First published at https://nivleshc.wordpress.com
Recently I was at a customer site, setting up a Microsoft Identity Manager (MIM) 2016 environment, which included the deployment of the Self Service Password Registration and Self Service Password Reset portals. For additional security, I was using Kerberos instead of the default NTLM.
I finished installing the MIM Portal, Service, Password Registration and Password Reset Portals without any issues.
I then proceeded to securing all http endpoints by enabling them for SSL and after that removing the http bindings, so that you could access the MIM Portal, Password Registration and Password Reset Portals only via https. No issues there as well.
By this time I was pretty pleased with myself 😉 Everything was going as planned, no issues faced at all. Finally, lady luck was showering me with her blessings.
Having finished the installation and configuration, I proceeded to testing the solution.
The first thing to check was the MIM Portal site. I opened up a web browser and navigated to the Microsoft Identity Manager Portal. When prompted, I logged in with the mimadmin domain account credentials. I was successfully logged in and could access all the parts without any hitch.
Now kids, if you are faint at heart, be very wary of what happens next (hint. this is the time when you cover your eyes with your hands when watching a horror movie).
I then tried accessing the Self Service Password Registration Portal and got prompted for credentials.
I entered the mimadmin account credentials and pressed enter. Just as I thought I had successfully logged in, the credential prompt returned! hmm, that is weird. I was pretty sure I had typed the username and password correctly. Oh well, maybe I didn’t.
I typed the credentials again and pressed enter. Quick as a flash, the credential prompt returned! Uh? What was happening here?{scratching my head} Hmm, I seem to be making a lot of typos today. I carefully entered the username and password again, taking my time this time, to ensure I was entering it correctly. I then pressed enter and waited.
Well, I didn’t have to wait for long since within a second, I got greeted with the Not Authorized screen!
Fascinating. It seems that lady luck had flown away because here indeed was an issue with the Self Service Password Registration Portal! Ok, Mister. Lets have a look at whats causing this kerfuffle!
I opened up the event viewer on the Self Service Password Registration server and went through each of the logged events in the Application and System logs, however I couldn’t find any clue as to why the credentials were not working. I secretly had suspicions that the issue could be due to Kerberos token errors, however I couldn’t find anything in the event logs to substantiate my suspicion. Hmm, the plot was indeed getting thicker!
I next started doing some Google searches, thinking that someone else might have encountered the same issue. Alas, it seemed that I was alone in my woes as the results seemed to be quite thin in regards to any possible solution for my issue.
Finally, I decided to follow my dear ol’ Sherlock’s advice “when you have eliminated the impossible, whatever remains, however improbable, must be the truth”
I went through the whole Self Service Password Registration setup process, checking each and every part of the configuration, to ensure that the values were as expected. After 10 minutes, I was almost done checking and no clues so far 🙁
Lastly, I opened IIS Manager and checked all the settings. Nothing here as well. Hey back up a bit. What is this?
The Self Service Password Registration Portal site had its useAppPoolCredentials set to False.
Now, this should be True! Is this what was causing the issue?
I quickly changed the value for useAppPoolCredentials from False to True.
I then opened my web browser again and navigated to the Self Service Password Registration Portal. Once again the familiar credential prompt came up. I entered the same credentials as before and pressed enter.
Woo hoo!! This time around I was successfully logged in.
I sincerely hope that this post helps others who might be encountering the same error.
Have a great day 😉
Category:
FIM Join the conversation! 4 Comments
Comments are closed.
This excellent. It really helped me 🙂
Hi, Do we have to carry out pre-requisite to setup config for user login? As I do not get access to the webpage
Thank you, helped me a lot.
Thank you very much. You saved my day