Demystify Kerberos setup with FIM 2010 R2 with SSPR
Case
A customer needed Kerberos authentication configured for their FIM 2010 R2 deployment, including Self-Service Password Reset (SSPR).
Microsoft TechNet has a decent guide with examples of the Service Principal Names (SPNs) to create, but it falls short on the explanations, so this article tries to fill in some of those gaps.
The Microsoft document is on TechNet and is available here: http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx.
Scenario
Let's go through an example scenario. Say I have a fully distributed FIM deployment: two load-balanced servers with the FIM Portal and FIM Service installed, two load-balanced servers with FIM R2 SSPR installed, one sync server, and a SQL cluster.
Now, what SPNs do I need? To answer that we first need to create some A records in DNS, because the client builds the SPN it asks the KDC for from the host name it resolved, not from the IP address behind the load balancer. Use A records rather than CNAMEs: Internet Explorer (and .NET) by default canonicalise a CNAME to the name of the A record it points at and request an SPN for that name instead, so the ticket never matches the SPN you registered.
- The load-balanced FIM Service, which will be the first of our three FIM Service partitions; let's call it FIMService-reset.
- See more on partitioning the FIM Service here: http://social.technet.microsoft.com/wiki/contents/articles/2363.understanding-fim-service-partitions.aspx
- Let's create an A record for the load-balanced FIM Portal; let's call it fim, so the portal is reached at http://fim.contoso.com/IdentityManagement.
- Let's create an A record for the SSPR Registration portal called SSPRRegistration.
- Let's create an A record for the SSPR Reset portal called SSPRReset.
Now that is done, what SPNs do we create?
Which SPNs to create
FIM Service
Let's start with the FIM Service. We will create an SPN for the FQDN of the FIMService-reset record, for example:
- FIMService/FIMService-reset.contoso.com
Next we need an SPN for the FQDN and for the NetBIOS name of each FIM Service server.
For example:
- FIMService/FIMService1.contoso.com
- FIMService/FIMService1
- FIMService/FIMService2.contoso.com
- and finally FIMService/FIMService2
All five SPNs are registered on the FIM Service service account, for example svc-FIMservice. That is the account the FIM Service runs as, so it is the only account whose key can decrypt a ticket issued for these SPNs; registering them anywhere else (for example on the computer accounts as well) creates duplicate SPNs and breaks Kerberos for the service.
FIM Portal
Next, we need an SPN for the A record we created for the FIM Portal, registered on the application pool account of the SharePoint site that hosts the portal. This is an HTTP SPN, for example HTTP/fim.contoso.com.
SSPR
Almost there! Next, we create HTTP SPNs for the SSPR Registration and Reset A records that we created.
For example:
- HTTP/SSPRRegistration.contoso.com
- HTTP/SSPRReset.contoso.com
These SPNs are registered on the application pool account used by the Reset and Registration portals, for example svc-fimPassword.
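The following PowerShell is an added example and is not code from the article or from Microsoft's guide. It registers the SPNs listed above with setspn -S, which refuses to create a duplicate, and then checks that every SPN resolves to exactly one account. Host and account names are the article's examples; the name svc-fimSharePoint for the SharePoint application pool account is an assumption, because the article does not name it.

```powershell
# Added example, not code from the article or from Microsoft's guide.
# Registers the SPNs described above with setspn -S (which refuses to create a
# duplicate) and then checks that every SPN resolves to exactly one account.
# Host and account names are the article's examples; 'svc-fimSharePoint' for the
# SharePoint application pool account is an assumption (the article does not name it).
$domain = 'contoso.com'

# FIM Service: the load-balanced partition name plus FQDN and NetBIOS name of each node.
$fimServiceSpns = @(
    "FIMService/FIMService-reset.$domain",
    "FIMService/FIMService1.$domain", 'FIMService/FIMService1',
    "FIMService/FIMService2.$domain", 'FIMService/FIMService2'
)

# Map: account -> SPNs. The HTTP SPNs go on the application pool identities, not on
# the machine accounts, because the names are load balanced and the ticket is
# encrypted with the key of whichever account holds the SPN.
$spnMap = @{
    'svc-FIMservice'    = $fimServiceSpns
    'svc-fimSharePoint' = @("HTTP/fim.$domain")                                          # FIM Portal app pool (assumed name)
    'svc-fimPassword'   = @("HTTP/SSPRRegistration.$domain", "HTTP/SSPRReset.$domain")  # SSPR portals
}

foreach ($account in $spnMap.Keys) {
    foreach ($spn in $spnMap[$account]) {
        # -S looks for an existing holder before adding. A duplicate SPN is a real failure
        # mode: the KDC may encrypt the ticket for the wrong account, the service cannot
        # decrypt it (KRB_AP_ERR_MODIFIED) and the browser falls back to NTLM or fails.
        & setspn.exe -S $spn $account | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "setspn -S $spn $account failed; check for a duplicate" }
    }
}

# Verification: each SPN must be held by exactly one account ...
foreach ($account in $spnMap.Keys) {
    foreach ($spn in $spnMap[$account]) {
        # setspn -Q prints the DN of every account holding the SPN on lines starting with CN=
        $holders = @(& setspn.exe -Q $spn | Where-Object { $_ -match '^CN=' })
        if ($holders.Count -ne 1) {
            Write-Warning "$spn is held by $($holders.Count) accounts: $($holders -join '; ')"
        } else {
            Write-Host "OK  $spn -> $($holders[0])"
        }
    }
}
# ... and the forest should report no duplicate SPNs at all.
& setspn.exe -X -F
```

Run this as an account that may write servicePrincipalName on the three service accounts. To confirm the result from a client, run klist purge, browse to the portal, and check that klist now lists a ticket for HTTP/fim.contoso.com; if it does not, the browser negotiated NTLM and the SPN or the DNS name is wrong.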
Note
The Microsoft guide on TechNet says to use the computer name for these SPNs, which puts them on the machine account. That only works for a single server: a load-balanced name cannot be registered on two machine accounts without creating a duplicate SPN, and each node would decrypt with a different key. Since we load balance the SSPR portals, we register the load-balanced names on the application pool account instead, so every node decrypts the ticket with the same key.
Note
For this to work you will also need to go into IIS and turn off kernel-mode authentication for these sites. With kernel mode on, http.sys decrypts the Kerberos ticket with the machine account's key rather than the application pool identity's, so a ticket issued for an SPN held by svc-fimPassword cannot be decrypted. (The alternative is to keep kernel mode and set useAppPoolCredentials="true", which makes http.sys use the application pool account's key.)
Here is a link on how to do this: Kernel-mode authentication (http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/06/kernel-mode-authentication.aspx).
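As an added example (not from the article or from Microsoft's guide), the same change made from PowerShell with the WebAdministration module, writing to applicationHost.config rather than a web.config because IIS locks the authentication sections against site-level overrides by default. The site names are the ones the FIM installer creates and are assumed here; confirm them with Get-Website.

```powershell
# Added example, not code from the article or from Microsoft's guide.
# Disables kernel-mode Windows authentication on both SSPR portal sites so that the
# ticket for HTTP/SSPRRegistration and HTTP/SSPRReset is decrypted with the key of the
# application pool identity (svc-fimPassword), which holds the SPNs, instead of the
# machine account. The site names are assumed (FIM installer defaults); check Get-Website.
Import-Module WebAdministration

$sites   = @('Forefront Identity Manager Password Registration Portal',
             'Forefront Identity Manager Password Reset Portal')
$filter  = 'system.webServer/security/authentication/windowsAuthentication'
$appHost = 'MACHINE/WEBROOT/APPHOST'   # <location path="..."> elements in applicationHost.config;
                                        # these are writable even though the authentication
                                        # sections are locked against web.config overrides

foreach ($site in $sites) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name enabled       -Value $true
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name useKernelMode -Value $false
    # Alternative that keeps kernel mode: leave useKernelMode true and set
    # useAppPoolCredentials to $true so http.sys decrypts with the app pool account's key.

    # Read back what is now in effect
    $auth = Get-WebConfiguration -PSPath $appHost -Location $site -Filter $filter
    Write-Host ("{0}: enabled={1} useKernelMode={2} useAppPoolCredentials={3}" -f `
        $site, $auth.enabled, $auth.useKernelMode, $auth.useAppPoolCredentials)

    # Negotiate must be offered before NTLM; if NTLM is listed first the browser uses it
    # and you will never see a Kerberos ticket for the portal.
    $providers = Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$filter/providers/add" |
                 Select-Object -ExpandProperty value
    if ($providers[0] -ne 'Negotiate') {
        Write-Warning "$site offers providers in this order: $($providers -join ', ') (Negotiate should be first)"
    }
}
```

Run it on every SSPR node, since applicationHost.config is per server, and recycle the application pools (or IISRESET) afterwards so the new setting is picked up.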
Last steps!
ApplicationHost.config file
Follow the TechNet guide to alter the applicationHost.config file.
Delegation
Then, lastly, set up delegation.
Two important things here:
- the FIM Service account needs to delegate to itself, and
- the SharePoint application pool account that runs the FIM Portal needs to delegate to the FIM Service.
So in this scenario, the delegation list on both accounts contains the FIMService service type for FIMService-reset.contoso.com and for both server names the FIM Service is installed on (FQDN and NetBIOS), i.e. the same five FIMService SPNs registered earlier. Use constrained delegation ("Trust this user for delegation to specified services only") with exactly these SPNs, not "any service": unconstrained delegation hands the portal a copy of every signed-in user's TGT, so anyone who compromises that service account could impersonate those users against any service in the forest.
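The delegation step done with the ActiveDirectory PowerShell module, as an added example that is not from the article or from Microsoft's guide. It writes msDS-AllowedToDelegateTo on both accounts (the "specified services only, use Kerberos only" option in Active Directory Users and Computers) and then checks that neither account has been given unconstrained delegation or protocol transition. The FIM Service SPNs are the article's; svc-fimSharePoint as the SharePoint application pool account name is an assumption.

```powershell
# Added example, not code from the article or from Microsoft's guide.
# Configures Kerberos constrained delegation for the two accounts the article names.
# 'svc-fimSharePoint' (the SharePoint app pool account that runs the FIM Portal) is an
# assumed name; the FIMService SPNs are the article's.
Import-Module ActiveDirectory

$domain = 'contoso.com'
$fimServiceSpns = @(
    "FIMService/FIMService-reset.$domain",
    "FIMService/FIMService1.$domain", 'FIMService/FIMService1',
    "FIMService/FIMService2.$domain", 'FIMService/FIMService2'
)
$delegatingAccounts = @('svc-FIMservice', 'svc-fimSharePoint')

# Writing msDS-AllowedToDelegateTo on its own is the ADUC option "Trust this user for
# delegation to specified services only / Use Kerberos only". It does NOT set the
# TrustedForDelegation flag (unconstrained) or TrustedToAuthForDelegation (protocol
# transition); neither is wanted here.
foreach ($account in $delegatingAccounts) {
    Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = $fimServiceSpns }
}

# Verify, and flag the two dangerous settings if anyone has turned them on.
foreach ($account in $delegatingAccounts) {
    $u = Get-ADUser -Identity $account -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    if ($u.TrustedForDelegation) {
        Write-Warning "$account is trusted for UNCONSTRAINED delegation: it receives users' TGTs and can impersonate them to any service"
    }
    if ($u.TrustedToAuthForDelegation) {
        Write-Warning "$account has protocol transition enabled; the scenario above does not call for it"
    }
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    $missing = $fimServiceSpns | Where-Object { $allowed -notcontains $_ }
    if ($missing) {
        Write-Warning "$account is missing delegation targets: $($missing -join ', ')"
    } else {
        Write-Host "OK  $account may delegate to: $($allowed -join ', ')"
    }
}
```

Delegation targets are looked up by SPN, so a target that is not registered on svc-FIMservice will silently do nothing; run the SPN check from the earlier section first. Existing tickets do not carry the new delegation rights, so test from a client after klist purge or a fresh logon.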
Open an elevated command prompt and type IISRESET /noforce, or just reboot the servers, and off you go! Clients that already hold tickets for the old configuration need fresh ones (klist purge, or log off and on) before the new SPNs and delegation take effect.
See Also
Another important place to find a huge amount of FIM-related articles is the TechNet Wiki itself. The best entry point is Forefront Identity Manager Resources on the TechNet Wiki.