Is it possible to "discover" the FIM service?

  • Question

  • Note:  I am not a FIM (or Sharepoint) administrator and only have a passing understanding of how the server(s) structure fits together. 

    I am writing some PowerShell scripts that utilize the FIMAutomation plugins and speed up some functions over using the FIM portal.  They were working fine in the development domain, but the portal URL and the FIM service URI were very similar (drop to http and add the port).

    Now that we have FIM in production, I get a "Unable to connect to the remote server" error in my script and nothing works.  I am assuming that the FIM service for the production setup is not on the same server as the FIM portal/Sharepoint server, or that the port has been changed from the default.  Unfortunately, I am also not getting any answers from the folks running the show about where the FIM service is and/or even if they have blocked access from outside of the FIM portal.  I assume that is because they are too busy to bother with my silly questions.

    Can some kind person here tell me if there is some means to discover where the FIM service is?  My understanding (from other posts here) is that the FIM portal/SharePoint knows where to find the FIM Service via the "resourceManagementClient" section of the web.config file.  Is that a file that a regular user can read?  If so, how do I find it?

    Please don't assume I am asking for malicious reasons.  Obviously, if I can't manage to find the service, I'm not competent enough to try to hack anything.  :)

    Thanks.

    Monday, April 29, 2013 4:51 PM

Answers

  • Hello,

    The Microsoft.ResourceManagement.Service.exe.config file is located by default in: ..\Program Files\Microsoft Forefront Identity Manager\2010\Service.

    If your FIM guys did set up a DNS alias for the fimservice (for use of Kerberos) you could try pinging fimservice.yourdomain. If you are very lucky you'd get a response :P

    Do you have access to the FIM server at all, e.g. RDP?


    Regards, Remi www.iamblogg.com

    Monday, April 29, 2013 7:01 PM
  • There is no autodiscovery service for the FIM Service; some ways to find it include, as Remi indicated, checking the .config file on the box that hosts the FIM Service.  Another way, if things are set up properly, is to LDAP-search Active Directory for "(&(servicePrincipalName=FIMService/*))" which will show you the hostname only.  Finally, if you have administrative access to the FIM Synchronization Service, you could check the FIM MA's setup.

    It would be very unusual for someone to change the FIM Service's port.  Less unusual would be firewall rules, although these are of only limited usefulness if one intends to use rich client SSPR.


    Steve Kradel, Zetetic LLC

    Monday, April 29, 2013 8:02 PM

All replies

  • Thanks for the suggestions.

    As far as I know, I don't have access to any of the servers via RDP or SMB, so I can't see the file (except by some means I'm not aware of). 

    Running the LDAP query returns only a generic user account established for the service, but no computers match.  I can see the machine hosting the FIM portal in AD, but I still don't know how to identify the one with the service.

    When I run nmap against the server subnet for port 5725, a lot of systems are listed as filtered, including the FIM portal machine.  The rest (except for the development systems) are closed.  Maybe they just have a firewall on it.

    I guess I am out of luck for now.

    Tuesday, April 30, 2013 6:55 PM
  • The servicePrincipalName is probably your best bet; i.e., if the SPN you found is FIMService/somehost.domain.local, http://somehost.domain.local:5725 is almost certainly the location of the FIM Service.  Beyond that, poking around with nmap is *not* a good way to make friends with the network admins... find the group that runs FIM and work with them directly.

    Steve Kradel, Zetetic LLC

    Tuesday, April 30, 2013 7:16 PM
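The SPN-based lookup that Steve recommends, written out as an added PowerShell example (not code from the thread). It searches Active Directory for `FIMService/*` SPNs, parses the host from the SPN value itself (the asker saw the SPN on a service account rather than a computer object, so the object class cannot be relied on), assumes the default port 5725 and the default `/ResourceManagementService` endpoint path, and checks TCP reachability with a short timeout so a firewalled host does not hang the script. Function names and the optional `$SearchBase` parameter are this example's own.

```powershell
# Added example: derive the FIM Service URI from the FIMService/<host> SPN in AD.
function Get-FimServiceUri {
    param(
        [int]$Port = 5725,           # assumed default FIM Service port
        [string]$SearchBase          # optional, e.g. 'LDAP://DC=corp,DC=example,DC=com'
    )
    # [ADSI]'' binds to the current domain's default naming context.
    $root = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(servicePrincipalName=FIMService/*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        # The holder (often a service account) may carry unrelated SPNs too;
        # keep only FIMService/<host>[:port] entries.
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            if ($spn -match '^FIMService/([^:/]+)(?::(\d+))?$') {
                $fimHost = $Matches[1]
                $fimPort = if ($Matches[2]) { [int]$Matches[2] } else { $Port }
                [pscustomobject]@{
                    Host      = $fimHost
                    Port      = $fimPort
                    Uri       = "http://${fimHost}:${fimPort}/ResourceManagementService"
                    SpnHolder = [string]$result.Properties['distinguishedname'][0]
                }
            }
        }
    }
}

function Test-FimServicePort {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 5725)
    # Plain TCP connect with a 3 s timeout; a filtered port returns $false instead of hanging.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Usage: list each candidate endpoint with its reachability, then pass a reachable
# Uri to the FIMAutomation cmdlets' -Uri parameter.
Get-FimServiceUri | Select-Object *, @{ n = 'Reachable'; e = { Test-FimServicePort $_.Host $_.Port } }
```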