Troubleshooting FIM: Service Is Not Available - Invalid SPN on the Application Pool Identity Account

PROBLEM STATEMENT

The customer is not able to view the FIM Portal via the FIM Portal Server. We focused on the FIM Administrator account, because that account could not reach the FIM Portal on the FIM Portal Server. We received a “Service Is Not Available” message when viewing the FIM Portal from a client machine, and nothing but a white page when viewing it from the FIM Portal Server itself.

CAUSE

The SPN on the Application Pool Account (SharePoint – 80) is invalid. We discovered this by running a Network Monitor trace on the FIM Portal server while attempting to access the FIM Portal.

NETWORK MONITOR TRACE INFORMATION

1. The network trace shows several KDC_ERR_S_PRINCIPAL_UNKNOWN errors.

ErrorCode: KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

This is the KDC's response to the client's service-ticket request for HTTP/fimportal.domainCU.com: no account in the domain holds that SPN, so no service ticket is issued and Kerberos authentication to the portal fails.

Sname: HTTP/fimportal.domainCU.com

APPLICATION POOL ACCOUNT SPN

Registered ServicePrincipalNames for (( DN for the Application Pool Account )):

HTTP/FIMPortal.domain.com
HTTP/FIMPortal
HTTP/FIMService.domain.com
HTTP/FIMService

2. The SPN the client requests is not registered on the account:

a. HTTP/fimportal.domainCU.com

3. Additionally, the following SPNs should be removed from the account:

a. HTTP/FIMService.domain.com

b. HTTP/FIMService


RESOLUTION

To resolve the issue, update the SPNs on the Application Pool Account (SharePoint-80) so that the account holds the correct entries. After the change, the registered SPNs should be:

Registered ServicePrincipalNames for CN=AppPoolAccount,OU=myou,OU=orgou,OU=departmentou,DC=domainCU,DC=com:

HTTP/FIMPortal.domainCU.com
HTTP/FIMPortal
HTTP/PortalMachineName.domainCU.com
HTTP/PortalMachineName
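
As an added example (not part of the original post), the following PowerShell script lists the SPNs currently registered on the application pool account, compares them with the four entries expected above, and, when run with -Apply, adds the missing ones and removes the stale ones with setspn. The account name and the portal host name are placeholders to be replaced with your own values.

```powershell
# Added example, not from the original post: reconcile the SPNs on the SharePoint-80
# application pool account against the set the FIM Portal needs (see the resolution).
# Assumptions (placeholders): account 'DOMAINCU\AppPoolAccount', portal host
# 'PortalMachineName'. Requires setspn.exe (RSAT) and write access to the account.
param(
    [string]$Account    = 'DOMAINCU\AppPoolAccount',        # placeholder app pool identity
    [string]$PortalFqdn = 'FIMPortal.domainCU.com',         # name clients browse to
    [string]$HostFqdn   = 'PortalMachineName.domainCU.com', # server hosting the site
    [switch]$Apply                                          # report only unless set
)

# Expected set: the browsed name and the host name, each as FQDN and short name.
# FIMService.* entries are not part of it, so they are reported as stale below.
$expected = @($PortalFqdn, $HostFqdn) | ForEach-Object {
    "HTTP/$_"; "HTTP/$($_.Split('.')[0])"
}

# setspn -L prints a header line, then one indented SPN per line.
$current = @(setspn -L $Account | Where-Object { $_ -match '^\s+\S+/\S+' } |
             ForEach-Object { $_.Trim() })

# -notcontains compares case-insensitively, which matches how AD compares SPNs.
$missing = @($expected | Where-Object { $current -notcontains $_ })
$stale   = @($current  | Where-Object { $expected -notcontains $_ })

Write-Host "Registered on $Account :`n  $($current -join "`n  ")"
Write-Host "Missing: $($missing -join ', ')"
Write-Host "Stale  : $($stale -join ', ')  (review before removing)"

# A needed SPN already held by a different account also produces
# KDC_ERR_S_PRINCIPAL_UNKNOWN, so look for duplicates before adding anything.
foreach ($spn in $missing) {
    $holders = setspn -Q $spn | Where-Object { $_ -match '^CN=' }
    if ($holders) { Write-Warning "$spn is already registered on: $holders" }
}

if ($Apply) {
    foreach ($spn in $missing) { setspn -S $spn $Account }   # -S refuses duplicates
    foreach ($spn in $stale)   { setspn -D $spn $Account }
    setspn -L $Account                                        # show the final state
}
```

Run it first without -Apply and confirm the stale list contains only the FIMService entries before removing anything.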