Hello All,
First a little bit about the FIM topology and SPNs I've set up and then on to the problem(s) I'm having.
FIM1 - SharePoint, FIM Service and Portal, Password Reset/Password Registration Portals
FIM2 - Synchronization Service
SQL1 - Contains FimService and Synch Service database
ExchangeServer - Hosting the Exchange stuff.
SPNs have been configured for:
http/fim1 domain\sharepointservice and the FQDN
FimService/fim1 domain\FimService and the FQDN
http/passwordreset.domain.org and passwordregistration.domain.org domain\FIM1$
The MSSQLsvc already has an SPN configured for SQL1
Problem 1:
I get everything installed and can access http:\\fim1\identitymanagement (FIM Portal) for a little while. After a period of time the page becomes unresponsive and I get an error message that the web page cannot be found. I check the FIM Service in services.msc and the FimService is no longer there. I uninstalled the FimService and reinstalled it again and everything was functioning normally. The page again becomes unresponsive and I check services.msc and this time I see the FimService is running and set to automatic. I decide to bounce the service anyway to see if this will resolve the issue and it disappears before my very eyes. Last I checked David Copperfield isn't standing behind me with a top hat and wand... so what gives?
Problem 2:
I'm having a hard time finding consistent information on Kerberos Authentication set up for the password registration and reset portal app pool being installed on the same server as the FIM Service. Based on what I read in the "Before you Begin guide"...
Repeat the above step for each of the FIM Password portals, using setspn.exe -S HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>, where <ssprPortalHostHeaderName> is the binding information for the FIM Password portal Host Name that was entered during setup. This is the name that will be used by clients to contact the portals.
I set up my aforementioned SPNs accordingly. It asks me if I'm installing the registration portals on a different server from the FIM service and if so, check the boxes, and specify the FIMPassword account. I don't check these boxes and move forward with the install. I get to the registration and reset portal installation section and it asks me for an account name. Am I supposed to be using the FIM1$ computer account as I specified in the SPN? If so, what is the password I am supposed to provide? Should all Kernel Mode settings remain enabled after this? Also, on previous installs, if I set up NetworkService as the app pool identity I've noticed that it at least lets me access the portals, however I get a generic message that the user account password cannot be reset.
Can anyone tell me if I'm supposed to be using the machine account password for the SSPR and SSRP app pool account during set up?
Sorry for the long-winded question, but I've been failing at installing/configuring FIM for the better part of a month and just cannot get this thing to cooperate.
Many thanks for any help you can provide.
Mike
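
One way to check the SPN layout described in the post, as an added example that is not part of the original post or of the FIM documentation: it looks up each SPN in Active Directory and reports whether it is missing, registered more than once, or held by a different account than intended. The FQDN fim1.domain.org is an assumption (the post only says "and the FQDN"); the account names are the ones the post lists.

```powershell
# Added example: verify that each SPN is registered exactly once, on the expected account.
# Requires the ActiveDirectory module (RSAT) and read access to the current domain.
Import-Module ActiveDirectory

# Expected SPN -> owning account (sAMAccountName), taken from the post.
# ASSUMPTION: fim1.domain.org stands in for the FQDN the post does not spell out.
$expected = [ordered]@{
    'http/fim1'                            = 'sharepointservice'
    'http/fim1.domain.org'                 = 'sharepointservice'
    'FimService/fim1'                      = 'FimService'
    'FimService/fim1.domain.org'           = 'FimService'
    'http/passwordreset.domain.org'        = 'FIM1$'
    'http/passwordregistration.domain.org' = 'FIM1$'
}

function Test-SpnOwner {
    param([string]$Spn, [string]$ExpectedOwner)

    # Find every object (user or computer) in the current domain carrying this SPN.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)

    if ($owners.Count -eq 0) {
        $status = 'Missing'          # never registered, or registered under another spelling
    } elseif ($owners.Count -gt 1) {
        $status = 'Duplicate'        # the KDC cannot pick one account for a duplicated SPN
    } elseif ($owners[0].sAMAccountName -ne $ExpectedOwner) {
        $status = 'WrongAccount'     # ticket would be encrypted for an account the service does not run as
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        SPN      = $Spn
        Expected = $ExpectedOwner
        Found    = ($owners.sAMAccountName -join ', ')
        Status   = $status
    }
}

$results = foreach ($spn in $expected.Keys) {
    Test-SpnOwner -Spn $spn -ExpectedOwner $expected[$spn]
}
$results | Format-Table -AutoSize
```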