Editing the FIM Portal web.config in a farm topology

Hit an interesting issue this week.  One of the projects I’m working on was patching pre-production with 4.1.3419.0 and at the end of the process two of the four portals were down.  Properly down.  HTTP 500 error.  The issue was in the web.config.  I won’t bore you with the detail, as there’s too much background, suffice to say that during backup and restore of the web.config the order of some custom elements got messed up which caused IIS to fail to load the web application.

Ultimately this isn’t of much relevance to the readers of this blog but it made me notice something else.  Each time we patch we lose the requireKerberos property of the resourceManagementClient element, i.e. before the patch:

<resourceManagementClient resourceManagementServiceBaseAddress="http://idmgmt.contoso.com:5725" timeoutInMilliseconds="60000" requireKerberos="true" />

After the patch:

<resourceManagementClient resourceManagementServiceBaseAddress="http://idmgmt.contoso.com:5725" timeoutInMilliseconds="60000" />

Chatting with a member of the project team who knows a lot more about SharePoint than me, I realised that there’s more to the web.config in a farm than I’d previously considered.  For one, it’s stored in the SharePoint configuration database.  Each farm member updates its local file from the persisted object data in the database.  Which means there’s a programmatic process managing that file, so what happens to manually added changes?  Right, they can get lost.  Or maybe they don’t get consumed by all nodes.  In fact, there’s a health analyser rule that checks this for you:

But who manages FIM’s SharePoint infrastructure?  Are you on top of all the alerts?

The FIM Portal patch process triggers a backup of the web.config.  A programmatic backup.  The requireKerberos property was added out-of-band, i.e. via NOTEPAD.  So that isn’t in the database and is lost.  Which brings us to the real question – how do we edit the file then?  How do we define requireKerberos in an SP farm?


Here’s an example.

## modify the $fIMPortalURL variable with the FIM portal URL
[String]$fIMPortalURL = "https://idweb.contoso.com/identitymanagement";
## do not modify anything else

Write-Host "`nUpdateFimPortalFarmWebConfig.ps1 v1.0 Paul Williams May 2013`n";

# load the SharePoint server object model
[System.Reflection.Assembly]$loaded = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint");
if ($loaded -eq $null)
{
    Write-Error "Couldn't load required assembly.";
    return;
}

# strip the path so only scheme and host remain, e.g. https://idweb.contoso.com
[String]$sPPortalURL = $fIMPortalURL.Substring(0, $fIMPortalURL.IndexOf("/", 9));

# get the site
[Microsoft.SharePoint.SPSite]$sPSite = `
    New-Object Microsoft.SharePoint.SPSite($sPPortalURL);

# get the web app from the site
[Microsoft.SharePoint.Administration.SPWebApplication]$sPWebApp = $sPSite.WebApplication;

# get the web service from the web app (this is what pushes web.config changes to every farm member)
[Microsoft.SharePoint.Administration.SPWebService]$sPFarmService = `
    $sPWebApp.Farm.Services | ? {
        $_.TypeName -eq 'Microsoft SharePoint Foundation Web Application'
    };

# get the web.config rmclient element from the web app
[Microsoft.SharePoint.Administration.SPWebConfigModification]$rMClientConfigElement = `
    $sPWebApp.WebConfigModifications | ? {
        $_.Owner -eq '7c43ce5b-a59b-44f5-9e8a-50bd1b696145' -and
        $_.Name -eq 'resourceManagementClient'
    };

if ($rMClientConfigElement -eq $null)
{ # the FIM Portal modification is not persisted for this web app; nothing safe to edit
    Write-Error "resourceManagementClient modification not found in the web application.";
    $sPSite.Dispose();
    return;
}

# the element exists
[Xml]$element = $rMClientConfigElement.Value;
[String]$requireKerberos = $element.resourceManagementClient.requireKerberos;

Write-Host "Current value:";
Write-Host "$($rMClientConfigElement.Value)`n" -ForegroundColor Yellow;

if (-not [String]::IsNullOrEmpty($requireKerberos))
{ # we have a value that might need to be modified
    if ($requireKerberos -eq 'true')
    { # nothing to do
        Write-Host "Require Kerberos property already set to TRUE.";
        Write-Host "No changes required.  Script complete.`n`n";
        $sPSite.Dispose();
        return;
    }
    else
    {
        Write-Host "Require Kerberos property not set to TRUE.  Setting to TRUE.";
        $rMClientConfigElement.Value = `
            $rMClientConfigElement.Value.Replace('requireKerberos="false"', 'requireKerberos="true"');
    }
}
else
{ # we need to add it
    Write-Host "Require Kerberos property not defined (default value is FALSE).  Setting to TRUE.";
    [String]$val = $rMClientConfigElement.Value;
    [String]$newVal = $val.Replace("/>", 'requireKerberos="true" />');
    $rMClientConfigElement.Value = $newVal;
}

Write-Host "New value:";
Write-Host "$($rMClientConfigElement.Value)`n" -ForegroundColor Yellow;
Write-Host "Committing update.";

# persist the modification in the configuration database, then push it to every farm member
$sPWebApp.Update();
$sPFarmService.ApplyWebConfigModifications();
$sPSite.Dispose();

Write-Host "Script complete.`n`n";

The above script is quite simple and can undoubtedly be improved.  It does provide a supported mechanism to configure this setting in a SharePoint farm however.
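As a read-only companion to the script above, here is an added example (my code, not from the original post) that lists every web.config modification persisted for the FIM Portal web application and then compares the requireKerberos attribute held in the configuration database with the one in the local web.config of the node it runs on. That comparison is the check you want before and after a patch: a value that exists only on disk is exactly the kind of out-of-band edit the post describes being discarded. The portal URL, the owner id reused from the script above, and the lookup of the default-zone web.config path via the web application's IIS settings are assumptions.

```powershell
## Added example, not part of the original post. Read-only: nothing is changed.
## Assumptions: the portal URL below, the owner id from the post's script,
## and that the SharePoint server object model is available on this node.
[String]$fIMPortalURL = "https://idweb.contoso.com/identitymanagement";
[String]$fIMOwner = '7c43ce5b-a59b-44f5-9e8a-50bd1b696145';

$loaded = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint");
if ($loaded -eq $null) { Write-Error "Couldn't load Microsoft.SharePoint."; return; }

[String]$sPPortalURL = $fIMPortalURL.Substring(0, $fIMPortalURL.IndexOf("/", 9));
$sPSite = New-Object Microsoft.SharePoint.SPSite($sPPortalURL);
$sPWebApp = $sPSite.WebApplication;

# 1. what the configuration database says every farm member should be running
Write-Host "Persisted web.config modifications for $($sPWebApp.Name):";
$sPWebApp.WebConfigModifications |
    Sort-Object Owner, Sequence |
    Format-Table Owner, Name, Path, Type -AutoSize;

$persisted = $sPWebApp.WebConfigModifications | ? {
    $_.Owner -eq $fIMOwner -and $_.Name -eq 'resourceManagementClient'
};

# 2. what is actually on disk on this node (default zone web.config)
$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default;
[String]$webConfigPath = Join-Path $sPWebApp.IisSettings[$defaultZone].Path.FullName "web.config";
[Xml]$onDisk = Get-Content $webConfigPath;
$diskElement = $onDisk.SelectSingleNode("//resourceManagementClient");

[String]$diskValue = if ($diskElement -ne $null) { $diskElement.requireKerberos } else { "" };
[String]$dbValue = if ($persisted -ne $null) {
    ([Xml]$persisted.Value).resourceManagementClient.requireKerberos
} else { "" };

Write-Host "requireKerberos on disk ($webConfigPath): '$diskValue'";
Write-Host "requireKerberos persisted in config DB:    '$dbValue'";

# 3. report drift between the two sources, or a persisted value that is not what we want
if ($diskValue -ne $dbValue)
{
    Write-Warning "Drift: the local web.config does not match the persisted modification. A manual edit here will be discarded the next time the file is regenerated, e.g. by a FIM Portal patch.";
}
elseif ($dbValue -ne 'true')
{
    Write-Warning "requireKerberos is not persisted as 'true'; the portal can fall back to NTLM when calling the FIM Service.";
}
else
{
    Write-Host "OK: requireKerberos=true is persisted in the farm and applied on this node." -ForegroundColor Green;
}

$sPSite.Dispose();
```

Run it on each farm member after patching: the persisted value should be identical everywhere, so any node that reports drift is one that has not yet consumed the modification, which is the same condition the health analyser rule mentioned above flags.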

Some more reading:

And the guys who provided what I needed to write the above script:

I hope that this has been interesting and helpful.

I alluded to this previously.  And I’ll be complaining about the complexity or pain of a SharePoint farm again when I get a better understanding of what patching does to FIM Reporting too…


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM, Scripting, SharePoint.

1 Response to Editing the FIM Portal web.config in a farm topology

  1. It’s probably worth noting that while this is more important in a farm than with multiple stand-alone instances the web.config changes will be lost whenever you patch the FIM portal unless you make the change via SharePoint’s API, i.e. this isn’t just applicable to a farm. The process of adding the requireKerberos element, for example, to the web.config file via direct modification is not recommended as the programmatic management of the file will remove that change each time you patch.
