Forefront Identity Manager Portal/Sharepoint portal not using passthrough authentication with FQDN
Hi all,

I have two servers:

  FIM-S01 (SQL 2008, Forefront Sync Service)
  FIM-P01 (Forefront Service and Portal)

I've configured everything as per the set up guide AFAIK. Kerberos passthrough authentication works fine from a client machine when using http://fim-p01/identitymanagement or http://localhost/identitymanagement (from the server), but http://fim-p01.fully.qualified.domain.name/identitymanagement prompts me for credentials. Running Kerbtray shows a ticket gets granted successfully in the former example, but in the latter, no ticket.

Sometimes in the client machine's event viewer I'm seeing:

  The kerberos client received a KRB_AP_ERR_MODIFIED error from the server fim-p01$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (hidden.local), and the client realm. Please contact your system administrator.

My WSS configuration is:

  Web application pool, Web Service: Windows Sharepoint Services Web Application
  Application pool: SharePoint - 80
  Configurable, Username: domain\fimsp
  Password: Appropriate password

Alternate access mappings are configured for:

  http://fim-p01:2521
  http://fim-p01.hidden.local

Under public URL's I've configured:

  Default http://fim-p01/hidden.local (for Sharepoint 80)

SetSPN domain\fimsp shows:

  Registered ServicePrincipalNames for CN=Fim SP,...:
    HTTP/fim-p01
    HTTP/fim-p01.hidden.local

SetSPN domain\fimservice (which I used for the FIM service) shows:

  Registered ServicePrincipalNames for CN=Fim Service,...:
    FIMService/fim-p01.hidden.local
    FIMService/fim-p01

Anybody give me any pointers?

Thanks,
Paul
April 12th, 2011 6:56am

Guys, my bad. Having wrestled with this since yesterday I thought I'd ask the question; 10 minutes after I do, I stumbled on the answer :o)

I'd added the site fim-p01.hidden.local to trusted sites, but the client had some group policy configuration items, one of which said: Internet Options > Security > User Authentication > Logon > Automatic Logon only in Intranet zone. So even being in Trusted sites wasn't sufficient, I guess.. added the FQDN explicitly to local intranet, et voila!

Thanks,
Paul.
April 12th, 2011 7:11am
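The resolution above comes down to two client-side settings that are easy to misread by hand: which Internet Explorer security zone the FQDN actually maps to (Group Policy site-to-zone assignments override the user's own Trusted/Intranet lists), and what the effective "Logon" policy for that zone is. The script below, added here as an example and not part of the thread, reports both for a given FQDN on a Windows client and then runs the SPN checks that apply to the KRB_AP_ERR_MODIFIED event; the host and domain names are placeholders taken from the post, and the registry paths are the standard Internet Settings keys.

```powershell
# Added example, not from the thread. Report the IE security zone a FQDN maps to, the
# effective "Logon" setting for that zone, and whether its HTTP SPN is registered once.
param(
    [string]$HostName  = 'fim-p01',       # placeholder from the post
    [string]$DnsDomain = 'hidden.local'   # placeholder from the post
)
$fqdn = "$HostName.$DnsDomain"
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonNames = @{ 0 = 'Automatic logon with current user name and password'; 0x10000 = 'Prompt for user name and password'
                 0x20000 = 'Automatic logon only in Intranet zone'; 0x30000 = 'Anonymous logon' }
$policyBase = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userBase   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Explicit zone mapping lives under ZoneMap\Domains\<domain>\<host>, one value per scheme (http/https/*).
# The Policies branch (Site to Zone Assignment List) wins over the user's own Trusted/Intranet sites.
function Get-ZoneForHost {
    foreach ($base in "HKLM:\$policyBase", "HKCU:\$policyBase", "HKCU:\$userBase") {
        $key = "$base\ZoneMap\Domains\$DnsDomain\$HostName"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p) {
            $zone = if ($null -ne $p.http) { $p.http } elseif ($null -ne $p.'*') { $p.'*' } else { $null }
            if ($null -ne $zone) { return [pscustomobject]@{ Zone = [int]$zone; Source = $key } }
        }
    }
    return $null   # no explicit mapping: IE typically treats a dotted name as Internet zone
}

# 1A00 is the per-zone "Logon" setting; again the Policies branch overrides the user's value.
function Get-LogonSetting([int]$Zone) {
    foreach ($base in "HKLM:\$policyBase", "HKCU:\$policyBase", "HKCU:\$userBase") {
        $key = "$base\Zones\$Zone"
        $v = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { return [pscustomobject]@{ Value = [int]$v; Source = $key } }
    }
    return $null
}

$map = Get-ZoneForHost
if (-not $map) { "$fqdn has no explicit zone mapping; IE will not send Kerberos credentials automatically." }
else {
    $logon = Get-LogonSetting $map.Zone
    "$fqdn -> zone $($map.Zone) ($($zoneNames[$map.Zone])) via $($map.Source)"
    if ($logon) { "Zone $($map.Zone) logon setting: $($logonNames[$logon.Value]) via $($logon.Source)" }
    if ($map.Zone -ne 1 -and $logon -and $logon.Value -eq 0x20000) {
        "WARNING: automatic logon is limited to the Intranet zone, so $fqdn will prompt for credentials."
    }
}

# SPN checks: KRB_AP_ERR_MODIFIED usually means the SPN is missing or registered on more than one account.
"--- setspn -Q HTTP/$fqdn ---"; setspn -Q "HTTP/$fqdn"
"--- setspn -X (duplicate SPNs in the forest) ---"; setspn -X
```

Run it in the context of the user who is being prompted, since the HKCU branches are per-user; a mapping to zone 2 with a 0x20000 logon value is exactly the combination described in the post.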
