You browse to the FIM Portal and click the link to Register for password reset. The password reset registration wizard opens and immediately the error “The Forefront Identity Manager service has not started yet. Please wait one minute and try again” is presented (screenshot below).
If you enable client-side tracing you'll see that no error is written to the trace.
Internet Explorer protected mode is enabled. The following figure shows the Internet Explorer status bar.
The status bar indicates that protected mode is on for the intranet zone.
In my case I’m in a virtualised lab using my FIM server to test the password reset client settings. I’m running Internet Explorer 8 on the server and the virtual hostname of my FIM Service instance is configured to be in the Local Intranet zone.
Why is protected mode enabled? Because I'm running the Windows Server SKU. Actually, that's only partly true. By default Internet Explorer (IE) Enhanced Security Configuration (ESC) is enabled on the Server versions of Windows. In Internet Explorer 8 and 9 Protected Mode is only enabled for the Internet and Restricted Sites zones; Intranet and Trusted Sites have protected mode turned off. When IE ESC is enabled this is slightly different: only the Trusted Sites zone is exempt from protected mode under IE ESC. That is, when IE ESC is enabled, protected mode is also enabled for the Intranet zone.
Note. Protected mode is the reason for the guidance that the FIM portal hostname should be a member of the Intranet zone for IE6, IE8 and IE9 and a member of the Trusted Sites zone in IE7, although technically this limitation only applies to Vista and later versions of Windows, as XP can't use protected mode.
Moral of the story? In the lab turn IE ESC off if you want to test SSPR on your FIM server.
SSPR doesn't work with Protected Mode enabled, even if you have configured Site Lock. If you want to use SSPR on Server versions of Windows you'll need to add the portal hostname(s) to the Trusted Sites zone, or turn protected mode off for the Intranet zone (which requires IE Enhanced Security Configuration to be turned off). At the client, the Intranet zone is what you need if you're running IE6, IE8 or IE9. If you're using IE7 you should add the portal hostname to the Trusted Sites zone and enable Integrated Windows Authentication (IWA) for the zone.
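The three settings this post turns on (whether IE ESC is installed, whether Protected Mode is on per zone, and which zone a hostname is mapped to) can all be read from the registry before touching the FIM portal. The PowerShell below is an added example and is not code from the original post or from FIM; it uses the documented IE zone locations (the per-zone `2500` value is "Turn on Protected Mode", 0 = on, 3 = off; IE ESC is recorded under the two Active Setup component GUIDs for Administrators and Users). The `EscDomains` branch, which IE uses for zone mappings while ESC is on, and the portal hostname `fimportal.contoso.local` are assumptions and placeholders you replace with your own.

```powershell
# Added example (not from the original post). Read-only checks of the IE zone
# settings discussed above, plus a helper that adds a hostname to Trusted Sites
# for the current user, which is the fix the post recommends on Server SKUs.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# IE ESC state is recorded per group under Active Setup (A7 = Administrators, A8 = Users).
$EscAdmins  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$EscUsers   = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IeEscState {
    # IsInstalled = 1 means IE ESC is on for that group.
    foreach ($entry in @(@{ Group = 'Administrators'; Key = $EscAdmins },
                         @{ Group = 'Users';          Key = $EscUsers })) {
        $installed = (Get-ItemProperty -Path $entry.Key -ErrorAction SilentlyContinue).IsInstalled
        New-Object -TypeName PSObject -Property @{ Group = $entry.Group; EscEnabled = ($installed -eq 1) }
    }
}

function Get-IeProtectedModeState {
    # Value 2500 in each zone key is "Turn on Protected Mode": 0 = enabled, 3 = disabled.
    # With ESC on, expect zone 1 (Local Intranet) to report 'On', which is what breaks SSPR.
    foreach ($zone in 1..4) {
        $value = (Get-ItemProperty -Path "$ZonesKey\$zone" -ErrorAction SilentlyContinue).'2500'
        New-Object -TypeName PSObject -Property @{
            Zone          = $ZoneNames[$zone]
            ProtectedMode = $(switch ($value) { 0 { 'On' } 3 { 'Off' } default { 'Unknown' } })
        }
    }
}

function Get-IeZoneForHost {
    param([Parameter(Mandatory=$true)][string]$HostName)
    # Hostnames map to zones under ZoneMap\Domains (assumed: ZoneMap\EscDomains while IE ESC
    # is on), with one DWORD per scheme (http/https) holding the zone number.
    foreach ($branch in 'Domains', 'EscDomains') {
        $key = Join-Path $ZoneMapKey "$branch\$HostName"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($scheme in 'http', 'https') {
                $zone = $props.$scheme
                if ($null -ne $zone) {
                    New-Object -TypeName PSObject -Property @{
                        Branch = $branch; Scheme = $scheme; Zone = $ZoneNames[[int]$zone]
                    }
                }
            }
        }
    }
}

function Add-HostToTrustedSites {
    param([Parameter(Mandatory=$true)][string]$HostName, [switch]$UseEscBranch)
    # Maps hostname -> zone 2 (Trusted Sites) for http and https in the current user's profile.
    # Use -UseEscBranch on a server where IE ESC is on and you are not turning it off.
    $branch = if ($UseEscBranch) { 'EscDomains' } else { 'Domains' }
    $key = Join-Path $ZoneMapKey "$branch\$HostName"
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value 2 -Force | Out-Null
    }
    Get-IeZoneForHost -HostName $HostName
}

# Usage (read-only): run before and after changing IE ESC or the zone mapping.
Get-IeEscState | Format-Table -AutoSize
Get-IeProtectedModeState | Format-Table -AutoSize
Get-IeZoneForHost -HostName 'fimportal.contoso.local' | Format-Table -AutoSize   # placeholder hostname
```

The checks read only the current user's hive; Group Policy can enforce zone and Protected Mode settings from `HKLM` or the `Policies` keys, so if the Internet Options dialog shows a setting greyed out, check there as well before assuming the `HKCU` values are what IE is actually using.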