Before You Begin
Before you install the FIM 2010 R2 server and client components, you must complete the following configuration tasks:
Creating an email enabled domain service account to run the FIM Service component.
Creating a domain service account to run the FIM Synchronization Service.
Creating a domain service account to run the FIM Password Reset Portals.
Creating a domain service account to run the Share
Creating a FIM Service Management Agent account.
Configuring the service accounts that are running the FIM server components in a secure manner.
If you are running the Exchange Web Service and Internet Information Services (IIS) default Web site (FIM Portal) on the same server, ensure that both are not configured to use port 80.
Ensuring that there is a default SharePoint Web site installed.
Ensuring that English is installed in SharePoint Services.
Selecting the correct identity for the SharePoint Application Pool.
Implementing Secure Sockets Layer (SSL) for FIM Portal.
Configuring the server running SQL Server.
Configuring the SQL Server aliases.
Configuring the SQL Server collation settings.
Configure the server running SCSM 2010 SP1.
Establishing Service Principal Names (SPNs) for FIM 2010 R2.
Creating an E-mail-Enabled Domain Service Account to Run the FIM Service
To run the FIM Service component, you must have a dedicated domain service account. To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM 2010 R2 Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway.
This account also is used to send e-mail notifications from FIM 2010 R2 .
This account should not be granted local administrator permissions.
You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of FIM Service might be affected.
Creating a Domain Service Account to Run the FIM Synchronization Service
You must create a service account to run the FIM Synchronization Service. This service account must be a domain service account. This account should not be a local administrator account.
Creating a Domain FIM Service Management Agent Account
You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account.
Understanding the Purpose of the FIM Service Management Agent Account
The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.
The account that you use for the FIM MA should be considered a trusted account. You should not use it to access the FIM Portal. If you do, all requests that are made through the FIM Portal with this account will skip AuthN and AuthZ.
If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information.
Create a domain service account to run the FIM Password Service
If you are using FIM Password Reset, you must create a service account to run the FIM Password Service. This service account must be a domain service account. This account should not be a local administrator account.
Create a domain service account to run the SharePoint Service
You must create a service account to run the Sharepoint Service. This service account must be a domain service account. This account should not be a local administrator account.
Configuring the Service Accounts Running the FIM 2010 R2 Server Components in a Secure Manner
As mentioned previously, there are three service accounts that are used to run the FIM server components. They are called the FIM Service service account, the FIM Synchronization Service service account, and the FIM Password service account in this guide. The FIM MA account is not considered a service account, and it should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA must be able to log on locally.
To enable the FIM MA to log on locally
Click Start, and then click Administrative Tools.
Click Local Security Policy, and then click Local Policies\User Rights Assignment.
In the policy Allow log on locally, ensure that the FIM MA account is explicitly specified, or add it to one of the groups that is already granted access.
To configure the server or servers running the FIM 2010 R2 server components in a secure manner, the service accounts should be restricted. The easiest way to do this is by running Local Security Policy from Administrative Tools, navigate to Local Policies\User Rights Assignment, and then add the service account to the policy.
On the server running the FIM Synchronization Service, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account. On the server running the FIM Service, you must only restrict the FIM Service service account, and not the FIM Synchronization Service service account.
Use the following restrictions on the service accounts:
Deny logon as a batch job
Deny logon locally
Deny access to this computer from the network
Domain-based Group Policy objects (GPOs) might override settings in the Local Security Policy.
The service accounts should not be members of the local administrators group.
The FIM Synchronization Service service account should not be a member of the security groups that are used to control access to FIM Synchronization Service (groups starting with FIMSync, for example, FIMSyncAdmins).
If you are deploying password reset, do not use the Deny access to this computer from the network restriction option. If you choose to use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server. If access is denied, that action prohibits the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords.
Ensuring That the Exchange Web Service and IIS Default Web Site are Not Both Configured to Use Port 80
In a lab environment, you may want to run Exchange on the same server as the FIM Service. If you do, ensure that you are reconfiguring Exchange Web Service to not use the default port 80, or Exchange Web Service will not be reachable.
You must either specify a different port, a different IP, or a different host name in IIS.
Ensuring That English Is Installed for SharePoint
If the installed version of SharePoint is not English, the FIM 2010 R2 setup fails. Before you can install FIM 2010 R2 , you must first install the latest SharePoint Service English Language Pack Service Pack for your version of SharePoint. Visit the Microsoft download Center to download the Windows SharePoint Services 3.0 Language Pack Service Pack 2 (SP2), 64-Bit Edition (http://go.microsoft.com/fwlink/?LinkID=178266) or the Service Pack 1 for Microsoft SharePoint Foundation 2010 Language Pack (http://www.microsoft.com/download/en/details.aspx?id=26629).
Ensuring That a SharePoint Default Web Site Is Installed
Before you install the FIM Password Registration Portal and FIM Password Reset Portal, run the SharePoint Configuration Wizard. This creates a default SharePoint site for you.
If you installed SharePoint in a SharePoint farm, the default site cannot be created by the wizard and must be created manually. How to set up a SharePoint farm is outside the scope of this installation guide.
Verify the installation by navigating to http://localhost:80 on the server where you will install the FIM Portal. You should see a SharePoint site and not the standard Welcome to IIS7 message. If you see the Welcome to IIS7 message, reconfigure SharePoint to display a default SharePoint site at this server address or the address where you installed SharePoint.
If you do not perform this task, you may have to reinstall the FIM Portal and Password Portal components of FIM 2010 R2 .
Selecting the Correct Identity for the SharePoint Application Pool
By default, IIS uses the Network Service account for the Application Pool. In the steps above, you created a service account for SharePoint, which you will use for the following procedures. Later in this guide you will enable Kerberos delegation, and only one identity can use one SPN.
By default, an application pool running under a specific service account will not use the service account for Kerberos. In the second configuration step, you will configure IIS to use the service account for Kerberos.
To run the SharePoint Application Pool using an account that is located in the domain using WSS 3.0
Start SharePoint 3.0 Central Administration from Administrative Tools.
Select Operations and Service Accounts.
Select Web Application Pool, and select Windows SharePoint Services Web Application. Select the SharePoint Application Pool where the FIM Portal will be installed, which by default is SharePoint – 80.
Enter the user name and password for the service account that you created earlier.
Click OK to save your changes.
To run the SharePoint Application Pool using an account that is located in the domain using Sharepoint Foundation 2010
Click Start, click All Programs, click Microsoft SharePoint 2010 Products and then click SharePoint 2010 Central Administration.
Under Security, click Configure service accounts.
From the first drop-down list select Web Application Pool – SharePoint 80.
Under Select an account for this component click the link Register new managed account.
Enter the name and password of the service account you created earlier.
Under Select an account for this component, select the service account.
Click OK three times to save your changes.
Enable the Application Pool to use the service account for Kerberos.
- To configure IIS to use the service account for Kerberos delegation, set useAppPoolCredentials as described in Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=188290).
Implementing Secure Sockets Layer for FIM Portal
We highly recommend that you implement Secure Sockets Layer (SSL) on the FIM Portal server to secure the traffic between the client and server computers.
To implement SSL with a certificate from an existing internal CA
Open IIS Manager on the FIM Portal server.
Click the local computer name.
Click Server Certificates.
Click Create Certificate Request.
For Common Name, enter the name of the server.
Click Next, and then Next.
Save the file to any location. You will need to access this location in subsequent steps.
In Windows Internet Explorer, browse to https://servername/certsrv. Replace servername with the name of the server that is issuing certificates.
Click Request a new Certificate.
Click Submit an Advanced Request.
Click Submit a Certificate Request by using a base-64-encoded.
Paste the contents of the file that you saved in the previous step.
From Certificate Template, select Web Server.
Save the certificate to your Desktop.
In IIS Manager, click Complete Certification Request.
Point IIS Manager to the certificate you just saved to the Desktop.
For Friendly name, type the name of the server.
Click Sites, and then select Sharepoint – 80.
Click Bindings, and then click Add.
For certificate, select the certificate that has the same name as the server. (This is the certificate that you just imported.)
Remove the HTTP binding.
Click SSL Settings, and then check Require SSL.
Save the settings.
If you are using SharePoint Foundation 2010
Click Start, click All Programs, click Microsoft SharePoint 2010 Products, and then click SharePoint 2010 Central Administration.
Under System Settings, click Configure alternate access mappings.
Change http://servername to https://servername, and then click OK.
Click Start, Run, enter iisreset, and then click OK.
If you are using WSS 3.0
Click Start, click Administrative Tools, and then click Sharepoint 3.0 Central Administration.
Click Operations, and then click Alternate Access Mappings.
Change http://servername to https://servername, and then click OK.
Click Start, Run, enter iisreset, and then click OK.
Configuring SQL Server
Before you install the FIM Service, certain tasks should be completed and verified on the server that is running SQL Server.
If you are using FIM Reporting, you will need to create two additional service accounts:
SQL Reporting Service Account
SQL Analysis Service Account
Ensure that the service accounts used by SQL Server Database and SQL Server Agent are either domain accounts or built-in service accounts (for example, Network Service). You cannot use local computer accounts.
When you configure the service accounts for SQL Server, consult the following articles:
The SQL Server service account should not be a local computer account. A local account cannot impersonate domain accounts and the FIM Service will not behave as expected.
Make sure that the SQL Server Agent service and the SQL Server Service Broker is set to start automatically.
If you install the SQL Server 2008 database on a different server than the FIM Service or FIM Synchronization Service, open additional ports so that FIM 2010 R2 setup can communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access (http://go.microsoft.com/fwlink/?LinkID=94001).
When the FIM Service and FIM Synchronization Service are installed, the data and log files are created in the default locations that are specified by SQL Server. For optimal performance, these log files should be located on different drives and on different spindles.
To locate databases on different drives
Start Microsoft SQL Server Enterprise Manager.
Right-click the server, and then click Properties.
Go to Database settings. Make the necessary adjustments on the Data and Log settings to ensure that the database files are located on a different drive than the operating system.
Configuring SQL Server Aliases
If you plan to install FIM Service or FIM Synchronization Service on a server running SQL Server that is using a nondefault port, you must create a SQL Server alias for Setup to be able to contact the server running SQL Server.
To create a SQL Server alias for Setup to be able to contact the server running SQL Server
Start the SQL Server Configuration Manager.
Navigate to SQL Native Client 10.0 Configuration/Aliases.
Create a new alias with your server information.
Configuring SQL Server Collation Settings
Work with your SQL Server database administrator (DBA) to determine the correct collation setting to use for your FIM Service database. The collation setting determines the sorting order and how indexing works.
The default collation set during installation is SQL_LATIN1_General_CP1_CI_AS.
If the server running Windows is using a character set that is different from the Latin alphabet, then you might consider a different collation based on the table found in Windows Collation Name (Transact-SQL) (http://go.microsoft.com/fwlink/?LinkId=185630).
Ensure that the selected collation is case insensitive (indicated by _CI_).
If you change the collation setting, ensure that the collation setting is the same on the FIM Service database and on the system databases master and tempdb.
If you install the FIM Service and later decide to change the collation setting, you must manually change the collation setting on every table in the FIM Service database, as described in Setting and Changing the Database Collation (http://go.microsoft.com/fwlink/?LinkId=185247).
Configuring System Center Service Manager 2010 SP1 (SCSM 2010 SP1)
If you are using FIM Reporting in FIM 2010 R2 , you must install and configure the SCSM 2010 SP1 Server before installing FIM 2010 R2 .
For guidance on installing SCSM 2010 SP1, see the Test Lab Guide: System Center Service Manager 2010 SP1(http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b276879e-380f-4b40-809e-1574f4059277)
Use the steps outlined in the following article to ensure reporting is setup and functioning correctly Registering with the Service Manager 2010 SP1 Data Warehouse to Enable Reporting (http://technet.microsoft.com/en-us/library/ff461143.aspx).
Install the Microsoft Report Viewer Redistributable Security Update on the FIM 2010 R2 server. The Report Viewer installation files are located on the SCSM 2010 installation media, in the amd64/Prerequisites folder.
Install the Service Manager Console on the FIM 2010 R2 server. The Service Manager Console installation files are located on the SCSM 2010 installation media, in the amd64 folder. Run setup.exe and follow the steps to install a Service Manager console.
Install Cumulative Update 2 for SCSM 2010 SP1 (http://www.microsoft.com/download/en/details.aspx?displaylang=en\&id=1234) on the SCSM 2010 SP1 server and the FIM 2010 R2 server.
Establishing SPNs for FIM 2010 R2
SPNs are necessary for the Kerberos v5 protocol to be used for authentication. Enabling Kerberos helps to make the traffic secure, and it is required for the clients to be able to communicate with the FIM Service. SPNs must be registered in the domain for Kerberos to work.
We recommend that you use aliases for your FIM Service, FIM Password Portals and FIM Portal. They can be represented as host (A) or alias CNAME resource records in Domain Name System (DNS). For the FIM Service server and FIM Password service server, complete the following procedure:
To establish the SPNs for the FIM Service service and FIM Password Portals
Establish the SPNs for the FIM Service by running the following command:
setspn –S FIMService/<alias> <domain>\<serviceaccount>
The <alias> above is the address that is entered during FIM Service setup and used by the clients and the FIM Portal to contact the Web Service. This can be an alias (CNAME) or host (A) resource record in DNS. If you are using Network Load Balancing (NLB), this is the name of the cluster.
The <serviceaccount> above is the account that is used by the FIM Service.
If you are using several different names—for instance, fully qualified domain names (FQDNs) and NetBIOS names—to contact the server, repeat the steps for every name.
If you want cross forest scenarios to work in a separated environment, that is, portal on different machine than FIM service, then you must also set the FQDN. To accomplish this, use the following:
setspn.exe –S FIMService/FQDN <domain><serviceaccount>
Repeat the above step for each of the FIM Password portals, using
setspn.exe –S HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>, where <ssprPortalHostHeaderName> is the binding information for the FIM Password portal Host Name that was entered during setup. This is the name that will be used by clients to contact the portals.
Turn on Kerberos delegation for the FIM Service and FIM Password service accounts in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.
In a deployment with multiple FIMServices, ensure that each FIMService has constrained delegation configured so that each FIMService can successfully communicate to each other in order for Workflow Approvals to work properly. Approval Responses from users can come from any Portal or if Exchange is enabled from the FIMService that is polling. In all cases, the Approval Response will be directed to the FIMService machine that processed the original Request so cross-server communication: FIMPortal -> FIMService AND FIMService -> FIMService must work properly.
For the FIM Portal server, complete the steps in the next procedure.
If the address that the clients use to contact the FIM Portal is not the same as the server address, you have to establish an SPN for Hypertext Transfer Protocol (HTTP). That is, if you use an alias (CNAME) resource record in DNS, have a SharePoint farm, or use Networking Load Balancing (NLB), this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:
setspn –S HTTP/<FIMPortalAlias> <domain>\<sharepointserviceaccount>
<FIMPortalAlias>is the address that clients use to contact the FIM Portal server.
<domain>\sharepointserviceaccount>is the account that the SharePoint Application Pool uses, as defined in IIS.
If you are using several different names, that is, FQDN and NetBIOS names, to contact the server, repeat the steps for every name.
The SharePoint service account must be allowed to delegate to the FIM Service. You can choose to enable delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the selected services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the FIM Service step.
You do not have to create delegation for HTTP/FIMPortalAlias.