FIM Installation Companion - Service Principal Names (SPNs)
OVERVIEW / PURPOSE
The purpose of this wiki is to provide guidance on how to add the Service Principal Names (SPNs) required for a Forefront Identity Manager (FIM) solution. If these are not set up properly, you will experience issues with the FIM Portal (typically Kerberos authentication failures).
ADDING SPNs TO REQUIRED ACCOUNTS
FIM Service Account
On a domain controller in the domain where the FIM Solution is installed, open an administrative command prompt by right-clicking Command Prompt and selecting Run as administrator.
Type:
setspn -S FIMService/<alias> <Domain Name>\<FIM Service Account Name>
( e.g. setspn -s FIMService/myfimservicemachine DOMAINA\svcFimService )
<alias>: This is what you entered during the installation of the FIM Service and Portal to reference the FIM Web Service
- Name of the machine running the FIM Service
- DNS: CNAME
- DNS: Host (A) Record
- Network Load Balancing (NLB): The name of the cluster
<Domain Name>: NETBIOS name of the domain that the FIM Solution has been installed
<FIM Service Account Name>: sAMAccountName of the FIM Service Account
(*NOTE: Remember, the FIM Service Account needs to be a domain account.)
If you are using several different names - for instance, fully qualified domain names (FQDN) and NETBIOS names - to contact the server, repeat the setspn command above for every name, so that one FIMService SPN exists per name.
FIM SHAREPOINT SERVICE ACCOUNT ( For the FIM Portal Server )
If the address that the clients use to contact the FIM Portal is not the same as the server address, you have to establish an SPN for HTTP. That is, if you use a CNAME resource record in DNS, have a SharePoint farm, or use NLB, this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:
On a domain controller in the domain where the FIM Solution is installed, open an administrative command prompt by right-clicking Command Prompt and selecting Run as administrator.
Type:
setspn -S HTTP/<FIMPortalAlias> <Domain Name>\<SharePoint Service Account>
( e.g. setspn -s HTTP/myfimportalmachine DOMAINA\svcSharePointService )
- <FIMPortalAlias>: The host name portion of the address that is used to navigate to the FIM Portal ( e.g. myfimportalserver for http://myfimportalserver/ )
- <Domain Name>: NETBIOS name of the domain in which the FIM Solution has been installed
- <SharePoint Service Account>: sAMAccountName of the SharePoint Service Account ( e.g. the account specified on the SharePoint - 80 Application Pool in IIS )
*NOTE: If the account running the SharePoint - 80 Application Pool is Network Service, then the SharePoint Service Account should be the computer account of the machine on which SharePoint Services 3.0 and the FIM Portal are running.
If you are using several different names - for instance, fully qualified domain names (FQDN) and NETBIOS names - to contact the server, repeat the setspn command above for every name, so that one HTTP SPN exists per name.
ADDITIONAL INFORMATION FOR SETTING UP THE SPNs
- FIM Installation Guide
- FIM Installation Guide - Before You Begin ( To establish the SPNs for the FIM Service )
TROUBLESHOOTING THE FIM SPNs
ENSURING SPNs LOOK CORRECT
Here, our goal is to validate that the SPNs entered for the FIM Solution have been entered correctly. We will be utilizing the SETSPN.EXE utility to be able to view this information.
On a domain controller in the domain where the FIM Solution is installed, open an administrative command prompt by right-clicking Command Prompt and selecting Run as administrator.
Type:
setspn -l <domain name>\<FIM Service Account Name>
and press the ENTER key ( e.g. setspn -l DOMAINA\myfimserviceaccount )
Type:
setspn -l <domain name>\<SharePoint Service Account>
and press the ENTER key ( e.g. setspn -l DOMAINA\mysharepointserviceaccount )
*NOTE: If the account running the SharePoint - 80 Application Pool is Network Service, then the SharePoint Service Account should be the computer account of the machine on which SharePoint Services 3.0 and the FIM Portal are running ( e.g. setspn -l DOMAINA\MYFIMPORTAL$ ).
CHECKING FOR DUPLICATE SPNs
Here, our goal is to validate that none of the SPNs entered for the FIM Solution is also registered on another account, because a duplicate SPN causes Kerberos ticket requests for that service to fail. We will be utilizing the SETSPN.EXE utility ( view the Parameters section ) to be able to view this information.
On a domain controller in the domain where the FIM Solution is installed, open an administrative command prompt by right-clicking Command Prompt and selecting Run as administrator.
Type:
setspn -x
and press the ENTER key. Any SPN reported by this command is registered on more than one account and must be removed from the account that should not hold it.
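The two troubleshooting checks above ( listing each account's SPNs and looking for duplicates ) can be run together from PowerShell. The script below is an added example, not part of the original wiki or the FIM product; it assumes the ActiveDirectory module (RSAT) is installed, and the SPN and account names in $expected are placeholders taken from this page's examples that you replace with your own.

```powershell
# Added example: verify that each expected FIM SPN is registered exactly once,
# on the intended account. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Expected SPN -> sAMAccountName that should hold it (placeholder values from
# this page's examples; add one entry per name clients use, NETBIOS and FQDN).
# If SharePoint - 80 runs as Network Service, use the computer account instead,
# e.g. 'MYFIMPORTAL$'.
$expected = @{
    'FIMService/myfimservicemachine'               = 'svcFimService'
    'FIMService/myfimservicemachine.domaina.local' = 'svcFimService'
    'HTTP/myfimportalmachine'                      = 'svcSharePointService'
    'HTTP/myfimportalmachine.domaina.local'        = 'svcSharePointService'
}

function Test-FimSpn {
    param([hashtable]$Expected)
    $report = @()
    foreach ($spn in $Expected.Keys) {
        # Search the whole domain for any object (user or computer) carrying this SPN.
        $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                                -Properties sAMAccountName
        $names = @($holders | ForEach-Object { $_.sAMAccountName })

        # MISSING   : setspn -S was never run for this name
        # DUPLICATE : same SPN on two accounts, Kerberos cannot pick a key (setspn -x)
        # WRONG ACCT: registered, but not on the FIM / SharePoint service account
        $status = if ($names.Count -eq 0)           { 'MISSING' }
                  elseif ($names.Count -gt 1)       { 'DUPLICATE' }
                  elseif ($names[0] -ne $Expected[$spn]) { 'WRONG ACCT' }
                  else                              { 'OK' }

        $report += [pscustomobject]@{
            SPN      = $spn
            Expected = $Expected[$spn]
            Found    = ($names -join ', ')
            Status   = $status
        }
    }
    return $report
}

Test-FimSpn -Expected $expected | Format-Table -AutoSize
```

Anything other than OK in the Status column points to the setspn command in the corresponding section above; a DUPLICATE row lists both holders so you can see which account should not carry the SPN.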