FIM 2010 R2 SP1 and SSPR registration Kerberos authentication

  • Question

  • Hi,

    Some background:

    We were running on FIM 2010 R2 with all the components running including SSPR from multiple clients excluding Windows 8.  Because FIM 2010 R2 SP1 provided support for Win 8 and some other fixes we upgraded the environment.  The solution runs on three servers as follows:

    Server1 - FIM Sync and Sync DB

    Server2 - FIM service DB

    Server3 - FIM portal,  Password registration portal and reset portal

    Operating system is Windows Server 2008 R2, SQL Server 2008 R2 and SharePoint Foundation 2010.

    I used a separate application pool account for the FIM portal and SSPR portals.

    Kerberos authentication was configured.

    After upgrading to FIM 2010 R2 SP1, the FIM portal worked after I had disabled the certificate validation check.  The SSPR password registration portal failed for everybody.  It was prompting for user name and password and failed anyway - even after providing correct credentials.  I tracked it down to a problem with Kerberos authentication and more specifically found that if Kernel-mode authentication was enabled the authentication failed (even having the SPNs on the proper account).

    The only way to solve this was to disable Kernel-mode authentication and move the SPNs to the application pool account.

    My questions are: is this supposed to be like this, and did anybody else experience the same issue?


    Johan Marais


    Wednesday, March 20, 2013 9:22 AM

All replies

  • If the password registration and reset portals are hosted on a single server, you just need to set the SPN on the IIS machine account

    command > Setspn -S  HTTP/"" "yourdomain"\"MachineName"$

    If you have a farm environment, you can bypass this by editing the applicationHost.config file:

     <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">


    Sudhish Kumar

    Wednesday, March 20, 2013 12:59 PM
  • Sudhish,

    Thanks for the reply, this is exactly how it was configured and working before upgrading to FIM 2010 R2 SP1.  But after the upgrade it stopped working and I found that I had to disable Kernel mode in IIS for the SSPR registration site to work again.




    Tuesday, March 26, 2013 8:38 AM
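
The thread turns on which account must hold the HTTP SPN for a given combination of `useKernelMode` and `useAppPoolCredentials`. The following is an added example, not part of the original posts, that audits that relationship using the general IIS rule. It assumes the application pools run as domain accounts; the config fragment, site names and account names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; site names are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <location path="SSPR Registration"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false" />
  </authentication></security></system.webServer></location>
  <location path="SSPR Reset"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
  </authentication></security></system.webServer></location>
  <location path="FIM Portal"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""
# Constructed inventory: site -> (domain app pool account, account holding the HTTP SPN).
SAMPLE_SITES = {
    "SSPR Registration": ("CONTOSO\\svc-sspr", "CONTOSO\\svc-sspr"),
    "SSPR Reset": ("CONTOSO\\svc-sspr", "CONTOSO\\svc-sspr"),
    "FIM Portal": ("CONTOSO\\svc-fimportal", "CONTOSO\\svc-fimportal"),
}
MACHINE = "CONTOSO\\SERVER3$"  # constructed machine account name

def flag(elem, name, default):
    """Read a boolean attribute, falling back to the IIS schema default."""
    return elem.get(name, default).lower() == "true"

def expected_spn_holder(elem, pool_account, machine_account):
    """Account whose key must decrypt the Kerberos service ticket for this site."""
    kernel = flag(elem, "useKernelMode", "true")
    pool_creds = flag(elem, "useAppPoolCredentials", "false")
    # Kernel mode (http.sys) uses the machine key unless told to use the pool's.
    return machine_account if kernel and not pool_creds else pool_account

def audit(config_xml, sites, machine_account):
    """Return {site: (expected_holder, actual_holder, matches)}."""
    results = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = loc.find(".//windowsAuthentication")
        site = loc.get("path")
        if auth is None or site not in sites or not flag(auth, "enabled", "false"):
            continue
        pool, actual = sites[site]
        expected = expected_spn_holder(auth, pool, machine_account)
        results[site] = (expected, actual, expected.lower() == actual.lower())
    return results

if __name__ == "__main__":
    for site, (exp, act, ok) in audit(SAMPLE_CONFIG, SAMPLE_SITES, MACHINE).items():
        print(f"{site}: SPN expected on {exp}, found on {act} -> {'OK' if ok else 'MISMATCH'}")
```

In the constructed data, the third site is flagged because kernel mode is left at its default (on) without `useAppPoolCredentials`, while the SPN sits on the application pool account.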