{"id":2745,"date":"2014-02-09T00:31:49","date_gmt":"2014-02-09T00:31:49","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=2745"},"modified":"2023-01-09T02:24:24","modified_gmt":"2023-01-09T02:24:24","slug":"unable-to-to-process-your-request-when-trying-to-approve-in-the-fim-portal-part-2","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/unable-to-to-process-your-request-when-trying-to-approve-in-the-fim-portal-part-2","title":{"rendered":"&#8220;Unable to process your request&#8221; when trying to approve in the FIM Portal &#8211; Part 2"},"content":{"rendered":"<p>A long time after writing <a href=\"https:\/\/www.wapshere.com\/missmiis\/unable-to-to-process-your-request-when-trying-to-approve-in-the-fim-portal\">an earlier blog post<\/a> on this error, I&#8217;ve seen it again. You try to approve in the Portal, and right after clicking Submit you get the dreaded FIM &#8220;Unable to process&#8221; error page.<\/p>\n<p>I had been working through all the usual Kerberos issues but was pretty sure I had all the SPNs, names in config files and Alternate Access Mappings lined up. Plus there was no sign of that &#8220;cannot connect to the middle tier&#8221; error in the FIM event log that always sets off Kerberos alarm bells in my mind.<\/p>\n<p>Eventually I did manage to get an error &#8211; this one in the Application log, and only when I logged in to the Portal as the approving user on the FIM server itself:<\/p>\n<pre>Log Name:      Application\nSource:        ASP.NET 2.0.50727.0\nDate:          9\/02\/2014 09:59:16\nEvent ID:      1309\nTask Category: Web Event\nLevel:         Warning\nKeywords:      Classic\nUser:          N\/A\nComputer:      FIMServer.mydomain.com\nDescription:\nEvent code: 3005 \nEvent message: An unhandled exception has occurred. 
\nEvent time: 2\/9\/2014 9:59:16 AM \nEvent time (UTC): 2\/8\/2014 10:59:16 PM \nEvent ID: 941b508e7d764e89a77c1c5a57cad942 \nEvent sequence: 293 \nEvent occurrence: 6 \nEvent detail code: 0 \n\nApplication information: \n    Application domain: \/LM\/W3SVC\/1069363774\/ROOT-1-130363694884026945 \n    Trust level: WSS_Minimal \n    Application Virtual Path: \/ \n    Application Path: C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\ \n    Machine name: FIMSERVER\n\nProcess information: \n    Process ID: 8780 \n    Process name: w3wp.exe \n    Account name: MYDOMAIN\\SharepointAppPoolServiceAccount \n\nException information: \n    Exception type: SecurityNegotiationException \n    Exception message: The caller was not authenticated by the service. \n\nRequest information: \n    Request URL: http:\/\/fimportal\/identitymanagement\/aspx\/Requests\/ApproveRequests.aspx?CacheID=18eab583-73a2-4bbd-991d-80e16f60a646 \n    Request path: \/identitymanagement\/aspx\/Requests\/ApproveRequests.aspx \n    User host address: xxx.xxx.xxx.xxx \n    User: MYDOMAIN\\ApproverUser\n    Is authenticated: True \n    <span style=\"color: #ff0000;\">Authentication Type: NTLM<\/span> \n    Thread account name: MYDOMAIN\\SharepointAppPoolServiceAccount<\/pre>\n<p>I&#8217;ve highlighted the bit that jumped out at me &#8211; NTLM. It should have been using Kerberos.<\/p>\n<p>When you approve you are actually hitting a published endpoint which is stamped on the Approval object itself and based on the externalHostAddress of the FIM Service instance where the Approval object was initially created. It must be possible to authenticate to this endpoint using Kerberos, and if anything gets in the way of that, the approval will fail.<\/p>\n<p>So I went and checked the Windows Authentication settings on the &#8220;Sharepoint &#8211; 80&#8221; site in IIS and, for some reason that I have yet to get to the bottom of, only &#8220;NTLM&#8221; was listed as a provider. 
We must have &#8220;Negotiate&#8221; and it must be first.<\/p>\n<p><a href=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2014\/02\/iis_winauth_providers.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2746\" src=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2014\/02\/iis_winauth_providers.jpg\" alt=\"iis_winauth_providers\" width=\"642\" height=\"316\" srcset=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2014\/02\/iis_winauth_providers.jpg 642w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2014\/02\/iis_winauth_providers-300x147.jpg 300w\" sizes=\"auto, (max-width: 642px) 100vw, 642px\" \/><\/a><\/p>\n<p>I also followed the step to &#8220;Turn off NTLM authentication in the Portal&#8221; in the FIM post-installation steps: <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/gg637904(v=ws.10).aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/gg637904(v=ws.10).aspx<\/a><\/p>\n<p>After a FIM Service restart and iisreset it is now possible to approve!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A long time after writing an earlier blog post on this error, I&#8217;ve seen it again. 
You try to approve in the Portal, and right after clicking Submit you get the dreaded FIM &#8220;Unable to process&#8221; error page<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":[]},"categories":[42,60,64],"tags":[],"class_list":["post-2745","post","type-post","status-publish","format-standard","hentry","category-fim-2010","category-fim-2010-r2","category-troubleshooting"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-Ih","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=2745"}],"version-history":[{"count":4,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2745\/revisions"}],"predecessor-version":[{"id":3315,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2745\/revisions\/3315"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=2745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=2745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=2745"}],"curi
es":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}