Pre-setup tasks for FIM

By SuperG - Last updated: Monday, April 23, 2012 - Save & Share - Leave a Comment

The Bulk of the information here was taken from

Before you start this make sure your FIM server is setup. Look here for information.

Before you install the Microsoft Forefront Identity Manager (FIM) 2010 server there are some tasks that you must do before hand.

Create an e-mail-enabled domain service account to run the FIM Service

To run the FIM Service component, you must have a dedicated domain service account. To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway.

This account also is used to send e-mail notifications from FIM 2010.

This account should not be granted local administrator permissions.

You can make this however you want but this is how I did it.

Using Active Directory Users and Computers (ADUC)

Using Exchange management

Create a domain service account to run the FIM Synchronization Service

You must create a service account to run the FIM Synchronization Service. This service account must be a domain service account. This account should not be a local administrator account.

Using ADUC

Create a domain FIM Service management agent account

You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account.

Using ADUC

Configure the service accounts running the FIM 2010 server components in a secure manner
As mentioned previously, there are two service accounts that are used to run the FIM server components. They are called the FIM Service service account(SA-FIMService ) and the FIM Synchronization Service service account (SA-FIMSyncService). The FIM MA (SA-FIMServiceMA)account is not considered a service account, and it should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA must be able to log on locally.

To enable the FIM MA to log on locally

This is done on the FIM server

  1. Click Start, and then click Administrative Tools.
  2. Click Local Security Policy, and then click Local Policies\User Rights Assignment.
  3. In the policy Allow log on locally, ensure that the FIM MA account is explicitly specified, or add it to one of the groups that is already granted access.
  4. Be aware of GPOs that might overwrite this!!!

Because I am running all the services on one server I skipped the section with the Deny settings

The service accounts should not be members of the local administrators group.
The FIM Synchronization Service service account should not be a member of the security groups that are used to control access to FIM Synchronization Service (groups starting with FIMSync, for example, FIMSyncAdmins).

Ensure that the Exchange Web Service and IIS default Web site are not both configured to use port 80

I do not have Exchange Web Services installed on the FIM Server.

Ensure that English is installed in SharePoint Services

I am only using English

Ensure that a SharePoint Default Web site is installed

Before you install the FIM Portal and Password Portal, run the SharePoint 3.0 Services Configuration Wizard. This creates a default SharePoint site for you.
Verify the installation by navigating to http://localhost:80 on the server where you will install the FIM Portal. You should see a SharePoint site and not the standard Welcome to IIS7 message. If you see the Welcome to IIS7 message, reconfigure Office SharePoint to display a default SharePoint site at this server address or the address where you installed Office SharePoint.

Mine works with a Basic and default install of SharePoint Services

Select the correct identity for the SharePoint Application Pool

By default, IIS uses the Network Service account for the Application Pool.

Change this to a Domain Service Account for SharePoint to use. Later you will enable Kerberos delegation, and only one identity can use one Service Principal Name (SPN).

To run the SharePoint Application Pool using an account that is located in the domain

Create an account in the domain for use by the SharePoint Application Pool.

Using ADUC

Start SharePoint 3.0 Central Administration from Administrative Tools.

On the FIM Server

Select Operations and Service Accounts.

Select Web Application Pool, and select Windows SharePoint Services Web Application. Select the SharePoint Application Pool where the FIM Portal will be installed, which by default is SharePoint – 80.

Enter the user name and password for the service account that you created in the first step.

Click OK to save your changes.

Enable the Application Pool to use the service account for Kerberos.

Implement Secure Sockets Layer for FIM Portal

Frankly I do not care how you get the certificate into IIS, in my case I use a self generated one as this is a lab.

Click Sites, and then select Sharepoint – 80.

Click Bindings, and then click Add.

Select https.

For certificate, select the one that has the same name as the server.

Click OK.

Remove the HTTP binding.

Now you need to change Sharepoint to use the new setting

Click Start, click Administrative Tools, and then click Sharepoint 3.0 Central Administration.

Click Operations, and then click Alternate Access Mappings.

Click http://servername.

Change http://servername to https://servername, and then click OK.

Click Start, Run, enter iisreset, and then click OK.Configure SQL Server

A lot of this was done when I setup SQL and is not covered here.

Before you install the FIM Service, certain tasks should be completed and verified on the server that is running SQL.
Ensure that the service accounts used by SQL Server Database and SQL Server Agent are domain accounts, do not use local computer accounts.

This was done when I setup the SQL server

When the FIM Service and FIM Synchronization Service are installed, the data and log files are created in the default locations that are specified by SQL. For optimal performance, these should be located on different drives and on different spindles.

This was done when I setup the SQL server

Configure SQL aliases

I will be using the default settings on the SQL server so I do not need to change this.

Configure SQL collation settings

This was done when I setup the SQL server (Defaults are fine)

Establish SPNs for FIM 2010

SPNs are necessary for the Kerberos v5 protocol to be used for authentication. Enabling Kerberos helps to make the traffic secure, and it is required for the clients to be able to communicate with the FIM Service. SPNs must be registered in the domain for Kerberos to work.
To establish the SPNs for the FIM Service

Establish the SPNs for the FIM Service by running the following command:

I did this on the FIM Server but you can do it on any server.

setspn -s FIMService/fim ad\SA-FIMService

setspn -s FIMService/ ad\SA-FIMService

Turn on Kerberos delegation for the FIM Service service account in AD DS.

Use ADUC on the Computer object for the FIM Server

Other steps were skipped as they did not apply to my Lab setup

Accounts made were:

SA-FIMService Mail enabled

Posted in FIM, Lab • Tags: , Top Of Page

Write a comment

You need to login to post comments!