Step 3: Perform BHOLD Core prerequisite tasks
Applies To: Forefront Identity Manager
To prepare for installing BHOLD Core on FIM1, you must first perform the following tasks:
Enable Windows authentication in Internet Information Services (IIS) on FIM1
Install Silverlight on FIM1
Create a user and group in the Active Directory Domain Services (AD DS) domain and enable the account to run as a service
Increase the service timeout period
Enable Windows authentication in IIS
BHOLD Core relies on the ability to access Web sites by using Windows authentication. Before you install BHOLD Core, you must enable Windows authentication in IIS on the FIM1 server.
To enable Windows authentication in IIS on FIM1
Log on to FIM1 as CORP\Administrator.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the Connections pane, click FIM1 (CORP\administrator), and then, under IIS, double-click Authentication.
Right-click Windows Authentication, and then click Enable.
Close Internet Information Services (IIS) Manager.
Click Start, click All Programs, click Accessories, and then click Command Prompt. This opens a command prompt window.
In the command prompt window, type iisreset, and then press Enter. When Internet services restarts and the command prompt returns, close the command prompt window.
Close Internet Information Services (IIS) Manager.
Install Silverlight
Silverlight 4 or later is required for several BHOLD modules. Before installing BHOLD Core, you should install Silverlight on FIM1. For more information about Silverlight and installation instructions, see the Microsoft Silverlight home page (https://www.microsoft.com/silverlight/).
Create and configure required user and group
The BHOLD Core module must be able to log on to the domain with a user account that is dedicated to that purpose and which is a member of two specific security groups, including one that is created specifically for the BHOLD Core module. Because the user account will be used as the BHOLD Core service account, it must be granted the right to log on to FIM1 as a service. Membership in the Domain Admins group is required to perform this procedure.
To create and configure the BHOLD Core user and security group
Log on to DC1 as CORP\Administrator, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, expand corp.contoso.com, right-click ServiceAccounts, point to New, and then click Group.
In the New Object – Group dialog box, in Group name, type BHOLDApplicationGroup, and then click OK.
Right-click ServiceAccounts, point to New, and then click User.
In Full name, type BHOLD Core Service.
In User logon name, type b1user, and then click Next.
In Password and Confirm password, type the password for the service account.
Clear User must change password at next logon, select User cannot change password and Password never expires, click Next, and then click Finish.
In the right pane, right-click BHOLD Core Service, and then click Add to a group.
In the Select Groups dialog box, type BHOLDApplicationGroup, type a semicolon (;), and then type IIS_IUSRS.
Click Check Names, and then click OK.
Close Active Directory Users and Computers.
To enable the BHOLD Core user account to run as a service
Log on to FIM1 as CORP\Administrator, click Start, point to Administrative Tools, and then click Local Security Policy.
In the console tree, expand Local Policies, and then click User Rights Assignment.
In the console results pane, right-click Log on as a service, and then click Properties.
In the Log on as a service Properties dialog box, click Add User or Group.
In the Select Users, Computers, or Groups dialog box, type b1user, click Check Names, and then click OK.
Click OK to close the Log on as a service Properties dialog box.
Close Local Security Policy.
Increase the service timeout period
During Microsoft BHOLD Core installation, the BHOLD Core service might take longer to start than is allowed by default settings in Windows. To avoid this, use the Registry Editor to change the default timeout value for all services.
Warning
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data.
To change the service timeout period
Log on to FIM1 as CORP\Administrator.
Click the Start button, click Run, type regedit, and then press the Enter key.
In the Registry Editor, click the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
In the right pane, right-click the ServicesPipeTimeout entry, and then click Modify.
Note
If the ServicesPipeTimeout entry does not exist, you must create it. To create the entry, on the Edit menu point to New, click DWORD (32-bit) Value, type ServicesPipeTimeout, and then press the Enter key twice.
Click Decimal, type 180000, and then click OK.
Restart the FIM1 server.
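A read-only check of the three FIM1-side settings configured above (Windows authentication in IIS, the Log on as a service right for b1user, and ServicesPipeTimeout), as an added example that is not part of the original procedure. It assumes an elevated PowerShell session on FIM1 with the WebAdministration module available; the $results table and the temporary file name are illustrative.

```powershell
# Added verification example: run elevated on FIM1. Read-only; changes nothing.
# Account, user right and registry value names are the ones used in the steps above.
$account = New-Object System.Security.Principal.NTAccount('CORP', 'b1user')
$results = @{}

# 1. Windows authentication enabled at the IIS server level
Import-Module WebAdministration
$winAuth = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled'
$results['WindowsAuthenticationEnabled'] = [bool]$winAuth.Value

# 2. b1user holds "Log on as a service" (SeServiceLogonRight)
#    secedit exports the local policy; holders appear as *SID or as account names.
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'bhold-user-rights.inf'   # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$results['LogOnAsServiceGranted'] =
    ($holders -contains $sid) -or ($holders -contains $account.Value)

# 3. ServicesPipeTimeout exists and is 180000 (decimal, milliseconds)
$ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
    -Name 'ServicesPipeTimeout' -ErrorAction SilentlyContinue
$results['ServicesPipeTimeoutIs180000'] =
    ($null -ne $ctl) -and ($ctl.ServicesPipeTimeout -eq 180000)

# Summary: every row should read True before BHOLD Core is installed
$results.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

The user-rights check only sees accounts listed directly in the exported policy, so a right granted through a group reports False. The registry value is read as stored; the new timeout applies only after the restart in the last step.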
Next step
To continue building the BHOLD Access Management Connector test lab, see Step 4: Install BHOLD Core.