SecurityNegotiationException when accessing FIM Service from a remote machine with RM Client

Oct 30, 2013 at 11:31 PM
Edited Oct 30, 2013 at 11:34 PM

Before I begin, I should say that I have read all related threads in the Discussions section, but wasn't able to apply the suggestions to my situation or, more so, I need clarification. So my setup is as follows:

Machine 1 - running FIM Service
Machine 2 - IIS Web App that uses RM Client to talk to FIM Service on Machine 1

Both machines are on the same domain.

FIM Service runs under Domain\FimService
SPNs configured in a standard way: FIMService/Machine 1 Domain\FimService

IIS Application pool for the app on Machine 2 runs under Domain\SomeServiceAccount.
I run the application (browser) as domain administrator.

Now the tricky part: at the point when the RM Client is trying to connect to FIM Service, there is no web.config file available (too long to explain, but I can, if necessary). Or, more precisely, it is available but it may contain incorrect endpoint addresses. I could update web.config with the correct endpoints based on user entry, but that would require browser restart as the AppDomain will automatically recycle. So I am left with using the DefaultClient overload constructor that allows you to specify endpoint addresses. Something like this:
    // Endpoint names and addresses passed explicitly instead of being read from web.config
    DefaultClient myClient = new DefaultClient(
        "ServiceMultipleTokenBinding_Resource",        "http://Machine1:5725/ResourceManagementService/Resource",
        "ServiceMultipleTokenBinding_ResourceFactory", "http://Machine1:5725/ResourceManagementService/ResourceFactory",
        "ServiceMultipleTokenBinding_Enumeration",     "http://Machine1:5725/ResourceManagementService/Enumeration",
        "MetadataExchangeHttpBinding_IMetadataExchange", "http://Machine1:5725/ResourceManagementService/MEX",
        "ServiceMultipleTokenBinding_Alternate",       "http://Machine1:5725/ResourceManagementService/Alternate");
The credential for this instance of dc is DefaultNetworkCredential, which I assume would be Domain\Administrator since I am running the browser as one. HttpContext.Current.User.Identity.Name is Administrator, in any case.

I am not sure if I am using this constructor correctly or if it is there only to allow you to override the addresses in the web.config. I am also not sure if there's any identity information passed in the message to the FIM service (like, servicePrincipalName=".../..."). The way I see it, there is an endpoint address, but there is no identity information for the service except for the dc credential, and where that comes into play, I don't know.

In the end, I get "Caller not authenticated" exception on dc.Enumerate call.

So my questions are:
  1. Do I have to use mgercevich's approach to instantiate DefaultClient mentioned here?
  2. What am I missing from my current setup that doesn't allow me to connect? Or there is no way I can connect the way things currently are?
I appreciate the help very much! Any elaboration (on top of what's already out there) on how negotiation happens and what's required for it to run properly would be great.


EDIT: I should mention that this setup runs fine if RM Client is on the same machine as FIM Service.
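Added example, not code from the original post or from the RM Client project: the binding names in the post ("ServiceMultipleTokenBinding_*") are WCF binding configuration names, and the question of "where does identity information go" is answered at the WCF layer by the EndpointIdentity attached to the EndpointAddress. The snippet below builds a raw WCF channel to a FIM-style endpoint with an explicit Kerberos SPN identity so that the client knows which service principal to request a ticket for, and shows what DefaultNetworkCredentials means inside ASP.NET. The contract (IFimEndpointStub, Describe), the class name FimChannelFactory, the SPN string and the binding settings are assumptions for illustration; the binding in particular has to match what the real service exposes.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Assumed stand-in contract; the real FIM Enumeration contract is not reproduced here.
[ServiceContract]
public interface IFimEndpointStub
{
    [OperationContract]
    string Describe();
}

public static class FimChannelFactory
{
    // host: the FIM Service machine, e.g. "Machine1"
    // spn:  the SPN registered on the FIM Service account, e.g. "FIMService/Machine1"
    //       (check what is actually registered with: setspn -L Domain\FimService)
    public static ChannelFactory<IFimEndpointStub> Create(string host, string spn)
    {
        // Assumed: message-level security with Windows credentials. A mismatch with
        // the service-side binding fails before any authentication takes place.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Do not negotiate the service credential: the client must obtain a Kerberos
        // ticket for the named SPN instead of quietly falling back to NTLM.
        binding.Security.Message.NegotiateServiceCredential = false;

        // This is where identity information is passed. Without an explicit identity
        // WCF typically derives an SPN from the host name in the address, which maps
        // to the machine account and not to Domain\FimService.
        var address = new EndpointAddress(
            new Uri("http://" + host + ":5725/ResourceManagementService/Enumeration"),
            EndpointIdentity.CreateSpnIdentity(spn));

        var factory = new ChannelFactory<IFimEndpointStub>(binding, address);

        // DefaultNetworkCredentials is whoever the calling thread currently is. In an
        // ASP.NET request that is the application pool account unless the request
        // thread is impersonating the browser user.
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory;
    }

    // Make the call under the web user's token (e.g. HttpContext.Current.User.Identity
    // cast to WindowsIdentity when IIS uses Windows authentication).
    public static string CallAs(WindowsIdentity caller, string host, string spn)
    {
        // Reaching a service on a second machine with the impersonated user's ticket
        // is a second hop: the app pool account needs Kerberos delegation to the FIM
        // SPN, otherwise the remote service does not see the user as authenticated.
        using (caller.Impersonate())
        {
            var factory = Create(host, spn);
            IFimEndpointStub channel = factory.CreateChannel();
            try
            {
                return channel.Describe();
            }
            finally
            {
                ((IClientChannel)channel).Close();
                factory.Close();
            }
        }
    }
}
```

Two checks follow from this: which account actually presents credentials (app pool account when not impersonating, browser user when impersonating), and whether that account can get a ticket for the FIM SPN from the remote machine (registration with setspn, and constrained delegation for the app pool account in the impersonating case). A "same machine works, remote machine fails" symptom is consistent with either the SPN/identity or the delegation side of that, which the raw channel above makes easier to isolate than the wrapped client.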