Overview / Purpose

The purpose of this document is to guide you through the troubleshooting process for the infamous "Service Is Not Available" message that you or one of your end users may receive when attempting to browse the FIM Portal.

The "Service Is Not Available" message can be very frustrating because it gives little indication of where the problem lies. This article provides information to help you troubleshoot it.

Note
FIM 2010 R2 has greatly improved on this error message to help prevent the generic "Service Is Not Available" message.


Understanding Your FIM Topology

Understanding your FIM topology is very important when troubleshooting the "Service Is Not Available" error message, because the Kerberos settings that are required, and how they must be set, depend on how you have deployed your FIM solution.

Is your FIM Solution deployed on a single server, or distributed across multiple machines?

Single server

Multiple machines

 


Is the FIM Service Started?

If the FIM Service is not started, you will receive the "Service Is Not Available" error message.  You can check to see if the FIM Service is started through the following steps:

  1. On the machine running the FIM Service, open the Services Management Console
    • Start > Administrative Tools > Services, or Start > Run, type services.msc and then click OK
  2. Locate the Forefront Identity Manager Service and check the status of the service
    • If the service is stopped, start it
  3. Test access to the FIM Portal
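The same check from PowerShell, as an added example that is not part of the original article: it looks the service up by the display name shown in the Services console, reports its state, and starts it if it is stopped (starting a service requires local administrator rights).

```powershell
# Added example (not from the original article): check whether the FIM Service is
# running on this machine and start it if it is stopped. The lookup uses the display
# name shown in the Services console rather than the internal service name.
$displayName = 'Forefront Identity Manager Service'

$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "No service with display name '$displayName' is installed on $env:COMPUTERNAME"
    return
}

Write-Host ("{0} ({1}) is {2}" -f $svc.DisplayName, $svc.Name, $svc.Status)

if ($svc.Status -ne 'Running') {
    Start-Service -Name $svc.Name
    # Wait up to 60 seconds for the service to report Running, then re-read its state
    # (the Status property is cached on the object until Refresh() is called).
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()
    Write-Host ("{0} is now {1}" -f $svc.DisplayName, $svc.Status)
}
```

Run it on the machine hosting the FIM Service; if the service stays stopped, or stops again shortly after starting, look at the Forefront Identity Manager Management Agent and FIM Service logs in Event Viewer before continuing with the portal checks below.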


How are you accessing the FIM Portal?

  • Using just the name of the FIM Service machine
  • Using a DNS CNAME or a DNS Host (A) Record
  • Using a Network Load Balancer (NLB)

 

FIM SERVICE MACHINE NAME

    1. Ensure that the Configuration Files ( FIM Configuration File and Web Configuration File ) are configured correctly.
      1. FIM Configuration File ( Appendix A )
      2. Web Configuration File ( Appendix B )
    2. Ensure that the resourceManagementClient and resourceManagementService entries in the FIM Configuration File are configured correctly and that they match the resourceManagementServiceBaseAddress found in the Web.Config file.

 

DNS CNAME or DNS HOST (A) RECORD

  1. Ensure that the Configuration Files ( FIM Configuration File and Web Configuration File ) are configured correctly.  For a DNS CNAME or DNS Host (A) record, the configuration files should contain the CNAME or Host (A) record name.
  2. Ensure that the Service Principal Names (SPNs) are configured correctly: see ( FIM Installation Companion - ServicePrincipleNames (SPNs) - Adding and Troubleshooting )

 

NETWORK LOAD BALANCER (NLB)

 

Account Accessing the FIM Portal

FIM ADMINISTRATOR

FROM THE FIM PORTAL SERVER

  1. Ensure that the FIM Administrator still exists in the FIM Portal with its ObjectSID
  2. Ensure that the Configuration Files ( FIM Configuration File and Web Configuration File ) are configured correctly.
    1. FIM Configuration File ( Appendix A )
    2. Web Configuration File ( Appendix B )
  3. Are you able to access the FIM Web Service? ( Appendix F )

 

FROM A CLIENT MACHINE

  1. Ensure that you can access the FIM Portal from the machine running the FIM Portal
  2. Ensure that you have the Service Principal Names (SPNs) configured properly
  3. Ensure that the delegation has been properly configured
  4. Ensure that the Configuration Files ( FIM Configuration File and Web Configuration File ) are configured correctly.
  5. Are you able to access the FIM Web Service? ( Appendix F )
  6. [TROUBLESHOOTING] FIM Portal Access: Invalid Token for Impersonation

 

FIM USER ( Non-Administrator )

Running through the steps here assumes that the FIM Administrator is able to access the FIM Portal from both the FIM Portal server and a client machine.  If that is not the case, start your troubleshooting with the FIM Administrator rather than a FIM user.

  1. Are you able to access the FIM Web Service? ( Appendix F )
  2. Does the user attempting to access the FIM Portal exist in the FIM Portal? 
  3. Does the user contain all of the required attributes? ( Appendix C )
  4. Ensure that the default MPRs have been enabled ( Appendix D )
  5. [TROUBLESHOOTING] FIM Portal Access: Invalid Token for Impersonation

 


Troubleshooting

INVALID SPN

The FIM Portal uses Kerberos to authenticate access to the page. One good tool for troubleshooting this type of issue is Network Monitor. Using Network Monitor, apply a protocol filter on KerberosV5. If you have an invalid SPN, you should see a KDC_ERR_S_PRINCIPAL_UNKNOWN response to a Kerberos request for a specific SPN. If you review the associated Kerberos request, you should see the SPN that was requested.

  • FIM Troubleshooting: Service Is Not Available - Invalid SPN on the Application Pool Identity Account
  • FIM 2010 R2 Service Is Not Available - Administrator sees Service Is Not Available
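A complementary check from PowerShell, added here as an example that is not part of the original article: before (or instead of) taking a trace, ask Active Directory which account holds each SPN the portal depends on. A KDC_ERR_S_PRINCIPAL_UNKNOWN in the trace normally corresponds to one of these queries reporting "No such SPN found". The host names, and the HTTP and FIMService SPN classes, are assumptions for the example; use the name users type into the browser and the FIM Service address from your configuration files.

```powershell
# Added example (not from the original article): ask Active Directory which account,
# if any, holds each SPN the FIM Portal depends on.
# Assumed values: replace with the portal name users browse to and the FIM Service
# host from resourceManagementServiceBaseAddress.
$portalHost  = 'fimportal.contoso.com'
$serviceHost = 'fimservice.contoso.com'

# SPN classes assumed here: HTTP for the SharePoint application pool identity that
# hosts the portal, FIMService for the FIM Service account.
$spns = @("HTTP/$portalHost", "FIMService/$serviceHost")

foreach ($spn in $spns) {
    # setspn -Q searches the forest and prints the DN of the account holding the SPN,
    # followed by "Existing SPN found!" or "No such SPN found."
    $out = & setspn.exe -Q $spn 2>&1 | ForEach-Object { $_.ToString() }
    if ($out -match 'Existing SPN found') {
        $holder = ($out | Where-Object { $_ -match '^CN=' }) -join ', '
        Write-Host ("[OK]      {0}  ->  {1}" -f $spn, $holder)
    } else {
        Write-Warning ("[MISSING] {0} is not registered on any account in the forest" -f $spn)
    }
}
```

If a portal SPN is reported as held by an account other than the application pool identity, that mismatch produces the same symptom as a missing SPN; if users browse to the portal by its short (NetBIOS) name as well as the FQDN, add both forms to the list.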

    Appendix

    APPENDIX A - FIM Configuration File

      1. Navigate to the %programfiles%\Microsoft Forefront Identity Manager\2010\Service folder on the machine running the FIM Service
      2. Locate the file Microsoft.ResourceManagement.Service.Exe.Config (File Type: Configuration)
      3. Edit the file in a text editor or XML editor (e.g. Notepad.Exe)
      4. Press CTRL+F
      5. Type resourceManagementClient and click OK ( or press the ENTER key )
      6. Ensure that the resourceManagementServiceBaseAddress equals the FIM Service machine name, DNS CNAME, or A record
      7. Ensure that externalHostName on the line below equals the FIM Service machine name, DNS CNAME, or A record
      8. resourceManagementServiceBaseAddress and externalHostName should be the same value, and neither should be prefixed with http://

     

    APPENDIX B - Web Configuration File ( web.config )

    1. Navigate to C:\InetPub\wwwroot\wss\VirtualDirectories\80 on the machine running the FIM Portal
    2. Locate the web.config file
    3. Edit the file in a text editor or XML editor ( e.g. notepad.exe / Visual Studio )
    4. Press CTRL+F to open the Find window
    5. Type resourceManagementServiceBaseAddress and then click OK ( or press the ENTER key )
    6. Ensure that the value here is prefixed with http:// and ends with :5725 ( e.g. http://myfimservicemachine:5725/ ), where the host is one of:
      • Name of the FIM Service Machine
      • DNS CNAME or DNS Host (A) Record Name
      • NLB Cluster Name
    7. The host in resourceManagementServiceBaseAddress here should be the same as the resourceManagementServiceBaseAddress under resourceManagementClient in the FIM Configuration File ( Appendix A )

     

    APPENDIX C - Required Attributes

    1. Domain
    2. AccountName
    3. ObjectSid = Resource SID
    4. DisplayName = A good thing to have, but not required.

     

    APPENDIX D - Required MPRs

    1. General: Users can read schema related resources
    2. General: Users can read non-administrative configuration resources
    3. User Management: Users can read attributes of their own

     

    APPENDIX E - Configuration Files Configured Correctly

    1. FIM Configuration File - Appendix A
    2. Web Configuration File - Appendix B
    3. Ensure that Configuration Files Match
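The three appendix checks (A, B and E) carried out by script, as an added example that is not part of the original article: it reads both configuration files from the default paths given above, verifies that the two FIM Service values are bare host names that agree with each other, and verifies that the web.config URL has the http:// prefix, the :5725 port and the same host. One assumption: the web.config attribute is taken to sit on a resourceManagementClient element as well; adjust the XPath if your file differs.

```powershell
# Added example (not from the original article): compare the FIM Service configuration
# file (Appendix A) with the portal web.config (Appendix B) as Appendix E requires.
# Paths are the defaults from the appendices; adjust if FIM or SharePoint is installed
# elsewhere, or copy both files to one machine before running.
$serviceConfig = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'
$webConfig     = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'

function Get-XmlAttributeValue {
    param([string]$Path, [string]$XPath)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    $node = $doc.SelectSingleNode($XPath)
    if (-not $node) { throw "XPath '$XPath' not found in $Path" }
    return $node.Value.Trim()
}

# FIM Service side: both values must be the same bare host name (no http://, no port).
$clientBase   = Get-XmlAttributeValue $serviceConfig '//resourceManagementClient/@resourceManagementServiceBaseAddress'
$externalHost = Get-XmlAttributeValue $serviceConfig '//resourceManagementService/@externalHostName'

# Portal side: a full URL of the form http://<host>:5725/ (element name assumed).
$webBase = Get-XmlAttributeValue $webConfig '//resourceManagementClient/@resourceManagementServiceBaseAddress'

$problems  = @()
$fimValues = @{ resourceManagementServiceBaseAddress = $clientBase; externalHostName = $externalHost }
foreach ($name in $fimValues.Keys) {
    if ($fimValues[$name] -match '^https?://') {
        $problems += "FIM config: $name must not start with http:// (found '$($fimValues[$name])')"
    }
}
if ($clientBase -ne $externalHost) {
    $problems += "FIM config: resourceManagementServiceBaseAddress '$clientBase' differs from externalHostName '$externalHost'"
}

# Pull the host out of the web.config URL and compare it with the FIM config
# (-ne is case-insensitive in PowerShell, which is what we want for host names).
$webUri = $null
if (-not [System.Uri]::TryCreate($webBase, [System.UriKind]::Absolute, [ref]$webUri)) {
    $problems += "web.config: '$webBase' is not a valid absolute URL"
} else {
    if ($webUri.Scheme -ne 'http' -or $webUri.Port -ne 5725) {
        $problems += "web.config: expected http://<host>:5725/ but found '$webBase'"
    }
    if ($webUri.Host -ne $clientBase) {
        $problems += "web.config host '$($webUri.Host)' does not match FIM config host '$clientBase'"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: both files point at '$clientBase' (web.config: $webBase)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Each warning names the file and the attribute that needs editing, which maps directly back to the numbered steps in Appendix A and B; a clean run means the files agree and the remaining suspects are the SPNs, delegation, or the service itself.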

     

    APPENDIX F - ACCESS THE FIM WEB SERVICE

    To test access to the FIM Web Service, navigate to http://<Name of Machine Running the FIM Web Service>:5725

    ( e.g. http://myfimservicemachine:5725/ )

    If you cannot reach the FIM Web Service, consider checking the following:

    • Forefront Identity Manager Service is Started
    • Windows Firewall is not interfering

    If both of the above check out and you still cannot access the FIM Web Service, consider taking a network trace ( Network Monitor 3.4 or Wireshark ) to see whether something on the network is causing the issue.
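    The same probe from PowerShell, added here as an example that is not part of the original article: it checks the three layers in the order this appendix suggests, namely whether the service is running (meaningful only on the FIM Service machine), whether TCP port 5725 accepts a connection (a timeout here usually means the firewall or a wrong host name), and whether the endpoint answers HTTP at all. The host name is an assumed value; use the one from the web.config resourceManagementServiceBaseAddress.

```powershell
# Added example (not from the original article): probe the FIM Web Service endpoint
# layer by layer. Assumed value: set $fimHost to the host from web.config.
$fimHost = 'myfimservicemachine'
$port    = 5725

# 1. Local service state (only meaningful when run on the FIM Service machine).
$svc = Get-Service -DisplayName 'Forefront Identity Manager Service' -ErrorAction SilentlyContinue
if ($svc) { Write-Host "Service: $($svc.Status)" }
else      { Write-Host "Service: not installed on $env:COMPUTERNAME (run this on the FIM Service machine for step 1)" }

# 2. TCP reachability with a 5 second limit; a refused or timed-out connect points at
#    the Windows Firewall, a wrong host name, or a service that is not listening.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($fimHost, $port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) { throw "timeout after 5 s" }
    $client.EndConnect($async)
    Write-Host "TCP ${fimHost}:$port reachable"
} catch {
    Write-Warning "TCP ${fimHost}:$port NOT reachable: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 3. HTTP: any status code from the endpoint (even a 4xx) proves the web service is
#    answering; only a transport-level failure means it is not.
$req = [System.Net.WebRequest]::Create("http://${fimHost}:$port/")
$req.UseDefaultCredentials = $true   # authenticate as the current (Kerberos) user
$req.Timeout = 10000
try {
    $resp = $req.GetResponse()
    Write-Host "HTTP: $([int]$resp.StatusCode) $($resp.StatusDescription)"
    $resp.Close()
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        Write-Host "HTTP: endpoint answered with $([int]$_.Exception.Response.StatusCode) (endpoint is up)"
    } else {
        Write-Warning "HTTP: no response ($($_.Exception.Status))"
    }
}
```

    Run it first on the FIM Service machine itself and then from the FIM Portal server: if the endpoint answers locally but the portal server cannot connect on 5725, the problem is between the two machines (firewall or name resolution) rather than in the service.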
