by Tim Macaulay (Microsoft):


Interestingly, the second article discussed disabling Kernel Mode Authentication, and yet the following article states, under the SPN requirements for the registration portal:

The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account.

Therefore, having registered the machine account (DOMAIN\computername$) using the "setspn" command and completed the other configuration steps, I knew that Kerberos authentication had been set up properly, so WHAT WAS GOING ON!!

All this, and then I noticed that Windows Authentication was disabled after running setup, with Anonymous Authentication enabled. These IIS settings may have been edited in the past and were likely retained during the upgrade. Also interesting is that these are the correct settings for the password reset portal.

Make sure the following configurations are set in IIS for the Password Registration portal: Windows Authentication enabled (with Enable Kernel Mode Authentication checked, since the SPN is registered on the machine account) and Anonymous Authentication disabled. The registration portal reads HttpContext.Current.User.Identity.Name to bind the registration to the logged-on user, which is exactly what is empty when the site answers anonymously. The Password Reset portal, by contrast, keeps Anonymous Authentication enabled, because it has to be reachable by users who cannot log on.
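As an added example (my own script, not code from the original post and not Microsoft's FIM tooling), the following PowerShell reads the IIS authentication settings of both SSPR portals, repairs the registration portal if it has drifted into the anonymous state described above, and lists the SPNs on the machine account that kernel-mode authentication relies on. The site names, the host header and the function names are assumptions; adjust them to your server. It uses the WebAdministration module that ships with IIS 7.x and must be run elevated on the FIM portal server.

```powershell
# Added example, not code from the original post. Site names and the portal
# host header are assumptions; match them to your IIS Manager.
Import-Module WebAdministration

$RegistrationSite = 'FIM Password Registration Portal'  # assumed IIS site name
$ResetSite        = 'FIM Password Reset Portal'         # assumed IIS site name
$RegistrationHost = 'passwordregistration.contoso.com'  # assumed custom host header

$AuthBase = 'system.webServer/security/authentication'

function Get-PortalAuth {
    # Read the effective authentication settings for one IIS site.
    param([Parameter(Mandatory)][string]$SiteName)
    $ps = "IIS:\Sites\$SiteName"
    [pscustomobject]@{
        Site       = $SiteName
        Windows    = [bool](Get-WebConfigurationProperty -PSPath $ps -Filter "$AuthBase/windowsAuthentication"   -Name enabled).Value
        KernelMode = [bool](Get-WebConfigurationProperty -PSPath $ps -Filter "$AuthBase/windowsAuthentication"   -Name useKernelMode).Value
        Anonymous  = [bool](Get-WebConfigurationProperty -PSPath $ps -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
    }
}

function Test-RegistrationPortalAuth {
    # The registration portal calls HttpContext.Current.User.Identity.Name; with
    # Anonymous enabled that name is empty and Next fails with Error 3000.
    param([Parameter(Mandatory)]$Auth)
    $problems = @()
    if (-not $Auth.Windows)    { $problems += 'Windows Authentication is disabled' }
    if (-not $Auth.KernelMode) { $problems += 'Kernel Mode Authentication is disabled (the SPN is on the machine account)' }
    if ($Auth.Anonymous)       { $problems += 'Anonymous Authentication is enabled' }
    return $problems
}

function Set-RegistrationPortalAuth {
    # Apply the settings the registration portal needs. Written as a <location>
    # entry for the site in applicationHost.config, the same place IIS Manager writes.
    param([Parameter(Mandatory)][string]$SiteName)
    $ps = "IIS:\Sites\$SiteName"
    Set-WebConfigurationProperty -PSPath $ps -Filter "$AuthBase/windowsAuthentication"   -Name enabled       -Value $true
    Set-WebConfigurationProperty -PSPath $ps -Filter "$AuthBase/windowsAuthentication"   -Name useKernelMode -Value $true
    Set-WebConfigurationProperty -PSPath $ps -Filter "$AuthBase/anonymousAuthentication" -Name enabled       -Value $false
}

# 1. Show both portals side by side. Reset is anonymous by design (the user
#    cannot log on); registration must not be.
$reg   = Get-PortalAuth -SiteName $RegistrationSite
$reset = Get-PortalAuth -SiteName $ResetSite
$reg, $reset | Format-Table -AutoSize

# 2. Fix the registration portal if it is sitting in the "reset portal" state.
$problems = Test-RegistrationPortalAuth -Auth $reg
if ($problems) {
    $problems | ForEach-Object { Write-Warning "$RegistrationSite : $_" }
    Set-RegistrationPortalAuth -SiteName $RegistrationSite
    Get-PortalAuth -SiteName $RegistrationSite | Format-Table -AutoSize
} else {
    Write-Host "$RegistrationSite : authentication settings are correct."
}

# 3. With kernel-mode authentication the Kerberos ticket is decrypted by the
#    machine account, so the HTTP SPN for the host header must be on DOMAIN\computer$.
$machine = "$env:USERDOMAIN\$env:COMPUTERNAME`$"
$spns = setspn -L $machine
if ($spns -match "^\s*HTTP/$([regex]::Escape($RegistrationHost))\s*$") {
    Write-Host "HTTP/$RegistrationHost is registered on $machine."
} else {
    Write-Warning "HTTP/$RegistrationHost is not registered on $machine; check the SPN requirements before relying on Kerberos."
}
```

Run it once before touching anything to record the current state of both sites; the side-by-side table makes the "registration looks like reset" condition from this post obvious at a glance, and the SPN check catches the other half of the kernel-mode requirement (ticket decrypted by the machine account, not the FIM Password Service account).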

 

Hope this helps!

-jose the admin

Preparing for Microsoft MCTS exam 70-158: Forefront Identity Manager 2010, Configuring

After working with FIM 2010 now for almost two years in a very "thrown to the wolves" fashion, I have come a long way.  I now feel it is time to certify my pain by taking exam 70-158.

As anyone who has attempted this before will know, preparing for it is a challenge. First off, we are not talking about a flagship product such as Windows Server, Exchange, SharePoint, or Lync. Therefore, there is not a lot in the way of literature, examples, or coverage.

However, during my journey in learning about and at the same time managing and maintaining FIM, as well as architecting solutions for my organization, I have come across a wealth of knowledge that would presumably help anyone trying to meet the exam objectives.

First, let me talk literature.

I must say that the book by David Lundell and Brad Turner, FIM R2 Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010 R2, is a fantastic resource. I have swallowed this book whole, and find that my understanding of WHY something should be done a certain way as regards FIM is largely guided by the directions of this book. It is a joy to read, concise considering the material, and yet sheds light on topics seldom found in TechNet or in forums. I found the most benefit in the topics surrounding capacity planning, general architecture planning, and service account security implementation. I highly recommend going through the entire book, as it will give you a very solid foundation on the architecture, installation, and initial configuration of FIM and its client.



In addition, many best practices and much overall discussion can be found in the book Microsoft Forefront Identity Manager 2010 R2 Handbook by Kent Nordstrom. I found many interesting points, including some consultant suggestions for configuring FIM, that helped me understand FIM in a deeper way. I especially liked the chapters on the seldom discussed topics around certificate management and smart cards.

 
Obviously, there is TechNet, which does help:
 
 
However, I found the following community supporter sites to be critical in getting more real-world knowledge on FIM:
 
 
There may be others, but those are the ones I frequent most.  Of special mention is the user group, originated and supported by The FIM Team (Bob Bradley, Carol Wapshere, and the like).  Their leadership and pioneering in IdM has been inspirational as well as extremely insightful.  Anyone serious about FIM should already know who they are.
 
Finally, the Oxford Computer Group and BrightTALK very often hold events and classes that assist in the general understanding of current IAM topics like attestation, BHOLD, and governance.
 
 
Of course, taking the initial foundation course 50382: Implementing Forefront Identity Manager 2010 is highly advisable as a starter:  http://www.microsoft.com/learning/en-us/course.aspx?id=50382b
 
All in all, I continue to love/hate this paradoxical journey towards mastering FIM 2010 and its related solutions.  I feel like the above would definitely assist any who would attempt exam 70-158, or who would just like to get a firm grip on IAM on FIM 2010 in general.
 
Hope this helps!
 
-jose the admin