The purpose of this document is to guide you through troubleshooting process of the infamous "Service Is Not Available" message that you or one of your end-users may receive when attempting to browse the FIM Portal.
The "Service Is Not Available" message can be very frustrating in that it doesn't provide much to go on as to where the problem lies. This article will provide troubleshooting information to help troubleshoot the "Service Is Not Available" message.
Understanding your FIM Topology is very important when attempting to troubleshoot the "Service Is Not Available" error message. The reason for this is the Kerberos settings that may or may not be required, or set differently depending on how you have deployed your FIM Solution.
Is your FIM Solution deployed on a single server, or distributed across multiple machines?
If the FIM Service is not started, you will receive the "Service Is Not Available" error message. You can check to see if the FIM Service is started through the following steps:
For a DNS CNAME or DNS Host (A) record, the configuration files should have the CNAME or HOST (A) record information.
see ( FIM Installation Companion - ServicePrincipleNames (SPNs) - Adding and Troubleshooting )
Depending on the type of load balancer or the way the load balancer works, there are many reasons why the access to the portal fails.
In some cases, the FIM portal server may receive and interprete the request incorrectly (remember you can setup FIM/MIM to handle internal/external requests differently).
Some hints and tips for troubleshooting include
( FIM Installation Companion - ServicePrincipleNames (SPNs) - Adding and Troubleshooting )
By running through the steps here, indicates that the FIM Administrator is able to access the FIM Portal from the FIM Portal Server, and a client machine. If this is not true, then it is recommended to start your troubleshooting with the FIM Administrator rather than a FIM User.
FIM Portal access utilizes kerberos to access the page.
One good tool that you can utilize to troubleshoot these type of issues is Network Monitor. Utilizing Network Monitor you can use a protocol type filter on KerberosV5. If you have an invalid SPN, you should see something like KDC_ERR_S_PRINCIPAL_UNKNOWN which is a response to a Kerberos request for a specific SPN. If you review the associated Kerberos request, you should see the SPN that is being requested.
To test access to the FIM Web Service, navigate to http:// <Name of Machine Running the FIM Web Service>:5725
( e.g. http://myfimservicemachine:5725/ )
If you cannot reach the FIM Web Service, consider checking the following:
If the above two options turn out to be true, and you still cannot access the FIM Web Service, you may consider doing a network trace ( Network Monitor 3.4 or WireShark ) to see if there is something on the network generating the issue.