Tuesday 9 December 2014

FIM 2010 R2 SP1: Inbound Sync Rule CustomAttributes script "DomainObjectSid_IFFSStatement.ps1" from The FIM Scriptbox fails with "Error: Could not find a forest identified by: 'domain'."

After reviewing the Microsoft guide "Syncing Active Directory with FIM", I got to the stage of populating the Synchronization Rules using the FIM Portal. In the guide the following section outlines how you must generate a CustomExpression string.
 
How to Sync Active Directory with FIM.


As the domain I was trying to sync with Active Directory was Windows Server 2003 based, which does not natively have PowerShell (or the AD DS PowerShell cmdlets), I used a Windows Server 2012 R2 VM with the AD DS server role installed.
At first I had to reconfigure the ExecutionPolicy to allow Unrestricted scripts. I then tried to run the DomainObjectSid_IFFSStatement.ps1 script provided by The FIM Scriptbox and received the error "Error: Could not find a forest identified by: 'domain'."
To find where in the code the script was failing, I opened the script in the PowerShell ISE, selected small sections of the code and used the Run Selection button to narrow down where the code encounters the error.
 
In this instance it was Line 10, $ForestObject = Get-ADForest, that was causing the script to fail. At first I thought it was a DNS issue that was causing the problem, so I did all the usual things and could not find anything.
The fix in this case was to configure the Active Directory Web Services service to start Automatically when the system starts. Once I did this and re-ran the script, it generated the required CustomExpression string I needed to continue.
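As an added example (not part of the post or of the FIM Scriptbox script), the following PowerShell checks the prerequisite that turned out to be the problem, the ADWS service, before calling Get-ADForest. The $DomainController parameter and the ADWS port (TCP 9389) are assumptions, not values from the post.

```powershell
# Added example, not from the post: confirm Active Directory Web Services (ADWS) is
# running and set to start automatically before calling Get-ADForest, which is the
# line the Scriptbox script failed on. Assumes the ActiveDirectory module is installed.
function Test-AdwsBeforeGetAdForest {
    param(
        # Assumed parameter: the DC the AD cmdlets will talk to (defaults to this host)
        [string]$DomainController = $env:COMPUTERNAME
    )

    # WMI exposes both the start mode and the current state of the service
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='ADWS'" -ComputerName $DomainController
    if (-not $svc) { throw "ADWS is not installed on $DomainController (is it a domain controller?)" }

    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "ADWS on $DomainController start mode is '$($svc.StartMode)'; setting it to Automatic"
        [void]$svc.ChangeStartMode('Automatic')
    }
    if ($svc.State -ne 'Running') {
        Write-Warning "ADWS on $DomainController is '$($svc.State)'; starting it"
        [void]$svc.StartService()
        Start-Sleep -Seconds 5
    }

    # The AD cmdlets reach ADWS over TCP 9389 (assumption, see lead-in); a host firewall
    # or a stopped listener produces the same "could not find a forest" error
    $probe = Test-NetConnection -ComputerName $DomainController -Port 9389 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP 9389 on $DomainController is not reachable; ADWS is up but the port is blocked"
    }

    # Only now run the call from line 10 of the script
    Import-Module ActiveDirectory -ErrorAction Stop
    $ForestObject = Get-ADForest -Server $DomainController
    Write-Host "Forest: $($ForestObject.Name)  Root domain: $($ForestObject.RootDomain)"
    return $ForestObject
}
```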

Thursday 4 December 2014

Forefront Identity Manager 2010 R2 (FIM) portal "Service not available."

When you try to access the FIM 2010 R2 portal you receive the following screen stating that "Service not available. Please contact your help desk or system administrator."
 
In the Event Logs there is a continuous error, "Event 3, Microsoft.ResourceManagement", which states "System.Net.WebException: Unable to connect to remote server ---->" and "No connection could be made because the target machine actively refused it 10.25.1.40:433." That IP was actually one of my Domain Controllers, so I disabled the Windows Firewall to see if it would resolve the error. No change unfortunately.
 
After a bit of research and some travelling through TechNet blogs I came across this link, "A hotfix rollup package (build 4.1.3508.0) is available for Forefront Identity Management 2010 R2" http://support.microsoft.com/kb/2913228/en-us. Although my issue was not directly mentioned in the More Information section, I thought it would be best to install the updates for the components I had deployed.
 
I installed FIMSyncService_x64_KB2913228.exe first.

Then FIMService_x64_KB2913228 second.
After the second patch was applied, the FIM portal started to work.
 

Wednesday 3 December 2014

FIM 2010 R2 SP1: Password Registration and Reset Portals Service Principal Names (SPN's) and Kerberos Delegation

If you complete the installation of Forefront Identity Manager 2010 R2 SP1 and do not manually create the Service Principal Names (SPNs) and configure Kerberos delegation, then when you try to browse to the Password Registration and Reset sites you will receive a "cannot display the webpage" error, much as if the IIS service had stopped or the Application Pool was not functioning correctly.
 
 
 
The following commands can be run on a Domain Controller to create the required SPNs. You must state the FQDN for both the Password Registration and Password Reset websites, and the SPNs must be set on the FIM Service Account you have used throughout installing FIM.

setspn -s HTTP/FQDNpasswordregservice DOMAIN\fimserviceaccount

setspn -s HTTP/FQDNpasswordreset DOMAIN\fimserviceaccount
 
Some applications, such as SQL Server, automatically generate SPNs when they are installed; this is not the case with this component of Forefront Identity Manager. If setspn.exe returns the error "Duplicate SPN: Operation Cancelled", you can use the following command to display all the SPNs associated with a particular object:

setspn -l DOMAIN\<computer or user object>
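As an added example (not part of the post), the following PowerShell wraps the setspn steps above so that the two portal SPNs are only registered after checking that no other object already holds them, which is what produces the "Duplicate SPN" error. The service account and portal FQDNs are placeholders passed in as parameters.

```powershell
# Added example, not from the post: register the two FIM portal SPNs only after
# checking that no other account already holds them. setspn's switches are
# case-insensitive; -S/-L are the documented forms of the post's -s/-l.
function Register-FimPortalSpn {
    param(
        # Assumed placeholders: the FIM service account and the two portal FQDNs
        [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. 'DOMAIN\fimserviceaccount'
        [Parameter(Mandatory)][string[]]$PortalFqdn      # registration and reset FQDNs
    )
    foreach ($fqdn in $PortalFqdn) {
        $spn = "HTTP/$fqdn"

        # setspn -Q searches the forest for an existing registration of this SPN.
        # When it finds one, the owning object's DN is printed on a line starting "CN=".
        $owners = @(setspn -Q $spn | Where-Object { $_ -match '^\s*CN=' })
        if ($owners.Count -gt 0) {
            Write-Warning "$spn is already registered on: $($owners -join '; ')"
            Write-Warning "A second registration would make Kerberos for $fqdn fail intermittently; list that object's SPNs with setspn -L and remove the stale entry first"
            continue
        }

        # -S adds the SPN only after setspn's own forest-wide duplicate check (unlike -A)
        setspn -S $spn $ServiceAccount | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $ServiceAccount failed (exit code $LASTEXITCODE)" }
        Write-Host "Registered $spn on $ServiceAccount"
    }

    # Show what the account now holds (the post's setspn -l step)
    setspn -L $ServiceAccount
}
```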
 
Once the SPNs are created, when you try to browse to the portals you will see they are now starting to respond; you will receive a credentials box like the one below, as Kerberos delegation has not yet been configured. Delegation of authentication allows the client to send its identity, in the form of a Kerberos ticket, to the front-facing web server. The front-facing web server can then relay the ticket to the "back-end" servers to authenticate requests.
 
Open the web.config file for the FIM Password Registration and Reset portals, which can be found at C:\inetpub\wwwroot\wss\VirtualDirectories\80; you can open the file with Notepad.
Press CTRL + F to bring up the Find window, type <resourceManagementClient and click Find. This takes you to the line in the web.config file that you must edit.
 
The attribute requireKerberos="true" must be added to that element. Once completed the entire element should read something like:

<resourceManagementClient resourceManagementServiceBaseAddress="http://FIMSERVER:5725" timeoutMilliseconds="60000" requireKerberos="true" />

Next, open a command prompt and run iisreset.
Now when you attempt to connect to the FIM Password Registration and Reset portals you should now see the splash screens.
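As an added example (not part of the post), the following PowerShell makes the same web.config change through the XML DOM rather than by hand, so the attribute quoting cannot end up broken, and keeps a backup of the file. The $WebConfigPath value is a placeholder; the post gives C:\inetpub\wwwroot\wss\VirtualDirectories\80 as the location.

```powershell
# Added example, not from the post: set requireKerberos="true" on the
# <resourceManagementClient> element of a FIM portal web.config via the XML DOM.
function Enable-FimPortalKerberos {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,  # placeholder, e.g. ...\VirtualDirectories\80\web.config
        [switch]$RestartIis                             # run iisreset afterwards, as the post does
    )
    $path = (Resolve-Path -Path $WebConfigPath).Path
    [xml]$config = Get-Content -Path $path -Raw

    $node = $config.SelectSingleNode('//resourceManagementClient')
    if (-not $node) { throw "No <resourceManagementClient> element found in $path" }

    # Useful to see which FIM Service endpoint this portal is bound to
    $base = $node.GetAttribute('resourceManagementServiceBaseAddress')
    Write-Host "FIM Service address in this web.config: $base"

    if ($node.GetAttribute('requireKerberos') -eq 'true') {
        Write-Host 'requireKerberos is already true; nothing to change'
        return $false
    }

    # Keep a copy of the original before touching a file IIS reads for every request
    $backup = "$path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $path -Destination $backup
    $node.SetAttribute('requireKerberos', 'true')
    $config.Save($path)
    Write-Host "Updated $path (backup at $backup)"

    # The change is only picked up once the application pool recycles
    if ($RestartIis) { iisreset | Out-Null }
    return $true
}
```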

Tuesday 2 December 2014

FIM 2010 R2 SP1: Creating Management Agents to Active Directory Forest fails with "failed-connection Error Server Down Error Code 0x51"

When you try to create a new Management Agent from Forefront Identity Manager (FIM) 2010 R2 you get the error "failed-connection Error Server Down Error Code 0x51". This error was basically stupid of me and came down to name resolution between the two domains. The FIM server was in the new 2012 R2 Active Directory and it could not resolve DNS names in the forest I was trying to configure FIM to query.
 
 
The fix was to enable Zone Transfers (in this case "To Any Server") on the source Active Directory DNS server.

From the new Active Directory DNS server I then created a new Secondary Zone, which I pointed at the IP of a known Domain Controller in the source AD. Because I had configured Zone Transfers, the Secondary Zone was immediately populated.

From the FIM server I flushed the DNS cache and clicked Next again. I could then continue creating the Management Agent.
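As an added example (not part of the post), the following PowerShell performs the secondary-zone side of the fix on the new forest's DNS server with the DnsServer module, forces an immediate transfer and then checks that a source DC resolves. The zone name, master IP and test host are placeholders, and it assumes the FIM server uses this DNS server.

```powershell
# Added example, not from the post: create the secondary zone for the source forest on
# the new forest's DNS server, pull it immediately and verify a source DC resolves.
function Add-SourceForestSecondaryZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,        # placeholder, e.g. 'sourceforest.local'
        [Parameter(Mandatory)][string[]]$MasterServers, # IP(s) of known DCs in the source forest
        [Parameter(Mandatory)][string]$TestHost         # FQDN of a source DC to resolve afterwards
    )
    Import-Module DnsServer -ErrorAction Stop

    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        Write-Host "Zone $ZoneName already exists on this server"
    } else {
        # On the source DNS server the post allowed transfers "To Any Server"; limiting
        # that list to this server's IP gives the same result without handing the whole
        # zone to anyone who asks for it.
        Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -MasterServers $MasterServers
    }

    # Don't wait for the SOA refresh interval: request the zone now
    Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer

    # The same steps the post did by hand: flush the resolver cache, then check a name
    Clear-DnsClientCache
    $answer = Resolve-DnsName -Name $TestHost -Type A -Server 127.0.0.1 -ErrorAction Stop
    Write-Host "$TestHost -> $($answer.IPAddress -join ', ')"
    return $answer
}
```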
 

FIM 2010 R2 SP1: Installing FIM Password Portal and FIM Reporting "The SharePoint 2010 Administration Service is not running. Please start it and then click "Retry". Click "Cancel" to abort setup."

After going through the massively complex installation process of the Forefront Identity Manager installation wizard for the Password Reset portal and the Reporting Services components, you receive the following error: "The SharePoint 2010 Administration Service is not running. Please start it and then click "Retry". Click "Cancel" to abort setup." It's pretty self-explanatory as an error: basically the SharePoint 2010 Administration Service is not running on the SharePoint server (which in this case is also the FIM server).
 
 
I had forgotten to reconfigure the SharePoint 2010 Administration (or SPAdminV4) service to start Automatically; I did this manually from the services.msc MMC.
 
After this I clicked Retry and the setup continued.