FIM Portal HTTP Error 401. The requested resource requires user authentication.


  • 22 February 2012 00:35
     
     

    Hi,

    We have followed both the articles to the last line, 'before you begin' (http://technet.microsoft.com/en-us/library/ff512685(v=ws.10).aspx) and 'installing the FIM server components' (http://technet.microsoft.com/en-us/library/ff512686(WS.10).aspx) - and unfortunately we still cannot connect to the FIM Portal.

    This is the IE error message: HTTP Error 401. The requested resource requires user authentication.

    To recap:

    1. Created a WSS service account S-WSS

    2. Selected the correct identity for the SharePoint Application Pool using Central Admin (even retyped the password in both AD and in Central Admin). Verified that the Sharepoint - 80 app pool reflects this new account. Reset IIS.

    3. Registered the SPNs (we have one FIM Sync and one FIM Portal server on separate VMs, no NLB).

    setspn -S HTTP/FIMPortal Adatum\S-WSS

    setspn -S HTTP/FIMPortal.adatum.com Adatum\S-WSS

    setspn -S FIMService/FIMServer Adatum\S-FIMSVC

    setspn -S FIMService/FIMServer.adatum.com Adatum\S-FIMSVC

    4. Enabled both accounts listed above for Kerberos Delegation to Any Service

    5. Enabled Kernel-mode authentication for IIS Windows Authentication, reset IIS

    6. Modified Web.config file to include: <resourceManagementClient requireKerberos="true" . . . />, reset IIS again (even tried it without this setting)

    No matter what we type in: http://localhost/identitymanagement or http://FIMPortal/identitymanagement we get the same error message: HTTP Error 401. The requested resource requires user authentication.

    Are there any steps we missed?

    Thank you,

    SK

All replies

  • 22 February 2012 15:04
     
     

    Which account are you using to connect? Is this account created in FIM portal with AD SID?

    Have you tried to connect with the account that installed the Portal?

    I sometimes had issues and had to allow authenticated users to read in SharePoint Central Administration.

    //Christian


  • 23 February 2012 01:06
     
     

    Hi,

    At this stage I am using one account, the Admin that installed and configured FIM & Portal.

    Regards

  • 24 February 2012 06:52
     
     

    Enable Kernel mode authentication for the Application pool's identity to be used for Kerberos ticket decryption.
    <%SystemDrive%>/Windows/System32/inetsrv/config

    1. Run the Application pool under a custom domain account. (I see you've done that)
    2. Add "useAppPoolCredentials" in the ApplicationHost.config file.
    <system.webServer>
       <security>
          <authentication>
             <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
          </authentication>
       </security>
    </system.webServer>


    Frank C. Drewes III - Senior Consultant: Oxford Computer Group

  • 27 February 2012 03:31
     
     
    Thank you, that seemed to have fixed it!
  • 27 February 2012 07:36
     
     

    The underlying issue is that when you have kernel mode authentication turned on, it ignores the application pool credentials and uses the computer account when it tries to communicate to the FIM service, so it doesn't get the identity of the user logging into the portal and keeps asking the user to reauthenticate.

    The 'useAppPoolCredentials="true" ' property fixes that.

    You might want to mark my earlier reply as the answer so that other people who experience the same issue (fairly common) can find the answer quickly.


    Frank C. Drewes III - Senior Consultant: Oxford Computer Group
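
An added example, not part of the thread or of any Microsoft tooling: a PowerShell check for the condition described in the two replies above (Windows authentication in kernel mode, application pool running as a domain account, `useAppPoolCredentials` not set). The function name and the embedded config excerpt are constructed for illustration, and inheritance is simplified to a site's own `<location>` block with the server-wide section as fallback.

```powershell
# Constructed applicationHost.config excerpt; names reuse the thread's examples.
$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="SharePoint - 80">
        <processModel identityType="SpecificUser" userName="ADATUM\S-WSS" />
      </add>
    </applicationPools>
    <sites>
      <site name="SharePoint - 80" id="2">
        <application path="/" applicationPool="SharePoint - 80" />
      </site>
    </sites>
  </system.applicationHost>
  <location path="SharePoint - 80">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@
function Test-KernelModeAppPoolCredentials {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($site in $Config.SelectNodes('//sites/site')) {
        $name = $site.GetAttribute('name')
        $app  = $site.SelectSingleNode('application[@path="/"]')
        if ($null -eq $app) { continue }
        # Resolve the pool behind the root application and see if it runs as a custom account.
        $pool = $Config.SelectNodes('//applicationPools/add') |
            Where-Object { $_.GetAttribute('name') -eq $app.GetAttribute('applicationPool') } |
            Select-Object -First 1
        $pm = if ($null -ne $pool) { $pool.SelectSingleNode('processModel') }
        $custom = ($null -ne $pm) -and ($pm.GetAttribute('identityType') -eq 'SpecificUser')
        $identity = if ($custom) { $pm.GetAttribute('userName') } else { 'built-in' }
        # Site-level <location> settings win over the server-wide section.
        $loc = $Config.SelectNodes('//location') |
            Where-Object { $_.GetAttribute('path') -eq $name } | Select-Object -First 1
        $wa = if ($null -ne $loc) { $loc.SelectSingleNode('.//windowsAuthentication') }
        if ($null -eq $wa) { $wa = $Config.SelectSingleNode('/configuration/system.webServer//windowsAuthentication') }
        if ($null -eq $wa -or $wa.GetAttribute('enabled') -ne 'true') { continue }
        $kernel  = $wa.GetAttribute('useKernelMode') -ne 'false'          # IIS default: true
        $appCred = $wa.GetAttribute('useAppPoolCredentials') -eq 'true'   # IIS default: false
        [pscustomobject]@{
            Site = $name; PoolIdentity = $identity; UseKernelMode = $kernel
            UseAppPoolCredentials = $appCred; NeedsFix = ($custom -and $kernel -and -not $appCred)
        }
    }
}
Test-KernelModeAppPoolCredentials -Config $sample | Format-List
```

On a server, pass the output of `Get-Content $env:SystemRoot\System32\inetsrv\config\applicationHost.config -Raw` as `-Config`; a row with `NeedsFix` set to `True` matches the configuration this thread started with.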

  • 27 February 2012 23:55
     
     

    Hello Frank,

    I see the above error message when accessing http://localhost/identitymanagement as an end user. While adding myself as a site collection admin I have access to the site and everything works perfectly.

    When I access http://localhost with my user account I do not see the site under the sites tab. However, when I log in with the service account to http://localhost I can see the identitymanagement site under it, but it gives an access denied error when I browse.

    I checked both the SharePoint logs and could not find anything related. Found 401.2 in the IIS log.

    Any ideas on what is missing? Any help is appreciated.

    Regards

    Sunny 

  • 28 February 2012 00:02
     
     
    Correcting the above statement: the error message is when accessing the site "http://localhost/identitymanagement" with the service account, and as an end user I see an access denied error. Adding an account to site collection admin works perfectly.
  • 28 February 2012 00:23
     
     

    I have followed this and am now able to access the site.

    Just go to Administrative Tools -> SharePoint Central Administration. From the SharePoint Central Administration web page, go to the Application Management tab and select Policy for Web application in Application Security. Click Add Users and choose your FIM web application, then click Next. Fill the Choose User column with "NT AUTHORITY\authenticated users" (without quotes). Select User permissions as you desire and click Finish.

  • 28 February 2012 00:39
     
     

    The above procedure gives the site actions tab on the site for the end user. I suppose the above is not the right way?

    Any ideas on what is missing? Any help is appreciated.

    New to FIM :)

    Regards

    sunny