Step 8: Perform FIM 2010 Post-Installation Tasks

Applies To: Forefront Identity Manager 2010

The FIM1 post-installation tasks for the Forefront Identity Manager 2010 test lab consist of the following:

  • Add CORP\FIMService to the FIMSyncAdmins Group

  • Configure the CORP\FIMService Mailbox to Only Accept Mail from Internal E-mail Addresses

  • Configure the CORP\FIMService Mailbox to Reject E-mail Greater Than 1 MB

  • Turn Off NTLM Authentication for the FIM Portal

  • Disable SharePoint Indexing

  • Implement Secure Sockets Layer (SSL) for the FIM Portal

  • Add the FIM Portal URL to Local Intranet Sites for CORP\Administrator

  • Restrict Membership in the User Administrators Set

  • Pre-allocate Space in the FIM Service Database

  • Pre-allocate Space in the FIM Synchronization Service Database

Add CORP\FIMService to the FIMSyncAdmins Group

Adding the CORP\FIMService account to the FIMSyncAdmins group allows the FIM Service to configure the FIM Synchronization Service.

To add CORP\FIMService to the local FIMSyncAdmins group

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Computer Management. This will open the Computer Management MMC.

  3. In the Computer Management MMC, from the tree-view on the left, expand Local Users and Groups, and then select Groups.

    (Image: Add the FIM Service Account to FIMSyncAdmins)

  4. In the center pane, right-click FIMSyncAdmins and select Properties. This will bring up the FIMSyncAdmins Properties.

  5. Click Add.

  6. This will bring up the Select Users, Computers, Service Accounts, Groups dialog box.

  7. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    CORP\FIMService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  8. Click Apply.

  9. Click OK.

  10. Close Computer Management.
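The same group change can be scripted and verified from an elevated PowerShell session on FIM1. This is an added example, not part of the original guide; it uses the WinNT ADSI provider, and the group, domain and account names are the ones the procedure above uses.

```powershell
# Added example (not from the original guide): add CORP\FIMService to the local
# FIMSyncAdmins group on FIM1 with the WinNT ADSI provider and verify the result.
# Run in an elevated PowerShell session on FIM1.corp.contoso.com.

$GroupName = 'FIMSyncAdmins'
$Domain    = 'CORP'
$Account   = 'FIMService'

$group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"

# Return the current members as DOMAIN\name strings.
function Get-LocalGroupMemberName {
    param([System.DirectoryServices.DirectoryEntry]$Group)
    @($Group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CORP/FIMService
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$before = @(Get-LocalGroupMemberName -Group $group)
if ($before -contains "$Domain\$Account") {
    Write-Host "$Domain\$Account is already a member of $GroupName"
} else {
    $group.Add("WinNT://$Domain/$Account,user")
    Write-Host "Added $Domain\$Account to $GroupName"
}

# Verify, and stop a scripted lab build here if the add did not take.
$after = @(Get-LocalGroupMemberName -Group $group)
if ($after -notcontains "$Domain\$Account") {
    throw "$Domain\$Account is not a member of $GroupName after the add"
}
Write-Host "Members of ${GroupName}:"
$after
```

The membership is read back from the group after the change rather than assumed from the absence of an error, which is the check a build script needs before it goes on to install the FIM Service.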

Configure the CORP\FIMService Mailbox to Only Accept Mail from Internal E-mail Addresses

Now you will need to configure the CORP\FIMService mailbox so that it will only accept e-mail from internal addresses.

To configure the CORP\FIMService mailbox to only accept mail from internal e-mail addresses

  1. Log on to the EX1.corp.contoso.com server as Administrator.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

  3. In the Exchange Management Console, click Microsoft Exchange On-Premises.

    Warning

    This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days, you will need to enter a product key. For now, just click OK.

  4. In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), click Recipient Configuration, in the center pane, right-click FIM Service, and then select Properties. This will bring up the FIM Service Properties.

  5. In FIM Service Properties, click the Mail Flow Settings tab, and then double-click Message Delivery Restrictions. This will bring up the Mail Delivery Restrictions.

    (Image: Add FIM portal to local intranet)

  6. In Message Delivery Restrictions, select the Require that all senders are authenticated check box, and then click OK.

Configure the CORP\FIMService Mailbox to Reject E-mail Greater Than 1 MB

Now you will need to configure the CORP\FIMService mailbox so that it will only accept e-mail that is less than or equal to 1 MB in size.

To configure the CORP\FIMService mailbox to reject e-mail greater than 1 MB

  1. Double-click Message Size Restrictions. This will bring up the Message Size Restrictions.

  2. In Message Size Restrictions, select the Maximum Message Size (in KB) check box, and enter 1024 in the box.

  3. Click OK. Click Apply and then click OK.

    (Image: Configure FIM Service Account Email)

  4. Close the Exchange Management Console.
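Both mailbox restrictions (authenticated senders only, and a 1 MB receive limit) can also be set and read back from the Exchange Management Shell on EX1. This is an added example, not part of the original guide; it assumes the mailbox resolves as CORP\FIMService and that the shell is started from Start, Microsoft Exchange Server 2010, Exchange Management Shell.

```powershell
# Added example (not from the original guide): the two mailbox settings applied
# from the Exchange Management Shell instead of the console, then read back.
$Identity = 'CORP\FIMService'

# -RequireSenderAuthenticationEnabled is the "Require that all senders are
# authenticated" check box: anonymous (external) senders are rejected before a
# message reaches the mailbox the FIM Service reads.
# -MaxReceiveSize 1MB is "Maximum message size (in KB)" = 1024.
Set-Mailbox -Identity $Identity `
            -RequireSenderAuthenticationEnabled $true `
            -MaxReceiveSize 1MB

# Read the settings back and stop the lab build if either did not apply.
$mbx = Get-Mailbox -Identity $Identity
$mbx | Format-List Name, RequireSenderAuthenticationEnabled, MaxReceiveSize

if (-not $mbx.RequireSenderAuthenticationEnabled) {
    throw "Sender authentication is still not required on $Identity"
}
# MaxReceiveSize is Unlimited<ByteQuantifiedSize>; compare on the byte value.
if ($mbx.MaxReceiveSize.IsUnlimited -or $mbx.MaxReceiveSize.Value.ToBytes() -ne 1MB) {
    throw "MaxReceiveSize on $Identity is not 1 MB"
}
```

The read-back matters because a mailbox setting that was typed into the console but not applied (the Apply/OK step) leaves the mailbox open to anonymous mail with no visible error.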

Turn Off NTLM Authentication for the FIM Portal

To harden the FIM Portal, it is recommended that NTLM authentication be disabled so that the portal uses Kerberos only.

To turn off NTLM Authentication for the FIM portal

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Navigate to the following directory: C:\inetpub\wwwroot\wss\VirtualDirectories\80.

  3. Locate the Web.config file, right-click it, and select Open. This will bring up a pop-up that states Windows cannot open this file and offers two options. Choose Select a program from a list of installed programs, and then click OK.

  4. Select Notepad, and click OK. This will open the config file in Notepad.

  5. At the top, select Edit, Find, type the following text in the box, and then click Find Next:
    <resourceManagementClient

  6. There should be only one instance, and it will look like the following Before image. Insert requireKerberos="true" in the line so it looks like the After image.

    (Image: Web Config Before)

    (Image: Web Config After)

  7. At the top of the Notepad, select Save. Close Notepad.

  8. Click Start, click All Programs, click Accessories, and then click Command Prompt. This will launch a Command Prompt window.

  9. In the Command Prompt window, type the following text, and then hit Enter:
    iisreset
    This will stop and then restart IIS. Once this completes, close the Command Prompt window.
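The Notepad edit above can be made as an XML change with a backup, a check that the element occurs exactly once, and a read-back from disk. This is an added example, not part of the original guide; the file path and the resourceManagementClient element name are the ones the procedure gives, and the script is run as CORP\Administrator on FIM1.

```powershell
# Added example (not from the original guide): set requireKerberos="true" on the
# single <resourceManagementClient> element of the portal's web.config.
$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'

# Keep a timestamped copy so the change can be reverted if the portal stops loading.
$backup = "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $WebConfig -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # keep the file's existing layout
$xml.Load($WebConfig)

$nodes = $xml.SelectNodes('//resourceManagementClient')
if ($nodes.Count -ne 1) {
    throw "Expected exactly one <resourceManagementClient> element, found $($nodes.Count)"
}
$node = $nodes.Item(0)
Write-Host "Before: $($node.OuterXml)"

# requireKerberos="true" stops the portal from falling back to NTLM when it
# calls the FIM Service; only Kerberos is accepted.
$node.SetAttribute('requireKerberos', 'true')
$xml.Save($WebConfig)

# Reload from disk and confirm the attribute is really there.
$check = New-Object System.Xml.XmlDocument
$check.Load($WebConfig)
$after = $check.SelectSingleNode('//resourceManagementClient')
if ($after.GetAttribute('requireKerberos') -ne 'true') {
    throw 'requireKerberos was not written to web.config'
}
Write-Host "After:  $($after.OuterXml)"
Write-Host "Backup: $backup"

# Equivalent of step 9: stop and restart IIS so the new setting is read.
& iisreset
```

If the portal fails to load after the restart, the most common cause is a missing Kerberos service principal name for the FIM Service account; the backup copy lets you restore the previous file while that is investigated.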

Disable SharePoint Indexing

Because SharePoint indexing is not required by FIM and can degrade performance, you will disable it now.

To disable SharePoint indexing

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.

  3. On the left, click Operations.

    Warning

    This may bring up a Credentials box. If so, enter the following text for the user name and password, and then click OK:
    Administrator

  4. Under Global Configuration, click Timer job definitions. This will bring up the Timer Job Definitions page.

    (Image: Disable SharePoint Indexing)

  5. Click SharePoint Services Search Refresh. This will bring up the Edit Timer Job page.

  6. Click Disable.

  7. Close Internet Explorer.

Implement Secure Sockets Layer (SSL) for the FIM Portal

In this step, you will implement SSL for the FIM Portal. You will be requesting a new domain certificate and binding it to the SharePoint site. If you recall, the Base Configuration Test Lab guide automatically issues a server certificate to FIM1 when it joins the domain. However, because this certificate uses the FQDN (FIM1.corp.contoso.com) as its common name and not the NetBIOS name (FIM1), you will receive a certificate error when attempting to access the site with the URL https://fim1. If you used https://FIM1.corp.contoso.com as the URL, you would not receive the error. However, because this site will be used inside the domain and primarily accessed using https://fim1, you should request a new certificate to use.

To implement Secure Sockets Layer (SSL) for the FIM portal

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

  2. On the left, expand FIM1 (CORP\Administrator). This will populate the center pane with icons. Make sure that FIM1 (CORP\Administrator) is still selected.

  3. In the center, double-click Server Certificates.

  4. On the right, click Create Domain Certificate. This will launch the Create Certificate Wizard.

  5. For Common Name, type the following text: FIM1

  6. For Organization, type the following text: Contoso

  7. For Organizational Unit, type the following text: IT

  8. For City, type the following text: Anywhere

  9. For State, type the following text: NC

    (Image: Implement SSL)

  10. Click Next.

  11. On the On-line Certificate Authority page, under Specify Online-Certificate Authority, click Select. This will bring up a Select Certificate Authority page.

  12. Select corp-DC1-ca, and click OK.

  13. On the On-line Certificate Authority page, under Friendly Name, type the following text, and then click Finish:
    FIM1_SSL
    This will close the Create Certificate Wizard and you should see the newly created certificate in the center pane.

  14. On the left, expand Sites, right-click SharePoint-80, and then select Edit Bindings. This will bring up the Site Bindings window.

  15. Click Add.

  16. Under Type, select https from the drop-down list.

  17. Under SSL Certificate, select FIM1_SSL from the drop-down list. Click OK, and then click Close.

  18. On the left, select SharePoint-80 and from the center pane double-click SSL Settings.

  19. Place a check in Require SSL. On the right, click Apply.

  20. Close Internet Information Services (IIS) Manager.

  21. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

  22. In the command prompt window, type iisreset and hit Enter. This will stop and then restart IIS. Once this completes, close the command prompt window.
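Steps 14 to 22 (the https binding, the certificate, Require SSL and the IIS restart) can be done from PowerShell with the WebAdministration module, with a check that the certificate's common name actually matches the host in https://fim1, which is the reason the guide requests a new certificate. This is an added example, not part of the original guide; it assumes the certificate from steps 4 to 13 already exists with friendly name FIM1_SSL and that the site is named SharePoint-80.

```powershell
# Added example (not from the original guide): bind FIM1_SSL to SharePoint-80 on
# 443, require SSL, and verify. Run as CORP\Administrator on FIM1.
Import-Module WebAdministration

$SiteName     = 'SharePoint-80'   # site name from step 14
$FriendlyName = 'FIM1_SSL'        # friendly name from step 13
$PortalHost   = 'fim1'            # host part of https://fim1

# Find the certificate the wizard enrolled, by friendly name.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
           Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected one certificate named $FriendlyName in LocalMachine\My, found $($certs.Count)"
}
$cert = $certs[0]

# The CN must match the host in the URL; otherwise browsers warn and users are
# trained to click through certificate errors. (-ne is case-insensitive.)
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $PortalHost) {
    throw "Certificate CN '$cn' does not match portal host '$PortalHost'"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $FriendlyName has expired" }

# Steps 14-17: https binding on 443 with the certificate attached to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item -Path $sslBinding }
$cert | New-Item -Path $sslBinding | Out-Null

# Steps 18-19: Require SSL, so a plain http://fim1 request is refused (HTTP 403.4).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Read back what IIS now has.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation -AutoSize
Get-Item -Path $sslBinding | Format-Table Thumbprint, Sites -AutoSize
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'

# Steps 21-22: restart IIS.
& iisreset
```

The CN check is the part worth keeping even if you do the rest in the console: a binding that uses the auto-enrolled FQDN certificate works, but every visit to https://fim1 then produces the warning the guide describes.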

Add the FIM Portal URL to Local Intranet Sites for CORP\Administrator

In this step you will add the FIM Portal URL to the local intranet sites.

To add the FIM Portal URL to Local Intranet Sites

  1. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  2. At the top of Internet Explorer, under Tools, click Internet Options.

  3. Click the Security tab and select Local intranet from the Select a zone to view or change security settings box.

  4. Click Sites to show a Local intranet window. Click Advanced.

  5. In the Add this website to the zone: box, type https://fim1. Click Add.

    (Image: Add FIM portal to local intranet)

  6. Place a check in Require server verification (https:) for all sites in this zone and click Close. Click OK.

  7. Click OK to close the Internet Options dialog box.
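The Internet Options dialog stores the site-to-zone assignment under the current user's ZoneMap registry key, so the same entry can be written and checked from PowerShell while logged on as CORP\Administrator. This is an added example, not part of the original guide; it covers only the https://fim1 entry, not the Require server verification check box.

```powershell
# Added example (not from the original guide): put https://fim1 in the Local
# intranet zone for the current user and verify the registry value.
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$HostName = 'fim1'
$LocalIntranetZone = 1   # zone ids: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted

# One subkey per host; the value name is the scheme, the DWORD value is the zone id.
$key = Join-Path -Path $ZoneMap -ChildPath $HostName
if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

# Only https is mapped, so http://fim1 stays outside the zone (and is refused by
# IIS anyway once Require SSL is set).
New-ItemProperty -Path $key -Name 'https' -PropertyType DWord `
                 -Value $LocalIntranetZone -Force | Out-Null

# Verify: the Local intranet zone is what lets Internet Explorer send the logged-on
# user's Kerberos ticket automatically, which the portal now requires.
$actual = (Get-ItemProperty -Path $key -Name 'https').https
if ($actual -ne $LocalIntranetZone) {
    throw "https://$HostName is in zone $actual, expected $LocalIntranetZone"
}
Write-Host "https://$HostName is in the Local intranet zone for $env:USERDOMAIN\$env:USERNAME"
```

Because the key lives under HKCU, the entry applies only to the user who runs it; other lab users who need the portal must add it themselves or receive it through Group Policy.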

Restrict Membership in the User Administrators Set

By default, every user is a member of the User Administrators set. To increase security, restrict this set so that ordinary users do not hold that authority.

To restrict membership in the user administrators set

  1. In Internet Explorer, in the address bar at the top, enter https://fim1/identitymanagement and hit enter. This should bring up the Forefront Identity Manager 2010 page.

  2. On the left, under Management Policy Rules, click Sets. This will bring up the Sets Page.

  3. Scroll through the list of sets and select User Administrators. This will be on the last page of the sets.

  4. On the User Administrators pop-up, at the top, click Criteria-based Members.

  5. Click to select Add Statement.

  6. Click to select <Click to select attribute>.

  7. From the drop-down list that appears, select Resource ID.

  8. Next to Resource ID, click the word is. This will change to a drop-down box. Select in.

  9. Next to in, click to select <click to select value>. This will bring up a Select Set pop-up.

  10. At the top, next to the Search for box, click the magnifying glass.

    Tip

    Leave the box empty before clicking to select the magnifying glass. This will return a list of all the sets.

  11. Select Administrators in the check box, and then click OK. It should now look like the following image.

    (Image: Restrict User Admin Set)

  12. Click OK.

  13. Click Submit.

Pre-allocate Space in the FIM Service Database

Because SQL Server performance can suffer when SQL Server must allocate space during processing, you will want to prevent this by pre-allocating space for the FIM Service database.

To pre-allocate space in the FIM Service database

  1. Log on to APP1.corp.contoso.com as Administrator.

  2. Click Start, click All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

  3. On the Connect to Server dialog box, under Server Type select Database Engine.

  4. On the Connect to Server dialog box, under Server name select APP1.

  5. On the Connect to Server dialog box, under Authentication select Windows Authentication.

  6. Click Connect. This should be successful and the database information will be displayed on the left. The SQL Server Agent should have a green arrow.

  7. On the left, expand Databases, right-click FIMService, and then select Properties. This will bring up the Database Properties – FIMService screen.

  8. On the left, click Files.

  9. For the row with FIMService, under Initial Size, change the value to 5000.

  10. For the row with FIMService_log, under Initial Size, change the value to 1000. It should now look like the following image.

    (Image: Change FIM DB)

  11. Click OK. This may take a few minutes to complete.

Pre-allocate Space in the FIM Synchronization Service Database

Because SQL Server performance can suffer when SQL Server must allocate space during processing, you will want to prevent this by pre-allocating space for the FIM Synchronization Service database.

To pre-allocate space in the FIM Synchronization Service database

  1. In SQL Server Management Studio, right-click FIMSynchronizationService, and then select Properties. This will bring up the Database Properties – FIMSynchronizationService screen.

  2. On the left, click Files.

  3. For the row with FIMSynchronizationService, under Initial Size, change the value to 5000.

  4. For the row with FIMSynchronizationService_log, under Initial Size, change the value to 1000. It should now look like the following image.

  5. Click OK. This may take a few minutes to complete.
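The Initial Size changes for both databases (this section and the FIM Service database section above) are ALTER DATABASE ... MODIFY FILE statements underneath the Files page. This is an added example, not part of the original guide; it issues those statements from PowerShell on APP1 over Windows authentication, using the logical file names and sizes the two procedures give, and it refuses to shrink a file that is already larger.

```powershell
# Added example (not from the original guide): pre-allocate the FIM Service and
# FIM Synchronization Service data and log files to the sizes in the guide.
# Run on APP1 as Administrator; sizes are in MB.
$Server = 'APP1'
$Plan = @(
    @{ Database = 'FIMService';                File = 'FIMService';                    SizeMB = 5000 },
    @{ Database = 'FIMService';                File = 'FIMService_log';                SizeMB = 1000 },
    @{ Database = 'FIMSynchronizationService'; File = 'FIMSynchronizationService';     SizeMB = 5000 },
    @{ Database = 'FIMSynchronizationService'; File = 'FIMSynchronizationService_log'; SizeMB = 1000 }
)

$conn = New-Object System.Data.SqlClient.SqlConnection(
            "Server=$Server;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    foreach ($p in $Plan) {
        # Current size from the catalog; sys.master_files.size is in 8 KB pages.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT size * 8 / 1024 FROM sys.master_files ' +
                           'WHERE database_id = DB_ID(@db) AND name = @file'
        [void]$cmd.Parameters.AddWithValue('@db',   $p.Database)
        [void]$cmd.Parameters.AddWithValue('@file', $p.File)
        $result = $cmd.ExecuteScalar()
        if ($result -eq $null) {
            throw ("Logical file {0} not found in database {1}" -f $p.File, $p.Database)
        }
        $currentMB = [int]$result

        # MODIFY FILE only grows a file; shrinking is a separate, usually unwanted, operation.
        if ($currentMB -ge $p.SizeMB) {
            Write-Host ("{0}/{1}: already {2} MB, leaving as is" -f $p.Database, $p.File, $currentMB)
            continue
        }

        # Database and file names are identifiers and cannot be parameterised, so
        # they are bracket-quoted here with ']' doubled.
        $db   = '[' + ($p.Database -replace '\]', ']]') + ']'
        $file = '[' + ($p.File     -replace '\]', ']]') + ']'
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "ALTER DATABASE $db MODIFY FILE (NAME = $file, SIZE = $($p.SizeMB)MB)"
        $cmd.CommandTimeout = 600   # growing a 5 GB file can take minutes on lab disks
        [void]$cmd.ExecuteNonQuery()
        Write-Host ("{0}/{1}: {2} MB -> {3} MB" -f $p.Database, $p.File, $currentMB, $p.SizeMB)
    }
}
finally {
    $conn.Close()
}
```

Reading the current size first is what makes the script safe to run more than once: a second run reports the files as already allocated instead of erroring or, worse, attempting to shrink them.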