I've had a go at setting FIM up (all on a single server), and the portal doesn't work from remote machines; it works on the server though, which leads me to believe I've made some sort of error with the SPNs or delegation which is affecting Kerberos. It displays the following error:
'Service Not Available'
I've used the following accounts
SA-FimSync - Synchronisation account (runs 'Forefront Identity Manager Synchronisation Service')
SA-FimService - Mail-enabled service account for FIM (runs 'Forefront Identity Manager Service')
SA-FimAgent - Agent account.
SA-SharePoint - Runs the SharePoint app pool for the portal.
I've configured the following SPNs:
setspn -S FIMService/FIMService.local.mydomain.sch.uk ATS\SA-FimService
setspn -S FIMService/FIMService ATS\SA-FimService
setspn -S HTTP/FIMPortal.local.mydomain.sch.uk ATS\SA-SharePoint
setspn -S HTTP/FIMPortal ATS\SA-SharePoint
setspn -S HTTP/PWReg.local.mydomain.sch.uk ats
and have the following DNS records all pointing to the same server:
FIMservice
Fimportal
PwReg
PwReset
The delegation is set to:
ATS\SA-SharePoint to ATS\SA-FimService
ATS\SA-FimService to ATS\SA-FimService
I'm really not sure where to look next to solve this issue and would appreciate any guidance.
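As an added diagnostic (not code from the original post), the following PowerShell cross-checks the SPNs and delegation settings listed above. It assumes the RSAT ActiveDirectory module is installed and that the account and SPN names are exactly as posted.

```powershell
# Added example, not from the original post: verify that each SPN the post
# registers exists on exactly one account (the right one) and show what each
# account is allowed to delegate to. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Accounts and the SPNs the post says were registered for each of them
$expected = @{
    'SA-FimService' = @('FIMService/FIMService.local.mydomain.sch.uk', 'FIMService/FIMService')
    'SA-SharePoint' = @('HTTP/FIMPortal.local.mydomain.sch.uk', 'HTTP/FIMPortal')
}

foreach ($name in $expected.Keys) {
    $acct = Get-ADUser -Identity $name -Properties servicePrincipalName, msDS-AllowedToDelegateTo, TrustedForDelegation
    Write-Host "== $name"

    foreach ($spn in $expected[$name]) {
        # An SPN present on two accounts, or on the wrong account, means the KDC
        # issues a ticket for a key the web/service process cannot decrypt.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        if ($owners.Count -eq 0) {
            Write-Host "  MISSING       $spn"
        } elseif ($owners.Count -gt 1) {
            Write-Host "  DUPLICATE     $spn -> $($owners.Name -join ', ')"
        } elseif ($owners[0].DistinguishedName -ne $acct.DistinguishedName) {
            Write-Host "  WRONG ACCOUNT $spn -> $($owners[0].DistinguishedName)"
        } else {
            Write-Host "  OK            $spn"
        }
    }

    # Constrained delegation targets (msDS-AllowedToDelegateTo) and whether
    # unconstrained delegation is enabled; compare against the intended
    # SA-SharePoint -> SA-FimService and SA-FimService -> SA-FimService chain.
    Write-Host "  Delegates to : $($acct.'msDS-AllowedToDelegateTo' -join '; ')"
    Write-Host "  Unconstrained: $($acct.TrustedForDelegation)"
}

# Forest-wide scan for duplicate SPNs, independent of the names above
setspn -X
```

Run it as a domain user with read access to the service accounts; the OK/DUPLICATE/WRONG ACCOUNT lines and the delegation targets are what to compare against the post's intended configuration.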