Accessing FIM portal from a remote computer

  • Question

  • I have a FIM deployment in a pre-production environment where I have 2 FIM Portals behind a load balancer. The portal works fine from any machine (i.e. outside of the FIM Servers). However, when I try to access it from a remote machine (which is on the production domain), I get a login prompt, but upon logging in using the pre-production credentials, I see a "Service not available" error. Any advice on how to make this work?

    A Kerberos Error Message was received:
     on logon session
     Client Time:
     Server Time: 5:02:6.0000 7/30/2012 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: CORP.CONTOSO.COM
     Server Name: krbtgt/NT AUTHORITY
     Target Name: krbtgt/NT AUTHORITY@CORP.CONTOSO.COM
     Error Text:
     File: 9
     Line: f09
     Error Data is in record data.

    Thursday, August 16, 2012 9:19 PM

Answers

  • Your production machine probably can't get a kerberos ticket for the pre-prod domain (probably not trusted)

    One option is to change the delegation settings to allow protocol transition from NTLM on the portal to Kerberos to the FIM Service.


    Frank C. Drewes III - Architect - Oxford Computer Group

    Thursday, August 16, 2012 10:05 PM

All replies

  • Thanks Frank! I have already configured Kerberos following the article below:
    http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx

    Are there any other trust settings or something else I need to check in AD?

    Friday, August 17, 2012 4:19 AM
  • What is the relationship between the environments? Different domain or perhaps different forest? If it's a different forest, is there a trust relationship between them?


    Frank C. Drewes III - Architect - Oxford Computer Group

    Friday, August 17, 2012 5:10 AM
  • If a popup appears and you are using pre-prod credentials then I would think Frank's first suggestion is correct: configure the delegation to be able to occur "for any protocol" and not "Kerberos only".

    Also if you followed the guide you might have to undo step 9 which only allows Kerberos authentication on the Portal side. If your client is authenticating using NTLM, because it can't get a Kerberos ticket for the specified credentials, this might be the culprit.


    http://setspn.blogspot.com

    Friday, August 17, 2012 10:04 AM
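The delegation setting discussed in the replies above, as an added example that is not part of the thread: a PowerShell audit of the FIM Portal application pool account in AD, reporting whether it is unconstrained, whether protocol transition ("use any authentication protocol") is enabled, and which SPNs it may delegate to, and then enabling constrained delegation to the FIM Service with protocol transition only where the audit shows it is missing. The account name and FIM Service SPN are constructed placeholders; the portal-side "Kerberos only" setting from step 9 of the linked guide is a SharePoint setting and is not covered here.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and rights to read/modify the service account. Names are placeholders.
Import-Module ActiveDirectory

$PortalAppPoolAccount = 'svc-fimportal'                           # placeholder
$FimServiceSpn        = 'FIMService/fimservice.corp.contoso.com'  # placeholder

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties `
        'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
    [pscustomobject]@{
        Account             = $acct.SamAccountName
        # Unconstrained delegation: account may impersonate users to ANY service.
        Unconstrained       = [bool]$acct.TrustedForDelegation
        # Protocol transition: account may obtain Kerberos service tickets for users
        # who reached it over NTLM/forms (the "any protocol" option in the thread).
        ProtocolTransition  = [bool]$acct.TrustedToAuthForDelegation
        # Constrained target list: only these SPNs can be reached on a user's behalf.
        AllowedToDelegateTo = @($acct.'msDS-AllowedToDelegateTo')
    }
}

$state = Get-DelegationState -SamAccountName $PortalAppPoolAccount
$state | Format-List

if ($state.Unconstrained) {
    # Unconstrained delegation is far broader than the portal needs; prefer a target list.
    Write-Warning "$($state.Account) is trusted for unconstrained delegation."
}

# Add the FIM Service SPN to the constrained target list if it is not there yet.
if ($state.AllowedToDelegateTo -notcontains $FimServiceSpn) {
    Set-ADUser -Identity $PortalAppPoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $FimServiceSpn }
}

# Turn on protocol transition so NTLM-authenticated portal users can still be
# delegated to the FIM Service as Kerberos. This is a sensitive privilege:
# keep the target list short and monitor changes to this flag.
if (-not $state.ProtocolTransition) {
    Set-ADAccountControl -Identity $PortalAppPoolAccount -TrustedToAuthForDelegation $true
}
```

Re-run the audit function afterwards to confirm the account shows the FIM Service SPN and ProtocolTransition set to True, and nothing else.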
  • Ok, removing kerberos only restriction did the trick!

    Thanks Frank and Thomas!

    Friday, August 17, 2012 10:24 AM
  • Thanks for the additional notes Thomas.

    As simple as this all seems after you've been doing it a few years, I remember how unclear this all was at first. Not that it's difficult - just very few good articles and most of them only explain 'what' and not 'why'

    I refer people to your blog often. Lots of good stuff there.


    Frank C. Drewes III - Architect - Oxford Computer Group

    Friday, August 17, 2012 2:52 PM