Friday, February 18, 2011

SOAP security negotiation with 'http://fim:5725/ResourceManagementService/Resource'

We finally got to the bottom of a problem we were having with the Public Client with regards to this odd SOAP security negotiation error. The inner exception might look something like this:

Inner Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'FIMService/ If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

Oddly enough, our error contained the SPN reference of 'host/' and not 'FIMService', but the real problem here as to do with the way your Kerberos delegation is setup for your FIM Service account – the account that is running the FIM Service itself. The 'Before You Begin' section of the Install Guide correctly instructs you to configure the Service Principal Names for this account, however it leaves out one bit of clarifying information when instructing you how to configure the Constrained Delegation. The instructions are:

Turn on Kerberos delegation for the FIM Service service account in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.

Now, here is how we had our FIM Service account configured:

Note the setting "Use Kerberos only" – using this configuration will restrict the delegated service from delegating to a service using any other protocol other than Kerberos. In this configuration, FIM itself works just fine and the first time I saw this create an issue was when testing Henrik Nilsson's FIM Attribute Store for ADFS. I kept getting errors and I was assured they were Kerberos issues, of which I stubbornly pointed out that everything was configured properly and working on my side. Smile

So, three are three types of delegation with respect to Kerberos:

  1. Unconstrained delegation – the "old" way
  2. Constrained delegation – the "new recommended" way
  3. Constrained delegation with Protocol Transition – for when the initial authN is not Kerberos based

When you configure constrained delegation in this manner using the Use Kerberos Only setting, you are preventing protocol transition from occurring. For reasons I don't completely understand, the FIM Public Client leverages protocol transition and the internal FIM classes do not.

So, how do I fix this thing? Easy, set the account to the "Use any authentication protocol" setting and then restart your FIM Services.


Post a Comment