Only local admin can login - no domain users at all
I've been trying to troubleshoot this problem in my lab for a couple of days now. I did have a kerberos problem but I'm positive that's resolved. Nonetheless I cannot login with any domain user on either the fim server or another domain computer. The error is that old "Unable to process your request" one.

Everything I can see in the logs seems to indicate it's all fine:
- The only Kerb error I see is KDC_ERR_PREAUTH_REQUIRED, which as I understand it is just the login box popping up.
- I can see that the ticket is granted by the DC
- The user has the ticket in klist
- On the FIM server I see a successful login in the Security log
- There are no errors in the FIM log. When I turn on verbose logging I see encouraging messages about the user being authenticated and authorized.

I have also exported the objectSid out of the Portal and used PsGetSid to compare it to the actual sid in AD - identical. Domain and username are correct. What else could it be??

http://www.wapshere.com/missmiis
March 22nd, 2011 5:21pm

Would you post the call stack following the steps at http://setspn.blogspot.com/2010/06/fim-2010-enable-advanced-error-logging.html

Thanks

The FIM Password Reset Blog http://blogs.technet.com/aho/
March 22nd, 2011 8:11pm

Server Error in '/' Application.
The endpoint could not dispatch the request.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The endpoint could not dispatch the request.
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ServiceFaultException: The endpoint could not dispatch the request.]
   Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters) +1457
   Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +499
[ServerDownException: Error connecting to server]
   Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +1171
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration() +269
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +118
   Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +16
   Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +117
   Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +32
   System.Web.UI.Control.EnsureChildControls() +146
   System.Web.UI.Control.PreRenderRecursiveInternal() +61
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Control.PreRenderRecursiveInternal() +224
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394

http://www.wapshere.com/missmiis
March 23rd, 2011 2:45am

Ah forget it - I just need to enable some MPRs (new installation). I spent so much time troubleshooting the kerberos problem I had that when it still didn't work I couldn't think of obvious things!

Tell me - when did it become necessary to enable MPRs to allow login? Was it always like that? It's just I don't remember having to do that before.

http://www.wapshere.com/missmiis
March 23rd, 2011 2:52am

Carol,

What MPRs did you enable? I'm not really aware of any that need to be enabled for a login to work... Might be mistaken though.

Regards, Thomas
http://setspn.blogspot.com
March 23rd, 2011 3:59am

I'm glad it's not just me! So I re-disabled them and found that the test user I was already using still worked. So then I logged in with a new user account, never attached to the portal before, and had the problem. I then switched the MPRs back on one at a time.

"User management: Users can read attributes of their own"
When I enable this one the user can now login but he can't see anything - just the title bar.

"General: Users can read non-administrative configuration resources"
Now the user can see a proper Portal. Note that just enabling this one without the one above did not work, so you definitely seem to need both.

http://www.wapshere.com/missmiis
March 23rd, 2011 4:48am

Yes, those are the two required MPRs for a non-admin (i.e. a user not in the Administrators set) to go to the portal. My blog talks briefly about that: http://blogs.technet.com/b/aho/archive/2009/10/20/forefront-identity-manager-credential-management-part-3.aspx

The FIM Password Reset Blog http://blogs.technet.com/aho/
March 23rd, 2011 7:47pm
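
A read-only check for the two MPRs identified in this thread, added here as an example (it is not code from any poster or from Microsoft). It assumes the FIMAutomation snap-in is available, the FIM Service is on the default endpoint http://localhost:5725, and the account running it can read MPRs; `Get-MprState`, `$FimUri` and `$RequiredMprs` are names made up for the example.

```powershell
# Added example: read-only check of the two MPRs named in this thread.
# Assumptions (not from the thread): FIMAutomation snap-in is installed and the
# FIM Service listens on the default endpoint below.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$FimUri = 'http://localhost:5725/ResourceManagementService'
$RequiredMprs = @(
    'User management: Users can read attributes of their own',
    'General: Users can read non-administrative configuration resources'
)

function Get-MprState {
    param([string]$DisplayName, [string]$Uri)

    # XPath filter on the MPR display name; -OnlyBaseResources skips referenced objects.
    $filter = "/ManagementPolicyRule[DisplayName='$DisplayName']"
    $found = @(Export-FIMConfig -CustomConfig $filter -Uri $Uri -OnlyBaseResources)

    if ($found.Count -eq 0) {
        # Treat a rule that cannot be found the same as one that is not enabled.
        return New-Object PSObject -Property @{ DisplayName = $DisplayName; State = 'NotFound' }
    }

    foreach ($item in $found) {
        $attr = $item.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq 'Disabled' }
        # Exported values are strings; an absent Disabled attribute is treated here as enabled.
        $disabled = ($attr -ne $null) -and ("$($attr.Value)" -eq 'True')
        $state = if ($disabled) { 'Disabled' } else { 'Enabled' }
        New-Object PSObject -Property @{ DisplayName = $DisplayName; State = $state }
    }
}

$report = foreach ($name in $RequiredMprs) { Get-MprState -DisplayName $name -Uri $FimUri }
$report | Select-Object State, DisplayName | Format-Table -AutoSize -Wrap

$blocked = @($report | Where-Object { $_.State -ne 'Enabled' })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) of $($RequiredMprs.Count) portal-access MPRs are not enabled; non-admin users may be unable to use the Portal."
}
```

Running this on a fresh installation before testing with a non-admin account separates an MPR problem from a Kerberos one, since the script only reads configuration and changes nothing.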

btw, the first step I would do in troubleshooting portal generic error is to enable the callstack. If it's Kerberos related issues, usually it indicates something around SSPI or something similar.

The FIM Password Reset Blog http://blogs.technet.com/aho/
March 23rd, 2011 7:52pm
