BHOLD Core Installation
Updated: January 11, 2013
Applies To: Forefront Identity Manager 2010
The BHOLD Core module provides the key features of BHOLD Suite within your environment. The BHOLD Core module must be installed and configured on a server in your local area network before you can install other BHOLD Suite modules.
For more information about general requirements for installing BHOLD Suite, see Microsoft BHOLD Suite SP1 Installation Guide. For information about upgrading an existing BHOLD Suite installation, see Replacing BHOLD Suite with BHOLD Suite SP1.
The BHOLD Core module forms the foundation of Microsoft BHOLD Suite. You must install the BHOLD Core module before installing other Microsoft BHOLD Suite modules.
In addition to the minimum requirements for running the Windows Server 2008, Windows Server 2008 R2, or Windows 2012 operating systems, the following table shows the minimum and, where appropriate, recommended hardware components for running the BHOLD Core module:
|Processor||64-bit processor||Multicore 64-bit processor|
|Memory||3 GB||6 GB or more|
|Storage||30 GB available||Depends on deployment size|
|Network adapter||100Mbps connection to SQL and Forefront Identity Manager (FIM) server||1Gbps connection to SQL and FIM server|
These recommendations are based on typical implementations and do not take into consideration other applications running on the server. You might need to use higher-performing components depending on your particular environment.
The BHOLD Core module must be installed on a computer that meets the following requirements:
The server must be running Windows Server 2008 (64-bit), Windows Server 2008 R2 Standard or Enterprise edition, or Windows Server 2012 Standard edition.
The server must be a member of an Active Directory Domain Services (AD DS) domain. In test environments, the server may be an AD DS domain controller.
BHOLD Core must be installed by a user logged on with an account in the same domain as the server and which belongs to the Domain Admins group in the domain and to the Administrators group on the server.
Microsoft Internet Information Services (IIS) with ASP.NET must be installed on the server. IIS must be configured with Windows Authentication enabled. If BHOLD Core is being installed on Windows Server 2008 R2 or Windows Server 2012, IIS 6 Management Compatibility must be installed. If BHOLD Core is being installed on Windows Server 2012, IIS 6 Scripting tools must be installed.
The .NET 3.5 framework must be installed.
Because BHOLD Core requires .NET 3.5, it cannot be installed on Server Core.
Silverlight 4 is required by other BHOLD modules, and so it is recommended that you install it prior to installing BHOLD Core.
Microsoft SQL Server 2008 or Microsoft SQL Server 2008 R2 (recommended) must be installed either on the BHOLD Core server or on another server on the LAN.
Windows Client computers must be running Microsoft Internet Explorer version 6 or later and Microsoft Silverlight version 4 or later.
When you install BHOLD Core, you can use an existing SQL Server database as the BHOLD Core database, or you can allow the BHOLD Core Setup wizard to create the BHOLD Core database for you. If you choose to use an existing database, you must ensure that no other users can access the database while you are installing BHOLD Core. Before installing BHOLD Core, verify that the access controls of the SQL Server database do not permit access by anyone other than the user who is installing BHOLD Core.
The BHOLD Core module requires a user account which is used to authenticate and authorize the BHOLD Core service to the server and other network entities. This section explains how to create and configure that user account and provides a preinstallation worksheet that will help you gather the information you need to complete BHOLD Core Setup.
The BHOLD Core module must be able to log on to the domain with a user account that is dedicated to that purpose and which is a member of two specific security groups, including one that is created specifically for the BHOLD Core module. Membership in the Domain Admins group is required to perform this procedure.
On a domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, expand the domain where the account is to be created, right-click Users, point to New, and then click Group.
In the New Object – Group dialog box, in Group name, type the name of the group (BHOLD default:
BHOLDApplicationGroup), and then click OK.
Right-click Users, point to New, and then click User.
In Full name, type a name that will help you identify the account, for example, BHOLD Core Service Account.
In User logon name, type the user name of the BHOLD Core service account (BHOLD default:
b1user), and then click Next.
In Password and Confirm password, type the password for the service account.
Clear User must change password at next logon, select User cannot change password and Password never expires, click Next, and then click Finish.
In the console results pane, right-click the user account, and then click Add to a group.
In the Select Groups dialog box, type the display name of the group that you created earlier, type a semicolon (;), and then type
Click Check Names, and then click OK.
The following procedure must be performed on the computer where the BHOLD Core module is to be installed. You must be logged in as a member of the Domain Admins group to perform this procedure.
On the BHOLD server, click Start, point to Administrative Tools, and then click Local Security Policy.
In the console tree, expand Local Policies, and then click User Rights Assignment.
In the console results pane, right-click Log on as a service, and then click Properties.
In the Log on as a service Properties dialog box, click Add User or Group.
In the Select Users, Computers, or Groups dialog box, type the display name of the BHOLD Core service account that you created earlier, click Check Names, and then click OK.
Click OK to close the Log on as a service Properties dialog box.
Before you begin to install the BHOLD Core module, you need to be prepared to provide the information that the BHOLD Core Setup wizard requires to complete the installation. The following worksheet will help you record that information so you will be ready to supply it when it is needed. Each section corresponds to a page in the BHOLD Core setup wizard.
|Use Security Provider on Domain/Machine||When selected, specifies that Active Directory Domain Services security will control access to BHOLD Core.||Select the check box. Important: The installation will fail if this check box is not selected.|
|Domain||Specifies the domain containing the BHOLD server, service account, and application group. Important: Specify the domain name by using the NetBIOS (short) name, not the fully qualified domain name (FQDN). For example, if the FQDN of the domain is fabrikam.com, specify the domain name as FABRIKAM.||Write the domain name here:|
|Application group||Specifies the name of the security group that you created previously in Required user and group.||Write the group name here:|
|Service user||Specifies the logon name of the service user account that you created previously in Required user and group.||Write the user account name here:|
|Password||Specifies the password of the BHOLD Core service user account.||Write the password here: Important: Be sure to keep this password in a hidden, secure location.|
|Website IP/Port||Specifies the IP address and port number of the website to be created on the intranet server. Change the default value (*) only if you will not use the same IP address as the default website. Change the port number to an available port only if the default port (5151) is already in use.||If a nondefault IP address is used by the default website, write it here:|
If the default port number is already in use, write the BHOLD website port number here:
|Use integrated Security||Specifies that Windows Authentication is used to access the database.||Select the check box if Windows Authentication is used to connect to the SQL Server. Clear the check box if SQL Server Authentication is used. The database must have been created before running BHOLD Core Setup If SQL Server Authentication is used. Note: If Windows Authentication is used, you must be logged on with an account that has the sysadmin server role on the database server.|
|Specifies the user name and password of a user with the sysadmin server role on the database server. These values are supplied only when SQL Server Authentication is used.||Write the SQL Server user name here:|
Write the SQL Server user password here: Note: Be sure to keep this password in a hidden, secure location.
|Specifies the NetBIOS name of the database server and the name of the database (default: b1) that BHOLD Core Setup will create. If you are not using the default database server instance, specify the database server instance in the form <server>||Write the server (or server and instance) name here:|
Write the database name here:
|Make restrictions for the database user||Obsolete.||Do not change the default value|
To install the BHOLD Core module, log on as a member of the Domain Admins group, download the following file and run it as administrator on the server that you intend to install the BHOLD Core module on:
- BholdCore <Version>_Release.msi
Replace <Version> with the version number of the BHOLD Core release that you are installing.
To run the program file as an administrator, right-click the file and then click Run as administrator.
After BHOLD Core Setup completes, you must configure the Windows Firewall and change advanced settings in the BHOLD Core application pool in Internet Information Services to complete the BHOLD Core configuration. If necessary, you should also change BHOLD system attributes to meet your requirements.
If users will access BHOLD by using web browsers on remote computers, you must configure Windows Firewall on the BHOLD Core server to allow incoming connections to the website port that you specified when you installed BHOLD Core.
To perform this procedure, you must be a member of the Administrators group on the local computer.
Click Start, point to Administrative Tools, right-click Windows Firewall with Advanced Settings, and then click Run as administrator.
In the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
In the New Inbound Rule wizard, click Port, and then click Next.
Ensure that TCP is selected, in Specific local ports, type the default BHOLD Core port number (5151) or the port number that you specified when you installed BHOLD Core, and then click Next.
Ensure that Allow the connection is selected, and then click Next.
On the Profile page, clear check boxes for locations from which you do not want access to the BHOLD website, and then click Next.
On the Name page, type a name for the rule (such as
Permit incoming connections to BHOLD Core), and then click Finish.
To allow IIS to work properly with the BHOLD Core module, you must configure the BHOLD Core application pool to support 32-bit applications. You must be logged in with the account used to install the BHOLD Core module to perform this procedure.
To open Internet Information Services Manager, click Start, point to Administrator Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, expand the server name, and then click Application Pools.
In the Application Pools list, right-click CoreAppPool, and then click Advanced Settings.
In the Advanced Settings dialog box, in the Enable 32-Bit Applications list, select True, and then click OK.
If the network name that is used to contact the BHOLD website is not the same as the server host name, you must establish a service principal name (SPN) for HTTP. For example, if you use a CNAME resource record in DNS to specify an alias for the server, or if you use network load balancing, you must register these additional network addresses in Active Directory. If you fail to do so, Internet Explorer cannot use the Kerberos protocol when contacting the BHOLD website.
If the BHOLD Core module is installed on the same computer as the FIM Portal, you must create DNS resource records (CNAME or A) with different host names for the servers running BHOLD Core and the server running the FIM Portal. Only one SPN can be established for a particular service-type/server-alias pair, and so BHOLD Core and the FIM Portal require separate SPNs because they typically run under different accounts. The
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
On the Active Directory Domain Services domain controller, click Start, click All programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
At the command prompt, type the following command, and then press ENTER:
setspn –S HTTP/<networkalias> <domain>
<networkalias> is the address that clients use to contact the BHOLD website
<domain>\<accountname> is the domain and user name of the BHOLD Core service account that you created when you installed BHOLD Core.
Repeat the previous step for all other names that clients use to contact the BHOLD website, for example, CNAME aliases, names that include a fully qualified domain name, or names that include a NetBIOS (short) domain name.
In order to validate that the installation of the BHOLD Core module was successful, open the BHOLD Core portal and view the system attributes. In addition, to ensure that the BHOLD Core module functions properly in your environment, you can modify the following BHOLD system attributes, as appropriate:
|NoHistory||Set to |
|MoveorgunitToSameorgtype||Set to |
|Days between ABA run||Set to a two-digit integer to specify the interval (in days) between two attribute-based authorization (ABA) runs. For example, to specify that ABA runs will be separated by two days, type 02.|
|Start hour of ABA run||Set to a two-digit integer to specify the hour of the day when an attribute-based authorization run will occur. For example, to specify that the ABA run will take place at 11:00 p.m. (23:00), type 23.|
|System Cardinality||Set to |
|Logging||Set to |
|SystemQueue Processing||Set to |
You must be logged in as a member of the Domain Admins group to perform this procedure.
Click Start, click All Programs, and then click Internet Explorer.
In the address box, type
/bhold/core, where <server> is the name of the BHOLD website server and <port> is the port number bound to the website.
Click Home, click Values, and then click Modify.
Locate the name of the attribute you want to change, type the new value in the box next to the attribute name, and then click OK.
After you have installed BHOLD Core and validated that the installation was successful, you can install additional modules. At this point, the BHOLD database will be essentially empty, containing only one user account, the root account, and one organizational unit (orgunit), the root orgunit. To add more users to the BHOLD database, you can either install the Access Management Connector module or the BHOLD Model Generator module, depending on your needs. You can use the Access Management Connector module to import user data from the FIM Synchronization Service, or you can use the BHOLD Model Generator to import user data from a set of structured files. For more information about using the Access Management Connector module, see Test Lab Guide: BHOLD Access Management Connector. For more information about using the BHOLD Model Generator module, see Microsoft BHOLD Suite Concepts Guide and Microsoft BHOLD Suite Technical Reference.