Wednesday 3 December 2014

FIM 2010 R2 SP1: Password Registration and Reset Portals Service Principal Names (SPN's) and Kerberos Delegation

If you complete the installation of Forefront Identity Manager 2010 R2 SP1 and do not manually create the Service Principal Names (SPN's) and configure Kerberos delegation when you try to browse to the Password Registration and Reset sites you will receive a cannot display website page, much like the IIS service has stopped or the ApplicationPool is not functioning correctly.
The following commands can be run on a Domain Controller to created the required SPN's, you must state the FQDN for both the Password Registration and Password Reset websites. You must also set the SPN for the FIM Service Account you have used throughout installing FIM.

setspn –s  HTTP/FQDNpasswordregservice DOMAIN\fimserviceaccount

setspn –s  HTTP/FQDNpasswordreset DOMAIN\fimserviceaccount
Some applications such as SQL Server automatically generate SPN's when they are installed this is not the case with this component of Forefront Identity Manager, however if you receive an error "Duplicate SPN: Operation Cancelled" from the setspn.exe, you can use the following command to display all the SPN's associated with a particular object.

setspn –l DOMAIN\computer or user object
Once the SPN's are created when you try to browse to the portal's you will see they are now starting to respond, you will receive the credentials box like below as Kerberos Delegation has not been configured. Delegation of authentication allows the client to send it's identity in the form of a Kerberos ticket to the front-facing web server. The front-facing web server can then relay the ticket to "back-end" servers to authentication requests.
Open the web.config file for the FIM Password Registration and Reset portals which can be found at C:\inetpub\wwwroot\wss\VirtualDirectories\80, you can open the file with Notepad.
Press CTRL + F to bring up a find window and type <resourceManagementClient and click Find. This will take you to a string in the web.config file you must edit.
The following string of text must be added to that line of the code requireKerberos="true". Once completed the entire string should read something like;

<resourceManagementClient resourceManagementServiceBaseAddress=http://FIMSERVER:5725 timeoutMilliseconds=”60000” requireKerberos=”true” />
 Next open up CMD and do an iisreset.
Now when you attempt to connect to the FIM Password Registration and Reset portals you should now see the splash screens.