FIM Portal Authentication - Setting DNS for remote access with SSL and Kerberos configured
Hi, I know this question has been asked many times...but i was just wondering the following: I have a synch server on one box, a portal setup with a alias "" etc on another and a sqlserver for the db. I have set correct SPN's and delegation fine from the server the portals installed on. The common problem is that the portal wont work on any other box! As Usual... My portal uses SSL and kerberos authN and therefore i setup a CNAME DNS entry so other PC's can resolve to the alias. I read on brad turners fantastic blogs ( that kerberos dosent like a CNAME. So then i replaced it with a HOST-A record in which seemed to break the authentication on the portal to my alias (typing the HTTPS://SERVER-NAME/IDENTITYMANAGEMENT still works). i believe this is because of the SSL not allowing connection to an IP Address (which i put in the host-A record)>>> alternatively could this be a certificate problem...because when i add a host A record instead i get the dreaded authN prompt that never works! Is there a way around this or am i completely wrong about this???? stu
October 28th, 2010 1:07am

Not sure I completely followed your post, but I'll try and provide some information and explain how I've deployed serveral portals. If you want to use a load balanced name (i.e. a name other than the hostname of the portal, irrespective of whether you will actually load balance) then you need to configure WSS a little differently. Firstly, you need to run WSS under a service account not the computer itself. You need a HTTP SPN defined for the WSS service account too. You must then update the appHost.config file (IIS) so that you define useAppPoolCredentials="true" for your website (SharePoint - 80). Once this is done, assuming you have your FIM SPNs setup you will be able to access the WSS site using the alternate name. In addition you should, but it won't break if you don't, setup alternate access mappings (AAM) in WSS for the new name(s) and also configure the WSS service account with the DCOM permissions for IIS WAMREG. Hope that makes sense?
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 4:30am

SSL is a transport security and doesn't do authentication. The easiest way to troubleshoot is to try either: "SSL + Basic Auth". If that works, then it's your kerb config, or "no-SSL + Kerb" and SSL works just fine with A-record
October 28th, 2010 4:45am

Thanks for the quick reply guys! Sorry i wasnt clear enough in my initial post ill clarify.. so far ive already... 1. setup my site app pool to run under a service account "fimwss" 2. set a HTTP SPN for the service account as follows ... HTTP/fimportal <domain>\fimwss (and associated FQDN's) 3. changed web.config file for web app and added requirekerberos="true" to <resourceMnagementClient> 4. setup AAM's for the alias 5. setup DCOM IISWAMREG permissions for fimservice account 6. installed proper server signed certifcates for SSL from my certification Authority this all works on the installation server for the portal but when i change it across to a HOST A record it dosent authenticate ! I dont get it...i think its definently kerberos but not sure what else. Only thing i haven't done is change 'appHost.config' file to include useAppPoolCredentials="true" because it seems like a farm wide change and i dont want to break other websites in the there a specific way to do this so it on changes settings for my fim site? stu
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 9:18pm

Tony, tried: 1. no ssl + kerb (with a-record in dns) = still didnt work 2. SSL + Basic auth = dosent work still prompt for access and i type credentials and then it prompts straight away again stu
October 28th, 2010 9:29pm

so... basically it boils down to http or https with hostname works, but not check your sharepoint alternate site mappingThe FIM Password Reset Blog
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 10:25pm

Thanks guys...figured it was just the problem with the applicationhost.config file... cheers
October 28th, 2010 10:56pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics