Wednesday 3 December 2014

FIM 2010 R2 SP1: Password Registration and Reset Portals Service Principal Names (SPN's) and Kerberos Delegation

If you complete the installation of Forefront Identity Manager 2010 R2 SP1 without manually creating the Service Principal Names (SPNs) and configuring Kerberos delegation, browsing to the Password Registration and Reset sites returns a "cannot display the webpage" error, much as if the IIS service had stopped or the application pool were not functioning correctly.
The following commands can be run on a Domain Controller to create the required SPNs. You must supply the FQDN for both the Password Registration and Password Reset websites, and you must register the SPNs against the FIM Service Account you have used throughout the FIM installation.


setspn -s HTTP/FQDNpasswordregservice DOMAIN\fimserviceaccount

setspn -s HTTP/FQDNpasswordreset DOMAIN\fimserviceaccount
 
Some applications, such as SQL Server, automatically generate SPNs when they are installed; that is not the case with this component of Forefront Identity Manager. However, if setspn.exe returns the error "Duplicate SPN: Operation Cancelled", you can use the following command to display all the SPNs associated with a particular object.


setspn -l DOMAIN\computer or user object
 
Once the SPNs are created, the portals will start to respond when you browse to them, but you will receive a credentials prompt like the one below because Kerberos delegation has not yet been configured. Delegation of authentication allows the client to send its identity, in the form of a Kerberos ticket, to the front-facing web server. The front-facing web server can then relay the ticket to "back-end" servers to authenticate requests.
 
Open the web.config file for the FIM Password Registration and Reset portals, which can be found under C:\inetpub\wwwroot\wss\VirtualDirectories\80; you can open the file with Notepad.
Press CTRL + F to bring up the Find window, type <resourceManagementClient and click Find. This takes you to the line in web.config that you must edit.
 
Add the attribute requireKerberos="true" to that element. Once completed, the entire element should read something like:
 


<resourceManagementClient resourceManagementServiceBaseAddress="http://FIMSERVER:5725" timeoutMilliseconds="60000" requireKerberos="true" />
Next, open CMD and run iisreset.
When you now attempt to connect to the FIM Password Registration and Reset portals, you should see the splash screens.
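The whole procedure above (register the two HTTP SPNs on the FIM Service Account, check for a duplicate before registering, set requireKerberos="true" on the resourceManagementClient element, then iisreset) as one PowerShell script. This is an added example, not a script from the original post or from Microsoft; the host names, the DOMAIN\fimserviceaccount name and the web.config path are the placeholders used in the post and must be replaced for your environment. It assumes setspn.exe is available (run on a Domain Controller or a machine with RSAT) and that the web.config step is run on the FIM portal server itself.

```powershell
# Added example (not part of the original post): creates the FIM portal SPNs,
# enables Kerberos in the portal web.config and restarts IIS.
# Run from an elevated PowerShell prompt. Placeholders below come from the post.

$ServiceAccount = 'DOMAIN\fimserviceaccount'                          # FIM Service Account (placeholder)
$PortalHosts    = @('FQDNpasswordregservice', 'FQDNpasswordreset')    # portal FQDNs (placeholders)
$WebConfigPath  = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'   # path quoted in the post

foreach ($h in $PortalHosts) {
    $spn = "HTTP/$h"

    # setspn -Q searches the forest for an existing registration of this SPN.
    # A duplicate on another object is what makes setspn abort and what breaks
    # Kerberos for the portal, so surface it before attempting to add.
    $existing = & setspn.exe -Q $spn 2>&1
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered in the forest:`n$($existing -join "`n")"
        Write-Warning "Resolve the duplicate first (setspn -L <object> lists an object's SPNs)."
        continue
    }

    # -S only adds the SPN after verifying that no duplicate exists (safer than -A).
    & setspn.exe -S $spn $ServiceAccount
}

# List what is now registered on the service account so it can be verified.
& setspn.exe -L $ServiceAccount

# --- web.config: require Kerberos on the resourceManagementClient element ---
if (Test-Path $WebConfigPath) {
    # Keep a backup of the untouched file before editing it.
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force

    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $node = $config.SelectSingleNode('//resourceManagementClient')
    if ($null -eq $node) {
        throw "resourceManagementClient element not found in $WebConfigPath"
    }

    # Editing through the XML DOM keeps the file well-formed; the result is the
    # same as appending requireKerberos="true" to the element by hand in Notepad.
    $node.SetAttribute('requireKerberos', 'true')
    $config.Save($WebConfigPath)
    Write-Host "requireKerberos is now '$($node.GetAttribute('requireKerberos'))' in $WebConfigPath"

    # Restart IIS so the portals pick up the new setting (the post's iisreset step).
    & iisreset.exe
} else {
    Write-Warning "web.config not found at $WebConfigPath; run the web.config step on the FIM portal server."
}
```

The duplicate check is done with setspn -Q before setspn -S is called, so a conflicting registration on some other computer or user object is reported with the object it belongs to instead of only the "Duplicate SPN" abort; if the two portals are hosted on separate servers, the web.config step has to be run on each of them.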