FIM 2010 R2 and MIM 2016 queries

  • Question

  • Hello Experts,

    I was advised to write to your email for advice on this concern.

    My overall goal is to migrate FIM 2010 R2 to MIM 2016, and to that effect I have tested a few aspects separately and I was able to figure out most of the parts.

    One such test I am getting stuck at is deploying the MIM 2016 SSPR portals (password registration and reset) on SPF 2013 on port 80, as was done for FIM 2010 R2.

    I was able to deploy the Identity Management Portal, and also set up AAM for a user-friendly address (URL) rather than just the hostname, and that works fine, except for the password registration and reset portals.

    The environment:
    Domain: Cloud.org
    New MIM 2016 Deployment

    MIM2016/SQL2014/SPF2013SP1/IIS are installed on Windows Server 2012 R2, and the host name is SQL2014-2.

    SharePoint URL
    AAM
    MIM Portal (works fine with the standard and AAM URLs as well)
    SSPR URL (doesn't work: "Page cannot be displayed"; static Host A record created in DNS)
    Service accounts (names):
    MIMService
    MIMSync
    MIMMA
    SharePoint
    SQLServer

    The issue:

    The MIM portal works fine and I am able to provision and sync users in AD; however, the SSPR portals end up in a "Page cannot be displayed" error. There are Host A records created in DNS, pointing to the same IP as the MIM server (SQL2014-2). The SPNs for http/pwdreg.cloud.org are also registered for the MIMService service account.

    Also, Claims auth and auto upgrade are disabled for SPF2013 SP1.

    The SSPR portals are set to operate on port 80, unlike what's stated in the MIM guide, which uses ports 8080 and 8088 respectively. This is a new install and I have followed the FIM guide, where all the portals work fine together on 80/443. The MIM formal guide suggests using the FIM guide when necessary.

    Is this supposed to work, or are we supposed to use ports other than port 80 for MIM 2016, unlike FIM 2010 R2?

    The only related error I could see in the event log:
    Log Name:      Forefront Identity Manager
    Source:        Microsoft.ResourceManagement
    Date:          11/3/2016 7:37:36 AM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SQL2014-2.cloud.org
    Description:
    Requestor: Internal Service
    Correlation Identifier: 3204fa40-1d54-4a08-bbbe-a8a8e706a6ff
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft.ResourceManagement" />
        <EventID Qualifiers="0">3</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-11-03T02:07:36.000000000Z" />
        <EventRecordID>22</EventRecordID>
        <Channel>Forefront Identity Manager</Channel>
        <Computer>SQL2014-2.cloud.org</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Requestor: Internal Service
    Correlation Identifier: 3204fa40-1d54-4a08-bbbe-a8a8e706a6ff
    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)</Data>
      </EventData>
    </Event>

    Also, the following SPNs are registered for the service accounts and the host server (you may ignore MIM2016 and MIM2016-S2K8, as they were older installations and are shut off):

    CN=MIMService,OU=Service Accounts,DC=cloud,DC=org:
            HTTP/pwdreset.cloud.org
            HTTP/pwdreg.cloud.org
            MIMService/SQL2014-2
            MIMService/SQL2014-2.cloud.org
            MIMService/MIM2016.cloud.org
            MIMService/MIM2016-S2K8.cloud.org
    CN=MIMSync,OU=Service Accounts,DC=cloud,DC=org:
            MIMSync/SQL2014-2
            MIMSync/SQL2014-2.cloud.org
            MIMSync/MIM2016.cloud.org
            MIMSync/MIM2016-S2K8.cloud.org
    No SPNS for MIMMA
    CN=SharePoint,OU=Service Accounts,DC=cloud,DC=org:
            http/mimportal
            http/mimportal.cloud.org
            http/SQL2014-2
            http/SQL2014-2.cloud.org
            http/MIM2016
            http/MIM2016.cloud.org
            http/MIM2016-S2K8
            http/MIM2016-S2K8.cloud.org
    CN=SqlServer,OU=Service Accounts,DC=cloud,DC=org:
            MSSQLsvc/SQL2014-2:1433
            MSSQLsvc/SQL2014-2.cloud.org:1433
    CN=SQL2014-2,CN=Computers,DC=cloud,DC=org:
            MIMSync/SQL2014-2 Cloud\MIMSync
            MIMService/SQL2014-2.cloud.org Cloud\MIMService
            MIMService/SQL2014-2 Cloud\MIMService
            http/SQL2014-2.cloud.org Cloud\Sharepoint
            http/SQL2014-2 Cloud\Sharepoint
            MSSQLSVC/SQL2014-2.cloud.org:SHAREPOINT
            MIMSync/SQL2014-2.cloud.org Cloud\MIMSync
            WSMAN/SQL2014-2
            WSMAN/SQL2014-2.cloud.org
            TERMSRV/SQL2014-2
            TERMSRV/SQL2014-2.cloud.org
            RestrictedKrbHost/SQL2014-2
            HOST/SQL2014-2
            RestrictedKrbHost/SQL2014-2.cloud.org
            HOST/SQL2014-2.cloud.org

    Any help would be greatly appreciated.

    Regards

    SG

    Thursday, November 3, 2016 3:05 AM
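The two things that decide whether the registration and reset sites can share port 80 with the SharePoint-hosted MIM Portal are (a) that each portal name has exactly one Kerberos HTTP SPN, held by the account that runs that site's IIS application pool, and (b) that every site on port 80 has a distinct host header. The script below is an added example, not code from the thread or from Microsoft; it audits both on the MIM server. The host names, port and domain are assumptions that mirror the environment in the question, and the SPN-to-app-pool comparison assumes each SSPR site runs under a named domain account (if a pool runs as ApplicationPoolIdentity the check reports a mismatch, which is itself worth knowing). Note that the question has the HTTP/pwdreg and HTTP/pwdreset SPNs on MIMService, while a later reply in the thread moves them to the SSPR account; the script shows which account actually needs them.

```powershell
# Added example (not from the thread): audit SPN ownership and IIS port-80 bindings
# for the MIM Portal and SSPR sites. Host names and port are assumptions from the question.
Import-Module ActiveDirectory
Import-Module WebAdministration

$portals = @(
    @{ Host = 'pwdreg.cloud.org';    Port = 80 },   # password registration (assumed name)
    @{ Host = 'pwdreset.cloud.org';  Port = 80 },   # password reset (assumed name)
    @{ Host = 'mimportal.cloud.org'; Port = 80 }    # SharePoint-hosted MIM Portal (AAM name)
)

function Get-SpnOwner {
    # Every AD principal (user or computer) carrying the SPN. The lookup is
    # case-insensitive, so HTTP/ and http/ are the same SPN. With two owners the
    # KDC picks one at random and the service cannot decrypt the ticket.
    param([Parameter(Mandatory)][string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName
}

function Get-PortBinding {
    # One row per IIS binding on the given port: site, host header and the
    # identity of its application pool (the account that must hold the SPN).
    param([int]$Port = 80)
    foreach ($site in Get-Website) {
        $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
        foreach ($b in $site.bindings.Collection) {
            $ip, $bport, $hostHeader = $b.bindingInformation -split ':'   # "IP:port:hostheader"
            if ([int]$bport -ne $Port) { continue }
            [pscustomobject]@{
                Site = $site.name; IP = $ip; HostHeader = $hostHeader
                AppPool = $site.applicationPool; Identity = $pool.processModel.userName
            }
        }
    }
}

function Test-PortalKerberos {
    param([hashtable]$Portal, [object[]]$Bindings)
    $spn     = "HTTP/$($Portal.Host)"
    $owners  = @(Get-SpnOwner -Spn $spn)
    $binding = $Bindings | Where-Object { $_.HostHeader -eq $Portal.Host } | Select-Object -First 1
    $dns     = Resolve-DnsName -Name $Portal.Host -Type A -ErrorAction SilentlyContinue
    $tcp     = Test-NetConnection -ComputerName $Portal.Host -Port $Portal.Port -WarningAction SilentlyContinue

    $problems = @()
    if ($owners.Count -eq 0) { $problems += "no account holds $spn" }
    if ($owners.Count -gt 1) { $problems += "duplicate SPN $spn on: $($owners -join ', ')" }
    if (-not $binding)       { $problems += "no IIS binding on port $($Portal.Port) with host header $($Portal.Host)" }
    if ($binding -and $owners.Count -eq 1) {
        # processModel.userName is DOMAIN\account; compare the account part only.
        $poolAccount = ($binding.Identity -split '\\')[-1]
        if ($poolAccount -ne $owners[0]) {
            $problems += "SPN is on $($owners[0]) but app pool '$($binding.AppPool)' runs as '$($binding.Identity)'"
        }
    }
    if (-not $dns)                  { $problems += "no A record for $($Portal.Host)" }
    if (-not $tcp.TcpTestSucceeded) { $problems += "port $($Portal.Port) not reachable" }

    [pscustomobject]@{
        Host = $Portal.Host; SpnOwner = ($owners -join ', '); AppPoolIdentity = $binding.Identity
        Status = $(if ($problems) { 'FAIL' } else { 'OK' }); Problems = ($problems -join '; ')
    }
}

$bindings = @(Get-PortBinding -Port 80)
# Two sites on the same IP:port with the same (or both an empty) host header collide;
# IIS will serve one of them for the other's name.
$bindings | Group-Object IP, HostHeader | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Binding conflict on port 80: $($_.Group.Site -join ', ')" }
$portals | ForEach-Object { Test-PortalKerberos -Portal $_ -Bindings $bindings } | Format-Table -AutoSize
```

Run it elevated on the MIM server as an account that can read AD and IIS configuration. A FAIL row with "duplicate SPN" or an SPN-versus-app-pool mismatch is the Kerberos explanation for a blank page; a "binding conflict" warning is the port-80 explanation. The script also exposes the case the question describes: the SSPR sites are reachable only through the names that have both a host-header binding and a matching SPN, so a test from the server itself against the bare hostname can fail while the same site works from another machine.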

Answers

  • Yes, there's a lot that went into the mix, and the final piece of the puzzle was IE. Use Chrome for your exercise.

    MIM Portal: use an alias.

    Pwd Reg and Reset portals: use Host A records.

    Exclude from the AV so SharePoint can breathe.

    Use all the old SPNs, not the new ones.

    Move all the DBs, set them to the new DB level.

    Enable cookies (a pain with IE).

    Add to trusted sites, and voila... then it works.

    The migration took me three days, to ensure nothing is missed!

    It works on 443 as well; do the necessary SSL config.

    Happy Deployment!

    PS: MS needs to get their documentation right for the new MIM product; it sucks. Refer to the FIM 2010 documentation for better insight.


    SG

    • Marked as answer by Saurabh.G Tuesday, March 14, 2017 2:13 AM
    Tuesday, March 14, 2017 2:12 AM

All replies

  • Anybody have a suggestion for SG?

    Thanks!


    Ed Price, Azure Development Customer Program Manager

    Answer an interesting question? Create a wiki article about it!

    Saturday, November 5, 2016 9:59 PM
    Moderator
  • SG,

    you don't need to change any ports when upgrading from FIM to MIM.

    There is a mistake in the MIM documentation set about using different ports (referring to port 82), as the MIM documentation was referring to a single-server setup with Exchange Web Services running on the same box.
    If that is not the case (and it should not be), then you can upgrade from FIM to MIM with the same setup.

    In essence you can do an in place upgrade, considering MIM as SP2 for FIM...

    If you got it working in FIM, you must get it working in MIM, with the exact same setup.

    The port settings for SSPR use 8080 and 8088 for the same reason: to avoid any conflict with ports already in use. If you don't use port 80 for anything else, you should be able to assign it.

    For example if you install SSPR PwdReg and SSPR PwdSet on different machines, there are no conflicts.


    Peter Geelen - MVP (Quest for security) (user page)

    [If a post helps to resolve your issue, please click the "Mark as Answer" or "Vote as helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]


    Sunday, November 6, 2016 7:48 PM
    Moderator
  • SG,

    the error "Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound" might be pointing to a different issue. Eg, when the user is not synced correctly into the FIM Portal... (Typically SP and/or FIM cannot find the user that is trying to login eg when the ObjectSID is not mapped or the user is not registered for pwd reset...)


    Peter Geelen - MVP (Quest for security) (user page)


    Sunday, November 6, 2016 7:57 PM
    Moderator
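The stack in the logged event (GetCurrentUser calling GetUserFromSecurityIdentifier) shows what IdentityIsNotFound means concretely: the MIM Service took the caller's Windows SID and found no Person whose ObjectSID attribute matches it. The script below is an added example, not code from the thread or from Microsoft, that compares the SID AD holds for an account with the ObjectSID stored on the corresponding Person in the MIM Service, so you can tell "never synced into the portal" from "synced without the SID flow" from "stale SID". It assumes the FIMAutomation PowerShell snap-in installed with the MIM Service, the service on its default endpoint http://localhost:5725, a NetBIOS domain name of CLOUD for cloud.org, and that the running user may read Person objects; the account names at the bottom are hypothetical.

```powershell
# Added example (not from the thread): compare AD's SID for an account with the
# ObjectSID the MIM Service holds on the matching Person object.
Add-PSSnapin FIMAutomation -ErrorAction Stop     # assumption: snap-in from the MIM Service install
Import-Module ActiveDirectory

function Test-MimObjectSid {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string]$Domain = 'CLOUD',                                   # assumption: NetBIOS name of cloud.org
        [string]$Uri    = 'http://localhost:5725/ResourceManagementService'  # assumption: default endpoint
    )
    $adSid = (Get-ADUser -Identity $AccountName).SID.Value

    # The portal locates a caller by AccountName + Domain, then checks ObjectSID,
    # so query the Person the same way.
    $filter = "/Person[AccountName='$AccountName' and Domain='$Domain']"
    $export = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)

    $result = [ordered]@{ AccountName = $AccountName; ADSid = $adSid; MimSid = $null; Status = $null }
    if ($export.Count -eq 0) {
        $result.Status = 'NoPersonObject'        # user was never synced into the MIM Service/Portal
    } else {
        $attr = $export[0].ResourceManagementObject.ResourceManagementAttributes |
                Where-Object AttributeName -eq 'ObjectSID'
        if (-not $attr -or -not $attr.Value) {
            $result.Status = 'ObjectSIDNotSet'   # Person exists but the SID attribute flow is missing
        } else {
            # ObjectSID is a binary attribute; the web service returns it base64-encoded.
            $bytes = [Convert]::FromBase64String($attr.Value)
            $result.MimSid = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            $result.Status = $(if ($result.MimSid -eq $adSid) { 'OK' } else { 'SIDMismatch' })
        }
    }
    [pscustomobject]$result
}

# Hypothetical accounts: the user who hit the error and the MIM service account itself
# (the service account also needs a Person with a correct ObjectSID).
'testuser', 'MIMService' | ForEach-Object { Test-MimObjectSid -AccountName $_ } | Format-Table -AutoSize
```

NoPersonObject or ObjectSIDNotSet on the test user points at the sync side (the AD MA to MIM Service MA flow for ObjectSID, or the user simply not being in scope yet), which is a different fault from the SPN and port-80 questions earlier in the thread. SIDMismatch is typical after a user was recreated in AD with the same name.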
  • Hi Peter,

    Thanks for replying.

    The catch is that the in-place upgrade works from FIM 2010 R2 to MIM 2016 (W2K8R2, SQL2K8, SP2010), and the requirement is to use all the latest software for MIM 2016 (W2012, SQL2014, SP2013 SP1).

    FIM has always been effectively deployed sharing port 80 between the FIM Portal and the Pwd Reg and Reset portals, so what makes it different for MIM 2016?

    "If you got it working in FIM, you must get it working in MIM, with the exact same setup..."

    I used to believe this until I ended up here.

    Just for a test, I attempted a vanilla install of MIM 2016 (all new, with no old DBs from FIM); the sync service and the MIM portal both work fine, but the reg and reset portals still don't.

    Something to do with SPNs, or IIS; I checked most of the rules and I think I got them in place. Any more ideas, I will be grateful.


    SG

    Monday, November 7, 2016 3:11 PM
  • Switched all the new SPNs with the old FIM ones (mimservice to fimservice and mimsync to fymsynchronization), and updated the password registration SPNs to the SSPR account.

    The reg and reset portals now open, oddly not from the MIM server but from any other server in the domain. Also, I get the 3001 error (Access Denied). I have repaired the setup and rerun the FIM Service and Portal setup to update and change, but error 3001 persists.

    Followed https://social.technet.microsoft.com/Forums/en-US/813d5248-7669-4098-8b80-fd97f26420e3/mim-sspr-registration-error-3001?forum=ilm2, which talks about rerunning the setup; that has been done.

    Awaiting inputs.

    Thanks  


    SG

    Monday, November 7, 2016 8:37 PM
  • Did you ever fix this so that MIM Portal, MIM Pwd Reg and Pwd Reset all run on port 80?
    Monday, March 13, 2017 10:16 PM