Two primary reasons for the Forefront Identity Manager 2010 (FIM) or Forefront Identity Manager 2010 R2 Self Service Password Reset (SSPR) password reset action workflow (WF) failing to successfully reset a password after a user has successfully authenticated via the QA Gate or one of the new R2 gates have been posted on this blog. This post is just a quick table of contents for the two posts. In both cases the error message logged by the action workflow is the same: PWReset Activity could not connect to the directory.
- Issue #1. Enable password management is *not enabled* on the ADMA.
- Issue #2. Run this management agent in a separate process *is enabled* on the ADMA.
When we get this error we can rule out membership in FIMSyncBrowse and FIMSyncPasswordSet groups, DCOM and WMI permissions. It’s possible this error can be thrown for other reasons, but I haven’t seen any others personally and haven’t got round to simulating major Active Directory issues yet.
One thing that might be of interest however is the new feature in FIM 2010 R2 build 4.1.2548.0:
FIM Service
New feature
When the FIM password reset activity does not connect to Active Directory, the Windows Management Instrumentation (WMI) components return a code. The code explains the reason for this failure.
More information on that build can be found here (the quote above is taken from kb2750671). That suggests we might get more info. bubbled up that helps with these silly layer-8 issues.
