Error configuring Alternate Access Mapping for FIM 2010 Portal
Hi, I'm trying to configure an alternate URL for the FIM Portal. Currently domain users can access it at the link https://IP_host/IdentityManagement. I would like them to be able to access it at the alternative link https://nome_host/IdentityManagement. So I added it to the Public URL for the Intranet zone in the following way. When users try to access it from the browser, they get the 401 Unauthorized message and Event Viewer on the server records this event: Event 8214 - Windows SharePoint Services 3 A request was made for a URL, https://nome_host.XYZ.net (intranet one), which has not been configured in Alternate Access Mappings. Some links may point to the Alternate Access URL for the default zone, https://nome_host (default one). Review the Alternate Access mappings for this Web application at http://localhost:13760/_admin/AlternateUrlCollections.aspx and consider adding https://nome_host.XYZ.net (intranet one) as a Public Alternate Access URL if it will be used frequently. Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854 Please, can you help me? Francesca
September 14th, 2012 6:58am

You should probably add the /IdentityManagement subsite to the URL, like https://home.xyz.net/identitymanagement ? Otherwise, they'll get to the default site, which they probably don't have permissions for. Also, make sure that Authenticated Users can get to the site (there was a tickmark during installation for this); if not you can go to Site Settings and add them there (can't remember the exact prescription for this). Regards, Soren Granfeldt blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt
September 14th, 2012 7:22am

Yes, authenticated users can access the Portal (from the https://IP_host/IdentityManagement site they can access their information).. I tried to add the /IdentityManagement subsite to the URL but I get the error "URL format is invalid". Any other suggestion?
September 14th, 2012 7:30am

I think you need to change the Default URL to be something different than localhost (the URL you'd like users to use). You can set localhost as a different type of address. As I seem to remember, SharePoint will redirect users to this URL and they'll have no chance to get at http://localhost when coming from a client. Also double-check your DNS entries. I'm no SharePoint admin so just "working" from memory here... Regards, Soren Granfeldt blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt
September 14th, 2012 7:38am

To configure the alternate access mappings, perform the following steps from the Central Administration tool.
1. Select SharePoint - 80 from the Alternate Access Mapping Collection drop-down in the top right of the page.
2. Click Edit Public URLs and modify the default value to that of your intended virtual host name, e.g. http://idmweb. Click Save.
3. Click Add Internal URL and then enter the FQDN for the virtual name. Leave the zone as Default. Click Save.
4. Repeat the previous step for any other valid names and also add the actual hostname as an internal URL too.
5. Execute IISRESET from an administrative command prompt and the configuration is complete.
Frank C. Drewes III - Architect - Oxford Computer Group
September 14th, 2012 8:45am

Frank, thank you very much. I did as you suggested (my intended virtual host name is the same as the FQDN resolved by DNS: https://host_name.XYZ.net).. now I have a direct mapping in the default zone between these URLs (internal https://host_name.XYZ.net and public https://host_name.XYZ.net). But when users try to access the Portal at https://host_name.XYZ.net/IdentityManagement they get the following error: Not Authorized HTTP Error 401. The requested resource requires user authentication. Otherwise, when they access the Portal at https://IP_host/IdentityManagement it works. Any other idea?
September 14th, 2012 9:34am

Hi, please look at the following link; it could solve your problem. Patrick. Patrick Layani
September 18th, 2012 6:08am

Thank you Patrick, but now I think the problem is somewhere else. Now anyone can access the Portal also from https://IP_host/IdentityManagement. When users try to access it, after they insert their credentials, they get the error "An unexpected error has occurred." I'm wondering if I configured it correctly. Or can I check some config file? In the Microsoft.resourcemanagement.service.exe.config I have:

<system.serviceModel>
  <services>
    <service name="Microsoft.ResourceManagement.WebServices.ResourceManagementService">
      <host><baseAddresses><add baseAddress="http://localhost:5725" /></baseAddresses></host>
    </service>
    <service name="Microsoft.ResourceManagement.WebServices.SecurityTokenService">
      <host><baseAddresses><add baseAddress="http://localhost:5726" /></baseAddresses></host>
    </service>
  </services>
</system.serviceModel>
<resourceManagementClient resourceManagementServiceBaseAddress="172.16.30.214" />
<resourceManagementService externalHostName="172.16.30.214" />

Should I change something in the FIM settings? In the web.config (in the WSS directory under inetpub) I have:

<resourceManagementClient resourceManagementServiceBaseAddress="http://172.16.30.214:5725" timeoutInMilliseconds="60000" />

Is it ok? If yes, can the problem be SPNs? I have a FIM Service service account and a SharePoint app pool domain account. I ran the following commands on the DC:

setspn -S FIMService/myserver.mydomain.dom mydomain\fimservice_serviceaccount
setspn -S HTTP/myserver.mydomain.dom mydomain\sharepointapp_pooldomainaccount

and turned on Kerberos delegation. Can you direct me in troubleshooting this problem?
September 22nd, 2012 5:33am

Hi, Francesca85. Please try to edit your Microsoft.resourcemanagement.service.exe.config file. Replace 172.16.30.214 with localhost. Then restart the FIM Service and IIS. If your SharePoint site is configured with the NTLM authentication provider you should be able to access your site without the 401 error.
September 22nd, 2012 6:04am

Where can I see if my SharePoint is configured with the NTLM authentication provider? So I can check it before making the change in the config file.
September 22nd, 2012 6:11am

According to SharePoint Central Administration - authentication provider.. my IIS authentication settings are "negotiate (kerberos)" and not NTLM. Any other idea?
September 22nd, 2012 6:19am

If your authentication provider is set to Kerberos, follow these instructions - http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b8fae069-218f-4dfd-bb66-54bcb63b0386 In brief, you have to create SPNs and set delegation in AD for Kerberos to work. After you finish configuring the SPNs, open IIS Manager on your portal server and check that your site (where FIM is located) is configured as follows: Authentication: Windows Authentication Enabled (others Disabled); Providers: Negotiate:Kerberos only; Authentication: Windows Authentication: Advanced Settings: "Enable Kernel-mode authentication" - disabled. When the instructions above are completed, restart the server. If the use of Kerberos is not essential to you, I recommend using NTLM. To do so, you have to change the authentication provider in SharePoint Central Administration to NTLM, then check IIS (providers - NTLM, advanced settings - "Enable Kernel-mode authentication" enabled).
September 22nd, 2012 8:57am

I created the SPNs before installing FIM. In particular I have 2 service accounts: fim.service (for the FIM Service) and fim.spapppool (for SharePoint). I registered the SPNs as follows: fim.service is registered with FIMService/host_name.mydomain.dom, fim.spapppool is registered with HTTP/host_name.mydomain.dom. Do I also have to register the accounts with the short host_name (fim.service with FIMService/host_name and fim.spapppool with HTTP/host_name)? Pavel, I followed your steps but now I cannot access the portal even from the portal server...
September 22nd, 2012 10:21am

If you don't plan to access the portal via short names you don't have to register them. After you created the SPNs for FIM Service and HTTP, did you set up the delegation in AD DS for the fim.service account for the created SPNs? For this to work you have to do some more: open this file - C:\Windows\System32\inetsrv\config\applicationHost.config, find the section "<system.webServer>". In this section find "<security>", then "<authentication>". Change "<windowsAuthentication enabled="false">" to "<windowsAuthentication enabled="true" useAppPoolCredentials="true">". Reboot the server. This parameter tells IIS to use the application pool's credentials instead of the server's account. The information above is applicable for Kerberos. Did you try to set NTLM?
September 22nd, 2012 11:51am

Yes, I set the delegation in AD DS for fim.service. Ok, I found the piece of config file you suggested; it is the same before and after the following change: Authentication: Windows Authentication Enabled (others Disabled); Providers: Negotiate:Kerberos only; Authentication: Windows Authentication: Advanced Settings: "Enable Kernel-mode authentication" - disabled. Here it is. So I have to change the <section name="windowsAuthentication" overrideModeDefault="Deny" /> to <section name="windowsAuthentication" enabled="true" useAppPoolCredentials="true"/> ? Why isn't there an "enabled = true or false" in my config file? And why are these steps not listed in the TechNet guide? I didn't try to set NTLM because I would like to implement Kerberos authentication.. please can you continue supporting me in troubleshooting? Francesca
September 22nd, 2012 2:39pm

Sorry, probably you meant here.. (the image is before the change in IIS Manager). Do I have to change the authentication advanced options and providers in IIS Manager and then add useAppPoolCredentials = TRUE?
September 22nd, 2012 2:57pm

Francesca85, don't change the config file in your web-site directory. useAppPoolCredentials can be defined only at the server level. Set the string <windowsAuthentication enabled="false"> in your last post to <windowsAuthentication enabled="true" useAppPoolCredentials="true">. This will only enable Windows integrated authentication at the server level, but it will enable the usage of application pool credentials. Restart the server after this change. For information, at the moment is the FIM server configured to use Kerberos, or have you changed the authentication provider to NTLM?
September 22nd, 2012 3:10pm

The FIM Portal is configured with authentication provider "Negotiate:Kerberos" and in advanced settings I disabled "Enable Kernel-mode authentication". Ok, I changed the applicationHost.config file as you suggested. Now the portal is reachable from the server but not from clients. If I use the link https://IP_host/IdentityManagement I get the error "an unexpected error has occurred"; if I use https://nome_host.mydomain.dom/IdentityManagement it asks me for credentials 3 times and then shows a white page (this time without the "unexpected" error) ..
September 22nd, 2012 4:44pm

In your web.config, your service base address has to match your SPN. If you registered FIMService/MyPortal.corp.local, you need to use http://MyPortal.corp.local:5725 in your web.config.
Your SharePoint identity needs two delegations: FIMService and HTTP.
Your FIM Service account needs one delegation: FIMService.
IIS needs UseAppPoolCredentials = true and kernel mode auth (true for WSS, false for 2010). Use this:

cd %systemroot%\system32\inetsrv
copy config\applicationHost.config config\applicationHost.config.bak
appcmd set config "SharePoint - 80" /section:windowsauthentication /useKernelMode:false /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

Windows authentication - Authentication providers:
1. Negotiate (not Negotiate:Kerberos)
2. NTLM
Frank C. Drewes III - Architect - Oxford Computer Group
September 22nd, 2012 5:04pm

Frank, I changed the base address in the web.config file according to the SPN registration (for the portal I use https://[..], in the file I left http://[..]). I cannot register an SPN for FIMService with fim.spapppool because of a duplicate (fim.service is already registered for FIMService). Did you mean this? I used your commands and checked the authentication providers for SharePoint - 80. Now I can access the portal from the server. The clients still get the "an unexpected error has occurred" using normal user accounts. With the FIM administrator account I can access the portal from a client by https://ip_host/identitymanagement (even before) and not https://host_name/identitymanagement. I'm really confused...
September 22nd, 2012 6:47pm

Correct - the FIMService URL should be http:// not https://. It's the delegation setting, not the SPN - like this (I registered the short and FQDN names - but that's not required - you may only have one URL per service). Frank C. Drewes III - Architect - Oxford Computer Group
September 22nd, 2012 7:26pm

Ok, now I cannot access the domain controller.. tomorrow I'll try. Do you think that this change can make the Portal work from clients (normal users)? Because until now I get the "an unexpected error has occurred" error when I try to access...
September 23rd, 2012 5:41am

Ok, done. But normal users with clients cannot access the portal. The error is the same: "an unexpected error has occurred".. Why? Users have all the minimum attributes set on the portal. The FIM administration account can access from clients.. what else can I try? PS: I get the same error if I connect to the portal from the server with a normal domain user. In the Event Viewer I can see all the steps to authenticate the user that tries to access the portal (from validating, authenticating to authorized and committed).. from source: Microsoft.ResourceManagement. In DCOM I get these errors from source DistributedCOM:
1) The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user mydomain\fim.spapppool SID (S-1-5-21-1028063728-624252461-2003979711-26844) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
2) The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
September 24th, 2012 4:06am

Ok, done. But normal users with clients cannot access the portal. The error is the same: "an unexpected error has occurred".. Why? Users have all the minimum attributes set on the portal. The FIM administration account can access from clients.. what else can I try? PS: I get the same error if I connect to the portal from the server with a normal domain user.
September 24th, 2012 4:14am

If you plan to allow non-administrator users to have access to the portal, enable these MPRs:
- General: Users can read schema related resources
- General: Users can read non-administrative configuration resources
- User management: Users can read attributes of their own
Frank C. Drewes III - Architect - Oxford Computer Group
September 24th, 2012 6:06am

Thank you very much Frank.. I disabled the last rule last week for a test! Thank you, now the portal is reachable even from https://nome_host/identitymanagement !
September 24th, 2012 8:39am
