The Microsoft® Forefront™ Identity Manager Installation Guide enables IT professionals to install FIM 2010. A FIM 2010 deployment has two major component groups, the server-side and the client-side. This document also covers the installation of Microsoft® Forefront Identity Manager Certificate Management (FIM CM).
The server-side components are as follows:
- FIM Synchronization Service
- FIM Service
- FIM Portal
- FIM Password Portal
- FIM Service and Portal Language Pack
The client-side components are as follows:
- FIM Add-in for Outlook
- FIM Password Reset Extensions
- FIM Add-ins and Extensions Language Pack
What This Document Covers
This document covers the installation of FIM 2010: the steps needed to deploy FIM 2010 successfully in your environment, and the installation of each of the components and subcomponents that make up a FIM 2010 installation.
Prerequisite Knowledge
This document assumes that you have a basic understanding of the following:
- Installing software on server and client computers
- Active Directory Domain Services, FIM 2010, Microsoft SQL Server 2008, Windows SharePoint Services 3.0, and Microsoft Exchange Server 2007
Setting up and configuring Active Directory, SQL Server 2008, Windows SharePoint Services 3.0, and Microsoft Exchange Server 2007 is out of the scope of this document.
Audience
This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010.
Topology
FIM supports a variety of deployment topologies. Each of the main components may be installed separately or in combination on individual servers:
- FIM Service
- FIM Synchronization Service
- FIM Portal
- FIM Password Portal
- SQL Server 2008 database for the FIM Service
- SQL Server 2008 database for the FIM Synchronization Service
Additionally, the FIM Service and the FIM Portal can be scaled out to multiple servers. For more information, see Overview of Network Load Balancing and SharePoint Server farm architecture.
The following topics describe how to install and configure FIM 2010:
Required Hardware
The server(s) hosting the FIM 2010 server components must meet the following hardware requirements:
- An x64-capable processor
- 2 gigabytes (GB) of available hard disk drive space
- 2 gigabytes (GB) or more of RAM
- A monitor with a resolution of 1024x768
- A CD-ROM or DVD-ROM drive
The client computer that hosts the FIM 2010 client-side component(s) must meet the following hardware requirements:
- 512 MB of RAM (1 GB recommended)
- 500 MB of free hard disk drive space
- A monitor that can display a resolution of 1024x768
Required Software
Each server hosting the different FIM 2010 server-side components has a different software requirement. Below, you will find the software requirements for each of the FIM 2010 server-side components. If you decide to install all of the server-side components on one server, you must install the software requirements for each of the FIM 2010 server-side components on that server.
FIM 2010 Synchronization Service Software Requirements
The server hosting the FIM 2010 Synchronization Service must have the following prerequisite software installed:
- Windows Server 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise Edition.
Important: When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If Terminal Services is installed, the FIM 2010 server components do not install.
- Windows Installer 4.5
Note: Windows Installer 4.5 can be downloaded from the Microsoft Download Center.
- SQL Server 2008 64-bit Standard or Enterprise Edition, Service Pack 1 or later.
The following SQL features must be installed:
- Microsoft Visual Studio 2008
Note: Microsoft Visual Studio 2008 is required only if you plan to develop rules extensions for the FIM 2010 Synchronization Service on this server.
- Windows PowerShell 1.0 or PowerShell 2.0
Note: PowerShell 1.0 or newer is required to provision resources for Exchange 2007. PowerShell 2.0 is required to provision resources for Exchange 2010. You cannot have both versions of PowerShell installed at the same time. Windows PowerShell 1.0 can be installed from the Features interface included with Windows Server 2008. Windows Server 2008 R2 ships with PowerShell 2.0; Windows PowerShell 2.0 for Windows Server 2008 can be downloaded from the Microsoft Download Center.
- Microsoft .NET Framework 3.5 SP1
You can download Microsoft .NET Framework 3.5 SP1 from http://go.microsoft.com/fwlink/?LinkId=129538.
- Exchange 2007 SP1 Management Tools
Note: The Exchange 2007 SP1 Management Tools are required to fully provision Exchange Server 2007 mailboxes, contacts, and groups that are created by the FIM Synchronization Service. You will receive an extension-dll-exception error if you attempt to synchronize these objects to Active Directory without the Exchange 2007 SP1 Management Tools installed. Exchange 2010 provisioning does not require any additional tools on the FIM Synchronization Service server.
FIM Service Software Requirements
The server hosting the FIM Service must have the following software installed:
- Windows Server 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise Edition.
Important: When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If Terminal Services is installed, the FIM server components do not install.
- Windows Installer 4.5
Note: Windows Installer 4.5 can be downloaded from the Microsoft Download Center.
- SQL Server 2008 64-bit Standard or Enterprise Edition, Service Pack 1 or later.
The following SQL features must be installed:
Note: You can use the same SQL Server 2008 instance that the FIM Synchronization Service is using.
Note: After installing SQL Server, make sure that the SQL Server Agent is running.
- Windows PowerShell 1.0 or PowerShell 2.0
Note: The FIM Service works with both PowerShell 1.0 and PowerShell 2.0. You cannot have both versions of PowerShell installed at the same time. Windows PowerShell 1.0 can be installed from the Features interface included with Windows Server 2008. Windows Server 2008 R2 ships with PowerShell 2.0; Windows PowerShell 2.0 for Windows Server 2008 can be downloaded from the Microsoft Download Center.
- Microsoft .NET Framework 3.0 Features
Note: Microsoft .NET Framework 3.0 Features can be installed from the Features interface included with Windows Server 2008.
- Microsoft .NET Framework 3.5 SP1
You can download Microsoft .NET Framework 3.5 SP1 from http://go.microsoft.com/fwlink/?LinkId=129538.
FIM Portal and Password Portal Software Requirements
The server(s) hosting the FIM Portal and Password Portal must have the following software installed:
Note: If you decide to install the FIM Portal and Password Portal software on different servers, the software prerequisites for both servers are the same.
- Windows Server 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise Edition.
Important: When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If Terminal Services is installed, the FIM 2010 server components do not install.
- Microsoft .NET Framework 3.0 Features
Note: Microsoft .NET Framework 3.0 Features can be installed from the Features interface included with Windows Server 2008.
- Microsoft .NET Framework 3.5 SP1
- Windows SharePoint Services 3.0 SP1 or SP2
- Windows SharePoint Services 3.0 Language Pack
Note: If you have installed Windows SharePoint Services 3.0 in a language other than English, you must install the Windows SharePoint Services 3.0 Language Pack. You can download SP2 of the language pack from http://go.microsoft.com/fwlink/?LinkID=178266.
FIM Add-ins and Extensions Components Software Requirements
The client computers that host the FIM add-ins and extensions components must meet the following software requirements:
- Windows XP Professional SP2 or later (32-bit), Windows Vista Enterprise SP1 or later (32- or 64-bit), or Windows 7 (32- or 64-bit).
- Windows Installer 3.1 or later (only needed for Windows XP SP2)
- Microsoft .NET Framework 3.5 SP1
- Microsoft Office Outlook 2007 SP2
This software is required only if you use the FIM Add-in for Outlook.
- Microsoft Forms 2.0 .NET Programmability Support
This software is required only if you use FIM 2010 Office Integration.
Note: This is an installable feature of Microsoft Office 2007. To install it, select the Microsoft Forms 2.0 .NET Programmability Support option under Office Tools when you run setup for Microsoft Office 2007.
- Smart Tag .NET Programmability Support
This software is required only if you use FIM 2010 Office Integration.
Note: This is an installable feature of Microsoft Office 2007. To install it, select the Smart Tag .NET Programmability Support option under Office Tools when you run setup for Microsoft Office 2007.
- .NET Programmability Support for Microsoft Office Outlook
This software is required only if you use FIM 2010 Office Integration.
Note: This is an installable feature of Microsoft Office 2007. To install it, select the .NET Programmability Support option under Microsoft Office Outlook when you run setup for Microsoft Office 2007.
Before You Begin
Before you install the FIM 2010 server and client components, you must complete the following configuration tasks in the order shown:
- Create an e-mail enabled domain service account to run the FIM Service component.
- Create a service account to run the FIM Synchronization Service.
- Create a FIM management agent account.
- Configure the service accounts that run the FIM server components in a secure manner.
- If you are running the Exchange Web Service and the IIS default Web site (FIM Portal) on the same server, ensure that both are not configured to use port 80.
- Ensure there is a default SharePoint Web site installed.
- Ensure that SharePoint Services has English installed.
- Implement Secure Sockets Layer (SSL).
- Configure SQL Server.
- Configure SQL aliases.
- Establish Service Principal Names (SPNs) for FIM 2010.
Create an e-mail enabled domain service account to run the FIM Service
To run the FIM Service component, you must have a dedicated domain service account. To use the Outlook integration feature (the FIM Add-in for Outlook), an Exchange mailbox must also be created for this account on a server that hosts Microsoft Exchange Server 2007 or Microsoft Exchange Server 2010.
This account is also used to send e-mail notifications from FIM 2010.
This account should not be granted local administrator permissions.
Important: You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If you do not, and another client moves messages out of the account's Inbox, the e-mail processor does not see those messages. In addition, after the e-mail processor reads a message from the Inbox, it moves the message to another folder, which can cause problems for any other client that uses the same mailbox.
Create a service account to run the FIM Synchronization Service
You must create a domain service account to run the FIM Synchronization Service. This account should not be a local administrator.
Create a domain FIM management agent account
You must create a domain service account that is reserved for the exclusive use of the FIM management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup, it can give the account the required rights. This account should not be a local administrator account.
Understanding the Purpose of the FIM management agent account
The purpose of this account is to let the FIM Service identify the FIM Synchronization Service when it exports to the FIM Service through the Web service. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are skipped and only action workflows run.
The account used for the FIM MA should be treated as a highly trusted account; never use it to access the FIM Portal. If you do, all requests made through the FIM Portal with this account skip AuthN and AuthZ, so any policy that would normally require authentication or approval is bypassed.
If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information.
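The three accounts described above can be created from the command line as well as in Active Directory Users and Computers. The following is an added example, not code from the FIM guide, that creates them with ADSI (which works with PowerShell 1.0 and 2.0 and needs no extra modules) and sets the account flags a service account needs. The OU path, account names and UPN suffix are assumptions for the example; run it as a domain administrator.

```powershell
# Added example, not from the FIM guide: create the three domain accounts
# described above with ADSI. Run as a domain administrator. OU, names and
# UPN suffix are assumptions; passwords are prompted for, never stored in the script.
$ouPath        = 'LDAP://OU=Service Accounts,DC=contoso,DC=com'
$domainNetbios = 'CONTOSO'
$upnSuffix     = 'contoso.com'
$accounts = @(
    @{ Name = 'svc-fimservice'; Description = 'FIM Service service account (mail-enabled; exclusive use of FIM)' },
    @{ Name = 'svc-fimsync';    Description = 'FIM Synchronization Service service account' },
    @{ Name = 'svc-fimma';      Description = 'FIM management agent account; trusted, never log on to the FIM Portal with it' }
)
$ADS_UF_NORMAL_ACCOUNT     = 0x200
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function New-FimAccount([string]$name, [string]$description, [string]$password) {
    $ou   = [ADSI]$ouPath
    $user = $ou.Create('user', "CN=$name")
    $user.Put('sAMAccountName', $name)
    $user.Put('userPrincipalName', "$name@$upnSuffix")
    $user.Put('description', $description)
    $user.SetInfo()                      # the object must exist before a password can be set
    $user.SetPassword($password)
    # Enable the account and stop the password from expiring; a service account
    # whose password silently expires takes FIM down.
    $user.Put('userAccountControl', ($ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.SetInfo()
    "$domainNetbios\$name"               # the form later setup pages expect (domain\account)
}

foreach ($a in $accounts) {
    $secure = Read-Host "Password for $($a.Name)" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    New-FimAccount $a.Name $a.Description $plain
}

# The FIM Service account still needs its Exchange mailbox for the Outlook add-in
# and e-mail notifications. That is an Exchange Management Shell task, for example:
#   Enable-Mailbox -Identity svc-fimservice -Database 'Mailbox Database 1'
```

None of the three accounts is added to any administrative group; the logon restrictions that follow in the next section are applied on each FIM server separately.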
Configure the service accounts running the FIM 2010 server components in a secure manner
As mentioned above, two service accounts run the FIM server components; this guide calls them the FIM Service service account and the FIM Synchronization Service service account. The FIM MA account is not considered a service account and should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA account must be able to log on locally: start Administrative Tools, click Local Security Policy, and open Local Policies, User Rights Assignment. In the Allow log on locally policy, make sure the FIM MA account is listed explicitly or is a member of one of the groups that already has the right.
To configure the server(s) running the FIM server components in a secure manner, the service accounts should be restricted. The easiest way to do this is to run Local Security Policy from Administrative Tools, navigate to Local Policies\User Rights Assignment, and add the service accounts to each of the following policies:
- Deny log on as a batch job
- Deny log on locally
- Deny access to this computer from the network
The service accounts should not be members of the local Administrators group.
The FIM Synchronization Service service account should not be a member of the security groups used to control access to the FIM Synchronization Service (the groups whose names start with FIMSync, for example FIMSyncAdmins).
If you use the same account for both service accounts and install the FIM Service and the FIM Synchronization Service on separate servers, you cannot set Deny access to this computer from the network for that account on the FIM Synchronization Service server. Denying network access would prevent the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords.
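The user-rights assignments above can be applied with secedit.exe instead of the Local Security Policy console, which is useful when several FIM servers have to be configured the same way. The following is an added example, not code from the FIM guide; the account names are assumptions. It exports the current assignments so existing entries are preserved, adds the three Deny rights for the service accounts, grants Allow log on locally to the FIM MA account, and honours the shared-account caveat above through the $keepNetworkLogon switch. Run it elevated on each FIM server.

```powershell
# Added example, not from the FIM guide: apply the logon restrictions above with
# secedit.exe (present on Windows Server 2008, needs no extra modules).
# Run elevated on each FIM server. Account names are assumptions.
$fimServiceAccount = 'CONTOSO\svc-fimservice'
$fimSyncAccount    = 'CONTOSO\svc-fimsync'
$fimMaAccount      = 'CONTOSO\svc-fimma'
# Set to $true on the FIM Synchronization Service server when one account runs both
# services and the FIM Service is on another server: network logon must then stay allowed.
$keepNetworkLogon  = $false

function Get-SidEntry([string]$account) {
    # User-rights entries in a security template are SIDs prefixed with '*', never names.
    $nt = New-Object System.Security.Principal.NTAccount($account)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-ToRight([string[]]$policy, [string]$right, [string[]]$sids) {
    # Merge SIDs into one right, keeping whoever is already listed there.
    $found = $false
    $out = @(foreach ($line in $policy) {
        if ($line -match "^$right\s*=") {
            $found = $true
            $existing = (($line -split '=', 2)[1]).Trim() -split ','
            $merged = @($existing + $sids | Where-Object { $_ } | Select-Object -Unique)
            "$right = " + ($merged -join ',')
        } else { $line }
    })
    if (-not $found) {
        # A new right must sit inside [Privilege Rights], not after [Version].
        $idx = [array]::IndexOf($out, '[Privilege Rights]')
        $out = @($out[0..$idx]) + @("$right = " + ($sids -join ',')) + @($out[($idx + 1)..($out.Count - 1)])
    }
    $out
}

$work = Join-Path $env:TEMP 'fim-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

# Export the current assignments so existing entries survive the import.
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = @(Get-Content $inf)

$serviceSids = @((Get-SidEntry $fimServiceAccount), (Get-SidEntry $fimSyncAccount)) | Select-Object -Unique
$policy = Add-ToRight $policy 'SeDenyBatchLogonRight'       $serviceSids   # Deny log on as a batch job
$policy = Add-ToRight $policy 'SeDenyInteractiveLogonRight' $serviceSids   # Deny log on locally
if (-not $keepNetworkLogon) {
    $policy = Add-ToRight $policy 'SeDenyNetworkLogonRight' $serviceSids   # Deny access from the network
}
# The FIM MA account is the exception: it must be allowed to log on locally so the
# FIM Synchronization Service can impersonate it.
$policy = Add-ToRight $policy 'SeInteractiveLogonRight' @(Get-SidEntry $fimMaAccount)

Set-Content -Path $inf -Value $policy -Encoding Unicode
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# Check: none of the three accounts may be a local administrator.
$admins = net.exe localgroup Administrators
foreach ($acct in $fimServiceAccount, $fimSyncAccount, $fimMaAccount) {
    if ($admins -contains $acct) { Write-Warning "$acct is in the local Administrators group; remove it" }
}
```

Deny rights take precedence over Allow rights, so the FIM MA account must not appear in any of the Deny lists; the script only ever adds the two service accounts there. After the import, rerunning secedit /export and reading the [Privilege Rights] section is the quickest way to confirm what was applied.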
Ensure the Exchange Web Service and IIS default Web site are not both configured to use port 80
In a lab environment you might want to run Exchange on the same server as the FIM Service. If you do, reconfigure the Exchange Web Service so that it does not use the default port 80; otherwise the Exchange Web Service will not be reachable.
You must specify either a different port, a different IP address, or a different host name in IIS.
Ensure that SharePoint Services has English installed
If the installed version of SharePoint Services is not English, FIM 2010 setup fails. Before you install FIM 2010, install the Windows SharePoint Services 3.0 English language pack (SP2), available here: http://go.microsoft.com/fwlink/?LinkID=178266.
Ensure there is a default SharePoint web site installed
Before you install the FIM Portal and Password Portal, run the SharePoint Products and Technologies Configuration Wizard for Windows SharePoint Services 3.0. On a standalone server this creates a default SharePoint site for you.
If you have installed SharePoint in a SharePoint farm, the wizard does not create the default site; you must create it manually. How to set up a SharePoint farm is outside the scope of this installation guide.
Verify the SharePoint installation by navigating to http://localhost:80 on the server where you will install the FIM Portal. You should see a SharePoint site and not the standard Welcome to IIS7 page. If you see the Welcome to IIS7 page, reconfigure SharePoint so that a default SharePoint site exists at this server address.
If you skip this task you may have to reinstall the FIM Portal and Password Portal components of FIM 2010.
Implementing Secure Sockets Layer (SSL)
Use SSL on the FIM Portal server to protect the traffic between the clients and the server; the FIM Portal installation section later in this guide treats SSL as a requirement.
To implement SSL
1. Open IIS Manager on the FIM Portal server.
2. Click the local computer name.
3. Click Server Certificates.
4. Click Create Certificate Request.
5. For Common Name, enter the name of the server (the name must match the host name clients use, or browsers will warn of a name mismatch).
6. Click Next, then Next.
7. Save the file to any location. You will need it in a later step.
8. In Internet Explorer, browse to https://servername/certsrv, replacing servername with the name of the server issuing certificates.
9. Click Request a certificate.
10. Click Submit an advanced certificate request.
11. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
12. Paste in the contents of the file you saved in step 7.
13. From Certificate Template, select Web Server.
14. Click Submit.
15. Save the certificate to your Desktop.
16. In IIS Manager, click Complete Certificate Request.
17. Point it to the certificate you just saved to the Desktop.
18. For Friendly name, enter the name of the server.
19. Click Sites, then select SharePoint - 80.
20. Click Bindings, then click Add.
21. Select https.
22. For SSL certificate, select the one that has the same name as the server (the certificate you just imported).
23. Click OK.
24. Remove the http binding.
25. Click SSL Settings and check Require SSL and Require 128-bit SSL.
26. Save the settings.
27. Click Start, click Administrative Tools, then click SharePoint 3.0 Central Administration.
28. Click Operations, then select Alternate Access Mappings.
29. Click http://servername.
30. Change it to https://servername and click OK.
31. Click Start, click Run, enter iisreset, and click OK.
32. In Internet Explorer, navigate to https://servername/identitymanagement.
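Steps 1 through 26 above can also be done from the command line with tools that ship with Windows Server 2008 (certreq.exe, appcmd.exe and netsh.exe), which is easier to repeat across several FIM Portal servers and avoids pasting requests into the certsrv Web pages. The following is an added example, not code from the FIM guide. The portal host name and the CA configuration string are assumptions; WebServer is the template the steps above select. The Alternate Access Mapping change in Central Administration (steps 27 through 30) is still done in the UI.

```powershell
# Added example, not from the FIM guide: certificate request, issuance and IIS
# binding from the command line. Run elevated on the FIM Portal server.
# Host name and CA config string are assumptions; WebServer is the template
# the UI steps above select.
$portalName = 'fimportal.contoso.com'                 # the name clients use; must match the CN
$caConfig   = 'ca01.contoso.com\Contoso Issuing CA'   # "host\CA name", as listed by certutil -dump
$work = Join-Path $env:TEMP 'fim-ssl'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request: 2048-bit RSA key in the machine store, not exportable, server-auth EKU.
@"
[NewRequest]
Subject = "CN=$portalName"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf"

certreq.exe -new "$work\request.inf" "$work\request.csr"
certreq.exe -submit -config $caConfig "$work\request.csr" "$work\portal.cer"
certreq.exe -accept "$work\portal.cer"      # installs the issued cert next to its private key

# 2. Locate the issued certificate by subject and keep its thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$portalName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $portalName in LocalMachine\My" }

# 3. Swap the SharePoint site's http binding for https and require SSL.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'SharePoint - 80'
& $appcmd set site /site.name:"$site" "/+bindings.[protocol='https',bindingInformation='*:443:']"
& $appcmd set site /site.name:"$site" "/-bindings.[protocol='http',bindingInformation='*:80:']"
# Bind the certificate to port 443; the appid is the GUID IIS Manager uses for its own bindings.
netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) "appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"
& $appcmd set config "$site" /section:access /sslFlags:"Ssl,Ssl128" /commit:apphost
iisreset.exe | Out-Null

# 4. Check: port 443 serves exactly the certificate just bound. Chain validation is
#    skipped here only because the thumbprint is compared explicitly below.
$trustAll = [Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object Net.Sockets.TcpClient($portalName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
$ssl.AuthenticateAsClient($portalName)
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()
if ($served.Thumbprint -ne $cert.Thumbprint) { throw 'Port 443 is serving a different certificate' }
"https binding OK: $($served.Subject) expires $($served.NotAfter)"
```

Keeping the key non-exportable and in the machine store means a copy of the portal's identity cannot be walked off the server by anyone who is not already an administrator on it; if you later need the same certificate on a second portal server, request a separate one for that host instead of exporting this one.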
Configure SQL Server
Before you install the FIM Service, verify and complete the following tasks on the SQL Server.
Make sure the service accounts used by the SQL Server Database Engine and SQL Server Agent are either domain accounts or built-in service accounts (for example Network Service).
When you configure the service accounts for SQL Server, consult the following articles:
- http://msdn.microsoft.com/en-us/library/ms345380.aspx
- http://msdn.microsoft.com/en-us/library/ms191543.aspx
Important: The SQL Server service account should not be a local computer account. A local account cannot impersonate domain accounts, and the FIM Service will not behave as expected.
Note: The Windows services SQL Server, SQL Server Agent and SQL Full-text Filter Daemon Launcher must run under the same account.
Important: If you install the SQL Server 2008 database on a different server than the FIM Service or FIM Synchronization Service, you will need to open additional ports in order for FIM 2010 setup to communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access.
When the FIM Service and FIM Synchronization Service are installed, their data and log files are created in the default locations specified by SQL Server. For optimal performance, data and log files should be located on different drives and on different spindles.
1. Start SQL Server Management Studio and connect to the instance.
2. Right-click the server and select Properties.
3. Go to Database Settings. Adjust the Data and Log default locations so that the database files are not on the same drive as the operating system.
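The checks above (service accounts, Agent state, default file locations) can be scripted so they are verified the same way on every SQL Server that will host FIM databases. The following is an added example, not code from the FIM guide. It assumes the default instance; the service and registry names for a named instance are noted in the comments.

```powershell
# Added example, not from the FIM guide: verify the SQL Server requirements above
# on the SQL Server host before running FIM setup. Service and registry names
# assume the default instance (MSSQL10.MSSQLSERVER); a named instance uses
# MSSQL$NAME, SQLAgent$NAME, MSSQLFDLauncher$NAME and the MSSQL10.NAME key.
$serviceNames = 'MSSQLSERVER', 'SQLSERVERAGENT', 'MSSQLFDLauncher'
$problems = @()

$services = @(Get-WmiObject Win32_Service | Where-Object { $serviceNames -contains $_.Name })
foreach ($svc in $services) {
    $acct = $svc.StartName
    # Built-in accounts (LocalSystem, NT AUTHORITY\...) and domain accounts are acceptable;
    # a local computer account (.\user or HOST\user) cannot impersonate domain users.
    $builtIn = $acct -match '^(LocalSystem$|NT AUTHORITY\\)'
    $domain  = ($acct -match '\\') -and (@($env:COMPUTERNAME, '.') -notcontains ($acct -split '\\')[0])
    if (-not ($builtIn -or $domain)) { $problems += "$($svc.Name) runs as local account '$acct'" }
    if ($svc.Name -eq 'SQLSERVERAGENT' -and $svc.State -ne 'Running') {
        $problems += "SQL Server Agent is $($svc.State); FIM Service setup requires it to be running"
    }
}
$installed = @($services | ForEach-Object { $_.Name })
foreach ($missing in ($serviceNames | Where-Object { $installed -notcontains $_ })) {
    $problems += "service $missing is not installed"
}
$accounts = @($services | ForEach-Object { $_.StartName } | Select-Object -Unique)
if ($accounts.Count -gt 1) {
    $problems += 'SQL Server, Agent and Full-text Filter Daemon Launcher use different accounts: ' + ($accounts -join ', ')
}

# Default data and log locations: not on the OS drive, and not on the same drive as each other.
$instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQLServer'
$props = Get-ItemProperty -Path $instKey -ErrorAction SilentlyContinue
foreach ($name in 'DefaultData', 'DefaultLog') {
    $path = $props.$name
    if (-not $path) { $problems += "$name is not set; files will go under the instance directory" }
    elseif ($path -like "$env:SystemDrive*") { $problems += "$name ($path) is on the operating system drive" }
}
if ($props.DefaultData -and $props.DefaultLog -and
    ($props.DefaultData.Substring(0, 2) -eq $props.DefaultLog.Substring(0, 2))) {
    $problems += 'DefaultData and DefaultLog are on the same drive'
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'SQL Server configuration OK for FIM setup' }

# Make sure the Agent is running now and comes back after a reboot.
Set-Service -Name SQLSERVERAGENT -StartupType Automatic
Start-Service -Name SQLSERVERAGENT
```

Each warning maps to one of the statements in this section; the FIM Service installer itself only reports the Agent problem, the others show up later as failed impersonation or poor performance.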
Configure SQL aliases
If you plan to install the FIM Service or FIM Synchronization Service against a SQL Server instance that uses a non-default port, you must create a SQL alias so that setup can contact the SQL Server.
1. Start SQL Server Configuration Manager.
2. Navigate to SQL Native Client 10.0 Configuration, Aliases.
3. Create a new alias with your server name, protocol (TCP/IP) and port.
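SQL Native Client aliases are stored in the registry, so the alias can also be created and verified without SQL Server Configuration Manager. The following is an added example, not code from the FIM guide. It writes both the 64-bit key (read by the 64-bit FIM services) and the Wow6432Node key (read by 32-bit tools), then opens a real connection through the alias with System.Data.SqlClient, which honours these aliases, so the check does not depend on SQL tools being installed. The alias name, host and port are assumptions.

```powershell
# Added example, not from the FIM guide: create a SQL Native Client alias in the
# registry and verify it. Alias name, host and port are assumptions.
$alias   = 'FIMSQL'
$sqlHost = 'sql01.contoso.com'
$sqlPort = 14330                                 # the non-default TCP port the instance listens on
$value   = "DBMSSOCN,$sqlHost,$sqlPort"          # DBMSSOCN selects the TCP/IP network library

function Set-SqlAlias([string]$name, [string]$connectTo) {
    # 64-bit processes (the FIM services) and 32-bit processes read different keys;
    # write both so the alias resolves the same way for setup and for the services.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -Value $connectTo -PropertyType String -Force | Out-Null
    }
}

function Test-SqlAlias([string]$name) {
    # Integrated security: the account running this must have a login on the instance,
    # which the installing account does (it must be sysadmin for FIM setup anyway).
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$name;Integrated Security=SSPI;Connection Timeout=10")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT @@SERVERNAME, CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'))"
        $r = $cmd.ExecuteReader()
        if ($r.Read()) { "alias $name -> {0} (SQL Server {1})" -f $r[0], $r[1] }
        $r.Close()
    } finally { $conn.Close() }
}

Set-SqlAlias $alias $value
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo' | Select-Object $alias
Test-SqlAlias $alias
```

Use the alias name (FIMSQL in the example) as the Database Server value on the Configure Common Services page during FIM Service setup. Because the port is fixed in the alias, the SQL Server Browser service is not needed, but the port itself must still be open in the Windows Firewall on the SQL Server, as noted in the previous section.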
Establish Service Principal Names (SPN) for FIM 2010
For Kerberos authentication to work, you have to register SPNs in the domain. Kerberos lets the clients and the FIM Service authenticate each other and is required for the clients to be able to communicate with the FIM Service.
SPNs are needed if you separate the FIM Portal and the FIM Service onto different servers or if you use the FIM Password Reset Extensions. You also have to create SPNs if the network address used by users and clients is not the same as the server name (for example, when you use a CNAME in DNS). Different SPNs are used by the FIM Portal server and the FIM Service server. An SPN can be registered on only one account in the forest; a duplicate breaks Kerberos for that name, so query with setspn -Q before adding (or use setspn -S, which refuses to add a duplicate). For the FIM Service server, take the following steps:
1. Register the SPNs for the FIM Service by running the following commands:
   setspn -A FIMService/servername domain\serviceaccount
   setspn -A HTTP/servername domain\serviceaccount
   The servername above is the address entered during FIM Service setup and used by the clients to contact the Web service.
   The serviceaccount above is the account used by the FIM Service.
   If you use several different names to contact the server (for example, FQDN and NetBIOS names), repeat the commands for every name.
2. Enable the FIM Service server for Kerberos delegation in Active Directory. You can either enable delegation for the entire server by selecting Trust this computer for delegation to any service, or use constrained delegation (recommended) by selecting Trust this computer for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account and select the entries added in the previous step.
For the FIM Portal server, take the following steps:
1. If the address the clients use to contact the FIM Portal is not the same as the server name, you have to register an HTTP SPN. For example, if clients use a CNAME in DNS, that name must be registered or Internet Explorer will not be able to use Kerberos when contacting the portal. Run the following command:
   setspn -A HTTP/FIMPortalAddress servername
   The FIMPortalAddress above is the address used by clients to contact the FIM Portal server.
   Servername is the real name of the server.
   If you use several different names to contact the server (for example, FQDN and NetBIOS names), repeat the command for every name.
   If you have several servers hosting the FIM Portal, run this for every server.
2. Enable Kerberos delegation in Active Directory for HTTP. You can either enable delegation for the entire server by selecting Trust this computer for delegation to any service, or use constrained delegation (recommended) by selecting Trust this computer for delegation to the specified services only. If you use constrained delegation, search for the servername and select the entry added in the previous step.
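The SPN registrations and the constrained-delegation settings from both procedures above can be scripted, which matters when there are several client-facing names (NetBIOS, FQDN, CNAME, NLB address) and several portal servers. The following is an added example, not code from the FIM guide. It uses setspn -L to see what is already registered, setspn -S (which refuses to add a duplicate) instead of the unconditional -A shown above, and writes msDS-AllowedToDelegateTo on the computer objects, which is what Trust this computer for delegation to the specified services only sets. Account names, host names and distinguished names are assumptions.

```powershell
# Added example, not from the FIM guide: register the SPNs from the steps above
# with a duplicate check, then set constrained delegation. setspn.exe ships with
# Windows Server 2008: -L lists SPNs on an account, -Q finds an SPN anywhere in
# the forest, -S adds only when no duplicate exists. Names and DNs are assumptions.
$fimServiceAccount = 'CONTOSO\svc-fimservice'
$fimServiceNames   = 'fimservice', 'fimservice.contoso.com'   # every name clients use: NetBIOS, FQDN, CNAME, NLB name
$fimServiceHostDn  = 'CN=FIMSVC01,OU=Servers,DC=contoso,DC=com'
$fimPortalServers  = @{ 'FIMPORTAL01' = @('fimportal', 'fimportal.contoso.com') }  # computer name -> client-facing names
$fimPortalHostDns  = @{ 'FIMPORTAL01' = 'CN=FIMPORTAL01,OU=Servers,DC=contoso,DC=com' }

function Register-Spn([string]$spn, [string]$account) {
    $onAccount = @(setspn.exe -L $account | ForEach-Object { $_.Trim() })
    if ($onAccount -contains $spn) { return "$spn already on $account" }
    $out = @(setspn.exe -S $spn $account 2>&1)
    if (($out -join ' ') -match 'Duplicate SPN found') {
        # Two owners of one SPN means the KDC may issue a ticket for the wrong account,
        # and every client then fails (or silently falls back to NTLM).
        $owner = @(setspn.exe -Q $spn | Where-Object { $_ -match '^CN=' }) -join '; '
        throw "$spn is registered to '$owner'; resolve the duplicate before continuing"
    }
    "registered $spn on $account"
}

function Set-ConstrainedDelegation([string]$computerDn, [string[]]$targetSpns) {
    # 'Trust this computer for delegation to the specified services only' (Kerberos only)
    # stores the allowed targets in msDS-AllowedToDelegateTo on the computer object.
    $obj = [ADSI]"LDAP://$computerDn"
    $obj.PutEx(2, 'msDS-AllowedToDelegateTo', $targetSpns)   # 2 = ADS_PROPERTY_UPDATE: replace the list
    $obj.SetInfo()
    @(([ADSI]"LDAP://$computerDn").'msDS-AllowedToDelegateTo')
}

# FIM Service server: FIMService/ and HTTP/ SPNs on the service account, for every name,
# then delegation from the FIM Service computer to exactly those entries.
$serviceSpns = @()
foreach ($name in $fimServiceNames) {
    foreach ($svc in 'FIMService', 'HTTP') {
        Register-Spn "$svc/$name" $fimServiceAccount
        $serviceSpns += "$svc/$name"
    }
}
Set-ConstrainedDelegation $fimServiceHostDn $serviceSpns

# FIM Portal server(s): HTTP/ SPN for each client-facing name on the computer account,
# then delegation limited to the entries just added.
foreach ($server in $fimPortalServers.Keys) {
    $portalSpns = @()
    foreach ($name in $fimPortalServers[$server]) {
        Register-Spn "HTTP/$name" $server
        $portalSpns += "HTTP/$name"
    }
    Set-ConstrainedDelegation $fimPortalHostDns[$server] $portalSpns
}
```

If the FIM Service and the FIM Portal share a host name on one server, the HTTP/name SPN can belong to only one of the two accounts; the duplicate check in Register-Spn stops at that point rather than silently overwriting, so decide which account owns it before running the script. setspn -X (Windows Server 2008 and later) lists every duplicate SPN in the forest and is a useful final check.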
Installing the FIM 2010 Server Components
You must use an account with local administrator privileges to install the FIM 2010 server components. To be able to install the FIM Portal the account must be a SharePoint administrator. To be able to install FIM Synchronization Service or FIM Service the account must be a SQL sysadmin. You do not have to be a sysadmin after installation has completed.
This section covers the following components:
- FIM Synchronization Service
- FIM Service
- FIM Portal
- FIM Password Portal
Note: During installation, setup tries to contact the other components to validate that the service is running. For this to work, remote administration must be enabled in the firewall of the other server: start Windows Firewall in Control Panel, select Allow a program through Windows Firewall, and select Remote Administration. You must also be an administrator of the other server. If either requirement is not fulfilled, you will see several warning messages that the service could not be contacted. You can still install FIM 2010 without remote administration enabled; ignoring those warnings has no functional impact if you know all settings are correct.
FIM Synchronization Service
The FIM Synchronization Service consists of the metadirectory, provisioning engine, and management agents for various connected data sources. It supports synchronizing data between the FIM Synchronization database and other identity stores in the enterprise.
During the installation of the Synchronization Service, the firewall on the machine hosting this service is configured to allow Dynamic RPC and RPC endpoint mapper access to the FIM Synchronization Service.
The FIM Synchronization Service creates five security groups. The first three groups correspond to the FIM Synchronization Service user roles: Administrator, Operator, and Joiner. The other two groups are used for granting access to the Windows Management Instrumentation (WMI) interfaces: Connector Browse and Password Set.
By default the FIM Synchronization Service creates the five security groups as local computer groups, instead of domain global groups. If you plan to use domain global groups, you must create the groups before you install the FIM Synchronization Service.
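When domain global groups are preferred over the default local groups (for example so that the same operators can be granted access to a cold-standby synchronization server), the five groups must exist before setup runs. The following is an added example, not code from the FIM guide, that creates them with ADSI and then checks the restriction from the Before You Begin section that the FIM Synchronization Service service account is not a member of any of them. The OU, the group names and the service account's CN are assumptions; the names only need to match what you type on the Group Information page.

```powershell
# Added example, not from the FIM guide: create the five FIM Synchronization Service
# groups as domain global security groups before setup. OU and names are assumptions;
# the names must match what you enter on the Group Information page.
$ouPath        = 'LDAP://OU=FIM,DC=contoso,DC=com'
$domainNetbios = 'CONTOSO'
$fimSyncCn     = 'svc-fimsync'          # CN of the FIM Synchronization Service service account
$groups = @{
    'FIMSyncAdmins'      = 'FIM Synchronization Service administrators'
    'FIMSyncOperators'   = 'FIM Synchronization Service operators'
    'FIMSyncJoiners'     = 'FIM Synchronization Service joiners'
    'FIMSyncBrowse'      = 'WMI connector browse access'
    'FIMSyncPasswordSet' = 'WMI password set access'
}

function New-FimGroup([string]$name, [string]$description) {
    $ou = [ADSI]$ouPath
    $g  = $ou.Create('group', "CN=$name")
    $g.Put('sAMAccountName', $name)
    $g.Put('description', $description)
    $g.Put('groupType', -2147483646)    # 0x80000002 as Int32: global + security-enabled
    $g.SetInfo()
    "$domainNetbios\$name"              # the domain\group form the Group Information page expects
}

foreach ($name in $groups.Keys) { New-FimGroup $name $groups[$name] }

# Check: the FIM Synchronization Service service account must not be in any FIMSync group.
$ouDn = $ouPath -replace '^LDAP://', ''
foreach ($name in $groups.Keys) {
    $members = @(([ADSI]"LDAP://CN=$name,$ouDn").member)
    if ($members -match "^CN=$fimSyncCn,") {
        Write-Warning "$name contains $fimSyncCn; remove the service account from it"
    }
}
```

Direct membership is all this checks; if the service account reaches a FIMSync group through a nested group, the same rule applies and the nesting should be removed.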
To install the FIM Synchronization Service
1. From the FIM 2010 splash screen, click the Install Synchronization Service link.
2. Run setup.exe and follow the instructions in the installation wizard.
Important: Setup.exe must be run with elevated privileges. If UAC is enabled, installing the FIM Synchronization Service without elevation causes the installation to fail.
Important: The user account used to install the FIM Synchronization Service must be granted the sysadmin role in SQL Server 2008. By default, members of the local Administrators group do not have the necessary permissions. Unless the user account is the built-in Administrator account or the account used to install SQL Server 2008, it must be granted the sysadmin role explicitly.
3. On the Group Information page, when you are prompted for the five security groups, use the default local groups or type the details for the global groups that you created. If you use global groups, prefix the group name with domain\.
FIM Service
Installing the FIM Service installs the Web services parts of FIM 2010 and also configures the FIM Service database on the server that hosts SQL Server 2008.
During the installation of the FIM Service, ports 5725 and 5726 are opened and exceptions for these ports are added to the Windows Server 2008 firewall settings. Opening these ports enables communication to the FIM Service from the FIM Portal, FIM Password Reset Portal, FIM Synchronization Service and FIM Password Reset Extensions components installed on other computers in your organization.
To install the FIM Service
1. From the FIM 2010 splash screen, click the Install Service and Portal link.
2. Run Setup.exe, and then follow the instructions in the installation wizard.
Important: The SQL Server Agent must be running on the SQL Server before you run the installation of the FIM Service.
Important: The user account used to install the FIM Service must be granted the sysadmin role in SQL Server 2008. By default, members of the local Administrators group do not have the necessary permissions. Unless the user account is the built-in Administrator account or the account used to install SQL Server 2008, it must be granted the sysadmin role explicitly.
3. On the Custom Setup page you are prompted for the features that you want to install. From the drop-down menu next to FIM Service, click Will be installed on local hard drive. If you do not want to install all of the components on one server, deselect FIM Portal and FIM Password Portal by clicking the drop-down menus next to them and clicking Entire feature will be unavailable.
4. Click Next.
5. On the Configure Common Services page, in the Database Server field, enter the name of the server that hosts SQL Server 2008.
6. Click Next.
7. On the Configure Common Services - Configure mail server connection page, in Mail Server, type the name of the server hosting the Exchange Web services.
Important: If you have several FIM Service servers using the same database, leave the Enable polling of Exchange Server 2007 checkbox enabled on only one of them. That server is responsible for fetching e-mail messages from the Exchange Web service interface and turning them into requests.
8. Click Next.
9. On the Configure Common Services - Configure service certificate page, either generate a new self-issued Microsoft Forefront Identity Manager certificate, which the Web service uses to validate communication from the clients, or select a certificate from the certificate store, then click Next.
Note: The certificate is validated only by the server, so you do not have to trust it on the clients. For this reason you can safely use a self-issued certificate and do not need one issued by your enterprise CA.
Note: If your organization has an in-house Certification Authority (CA), a key pair and certificate can be issued from it for the service to use.
10. On the Configure Common Services - Configure the FIM service account page, provide the credentials for the FIM Service domain service account.
In Service e-mail Account, make sure that you type the e-mail address of the FIM Service account, not your personal e-mail address.
11. Click Next.
12. On the Configure Common Services - Configure the Forefront Identity Manager synchronization connection page, in the Synchronization Server field, enter the name of the server hosting the FIM Synchronization Service component.
In the FIM 2010 Management Agent Account field, enter the domain\account of the FIM management agent account. This is the account you created in the Create a domain FIM management agent account section of this document.
13. Click Next.
14. On the Configure FIM Service and Portal - Configure connection to the FIM Service page, enter the address the clients should use to contact the FIM Service. If you plan to use an alternative name (for example a CNAME in DNS), enter the alternative name. If you plan to have several FIM Service servers in an NLB cluster, enter the cluster address.
Note: The name should match the SPNs (Service Principal Names) you created in the pre-installation tasks.
Important: This name must be stable, and clients must be able to resolve it to the IP addresses of the server where the FIM Service is installed. This address is also used by password reset clients to reach the server.
15. Click Next.
16. On the Configure FIM Service and Portal - Configure security changes configured by setup page, check Open ports 5725 and 5726 in firewall to allow clients to contact the Web service interface.
17. Click Next, then click Install.
FIM Portal
The FIM Portal allows users who have authorized access to manage the activities that are requested and sent to the FIM Service.
Note: To install the FIM Portal, it is assumed that Windows SharePoint Services is installed with default settings, that the default SharePoint site can be reached at the address specified in the UI, and that the user installing the FIM Portal is an administrator of that SharePoint site. On a standalone WSS server the default address is http://localhost; if you enabled SSL earlier, the address is https://localhost.
Note: If you install the FIM Portal on a Windows SharePoint Services server farm, the address http://localhost is not available by default. To add localhost to the list of known addresses, start SharePoint 3.0 Central Administration and navigate to Operations, Alternate Access Mappings, Edit Public Zone URLs. Add http://localhost to the Intranet zone, leaving the Default zone with the SharePoint server farm address.
Important: For security purposes, you must implement Secure Sockets Layer (SSL) on the server running Internet Information Services (IIS). You can enable SSL before or after installation of the FIM Portal.
Note: If you add SSL after installation of the FIM Portal, make sure to run a change install of the FIM Service and Portal and change the address of the portal. If you do not provide the correct address to the installer, future updates to the product will not install successfully.
To install the FIM Portal
-
From the FIM 2010 splash screen click the Install Service and Portal link.
-
Run Setup.exe, and then follow the instructions in the installation wizard.
-
On the Custom Setup page you are prompted for the applications that you want to install. From the drop-down menu located next to FIM Portal, click, Will be installed on local hard drive. If you do not want to install all of the components on one server, deselect FIM Service and FIM Password Reset Portal by clicking the drop down menus located next to them and clicking Entire feature will be unavailable.
-
Click Next.
-
On the FIM Service server address page, enter the name of the server hosting the FIM Service. This should be the same address as used during the FIM Service installation.
-
Click Next.
-
In Enter the URL to the SharePoint.., enter the address to the SharePoint site where the FIM Portal should be installed. This is the full address, including port number if needed, to access the site collection. This address is http://localhost or https://localhost if you followed earlier steps.
-
Click Next.
-
On the Configure FIM Service and Portal – Configure security changes configured by setup page, check Grant authenticated users access to the FIM Portal site to grant read permissions on the portal site.
-
Click Next, then click Install.
Test the portal by opening Internet Explorer and navigating to http://servername/identitymanagement.
When you browse the FIM Portal from a Windows Server 2008 computer, the controls and buttons will not work unless the Internet Explorer security settings are adjusted to allow JavaScript for the site; Internet Explorer Enhanced Security Configuration, which is on by default on the server, blocks it.
FIM Password Reset Portal
The FIM Password Reset Portal lets users perform self-service password reset by using a web portal.
To install the FIM Password Reset Portal
-
From the FIM 2010 splash screen click the Install Service and Portal link.
-
Run setup.exe, and then follow the instructions in the installation wizard.
-
On the Custom Setup page you are prompted for the applications that you want to install. From the drop-down menu located next to FIM Password Reset Portal, click Will be installed on local hard drive. If you do not want to install all of the components on one server, deselect FIM Service and FIM Portal by clicking the drop down menus located next to them and clicking Entire feature will be unavailable.
-
Click Next.
-
On the FIM Service server address page, enter the name of the server hosting the FIM Service. This should be the same address as used during the FIM Service installation.
-
Click Next.
-
In Enter the URL to the SharePoint.., enter the address to the SharePoint site where the FIM Portal should be installed. This is the full address, including port number if needed, to access the site collection. This address is http://localhost or https://localhost if you followed earlier steps.
-
Click Next.
-
On the Configure FIM Service and Portal – Configure security changes configured by setup, check Grant authenticated users access to the FIM Portal site to grant read permissions on the portal site.
-
Click Next, then click Install.
Installing the FIM Add-ins and Extensions
The FIM Add-ins and Extensions components consist of the FIM Add-in for Outlook and FIM Password Reset Extensions.
FIM Add-in for Outlook lets users join or leave e-mail-enabled groups. It also lets owners and approvers approve or reject a request of any type, whether the request was made from the FIM Portal or from the Outlook 2007 add-in.
Password Reset lets users reset their passwords through an authentication gate from the native Windows log-on screen. If users cannot remember their passwords, Password Reset takes them through the process of obtaining a new password.
To install the FIM Add-ins and Extensions
-
Exit Office Outlook 2007, if it is running.
-
Depending on the client computer’s architecture, from the FIM 2010 splash screen, click either the Install Add-ins and Extensions, 64 bit or Install Add-ins and Extensions, 32 bit link.
-
Run setup.exe and then follow the instructions in the installation wizard.
-
On the Custom Setup page you are prompted for the applications that you want to install. The component FIM Password and Authentication Extensions installs the GINA/Credential Provider and an ActiveX control for Internet Explorer. On a 64-bit installation an additional component is available, FIM Portal Authentication Extensions, which installs a 32-bit ActiveX control for Internet Explorer.
-
On the Configure FIM Add-ins and Extensions page, in FIM Portal Server address, type the name of the server that hosts the FIM Portal. Select if you plan to contact the Portal using http or https (recommended).
-
In FIM Service service account e-mail address, type the e-mail address in SMTP format, e.g. someone@example.com, of the FIM Service service account. Do not type the alias or display name of the account.
-
On the Configure FIM Add-ins and Extensions page, in FIM Service Server address, type the name of the server that hosts the FIM Service. If the Service and Portal components are installed on the same server, this will be the same value as on previous page.
-
On the Configure FIM Add-ins and Extensions page, in the Sitelock field, type all addresses users can use to access the portal, separated by semicolons. For example, if users can reach the server as both myfimserver and myfimserver.microsoft.com, enter myfimserver;myfimserver.microsoft.com. If the FIM Portal and the FIM Password Reset Portal are on two different servers, enter both addresses.
Note: This setting allows the ActiveX control used by Password Reset to initialize without adding the FIM Portal site to the list of trusted sites in Internet Explorer. The control can only be activated on the sites in this list, so keep it to the names you actually publish.
Note: It is assumed that the site is in the Intranet zone. Only in the Intranet zone is log-on automatic with the default Internet Explorer settings.
If you are installing the FIM Add-ins and Extensions on a computer with Internet Explorer 7, you are also given the option to add the sites specified in the previous field to the trusted sites list.
Important: Internet Explorer 7 has Protected Mode on by default. An ActiveX control cannot contact any external resource unless the site is added to trusted sites. If you choose not to add the FIM Portal site to trusted sites at this time, you can add it later by another method, such as a Group Policy site-to-zone assignment.
Note: If you choose to add the sites to trusted sites at this point of the setup, they are added to the Local Machine list of trusted sites so that all users of the computer can use them. Those sites will not be visible when looking at Trusted sites in Internet Explorer. They are also added to the pop-up blocker exception list.
-
Click Install.
FIM Language Packs
FIM Service and Portal Language Pack
The FIM Service and Portal Language Pack will install additional languages for the Portal. The localized components are both additional SharePoint server solution packs and database upgrades. For this reason, the installation must be completed on every server.
Important: The installation of a language into the database cannot be undone. Make sure you have a database backup before you install the Language Pack.
With the release of FIM 2010, nine additional languages are offered.
-
Chinese (Simplified)
-
Chinese (Traditional)
-
Dutch (Netherlands)
-
French (France)
-
German (Germany)
-
Italian (Italy)
-
Japanese (Japan)
-
Portuguese (Portugal)
-
Spanish (Spain)
To install the FIM Service and Portal Language Pack
-
From the FIM 2010 splash screen click the Download Server and Client Language Packs link.
-
Extract the download to a local directory.
-
Run Setup.exe, and then follow the instructions in the installation wizard.
-
On the Custom Setup page you are prompted for the languages you want to install. If you have separated the FIM Service from the FIM Portal, select only the features installed on this server.
-
Click Install.
Note: The installation of the Language Pack takes considerable time. The progress bar goes to 95% almost immediately and makes no further progress while the database is configured, which can take 10 minutes or more per installed language.
View the FIM Portal in your selected language
To verify that the language pack has installed successfully and that you can now view the FIM Portal in your selected language, follow the steps below.
To view the FIM Portal in your selected language
-
Log on to the FIM Portal Server or navigate to the server from another computer using Internet Explorer.
-
Open Internet Explorer, click Tools, and then click Internet Options.
-
On the General tab, click Languages at the bottom.
-
Click the Add button and select your desired language from the list.
-
Click OK.
-
On the Language Preferences page, select your desired language under Language: and click Move up.
Do this until your language is at the top.
Note: For Simplified Chinese, set the language to zh-CN, and for Traditional Chinese, set it to zh-TW. Otherwise the portal will not recognize it as a supported language and will fall back to English.
-
Click OK.
-
Click OK.
-
Close Internet Explorer.
-
Open Internet Explorer and browse to the FIM 2010 home page. Everything should now be in your selected language.
Installing the FIM Add-ins and Extensions Language Pack
The following steps will show how to install the Add-ins and Extensions language pack so that users can take advantage of localized versions of the FIM Outlook Add-in and the Password Reset Extensions. The following assumes that you have already setup and deployed the FIM 2010 Add-ins and Extensions software.
With the release of FIM 2010, 33 additional languages are offered for the FIM client.
-
Bulgarian (Bulgaria)
-
Chinese (Simplified)
-
Chinese (Traditional)
-
Croatian (Croatia)
-
Czech (Czech Republic)
-
Danish (Denmark)
-
Dutch (Netherlands)
-
Estonian (Estonia)
-
Finnish (Finland)
-
French (France)
-
German (Germany)
-
Greek (Greece)
-
Hindi (India)
-
Hungarian (Hungary)
-
Italian (Italy)
-
Japanese (Japan)
-
Korean (Korea)
-
Latvian (Latvia)
-
Lithuanian (Lithuania)
-
Norwegian (Bokmål)
-
Polish (Poland)
-
Portuguese (Brazil)
-
Portuguese (Portugal)
-
Romanian (Romania)
-
Russian (Russia)
-
Serbian (Latin)
-
Slovak (Slovakia)
-
Slovenian (Slovenia)
-
Spanish (Spain)
-
Swedish (Sweden)
-
Thai (Thailand)
-
Turkish (Turkey)
-
Ukrainian (Ukraine)
To install the FIM Add-ins and Extensions Language Pack
-
Log on to a client with administrator permissions.
-
Run Setup.exe, and then follow the instructions in the installation wizard.
-
On the Microsoft Forefront Identity Manager Client Language Pack Setup screen, click Next.
-
On the End-User License Agreement screen, select I accept the terms in the License Agreement and click Next.
-
On the Custom Setup screen, select the languages you wish to install and click Next.
-
Click Install.
-
When the install has completed, click Finish.
View the FIM Add-in for Outlook and Password Reset Extensions in your selected language
The following steps will demonstrate how to verify that the FIM Add-in for Outlook is using localization.
To view the FIM Add-in for Outlook and Password Reset Extensions in your selected language on Windows XP
-
Log on to a client computer with administrator permissions.
-
Go to Start and click Control Panel.
-
From Control Panel select Regional and Language Options.
-
On the Options tab, under Select an item to match its preferences, or click Customize to choose your own formats: select your desired language from the drop-down.
-
On the Languages tab, under Language to be used in menus and dialogs: select your desired language. Note: If you do not see any display languages you must install the MUI packs. For more information on this, see Install a display language in the Windows XP help.
-
Click the Advanced tab, under Select a language to match the language version of the non-Unicode programs you want to use: select your desired language from the drop-down list.
-
Click Apply.
-
A pop-up window may say that the required files are already installed on your hard disk. Click Yes to use those files and skip copying them from the CD; otherwise you may need the original Windows XP installation media to copy the required files.
-
Click Yes to reboot the Windows XP client.
-
When the client restarts log on to the machine.
-
Open Outlook and use the functionality of the FIM Add-in for Outlook.
-
To view in another language, repeat the steps above with a different language selected.
To view the FIM Add-in for Outlook and Password Reset Extensions in your desired language on Windows Vista or Windows 7
-
Log on to a client computer with administrator permissions.
-
Go to Start and click Control Panel.
-
From Control Panel, select Regional and Language Options (Region and Language on Windows 7).
-
On the Formats tab, next to Current Format: select your desired language from the drop-down.
-
On the Keyboard and Languages tab, under Display language, select your desired language.
Note: If you do not see any display languages, you must install the MUI packs. For more information, see Install a display language in the Windows Vista help.
-
Click OK.
-
Click Apply.
-
Click OK.
-
Open Outlook and use the functionality of the FIM Add-in for Outlook.
-
To view in another language, repeat the steps above with a different language selected.
Post-Installation Tasks and Configurations
After you install the FIM 2010 server components, you must complete several configuration tasks.
Tasks in the domain:
-
Add the FIM Service service account to the FIM Synchronization Service security groups
-
Configure FIM Service service Exchange mailbox
Tasks on FIM Portal:
-
Disable SharePoint indexing
Tasks on FIM Service:
-
Exchange Server 2007 Web Service Certificate Installation
-
Enable WCF performance counters
Tasks on SQL server hosting FIM Service:
-
SQL Server Database configuration
Tasks on all servers (optional):
-
Install the Management Pack for Forefront Identity Manager
Note: The FIM Portal is installed at http://<FIM Portal server name>/identitymanagement. To access the FIM Portal site, open a Web browser and type this address.
Add the FIM Service service account to the FIM Synchronization Service security groups
-
Add the service account used by the FIM Service to the FIMSyncAdmins group. This will allow the FIM Service to configure the FIM Synchronization service.
-
If you plan to use the Password reset feature of FIM 2010, add the service account used by FIM Service to the security group FIMSyncPasswordSet.
-
Restart the FIMService service for group membership to be effective.
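The three steps above can be scripted. The following is an added example, not part of the FIM 2010 documentation; it uses the WinNT ADSI provider so that it works whether the FIMSync groups were created in the domain or locally on the Synchronization Service server. The account name and group container are assumptions. FIMSyncPasswordSet is only added when asked for, because that membership lets the account set passwords through the Synchronization Service and is not needed unless password reset is in use.

```powershell
# Added example, not part of the FIM 2010 documentation. Adds the FIM Service
# service account to FIMSyncAdmins (and optionally FIMSyncPasswordSet) and
# restarts the FIM Service so it logs on with the new group memberships.
# Account and container names are assumptions; replace them with yours.
param(
    [string]$ServiceAccount = 'CONTOSO\fimservice',  # assumption: FIM Service service account
    [string]$GroupContainer = 'CONTOSO',             # domain name, or the Sync Service server name for local groups
    [switch]$EnablePasswordReset                      # add to FIMSyncPasswordSet only if password reset will be used
)

$groups = @('FIMSyncAdmins')
if ($EnablePasswordReset) { $groups += 'FIMSyncPasswordSet' }

$domain, $user = $ServiceAccount -split '\\', 2
$memberPath = "WinNT://$domain/$user,user"

foreach ($groupName in $groups) {
    $group = [ADSI]"WinNT://$GroupContainer/$groupName,group"
    # Enumerate current members so the script is safe to run twice.
    $members = @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($members -contains $user) {
        Write-Host "$user is already a member of $groupName"
        continue
    }
    $group.Add($memberPath)
    Write-Host "Added $user to $groupName"
}

# Group membership is placed in the token at logon, so the service must be
# restarted before the FIM Service can use the Synchronization Service.
Restart-Service -Name FIMService -Force
Get-Service -Name FIMService
```

If the groups were created as domain groups, run this on a domain-joined computer with an account that can modify group membership; if they are local groups on the Synchronization Service server, run it there with local administrator rights.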
Configuring the FIM Service service Exchange mailbox
The following are best practices for configuring Exchange for the FIM Service service account.
-
Configure the service account so that it can accept mail only from internal e-mail addresses. Specifically the service account mailbox should never be able to receive mail from external SMTP servers.
In the Exchange Management Console, select the FIM Service service account, select Properties, Mail Flow Settings, and Mail Delivery Restrictions. Check the checkbox Require that all senders are authenticated. For further information, see
http://technet.microsoft.com/en-us/library/bb397214.aspx
-
Configure the service account so that it rejects mail with sizes greater than 1 MB.
Follow the best practice of configuring Exchange 2007 message size limits:
http://technet.microsoft.com/en-us/library/bb124708.aspx.
-
Configure the service account so that it has a mailbox storage quota of 5 GB.
Follow the best practice of configuring Exchange 2007 mailbox size limits:
http://technet.microsoft.com/en-us/library/aa998353.aspx.
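The same three settings can be applied in one command from the Exchange Management Shell. This is an added example, not taken from the FIM 2010 documentation or from the linked TechNet pages; the mailbox identity is a placeholder.

```powershell
# Added example, not part of the FIM 2010 documentation. Applies the three
# mailbox restrictions listed above from the Exchange Management Shell.
$fimMailbox = 'fimservice@contoso.com'   # assumption: mailbox of the FIM Service service account

# 1. Only authenticated senders: approval replies come from internal users, so
#    mail from anonymous (external SMTP) sources is rejected at the mailbox.
# 2. Reject anything over 1 MB; approval replies are small.
# 3. Fixed 5 GB quota instead of inheriting the database defaults.
Set-Mailbox -Identity $fimMailbox `
    -RequireSenderAuthenticationEnabled $true `
    -MaxReceiveSize '1MB' `
    -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota '4.5GB' `
    -ProhibitSendQuota '5GB' `
    -ProhibitSendReceiveQuota '5GB'

# Read the values back to confirm they applied.
Get-Mailbox -Identity $fimMailbox |
    Format-List RequireSenderAuthenticationEnabled, MaxReceiveSize,
                UseDatabaseQuotaDefaults, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
```

The sender-authentication restriction is the security-relevant one: the FIM Service acts on approval replies that arrive in this mailbox, so the mailbox must not accept mail that an external party could forge.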
Disable SharePoint Indexing
It is recommended that you disable SharePoint indexing. There are no documents that need to be indexed, and indexing will result in many error log entries and potential performance problems with FIM 2010.
To disable SharePoint indexing
-
On the server that hosts the FIM 2010 Portal, click Start.
-
Click All Programs.
-
From the All Programs list click Administrative Tools.
-
Under Administrative Tools, click SharePoint 3.0 Central Administration.
-
On the Central Administration page, click Operations.
-
On the Operations page, under Global Configuration, click Timer job definitions.
-
On the Timer Job Definitions page, click SharePoint Services Search Refresh.
-
On the Edit Timer Job page, click Disable.
Exchange Server 2007 Web Service (EWS) Certificate Installation
If your Exchange server uses a certificate that the FIM Service does not trust, the certificate used by the Exchange server must be added to the local certificate store.
To verify whether the certificate is untrusted, open Internet Explorer and navigate to https://mailserver/ews/Services.wsdl, where mailserver is the Microsoft Exchange server that you specified when you installed the FIM 2010 component. If you receive a certificate error, you must complete the steps in this section.
If you have several FIM Service servers, this task must be completed on every server.
Note: You must run the installation of the Microsoft Exchange certificate with elevated rights. If UAC is enabled, installing the certificate without elevated rights will cause the installation to fail.
To install the Microsoft Exchange certificate on the FIM Service server
-
Open Internet Explorer.
-
In the address bar, type https://mailserver/EWS/Services.wsdl.
Mailserver is the Microsoft Exchange server that you specified when you installed the FIM 2010 component.
Select Continue to this Web site.
-
In the Security Alert dialog box (where it reads Certificate Error), click View Certificate.
-
In the Certificate dialog box, click Install Certificate.
-
On the Welcome to the Certificate Import Wizard page, click Next.
-
On the Certificate Store page, select Place all certificates in the following store and click Browse.
-
Select the checkbox Show physical stores, navigate to Trusted People\Local Computer, and select this store. Click OK.
-
Select Next.
-
Select Finish to import the certificate.
Verify the certificate and verify that EWS can be reached
In this procedure, you will ensure that the Exchange 2007 Web Service (EWS) is running and can be accessed as the FIM Service service account.
To ensure that the Exchange 2007 Web Service (EWS) is running and is accessible as the FIM Service service account
-
Open Internet Explorer as the FIM Service service account.
-
In the address bar, type https://<mail server>/EWS/Exchange.asmx. If the page loads without a certificate error, EWS is reachable using the FIM Service service account.
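The Internet Explorer procedure above imports whatever certificate the server presents, which is exactly the kind of trust decision that should not be made by clicking through a warning. The following script is an added example, not part of the FIM 2010 documentation: it retrieves the EWS certificate, explains why the machine does not trust it, and imports it into the same Trusted People store only when its thumbprint matches one obtained from the Exchange administrator out of band. The mail server name and the thumbprint are placeholders; run it elevated on every FIM Service server.

```powershell
# Added example, not part of the FIM 2010 documentation. Fetches the
# certificate presented by the Exchange EWS endpoint, reports why this machine
# does not trust it, and imports it into LocalMachine\TrustedPeople (the store
# the manual procedure uses) only after the thumbprint has been verified.
param(
    [string]$MailServer = 'mailserver.contoso.com',  # assumption: the mail server given to FIM setup
    [string]$ExpectedThumbprint = ''                 # paste the verified thumbprint here before importing
)

# Grab the server certificate over a raw TLS handshake; the callback accepts
# anything because the validation is done explicitly below.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($MailServer, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($MailServer)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid until: $($cert.NotAfter)"

# Validate the chain in the machine context, the way the FIM Service will see it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if ($chain.Build($cert)) {
    Write-Host "This computer already trusts the EWS certificate; no import is needed."
    return
}
foreach ($status in $chain.ChainStatus) {
    Write-Warning ("Chain problem: {0} ({1})" -f $status.Status, $status.StatusInformation.Trim())
}

# Never trust a certificate just because a server handed it over: compare the
# thumbprint with the value the Exchange administrator gave you.
$want = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($want -eq '' -or $cert.Thumbprint -ne $want) {
    throw "Not importing: thumbprint $($cert.Thumbprint) has not been verified out of band."
}
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host "Imported $($cert.Thumbprint) into LocalMachine\TrustedPeople."
```

Trusted People trusts exactly that one leaf certificate, so the import has to be repeated whenever Exchange renews its certificate. If the certificate was issued by an internal CA, trusting the CA certificate (Trusted Root or Intermediate Certification Authorities) is the more durable fix; if the chain status reports only a revocation problem, the FIM Service server cannot reach the CRL, which is a network issue rather than a trust one.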
Enable WCF Performance Counters
FIM 2010 uses Windows Communication Foundation (WCF) performance counters to monitor service usage. Monitoring service usage with WCF performance counters is an optional step to enable when diagnosing performance problems. It is not necessary to leave performance counters enabled for normal operations. To enable and configure WCF performance counters, see this MSDN article http://go.microsoft.com/fwlink/?LinkId=164848.
Recommended configuration
Enabling ServiceOnly WCF performance counters is recommended. However, to see Endpoint and Operation instances it is necessary to enable all WCF performance counters.
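The MSDN article describes the setting as a diagnostics element in the service's configuration file. The following is an added example, not part of the FIM 2010 documentation, that applies the recommended ServiceOnly level to the FIM Service configuration; the path is the default install location and is an assumption.

```powershell
# Added example, not part of the FIM 2010 documentation. Turns on the WCF
# performance counters for the FIM Service by adding
# <diagnostics performanceCounters="ServiceOnly"/> under <system.serviceModel>
# in the service configuration file, then restarts the service.
$configPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'   # assumption: default install path
$level = 'ServiceOnly'   # 'All' also gives Endpoint and Operation instances; 'Off' turns the counters back off

Copy-Item -Path $configPath -Destination "$configPath.bak" -Force   # keep a copy to roll back
[xml]$config = Get-Content -Path $configPath

$serviceModel = $config.configuration.SelectSingleNode('system.serviceModel')
if ($serviceModel -eq $null) {
    $serviceModel = $config.configuration.AppendChild($config.CreateElement('system.serviceModel'))
}
$diagnostics = $serviceModel.SelectSingleNode('diagnostics')
if ($diagnostics -eq $null) {
    $diagnostics = $serviceModel.AppendChild($config.CreateElement('diagnostics'))
}
$diagnostics.SetAttribute('performanceCounters', $level)
$config.Save($configPath)

# The setting is read at service start.
Restart-Service -Name FIMService -Force
Write-Host "performanceCounters=$level set in $configPath; the counters appear under the ServiceModelService category."
```

Set the level back to Off and restart the service once the diagnosis is done, as the text above says the counters are not needed for normal operations.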
SQL Server Database configuration
Assign dbo role to administrators
The FIM Service installation does not grant administrators access to the FIM Service database. To be able to install future upgrades, run change/repair installations, and perform database maintenance, grant the administrators of the FIM Service the db_owner role in the FIMService database.
-
Start SQL Server Management Studio.
-
Navigate to Security/Logins. Create a login for every administrator. On the User Mapping page for the login, assign the db_owner role in the FIMService database to the administrator.
Assign enough space for the database
The FIM Service database will not autogrow, even though SQL Server enables autogrowth by default. Expand the data and log files so that they can hold all the data needed.
-
Start SQL Server Management Studio.
-
Navigate to the FIMService database, right-click it and select Properties. On the Files page, expand the database files to the required size.
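Both steps above can be done from a script so they are repeatable across environments. The following is an added example, not part of the FIM 2010 documentation. It differs from the manual procedure in one respect: the db_owner grant goes to a Windows group of FIM administrators rather than to one login per person, so that membership can be managed in Active Directory. The instance and group names are assumptions.

```powershell
# Added example, not part of the FIM 2010 documentation. Grants db_owner on the
# FIMService database to a Windows group and reports the data/log file sizes and
# growth settings, using System.Data.SqlClient with integrated security.
$sqlInstance = 'SQLFIM01'                    # assumption: instance hosting the FIMService database
$adminGroup  = 'CONTOSO\FIM-Service-Admins'  # assumption: grant to a group, not to individual logins

function Invoke-FimSql {
    param([string]$Database, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlInstance;Database=$Database;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table
    } finally {
        $conn.Close()
    }
}

# Server-level login (idempotent), then a database user mapped to db_owner in
# FIMService only. db_owner is enough for upgrades and maintenance; sysadmin is not needed.
Invoke-FimSql -Database 'master' -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$adminGroup')
    CREATE LOGIN [$adminGroup] FROM WINDOWS;
"@ | Out-Null

Invoke-FimSql -Database 'FIMService' -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$adminGroup')
    CREATE USER [$adminGroup] FOR LOGIN [$adminGroup];
EXEC sp_addrolemember N'db_owner', N'$adminGroup';
"@ | Out-Null

# Current file sizes and growth settings, so the files can be sized up front.
# size, max_size and growth are in 8 KB pages unless growth is a percentage.
Invoke-FimSql -Database 'FIMService' -Query @"
SELECT name, type_desc, physical_name,
       size * 8 / 1024 AS size_mb,
       CASE WHEN max_size = -1 THEN 'unlimited'
            ELSE CAST(max_size * 8 / 1024 AS varchar(20)) END AS max_size_mb,
       CASE WHEN is_percent_growth = 1 THEN CAST(growth AS varchar(10)) + '%'
            ELSE CAST(growth * 8 / 1024 AS varchar(20)) + ' MB' END AS growth
FROM sys.database_files;
"@ | Format-Table -AutoSize
```

Run it as a login that is a member of the sysadmin role on the instance (the account that installed the FIM Service, for instance). The group name is interpolated into the T-SQL, so take it from your own configuration, not from user input.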
Create additional tempdb files
For optimal performance, it is recommended to create one data file per CPU core in tempdb.
-
Start SQL Server Management Studio.
-
Navigate to tempdb under System Databases, right-click it and select Properties. On the Files page, create one data file per CPU core. Make sure to place the tempdb data and log files on different drives and spindles.
Limit SQL server memory usage
Depending on how much memory your SQL Server has, and whether the SQL Server is shared with other databases (for example, FIMService and FIMSynchronizationService on the same instance), you might want to restrict the memory consumption of SQL Server. You can do this with the following steps.
-
Start SQL Server Management Studio.
-
Select New Query.
-
Run the following query:
USE master
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'max server memory (MB)', 12000 -- cap SQL Server at 12 GB
RECONFIGURE WITH OVERRIDE
This example reconfigures SQL Server not to use more than 12 GB of memory.
-
Verify the setting, and hide the advanced options again, using the following query:
USE master
EXEC sp_configure 'max server memory (MB)' -- verify the setting
EXEC sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
Installing the Management Pack for Forefront Identity Manager 2010
The Management Pack for FIM 2010 allows System Center Operations Manager to monitor identity management scenarios for FIM 2010. Examples include:
-
Management agent errors requiring administrative intervention
-
Events indicating service outages
-
Alerts indicating configuration issues and connected data source changes
-
Verification that all dependent services are running
-
Notification if the password management is denying access to requests
-
Notification when account provisioning doesn’t occur correctly
To Install the Management Pack for Forefront Identity Manager
-
Go to the Microsoft System Center Pack Catalog.
-
In System Center Pack for: select Forefront Identity Manager 2010 and click Search.
-
In the search results, click the System Center Pack for FIM 2010.
-
Follow the download instructions.
Optionally, you may also download and install the management pack from within System Center Operations Manager 2007 R2. For more information, see the Microsoft Web site.
Unattended installation of FIM 2010
All components of FIM 2010 accept properties to allow unattended and silent installation. Those properties can either be set in a Windows Installer Transform (MST) file or specified on the command line during installation.
The FIM installation packages do not support advertisement (msiexec /j) or administrative (msiexec /a) installations.
There are several ways to install FIM silently (unattended). Two methods are described in this section: passing parameters on the command line, and using MST files. Describing unattended installations in general is outside the scope of this document.
Pass in parameters on the command line
This can be used with System Center Configuration Manager (SCCM). To install silently, you use the msiexec command with an option followed by properties. The generic construct of a command line is:
msiexec /i NameOfMSI.msi /Option ADDLOCAL=MSIFeatureName Property=Value
The possible values of MSIFeatureName and Property are listed in the tables further down. Note that all parameters are case sensitive.
This is an example of an installation of the FIM Add-ins and Extensions from a file server where only the FIM Add-in for Outlook is installed:
msiexec /i "\\MyServer\Distribution\FIM\32\Add-ins and extensions.msi" /quiet ADDLOCAL=OfficeClient PORTAL_LOCATION=MyPortalServer PORTAL_PREFIX=https MONITORED_EMAIL=fimservice@contoso.com
Create an MST file
Another solution is to use an MST file. MST files can be created with tools such as Orca (shipped with the Windows SDK) and contain the same settings that would otherwise be passed on the command line.
Troubleshoot an installation
If an unattended installation fails, add the option /l*v NameOfLogFile.txt to the command line. This creates a log file that can be used for troubleshooting. An error in a Windows Installer log file can be identified by searching for the text Return Value 3.
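A small wrapper keeps the command line, the logging option and the Return Value 3 search together. The following is an added example, not part of the FIM 2010 documentation; it takes the feature and property names from the tables in this section, and the server names, share paths and addresses in the two calls at the end are placeholders.

```powershell
# Added example, not part of the FIM 2010 documentation. Wraps msiexec for the
# unattended installs described above: builds ADDLOCAL and the property list,
# always writes a verbose log, and on failure prints the first "Return Value 3".
function Install-FimMsi {
    param(
        [Parameter(Mandatory=$true)][string]$MsiPath,
        [string[]]$Features,                 # MSI feature names (Table 1)
        [hashtable]$Properties = @{},        # property names (Tables 2 to 4); names are case sensitive
        [string]$LogPath = (Join-Path $env:TEMP ('fim-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date)))
    )
    $msiArgs = @('/i', ('"{0}"' -f $MsiPath), '/quiet', '/norestart', '/l*v', ('"{0}"' -f $LogPath))
    if ($Features) { $msiArgs += 'ADDLOCAL=' + ($Features -join ',') }
    foreach ($name in $Properties.Keys) {
        # Quote every value; SITELOCK_DOMAIN contains semicolons and paths may contain spaces.
        $msiArgs += ('{0}="{1}"' -f $name, $Properties[$name])
    }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { Write-Host "Installed $MsiPath (log: $LogPath)" }
        3010 { Write-Warning "Installed $MsiPath; a restart is required (log: $LogPath)" }
        default {
            Write-Warning ("msiexec returned {0}; first failing action in {1}:" -f $proc.ExitCode, $LogPath)
            # The lines just before the first "Return Value 3" name the action that failed.
            Select-String -Path $LogPath -Pattern 'Return Value 3' -Context 3,0 | Select-Object -First 1
        }
    }
    return $proc.ExitCode
}

# Outlook add-in only, from a file share: the same install as the command line above.
Install-FimMsi -MsiPath '\\MyServer\Distribution\FIM\32\Add-ins and extensions.msi' `
    -Features 'OfficeClient' `
    -Properties @{ PORTAL_LOCATION = 'MyPortalServer'; PORTAL_PREFIX = 'https'; MONITORED_EMAIL = 'fimservice@contoso.com' }

# 64-bit Password Reset extensions with the Sitelock list from the interactive setup step.
Install-FimMsi -MsiPath '\\MyServer\Distribution\FIM\64\Add-ins and extensions.msi' `
    -Features 'PasswordClient', 'PasswordClientX86' `
    -Properties @{ RMS_LOCATION = 'fimservice.contoso.com'; PORTAL_LOCATION = 'myfimserver.contoso.com'; SITELOCK_DOMAIN = 'myfimserver;myfimserver.contoso.com'; IE7TRUSTEDSITES = 'https' }
```

One caveat when this is used for the server packages: SERVICE_ACCOUNT_PASSWORD and SERVICEPASSWORD are ordinary properties, so a value passed on the command line is visible to anyone who can list processes on the computer, and a verbose log records the property values it was given unless the package hides them. Prefer an MST for the server installs, and delete or restrict the log once troubleshooting is finished.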
Features and properties
The tables list the settings in the order they appear during the UI installation. Default values are shown in parentheses.
Table 1 Name of feature in MSI file

| Name of feature in UI | MSI feature name |
| --- | --- |
| FIM Add-in for Outlook | OfficeClient |
| FIM Password and Authentication Extensions (shown as FIM Password and Authentication Extensions for Windows XP / for Windows Vista) | PasswordClient |
| FIM Portal Authentication Extensions | PasswordClientX86 |
| FIM Service | CommonServices |
| FIM Portal | WebPortals |
| FIM Password Reset Portal | PwdPortals |
| FIM Synchronization Service | N/A (only one feature in the installer) |
| FIM CM Update Service | CLM_Service |
| FIM CM Portal | Web_Files |
| FIM CM CA Modules | CA_Modules |
| FIM CM Smart Card PIN Reset Tool | ChangePin |
| FIM CM Smart Card Personalization Control | AppletManagement |
| FIM CM Smart Card Client | SelfServiceControl |
| FIM CM Update Client | ProfileUpdateControl |
| FIM CM Bulk Issuance Client | ClientFiles |
| Microsoft Password Change Notification Service | PCNSSVC |
Table 2 Service and Portal properties

| Property Name | Description |
| --- | --- |
| SQMOPTINSETTING | 1 – opt in, 0 – opt out (default) |
| SQLSERVER_SERVER | (Required) Name of SQL Server instance |
| SQLSERVER_DATABASE | Name of database (FIMService) |
| EXISTINGDATABASE | 0 – New database (default), 1 – Existing database |
| SERVICE_ACCOUNT_NAME | (Required) Service account name |
| SERVICE_ACCOUNT_PASSWORD | (Required) Service account password |
| SERVICE_ACCOUNT_DOMAIN | (Required) Service account domain |
| SERVICE_ACCOUNT_EMAIL | (Required) Service account e-mail address |
| SYNCHRONIZATION_SERVER_ACCOUNT | FIM Service Management Agent account in the format domain\accountname |
| CERTIFICATE_NAME | Name of certificate to generate (ForefrontIdentityManager) |
| MAIL_SERVER | (Required) Name of mail server |
| MAIL_SERVER_IS_EXCHANGE | 0 – SMTP, 1 – Exchange (default) |
| MAIL_SERVER_USE_SSL | 0 – Disable SSL, 1 – Enable SSL (default) |
| POLL_EXCHANGE_SERVER | 0 – Server will not poll for e-mail messages, 1 – Server will poll for e-mail messages (default) |
| SYNCHRONIZATION_SERVER | (Required) Address of FIM Synchronization Service server |
| SERVICEADDRESS | Address used by clients to contact the server |
| SHAREPOINT_URL | URL used to contact the SharePoint server |
| FIREWALL_CONF | 0 – Do not configure firewall (default), 1 – Configure firewall |
| SHAREPOINTUSER_CONF | 0 – Do not add authenticated users (default), 1 – Add authenticated users |
| PASSWORDUSERS_CONF | 0 – Do not add authenticated users (default), 1 – Add authenticated users |
| SHAREPOINTTIMEOUT | Timeout in seconds the installer should wait for SharePoint to deploy the solution packs |
Table 3 Synchronization Service properties

| Property Name | Description |
| --- | --- |
| STORESERVER | Name of SQL Server |
| SQLDB | Name of database (FIMSynchronization) |
| SQLINSTANCE | Name of database instance |
| SERVICEACCOUNT | (Required) Service account name |
| SERVICEPASSWORD | (Required) Service account password |
| SERVICEDOMAIN | (Required) Service account domain |
| GROUPADMINS | Name of admin group (FIMSyncAdmins) |
| GROUPOPERATORS | Name of operators group (FIMSyncOperators) |
| GROUPACCOUNTJOINERS | Name of joiners group (FIMSyncJoiners) |
| GROUPBROWSE | Name of browse group (FIMSyncBrowse) |
| GROUPPASSWORDSET | Name of password set group (FIMSyncPasswordSet) |
| FIREWALL_CONF | 0 – Do not configure firewall (default), 1 – Configure firewall |
Table 4 Add-ins and Extensions properties

| Property Name | Description |
| --- | --- |
| SQMOPTINSETTING | 1 – opt in, 0 – opt out (default) |
| RMS_LOCATION | Address of the FIM Service. Used by the Password Reset extensions |
| PORTAL_LOCATION | Address of the FIM Portal. Used by the Outlook add-in |
| PORTAL_PREFIX | Prefix used to contact the FIM Portal: http or https (default) |
| MONITORED_EMAIL | FIM Service e-mail address. Used by the Outlook add-in when sending e-mail |
| SITELOCK_DOMAIN | Semicolon-separated list of sites the Password Reset ActiveX control can be activated on |
| IE7TRUSTEDSITES | If IE7 is installed, the prefix to add to the list of sites defined in SITELOCK_DOMAIN. None – Do not add sites to trusted sites (default), http – Add sites with http as prefix, https – Add sites with https as prefix |
| BEST_EFFORT_INSTALL | If both components are selected but one cannot be installed because of failed prerequisites, silently continue installing the other component. 0 – Fail installation (default), 1 – Silently continue |
Populating the FIM Service database
FIM Portal Access
Every user who accesses the FIM Portal must have an Account in Active Directory and a resource in the FIM Service database with the ObjectSID, Domain, and Accountname attributes representing the user in Active Directory.
Note: For more information about synchronizing users between FIM 2010 and Active Directory, see Publishing Active Directory User From Two Authoritative Data Sources, included in the FIM 2010 documentation set.
Active Directory to FIM 2010 Initial Data Load
If you have existing data that you want synchronized from Active Directory to FIM 2010, you have to perform an initial data load. This is a one-time operation and is not a continuous synchronization. It is not required to complete this to successfully setup FIM 2010.
Note: For more information about synchronizing users between FIM 2010 and Active Directory, see the Publishing Active Directory User From Two Authoritative Data Sources document included in the FIM 2010 documentation set.
Configure the SQL Server for initial data load
When you plan to load a lot of data initially, you can shorten the time it takes to populate the database by temporarily switching the full-text indexes to manual change tracking, so that they are not updated during the load, and switching them back to automatic tracking after the export on the FIM MA has completed.
Follow these steps to temporarily stop automatic full-text index updates:
-
Start SQL Server Management Studio.
-
Select New Query.
-
Run the following SQL statements:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = MANUAL
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = MANUAL
-
Complete the export of the FIM MA.
-
Run the following SQL statements to turn automatic full-text index updates on again:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = AUTO
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = AUTO
Uninstalling the FIM Service and Portal component of FIM 2010
If you encounter an unrecoverable error and need to uninstall and then reinstall the FIM Service and Portal component of FIM 2010, follow the procedure below to uninstall it.
To uninstall the FIM Service and Portal component of FIM 2010
-
From the FIM 2010 splash screen click the Install Service and Portal link.
-
Run Setup.exe, and then follow the instructions in the installation wizard to remove the installation.
-
Delete the FIM 2010 Service database.
-
Open SQL Server Management Studio.
-
Select the FIMService database.
-
Right click and select Delete.
Note: To be able to uninstall the FIM Portal component, you must be a SharePoint administrator. A local server administrator is not by default granted administrator permissions in SharePoint; you must explicitly grant either SharePoint site administrator or secondary administrator permissions.