PROBLEM STATEMENT
The customer is not able to view the FIM Portal via the FIM Portal Server. We were focused on the FIM Administrator account, because that account could not reach the FIM Portal on the FIM Portal Server. We were receiving a “Service Is Not Available” message when viewing the FIM Portal from a client machine, and nothing but a white page when viewing from the FIM Portal Server.
CAUSE
The SPN on the Application Pool Account (SharePoint – 80) is invalid. We were able to discover this by running a network monitor trace on the FIM Portal server when attempting to access the FIM Portal.
NETWORK MONITOR TRACE INFORMATION
1. The network trace displays a KDC_ERR_S_PRINCIPAL_UNKNOWN error.
ErrorCode: KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
This is the response to a request for HTTP/fimportal.domainCU.com
Sname: HTTP/fimportal.domainCU.com
APPLICATION POOL ACCOUNT SPN
Registered ServicePrincipalNames for (( DN for the Application Pool Account ))
HTTP/FIMPortal.domain.com
HTTP/FIMPortal
HTTP/FIMService.domain.com
HTTP/FIMService
2. The following SPN is not listed here:
a. HTTP/fimportal.domainCU.com
3. Additionally, the following SPNs should be removed:
a. HTTP/FIMService.domain.com
b. HTTP/FIMService
RESOLUTION
To resolve the issue, we will need to update the SPNs on the Application Pool Account (SharePoint – 80) so that it contains the correct SPN information.
Registered ServicePrincipalNames for CN=AppPoolAccount,OU=myou,OU=orgou,OU=departmentou,DC=domainCU,DC=com:
HTTP/FIMPortal.domainCU.com
HTTP/FIMPortal
HTTP/PortalMachineName.domainCU.com
HTTP/PortalMachineName
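One way to make that change with `setspn`, as an added example that is not part of the original article. The account name `domainCU\AppPoolAccount` is an assumed logon-name form of the placeholder DN above, and the desired list is the one shown in the resolution; the script only prints its plan until `$apply` is set to `$true`.

```powershell
# Added example: reconcile the SPNs on the application pool account
# against the list from the RESOLUTION section.
$account = 'domainCU\AppPoolAccount'   # assumption: DOMAIN\sAMAccountName of the app pool account
$apply   = $false                      # set to $true to actually change the account

$desired = @(
    'HTTP/FIMPortal.domainCU.com',
    'HTTP/FIMPortal',
    'HTTP/PortalMachineName.domainCU.com',
    'HTTP/PortalMachineName'
)

# setspn -L prints a "Registered ServicePrincipalNames for ..." header,
# then one indented SPN per line. Keep only the indented class/host lines.
$current = @(setspn -L $account |
    Where-Object { $_ -match '^\s+\S+/\S+' } |
    ForEach-Object { $_.Trim() })

# SPN matching is case-insensitive; -notcontains compares that way by default.
$toRemove = @($current | Where-Object { $desired -notcontains $_ })
$toAdd    = @($desired | Where-Object { $current -notcontains $_ })

"Will remove: $($toRemove -join ', ')"
"Will add:    $($toAdd -join ', ')"

if ($apply) {
    foreach ($spn in $toRemove) {
        setspn -D $spn $account
    }
    foreach ($spn in $toAdd) {
        # -S checks the domain for an existing registration first and
        # refuses to create a duplicate SPN on a second account.
        setspn -S $spn $account
    }
}

# Verify: the account listing, and which account now answers for the
# Sname the KDC rejected in the network trace.
setspn -L $account
setspn -Q 'HTTP/fimportal.domainCU.com'
```

Run it with an account that has rights to write `servicePrincipalName` on the application pool account, and run `klist purge` on the client before retesting so the browser requests a fresh service ticket.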