FIM Portal access problem with IE 7, IE 6 works fine
Hi,

This is my problem. If I browse the FIM portal [identity mgmt or password] from IE 7 browsers in the morning [assume FIM was idle for more than 8 hours], I see a “service unavailable” error. I checked the eventvwr “Forefront identity manager” logs and didn't see any entries. But if I browse the FIM portals from IE 6 browsers [same user], it works. After that, some of the IE 7 browsers start working, while a few of them still fail. If I do the same testing the next day, I see the same behavior.

The FIM site is added to the trusted sites zone, and “automatic logon with current username and password” was checked for the IE 7 browsers. I enabled the IIS/SP logs, and I got the below. SPNs are OK and delegation is also fine. I assume that's why IE 6 and IE 8 [on servers] work all the time. Any idea? Thanks for your time.

Server Error in '/' Application.

The request for security token could not be satisfied because authentication failed.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[FaultException: The request for security token could not be satisfied because authentication failed.]
   System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) +15323386
   System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target) +18
   System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) +167

[SecurityNegotiationException: The caller was not authenticated by the service.]
   Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters) +1605
   Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +499

[ServerDownException: Error connecting to server]
   Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +1171
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration() +269
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +118
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +16
   Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +117
   Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +32
   System.Web.UI.Control.EnsureChildControls() +146
   System.Web.UI.Control.PreRenderRecursiveInternal() +61
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394

Note: The FIM Portal URL has been added to the IE 7 trusted sites zone. Am I missing anything for IE 7 browser requirements?
April 20th, 2011 6:40pm

IISRESET didn't help. I tried that. Until I access the FIM portal using IE 6 or IE 8 (same user or different user), I always get "service unavailable" from IE 7. As soon as I have accessed the FIM portal through IE 6 or 8, I'm able to access the FIM portal through IE 7 browsers. If the SPN is broken, then I should get this problem in all browsers, correct? But IE 7 works after IE 6/8 tries.
April 20th, 2011 10:35pm

After I changed my DNS entries from CNAME to A record for the FIM portal URL, I was able to see consistent results across all browsers. In my environment we have GSS [Global Site Selector] to route the requests between two data center Cisco ACE modules, and the ACE module will load balance the requests between multiple FIM servers across the two data centers. So now I need to bypass GSS, and the A record will only point to the ACE module VIP for a specific data center. But with this approach, I see consistent results. With the CNAMEs [pointing to the GSS VIP] I saw a lot of authentication (Kerberos) problems. I have another VIP URL just for password reset services [only FIM services for password reset], and that works well with DNS->GSS->ACE module routing. So CNAMEs are not good for SharePoint delegation in hardware load balancing scenarios? Thanks
April 22nd, 2011 1:17am
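
Added example, not part of the original thread: an offline check related to the CNAME versus A record observation in the post above. It assumes a Kerberos client may build the service principal name either from the host name in the URL or from the name the CNAME chain ends at, and reports whether each candidate SPN is registered and held by the same account; every host name, address and account below is constructed.

```python
# Constructed sample data: every name, address and account is hypothetical.
DNS_RECORDS = {
    "fimportal.corp.example": ("CNAME", "fim.gss.corp.example"),
    "fim.gss.corp.example": ("A", "10.0.0.10"),
    "fimportal-dc1.corp.example": ("A", "10.1.0.20"),
}
# SPN -> account holding it, as collected from directory queries.
REGISTERED_SPNS = {
    "HTTP/fimportal.corp.example": "CORP\\svc-fimpool",
    "HTTP/fimportal-dc1.corp.example": "CORP\\svc-fimpool",
}


def resolve_chain(host, records, max_hops=8):
    """Follow CNAME records from host; return every name visited, in order."""
    chain = [host.lower()]
    for _ in range(max_hops):
        record = records.get(chain[-1])
        if record is None:
            raise LookupError(f"no DNS record for {chain[-1]}")
        rtype, target = record
        if rtype != "CNAME":
            return chain
        chain.append(target.lower())
    raise ValueError(f"CNAME chain from {host} exceeds {max_hops} hops")


def spn_report(url_host, records, registered, service="HTTP"):
    """List the SPNs a client could request for url_host and who holds them."""
    chain = resolve_chain(url_host, records)
    held = {spn.lower(): acct for spn, acct in registered.items()}
    # Candidates: the name typed in the URL and the canonical (final) name.
    names = list(dict.fromkeys([chain[0], chain[-1]]))
    candidates = [(f"{service}/{n}", held.get(f"{service}/{n}".lower())) for n in names]
    missing = [spn for spn, acct in candidates if acct is None]
    accounts = {acct for _, acct in candidates if acct is not None}
    return {
        "chain": chain,
        "candidates": candidates,
        "missing": missing,
        # Consistent only if every candidate SPN exists on one single account.
        "consistent": not missing and len(accounts) == 1,
    }


if __name__ == "__main__":
    for host in ("fimportal.corp.example", "fimportal-dc1.corp.example"):
        print(host, spn_report(host, DNS_RECORDS, REGISTERED_SPNS))
```

With the constructed data, the alias behind the CNAME yields a candidate SPN that no account holds, while the A record name yields a single registered SPN.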
