Accessing FIM portal from a remote computer
I have a FIM deployment in a pre-production environment where I have 2 FIM Portals behind a load balancer. The portal works fine from any machine (i.e. outside of the FIM Servers). However, when I try to access it from a remote machine (which is on the production domain), I get a login prompt, but upon logging in using the pre-production credentials, I see a "Service not available" error. Any advice on how to make this work?

A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 5:02:6.0000 7/30/2012 Z
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: CORP.CONTOSO.COM
 Server Name: krbtgt/NT AUTHORITY
 Target Name: krbtgt/NT AUTHORITY@CORP.CONTOSO.COM
 Error Text:
 File: 9
 Line: f09
 Error Data is in record data.
August 16th, 2012 5:23pm

Your production machine probably can't get a Kerberos ticket for the pre-prod domain (probably not trusted). One option is to change the delegation settings to allow protocol transition from NTLM on the portal to Kerberos to the FIM Service.

Frank C. Drewes III - Architect - Oxford Computer Group
August 16th, 2012 6:05pm

Thanks Frank! I have already configured Kerberos following the article below: http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx

Are there any other trust settings or something else I need to check in AD?
August 17th, 2012 12:23am

What is the relationship between the environments? Different domain or perhaps different forest? If it's a different forest, is there a trust relationship between them?

Frank C. Drewes III - Architect - Oxford Computer Group
August 17th, 2012 1:14am

If a popup appears and you are using pre-prod credentials then I would think Frank's first suggestion is correct: configure the delegation to be able to occur "for any protocol" and not "Kerberos only". Also, if you followed the guide you might have to undo step 9, which only allows Kerberos authentication on the Portal side. If your client is authenticating using NTLM, because it can't get a Kerberos ticket for the specified credentials, this might be the culprit.

http://setspn.blogspot.com
August 17th, 2012 6:07am
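The setting the replies above refer to lives on the Active Directory account that performs the delegation (the FIM Portal / SharePoint application-pool identity): constrained delegation with "Use Kerberos only" versus "Use any authentication protocol" (protocol transition). The following PowerShell check is an added example, not something posted in this thread or taken from the TechNet wiki article; it reports which of those modes the account is in so you can confirm the change before and after. The account name is a placeholder, and it assumes the identity is a user account (for a computer account, swap Get-ADUser for Get-ADComputer); it needs the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example (not from the thread): report the delegation mode of the account that
# delegates from the FIM Portal to the FIM Service.
Import-Module ActiveDirectory

$DelegatingAccount = 'svc-fimportal'   # placeholder sAMAccountName of the app-pool identity

# userAccountControl flag bits (ADS_USER_FLAG values):
$UF_TRUSTED_FOR_DELEGATION         = 0x00080000  # unconstrained delegation ("any service")
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition

function Get-DelegationMode {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName

    $uac     = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo')   # SPNs the account may delegate to (FIM Service SPN expected here)

    # Later assignments override earlier ones, so the checks run from least to most permissive.
    $mode = 'None (account is not trusted for delegation)'
    if ($targets.Count -gt 0) {
        $mode = 'Constrained, Kerberos only'
    }
    if ($targets.Count -gt 0 -and ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        $mode = 'Constrained, any protocol (protocol transition)'
    }
    if ($uac -band $UF_TRUSTED_FOR_DELEGATION) {
        $mode = 'Unconstrained'
    }

    [pscustomobject]@{
        Account               = $u.SamAccountName
        DelegationMode        = $mode
        AllowedToDelegateTo   = $targets
        ServicePrincipalNames = @($u.servicePrincipalName)
    }
}

$report = Get-DelegationMode -SamAccountName $DelegatingAccount
$report | Format-List

# In "Kerberos only" mode a client that reached the portal with NTLM (because, as in this thread,
# it could not obtain a Kerberos ticket in this realm) cannot be delegated onward to the FIM Service.
if ($report.DelegationMode -eq 'Constrained, Kerberos only') {
    Write-Warning "Delegation is Kerberos-only; NTLM-authenticated portal users will not reach the FIM Service."
}
```

The thread's fix corresponds to the reported mode changing from "Constrained, Kerberos only" to "Constrained, any protocol": the list in AllowedToDelegateTo stays the same, only the protocol-transition bit is added. Prefer that over "Unconstrained", which lets the account delegate to any service.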

Ok, removing kerberos only restriction did the trick! Thanks Frank and Thomas!
August 17th, 2012 6:27am

Thanks for the additional notes Thomas. As simple as this all seems after you've been doing it a few years, I remember how unclear this all was at first. Not that it's difficult - just very few good articles, and most of them only explain 'what' and not 'why'. I refer people to your blog often. Lots of good stuff there.

Frank C. Drewes III - Architect - Oxford Computer Group
August 17th, 2012 10:56am
