FIM Service unavailable error when user is trying to open FIM Portal RRS feed

  • Question

  • Hi,

    I am trying to open the identity management portal as a normal or regular user, but get the error that the FIM service is not available.  I have also noted that this is a highly discussed topic, with most of the people not having all the attributes in the portal, most notably the domain name and the objectSID.

    In my case I have all the required attributes in the portal and have also enabled all the necessary MPRs.  I have also tested the objectSID with the PS script posted in one of the threads; everything appears to be fine.  I also verified the permissions on the SharePoint site.

    I don't see any errors on the portal server or the workstation other than what is shown in the browser.  On the browser address line the following is shown: http://<server name>/_layouts/MSILM2/ErrorPage.aspx?ErrorCode=3000

    I must mention that I have a fully functional FIM implementation on three servers, of which everything works, including SSPR.  I do not have issues with anything else other than that the normal users cannot access the FIM portal.  I want the users to access the portal in order to change an attribute value to indicate what their preference is for OTP (this was discussed in another post of mine).

    I would appreciate it if anybody can shed some light on this issue and maybe on how to resolve it.

    Regards

    Johan Marais


    JkM6228

    Tuesday, October 9, 2012 5:38 PM

Answers

  • Hi,

    These people have almost the same error. Can you try this?

    http://blogs.msdn.com/b/emeadaxsupport/archive/2010/10/29/kerberos-authentication-error-code-0x7-kdc-err-s-principal-unknown-extended-error-0xc0000035-klin-0.aspx

    http://jeffwouters.nl/index.php/2011/04/a-kerberos-error-message-was-received-on-logon-session/

    Regards,


    M. Irfan

    • Marked as answer by Johan Marais Thursday, October 11, 2012 12:43 PM
    Thursday, October 11, 2012 5:24 AM
  • M.Irfan,

    In my searches I also came across the article you mentioned. That led me to relook at my SPNs, and I found that to be the source of my problems! Now this is interesting, because I followed the MS documentation on that.  I compared a few documents and found them all to be slightly different.  All the development and testing I have done so far was conducted with the administrator of the portal, which appears to be working well. It is only when testing a user accessing the portal that the problem showed itself.

    My working configuration is as follows:

    I have three servers, of which one runs the sync service and DB, another the portal DB and another the FIM portal and password portals. My service accounts are as follows:

    FIM Service account with SPNs FIMService/<servername>, FIMService/<server FQDN>; Kerberos delegation enabled for any service

    FIM Portal application pool account with SPNs HTTP/<portal alias>, HTTP/<portal alias FQDN>; Kerberos delegation enabled for any service

    FIM Password Service account with no SPNs, Kerberos delegation only

    FIM portal server machine account with SPNs HTTP/<sspr host header for password registration>, HTTP/<sspr host header for password reset>; Kerberos delegation enabled for any service

    I didn't use constrained delegation at this time; I didn't want to introduce more complexity.

    Can you please confirm that this is the proper configuration? I will then update my documentation and we can mark this as the answer.

    Thanks for your help so far

    Regards

    Johan


    JkM6228

    • Marked as answer by Johan Marais Thursday, October 11, 2012 11:52 AM
    Thursday, October 11, 2012 5:50 AM
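    The SPN layout Johan lists in his answer is easy to get subtly wrong, and the symptom (KDC_ERR_S_PRINCIPAL_UNKNOWN, error code 0x7, for the HTTP/ name the browser asks for) is exactly what the KDC returns when no account holds the requested SPN. The PowerShell below is an added example written for this thread, not code from the thread, from FIM or from Microsoft: it checks that every expected SPN is registered on the intended account and on no other account, and that each account has delegation enabled, as in the working configuration above. The account names, host names and the DEV.TEST suffix are placeholders and must be replaced; the script assumes the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
# Added example, not from the thread. Verifies the SPN/delegation layout that
# Johan describes. All names below are placeholders for your environment.
Import-Module ActiveDirectory

# Expected layout: one entry per service account, with the SPNs it must hold.
# The password service account intentionally has no SPNs.
$expected = @(
    @{ Account = 'svc-fimservice';  Type = 'User';     SPNs = @('FIMService/fim03', 'FIMService/fim03.dev.test') },
    @{ Account = 'svc-fimportal';   Type = 'User';     SPNs = @('HTTP/fimportal', 'HTTP/fimportal.dev.test') },
    @{ Account = 'svc-fimpassword'; Type = 'User';     SPNs = @() },
    @{ Account = 'FIM03';           Type = 'Computer'; SPNs = @('HTTP/pwdregistration.dev.test', 'HTTP/pwdreset.dev.test') }
)

function Get-Principal([string]$Name, [string]$Type) {
    # Users and computers are different object classes; fetch the two
    # attributes we need on either.
    if ($Type -eq 'Computer') {
        Get-ADComputer -Identity $Name -Properties servicePrincipalName, TrustedForDelegation
    } else {
        Get-ADUser -Identity $Name -Properties servicePrincipalName, TrustedForDelegation
    }
}

$problems = @()
foreach ($entry in $expected) {
    $principal  = Get-Principal -Name $entry.Account -Type $entry.Type
    $registered = @($principal.servicePrincipalName)

    foreach ($spn in $entry.SPNs) {
        # Missing SPN: a client requesting a ticket for this name gets
        # KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7), the event Johan saw on the workstation.
        if ($registered -notcontains $spn) {
            $problems += "SPN $spn is not registered on $($entry.Account)"
        }

        # Duplicate SPN: if more than one account holds it, the KDC cannot decide
        # which key to use and Kerberos authentication to that name fails as well.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -gt 1) {
            $problems += "SPN $spn is registered on $($holders.Count) accounts: $($holders.Name -join ', ')"
        }
    }

    # The working configuration uses 'trust for delegation to any service'
    # (unconstrained delegation) on every account; flag any that lacks it.
    if (-not $principal.TrustedForDelegation) {
        $problems += "$($entry.Account) is not trusted for delegation"
    }
}

if ($problems.Count -eq 0) {
    'All expected SPNs are registered exactly once and delegation is enabled.'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it from a domain-joined admin workstation as an account that can read the service accounts. The same two checks can be done by hand with the setspn tool: setspn -Q HTTP/<portal alias FQDN> shows which account, if any, holds a given SPN, and setspn -X lists duplicate SPNs across the domain. If the portal is reached by an alias rather than the machine name, the HTTP/ SPNs belong on the application pool account, not on the server's machine account, which is the distinction the thread turns on.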

All replies

  • Can the user get to at least the sharepoint instance the portal is hosted on?
    Tuesday, October 9, 2012 8:35 PM
  • Hi,

    Haven't thought of that; tried it and am getting "access denied".  Will try to sort that out.

    Regards

    Johan Marais


    JkM6228

    Wednesday, October 10, 2012 6:40 AM
  • Hi,

    I managed to get the user to open the SharePoint instance.  I noticed that the "domain users" group from our forest root domain was added, but not the domain users from the production domain where the users actually are.  After adding that, the user could open the SharePoint instance, but is still getting Service not available when trying to open the identity management site.  I have even given the user permission with his name and still get the error.

    Any other ideas as to what is the cause of this?  Or what else can I look at?

    Thanks

    Johan Marais


    JkM6228

    Wednesday, October 10, 2012 7:10 AM
  • Hi,

    When you open the FIM portal page, does it open and ask for login?

    If you can view the login page but can not login, then it means you did not import the user in FIM.

    And moreover, just for a test, add the user to any one built-in group and check how it works.

    Regards,


    M. Irfan

    • Proposed as answer by M.Irfan Wednesday, October 10, 2012 9:11 AM
    Wednesday, October 10, 2012 9:10 AM
  • M.Irfan,

    I do get prompted for the password, but only once, after I do an IISRESET on the portal or restart the server.  After this I am not prompted again.  I have added the portal address to the trusted sites on the workstation browser.

    I might, however, not comply 100% with the required attributes for this.  We have created a custom user type in the metaverse from where I flow the accountName to the FIM portal, i.e.:

    AD samAccountName -> MV Custom accountName

    MV custom accountName -> FIM accountName

    Not sure if this is causing the problem, as this is the only thing which does not meet the pre-requisites.  I am changing it to:

    AD samAccountName -> MV accountName (under the custom user object type which is copied from the default person object)

    MV accountName -> FIM accountName

    Will not be very happy if something as trivial as this is causing all the issues I am experiencing :-) It is exactly the same information, just stored differently.

    Anyway, I am waiting for sync to finish; we have 1000's of objects.

    Not sure to which group you want me to add the user, Administrators in the domain or a specific Set.  Have added the user to the local administrators group on the workstation; doesn't make a difference.

    Thanks

    Johan


    JkM6228

    Wednesday, October 10, 2012 9:25 AM
  • M.Irfan,

    Tested with my administrator, which can open the portal on the portal server, but from the same workstation is getting the same error as a regular user.  Does this mean that there is something wrong with the Kerberos delegation?  I did configure this exactly according to the installation material and was under the impression that it worked.

    How can I check if this is the problem?

    Regards

    Johan


    JkM6228

    Wednesday, October 10, 2012 9:33 AM
  • Managed to fix the administrator account, but the normal user still has a problem opening the portal site.

    JkM6228

    Wednesday, October 10, 2012 11:19 AM
  • Hi Johan,

    Thank you for explaining the problem.

    AD samAccountName -> MV Custom accountName

    MV custom accountName -> FIM accountName

    You are right, this is the problem.

    When you created the custom user, AD did not have the objectid. So AD does not even know the FIM user. If you are lucky, and I hope you are, you will not get any worse problem. But it is possible that FIM creates the users again in AD.

    Let me know if the problem is resolved after doing the above mentioned solution.

    Regards,


    M. Irfan

    • Proposed as answer by M.Irfan Wednesday, October 10, 2012 1:11 PM
    Wednesday, October 10, 2012 11:28 AM
  • M.Irfan,

    The problem seems to be Kerberos related.  I am getting this error in the workstation system event log for the client trying to open the portal site:

    A Kerberos Error Message was received:

    on logon session

    Client Time:

    Server Time: 13:13:5.0000 10/10/2012 Z

    Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN

    Extended Error: 0xc0000035 KLIN(0)

    Client Realm:

    Client Name:

    Server Realm: DEV.TEST

    Server Name: HTTP/prtrra06-fim03.dev.test

    Target Name: HTTP/prtrra06-fim03.dev.test@DEV.TEST

    Error Text:

    File: 9

    Line: f09

    Error Data is in record data.

    Does this look familiar to you?  Any ideas on this?

    Thanks

    Johan Marais


    JkM6228

    Wednesday, October 10, 2012 1:19 PM
  • Hi,

    For me the configuration looks OK. I don't think there need to be any changes. Just for the future, even if you use the "sspr host header for password registration" with some other name, you can browse that also if you are forwarding in IIS.

    And one more thing: are you using a domain machine to log in with the user? If you are, please try from any client computer. The MS domain also does not work well with domain users even if you give proper permissions.

    And I will be happy to help further if you need it.

    Regards,


    M. Irfan

    • Proposed as answer by M.Irfan Thursday, October 11, 2012 11:49 AM
    Thursday, October 11, 2012 11:49 AM
  • M.Irfan,

    Again, thanks for your help. And yes, I did log in from a domain-joined machine and it works fine.  I did pick up a problem with the browser on Windows 8 complaining that scripts are not allowed.  But this is a local setting which I will sort out later.  The majority of the workstations are either Windows XP or Windows 7.

    Regards

    Johan Marais


    JkM6228

    Thursday, October 11, 2012 11:57 AM
  • Hi,

    I am happy that your problem is resolved. But you forgot to mark me as a proposed answer.

    If you think I was helpful, I would be glad to get the "marked as answer" on my answers.

    Thank you.

    Regards,


    M. Irfan

    Thursday, October 11, 2012 12:35 PM