none
FIM Load Balancing and SPN's - Strange behaviour RRS feed

  • Question

  • I have a FIM setup in a domain

    I have mycorp.com and a domain in the same forest contractor.mycorp.com (fictional setup)

    I have 2 servers built in the contractors.mycorp.com domain

    • Id1
    • Id2

    Id1 has the Service and portal on wss3 in SharePoint farm mode, Sp central admin is on this as well

    Id2 has the service and is a load balanced SharePoint farm.

    I have NLB setup and working the service name is identity.mycorp.com pointing at the IP of the NLB

    I have a CNAME identity pointing at identity.mycorp.com

    Identity.mycorp.com is used as the name of the Service and the Portal.

    In the ApplicationHost.config I have

    <system.webServer>

       <security>

          <authentication>

             <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

          </authentication>

       </security>

    </system.webServer>

    I have kernel mode enabled, and I have Windows authentication enabled in the IIS console on id1 and id2.

    The app pool credentials are a domain account SPService for SharePoint Service, the app pool is set on both id1 and id2 servers. The root domain account mycorp\SPService us used.

    In

    c:\inetpub\wwwroot\wss\VirtualDirectories

    I have set

    <resourceManagementClient requireKerberos="true"

    I have registered the alternate URL mappings for SharePoint as

    • Identity
    • Identity.myCorp.com

    I have registered SPN's for

    • Setspn –S FIMService/identity.myCorp.com myCorp\FIMService
    • Setspn –S FIMService/identity  myCorp\FIMService
    • Setspn –S HTTP/identity.myCorp.com myCorp\SPService
    • Setspn –S HTTP/identity myCorp\SPService

    I have configured delegation for both accounts in ADUC for the identity.mycorp.com

    So all is well and I installed everything fine.

    Now my problem is that if I go to id1 and browse to http://identity/identitymanagement I get redirected , and authenticated with my admin account to http://id1/IdentityManagement/default.aspx

    On id1 if I go to http://identity.myCorp.com/identitymanagement I get prompted for credentials, when I enter myCorp\FIMAdmin and my password I get redirected to the portal at http://id1/IdentityManagement/default.aspx

    If I try and authenticate to any of the previous URL's from other machines in my domain, including the load balanced box id2 I get "HTTP Error 401. The requested resource requires user authentication."

    Even if I try and browse to http://id1/identitymanagement from another machine I am getting 401. Only on http://id1 am I getting a result, even if there is a prompt.

    I am sure my SPN's are fine, there are no duplicate SPN's , I checked with the -x switch

    So my load balanced portal and service are not working as I would have thought , I have looked at

    http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

    http://social.technet.microsoft.com/Forums/en-US/484faae8-4df6-4b81-8b2d-9d75d5258e4f/fim-portal-http-error-401-the-requested-resource-requires-user-authentication?forum=ilm2

    http://social.technet.microsoft.com/wiki/contents/articles/4473.fim-http-error-401-the-requested-resource-requires-user-authentication.aspx

    http://setspn.blogspot.ie/2010/06/kerberos-basic-troubleshooting-tip-3.html

    The only thing that I can think of is that the machine is in the contractors.myCorp.com domain which makes the machine   unique from where the SPN's are registered, but if that was the case then browsing to the portal from http://id1 would certainly fail.

    Can anyone see anything wrong with my approach ?

    Normally I find SharePoint a pain, but this week it seems to be this.

    When I ran the fim service install I specified identity.myCorp.com as the name of the server


    Rob



    • Edited by MasterPrawn Monday, January 6, 2014 7:14 PM spacing
    Monday, January 6, 2014 5:10 PM

All replies

  • In my Load Balanced setup it helped a lot (on some strange behaviours) when I set up Load Balancer to keep session on one server.

    Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

    Monday, January 6, 2014 8:57 PM
  • What type of Load balancer was that ?

    If my session is changing , then why is my portal not arriving at the actual name of the service, in my case always landing on the "first" server id1 ?


    Rob

    Tuesday, January 7, 2014 10:11 AM