FIM 2010 R2: Appropriate Service principal name should be set for the Web Pool account

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Forefront Identity Manager 2010 R2 Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Product

Forefront Identity Manager 2010 R2

Feature

FIM Certificate Management

Operating System

Windows Server 2008 R2

Severity

Warning

Category

Security

Issue

FIMCM - Appropriate Service principal name should be set for the Web Pool account

FIM CM SPN rule

Impact

FIMCM – User session information can be exposed

Resolution

FIMCM – Set the Appropriate Service principal names for the Web Pool account.

The Web Pool account should have the HTTP/<fimcm_server> and HTTP/<fimcm_server.fqdn> SPNs set on it. For example, if FIM CM was installed on a server named FIMCM1 in the corp.contoso.com domain, then the Web Pool account should have the HTTP/FIMCM1 and HTTP/fimcm1.corp.contoso.com SPNs set on it. To set the SPNs, use the following procedure:

To set the SPNs for the Web Pool Account

  1. Log on to a domain controller with the appropriate credentials.

  2. Click Start, select All Programs, click Accessories, and then click Command Prompt. This will bring up a command prompt.

  3. In the command prompt, type: Setspn.exe -S HTTP/<fimcm_server> <domain\Web Pool account>, where fimcm_server is the NetBIOS name of your FIM CM server and domain\Web Pool account is your domain and the name of your Web Pool account. For example: Setspn.exe -S HTTP/fimcm1 CORP\FIMCMWebAgent. Press Enter.

  4. In the command prompt, type: Setspn.exe -S HTTP/<fimcm_server.fqdn> <domain\Web Pool account>, where fimcm_server.fqdn is the fully qualified domain name (FQDN) of your FIM CM server and domain\Web Pool account is your domain and the name of your Web Pool account. For example: Setspn.exe -S HTTP/fimcm1.corp.contoso.com CORP\FIMCMWebAgent. Press Enter.
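As an added example that is not part of the original article, the following PowerShell script performs the check a practitioner would want before and after the procedure above: it lists the SPNs already registered on the Web Pool account, reports any expected SPN that is held by a different account (a duplicate breaks Kerberos for the site), and registers only the ones that are missing. It assumes the article's sample names (FIMCM1, corp.contoso.com, CORP\FIMCMWebAgent) and the standard setspn.exe -L, -Q and -S switches; run it from an elevated prompt with rights to write servicePrincipalName on the account.

```powershell
# Added example, not from the original article. Placeholder values below are
# taken from the article's example; replace them with your own environment.
$ServerNetbios  = 'FIMCM1'
$ServerFqdn     = 'fimcm1.corp.contoso.com'
$WebPoolAccount = 'CORP\FIMCMWebAgent'

# The two SPNs the Best Practices Analyzer rule expects on the Web Pool account.
$expected = @("HTTP/$ServerNetbios", "HTTP/$ServerFqdn")

# setspn -L lists the SPNs currently registered on the account (one per line,
# indented); keep only the HTTP entries. String comparison is case-insensitive.
$registered = & setspn.exe -L $WebPoolAccount 2>&1 |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -like 'HTTP/*' }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Output "OK       $spn is already registered on $WebPoolAccount"
        continue
    }

    # setspn -Q searches the forest for an existing holder of this SPN.
    # If another account already holds it, adding a second copy would leave
    # the KDC unable to pick a key, so report the conflict instead of adding.
    $holder = (& setspn.exe -Q $spn 2>&1 | ForEach-Object { $_.ToString() }) -join "`n"
    if ($holder -match 'Existing SPN found') {
        Write-Warning "CONFLICT $spn is registered on another account:`n$holder"
        continue
    }

    # setspn -S registers the SPN only after its own duplicate check passes.
    & setspn.exe -S $spn $WebPoolAccount | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "ADDED    $spn to $WebPoolAccount"
    } else {
        Write-Warning "FAILED   to add $spn (setspn exit code $LASTEXITCODE)"
    }
}
```

Re-running the script after the changes should print OK for both SPNs; any CONFLICT line points at a duplicate registration that must be resolved on the other account before the Web Pool account can hold the SPN.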

Warning

Please be aware that there is currently a known issue with having this SPN in place when running the Best Practice Analyzer scan. It is related to the SPN and Enable-PSRemoting. For more information, see the Kerberos Issue with using the Best Practice Analyzer in the Best Practice Analyzer for Forefront Identity Manager 2010 R2 section.

Additional references

For more information, see the FIM 2010 R2 Deployment Guide (https://technet.microsoft.com/en-us/library/jj134310(v=ws.10)).