MIM PAM Demo App only working locally

    Question

  • I try to evaluate MIM PAM.
    Everything works as expected so far except for the MIM PAM Management Portal Demo Application where users can manage their roles.
    It only works when logged on locally at the PAM Server. When logged on to a different machine (in the RED forest or in the CORP forest) I can see a 401 error in the IIS log of the REST API Web Site. At the client I get a logon window when clicking one of the options: "Activate", "View History" or "Approvals".
    One difference in the IIS logs I can see is that all successful requests have IPv6 link-local addresses for client and server, while all lines with errors have IPv4 addresses. The bindings in IIS are "*:<port>" for both Web Sites and the redirect works, as I see requests in the logs of both virtual servers.

    Any help is appreciated.
    Henry


    • Edited by henryschl Sunday, November 27, 2016 5:28 PM
    Sunday, November 27, 2016 5:00 PM

Answers

  • henryschl

    I think you're running into an issue where added code is trying to use the directory services API. Try to add the ldp of the domain controllers to the SharePoint app account if using constrained delegation

    • Marked as answer by henryschl Monday, November 28, 2016 4:38 PM
    Monday, November 28, 2016 12:43 PM
    Moderator
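    As an added example (not from the thread or the MIM sample app): a read-only PowerShell check, run on the PAM server, of the two things David's answer points at, the IIS Windows authentication settings of the REST API site and the Kerberos delegation configuration of its app pool account. The site name, app pool account and host name are placeholders, and the script assumes "ldp" in the answer refers to the domain controllers' ldap service.

```powershell
# Added example, not from the thread or the MIM sample: read-only checks on the
# IIS authentication settings of the REST API site and on the Kerberos
# constrained-delegation list of its app pool account.
# $siteName, $appPoolAccount and $siteHost are placeholders (assumptions).
Import-Module WebAdministration
Import-Module ActiveDirectory

$siteName       = 'PAMRestAPI'                    # placeholder: REST API site name in IIS
$appPoolAccount = 'svcPamRestApi'                 # placeholder: sAMAccountName of the app pool identity
$siteHost       = 'pamserver.priv.contoso.local'  # placeholder: host name the clients connect to

$psPath     = "IIS:\Sites\$siteName"
$winFilter  = 'system.webServer/security/authentication/windowsAuthentication'
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

# Remote clients get a 401 when Windows auth is off or when the Kerberos ticket
# cannot be decrypted because the site runs under a domain account without
# useAppPoolCredentials; local logons often succeed anyway via NTLM/loopback.
$winEnabled  = (Get-WebConfigurationProperty -PSPath $psPath -Filter $winFilter  -Name enabled).Value
$anonEnabled = (Get-WebConfigurationProperty -PSPath $psPath -Filter $anonFilter -Name enabled).Value
$useAppPool  = (Get-WebConfigurationProperty -PSPath $psPath -Filter $winFilter  -Name useAppPoolCredentials).Value
$providers   = (Get-WebConfiguration -PSPath $psPath -Filter "$winFilter/providers/add").value

"Windows auth enabled      : $winEnabled   (expected: True)"
"Anonymous auth enabled    : $anonEnabled  (expected: False)"
"useAppPoolCredentials     : $useAppPool   (needed when the app pool runs as a domain account)"
"Providers                 : $($providers -join ', ')  (Negotiate should be listed before NTLM)"

# Kerberos side: the app pool account needs an HTTP SPN for the host name the
# clients use; without it the client falls back to NTLM and the second hop
# (the site talking to AD / the MIM service on the user's behalf) fails.
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
$acct  = Get-ADUser -Identity $appPoolAccount -Properties $props
"HTTP/$siteHost SPN present: $($acct.servicePrincipalName -contains "HTTP/$siteHost")"
"Unconstrained delegation  : $($acct.TrustedForDelegation)   (keep False; use constrained delegation)"
"Protocol transition       : $($acct.TrustedToAuthForDelegation)"

# The answer suggests adding the domain controllers' LDAP service to the
# constrained-delegation list. Assumption: 'ldp' in the answer means the ldap SPN.
$targets = @($acct.'msDS-AllowedToDelegateTo')
"Delegation targets        : $($targets -join ', ')"
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $covered = $targets | Where-Object { $_ -like "ldap/$dc*" }
    if (-not $covered) { "Missing delegation target : ldap/$dc" }
}
```

    Run it in an elevated PowerShell session on the PAM server; every line is a read, so nothing is changed until you decide to add a delegation target yourself.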

All replies

  • It's probably in the way you deployed IIS, as we have it working from everywhere
    Monday, November 28, 2016 12:08 AM
  • I really think the same way. So it would be helpful if we could compare IIS settings?

    I installed MIM PAM SP1 using the Scripts provided here:

    https://www.microsoft.com/en-us/download/details.aspx?id=53941

    I downloaded the sample app from here: https://github.com/Azure/identity-management-samples

    Unfortunately it says only a little about IIS configuration at this place:

    https://github.com/Microsoft/MIMDocs/blob/master/MIMDocs/pam/step-4-install-mim-components-on-pam-server.md

    The main difference at the first glance is that I did not install the MIM Portal as it is not included in the setup scripts provided for MIM PAM SP1. That also means I cannot enable the MPR "User management: Users can read attributes of their own"

    Can you provide your IIS configuration settings? At least details about AppPool Account, Authentication Settings for both Web Sites (REST API and PAM Demo).

    Thanks, Henry

    Monday, November 28, 2016 7:36 AM
  • Hello David,

    Your suggestion wasn't the exact solution, but you led me in the right direction. Thanks for your time and help.

    Henry

    Monday, November 28, 2016 4:37 PM
  • Hi,

    We used the following guide to deploy PAM: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam

    Perhaps you could use it to validate your deployment too?

    Tuesday, November 29, 2016 10:34 PM
  • Can you please elaborate. I am having the same issue and have spent half a day comparing IIS settings with no luck. It works fine on the machine where the site is installed but not from any other machine on the same network. Thanks.

    Hilalh

    Friday, January 13, 2017 10:47 PM