Kerberos Auth Problems
Here's the situation:
I have three servers set up for FIM2010.
FFSync - hosts the synchronization service
FFFIM - hosts the FIMService
FFPortal - hosts the portal
I set up all three OK.
Set up SharePoint to point to http://ffportal
Installed the FIM portal on the server.
I launch http://ffportal/identitymanagement, I get an error.
I launch http://localhost/identitymanagement. It comes up fine.
I then launch http://ffportal/identitymanagement and it comes up fine!
I log off the server, and launch a web browser from a Windows 7 PC and go to
http://ffportal/identitymanagement. I get an error.
I go back to the portal server and launch
http://localhost/identitymanagement and then go back to the Windows 7 PC and launch
http://ffportal/identitymanagement and it comes up OK!
It's driving me nuts. Anyone have any info on this?
Thanks,
Akash
May 26th, 2010 8:59pm
Because the portal caches results it gets from FIMService,
the best way to test it is to do an iisreset before you do anything...
Very likely you are running into a Kerberos mis-configuration.
Following the steps in the other post would give you a better error message:
http://social.technet.microsoft.com/Forums/en/ilm2/thread/7d602219-1438-42ef-9fec-4ca7e7739a70
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 26th, 2010 9:37pm
Thanks Anthony,
I enabled the stacks and indeed I do get a problem with authentication.
Here is the stack:
[FaultException: The request for security token could not be satisfied because authentication failed.]
System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) +15350730
System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target) +18
System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) +165
[SecurityNegotiationException: The caller was not authenticated by the service.]
System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout) +1668
System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout) +203
System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) +21
System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout) +87
[SecurityNegotiationException: The token provider cannot get tokens for target 'http://fffim:5725/ResourceManagementService/Enumeration'.]
Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters) +1605
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +499
[ServerDownException: Error connecting to server]
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +1171
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration() +269
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +118
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +16
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +117
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +32
System.Web.UI.Control.EnsureChildControls() +146
System.Web.UI.Control.PreRenderRecursiveInternal() +61
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394
Now, how do I fix this?
I've set up the SPNs and trusted for delegation as stated in the documentation.
Any assistance would be appreciated.
Thanks,
Akash
May 27th, 2010 1:12am
I am not good at Kerberos stuff so won't be able to help,
but someone else should be able to help.
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 27th, 2010 1:33am
I downloaded kerbtray and examined the tickets that were present when I attempted to log in using the URLs
http://ffportal/identitymanagement and
http://localhost/identitymanagement.
When I logged in to http://localhost/identitymanagement, a ticket for FIMService/fffim shows up (this was the SPN I setup for the FIM Service).
When I log in to http://ffportal/identitymanagement, it does not.
Is it a rights issue?
Anyone else run into this issue?
Akash
May 27th, 2010 2:33pm
Perhaps it might help us if you provide a list of the service accounts used in the setup, the output of setspn -l serviceaccount (for each service account) and a description of which accounts you configured for Kerberos delegation.
Alternatively you could fire up Wireshark during your tests to find out why Kerberos is failing: an SPN which does not exist or delegation permission issues.
P.S. When registering SPNs, IMHO it's always advised to register the short (NetBIOS) name and the FQDN of the service.
And oh, did you change the application pool identity of your FIM portal in IIS?
http://setspn.blogspot.com
May 27th, 2010 5:38pm
The "Before you Begin" section of the Install Guide has pointers to configuring the application pool account and how to set the correct SPNs:
http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx
From the doc:
Select the correct identity for the SharePoint Application Pool
By default, IIS uses the Network Service account for the Application Pool. We recommend that you use a service account for SharePoint to use. Later in this guide you will enable Kerberos delegation, and only one identity can use one Service Principal Name (SPN).
By default an application pool running under a specific service account will not use the service account for Kerberos. In the second configuration step, you will configure IIS to use the service account for Kerberos.
To run the SharePoint Application Pool using an account that is located in the domain
1. Create an account in the domain for use by the SharePoint Application Pool.
2. Start SharePoint 3.0 Central Administration from Administrative Tools.
3. Select Operations and Service Accounts.
4. Select Web Application Pool, and select Windows SharePoint Services Web Application. Select the SharePoint Application Pool where the FIM Portal will be installed, which by default is SharePoint – 80.
5. Enter the user name and password for the service account that you created in the first step.
6. Click OK to save your changes.
Enable the Application Pool to use the service account for Kerberos.
To configure IIS to use the service account for Kerberos delegation, set useAppPoolCredentials as described in
Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=188290).
.....
Establish SPNs for FIM 2010
SPNs are necessary for the Kerberos v5 protocol to be used for authentication. Enabling Kerberos helps to make the traffic secure, and it is required for the clients to be able to communicate with the FIM Service. SPNs must be registered in the domain for Kerberos to work.
We recommend that you use aliases for your FIM Service and FIM Portal. They can be represented as host (A) or CNAME resource records in Domain Name System (DNS). For the FIM Service server, complete the following procedure:
To establish the SPNs for the FIM Service
1. Establish the SPNs for the FIM Service by running the following command:
setspn -S FIMService/<alias> <domain>\<serviceaccount>
The <alias> above is the address that is entered during FIM Service setup and used by the clients and the FIM Portal to contact the Web Service. This can be a CNAME or host (A) resource record in DNS. If you are using Network Load Balancing (NLB), this is the name of the cluster.
The <serviceaccount> above is the account that is used by the FIM Service.
If you are using several different names—for instance, fully qualified domain names (FQDNs) and NetBIOS names—to contact the server, repeat the steps for every name.
2. Turn on Kerberos delegation for the FIM Service service account in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.
For the FIM Portal server, complete the steps in the next procedure.
1. If the address that the clients use to contact the FIM Portal is not the same as the server address, you have to establish an SPN for HTTP. That is, if you use a CNAME resource record in DNS, have a SharePoint farm, or use NLB, this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:
setspn -S HTTP/<FIMPortalAlias> <domain>\<sharepointserviceaccount>
The <FIMPortalAlias> is the address that clients use to contact the FIM Portal server.
The <domain>\<sharepointserviceaccount> is the account that the SharePoint Application Pool uses, as defined in IIS.
If you are using several different names, that is, FQDN and NetBIOS names, to contact the server, repeat the steps for every name.
2. The SharePoint service account must be allowed to delegate to the FIM Service. You can choose to enable delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the selected services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the FIM Service step.
This posting is provided "AS IS" with no warranties, and confers no rights
May 29th, 2010 1:24pm
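The reply above asks for the setspn -l output per service account and a description of the delegation settings, and the quoted install guide lists what should be in place: FIMService/<alias> on the FIM Service account, HTTP/<portal alias> on the SharePoint application pool account (short and FQDN names for each), constrained delegation from the SharePoint account to the FIM Service SPN, and useAppPoolCredentials on the IIS site. The following PowerShell script is an added example, not from the thread or from Microsoft's documentation; it gathers exactly those facts so the answer can be compared against the guide. The account names (CONTOSO\FIMSRV, CONTOSO\SPSRV), the aliases fffim and ffportal and the site name "SharePoint - 80" are assumptions taken from the thread and must be adjusted to the real environment. It needs the RSAT ActiveDirectory module, and the IIS part must run on the portal server.

```powershell
# Added example (not from the thread): report SPN, delegation and IIS settings
# relevant to Kerberos for a FIM 2010 Portal + Service deployment.
Import-Module ActiveDirectory
Import-Module WebAdministration -ErrorAction SilentlyContinue   # only present on the IIS host

# Assumed names; change to your own accounts, aliases and site name.
$fimServiceAccount = 'CONTOSO\FIMSRV'    # FIM Service account
$sharePointAccount = 'CONTOSO\SPSRV'     # SharePoint application pool account
$fimServiceAlias   = 'fffim'             # alias clients use for the FIM Service
$portalAlias       = 'ffportal'          # alias clients use for the portal
$appPoolSite       = 'SharePoint - 80'   # IIS site hosting the FIM Portal

$dnsRoot = (Get-ADDomain).DNSRoot

# SPNs the install guide expects: short (NetBIOS) and FQDN form for each alias.
$expected = @{
    $fimServiceAccount = @("FIMService/$fimServiceAlias", "FIMService/$fimServiceAlias.$dnsRoot")
    $sharePointAccount = @("HTTP/$portalAlias",           "HTTP/$portalAlias.$dnsRoot")
}

function Test-ExpectedSpns {
    foreach ($account in $expected.Keys) {
        $sam  = $account.Split('\')[-1]
        $user = Get-ADUser -Identity $sam -Properties servicePrincipalName
        $registered = @($user.servicePrincipalName)
        "== SPNs on $account =="
        foreach ($spn in $expected[$account]) {
            if ($registered -contains $spn) { "  OK       $spn" }
            else { "  MISSING  $spn   (register with: setspn -S $spn $account)" }
        }
        # Anything else registered on the account is worth knowing about too.
        $registered | Where-Object { $expected[$account] -notcontains $_ } |
            ForEach-Object { "  EXTRA    $_" }
    }
}

function Test-DuplicateSpns {
    # A given SPN may live on only one account; setspn -Q lists every object that holds it.
    "== Duplicate SPN check =="
    foreach ($spn in ($expected.Values | ForEach-Object { $_ })) {
        $owners = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
        if ($owners.Count -gt 1) { "  DUPLICATE $spn is on $($owners.Count) objects:"; $owners | ForEach-Object { "    $_" } }
    }
}

function Test-Delegation {
    # The SharePoint account must be allowed to delegate to the FIM Service SPN.
    # TrustedForDelegation = unconstrained ("any service", not recommended by the guide);
    # msDS-AllowedToDelegateTo holds the constrained list.
    $sam  = $sharePointAccount.Split('\')[-1]
    $user = Get-ADUser -Identity $sam -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    "== Delegation for $sharePointAccount =="
    if ($user.TrustedForDelegation) { "  WARNING  unconstrained delegation is enabled (guide recommends constrained)" }
    $allowed = @($user.'msDS-AllowedToDelegateTo')
    foreach ($spn in $expected[$fimServiceAccount]) {
        if ($allowed -contains $spn) { "  OK       may delegate to $spn" }
        else { "  MISSING  constrained delegation entry for $spn" }
    }
}

function Test-IisAppPoolCredentials {
    # Without useAppPoolCredentials=true, IIS decrypts Kerberos tickets with the
    # machine account, not the pool identity that owns the HTTP/<alias> SPN.
    if (-not (Get-Module WebAdministration)) { "== IIS check skipped (run on the portal server) =="; return }
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $value  = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$appPoolSite" -Filter $filter -Name useAppPoolCredentials
    "== IIS site '$appPoolSite' =="
    if ($value.Value) { "  OK       useAppPoolCredentials is true" }
    else { "  MISSING  useAppPoolCredentials is false (see the IIS 7.0 SPN checklist linked above)" }
}

function Test-ClientTicket {
    # Run on the client (e.g. the Windows 7 PC) after browsing to the portal:
    # a service ticket for HTTP/<portal alias> should appear in klist output.
    $tickets = klist | Where-Object { $_ -match 'Server:\s+HTTP/' -or $_ -match 'Server:\s+FIMService/' }
    "== Kerberos service tickets on this client =="
    if ($tickets) { $tickets | ForEach-Object { "  $_" } } else { "  NONE     no HTTP/ or FIMService/ tickets; the browser fell back to NTLM or failed" }
}

Test-ExpectedSpns
Test-DuplicateSpns
Test-Delegation
Test-IisAppPoolCredentials
Test-ClientTicket
```

Run it once on the portal server (for the IIS check) and once from the failing client (for the ticket check). A MISSING line for the HTTP/ffportal SPN, a missing constrained-delegation entry, or useAppPoolCredentials being false each matches the symptom in the thread: the portal works over http://localhost, where no alias SPN is involved, but not over the alias name.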
Brjann,
I follow the TechNet manuals but I still have problems.
Problem 1: When Windows+Kerberos authentication is chosen, nobody can log in to the website
https://server1/identitymanagement.
PKI is not the problem, I guess. I created an enterprise PKI and gave the right certificates to all servers. I also imported the root of the chain everywhere.
I already made 3 accounts:
FIMSRV: FIM service account, e-mail enabled
FIMSYN: FIM synchronization service account
FIMMA: FIM management agent service account.
As described in your answer, I made a 4th account, SPSRV: SharePoint service account. Then I followed the manuals from TechNet.
Q1: maybe I should have used FIMSRV?
I found a workaround. I chose Basic authentication at the security provider on the SharePoint administration site. But I still want to get it right with Kerberos.
Problem 2: users can't register for password reset.
Q2: Maybe because Kerberos is not available? Is Kerberos mandatory here, or will password reset work with basic authentication?
Here I also followed the TechNet deployment manual.
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2011 5:59am
Since I found this with Google, I thought I would update with my resolution.
Don't use a SharePoint application that is configured for claims based authentication. FIM Portal requires classic authentication.
July 10th, 2012 2:44pm