FIMMA Export - failed-modification-via-web-services (security related)
Hi all, I'm building a new lab environment up from a vanilla installation of FIM and am getting this dreaded "failed-modification-via-web-services" error on EXPORT of the FIM MA. I've followed all the steps I can find on how to resolve this, but with no joy. I have three FIM servers, i.e. portal, sync and sql.

This is what I've done so far:
- Followed this guide: http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-failed-modification-via-web-services.aspx
- Ran the Check FIM MA account PowerShell script (passes)
- Ran the FIM Portal installer in "repair" mode.
- Restarted all servers (just in case!)
- Even tried making the MA user a domain admin.

One thing I wanted to look at, as specified in an answer here (http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/24ef0597-2866-473d-92f3-9739f8e9256b), is how to check the sync user is the same as the MA user, but I can't, as I don't see any such key in the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config file. I guess that is referring to a pre-release version of FIM?

Any ideas? It seems quite elementary but has me stumped. Here's the error message in detail:

There is an error executing a web service object modification request.
Type: System.ServiceModel.Security.SecurityNegotiationException
Message: SOAP security negotiation with 'http://gwa-sr-fimp-20:5725/ResourceManagementService/Resource' for target 'http://gwa-sr-fimp-20:5725/ResourceManagementService/Resource' failed. See inner exception for more details.

Stack Trace:
Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.LayeredChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
   at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)
   at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)

Inner Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'FIMService/gwa-sr-fimp-20'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
August 5th, 2010 1:11pm

Hang on, eureka moment... I remember seeing a user in the Portal called "Built-in Synchronization Account". I guess this is configured incorrectly, but I don't know how to correct it?

Edit... trying to run the Portal installer in Change mode to set the user manually.
August 5th, 2010 1:16pm

Turns out it was nothing to do with FIM at all. Our operations guys came over and realised they'd made a mistake in the lab template and needed to change some AD SPN settings on the FIMService user.
August 5th, 2010 1:42pm

To clarify, you can get this even if your SPNs are set correctly if you configure the account for constrained delegation but prevent protocol transition: http://www.identitychaos.com/2011/02/soap-security-negotiation-with.html

To be clear, I only see this error on the Public Client; configuring the FIM Service to prevent protocol transition (Use Kerberos Only) has not affected services in my FIM environments.

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
[If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
February 18th, 2011 8:07pm
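The two root causes raised in this thread (a wrong or missing SPN on the FIMService account, and constrained delegation configured without protocol transition) can both be checked from AD before touching the FIM installer. The script below is an added example, not code from the original posts or from Microsoft; it assumes the service account is named svc-fimservice, the FIM Service host is gwa-sr-fimp-20 in the lab domain contoso.local, and that the ActiveDirectory module (RSAT) is available. The SPN form FIMService/<host> is taken from the SSPI error text above; the FQDN variant is an assumption.

```powershell
# Added example (not from the thread): audit the FIM Service account's SPNs and
# Kerberos delegation flags. Account, host and domain names below are assumptions.
param(
    [string]$ServiceAccount = 'svc-fimservice',
    [string]$ServiceHost    = 'gwa-sr-fimp-20',
    [string]$DnsDomain      = 'contoso.local'
)

Import-Module ActiveDirectory -ErrorAction Stop

# userAccountControl bits that govern delegation (ADS_USER_FLAG values)
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition ("use any protocol")

$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'

# 1. The SPN named in the SSPI error must be registered on the account the service runs as.
#    Short-name and FQDN forms are both checked; the FQDN form is an assumption.
$expected = @("FIMService/$ServiceHost", "FIMService/$ServiceHost.$DnsDomain")
foreach ($spn in $expected) {
    if ($acct.servicePrincipalName -contains $spn) {
        Write-Output "OK        $spn is registered on $($acct.SamAccountName)"
    } else {
        Write-Warning "MISSING   $spn  (register with: setspn -S $spn $ServiceAccount)"
    }

    # 2. The same SPN on a second account makes the KDC unable to pick a key; Kerberos
    #    then fails for the service even though the SPN "looks" registered.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    if ($owners.Count -gt 1) {
        Write-Warning "DUPLICATE $spn found on: $(($owners | ForEach-Object { $_.DistinguishedName }) -join '; ')"
    }
}

# 3. Delegation settings. Constrained delegation with "Use Kerberos only" means the
#    TRUSTED_TO_AUTH bit is clear, which is the case Brad Turner's post describes.
$uac     = [int]$acct.userAccountControl
$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($uac -band $UF_TRUSTED_FOR_DELEGATION) {
    Write-Warning 'Account is trusted for UNCONSTRAINED delegation; prefer constrained delegation to specific SPNs.'
} elseif ($targets.Count -gt 0) {
    if ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) {
        Write-Output "OK        constrained delegation with protocol transition to: $($targets -join ', ')"
    } else {
        Write-Warning "Constrained delegation is set to 'Use Kerberos only' (no protocol transition). Targets: $($targets -join ', ')"
    }
} else {
    Write-Output 'OK        no delegation configured on this account.'
}

# 4. Finally, ask the KDC for a service ticket from the client machine (the sync server).
#    A ticket listing here confirms the SPN resolves to a usable key; an error here
#    reproduces the negotiation failure outside of FIM.
& klist get $expected[0]
```

Run it as a domain user on the sync server (the machine hosting the FIM MA), since that is the client side of the failing negotiation; the step-4 ticket request exercises the same path the MA export takes. Fixing a reported problem is an AD change (setspn, or the account's Delegation tab), not a FIM repair install, which matches the resolution reported in this thread.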
