not authorized
I have a server with FIM installed now (2008 R2 Std with Forefront Client Security). I installed WSS 3.0 SP2 first and ran the configuration in basic settings. That MOSS site works (http://localhost or http://nldemofm01 or http://nldemofm01.domain.local). I installed FIM RC1 and that looks like it works.

And that was just the start :( The website only seems to work for the administrator account logged in to the FIM server. Remote access to the site results in:

    HTTP Error 401. The requested resource requires user authentication.

When I log in with another administrative account on the FIM server and open the webpage from there, I get a Service Unavailable from FIM.

The setup is as follows:

Domain Controller: NLDEMODC01 and NLDEMODC02
FIM Server: NLDEMOFM01.domain.local
DBServer: NLDEMODB01.domain.local (running under SA-NLDEMODB01-SQL)

I have three accounts for FIM:

SA-NLDEMOFM01-SYNC (for the sync engine)
SA-NLDEMOFM01-MAA (for the MA account)
SA-NLDEMOFM01-SC (for the FIM Service)

The last one is the service account that the Forefront Identity Manager Service is running under. I have the following SPNs on that last account:

    setspn -l SA-NLDEMOFM01-SC
    Registered ServicePrincipalNames for CN=SA-NLDEMOFM01-SC,OU=Service Accounts,OU= Identity Management,OU=Services,DC=DEMO,DC=LOCAL:
        HTTP/NLDEMOFM01
        HTTP/NLDEMOFM01.demo.local
        FIMService/NLDEMOFM01.demo.local
        FIMService/NLDEMOFM01

And the following SPNs on the database account:

    setspn -l SA-NLDEMODB01-SQL
    Registered ServicePrincipalNames for CN=SA-NLDEMODB01-SQL,OU=Service Accounts,OU =Databases,OU=Services,DC=DEMO,DC=LOCAL:
        MSSQLSvc/NLDEMODB01:1433
        MSSQLSvc/NLDEMODB01.demo.local
        MSSQLSvc/NLDEMODB01
        MSSQLSvc/NLDEMODB01.demo.local:1433

I have set Trusted for delegation any service Kerberos Only for the NLDEMOFM01 computer account AND the SA-NLDEMOFM01-SC account.
The system log shows errors on DCOM:

    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

I tried to set the security for that one, but no luck: all options are grayed out in the DCOM manager for the IIS WAMREG admin Service.

The FIM groups (local) are filled as follows:

FIMSyncAdmins - demo\Administrator, demo\SA-NLDEMOFM01-SC
FIMSyncBrowse - demo\SA-NLDEMOFM01-SC
FIMSyncJoiners -
FIMSyncOperators -
FIMSyncPasswordSet - demo\SA-NLDEMOFM01-SC

Even more, the event log is showing the following warning when the 2nd administrator on the box tries to log on to the webpage (resulting in the Service Unavailable):

    The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

I'm hoping someone has an idea what is going wrong, and can help me with what I did wrong in this install.

Roelf Zomerman
WORK FOR AVANADE!
February 18th, 2010 12:04pm

Did you find a solution for the error? I have the same issue. Thanks
July 7th, 2010 1:18am

Yes, you must add the account to the FIM database and then sync the SID of the user in the AD to the user object in the FIM database. Then you can use that user to also log in to FIM.

WORK FOR AVANADE!
July 7th, 2010 9:10am
