ILM "2" (Release Candidate) Installation Guide

Updated: October 27, 2008

The Microsoft® Identity Lifecycle Manager "2" (ILM "2") Installation Guide enables IT professionals to install ILM "2". An ILM "2" deployment has two major component groups, the server-side and the client-side.

The server-side components are as follows:

  • ILM Synchronization Service
  • ILM Service
  • ILM Portal
  • ILM Password Portal

The client-side components are as follows:

  • ILM Add-in for Outlook 2007
  • ILM Password Reset Extensions

What This Document Covers

This document covers the installation of ILM "2". It discusses the steps to successfully deploy ILM "2" in your test environment. It also discusses the installation of each of the components and subcomponents that make up an ILM "2" installation.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following IT tasks:

  • Installing software on server and client computers
  • Basic knowledge of Active Directory® domain service, Microsoft® Identity Lifecycle Manager 2007 (ILM 2007), Microsoft SQL Server™ 2008 database software, Windows® SharePoint® Services 3.0, and Microsoft Exchange Server 2007.
  • Setting up and configuring Active Directory, SQL Server 2008, Windows SharePoint Services 3.0, and Microsoft Exchange Server 2007 is outside the scope of this document.

Audience

This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy ILM "2".

Topology

ILM "2" supports a variety of deployment topologies. Each of the main components:

  • ILM Service
  • ILM Synchronization Service
  • ILM Portal
  • ILM Password Portal
  • SQL Server 2008 database for the ILM Service
  • SQL Server 2008 database for the ILM Synchronization Service

may be installed separately or in combination on individual servers. Additionally, the ILM Service and the ILM Portal can be scaled out to multiple servers. For more information, see Network Load Balancing and SharePoint Server farm architecture.

Note
If you install the SQL 2008 database on a different server than the ILM Service or ILM Synchronization Service, you will need to open additional ports in order for ILM setup to communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access.

Required Hardware

The server(s) hosting the ILM "2" server components must meet the following hardware requirements:

  • An x64-capable processor
  • 2 gigabytes (GB) of available hard disk drive space
  • 2 gigabytes (GB) or more of RAM
  • A monitor with a resolution of 1024x768
  • A CD-ROM or DVD-ROM drive

The client computer that hosts the ILM "2" client-side component(s) must meet the following hardware requirements:

  • 512 MB of RAM (1 GB recommended)
  • 500 MB of free hard disk drive space
  • A monitor that can display a resolution of 1024x768

Required Software

Each server hosting the different ILM "2" server-side components has a different software requirement. Below, you will find the software requirements for each of the ILM "2" server-side components. If you decide to install all of the server-side components on one server, you must install the software requirements for each of the ILM "2" server-side components on that server.

ILM Synchronization Service Software Requirements

The server hosting the ILM Synchronization Service must have the following prerequisite software installed:

  • Windows Server 2008 64-bit Standard or Enterprise Editions.
    Important
    When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If you install Terminal Services, the ILM "2" server components do not install.
  • SQL Server 2008 64-bit Standard or Enterprise Editions.
  • Microsoft Visual Studio 2008
    Note
    Microsoft Visual Studio 2008 is required to develop rules extensions for ILM Synchronization Service.
  • Windows PowerShell 1.0
    Note
    Windows PowerShell 1.0 can be installed from the Features options interface included with Windows Server 2008.
  • Exchange 2007 SP1 Management Console
    Note
    The Exchange 2007 SP1 Management Tools are required to fully provision Exchange Server 2007 mailboxes, contacts, and groups that are created by the ILM Synchronization Service. You will receive an extension-dll-exception error if you attempt to synchronize these objects to Active Directory without the Exchange 2007 SP1 Management Console installed.

ILM Service Software Requirements

The server hosting the ILM Service must have the following software installed:

  • Windows Server 2008 64-bit Standard or Enterprise Editions.
    Important
    When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If you install Terminal Services, the ILM "2" server components do not install.
  • SQL Server 2008 64-bit Standard or Enterprise Editions.
    Note
    You can use the same SQL Server 2008 instance that the ILM Synchronization Service is using.
  • Web Server (IIS)
    Note
    The Web Server (IIS) can be installed from the Server Role interface included with Windows Server 2008. The following options must be installed when you install the Web Server (IIS) role:
    • Common HTTP Features
    • Static Content
    • Default Document
    • Directory Browsing
    • HTTP Errors
    • HTTP Redirection
    • Application Development
    • ASP.NET
    • .NET Extensibility
    • ISAPI Extensions
    • ISAPI Filters
    • Health and Diagnostics
    • HTTP Logging
    • Request Monitor
    • Tracing
    • Basic Authentication
    • Windows Authentication
    • Request Filtering
    • Static Content Compression
    • IIS 6 Management Compatibility
    • IIS 6 WMI Compatibility
    • IIS 6 Metabase Compatibility
  • Microsoft .NET 3.0 Features
    Note
    Microsoft .NET Framework 3.0 Features can be installed from the Features options interface included with Windows Server 2008.
  • Microsoft .NET Framework 3.5 SP1
    You can download the Microsoft .NET Framework 3.5 SP1 from http://go.microsoft.com/fwlink/?LinkId=129538.

ILM Portal and Password Portal Software Requirements

The server(s) hosting the ILM Portal and Password Portal must have the following software installed:

Note
If you decide to install the ILM Portal and the Password Portal on different servers, the software prerequisites for both servers are the same.
  • Windows Server 2008 64-bit Standard or Enterprise Editions.
    Important
    When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If you install Terminal Services, the ILM "2" server components do not install.
  • Web Server (IIS)
    Note
    The Web Server (IIS) can be installed from the Server Role interface included with Windows Server 2008. The following options must be installed when you install the Web Server (IIS) role:
    • Common HTTP Features
    • Static Content
    • Default Document
    • Directory Browsing
    • HTTP Errors
    • HTTP Redirection
    • Application Development
    • ASP.NET
    • .NET Extensibility
    • ISAPI Extensions
    • ISAPI Filters
    • Health and Diagnostics
    • HTTP Logging
    • Request Monitor
    • Tracing
    • Basic Authentication
    • Windows Authentication
    • Request Filtering
    • Static Content Compression
    • IIS 6 Management Compatibility
    • IIS 6 WMI Compatibility
    • IIS 6 Metabase Compatibility
  • Microsoft .NET Framework 3.0 Features
    Note
    Microsoft .NET Framework 3.0 Features can be installed from the Features options interface included with Windows Server 2008.
  • Microsoft .NET Framework 3.5 SP1
    Note
    You can download the Microsoft .NET Framework 3.5 SP1 from http://go.microsoft.com/fwlink/?LinkId=129538.
  • Windows SharePoint Services 3.0 SP1
    Note
    You can download Windows SharePoint Services 3.0 SP1 from http://go.microsoft.com/fwlink/?LinkID=105802.
    Important
    For this release of ILM "2", the ILM Portal does not install in a SharePoint farm topology.

ILM Client Components Software Requirements

The client computers that host the ILM "2" client-side components must meet the following software requirements:

  • Windows XP Professional SP3 (32-bit) or Windows Vista Enterprise SP1 (32-bit or 64-bit)
  • Windows Installer 3.1 or later
    Note
    You can download Windows Installer 3.1 from http://go.microsoft.com/fwlink/?LinkID=62933.
  • Microsoft .NET Framework 3.5 SP1
    Note
    You can download the Microsoft .NET Framework 3.5 SP1 from http://go.microsoft.com/fwlink/?LinkId=129538.
  • Microsoft Office Outlook 2007
    This software is required only if you use ILM "2" Office Integration.
  • Microsoft Forms .NET 2.0 Programmability Support
    This software is required only if you use ILM "2" Office Integration.
    Note
    This software is an add-in feature of Microsoft Office 2007. To install it, select the Smart Tag .NET Programmability Support option when you run Setup for Microsoft Office 2007.
  • Smart Tag .NET Programmability Support for Microsoft Office 2007
    This software is required only if you use ILM "2" Office Integration.
    Note
    This software is an add-in feature of Microsoft Office 2007. To install it, select the Smart Tag .NET Programmability Support option when you run Setup for Microsoft Office 2007.

Before You Begin

Before you install the ILM "2" server and client components, you must complete the following configuration tasks in the order shown:

  1. Create a domain service e-mail enabled account to run the ILM Service, Portal, and Password components.
  2. Create a service account to run the ILM Synchronization Service.
  3. Create an ILM "2" Management Agent account.
  4. Configure the service accounts that are running the ILM "2" server components in a secure manner.
  5. If you are running the Exchange Web Service and IIS default web site (ILM "2" Portal) on the same server, ensure that both are not configured to use port 80.
  6. Run the SharePoint 3.0 Services configuration wizard before you install the ILM Portal and Password Portal.

Create a domain service e-mail enabled account to run the ILM Service, Portal, and Password components

To run the ILM Service, Portal, and Password components, you must create an ILM "2" domain service account that is e-mail enabled. This account must be a member of the local Administrators group, and the credentials that the service runs under must be the same credentials as those of its e-mail account. For example, if the ILM "2" service is running under domain\ilmsrv credentials, the monitored ILM "2" mailbox must be the mailbox of domain\ilmsrv.

To use the ILM Add-in for Outlook 2007 feature, you must set up the domain service e-mail account on a server that hosts Microsoft Exchange Server 2007.

Important
You must reserve the domain service e-mail account for the exclusive use of the ILM "2" Web Service. If you do not, and any e-mail accounts move messages from the e-mail Inbox, the e-mail processor does not see these messages. In addition, after the e-mail processor reads a message from the Inbox, it moves the message to another folder, potentially causing problems for other accounts that attempt to use that e-mail account.

Create a service account to run the ILM Synchronization Service

You must create a service account to run the ILM Synchronization Service; this service account must be a domain service account. This account does not have to be a local administrator account.

Create a domain ILM “2” management agent account

You must create a domain service account that is reserved for the exclusive use of the ILM "2" management agent (MA). The ILM Service has to know the name of the account that the ILM MA is using so that during setup, it can give the account the required rights to make calls to the Web services. This account does not have to be a local administrator account.

In order to run properly, the ILM MA account requires Read access to miisserver.exe. To ensure that the ILM MA account has the correct access:

  • Use the Synchronization service account for the ILM MA account, or
  • Add the ILM MA account to the MIISAdmins security group.

Configure the service accounts running the ILM “2” server components in a secure manner

To configure the server(s) running the ILM "2" server components in a secure manner, use the following restrictions on the service accounts:

  • Deny users access to log on as a batch job.
  • Deny users access to log on using Terminal Services.
  • Deny users access to this computer on a network.
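
The following Windows PowerShell script is an added example; it is not part of this guide or of the ILM "2" product. It applies the three restrictions listed above to the ILM service accounts on the local server by importing a security template with secedit, merging the new entries with whatever is already assigned to each right, and then re-exports the policy to verify the result. It assumes Windows PowerShell 2.0 or later in an elevated session; the account names are placeholders.

```powershell
# Added example, not part of the ILM "2" guide: apply the three logon restrictions listed
# above to the ILM service accounts on the local server with secedit, then verify them.
# Assumes Windows PowerShell 2.0 or later, an elevated session, and placeholder account names.
# Windows user-right constants for the policies the guide names:
#   Deny log on as a batch job                    -> SeDenyBatchLogonRight
#   Deny log on through Terminal Services         -> SeDenyRemoteInteractiveLogonRight
#   Deny access to this computer from the network -> SeDenyNetworkLogonRight
$ServiceAccounts = @('CONTOSO\ilmsrv', 'CONTOSO\ilmsync')   # placeholders: ILM Service and Sync Service accounts
$DenyRights = @('SeDenyBatchLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight')

function Get-AccountSid([string]$Account) {
    # Security templates reference principals as *<SID>, which survives account renames.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Export-UserRights([string]$Path) {
    # Export only the user-rights area of the effective local policy and parse it into a table
    # of right name -> array of assigned principals.
    secedit /export /cfg $Path /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Trim().Split(',') | Where-Object { $_ -ne '' })
        }
    }
    return $rights
}

function Set-IlmDenyRights([string[]]$Accounts, [string[]]$Rights) {
    $work = Join-Path $env:TEMP 'ilm-user-rights'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $current = Export-UserRights (Join-Path $work 'current.inf')
    $newSids = @($Accounts | ForEach-Object { '*' + (Get-AccountSid $_) })

    # secedit /configure replaces the whole assignment list for each right named in the
    # template, so merge the new SIDs with what is already denied instead of overwriting it.
    $template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $Rights) {
        $existing = @()
        if ($current.ContainsKey($right)) { $existing = $current[$right] }
        $merged = @(($existing + $newSids) | Select-Object -Unique)
        $template += ($right + ' = ' + ($merged -join ','))
    }
    $templatePath = Join-Path $work 'ilm-deny.inf'
    Set-Content -Path $templatePath -Value $template -Encoding Unicode
    secedit /configure /db (Join-Path $work 'ilm-deny.sdb') /cfg $templatePath /areas USER_RIGHTS /overwrite /quiet | Out-Null
}

function Test-IlmDenyRights([string[]]$Accounts, [string[]]$Rights) {
    # Re-export and confirm every account SID now appears under every deny right. Returns $true or $false.
    $after = Export-UserRights (Join-Path $env:TEMP 'ilm-user-rights\verify.inf')
    $ok = $true
    foreach ($right in $Rights) {
        foreach ($acct in $Accounts) {
            $sid = '*' + (Get-AccountSid $acct)
            if (-not ($after.ContainsKey($right) -and $after[$right] -contains $sid)) {
                Write-Warning "$acct is not listed under $right"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-IlmDenyRights $ServiceAccounts $DenyRights
Test-IlmDenyRights $ServiceAccounts $DenyRights
```

Run the script on each server that hosts an ILM "2" component, and review the network-logon restriction against your topology before applying it: the ILM Service section of this document requires the ILM Service's service account to be a local administrator on the server that hosts the ILM Synchronization Service when the two are on separate servers, and denying that account network access on that server prevents the remote configuration that the section describes. Do not add the accounts to Deny log on as a service, which would stop the ILM services themselves.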

Ensure the Exchange Web Service and IIS default Web site are not both configured to use port 80

If you are running the Exchange Web Service and IIS default web site (ILM "2" Portal) on the same server, ensure that both are not configured to use port 80. If both are configured to use port 80, the Exchange Web Service will be unreachable.

Either specify a different port, or bind the site to a different IP address or host name, in IIS.

Run the SharePoint 3.0 Services configuration wizard before you install the ILM Portal and Password Portal

Before you install the ILM Portal and Password Portal, run the SharePoint 3.0 Services configuration wizard. If you do not perform this task you may have to reinstall the ILM Portal and Password Portal components of ILM "2".

Installing the ILM "2" Server Components

To install the ILM "2" server components, you must install the following pieces of software in the following order. Not following the order specified below will cause the installation to fail, because the prerequisite pointers for each piece of software will not be in place. You must use an account with domain administrator privileges to install the ILM "2" server components.

  1. ILM Synchronization Service
  2. ILM Service
  3. ILM Portal
  4. ILM Password Portal

ILM Synchronization Service

The ILM Synchronization Service consists of the metadirectory, provisioning engine, and management agents for various connected data sources. It supports synchronizing data between the ILM Synchronization database and other identity stores in the enterprise.

During the installation of the Synchronization Service, the firewall on the machine hosting this service is configured to allow Dynamic RPC and RPC endpoint mapper access to the ILM Synchronization Service.

Note
The Windows Firewall Service must be enabled during the installation of the ILM Synchronization Service. After the installation is complete, it may be disabled again.

The Synchronization Service creates five security groups that correspond to the three Synchronization and Provisioning Service user roles: Administrator, Operator, and Joiner. The Synchronization and User Provisioning Service also creates two Windows Management Instrumentation (WMI) roles: Connector Browse and Password Set. The Synchronization and Provisioning Administrators group contains the account that you used to log on and run Setup.

By default the Synchronization Service creates the five security groups as local computer groups, instead of global groups. If you plan to use global groups, you must create the groups before you install the ILM Synchronization Service.

To install the ILM Synchronization Service
  1. From the ILM "2" splash screen click the Install Synchronization services and user provisioning link.

  2. Run setup.exe and then follow the instructions in the installation wizard.

    Important
    Setup.exe must be run with elevated privileges. If UAC is enabled, installing the ILM Synchronization Service without elevated privileges will cause the installation to fail.
    Important
    The user account used to install the ILM Synchronization Service must be granted the sysadmin role in SQL Server 2008. By default, members of the local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account or the account that was used to install SQL Server 2008, it must be granted the sysadmin role in SQL Server 2008 explicitly.
    Important
    If you install the SQL 2008 database on a different server than the ILM Service or ILM Synchronization Service, you will need to open additional ports in order for ILM setup to communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access.
  3. On the Group Information page, when you are prompted for the five security groups use the default local groups or type the details for the global groups that you created.

    Note
    Not applicable if installing on a domain controller (DC).

ILM Service

Installing the ILM Service installs the Web services parts of ILM "2" and also configures the ILM Service database on the server that hosts SQL Server 2008.

During the installation of the ILM Service, ports 526 and 527 are opened and exceptions for these ports are added to the Windows Server 2008 firewall settings. Opening these ports enables communication to the ILM Service.

When installing the ILM Service on a separate server from the ILM Synchronization Service server, you must manually add the service account that is used by the ILM Synchronization Service to the MIISAdmins security group. This enables authorized users to remotely configure the ILM Synchronization Service using the synchronization configuration API exposed through the Web services interface. In addition, if you install the ILM Service on a separate server from the ILM Synchronization Service server, you must add the ILM Service’s service account to the Local Administrator group on the server hosting the ILM Synchronization Service.

After you complete the installation of the ILM Service, you must stop and restart the Microsoft Identity Integration Server service.

To install the ILM Service
  1. From the ILM "2" splash screen click the Install ILM "2" Server, 64 bit link.

  2. Run ilm-server.msi.

    Important
    The SQL Agent must be running before you run ilm-server.msi.
    Important
    The user account used to install the ILM Synchronization Service must be granted the sysadmin role in SQL Server 2008. By default, members of the local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account or the account that was used to install SQL Server 2008, it must be granted the sysadmin role in SQL Server 2008 explicitly.
    Important
    If you install the SQL 2008 database on a different server than the ILM Service or ILM Synchronization Service, you will need to open additional ports in order for ILM setup to communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access.
  3. On the Custom Setup page you are prompted for the applications that you want to install. From the drop-down menu located next to Microsoft ILM Core Services, click Entire feature will be installed on local hard drive. If you do not want to install all of the components on one server, deselect Sharepoint Components for ILM Portal and Sharepoint Components for Password Reset by clicking the drop-down menus located next to them and clicking Entire feature will be unavailable.

  4. Click Next.

  5. On the Configure Common Services page, in the Database Server field, enter the NETBIOS name of the server that hosts SQL Server 2008.

  6. Click Next.

  7. On the Configure Common Services - Configure mail server connection page, in Mail Server, type the NetBIOS name of the server hosting the Exchange Web services.

  8. Click Next.

  9. On the Configure Common Services - Configure service certificate page, select the default IdentityLifecycleManager2 certificate that is used to sign and encrypt the communication between the clients and the ILM "2" Web service, or select a certificate from the certificate store, then click Next.

  10. On the Configure Common Services - Configure the ILM "2" service account page, provide the credentials for the ILM "2" domain service account.

    In Service e-mail Account, make sure that you type the e-mail address for the ILM "2" service account, not your personal e-mail address. You must reserve the ILM "2" domain service e-mail account for the exclusive use of the ILM "2" service to send and receive messages to and from the ILM "2" application.

  11. Click Next.

  12. On the Configure Common Services - Configure the Identity Lifecycle Manager synchronization connection page, in the Synchronization Server field, enter the NETBIOS name of the server hosting the ILM Synchronization Service component.

    In the ILM "2" Management Agent Account* field, enter the domain\Account of the ILM "2" management agent account. This is the account you created in the Create a domain ILM "2" management agent account section of this document.

  13. Click Next.

  14. On the Configure First User page, enter the e-mail address of the account used to install the ILM "2" server components.

  15. Click Next.

  16. Click Install.

    After the installation is complete, you may have to start the Microsoft ILM Common Services service.

    To start the Microsoft ILM Common Services service:

    1. Open Server Manager.
    2. Expand Configuration.
    3. Click Services.
    4. In the Services window, browse to Microsoft ILM Common Services.
    5. Check the Status pane to see whether the service is Started.
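
The following Windows PowerShell script is an added example; it is not part of this guide or of the ILM "2" product. It checks, before you run setup.exe for the ILM Synchronization Service or ilm-server.msi for the ILM Service, ILM Portal, or ILM Password Portal, the three SQL Server 2008 conditions that the Important notes in those procedures require: that the SQL Server instance can be reached from this server (so the firewall ports are open), that the account running the script holds the sysadmin role, and that the SQL Server Agent service is running. It assumes Windows PowerShell 2.0 or later, run as the account that will run setup; the server and instance names are placeholders.

```powershell
# Added example, not part of the ILM "2" guide: pre-flight check of the SQL Server 2008
# requirements that the ILM "2" installers depend on. Assumes Windows PowerShell 2.0 or
# later, run as the account that will run setup; server and instance names are placeholders.
function Test-IlmSqlPrerequisites([string]$SqlServer, [string]$Instance = '') {
    $dataSource = $SqlServer
    $agentService = 'SQLSERVERAGENT'              # SQL Server Agent service name, default instance
    if ($Instance -ne '') {
        $dataSource = "$SqlServer\$Instance"
        $agentService = 'SQLAgent$' + $Instance   # named instances use SQLAgent$<instance>
    }
    $result = New-Object PSObject -Property @{
        DataSource = $dataSource; Login = $null; Reachable = $false
        IsSysadmin = $false; AgentRunning = $false; Error = $null
    }

    # 1 and 2: connect with Windows authentication, as setup does, and ask SQL Server
    # who we are and whether that login is a member of the sysadmin role.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Data Source=$dataSource;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $conn.Open()
        $result.Reachable = $true
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT SUSER_SNAME() AS LoginName, IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.Login = [string]$reader['LoginName']
            $result.IsSysadmin = ([int]$reader['IsSysadmin'] -eq 1)
        }
        $reader.Close()
    } catch {
        # A timeout or a "network-related or instance-specific" error here usually means the
        # SQL ports are not open between this server and the SQL Server host (see the firewall note).
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Close()
    }

    # 3: SQL Server Agent state, read over WMI on the SQL Server host.
    $agent = Get-WmiObject -Class Win32_Service -ComputerName $SqlServer -Filter "Name='$agentService'" -ErrorAction SilentlyContinue
    if ($agent -ne $null) { $result.AgentRunning = ($agent.State -eq 'Running') }
    return $result
}

$check = Test-IlmSqlPrerequisites -SqlServer 'SQL01'      # placeholder NETBIOS name of the SQL Server host
$check | Format-List
if (-not ($check.Reachable -and $check.IsSysadmin -and $check.AgentRunning)) {
    Write-Warning 'Fix the items marked False before running setup.exe or ilm-server.msi.'
}
```

If Reachable is False while the SQL Server host answers a ping, the SQL Server and SQL Browser ports are the first thing to check; if IsSysadmin is False, grant the role to the installing account rather than running setup as the SQL Server installer's account.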

ILM Portal

The ILM Portal allows users who have authorized access to manage the activities that are requested and sent to the ILM Service.

When using the ILM Portal in Windows Server 2008, the controls or buttons will not work unless the browser security settings for Internet Explorer are adjusted to enable JavaScript.

Important
For security purposes, it is required that you implement Secure Sockets Layer (SSL) on the server running Internet Information Services (IIS).

To install the ILM Portal
  1. From the ILM "2" splash screen click the Install ILM "2" Server, 64 bit link.

  2. Run ilm-server.msi.

    Important
    The SQL Agent must be running before you run ilm-server.msi.
  3. On the Custom Setup page you are prompted for the applications that you want to install. From the drop-down menu located next to Sharepoint Components for ILM Portal, click Entire feature will be installed on local hard drive. If you do not want to install all of the components on one server, deselect Microsoft ILM Core Services and Sharepoint Components for Password Reset by clicking the drop-down menus located next to them and clicking Entire feature will be unavailable.

  4. Click Next.

  5. On the Enter ILM “2” server name page, enter the NETBIOS name of the server hosting the ILM "2" Service.

  6. Click Next.

  7. Click Install.

ILM Password Portal

The ILM "2" Password Portal lets users perform self-service password reset by using a web portal.

To install the ILM Password Portal
  1. From the ILM "2" splash screen click the Install ILM "2" Server, 64 bit link.

  2. Run ilm-server.msi, and then follow the instructions in the installation wizard.

    Important
    The SQL Agent must be running before you run ilm-server.msi.
  3. On the Custom Setup page you are prompted for the applications that you want to install. From the drop-down menu located next to Sharepoint Components for ILM Portal, click Entire feature will be installed on local hard drive. If you do not want to install all of the components on one server, deselect Microsoft ILM Core Services and Sharepoint Components for ILM Portal by clicking the drop-down menus located next to them and clicking Entire feature will be unavailable.

  4. Click Next.

  5. On the Enter ILM “2” server name page, enter the NETBIOS name of the server hosting the ILM Service.

  6. Click Next.

  7. Click Install.

Installing the ILM Client Components

The ILM "2" client components consist of the ILM Add-in for Outlook 2007 and ILM Password Reset Extensions.

The ILM Add-in for Outlook 2007 lets users join or leave e-mail enabled groups. The ILM Add-in for Outlook 2007 also enables owners and approvers to approve or reject a request of any type made from the ILM Portal or from the Outlook 2007 office integration add-in component.

Password Reset lets users reset their passwords using an authentication gate from the native Windows log-on screen. If users cannot remember their passwords, Password Reset takes the user through the process of gaining a new password.

To install the ILM Client components
  1. Depending on the client computer's architecture, from the ILM "2" splash screen, click either the Install ILM "2" Client, 64-bit link or the Install ILM "2" Client, 32-bit link.

  2. Exit Office Outlook 2007, if it is running.

  3. Run ilm-client-64 bit.msi or ilm-client-32 bit.msi, and then follow the instructions in the installation wizard.

  4. On the Configure Client Settings page, in ILM Server (Name or IP), type the NETBIOS name of the server that hosts the ILM "2" server components.

  5. In Monitored Mailbox Address, type the fully resolved domain account name of the ILM "2" monitored e-mail account.

    For e-mail resolution to the service account to occur correctly, you must type the fully resolved domain account name of the ILM "2" monitored e-mail account, not the alias or display name. This e-mail account is the same e-mail account that is used for the ILM "2" service account. If you plan to use Office Integration, the ILM "2" monitored e-mail account must be hosted by Microsoft Exchange Server 2007.

Post-Installation Tasks and Configurations

After you install the ILM "2" server and client components, you must complete several configuration tasks.

Note
To access the ILM "2" Windows SharePoint Services site (this is also the ILM Portal) from the middle-tier server, type http://<NETBIOS name of the Portal server>/identitymanagement. To access the ILM Portal from client computers, open a Web browser and type http://<NETBIOS name of the middle-tier server>/identitymanagement.

Add the ILM “2” service account to the MIISAdmins group

  • In order to use the SyncConfigAPI feature, the ILM "2" Service account must be a member of the MIISAdmins security group.

Installing the ILM Service and ILM Portal on separate servers

If you have installed the ILM Service and the ILM Portal on separate servers, you must perform the following tasks to enable communication between them:

  • Enable the ILM Portal server for Kerberos delegation. For more information, see Enable Trust computer for delegation.
  • Set the Service Principal Name (SPN) on the ILM Service server using setspn.exe. The setspn.exe utility can be downloaded from the Microsoft Web site. Run the following command:

    setspn -A IdentityManagementService/computername domain\useraccountname

  • On the ILM Service server, edit the file c:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config so that the following elements read as shown:

    <resourceManagementClient resourceManagementServiceBaseAddress="http://computername:526" servicePrincipalName="IdentityManagementService/computername"/>
    <resourceManagementService certificateName="IdentityLifecycleManager2" confirmHumanity="false" servicePrincipalName="IdentityManagementService/computername"/>

    Then click Start, click Run…, type services.msc, and click OK. Stop and restart the Identity Lifecycle Manager service.
  • On the ILM Portal server, edit the file C:\inetpub\wwwroot\wss\VirtualDirectories\80\Web.config as follows:

    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <authorization>
        <allow users="*"/>
        <deny users="?"/>
    </authorization>
    …
    <resourceManagementClient resourceManagementServiceBaseAddress="http://computername:526" timeoutInMilliseconds="60000" servicePrincipalName="IdentityManagementService/computername"/>

  • Click Start, click Run…, type iisreset, and click OK.
  • On the ILM Portal server, edit the file C:\Program Files\Microsoft Identity Integration Server\Bin\miiserver.exe.config as follows:

    <resourceManagementClient resourceManagementServiceBaseAddress="http://computername:526" timeoutInMilliseconds="60000"/>

    Then click Start, click Run…, type services.msc, and click OK. Stop and restart the Microsoft Identity Integration Service service.
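
The following Windows PowerShell script is an added example; it is not part of this guide or of the ILM "2" product. After you complete the steps above, it confirms that the SPN registered on the ILM Service's service account and the servicePrincipalName and resourceManagementServiceBaseAddress values in the edited configuration files all name the same ILM Service host and port 526. If the SPN in a configuration file is not the one registered in Active Directory, the portal cannot obtain a Kerberos ticket for the service and the delegation enabled in the first step does not work. It assumes Windows PowerShell 2.0 or later, setspn.exe on the path, and read access to the configuration files; the host name, account name, and file paths are placeholders.

```powershell
# Added example, not part of the ILM "2" guide: check that the registered SPN and the edited
# config files agree on the ILM Service host, SPN and port. Assumes Windows PowerShell 2.0 or
# later and setspn.exe on the path; host, account and paths below are placeholders.
function Test-IlmSpnRegistered([string]$Account, [string]$Spn) {
    # setspn -L lists the SPNs on the account; SPNs compare case-insensitively.
    $listed = setspn -L $Account 2>&1 | ForEach-Object { $_.ToString().Trim() }
    return [bool]($listed | Where-Object { $_ -ieq $Spn })
}

function Test-IlmConfigFile([string]$Path, [string]$ExpectedHost, [string]$ExpectedSpn) {
    # Returns one finding per inconsistency; an empty result means the file matches.
    $findings = @()
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    # Both elements may sit anywhere in the file, so search the whole document.
    $nodes = $xml.SelectNodes('//resourceManagementClient | //resourceManagementService')
    if ($nodes.Count -eq 0) { return @("$Path : no resourceManagementClient/resourceManagementService element found") }
    foreach ($node in $nodes) {
        if ($node.HasAttribute('resourceManagementServiceBaseAddress')) {
            $uri = New-Object System.Uri($node.GetAttribute('resourceManagementServiceBaseAddress'))
            if ($uri.Host -ine $ExpectedHost) { $findings += "$Path : <$($node.Name)> base address host '$($uri.Host)' is not '$ExpectedHost'" }
            if ($uri.Port -ne 526)            { $findings += "$Path : <$($node.Name)> base address port $($uri.Port) is not 526" }
        }
        # miiserver.exe.config carries no servicePrincipalName in the guide, so only check it where present.
        if ($node.HasAttribute('servicePrincipalName')) {
            $spn = $node.GetAttribute('servicePrincipalName')
            if ($spn -ine $ExpectedSpn) { $findings += "$Path : <$($node.Name)> servicePrincipalName '$spn' is not '$ExpectedSpn'" }
        }
    }
    return $findings
}

# Placeholders: ILM Service host, its service account, and the three files the guide says to edit.
$IlmServiceHost    = 'ILMSVC01'
$IlmServiceAccount = 'CONTOSO\ilmsrv'
$ExpectedSpn       = "IdentityManagementService/$IlmServiceHost"
$ConfigFiles = @(
    "\\$IlmServiceHost\c$\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config",
    '\\ILMPORTAL01\c$\inetpub\wwwroot\wss\VirtualDirectories\80\Web.config',
    '\\ILMPORTAL01\c$\Program Files\Microsoft Identity Integration Server\Bin\miiserver.exe.config'
)

if (-not (Test-IlmSpnRegistered $IlmServiceAccount $ExpectedSpn)) {
    Write-Warning "$ExpectedSpn is not registered on $IlmServiceAccount (setspn -L)"
}
foreach ($file in $ConfigFiles) {
    Test-IlmConfigFile $file $IlmServiceHost $ExpectedSpn | ForEach-Object { Write-Warning $_ }
}
```

No output means every file and the directory agree. The script only reports; correct a mismatch by editing the file or re-running setspn as described above, and restart the affected service afterwards as the steps require.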

SharePoint Access and Configuration

In this section you will configure SharePoint for user access as well as perform SharePoint configuration tasks.

Grant Full Control rights to the ILM "2" SharePoint site to the initial user of the site

In this procedure, you will grant Full Control rights to the ILM "2" SharePoint site to the initial user of the site.

To grant the initial user Full Control rights for the site, you can use the Windows SharePoint Services UI or the stsadm.exe tool that is located in %ProgramFiles%\Common Files\Microsoft shared\Web server extensions\12\Bin\Stsadm.exe.

To grant full control rights for the ILM "2" Windows SharePoint Services site to the initial user
  • At a command prompt, type the following command:

    stsadm.exe -o adduser -url http://localhost/identitymanagement -userlogin userdomain\username -useremail emailalias -username "user description" -role "Full Control"

Grant user rights for the ILM “2” Windows SharePoint Services site to domain users who require it

By default, domain users do not have user rights for the site. To grant user rights, you can use the Windows SharePoint Services UI or the stsadm tool located in %ProgramFiles%\Common Files\Microsoft shared\Web server extensions\12\Bin\Stsadm.exe.

To grant access rights for the ILM "2" Windows SharePoint Services site to domain users
  • At a command prompt, type the following command:

    stsadm.exe -o adduser -url http://localhost/identitymanagement -userlogin "NT AUTHORITY\Authenticated Users" -useremail users@userdomain -username "group description" -role "Contributor"

    You can substitute another group by changing the -userlogin parameter, for example -userlogin "userdomain\Domain Users".

Configure the ILM Password Portal for anonymous access

After installing the ILM Password Portal, you must manually configure the portal for anonymous access. This allows users who have forgotten their password, and who are therefore not authenticated to the domain, to reach the password reset portal.

To allow anonymous users access to the ILM Password Portal
  1. Open Internet Explorer and open the home page of the ILM Password Portal by typing http://<NETBIOS name of the middle-tier server>/passwordportal in the address bar.

  2. Log in as a site administrator.

  3. From the home page, click the drop-down menu located next to Site Actions and then click Site Settings.

  4. In the Users and Permissions column, click Advanced Permissions.

  5. On the following page click Settings and then click Anonymous Access.

  6. From the list Anonymous users can access, select Entire Web site and then click OK.

Disable SharePoint Indexing

It is recommended that you disable SharePoint indexing for this release. There are no documents that need to be indexed, and indexing will result in many error log entries and potential performance problems with ILM "2".

To disable SharePoint indexing
  1. On the server that hosts the ILM Portal, click Start.

  2. Click All Programs.

  3. From the All Programs list click Administrative Tools.

  4. Under Administrative Tools, click SharePoint 3.0 Central Administration.

  5. On the Central Administration page, click Operations.

  6. On the Operations page, under Global Configuration, click Timer job definitions.

  7. On the Timer Job Definitions page, click SharePoint Services Search Refresh.

  8. On the Edit Timer Job page, click Disable.

Exchange Server 2007 Web Service (EWS) and Certificate Configuration

This section guides you through configuring the Exchange Server 2007 Web Service (EWS) and installing the Exchange certificate.

Exchange Server 2007 Web Service (EWS) Configuration

In this procedure, you will ensure that the Exchange 2007 Web Service (EWS) is running and can be accessed as the ILM "2" service account.

To ensure that the Exchange 2007 Web service (EWS) is running and is accessible as the ILM "2" service account
  1. Open Internet Explorer as the ILM "2" service account.

  2. In the address bar, type https://<mail server>/EWS/Exchange.asmx.

    This confirms that the EWS WSDL can be reached using the ILM "2" service account.

Exchange Server 2007 Certificate installation

On the middle-tier server that runs the ILM "2" server component, install the Microsoft Exchange Server 2007 certificate for the ILM "2" domain service account.

Note
You must run the installation of the Microsoft Exchange certificate with elevated rights. If UAC is enabled, installing the Microsoft Exchange certificate without elevated rights will cause the installation to fail.
To install the Microsoft Exchange certificate on the middle-tier server running ILM "2"
  1. Open Internet Explorer as the domain service account that you specified when you set up the ILM "2" server components.

  2. In the address bar, type https://mailserver/EWS/exchange.asmx.

    Here, mailserver is the Microsoft Exchange server that you specified when you set up the ILM "2" server components.

  3. In the Security Alert dialog box, click View Certificate.

  4. On the Welcome to the Certificate Import Wizard page, click Next.

  5. In the Certificate dialog box, click Install Certificate.
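The two procedures above check EWS reachability and certificate trust by hand in Internet Explorer. As an added example that is not part of the guide, the following PowerShell script (2.0 or later, for try/catch) performs the same check from a console opened as the ILM "2" service account: it reports who it is running as, whether the Exchange certificate chain is trusted by that account, and whether a failure is a certificate problem or an HTTP-level one. $MailServer is an assumed placeholder.

```powershell
# Added example, not from the ILM "2" guide. Run it as the ILM "2" service account
# on the middle-tier server. $MailServer is a placeholder for the Exchange server
# specified during ILM "2" setup.
$MailServer = 'mailserver'
$url = "https://$MailServer/EWS/Exchange.asmx"

# Certificate trust is per user store, so it matters which account performs the test.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Testing $url as $who"

$req = [System.Net.HttpWebRequest]::Create($url)
$req.UseDefaultCredentials = $true   # authenticate with the current account, as Internet Explorer does
$req.Timeout = 15000

try {
    $resp = $req.GetResponse()
    Write-Host ("OK: HTTP {0}; certificate chain trusted and EWS reachable" -f [int]$resp.StatusCode)
    $resp.Close()
} catch [System.Net.WebException] {
    $ex = $_.Exception
    switch ($ex.Status) {
        ([System.Net.WebExceptionStatus]::TrustFailure) {
            # The TLS handshake failed on certificate validation: this is the case the
            # "Exchange Server 2007 Certificate installation" procedure fixes.
            Write-Warning "Certificate from $MailServer is not trusted by $who; install it as described in the guide"
        }
        ([System.Net.WebExceptionStatus]::ProtocolError) {
            # The TLS handshake succeeded, so the certificate is fine; an HTTP error such as
            # 401 points at authentication or permissions, not at the certificate.
            Write-Warning ("Certificate trusted, but EWS answered HTTP {0}" -f [int]$ex.Response.StatusCode)
        }
        default {
            Write-Warning "Could not reach EWS: $($ex.Status) - $($ex.Message)"
        }
    }
}
```

A TrustFailure result after the certificate has been installed usually means it was installed into a different user's store than the one the service account uses, which is why the script prints the identity it is running under first.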

Active Directory to ILM "2" Data Migration

If you have existing data that you want synchronized from Active Directory to ILM "2", you have to perform a data migration. This is a one-time operation, not a continuous synchronization. Completing it is not required to set up ILM "2" successfully.

Note
For more information about synchronizing users between ILM "2" and Active Directory, see the Publishing Active Directory User From Two Authoritative Data Sources document included in the ILM "2" documentation set.

Verify ILM Service account group membership

To use Password Reset, after you install the ILM Synchronization Service, add the ILM Service, Portal, and Password Management domain service account to the MIISBrowse, MIISPasswordSet, and MIISAdmins groups, and then restart Microsoft ILM Common Services and Microsoft Identity Integration Server services.

Also verify that the administrators who will need access to Password Reset are members of the MIISAdmins group.
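The guide gives no command line for this step. As an added example, not from the guide, the following PowerShell script adds the service account to the three groups named above, verifies the result, and restarts the two services by the display names the guide uses; $ServiceAccount is a placeholder.

```powershell
# Added example, not from the ILM "2" guide. Run in an elevated console on the
# server that hosts the ILM Synchronization Service. $ServiceAccount is a
# placeholder for the ILM Service, Portal, and Password Management service account.
param(
    [string]$ServiceAccount = 'USERDOMAIN\svc-ilm'
)

$groups   = 'MIISBrowse', 'MIISPasswordSet', 'MIISAdmins'
$services = 'Microsoft ILM Common Services', 'Microsoft Identity Integration Server'

# Local group changes and service restarts both need administrative rights.
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell console'
}

foreach ($g in $groups) {
    # net.exe exits non-zero when the group does not exist or the account is already
    # a member, so read the membership first instead of adding blindly.
    $members = net localgroup $g 2>$null
    if ($LASTEXITCODE -ne 0) { throw "Local group '$g' was not found on this computer" }

    if ($members -contains $ServiceAccount) {
        Write-Host "$ServiceAccount is already a member of $g"
    } else {
        net localgroup $g $ServiceAccount /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to add $ServiceAccount to $g" }
        Write-Host "Added $ServiceAccount to $g"
    }
}

# Verify: every group must now list the account (net localgroup prints one member per line).
$missing = $groups | Where-Object { -not ((net localgroup $_) -contains $ServiceAccount) }
if ($missing) { throw "Account is still missing from: $($missing -join ', ')" }

# Group membership is read at logon/service start, so restart both services.
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    Write-Host ("Restarted '{0}' (status: {1})" -f $name, (Get-Service -DisplayName $name).Status)
}
```

The same loop can be reused for the administrators who need Password Reset by passing their accounts as $ServiceAccount and skipping the service restart.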

ILM Portal Access

Every user who accesses the ILM Portal must have a record in the ILM "2" data store and an account in Active Directory. If you use the ILM Portal to create a record for the user, the Active Directory account is created automatically if you are running the ILM Synchronization Service. However, if you first create a record for the user in Active Directory, you must then use the ILM Portal to create a record for that user in the ILM Service database.

Note
For more information about synchronizing users between ILM "2" and Active Directory, see the Publishing Active Directory User From Two Authoritative Data Sources document included in the ILM "2" documentation set.

Uninstall of the ILM Service component of ILM "2"

If you encounter an unrecoverable error and need to uninstall and then reinstall the ILM Service component of ILM "2", follow the instructions in the procedure below to uninstall this component of ILM "2".

To uninstall the ILM Service component of ILM "2"
  1. From the Control Panel, select Add or Remove Programs.

  2. Select Microsoft Identity Lifecycle Manager Server Components and click Remove.

  3. Delete the ILM Service database, as follows.

  4. Open SQL Server Management Studio.

  5. Select the MSILM database.

  6. Right click and select Delete.

Group management settings for the ILM Add-in for Outlook 2007

If you use the ILM Add-in for Outlook 2007 for group management, make sure that the security settings on the group objects managed by ILM "2" do not allow users to change group membership directly from the Outlook 2007 UI.

Configuration of the Add-in for Outlook 2007

The configuration of the ILM Add-in for Outlook 2007 is modifiable through the Tools menu in Outlook 2007.

To configure the ILM Add-in for Outlook 2007
  1. On each client computer that has the ILM Add-in for Outlook 2007 feature installed, open Outlook 2007.

  2. On the Tools menu, click Options.

  3. On the Options property sheet, click Approvals.

    This lets you modify the following settings:

    Approval Requests - this setting lets you select whether to delete the approval request or leave the approval request in its original folder after you send an approval response.

    Search Folders - if the user deletes the approval search folders, this setting lets you select whether to auto restore the approval search folders or delete them permanently.

    ILM Server - this setting lets you specify the location of the ILM "2" server and the service account's e-mail address.

Community Content
Uninstall of the Identity Management Platform Services component of ILM "2" (community content: Brad Turner - ILM MVP ... David Lundell -- ILM MVP)

For more information on removing a failed installation of ILM 2 Beta, see the following:

http://www.identitychaos.com/search?q=ILM+2+Beta+premature+failure

In some cases, the WSP solution files, features, and the web sites themselves are not cleaned up. These lingering objects will cause the "premature failure" of the ILM Server install.

Cleaning up WSP Solutions

  1. Open SharePoint Central Administration
  2. Click the Operations Tab
  3. Under Global Configuration, click Solution Management
  4. Click the hyperlink for the offending WSP
  5. Click the Remove Solution link (might say Retract Solution) and click OK to delete the WSP

Cleaning up Features

You can use the following commands to remove any residual features:

cd /d C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN
stsadm -o uninstallfeature -id 2E279CD0-C88F-43d8-B3DE-CE333D8FBCFA
stsadm -o uninstallfeature -id E2383F3D-7C1C-4368-B91B-5567684B464B
stsadm -o uninstallfeature -id 5B69107E-DCE0-4f49-80A2-24B78C202CE3
stsadm -o uninstallfeature -id 8ECFC16B-5E2D-4a82-9BD2-31F73C8FF058

Cleaning Up Sites

  1. Open the root site collection (http://%computername% typically)
  2. From the Site Actions drop-down, select Site Settings
  3. Under the Site Administration column, select Sites and workspaces
  4. Click the Delete "x" icon next to each of the residual "Microsoft Identity Management" Sites
SQL Server Agent should be running or install of ILM 2 Services fails (community content: David Lundell -- ILM MVP)
The SQL Agent Service account must be a SQL sysadmin and the SQL Agent Service must be running, or during install you may get "error -2147217900 Failed to execute sql string addtemporaleventsjobtoSQLServer" while trying to install ILM 2 Beta 3 Identity Management Platform Services. Apparently, the install routine needs to create a SQL Agent Job, and with SQL 2005 the Agent must be running to create a job. For more info on that job, see http://www.ilmbestpractices.com/blog/2008/10/sql-server-agent-should-be-running-or.html

Almost Automatic Installation of ILM 2 Beta 3 (community content: David Lundell -- ILM MVP)

For more info and complete scripts: http://www.ilmbestpractices.com/blog/2008/10/semi-automated-install-of-ilm-2-beta-3.html

After installation of ILM 2 Beta 3 you have several post install tasks per the ILM "2" Beta 3 Installation Guide:

  1. Grant Full Control rights to the ILM "2" SharePoint site to the initial user of the site
  2. Grant user rights for the ILM “2” Windows SharePoint Services site to domain users who require it
  3. Configure the ILM “2” Password Management Portal for anonymous access
  4. Disable SharePoint Indexing
  5. Exchange Server 2007 Web Service (EWS) Configuration
  6. Exchange Server 2007 Certificate installation
  7. ILM MA permissions (SQL permissions)
  8. Verify ILM Service account group membership
  9. ILM “2” Web Portal Access

For items 1 and 2 the guide provides a command line, but for steps 3-9 the guide only provides steps that must be done through the GUI.

With the help of some stsadm custom extensions written by SharePoint MVP Gary LaPointe we can easily automate step #3. We will use gl-setanonymousaccess.

Step 4 could be automated by using the following standard stsadm command to stop the Search service

stsadm -o osearch -action stop -f

Or this could be handled during your WSS 3.0 install, which is how we did it. I'll have to ping another Ensynch colleague, Jeff Holliday (he calls his blog the SharePoint Redemption), to see how he did that when he created our install for WSS 3.0.

Steps 5 and 6 are manual, as is 9 (well, 9 is pretty involved), but 7 (ILM MA user account SQL Permissions) is easy to automate with a SQL Script. (For the time being I am going to be lazy about step 8 -- which could be automated but which I leave as an exercise to the reader).

We need to create a login for the account we specified for the ILM 2 MA, grant it a user in the MSILM database and make it a member of the db_owner fixed database role.

You'll see that I took advantage of sqlcmd's ability to do some preprocessing replacement using parameters or environmental variables. In this case I used environmental variables. You can see wherever it says [$(something)] -- like this: [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)]

USE [master] 
CREATE LOGIN [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)] FROM WINDOWS WITH DEFAULT_DATABASE=[MSILM]
GO
USE [MSILM]
GO
CREATE USER [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)] FOR LOGIN [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)]
GO
EXEC sp_addrolemember N'db_owner', N'$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' 
GO
DECLARE @myvar int
SELECT @myvar = (SELECT CASE
WHEN 1 = (SELECT COUNT(*) FROM sys.syslogins where name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
AND 1 = (SELECT COUNT(*) FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
AND 1 = (SELECT COUNT(*)
FROM sys.database_role_members
WHERE member_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
AND role_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='db_owner')
) THEN 0
WHEN 0 = (SELECT COUNT(*) FROM sys.syslogins where name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
THEN 1 -- Couldn't create Login
WHEN 0 = (SELECT COUNT(*) FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
THEN 2 -- Couldn't map user to MSILM database
WHEN 0 = (SELECT COUNT(*)
FROM sys.database_role_members
WHERE member_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
AND role_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='db_owner')
)
THEN 3 -- Couldn't assign user to db_owner role
ELSE 4 -- unknown error
END)
EXIT(SELECT @myvar)
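As an added example that is not part of David Lundell's post, here is how the script above can be run from PowerShell with sqlcmd: the MA account is supplied through the environment variable the script's $(SYNCHRONIZATION_SERVER_ACCOUNTNQ) placeholder reads, the exit code produced by EXIT(SELECT @myvar) is mapped to the meanings defined in the CASE expression, and the db_owner membership is re-checked independently with IS_ROLEMEMBER. The server name, script path and account are placeholders.

```powershell
# Added example, not part of the post. Runs the post's T-SQL script with sqlcmd and
# interprets its result. All three values below are placeholders.
$SqlServer  = 'SQLSERVER01'                          # instance that hosts the MSILM database
$ScriptPath = 'C:\ILM2\Grant-IlmMaPermissions.sql'   # the script from the post, saved to disk
$MaAccount  = 'USERDOMAIN\svc-ilm-ma'                # account specified for the ILM 2 MA

# sqlcmd substitutes $(NAME) in the script from its environment, which is the
# mechanism the post uses. -E authenticates as the account running this script,
# which therefore needs sysadmin on the instance to create the login.
$env:SYNCHRONIZATION_SERVER_ACCOUNTNQ = $MaAccount
& sqlcmd -S $SqlServer -E -i $ScriptPath
$rc = $LASTEXITCODE

# Exit codes as defined by the CASE expression in the script.
$meaning = @{
    0 = 'login, MSILM user and db_owner membership are all present'
    1 = 'login could not be created'
    2 = 'user could not be mapped to the MSILM database'
    3 = 'user could not be added to the db_owner role'
    4 = 'unknown error'
}
if ($meaning.ContainsKey($rc)) {
    Write-Host ("sqlcmd exit code {0}: {1}" -f $rc, $meaning[$rc])
} else {
    # Anything else came from sqlcmd itself (cannot connect, script not found, ...),
    # not from the script's EXIT.
    Write-Warning "sqlcmd exit code ${rc}: not one of the script's codes; check connectivity and the script path"
}

# Independent re-check from outside the script. IS_ROLEMEMBER returns 1 when the
# database user is a member of db_owner, 0 when not, and NULL when the user or role
# is unknown; NULL is mapped to -1 so the result is always a single token.
$check = & sqlcmd -S $SqlServer -E -d MSILM -h -1 -W -Q "SET NOCOUNT ON; SELECT ISNULL(IS_ROLEMEMBER('db_owner', '$MaAccount'), -1)"
if ("$check".Trim() -eq '1') {
    Write-Host "Verified: $MaAccount is a member of db_owner in MSILM"
} else {
    Write-Warning "db_owner check returned '$("$check".Trim())' for ${MaAccount}; review the script output above"
}
```

Because the script's CASE inspects the catalog views rather than the outcome of each statement, running it a second time reports exit code 0 even though CREATE LOGIN and CREATE USER print errors for the already existing objects; the IS_ROLEMEMBER re-check confirms the end state either way.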
© 2009 Microsoft Corporation. All rights reserved.