none
PAM Sample Portal Status code: 406. Error: Not Acceptable. RRS feed

  • Question

  • I installed MIM 2016 SP2 Server in privOnly mode, with PAM feature and have the following error when deploying the PAM Sample portal.

    Oops! Something went wrong. The ajax calls failed, please contact your administrator.
    Status code: 406.
    Error: Not Acceptable

    When testing with http://mydomain.local:port/api/pamresources/pamroles I got the following error :

    406 - Client browser does not accept the MIME type of the requested page.


    So if I understand the error, it seems that the server is sending some information that the browser cannot parse, which is strange since I took the the exact files in the src folder in github .

    Can someone help to resolve this issue ?


    Thanks in advance.

    Wednesday, January 8, 2020 2:26 PM

Answers

  • The issue was related to SPNs, There should be SPNs for both sites in IIS (PAM User Portal + PAM API). 

    So Marking this as answered.
    Monday, May 4, 2020 4:59 PM

All replies

  • Still struggling with issue and have new findings :

    I took a wireshark trace, and found that the request fails after an HTTP POST to  /ResourceManagementService/Enumeration

    URI : http://localhost:5725/ResourceManagementService/Enumeration


    With 500 Internal Server Error. The 406 error was shown because the browser wasn't able to parse the 500 error message content. 


    Did someone have this issue before ?
    More info :

    Auth protocol is Kerbers and delegation is set to Sharepoint account, SPNs are also created for the all the URLs used.



    Thursday, January 23, 2020 8:58 AM
  • Hello,

    exactly the same issue... Set Content-Type to application/json on IIS, still not working...

    Already install this on 2012 R2 platform and it worked, now i try to run it on Windows 2019, and have this issue...

    Regards

    Thursday, January 23, 2020 10:52 AM
  • @Az_The IT Guy, I've seen this issue before when the user you are signed in with doesn't exist in the MIM Service database.

    Cheers,

    Tom Houston, UK Identity Management Practice

    Tuesday, February 4, 2020 7:44 AM
  • @Tom Houston, Thanks for your reply. In fact that's what I discovered recently, however, it's looking for My AppPool Account in the MIM service database, instead of the real user who authenticated from the portal. 

    In my understanding, the AppPool account should be transparent, and doesn't need to be in the MIM database. am I doing something wrong in IIS configuration ?  

    Cheers,




    Tuesday, February 4, 2020 10:04 AM
  • @Az_The IT Guy, the PAM API app pool account shouldn't be in the MIM Service database, but you need to make sure it can impersonate you when authenticating to your bastion AD. Make sure the msDS-AllowedToDelegateTo attribute has entries for all of your bastion DCs:

    ldap/bastiondc1.priv.contoso.local
    ldap/bastiondc1

    ...and your MIM Service of course:

    fimservice/mimservice.priv.contoso.local
    fimservice/mimservice

    Cheers,


    Tom Houston, UK Identity Management Practice

    Tuesday, February 4, 2020 10:15 AM
  • @Tom Houston,  Knowing that my setup environment is PrivOnly. Should I add the SPN for the DC in this case ?

    ldap/bastiondc1.priv.contoso.local
    ldap/bastiondc1

    If yes, I beleive the bastiondc, will be the corpdc in my case ?
    For the FIMService, I added the following :

    fimservice/MIMserver.contoso.local
    fimservice/MIMServer

    Thanks.

    Cheers,

    Tuesday, February 4, 2020 10:36 AM
  • @Az_The IT Guy, as far as I know, deploying MIM PAM in anything other than a dedicated bastion forest, is not supported. I'd recommend checking this with your Microsoft representative before proceeding further.

    Cheers,

    Tom Houston, UK Identity Management Practice

    Tuesday, February 4, 2020 11:05 AM
  • Actually, the whole setup is working with Powershell cmdlets (I can add users, Assign roles, Approve them ...), the only issue is the 406 error when using the reset API.  Thanks :)

    Cheers,
    Tuesday, February 4, 2020 11:38 AM
  • The issue was related to SPNs, There should be SPNs for both sites in IIS (PAM User Portal + PAM API). 

    So Marking this as answered.
    Monday, May 4, 2020 4:59 PM