Step 7: Perform FIM 2010 R2 Prerequisite Tasks

The FIM1 prerequisites for the Forefront Identity Manager 2010 R2 test lab consist of the following:

  • Create the FIM Service Accounts

  • Mailbox-Enable the CORP\FIMService Account

  • Secure the CORP\FIMService and CORP\FIMSynchService Accounts

  • Set the SQL Server Agent Service to Start Automatically

  • Enable SQL Firewall Ports on APP1, APP2, and APP3

  • Enable SQL Server Network Protocols on APP1, APP2, and APP3

  • Verify That the FIM Installation Account Has SharePoint Permissions

  • Change the SharePoint Application Pool Account to Use CORP\SPService

  • Configure IIS to Use CORP\SPService for Kerberos Ticket Decryption

  • Set the SPNs for CORP\SPService

  • Set the SPNs for CORP\FIMService

  • Set the SPNs for CORP\SQLDatabase

  • Set the SPNs for CORP\FIM2$

  • Turn on Delegation for CORP\SPService

  • Turn on Delegation for CORP\FIMService

  • Create DNS A records for passwordreset.corp.contoso.com and passwordregistration.corp.contoso.com

  • Start the SharePoint 2010 Administration service

Create the FIM Service Accounts

Five service accounts need to be created in corp.contoso.com that will be used with the Forefront Identity Manager 2010 R2 installation.

Table 1 – Service Accounts

Full name                 User logon name    Forest              Password
FIM Service               FIMService         corp.contoso.com    Pass1word$
FIM Synch Service         FIMSynchService    corp.contoso.com    Pass1word$
FIM MA                    FIMMA              corp.contoso.com    Pass1word$
FIM PW Service Account    FIMPassword        corp.contoso.com    Pass1word$
SharePoint Service        SPService          corp.contoso.com    Pass1word$

To create the Service Accounts

  1. Log on to DC1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  4. Now, right-click ServiceAccounts, select New, and then select User. This will bring up the New Object – User window.

  5. On the New Object – User screen, in the Full Name box, type the following text:
    FIM Service

  6. On the New Object – User screen, in the User logon name box, type the following text, and then click Next:
    FIMService

  7. On the New Object – User screen, in the Password box, type the following text:
    Pass1word!

  8. On the New Object – User screen, in the Confirm Password box, type the following text:
    Pass1word!

  9. On the New Object – User screen, clear the User must change password at next logon check box.

  10. On the New Object – User screen, select Password never expires, and then click Next.

  11. Click Finish.

  12. Repeat these steps for all of the accounts listed in Table 1 (Service Accounts).

    [Screenshot: Service Accounts]

  13. Log off DC1.corp.contoso.com.
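The same five accounts created from Table 1 with the Active Directory module instead of the MMC, as an added example that is not part of the original guide; it assumes the ServiceAccounts OU has the distinguished name given below and embeds the documented lab password (outside a lab, read it with Read-Host -AsSecureString).

```powershell
# Added example, not from the original guide: creates the five accounts from Table 1 in the
# ServiceAccounts OU. Run on DC1 as CORP\Administrator.
# Assumption: the OU distinguished name below. The Table 1 password is embedded only because it
# is the documented test-lab value.
Import-Module ActiveDirectory

$ouPath   = 'OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'   # assumed DN of the ServiceAccounts OU
$password = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force

# Full name and user logon name exactly as listed in Table 1
$accounts = @(
    @{ Name = 'FIM Service';            Sam = 'FIMService'      },
    @{ Name = 'FIM Synch Service';      Sam = 'FIMSynchService' },
    @{ Name = 'FIM MA';                 Sam = 'FIMMA'           },
    @{ Name = 'FIM PW Service Account'; Sam = 'FIMPassword'     },
    @{ Name = 'SharePoint Service';     Sam = 'SPService'       }
)

foreach ($acct in $accounts) {
    $sam = $acct.Sam
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$sam)") {
        Write-Host "$sam already exists, skipping"
        continue
    }
    # Steps 9 and 10 of the procedure: no password change at next logon, password never expires
    New-ADUser -Name $acct.Name -SamAccountName $sam `
        -UserPrincipalName "$sam@corp.contoso.com" -Path $ouPath `
        -AccountPassword $password -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true -Enabled $true
    Write-Host "Created $($acct.Name) ($sam)"
}

# Check: every account in the OU is enabled and has the expected password setting
Get-ADUser -SearchBase $ouPath -Filter * -Properties PasswordNeverExpires |
    Select-Object Name, SamAccountName, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize
```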

Mailbox-Enable the CORP\FIMService Account

Now, create a mailbox for the CORP\FIMService account.

To mailbox-enable the CORP\FIMService account

  1. Log on to the EX1.corp.contoso.com server as Administrator.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

  3. In the Exchange Management Console, click Microsoft Exchange On-Premises. This will start an Initialization.

    Warning

    This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just hit OK.

  4. In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), expand Recipient Configuration, and then click Mailbox.

  5. On the right, in the Actions pane, click New Mailbox to start the New Mailbox Wizard.

  6. On the Introduction page, select User Mailbox, and then click Next.

  7. On the User Type page, select Existing users, and then click Add. This will bring up the Select User – Entire Forest page.

  8. From the list, select FIM Service, click OK, and then click Next.

    [Screenshot: Mailbox-enable FIM Service]

  9. On the Mailbox Settings page, click Next.

  10. On the New Mailbox page, click New.

  11. On the Completion page, verify that it was successful, and then click Finish.

  12. Close the Exchange Management Console.

  13. Log off EX1.corp.contoso.com.

Secure the CORP\FIMService and CORP\FIMSynchService Accounts

Now, you will secure the CORP\FIMService and CORP\FIMSynchService accounts by restricting their logon rights.

Table 2 – FIMService Account and FIMSynchService Permissions

Account                 Permissions
CORP\FIMService         Deny logon as batch job; Deny logon locally; Deny access to this computer from the network
CORP\FIMSynchService    Deny logon as batch job; Deny logon locally; Deny access to this computer from the network

To secure the CORP\FIMService and CORP\FIMSynchService accounts

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Local Security Policy. This will open the Local Security Policy MMC.

  3. In the Local Security Policy MMC, on the left, expand Local Policies, and then click User Rights Assignment.

  4. Now, on the right, scroll down and double-click Deny access to the computer from the network. This will open the Deny access to the computer from the network Properties window.

  5. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  6. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMService;FIMSynchService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  7. On the Deny access to the computer from the network Properties screen, click Apply, and then click OK.

  8. In the Local Security Policy, scroll down and double-click Deny logon as batch job. This will open the Deny logon as batch job Properties window.

  9. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  10. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMService;FIMSynchService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  11. On the Deny logon as batch job Properties screen, click Apply, and then click OK.

  12. In the Local Security Policy, scroll down and double-click Deny logon locally. This will open the Deny logon locally Properties window.

  13. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  14. In the box, below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMService;FIMSynchService
    This should resolve to the FIM Service account and the FIM Synch Service account. Click OK.

  15. On the Deny logon locally Properties screen, click Apply, and then click OK.

    [Screenshot: Secure FIM Accounts]

  16. Close the Local Security Policy.
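The three deny rights from Table 2 applied and then verified with secedit (the tool behind the Local Security Policy MMC), as an added example that is not part of the original guide; the policy constant names are the standard ones for these rights, and the template file paths under %TEMP% are the script's own choice.

```powershell
# Added example, not from the original guide: applies the Table 2 deny rights to both accounts on
# FIM1 and re-exports the policy to confirm each SID is present. Run in an elevated prompt on FIM1.
$accounts = 'CORP\FIMService', 'CORP\FIMSynchService'

# Policy names shown in the MMC and their constants in the exported template
$rights = @{
    'SeDenyBatchLogonRight'       = 'Deny log on as a batch job'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
}

# Templates store principals as *<SID>, so resolve the account names first
$sids = foreach ($a in $accounts) {
    $nt = New-Object System.Security.Principal.NTAccount($a)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export the current user-rights assignments so existing entries are kept
$exportInf = Join-Path $env:TEMP 'fim-rights-export.inf'
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$current = Get-Content $exportInf

# Build a template that merges our SIDs into each right without dropping anyone already listed
$template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
              '[Privilege Rights]')
foreach ($right in $rights.Keys) {
    $line = $current | Where-Object { $_ -match "^$right\s*=" }
    $existing = @()
    if ($line) { $existing = ($line -replace "^$right\s*=\s*", '') -split ',' | ForEach-Object { $_.Trim() } }
    $merged = @($existing + $sids | Select-Object -Unique)
    $template += "$right = " + ($merged -join ',')
}
$applyInf = Join-Path $env:TEMP 'fim-rights-apply.inf'
$template | Set-Content -Path $applyInf -Encoding Unicode
# With /areas USER_RIGHTS only the rights named in the template are touched
secedit /configure /db (Join-Path $env:TEMP 'fim-rights.sdb') /cfg $applyInf /areas USER_RIGHTS | Out-Null

# Verify: export again and confirm every SID appears under every right
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$after = Get-Content $exportInf
foreach ($right in $rights.Keys) {
    $line = ($after | Where-Object { $_ -match "^$right\s*=" }) -join ''
    foreach ($sid in $sids) {
        $state = if ($line.Contains($sid)) { 'OK' } else { 'MISSING' }
        '{0,-48} {1,-48} {2}' -f $rights[$right], $sid, $state
    }
}
```

Any MISSING line means the right is being overridden by domain Group Policy on FIM1, which is where it would then have to be set instead.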

Set the SQL Server Agent Service to Start Automatically

To set SQL Server Agent service to start automatically

  1. Log on to APP1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click Services.

  3. Scroll down to SQL Server Agent (MSSQLSERVER) and double-click it. This will bring up the SQL Server Agent (MSSQLSERVER) Properties.

  4. In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.

    [Screenshot: SQL Server Agent Automatic]

  5. In Services, right-click SQL Server Agent (MSSQLSERVER), and then click Start. This will start the SQL Server Agent.

  6. When this completes, verify that the SQL Server Agent (MSSQLSERVER) has a status of Started.

  7. Close Services.

Enable SQL Firewall Ports on APP1, APP2, and APP3

To enable the firewall ports on APP1, APP2, and APP3

  1. Click Start, select Administrative Tools, and then click Windows Firewall with Advanced Security. This will bring up Windows Firewall with Advanced Security.

  2. On the left, select Inbound Rules, and on the right click New Rule. This will bring up the New Inbound Rule Wizard.

  3. On the Rule Type page, select Port, and then click Next.

  4. On the Protocol and ports page, select TCP, and type the following text in the box next to Specific local ports, and then click Next:
    445

  5. On the Action page, select Allow the connection, and then click Next.

  6. On the Profile page, select Domain, Private, and Public, and then click Next.

  7. On the Name page, type the following text in the box, and then click Finish:
    SQL Server Named Pipes

  8. Repeat these steps for all of the entries in Table 3 below.

    [Screenshot: SQL Firewalls]

  9. Close Windows Firewall with Advanced Security.

  10. Repeat these steps on APP2 and APP3.

Table 3 – SQL Server Firewall Port Exceptions

Protocol    Port number    Name
TCP         445            SQL Server Named Pipes
TCP         1433           SQL Server Listening Port
UDP         1434           SQL Server Browser Service

Enable SQL Server Network Protocols on APP1, APP2, and APP3

To enable SQL Server Network Protocols on APP1, APP2, and APP3

  1. Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and then select SQL Server Configuration Manager. This will bring up the SQL Server Configuration Manager.

  2. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration, and then click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their statuses.

  3. On the right, right-click Disabled next to Named Pipes, and then select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.

    [Screenshot: SQL Network Protocols]

  4. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their states.

  5. On the right, right-click SQL Server (MSSQLSERVER), and select Stop. This will bring up a pop-up box that says stopping this service will also stop the SQLServerAgent. Do you wish to continue? Click Yes. This will stop the SQL Server service.

  6. On the right, right-click SQL Server (MSSQLSERVER), and select Start. This will start the SQL Server service.

  7. On the right, right-click SQL Server Agent, and select Start. This will start the SQL Server Agent service.

  8. Close SQL Server Configuration Manager.

  9. Repeat these steps on APP2 and APP3.

Verify That the FIM Installation Account Has SharePoint Permissions

In this step, you will verify that the FIM Installation account, for example, CORP\Administrator, has SharePoint permissions. If the account that is used to install FIM does not have the correct permissions, the installation will fail.

To verify that the FIM Installation account has SharePoint permissions

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, click All Programs, click Microsoft SharePoint 2010 Products and then click SharePoint 2010 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.

  3. On the left, click Application Management. Now the Application Management page will appear.

  4. Under Site Collections, click Change site collection administrators. This will bring up the Site Collection Administrators page.

  5. Under Primary site collection administration, verify that it says Administrator.

    [Screenshot: Verify SharePoint 1]

  6. At the top of Internet Explorer, enter the new URL https://fim1 in the address box, and then hit Enter. This will bring up the SharePoint 2010 Service home page.

  7. In the upper left corner, click Site Actions and then select Site Settings from the drop-down list. This will bring up the Site Settings page.

  8. Under Users and Permissions, click Site Collection Administrators. This will bring up the Site Collection Administrators page.

  9. Verify that Administrator appears in the box next to Site Collection Administrators.

    [Screenshot: Verify SharePoint 2]

  10. Close Internet Explorer.

Change the SharePoint Application Pool Account to Use CORP\SPService

By default, IIS uses the Network Service account for the application pool. The recommended guidance is to use a dedicated service account instead.

To change the SharePoint Application Pool account to use CORP\SPService

  1. Click Start, click All Programs, click Microsoft SharePoint 2010 Products and then click SharePoint 2010 Central Administration. This will bring up the SharePoint Central Administration in Internet Explorer.

  2. Under Security, click Configure service accounts. This will bring up the Service Accounts page.

  3. From the first drop-down list select Web Application Pool – SharePoint 80.

  4. Under Select an account for this component, click the link Register new managed account. This will bring up the Register Managed Account screen.

  5. In the User name box enter CORP\SPService and in the Password box enter Pass1word$. Click OK.

  6. Now under Select an account for this component, select CORP\SPService from the drop-down.

    Warning

    Be sure Web Application Pool – SharePoint 80 is still selected in the first drop-down. If it is not, re-select it.

    [Screenshot: Change SharePoint App Pool]

  7. Click OK. This will bring up a pop-up that says the SPN must be updated by a domain administrator; this will be done later in this step. Click OK. This will bring up another pop-up that says that iisreset /noforce must be run. Click OK. It may take a minute or two, but then the Operations page will come up.

  8. Close Internet Explorer.

Configure IIS to Use CORP\SPService for Kerberos Ticket Decryption

With the release of IIS 7.0 on Windows Server 2008 and IIS 7.5 on Windows Server 2008 R2, a new mode, kernel-mode authentication, was introduced. In this mode the Kerberos ticket for the responding service is decrypted using the machine account (Local System) of the IIS server, so by default decryption no longer depends on the application pool identity. However, because SharePoint runs as a "farm" (even in single-server configurations), you have to run the site and its authentication under the app pool account, and you still have to set up the SPNs for that account. In addition, kernel-mode authentication will be disabled on the SharePoint server because it is currently not supported on SharePoint Foundation 2010 (https://technet.microsoft.com/en-us/library/gg502606.aspx).

To configure IIS to use CORP\SPService for Ticket Decryption

  1. Navigate to the following directory: C:\Windows\System32\inetsrv\config.

  2. Locate the ApplicationHost.config file, right-click it, and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed programs, and click OK.

  3. Select Notepad, and click OK. This will open the config file in Notepad.

  4. At the top, select Edit, Find, type the following text in the box, and then click Find Next:
    windowsAuthentication enabled="true"

  5. You should now see the first instance and it will look like the Before image below. Insert useKernelMode="false" useAppPoolCredentials="true" in the line so it looks like the After image.

    [Screenshot: Use Kernel Mode, Before]

    [Screenshot: Kernel-mode update, After]

  6. Click Find Next and repeat the above steps. There should be a total of three instances that need to have useKernelMode="false" useAppPoolCredentials="true" added. Two of the instances will have useKernelMode="false" already present. Do not change these.

    Warning

    There will be instances of windowsAuthentication enabled="false". These can be ignored. We only want to change the ones that are set to true.

  7. When you finish the last one, a window will pop up and state that it cannot find windowsAuthentication enabled="true". Click OK.

  8. On the Find box, click Cancel.

  9. At the top of Notepad, select Save. Close Notepad.

  10. Click Start, click All Programs, click Accessories, and then click Command Prompt. This will launch a Command Prompt window.

  11. In the Command Prompt window, type the following text, and then hit Enter:
    iisreset
    This will stop and then restart IIS. Once this completes, close the Command Prompt window.
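The same applicationHost.config change made as a re-runnable script instead of a Notepad search, added here and not part of the original guide; it assumes the default IIS configuration path and that, as the steps say, every enabled windowsAuthentication element (global or inside a location override) should end up with both attributes.

```powershell
# Added example, not from the original guide: sets useKernelMode="false" and
# useAppPoolCredentials="true" on every <windowsAuthentication enabled="true"> element, leaves
# enabled="false" elements alone, and only adds what is missing on instances that already carry
# useKernelMode="false". A backup is written first. Run in an elevated PowerShell on FIM1.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$backupPath = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $configPath -Destination $backupPath

[xml]$config = Get-Content -Path $configPath
# Same set the Notepad search finds: windowsAuthentication enabled="true", anywhere in the file
$nodes   = $config.SelectNodes("//windowsAuthentication[@enabled='true']")
$changed = 0
foreach ($node in $nodes) {
    # Report where the instance lives (global section or a <location path="..."> override)
    $location = $node.SelectSingleNode('ancestor::location')
    $scope    = if ($location) { 'location path="' + $location.GetAttribute('path') + '"' } else { 'global' }
    $km = $node.GetAttribute('useKernelMode')          # "" when the attribute is absent
    $ap = $node.GetAttribute('useAppPoolCredentials')
    if ($km -ne 'false' -or $ap -ne 'true') {
        $node.SetAttribute('useKernelMode', 'false')
        $node.SetAttribute('useAppPoolCredentials', 'true')
        $changed++
        $state = 'updated'
    } else {
        $state = 'already correct'
    }
    '{0,-40} was useKernelMode="{1}" useAppPoolCredentials="{2}": {3}' -f $scope, $km, $ap, $state
}

if ($changed -gt 0) {
    $config.Save($configPath)   # XmlDocument.Save re-indents the file; IIS reads it fine
    "Updated $changed instance(s); backup at $backupPath. Run iisreset (step 11) to apply."
} else {
    'Nothing to change.'
}
```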

Set the SPNs for CORP\SPService

In this step, you will be setting the service principal names (SPNs) for the CORP\SPService account.

To set the SPNs for CORP\SPService

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select All Programs, click Accessories, and then click Command Prompt. This will bring up a command prompt.

  3. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S HTTP/fim1 CORP\SPService

  4. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S HTTP/fim1.corp.contoso.com CORP\SPService

Set the SPNs for CORP\FIMService

In this step, you will be setting the SPNs for the CORP\FIMService account. We will be using the same command prompt from above.

To set the SPNs for CORP\FIMService

  1. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S FIMService/fim1 CORP\FIMService

  2. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S FIMService/fim1.corp.contoso.com CORP\FIMService

Set the SPNs for CORP\SQLDatabase

In this step, you will be setting the SPNs for the CORP\SQLDatabase computer account. We will be using the same command prompt from above.

To set the SPNs for CORP\SQLDatabase

  1. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S MSSQLsvc/app1.corp.contoso.com:1433 corp\sqldatabase

  2. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S MSSQLsvc/app1:1433 corp\sqldatabase

Set the SPNs for CORP\FIM2$

In this step, you will be setting the SPNs for the CORP\FIM2$ computer account. We will be using the same command prompt from above. These are required for using password reset.

To set the SPNs for CORP\FIM2$

  1. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S HTTP/Passwordreset.corp.contoso.com CORP\FIM2$

  2. In the command prompt, type the following text, and then hit Enter:
    Setspn.exe -S HTTP/Passwordregistration.corp.contoso.com CORP\FIM2$

    [Screenshot: SetSpn]
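The eight SPN registrations from the four sections above as one re-runnable script with the checks a domain admin wants before moving on (each SPN on exactly the intended account, no duplicates in the forest), added here and not part of the original guide; it assumes the Active Directory module is available on DC1.

```powershell
# Added example, not from the original guide. A duplicated SPN breaks Kerberos for both services
# that claim it, so each SPN is looked up before it is added and setspn -X runs at the end.
# Run on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

# SPN and the sAMAccountName that must hold it (FIM2$ is the computer account)
$spns = @(
    @{ Spn = 'HTTP/fim1';                                  Account = 'SPService'   },
    @{ Spn = 'HTTP/fim1.corp.contoso.com';                 Account = 'SPService'   },
    @{ Spn = 'FIMService/fim1';                            Account = 'FIMService'  },
    @{ Spn = 'FIMService/fim1.corp.contoso.com';           Account = 'FIMService'  },
    @{ Spn = 'MSSQLSvc/app1.corp.contoso.com:1433';        Account = 'SQLDatabase' },
    @{ Spn = 'MSSQLSvc/app1:1433';                         Account = 'SQLDatabase' },
    @{ Spn = 'HTTP/passwordreset.corp.contoso.com';        Account = 'FIM2$'       },
    @{ Spn = 'HTTP/passwordregistration.corp.contoso.com'; Account = 'FIM2$'       }
)

foreach ($e in $spns) {
    # Who currently holds this SPN anywhere in the domain?
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$($e.Spn))" -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        # -S (not -A) makes setspn refuse to create a duplicate, which is why the guide uses it
        setspn.exe -S $e.Spn "CORP\$($e.Account)" | Out-Null
        $state = 'added'
    } elseif ($holders.Count -eq 1 -and $holders[0].sAMAccountName -eq $e.Account) {
        $state = 'already set'
    } else {
        $state = 'CONFLICT: held by ' + (($holders | ForEach-Object { $_.sAMAccountName }) -join ', ')
    }
    '{0,-48} {1,-12} {2}' -f $e.Spn, $e.Account, $state
}

# Forest-wide duplicate check; the last line should read "found 0 group of duplicate SPNs."
setspn.exe -X
```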

Turn on Delegation for CORP\SPService

Now you will enable Kerberos Delegation for the SharePoint Service account.

To turn on Delegation for CORP\SPService

  1. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  2. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com, expand ServiceAccounts, and in the center right-click SharePoint Service, and then select Properties.

  3. On the SharePoint Service Properties, select the Delegation tab.

  4. In the middle, select Trust this user for delegation to specified services only.

  5. Make sure Use Kerberos only is selected and click Add. This will bring up the Add Services dialog box.

  6. On the Add Services dialog box, click Users or Computers. This will bring up the Select Users or Computers dialog box.

  7. In the Select Users or Computers dialog box, enter FIM Service and click Check Names. This should resolve with an underline to the FIM Service account. Click OK. This will close the Select Users or Computers dialog box.

  8. On the Add Services screen, select FIM Service under Available Services: and click OK. This will close the Add Services dialog box.

    [Screenshot: Constrained Delegation]

  9. On the SharePoint Service Properties screen, click Apply.

  10. Click OK.

Turn on Delegation for CORP\FIMService

Now you will enable Kerberos delegation for the FIM Service account.

To turn on Delegation for CORP\FIMService

  1. Right-click FIM Service, and select Properties.

  2. On the FIM Service Properties, select the Delegation tab.

  3. In the middle, select Trust this user for delegation to specified services only.

  4. Make sure Use Kerberos only is selected and click Add. This will bring up the Add Services dialog box.

  5. On the Add Services dialog box, click Users or Computers. This will bring up the Select Users or Computers dialog box.

  6. In the Select Users or Computers dialog box, enter FIM Service and click Check Names. This should resolve with an underline to the FIM Service account. Click OK. This will close the Select Users or Computers dialog box.

  7. On the Add Services screen, select FIM Service under Available Services: and click OK. This will close the Add Services dialog box.

  8. On the FIM Service Properties screen, click Apply.

  9. Click OK.
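The two Delegation procedures done with the Active Directory module, plus the check that matters for security (Use Kerberos only means the account must not carry the protocol-transition flag, and it must not be set for unconstrained delegation), added here and not part of the original guide; it assumes the SPNs from the previous sections are already registered on CORP\FIMService, since those are what the Add Services dialog offers.

```powershell
# Added example, not from the original guide: selecting "FIM Service" in the Add Services dialog
# adds every SPN registered on CORP\FIMService to msDS-AllowedToDelegateTo; "Use Kerberos only"
# leaves TRUSTED_TO_AUTH_FOR_DELEGATION clear. Run on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation (any service)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition ("any protocol")

# The services offered under Available Services are FIMService's registered SPNs
$targets = @(Get-ADUser -Identity 'FIMService' -Properties servicePrincipalName |
             Select-Object -ExpandProperty servicePrincipalName)
if ($targets.Count -eq 0) { throw 'CORP\FIMService has no SPNs; set them before enabling delegation.' }

foreach ($sam in 'SPService', 'FIMService') {
    $user    = Get-ADUser -Identity $sam -Properties 'msDS-AllowedToDelegateTo'
    $current = @($user.'msDS-AllowedToDelegateTo')
    # -Replace with the merged list keeps anything already configured and avoids duplicate-value errors
    $merged  = @($current + $targets | Select-Object -Unique)
    Set-ADUser -Identity $sam -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$merged }

    # Read back and verify the delegation mode: KerberosOnly must be True, Unconstrained False
    $after = Get-ADUser -Identity $sam -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    $uac   = [int]$after.userAccountControl
    New-Object PSObject -Property @{
        Account       = "CORP\$sam"
        DelegatesTo   = (@($after.'msDS-AllowedToDelegateTo') -join ', ')
        KerberosOnly  = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0)
        Unconstrained = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
    }
}
```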

Create DNS A records for passwordreset.corp.contoso.com and passwordregistration.corp.contoso.com

In this step we will be creating DNS A records for our password reset and password registration websites.

To create DNS A records for passwordreset.corp.contoso.com and passwordregistration.corp.contoso.com

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click DNS. This will bring up the DNS Manager.

  3. In the DNS Manager, expand DC1, expand Forward Lookup Zones, and select corp.contoso.com.

  4. In the middle pane, right-click a blank spot below the already existing records and select New Host (A or AAAA) record. This will bring up a new Host dialog.

  5. In the box under Name (uses parent domain name if blank), enter: passwordreset.

  6. In the box under IP address: enter 10.0.0.8. Click Add Host.

    [Screenshot: passwordreset A record]

  7. On the box that says the record was created successfully click OK. This will bring you back to the New Host dialog.

  8. In the box under Name (uses parent domain name if blank), enter: passwordregistration.

  9. In the box under IP address: enter 10.0.0.8. Click Add Host.

    [Screenshot: passwordregistration A record]

  10. On the box that says the record was created successfully click OK. This will bring you back to the New Host dialog. Click Done.

    [Screenshot: password reset DNS records]

Start the SharePoint 2010 Administration service

Now we need to start the SharePoint Administration service.

To start the SharePoint 2010 Administration service

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click Services.

  3. Scroll down to SharePoint 2010 Administration, right-click it, and then select Start. This will start the SharePoint 2010 Administration service.

  4. Close Services.