Hi,
On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fails on the last step of the process. So for example when user browse to https://passwordreset.domain.com and fills in their domain\username and click next, FIM will send a security code (SMS OTP) to user´s mobile phone and once user then fills in code and click Next, the Communication error 3008 is shown to user. Same happens in the last step of the registration where user reviews that the mobile number is correct before clicking finally next. Once clicked the same error as is with Reset portal is shown to user.
Other changes than renewing the certificates have not been done to the environment after it was working last time two days ago. Synchronization of users/groups create in FIM Portal works normally towards AD.
All servers within FIM environment are on same domain and subnet and firewall is off on all servers.
The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):
**********
The error page was displayed to the user.
Details:
Title: Communication Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
Source:
Attributes:
Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
***********
The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):
***********
Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
***********
Both http://fimservice.domain.com:5726 or http://fimservice.domain.com:5725 can be accessed ok using web browser from the SSPR servers. The url of http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives http 400 bad request which is ok.
At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:
http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)
https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2
https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)
Can anyone help us with this and provide some tips what to check next on the environment? As the most weird thing here is that everything was working just fine before the certificates were renewed on all servers and no other changes were done on the environment.
-Pappa75
On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fails on the last step of the process. So for example when user browse to https://passwordreset.domain.com and fills in their domain\username and click next, FIM will send a security code (SMS OTP) to user´s mobile phone and once user then fills in code and click Next, the Communication error 3008 is shown to user. Same happens in the last step of the registration where user reviews that the mobile number is correct before clicking finally next. Once clicked the same error as is with Reset portal is shown to user.
Other changes than renewing the certificates have not been done to the environment after it was working last time two days ago. Synchronization of users/groups create in FIM Portal works normally towards AD.
All servers within FIM environment are on same domain and subnet and firewall is off on all servers.
The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):
**********
The error page was displayed to the user.
Details:
Title: Communication Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
Source:
Attributes:
Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
***********
The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):
***********
Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
***********
Both http://fimservice.domain.com:5726 or http://fimservice.domain.com:5725 can be accessed ok using web browser from the SSPR servers. The url of http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives http 400 bad request which is ok.
At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:
http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)
https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2
https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)
Can anyone help us with this and provide some tips what to check next on the environment? As the most weird thing here is that everything was working just fine before the certificates were renewed on all servers and no other changes were done on the environment.
-Pappa75