FIM Service Disappears and Kerberos question

  • Question

  • Hello All,

    First a little bit about the FIM topology and SPNs I've set up and then on to the problem(s) I'm having.  

    FIM1 - SharePoint, FIM Service and Portal, Password Reset/Password Registration Portals

    FIM2 - Synchronization Service

    SQL1 - Contains FimService and Synch Service database

    ExchangeServer - Hosting the Exchange stuff.  

    SPNs have been configured for:

    http/fim1 domain\sharepointservice and the FQDN

    FimService/fim1 domain\FimService and the FQDN

    http/passwordreset.domain.org and passwordregistration.domain.org domain\FIM1$ 

    the MSSQLsvc already has an SPN configured for SQL1

    Problem 1:

    I get everything installed and can access http:\\fim1\identitymanagement (FIM Portal) for a little while.  After a period of time the page becomes unresponsive and I get an error message that the web page cannot be found.  I check the FIM Service in services.msc and the FimService is no longer there.  I uninstalled the FimService and reinstalled it, and again everything was functioning normally.  The page again becomes unresponsive and I check services.msc and this time I see the FimService is running and set to automatic.  I decide to bounce the service anyway to see if this will resolve the issue and it disappears before my very eyes.  Last I checked David Copperfield isn't standing behind me with a top hat and wand...  so what gives?

    Problem 2:

    I'm having a hard time finding consistent information on Kerberos Authentication set up for the password registration and reset portal app pool being installed on the same server as the FIM Service.  Based on what I read in the "Before you Begin guide"...

    1. Repeat the above step for each of the FIM Password portals, using setspn.exe -S HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>, where <ssprPortalHostHeaderName> is the binding information for the FIM Password portal Host Name that was entered during setup. This is the name that will be used by clients to contact the portals.

    I set up my aforementioned SPNs accordingly. It asks me if I'm installing the registration portals on a different server from the FIM service and if so, check the boxes, and specify the FIMPassword account.  I don't check these boxes and move forward with the install.  I get to the registration and reset portal installation section and it asks me for an account name. Am I supposed to be using FIM1$ computer account as I specified in the SPN?  If so, what is the password I am supposed to provide?  Should all Kernel Mode settings remain enabled after this?  Also, on previous installs, if I set up NetworkService as the app pool identity I've noticed that it at least lets me access the portals, however I get a generic message that the user account password cannot be reset.  

    Can anyone tell me if I'm supposed to be using the machine account password for the SSPR and SSRP app pool account during set up?  

    Sorry for the long-winded question, but I've been failing at installing/configuring FIM for the better part of a month and just cannot get this thing to cooperate.  

    Many thanks for any help you can provide.

    Mike


    Friday, July 11, 2014 9:17 PM
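
    The SPN layout described in the question can be audited before installing the portals, since an SPN that is missing, registered on the wrong account, or registered on more than one account breaks Kerberos for that service. This is an added example, not part of the original post or of the FIM documentation; it assumes the RSAT ActiveDirectory module is available, and `fim1.domain.org` is an assumed FQDN (the post only says "and the FQDN").

```powershell
# Added example: check that each SPN from the post is registered exactly once,
# and on the account the post names. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

# SPN -> expected sAMAccountName, taken from the post.
# 'fim1.domain.org' is an assumed placeholder for the unspecified FQDN.
$expected = [ordered]@{
    'http/fim1'                            = 'sharepointservice'
    'http/fim1.domain.org'                 = 'sharepointservice'
    'FimService/fim1'                      = 'FimService'
    'FimService/fim1.domain.org'           = 'FimService'
    'http/passwordreset.domain.org'        = 'FIM1$'
    'http/passwordregistration.domain.org' = 'FIM1$'
}

function Test-SpnOwner {
    param([string]$Spn, [string]$ExpectedAccount)

    # SPN matching in AD is case-insensitive, so HTTP/x and http/x are the same SPN.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)

    $status = if ($owners.Count -eq 0) { 'MISSING' }
              elseif ($owners.Count -gt 1) { 'DUPLICATE' }
              elseif ($owners[0].sAMAccountName -ne $ExpectedAccount) { 'WRONG-ACCOUNT' }
              else { 'OK' }

    [pscustomobject]@{
        SPN      = $Spn
        Expected = $ExpectedAccount
        Found    = ($owners.sAMAccountName -join ', ')
        Status   = $status
    }
}

$report = foreach ($entry in $expected.GetEnumerator()) {
    Test-SpnOwner -Spn $entry.Key -ExpectedAccount $entry.Value
}
$report | Format-Table -AutoSize
```

    Get-ADObject searches only the current domain by default; `setspn -X` performs a duplicate check as well.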

All replies

  • Hey Mike, I have never seen the FIM Service just disappear from a server.  Is there some sort of policy or anti-virus that is running that might be the culprit? As far as the SPNs, I suggest that you get a copy of David Lundell's book, it walks you through the SPNs, FIM config, etc.  It is very good and I use it for reference when I have questions.  Try Ken's book as well.

    Scott


    If this post has been useful please click the green arrow to the left or click Propose as answer

    Monday, July 14, 2014 3:50 PM