Planning MIM 2016 SP2 in TLS 1.2 or FIPS-mode environments
This article applies to MIM 2016 SP2 only
When installing MIM 2016 SP2 in a locked-down environment where every encryption protocol except TLS 1.2 is disabled, the following requirements apply:
- To establish a secure TLS 1.2 connection, MIM components require that the latest Windows Server and .NET Framework updates, which enable TLS 1.2 support in .NET Framework 3.5, are installed. Depending on your server configuration, you might also need to enable SystemDefaultTlsVersions for .NET Framework and/or disable all SCHANNEL protocols except TLS 1.2 in the registry, in both the Client and Server subkeys.
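The following PowerShell script is an added example, not part of the original article, showing how an administrator can audit (and, with `-Apply`, set) the two registry settings the item above refers to: SystemDefaultTlsVersions (together with SchUseStrongCrypto) for the .NET Framework 2.0/3.5 and 4.x keys, and the SCHANNEL protocol state in the Client and Server subkeys with everything except TLS 1.2 disabled. The registry paths are the standard Windows and .NET locations; the parameter name, helper functions and output format are this example's own.

```powershell
<#
  Added example (not from the MIM documentation): audit, and optionally apply, the
  TLS 1.2-only settings for a MIM server.
    1. SystemDefaultTlsVersions and SchUseStrongCrypto for .NET Framework, so .NET 3.5
       and 4.x code follows the OS protocol list instead of its own defaults.
    2. SCHANNEL protocol state under the Client and Server subkeys, TLS 1.2 only.
  Without -Apply the script only reports the current state.
#>
param(
    [switch]$Apply   # assumption: report-only unless this switch is given
)

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',              # .NET 2.0/3.5, 64-bit
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',  # .NET 2.0/3.5, 32-bit
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # .NET 4.x, 64-bit
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # .NET 4.x, 32-bit
)
$netValues = [ordered]@{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# $true = keep enabled, $false = disable
$protocols = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-DwordValue([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- 1. .NET Framework: honour the OS default TLS versions -------------------------
foreach ($key in $netKeys) {
    foreach ($name in $netValues.Keys) {
        $current = Get-RegValue $key $name
        $ok = ($current -eq $netValues[$name])
        Write-Host ("{0,-4} {1}\{2} = {3}" -f $(if ($ok) { 'OK' } else { 'FIX' }), $key, $name, $current)
        if ($Apply -and -not $ok) { Set-DwordValue $key $name $netValues[$name] }
    }
}

# --- 2. SCHANNEL: TLS 1.2 only, in both the Client and Server subkeys ---------------
foreach ($proto in $protocols.Keys) {
    $wantEnabled = $protocols[$proto]
    foreach ($side in 'Client', 'Server') {
        $key       = Join-Path $schannel "$proto\$side"
        $enabled   = Get-RegValue $key 'Enabled'
        $byDefault = Get-RegValue $key 'DisabledByDefault'
        # Desired state: Enabled=1/DisabledByDefault=0 for TLS 1.2, Enabled=0/DisabledByDefault=1 otherwise.
        $ok = if ($wantEnabled) { ($enabled -eq 1) -and ($byDefault -eq 0) }
              else              { ($enabled -eq 0) -and ($byDefault -eq 1) }
        Write-Host ("{0,-4} {1} Enabled={2} DisabledByDefault={3}" -f $(if ($ok) { 'OK' } else { 'FIX' }), $key, $enabled, $byDefault)
        if ($Apply -and -not $ok) {
            Set-DwordValue $key 'Enabled'           $(if ($wantEnabled) { 1 } else { 0 })
            Set-DwordValue $key 'DisabledByDefault' $(if ($wantEnabled) { 0 } else { 1 })
        }
    }
}

if ($Apply) { Write-Host 'SCHANNEL changes take effect after a reboot.' }
```

Run the script from an elevated PowerShell session first without `-Apply` to see which values differ from the TLS 1.2-only target, and only apply the SCHANNEL changes after MIM Service is installed, since the article notes that an unattended MIM Service install still needs TLS 1.1 enabled. A reboot is required for the SCHANNEL changes to take effect.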
MIM Synchronization Service, SQL MA
- To establish a secure TLS 1.2 connection to SQL Server, the MIM Synchronization Service and the built-in SQL management agent require SQL Native Client 11.0.7001.0 or later.
- An unattended MIM 2016 SP2 install fails in a TLS 1.2-only environment. Either install MIM Service interactively or, if installing unattended, make sure TLS 1.1 is enabled. After the unattended installation completes, enforce TLS 1.2 if needed.
- Self-signed certificates cannot be used by MIM Service in a TLS 1.2-only environment. When installing MIM Service, choose a certificate that is compatible with strong encryption and issued by a trusted Certification Authority.
- The MIM Service installer additionally requires OLE DB Driver for SQL Server version 18.2 or later.
- If you install MIM Service on a server with FIPS mode enabled, you need to disable FIPS policy validation so that MIM Service workflows can run. To do so, add an enforceFIPSPolicy element with enabled="false" to the runtime section of the Microsoft.ResourceManagement.Service.exe.config file, between the runtime and assemblyBinding elements, as shown below:
```xml
<runtime>
    <enforceFIPSPolicy enabled="false"/>
    <assemblyBinding ...>
```
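As an added example (not part of the original article), the PowerShell script below makes that config edit without hand-editing the file: it backs up Microsoft.ResourceManagement.Service.exe.config, inserts `<enforceFIPSPolicy enabled="false"/>` directly under `<runtime>` and before `<assemblyBinding>`, and is safe to re-run because it reuses an existing element if one is already present. It also reports whether the host is actually in FIPS mode, which is the condition under which the article says the edit is needed. The `$ConfigPath` parameter is an assumption: the article does not give the install folder, so point it at the config file in your MIM Service installation.

```powershell
<#
  Added example (not from the MIM documentation): add <enforceFIPSPolicy enabled="false"/>
  to the <runtime> section of Microsoft.ResourceManagement.Service.exe.config.
  $ConfigPath is an assumption; supply the path to the config file in your MIM Service folder.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath   # placeholder: <MIM Service install folder>\Microsoft.ResourceManagement.Service.exe.config
)

# Report whether FIPS mode is enabled on this host (standard Lsa\FipsAlgorithmPolicy\Enabled value).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host ("FIPS mode enabled on this host: {0}" -f ($fipsEnabled -eq 1))

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}

# Keep a timestamped copy of the original before changing anything.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup
Write-Host "Backup written to $backup"

[xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw
$runtime = $doc.configuration.runtime
if ($null -eq $runtime) {
    # <runtime> is normally present in the shipped config; create it only if it is missing.
    $runtime = $doc.configuration.AppendChild($doc.CreateElement('runtime'))
}

# Reuse an existing <enforceFIPSPolicy> element so the script can be run more than once.
$fipsElement = $runtime.ChildNodes | Where-Object { $_.LocalName -eq 'enforceFIPSPolicy' } | Select-Object -First 1
if ($null -eq $fipsElement) {
    $fipsElement = $doc.CreateElement('enforceFIPSPolicy')
    # <assemblyBinding> is in the asm.v1 namespace, so match on LocalName rather than a plain XPath.
    $asmBinding = $runtime.ChildNodes | Where-Object { $_.LocalName -eq 'assemblyBinding' } | Select-Object -First 1
    if ($null -ne $asmBinding) {
        [void]$runtime.InsertBefore($fipsElement, $asmBinding)   # between <runtime> and <assemblyBinding>
    } else {
        [void]$runtime.AppendChild($fipsElement)
    }
}
$fipsElement.SetAttribute('enabled', 'false')

$doc.Save($ConfigPath)
Write-Host "Updated $ConfigPath; restart the MIM Service for the change to take effect."
```

Run it from an elevated session, for example `.\Set-MimFipsPolicy.ps1 -ConfigPath '<path to Microsoft.ResourceManagement.Service.exe.config>'`, and restart the MIM Service afterwards. The backup file lets you revert by copying it back over the config if a workflow behaves unexpectedly.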