FIM Portal hardware load balancer issues
Hi,
We have followed the FIM "Before you begin" technet article (http://technet.microsoft.com/en-us/library/ff512685%28WS.10%29.aspx).
Changed the WSS application pool account and registered the SPNs (see below). Executed the following:
setspn -S FIMService/IDM.Company.com DOMAIN\FIMSvcSync (FIM Service account)
setspn -S FIMService/IDM DOMAIN\FIMSvcSync
Turned on Kerberos delegation for the FIM Service service account in AD DS. Turned on delegation for all services by selecting "Trust this user for delegation to any service".
setspn -S HTTP/IDM.company.com DOMAIN\FIMSvcWSS (WSS service account)
setspn -S HTTP/IDM DOMAIN\FIMSvcWSS
So IDM.COMPANY.COM is the name on the hardware load balancer, and it exists as an 'A' record in the internal DNS. NSlookup resolves correctly.
In addition I have also registered the following:
setspn -S HTTP/FIMPortal-01 DOMAIN\FIMSvcWSS (WSS Service account)
setspn -S HTTP/FIMPortal-01.company.com DOMAIN\FIMSvcWSS
setspn -S HTTP/FIMPortal-02 DOMAIN\FIMSvcWSS
setspn -S HTTP/FIMPortal-02.company.com DOMAIN\FIMSvcWSS
I then try to connect to http://idm.company.com - after many prompts for authentication I see the following in the browser:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Verified that Kernel-mode authentication is enabled in IIS on the FIM Portal.
Then - here is a related Event Log error ID 4:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server FIMPortal-01$. The target name used was HTTP/idm.company.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AD.COMPANY.COM) is different from the client domain (AD.COMPANY.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
In addition the Event log keeps repeating this event (ID 3):
System.Web.Services: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)
It's quite a lot of errors - any ideas, guys?
thanks
April 12th, 2011 6:37am
If Kernel mode AuthN is ENABLED you need to edit the APPHOST.CONFIG file to also enable UseAppPoolCredential=True.
Open an *elevated* NOTEPAD.EXE. Open %systemroot%\system32\inetsrv\config\applicationHost.config.
Search (Ctrl + F) for 'path="Sharepoint - 80'. Scroll down until you find:
<system.webServer>
  <security>
    <authentication>
Modify <windowsAuthentication enabled="true"> to become:
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
You should be good to go after an IISRESET.
Note, you don't need SPNs for each host in the farm, only the service name. Note also that you require two constrained delegations (don't consider unconstrained delegation):
WSS_SVC_ACCT --> FIMService/FIM_SVC_ACCT
FIM_SVC_ACCT --> FIMService/FIM_SVC_ACCT
So, you require four SPNs (two qualified, two unqualified):
HTTP/portal-name and HTTP/portal-name.domain-name.com (WSS SVC account)
FIMService/portal-name and FIMService/portal-name.domain-name.com (FIM SVC account)
April 12th, 2011 6:54am
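The edit Paul describes is easy to get wrong by hand, so here is an added read-only check (example code, not from the thread or from Microsoft) that parses applicationHost.config, finds the `<location path="SharePoint - 80">` element and reports the `useKernelMode` / `useAppPoolCredentials` pair. The site label and config path are the ones quoted in the thread and are parameters you can override.

```powershell
# Added example (not from the thread or from Microsoft): read-only audit of the
# windowsAuthentication element under a given <location path="..."> in
# applicationHost.config. Run from an elevated PowerShell prompt.
function Test-WindowsAuthConfig {
    param(
        [string]$SiteName   = 'SharePoint - 80',   # site label quoted in the thread
        [string]$ConfigPath = "$env:SystemRoot\System32\inetsrv\config\applicationHost.config"
    )
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load($ConfigPath)

    # Several <location> elements may start with the site name (e.g. "SharePoint - 80/_vti_bin");
    # the site-level authentication settings live in the one whose path matches exactly.
    $nodes = $cfg.SelectNodes("/configuration/location[@path='$SiteName']")
    if ($nodes.Count -eq 0) { throw "No <location path=`"$SiteName`"> found in $ConfigPath" }

    foreach ($loc in $nodes) {
        $win = $loc.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
        if (-not $win) { Write-Warning "location '$SiteName' has no windowsAuthentication element"; continue }

        # Missing attributes fall back to the IIS defaults: kernel mode on, app-pool credentials off.
        $enabled = $win.GetAttribute('enabled')
        $kernel  = if ($win.HasAttribute('useKernelMode'))         { $win.GetAttribute('useKernelMode') }         else { 'true' }
        $pool    = if ($win.HasAttribute('useAppPoolCredentials')) { $win.GetAttribute('useAppPoolCredentials') } else { 'false' }

        # Kernel mode with the default (machine) credentials decrypts tickets with the host key,
        # not with the app-pool account that owns the HTTP/ SPN; that mismatch is what the
        # KRB_AP_ERR_MODIFIED event in the first post describes.
        $ok = -not ($kernel -eq 'true' -and $pool -ne 'true')
        New-Object PSObject -Property @{
            Location              = $loc.GetAttribute('path')
            Enabled               = $enabled
            UseKernelMode         = $kernel
            UseAppPoolCredentials = $pool
            KerberosSafeForFarm   = $ok
        }
    }
}

# Usage:  Test-WindowsAuthConfig | Format-List
# Remediation without hand-editing the file (appcmd, run elevated; it writes the same attributes):
#   %windir%\system32\inetsrv\appcmd.exe set config "SharePoint - 80" `
#       -section:system.webServer/security/authentication/windowsAuthentication `
#       /useKernelMode:"True" /useAppPoolCredentials:"True" /commit:apphost
```

Take a copy of applicationHost.config before any change, as Paul's later reply also recommends; the function itself never writes to the file.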
Hmm, there are so many references to "SharePoint - 80"; how do I know which is the correct one to edit?
maybe it will just be easier to disable Kernel Mode Authentication - and avoid messing up the .config file?
April 12th, 2011 7:14am
So I tracked down the <location path="SharePoint - 80"> entry; beneath it is the modification:
<security>
  <authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
      <providers>
So - is the location <location path="SharePoint - 80"> correct?
OK, so now I can connect to the website via the hardware load balancer - I can see the FIM logo, but it's got the 'Service not available' error message.
April 12th, 2011 7:31am
Yes, that is the only place you need to modify it in my experience. I take a copy, then open an elevated NOTEPAD and edit. I have never needed to stop anything whilst doing this.
The trick to finding the correct piece to edit is to search for what I wrote >>>path="Sharepoint - 80<<< not >>>Sharepoint - 80<<<
April 12th, 2011 7:38am
thanks Paul, I guess I will need to post another one for the "Service not available" error message.
April 12th, 2011 7:42am
Service not available usually means Kerberos authN isn't working (or you don't have an ObjectSid and Domain).
Assuming you can access the WSS instance using Kerberos by hitting http://loadbalancedname (and not being prompted for authN) then check the following:
You have enabled delegation from the WSS service account to the FIMService SPN on the FIM Service account.
You have enabled delegation from the FIM Service service account to the FIMService SPN on the FIM Service account.
The FIM Service was installed and the name of the portal and service configured as the load balanced name during setup (you can validate this in the configuration file).
Validate the portal and service are up and running by hitting http://ipv4address/identitymanagement
April 12th, 2011 7:54am
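Two of the checks in this reply (who owns each SPN, and whether the two service accounts hold the constrained delegation entries) can be read straight out of Active Directory. The script below is an added example, not code from the thread or from Microsoft; it uses only the .NET DirectorySearcher so it runs on a 2011-era server without the AD module. The account names, the `idm.company.com` name and the SPN list are the first post's values and are assumptions to replace with your own.

```powershell
# Added example (not from the thread): query AD for the holders of each SPN the posts mention
# and for the delegation settings of the two service accounts. Names are the thread's
# examples (assumptions); substitute your own.
function Find-SpnHolders {
    param([string]$Spn)
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(servicePrincipalName=$Spn)"
    [void]$ds.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $ds.FindAll()) { $r.Properties['samaccountname'][0] }
}

function Get-DelegationInfo {
    param([string]$SamAccountName)
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(sAMAccountName=$SamAccountName)"
    foreach ($p in 'userAccountControl', 'msDS-AllowedToDelegateTo') { [void]$ds.PropertiesToLoad.Add($p) }
    $r = $ds.FindOne()
    if (-not $r) { throw "Account '$SamAccountName' not found" }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Account       = $SamAccountName
        Unconstrained = [bool]($uac -band 0x80000)     # TRUSTED_FOR_DELEGATION ("any service")
        ProtocolTrans = [bool]($uac -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION ("use any protocol")
        ConstrainedTo = @($r.Properties['msds-allowedtodelegateto'])   # empty when not constrained
    }
}

$lbName  = 'idm.company.com'   # load-balanced name from the first post
$wssAcct = 'FIMSvcWSS'         # WSS / SharePoint app-pool account
$fimAcct = 'FIMSvcSync'        # FIM Service account

'--- SPN ownership (each SPN must be on exactly one account) ---'
foreach ($spn in "HTTP/$lbName", 'HTTP/idm', "FIMService/$lbName", 'FIMService/idm') {
    $holders = @(Find-SpnHolders $spn)
    $verdict = switch ($holders.Count) { 0 { 'MISSING' } 1 { 'ok' } default { 'DUPLICATE -> KRB_AP_ERR_MODIFIED' } }
    '{0,-32} {1,-30} {2}' -f $spn, ($holders -join ','), $verdict
}
# "setspn -X" reports duplicate SPNs across the whole forest in one pass.

'--- Delegation (the two constrained entries Paul describes) ---'
foreach ($acct in $wssAcct, $fimAcct) {
    $d = Get-DelegationInfo $acct
    $hasFim = [bool]($d.ConstrainedTo | Where-Object { $_ -like 'FIMService/*' })
    '{0,-12} unconstrained={1,-5} protocolTransition={2,-5} constrainedToFIMService={3}' -f `
        $d.Account, $d.Unconstrained, $d.ProtocolTrans, $hasFim
}
```

Read the second table against Paul's advice: both accounts should show `constrainedToFIMService=True`, and `unconstrained=True` (the "any service" option the first post selected) is the setting he says not to use.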
Hi,
I have just reviewed your settings, but here is something interesting - I have just enabled stack tracing in IIS...this is the error message I now get:
No connection could be made because the target machine actively refused it IP_address_of_the_hardware_load_balancer:5725
Just found out that the load balancer has not been configured with ports: 5725 and 5726
Will get the network guys to open them so we can test.
April 12th, 2011 8:06am
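The "actively refused" message in the last post is a TCP-level symptom, so it can be confirmed from the portal server without touching FIM at all. The following added example (not code from the thread) tests each port on the load-balanced name and on each node directly, and separates a refusal (nothing listening, or no VIP rule for that port) from a timeout (traffic dropped). Host names and ports are the thread's own and are assumptions.

```powershell
# Added example (not from the thread): TCP reachability of the FIM ports through the
# load balancer versus each portal node. Names and ports are the thread's (assumptions).
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        # No answer at all within the timeout: packets are being dropped somewhere.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT (dropped/filtered)' }
        $client.EndConnect($ar)   # throws SocketException on an RST (connection refused)
        return 'OPEN'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's method-call wrapper
        if ($ex -is [System.Net.Sockets.SocketException]) {
            if ($ex.SocketErrorCode -eq 'ConnectionRefused') { return 'REFUSED (no listener / no VIP rule)' }
            return "SOCKET ERROR ($($ex.SocketErrorCode))"
        }
        return "ERROR ($($ex.Message))"
    } finally {
        $client.Close()
    }
}

$targets = 'idm.company.com', 'FIMPortal-01.company.com', 'FIMPortal-02.company.com'
$ports   = 80, 5725, 5726   # portal HTTP, plus the FIM Service ports named in the post

foreach ($t in $targets) {
    foreach ($p in $ports) {
        '{0,-28} {1,5}  {2}' -f $t, $p, (Test-TcpPort -HostName $t -Port $p)
    }
}
# Reading the table: OPEN on a node but REFUSED or TIMEOUT on idm.company.com for the same
# port points at the load balancer configuration rather than at the FIM Service itself.
```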