FIM 2010 R2: Appropriate Service principal name should be set for the Web Pool account
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Forefront Identity Manager 2010 R2 Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).
Product: Forefront Identity Manager 2010 R2
Feature: FIM Certificate Management
Operating System: Windows Server 2008 R2
Severity: Warning
Category: Security
Issue
FIMCM - Appropriate Service principal name should be set for the Web Pool account
Impact
FIMCM – User session information can be exposed
Resolution
FIMCM – Set the Appropriate Service principal names for the Web Pool account.
The Web Pool account should have the HTTP/<fimcm_server> and HTTP/<fimcm_server.fqdn> SPNs set on it. For example, if FIM CM was installed on a server named FIMCM1 in the corp.contoso.com domain, then the Web Pool account should have the HTTP/FIMCM1 and HTTP/fimcm1.corp.contoso.com SPNs set on it. To set the SPNs, use the following procedure:
To set the SPNs for the Web Pool Account
Log on to a domain controller with the appropriate credentials.
Click Start, select All Programs, click Accessories, and then click Command Prompt. This will bring up a command prompt.
In the command prompt, type: Setspn.exe -S HTTP/<fimcm_server> <domain\Web Pool account>, where fimcm_server is the NetBIOS name of your FIM CM server and domain\Web Pool account is your domain and the name of your Web Pool account. For example: Setspn.exe -S HTTP/fimcm1 CORP\FIMCMWebAgent. Press Enter.
In the command prompt, type: Setspn.exe -S HTTP/<fimcm_server.fqdn> <domain\Web Pool account>, where fimcm_server.fqdn is the FQDN of your FIM CM server and domain\Web Pool account is your domain and the name of your Web Pool account. For example: Setspn.exe -S HTTP/fimcm1.corp.contoso.com CORP\FIMCMWebAgent. Press Enter.
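As an added example (not part of the original article), the following PowerShell script checks whether both required SPNs are registered on the Web Pool account and whether any other object in the domain already claims them, which is the duplicate condition that Setspn.exe -S refuses to create. The server, domain and account names are placeholders taken from the article's example, and the script assumes the ActiveDirectory module (RSAT) is available.

```powershell
# Added example, not from the original article: verify the FIM CM Web Pool
# account holds the two HTTP SPNs and that no other object in the domain
# registers them. Names below are placeholders; adjust to your environment.
Import-Module ActiveDirectory

$FimCmServer = 'FIMCM1'                    # NetBIOS name of the FIM CM server
$FimCmFqdn   = 'fimcm1.corp.contoso.com'   # FQDN of the FIM CM server
$WebPoolUser = 'FIMCMWebAgent'             # sAMAccountName of the Web Pool account
$Domain      = 'CORP'                      # NetBIOS domain, used in the suggested command

$requiredSpns = @("HTTP/$FimCmServer", "HTTP/$FimCmFqdn")

# SPNs currently registered on the Web Pool account
$account = Get-ADUser -Identity $WebPoolUser -Properties servicePrincipalName
$current = @($account.servicePrincipalName)

$allOk = $true
foreach ($spn in $requiredSpns) {
    # Any other object in the domain that already registers this SPN
    $holders = Get-ADObject -Filter "servicePrincipalName -eq '$spn'" |
               Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }

    if ($holders) {
        # A duplicate SPN prevents the KDC from issuing a usable ticket, so
        # clients fall back to NTLM or fail; remove it before registering.
        $allOk = $false
        Write-Warning "$spn is already registered on: $($holders.DistinguishedName -join ', ')"
    }
    elseif ($current -contains $spn) {
        Write-Host "OK      $spn is set on $WebPoolUser"
    }
    else {
        $allOk = $false
        Write-Warning "MISSING $spn. Register it with: Setspn.exe -S $spn $Domain\$WebPoolUser"
    }
}

if ($allOk) { Write-Host "All required SPNs are registered on $WebPoolUser with no duplicates." }
```

Run it from a domain-joined host as a user with read access to the domain; the Setspn.exe commands it prints are the ones from the procedure above.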
Warning
Please be aware that there is currently an issue with having this SPN in place and running the Best Practice Analyzer scan. This has to do with the SPN and Enable-PSRemoting. For more information, see the Kerberos Issue with using the Best Practice Analyzer section in the Best Practice Analyzer for Forefront Identity Manager 2010 R2 documentation.
Additional references
For more information, see the FIM 2010 R2 Deployment Guide (https://technet.microsoft.com/en-us/library/jj134310(v=ws.10))