Users cannot access the FIM Portal unless they are a member of the local Group "Users" on the FIM Service server

  • Question

  • Hi,

    I have an FIM 2010 R2 SP1 install on Windows 2012 infrastructure using SharePoint 2013.  Roles are broken out so I have a separate server for FIM Service, FIM Sync and SQL backend.

    I have populated users as required, but they cannot access the FIM Portal unless they are members of the local security group "Users" on the FIM Service server itself.  When not added to this group they get prompted for credentials repeatedly, and after entering them repeatedly I receive a message from the link below:

    "https://idmportal.company.com/_layouts/MSILM2/ErrorPage.aspx

    Unable to process your request"

    Once I add the user into the "Users" group on the FIM Service server then the user logs in with no issues.

    Has anyone else come across this issue?

    Thanks,

    B

    Monday, February 17, 2014 5:55 PM

All replies

  • When installing the FIM Portal and service, did you check the box that said "Grant Authenticated Users Access to the FIM Portal Site"?

    Monday, February 17, 2014 7:55 PM
  • Hi,

    Thanks for the response.  I rechecked the install guide and this was definitely ticked on install.  Is there any way to confirm this once installed, or could there be any other issue?

    Thanks

    B

    Tuesday, February 18, 2014 9:24 AM
  • Hi,

    Just wanted to follow up on this.  When a server is first joined to the domain, the "Domain\Domain Users" group is added by default to the server's local "Users" group.  In this environment the Domain Users group had been removed.

    Can anyone confirm that the Domain Users group should be present on the server in the "Users" group for the FIM Portal (SharePoint) to work?  Does the FIM Portal (SharePoint) need local users rights on top of site rights?

    Thanks,

    B

    Wednesday, February 26, 2014 5:46 PM
  • As far as I understand, you have the following environment:

    Server 1: SQL

    Server 2: FIM Synchronization Service

    Server 3: FIM Service+FIM Portal (and maybe SSRP)

    If so, I bet the problem here is connected with Kerberos. Why? Because you have a "double-hop" problem. If you install the whole FIM (and SQL) solution on one box, there is no such problem, but here you have it.

    To fix the problem, please check that you have the right SPNs configured and that delegation is configured as well.

    You should have the following SPNs:

    • HTTP/IDMPortal Company\FIMPortalWebAppServiceAccount
    • HTTP/IDMPortal.company.com Company\FIMPortalWebAppServiceAccount
    • FIMService/FIMService Company\FIMServiceAccount
    • FIMService/FIMService.company.com Company\FIMServiceAccount
    • MSSQLSvc/FIMSQL Company\SQLEngineServiceAccount
    • MSSQLSvc/FIMSQL.company.com Company\SQLEngineServiceAccount

    Once the SPNs are configured, you should open the DSA console and set delegation: allow FIMPortalWebAppServiceAccount to delegate credentials to FIMServiceAccount, and FIMServiceAccount to delegate them (credentials) to FIMServiceAccount (yes, to itself).

    You also have to configure FIM Portal site on IIS to enforce Kerberos.

    Please see references:


    Keep trying. If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Thursday, February 27, 2014 6:56 AM
  • Hi Dominik,

    Thanks for the response.  Testing the environment, Kerberos is working: when users are accessing the site I can see in the security logs that the user is authenticated correctly on the FIM Service server, but if the user is not a member of the local "Users" security group then they get prompted for credentials until it fails with the error

    "https://idmportal.company.com/_layouts/MSILM2/ErrorPage.aspx

    Unable to process your request"

    If they are a member of this group then they are authenticated seamlessly, Kerberos is therefore working as expected but some additional rights issue is at play. 

    Can you please confirm that on your environments that there are no user entries in the local "Users" security group on the FIM Service server and that users can still log on? 

    Thanks,

    B

    Thursday, February 27, 2014 10:08 AM
  • I have never added users to the "Users" security group on the FIMService server, so I can confirm there is no need to do so.

    When you reach this error, check the Event Viewer console. It would help a lot, as the error above says... nothing...


    Keep trying. If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Thursday, February 27, 2014 10:12 AM
  • I have never had to add users to this group either, but by default, once a server is joined to the domain, the Domain\Domain Users group is added to the "Users" security group.  In this environment this group has been removed.  I have never come across this before and cannot find anywhere that this group is required, but it is present in all other installations.

    If possible could you review any environment and just see if the Domain\Domain users group is present?

    Thanks,

    B

    Thursday, February 27, 2014 10:17 AM
  • That doesn't necessarily mean that delegation is working. You might be getting authenticated by the portal, but the portal may not be able to turn around and delegate those credentials to the FIM Service.

    I would recheck the trusted for delegation configuration. 

    Are you using CNAMEs for DNS Alias for your FIM Portal and Service?


    Thanks,

    Jameel Syed | Identity & Security Strategist | jameel.syed@credexo.com | Simplified Identity and Access Management

    Wednesday, March 5, 2014 8:28 AM
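The following is an added, read-only check (not from any poster in this thread) for the two things the replies above ask about: that each SPN Dominik lists is registered once and on the expected account, and that the constrained-delegation paths he describes (portal account to FIMService, and FIMServiceAccount to itself) actually exist, which is the point Jameel raises. It assumes the ActiveDirectory PowerShell module is installed and uses the placeholder account names from the thread.

```powershell
# Added example: verify SPN registration and constrained delegation for the
# three-server FIM layout described in the thread. Read-only; changes nothing.
Import-Module ActiveDirectory

# Expected SPN -> service account pairs, exactly as listed in the reply above.
$expected = @{
    'HTTP/IDMPortal'                    = 'FIMPortalWebAppServiceAccount'
    'HTTP/IDMPortal.company.com'        = 'FIMPortalWebAppServiceAccount'
    'FIMService/FIMService'             = 'FIMServiceAccount'
    'FIMService/FIMService.company.com' = 'FIMServiceAccount'
    'MSSQLSvc/FIMSQL'                   = 'SQLEngineServiceAccount'
    'MSSQLSvc/FIMSQL.company.com'       = 'SQLEngineServiceAccount'
}

# 1. Each SPN must exist on exactly one account, and on the account we expect.
#    A missing SPN breaks Kerberos for that hop; a duplicate SPN makes the KDC
#    unable to issue a ticket, so clients fall back to NTLM, which cannot double-hop.
foreach ($spn in $expected.Keys) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    switch ($holders.Count) {
        0 { Write-Warning "MISSING   $spn (expected on $($expected[$spn]))" }
        1 {
            $owner = $holders[0].sAMAccountName
            if ($owner -eq $expected[$spn]) { Write-Output "OK        $spn -> $owner" }
            else { Write-Warning "WRONG     $spn is on $owner, expected $($expected[$spn])" }
        }
        default { Write-Warning "DUPLICATE $spn on: $($holders.sAMAccountName -join ', ')" }
    }
}

# 2. Constrained delegation: msDS-AllowedToDelegateTo on the delegating account must
#    list the target SPNs. Portal -> FIMService, and FIMServiceAccount -> itself.
$delegation = @{
    'FIMPortalWebAppServiceAccount' = @('FIMService/FIMService', 'FIMService/FIMService.company.com')
    'FIMServiceAccount'             = @('FIMService/FIMService', 'FIMService/FIMService.company.com')
}
foreach ($acct in $delegation.Keys) {
    $u = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
    if ($u.TrustedForDelegation) {
        Write-Warning "UNCONSTRAINED $acct is trusted for delegation to any service; prefer constrained"
    }
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    foreach ($target in $delegation[$acct]) {
        if ($allowed -contains $target) { Write-Output "OK        $acct may delegate to $target" }
        else { Write-Warning "NODELEG   $acct is not allowed to delegate to $target" }
    }
}
```

Run it as a domain user with read access to the service accounts; `setspn -X` gives an independent forest-wide duplicate-SPN check if the first loop reports anything unexpected.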