Error configuring Alternate Access Mapping for FIM 2010 Portal
Hi, I'm trying to configure an alternate URL for the FIM Portal. Currently domain users can access it at the link https://IP_host/IdentityManagement. I would like them to be able to access it at the alternative link https://nome_host/IdentityManagement. So I added it to the Public URL for the Intranet zone in the following way
When users try to access it from the browser .. they get the 401 Unauthorized message and Event Viewer on the server records this event:
Event 8214 - Windows SharePoint Services 3
A request was made for a URL, https://nome_host.XYZ.net (intranet one), which has not been configured in Alternate Access Mappings. Some links may point to the Alternate Access URL for the default zone, https://nome_host (default one). Review the Alternate Access mappings for this Web application at http://localhost:13760/_admin/AlternateUrlCollections.aspx and consider adding https://nome_host.XYZ.net (intranet one) as a Public Alternate Access URL if it will be used frequently. Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854
Please, can you help me?
Francesca
September 14th, 2012 6:58am
You should probably add the /IdentityManagement subsite to the URL, like https://home.xyz.net/identitymanagement ? Otherwise, they'll get to the default site, which they probably don't have permissions for.
Also, make sure that Authenticated Users can get to the site (there was a tickmark during installation for this); if not you can go to Site Settings and add them there (can't remember the exact prescription for this).
Regards, Soren Granfeldt
blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt
September 14th, 2012 7:22am
Yes, authenticated users can access the Portal (from the https://IP_host/IdentityManagement site they can access their information)..
I tried to add the /IdentityManagement subsite to the URL but I get the error "URL format is invalid".
Any other suggestion?
September 14th, 2012 7:30am
I think you need to change the Default URL to be something different than localhost (the URL you'd like users to use). You can set localhost as a different type of address.
As I seem to remember SharePoint will redirect users to this URL and they'll have no chance to get at http://localhost when coming from a client. Also double-check your DNS entries.
I'm no SharePoint admin so just "working" from memory here...
Regards, Soren Granfeldt
blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt
September 14th, 2012 7:38am
To configure the alternate access mappings perform the following steps from the central administration tool.
1. Open the Alternate Access Mappings page in the central administration tool.
2. Select SharePoint - 80 from the Alternate Access Mapping Collection drop-down in the top right of the page.
3. Click Edit Public URLs and modify the default value to that of your intended virtual host name, e.g. http://idmweb. Click Save.
4. Click Add Internal URL and then enter the FQDN for the virtual name. Leave the zone as Default. Click Save.
5. Repeat step four for any other valid names and also add the actual hostname as an internal URL too.
6. Execute IISRESET from an administrative command prompt and the configuration is complete.
Frank C. Drewes III - Architect - Oxford Computer Group
September 14th, 2012 8:45am
Frank, thank you very much.
I did as you suggested (my intended virtual host name is the same as the FQDN resolved by the DNS: https://host_name.XYZ.net) .. now I have a direct mapping in the default zone between these URLs (internal https://host_name.XYZ.net and public https://host_name.XYZ.net).
But when users try to access the Portal at https://host_name.XYZ.net/IdentityManagement they get the following error:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Otherwise, when they access the Portal at https://IP_host/IdentityManagement it works.
Any other idea?
September 14th, 2012 9:34am
Hi,
Please look at the following link that could solve your problem.
Patrick.
Patrick Layani
September 18th, 2012 6:08am
Thank you Patrick, but now I think the problem is somewhere else.
Now anyone can access the Portal also from https://IP_host/IdentityManagement . When users try to access it, after they insert their credentials .. they get the error "An unexpected error has occurred."
I'm wondering whether I configured it correctly. Or can I check some config file?
In the Microsoft.resourcemanagement.service.exe.config I have:
<system.serviceModel>
  <services>
    <service name="Microsoft.ResourceManagement.WebServices.ResourceManagementService">
      <host><baseAddresses><add baseAddress="http://localhost:5725" /></baseAddresses></host>
    </service>
    <service name="Microsoft.ResourceManagement.WebServices.SecurityTokenService">
      <host><baseAddresses><add baseAddress="http://localhost:5726" /></baseAddresses></host>
    </service>
  </services>
</system.serviceModel>
<resourceManagementClient resourceManagementServiceBaseAddress="172.16.30.214" />
<resourceManagementService externalHostName="172.16.30.214" />
Should I change something in FIM settings?
In the web.config (in the WSS directory in the inetpub one) I have:
<resourceManagementClient resourceManagementServiceBaseAddress="http://172.16.30.214:5725" timeoutInMilliseconds="60000" />
Is it ok?
If yes, can the problem be SPNs? I have a FIM Service service account and a SharePoint app pool domain account. I ran the following commands on the DC: setspn -S FIMService/myserver.mydomain.dom mydomain\fimservice_serviceaccount and setspn -S HTTP/myserver.mydomain.dom mydomain\sharepointapp_pooldomainaccount and turned on Kerberos delegation.
Can you direct me troubleshooting this problem?
September 22nd, 2012 5:33am
Hi, Francesca85
Please, try to edit your Microsoft.resourcemanagement.service.exe.config file. Replace 172.16.30.214 with localhost. Then restart FIM Service and IIS. If your SharePoint site is configured with the NTLM authentication provider you should be able to access your site without the 401 error.
September 22nd, 2012 6:04am
Where can I see if my sharepoint is configured with NTLM authentication provider?
So I can check it before doing the change in the config file.
September 22nd, 2012 6:11am
According to SharePoint Central Administration - authentication provider.. my IIS authentication settings are "negotiate (kerberos)" and not NTLM.
Any other idea?
September 22nd, 2012 6:19am
If your authentication provider is set to Kerberos, follow these instructions - http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b8fae069-218f-4dfd-bb66-54bcb63b0386
In brief, you have to create SPNs and set delegation in AD for Kerberos to start working. After you finish configuring the SPNs, open IIS Manager on your portal server and check that your site (where FIM is located) is configured as follows:
Authentication: Windows Authentication Enabled (other Disabled): Providers: Negotiate:Kerberos only
Authentication: Windows Authentication: Advanced Settings: "Enable Kernel-mode authentication" - disabled
When the instructions above are completed - restart the server.
If using Kerberos is not essential for you, I recommend using NTLM. To do so, you have to change the authentication provider in SharePoint Central Administration to NTLM, then check IIS (providers - NTLM, advanced settings - "Enable Kernel-mode authentication" enabled).
September 22nd, 2012 8:57am
I created the SPNs before installing FIM.
In particular I have 2 service accounts: fim.service (for the FIM Service) and fim.spapppool (for SharePoint). I registered the SPNs as follows:
fim.service is registered with FIMService/host_name.mydomain.dom
fim.spapppool is registered with HTTP/host_name.mydomain.dom
Do I also have to register the accounts with the short host_name (fim.service with FIMService/host_name and fim.spapppool with HTTP/host_name)?
Pavel, I followed your steps but now I cannot access the portal even from the portal server...
September 22nd, 2012 10:21am
If you don't plan to access the portal via short names you don't have to register them.
After you created the SPNs for FIM Service and HTTP, did you set up the delegation in AD DS for the fim.service account for the created SPNs?
For this to work you have to do some more: open this file - C:\Windows\System32\inetsrv\config\applicationHost.config, find the section "<system.webServer>". In this section find "<security>", then "<authentication>". Change "<windowsAuthentication enabled="false">" to "<windowsAuthentication enabled="true" useAppPoolCredentials="true">". Reboot the server. This parameter tells IIS to use the application pool's credentials instead of the server's account.
Information above is applicable for Kerberos.
Did you try to set NTLM?
September 22nd, 2012 11:51am
Yes, I set the delegation in ADDS for fim.service.
Ok, I found the piece of config file you suggested; it is the same before and after the following change:
Authentication: Windows Authentication Enabled (other Disabled): Providers:
Negotiate:Kerberos only
Authentication: Windows Authentication: Advanced Settings: "Enable Kernel-mode authentication" - disabled
Here it is
So I have to change the
<section name="windowsAuthentication" overrideModeDefault="Deny" />
with
<section name="windowsAuthentication" enabled="true" useAppPoolCredentials="true"/>
?
Why in my config file there isn't "enable = true or false"? And why these steps are not listed in the technet guide?
I didn't try to set NTLM because I want to implement Kerberos authentication.. please can you continue supporting me in troubleshooting?
Francesca
September 22nd, 2012 2:39pm
Sorry, probably you meant here.. (the image is before the change in IIS Manager)
Do I have to change the authentication advanced options and providers in IIS Manager and then add useAppPoolCredentials = TRUE?
September 22nd, 2012 2:57pm
Francesca85, don't change the config file in your web-site directory. useAppPoolCredentials can be defined only at the server level. Set the string <windowsAuthentication enabled="false"> in your last post to <windowsAuthentication enabled="true" useAppPoolCredentials>.
This will only enable Windows integrated authentication at the server level, but it will enable the usage of application pool credentials. Restart the server after this change.
For information: is the FIM server now configured to use Kerberos, or have you changed the authentication provider to NTLM?
September 22nd, 2012 3:10pm
FIM Portal is configured with authentication provider "Negotiate:Kerberos" and in advanced settings I disabled "Enable Kernel-mode authentication".
Ok, I changed the applicationHost.config file as you suggested. Now the portal is reachable from the server but not from clients. If I use the link https://IP_host/IdentityManagement I get the error "an unexpected error has occurred"; if I use https://nome_host.mydomain.dom/IdentityManagement it asks me for credentials 3 times and then shows a white page (this time without the "unexpected error") ..
September 22nd, 2012 4:44pm
In your web.config your service base address has to match your SPN - if you registered FIMService/MyPortal.corp.local you need to use http://MyPortal.corp.local:5725 in your web.config.
Your SharePoint identity needs two delegations - FIMService and HTTP
Your FIM Service account needs one delegation - FIMService
IIS needs
UseAppPoolCredentials = true
Kernel Mode Auth (true for WSS, false for 2010)
(use this..)
cd %systemroot%\system32\inetsrv
copy config\applicationHost.config config\applicationHost.config.bak
appcmd set config "SharePoint - 80" /section:windowsauthentication /useKernelMode:false /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST
Windows authentication - Authentication providers:
1. Negotiate (not Negotiate:Kerberos)
2. NTLM
Frank C. Drewes III - Architect - Oxford Computer Group
September 22nd, 2012 5:04pm
Frank,
I changed the base address in the web.config file according to the SPN registration (for the portal I use https://[..], in the file I left http://[..]).
I cannot register an SPN for FIMService with fim.spapppool because of a duplicate (fim.service is already registered for FIMService). Did you mean this?
I used your commands and checked the authentication providers for SharePoint - 80.
Now I can access the portal from the server. The clients already get the "an unexpected error has occurred" using normal user accounts.
With the FIM administrator account I can access the portal from a client by https://ip_host/identitymanagement (even before) and not https://host_name/identitymanagement . I'm really confused...
September 22nd, 2012 6:47pm
Correct - the FIMService URL should be http:// not https://
It's the delegation setting, not the SPN - like this (I registered the short and FQDN names - but that's not required - you may only have one URL per service)
Frank C. Drewes III - Architect - Oxford Computer Group
September 22nd, 2012 7:26pm
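Frank's two points above (the base address in web.config must match the FIMService SPN, and the FIMService URL is http:// not https://) can be checked mechanically before touching Kerberos delegation. The script below is an added example, not code from the thread or from FIM: the two config fragments and the SPN inventory are constructed samples in the shape quoted earlier in the thread, and audit(), check_base_address() and duplicate_spns() are names chosen here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

FIM_SERVICE_PORT = 5725  # FIM Service endpoint port shown in the thread's config

# Constructed samples shaped like the two config fragments quoted in the thread.
SERVICE_CONFIG = """<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="172.16.30.214" />
  <resourceManagementService externalHostName="172.16.30.214" />
</configuration>"""
WEB_CONFIG = """<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="https://172.16.30.214:5725"
                            timeoutInMilliseconds="60000" />
</configuration>"""
# Constructed SPN inventory, account -> SPNs, as `setspn -L <account>` would list them.
SPNS = {"fim.service": ["FIMService/host_name.mydomain.dom"],
        "fim.spapppool": ["HTTP/host_name.mydomain.dom"]}

def spn_hosts(spns, service_class):
    """Lower-cased host names registered under one service class (e.g. FIMService)."""
    return {spn.split("/", 1)[1].lower() for names in spns.values() for spn in names
            if "/" in spn and spn.split("/", 1)[0].lower() == service_class.lower()}

def duplicate_spns(spns):
    """SPNs registered on more than one account: the KDC cannot issue tickets for these."""
    owners = {}
    for account, names in spns.items():
        for spn in names:
            owners.setdefault(spn.lower(), set()).add(account)
    return sorted(spn for spn, accounts in owners.items() if len(accounts) > 1)

def check_base_address(value, fim_hosts):
    """Findings for one resourceManagementServiceBaseAddress value: the host must
    carry a FIMService SPN, the scheme must be http (not https), the port 5725."""
    findings = []
    parsed = urlparse(value if "://" in value else "http://" + value)  # service config holds a bare host
    if "://" in value and parsed.scheme != "http":
        findings.append("scheme is %s, expected http" % parsed.scheme)
    host = (parsed.hostname or "").lower()
    if host not in fim_hosts:
        findings.append("host %s has no FIMService SPN (registered: %s)"
                        % (host, ", ".join(sorted(fim_hosts))))
    if parsed.port is not None and parsed.port != FIM_SERVICE_PORT:
        findings.append("port %d, expected %d" % (parsed.port, FIM_SERVICE_PORT))
    return findings

def audit(service_config_xml, web_config_xml, spns):
    """Map each check to its findings; an empty list means that item is consistent."""
    fim_hosts = spn_hosts(spns, "FIMService")
    report = {"duplicate SPNs": duplicate_spns(spns)}
    for label, xml in (("service.exe.config", service_config_xml), ("web.config", web_config_xml)):
        client = ET.fromstring(xml).find("resourceManagementClient")
        report[label] = check_base_address(client.get("resourceManagementServiceBaseAddress"), fim_hosts)
    return report
```

Run against the constructed samples, audit() flags the IP-based addresses in both files (no FIMService SPN covers 172.16.30.214) and the https scheme in web.config; after replacing them with the SPN host name and http:// every list comes back empty.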
Ok, now I cannot access the domain controller.. tomorrow I'll try.
Do you think that this change can make the Portal work from clients (normal users)? Because until now I get the error "an unexpected error has occurred" when they try to access it...
September 23rd, 2012 5:41am
Ok, done. But normal users with clients cannot access the portal. The error is the same: "an unexpected error has occurred".. Why? Users have all minimum attributes set on the portal.
The FIM administration account can access from clients.. what else can I try?
PS: I get the same error if I connect to the portal from the server with a normal domain user.
In the event viewer I can see all steps to authenticate the user that tries to access the portal (from validating, authenticating to authorized and committed).. from source: microsoft.resourcemanagement.
In DCOM I get these errors from source DistributedCOM:
1) The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user mydomain\fim.spapppool SID (S-1-5-21-1028063728-624252461-2003979711-26844) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
2) The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
September 24th, 2012 4:06am
If you plan to allow non-administrator users to have access to the portal, enable these MPRs:
General: Users can read schema related resources
General: Users can read non-administrative configuration resources
User management: Users can read attributes of their own
Frank C. Drewes III - Architect - Oxford Computer Group
Thank you very much Frank.. I disabled the last rule last week for a test!
Thank you, now the portal is reachable even from https://nome_host/identitymanagement !