Before You Begin
Applies To: Forefront Identity Manager 2010
Before you install the Microsoft® Forefront® Identity Manager (FIM) 2010 server and client components, you must complete the following configuration tasks:
Create an e-mail-enabled domain service account to run the FIM Service component.
Create a domain service account to run the FIM Synchronization Service.
Create a FIM Service Management Agent account.
Configure the service accounts that are running the FIM server components in a secure manner.
If you are running the Exchange Web Service and Internet Information Services (IIS) default Web site (FIM Portal) on the same server, ensure that both are not configured to use port 80.
Ensure that there is a default Office SharePoint Web site installed.
Ensure that English is installed in SharePoint Services.
Select the correct identity for the SharePoint Application Pool.
Implement Secure Sockets Layer (SSL) for FIM Portal.
Configure the server running SQL.
Configure the SQL aliases.
Configure the SQL collation settings.
Establish Service Principal Names (SPN) for FIM 2010.
Create an e-mail-enabled domain service account to run the FIM Service
To run the FIM Service component, you must have a dedicated domain service account. To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway.
This account also is used to send e-mail notifications from FIM 2010.
This account should not be granted local administrator permissions.
You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of FIM Service might be affected.
Create a domain service account to run the FIM Synchronization Service
You must create a service account to run the FIM Synchronization Service. This service account must be a domain service account. This account should not be a local administrator account.
Create a domain FIM Service management agent account
You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account.
Understanding the purpose of the FIM Service management agent account
The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.
The account that you use for the FIM MA should be considered a trusted account. You should not use it to access the FIM Portal. If you do, all requests that are made through the FIM Portal with this account will skip AuthN and AuthZ.
If you later change this account in the FIM Synchronization service, you must also run a change install on the FIM Service to update the service with the new account information.
Configure the service accounts running the FIM 2010 server components in a secure manner
As mentioned previously, there are two service accounts that are used to run the FIM server components. They are called the FIM Service service account and the FIM Synchronization Service service account in this guide. The FIM MA account is not considered a service account, and it should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA must be able to log on locally.
To enable the FIM MA to log on locally
Click Start, and then click Administrative Tools.
Click Local Security Policy, and then click Local Policies\User Rights Assignment.
In the policy Allow log on locally, ensure that the FIM MA account is explicitly specified, or add it to one of the groups that is already granted access.
To configure the server or servers running the FIM server components in a secure manner, the service accounts should be restricted. The easiest way to do this is to run Local Security Policy from Administrative Tools, navigate to Local Policies\User Rights Assignment, and then add the service account to each policy listed below.
On the FIM Synchronization Service server, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account. On the FIM Service server, you must restrict only the FIM Service service account, and not the FIM Synchronization Service service account.
Use the following restrictions on the service accounts:
Deny logon as a batch job
Deny logon locally
Deny access to this computer from the network
Domain-based Group Policy objects (GPOs) might override settings in the Local Security Policy.
The service accounts should not be members of the local administrators group.
The FIM Synchronization Service service account should not be a member of the security groups that are used to control access to FIM Synchronization Service (groups starting with FIMSync, for example, FIMSyncAdmins).
If you are deploying password reset, do not use the Deny access to this computer from the network restriction. If you choose to use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server. If access is denied, that prohibits the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords.
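The following PowerShell script is an added example and is not part of this guide. It audits the restrictions described above on the server where you are about to install a FIM component: it exports the effective user-rights assignments with secedit, confirms that the service account for the component hosted on this server carries the three Deny rights (dropping the network deny when you tell it password reset is deployed), confirms that the FIM MA account still holds Allow log on locally, and checks local Administrators and the FIMSync* groups. The account names are hypothetical placeholders, and a grant that the FIM MA account receives through group membership is reported as a warning rather than resolved.

```powershell
# Added example, not part of the FIM 2010 guide. Account names are hypothetical.
$ServiceAccount = 'CONTOSO\svc-fimsync'   # service account of the FIM component hosted on THIS server
$FimMaAccount   = 'CONTOSO\svc-fimma'     # FIM MA account; must keep "Allow log on locally"

function Get-AccountSid([string]$Account) {
    # secedit exports user rights as *SID entries, so resolve DOMAIN\name to its SID first.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightsAssignment {
    # Export the local security database (the effective assignments, including anything a
    # domain GPO has pushed down) and parse its [Privilege Rights] section into a hashtable.
    $cfg = Join-Path $env:TEMP 'fim-user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            # Values look like "*S-1-5-32-544,*S-1-5-21-..."; drop the leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-HoldsRight($Rights, [string]$Right, [string]$Sid, [string]$Account) {
    # True when the account is listed directly (by SID or by name) on the given right.
    $holders = $Rights[$Right]
    if (-not $holders) { return $false }
    return [bool]($holders | Where-Object { $_ -eq $Sid -or $_ -eq $Account })
}

function Get-LocalGroupMembers([string]$GroupName) {
    # Enumerate a local group through ADSI, which works on Windows Server 2008 as well as newer builds.
    try {
        $group = [ADSI]"WinNT://./$GroupName,group"
        @($group.Invoke('Members')) | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://DOMAIN/name -> DOMAIN\name
        }
    } catch { @() }
}

function Test-FimServiceAccountHardening {
    param([string]$Account, [string]$MaAccount, [switch]$PasswordResetDeployed)
    $findings = @()
    $sid    = Get-AccountSid $Account
    $rights = Get-UserRightsAssignment

    # Deny rights the guide asks for on the service account. The network deny must be left off
    # when password reset is deployed, so it is removed from the expected set in that case.
    $expected = @{
        SeDenyBatchLogonRight       = 'Deny log on as a batch job'
        SeDenyInteractiveLogonRight = 'Deny log on locally'
        SeDenyNetworkLogonRight     = 'Deny access to this computer from the network'
    }
    if ($PasswordResetDeployed) { $expected.Remove('SeDenyNetworkLogonRight') }
    foreach ($right in $expected.Keys) {
        if (-not (Test-HoldsRight $rights $right $sid $Account)) {
            $findings += "$Account lacks '$($expected[$right])' ($right)"
        }
    }
    if ($PasswordResetDeployed -and (Test-HoldsRight $rights 'SeDenyNetworkLogonRight' $sid $Account)) {
        $findings += "$Account has 'Deny access to this computer from the network', which blocks password reset"
    }

    # The FIM MA account needs "Allow log on locally". Only a direct grant is visible here; a grant
    # through a group (for example Users) is reported as a warning to confirm by hand.
    $maSid = Get-AccountSid $MaAccount
    if (-not (Test-HoldsRight $rights 'SeInteractiveLogonRight' $maSid $MaAccount)) {
        $findings += "WARN: $MaAccount is not listed directly on 'Allow log on locally'; confirm it holds it via a group"
    }

    # Neither account may be a local administrator.
    $admins = Get-LocalGroupMembers 'Administrators'
    foreach ($a in @($Account, $MaAccount)) {
        if ($admins -contains $a) { $findings += "$a is a member of the local Administrators group" }
    }

    # The Sync service account must not sit in the FIMSync* groups that control access to the Sync Service.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children | Where-Object { $_.SchemaClassName -eq 'group' -and ([string]$_.Name) -like 'FIMSync*' } |
        ForEach-Object {
            $g = [string]$_.Name
            if ((Get-LocalGroupMembers $g) -contains $Account) { $findings += "$Account is a member of $g" }
        }
    return $findings
}

# Run on the FIM Synchronization Service server; add -PasswordResetDeployed when password reset is in use.
Test-FimServiceAccountHardening -Account $ServiceAccount -MaAccount $FimMaAccount
```

Run the script in an elevated PowerShell session on each server, passing only the account of the component that server hosts, as the guide requires. An empty result means every check passed; each line returned names one restriction still to apply.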
Ensure that the Exchange Web Service and IIS default Web site are not both configured to use port 80
In a lab environment, you may want to run Exchange on the same server as the FIM Service. If you do, ensure that you are reconfiguring Exchange Web Service to not use the default port 80, or Exchange Web Service will not be reachable.
You must either specify a different port, a different IP, or a different host name in IIS.
Ensure that English is installed in SharePoint Services
If the installed version of SharePoint Services is not English, the FIM 2010 setup fails. Before you can install FIM 2010, you must first install the SharePoint Service English Language Pack Service Pack 2 (SP2). Visit the Microsoft Download Center to download the Windows SharePoint Services 3.0 Language Pack Service Pack 2 (SP2), 64-Bit Edition (http://go.microsoft.com/fwlink/?LinkID=178266).
Ensure that a SharePoint Default Web site is installed
Before you install the FIM Portal and Password Portal, run the SharePoint 3.0 Services Configuration Wizard. This creates a default SharePoint site for you.
If you installed Microsoft Office SharePoint in a SharePoint farm, the default site cannot be created by the wizard and must be created manually. How to set up a SharePoint farm is outside the scope of this installation guide. For more information, see Office SharePoint Server farm architecture (http://go.microsoft.com/fwlink/?LinkID=129821).
Verify the installation by navigating to http://localhost:80 on the server where you will install the FIM Portal. You should see a SharePoint site and not the standard Welcome to IIS7 message. If you see the Welcome to IIS7 message, reconfigure Office SharePoint to display a default SharePoint site at this server address or the address where you installed Office SharePoint.
If you do not perform this task, you may have to reinstall the FIM Portal and Password Portal components of FIM 2010.
Select the correct identity for the SharePoint Application Pool
By default, IIS uses the Network Service account for the Application Pool. We recommend that you use a dedicated service account for SharePoint. Later in this guide you will enable Kerberos delegation, and only one identity can use one Service Principal Name (SPN).
By default, an application pool running under a specific service account will not use the service account for Kerberos. In the second configuration step, you will configure IIS to use the service account for Kerberos.
To run the SharePoint Application Pool using an account that is located in the domain
Create an account in the domain for use by the SharePoint Application Pool.
Start SharePoint 3.0 Central Administration from Administrative Tools.
Select Operations and Service Accounts.
Select Web Application Pool, and select Windows SharePoint Services Web Application. Select the SharePoint Application Pool where the FIM Portal will be installed, which by default is SharePoint – 80.
Enter the user name and password for the service account that you created in the first step.
Click OK to save your changes.
Enable the Application Pool to use the service account for Kerberos.
To configure IIS to use the service account for Kerberos delegation, set useAppPoolCredentials as described in Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=188290).
Implement Secure Sockets Layer for FIM Portal
We highly recommend that you implement Secure Sockets Layer (SSL) on the FIM Portal server to secure the traffic between the client and server computers.
To implement SSL with a certificate from an existing internal CA
Open IIS Manager on the FIM Portal server.
Click the local computer name.
Click Server Certificates.
Click Create Certificate Request.
For Common Name, enter the name of the server.
Click Next, then Next.
Save the file to any location. You will need to access this location in subsequent steps.
In Windows Internet Explorer, browse to https://servername/certsrv. Replace servername with the name of the server that is issuing certificates.
Click Request a new Certificate.
Click Submit an Advanced Request.
Click Submit a Certificate Request by using a base-64-encoded.
Paste the contents of the file that you saved in the previous step.
From Certificate Template, select Web Server.
Save the Certificate to your Desktop.
In IIS Manager, click Complete Certification Request.
Point IIS Manager to the certificate you just saved to the Desktop.
For Friendly name, type the name of the server.
Click Sites, and then select SharePoint – 80.
Click Bindings, and then click Add.
For certificate, select the one that has the same name as the server (this is the certificate that you just imported).
Remove the HTTP binding.
Click SSL Settings, and then check Require SSL.
Save the settings.
Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration.
Click Operations, and then click Alternate Access Mappings.
Change http://servername to https://servername, and then click OK.
Click Start, Run, enter iisreset, and then click OK.
Configure SQL Server
Before you install the FIM Service, certain tasks should be completed and verified on the server that is running SQL.
Ensure that the service accounts used by SQL Server Database and SQL Server Agent are either domain accounts or built-in service accounts (for example, Network Service). You cannot use local computer accounts.
When you configure the service account for SQL, consult the following articles:
The SQL Server service account should not be a local computer account. A local account cannot impersonate domain accounts and the FIM Service does not behave as expected.
Make sure the SQL Server Agent service is set to start automatically.
If you install the SQL Server 2008 database on a different server than the FIM Service or FIM Synchronization Service, open additional ports so that FIM 2010 setup can communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access (http://go.microsoft.com/fwlink/?LinkID=94001).
When the FIM Service and FIM Synchronization Service are installed, the data and log files are created in the default locations that are specified by SQL. For optimal performance, these should be located on different drives and on different spindles.
To locate databases on different drives
Start Microsoft SQL Server Enterprise Manager.
Right-click the server, and then click Properties.
Go to Database settings. Make the necessary adjustments on the Data and Log settings to ensure that the database files are located on a different drive than the operating system.
Configure SQL aliases
If you plan to install FIM Service or FIM Synchronization Service on a server running SQL that is using a nondefault port, you must create a SQL alias for Setup to be able to contact the SQL server.
To create a SQL alias for Setup to be able to contact the SQL server
Start the SQL Server Configuration Manager.
Navigate to SQL Native Client 10.0 Configuration/Aliases.
Create a new alias with your server information.
Configure SQL collation settings
Work with your SQL database administrator (DBA) to determine the correct collation setting to use for your FIM Service database. The collation setting determines sorting order and how indexing works.
The default collation set during installation is SQL_LATIN1_General_CP1_CI_AS.
If the server running Windows is using a character set that is different from the Latin alphabet, then you might consider a different collation based on the table found in Windows Collation Name (Transact-SQL) (http://go.microsoft.com/fwlink/?LinkId=185630).
Ensure that the selected collation is case insensitive (indicated by _CI_).
If you change the collation setting, ensure that the collation setting is the same on the FIM Service database and on the system databases master and tempdb.
If you install the FIM Service and later decide to change the collation setting, you must manually change the collation setting on every table in the FIM Service database, as described in Setting and Changing the Database Collation (http://go.microsoft.com/fwlink/?LinkId=185247).
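The following PowerShell script is an added example and is not part of this guide. It covers the checks from both the Configure SQL Server and Configure SQL collation settings sections: it verifies that the Database Engine and SQL Server Agent services run under domain or built-in accounts rather than local accounts and that the Agent starts automatically, then reads the collation of master, tempdb, the server default and (once it exists) the FIM Service database, confirming they match and are case insensitive. The instance name and database name are hypothetical, the script assumes a default instance (service names MSSQLSERVER and SQLSERVERAGENT), and it uses System.Data.SqlClient so that no SQL PowerShell module is needed.

```powershell
# Added example, not part of the FIM 2010 guide. Names are hypothetical; a default instance is assumed.
$SqlInstance  = 'sql01.contoso.com'   # use the SQL alias here if you created one for a nondefault port
$FimServiceDb = 'FIMService'          # does not exist before the FIM Service is installed; handled below

function Test-SqlServiceAccounts {
    # Database Engine and Agent must run as domain or built-in accounts (never local users), and the
    # Agent must start automatically. WMI is used because it is available on Windows Server 2008.
    $findings = @()
    $localPrefix = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    foreach ($svc in Get-WmiObject Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'") {
        # Local accounts appear as ".\name" or "COMPUTERNAME\name"; built-ins as LocalSystem or NT AUTHORITY\...
        if ($svc.StartName -match $localPrefix) {
            $findings += "$($svc.Name) runs as local account $($svc.StartName); it cannot impersonate domain accounts"
        }
        if ($svc.Name -eq 'SQLSERVERAGENT' -and $svc.StartMode -ne 'Auto') {
            $findings += "SQL Server Agent start mode is $($svc.StartMode); set it to Automatic"
        }
    }
    return $findings
}

function Get-DatabaseCollations([string]$Instance, [string]$FimDb) {
    # Collation of master, tempdb and (if present) the FIM Service database, plus the server
    # default that any newly created database inherits.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT name, collation_name FROM sys.databases WHERE name IN ('master','tempdb',@fim);
                            SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'));"
        [void]$cmd.Parameters.AddWithValue('@fim', $FimDb)
        $result = @{}
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $result[[string]$reader['name']] = [string]$reader['collation_name'] }
        if ($reader.NextResult() -and $reader.Read()) { $result['<server default>'] = [string]$reader[0] }
        $reader.Close()
        return $result
    } finally { $conn.Close() }
}

function Test-FimCollation([hashtable]$Collations, [string]$FimDb) {
    $findings = @()
    # Before installation the FIM database does not exist, so the server default stands in for it.
    $fim = if ($Collations.ContainsKey($FimDb)) { $Collations[$FimDb] } else { $Collations['<server default>'] }
    if ($fim -notmatch '_CI_') { $findings += "collation $fim is case sensitive; FIM requires a _CI_ collation" }
    foreach ($db in 'master', 'tempdb') {
        if ($Collations[$db] -ne $fim) {
            $findings += "$db uses $($Collations[$db]) but the FIM Service database uses $fim"
        }
    }
    return $findings
}

Test-SqlServiceAccounts
Test-FimCollation (Get-DatabaseCollations $SqlInstance $FimServiceDb) $FimServiceDb
```

Run the service checks on the SQL Server host itself; the collation check can run from any computer whose current user can read sys.databases on the instance. Run the collation check again after installing the FIM Service so that the comparison includes the real FIM Service database.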
Establish SPNs for FIM 2010
SPNs are necessary for the Kerberos v5 protocol to be used for authentication. Enabling Kerberos helps to make the traffic secure, and it is required for the clients to be able to communicate with the FIM Service. SPNs must be registered in the domain for Kerberos to work.
We recommend that you use aliases for your FIM Service and FIM Portal. They can be represented as host (A) or CNAME resource records in Domain Name System (DNS). For the FIM Service server, complete the following procedure:
To establish the SPNs for the FIM Service
Establish the SPNs for the FIM Service by running the following command:
setspn -S FIMService/<alias> <domain>\<serviceaccount>
The <alias> above is the address that is entered during FIM Service setup and used by the clients and the FIM Portal to contact the Web Service. This can be a CNAME or host (A) resource record in DNS. If you are using Network Load Balancing (NLB), this is the name of the cluster.
The <serviceaccount> above is the account that is used by the FIM Service.
If you are using several different names—for instance, fully qualified domain names (FQDNs) and NetBIOS names—to contact the server, repeat the steps for every name.
Turn on Kerberos delegation for the FIM Service service account in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.
For the FIM Portal server, complete the steps in the next procedure.
If the address that the clients use to contact the FIM Portal is not the same as the server address, you have to establish an SPN for HTTP. That is, if you use a CNAME resource record in DNS, have a SharePoint farm, or use NLB, this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:
setspn -S HTTP/<FIMPortalAlias> <domain>\<sharepointserviceaccount>
<FIMPortalAlias> is the address that clients use to contact the FIM Portal server.
<domain>\<sharepointserviceaccount> is the account that the SharePoint Application Pool uses, as defined in IIS.
If you are using several different names, that is, FQDN and NetBIOS names, to contact the server, repeat the steps for every name.
The SharePoint service account must be allowed to delegate to the FIM Service. You can choose to enable delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the FIM Service step.
You do not have to create delegation for HTTP/FIMPortalAlias.
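The following PowerShell script is an added example and is not part of this guide. It carries out the two procedures above in one pass: it registers FIMService/<alias> on the FIM Service account and HTTP/<FIMPortalAlias> on the SharePoint application pool account for both the FQDN and the NetBIOS form of each name, then sets constrained delegation (the recommended option) so that both accounts may delegate to the FIMService SPNs only, and finally lists what each account holds. The alias and account names are hypothetical; the script assumes the ActiveDirectory module and setspn.exe are available and that setspn returns a nonzero exit code when it refuses a duplicate SPN.

```powershell
# Added example, not part of the FIM 2010 guide. Names are hypothetical.
Import-Module ActiveDirectory

$FimServiceAlias   = 'fimservice.contoso.com'   # name entered during FIM Service setup (NLB cluster name if used)
$FimPortalAlias    = 'fimportal.contoso.com'    # name clients use to reach the FIM Portal
$FimServiceAccount = 'CONTOSO\svc-fimservice'   # FIM Service service account
$SharePointAccount = 'CONTOSO\svc-sharepoint'   # SharePoint Application Pool identity, as set in IIS

function Get-NameVariants([string]$Name) {
    # Clients may use the FQDN or the NetBIOS (short) name; each needs its own SPN.
    @($Name, ($Name -split '\.')[0]) | Select-Object -Unique
}

function Register-Spn([string]$Spn, [string]$Account) {
    # setspn -S checks the forest for a duplicate before adding. A duplicate SPN leaves the KDC
    # unable to choose a key, so Kerberos to that service fails; stopping here is the right outcome.
    $out = & setspn.exe -S $Spn $Account 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $Spn $Account failed: $($out -join ' ')" }
    return $Spn
}

function Get-DelegationTargets([string]$Account) {
    $sam = ($Account -split '\\')[-1]
    @((Get-ADUser -Identity $sam -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo')
}

function Set-ConstrainedDelegation([string]$Account, [string[]]$TargetSpns) {
    # Equivalent of "Trust this user for delegation to specified services only" in AD Users and Computers:
    # the permitted targets are stored in msDS-AllowedToDelegateTo on the delegating account.
    # Only targets not already present are added, because adding an existing value to the attribute fails.
    $sam      = ($Account -split '\\')[-1]
    $existing = Get-DelegationTargets $Account
    $missing  = @($TargetSpns | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) { Set-ADUser -Identity $sam -Add @{ 'msDS-AllowedToDelegateTo' = $missing } }
}

# 1. FIMService/<alias> on the FIM Service account, once per name variant.
$fimSpns = @(foreach ($n in Get-NameVariants $FimServiceAlias) { Register-Spn "FIMService/$n" $FimServiceAccount })

# 2. HTTP/<FIMPortalAlias> on the SharePoint app-pool account, once per name variant.
foreach ($n in Get-NameVariants $FimPortalAlias) { Register-Spn "HTTP/$n" $SharePointAccount | Out-Null }

# 3. Constrained delegation: the FIM Service account and the SharePoint account may each delegate
#    to the FIMService SPNs only. No delegation is created for HTTP/<FIMPortalAlias>.
Set-ConstrainedDelegation $FimServiceAccount $fimSpns
Set-ConstrainedDelegation $SharePointAccount $fimSpns

# 4. Verify what each account now holds and may delegate to.
& setspn.exe -L $FimServiceAccount
& setspn.exe -L $SharePointAccount
Get-DelegationTargets $FimServiceAccount
Get-DelegationTargets $SharePointAccount
```

Run the script as a user with permission to write servicePrincipalName and msDS-AllowedToDelegateTo on both accounts. If a step throws because an SPN already belongs to another account, resolve that duplicate before rerunning; the delegation step is idempotent and can be rerun safely.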