FIM Portal Service not available..middle tier connection error
Hi, getting the usual portal error and have tried just about every forum, blog and post I can find but I can't fix it.

Trying to hit: https://fimportal/identitymanagement/default.aspx

My environment:
FIM PORTAL: "moss-svr" 2008 r2 box
FIM SERVICE: "fimsvr" 2008 r2 box
FIM SYNCH SERVICE: "fimsvr" 2008 r2 box
SQLSVR = FIMSERVICE + FIMSYNCHRONIZATION DB'S

The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

- have followed installer guide to the letter
- have established SPNs
- set access mappings
- altered app host and web config files for Kerberos

I believe the problem is when I moved the FIM service from the MOSS server to the fimsvr and reinstalled the portal on the MOSS server. There may be a problem with the administrator account SID...

Can anyone please help? Very frustrating.

stu
Cheers Stu
November 23rd, 2010 8:41pm

Can you provide us the value of the "resourceManagementServiceBaseAddress" which is set in the web.config on the FIM Portal server? You could copy paste the following from the web.config:

<resourceManagementClient resourceManagementServiceBaseAddress="http://yourvalue" timeoutInMilliseconds="60000" />

Typically this file is located below c:\inetpub\wwwroot\wss\VirtualDirectories\80

http://setspn.blogspot.com
November 24th, 2010 3:39am

Thomas...

<resourceManagementClient resourceManagementServiceBaseAddress="http://fimvsvr:5725" timeoutInMilliseconds="60000" />

As requested above. What I'm trying to achieve is an environment with Kerberos and SSL. I managed to get it working when I had the service and portal on the same box (MOSS-WFE) but they need to be separated now though... hopefully you can shed some light.

I have since fully re-installed and can currently only connect to the portal if I type the following: http://MOSS-WFE/Identitymanagement

My alias (which has SPNs, AAMs and DNS A records for it) is:

https://fimportal/identitymanagement <default aam
https://fimportal.company.com.au/identitymanagement <intranet aam

Hopefully you can help?

stu
Cheers Stu
November 25th, 2010 1:01am

Well, I don't know if you have the following covered: your SharePoint site "application pool identity" account (app pool identity can be found in IIS Manager) should be trusted for delegation to the "fimservice\fimsvr" SPN.

And also, did you configure the Portal to only accept Kerberos? As explained in the FIM Installation Guide: search for "Activating the Kerberos protocol only" (http://technet.microsoft.com/en-us/library/ff512686(WS.10).aspx)

Regards, Thomas
http://setspn.blogspot.com
November 25th, 2010 4:27pm

Thanks Thomas! I hadn't set that SPN yet but it makes sense considering fimvsvr is hosting the service. What would be the correct SPN to set then? Something like this?

setspn -s fimservice/fimvsvr vic\fimwss

I did try and set the Kerberos switch but it broke the connection, but that's probably because my SPNs were not complete. I'll see how I go.

Do I also need to set an SPN for the sqlsvr, as it's on another box? If so, it's sqlsvr2, so what would the SPN look like?

cheers stu
Cheers Stu
November 25th, 2010 5:35pm

Thanks Thomas! I hadn't set that SPN yet but it makes sense considering fimvsvr is hosting the service. What would be the correct SPN to set then? Something like this?

setspn -s fimservice\fimvsvr vic\fimwss

I did try and set the Kerberos switch but it broke the connection, but that's probably because my SPNs were not complete. I'll see how I go.

cheers stu
Cheers Stu
November 25th, 2010 5:36pm

Thomas,

setspn -s fimservice/fimvsvr vic\fimwss

I've added the above SPN. It hit the portal fine. I then added the use Kerberos switch and it broke it again??? Should I also add an SPN like this:

http/fimportal MOSS-WFE ???

for the IIS machine account. I already have a http binding for the "fimwss" account... not sure if I should have one or both?

stu
Cheers Stu
November 25th, 2010 10:48pm

stuballz,

There are several things to consider, which are nicely explained in the "before you begin" part of the FIM Installation Guide (http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx). I suggest you read "Establish SPNs for FIM 2010" carefully.

Bottom line:

FIM Service Account SPN: setspn -s fimservice/fimsvr fim-service-service-account
WSS Application Pool Identity Account SPN: setspn -s http/fimportal app-pool-service-account

And then you need to configure (using ADUC) delegation:

The fim-service-service-account should be configured for delegation to fimservice/fimsvr
The app-pool-service-account should be configured for delegation to fimservice/fimsvr

Regards, Thomas
http://setspn.blogspot.com
November 29th, 2010 3:59pm
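
One way to audit the SPN ownership and delegation layout listed in the reply above (an added example, not part of the original thread and not from the FIM Installation Guide). The function name `Test-FimKerberosConfig` and the sample objects are assumptions constructed for illustration; the account and SPN names are the ones used in the reply.

```powershell
# Added example; names come from the reply above, the sample objects are constructed.
# Live data (ActiveDirectory module) can replace $sample:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#     -Properties sAMAccountName,servicePrincipalName,'msDS-AllowedToDelegateTo'
function Test-FimKerberosConfig {
    param(
        [object[]]  $Accounts,     # needs sAMAccountName, servicePrincipalName, msDS-AllowedToDelegateTo
        [hashtable] $SpnOwner,     # SPN -> the single account expected to hold it
        [hashtable] $DelegatesTo   # account -> SPN it must be allowed to delegate to
    )
    foreach ($spn in $SpnOwner.Keys) {
        # -contains is case-insensitive, which matches how SPNs are compared
        $holders = @($Accounts | Where-Object { $_.servicePrincipalName -contains $spn } |
                     ForEach-Object { $_.sAMAccountName })
        if ($holders.Count -eq 0) {
            "MISSING   $spn is not registered on any account"
        } elseif ($holders.Count -gt 1) {
            "DUPLICATE $spn is registered on: $($holders -join ', ')"
        } elseif ($holders[0] -ne $SpnOwner[$spn]) {
            "WRONGACCT $spn is on $($holders[0]), expected $($SpnOwner[$spn])"
        }
    }
    foreach ($name in $DelegatesTo.Keys) {
        $acct = $Accounts | Where-Object { $_.sAMAccountName -eq $name }
        if (-not $acct) { "NOACCOUNT $name not found"; continue }
        if ($acct.'msDS-AllowedToDelegateTo' -notcontains $DelegatesTo[$name]) {
            "NODELEG   $name is not allowed to delegate to $($DelegatesTo[$name])"
        }
    }
}

# Constructed sample: http/fimportal sits on both the app pool account and the
# IIS machine account, and the app pool account has no delegation configured.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'fim-service-service-account'
        servicePrincipalName = @('fimservice/fimsvr')
        'msDS-AllowedToDelegateTo' = @('fimservice/fimsvr') }
    [pscustomobject]@{ sAMAccountName = 'app-pool-service-account'
        servicePrincipalName = @('http/fimportal')
        'msDS-AllowedToDelegateTo' = @() }
    [pscustomobject]@{ sAMAccountName = 'MOSS-WFE$'
        servicePrincipalName = @('HOST/MOSS-WFE', 'HTTP/fimportal')
        'msDS-AllowedToDelegateTo' = @() }
)

Test-FimKerberosConfig -Accounts $sample `
    -SpnOwner    @{ 'fimservice/fimsvr' = 'fim-service-service-account'; 'http/fimportal' = 'app-pool-service-account' } `
    -DelegatesTo @{ 'fim-service-service-account' = 'fimservice/fimsvr'; 'app-pool-service-account' = 'fimservice/fimsvr' }
```

Each line it prints is a finding; no output means the directory matches the layout in the reply.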

Thanks Thomas... I reinstalled the portal and service and followed the instructions to the letter, established the missing SPNs and delegation, and it now works. I haven't set the usekerberos switch on the site only though, as every time I do this it breaks the portal, so I'm not going to risk it.

I believe originally there could have been a syntax error in my applicationhost file as well.

Thanks again for the help.

stu
Cheers Stu
November 29th, 2010 6:02pm
