MIM2016 - Installing PAM server

I am trying to install PAM server. I have followed this guide https://technet.microsoft.com/en-us/library/mt345588.aspx with a couple of differences in my environment.

I have already done steps 7a and 7b, but in step 7c I can't find any files under the \Privileged Access Management Portal\ folder.

Also, when I try to access the addresses http://localhost:8086/ and http://localhost:8090/ I get HTTP errors.

This is from the first one:

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

Detailed Error Information:

Module: WindowsAuthenticationModule
Notification: AuthenticateRequest
Handler: ExtensionlessUrlHandler-ISAPI-4.0_64bit
Error Code: 0x80070021
Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Config File: \\?\C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API\web.config
Requested URL: http://localhost:8086/
Physical Path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API
Logon Method: Not yet determined
Logon User: Not yet determined

Config Source:
   36:       <authentication>
   37:         <windowsAuthentication enabled="true" useKernelMode="false"/>
   38:       </authentication>

And this from the second one:

HTTP Error 403.14 - Forbidden

The Web server is configured to not list the contents of this directory.

Most likely causes:
  • A default document is not configured for the requested URL, and directory browsing is not enabled on the server.

Things you can try:
  • If you do not want to enable directory browsing, ensure that a default document is configured and that the file exists.
  • Enable directory browsing using IIS Manager.
    1. Open IIS Manager.
    2. In the Features view, double-click Directory Browsing.
    3. On the Directory Browsing page, in the Actions pane, click Enable.
  • Verify that the configuration/system.webServer/directoryBrowse@enabled attribute is set to true in the site or application configuration file.

Detailed Error Information:

Module: DirectoryListingModule
Notification: ExecuteRequestHandler
Handler: StaticFile
Error Code: 0x00000000
Requested URL: http://localhost:8090/
Physical Path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal
Logon Method: Anonymous
Logon User: Anonymous

August 10th, 2015 7:37am
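
One way to inspect the lock state that the 500.19 / 0x80070021 error above describes, as an added example that is not part of the original post or the TechNet guide. The site name is a placeholder; the section name and web.config path are the ones shown in the error page, and the script only reads configuration and prints a suggested command.

```powershell
# Added example: read-only check of why IIS rejects <windowsAuthentication> in web.config.
$siteName = '<PAM REST API site name>'   # placeholder, not given in the thread
$section  = 'system.webServer/security/authentication/windowsAuthentication'
$appHost  = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$webCfg   = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API\web.config'

[xml]$cfg = Get-Content -LiteralPath $appHost -Raw
[xml]$web = Get-Content -LiteralPath $webCfg -Raw

# Locate the section declaration under <configSections>; it carries overrideModeDefault.
$parts  = $section -split '/'
$groups = ($parts[0..($parts.Count - 2)] | ForEach-Object { "/sectionGroup[@name='$_']" }) -join ''
$decl   = $cfg.SelectSingleNode("/configuration/configSections$groups/section[@name='$($parts[-1])']")

if (-not $decl) {
    'Section is not declared: the Windows Authentication role service is not installed.'
    return
}

# A missing overrideModeDefault attribute means the section may be overridden (Allow).
$default = $decl.GetAttribute('overrideModeDefault')
if (-not $default) { $default = 'Allow' }
'Server default for {0}: {1}' -f $section, $default

# <location> tags can lock or unlock the section for a specific site or path.
foreach ($loc in $cfg.SelectNodes('/configuration/location')) {
    if ($loc.SelectSingleNode($section)) {
        $mode = $loc.GetAttribute('overrideMode')
        if (-not $mode) { $mode = 'Inherit' }
        "location path='{0}' overrideMode={1}" -f $loc.GetAttribute('path'), $mode
    }
}

# The error only occurs when web.config sets a section that is locked above it.
$usedInWebConfig = $null -ne $web.SelectSingleNode('//windowsAuthentication')
'web.config sets windowsAuthentication: {0}' -f $usedInWebConfig

if ($default -eq 'Deny' -and $usedInWebConfig) {
    'Unless a location tag above allows it for this site, this produces 0x80070021.'
    'Site-scoped unlock (run elevated, after reviewing the output above):'
    '  "{0}\System32\inetsrv\appcmd.exe" unlock config "{1}" -section:{2} -commit:apphost' -f $env:windir, $siteName, $section
}
```

Scoping the unlock to the one site keeps the authentication section locked for every other site on the server, so their web.config files still cannot change how users are authenticated.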

I think I missed step 6.

Ok, it is still on the Connect.


  • Edited by 2xTsei 19 hours 14 minutes ago
August 10th, 2015 8:01am


Ok, it is still on the Connect.


2xTsei, the reference PAM Portal is on GitHub here.

Cheers,
August 10th, 2015 1:59pm


Hi 2xTsei, tbh I haven't seen this 'Internal Server Error' before. Are you really using 'localhost' for the PAM Portal and PAM REST API URIs? Did you update the Web.config and utils.js files as per the documentation?

Cheers,
August 17th, 2015 4:20pm


Did you get this PAM portal working?


Yes it works fine. I'm using 'http://pamportal.contoso.com:8090/' for the PAM Portal and 'http://pamapi.contoso.com:8086/' for the REST API. Out of interest can you download the roles.json file from the REST API?

August 18th, 2015 1:14pm

I am having a similar issue.

  • From the corp domain workstation, I open IE using the priv\priv.jen credentials
  • I navigate to the PAMSRV home page which opens successfully
  • When I click on any of the tabs on the left side (Activate, View History, or Approvals), I am prompted for credentials.
  • I enter the credentials correctly three consecutive times, both as priv\priv.jen and with the domain suffix, priv.jen@priv.contosa.local
  • The following error is displayed:



September 11th, 2015 1:32pm

I found that I was having the problem due to Kerberos authentication issues. I found that the SPNs that I had created were incorrect. After fixing (delete, create new, restart PAMSRV), I was able to navigate the web site without error.

2xTsei: Recommend you check the SPNs using the setspn -L command:

PS C:\Users\Administrator> setspn -L svc-mimservice
Registered ServicePrincipalNames for CN=svc-MIMService,CN=Users,DC=priv,DC=contosa,DC=local:
        FIMService/pamsrv.priv.contosa.local
PS C:\Users\Administrator> setspn -L svc-sharepoint
Registered ServicePrincipalNames for CN=svc-SharePoint,CN=Users,DC=priv,DC=contosa,DC=local:
        http/pamsrv
        http/pamsrv.priv.contosa.local

Please note that my service accounts are named differently than what was specified in the TechNet lab. Also, my domain name is slightly different too.

-Matt

September 11th, 2015 2:36pm
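
The SPN check from the answer above, turned into a script that flags missing, duplicated or misassigned SPNs; this is an added example, not part of Matt's post. The SPN-to-account map is taken from his setspn output, and the script assumes it runs on a machine joined to the PRIV domain and searches only that domain.

```powershell
# Added example: verify that each SPN is registered exactly once, on the expected account.
# Account and host names are the ones in the setspn -L output quoted in the thread;
# replace them with the values from your own lab.
$expected = @{
    'FIMService/pamsrv.priv.contosa.local' = 'svc-MIMService'
    'http/pamsrv'                          = 'svc-SharePoint'
    'http/pamsrv.priv.contosa.local'       = 'svc-SharePoint'
}

function Test-SpnOwner {
    param(
        [Parameter(Mandatory)] [string] $Spn,
        [Parameter(Mandatory)] [string] $ExpectedAccount
    )
    # LDAP search of the current domain for every object that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    if ($owners.Count -eq 0) {
        $status = 'MISSING'          # no Kerberos ticket can be issued for the service
    } elseif ($owners.Count -gt 1) {
        $status = 'DUPLICATE'        # the KDC cannot pick one account, so Kerberos fails
    } elseif ($owners[0] -ne $ExpectedAccount) {
        $status = 'WRONG ACCOUNT'    # ticket is encrypted for an account the service does not run as
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Spn      = $Spn
        Expected = $ExpectedAccount
        Owners   = $owners -join ', '
        Status   = $status
    }
}

$expected.GetEnumerator() |
    ForEach-Object { Test-SpnOwner -Spn $_.Key -ExpectedAccount $_.Value } |
    Sort-Object Spn |
    Format-Table -AutoSize
```

Any row other than OK is worth fixing before retesting the portal; setspn -X gives a second opinion on duplicates.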


Hi

I am getting a "status code: 500" error, not "status code: 401". Also, I am not using Kerberos, but I have still registered the SPNs.

September 14th, 2015 1:44am

This topic is archived. No further replies will be accepted.
