Some users cannot save responses to SSPR Challenge Response questions

  • 7012470
  • 23-May-2013
  • 03-Jun-2013

Environment

SSPR 2.0 HF1a
Active Directory environment

Situation

"Insufficient access rights" error returned when saving answers to SSPR challenge response questions
Problem only affects privileged users
Other users answer and save challenge responses without error

Resolution

Apply the hotfix or workarounds from this Microsoft KB article: http://support.microsoft.com/kb/817433
One customer reports that workaround 2 from this article resolved their problem.

Alternatively, use ADSI Edit to add read and write permissions to the pwm* attributes for SELF, as follows:
1. In ADSI Edit, open the properties of the user or group
2. Click the Security tab
3. Click the Advanced button
4. Click Add, enter SELF
5. Go to the Properties tab
6. Click "Allow" for all of the pwm attributes, as shown below

Cause

Microsoft bug.

Additional Information

Other ideas that may help resolve the rights problem:

1. Compare working users vs. failing users. Are working users of type "user" while failing users are of type "InetOrgPerson"? One issue we have seen is that you need to enable the SELF write rights for "InetOrgPerson" users (note that this issue is resolved in SSPR 3.0).

2. Make sure inheritance is not blocked anywhere between the user and the top of the directory. Inheritance must be enabled so that permissions flow to the user.

3. Look in ADUC or ADSI, on the security tab for the problem users. Make sure adminSDHolder is not set to 1. Set it to 0 if it isn't already.

4. If the above steps don't help, look for any other differences between working users vs. failing users. Do they have the same group policy objects, access the same domain controllers, attach to the same SSPR server, etc.? Does the problem occur with no group policies applied?
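
The comparison in items 1 to 3 can be scripted; the following read-only PowerShell is an added example, not part of the original article or of SSPR, and reports object class, adminCount (the attribute Active Directory sets to 1 on AdminSDHolder-protected accounts), inheritance state, and which pwm* attributes SELF may write. It assumes the ActiveDirectory module (RSAT) and an English-language domain; the function name and the two account names are placeholders.

```powershell
# Added example: compare a working and a failing account. Reads only, changes nothing.
# Not evaluated: Deny ACEs and property-set ACEs. Account names below are placeholders.
Import-Module ActiveDirectory

function Get-PwmSelfAccessReport {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    # Map schemaIDGUID -> lDAPDisplayName for every schema attribute named pwm*.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $pwmAttrs = @{}
    Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwm*))' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $pwmAttrs[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    $write       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allProps    = [guid]::Empty   # ObjectType of an ACE that covers all properties

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties adminCount, objectClass, nTSecurityDescriptor
        $acl  = $user.nTSecurityDescriptor

        # Allow ACEs for SELF that grant WriteProperty and apply to this object itself.
        $selfWrite = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $write) -and
            -not ($_.PropagationFlags -band $inheritOnly)
        }
        $covered = foreach ($ace in $selfWrite) {
            if ($ace.ObjectType -eq $allProps) { $pwmAttrs.Values }
            elseif ($pwmAttrs.ContainsKey($ace.ObjectType)) { $pwmAttrs[$ace.ObjectType] }
        }
        $covered = @($covered | Sort-Object -Unique)

        [pscustomobject]@{
            User               = $user.SamAccountName
            ObjectClass        = $user.objectClass             # "user" vs "inetOrgPerson"
            AdminCount         = $user.adminCount              # 1 = AdminSDHolder-protected
            InheritanceBlocked = $acl.AreAccessRulesProtected  # True = inheritance disabled
            SelfCanWrite       = $covered -join ', '
            SelfCannotWrite    = @($pwmAttrs.Values | Where-Object { $_ -notin $covered }) -join ', '
        }
    }
}

Get-PwmSelfAccessReport -SamAccountName 'working.user', 'failing.user' | Format-List
```

On accounts that still belong to a protected group, SDProp periodically re-applies the AdminSDHolder ACL, so AdminCount 1 and InheritanceBlocked True will reappear after manual changes made on the user object itself.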