FIM Portal hardware load balancer issues
Hi,

We have followed the FIM "Before you begin" TechNet article (http://technet.microsoft.com/en-us/library/ff512685%28WS.10%29.aspx), changed the WSS application pool account and registered the SPNs (see below). Executed the following:

    setspn -S FIMService/IDM.Company.com DOMAIN\FIMSvcSync   (FIM Service account)
    setspn -S FIMService/IDM DOMAIN\FIMSvcSync

Turned on Kerberos delegation for the FIM Service service account in AD DS. Turned on delegation for all services by selecting "Trust this user for delegation to any service".

    setspn -S HTTP/IDM.company.com DOMAIN\FIMSvcWSS   (WSS service account)
    setspn -S HTTP/IDM DOMAIN\FIMSvcWSS

So IDM.COMPANY.COM is the name on the hardware load balancer, and it exists as an 'A' record in the internal DNS. nslookup resolves correctly. In addition I have also registered the following:

    setspn -S HTTP/FIMPortal-01 DOMAIN\FIMSvcWSS   (WSS service account)
    setspn -S HTTP/FIMPortal-01.company.com DOMAIN\FIMSvcWSS
    setspn -S HTTP/FIMPortal-02 DOMAIN\FIMSvcWSS
    setspn -S HTTP/FIMPortal-02.company.com DOMAIN\FIMSvcWSS

I then try to connect to http://idm.company.com - after many prompts for authentication I see the following in the browser:

    Not Authorized
    HTTP Error 401. The requested resource requires user authentication.

Verified that Kernel-mode authentication is enabled in IIS on the FIM Portal.

Then - here is a related Event Log error (ID 4):

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server FIMPortal-01$. The target name used was HTTP/idm.company.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server.
    This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AD.COMPANY.COM) is different from the client domain (AD.COMPANY.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In addition the Event Log keeps repeating this event (ID 3):

    System.Web.Services: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
       --- End of inner exception stack trace ---
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1)
       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
       at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)

It's quite a lot of errors - any ideas guys? thanks
April 12th, 2011 6:37am

If Kernel mode AuthN is ENABLED you need to edit the APPHOST.CONFIG file to also enable UseAppPoolCredential=True.

Open an *elevated* NOTEPAD.EXE.
Open %systemroot%\system32\inetsrv\config\applicationHost.config.
Search (Ctrl + F) for 'path="Sharepoint - 80'.
Scroll down until you find:

    <System.WebServer>
      <Security>
        <Authentication>

Modify <windowsAuthentication enabled="true"> to become:

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

You should be good to go after an IISRESET.

Note, you don't need SPNs for each host in the farm, only the service name.

Note also that you require two constrained delegations (don't consider unconstrained delegation):

    WSS_SVC_ACCT  --> FIMService/FIM_SVC_ACCT
    FIM_SVC_ACCTS --> FIMService/FIM_SVC_ACCT

So, you require four SPNs (two qualified, two unqualified):

    HTTP/portal-name and HTTP/portal-name.domain-name.com (WSS SVC account)
    FIMService/portal-name and FIMService/portal-name.domain-name.com (FIM SVC account)
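The same applicationHost.config change made with the IIS WebAdministration cmdlets instead of Notepad, as an added example that is not part of the thread. It writes only to the site's own <location> block (the "SharePoint - 80" name and the backup path are assumptions) and reads the setting back before an iisreset; run it from an elevated 64-bit PowerShell.

```powershell
# Added example, not from the thread: enable kernel-mode Windows authentication with
# app pool credentials for one site, scoped to its <location path="..."> block.
Import-Module WebAdministration

$siteName = 'SharePoint - 80'   # assumption: the site name used in <location path="...">
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$psPath   = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, not a web.config

# Keep a copy before touching the live IIS configuration.
$configPath = Join-Path $env:SystemRoot 'System32\inetsrv\config\applicationHost.config'
$backup     = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $configPath -Destination $backup

# Current values, read from the site's location block only.
$before = Get-WebConfiguration -PSPath $psPath -Location $siteName -Filter $filter
'Before: enabled={0} useKernelMode={1} useAppPoolCredentials={2}' -f `
    $before.enabled, $before.useKernelMode, $before.useAppPoolCredentials

# Matches the thread's fix: enabled="true" useKernelMode="true" useAppPoolCredentials="true".
foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
    Set-WebConfigurationProperty -PSPath $psPath -Location $siteName -Filter $filter `
        -Name $name -Value $true
}

# Verify the write landed before restarting IIS.
$after = Get-WebConfiguration -PSPath $psPath -Location $siteName -Filter $filter
if (-not ($after.enabled -and $after.useKernelMode -and $after.useAppPoolCredentials)) {
    throw "windowsAuthentication settings for '$siteName' did not apply; backup is at $backup"
}
'After: enabled={0} useKernelMode={1} useAppPoolCredentials={2}' -f `
    $after.enabled, $after.useKernelMode, $after.useAppPoolCredentials

iisreset
```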
April 12th, 2011 6:54am

hmm, there are so many references to "SharePoint - 80", how do I know which is the correct one to edit? Maybe it will just be easier to disable Kernel Mode Authentication and avoid messing up the .config file?
April 12th, 2011 7:14am

So I tracked down the <location path="SharePoint - 80"> entry; beneath it is the modification:

    <security>
      <authentication>
        <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
          <providers>

So - is the location <location path="SharePoint - 80"> correct?

OK, so now I can connect to the website via the hardware load balancer - I can see the FIM logo, but it's got the 'Service not available' error message.
April 12th, 2011 7:31am

Yes, that is the only place you need to modify it in my experience. I take a copy, then open an elevated NOTEPAD and edit. I have never needed to stop anything whilst doing this. The trick to finding the correct piece to edit is to search for what I wrote >>>path="Sharepoint - 80<<< not >>>Sharepoint - 80<<<
April 12th, 2011 7:38am

thanks Paul, I guess I will need to post another one for the "Service not available" error message.
April 12th, 2011 7:42am

Service not available usually means Kerberos authN isn't working (or you don't have an ObjectSid and Domain). Assuming you can access the WSS instance using Kerberos by hitting http://loadbalancedname (and not being prompted for authN) then check the following:

You have enabled delegation from the WSS service account to the FIMService SPN on the FIM Service account.
You have enabled delegation from the FIM Service service account to the FIMService SPN on the FIM Service account.
The FIM Service was installed and the name of the portal and service configured as the load balanced name during setup (you can validate this in the configuration file).
Validate the portal and service are up and running by hitting http://ipv4address/identitymanagement
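A check for the SPN and delegation conditions listed above and in Paul's earlier reply, as an added example that is not from the thread. The load-balanced name and the two account names are assumptions taken from the original post; the script confirms each of the four SPNs sits on the expected account and on no other account (the situation the KRB_AP_ERR_MODIFIED event describes), then confirms both accounts have constrained delegation to the FIMService SPNs.

```powershell
# Added example, not from the thread: verify SPN placement and constrained delegation
# for a load-balanced FIM Portal. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$portalName = 'idm.company.com'   # assumption: the load-balanced name
$wssAccount = 'FIMSvcWSS'         # assumption: WSS application pool account
$fimAccount = 'FIMSvcSync'        # assumption: FIM Service account
$shortName  = $portalName.Split('.')[0]

# Paul's four SPNs: two HTTP on the WSS account, two FIMService on the FIM account.
$expected = @{
    $wssAccount = @("HTTP/$shortName", "HTTP/$portalName")
    $fimAccount = @("FIMService/$shortName", "FIMService/$portalName")
}

$ok = $true
foreach ($account in $expected.Keys) {
    $user = Get-ADUser -Identity $account -Properties servicePrincipalName
    foreach ($spn in $expected[$account]) {
        # The SPN must be on this account...
        if ($user.servicePrincipalName -notcontains $spn) {
            "MISSING   $spn is not registered on $account"; $ok = $false
        }
        # ...and on no other account, otherwise the target server cannot decrypt the ticket.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        $others = @($owners | Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
        if ($others.Count -gt 0) {
            "DUPLICATE $spn is also on: $($others.Name -join ', ')"; $ok = $false
        }
    }
}

# Both the WSS account and the FIM account need constrained delegation to the
# FIMService SPNs held by the FIM Service account (msDS-AllowedToDelegateTo).
foreach ($account in @($wssAccount, $fimAccount)) {
    $user    = Get-ADUser -Identity $account -Properties 'msDS-AllowedToDelegateTo'
    $allowed = @($user.'msDS-AllowedToDelegateTo')
    foreach ($spn in $expected[$fimAccount]) {
        if ($allowed -notcontains $spn) {
            "NO DELEGATION $account -> $spn"; $ok = $false
        }
    }
}

if ($ok) { 'SPNs and constrained delegation match the expected layout.' }
```

A DUPLICATE line is the condition the KRB_AP_ERR_MODIFIED event points at; `setspn -X` gives the forest-wide equivalent of that duplicate search.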
April 12th, 2011 7:54am

Hi, I have just reviewed your settings, but here is something interesting - I have just enabled stack tracing in IIS... this is the error message I now get:

    No connection could be made because the target machine actively refused it IP_address_of_the_hardware_load_balancer:5725

Just found out that the load balancer has not been configured with ports 5725 and 5726. Will get the network guys to open them so we can test.
April 12th, 2011 8:06am
