Service Accounts, SPNs, and Kerberos Delegation configurations for MIM Service and Portal Installation
Introduction:
This document is intended to be used as an operational preparatory document for the Microsoft Identity Manager 2016 (MIM) Service and Portal server installation. It covers the service accounts, Service Principal Names (SPNs), and Kerberos delegation needed for the MIM 2016 Service and Portal.
Using this Guide:
You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.
Document Variables:
| Description | Search and Replace Variable |
|---|---|
| Full Domain Name (ex. Contoso.com) | [FQDOMAIN] |
| Common name of the first MIM Service and Portal Server (ex. Portal01) | [MIM SERVER 1] |
| Common name of the second MIM Service and Portal Server (ex. Portal02) | [MIM SERVER 2] |
| Common name of the MIM Service and Portal URL (ex. MIMPORTALVIP) | [MIM VIP] |
| Common name of the MIM Installation Service Account (ex. MIMInstall) | [INSTALL ACCOUNT] |
| Common name of the MIM MA Service Account (ex. MIMMA) | [MIM MA SERVICE ACCOUNT] |
| Common name of the MIM Service Account (ex. MIMService) | [MIM SERVICE ACCOUNT] |
| Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP) | [MIM SAP ACCOUNT] |
Service Accounts:
The following service accounts are used in the installation and configuration of the MIM Service and Portal. The rights and group memberships associated with each account are listed below:

| Service Account Name | Usage | Notes |
|---|---|---|
| [MIM MA SERVICE ACCOUNT] | Account used by the MIM Sync server for the FIM Service (MIM) Management Agent. | Allow log on locally rights assignment. |
| [MIM SERVICE ACCOUNT] | Account the MIM Service runs as on the MIM Service server; also the MIM Portal service account. | Deny log on as a batch job; Deny log on locally; Deny access to this computer from the network. Must be a member of the FIMSyncAdmins group. If using password reset, must also be a member of the FIMSyncPasswordSet group. |
| [MIM SAP ACCOUNT] | SharePoint application pool account on the MIM Service server, used by the MIM SharePoint application on the MIM Portal server(s). | Impersonate a client after authentication; Log on as a batch job; Log on as a service. |
| [INSTALL ACCOUNT] | Account used for the initial installation of the MIM software. | Needs local admin on the Sync server and SQL admin rights. Optional: Domain Admin, to create the domain groups. |
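The rights in the table are usually assigned through Group Policy or the Local Security Policy console, and the most common installation failure is a right that was set on the wrong server or for the wrong account. The script below is an added example (not part of the original page) that exports the local user-rights policy with `secedit` and compares it with the table. It assumes sample account names for the placeholders (a NetBIOS domain name `CONTOSO`, accounts `MIMMA`, `MIMService`, `MIMSAP`) and must be run elevated on the server being checked: the MIM Service/Portal server for the service and application pool accounts, the Sync server for the MA account. The group-membership check at the end needs the ActiveDirectory module (RSAT).

```powershell
# Added example, not part of the original page. Run elevated on the server being
# checked. The names below are sample values for the page's placeholders; replace them.
$Domain         = 'CONTOSO'             # NetBIOS name of [FQDOMAIN] (assumed)
$MaAccount      = "$Domain\MIMMA"       # [MIM MA SERVICE ACCOUNT]
$ServiceAccount = "$Domain\MIMService"  # [MIM SERVICE ACCOUNT]
$SapAccount     = "$Domain\MIMSAP"      # [MIM SAP ACCOUNT]

# Privilege constants as secedit writes them, mapped from the table's wording.
$Expected = @(
    @{ Account = $MaAccount;      Right = 'SeInteractiveLogonRight';     Note = 'Allow log on locally (Sync server only)' },
    @{ Account = $ServiceAccount; Right = 'SeDenyBatchLogonRight';       Note = 'Deny log on as a batch job' },
    @{ Account = $ServiceAccount; Right = 'SeDenyInteractiveLogonRight'; Note = 'Deny log on locally' },
    @{ Account = $ServiceAccount; Right = 'SeDenyNetworkLogonRight';     Note = 'Deny access to this computer from the network' },
    @{ Account = $SapAccount;     Right = 'SeImpersonatePrivilege';      Note = 'Impersonate a client after authentication' },
    @{ Account = $SapAccount;     Right = 'SeBatchLogonRight';           Note = 'Log on as a batch job' },
    @{ Account = $SapAccount;     Right = 'SeServiceLogonRight';         Note = 'Log on as a service' }
)

function Get-LocalUserRights {
    # Returns a hashtable: privilege name -> resolved account names that hold it.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $members = foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit stores SIDs prefixed with '*'; translate each to DOMAIN\name.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # orphaned SID (deleted principal): keep the raw value
            } else { $entry }
        }
        $rights[$name] = @($members)
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-LocalUserRights
$report = foreach ($e in $Expected) {
    [pscustomobject]@{
        Account = $e.Account
        Right   = $e.Right
        Note    = $e.Note
        Present = (@($rights[$e.Right]) -contains $e.Account)   # -contains is case-insensitive
    }
}
$report | Format-Table -AutoSize

# Group memberships from the table (needs the ActiveDirectory module).
Import-Module ActiveDirectory
foreach ($g in 'FIMSyncAdmins', 'FIMSyncPasswordSet') {
    $members = (Get-ADGroupMember -Identity $g -Recursive).SamAccountName
    [pscustomobject]@{ Group = $g; ServiceAccountIsMember = ($members -contains 'MIMService') }
}
```

A `Present` value of `False` for one of the Deny rights on the MIM Service server means the account is left with more logon paths than the table intends; a `False` for `SeServiceLogonRight` or `SeImpersonatePrivilege` on the application pool account is the usual reason the portal's application pool fails to start or cannot act on behalf of users.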
Setup Service Principal Names for MIM Service Accounts:
Configure SPN Commands:
SETSPN -S http/[MIM SERVER 1] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM SERVER 1].[FQDOMAIN] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM SERVER 2] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM SERVER 2].[FQDOMAIN] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM VIP] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM VIP].[FQDOMAIN] [MIM SAP ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 1] [MIM SERVICE ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 1].[FQDOMAIN] [MIM SERVICE ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 2] [MIM SERVICE ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 2].[FQDOMAIN] [MIM SERVICE ACCOUNT]
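The `setspn -S` commands above already refuse to register an SPN that exists elsewhere in the forest, which is the right default: an SPN must be unique, and a duplicate leaves the KDC unable to tell which account owns the service, so Kerberos authentication to it fails or is issued for the wrong principal. The script below is an added example (not part of the original page) that builds the same SPN set with the ActiveDirectory module, reports any conflicting owner before adding, and finishes with a forest-wide duplicate scan. It assumes sample values for the placeholders (`contoso.com`, `Portal01`, `Portal02`, `MIMPORTALVIP`, `MIMSAP`, `MIMService`) and rights to edit both service accounts. Note that the delegation listing in the next section also shows `FIMService/[MIM VIP].[FQDOMAIN]`; if clients reach the MIM Service through the VIP name, that SPN pair must exist as well and can be added to `$Planned`.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# module (RSAT). The names below are sample values for the page's placeholders.
Import-Module ActiveDirectory

$FqDomain       = 'contoso.com'             # [FQDOMAIN]
$PortalServers  = @('Portal01', 'Portal02') # [MIM SERVER 1], [MIM SERVER 2]
$PortalVip      = 'MIMPORTALVIP'            # [MIM VIP]
$SapAccount     = 'MIMSAP'                  # [MIM SAP ACCOUNT]
$ServiceAccount = 'MIMService'              # [MIM SERVICE ACCOUNT]

# Same SPN set as the setspn commands above: short and FQDN http/ names for each
# portal host and the VIP on the app pool account, FIMService/ names for each
# host on the MIM Service account.
$Planned = @()
foreach ($h in ($PortalServers + $PortalVip)) {
    $Planned += [pscustomobject]@{ Spn = "http/$h";           Account = $SapAccount }
    $Planned += [pscustomobject]@{ Spn = "http/$h.$FqDomain"; Account = $SapAccount }
}
foreach ($h in $PortalServers) {
    $Planned += [pscustomobject]@{ Spn = "FIMService/$h";           Account = $ServiceAccount }
    $Planned += [pscustomobject]@{ Spn = "FIMService/$h.$FqDomain"; Account = $ServiceAccount }
}

foreach ($p in $Planned) {
    $target = Get-ADUser -Identity $p.Account
    # Look for any object in the domain that already carries this SPN.
    $owners   = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$($p.Spn))")
    $conflict = @($owners | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })
    if ($conflict.Count -gt 0) {
        Write-Warning "$($p.Spn) is already registered on $($conflict[0].DistinguishedName); not adding a duplicate"
        continue
    }
    if ($owners.Count -eq 0) {
        Set-ADUser -Identity $p.Account -ServicePrincipalNames @{ Add = $p.Spn }
        Write-Output "Registered $($p.Spn) on $($p.Account)"
    } else {
        Write-Output "$($p.Spn) already present on $($p.Account)"
    }
}

# Final forest-wide duplicate scan (same report as running setspn -X by hand).
setspn -X -F
```

Run the scan again after any later rename of a portal host or VIP: a decommissioned server whose computer account still carries an `http/` SPN for a name now pointing at the portal is the typical source of a duplicate.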
Setup Kerberos Delegation:
| Service Account | Delegation Account | Description |
|---|---|---|
| [MIM SAP ACCOUNT] | [MIM SERVICE ACCOUNT] | The MIM Portal needs to access the MIM Service on the MIM Service server. The MIM Portal uses Kerberos constrained delegation to act on behalf of the user. |
| [MIM SERVICE ACCOUNT] | [MIM SERVICE ACCOUNT] | Needed in the event a workflow running in the MIM Service needs to access the MIM Service. |
After configuring the Service Principal Names noted in the previous section, the following delegations must be configured to ensure proper Kerberos delegation functionality.
MIM SAP ACCOUNT [MIM SAP ACCOUNT] DELEGATION
1. Launch Active Directory Users and Computers.
2. Select the [MIM SAP ACCOUNT] service account.
3. Right-click and select Properties.
4. Select the Delegation tab.
5. Select Trust this user for delegation to specified services only.
6. Select Use Kerberos only.
7. Select Add.
8. Select the Users or Computers button.
9. Enter [MIM SERVICE ACCOUNT].
10. Select Check Names.
11. Select OK.
Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows:

| Service Type | User or Computer |
|---|---|
| http | [MIM VIP].[FQDOMAIN] |
| http | [MIM SERVER 1].[FQDOMAIN] |
| http | [MIM SERVER 2].[FQDOMAIN] |
MIM SERVICE ACCOUNT [MIM SERVICE ACCOUNT] DELEGATION
1. Launch Active Directory Users and Computers.
2. Select the [MIM SERVICE ACCOUNT] service account.
3. Right-click and select Properties.
4. Select the Delegation tab.
5. Select Trust this user for delegation to specified services only.
6. Select Use Kerberos only.
7. Select Add.
8. Select the Users or Computers button.
9. Enter [MIM SERVICE ACCOUNT].
10. Select Check Names.
11. Select OK.
Once complete, delegation for the [MIM SERVICE ACCOUNT] account should appear as follows:

| Service Type | User or Computer |
|---|---|
| FIMService | [MIM VIP].[FQDOMAIN] |
| FIMService | [MIM SERVER 1].[FQDOMAIN] |
| FIMService | [MIM SERVER 2].[FQDOMAIN] |
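The two delegations above, configured and verified with the ActiveDirectory module instead of the ADUC dialog, as an added example that is not part of the original page. It assumes sample account names for the placeholders (`MIMSAP`, `MIMService`) and that the SPNs from the previous section are already registered. Picking [MIM SERVICE ACCOUNT] in the Users or Computers dialog adds the SPNs registered on that account to the delegating account's `msDS-AllowedToDelegateTo` attribute, which the script does directly. "Use Kerberos only" corresponds to leaving the TRUSTED_TO_AUTH_FOR_DELEGATION flag clear (the other radio button, "Use any authentication protocol", sets it and allows protocol transition), and "specified services only" means TRUSTED_FOR_DELEGATION (unconstrained delegation) stays clear; the verification function checks both, and the closing audit lists every user account in the domain that has any constrained delegation set.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# module (RSAT) and that the SPNs on the MIM Service account already exist.
Import-Module ActiveDirectory

$SapAccount     = 'MIMSAP'       # [MIM SAP ACCOUNT]
$ServiceAccount = 'MIMService'   # [MIM SERVICE ACCOUNT]

function Set-ConstrainedDelegation {
    param(
        [string]$FromAccount,   # account that is allowed to delegate
        [string]$ToAccount      # account whose registered SPNs become the allowed targets
    )
    $targets = (Get-ADUser -Identity $ToAccount -Properties servicePrincipalName).servicePrincipalName
    if (-not $targets) { throw "$ToAccount has no SPNs registered; register them first" }

    # Equivalent of adding the account in the Users or Computers picker.
    Set-ADUser -Identity $FromAccount -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$targets }

    # "Use Kerberos only": no protocol transition. "Specified services only": not unconstrained.
    Set-ADAccountControl -Identity $FromAccount -TrustedToAuthForDelegation $false -TrustedForDelegation $false
}

function Test-ConstrainedDelegation {
    param([string]$Account, [string[]]$ExpectedTargets)
    $u = Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    $actual  = @($u.'msDS-AllowedToDelegateTo')
    $missing = @($ExpectedTargets | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $ExpectedTargets -notcontains $_ })
    [pscustomobject]@{
        Account            = $Account
        Unconstrained      = [bool]$u.TrustedForDelegation        # must be False
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation  # must be False for "Kerberos only"
        MissingTargets     = $missing
        UnexpectedTargets  = $extra
        Ok = (-not $u.TrustedForDelegation) -and (-not $u.TrustedToAuthForDelegation) -and
             ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    }
}

# Apply the two rows of the delegation table, then verify each.
Set-ConstrainedDelegation -FromAccount $SapAccount     -ToAccount $ServiceAccount
Set-ConstrainedDelegation -FromAccount $ServiceAccount -ToAccount $ServiceAccount

$fimSpns = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
Test-ConstrainedDelegation -Account $SapAccount     -ExpectedTargets $fimSpns
Test-ConstrainedDelegation -Account $ServiceAccount -ExpectedTargets $fimSpns

# Audit: every user account with constrained delegation, flagging protocol transition.
Get-ADUser -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
```

Because `Set-ConstrainedDelegation` derives the target list from the SPNs actually registered on the MIM Service account, any SPN added later (for example a FIMService entry for the VIP) is picked up by simply re-running it; `-Replace` keeps the attribute in sync rather than accumulating stale entries.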
Comments
- Anonymous
June 26, 2018
Hi,

I was reading your post and it appears based on the delegation shown above for the [MIM Service Account] you need to also create the following SPNs:

SETSPN -S FIMService/[MIMVP] [MIMService]
SETSPN -S FIMService/[MIMVP].[FQDOMAIN] [MIMService]

Cheers,
Wes