How to troubleshoot ErrorCode 3000

    Question

  • Hi,

    I have deployed a FIM-based solution to the testing environment and some users cannot access the portal.

    They get "Service not available" and the URL http://servername/_layouts/MSILM2/ErrorPage.aspx?ErrorCode=3000.

    Everything looks fine on the portal. The user accounts have been imported from AD.

    The users that cannot access the portal are on the list of users with all required attributes (display name, account, domain, sid).

    Nothing is logged in the event log, nothing in fimDiagnostics.svclog.

    DebugView also shows nothing.

    Best regards

        Rafal Grzybowski

    Thursday, January 10, 2013 9:19 AM

Answers

  • This is usually an issue of Kerberos not working because the SPNs are not configured correctly.

    Check out the following article on SPNs for FIM:

    http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx

    Or get a copy of my book or Kent's book. We each provide some solid chapters on this stuff.

    Is this a load-balanced scenario? What is the URL the users are using? Is that the name of the server or the alias name? What SPNs have you set up? Have you checked for duplicate SPNs?


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Wednesday, January 16, 2013 11:34 PM
  • Are you trying this from different machines, or does the same machine allow some users and not allow others?

    And the FIM Portal only works on Internet Explorer; it will not work on any other browser.

    Also, the users who log in to the portal should be domain users. This means they should have an Active Directory account, and the AccountName, DomainName and ObjectSID should be populated in the FIM Portal and should match exactly with Active Directory.

    Wednesday, January 23, 2013 1:02 PM

All replies

  • This is usually an issue of Kerberos not working because the SPNs are not configured correctly.

    Check out the following article on SPNs for FIM:

    http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx

    Or get a copy of my book or Kent's book. We each provide some solid chapters on this stuff.

    Is this a load-balanced scenario? What is the URL the users are using? Is that the name of the server or the alias name? What SPNs have you set up? Have you checked for duplicate SPNs?


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    The scenario is not load balanced. The URL accessed is simply http://hostname/IdentityManagement, no aliasing.

    The portal works for some users while for the others it doesn't.

    I really have no idea :(

    Best regards

    Tuesday, January 22, 2013 9:31 PM
  • This is what I can see in the IIS log when it doesn't work. 302 redirection when accessing /IdentityManagement/default.aspx

    2013-01-22 09:13:50 10.122.21.89 GET /IdentityManagement - 80 - 10.127147.150 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;...) 401 2 5 26

    2013-01-22 09:13:55 10.122.21.89 GET /IdentityManagement - 80 SOMEDOMAIN\johndoe 10.127.147.150 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;...) 200 0 0 4662

    2013-01-22 09:13:55 10.122.21.89 GET /IdentityManagement/default.aspx - 80 SOMEDOMAIN\johndoe 10.127.147.150 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;...) 302 0 64 529

    2013-01-22 09:13:55 10.122.21.89 GET /_layouts/MSILM2/ErrorPage.aspx ErrorCode=3000 80 SOMEDOMAIN\johndoe 10.127.147.150 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;...) 200 0 0 174


    • Edited by Rafał Grzybowski Tuesday, January 22, 2013 10:40 PM reduced browser info to increase readability
    Tuesday, January 22, 2013 10:38 PM
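
The log pattern in the post above (an anonymous 401.2, then authenticated requests ending in a redirect to ErrorPage.aspx?ErrorCode=3000) can be pulled out of an IIS log per client to list which accounts are affected. This is an added example, not code from the thread; it assumes the 14-field order visible in the posted lines, and the sample IPs and account names are constructed.

```python
from collections import defaultdict

# Field order as seen in the log lines posted above (assumption: the site logs
# exactly these 14 W3C fields; adjust to the #Fields: directive of a real log).
FIELDS = ("date time s_ip method uri_stem uri_query port username c_ip "
          "user_agent status substatus win32_status time_taken").split()

# Constructed sample modelled on the posted lines; IPs and accounts are made up.
UA = "Mozilla/4.0+(compatible;+MSIE+7.0)"
SAMPLE_LOG = rf"""#Software: constructed sample
2013-01-22 09:13:50 10.0.0.5 GET /IdentityManagement - 80 - 10.0.1.20 {UA} 401 2 5 26
2013-01-22 09:13:55 10.0.0.5 GET /IdentityManagement - 80 EXAMPLE\alice 10.0.1.20 {UA} 200 0 0 4662
2013-01-22 09:13:55 10.0.0.5 GET /IdentityManagement/default.aspx - 80 EXAMPLE\alice 10.0.1.20 {UA} 302 0 64 529
2013-01-22 09:13:55 10.0.0.5 GET /_layouts/MSILM2/ErrorPage.aspx ErrorCode=3000 80 EXAMPLE\alice 10.0.1.20 {UA} 200 0 0 174
2013-01-22 09:14:10 10.0.0.5 GET /IdentityManagement - 80 - 10.0.1.21 {UA} 401 2 5 20
2013-01-22 09:14:12 10.0.0.5 GET /IdentityManagement/default.aspx - 80 EXAMPLE\bob 10.0.1.21 {UA} 200 0 0 900
2013-01-22 09:15:00 10.0.0.5 GET /IdentityManagement - 80 - 10.0.1.22 {UA} 401 2 5 15
"""

def parse(log_text):
    """Yield one dict per request line, skipping '#' directives and malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if not line.startswith("#") and len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def triage(log_text):
    """Group requests per client IP and classify each client's portal outcome."""
    clients = defaultdict(lambda: {"users": set(), "statuses": [], "error_3000": False})
    for r in parse(log_text):
        c = clients[r["c_ip"]]
        if r["username"] != "-":          # "-" means IIS saw no authenticated identity
            c["users"].add(r["username"])
        c["statuses"].append(f'{r["status"]}.{r["substatus"]}')
        if (r["uri_stem"].lower().endswith("/errorpage.aspx")
                and "errorcode=3000" in r["uri_query"].lower()):
            c["error_3000"] = True
    report = {}
    for ip, c in clients.items():
        if c["error_3000"]:
            verdict = "error3000-after-auth" if c["users"] else "error3000-anonymous"
        else:
            verdict = "ok" if c["users"] else "never-authenticated"
        report[ip] = {"users": sorted(c["users"]), "statuses": c["statuses"],
                      "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["users"], " ".join(info["statuses"]))
```
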
  • Are you trying this from different machines, or does the same machine allow some users and not allow others?

    And the FIM Portal only works on Internet Explorer; it will not work on any other browser.

    Also, the users who log in to the portal should be domain users. This means they should have an Active Directory account, and the AccountName, DomainName and ObjectSID should be populated in the FIM Portal and should match exactly with Active Directory.

    Different machines, different users, all were imported to FIM with all required attributes.

    And the problem was: for some reason some users have disabled Windows Integrated Authentication...from time to time.

    We are still investigating why the setting has changed on some computers/accounts while for the others it is always on.

    Thank you.


    Wednesday, January 23, 2013 3:53 PM