SSPR install less stable since RC1?
First let me say that I really like the fact that in RC1 the MPRs and Workflows no longer need to be created manually, and in some ways getting this configured is simpler. But I have found SSPR in RC1 a lot less reliable than RC0. I installed RC0 SSPR about 6 times and only had problems with some documentation glitches the first time; the other 5 times were fine. I've now tried to install RC1 SSPR for the 10th time and have yet to get it working. I am trying with a pretty simple configuration: single domain and portal + sync service on the same box.

FYI, the installer functions which are supposed to set the permissions for portal and password portal, and to add the sites to trusted sites for all users in IE7, have never worked for me in 10 installs. I've always ended up doing it manually, yet no errors get reported.

There is now a lot of required manual configuration of DCOM permissions, SPNs, group memberships, WSS configuration and IE zones which should, IMHO, be taken care of by the installer. I think the uptake of SSPR in RTM will be a lot higher if this is improved.
November 24th, 2009 11:55pm

Hi Carpriole,

I understand your frustration. I just looked up all the issues you have encountered and posted here, and it seems some are not SSPR specific (SPN, Portal permission etc.). Let me see if I can pull in someone from Setup/Support/Doc here to address your concern.

Regarding the trusted site never being added by the Client Installer, there are a few things I would double check:

1. Make sure you specify the hostname during setup (no http:// prefix).
2. Make sure that below where you specify the hostname, you choose the prefix u wanna add (default is don't add).
3. Check the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\%hostname%"; there should be a subkey saying "FIM Managed" as well as a subkey indicating it's http or https.

If you have a problem with that, feel free to start a new thread, as always :)

The FIM Password Reset Blog http://blogs.technet.com/aho/
November 25th, 2009 5:35am
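
The registry check from step 3 of the reply above, as an added read-only PowerShell example (not part of the original thread and not a FIM tool). The host name `fimportal` is a placeholder; because the reply calls the entries "subkeys", the script reports both registry values and child keys found under the key.

```powershell
# Added example: inspect the machine-wide IE ZoneMap entry for one host.
# Read-only; nothing is written to the registry.
param(
    [string]$HostName = 'fimportal'   # placeholder: the host name given to the client installer, no http:// prefix
)

# Standard IE security zone numbers
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$HostName"

function Get-ZoneMapEntry {
    param([string]$Path)
    $entries = New-Object System.Collections.Generic.List[object]
    if (-not (Test-Path -LiteralPath $Path)) { return $entries }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $entries.Add([pscustomobject]@{ Kind = 'Value'; Name = $name; Data = $key.GetValue($name) })
    }
    foreach ($child in Get-ChildItem -LiteralPath $Path) {
        $entries.Add([pscustomobject]@{ Kind = 'Subkey'; Name = $child.PSChildName; Data = $null })
    }
    return $entries
}

$entries = @(Get-ZoneMapEntry -Path $KeyPath)
if ($entries.Count -eq 0) {
    Write-Output "No ZoneMap entry for '$HostName' under HKLM: the installer did not add the site machine-wide."
    return
}

# The "FIM Managed" marker named in the reply
$marker = $entries | Where-Object { $_.Name -eq 'FIM Managed' }
Write-Output ("'FIM Managed' marker present: {0}" -f [bool]$marker)

# Protocol entries (http / https / *) carry the zone number as their data
foreach ($e in $entries | Where-Object { $_.Kind -eq 'Value' -and $_.Name -in 'http', 'https', '*' }) {
    $zone = [int]$e.Data
    $label = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
    Write-Output ("{0,-6} -> zone {1} ({2})" -f $e.Name, $zone, $label)
}
```

An empty result after a client install that reported no errors is the silent failure described in the first post; a protocol entry mapped to zone 2 means the host is in Trusted sites for every user of the machine.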

A lot of the issues I've had are not specifically SSPR related, but I think the way the documentation, installer and condition checking/error messages work makes it very difficult. I realise FIM is a highly configurable and environment-specific product, but that makes it all the more important to document complete start-to-finish steps or have very good condition checking/error handling.

I have been very disappointed by the way that, if configuration steps are missed, they are not picked up or alerted on by the installer or FIM itself. Examples: DCOM permissions, WMI permissions, SharePoint globally not having anonymous auth enabled, SPNs not being set, IE ESC being off, using 64bit IE on 64bit OS, AD MA having correct AD permissions. Since these are documented (albeit in many separate places), I would have thought it should be reasonably simple to add code to check if they are correct at install/configuration time and raise an error, rather than letting the user try and decrypt the resulting event log error at run time.

I've been putting together a comprehensive task list to get SSPR working for a single domain with a single FIM portal/sync/SQL server, which I'm happy to share once I actually manage to get it working.

BTW, I've really appreciated your efforts to sort through the issues I've had.
November 25th, 2009 11:39pm

I have to admit our documentation isn't great. I once spent 2 weeks full time with a customer deploying SSPR on a cloned environment (i.e. multiple domains, NLB, etc.) and I fully understand your pain. Most configuration problems are specific to a particular environment. I definitely pulled out a lot of hair and banged my head against the wall multiple times.

Some customers want as much detail as possible on why they need to make a specific change to their environment, while some just want the steps to set up an environment for a demo. I don't think the current doc covers too many details on "why". If you have a specific topic you want me to cover in my blog, leave a comment there.

Also, there is another thread talking about the FIM documentation. I think you should also put your comment there: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/51201d05-9fba-4b7a-b81a-4d158d0d9f06

And sorry to hijack this thread, but I do want to address two things that you mentioned regarding IE:

1. "using 64bit IE on 64bit OS"
This is definitely NOT a must. The x64 client installer will register an x86 ActiveX for x86 IE AND an x64 ActiveX for x64 IE. That's why the x64 client installer has one more feature. In fact, the default IE on x64 OS is an x86 IE.

2. "IE ESC being off"
This is NOT really the exact requirement. The actual requirements are:
- The FIM Portal only works if it's in intranet (or trusted site of course).
- ActiveX only works if IE Protected mode is OFF.
Since we can't change your zone security settings, that forces us to put the hostname into trusted sites for IE7 (IE6 and IE8 are fine).

When I have time, I would also like to blog about all the common issues in SSPR (symptoms and resolutions).

The FIM Password Reset Blog http://blogs.technet.com/aho/
November 26th, 2009 1:57am

1. This was in some doco or blog somewhere, maybe release notes. Don't know if this was an RC0 "feature" which doesn't apply anymore. I know that I came across this before, as it was preventing me from registering using x86 IE (on x64 OS), but when I used x64 it worked. Will try and find where the reference came from. Could you confirm that either x86 IE or x64 IE should both work for registration and reset on x64 OS?

2. As many enterprises have customised zone settings, it can be very difficult trying to interpret statements like "must be in trusted zone". I suspect what this really means is "it will work in trusted zone OR local intranet zone IF you have default zone settings". It might be a lot more useful to document the exact settings the portal requires. (These aren't the settings it needs, just an example of what the documentation could look like.)

ActiveX controls and Plugins - Allow Scriptlets - Enable
ActiveX controls and Plugins - Binary and Script Behaviours - Don't care
ActiveX controls and Plugins - Download Signed ActiveX controls - Enable
November 29th, 2009 11:01pm

1. I think in the relnote, under the "Test your deployment" section, it says you need to use x64 IE. Anyway, that's not correct. x86 IE on x64 IE should work.

2. Yes, default zone settings.

The FIM Password Reset Blog http://blogs.technet.com/aho/
November 30th, 2009 2:04am

This topic is archived. No further replies will be accepted.
