Step 3: Perform BHOLD Core prerequisite tasks

 

Applies To: Forefront Identity Manager

To prepare for installing BHOLD Core on FIM1, you must first perform the following tasks:

  • Enable Windows authentication in Internet Information Services (IIS) on FIM1

  • Install Silverlight on FIM1

  • Create a user and group in the Active Directory Domain Services (AD DS) domain and enable the account to run as a service

  • Increase the service timeout period

Enable Windows authentication in IIS

BHOLD Core relies on the ability to access Web sites by using Windows authentication. Before you install BHOLD Core, you must enable Windows authentication in IIS on the FIM1 server.

To enable Windows authentication in IIS on FIM1

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In the Connections pane, click FIM1 (CORP\administrator), and then, under IIS, double-click Authentication.

  4. Right-click Windows Authentication, and then click Enable.

  5. Close Internet Information Services (IIS) Manager.

  6. Click Start, click All Programs, click Accessories, and then click Command Prompt. This opens a command prompt window.

  7. In the command prompt window, type iisreset, and then press Enter. When Internet services restarts and the command prompt returns, close the command prompt window.

  8. Close Internet Information Services (IIS) Manager.

Install Silverlight

Silverlight 4 or later is required for several BHOLD modules. Before installing BHOLD Core, you should install Silverlight on FIM1. For more information about Silverlight and installation instructions, see the Microsoft Silverlight home page (https://www.microsoft.com/silverlight/).

Create and configure required user and group

The BHOLD Core module must be able to log on to the domain with a user account that is dedicated to that purpose and which is a member of two specific security groups, including one that is created specifically for the BHOLD Core module. Because the user account will be used as the BHOLD Core service account, it must be granted the right to log on to FIM1 as a service. Membership in the Domain Admins group is required to perform this procedure.

To create and configure the BHOLD Core user and security group

  1. Log on to DC1 as CORP\Administrator, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, expand corp.contoso.com, right-click ServiceAccounts, point to New, and then click Group.

  3. In the New Object – Group dialog box, in Group name, type BHOLDApplicationGroup, and then click OK.

  4. Right-click ServiceAccounts, point to New, and then click User.

  5. In Full name, type BHOLD Core Service.

  6. In User logon name, type b1user, and then click Next.

  7. In Password and Confirm password, type the password for the service account.

  8. Clear User must change password at next logon, select User cannot change password and Password never expires, click Next, and then click Finish.

  9. In the right pane, right-click BHOLD Core Service, and then click Add to a group.

  10. In the Select Groups dialog box, type BHOLDApplicationGroup, type a semicolon (;), and then type IIS_IUSRS.

  11. Click Check Names, and then click OK.

  12. Close Active Directory Users and Computers.
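
The same group and account setup as a repeatable script. This is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module is available on DC1, that ServiceAccounts is an organizational unit directly under corp.contoso.com, and that the account's UPN suffix is corp.contoso.com.

```powershell
# Added example (not from the original guide). Run on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

# Assumption: ServiceAccounts is an OU directly under corp.contoso.com.
$ou = 'OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'

# Steps 2-3: create the group if it is missing. Global/Security matches the
# defaults of the New Object - Group dialog box.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'BHOLDApplicationGroup'")) {
    New-ADGroup -Name 'BHOLDApplicationGroup' -GroupScope Global `
        -GroupCategory Security -Path $ou
}

# Steps 4-8: create the service account. The password is prompted for so it
# never appears in the script or in command history.
# Assumption: the UPN suffix is the domain name, corp.contoso.com.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'b1user'")) {
    $password = Read-Host -AsSecureString 'Password for b1user'
    New-ADUser -Name 'BHOLD Core Service' -DisplayName 'BHOLD Core Service' `
        -SamAccountName 'b1user' -UserPrincipalName 'b1user@corp.contoso.com' `
        -Path $ou -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -CannotChangePassword $true `
        -PasswordNeverExpires $true
}

# Steps 9-11: add the account to both groups, skipping existing memberships
# because Add-ADGroupMember raises an error for a duplicate member.
foreach ($group in 'BHOLDApplicationGroup', 'IIS_IUSRS') {
    $members = @(Get-ADGroupMember -Identity $group |
        ForEach-Object { $_.SamAccountName })
    if ($members -notcontains 'b1user') {
        Add-ADGroupMember -Identity $group -Members 'b1user'
    }
}

# Confirm the result: list the groups the account now belongs to.
Get-ADPrincipalGroupMembership -Identity 'b1user' |
    ForEach-Object { $_.Name }
```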

To enable the BHOLD Core user account to run as a service

  1. Log on to FIM1 as CORP\Administrator, click Start, point to Administrative Tools, and then click Local Security Policy.

  2. In the console tree, expand Local Policies, and then click User Rights Assignment.

  3. In the console results pane, right-click Log on as a service, and then click Properties.

  4. In the Log on as a service Properties dialog box, click Add User or Group.

  5. In the Select Users, Computers, or Groups dialog box, type b1user, click Check Names, and then click OK.

  6. Click OK to close the Log on as a service Properties dialog box.

  7. Close Local Security Policy.

Increase the service timeout period

During Microsoft BHOLD Core installation, the BHOLD Core service might take longer to start than is allowed by default settings in Windows. To avoid this, use the Registry Editor to change the default timeout value for all services.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data.

To change the service timeout period

  1. Log on to FIM1 as CORP\Administrator.

  2. Click the Start button, click Run, type regedit, and then press the Enter key.

  3. In the Registry Editor, click the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.

  4. In the right pane, right-click the ServicesPipeTimeout entry, and then click Modify.

    Note

    If the ServicesPipeTimeout entry does not exist, you must create it. To create the entry, on the Edit menu point to New, click DWORD (32-bit) Value, type ServicesPipeTimeout, and then press the Enter key twice.

  5. Click Decimal, type 180000, and then click OK.

  6. Restart the FIM1 server.
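
A read-only check that the three FIM1-side prerequisites on this page (Windows authentication, the Log on as a service right, and the service timeout) are in place before BHOLD Core setup is started. This is an added example, not part of the original guide; it assumes an elevated PowerShell session on FIM1 with the IIS WebAdministration module available, and it only detects a direct assignment of the user right to b1user, not one inherited through a group.

```powershell
# Added example (not from the original guide). Run elevated on FIM1.
# Nothing is modified; the script only reads configuration.
Import-Module WebAdministration

$account = 'CORP\b1user'   # service account created earlier on this page

# 1. Windows authentication enabled at the IIS server level.
$winAuth = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled').Value

# 2. "Log on as a service" (SeServiceLogonRight) lists the account.
#    secedit exports resolvable entries as *<SID> and others as plain names.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'bhold-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg
$entries = @()
if ($line) {
    $entries = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() })
}
$hasRight = ($entries -contains "*$sid") -or
            ($entries -contains $account) -or
            ($entries -contains 'b1user')

# 3. ServicesPipeTimeout is present and set to 180000 (decimal, milliseconds).
$timeout = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
    -Name 'ServicesPipeTimeout' -ErrorAction SilentlyContinue).ServicesPipeTimeout

# Summary object: every Boolean should be True before installing BHOLD Core.
New-Object PSObject -Property @{
    WindowsAuthEnabled  = [bool]$winAuth
    LogOnAsService      = $hasRight
    ServicesPipeTimeout = $timeout
    TimeoutIs180000     = ($timeout -eq 180000)
}
```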

Next step

To continue building the BHOLD Access Management Connector test lab, see Step 4: Install BHOLD Core.