Step 6: Perform FIM 2010 Prerequisite Tasks
Applies To: Forefront Identity Manager 2010
The FIM1 prerequisite tasks for the Forefront Identity Manager 2010 test lab consist of the following:
Create the FIM Service Accounts
Mailbox-Enable the CORP\FIMService Account
Secure the CORP\FIMService and CORP\FIMSynchService Accounts
Set the SQL Server Agent Service to Start Automatically
Enable SQL Firewall Ports
Enable SQL Server Network Protocols
Verify That the FIM Installation Account Has SharePoint Permissions
Change the SharePoint Application Pool Account to Use CORP\SPService
Configure IIS to Use CORP\SPService for Kerberos Delegation
Set the SPNs for CORP\SPService
Set the SPNs for CORP\FIMService
Turn on Delegation for CORP\SPService
Turn on Delegation for CORP\FIMService
Create the FIM Service Accounts
Four service accounts need to be created in corp.contoso.com that will be used with the Forefront Identity Manager 2010 installation.
Table 1 – Service Accounts
Full name | User logon name | Forest | Password |
---|---|---|---|
FIM Service | FIMService | corp.contoso.com | Pass1word$ |
FIM Synch Service | FIMSynchService | corp.contoso.com | Pass1word$ |
FIM MA | FIMMA | corp.contoso.com | Pass1word$ |
SharePoint Service | SPService | corp.contoso.com | Pass1word$ |
To create the Service Accounts
Log on to DC1.corp.contoso.com as Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.
Now, right-click ServiceAccounts, select New, and then select User. This will bring up the New Object – User window.
On the New Object – User screen, in the Full Name box, type the following text:
FIM Service
On the New Object – User screen, in the User logon name box, type the following text, and then click Next:
FIMService
On the New Object – User screen, in the Password box, type the following text:
Pass1word!
On the New Object – User screen, in the Confirm Password box, type the following text:
Pass1word!
On the New Object – User screen, clear the User must change password at next logon check box.
On the New Object – User screen, select Password never expires, and then click Next.
Click Finish.
Repeat these steps for all of the accounts listed in Table 1 – Service Accounts.
Log off DC1.corp.contoso.com.
Mailbox-Enable the CORP\FIMService Account
Now, create a mailbox for the CORP\FIMService account. This account is used to send e-mail notifications from FIM 2010. Also, in order to use the Office Outlook integration feature, this account must be mailbox-enabled and the e-mail account must be hosted by Exchange 2007 or Exchange 2010.
To mailbox-enable the CORP\FIMService account
Log on to the EX1.corp.contoso.com server as Administrator.
Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
In the Exchange Management Console, click Microsoft Exchange On-Premises. This will start an Initialization.
Warning
This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just hit OK.
In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), expand Recipient Configuration, and then click Mailbox.
On the right, in the Actions pane, click New Mailbox to start the New Mailbox Wizard.
On the Introduction page, select User Mailbox, and then click Next.
On the User Type page, select Existing users, and then click Add. This will bring up the Select User – Entire Forest page.
From the list, select FIM Service, click OK, and then click Next.
On the Mailbox Settings page, click Next.
On the New Mailbox page, click New.
On the Completion page, verify that it was successful, and then click Finish.
Close the Exchange Management Console.
Log off EX1.corp.contoso.com.
Secure the CORP\FIMService and CORP\FIMSynchService Accounts
Now, you will secure the CORP\FIMService and CORP\FIMSynchService accounts by restricting their permissions.
Table 2 – FIMService Account and FIMSynchService Permissions
Account | Permissions |
---|---|
CORP\FIMService | Deny access to the computer from the network; Deny logon as batch job; Deny logon locally |
CORP\FIMSynchService | Deny access to the computer from the network; Deny logon as batch job; Deny logon locally |
To secure the CORP\FIMService and CORP\FIMSynchService accounts
Log on to FIM1.corp.contoso.com as Administrator.
Click Start, select Administrative Tools, and then click Local Security Policy. This will open the Local Security Policy MMC.
In the Local Security Policy MMC, on the left, expand Local Policies, and then click User Rights Assignment.
Now, on the right, scroll down and double-click Deny access to the computer from the network. This will open the Deny access to the computer from the network Properties window.
Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.
In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
FIMService;FIMSynchService
This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.
On the Deny access to the computer from the network Properties screen, click Apply, and then click OK.
In the Local Security Policy, scroll down and double-click Deny logon as batch job. This will open the Deny logon as batch job Properties window.
Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.
In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
FIMService;FIMSynchService
This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.
On the Deny logon as batch job Properties screen, click Apply, and then click OK.
In the Local Security Policy, scroll down and double-click Deny logon locally. This will open the Deny logon locally Properties window.
Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.
In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
FIMService;FIMSynchService
This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.
On the Deny logon locally Properties screen, click Apply, and then click OK.
Close the Local Security Policy.
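The Local Security Policy MMC shows names, but the policy itself stores SIDs, so a typo in the account name or a resolution to the wrong account is easy to miss. The following added check (not part of the original guide) exports the effective user rights on FIM1 with secedit and confirms that both service accounts are present in all three deny rights; run it in an elevated PowerShell on FIM1.

```powershell
# Added example: verify that CORP\FIMService and CORP\FIMSynchService hold the
# three deny rights assigned in the procedure above. secedit writes accounts
# as *SID, so the names are resolved to SIDs before comparing.
$accounts = 'CORP\FIMService', 'CORP\FIMSynchService'
$rights = @{
    SeDenyNetworkLogonRight     = 'Deny access to the computer from the network'
    SeDenyBatchLogonRight       = 'Deny logon as batch job'
    SeDenyInteractiveLogonRight = 'Deny logon locally'
}

# Export only the user-rights area of the local security database
$inf = Join-Path $env:TEMP 'fim1-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
Remove-Item $inf

# Resolve each account to its SID string (S-1-5-21-...)
$sids = @{}
foreach ($a in $accounts) {
    $nt = New-Object System.Security.Principal.NTAccount($a)
    $sids[$a] = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$missing = 0
foreach ($right in $rights.Keys) {
    # Line format: SeDenyNetworkLogonRight = *S-1-5-21-...,*S-1-5-...
    $line = $lines | Where-Object { $_ -match "^$right\s*=" }
    $assigned = @()
    if ($line) {
        $assigned = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    foreach ($a in $accounts) {
        if ($assigned -contains $sids[$a]) {
            '{0,-45} {1,-22} present' -f $rights[$right], $a
        } else {
            Write-Warning "$a is NOT in '$($rights[$right])' ($right)"
            $missing++
        }
    }
}
if ($missing -eq 0) { 'All three deny rights are in place for both accounts.' }
```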
Set the SQL Server Agent Service to Start Automatically
To set SQL Server Agent service to start automatically
Log on to APP1 as CORP\Administrator.
Click Start, select Administrative Tools, and then click Services.
Scroll down to SQL Server Agent (MSSQLSERVER) and double-click it. This will bring up the SQL Server Agent (MSSQLSERVER) Properties.
In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.
In Services, right-click SQL Server Agent (MSSQLSERVER), and then click Start. This will start the SQL Server Agent.
When this completes, verify that the SQL Server Agent (MSSQLSERVER) has a status of Started.
Close Services.
Enable SQL Firewall Ports
To enable the firewall ports on APP1
Click Start, select Administrative Tools, and then click Windows Firewall with Advanced Security. This will bring up Windows Firewall with Advanced Security.
On the left, select Inbound Rules, and on the right click New Rule. This will bring up the New Inbound Rule Wizard.
On the Rule Type page, select Port, and then click Next.
On the Protocol and ports page, select TCP, and type the following text in the box next to Specific local ports, and then click Next:
445
On the Action page, select Allow the connection, and then click Next.
On the Profile page, select Domain, Private, and Public, and then click Next.
On the Name page, type the following text in the box, and then click Finish:
SQL Server Named Pipes
Repeat these steps for all of the entries in the table below.
Close Windows Firewall with Advanced Security.
Table 3 – SQL Server Firewall Port Exceptions
Protocol | Port number | Name |
---|---|---|
TCP | 445 | SQL Server Named Pipes |
TCP | 1433 | SQL Server Listening Port |
UDP | 1434 | SQL Server Browser Service |
Enable SQL Server Network Protocols
To enable SQL Server Network Protocols
Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and then select SQL Server Configuration Manager. This will bring up the SQL Server Configuration Manager.
In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration, and then click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their statuses.
On the right, right-click Disabled next to Named Pipes, and then select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.
In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their states.
On the right, right-click SQL Server (MSSQLSERVER), and select Stop. This will bring up a pop-up box that says stopping this service will also stop the SQLServerAgent. Do you wish to continue? Click Yes. This will stop the SQL Server service.
In the SQL Services pane, right-click on a blank area of the screen. This will bring up a small pop-up box. Click Refresh. You should now see both services stopped.
On the right, right-click SQL Server (MSSQLSERVER), and select Start. This will start the SQL Server service.
On the right, right-click SQL Server Agent, and select Start. This will start the SQL Server Agent service.
Close SQL Server Configuration Manager.
Verify That the FIM Installation Account Has SharePoint Permissions
In this step, you will verify that the FIM Installation account, for example, CORP\Administrator, has SharePoint permissions. If the account that is used to install FIM does not have the correct permissions, the installation will fail.
To verify that the FIM Installation account has SharePoint permissions
Log on to FIM1.corp.contoso.com as Administrator.
Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.
On the left, click Application Management. This may bring up a Credentials box. If so, enter the following text for user name and the password, and then click OK:
Administrator
Now the Application Management page will appear.
Under SharePoint Site Management, click Site Collection Administrators. This will bring up the Site Collection Administrators page.
Under Primary site collection administration, verify that it says Administrator.
At the top of Internet Explorer, enter the new URL https://fim1 in the address box, and then hit Enter. This will bring up the Windows SharePoint Service home page.
In the upper right corner, click Site Actions and then select Site Settings from the drop-down list. This will bring up the Site Settings page.
Under Users and Permissions, click Site Collection Administrators. This will bring up the Site Collection Administrators page.
Verify that Administrator appears in the box next to Site Collection Administrators.
Close Internet Explorer.
Change the SharePoint Application Pool Account to Use CORP\SPService
By default, IIS uses the Network Service account for the Application Pool. The recommended guidance is to use a service account.
To change the SharePoint Application Pool account to use CORP\SPService
Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.
On the left, click Operations. This may bring up a Credentials box. If so, enter the following text for the user name and the password, and then click OK:
Administrator
Now the Operations page will appear.
Under Security Configuration, click Service Accounts. This will bring up the Service Accounts page.
Click the Web Application Pool radio button and from the drop-down list select Windows SharePoint Services Web Application. This will activate Application Pool.
Under Application Pool, from the drop-down list, select SharePoint-80.
Click the Configurable radio button and enter CORP\SPService for user name and Pass1word$ for the password.
Click OK. This will bring up a pop-up that says the SPN must be updated by a domain administrator. This will be done later in this step. Click OK. This will bring up another pop-up that says that iisreset /noforce must be run. Click OK. It may take a minute or two, but then the Operations page will come up.
Close Internet Explorer.
Configure IIS to Use CORP\SPService for Kerberos Ticket Decryption
By default, an application pool running under a specific service account will not use the service account for Kerberos. This section will configure IIS to use the CORP\SPService account for Kerberos Delegation.
To configure IIS to use CORP\SPService for Kerberos Ticket Decryption
Navigate to the following directory: C:\Windows\System32\inetsrv\config.
Locate the ApplicationHost.config file, right-click it, and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs, and click OK.
Select Notepad, and click OK. This will open the config file in Notepad.
At the top, select Edit, Find, type the following text in the box, and then click Find Next:
windowsAuthentication enabled="true"
You should now see the first instance and it will look like the Before image below. Insert useKernelMode="false" useAppPoolCredentials="true" in the line so it looks like the After image.
Click Find Next and repeat the above steps. There should be a total of six instances that need to have useKernelMode="false" useAppPoolCredentials="true" added.
When you finish the last one, a window will pop up and state that it cannot find windowsAuthentication enabled="true". Click OK.
On the Find box, click Cancel.
At the top of Notepad, select Save. Close Notepad.
Click Start, click All Programs, click Accessories, and then click Command Prompt. This will launch a Command Prompt window.
In the Command Prompt window, type the following text, and then hit Enter:
iisreset
This will stop and then restart IIS. Once this completes, close the Command Prompt window.
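With kernel-mode authentication, IIS decrypts Kerberos tickets with the machine account's key, while the SPNs set later in this step are registered on CORP\SPService; the two attributes above make IIS use the application pool identity instead. The following added script (not part of the original guide) performs the same edit as the Notepad steps on every enabled windowsAuthentication element, taking a backup first and reporting which scope each element belongs to. It assumes an elevated 64-bit PowerShell on FIM1; a 32-bit process would be redirected to SysWOW64 and edit the wrong file.

```powershell
# Added example: set useKernelMode="false" useAppPoolCredentials="true" on
# every <windowsAuthentication enabled="true"> element in ApplicationHost.config,
# which is what the Find/edit loop above does by hand for six instances.
$path   = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$backup = "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item $path $backup
"Backup written to $backup"

# Preserve whitespace so the saved file keeps its original layout
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($path)

# The element appears in the root system.webServer section and again inside
# <location path="..."> overrides for individual sites and applications
$nodes = $cfg.SelectNodes("//windowsAuthentication[@enabled='true']")
foreach ($n in $nodes) {
    $n.SetAttribute('useKernelMode', 'false')
    $n.SetAttribute('useAppPoolCredentials', 'true')
    $loc = $n.SelectSingleNode('ancestor::location/@path')
    $scope = if ($loc -ne $null) { "location '$($loc.Value)'" } else { 'server root' }
    "Updated windowsAuthentication in $scope"
}

# The guide expects six instances in this lab; a different count means the
# file differs from the lab's baseline and should be inspected before saving
if ($nodes.Count -ne 6) {
    Write-Warning "Expected 6 enabled windowsAuthentication elements, found $($nodes.Count)"
}

$cfg.Save($path)
"Saved $path; restarting IIS"
iisreset
```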
Set the SPNs for CORP\SPService
In this step, you will be setting the service principal names (SPNs) for the CORP\SPService account.
To set the SPNs for CORP\SPService
Log on to DC1 as CORP\Administrator.
Click Start, select Administrative Tools, and then click ADSI Edit. This will bring up ADSI Edit.
At the top, right-click ADSI Edit and select Connect to. This will bring up a Connections Settings box. Leave the defaults and click OK.
On the right, expand Default Naming Context [DC1.corp.contoso.com], double-click DC=corp,DC=contoso,DC=com, expand DC=corp,DC=contoso,DC=com, and then select OU=ServiceAccounts.
In the center, right-click CN=SharePoint Service and select Properties. This will bring up CN=SharePoint Service Properties.
Scroll through the list of attributes and double-click servicePrincipalName. This will bring up the Multi-valued String Editor.
In the box, under Value to add, type the following text, and then click Add:
HTTP/fim1
In the box, under Value to add, type the following text, and then click Add:
HTTP/fim1.corp.contoso.com
Click OK.
Click Apply.
Click OK.
Set the SPNs for CORP\FIMService
In this step, you will be setting the SPNs for the CORP\FIMService account.
To set the SPNs for CORP\FIMService
In the center, right-click CN=FIM Service and select Properties. This will bring up CN=FIM Service Properties.
Scroll through the list of attributes and double-click servicePrincipalName. This will bring up the Multi-valued String Editor.
In the box, under Value to add, type the following text, and then click Add:
FIMService/fim1
In the box, under Value to add, type the following text, and then click Add:
FIMService/fim1.corp.contoso.com
Click OK.
Click Apply.
Click OK.
Close ADSI Edit.
Turn on Delegation for CORP\SPService
Now you will enable Kerberos Delegation for the SharePoint Service account.
To turn on Delegation for CORP\SPService
Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com, expand ServiceAccounts, and in the center, right-click SharePoint Service, and then select Properties.
On the SharePoint Service Properties, select the Delegation tab.
In the middle, select Trust this user for delegation to any service (Kerberos only).
Click Apply.
Click OK.
Turn on Delegation for CORP\FIMService
Now you will enable Kerberos delegation for the FIM Service account.
To turn on Delegation for CORP\FIMService
Right-click FIM Service, and select Properties.
On the FIM Service Properties, select the Delegation tab.
In the middle, select Trust this user for delegation to any service (Kerberos only).
Click Apply.
Click OK.
Close Active Directory Users and Computers.
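Two things go wrong most often with the SPN and delegation steps above: an SPN typed onto the wrong account, or the same SPN registered on two accounts (for example, HTTP/fim1 left on the FIM1 computer object), in which case the KDC cannot choose a key, Kerberos fails and clients silently fall back to NTLM. The following added check (not part of the original guide) queries the domain for each SPN set in this step, confirms it resolves to exactly the expected account, and reports whether that account has the TRUSTED_FOR_DELEGATION flag, which is what the "Trust this user for delegation to any service (Kerberos only)" option sets (unconstrained delegation). Run it from any domain-joined machine as a domain user.

```powershell
# Added example: verify the SPNs from this step and report the delegation
# flag on the accounts that hold them. Uses the ADSI searcher, so no AD
# module is required.
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit for unconstrained delegation

$expected = @{
    'HTTP/fim1'                        = 'SPService'
    'HTTP/fim1.corp.contoso.com'       = 'SPService'
    'FIMService/fim1'                  = 'FIMService'
    'FIMService/fim1.corp.contoso.com' = 'FIMService'
}

function Get-SpnHolders {
    param([string]$Spn)
    # Escape characters that are special in LDAP filters before searching
    $esc = $Spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher = [adsisearcher]"(servicePrincipalName=$esc)"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            Spn           = $Spn
            Account       = [string]$r.Properties['samaccountname'][0]
            Unconstrained = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        }
    }
}

foreach ($spn in $expected.Keys) {
    $holders = @(Get-SpnHolders -Spn $spn)
    switch ($holders.Count) {
        0 { Write-Warning "$spn is not registered on any account" }
        1 {
            $h = $holders[0]
            if ($h.Account -ne $expected[$spn]) {
                Write-Warning "$spn is on $($h.Account), expected $($expected[$spn])"
            } else {
                '{0,-35} OK on {1,-12} unconstrained delegation: {2}' -f $spn, $h.Account, $h.Unconstrained
            }
        }
        default {
            # Duplicate SPNs break Kerberos for this service until one copy is removed
            $names = ($holders | ForEach-Object { $_.Account }) -join ', '
            Write-Warning "$spn is DUPLICATED on: $names"
        }
    }
}
```

setspn -X (on Windows Server 2008 and later) performs the same duplicate search across the whole domain and is a useful follow-up if any SPN is reported twice.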