Step 6: Perform FIM 2010 Prerequisite Tasks

Applies To: Forefront Identity Manager 2010

The FIM1 prerequisites for the Forefront Identity Manager 2010 test lab consist of the following:

  • Create the FIM Service Accounts

  • Mailbox-Enable the CORP\FIMService Account

  • Secure the CORP\FIMService and CORP\FIMSynchService Accounts

  • Set the SQL Server Agent Service to Start Automatically

  • Enable SQL Firewall Ports

  • Enable SQL Server Network Protocols

  • Verify That the FIM Installation Account Has SharePoint Permissions

  • Change the SharePoint Application Pool Account to Use CORP\SPService

  • Configure IIS to Use CORP\SPService for Kerberos Delegation

  • Set the SPNs for CORP\SPService

  • Set the SPNs for CORP\FIMService

  • Turn on Delegation for CORP\SPService

  • Turn on Delegation for CORP\FIMService

Create the FIM Service Accounts

Four service accounts need to be created in corp.contoso.com that will be used with the Forefront Identity Manager 2010 installation.

Table 1 – Service Accounts

Full name            User logon name   Forest             Password
FIM Service          FIMService        corp.contoso.com   Pass1word$
FIM Synch Service    FIMSynchService   corp.contoso.com   Pass1word$
FIM MA               FIMMA             corp.contoso.com   Pass1word$
SharePoint Service   SPService         corp.contoso.com   Pass1word$

To create the Service Accounts

  1. Log on to DC1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  4. Now, right-click ServiceAccounts, select New, and then select User. This will bring up the New Object – User window.

  5. On the New Object – User screen, in the Full Name box, type the following text:
    FIM Service

  6. On the New Object – User screen, in the User logon name box, type the following text, and then click Next:
    FIMService

  7. On the New Object – User screen, in the Password box, type the following text:
    Pass1word!

  8. On the New Object – User screen, in the Confirm Password box, type the following text:
    Pass1word!

  9. On the New Object – User screen, clear the User must change password at next logon check box.

  10. On the New Object – User screen, select Password never expires, and then click Next.

  11. Click Finish.

  12. Repeat these steps for all of the accounts listed in Table 1 – Service Accounts.

    [Screenshot: Create FIM Accounts]

  13. Log off DC1.corp.contoso.com.
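The same four accounts can be created from the Active Directory PowerShell module. This is an added example, not part of the original guide; it assumes Windows Server 2008 R2 or later on DC1 and that the ServiceAccounts OU already exists, as step 4 does.

```powershell
# Added example, not part of the original guide: creates the four Table 1
# accounts with the Active Directory PowerShell module (Windows Server 2008 R2
# or later) instead of the MMC clicks above. Run on DC1 as Administrator.
# Assumes the ServiceAccounts OU already exists, as step 4 does.
Import-Module ActiveDirectory

$ouPath = 'OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'
$domain = 'corp.contoso.com'
# Table 1 lab password; a real deployment would use a unique, generated secret
$password = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force

$accounts = @(
    @{ Name = 'FIM Service';        Sam = 'FIMService' },
    @{ Name = 'FIM Synch Service';  Sam = 'FIMSynchService' },
    @{ Name = 'FIM MA';             Sam = 'FIMMA' },
    @{ Name = 'SharePoint Service'; Sam = 'SPService' }
)

foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        "$($a.Sam) already exists, skipping"
        continue
    }
    $params = @{
        Name                  = $a.Name              # step 5: Full name
        SamAccountName        = $a.Sam               # step 6: User logon name
        UserPrincipalName     = "$($a.Sam)@$domain"
        Path                  = $ouPath
        AccountPassword       = $password            # steps 7-8
        ChangePasswordAtLogon = $false               # step 9
        PasswordNeverExpires  = $true                # step 10
        Enabled               = $true
    }
    New-ADUser @params
}

# Verify: all four accounts exist in the OU, enabled, with non-expiring passwords
Get-ADUser -SearchBase $ouPath -Filter * -Properties PasswordNeverExpires |
    Select-Object Name, SamAccountName, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize
```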

Mailbox-Enable the CORP\FIMService Account

Now, create a mailbox for the CORP\FIMService account. This account is used to send e-mail notifications from FIM 2010. Also, in order to use the Office Outlook integration feature, this account must be mailbox-enabled and the e-mail account must be hosted by Exchange 2007 or Exchange 2010.

To mailbox-enable the CORP\FIMService account

  1. Log on to the EX1.corp.contoso.com server as Administrator.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

  3. In the Exchange Management Console, click Microsoft Exchange On-Premises. This will start an Initialization.

    Warning

    This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just hit OK.

  4. In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), expand Recipient Configuration, and then click Mailbox.

  5. On the right, in the Actions pane, click New Mailbox to start the New Mailbox Wizard.

  6. On the Introduction page, select User Mailbox, and then click Next.

  7. On the User Type page, select Existing users, and then click Add. This will bring up the Select User – Entire Forest page.

  8. From the list, select FIM Service, click OK, and then click Next.

    [Screenshot: Mailbox-enable FIM Service]

  9. On the Mailbox Settings page, click Next.

  10. On the New Mailbox page, click New.

  11. On the Completion page, verify that it was successful, and then click Finish.

  12. Close the Exchange Management Console.

  13. Log off EX1.corp.contoso.com.

Secure the CORP\FIMService and CORP\FIMSynchService Accounts

Now, you will secure the CORP\FIMService and CORP\FIMSynchService accounts by restricting their permissions.

Table 2 – FIMService and FIMSynchService Account Permissions

Account                Permissions
CORP\FIMService        Deny logon as batch job
                       Deny logon locally
                       Deny access to this computer from the network
CORP\FIMSynchService   Deny logon as batch job
                       Deny logon locally
                       Deny access to this computer from the network

To secure the CORP\FIMService and CORP\FIMSynchService accounts

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Local Security Policy. This will open the Local Security Policy MMC.

  3. In the Local Security Policy MMC, on the left, expand Local Policies, and then click User Rights Assignment.

  4. Now, on the right, scroll down and double-click Deny access to the computer from the network. This will open the Deny access to the computer from the network Properties window.

  5. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  6. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMService;FIMSynchService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  7. On the Deny access to the computer from the network Properties screen, click Apply, and then click OK.

  8. In the Local Security Policy, scroll down and double-click Deny logon as batch job. This will open the Deny logon as batch job Properties window.

  9. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  10. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMService;FIMSynchService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  11. On the Deny logon as batch job Properties screen, click Apply, and then click OK.

  12. In the Local Security Policy, scroll down and double-click Deny logon locally. This will open the Deny logon locally Properties window.

  13. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  14. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMService;FIMSynchService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  15. On the Deny logon locally Properties screen, click Apply, and then click OK.

    [Screenshot: Secure FIM Accounts]

  16. Close the Local Security Policy.
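The three Table 2 deny rights can also be applied with a secedit template and then verified from the exported policy. This is an added example, not part of the original guide; it assumes an elevated PowerShell on FIM1 and that no other principals are already listed under these rights, because a template replaces the whole list for each right it names.

```powershell
# Added example, not part of the original guide: applies the Table 2 deny
# rights on FIM1 with secedit instead of the Local Security Policy clicks, then
# verifies them. Run in an elevated PowerShell on FIM1.corp.contoso.com.
# Assumption: nothing else is already listed under these three rights, because
# a secedit template replaces the whole principal list of each right it names.
$work = 'C:\Temp\fimrights'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$principals = 'CORP\FIMService,CORP\FIMSynchService'
# Privilege constants behind the User Rights Assignment display names:
#   Deny access to this computer from the network -> SeDenyNetworkLogonRight
#   Deny logon as a batch job                     -> SeDenyBatchLogonRight
#   Deny logon locally                            -> SeDenyInteractiveLogonRight
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $principals
SeDenyBatchLogonRight = $principals
SeDenyInteractiveLogonRight = $principals
"@
$inf = Join-Path $work 'deny.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode

secedit /configure /db "$work\deny.sdb" /cfg $inf /areas USER_RIGHTS /log "$work\deny.log" /quiet

# Verify by exporting the effective local policy. secedit writes domain
# accounts as *S-1-5-21-... rather than names, so compare on SIDs.
$export = Join-Path $work 'export.inf'
secedit /export /cfg $export /areas USER_RIGHTS /quiet
$sids = 'FIMService', 'FIMSynchService' | ForEach-Object {
    $acct = New-Object System.Security.Principal.NTAccount('CORP', $_)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$rights = 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyInteractiveLogonRight'
foreach ($right in $rights) {
    $line = Get-Content $export | Where-Object { $_ -like "$right*" }
    foreach ($sid in $sids) {
        $state = if ($line -and ($line -like "*$sid*")) { 'present' } else { 'MISSING' }
        '{0,-28} {1}  {2}' -f $right, $sid, $state
    }
}
```

A domain GPO that defines the same rights would override this local setting on the next policy refresh, so in a non-lab domain check the resulting policy rather than the template.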

Set the SQL Server Agent Service to Start Automatically

To set SQL Server Agent service to start automatically

  1. Log on to APP1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click Services.

  3. Scroll down to SQL Server Agent (MSSQLSERVER) and double-click it. This will bring up the SQL Server Agent (MSSQLSERVER) Properties.

  4. In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.

    [Screenshot: SQL Server Agent Automatic]

  5. In Services, right-click SQL Server Agent (MSSQLSERVER), and then click Start. This will start the SQL Server Agent.

  6. When this completes, verify that the SQL Server Agent (MSSQLSERVER) has a status of Started.

  7. Close Services.

Enable SQL Firewall Ports

To enable the firewall ports on APP1

  1. Click Start, select Administrative Tools, and then click Windows Firewall with Advanced Security. This will bring up Windows Firewall with Advanced Security.

  2. On the left, select Inbound Rules, and on the right click New Rule. This will bring up the New Inbound Rule Wizard.

  3. On the Rule Type page, select Port, and then click Next.

  4. On the Protocol and ports page, select TCP, and type the following text in the box next to Specific local ports, and then click Next:
    445

  5. On the Action page, select Allow the connection, and then click Next.

  6. On the Profile page, select Domain, Private, and Public, and then click Next.

  7. On the Name page, type the following text in the box, and then click Finish:
    SQL Server Named Pipes

  8. Repeat these steps for all of the entries in the table below.

    [Screenshot: SQL Firewalls]

  9. Close Windows Firewall with Advanced Security.

Table 3 – SQL Server Firewall Port Exceptions

Protocol   Port number   Name
TCP        445           SQL Server Named Pipes
TCP        1433          SQL Server Listening Port
UDP        1434          SQL Server Browser Service

Enable SQL Server Network Protocols

To enable SQL Server Network Protocols

  1. Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and then select SQL Server Configuration Manager. This will bring up the SQL Server Configuration Manager.

  2. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration, and then click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their statuses.

  3. On the right, right-click Disabled next to Named Pipes, and then select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.

    [Screenshot: SQL Network Protocols]

  4. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their states.

  5. On the right, right-click SQL Server (MSSQLSERVER), and select Stop. This will bring up a pop-up box that says stopping this service will also stop the SQLServerAgent. Do you wish to continue? Click Yes. This will stop the SQL Server service.

  6. In the SQL Services pane, right-click on a blank area of the screen. This will bring up a small pop-up box. Click Refresh. You should now see both services stopped.

  7. On the right, right-click SQL Server (MSSQLSERVER), and select Start. This will start the SQL Server service.

  8. On the right, right-click SQL Server Agent, and select Start. This will start the SQL Server Agent service.

  9. Close SQL Server Configuration Manager.
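The three APP1 procedures above (SQL Server Agent start-up, the Table 3 firewall exceptions, and Named Pipes) can be scripted and checked together. This is an added example, not part of the original guide; it assumes a default SQL Server 2008 instance (MSSQLSERVER) on Windows Server 2008 R2 and an elevated PowerShell on APP1.

```powershell
# Added example, not part of the original guide: automates the three APP1
# procedures above (SQL Server Agent auto-start, the Table 3 firewall
# exceptions, Named Pipes) and reads the results back. Assumes a default
# SQL Server 2008 instance (MSSQLSERVER) on Windows Server 2008 R2; run in an
# elevated PowerShell on APP1 as CORP\Administrator.

# 1. SQL Server Agent (MSSQLSERVER): Startup Type Automatic, then started
Set-Service -Name SQLSERVERAGENT -StartupType Automatic
Start-Service -Name SQLSERVERAGENT

# 2. Table 3 firewall exceptions. netsh is used because New-NetFirewallRule
#    only exists from Windows Server 2012; profile=any = Domain, Private, Public.
$rules = @(
    @{ Name = 'SQL Server Named Pipes';     Protocol = 'TCP'; Port = 445  },
    @{ Name = 'SQL Server Listening Port';  Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Server Browser Service'; Protocol = 'UDP'; Port = 1434 }
)
foreach ($r in $rules) {
    $name = $r.Name; $proto = $r.Protocol; $port = $r.Port
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=$proto localport=$port profile=any | Out-Null
}

# 3. Enable Named Pipes through the SQL Server 2008 WMI provider (the same
#    object SQL Server Configuration Manager edits). As the GUI warns, it takes
#    effect only after a restart, and stopping MSSQLSERVER also stops the Agent.
$ns = 'root\Microsoft\SqlServer\ComputerManagement10'
$np = Get-WmiObject -Namespace $ns -Class ServerNetworkProtocol |
      Where-Object { $_.InstanceName -eq 'MSSQLSERVER' -and $_.ProtocolName -eq 'Np' }
if (-not $np.Enabled) {
    $np.SetEnable() | Out-Null
    Restart-Service -Name MSSQLSERVER -Force
    Start-Service -Name SQLSERVERAGENT
}

# Verify: both services running, Agent set to Auto, rules present, Np enabled
Get-WmiObject Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
    Select-Object Name, State, StartMode
foreach ($r in $rules) {
    $name = $r.Name
    netsh advfirewall firewall show rule name="$name" | Select-String 'Rule Name|Enabled|LocalPort'
}
(Get-WmiObject -Namespace $ns -Class ServerNetworkProtocol |
    Where-Object { $_.InstanceName -eq 'MSSQLSERVER' -and $_.ProtocolName -eq 'Np' }).Enabled
```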

Verify That the FIM Installation Account Has SharePoint Permissions

In this step, you will verify that the FIM Installation account, for example, CORP\Administrator, has SharePoint permissions. If the account that is used to install FIM does not have the correct permissions, the installation will fail.

To verify that the FIM Installation account has SharePoint permissions

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.

  3. On the left, click Application Management. This may bring up a Credentials box. If so, enter the following text for user name and the password, and then click OK:
    Administrator
    Now the Application Management page will appear.

  4. Under SharePoint Site Management, click Site Collection Administrators. This will bring up the Site Collection Administrators page.

  5. Under Primary site collection administration, verify that it says Administrator.

    [Screenshot: Verify Administrator Account]

  6. At the top of Internet Explorer, enter the new URL https://fim1 in the address box, and then hit Enter. This will bring up the Windows SharePoint Service home page.

  7. In the upper right corner, click Site Actions and then select Site Settings from the drop-down list. This will bring up the Site Settings page.

  8. Under Users and Permissions, click Site Collection Administrators. This will bring up the Site Collection Administrators page.

  9. Verify that Administrator appears in the box next to Site Collection Administrators.

    [Screenshot: Verify Administrator Account 2]

  10. Close Internet Explorer.

Change the SharePoint Application Pool Account to Use CORP\SPService

By default, IIS uses the Network Service account for the Application Pool. The recommended guidance is to use a service account.

To change the SharePoint Application Pool account to use CORP\SPService

  1. Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.

  2. On the left, click Operations. This may bring up a Credentials box. If so, enter the following text for the user name and the password, and then click OK:
    Administrator
    Now the Operations page will appear.

  3. Under Security Configuration, click Service Accounts. This will bring up the Service Accounts page.

  4. Click the Web Application Pool radio button and from the drop-down list select Windows SharePoint Services Web Application. This will activate Application Pool.

  5. Under Application Pool, from the drop-down list, select SharePoint-80.

  6. Click the Configurable radio button and enter CORP\SPService for user name and Pass1word$ for the password.

    [Screenshot: SharePoint App Pool Account]

  7. Click OK. This will bring up a pop-up that says the SPN must be updated by a domain administrator. This will be done later in this step. Click OK. This will bring up another pop-up that says that iisreset /NOFORCE must be run. Click OK. It may take a minute or two, but then the Operations page will come up.

  8. Close Internet Explorer.

Configure IIS to Use CORP\SPService for Kerberos Ticket Decryption

By default, an application pool running under a specific service account will not use the service account for Kerberos. This section will configure IIS to use the CORP\SPService account for Kerberos Delegation.

To configure IIS to use CORP\SPService for Kerberos Ticket Decryption

  1. Navigate to the following directory: C:\Windows\System32\inetsrv\config.

  2. Locate the ApplicationHost.config file, right-click and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs, and click OK.

  3. Select Notepad, and click OK. This will open the config file in Notepad.

  4. At the top, select Edit, Find, type the following text in the box, and then click Find Next:
    windowsAuthentication enabled="true"

  5. You should now see the first instance and it will look like the Before image below. Insert useKernelMode="false" useAppPoolCredentials="true" in the line so it looks like the After image.

    [Before image: User Kernel Mode Before]

    [After image: Kernel-mode update]

  6. Click Find Next and repeat the above steps. There should be a total of six instances that need to have useKernelMode="false" useAppPoolCredentials="true" added.

  7. When you finish the last one, a window will pop-up and state that it cannot find windowsAuthentication enabled="true". Click OK.

  8. On the Find box, click Cancel.

  9. At the top of Notepad, select Save. Close Notepad.

  10. Click Start, click All Programs, click Accessories, and then click Command Prompt. This will launch a Command Prompt window.

  11. In the Command Prompt window, type the following text, and then hit Enter:
    iisreset
    This will stop and then restart IIS. Once this completes, close the Command Prompt window.
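The same applicationHost.config change can be made by editing the XML rather than by find-and-replace in Notepad, which also counts the instances and keeps a backup. This is an added example, not part of the original guide; it assumes an elevated 64-bit PowerShell on FIM1.

```powershell
# Added example, not part of the original guide: makes the applicationHost.config
# change from the Notepad steps above by editing the XML, so every
# windowsAuthentication element with enabled="true" gains
# useKernelMode="false" useAppPoolCredentials="true", and leaves a backup.
# Run from an elevated 64-bit PowerShell on FIM1: a 32-bit shell is redirected
# to SysWOW64\inetsrv and would not see the real file.
$config = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$backup = "$config.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $config -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # keep the file's layout; only attributes change
$xml.Load($config)

# Structural equivalent of the Notepad search for windowsAuthentication enabled="true"
$nodes = $xml.SelectNodes("//windowsAuthentication[@enabled='true']")
foreach ($n in $nodes) {
    # useKernelMode=false: stop decrypting tickets with the machine account.
    # useAppPoolCredentials=true: decrypt with the pool identity (CORP\SPService),
    # the account whose HTTP/fim1 SPNs are registered in the next step.
    $n.SetAttribute('useKernelMode', 'false')
    $n.SetAttribute('useAppPoolCredentials', 'true')
}
$xml.Save($config)
"Updated $($nodes.Count) element(s); backup at $backup"
# The guide expects six instances in this lab; a different count deserves a look
if ($nodes.Count -ne 6) { Write-Warning "Expected 6 instances, found $($nodes.Count)" }

# Verify by re-reading the saved file, then restart IIS as step 11 does
$check = New-Object System.Xml.XmlDocument
$check.Load($config)
$check.SelectNodes("//windowsAuthentication[@enabled='true']") |
    ForEach-Object { $_.OuterXml }
iisreset
```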

Set the SPNs for CORP\SPService

In this step, you will be setting the service principal names (SPNs) for the CORP\SPService account.

To set the SPNs for CORP\SPService

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click ADSI Edit. This will bring up ADSI Edit.

  3. At the top, right-click ADSI Edit and select Connect to. This will bring up a Connections Settings box. Leave the defaults and click OK.

  4. On the right, expand Default Naming Context [DC1.corp.contoso.com], double-click DC=corp,DC=contoso,DC=com, expand DC=corp,DC=contoso,DC=com, and then select OU=ServiceAccounts.

  5. In the center, right-click CN=SharePoint Service and select Properties. This will bring up CN=SharePoint Service Properties.

  6. Scroll through the list of attributes and double-click servicePrincipalName. This will bring up the Multi-valued String Editor.

  7. In the box, under Value to add, type the following text, and then click Add:
    HTTP/fim1

  8. In the box, under Value to add, type the following text, and then click Add:
    HTTP/fim1.corp.contoso.com

  9. Click OK.

    [Screenshot: SharePoint Service Account SPN]

  10. Click Apply.

  11. Click OK.

Set the SPNs for CORP\FIMService

In this step, you will be setting the SPNs for the CORP\FIMService account.

To set the SPNs for CORP\FIMService

  1. In the center, right-click CN=FIM Service and select Properties. This will bring up CN=FIM Service Properties.

  2. Scroll through the list of attributes and double-click servicePrincipalName. This will bring up the Multi-valued String Editor.

  3. In the box, under Value to add, type the following text, and then click Add:
    FIMService/fim1

  4. In the box, under Value to add, type the following text, and then click Add:
    FIMService/fim1.corp.contoso.com

  5. Click OK.

    [Screenshot: FIM Service Account SPN]

  6. Click Apply.

  7. Click OK.

  8. Close ADSI Edit.

Turn on Delegation for CORP\SPService

Now you will enable Kerberos Delegation for the SharePoint Service account.

To turn on Delegation for CORP\SPService

  1. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  2. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com, expand ServiceAccounts and in the center, right-click SharePoint Service, and then select Properties.

  3. On the SharePoint Service Properties, select the Delegation tab.

  4. In the middle, select Trust this user for delegation to any service (Kerberos only).

    [Screenshot: SharePoint Service Account Delegation]

  5. Click Apply.

  6. Click OK.

Turn on Delegation for CORP\FIMService

Now you will enable Kerberos delegation for the FIM Service account.

To turn on Delegation for CORP\FIMService

  1. Right-click FIM Service, and select Properties.

  2. On the FIM Service Properties, select the Delegation tab.

  3. In the middle, select Trust this user for delegation to any service (Kerberos only).

  4. Click Apply.

  5. Click OK.

  6. Close Active Directory Users and Computers.
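The two SPN procedures and the two delegation procedures above can be done and verified from the command line on DC1. This is an added example, not part of the original guide; it assumes the Active Directory module (Windows Server 2008 R2 or later) and setspn.exe are available on DC1.

```powershell
# Added example, not part of the original guide: registers the SPNs from the
# two "Set the SPNs" procedures, turns on delegation for both accounts as the
# last two procedures do, and reads the result back. Run on DC1 as
# CORP\Administrator with the Active Directory module available (2008 R2+).
Import-Module ActiveDirectory

$spns = @{
    'SPService'  = @('HTTP/fim1', 'HTTP/fim1.corp.contoso.com')
    'FIMService' = @('FIMService/fim1', 'FIMService/fim1.corp.contoso.com')
}

foreach ($sam in $spns.Keys) {
    foreach ($spn in $spns[$sam]) {
        # setspn -S checks the forest first and refuses a duplicate: the same
        # SPN on two accounts makes the KDC encrypt tickets with the wrong key
        # and breaks Kerberos to fim1, which ADSI Edit would not catch
        setspn -S $spn "CORP\$sam"
    }
    # "Trust this user for delegation to any service (Kerberos only)" sets
    # TRUSTED_FOR_DELEGATION in userAccountControl, i.e. unconstrained
    # delegation: fim1 can then impersonate connecting users to any service,
    # so treat FIM1 as a highly privileged host.
    Set-ADUser -Identity $sam -TrustedForDelegation $true
}

# Verify: every SPN landed on its account and the delegation flag is set
$missing = @()
foreach ($sam in $spns.Keys) {
    $u = Get-ADUser -Identity $sam -Properties servicePrincipalName, TrustedForDelegation
    foreach ($spn in $spns[$sam]) {
        if ($u.servicePrincipalName -notcontains $spn) { $missing += "$sam -> $spn" }
    }
    '{0,-12} delegation={1,-5} spns={2}' -f $sam, $u.TrustedForDelegation, ($u.servicePrincipalName -join ' ')
}
if ($missing) { Write-Warning ("Not registered: " + ($missing -join '; ')) }
# Forest-wide duplicate check, since a duplicate SPN silently breaks Kerberos
setspn -X
```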