Hi, I'm trying to set up a test lab for FIM 2010 R2 SP1. The following will be my Windows Server 2008 R2 SP1 VMs:
1. FIMDC --- server for the domain controller
2. FIMPORTAL --- server for the FIM Portal with the FIM Service
3. FIMSYNC --- server for the FIM Sync Service
4. FIMSSPR --- server for the FIM self-service portals
5. FIMEX --- server for Exchange 2010
6. FIMDB --- server for the FIM Sync and FIM Service databases
The service accounts are as follows:
1. fimportaladmin for the FIM Portal in SharePoint Foundation 2010
2. fimserviceadmin for the FIM Service
3. fimdbadmin for the SQL services
4. fimsyncadmin for the FIM Synchronization Service
I have configured the following SPNs and delegation, but I can't even get the Identity Management Portal to display itself.
Setspn.exe -S HTTP/FIMPORTAL testlab\fimportaladmin
Setspn.exe -S HTTP/fimportal.testlab.com testlab\fimportaladmin
Setspn.exe -S FIMService/fimportal testlab\fimserviceadmin
Setspn.exe -S FIMService/fimportal.testlab.com testlab\fimserviceadmin
Setspn -S MSSQLsvc/fimdb.testlab.com:1433 testlab\fimdbadmin
Setspn -S MSSQLsvc/fimdb:1433 testlab\fimdbadmin
I have delegated the SharePoint (fimportaladmin) account to the FIM Service (fimserviceadmin), and fimserviceadmin to fimservice.
I have set the SharePoint app pool to run as the service account (fimportaladmin) and configured machine.config with useAppPoolCredentials set to true.
I disabled the custom error module in the portal, and it seems the security token is not properly created.
I checked with the kerbtray tool and no Kerberos tickets were generated.
Could you please point me in the right direction, since I am unable to view the portal itself?
I'm not sure of the SPNs I have configured.
Also, is there anything wrong in the chosen setup, like one more server for the FIM Service?
Hi there Dhayanandh and thanks for posting on the FIM forum.
Your SPN configuration doesn't look quite right for the FIM Service component. You need to make sure that the following is covered off.
1. You've created an A record in DNS for the FIM Service, e.g. fimservice.testlab.com.
2. You've configured an SPN, e.g. setspn -s FIMService/fimservice.testlab.com testlab\fimserviceadmin.
3. You've configured Kerberos delegation correctly on the testlab\fimserviceadmin service account in AD DS.
4. When installing FIM Service, ensure you enter fimservice.testlab.com in the FIM Server Service address.
Give this a go Dhayanandh, and post back here if you can't get it up and running.
Tom Houston, HP Contingent Staff
Your SPNs look fine as is, assuming that "FIMPORTAL" is the name of your FIM Portal and FIM Service server, which is what you've indicated. I don't see anything wrong there.
As Tom mentioned, you should ensure that the DNS record for "FIMPORTAL" is defined as an A (host) record. If that's the server name, that should be the case.
Along with setting "useAppPoolCredentials" to true, you should also be setting "useKernelMode" to true as well.
I would recommend rebooting the FIMPORTAL server as well. In the past, I've found that restarting the FIM/SharePoint services is insufficient to properly apply the delegation.
One other test is to verify whether you can open the Portal from its host server, as well as from other servers.
Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
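Added check script, not part of this thread and not a FIM or Microsoft tool: it queries AD through ADSI for each SPN discussed above, reports missing, duplicate or misplaced registrations, and then confirms that the SharePoint app-pool account is allowed to delegate to the FIM Service SPN (Tom's step 3 and the delegation Marc refers to). The testlab names and the FIMService/fimservice.testlab.com SPN from Tom's step 2 are assumed; edit the table to match your own layout and run it on a domain-joined box with read access to AD.

```powershell
# Expected SPN -> service account mapping (assumed from the thread; adjust as needed).
$expected = @{
    'HTTP/FIMPORTAL'                    = 'fimportaladmin'
    'HTTP/fimportal.testlab.com'        = 'fimportaladmin'
    'FIMService/fimservice.testlab.com' = 'fimserviceadmin'   # Tom's suggested SPN
    'MSSQLSvc/fimdb.testlab.com:1433'   = 'fimdbadmin'
    'MSSQLSvc/fimdb:1433'               = 'fimdbadmin'
}

# Return the sAMAccountName of every AD object that carries the given SPN.
# servicePrincipalName matching in AD is case-insensitive, so 'HTTP/fimportal'
# and 'http/FIMPORTAL' are the same registration.
function Find-SpnOwners {
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

foreach ($spn in $expected.Keys) {
    $owners = @(Find-SpnOwners -Spn $spn)
    switch ($owners.Count) {
        0 { Write-Warning "$spn is not registered on any account" }
        1 {
            if ($owners[0] -ieq $expected[$spn]) { Write-Host "OK   $spn -> $($owners[0])" }
            else { Write-Warning "$spn is on $($owners[0]), expected $($expected[$spn])" }
        }
        # Two objects holding the same SPN is the classic cause of "no Kerberos
        # ticket issued": the KDC cannot pick a key, so clients fall back to NTLM.
        default { Write-Warning "$spn is DUPLICATED on: $($owners -join ', ')" }
    }
}

# Constrained delegation: the SharePoint app-pool account must list the FIM
# Service SPN in msDS-AllowedToDelegateTo, otherwise the portal cannot call
# the FIM Service as the logged-on user and the security token is never built.
$spAccount   = ([adsisearcher]'(sAMAccountName=fimportaladmin)').FindOne()
$allowedSpns = @($spAccount.Properties['msds-allowedtodelegateto'])
$fimSvcSpn   = 'FIMService/fimservice.testlab.com'   # assumed, see table above
if ($allowedSpns -contains $fimSvcSpn) {
    Write-Host "OK   fimportaladmin may delegate to $fimSvcSpn"
} else {
    Write-Warning "fimportaladmin is NOT allowed to delegate to $fimSvcSpn (has: $($allowedSpns -join ', '))"
}
```

If the account uses unconstrained delegation instead, msDS-AllowedToDelegateTo is empty and the TRUSTED_FOR_DELEGATION bit in userAccountControl is what to inspect; the script flags that case as a warning rather than a pass.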