Installing the FIM 2010 Server Components

Applies To: Forefront Identity Manager 2010

FIM Database Considerations

FIM cannot use a SQL database that has a higher version number than the FIM 2010 server being installed. When you try to install an additional instance of a FIM server against an existing database to which, for example, Update 1 has been applied, an error is reported.

To address this issue, you need to install the additional FIM instance on a new database. During the installation of, for example, Update 1 to your new FIM instance, you can force the installation process to reuse your original database.

Installing the FIM 2010 Server Components

You must use an account with local administrator privileges to install the Microsoft® Forefront® Identity Manager (FIM) 2010 server components. To be able to install the FIM Portal, the account must be a SharePoint administrator. To be able to install FIM Synchronization Service or FIM Service, the account must be a SQL sysadmin. You do not have to be a sysadmin after the installation is complete.

This section covers the following components:

  • FIM Synchronization Service

  • FIM Service

  • FIM Portal

  • FIM Password Portal

Note

During installation, Setup tries to contact the other components to validate that the service is running. For the contact to function correctly, remote administration must be activated in Windows Firewall. To turn on remote administration, start Windows Firewall in Control Panel, click Allow a program through the Windows Firewall, and then click Remote Administration. You can install FIM 2010 without remote administration turned on. In addition, you must be an administrator of the other server. If either one of those two requirements is not fulfilled, several warning messages appear, telling you that the service could not be contacted. There is no functional impact to ignoring those warnings during Setup if you know that all the settings are correct and if you chose not to allow remote administration.

FIM Synchronization Service

The FIM Synchronization Service consists of the metadirectory, provisioning engine, and management agents (MA) for various connected data sources. It supports synchronization of data between the FIM Synchronization Service database and other identity stores in the enterprise.

During the installation of the Synchronization Service, the firewall on the server hosting this service is configured to allow Dynamic RPC and RPC endpoint mapper access to the FIM Synchronization Service.

The FIM Synchronization Service creates five security groups. The first three groups correspond to the FIM Synchronization Service user roles: Administrator, Operator, and Joiner. The other two groups are used for granting access to the Windows Management Instrumentation (WMI) interfaces: Connector Browse and Password Set.

By default, the FIM Synchronization Service creates the five security groups as local computer groups instead of domain global groups. If you plan to use domain global groups, you must create the groups before you install the FIM Synchronization Service.

Warning

Only one FIM Synchronization Service instance can exist in a deployment.

To install the FIM Synchronization Service

  1. On the FIM 2010 startup screen, click the Install Synchronization Service link.

  2. Run Setup.exe, and then follow the instructions in the installation wizard.

    Important

    Setup.exe runs with elevated privileges. If User Account Control (UAC) is turned on, installing the FIM Synchronization Service without elevated privileges causes the installation to fail.

    Important

    The user account used to install the FIM Synchronization Service must be granted the sysadmin role in SQL Server 2008. By default, members of the Local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account or the user account used to install SQL Server 2008, the user account must be given the sysadmin role in SQL Server 2008.

  3. On the Group Information page, when you are prompted for the five security groups, use the default local groups or type the details for the global groups that you created. If you use global groups, prefix the group name with domain\.

Note

If you are upgrading the FIM Sync Service and are using the separated SQL DB topology, you may encounter error 25070, “Error connecting to database FIMSynchronizationService: Invalid class string”. If this occurs, you may not be running the most recent version of the Microsoft SQL Server 2008 Native Client. To address this issue, install the Microsoft SQL Server 2008 Feature Pack, April 2009, and re-run the FIM Synchronization Service installer.

FIM Service

Installing the FIM Service installs the Web services parts of FIM 2010 and also configures the FIM Service database on the server that hosts SQL Server 2008.

During the installation of FIM Service, ports 5725 and 5726 are opened and exceptions for these ports are added to the Windows Server 2008 firewall settings. Opening these ports permits communication to the FIM 2010 Service from the FIM Portal, FIM Password Reset Portal, FIM Synchronization Service and FIM Password Reset Extensions components installed on other computers in your organization.

To install the FIM Service

  1. On the FIM 2010 startup screen, click the Install Service and Portal link.

  2. Run Setup.exe, and then follow the instructions in the installation wizard.

    Important

    The SQL Agent must be running on the server running SQL before you run the installation of the FIM Service.

    Important

    The user account used to install the FIM Service must be granted the sysadmin role in SQL Server 2008. By default, members of the Local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account or the user account used to install SQL Server 2008, the user account must be granted the sysadmin role in SQL Server 2008.

  3. On the Custom Setup page, you are prompted for the applications that you want to install. In the drop-down menu next to FIM Services, click Will be installed on local hard drive. If you do not want to install all the components on one server, clear FIM Portal and FIM Password Portal by clicking the drop-down menus next to them. Then, click Entire feature will be unavailable.

  4. Click Next.

  5. On the Configure Common Services page, in the Database Server box, type the name of the server that hosts SQL Server 2008.

  6. Click Next.

  7. On the Configure Common Services - Configure mail server connection page, in Mail Server, type the name of the server hosting the Exchange Web services.

    Important

    If you have several FIM Service servers using the same database, ensure that you select the Enable polling of Exchange Server 2007 check box on only one of the servers. This setting also applies to Exchange 2010. That server is responsible for obtaining e-mail messages from the Exchange Web Service interface and turning them into requests.

  8. Click Next.

  9. On the Configure Common Services - Configure service certificate page, select the option to generate a new self-issued FIM 2010 R2 certificate that is used by the Web service to validate communication from the clients, or select a certificate from the certificate store, and then click Next.

    Note

    The certificate is validated only by the server; therefore, you do not have to trust it on the clients. For this reason you can safely use a self-issued certificate, and do not need one that is issued by your enterprise CA.

    Note

    If your organization has already created an in-house certification authority (CA), a public key pair can be generated for the service to use.

  10. On the Configure Common Services - Configure the FIM service account page, provide the credentials for the FIM domain service account.

    In Service e-mail Account, ensure that you type the e-mail address for the FIM service account and not your personal e-mail address.

  11. Click Next.

  12. On the Configure Common Services – Configure the Forefront Identity Manager synchronization connection page, in the Synchronization Server box, type the name of the server that is hosting the FIM Synchronization Service component.

    In the FIM 2010 Management Agent Account box, type the domain\account of the FIM MA account. This is the account you created in the “Create a domain FIM management agent account” section of the Before You Begin document.

  13. Click Next.

  14. In Configure FIM Service and Portal – Configure connection to the FIM Service, type the name of the server or the alias that the clients should use to contact the FIM Service. If you plan to use an alternative name (that is, a CNAME resource record in Domain Name System (DNS)), type the alternative name. If you plan to have several FIM Service servers in a Network Load Balancing (NLB) cluster, type the name of the cluster address.

    Note

    The names should match the Service Principal Names (SPNs) that you created in the preinstallation tasks.

    Important

    This name must be stable, and clients must be able to resolve it to the IP address of the server where the FIM Service is installed. This server name is also used by password reset clients to reach the server.

  15. Click Next.

  16. On the Configure FIM Service and Portal – Configure security changes configured by setup page, select Open ports 5725 and 5726 in firewall to allow clients to contact the Web service interface.

  17. Click Next, then click Install.

FIM Portal

The FIM Portal allows users who have authorized access to manage the activities that are requested and sent to the FIM Service.

Note

To be able to install the FIM Portal, it is assumed that Office SharePoint is installed with the default settings, that the default SharePoint site can be reached using the address specified in the user interface, and that the user who is installing the FIM Portal is authorized as an administrator of that SharePoint site.

Note

If you install the FIM Portal on a SharePoint server farm, the address https://localhost is not available by default. To add localhost to the list of known addresses, start SharePoint 3.0 Central Administration, and navigate to Operations, Alternate Access Mappings, Edit Public Zone URLs. Add https://localhost to the Intranet zone, leaving the Default zone with the SharePoint server farm address.

Important

For security purposes, we highly recommend that you implement Secure Sockets Layer (SSL) on the server that is running Internet Information Services (IIS). For a procedure to do this, see Before You Begin.

Note

You can activate SSL before or after the installation of the FIM Portal. If you add SSL after installation of the FIM Portal, ensure that you run a change installation on the FIM Service and FIM Portal and change the address of the FIM Portal. If you do not provide the correct address to the installer, future updates to the product will not install successfully.

To install the FIM Portal

  1. On the FIM 2010 startup screen, click the Install Service and Portal link.

  2. Run Setup.exe, and then follow the instructions in the installation wizard.

  3. On the Custom Setup page, you are prompted for the applications that you want to install. In the drop-down menu next to FIM Portal, click Will be installed on local hard drive. If you do not want to install all of the components on one server, clear FIM Service and FIM Password Reset Portal by clicking the drop-down menus next to them. Then, click Entire feature will be unavailable.

  4. Click Next.

  5. On the FIM Service server address page, type the name of the server hosting the FIM Service. This should be the same server name or alias used during the FIM Service installation.

  6. Click Next.

  7. In Enter the URL to the SharePoint, type the address of the SharePoint site where the FIM Portal should be installed. This is the full address, including the port number if necessary, used to access the site collection. This address is http://localhost or https://localhost, if you completed the previous steps.

  8. Click Next.

  9. On the Configure FIM Service and Portal – Configure security changes configured by setup page, click Grant authenticated users access to the FIM Portal site to grant read permissions on the FIM Portal site.

  10. Click Next, then click Install.

Test the FIM Portal by opening Internet Explorer and navigating to https://servername/identitymanagement.

When using the FIM Portal in Windows Server 2008 or Windows Server 2008 R2, the controls or buttons do not work unless the browser security settings for Internet Explorer are adjusted to turn on JavaScript.

FIM Password Reset Portal

With the FIM Password Reset Portal, users can perform self-service password reset by using a Web portal.

To install the FIM Password Reset Portal

  1. On the FIM 2010 startup screen, click the Install Service and Portal link.

  2. Run setup.exe, and then follow the instructions in the installation wizard.

  3. On the Custom Setup page, you are prompted for the applications that you want to install. In the drop-down menu next to FIM Password Reset Portal, click Will be installed on local hard drive. If you do not want to install all of the components on one server, clear FIM Service and FIM Portal by clicking the drop-down menus next to them. Then, click Entire feature will be unavailable.

  4. Click Next.

  5. On the FIM Service server address page, type the name of the server that is hosting the FIM Service. This should be the same server name or alias that was used during the FIM Service installation.

  6. Click Next.

  7. In Enter the URL to the SharePoint, type the address of the SharePoint site where the FIM Portal should be installed. This is the full address, including the port number if necessary, used to access the site collection. This address is http://localhost or https://localhost, if you completed the previous steps.

  8. Click Next.

  9. On the Configure FIM Service and Portal – Configure security changes configured by setup page, select Grant authenticated users access to the FIM Portal site to grant read permissions on the FIM Portal site.

  10. Click Next, and then click Install.

Post-Installation Tasks

After you install the FIM 2010 server components, you must complete several configuration tasks.

Important

For other recommended post-installation configuration tasks, see the Post-Installation and Configuration Guide.

Tasks on all servers:

  • Install the latest update for FIM 2010 R2.

Tasks in the domain:

  • Add the FIM Service service account to the FIM Synchronization Service security groups.

  • Configure the FIM Service service Exchange Server mailbox.

Tasks on the FIM Portal:

  • Turn off the SharePoint indexing.

  • Turn on the Kerberos v5 protocol only.

Tasks on FIM Service:

  • Install Exchange 2007 and Exchange 2010 Web Service Certificate.

Installing the latest update for FIM

Updates for FIM are posted on Microsoft Update. Ensure that you install the latest update from Microsoft Update.

  1. In Windows Server 2008, click Start, and then click Windows Update.

  2. Click Check for updates. Install any new updates for FIM that are available.

Add the FIM Service service account to the FIM Synchronization Service security groups

  • Add the service account used by the FIM Service to the FIMSyncAdmins group. This allows the FIM Service to configure the FIM Synchronization service.

  • If you plan to use the Password Reset feature of FIM 2010, add the service account that the FIM Service uses to the security group FIMSyncPasswordSet.

  • For the group membership to take effect, restart the FIMService service.
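The three tasks above can be scripted. The following is an added example, not part of the FIM documentation: it adds the FIM Service service account to FIMSyncAdmins (and, only when the Password Reset feature is used, to FIMSyncPasswordSet) and restarts the FIMService service. It assumes the default topology in which the groups are local groups on the FIM Synchronization Service server, that it runs elevated on that server, and that the domain, account and server names are placeholders you replace.

```powershell
# Added example (not from the FIM documentation): grants the FIM Service service
# account the Synchronization Service group memberships the post-installation
# tasks require, then restarts FIMService so the membership is picked up.
param(
    [string]$Domain = "CONTOSO",                     # placeholder: NetBIOS domain name
    [string]$ServiceAccount = "svc-fimservice",      # placeholder: FIM Service service account
    [string]$FimServiceServer = $env:COMPUTERNAME,   # host running the FIMService service
    [switch]$PasswordReset                           # set only if Password Reset will be used
)

function Add-LocalGroupMemberIfMissing([string]$GroupName, [string]$Domain, [string]$Account) {
    # Groups are local computer groups by default; fail clearly if they are absent
    # (for example because the Sync Service was installed with domain global groups).
    if (-not [ADSI]::Exists("WinNT://./$GroupName,group")) {
        throw "Local group $GroupName not found on $env:COMPUTERNAME"
    }
    $group = [ADSI]"WinNT://./$GroupName,group"

    # Enumerate current members so the script is safe to re-run.
    $members = @($group.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    if ($members -contains $Account) {
        Write-Host "$Domain\$Account is already a member of $GroupName"
        return $false
    }

    $group.Add("WinNT://$Domain/$Account,user")
    Write-Host "Added $Domain\$Account to $GroupName"
    return $true
}

# FIMSyncAdmins lets the FIM Service configure the Synchronization Service.
$groups = @("FIMSyncAdmins")
# FIMSyncPasswordSet grants the WMI password-set interface; add it only when needed.
if ($PasswordReset) { $groups += "FIMSyncPasswordSet" }

$changed = $false
foreach ($g in $groups) {
    if (Add-LocalGroupMemberIfMissing -GroupName $g -Domain $Domain -Account $ServiceAccount) {
        $changed = $true
    }
}

# Group membership is evaluated when the service account logs on, so the
# FIMService service (on the FIM Service server) must be restarted.
if ($changed) {
    Get-Service -ComputerName $FimServiceServer -Name FIMService | Restart-Service
}
```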

Configuring the FIM Service service Exchange mailbox

The following are best practices for configuring Exchange Server for the FIM Service service account.

  1. Configure the service account so that it can accept mail only from internal e-mail addresses. Specifically, the service account mailbox should never be able to receive mail from external SMTP servers.

    In the Exchange Management Console, select the FIM Service service account, click Properties, click Mail Flow Settings, and then click Mail Delivery Restrictions. Select the Require that all senders are authenticated check box. For more information, see:

    Configure Message Delivery Restrictions (https://go.microsoft.com/fwlink/?LinkId=183625)

  2. Configure the service account so that it rejects mail messages with sizes greater than 1 MB.

    Follow the best practice of configuring the Exchange 2007 message size limits:

    Configure Message Size Limits for a Mailbox or a Mail-enabled Public Folder (https://go.microsoft.com/fwlink/?LinkId=183626)

  3. Configure the service account so that it has a mailbox storage quota of 5 gigabytes (GB).

    Follow the best practice of configuring the Exchange 2007 mailbox size limits:

    Configure Storage Quotas for a Mailbox (https://go.microsoft.com/fwlink/?LinkId=156929)

Disabling SharePoint indexing

It is recommended that you disable SharePoint indexing. There are no documents that need to be indexed, and indexing causes many error log entries and potential performance problems with FIM 2010.

To disable SharePoint indexing

  1. On the server that hosts the FIM 2010 Portal, click Start.

  2. Click All Programs.

  3. In the All Programs list, click Administrative Tools.

  4. Under Administrative Tools, click SharePoint 3.0 Central Administration.

  5. On the Central Administration page, click Operations.

  6. On the Operations page, under Global Configuration, click Timer job definitions.

  7. On the Timer Job Definitions page, click SharePoint Services Search Refresh.

  8. On the Edit Timer Job page, click Disable.

Activating the Kerberos protocol only

We highly recommend that you turn off portal authentication that uses NTLM; the Kerberos protocol is the more secure protocol to use.

To activate Kerberos protocol only

  1. Open the Web.config file, which is usually located at C:\inetpub\wwwroot\wss\VirtualDirectories\80.

    Note

    You need an elevated command prompt or Windows Explorer to access this folder.

  2. Locate the element <resourceManagementClient . . . />

  3. Add requireKerberos="true" so that it reads <resourceManagementClient requireKerberos="true" . . . />

  4. Save the Web.config file.

  5. Run iisreset from a command prompt.
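The procedure above can be applied and verified with the following script, which is an added example and not part of the FIM documentation. It assumes an elevated PowerShell prompt on the FIM Portal server and uses the default Web.config path from step 1 as a placeholder; adjust it to your topology.

```powershell
# Added example (not from the FIM documentation): sets requireKerberos="true"
# on the <resourceManagementClient> element of the FIM Portal Web.config, backs
# up the file first, recycles IIS, and verifies the result.
param([string]$WebConfig = "C:\inetpub\wwwroot\wss\VirtualDirectories\80\Web.config")  # default path, adjust

function Set-FimPortalKerberosOnly([string]$Path) {
    if (-not (Test-Path $Path)) { throw "Web.config not found: $Path" }

    # Keep a timestamped backup so the change can be reverted if clients cannot
    # obtain Kerberos tickets (for example because the SPNs were not created).
    $backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $Path -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true     # keep the file's formatting intact
    $xml.Load($Path)

    $node = $xml.SelectSingleNode("//resourceManagementClient")
    if ($node -eq $null) { throw "<resourceManagementClient> element not found in $Path" }

    if ($node.GetAttribute("requireKerberos") -eq "true") {
        Write-Host "requireKerberos is already true; nothing to change"
        return $false
    }
    $node.SetAttribute("requireKerberos", "true")
    $xml.Save($Path)
    Write-Host ('Set requireKerberos="true" (backup: {0})' -f $backup)
    return $true
}

function Test-FimPortalKerberosOnly([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode("//resourceManagementClient")
    return ($node -ne $null -and $node.GetAttribute("requireKerberos") -eq "true")
}

if (Set-FimPortalKerberosOnly -Path $WebConfig) {
    # Recycle IIS so the new setting is read, as step 5 of the procedure does.
    & iisreset
}
if (-not (Test-FimPortalKerberosOnly -Path $WebConfig)) {
    throw "Verification failed: requireKerberos is not set to true in $WebConfig"
}
```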

Installing the Exchange 2007 and Exchange 2010 Web Service (EWS) Certificate

If your server running Exchange is using a certificate that is untrusted by the FIM Service, the certificate used by the Exchange server must be added to the local certificate store.

You can verify whether you have an untrusted certificate by opening Internet Explorer and navigating to https://mailserver/ews/exchange.asmx. If you receive a certificate error, you must complete all the steps in this section. Mailserver is the server running Exchange that you specified when you installed the FIM 2010 component.

If you have several FIM Service servers, this task must be completed on every server.

Note

You must run the installation of the Exchange certificate with elevated rights. If User Account Control (UAC) is turned on, installing the Exchange certificate without elevated rights causes the installation to fail.

To install the Exchange certificate on the FIM Service server

  1. Open Internet Explorer.

  2. In the address bar, type https://mailserver/EWS/exchange.asmx.

    Mailserver is the server running Exchange that you specified when you installed the FIM 2010 component.

    Select Continue to this Web site.

  3. In the Security Alert dialog box (where it reads Certificate Error), click View Certificate.

  4. In the Certificate dialog box, click Install Certificate.

  5. On the Welcome to the Certificate Import Wizard page, click Next.

  6. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  7. Select the Show physical stores check box, navigate to Trusted People\Local Computer, and select this store. Click OK.

  8. Click Next.

  9. Click Finish to import the certificate.

Verifying the certificate and that EWS can be reached

In this procedure, you will ensure that the Exchange 2007 or Exchange 2010 Web Service (EWS) is running and can be accessed as the FIM service account.

To ensure that the Exchange 2007 or Exchange 2010 Web service (EWS) is running and is accessible as the FIM service account

  1. Open Internet Explorer as the FIM 2010 administrator.

  2. In the address bar, type https://<mail server>/EWS/Exchange.asmx. This ensures that you can access EWS by using the FIM service account.
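The certificate check in "Installing the Exchange 2007 and Exchange 2010 Web Service (EWS) Certificate" and the reachability check above can be done from PowerShell without a browser. The following is an added example, not part of the FIM documentation: it records the certificate the EWS endpoint presents and whether the FIM Service server already trusts it, and imports it into Trusted People\Local Computer only when its thumbprint matches a value you confirmed with the Exchange administrator out of band. It assumes an elevated prompt on the FIM Service server; the mail server name and expected thumbprint are placeholders.

```powershell
# Added example (not from the FIM documentation): checks the EWS certificate as
# seen from the FIM Service server and imports it into Trusted People\Local
# Computer only after its thumbprint has been confirmed out of band.
param(
    [string]$MailServer = "mailserver.contoso.example",   # placeholder: Exchange server name
    [string]$ExpectedThumbprint = ""                      # placeholder: confirmed with Exchange admin
)

function Get-EwsCertificateStatus([string]$Server, [int]$Port = 443) {
    $script:ewsCert = $null
    $script:ewsErrors = $null
    # Record what the server presents but keep normal chain validation: returning
    # $false makes AuthenticateAsClient fail, which is exactly what is detected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:ewsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $script:ewsErrors = $errors
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $trusted = $false
    try { $ssl.AuthenticateAsClient($Server); $trusted = $true }
    catch { $trusted = $false }
    finally { $ssl.Dispose(); $tcp.Close() }
    New-Object PSObject -Property @{
        Url          = "https://$Server/EWS/exchange.asmx"
        Trusted      = $trusted
        PolicyErrors = $script:ewsErrors    # e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        Subject      = $script:ewsCert.Subject
        Issuer       = $script:ewsCert.Issuer
        Thumbprint   = $script:ewsCert.Thumbprint
        NotAfter     = $script:ewsCert.NotAfter
    }
}

function Import-EwsCertificate([string]$Server, [string]$Thumbprint) {
    $status = Get-EwsCertificateStatus -Server $Server
    if ($status.Trusted) { Write-Host "Certificate already trusted; nothing to import"; return }
    # Never trust whatever the network presents: require the expected thumbprint.
    if (-not $Thumbprint -or $status.Thumbprint -ne $Thumbprint) {
        throw "Presented thumbprint $($status.Thumbprint) does not match the expected value; not importing"
    }
    # Trusted People\Local Computer is the store the manual procedure uses.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPeople", "LocalMachine")
    $store.Open("ReadWrite")
    $store.Add($script:ewsCert)
    $store.Close()
    Write-Host "Imported $($status.Subject) into Trusted People\Local Computer"
}

$status = Get-EwsCertificateStatus -Server $MailServer
$status | Format-List Url, Trusted, PolicyErrors, Subject, Issuer, Thumbprint, NotAfter
if (-not $status.Trusted) { Import-EwsCertificate -Server $MailServer -Thumbprint $ExpectedThumbprint }
```

Run it on every FIM Service server, since the page notes the task must be completed on each one.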

Uninstalling the FIM 2010 Service and Portal Component of FIM 2010

If you encounter an unrecoverable error and need to uninstall and then reinstall the FIM Service and Portal component of FIM 2010, complete the following procedure to uninstall this component of FIM 2010.

To uninstall the FIM Service component of FIM 2010

  1. On the FIM 2010 startup screen, click the Install Service and Portal link.

  2. Run Setup.exe, and then follow the instructions in the installation wizard to remove the installation.

  3. Delete the FIM 2010 Service database.

    1. Open SQL Server Management Studio.

    2. Select the FIMService database.

    3. Right-click the database name, and then click Delete.

Note

To be able to uninstall the FIM Portal component, you must be a SharePoint administrator. By default, a local server administrator is not granted administrator permissions in Office SharePoint. You must explicitly grant either SharePoint site administrator or secondary administrator permissions.

Uninstalling FIM Server language pack fails if you have already uninstalled the FIM Service and Portal

If you have already uninstalled the FIM Service and Portal, you need to run a command to uninstall the FIM Server language pack.

To uninstall the FIM Server language pack

  1. Open an elevated cmd window.

  2. Run the following command (change the URL according to your topology): setup.exe SHAREPOINT_URL=https://localhost. The uninstaller wizard opens.

  3. Click Remove to start the language pack uninstallation.