Service not available - Pre Sync of users
Hi, again... Just did a brand new fresh FIM install, portal, service and sync service on one server and SQL on another. I'm through the "Before you begin" & "Installing the FIM 2010 Server Components". I've installed Update 1 and KB421784. All of the above with no trouble.

So now I've created the ADMA and the FIMMA and I was going to go to the portal and do the sync rules (this is my 4th FIM install), but this time I get a "Service not available" and I haven't even synced the users to the portal yet (I've got the message before on other installs and resolved the issue with AccountName and such). I've done a Full Import and I can see that the install account "AppFIMPA" has all of the needed attributes: AccountName, ObjectSID, Domain, Displayname, ObjectType, ObjectID. So I'm thinking it might be something else this time. SPNs maybe?

setspn -l ivabfim01
http://7913selfservice
MSSQLSvc/ivabfim01.int.sonofon.dk:SQLEXPRESS
WSMAN/ivabfim01
WSMAN/ivabfim01.int.sonofon.dk
TERMSRV/ivabfim01.int.sonofon.dk
TERMSRV/IVABFIM01
RestrictedKrbHost/IVABFIM01
HOST/IVABFIM01
RestrictedKrbHost/IVABFIM01.int.sonofon.dk
HOST/IVABFIM01.int.sonofon.dk

Where to go from here?

EDIT: Looking at the eventlog I get this:

The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

I can see that this thread http://social.technet.microsoft.com/Forums/en/ilm2/thread/0d14e459-25cf-4df2-8cad-283e2cec428e is about the same issue and he speaks of SPN. I've done the setspn -S HTTP/PortalAlias Domain\WssPoolAccount and setspn -S FIMService/alias Domain\FimServiceAccount. I don't really get the part where I have to trust the FIMServiceAccount for delegation though.

/Frederik Leed
December 10th, 2010 3:19pm

So in this http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/9bdfc893-a4e3-4ad4-88f1-707c60e281e4 Thomas says something I can use:

Bottom line:
FIM Service Account SPN: setspn -s fimservice/fimsvr fim-service-service-account
WSS Application Pool Identity Account SPN: setspn -s http/fimportal app-pool-service-account
And then you need to configure (using ADUC) delegation:
The fim-service-service-account should be configured for delegation to fimservice/fimsvr
The app-pool-service-account should be configured for delegation to fimservice/fimsvr

How do you do that last part? I find the user in ADUC, click delegation, trust user for delegation, specify, add FIM servername and then I get a list of services... which is not what I want, I can't select FIMService/fimserver? If I instead add the fimservice user, it lets me select from FIMService/fimserver or FIMService/portal alias. So I'm now able to do something to both users that looks like the:

The fim-service-service-account should be configured for delegation to fimservice/fimsvr
The app-pool-service-account should be configured for delegation to fimservice/fimsvr

My SPN looks like this:

C:\Windows\system32>setspn -l ivabfim01
Registered ServicePrincipalNames for CN=IVABFIM01,OU=Compliant,OU=TelenorServer ,DC=int,DC=sonofon,DC=dk:
HOST/IVABFIM01.INT.SONOFON.DK
HOST/IVABFIM01
WSMAN/ivabfim01
WSMAN/ivabfim01.int.sonofon.dk
TERMSRV/IVABFIM01
TERMSRV/ivabfim01.int.sonofon.dk
RestrictedKrbHost/IVABFIM01
RestrictedKrbHost/IVABFIM01.int.sonofon.dk

After reboot I'm still not able to get in. I actually tried a "trust user for delegation to any service (kerberos only)" and it didn't solve the problem.... Need help :)

/Frederik Leed
December 10th, 2010 4:37pm


Frederik, I assume you are trying to access the portal with the account that installed the account eh? Besides that, can you provide the following information:

Name of the:
SQL Server
FIM Server
FIM Service Service Account
Sharepoint Application Pool Identity Account in IIS

What results do the following commands produce? The paths might be different for your deployment, especially the one for the web.config:

findstr /i /C:"resourceManagementClient resourceManagementServiceBaseAddress" "c:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config"
findstr /i /C:"resourceManagementService externalHostName" "c:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config"
findstr /i /C:"resourceManagementClient resourceManagementServiceBaseAddress" "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"

What results do the following commands produce? Make sure to replace the account name with the correct FIM Service and IIS Application Pool Identity account:

dsquery * domainroot -filter "(sAMAccountName=FIMserviceAccount)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
dsquery * domainroot -filter "(sAMAccountName=IISappPoolAccount)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo

For the dsquery commands to succeed, you might have to execute them from a server/workstation with the AD RSAT installed.

http://setspn.blogspot.com
December 11th, 2010 8:41am


Great Thomas, was hoping for you to answer :)

SQL Server: IVABFIM02
FIM Server: IVABFIM01
FIM Service Service Account: AppFIMPSMAA
Sharepoint Application Pool Identity Account in IIS: AppFIMPWSSAPPA

findstr /i /C:"resourceManagementClient resourceManagementServiceBaseAddress" "c:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config"
Result: <resourceManagementClient resourceManagementServiceBaseAddress="7913selfservice" />

findstr /i /C:"resourceManagementService externalHostName" "c:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config"
Result: <resourceManagementService externalHostName="7913selfservice" />

findstr /i /C:"resourceManagementClient resourceManagementServiceBaseAddress" "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"
Result: <resourceManagementClient resourceManagementServiceBaseAddress="http://7913selfservice:5725" timeoutInMilliseconds="60000" />

C:\>dsquery * domainroot -filter "(sAMAccountName=AppFIMpsmaa)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
AppFIMPSMAA FIMService/ivabfim01;FIMService/7913selfservice; FIMService/ivabfim01

C:\>dsquery * domainroot -filter "(sAMAccountName=Appfimpwssappa)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
AppFIMPWSSAPPA HTTP/7913selfservice FIMService/ivabfim01

/Frederik Leed
December 11th, 2010 8:53am


Wrong: FIM Service Service Account: AppFIMPSMAA
Right: FIM Service Service Account: AppFIMPSCA

So the problem was that I've been setting the SPN with the account for the FIMMA instead of the FIMService Account... :/ I now have access to the portal. The new dsquery result is:

C:\>dsquery * domainroot -filter "(sAMAccountName=AppFIMpsca)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
AppFIMPSCA FIMService/ivabfim01;FIMService/7913selfservice;FIMService/ivabfim04; FIMService/ivabfim01;FIMService/7913selfservice;

So I think I've actually been doing it right, just with the wrong account. Thanks for pointing me in the right direction Thomas.

/Frederik Leed
December 11th, 2010 9:08am


Yeah that's typically Kerberos: it often works without configuring it, but if you configure it wrong, it's totally broken. Glad you sorted it out.

You mentioned this is a single server setup. How come you have ivabfim01, 7913selfservice and ivabfim04 registered as names for the FIM Service? What I most prefer is picking a custom alias for the FIM Service, like "fimsvc.contoso.com", and then use this name during the installation and SPN creation. I don't register SPNs for servernames in this case. I assume HTTP/7913selfservice is the SPN for your portal. Is that a userfriendly name?

P.S. always register SPNs given their FQDN and shortname! I would type the above in all upper case and add 10 ! to it, but that would be rude. If you just register "HTTP/7913selfservice" and your user visits http://7913selfservice, Kerberos will not be used. As 7913selfservice will resolve to 7913selfservice.contoso.com, that's what AD will be queried for: an SPN for HTTP/7913selfservice.contoso.com, which in your case will return nothing...

http://setspn.blogspot.com
December 11th, 2010 9:51am
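An added example (not code from the thread or from FIM) that applies the two checks Thomas describes to the values his dsquery commands print: it flags SPNs that lack their FQDN or short-name twin, and delegation targets that are not SPNs of the FIM Service account (the misconfiguration this thread ended up with). Account names and the DNS suffix int.sonofon.dk are taken from the thread; the attribute values are constructed samples, and in a real run they come from the dsquery output.

```python
"""Audit FIM 2010 SPN and constrained-delegation settings (added example, not code from
the thread). It applies Thomas's checks to the attribute values his dsquery commands
print; sample data is constructed from names in the thread, DNS_SUFFIX is assumed."""

DNS_SUFFIX = "int.sonofon.dk"  # assumption: the domain DNS suffix seen in the thread's SPNs


def parse_dsquery_attr(value: str) -> list[str]:
    """dsquery joins multi-valued attributes with ';' and leaves a trailing ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]


def norm_spn(spn: str) -> tuple[str, str]:
    """'FIMService/IVABFIM01' -> ('fimservice', 'ivabfim01'); AD matches SPNs case-insensitively."""
    service, _, host = spn.partition("/")
    return service.lower(), host.lower()


def missing_fqdn_pairs(spns: list[str], suffix: str = DNS_SUFFIX) -> list[str]:
    """Report SPNs registered only as short name or only as FQDN: a client opening
    http://7913selfservice resolves it to 7913selfservice.<suffix> and asks the KDC
    for HTTP/7913selfservice.<suffix>, so a short-only SPN means no Kerberos."""
    present = {norm_spn(s) for s in spns}
    problems = []
    for service, host in sorted(present):
        if host.endswith("." + suffix):
            short = host[: -(len(suffix) + 1)]
            if (service, short) not in present:
                problems.append(f"{service}/{host} has no short-name SPN {service}/{short}")
        elif (service, f"{host}.{suffix}") not in present:
            problems.append(f"{service}/{host} has no FQDN SPN {service}/{host}.{suffix}")
    return problems


def delegation_gaps(delegating: dict, service_account: dict) -> list[str]:
    """Compare msDS-allowedToDelegateTo with the FIM Service account's SPNs: constrained
    delegation only works towards SPNs that exist on the target account (the thread's
    bug was the FIMService SPNs sitting on the FIMMA account instead)."""
    have = {"/".join(norm_spn(s)) for s in service_account["ServicePrincipalName"]}
    targets = {"/".join(norm_spn(s)) for s in delegating["msDS-allowedToDelegateTo"]}
    gaps = [f"delegation target {t} is not an SPN of the FIM Service account"
            for t in sorted(targets - have)]
    gaps += [f"FIM Service SPN {s} is not a delegation target" for s in sorted(have - targets)]
    return gaps


def audit(accounts: dict, service_account: str = "AppFIMPSCA", suffix: str = DNS_SUFFIX) -> list[str]:
    """Run every check over the dsquery results; an empty list means nothing was flagged."""
    findings = []
    if not accounts[service_account]["ServicePrincipalName"]:
        findings.append(f"{service_account}: no FIMService SPN registered on the FIM Service account")
    for name, attrs in accounts.items():
        findings += [f"{name}: {p}" for p in missing_fqdn_pairs(attrs["ServicePrincipalName"], suffix)]
    for name, attrs in accounts.items():
        if attrs["msDS-allowedToDelegateTo"]:
            findings += [f"{name}: {g}" for g in delegation_gaps(attrs, accounts[service_account])]
    return findings


def account(spns: str, delegate_to: str = "") -> dict:
    """Build one account record from the two attribute strings as dsquery prints them."""
    return {"ServicePrincipalName": parse_dsquery_attr(spns),
            "msDS-allowedToDelegateTo": parse_dsquery_attr(delegate_to)}


# Constructed: the broken state of 11 Dec, SPNs on the FIMMA account (AppFIMPSMAA)
# instead of the FIM Service account (AppFIMPSCA), and short names only.
BEFORE = {
    "AppFIMPSMAA": account("FIMService/ivabfim01;FIMService/7913selfservice;", "FIMService/ivabfim01"),
    "AppFIMPWSSAPPA": account("HTTP/7913selfservice", "FIMService/ivabfim01"),
    "AppFIMPSCA": account(""),
}
# Constructed: the configuration posted on 13 Dec, FQDN and short name for every SPN.
_FIM = ("FIMService/7913selfservice.int.sonofon.dk;FIMService/7913selfservice;"
        "FIMService/ivabfim01.int.sonofon.dk;FIMService/ivabfim01;")
AFTER = {
    "AppFIMPSCA": account(_FIM, _FIM),
    "AppFIMPWSSAPPA": account("HTTP/ivabfim01.int.sonofon.dk;HTTP/ivabfim01;"
                              "HTTP/7913selfservice.int.sonofon.dk;HTTP/7913selfservice;", _FIM),
}
if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(data) or ["no findings"])
```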


7913selfservice is a DNS alias for IVABFIM01 and the users will only contact the portal on http://7913selfservice, so I guess I can remove the FIMService/ivabfim01. I'm gonna remove the FIMService/ivabfim04 when I get my entire configuration to this new production server. I have to move everything because the conf. on ivabfim04 is on a SQL 2008 R2 and that is apparently not supported even though software requirements says "SQL 2008 SP1 or later".

7913selfservice is pretty userfriendly, our Helpdesk is known as 7913, so it kinda makes sense.

HTTP/7913selfservice.int.sonofon.dk is now added.

/Frederik Leed
December 11th, 2010 10:20am


Just posting my now working SPN config.

FIM SPN config:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\appfimpa>dsquery * domainroot -filter "(sAMAccountName=AppFIMpsca)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
AppFIMPSCA FIMService/ivabfim01.int.sonofon.dk;FIMService/ivabfim01;FIMService/7913selfservice; FIMService/ivabfim01.int.sonofon.dk;FIMService/ivabfim01;FIMService/7913selfservice;

C:\Users\appfimpa>dsquery * domainroot -filter "(sAMAccountName=AppFIMpwssappa)" -attr sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
sAMAccountName ServicePrincipalName msDS-allowedToDelegateTo
AppFIMPWSSAPPA HTTP/7913selfservice FIMService/ivabfim01.int.sonofon.dk;FIMService/ivabfim01;FIMService/7913selfservice;

C:\Users\appfimpa>setspn -l ivabfim01
Registered ServicePrincipalNames for CN=IVABFIM01,OU=Compliant,OU=TelenorServers,DC=int,DC=sonofon,DC=dk:
HOST/IVABFIM01
HOST/IVABFIM01.INT.SONOFON.DK
WSMAN/ivabfim01.int.sonofon.dk
WSMAN/ivabfim01
TERMSRV/ivabfim01.int.sonofon.dk
TERMSRV/IVABFIM01
RestrictedKrbHost/IVABFIM01
RestrictedKrbHost/IVABFIM01.int.sonofon.dk

/Frederik Leed
December 12th, 2010 9:42am


OK, so here we go again... Kerberos auth IS working, but only from the server itself. So if I go to the server and logon to the portal, I can access it from both portal and from my client. But if I iisreset (or wait) and access the portal from my client, I get the "Service not available" again.

My configuration looks like this.

FIM Service Account: AppFIMPSCA
ServicePrincipalName
FIMService/7913selfservice.int.sonofon.dk
FIMService/7913selfservice
FIMService/ivabfim01.int.sonofon.dk
FIMService/ivabfim01
msDS-allowedToDelegateTo
FIMService/7913selfservice.int.sonofon.dk
FIMService/7913selfservice
FIMService/ivabfim01.int.sonofon.dk
FIMService/ivabfim01

WSS Application Pool Account: AppFIMPWSSAPPA
ServicePrincipalName
HTTP/ivabfim01.int.sonofon.dk
HTTP/ivabfim01
HTTP/7913selfservice.int.sonofon.dk
HTTP/7913selfservice
msDS-allowedToDelegateTo
FIMService/7913selfservice.int.sonofon.dk
FIMService/7913selfservice
FIMService/ivabfim01
FIMService/ivabfim01.int.sonofon.dk

/Frederik Leed
December 13th, 2010 3:41am


Just opened a second post for this for better overview: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/869c6cf3-f6aa-40d9-a599-02439e456d96

/Frederik Leed
December 13th, 2010 4:02am

