FIM Portal Authentication - Setting DNS for remote access with SSL and Kerberos configured
Hi, I know this question has been asked many times... but I was just wondering the following: I have a sync server on one box, a portal set up with an alias "fimportal.domain.com.au" etc. on another, and a SQL Server for the DB. I have set correct SPNs and delegation etc.; it works fine from the server the portal is installed on. The common problem is that the portal won't work on any other box! As usual... My portal uses SSL and Kerberos authN and therefore I set up a CNAME DNS entry so other PCs can resolve the alias. I read on Brad Turner's fantastic blog (http://www.identitychaos.com/2008/03/problem-with-kerberos-delegation.html) that Kerberos doesn't like a CNAME. So then I replaced it with a Host-A record, which seemed to break the authentication on the portal to my alias (typing HTTPS://SERVER-NAME/IDENTITYMANAGEMENT still works). I believe this is because of the SSL not allowing connection to an IP address (which I put in the Host-A record). Alternatively, could this be a certificate problem? Because when I add a Host-A record instead, I get the dreaded authN prompt that never works! Is there a way around this, or am I completely wrong about this???? stu
October 28th, 2010 1:07am

Not sure I completely followed your post, but I'll try and provide some information and explain how I've deployed several portals. If you want to use a load-balanced name (i.e. a name other than the hostname of the portal, irrespective of whether you will actually load balance) then you need to configure WSS a little differently. Firstly, you need to run WSS under a service account, not the computer itself. You need an HTTP SPN defined for the WSS service account too. You must then update the applicationHost.config file (IIS) so that you define useAppPoolCredentials="true" for your website (SharePoint - 80). Once this is done, assuming you have your FIM SPNs set up, you will be able to access the WSS site using the alternate name. In addition you should, but it won't break if you don't, set up alternate access mappings (AAM) in WSS for the new name(s) and also configure the WSS service account with the DCOM permissions for IIS WAMREG. Hope that makes sense?
October 28th, 2010 4:30am

SSL is transport security and doesn't do authentication. The easiest way to troubleshoot is to try either "SSL + Basic Auth" (if that works, then it's your Kerb config) or "no-SSL + Kerb". SSL works just fine with an A-record.
October 28th, 2010 4:45am

Thanks for the quick reply guys! Sorry I wasn't clear enough in my initial post; I'll clarify. So far I've already:
1. set up my site app pool to run under a service account "fimwss"
2. set an HTTP SPN for the service account as follows: HTTP/fimportal <domain>\fimwss (and associated FQDNs)
3. changed the web.config file for the web app and added requireKerberos="true" to <resourceManagementClient>
4. set up AAMs for the alias
5. set up DCOM IIS WAMREG permissions for the fimservice account
6. installed proper server-signed certificates for SSL from my certification authority
This all works on the installation server for the portal, but when I change it across to a Host-A record it doesn't authenticate! I don't get it... I think it's definitely Kerberos but not sure what else. The only thing I haven't done is change the 'applicationHost.config' file to include useAppPoolCredentials="true", because it seems like a farm-wide change and I don't want to break other websites in the farm. Is there a specific way to do this so it only changes settings for my FIM site? stu
October 28th, 2010 9:18pm

Tony, tried:
1. no SSL + Kerb (with A-record in DNS) = still didn't work
2. SSL + Basic auth = doesn't work; still prompts for access, and when I type credentials it prompts straight away again
stu
October 28th, 2010 9:29pm

So... basically it boils down to: http or https with hostname works, but not fimportal.domain.com.au? Check your SharePoint alternate site mapping.
The FIM Password Reset Blog http://blogs.technet.com/aho/
October 28th, 2010 10:25pm

Thanks guys... figured it out... it was just the problem with the applicationHost.config file... cheers
October 28th, 2010 10:56pm
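Added example (not from any poster in this thread): how to scope the useAppPoolCredentials change to the single IIS site and sanity-check the HTTP SPNs before retesting, using the names from the thread ("SharePoint - 80", fimportal.domain.com.au, domain\fimwss) as assumptions. Run in an elevated PowerShell session on the portal server.

```powershell
# Added example, not the thread's own steps. Assumed names from the thread:
# IIS site "SharePoint - 80", alias fimportal.domain.com.au, app pool account domain\fimwss.
$SiteName = 'SharePoint - 80'
$Alias    = 'fimportal.domain.com.au'
$Account  = 'domain\fimwss'
$AppCmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# 1. List the SPNs registered on the app pool account. Both the short name and the
#    FQDN form of the alias should appear here, each exactly once.
Write-Host "SPNs on $Account :"
& setspn.exe -L $Account

# 2. Check for duplicate SPNs in the forest. A second HTTP/<alias> on another
#    account makes the KDC unable to issue a usable ticket, and the browser falls
#    back to the repeating credential prompt described in the thread.
Write-Host 'Duplicate SPN scan:'
& setspn.exe -X

# 3. Apply useAppPoolCredentials only to this site. /commit:apphost writes the
#    setting into applicationHost.config under a <location path="SharePoint - 80">
#    element instead of the server-wide section, so other sites keep their defaults.
& $AppCmd set config "$SiteName" `
    /section:system.webServer/security/authentication/windowsAuthentication `
    /useAppPoolCredentials:True `
    /commit:apphost

# 4. Show the effective windowsAuthentication settings for the site so the change
#    can be confirmed before testing https://$Alias from another machine.
& $AppCmd list config "$SiteName" `
    /section:system.webServer/security/authentication/windowsAuthentication
```

Without useAppPoolCredentials the Kerberos ticket for HTTP/fimportal.domain.com.au is decrypted with the machine account's key rather than fimwss, which is why the alias fails while the hostname keeps working.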

