This post is about some of the errors you may find when setting up SSPR with Forefront Identity Manager 2010. The main resource to setup SSPR is the guide found at http://technet.microsoft.com/en-us/library/ee534892(v=WS.10).aspx.
Although the guide is very complete and detailed step-by-step, there are a few issues you may find if you misconfigure the Add-Ins and Extensions during its setup.
When installing the FIM Add-Ins and Extensions package, it will prompt you for “FIM Service Server Address”. Here you have to type the FQDN of the FIM Service server, without protocol or port. You can check "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config" file and find externalHostName in there.
Then it will prompt for FIM Portal sites. This is important because having it misconfigured leads to the errors described later. In a single-box setup, you will have both FIM Service and FIM Portal in the same FQDN. However, in more complex architectures you will be separating FIM Portal and FIM Service in separate URLs. So it is important that you get the right servers in the right configuration dialogs.
If you have your externalHostName as fimservice.corp.contoso.com, but your FIM Portal is running at https://fimportal, you have to enter in this second dialog both the FQDN and the NetBIOS name of your FIM Portal server, as end users may be accessing it, separated by semicolon.
If you mistake like this when configuring with the FIM Service site instead of FIM Portal site (when different URLs), like the following, you will have problems initiating the ActiveX controls.
FIM Portal site is OK, but the FIM Service address is not.
In this case, the ActiveX component will initialize properly, but remain with buttons grayed out, cannot close the window, and the dialog gets hanged, so you will have to kill iexplore.exe process.
The attempt to access the Q&A gate through logon screen link is however more explicit, throwing the error “A service proxy exception was encountered while running the Password Reset Application. Error Text: An unexpected error has ocurred. Please contact helpdesk or your administrator. Error Code: 40007”.
FIM Service address is OK but FIM Portal site is not
In this case, SSPR functionality will work OK if you initiate registration using c:\windows\system32\MsPwdRegistration.exe program, and reset password through logon screen link. However, all attempts to register or reset through FIM Portal will fail, no matter what you do with your browser settings. The errors you will find if FIM Portal addresses get misconfigured include the ones described below.
“Registration is not possible at this time. The FIM Password and Authentication Extensions experienced an error when trying to launch registration for password reset. Please reinstall or contact your system administrator”.
When user click on “Register for password reset” link, this error window pops up, and a browser information bar shows “Internet Explorer blocked an ActiveX control, so this page might not display correctly”.
“Authentication operation failed”
Going directly to the registration workflow page at https://fimportal/identitymanagement/aspx/authn/AuthNWFUserRegistration.aspx, the yellow banner about blocked ActiveX appears and disappears, and then above message is shown in red when user click on “Register” button.
“The FIM Password and Authentication Extensions experienced an error when trying to reset a password. Please reinstall or contact your system administrator”.
Through https://fimportal/PasswordPortal, you will get the error above in red text once type a username and hit “Reset Password” button.
On the other hand, even when Add-Ins and Extensions are properly configured, a weird issue occurs when using the https://fimportal/PasswordPortal and users do not enter domain\accountname as the picture above shows. When not including the domain, the FIM Password Reset shows up, but hangs and “ghosts” when moving the window around
Hope this helps!