Step 9: Perform FIM 2010 R2 Post-Installation Tasks

The post-installation tasks for the Forefront Identity Manager 2010 R2 test lab consist of the following:

  • Add CORP\FIMService to the FIMSyncAdmins Group

  • Configure the CORP\FIMService Mailbox to Only Accept Mail from Internal E-mail Addresses

  • Configure the CORP\FIMService Mailbox to Reject E-mail Greater Than 1 MB

  • Turn Off NTLM Authentication for the FIM Portal

  • Disable SharePoint Indexing

  • Implement Secure Sockets Layer (SSL) for the FIM Portal

  • Create the SSL certificate that will be used for the Password Reset and Password Registration portals

  • Add host headers and bind SSL certificate to the Password Reset and Password Registration portals

  • Add the FIM Portal URL to Local Intranet Sites for CORP\Administrator

  • Add the Password Registration and Password Reset Portal URLs to Local Intranet Sites for CORP\Administrator

  • Restrict Membership in the User Administrators Set

  • Pre-allocate Space in the FIM Service Database

  • Pre-allocate Space in the FIM Synchronization Service Database

  • Verify Initial MPSyncJob has completed for Reporting

  • Deploy FIM Data Warehouse Support Scripts

Add CORP\FIMService to the FIMSyncAdmins Group

Adding the CORP\FIMService account to the local FIMSyncAdmins group allows the FIM Service to configure the FIM Synchronization Service.

To add CORP\FIMService to the local FIMSyncAdmins group

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Computer Management. This will open the Computer Management MMC.

  3. In the Computer Management MMC, from the tree-view on the left, expand Local Users and Groups, and then select Groups.

    Add the FIM Service Account to FIMSyncAdmins

  4. In the center pane, right-click FIMSyncAdmins and select Properties. This will bring up the FIMSyncAdmins Properties.

  5. Click Add.

  6. This will bring up the Select Users, Computers, Service Accounts, or Groups dialog box.

  7. In the box below Enter the object names to select (examples), type the following text, and then click Check Names:
    CORP\FIMService
    This should resolve to the FIM Service account (underlined). Click OK.

  8. Click Apply.

  9. Click OK.

  10. Close Computer Management.

Configure the CORP\FIMService Mailbox to Only Accept Mail from Internal E-mail Addresses

Now you will need to configure the CORP\FIMService mailbox so that it will only accept e-mail from internal addresses.

To configure the CORP\FIMService mailbox to only accept mail from internal e-mail addresses

  1. Log on to the EX1.corp.contoso.com server as Administrator.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

  3. In the Exchange Management Console, click Microsoft Exchange On-Premises.

    Warning

    This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just click OK.

  4. In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), click Recipient Configuration, in the center pane, right-click FIM Service, and then select Properties. This will bring up the FIM Service Properties.

  5. In FIM Service Properties, click the Mail Flow Settings tab, and then double-click Mail Delivery Restrictions. This will bring up the Mail Delivery Restrictions.


  6. In Mail Delivery Restrictions, select the Require that all senders are authenticated check box, and then click OK.

Configure the CORP\FIMService Mailbox to Reject E-mail Greater Than 1 MB

Now you will need to configure the CORP\FIMService mailbox so that it will only accept e-mail that is less than or equal to 1 MB in size.

To configure the CORP\FIMService mailbox to reject e-mail greater than 1 MB

  1. Still on the Mail Flow Settings tab of FIM Service Properties, double-click Message Size Restrictions. This will bring up the Message Size Restrictions.

  2. In Message Size Restrictions, select the Maximum Message Size (in KB) check box, and enter 1024 in the box.

  3. Click OK. Click Apply.

    Configure FIM Service Account Email

  4. Close the Exchange Management Console.
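
Both mailbox restrictions can also be applied and verified from the Exchange Management Shell on EX1. The following is an added example and is not part of the original guide; it assumes the mailbox can be addressed by the display name shown in the console, FIM Service, and that the Exchange 2010 cmdlets are loaded.

```powershell
# Added example (not from the original guide): set and verify the two
# restrictions on the FIM Service mailbox from the Exchange Management Shell.
# Assumes the mailbox identity "FIM Service" (its display name in the console).
$mailbox = "FIM Service"

# Reject mail from unauthenticated (anonymous/external) senders and cap the
# size of inbound messages at 1 MB.
Set-Mailbox -Identity $mailbox `
    -RequireSenderAuthenticationEnabled $true `
    -MaxReceiveSize 1MB

# Read the settings back and fail loudly if either did not take effect.
$m = Get-Mailbox -Identity $mailbox
if (-not $m.RequireSenderAuthenticationEnabled) {
    throw "Sender authentication is still not required on $mailbox"
}
# MaxReceiveSize is an Unlimited<ByteQuantifiedSize>; compare its byte value.
if ($m.MaxReceiveSize.IsUnlimited -or $m.MaxReceiveSize.Value.ToBytes() -gt 1MB) {
    throw "MaxReceiveSize on $mailbox is not 1 MB: $($m.MaxReceiveSize)"
}
"OK: $mailbox requires authenticated senders and rejects messages over 1 MB"
```

The effective size limit is the smallest of the organization, connector and mailbox limits, so the mailbox setting only tightens what the transport already allows; it cannot raise a lower organization-wide limit.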

Turn Off NTLM Authentication for the FIM Portal

To make the FIM Portal more secure, disable NTLM authentication between the portal and the FIM Service. Setting requireKerberos="true" on the portal's resource management client makes the portal use only Kerberos when it authenticates to the FIM Service, so a misconfigured SPN or delegation setting surfaces as an error instead of a silent fallback to NTLM.

To turn off NTLM Authentication for the FIM portal

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Navigate to the following directory: C:\inetpub\wwwroot\wss\VirtualDirectories\80.

  3. Locate the Web.config file, right-click it and select Open. This will bring up a pop-up that states Windows cannot open this file and offers two options. Choose Select a program from a list of installed programs, and then click OK.

  4. Select Notepad, and click OK. This will open the config file in Notepad.

  5. At the top, select Edit, Find, type the following text in the box, and then click Find Next:
    <resourceManagementClient

  6. There should be only one instance. Add the attribute requireKerberos="true" to that element, leaving its existing attributes in place, so that the line changes from the Before form to the After form:

    Before: <resourceManagementClient ... />

    After: <resourceManagementClient ... requireKerberos="true" />

    (The ... stands for the attributes already present on the element; do not change them.)

  7. At the top of the Notepad, select Save. Close Notepad.

  8. Click Start, click All Programs, click Accessories, and then click Command Prompt. This will launch a Command Prompt window.

  9. In the Command Prompt window, type the following text, and then hit Enter:
    iisreset
    This will stop and then restart IIS. Once this completes, close the Command Prompt window.
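
The same edit, done from PowerShell on FIM1 with a backup and a post-edit check, as an added example that is not part of the original guide. It uses the web.config path from the steps above and assumes the file contains exactly one <resourceManagementClient> element.

```powershell
# Added example (not from the original guide): set requireKerberos="true" on
# the portal's <resourceManagementClient> element, keeping a backup and
# verifying the result before restarting IIS.
$webConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\Web.config'

# Keep a timestamped copy so the change can be rolled back.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup

# Parse the file as XML rather than doing a text replace, so the attribute is
# set exactly once and the element's existing attributes are preserved.
[xml]$xml = Get-Content -Path $webConfig
$client = @($xml.SelectNodes('//resourceManagementClient'))
if ($client.Count -ne 1) {
    throw "Expected exactly one <resourceManagementClient> element, found $($client.Count)"
}
$client[0].SetAttribute('requireKerberos', 'true')
$xml.Save($webConfig)

# Verify by re-reading the saved file, then restart IIS so the change applies.
[xml]$check = Get-Content -Path $webConfig
$value = $check.SelectSingleNode('//resourceManagementClient').GetAttribute('requireKerberos')
if ($value -ne 'true') { throw "requireKerberos was not written (value: '$value')" }
"requireKerberos=true written to $webConfig; backup at $backup"
iisreset
```

If the portal stops responding after the restart, the most likely cause is that Kerberos to the FIM Service is not actually working (missing FIMService SPN or delegation), which the setting now exposes; restore the backup to confirm, then fix the SPN rather than leaving NTLM enabled.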

Disable SharePoint Indexing

Because SharePoint indexing is not required by the FIM Portal and can degrade performance, disable it now.

To disable SharePoint indexing

  1. Click Start, click All Programs, click Microsoft SharePoint 2010 Products and then click SharePoint 2010 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.

  2. Under Monitoring click Check job status. This will bring up the Timer Job Status screen.

    Disable SharePoint Indexing

  3. Click SharePoint Foundation Search Refresh. This will bring up the Edit Timer Job page.

  4. Click Disable.

  5. Close Internet Explorer.

Implement Secure Sockets Layer (SSL) for the FIM Portal

In this step, you will implement SSL for the FIM Portal, the Password Registration Portal, and the Password Reset Portal. For the FIM Portal you request a new domain certificate and bind it to the SharePoint site. The Base Configuration Test Lab Guide automatically issues a server certificate to FIM1 when it joins the domain; however, because that certificate uses the FQDN (FIM1.corp.contoso.com) as its common name and not the NetBIOS name (FIM1), you will receive a certificate error when accessing the site as https://fim1 (using https://FIM1.corp.contoso.com would not produce the error). Because this site will be used inside the domain and accessed primarily as https://fim1, you request a new certificate with that name. Note that the Create Domain Certificate wizard sets only the Common Name, so the new certificate covers https://fim1 but not https://fim1.corp.contoso.com; if both names must work without warnings, use a custom certificate request that carries both names, as is done for the password portals below. For the Password Registration Portal and the Password Reset Portal the process is slightly different and is outlined below.

To implement Secure Sockets Layer (SSL) for the FIM Portal

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

  2. On the left, expand FIM1 (CORP\Administrator). This will populate the center pane with icons. Make sure that FIM1(CORP\Administrator) is still selected.

  3. In the center, double-click Server Certificates.

  4. On the right, click Create Domain Certificate. This will launch the Create Certificate Wizard.

  5. For Common Name, type the following text:
    FIM1

  6. For Organization, type the following text:
    Contoso

  7. For Organizational Unit, type the following text:
    IT

  8. For City, type the following text:
    Anywhere

  9. For State, type the following text:
    NC

    Implement SSL

  10. Click Next.

  11. On the Online Certification Authority page, under Specify Online Certification Authority, click Select. This will bring up the Select Certification Authority page.

  12. Select corp-DC1-ca, and click OK.

  13. On the Online Certification Authority page, under Friendly Name, type the following text, and then click Finish:
    FIM1_SSL
    This will close the Create Certificate Wizard and you should see the newly created certificate in the center pane.

  14. On the left, expand Sites, right-click SharePoint-80, and then select Edit Bindings. This will bring up the Site Bindings window.

  15. Click Add.

  16. Under type, select https from the drop-down list.

  17. Under SSL Certificate, select FIM1_SSL from the drop-down list. Click OK, and then click Close.

  18. On the left, select SharePoint-80 and from the center pane double-click SSL Settings.

  19. Place a check in Require SSL. On the right, click Apply.

  20. Close Internet Information Services (IIS) Manager.

  21. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

  22. In the command prompt window, type iisreset and hit enter. This will stop and then re-start IIS. Once this completes, close the command prompt window.

Create the SSL certificate that will be used for the Password Reset and Password Registration portals

For the Password Registration and Password Reset portals a couple of extra steps are needed to implement SSL correctly. Because both portals share the same IP address and port (*:443), they must be distinguished by host headers. IIS 7.5 does not support Server Name Indication (SNI), so only one SSL certificate can be bound to a given IP:port pair and both sites must share it; that certificate therefore has to carry both site names so that users do not see a certificate warning for either portal. In this step you create that certificate. The steps below add both names as Common Names, which the Internet Explorer versions of this test lab accept; modern browsers ignore the Common Name and validate only the Subject Alternative Name (SAN), so if newer clients will use these portals, also add both names under Alternative name with type DNS in the Certificate Properties dialog (step 13).

To create the SSL certificate that will be used for the Password Reset and Password Registration portals

  1. Log on to FIM2.corp.contoso.com as CORP\Administrator.

  2. Click Start, click Run, type mmc, and hit enter. This will bring up a management console.

  3. At the top, select File and from the drop-down select Add/Remove Snap-in. This will bring up the Add or Remove Snap-in window.

  4. On the left, under Available snap-ins: select Certificates and click Add. This will bring up a Certificates snap-in dialog box.

  5. Select the Computer account radio button and click Next.

  6. Leave local computer selected and click Finish.

  7. On the Add or Remove Snap-ins click OK. This will bring us back to the management console.

  8. In the management console, on the left, expand Certificates (Local Computer), expand Personal, under Personal, right-click Certificates, select All Tasks…, select Advanced Operations, and select Create Custom Request. This will begin the Certificate Enrollment wizard.

    password req cert 1

  9. Click Next.

  10. Under Custom Request, select Active Directory Enrollment Policy. Click Next.

    password req cert 2

  11. On the Custom Request screen, select Web Server from the drop-down and click Next.

    password req cert 3

  12. On the Certificate Information screen, on the right, click the down arrow and expand Details. Click the Properties button. This will bring up the Certificate Properties dialog box.

    password req cert 4

  13. On Certificate Properties, under Subject name:, from the drop-down under Type:, select Common name.

  14. In the Value: box enter passwordregistration.corp.contoso.com and click Add.

  15. In the Value: box enter passwordreset.corp.contoso.com and click Add.

    password req cert 5

  16. At the top, click the General tab and under Friendly name: enter FIM_SSPR

    password req cert 6

  17. Click Apply. Click OK. This will close the Certificate Properties.

  18. Click Next.

  19. On the Where do you want to save the offline request screen, click Browse, under Favorites select Desktop, and in the box next to File name: enter fimpasswordsslcertrequest.req and click Save.

  20. Click Finish. You can close the mmc.

  21. Now, click Start, select Run, and enter \\DC1\C$ in the box next to Open:. This will open the share on the domain controller.

  22. Copy the request we created from the desktop to the share we just opened. You can leave the share open.

    password req cert 7

  23. Now, log on to DC1.corp.contoso.com as CORP\Administrator.

  24. Click Start, select Administrative Tools, and select Certification Authority.

  25. Right-click corp-DC1-CA and select Submit new request.

    password req cert 8

  26. Navigate to the C:\ drive and select fimpasswordsslcertrequest.req and click Open. This will open a Save Certificate window and you should still be in the C:\ drive.

  27. In the File name: box enter fimpasswordsslcertcertificate.cer and click Save.

  28. Log off of DC1.

  29. Back on FIM2, access the share that we left open and copy the fimpasswordsslcertcertificate.cer to the desktop.

  30. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

  31. On the left, expand FIM2 (CORP\Administrator). This will populate the center pane with icons. Make sure that FIM2(CORP\Administrator) is still selected.

  32. In the center, double-click Server Certificates.

  33. On the right, select Complete Certificate Request. This will bring up the Specify Certificate Authority Response screen.

  34. Click the browse (...) button, navigate to the desktop and select fimpasswordsslcertcertificate.cer. Click Open.

  35. In the box next to Friendly name: enter FIM_SSPR.

    password req cert 9

  36. Click OK.
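
An alternative to the MMC wizard, added here and not part of the original guide: build the request from a certreq INF file that puts both portal names in the Subject Alternative Name extension, submit it straight to the lab CA, install the issued certificate and verify the names. It assumes the CA is reachable as DC1.corp.contoso.com\corp-DC1-CA (derived from the CA name used in the steps above), that the WebServer template is available for enrollment, and uses C:\CertReq on FIM2 as a working folder.

```powershell
# Added example (not from the original guide): request the dual-name SSPR
# certificate with certreq. Run on FIM2 as CORP\Administrator.
# Assumptions: CA config string "DC1.corp.contoso.com\corp-DC1-CA",
# WebServer template enrollable, working folder C:\CertReq.
$work = 'C:\CertReq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Both names go into the SAN (OID 2.5.29.17); the first is also the CN.
$inf = @"
[NewRequest]
Subject = "CN=passwordregistration.corp.contoso.com, O=Contoso, OU=IT"
FriendlyName = "FIM_SSPR"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=passwordregistration.corp.contoso.com&"
_continue_ = "dns=passwordreset.corp.contoso.com"
"@
Set-Content -Path "$work\fimpasswordssl.inf" -Value $inf

# 1. Build the CSR; the private key is generated in the machine store and never leaves FIM2.
certreq -new "$work\fimpasswordssl.inf" "$work\fimpasswordssl.req"
# 2. Submit directly to the enterprise CA and save the issued certificate.
certreq -submit -config "DC1.corp.contoso.com\corp-DC1-CA" "$work\fimpasswordssl.req" "$work\fimpasswordssl.cer"
# 3. Install the certificate, joining it to the pending request's private key.
certreq -accept "$work\fimpasswordssl.cer"

# Verify that the installed certificate carries both portal names in its SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'FIM_SSPR' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'FIM_SSPR certificate was not installed' }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
$san = $sanExt.Format($false)
foreach ($name in 'passwordregistration.corp.contoso.com', 'passwordreset.corp.contoso.com') {
    if ($san -notmatch [regex]::Escape($name)) { throw "SAN is missing $name" }
}
"Certificate $($cert.Thumbprint) installed with SAN: $san"
```

Because the request is submitted directly, no files need to be copied through the \\DC1\C$ share. If the template requires CA manager approval, certreq -submit prints a request ID instead of writing the .cer; approve the request on DC1 and fetch it with certreq -retrieve before running certreq -accept.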

Add host headers and bind SSL certificate to the Password Reset and Password Registration portals

The previous section explained why the two portals need host headers on a shared *:443 binding and a single certificate that carries both names. In this step you add the host headers and bind the FIM_SSPR certificate created in the previous step.

To add host headers and bind SSL certificate to the Password Reset and Password Registration portals

  1. On FIM2, click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

  2. In the command prompt window, navigate to C:\Windows\System32\inetsrv, type the following command on one line, and press Enter:
    appcmd set site /site.name:"FIM Password Registration Site" /+"bindings.[protocol='https',bindingInformation='*:443:passwordregistration.corp.contoso.com']"
    This should return a message that says SITE object "FIM Password Registration Site" changed.

  3. Type the following command on one line, and press Enter:
    appcmd set site /site.name:"FIM Password Reset Site" /+"bindings.[protocol='https',bindingInformation='*:443:passwordreset.corp.contoso.com']"
    This should return a message that says SITE object "FIM Password Reset Site" changed.

    Add host headers

  4. Close the command prompt.

  5. Back in IIS Manager, on the left, expand Sites and select FIM Password Registration Site and from the center pane double-click SSL Settings.

  6. Place a check in Require SSL. On the right, click Apply.

  7. Back in IIS Manager, on the left, expand Sites and select FIM Password Reset Site and from the center pane double-click SSL Settings.

  8. Place a check in Require SSL. On the right, click Apply.

  9. Back in IIS Manager, on the left, expand Sites, right-click FIM Password Registration Site, and then select Edit Bindings. This will bring up the Site Bindings window.

  10. Select the https entry and click Edit. This will bring up the Edit Site bindings window.

  11. Under SSL Certificate:, from the drop-down select FIM_SSPR. Click OK. This will bring up a window that says The certificate associated with this binding is also assigned to another site's binding. Editing this binding will cause the HTTPS binding of the other site to be unusable. Do you want to continue? Click Yes. Click Close.

    Warning

    At this point the Host Name portion of the https binding disappears on the FIM Password Registration Site, and the FIM Password Reset Site is automatically bound to the FIM_SSPR certificate as well. This is expected: IIS 7.5 does not support SNI, so a certificate is bound to the IP address and port (*:443) rather than to a host name, and every https site on that IP:port shares it; requests are still routed to the correct site by the host header. You can verify that SSL is working after doing an iisreset by opening Internet Explorer and navigating to https://passwordregistration.corp.contoso.com or https://passwordreset.corp.contoso.com. The password registration portal will prompt you for credentials. Because Require SSL is set, any attempt to use plain HTTP (http://passwordregistration.corp.contoso.com or http://passwordreset.corp.contoso.com) should give a 403 error (403.4, SSL required).

  12. Click Start, click All Programs, click Accessories, and click Command Prompt. This will launch a command prompt window.

  13. In the command prompt window, type iisreset and hit enter. This will stop and then re-start IIS. Once this completes, close the command prompt window.
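
The same host-header bindings, certificate binding and Require SSL setting done with the IIS 7.5 WebAdministration module on FIM2, followed by an over-the-wire check that plain HTTP is refused and HTTPS works. This is an added example, not part of the original guide; it assumes the FIM_SSPR certificate is already in the computer's Personal store (previous section) and uses the site and host names from the steps above.

```powershell
# Added example (not from the original guide): bindings, certificate, Require
# SSL and verification for the two SSPR portals on FIM2 (IIS 7.5).
Import-Module WebAdministration

$sites = @{
    'FIM Password Registration Site' = 'passwordregistration.corp.contoso.com'
    'FIM Password Reset Site'        = 'passwordreset.corp.contoso.com'
}

foreach ($site in $sites.Keys) {
    $hostName = $sites[$site]
    # Same effect as the appcmd /+bindings commands above; safe to re-run.
    if (-not (Get-WebBinding -Name $site -Protocol https -HostHeader $hostName)) {
        New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
    }
    # Require SSL: plain-HTTP requests to the site are refused with 403.4.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# IIS 7.5 has no SNI: the certificate is bound to the IP:port pair (*:443)
# and shared by both host-header sites. The host headers stay on the bindings.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'FIM_SSPR' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'FIM_SSPR certificate not found in Cert:\LocalMachine\My' }
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
iisreset | Out-Null

# Returns the HTTP status code for a URL, including codes delivered via WebException.
function Get-StatusCode([string]$url) {
    try {
        $resp = [System.Net.WebRequest]::Create($url).GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# http must be refused (403); https must reach the portal. The registration
# portal answers 401 first because it requires Windows authentication.
foreach ($hostName in $sites.Values) {
    $http  = Get-StatusCode "http://$hostName/"
    $https = Get-StatusCode "https://$hostName/"
    if ($http -ne 403) { throw "http://$hostName returned $http, expected 403" }
    if (@(200, 401) -notcontains $https) { throw "https://$hostName returned $https, expected 200 or 401" }
    "$hostName : http=$http (SSL required), https=$https"
}
```

The HTTPS checks only pass when the client trusts corp-DC1-CA, which any domain member does; a certificate-chain error from the script therefore indicates the wrong certificate is bound, not a problem with the bindings.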

Add the FIM Portal URL to Local Intranet Sites for CORP\Administrator

In this step you will add the FIM Portal URL to the local intranet sites.

To add the FIM Portal URL to Local Intranet Sites

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  3. At the top of Internet Explorer, under Tools, click Internet Options.

    Warning

    You may need to enable the menu bar if you do not see Tools at the top.

  4. Click the Security tab and select Local intranet from the Select a zone to view or change security settings box.

  5. Click Sites to show a Local intranet window. Click Advanced.

  6. In the Add this website to the zone: box, type https://fim1. Click Add.

    Add FIM portal to local intranet

  7. Place a check in Require server verification (https:) for all sites in this zone and click Close. Click Ok.

  8. Click OK to close the Internet Options dialog box.

Add the Password Registration and Password Reset Portal URLs to Local Intranet Sites for CORP\Administrator

In this step you will add the Password Registration and Password Reset Portal URLs to the local intranet sites.

To add the Password Registration and Password Reset Portal URLs to Local Intranet Sites

  1. Log on to FIM2.corp.contoso.com as CORP\Administrator.

  2. Click Start, click All Programs, and then click Internet Explorer (64-bit).

  3. At the top of Internet Explorer, under Tools, click Internet Options.

    Warning

    You may need to enable the menu bar if you do not see Tools at the top.

  4. Click the Security tab and select Local intranet from the Select a zone to view or change security settings box.

  5. Click Sites to show a Local intranet window. Click Advanced.

  6. In the Add this website to the zone: box, type https://passwordregistration.corp.contoso.com. Click Add.

  7. In the Add this website to the zone: box, type https://passwordreset.corp.contoso.com. Click Add.

  8. Place a check in Require server verification (https:) for all sites in this zone and click Close. Click Ok.

  9. Click OK to close the Internet Options dialog box.

Restrict Membership in the User Administrators Set

By default, everyone is a member of the User Administrators set. To increase security and keep ordinary users from holding more authority than they need, restrict the set's membership to the members of the Administrators set.

To restrict membership in the user administrators set

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. In Internet Explorer, in the address bar at the top, enter https://fim1/identitymanagement and hit enter. This should bring up the Forefront Identity Manager 2010 page.

  3. On the left, under Management Policy Rules, click Sets. This will bring up the Sets Page.

  4. Scroll through the list of sets and select User Administrators. This will be on the last page of the sets.

  5. On the User Administrators pop-up, at the top, click Criteria-based Members.

  6. Click to select Add Statement.

  7. Click to select <Click to select attribute>.

  8. From the drop-down list that appears, select Resource ID.

  9. Next to Resource ID, click the word is. This will change to a drop-down box. Select in.

  10. Next to in, click to select <click to select value>. This will bring up a Select Set pop-up.

  11. At the top, next to the Search for box, click the magnifying glass.

    Tip

    Leave the box empty before clicking to select the magnifying glass. This will return a list of all the sets.

  12. Select Administrators in the check box, and then click OK. It should now look like the following image.

    Restrict User Admin Set

  13. Click OK.

  14. Click Submit.

Pre-allocate Space in the FIM Service Database

Because SQL Server performance can suffer when SQL Server must allocate space during processing, you will want to prevent this by pre-allocating space for the FIM Service database.

To pre-allocate space in the FIM Service database

  1. Log on to APP1.corp.contoso.com as Administrator.

  2. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

  3. On the Connect to Server dialog box, under Server Type select Database Engine.

  4. On the Connect to Server dialog box, under Server name select APP1.

  5. On the Connect to Server dialog box, under Authentication select Windows Authentication.

  6. Click Connect. This should be successful and the database information will be displayed on the left. The SQL Server Agent should have a green arrow.

  7. On the left, expand Databases, right-click FIMService, and then select Properties. This will bring up the Database Properties – FIMService screen.

  8. On the left, click Files.

  9. For the row with FIMService, under Initial Size, change the value to 5000.

  10. For the row with FIMService_log, under Initial Size, change the value to 1000. It should now look like the following image.

    Change FIM DB

  11. Click OK. This may take a few minutes to complete.

Pre-allocate Space in the FIM Synchronization Service Database

Because SQL Server performance can suffer when SQL Server must allocate space during processing, you will want to prevent this by preallocating space for the FIM Synchronization Service database.

To pre-allocate space in the FIM Synchronization Service database

  1. In SQL Server Management Studio, right-click FIMSynchronizationService, and then select Properties. This will bring up the Database Properties – FIMSynchronizationService screen.

  2. On the left, click Files.

  3. For the row with FIMSynchronizationService, under Initial Size, change the value to 5000.

  4. For the row with FIMSynchronizationService_log, under Initial Size, change the value to 1000. It should now look like the following image.

  5. Click OK. This may take a few minutes to complete.
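
The same pre-allocation for both databases, done from PowerShell on APP1 over Windows authentication, as an added example that is not part of the original guide. It reads the current file sizes first and grows only files that are below target, because ALTER DATABASE ... MODIFY FILE refuses to make a file smaller. The logical file names are assumed to be the ones shown on the SSMS Files page in the steps above.

```powershell
# Added example (not from the original guide): pre-allocate the FIM Service
# and FIM Synchronization Service databases on APP1 (default instance).
# Assumed logical file names: those displayed on the SSMS Files page above.
$server  = 'APP1'
$targets = @{
    'FIMService' = @{
        'FIMService'     = 5000   # data file, MB
        'FIMService_log' = 1000   # log file, MB
    }
    'FIMSynchronizationService' = @{
        'FIMSynchronizationService'     = 5000
        'FIMSynchronizationService_log' = 1000
    }
}

function Open-Sql([string]$database) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$server;Database=$database;Integrated Security=SSPI")
    $conn.Open()
    return $conn
}

# Runs a query and returns the rows as a DataTable.
function Get-SqlTable([string]$database, [string]$sql) {
    $conn = Open-Sql $database
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql
        $table = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table) | Out-Null
        return ,$table
    } finally { $conn.Close() }
}

# Runs a statement that returns no rows. Growth can take minutes, especially
# for log files, which SQL Server always zero-fills, so allow a long timeout.
function Invoke-SqlNonQuery([string]$database, [string]$sql) {
    $conn = Open-Sql $database
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql; $cmd.CommandTimeout = 1800
        $cmd.ExecuteNonQuery() | Out-Null
    } finally { $conn.Close() }
}

foreach ($db in $targets.Keys) {
    # sys.database_files.size is in 8 KB pages; convert to MB.
    $current = Get-SqlTable $db 'SELECT name, size * 8 / 1024 AS size_mb FROM sys.database_files'
    foreach ($file in $targets[$db].Keys) {
        $wanted = $targets[$db][$file]
        $rows = @($current.Select("name = '$file'"))
        if ($rows.Count -ne 1) { throw "Logical file '$file' not found in $db" }
        $have = [int]$rows[0].size_mb
        if ($have -ge $wanted) {
            "$db / $file is already $have MB (target $wanted MB), skipped"
            continue
        }
        # $db and $file come from the table in this script, not from user input.
        Invoke-SqlNonQuery $db "ALTER DATABASE [$db] MODIFY FILE (NAME = N'$file', SIZE = ${wanted}MB)"
        "$db / $file grown from $have MB to $wanted MB"
    }
}
```

Run it as a login with ALTER permission on both databases (CORP\Administrator in this lab). Re-running is harmless: files already at or above the target are reported and skipped.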

Verify Initial MPSyncJob has completed for Reporting

Prior to deploying the FIM Data Warehouse Support Scripts, you must ensure that the initial MPSyncJob has completed and that the FIM reports are visible within SCSM.

Warning

This initial process can take some time but is required before continuing to the next section.

To Verify Initial MPSyncJob has completed for Reporting

  1. Log on to APP2 as CORP\Administrator.

  2. Click Start, select All Programs, select Microsoft System Center and select Service Manager Console. This will launch the Service Manager Console. This may take a moment.

  3. In the Service Manager Console, at the bottom on the left, click Data Warehouse.

  4. At the top, on the left, double-click Data Warehouse Jobs. This will populate the center with the Data Warehouse Jobs.

  5. Double-click MPSyncJob. This will bring up a window with the job details.

  6. At the top of this window, click Management Pack to sort the jobs by Management Pack.

  7. Scroll down to the jobs that have a Management Pack name that begins with Microsoft.FIM_ and Microsoft.Forefront. Verify the status of these jobs as either Associated or Imported. If any of these jobs have a status of Pending Association you must wait until the status becomes Associated or Imported.

    MPSyncJob

  8. Close the job details.

  9. Back in the System Center Service Manager Console, on the left, at the bottom, click Reporting.

  10. Verify that at the top, on the left, Forefront Identity Manager Reporting is visible.

  11. Click on Forefront Identity Manager Reporting and verify that 8 reports are present in the center pane.

    FIM Reports

  12. Close the System Center Service Manager Console.

Deploy FIM Data Warehouse Support Scripts

Before you can start the initial ETL job that synchronizes data from FIM into the Data Warehouse, you must deploy the FIM Data Warehouse Support Scripts on the Data Warehouse machine. They add the support the FIM Reporting pruning and grooming processes need to maintain data integrity in the Data Warehouse over time.

Important

These scripts are included on the Forefront Identity 2010 R2 installation media.

Warning

This step MUST occur after FIM Reporting has been installed and the MPSyncJob that imports the FIM management packs and reports has completed. This initial process may take some time. Running these scripts before it is complete will result in an error. You may verify that MPSyncJob has completed by following the Verify Initial MPSyncJob has completed for Reporting section of this document.

Warning

It is highly recommended that you take a backup of your Management Server Databases (ServiceManager) and Data Warehouse Databases (DWStagingAndConfig, DWRepository, and DWDataMart) before running these scripts.

To Deploy FIM Data Warehouse Support Scripts

  1. Log on to APP3 as CORP\Administrator.

  2. Copy the entire Data Warehouse Support Scripts folder to a location on the local disk APP3 (the Data Warehouse machine).

    Warning

    You must ensure that your Data Warehouse machine has PowerShell v2 installed. If it does not, please install PowerShell v2 by downloading and installing the Windows Update package found here: https://support.microsoft.com/kb/968930

  3. On APP3, open a PowerShell v2 prompt and navigate to the Data Warehouse Support Scripts directory you just copied. In this directory, you will notice a PowerShell script called FIMPostInstallScriptsForDataWarehouse.ps1. Run this script.

    Important

    This script must be run with an account that has DBOwner privileges on the following Data Warehouse Databases: DWStagingAndConfig, DWDataMart, and DWRepository.

    Note

    Depending on your environment's settings, you may need to change the PowerShell execution policy before these scripts will run. The guide suggests Set-ExecutionPolicy Unrestricted; RemoteSigned is sufficient for a locally stored script and is the safer choice. Note the current policy with Get-ExecutionPolicy first so that you can restore it afterwards.

  4. You will be prompted for the name of your Data Warehouse server instance, the Data Warehouse database server instance, and the FIM Service account name. Because the script is running on APP3 itself, enter localhost for DataWarehouseServerInstance.

    For DataWarehouseDatabaseServerInstance, also enter localhost.

    For the FIM Service account, enter CORP\FIMService and press Enter. You will be prompted to back up the database before continuing; enter Y. Once the script completes, you can move on to the additional Test Lab Guides on Reporting.

    Warning

    The account executing this script must be a different account than the FIM Service account. If you receive an error when executing, please ensure that you are logged on as CORP\Administrator.

    Data Warehouse Support Scripts