Understanding your FIM topology is very important when troubleshooting the "Service Is Not Available" error message. The reason is that the Kerberos settings that are required, and how they are set, depend on how you have deployed your FIM solution. Is your FIM solution deployed on a single server, or distributed across multiple machines?

SINGLE SERVER
- Is the FIM Service started?
- Ensure the configuration files are configured correctly

DISTRIBUTED ACROSS MULTIPLE MACHINES
- Is the FIM Service started?
- Ensure the configuration files are configured correctly
- Ensure ServicePrincipalNames (SPNs) are configured correctly
- Ensure delegation is set up correctly
If the FIM Service is not started, you will receive the "Service Is Not Available" error message. You can check whether the FIM Service is started through the following steps:

1. On the machine running the FIM Service, open the Services Management Console: Start > Administrative Tools > Services, or Start > Run, type services.msc and click OK.
2. Locate the Forefront Identity Manager Service and check the status of the service.
3. If the service is stopped, start the service.
4. Test access to the FIM Portal.
How is the FIM Service being referenced?
- Using just the name of the FIM Service machine
- Using a DNS CNAME or a DNS Host (A) record
- Using a Network Load Balancer (NLB)
FIM SERVICE MACHINE NAME
DNS CNAME or DNS HOST (A) RECORD
- Ensure that the configuration files (FIM Configuration File and Web Configuration File) are configured correctly. For a DNS CNAME or DNS Host (A) record, the configuration files should contain the CNAME or Host (A) record name rather than the machine name.
- Ensure that the ServicePrincipalNames (SPNs) are configured correctly (see FIM Installation Companion - ServicePrincipleNames (SPNs) - Adding and Troubleshooting).
NETWORK LOAD BALANCER (NLB)
FIM ADMINISTRATOR
FROM THE FIM PORTAL SERVER
- Ensure that the FIM Administrator still exists in the FIM Portal with the ObjectSID attribute populated.
- Ensure that the configuration files (FIM Configuration File and Web Configuration File) are configured correctly:
  - FIM Configuration File (Appendix A)
  - Web Configuration File (Appendix B)
- Are you able to access the FIM Web Service? (Appendix F)
FROM A CLIENT MACHINE
FIM USER (Non-Administrator)
Running through the steps here assumes that the FIM Administrator is able to access the FIM Portal both from the FIM Portal Server and from a client machine. If this is not true, it is recommended to start your troubleshooting with the FIM Administrator rather than a FIM User.

- Are you able to access the FIM Web Service? (Appendix F)
- Does the user attempting to access the FIM Portal exist in the FIM Portal?
- Does the user have all of the required attributes? (Appendix C)
- Ensure that the default MPRs have been enabled (Appendix D)
- See also: [TROUBLESHOOTING] FIM Portal Access: Invalid Token for Impersonation
INVALID SPN
FIM Portal access uses Kerberos to authenticate to the page. One good tool for troubleshooting this type of issue is Network Monitor. In Network Monitor, apply a protocol filter on KerberosV5. If you have an invalid SPN, you should see a KDC_ERR_S_PRINCIPAL_UNKNOWN response to a Kerberos request for a specific SPN. If you review the associated Kerberos request (the TGS-REQ immediately preceding the error from the same client), you will see the SPN that was requested; that is the SPN the KDC could not find and therefore the one that needs to be registered.
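As an added example, not code from the wiki page, the script below automates the correlation described above: it walks a constructed, simplified text export of a Kerberos-filtered capture, matches each KDC_ERR_S_PRINCIPAL_UNKNOWN reply to the preceding TGS-REQ from the same client, reads off the requested SPN, and compares it with a constructed list of registered SPNs. The frame layout, addresses, host names and SPN list are all assumptions for illustration (Network Monitor's real export format differs); the scenario is the one this page describes, where the configuration files point at a CNAME (fimsvc) but the FIMService SPN was registered only for the host name (fim01).

```python
"""Correlate KDC_ERR_S_PRINCIPAL_UNKNOWN replies with the SPN that was requested.

Constructed example: SAMPLE_FRAMES imitates a text export of a capture filtered on
KerberosV5 (the layout is an assumption, not Network Monitor's real export format).
"""
import re

# Constructed sample frames: (frame number, source IP, destination IP, summary)
SAMPLE_FRAMES = [
    (12, "10.0.0.15", "10.0.0.1", "TGS-REQ sname=FIMService/fimsvc.contoso.com realm=CONTOSO.COM"),
    (13, "10.0.0.1", "10.0.0.15", "KRB-ERROR error-code=KDC_ERR_S_PRINCIPAL_UNKNOWN"),
    (20, "10.0.0.15", "10.0.0.1", "TGS-REQ sname=HTTP/fimportal.contoso.com realm=CONTOSO.COM"),
    (21, "10.0.0.1", "10.0.0.15", "TGS-REP sname=HTTP/fimportal.contoso.com"),
    (30, "10.0.0.22", "10.0.0.1", "TGS-REQ sname=FIMService/fim01.contoso.com realm=CONTOSO.COM"),
    (31, "10.0.0.1", "10.0.0.22", "TGS-REP sname=FIMService/fim01.contoso.com"),
]

# Constructed: the SPNs registered on the FIM Service account (what 'setspn -L' would list).
REGISTERED_SPNS = {
    "FIMService/fim01.contoso.com",
    "FIMService/fim01",
    "HTTP/fimportal.contoso.com",
}

SNAME_RE = re.compile(r"sname=(\S+)")


def find_unknown_principals(frames):
    """Return [(error_frame, client_ip, requested_spn)] for each KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    last_request = {}  # client IP -> (frame, spn) of that client's most recent TGS-REQ
    results = []
    for frame, src, dst, summary in frames:
        if summary.startswith("TGS-REQ"):
            match = SNAME_RE.search(summary)
            if match:
                last_request[src] = (frame, match.group(1))
        elif "KDC_ERR_S_PRINCIPAL_UNKNOWN" in summary:
            # The error is addressed to the client that sent the request.
            request = last_request.get(dst)
            results.append((frame, dst, request[1] if request else None))
    return results


def diagnose(frames, registered):
    """Explain each failure: SPN missing entirely, or a near-miss on a registered host name."""
    findings = []
    for frame, client, spn in find_unknown_principals(frames):
        if spn is None:
            findings.append((frame, client, None, "error without a preceding TGS-REQ in the trace"))
            continue
        service_class = spn.split("/", 1)[0].lower()
        same_class = sorted(s for s in registered if s.split("/", 1)[0].lower() == service_class)
        if same_class:
            note = "not registered; the same service class is registered as " + ", ".join(same_class)
        else:
            note = "not registered for any account"
        findings.append((frame, client, spn, note))
    return findings


if __name__ == "__main__":
    for frame, client, spn, note in diagnose(SAMPLE_FRAMES, REGISTERED_SPNS):
        print(f"frame {frame}: client {client} requested {spn}: {note}")
```

On the constructed trace the script reports a single failure, frame 13, and points at FIMService/fimsvc.contoso.com as the missing SPN while listing the fim01 names that are registered for the same service class, which is exactly the mismatch you would then fix on the service account or in the configuration files.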
APPENDIX A - FIM Configuration File
APPENDIX B - Web Configuration File (web.config)
APPENDIX C - Required Attributes
- Domain
- AccountName
- ObjectSid = Resource SID
- DisplayName = a good thing to have, but not required.
APPENDIX D - Required MPRs
APPENDIX E - Configuration Files Configured Correctly
APPENDIX F - ACCESS THE FIM WEB SERVICE
To test access to the FIM Web Service, navigate to http://<Name of Machine Running the FIM Web Service>:5725 (e.g. http://myfimservicemachine:5725/). If you cannot reach the FIM Web Service, check the following:

- The Forefront Identity Manager Service is started
- Windows Firewall is not interfering

If both of the above check out and you still cannot access the FIM Web Service, consider taking a network trace (Network Monitor 3.4 or Wireshark) to see whether something on the network is causing the issue.
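As an added example, not from the wiki page, the probe below performs the Appendix F check from a script and separates the two causes the appendix lists: a TCP connection that is refused means the host answered but nothing is listening on the port (the Forefront Identity Manager Service is the first thing to check), while a timeout means nothing answered at all (a firewall dropping the connection is the usual cause). Port 5725 is the one the page names; the host names, the throwaway local listener used to demonstrate the probe offline, and the helper function names are assumptions.

```python
"""Probe the FIM Web Service endpoint and classify why it is unreachable.

Added example (not the page's or Microsoft's code). Status values:
  'ok'      - an HTTP response came back from host:port
  'refused' - TCP connection refused: host is up, nothing listens on the port
  'timeout' - no answer at all: typically a firewall silently dropping packets
  'error'   - anything else (name resolution failure, malformed response, ...)
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_fim_service(host, port=5725, timeout=5.0):
    """Return (status, detail) for http://host:port/ ; port 5725 is the FIM Web Service default."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except ConnectionRefusedError:
        return "refused", f"connection refused on port {port}: is the Forefront Identity Manager Service started?"
    except socket.timeout:
        return "timeout", f"no reply within {timeout:.1f}s: check Windows Firewall and the network path"
    except OSError as exc:
        return "error", str(exc)

    # The port is open: request the root document, as a browser at http://host:port/ would.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        response = conn.getresponse()
        return "ok", f"HTTP {response.status} {response.reason}"
    except (http.client.HTTPException, OSError) as exc:
        return "error", f"port open but no valid HTTP response: {exc}"
    finally:
        conn.close()


def start_local_listener():
    """Start a throwaway HTTP server on 127.0.0.1 standing in for the FIM Web Service (demo only)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"stand-in for the FIM Web Service")

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_local_port():
    """Pick a 127.0.0.1 port nothing listens on (bind, read the number, release it)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server, port = start_local_listener()
    print(probe_fim_service("127.0.0.1", port))                 # service reachable
    server.shutdown()
    print(probe_fim_service("127.0.0.1", closed_local_port()))  # nothing listening
    # Against a real deployment: probe_fim_service("myfimservicemachine")
```

Run it against the real host name from the configuration files; a 'timeout' result after confirming the service is started is the point at which the page's advice to take a network trace applies.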
Richard Mueller edited Revision 6. Comment: Added tags
Tim Macaulay edited Original. Comment: added the note about R2