Demystify Kerberos Setup with FIM 2010 R2

I’ve had the chance to spend some time researching Kerberos authentication and have a requirement at a client to implement it for their FIM 2010 R2 deployment. Microsoft has a decent guide with examples of the Service Principal Names (SPNs) to create, but it falls short on the explanations, so I will try to address some of those. The Microsoft document is on TechNet and is available here: http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx.

Let's go through an example scenario. Let's say that I have a fully distributed FIM deployment: 2 load-balanced servers with the FIM Portal and FIM Service installed, 2 load-balanced servers with FIM R2 SSPR installed, 1 sync server, and a SQL cluster. Now, what SPNs do I need? To answer this we need to start by creating some A records in DNS:

1. First, the load-balanced FIM Service, which will be our first partition of 3; let's call it FIMService-reset. See more on partitioning the FIM Service here: http://social.technet.microsoft.com/wiki/contents/articles/2363.understanding-fim-service-partitions.aspx

2. Second, let's create an A record for the load-balanced FIM Portal; let's call it myID.com/IdentityManagement

3. Third, let's create an A record for SSPR Registration called SSPRRegister

4. Fourth, let's create an A record for SSPR Reset called SSPRReset

Now that is done, what SPNs do we create? Let's start with the FIM Service. We will create an SPN for the FQDN of FIMService-reset, for example FIMService/FIMService-reset.contoso.com. Next we need an SPN for the FQDN and NetBIOS names of both FIM Service servers, for example FIMService/FIMService1.contoso.com, FIMService/FIMService1, FIMService/FIMService2.contoso.com, and finally FIMService/FIMService2. These 5 SPNs are tied to your FIM Service service account, for example svc-FIMservice.

Next, we need an SPN for the A record we created for the FIM Portal, registered on the app pool account for the SharePoint site. This will be an HTTP SPN, for example HTTP/myid.contoso.com.

Almost there! Next, we will create SPNs for the SSPR registration and reset A records that we created, for example HTTP/SSPRRegistration.contoso.com and HTTP/SSPRReset.contoso.com. These SPNs will use the app pool account for the Reset and Registration portals, for example svc-fimPassword. As a note, the Microsoft guide on TechNet says to use the computer name for these SPNs, but that will only work if you have a single server. In this case, since we will load balance these SSPR portals, we will use the app pool account. IMPORTANT TIP: to get this to work you will need to go into IIS and turn off kernel-mode authentication, because with kernel mode on, IIS decrypts the Kerberos ticket with the machine account, which does not hold the HTTP SPN registered on the app pool account. Here is a link on how to do this: http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/06/kernel-mode-authentication.aspx.

Last steps! Follow the TechNet guide to alter the applicationHost.config file. Then, lastly, set up delegation. Two important things here: the FIM Service account will need to delegate to itself, and the SharePoint app pool account that runs the FIM Portal will need to delegate to the FIM Service. So in this scenario, the delegation will include the FIMService service type for FIMService-reset.contoso.com and for both server names that the FIM Service is installed on.
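The SPN, kernel-mode and delegation steps above, pulled together as one PowerShell script. This is an added example, not code from the original post or from Microsoft's guide. It uses the post's example names (svc-FIMservice, svc-fimPassword, the contoso.com hosts); the SharePoint app pool account name svc-FIMsp and the IIS site names are assumptions, so substitute your own. It assumes an elevated session with the RSAT ActiveDirectory module, and the appcmd step has to run on each SSPR web server.

```powershell
# Added example (not from the original post): register the SPNs, turn off
# kernel-mode authentication on the SSPR sites, and set Kerberos-only
# constrained delegation. Names marked "assumed" are placeholders.
Import-Module ActiveDirectory

$domain      = 'CONTOSO'
$fimSvcAcct  = 'svc-FIMservice'   # FIM Service service account (from the post)
$spAppPool   = 'svc-FIMsp'        # SharePoint app pool account (assumed name)
$ssprAppPool = 'svc-fimPassword'  # SSPR registration/reset app pool account (from the post)

# SPNs per the post: the load-balanced name plus FQDN and NetBIOS name of each node.
$fimServiceSpns = @(
    'FIMService/FIMService-reset.contoso.com',
    'FIMService/FIMService1.contoso.com', 'FIMService/FIMService1',
    'FIMService/FIMService2.contoso.com', 'FIMService/FIMService2'
)
$portalSpns = @('HTTP/myid.contoso.com')
$ssprSpns   = @('HTTP/SSPRRegistration.contoso.com', 'HTTP/SSPRReset.contoso.com')

function Register-Spn {
    param([string[]]$Spns, [string]$Account)
    foreach ($spn in $Spns) {
        # setspn -S refuses to add an SPN that already exists anywhere in the
        # forest. A duplicate SPN breaks Kerberos for that service (the KDC
        # issues tickets for the wrong account, so clients get
        # KRB_AP_ERR_MODIFIED or silently fall back to NTLM), so avoid -A.
        & setspn.exe -S $spn "$domain\$Account"
        if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (duplicate SPN?)" }
    }
}

Register-Spn -Spns $fimServiceSpns -Account $fimSvcAcct
Register-Spn -Spns $portalSpns     -Account $spAppPool
Register-Spn -Spns $ssprSpns       -Account $ssprAppPool

# Forest-wide duplicate check; this should report no duplicates.
& setspn.exe -X

# With kernel mode on, IIS decrypts the ticket with the machine account, which
# does not hold the HTTP/* SPNs above. Disable it per SSPR site, on each web
# server. Site names are assumed; list yours with: appcmd list sites
foreach ($site in @('SSPR Registration', 'SSPR Reset')) {
    & "$env:windir\system32\inetsrv\appcmd.exe" set config $site `
        -section:system.webServer/security/authentication/windowsAuthentication `
        /useKernelMode:"False" /commit:apphost
}

# Constrained delegation, Kerberos only: populating msDS-AllowedToDelegateTo
# is the equivalent of "Trust this user for delegation to specified services
# only / Use Kerberos only" in AD Users and Computers. The FIM Service account
# delegates to itself; the SharePoint app pool account delegates to the FIM
# Service. Delegation is limited to exactly the FIMService SPNs, nothing else.
foreach ($acct in @($fimSvcAcct, $spAppPool)) {
    Set-ADUser -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $fimServiceSpns }
}

# Verify what was written before restarting IIS.
foreach ($acct in @($fimSvcAcct, $spAppPool, $ssprAppPool)) {
    & setspn.exe -L "$domain\$acct"
    Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo |
        Select-Object Name, msDS-AllowedToDelegateTo
}

& iisreset /noforce
```

Constrained, Kerberos-only delegation is deliberately used here rather than "Trust this user for delegation to any service": the accounts can only obtain tickets for the listed FIMService SPNs, which is what the FIM Portal actually needs. If you later add a third FIM Service partition or node, its SPNs must be appended to the same msDS-AllowedToDelegateTo list on both accounts, or the portal will fail to authenticate to it.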

Open an elevated command prompt and type IISRESET /noforce, or just reboot the servers, and off you go! Thank you for reading this blog; any feedback is much appreciated.