FIM 2010 Installation Companion: Accounts
Overview / Purpose
The purpose of this document is to provide additional assistance and guidance alongside the actual Forefront Identity Manager 2010 installation guide. It is meant as a companion document to help you prepare for your installation of the Microsoft Forefront Identity Manager 2010 product.
This document is a guideline intended to make the installation easier.
Suggested Accounts
FIMInstall (or the account executing the installation)
This is a suggested account, not a mandatory one. It is suggested because the installing account needs some elevated privileges to get the product installed:
- It will need sysadmin permissions (the sysadmin fixed server role) on the backend SQL Server.
- It should have Local Administrator permissions on each machine executing the installation of one of the pieces of FIM.
- It needs to be a member of the SharePoint Farm Administrators group.
The easiest way to ensure that the installing account has sysadmin permissions and Local Administrator permissions would be to make the account a Domain Admin account. In either case, it is recommended that the account be at least a Domain User account, as the different pieces of FIM are installed across different machines.
Once the product is installed, this account can be disabled and only enabled again for hotfix installations, as a hotfix installation requires the same permissions as the installation of the main product.
It is a good idea, though not necessary, to have a generic FIMINSTALL account so that there is a dedicated main FIM Administrator account in the FIM Portal.
Use this account for all hotfix installations as well.
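The following PowerShell is an added example, not part of the original article: a pre-flight check for the installing account covering the three requirements listed above (domain account, Local Administrator on every FIM machine, sysadmin on the backend SQL Server), plus the post-install step of disabling the account again. It assumes the ActiveDirectory module and the SQL Server PowerShell module (Invoke-Sqlcmd) are installed where it runs, that the WinNT ADSI provider can reach the FIM servers, and that CONTOSO\FIMInstall, SQL01\FIM, FIMSYNC01 and FIMSVC01 are constructed placeholder names.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT) and
# the SQL Server module that provides Invoke-Sqlcmd (SQLPS or SqlServer).
Import-Module ActiveDirectory

function Get-LocalAdministrators {
    # Enumerates the local Administrators group on $Computer through the WinNT ADSI provider,
    # which also works on Windows Server 2008 R2-era hosts where Get-LocalGroupMember does not exist.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/FIMInstall; normalise it to CONTOSO\FIMInstall
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Test-FimInstallAccount {
    param(
        [string]$InstallAccount = 'CONTOSO\FIMInstall',      # constructed placeholder
        [string]$SqlInstance    = 'SQL01\FIM',                # constructed placeholder
        [string[]]$FimServers   = @('FIMSYNC01', 'FIMSVC01')  # constructed placeholders
    )
    $checks = [ordered]@{}
    $domain, $sam = $InstallAccount -split '\\', 2

    # 1. Domain account: the FIM pieces live on several machines, so a local or built-in account cannot be used.
    $checks['DomainAccount'] = [bool]$sam -and (@('.', 'BUILTIN', 'NT AUTHORITY') -notcontains $domain)

    # 2. Is the account a Domain Admin (the shortcut the article mentions)? If so it reaches the local
    #    Administrators group on every member server through the nested "Domain Admins" group.
    $isDomainAdmin = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                            Where-Object { $_.SamAccountName -ieq $sam })
    $checks['DomainAdmin'] = $isDomainAdmin

    # 3. Local Administrator on every machine that will run a piece of the setup, directly or via Domain Admins.
    foreach ($server in $FimServers) {
        $members = @(Get-LocalAdministrators -Computer $server)
        $checks["LocalAdmin:$server"] = ($members -contains $InstallAccount) -or
                                        ($isDomainAdmin -and ($members -contains "$domain\Domain Admins"))
    }

    # 4. sysadmin fixed server role on the backend SQL Server. IS_SRVROLEMEMBER returns 1 for a member,
    #    0 for a non-member and NULL when no login by that name exists. Single quotes are doubled so the
    #    account name cannot break out of the T-SQL string literal.
    $login = $InstallAccount -replace "'", "''"
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "SELECT IS_SRVROLEMEMBER('sysadmin', '$login') AS IsSysAdmin"
    $checks['SqlSysAdmin'] = ($row.IsSysAdmin -eq 1)

    # SharePoint Farm Administrators membership is confirmed in Central Administration (see the
    # SharePoint Permissions list below) and is not automated here.
    [pscustomobject]$checks
}

function Disable-FimInstallAccount {
    # After the installation, and again after each hotfix, the account goes back to disabled.
    param([string]$SamAccountName = 'FIMInstall')   # constructed placeholder
    Disable-ADAccount -Identity $SamAccountName
    Get-ADUser -Identity $SamAccountName | Select-Object SamAccountName, Enabled
}

# Usage (placeholders): run before starting setup, then disable the account when setup is finished.
Test-FimInstallAccount -InstallAccount 'CONTOSO\FIMInstall' -SqlInstance 'SQL01\FIM' -FimServers 'FIMSYNC01', 'FIMSVC01' | Format-List
# Disable-FimInstallAccount -SamAccountName 'FIMInstall'
```

Every check is returned as a property rather than printed, so the object can be kept with the installation records; a false LocalAdmin value for a Domain Admin account usually means the server is not joined to the same domain or the ADSI call could not reach it.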
SharePoint Permissions (These are configured in SharePoint Central Administration)
- SharePoint Farm Administrators Group
- SharePoint Site Administrators
Possible installation issues:
Svc_FimSync
- This account is the FIM Synchronization Service Account.
- The account can be either an account local to the FIM Synchronization Service machine, or a Domain User Account.
- If you intend to set up a high-availability scenario with the FIM Synchronization Service, then this account will need to be a Domain User Account.
Svc_FimService
- This account is the FIM Web Service Account.
- It should be a Domain Account, as it will require Service Principal Names (SPNs) in a distributed FIM Solution.
- A Domain User Account is sufficient for this account.
- It is a good idea to go ahead and create a mailbox for the FIM Web Service Account.
- The FIM Web Service does send e-mail, depending on how your FIM Solution is configured.
Svc_SharePointService
- This account is the SharePoint - 80 Application Pool Account.
- The account should be a Domain User Account.
FimMa (FIM Service Management Agent Account)
- The FIM MA account is the user account that is used inside the FIM Service Management Agent.
- The account should be a Domain User Account.
- The account specified in the FIM Service Management Agent must match the account stored in this registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService\SynchronizationAccount
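The following PowerShell is an added example, not part of the original article. It reads the SynchronizationAccount value from the FIMService registry key quoted above on the FIM Service server, compares it with the account typed into the FIM Service Management Agent, and confirms that the account is an enabled domain user. It assumes the Remote Registry service is reachable on the FIM Service server, that the ActiveDirectory module is installed, and that FIMSVC01 and CONTOSO\FimMa are constructed placeholders.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FimSynchronizationAccount {
    # Reads HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService\SynchronizationAccount
    # on the FIM Service server through the Remote Registry service (no PowerShell remoting needed).
    param([string]$FimServiceServer = 'FIMSVC01')   # constructed placeholder
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $FimServiceServer)
    try {
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\services\FIMService')
        if (-not $key) { throw "FIMService key not found on $FimServiceServer; is the FIM Service installed there?" }
        $key.GetValue('SynchronizationAccount')
    }
    finally { $base.Close() }
}

function Test-FimMaAccount {
    param(
        [string]$FimServiceServer = 'FIMSVC01',       # constructed placeholder
        [string]$MaAccount        = 'CONTOSO\FimMa'   # the account configured in the FIM Service MA (placeholder)
    )
    $registryAccount = Get-FimSynchronizationAccount -FimServiceServer $FimServiceServer

    # Compare case-insensitively and ignore stray whitespace; the two strings must otherwise be identical,
    # so a DOMAIN\user value on one side and a UPN on the other is reported as a mismatch on purpose.
    $isMatch = ([string]$MaAccount).Trim().ToUpperInvariant() -eq ([string]$registryAccount).Trim().ToUpperInvariant()

    # The MA account should be an enabled, non-locked Domain User; LockedOut is a frequent cause of a
    # FIM Service MA that suddenly stops running.
    $sam  = ($MaAccount -split '\\')[-1]
    $user = Get-ADUser -Identity $sam -Properties Enabled, LockedOut, PasswordNeverExpires

    [pscustomobject]@{
        FimServiceServer     = $FimServiceServer
        RegistryAccount      = $registryAccount
        MaAccount            = $MaAccount
        Match                = $isMatch
        Enabled              = $user.Enabled
        LockedOut            = $user.LockedOut
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

# Usage (placeholders):
Test-FimMaAccount -FimServiceServer 'FIMSVC01' -MaAccount 'CONTOSO\FimMa' | Format-List
```

A Match of False means the FIM Service MA and the FIM Service disagree on the synchronization account and the MA will not be able to connect; correct whichever side is wrong rather than widening permissions on either account.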
Other Possible Accounts
Based on your FIM Solution, you may want to create some other accounts. Here are some other possible accounts that you may consider creating prior to executing the installation of the Microsoft Forefront Identity Manager product.
*NOTE: Remember that these are only suggested names for the accounts, and it is suggested that you create them prior to executing the installation.
The accounts below are very commonly used for common solutions, such as Self-Service Password Reset (SSPR) and GalSync. If your FIM Solution is going to work with other data sources, you may consider creating those accounts now. For example, if you are incorporating a SQL Server Management Agent you may want to create an account to work with SQL Server, or if you are working with SAP, you may want to get the SAP Management Agent account created at this time.
userADMA
- This user is for use in an Active Directory Management Agent.
- An Active Directory Management Agent would be used in:
  - Self-Service Password Reset (SSPR) Solutions
  - Hire - Fire Scenario Solutions
- This user should be a Domain Account, as it will need access to Active Directory resources.
- A Domain User account is sufficient for this user.
- Permissions:
The required permissions for the Active Directory Management Agent account depend on the solution being developed, because the FIM Solution may only need to work with certain Organizational Units and certain Active Directory object types, for example:
- Specific Organizational Units
- Active Directory Users / Contacts
- Active Directory Groups
The one permission that the Active Directory Management Agent account will always need is Replicate Directory Changes.
FIM Solutions that would utilize the Active Directory Management Agent:
- If you are not writing anything to Active Directory, then you will only need Read permissions on the Active Directory objects that are included in the solution.
Self-Service Password Reset Solution
*NOTE: Be sure to apply these permissions to Descendant User Objects.
- Object Tab
  - Change Password
  - Reset Password
- Properties Tab
  - Read lockoutTime
  - Write lockoutTime
- Depending on your FIM Solution and your Business Rules, you may need to place the user in some Security Groups to allow it to perform other actions.
- How to configure the Active Directory Management Agent Account
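The following PowerShell is an added example, not part of the original article or the linked configuration guide. It delegates to the Active Directory Management Agent account exactly the rights listed above, using dsacls.exe (available on domain controllers and with RSAT): Replicate Directory Changes on the domain, the read-only baseline for solutions that do not write to Active Directory, and, when -Sspr is given, the Change Password and Reset Password rights and Read/Write lockoutTime on descendant user objects. CONTOSO\userADMA, DC=contoso,DC=com and OU=Staff,DC=contoso,DC=com are constructed placeholders; the extended right the article calls "Replicate Directory Changes" is named "Replicating Directory Changes" in dsacls.

```powershell
# Added example, not from the original article. Run from an account allowed to modify the ACL of
# the target OUs and the domain naming context; use -WhatIf first to review the planned changes.
function Grant-FimAdmaPermissions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Account    = 'CONTOSO\userADMA',               # constructed placeholder
        [string]$DomainDn   = 'DC=contoso,DC=com',              # constructed placeholder
        [string[]]$ScopeOus = @('OU=Staff,DC=contoso,DC=com'),  # only the OUs the solution manages (placeholder)
        [switch]$Sspr                                           # add the SSPR rights from the list above
    )

    # dsacls ACE syntax: account:permissions;[object type];[inherited object type]
    # CA = control access (extended right), GR = generic read, RP/WP = read/write property.
    $grants = @()

    # Needed by every solution: Replicating Directory Changes on the domain naming context.
    $grants += @{ Object = $DomainDn; Inherit = $null; Ace = "${Account}:CA;Replicating Directory Changes" }

    foreach ($ou in $ScopeOus) {
        # Read-only baseline on descendant users, contacts and groups (the "only Read permissions" case).
        foreach ($class in 'user', 'contact', 'group') {
            $grants += @{ Object = $ou; Inherit = 'S'; Ace = "${Account}:GR;;$class" }
        }
        if ($Sspr) {
            # Object tab: Change Password and Reset Password on descendant user objects only.
            $grants += @{ Object = $ou; Inherit = 'S'; Ace = "${Account}:CA;Change Password;user" }
            $grants += @{ Object = $ou; Inherit = 'S'; Ace = "${Account}:CA;Reset Password;user" }
            # Properties tab: Read and Write lockoutTime on descendant user objects only.
            $grants += @{ Object = $ou; Inherit = 'S'; Ace = "${Account}:RPWP;lockoutTime;user" }
        }
    }

    foreach ($g in $grants) {
        $dsaclsArgs = @($g.Object)
        if ($g.Inherit) { $dsaclsArgs += "/I:$($g.Inherit)" }   # S = apply to descendant objects only
        $dsaclsArgs += '/G', $g.Ace                                # PowerShell quotes the ACE (it contains spaces)
        if ($PSCmdlet.ShouldProcess($g.Object, "dsacls $($dsaclsArgs -join ' ')")) {
            & dsacls.exe @dsaclsArgs | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting '$($g.Ace)' on $($g.Object)" }
        }
    }
}

function Show-FimAdmaPermissions {
    # Lists the ACEs that mention the account so the delegation can be reviewed after it is applied.
    param(
        [string]$Account  = 'CONTOSO\userADMA',              # constructed placeholder
        [string]$ObjectDn = 'OU=Staff,DC=contoso,DC=com'     # constructed placeholder
    )
    & dsacls.exe $ObjectDn | Select-String -SimpleMatch $Account
}

# Usage (placeholders): preview, apply the SSPR set, then review what was written.
Grant-FimAdmaPermissions -Account 'CONTOSO\userADMA' -DomainDn 'DC=contoso,DC=com' -ScopeOus 'OU=Staff,DC=contoso,DC=com' -Sspr -WhatIf
Grant-FimAdmaPermissions -Account 'CONTOSO\userADMA' -DomainDn 'DC=contoso,DC=com' -ScopeOus 'OU=Staff,DC=contoso,DC=com' -Sspr
Show-FimAdmaPermissions  -Account 'CONTOSO\userADMA' -ObjectDn 'OU=Staff,DC=contoso,DC=com'
```

Scoping the grants to the OUs the solution actually manages, rather than to the domain root, is what keeps the userADMA account from becoming a domain-wide password-reset principal; only Replicating Directory Changes has to sit at the domain level.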
userGALSYNC
- This user is for use in a GalSync Management Agent.
- If you are developing a GalSync Solution, then you will need a GalSync user account in each of the forests.
- For the permissions needed by the GalSync user account, review Permissions for GalSync User on the GalSync Resource Wiki.
Other FIM Installation Resources
- FIM 2010: Planning security setup for accounts, groups and services
- Forefront Identity Manager 2010 Deployment (Installation Guide)
- Forefront Identity Manager 2010 Hotfix Installation Companion (MSP Information)
- Forefront Identity Manager 2010 - FIM Installation Companion - ServicePrincipleNames (SPNs) - Adding and Troubleshooting