Channel: Forum Microsoft Identity Manager

Cannot use FIM Service on another server


OK, I have two independent FIM 2010 servers created.  Both have the Portal and FIM Service installed and they each work fine.  However, now that we have a load balancer installed and configured, we want to use that to load balance the Portals and the FIM Services.  The Portals work fine this way but we cannot get the FIM Services to load balance.  So, taking the load balancer out of the mix, we just tried to point one server's Portal to the other server's FIM Service.  This too was unsuccessful.

So, when we went to the Portal on the server that was pointing to the other server for its FIM Service, we received a "Service not available".  After cranking up errors on the SharePoint portal, we would receive a more descriptive, "The request for security token could not be satisfied because authentication failed".  I can provide the stack trace if necessary but the relevant portion seems to be:

[SecurityNegotiationException: The token provider cannot get tokens for target 'http://server1.qa.foo.bar:5725/ResourceManagement/Enumeration'.

Now, we have our SPNs created:

fimservice/server1.qa.foo.bar, fimservice/server1, fimservice/server2.qa.foo.bar, fimservice/server2, fimservice/fimlb.qa.foo.bar, fimservice/fimlb

The first four are for the servers and the last two for the load balancers.

Our FIM service on each server runs under the account "qa\fimportalservice" and our SharePoint application pools also run under that same account.

I have tried messing with applicationHost.config and setting the "useAppPoolCredentials" on the SharePoint - 80 site, but that only succeeds in entirely breaking the SharePoint site, even the root site.  Basically, it prompts you for credentials three times and has you go to a blank site.

Kerberos delegation is turned ON for all services for the "qa\fimportalservice".

We are not requiring Kerberos only in the web config.

Now, we have this all working in a completely different, isolated environment where we do not require Kerberos in the web config and did not monkey with the applicationHost.config file.  Works beautifully.  Now, the only difference we can think of is that in the working environment, the NLB was configured prior to installing FIM.  In the non-working environment, NLB came later and so we are editing the web.config and Microsoft.ResourceManagement.service.exe.config files as necessary.  Note that in the case where we are simply trying to point one server to the FIM service on the other server, we only edit the web.config file in the one location where you specify the ResourceManagement URL.

What am I missing here?  It seems like a Kerberos auth issue but I'm not sure where to go from here.
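The post lists the SPNs and the single service account, and the failure is a token-provider error, so the first thing to rule out is SPN registration: each `fimservice/...` name must exist on `qa\fimportalservice` and on no other account (a duplicate SPN makes the KDC refuse to issue a ticket). The following PowerShell script is an added example, not code from the original post or from the FIM product; it takes the account and SPN names from the post, and assumes `setspn.exe` and `klist.exe` are present on a domain-joined host and the caller can query Active Directory.

```powershell
# Added example (not from the original post): verify the FIM service SPNs from the
# post are registered on the one account that runs both the FIM Service and the
# SharePoint application pools, that none of them is registered twice, and that this
# host can actually obtain a Kerberos service ticket for each of them.
# Assumptions: setspn.exe / klist.exe are available (domain-joined Windows host) and
# the caller has rights to query Active Directory. Names come from the post.

$ServiceAccount = 'qa\fimportalservice'
$ExpectedSpns = @(
    'fimservice/server1.qa.foo.bar', 'fimservice/server1',
    'fimservice/server2.qa.foo.bar', 'fimservice/server2',
    'fimservice/fimlb.qa.foo.bar',   'fimservice/fimlb'
)

function Get-RegisteredSpn {
    # setspn -L prints a header line and then one indented SPN per line.
    param([string]$Account)
    $lines = & setspn.exe -L $Account 2>&1
    $lines | Where-Object { $_ -match '^\s+\S+/\S+' } | ForEach-Object { $_.Trim() }
}

function Get-SpnOwner {
    # setspn -Q prints the distinguished name (CN=...) of every object carrying the SPN;
    # more than one DN means the SPN is duplicated and Kerberos will fail for it.
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    @($out | Where-Object { $_ -match '^CN=' })
}

function Test-ServiceTicket {
    # klist get asks the KDC for a service ticket for the SPN; success shows the SPN
    # in the ticket cache listing that klist prints afterwards.
    param([string]$Spn)
    $out = & klist.exe get $Spn 2>&1
    [bool](($out | Out-String) -match [regex]::Escape($Spn))
}

$registered = Get-RegisteredSpn -Account $ServiceAccount

$report = foreach ($spn in $ExpectedSpns) {
    $owners = Get-SpnOwner -Spn $spn
    $status = if ($owners.Count -gt 1)            { 'DUPLICATE' }
              elseif ($registered -contains $spn) { 'ok' }
              else                                { 'MISSING' }
    [pscustomobject]@{
        Spn        = $spn
        OnAccount  = ($registered -contains $spn)
        OwnerCount = $owners.Count
        Owners     = ($owners -join '; ')
        Status     = $status
        TicketOK   = if ($status -eq 'ok') { Test-ServiceTicket -Spn $spn } else { $false }
    }
}

$report | Format-Table -AutoSize

# Interpretation: MISSING -> register the SPN on $ServiceAccount (setspn -S);
# DUPLICATE -> remove it from the other object before anything else will work;
# ok but TicketOK = False -> registration is fine, so look at name resolution
# (does the URL host name match the SPN?) and at delegation for the account.
```

Run it on the portal server that fails (the one whose web.config points at the other server's FIM Service), since that is the host whose application pool has to obtain the ticket for `fimservice/server1.qa.foo.bar`.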
