Installing the FIM 2010 R2 Server Components

You must use an account with local administrator privileges to install the Microsoft® Forefront® Identity Manager (FIM) 2010 R2 server components. To be able to install the FIM Portal, the account must be a SharePoint administrator. To be able to install FIM Synchronization Service or FIM Service, the account must be a SQL sysadmin. The account that you use does not have to be a SQL sysadmin after the installation is complete.

This section covers the following components:

  • FIM Synchronization Service

  • FIM Service

  • FIM Portal

Note

During installation, Setup tries to contact the other components to validate that the service is running. For the contact to function correctly, remote administration must be activated in Windows Firewall. To turn on remote administration, start Windows Firewall in Control Panel, click Allow a program through the Windows Firewall, and then click Remote Administration. You can install FIM 2010 R2 without remote administration turned on. You must also be an administrator of the other server. If either one of those two requirements is not fulfilled, several warning messages appear, telling you that the service could not be contacted. There is no functional impact to ignoring those warnings during Setup if you know that all the settings are correct and if you chose not to allow remote administration.

FIM Synchronization Service

The FIM Synchronization Service consists of the metadirectory, provisioning engine, and management agents (MAs) for various connected data sources. It supports synchronization of data between the FIM Synchronization Service database and other identity stores in the enterprise.

During the installation of the Synchronization Service, the firewall on the server that hosts this service is configured to allow Dynamic Remote Procedure Call (RPC) and RPC endpoint mapper access to the FIM Synchronization Service.

The FIM Synchronization Service creates five security groups. The first three groups correspond to the FIM Synchronization Service user roles: Administrator, Operator, and Joiner. The other two groups are used for granting access to the Windows Management Instrumentation (WMI) interfaces: Connector Browse and Password Set.

By default, the FIM Synchronization Service creates the five security groups as local computer groups instead of domain global groups. If you plan to use domain global groups, you must create the groups before you install the FIM Synchronization Service.

Warning

Only one FIM Synchronization Service instance can exist in a deployment.

To install the FIM Synchronization Service

  1. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 R2 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 R2 splash screen.

  2. On the splash screen, click Install Synchronization Service. You will see a pop-up that says Do you want to run or save this file? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager 2010 R2 Setup Wizard.

  3. On the Welcome page, click Next.

    Important

    Setup.exe runs with elevated privileges. If User Account Control (UAC) is turned on, installing the FIM Synchronization Service without elevated privileges causes the installation to fail.

    Important

    If you are reusing an existing FIM Synchronization Service database during installation, User Account Control (UAC) must be turned on.

    Important

    The user account that is used to install the FIM Synchronization Service must be granted the sysadmin role in SQL Server 2008. By default, members of the Local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account or the user account used to install SQL Server 2008, the user account must be given the sysadmin role in SQL Server 2008.

  4. On the End User License Agreement page, read the License Agreement, if you agree with the terms, select I accept the terms in the License Agreement, and then click Next.

  5. On the Custom Setup page, click Next.

  6. On the Configure Forefront Identity Manager Synchronization Service page, under SQL Server is located on, click the radio button next to A remote machine, enter the SQL server name and click Next.

  7. Next to Service account enter the service account, next to Password enter the service account password, and next to Service Account Domain or local computer name enter the service account domain. Click Next.

  8. Leave the default groups, and click Next.

  9. Select Enable firewall rules for inbound RPC communications, and click Next.

  10. Click Install.

  11. This will bring up a pop-up box that says the setup will now create a backup key. Click OK. In the File name box, enter a name and location for the backup key and click Save. This will continue the installation.

  12. Once the installation completes, click Finish. This will bring up a pop-up box that says you must log off and log on to your system again for the security group membership changes to take effect. Click Yes. This will log you off.

  13. Log back on to the Synchronization Service server.

FIM Service and Portal

Installing the FIM Service installs the Web services parts of FIM 2010 R2 and also configures the FIM Service database on the server that hosts SQL Server 2008. This section describes the steps to install each component individually; however, any or all of the components may be installed at the same time.

During the installation of FIM Service, port 5725 and port 5726 are opened and exceptions for these ports are added to the Windows Server 2008 firewall settings. Opening these ports permits communication to the FIM Service from the FIM Portal, FIM Password Reset Portal, FIM Synchronization Service, and FIM Password Reset Extensions components that may be installed on other computers in your organization.

The FIM Portal allows users who have authorized access to manage the activities that are requested and sent to the FIM Service.

Note

To be able to install the FIM Portal, it is assumed that SharePoint is installed with the default settings, that the default SharePoint site can be reached using the address specified in the user interface, and that the user who is installing the FIM Portal is authorized as an administrator of that SharePoint site.

Note

If you install the FIM Portal on a SharePoint server farm, the address https://localhost is not available by default. To add localhost to the list of known addresses:

  • Start SharePoint 2010 Central Administration, and navigate to System Settings, Configure alternate access mappings, Edit Public Zone URLs, or

  • Start SharePoint 3.0 Central Administration, and navigate to Operations, Alternate Access Mappings, Edit Public Zone URLs

Add https://localhost to the Intranet zone, leaving the Default zone with the SharePoint server farm address.

Important

For security purposes, we highly recommend that you implement Secure Sockets Layer (SSL) on the server that is running Internet Information Services (IIS). For a procedure to do this, see Before You Begin.

Note

You can activate SSL before or after the installation of the FIM Portal. If you add SSL after installation of the FIM Portal, ensure that you run a change installation on the FIM Service and FIM Portal and change the address of the FIM Portal. If you do not provide the correct address to the installer, future updates to the product will not install successfully.

To install the FIM Service and Portal use the following procedure:

To install the FIM Service and Portal

  1. Navigate to the directory that contains the binaries for Forefront Identity Manager 2010 R2 and double-click FIMSplash.htm. This will bring up the Forefront Identity Manager 2010 R2 splash screen.

  2. On the splash screen, click Install Service and Portal. You will see a pop-up that says Do you want to run or save this file? Click Run. This will take a minute. Then you will see another pop-up asking Do you want to run this software? Click Run. This will start the Forefront Identity Manager 2010 Service and Portal Setup Wizard.

    Important

    The SQL Agent must be running on the server running SQL before you run the installation of the FIM Service.

    Important

    The user account used to install the FIM Service must be granted the sysadmin role in SQL Server 2008. By default, members of the Local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account, or the user account used to install SQL Server 2008, then the user account must be granted the sysadmin role in SQL Server 2008.

  3. On the Welcome page, click Next.

  4. On the End User License Agreement page, read the License Agreement, if you agree with the terms, select I accept the terms in the License Agreement, and then click Next.

  5. On the FIM Customer Experience Improvement Program page, select one of the options and then click Next.

  6. On the Custom Setup page, click the drop-down list next to FIM Password Registration, select Entire feature will be unavailable.

  7. On the Custom Setup page, click the drop-down list next to FIM Password Reset Portal, select Entire feature will be unavailable.

  8. Click Next.

  9. On the Configure Common Services page, next to Database Server, enter the name of the database server. Leave the remaining defaults, and click Next.

  10. Next to Mail Server, type the name of the e-mail server if applicable. Select or clear the SSL check box, select or clear the Mail Server is Exchange 2007 or Exchange Server 2010 and Enable polling for Exchange Server 2007 or Exchange Server 2010 check boxes as appropriate, and then click Next.

    Important

    If you have several FIM Service servers using the same database, ensure that you select the Enable polling of Exchange Server 2007 check box on only one of the servers. This setting also applies to Exchange 2010. That server is responsible for obtaining e-mail messages from the Exchange Web Service interface and turning them into requests.

  11. On the Configure service certificate page, select Generate a self-signed certificate.

    Note

    The certificate is validated only by the server; therefore, you do not have to trust it on the clients. For this reason you can safely use a self-issued certificate, and do not need one that is issued by your enterprise CA.

    Note

    If your organization has already created an in-house certification authority (CA), a public key pair can be generated for the service to use.

  12. On the Configure FIM Service account page, next to Service Account Name, enter the FIM Service account.

  13. On the Configure FIM Service account page, next to Service Account Password, enter the FIM Service account password.

  14. On the Configure FIM Service account page, next to Service Account Domain enter the FIM Service account domain.

  15. On the Configure FIM Service account page, next to Service Email Account enter the FIM Service account email.

  16. Click Next.

  17. On the Configure the Forefront Identity Manager Service and Portal synchronization page, next to Synchronization Server, enter the Synchronization Server name.

  18. On the Configure the Forefront Identity Manager Service and Portal synchronization page, next to FIM Management Agent Account, enter the FIM MA account.

  19. Click Next.

  20. On the Configure connection to the FIM Service page, next to FIM Service Server address, enter the server name or the alias that the clients should use to contact the FIM Service. If you plan to use an alternative name (that is, a CNAME resource record in Domain Name System (DNS)), type the alternative name. If you plan to have several FIM Service servers in a Network Load Balancing (NLB) cluster, type the name of the cluster address.

    Important

    Do not specify localhost. This is not supported and will result in an error.

    Note

    The names should match the Service Principal Names (SPNs) that you created in the pre-installation tasks.

    Important

    This name must be stable, and clients must be able to resolve it to the IP address of the server where the FIM Service is installed. This server name is also used by password reset clients to reach the server.

    Important

    The FQDN should be used here if the FIM Service and the FIM Portal are on separate machines and you plan to use cross forest scenarios.

  21. Click Next.

  22. On the Configure connection to the FIM Service page, leave the default of https://localhost and click Next.

  23. On the Configure optional portal homepage configuration page, in the box next to Registration Portal URL, either enter a URL or leave it blank, and then click Next.

  24. On the Configure security changes configured by setup page, select Open ports 5725 and 5726 in firewall, select Grant authenticated users access to the FIM Portal site, and then click Next.

  25. On the Enter optional password portal configuration page, if the FIM Password Registration Portal will run on a different server, select FIM Password Registration Portal will be installed on another host and, under Enter the existing account under which the password registration application pool will run in IIS, next to Account Name, enter the FIM Password Registration Application Pool account. Otherwise, leave the check box cleared.

  26. On the Enter optional password portal configuration page, if the FIM Password Reset Portal will run on a different server, select FIM Password Reset Portal will be installed on another host and, under Enter the existing account under which the application pool will run in IIS, next to Account Name, enter the FIM Password Reset Application Pool account. Otherwise, leave the check box cleared.

    Important

    For Self-Service Password Reset (SSPR) to work properly, the FIM Service must be aware of the application pool account or accounts that run the Registration and Reset Portals. These accounts become well-known identities to the FIM Service: the FIM Service recognizes requests that originate from these identities and responds accordingly.

    If you plan to run the Registration and Reset portals on a server other than the one that is running the FIM Service, you must specify these accounts during FIM Service setup. To do this, at the end of the installation wizard, select FIM Password Registration Portal will be installed on another host and specify the Registration account, and select FIM Password Reset Portal will be installed on another host and specify the Reset account. If you plan to run the SSPR portals on the same server as the FIM Service, these boxes can be left blank when you install the FIM Service. For additional information, see the Forefront Identity Manager 2010 R2 Self-Service Password Reset Deployment Guide.

    Also be aware that if an application pool account changes, or you need to do a change mode install, you must re-associate the FIM Service with the app pool accounts by running a change mode install on the FIM Service server first, and then on the servers that host the Registration and Reset portals. For more information, see the Forefront Identity Manager 2010 R2 Self-Service Password Reset Deployment Guide.

  27. Click Next.

  28. Click Install. This will begin the installation.

  29. Once the installation completes, click Finish.

  30. Close the Splash screen.

  31. Restart the server.

Test the FIM Portal by opening Internet Explorer and navigating to https://servername/identitymanagement.

If you want to redirect the FIM Portal URL, for example to let the user type https://servername and be redirected to https://servername/identitymanagement, follow the steps in the following procedure.

To redirect the FIM Portal

  1. Navigate to the website installation directory. By default this path is c:\inetpub\wwwroot\wss\VirtualDirectories\80.

  2. Make sure the file system is showing file extensions.

  3. Create a new text file named default.aspx.

  4. Edit default.aspx as follows:

    <%@ Page Language="C#" %>
    <script runat="server">
        // Redirect every request for the site root to the FIM Portal.
        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
            Response.Redirect("~/IdentityManagement/default.aspx");
        }
    </script>

  5. Save the file, and run iisreset.

Note

When using the FIM Portal in Windows Server 2008 or Windows Server 2008 R2, the controls or buttons do not work unless the browser security settings for Internet Explorer are adjusted to turn on JavaScript.

Post-Installation Tasks

After you install the FIM 2010 R2 server components, you must complete several configuration tasks.

Tasks in the domain:

  • Add the FIM Service service account to the FIM Synchronization Service security groups.

  • Configure the FIM Service service Exchange Server mailbox.

Tasks on the FIM Portal:

  • Turn off the SharePoint indexing.

  • Turn on the Kerberos v5 protocol only.

Tasks on FIM Service:

  • Install Exchange 2007 and Exchange 2010 Web Service Certificate.

Add the FIM Service service account to the FIM Synchronization Service security groups

  • Add the service account used by the FIM Service to the FIMSyncAdmins group. This allows the FIM Service to configure the FIM Synchronization Service.

  • If you plan to use the Password Reset feature of FIM 2010 R2, add the service account that the FIM Service uses to the security group FIMSyncPasswordSet.

  • So that the group membership is effective, restart the FIMService service.
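The three bullets above as one script, added here as an example and not part of the original guide. It assumes the groups were created as local computer groups (the default) on the Synchronization Service server, and uses the placeholder account CONTOSO\svcFIMService; run the group part on the Synchronization Service server and the restart on the FIM Service server if they are separate machines.

```powershell
# Added example, not from the original guide. Adds the FIM Service service account to
# the FIM Synchronization Service groups (skipping any it is already in), then
# restarts FIMService so that the new membership takes effect.
# Assumes the default local computer groups and the placeholder account below.
$serviceAccount    = 'CONTOSO\svcFIMService'   # placeholder; use your FIM Service account
$planPasswordReset = $true                     # $false if Password Reset will not be used

$groups = @('FIMSyncAdmins')
if ($planPasswordReset) { $groups += 'FIMSyncPasswordSet' }

foreach ($group in $groups) {
    # "net localgroup <name>" lists current members one per line, e.g. CONTOSO\svcFIMService
    $members = net localgroup $group 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Local group '$group' not found on $env:COMPUTERNAME" }

    if ($members -contains $serviceAccount) {
        Write-Host "$serviceAccount is already a member of $group"
        continue
    }
    net localgroup $group $serviceAccount /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $serviceAccount to $group" }
    Write-Host "Added $serviceAccount to $group"
}

# Group membership is only evaluated when the service's logon token is built, so the
# FIM Service must be restarted. Do this on the FIM Service server if it is separate.
$svc = Get-Service -Name FIMService -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -Name FIMService -Force
    Write-Host 'FIMService restarted; new group membership is now in effect.'
} else {
    Write-Host 'FIMService is not installed on this computer; restart it on the FIM Service server.'
}
```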

Configuring the FIM Service Service Exchange mailbox

The following are best practices for configuring Exchange Server for the FIM Service service account:

  1. Configure the service account so that it can accept mail only from internal e-mail addresses. Specifically, the service account mailbox should never be able to receive mail from external SMTP servers.

    In the Exchange Management Console, select the FIM Service service account, click Properties, click Mail Flow Settings, and then click Mail Delivery Restrictions. Select the Require that all senders are authenticated check box. For more information, see:

    Configure Message Delivery Restrictions (https://go.microsoft.com/fwlink/?LinkId=183625)

  2. Configure the service account so that it rejects mail messages with sizes greater than 1 MB.

    Follow the best practice of configuring the Exchange 2007 message size limits:

    Configure Message Size Limits for a Mailbox or a Mail-enabled Public Folder (https://go.microsoft.com/fwlink/?LinkId=183626)

  3. Configure the service account so that it has a mailbox storage quota of 5 gigabytes (GB).

    Follow the best practice of configuring the Exchange 2007 mailbox size limits:

    Configure Storage Quotas for a Mailbox (https://go.microsoft.com/fwlink/?LinkId=156929)

Disabling SharePoint indexing

It is recommended that you disable SharePoint indexing. There are no documents that need to be indexed, and indexing causes many error log entries and potential performance problems with FIM 2010 R2.

To disable SharePoint indexing in SharePoint Foundation 2010

  1. On the server that hosts the FIM Portal, click Start, click All Programs, click Microsoft SharePoint 2010 Products and then click SharePoint 2010 Central Administration.

  2. Under Monitoring, click Check job status.

  3. Click SharePoint Services Search Refresh.

  4. On the Edit Timer Job page, click Disable.

To disable SharePoint indexing in WSS 3.0

  1. On the server that hosts the FIM Portal, click Start.

  2. Click All Programs.

  3. In the All Programs list, click Administrative Tools.

  4. Under Administrative Tools, click SharePoint 3.0 Central Administration.

  5. On the Central Administration page, click Operations.

  6. On the Operations page, under Global Configuration, click Timer job definitions.

  7. On the Timer Job Definitions page, click SharePoint Services Search Refresh.

  8. On the Edit Timer Job page, click Disable.

Activating the Kerberos protocol only

We highly recommend that you turn off portal authentication that uses NTLM. The Kerberos protocol is a more secure protocol to use.

To activate Kerberos protocol only

  1. Open the Web.config file, which is usually located at C:\inetpub\wwwroot\wss\VirtualDirectories\80.

    Note

    You need an elevated command prompt or Windows Explorer to access this folder.

  2. Locate the element <resourceManagementClient . . . />

  3. Add requireKerberos="true" so that it reads <resourceManagementClient requireKerberos="true" . . . />

  4. Save the Web.config file.

  5. Run iisreset from a command prompt.
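The Web.config change in steps 1 to 5 as a script, added here as an example and not part of the original guide. It edits the file as XML so the other attributes on the resourceManagementClient element are preserved, keeps a backup, and assumes the default path from step 1 and that the element is not in an XML namespace; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original guide. Enforces Kerberos-only authentication on
# the FIM Portal by setting requireKerberos="true" on <resourceManagementClient .../>.
# Assumes the default Web.config path from the guide and that the element has no namespace.
$webConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\Web.config'

if (-not (Test-Path -Path $webConfig)) { throw "Web.config not found at $webConfig" }

# Load as XML rather than doing text replacement, so the element's other attributes survive
[xml]$config = Get-Content -Path $webConfig
$client = $config.SelectSingleNode('//resourceManagementClient')
if ($null -eq $client) { throw "No <resourceManagementClient> element found in $webConfig" }

if ($client.GetAttribute('requireKerberos') -eq 'true') {
    Write-Host 'Kerberos-only is already enforced; nothing to change.'
} else {
    # Keep a timestamped copy so the change can be reverted if the portal stops responding
    $backup = "$webConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $webConfig -Destination $backup -Force

    $client.SetAttribute('requireKerberos', 'true')
    $config.Save($webConfig)
    Write-Host "Set requireKerberos=""true"" (backup saved to $backup)"

    # Web.config is read at application start, so restart IIS as in step 5 of the guide
    iisreset | Out-Null
}

# Verify by re-reading the file from disk instead of trusting the in-memory object
[xml]$verify = Get-Content -Path $webConfig
$value = $verify.SelectSingleNode('//resourceManagementClient').GetAttribute('requireKerberos')
if ($value -ne 'true') { throw 'Verification failed: requireKerberos is not "true" on disk' }
Write-Host 'Verified: NTLM is disabled for the FIM Portal; clients must use Kerberos.'
```

After the restart, confirm from a domain-joined client that the portal still opens; a client that can only negotiate NTLM will now be refused, which is the intended effect.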

Uninstalling the FIM Service and Portal Component of FIM 2010 R2

If you encounter an unrecoverable error and need to uninstall and then reinstall the FIM Service and Portal component of FIM 2010 R2, complete the following procedure to uninstall this component of FIM 2010 R2.

To uninstall the FIM Service component of FIM 2010 R2

  1. On the FIM 2010 R2 startup screen, click Install Service and Portal.

  2. Run Setup.exe /l*v logfile.txt from a command-line, and then follow the instructions in the installation wizard to remove the installation.

  3. Delete the FIM Service database.

    1. Open SQL Server Management Studio.

    2. Select the FIMService database.

    3. Right-click the database name, and then click Delete.

Note

To be able to uninstall the FIM Portal component, you must be a SharePoint administrator. By default, a local server administrator is not granted administrator permissions in SharePoint. You must explicitly grant either SharePoint site administrator or secondary administrator permissions.