the Connector Space

View a PAM User's Roles with Advanced Search Scope Configuration

Sean Leonard — Wed, 05 Dec 2018 08:30:53 GMT

During a recent MIM PAM deployment, I was asked if it would be possible to create a page in the portal to display a user's roles in PAM. Out of the box, MIM does not provide such a view for an administrator. The only view that comes close is the "My PAM Roles" page and it is only viewable by the specific user. Additionally, the PAM cmdlets don't provide an efficient means of calculating the mappings of a user to the assigned roles. It would require a nifty PowerShell function utilizing the Get-PAMRole and Get-PAMUser functions, which is not in the scope of this post. To successfully implement the ask, I added a new search scope utilizing the Advanced Filter attribute. The Advanced Filter attribute is available to modify once a search scope object has been created. The attribute allows you to define the x-path query that is used. For more information about the Advanced Filter and how you can design your own, head over to the Microsoft Docs post.

Create New Search Scope

Let's go ahead and create a new search scope. As a warning, implement this in a LAB environment and verify that all functionality works as expected while not breaking any existing configuration. Do your due diligence ensuring your FIMService database is backed up prior to making changes in your environments. First, navigate to Adminstration -> Search Scopes Next, fill in the required values on the General tab. The usage keywords define where the scope will be present. Change the Order value to what you prefer. If you leave the value as 1, then this search scope will be shown first ahead of the default PAM Roles scope. The MIM version in my lab is 4.5.286.0 and the default All PAM Roles search scope has order value 400. To keep this scope first, set your value to a number greater than 400. Set the Attribute Searched value to msidmPamCandidates which represents all candidates of a role. Set the Search Scope Filter to msidmPamRole because our desired results will be the PAM roles. Lastly, set the Resource Type as msidmPamRole because that object type will represent our search results. Finish creating the object by submitting the changes.

Configure the Advanced Filter

Now that the search scope has been created, let's go back into the Extended Attributes tab of the object. A relevant snippet from the Advanced Filter document linked earlier outlines how we can use the value typed into and submitted from the search box: Although not listed in the document, I extrapolated the formatting of the token to cover string values. The Advanced Filter added is the following: /msidmPamRole[msidmPamCandidates= /Person[AccountName='%SEARCH_TERM_STRING%']/ObjectID] This filter requires the searched value be the user's account name. For the most appropriate results, you want to search an attribute that would hold a unique value to that user. That is why this filter uses the account name and specifically checks that the search value is equal to the account name and not starts-with or contains. After submitting the updates to the Search Scope object, restart IIS.

Verify New Search Functionality

The search scope will appear on the PAM Roles page Search within: drop down. Submitting a search with an account name yields all the attributed PAM roles in the results.

MIM 4.5.26.0 – MPR Creation - The Required Field Cannot Be Empty

Joe Zinn — Thu, 23 Aug 2018 18:36:31 GMT

I recently ran into an issue after updating MIM 2016 to version 4.5.26.0 where I was unable to select workflows when creating an MPR. The error displayed was The Required Field Cannot Be Empty. The Selected workflow would be cleared when hitting next or submit button.

Further testing identified that you could successfully add workflows from the first page of the paginated list of workflows, but not from subsequent pages of the paginated list of workflows.

MIM 4.5.26.0 Release documentation:

https://support.microsoft.com/en-us/help/4073679/hotfix-rollup-package-build-4-5-26-0-is-available-for-microsoft

ENVIRONMENT:

Windows Server 2012 R2

SharePoint Foundation 2013

SQL Client 2012

SQL Server 2016

.Net 4.6 (KB3045563)

RESOLUTION:

The resolution to the issue was to uninstall .Net 4.6 (KB3045563) after applying the MIM 4.5.26.0 patch which allowed workflows to be selected and successfully saved to the MPR from all pages of the paginated workflow list.

MIM 2016 SP1 - Portal Servers Run Out of Disk Space.

Joe Zinn — Wed, 15 Aug 2018 00:11:00 GMT

Summary:

I recently ran into an issue after upgrading a MIM Environment to MIM 2016 SP1 (version 4.4.1459.0 or greater) where the MIM portal trace log files would grow until all available disk space was consumed. Below is the root cause of the issue and the method I used to resolve it.

Temporary Fix to Restore Service:

In the event you experience this issue and need a quick fix to restore service to your MIM environment, the trace log files Microsoft.ResourceManagement.Service_tracelog00.svclog and Microsoft.ResourceManagement.Service_tracelog00.txt can be copied to another location or deleted to reclaim storage space. Please refer to your firm’s policies and guidelines on log file retention before moving or deleting these files.

Cause:

MIM SP1 implemented verbose logging to the trace logs located in the \Program Files\Microsoft Forefront Identity Manager\2010\Service container to improve visibility and logging of portal workflow activities. These trace log files are stored in the following files:

Microsoft.ResourceManagement.Service_tracelog00.svclog and Microsoft.ResourceManagement.Service_tracelog00.txt)

Additional details of this can be found at the following link: https://docs.microsoft.com/en-us/microsoft-identity-manager/infrastructure/mim-service-dynamic-logging

Resolution:

Trace Log file growth can be managed by upgrading to MIM version 4.5.26.0 which implements circular logging of the Trace Log files. The following link provides additional details on sizing the storage and setting the max file size for each of the log files:

https://docs.microsoft.com/en-us/microsoft-identity-manager/infrastructure/mim-service-dynamic-logging

MIM 4.5.26.0 Upgrade Procedure:

1. Please read the release notes carefully before upgrading your environment… https://support.microsoft.com/en-us/help/4073679/hotfix-rollup-package-build-4-5-26-0-is-available-for-microsoft

2. Applying a Release Update to the MIM Synchronization Service and Offline Spare

https://blogs.msdn.microsoft.com/connector_space/2018/06/12/applying-a-release-update-to-the-mim-synchronization-service-and-offline-spare/

3. Apply Prerequisites to MIM Portal Servers

Install 2013 x64 Visual C++ Redistributable Packages (vcresist_x64.exe)

https://www.microsoft.com/en-us/download/confirmation.aspx?id=40784&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1

4. Install .Net 4.6

https://www.microsoft.com/en-us/download/details.aspx?id=48130

5. Clean Up Trace Log Files

The trace log files Microsoft.ResourceManagement.Service_tracelog00.svclog and Microsoft.ResourceManagement.Service_tracelog00.txt can be copied copying to another location or deleted to reclaim storage space. Please refer to your firm’s policies and guidelines on log file retention before deleting these files.

6. Applying a Release Update to the MIM Service and Portal

https://blogs.msdn.microsoft.com/connector_space/2018/06/12/applying-a-release-update-to-the-mim-service-and-portal/

MIM 2016 SP1–Service and Portal Installation Guide

Joe Zinn — Thu, 19 Jul 2018 15:36:00 GMT

Introduction:

This document is intended to be used as an operational build document for the Microsoft Identity Management 2016 MIM Service and Portal Server installation. This guide does not cover the installation of the Password Registration and Password Reset Portals. These installations are covered in detail in separate blog posts.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed build guide customized for your environment.

Document Variables:

Description	Search and Replace Variable
Full Domain Name (ex. Contoso.com)	[FQDOMAIN]
Common name of the domain (ex. Contoso)	[DOMAIN]
Common name of the SQL Server (ex. SQL01)	[SQL SERVER]
Common name of the MIM Service and Portal SQL Instance (ex. Service)	[SQL INSTANCE]
Common name of the MIM Synchronization Server (ex. SyncServer01)	[MIM SYNC SERVER]
Common name of the first MIM Service and Portal Server (ex. Portal01)	[MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)	[MIM SERVER 2]
Common name of the MIM Installation Service Account (ex. MIMInstall)	[INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA)	[MIM MA SERVICE ACCOUNT]
Common name of the MIM Service Account (ex. MIMService)	[MIM SERVICE ACCOUNT]
Full email address of the MIM Service Account (ex. MIM.Service@contoso.com)	[MIM SERVICE EMAIL]
Common name of the MIM Password Registration service account. (ex. MIMPwdReg) When performing a search and replace on document variables, replace this variable with a space to clear the variable value in the documentation.	[MIM PWD REG ACCOUNT]
Common name of the MIM Password Reset service account. (ex. MIMPwdRst) When performing a search and replace on document variables, replace this variable with a space to clear the variable value in the documentation.	[MIM PWD RST ACCOUNT]
Full SMTP mail server address including domain name. (ex. mail.contoso.com)	[SMTP MAIL SERVER]
Full URL of the MIM Password Registration Portal if implemented. (ex. https://registrationportal.contoso.com). When performing a search and replace on document variables, replace this variable with a space to clear the variable value in the documentation.	[MIM PRP URL]

Requirements:

MIM Portal Server Requirements:

Two Windows 2012 R2 virtual servers are required for this effort. These servers provide for primary servers in the Test environment. Each should have a minimum of 4 CPUs and 32 Gb of RAM. The two servers should have the following disk allocations:

C:\ 100 gb Operating System and Software

E:\ 200 gb MIM 2016, associated management agents and rules extensions.

SQL Instance Installation Requirements:

Please reference the following Microsoft document for best practice guidance on SQL server configuration settings and builds for MIM Portal and Service Servers.

https://docs.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

Note: The SQL Server Instance requires full text search and the SQL Server Agent to be installed and activated to successfully complete the MIM Service and Portal installation.

Service Account Requirements:

The Service Accounts, SPNs, and Kerberos Delegation configurations needed for the MIM Service and Portal Installation can be found in the following blog post:

https://blogs.msdn.microsoft.com/connector_space/2018/06/07/service-accounts-spns-and-kerberos-delegation-configurations-for-mim-service-and-portal-installation/

Prerequisite Software Installations:

Windows 2012 R2 Operating System Roles and Features:

The following roles and features are needed to install SharePoint and the MIM Service and Portal.

Server Manager:

Launch Server Manager

Select Dashboard

Select Add Roles and Features

Select Next

Select Role-based or feature-based installation

Select Next

Roles:

For Roles select Web Server (IIS)

Select the Add Features button

Select Next

Add Features:

Select .NET Framework 3.5. Features,

Select .Net Framework 3.5 (Includes .Net 2.0 and 3.0)

Select Http Activation

Select Add Features

Scroll down the list and expand Windows PowerShell (2 of 5 installed)

Select Windows Powershell 2.0 Engine

Select Next

Web Server Role (IIS)

Select Next

Role Services:

Common HTTP Features

Default Document

Directory Browsing

HTTP Errors

Static Content

HTTP Redirection

Health and Diagnostics

HTTP Logging

Request Monitor

Performance

Static Content Compression

Dynamic Content Compression

Security

Request Filtering

Basic Authentication

Windows Authentication

Application Development

Select ASP

Select Add Features button

.NET Extensibility 3.5

.NET Extensibility 4.5

ASP.NET 3.5

Select Add Features button

ASP.NET 4.5

ISAPI Extensions

ISAPI Filters

Management Tools

Select IIS 6 Management Compatibility

IIS 6 Metabase Compatibility

IIS 6 Management Console

IIS 6 Scripting Tools

Select Add Features button

IIS 6 WMI Compatibility

Select Next,

Select Install,

Once Installation Succeeds, select Close

Install SQL Client:

You can download the SQL Client installer (sqlncli.msi) from the Microsoft SQL Server 2012 SP2 Feature Pack located at the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=43339

Launch the Microsoft SQL Server 2012 Native Client Installer

On the Welcome to the installation Wizard for SQL Server 2012 Native Client select Next

Review and Accept the License Terms to continue installation

Select Next

On the Feature Selection window, select Next

On the Ready to Install the Program pane, select Install

If asked to allow program to make changes to this computer, select Yes.

Upon successful completion, select Finish

Install Optional Tools:

Some popular tools and utilities that you may consider installing include:

- NotePad++

- VisualStudio

- Telnet Client

- SQL Server Management Studio

Install SharePoint Foundation 2013 SP1

MIM 2016 Portal utilizes components of SharePoint. The installation instructions for SharePoint Foundation 2013 SP1 for use with FIM / MIM are posted in a separate blog post at the following location:

https://blogs.msdn.microsoft.com/connector_space/2018/06/01/install-of-sharepoint-foundation-2013-sp1-for-use-with-fim-mim/

Install the MIM Service and Portal:

From the MIM 2016 Installation Media launch FIMSplash.html

If prompted, select Yes to allow program to make changes to computer.

Under Identity Manager Service and Portal, select Install Service and Portal,

Select Run

If prompted, select Yes to allow program to make changes to computer.

On the Welcome to Microsoft Identity Manager Service and Portal Setup Wizard

select Next.

On the End-User License Agreement page,

Review the license agreement and accept to continue installation.

select Next.

On the MIM Customer Experience Improvement Program page,

choose your participation option and select Next.

On the Custom Setup page:

MIM Reporting and Privilege Access Management:

By Default, MIM Reporting and Privileged Access Management features are not installed. Under MIM Service the MIM Reporting and Privileged Access Management options are deselected with a red X appearing next to these optional features.

Should you choose to install these features, additional documentation on the installation of these features can be located online.

Password Registration and Reset:

Conversely, Password Registration and Reset are installed by default. Should you choose not to install these features, or if these features will be installed on a separate system, the following actions may be taken to prevent the installation of these features.

Select MIM Password Registration Portal

choose Entire Feature will be unavailable.

A red X will now appear next to the option as well.

Select MIM Password Reset Portal

choose Entire Feature will be unavailable.

A red X will appear next to the option.

Installation Path:

The default installation path is c:\Program Files\Microsoft Forefront Identity Manager\2010\

To specify an alternate installation path:

Select MIM Service or MIM Portal, and select Browse and change to the desired installation path.

The path selection will apply to both MIM Service and MIM Portal features if installed simultaneously.

select OK.

Select Next

On the Configure Common Services - MIM Database Connection page

Enter the following information:

Database Server: [SQL SERVER]\[SQL INSTANCE]

Database Name: FIMService

For the first server installed [MIM SERVER 1] select Create a new database

For each subsequent server [MIM SERVER 2] select Re-use the existing database.

Select Next

Database Backup Warning:

MIM Service database backup should be performed.

If you are installing the first server and selected the create new database option, this message does not appear. This message appears when selecting the use existing database option.

Select Next

On the Configure Common Services – Mail Server Connection page

Mail Server: [SMTP MAIL SERVER]

Check all relevant options noted below.

Use SSL

Mail Server is Exchange Server 2007 or Exchange Server 2010

Enable Polling for Exchange Server 2007 or Exchange Server 2010

Use Exchange Online

On the Configure Common Services – Service Certificate page

Select Generate a new self-issued certificate

Select Next

On the Configure Common Services – MIM Service Account page

Enter the following information:

Service Account Name: [MIM SERVICE ACCOUNT]

Service Account Password *******************

Service Account Domain [FQDOMAIN]

Service Email Account [MIM SERVICE EMAIL]

Select Next

Account Security Warning:

If an Account Security Warning stating the Service Account is not secure in its current configuration is received, select Next.

The Service Account security can be addressed after the installation by referencing the following blog post:

https://blogs.msdn.microsoft.com/connector_space/2015/08/28/warning-25051-service-account-is-not-secure-in-its-current-configuration/

On the Configure Common Services – Configure MIM Service and Portal Synchronization page

Enter the following information:

Synchronization Server: [MIM SYNC SERVER]

MIM Management Agent Account: [DOMAIN]\[MIM MA SERVICE ACCOUNT]

Select Next

You may receive a warning message:

The MIM synchronization server you have entered does not exist or is not running. Click ‘Back’ to enter a different server name. If you plan to install the MIM synchronization service on the ‘[MIM SYNC SERVER]’ later, click ‘Next’ to accept the configuration and continue. Refer to the installation guide for instructions on how to change this information post deployment.

Verify the server name is correct.

If it is not correct, select Back and correct the name.

Once the server name is verified to be correct, you may still receive this message.

select Next to continue

On the Configure Common Services – Configure Connection with MIM Service page

MIM Service Server Address: [MIM SERVER 1] or [MIM SERVER 2]

select Next

On the Configure Common Services – Configure Connection with MIM Service page

SharePoint Site Collection URL: https://FIMPortal

Select Next

On the Configure Common Services – Configure Optional Portal Home Page Configuration page

Registration Portal URL: [MIM PRP URL]

Select Next

Note: This should be left empty if this feature is not implemented.

On the Configure Common Services – Configure Security Changes Configured by Setup page

Select Open ports 5725 and 5726 in the Portal

Select Grant Authenticated Users Access to MIM Portal Site

Select Next

On the Enter Information for MIM Password Portals page

If applicable, select MIM Password Registration Portal will be installed on another host.

Account Name: [DOMAIN]\[MIM PWD REG ACCOUNT]

If applicable, select MIM Password Reset Portal will be installed on another host

Account Name: [DOMAIN]\[MIM PWD RST ACCOUNT]

Select Next

On the Install Microsoft Identity Manager Service and Portal page

Select Install

Please be patient, as the installation may take some time to complete while opening and closing command windows and at times giving the appearance that no actions are occurring.

On the Completed Microsoft Identity Manager Service and Portal Setup Wizard page,

Select Finished

Close the FIMSplash browser window.

Verify the FIMSPFPool is Started

Start, Internet Information Services Manager (IIS)

Expand the Server

Select Application Pools

Select FIMSPFPool

Verify the FIMSPFPool is started.

Close IIS

From the server [MIM SERVER 1], launch Internet Explorer

Enter the following Url to display the MIM Portal

https://[MIM SERVER 1]/identitymanagement/aspx/users/AllPersons.aspx

From the server [MIM SERVER 2], launch Internet Explorer

Enter the following Url to display the MIM Portal

https://[MIM SERVER 2]/identitymanagement/aspx/users/AllPersons.aspx

The MIM Portal should display without error.

Post Installation of MIM Service and Portal

Install the latest version of MIMWAL (MIM Workflow Application Library)

The Microsoft Identity Manager Workflow Activities Libraries (MIMWAL) is a Microsoft-maintained-open-source library that extends the functionality of MIM. Repeat the following steps on all MIM Service and MIM Portal Servers.

https://microsoft.github.io/MIMWAL/

Build and Deploy the MIMWAL solution:

Instructions for creating the MIMWAL assembly are located at the following link.

https://github.com/Microsoft/MIMWAL/wiki/build-and-deployment

MIM PAM Feature Installer Failure - SetADForestFunctionalLevel

Sean Leonard — Thu, 21 Jun 2018 09:00:00 GMT

I want to review a huge blocker that held up one of my recent installations of MIM PAM using the MIM Service and Portal installer. There are times where you may be under the impression that your MIM Portal pre-installation configuration work is sufficient to allow the installer to complete without rolling back everything it had tried to do.

SPNs are set
Service accounts are created with the correct delegations
The MIM install account has the correct permissions on the local server and target database including the ability to create Authentication policies and silos (more info here)
The MIM service account has the appropriate permissions to control msDS-ShadowPrincipal objects.

Additional information on the point above can be found in the PAM Installation Microsoft Docs: here. However, the installer aborts the installation procedure and rolls back all the changes that were made.

Enable Verbose Logging for Installer

Without verbose logging enabled, I was not going to get anywhere with troubleshooting. Make sure to run the installer with the following parameters and specify your desired file location.

msiexec /I "Service and Portal.msi" /L*v C:\MIM-Install-Artifacts\log.txt

Searching for Return Value 3 places you in the most likely sections of the log that contain the error. The log had failure messages such for the step

Doing action: UpdateADForestFunctionalLevel

Snippet of detailed error:

Calling custom action Microsoft.IdentityManagement.PAMRelatedCustomActions!Microsoft.IdentityManagement.ManagedCustomActions.PAMRelatedCustomActions.Set ADForestFunctionalLevel Access is Denied

Troubleshooting

My first thoughts were that my installer account didn't have the permissions to update the forest functional level. I did not give the installer account domain admin nor enterprise admin. But why would the installer be trying to do this in the first place? I was sure the forest functional level was correct. I verified that I had the correct forest functional level in my environment by running the command

(Get-ADForest).forestmode

PowerShell returned the expected ForestModeLevel 7 and ForestMode of Windows2016Forest

Solution

It turns out the MIM PAM install procedure attempts to create an OU in the root of your bastion forest called PAM Objects. I could bump up the privileges of the MIM install account as a quick workaround though, in many situations, that is not desirable or even allowed. So, to continue without granting the account unnecessary privileges, I manually added the PAM Objects OU into the root of my bastion forest. I re-ran the installer and, lo and behold, it completed successfully! This solution was carried out in a lab environment, proceed at your own risk.

Additional Comments

It is important to note, since I created the PAM Objects OU outside of the installation process, that the mimservice account that handles creating PAM users (i.e. New-PAMUser) needs to have create, delete, and modify permissions on user objects for this new OU. Be careful with the service or administrative accounts you create in your bastion forest. If you manually create a user in the bastion forest and try to have the New-PAMUser cmdlet create a PAM user that ends up taking the same account name, you will get an error such as

System.InvalidOperationException: A constraint violation occurred.

Applying a Release Update to the MIM Service and Portal

Joe Zinn — Tue, 12 Jun 2018 21:18:32 GMT

Using This Guide:

Introduction:

This document is intended to be used as an operational procedure document for updating the Microsoft Identity Management 2016 Service and Portal installations. You may perform search and replace on the variables listed below to create a detailed version update guide customized for your environment.

Document Variables:

Description	Search and Replace Variable
Common name of the first MIM Service and Portal Server (ex. Portal01)	[MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)	[MIM SERVER 2]
Primary Synchronization Server’s Common Name.	[Primary Sync Server]
The Installation account used to perform installation and updates of the MIM Synchronization Service Software.	[Install Account]

Procedure Summary for Updating FIM / MIM:

The update process consists of the following steps:

Identify the Current Version:

- Identify the current version of the Service and Portal.

Identify the Update Version:

- Identify the release appropriate for your environment.

- Download the selected update file.

Synchronization Service:

- Stop Scheduled Tasks associated with MIM Run Profiles

- Confirm all Synchronization jobs are completed.

- Validate Configuration of Off-line Spare

- Stop the Primary Server Synchronization Service

- Install the update on the Offline Spare

- Install the update on the Primary Sync Server

Service, Portal, Password Registration and Reset:

- If applicable, update the Portal and FIM Service to same release.

- If applicable, update the Password Reset and Registration Sites

Final wrap up:

- Enable Scheduled Tasks

Identify the Current Version:

Identify the current version of the FIM / MIM Portal:

Using a web browser, connect to the FIM / MIM Portal as an administrator. On the Home page, select About Microsoft Identity Manager.

The version is noted on the resulting page that is displayed. MIM 2016 R1 versions start at 4.4.xxxx.x whereas FIM 2010 R2 begins at 4.1.xxxx version.

Identify the Update Version:

Identify the update release appropriate for your environment:

The release version used for the sync engine should be the same release deployed to the Service and Portal.

You can find the latest update information for your release at the following URL: https://blogs.technet.microsoft.com/iamsupport/idmbuildversions/

Download the selected update file:

After reading the Release Notes and choosing an appropriate release for your environment, you can download the update by selecting the Microsoft Download Center link contained within the Release Note.

The update file for the Service and Portal is likely to have a file name format resembling FIMService_x64_KBxxxxxxx.msp. Download the file to the MIM Service and Portal Servers [MIM SERVER 1] and [MIM SERVER 2].

Synchronization Service:

Stop scheduled Tasks associated with MIM Run Profiles:

The first step in the update process is to ensure all synchronization service scheduled tasks on the Primary Synchronization Server [Primary Sync Server] are completed or properly stopped before performing the update on the Service and Portal servers [MIM SERVER 1] and [MIM SERVER 2]. Stop, or allow to complete, any currently running tasks associated with the Synchronization Service and its associated run profiles. Note the name of each task that is disabled.

To Open Task Scheduler:

From the Server select Start

Type task scheduler and run the task scheduler utility.

To Disable a task:

Select the task, right click and select Disable

To Stop a running task:

Select the running task, Right Click and select End.

Note: Stopping a scheduled task does not stop an import, export or synchronization job that is currently running in the Synchronization Engine.

Confirm all Synchronization jobs are completed:

On the Primary Synchronization Server [Primary Sync Server]

Launch the Synchronization Service Manager

Select the Operations Tab

Confirm all import, export and synchronization jobs have completed.

For any running jobs, you can allow the job to complete, or manually stop the job, which ever approach may be appropriate to your environment and associated change policies and service level agreements.

The remaining procedures for updating the Synchronization Engine are located at the following link:

https://blogs.msdn.microsoft.com/connector_space/2018/06/12/installing-mim-synchronization-service-with-an-offline-spare/

Service, Portal, Password Registration and Reset:

Update the Portal and FIM Service to same release

On the Service and Portal servers [MIM SERVER 1] and [MIM SERVER 2], stop the Forefront Identity Manager Service.

Using the Install Account [Install Account],

Launch Services management console by selecting Start and typing Services.msc

Double click the Forefront Identity Manager Service

Select the Stop button.

Exit the Services management console.

Once the Forefront Identity Manager Service is stopped on the Service and Portal Servers, perform the following actions on each server, completing [MIM SERVER 1] before updating [MIM SERVER 2].

From the server select Start

Type Command Prompt

Right Click Command Prompt and select Run as Administrator

If prompted to allow the program to make changes to the computer, select Yes.

Navigate to the directory location of the update file

Type the file name FIMService_x64_KBxxxxxxx.msp and press [Enter]

Welcome to the Update for MIM Service and Portal

Select Update

Once completed, select Finish

The Forefront Identity Manager Service is started upon selecting Finish

Update the Password Reset and Registration Sites:

The procedures for updating the Password Reset and Registration sites are located at the following link:

Final wrap up:

Enable Scheduled Tasks.

The final step in the update process is to ensure all synchronization service scheduled tasks are enabled on the Primary Synchronization Server [Primary Sync Server] after performing the update. Referring to the previously Noted disabled tasks, enable each of the scheduled tasks that were previously disabled.

Access the Primary Synchronization Server [Primary Sync Server]

To Open Task Scheduler:

From the Server select Start

Type task scheduler and run the task scheduler utility.

To Enable a task:

Select the task, right click and select Enable

Applying a Release Update to the MIM Synchronization Service and Offline Spare

Joe Zinn — Tue, 12 Jun 2018 21:04:48 GMT

Using This Guide:

Introduction:

This document is intended to be used as an operational procedure document for updating the Microsoft Identity Management 2016 Synchronization Server installation. You may perform search and replace on the variables listed below to create a detailed version update guide customized for your environment.

Document Variables:

Description	Search and Replace Variable
The Offline MIM Synchronization Server’s Common Name.	[Offline Sync Server]
Primary Synchronization Server’s Common Name.	[Primary Sync Server]
The Installation account used to perform installation and updates of the MIM Synchronization Service Software.	[Install Account]

Procedure Summary for Updating FIM / MIM:

The update process consists of the following steps:

Identify the Current Version:

- Identify the current version of the Synchronization Engine.

Identify the Update Version:

- Identify the release appropriate for your environment.

- Download the selected update file.

Synchronization Service:

- Stop Scheduled Tasks associated with MIM Run Profiles

- Confirm all Synchronization jobs are completed.

- Validate Configuration of Off-line Spare

- Stop the Primary Server Synchronization Service

- Install the update on the Offline Spare

- Install the update on the Primary Sync Server

Service, Portal, Password Registration and Reset:

- If applicable, update the Portal and FIM Service to same release.

- If applicable, update the Password Reset and Registration Sites

Final wrap up:

- Enable Scheduled Tasks

Identify the Current Version:

Identify the current version of the Synchronization Engine:

On the Primary Synchronization Server [Primary Sync Server]

From the Windows Server select Start

Type MIIS, and select Synchronization Service

To verify the version, click Help and About.

While the trademark is stamped Microsoft Forefront Identity Manager 2010 R2, the MIM 2016 R1 versions start at 4.4.xxxx.x whereas FIM 2010 R2 begins at 4.1.xxxx version. The full number is the release number of the installed version.

Identify the Update Version:

Identify the update release appropriate for your environment:

You can find the latest update information for your release at the following URL: https://blogs.technet.microsoft.com/iamsupport/idmbuildversions/

Download the selected update file:

The update file for the Synchronization Service is likely to have a file name format resembling FIMSyncService_x64_KBxxxxxxx.msp. Download the file to the MIM 2016 Offline Spare and Primary Synchronization [Primary Sync Server] Servers.

Synchronization Service:

Stop scheduled Tasks associated with MIM Run Profiles:

The first step in the update process is to ensure all synchronization service scheduled tasks on the Primary Synchronization Server [Primary Sync Server] are completed or properly stopped before performing the update. Stop, or allow to complete, any currently running tasks associated with the Synchronization Service and its associated run profiles. Note the name of each task that is disabled.

To Open Task Scheduler:

From the Server select Start

Type task scheduler and run the task scheduler utility.

To Disable a task:

Select the task, right click and select Disable

To Stop a running task:

Select the running task, Right Click and select End.

Note: Stopping a scheduled task does not stop an import, export or synchronization job that is currently running in the Synchronization Engine.

Confirm all Synchronization jobs are completed:

On the Primary Synchronization Server [Primary Sync Server]

Launch the Synchronization Service Manager

Select the Operations Tab

Confirm all import, export and synchronization jobs have completed.

Validate Configuration of Off-line Spare

Now is a good time to verify that the run profiles, scheduled tasks, batch files, PowerShell and visual basic scripts associated with the scheduled tasks on the Primary Synchronization Server [Primary Sync Server] are present in the same path of the Off-line Spare Synchronization Server [Offline Sync Server]. This will ensure that the Off-line Spare can be brought into service successfully if needed.

Stop the Primary Server Synchronization Service

On the Primary Synchronization Server [Primary Sync Server]

Once all scheduled tasks are stopped and disabled,

Stop the Forefront Identity Manager Synchronization Service.

Launch Services

Double click the Forefront Identity Manager Synchronization Service

Stop the service by selecting the Stop button.

Change the Startup Type from Automatic or Automatic (Delayed Start) to Manual.

Install the update on the Off-line Spare.

The Update of the Off-Line Spare Synchronization Server [Offline Sync Server] is performed before the update of the Primary Synchronization server [Primary Sync Server]. This is because the update process will set the Primary Synchronization server as the current server [Offline Sync Server] in the shared SQL Database.

Switch to the Off-Line Spare Synchronization server.

Launch Services by selecting Start and typing Services.msc

Double click the Forefront Identity Manager Synchronization Service

Change the Startup Type from Disabled to Manual.

From the server select Start

Type Command Prompt

Right Click Command Prompt and select Run as Administrator

If prompted to allow the program to make changes to the computer, select Yes.

Navigate to the directory location of the update file

Type the file name FIMSyncService_x64_KBxxxxxxx.msp and press [Enter]

Welcome to the Update for MIM Synchronization Service

Select Update

Once completed, select Finish

In most updates, the Forefront Identity Manager Synchronization Service will start after the update.

Launch the Synchronization Service Manager

Verify that the Synchronization Service Manager loads without error.

Close the Synchronization Service Manager

Launch Services

Double click the Forefront Identity Manager Synchronization Service

Stop the service, by selecting the Stop button.

Change the Startup Type from Manual to Disabled.

The update of the Off-Line Spare [Offline Sync Server] is now complete.

Install the update on the Primary Sync Server

The Update of the Primary Synchronization Server [Primary Sync Server] is performed after the update

of the Off-line Spare Synchronization server [Offline Sync Server]. This is because the last update executed will set the Primary Synchronization server as the current server [Primary Sync Server] in the shared SQL Database.

Switch to the Primary Synchronization server [Primary Sync Server].

From the server select Start

Type Command Prompt

Right Click Command Prompt and select Run as Administrator

If prompted to allow the program to make changes to the computer, select Yes.

Navigate to the directory location of the update file

Type the file name FIMSyncService_x64_KBxxxxxxx.msp and press [Enter]

Welcome to the Update for MIM Synchronization Service

Select Update

Once completed, select Finish

In most updates, the Forefront Identity Manager Synchronization Service will start after the update.

Launch the Synchronization Service Manager

Verify that the Synchronization Service Manager loads without error.

Close the Synchronization Service Manager

Launch Services

Double click the Forefront Identity Manager Synchronization Service

Stop the service, by selecting the Stop button.

Change the Startup Type from Manual to Automatic or Automatic (Delayed Start).

You may optionally choose to restart the Primary Synchronization server after the update.

Service, Portal, Password Registration and Reset:

If applicable, update the Portal and FIM Service to same release.

These instructions are contained in a separate blog post located at the following url:

https://blogs.msdn.microsoft.com/connector_space/2018/06/12/applying-a-release-update-to-the-mim-service-and-portal/

If applicable, update the Password Reset and Registration sites to same release.

These instructions are contained in a separate blog post located at the following url:

Final wrap up:

Enable Scheduled Tasks.

Access the Primary Synchronization Server [Primary Sync Server]

To Open Task Scheduler:

From the Server select Start

Type task scheduler and run the task scheduler utility.

To Enable a task:

Select the task, right click and select Enable

Installing MIM Synchronization Service with an Offline Spare

Joe Zinn — Tue, 12 Jun 2018 20:38:56 GMT

Using This Guide:

Introduction:

This document is intended to be used as an operational build document for the Microsoft Identity Management 2016 Synchronization Server installation. You may perform search and replace on the variables listed below to create a detailed build guide customized for your environment.

Document Variables:

Description	Search and Replace Variable
The Domain’s common Name.	[Domain]
The Offline MIM Synchronization Server’s Common Name.	[Offline Sync Server]
The Offline Synchronization Server’s IP Address.	[Offline Sync Server IP]
Primary Synchronization Server’s Common Name.	[Primary Sync Server]
The Primary Synchronization Server’s IP Address.	[Primary Sync Server IP]
The SQL Server’s Common Name.	[SQL Server]
The SQL Server’s IP Address.	[SQL Server IP]
The Microsoft SQL Server instance name.	[SQL Server Instance]
The service account that the MIM Synchronization Service runs under.	[Synchronization Service Account]
The Installation account used to perform installation and upgrades of the MIM Synchronization Service Software.	[Install Account]
The name of the Synchronization Server Client’s Administrators Security Group.	[Admin Group Name]
The name of the Synchronization Server Client’s Operators Security Group.	[Operators Group Name]
The name of the Synchronization Server Client’s Joiners Security Group.	[Joiners Group Name]
The name of the Synchronization Server Client’s Browse Security Group.	[Browse Group Name]
The name of the Synchronization Server Client’s Password Management Security Group.	[PW Group Name]

Requirements:

Virtual Server / Hardware Requirements:

Please reference the following document for best practice guidance on MIM Synchronization Server configurations.

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms

In this Synchronization Server build example, we install two Windows 2012 R2 virtual servers. These servers provide for the Primary Synchronization server and an Offline Spare Synchronization Server. Each server should have a minimum of 2 virtual CPUs and 32 Gb of RAM. The two servers in this example have the following disk allocations:

C:\ 100 gb Operating System and LA USD Software

E:\ 200 gb MIM 2016, associated management agents and rules extensions.

SQL Server Requirements:

Please reference the following Microsoft document for best practice guidance on SQL server configuration settings and builds for MIM Synchronization Server.

https://docs.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

In this Synchronization Server build example, we install a separated Microsoft SQL Server 2016 instance entitled SYNC.

Server Names and Related Information:

Hostname	IP Address (Public)	Description
[Offline Sync Server]	[Offline Sync Server IP]	Offline Spare Synchronization Server
[Primary Sync Server]	[Primary Sync Server IP]	Primary Synchronization Server
[SQL Server]	[SQL Server IP]	SQL Server

Account Requirements:

The following new Active Directory domain accounts are needed to support the installation:

Service Account Name

Usage

Notes

[Synchronization Service Account]

Service account for the Synchronization Service with SQL Server Database access.

Deny logon as batch job

Deny logon locally

Deny access to this computer from network

SQL Server Admin Rights to FIMSynchronizationService database.

[Install Account]

This is the account used to perform the initial installation of the MIM Synchronization Service Software.

We will use this account for the installation in the MIM environment.

Need local admin on Sync server and

Full SQL Admin Rights to create and modify the FIMSynchronizationService database.

Server Software Installation:

Windows 2012 R2 Server Options Installation:

Launch Server Manager

Click Add Roles and Features, Next

Select Role-based or feature-based installation, Next
Next

Server Roles:

Web Server (IIS)
Click Add Features
Select Next

Features

Click Next

Web Server Role (IIS):

Roles Services

Web Server
- Common HTTP Features
    - Default Document
    - Directory Browsing
    - HTTP Errors
    - Static Content
    - HTTP Redirection
- Health and Diagnostics
    - HTTP Logging
    - Request Monitor
- Performance
    - Static Content Compression
    - Dynamic Content Compression
- Security
    - Request Filtering
    - Basic Authentication
    - Windows Authentication
- Application Development
    - .NET Extensibility 3.5 & 4.5
    - ASP .NET 3.5 & 4.5
    - ISAPI Extensions
    - ISAPI Filters
- Management Tools
    - IIS 6 Management Compatibility
       - IIS 6 Metabase Compatibility
       - IIS 6 Management Console
       - IIS 6 Scripting Tools
       - IIS 6 WMI Compatibility

Select Next, Install

Install SQL Client:

Install Microsoft SQL 2012 Client for SQL 2012 and higher. For version prior to 2012, use the SQL client of the same version as the installed SQL Server.

Launch the Microsoft SQL 2016 Client Installation

On the Welcome to the Installation Wizard for SQL Server 2016 Management Studio, select Next.

Review the license agreement and accept the terms if in agreement.

Select Next to install.

On the Feature Selection pane, select Next.

On the Ready to Install Pane, select Install

Once completed, select Finish.

Optional Tools:

Some popular tools and utilities that you may consider installing include:

- NotePad++

- VisualStudio

- Telnet Client

- Active Directory Users and Computers

- LDAP Client

- SQL Server Client

- Oracle Server Client (If connecting to Oracle database)

MIM 2016 Sync Server Installation:

Overview:

The following document is intended to function as an operations guide for the installation of the MIM 2016 Synchronization Server. This document covers both the installation of the Offline Spare and Primary MIM 2016 Synchronization Servers.

The Offline Spare functions as a pre-installed synchronization engine whose MIM service is disabled until needed (re. in the event of failure of the primary synchronization server). The Offline Spare is installed first, followed by the installation of the Primary Synchronization Server.

Only one MIM Synchronization Server may be operational at a time. The Offline Spare and Primary Synchronization Server share a common SQL database (FIMSynchronizationService) that retains all configuration options, source code, and management agent configurations. The database name is defined via the Microsoft Identity Manager installer and should not be modified.

Prerequisites:

Installation Media:

The installation media can be obtained from the Microsoft Customer Portal.

SQL Server Considerations:

· This installation document covers the installation of a stand-by synchronization server which requires the SQL server database to be hosted on a separate SQL server.

· The SQL Server client will need to be pre-installed on this server prior to installation of the MIM Synchronization Server Software.

· The SQL Server will need to be enabled for remote access.

· The SQL Server and SQL Server Agent services for the instance (Ex. Sync) need to be running.

Active Directory Service Accounts:

· Installation Account with SQL Admin rights.

· Sync Service Account with SQL read/write rights.

Active Directory Management Groups:

· [Admin Group Name]

· [Operators Group Name]

· [Joiners Group Name]

· [Browse Group Name]

· [PW Group Name]

Firewall and Port Consideration

· TCP Port 1433 open between Sync Servers and SQL Server.

o [Primary Sync Server] [Primary Sync Server IP] – [SQL Server] [SQL Server IP]

o [Offline Sync Server] [Offline Sync Server IP] – [SQL Server] [SQL Server IP]

MIM Synchronization Service Install:

Server Build Order:

The stand-by synchronization server is installed prior to the primary synchronization server.

Offline Server Build Action:

Primary Server Build Action:

Installation Software:

Mount the installation Media.

In Windows Explorer navigate to the root of the MIM 2016 installation media and double-click on FIMSplash to begin the installation.

If prompted how to view .htm files, select Internet Explorer.

This will open the MIM installation menu.

Note: This installation guide does not include screen captures of the installation process. If you prefer to view screen shots of the installation, please reference the following link provided below. Please be aware that you will need to return to this document for the remaining steps in completing the installation of the offline spare or Primary Synchronization Server. https://blogs.msdn.microsoft.com/connector_space/2015/08/26/installing-the-microsoft-identity-manager-2016-synchronization-service-clean-install/

Under Identity Manager Synchronization Service, Select Install Synchronization Service

Select Run

If prompted to allow the program to make changes to this computer, you must select Yes to continue the installation.

Microsoft Identity Manager 2016 – Synchronization Service Setup Wizard.

Click Next to continue.

End User License Agreement

Read and accept the terms of the License Agreement.

To continue installation, select Next.

Custom Setup

The default Installation Location is C:\program files\Microsoft Forefront Identity Manager\2010\

If you would like to modify the Installation Location, select the Change button, and enter the custom path setting.

Once complete, select Next to continue.

Configure Microsoft Identity Manager Synchronization Service – Database Connection

When installing your Synchronization Service with a warm stand-by, you must use a remote SQL Server configuration. The Stand-by and Live Synchronization servers reference the same SQL database.

SQL Server is located on:

Select A remote machine

Then enter the common name of the SQL server [SQL Server]

Note: Installation of the SQL Client is required as referenced in the Prerequisites section of this document.

The SQL Server instance is:

Select A named instance

Then enter the instance name [SQL Server Instance]

Select Next to continue.

Configure Microsoft Identity Manager Synchronization Service – Service Account

Enter the Service account information under which the MIM Sync Service will run:

Service Account: [Synchronization Service Account]

Password: **********

Service Account Domain: [Domain]

Select Next when completed.

Configure Microsoft Identity Manager Synchronization Service – Security Groups

When implementing a stand-by synchronization server you should use Domain groups. This ensures your access groups remain consistent after implementing the stand-by server.

Prior to proceeding with the installation, the security groups should be created in Active Directory. You may use any naming convention you like for these groups, or you may choose to retain the default group names (Re. FIMSyncAdmins, FIMSyncOperators, FIMSynchJoiners, FIMSyncBrowse, and FIMSyncPasswordSet).

To configure for use with Domain groups, enter the following information:

Administrator: [Domain]\[Admin Group Name]

Operator: [Domain]\ [Operators Group Name]

Joiner: [Domain]\[Joiners Group Name]

Connector browse: [Domain]\[Browse Group Name]

WMI password Management: [Domain]\[PW Group Name]

Click Next to continue.

Configure Microsoft Identity Manager Synchronization Service – Security Changes

Check the box to Enable firewall rules for inbound RPC communications

Select Next, Install

Note: Warning messages are expected as part of the normal installation process. Please pay close attention to any Warning or Error messages received. Actions may differ for Offline Spare vs. Primary Synchronization Server. See details below for specific actions.

Warning 25051:

Warning 25051. The Microsoft Identity Manager Synchronization Service service account is not secure in its current configuration. For more information about best practices for securing the service account, please see Microsoft Identity Manager Synchronization Service Help.

For Offline Spare and Primary Synchronization Server builds,

Select OK to continue.

To address this issue after installation, please refer to the following documentation:

https://blogs.msdn.microsoft.com/connector_space/2015/08/28/warning-25051-service-account-is-not-secure-in-its-current-configuration/

Error 25009:

Error 25009. The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database.

For Offline Spare and Primary Synchronization Server builds,

Select Ok to continue.

The installation will rollback, select Finish.

Verify your installation account has SQL admin rights and the .net 3.5 Components are installed via server manager. Once resolved, you will need to start the installation process from the beginning.

Warning, A Microsoft Identity Manager Synchronization Service database already exists:

A Microsoft Identity Manager Synchronization Service database already exists. If you click Yes, you will restore the configuration with this database. If you click No, you must manually remove the previous database before installation can continue. Do you want to use the existing database?

Offline Spare Server build action only:

If you are building the Offline Spare for the first time, you should not receive this message. Verify you are connecting to the correct SQL server and instance. This could occur if you are reinstalling the synchronization server. In such a case, you will need to manually remove the database from the SQL server to proceed. As a matter of extreme caution, always backup the database before removing it.

Primary Synchronization Server build only:

Select Yes

You should receive the following Warning:

The Microsoft Identity Manager Synchronization Service setup Wizard will restore the configuration using the previous database. You must provide the encryption key set to use the previous database. Do you want to do this now?

Select Yes

Select the encryption key file (ex. E:\MIM\Keys\SyncKeys.bin)

Select Open

Database Encryption Key

Offline Spare Server build action only:

At this point you will be prompted to back up the database encryption key.

Click OK

Select a location and enter a name for this key file, then click Save

Primary Synchronization Server build only:

If you installed an Offline Spare, you should not receive this message.

Completing the Microsoft Identity Manager Synchronization Service Setup Wizard:

When notified of successful completion,

Click Finish to complete setup.

You may receive the following Warning:

You must logoff and relogon your system for the security group membership to take effect. Please close the other applications and click Yes if you want to logoff now. You may click No if you want to logoff later.

Select Yes

Launch the Synchronization Service Client:

You should now be able to open the MIM 2016 Sync Service. (Start, Run

To verify the version, click Help and About.

While the trademark is stamped Microsoft Forefront Identity Manager 2010 R2, the MIM 2016 R1 starts at 4.4.xxxx.x whereas FIM 2010 R2 begins at 4.1.xxxx version.

Perform the following steps for the Offline Spare build Only:

From the Service management Console,

Right Click Forefront Identity Manager Synchronization Service

select Properties

On the General Tab, next to Startup Type select Disabled.

If Service Status is “Running” select Stop

Select Apply, Ok

Perform the following Steps for the Primary Synchronization Server build Only:

Once complete with the Offline Spare build, repeat the build instructions following all steps for the Primary Synchronization Server and skipping those steps noted for the Offline Spare build.

If you have completed the steps for both the Offline Spare and the Primary Synchronization Server, the synchronization server build process is complete.

Install the MIM 2016 Management Agent (MIM MA)

Joe Zinn — Tue, 12 Jun 2018 20:33:29 GMT

Introduction:

This document is intended to be used as an operational preparatory document for the Microsoft Identity Management 2016 base MIM MA installation.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.

Document Variables:

Description	Search and Replace Variable
Primary Sync Server (Ex. Sync01)	[PRIMARY SYNC SERVER]
Primary SQL Server (Ex. SQL01)	[SQL Server]
Common name of the MIM Service and Portal SQL Instance (ex. Service)	[SQL INSTANCE]
The database name of the FIM Service Database. (ex. FIMService)	[SERVICE DB NAME]
Common name of the domain (ex. Contoso)	[DOMAIN]
Common name of the URL / Virtual IP Address used to load balance the MIM Service and Portal Servers. (Ex. MIMPortal)	[MIM PORTAL URL]
Common name of the first MIM Service and Portal Server (ex. Portal01)	[MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)	[MIM SERVER 2]
Common name of the MIM Installation Service Account (ex. MIMInstall)	[INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA)	[MIM MA SERVICE ACCOUNT]

Service Accounts:

The following service accounts are used in the installation and configuration of the MIM Service and Portal. Rights associated with each account are listed below:

Service Account Name

Usage

Notes

[MIM MA SERVICE ACCOUNT]

MIM Sync server account for FIM Service

For MIM Management Agent

Allow logon locally rights assignment

[INSTALL ACCOUNT]

Account used for initial installation of the MIM Software.

Need local admin on Sync server and

SQL Admin Rights.

Option: Domain Admin to create Domain Groups

Configure the MIM MA:

From the Primary Synchronization Server [PRIMARY SYNC SERVER] Server

Logon as the Install Account [INSTALL ACCOUNT]

Launch the MIM Synchronization Service Manager

Select Management Agents tab

Under Actions, select Create

The Create Management Agent Window should display.

Create Management Agent:

Select Management Agent For: FIM Service Management Agent

Name: MIM_MA

Description: MIM Service Management Agent

Select Next

Update MV Schema:

Select Next

Connect to Database:

Server: [SQLSERVER]\[SQL INSTANCE]

Database: [SERVICE DB NAME]

FIM Service base address:

If using a single MIM Portal server, enter https://[MIM SERVER 1]:5725
If using load balancing, enter the common name of the MIM Portal URL https://[MIM PORTAL URL]:5725

For Windows Integrated Authentication mode enter

User Name: [MIM MA SERVICE ACCOUNT]

Password: ***************

Domain: [DOMAIN]

Select Next

Select Object Types:

Check the following objects:

if synchronizing person and group objects to the portal check:

DetectedRuleEntry

ExpectedRuleEntry

Person

Groups

SynchronizationRule

Select Next

Select Attributes:

Select Next

Configure Connector Filter:

Select Next

Configure Object Type Mappings:

Highlight Person

Select Add Mapping

Select person, OK

Select Next

Configure Attribute Flow:

Select Next

Configure Deprovisioning:

Select Next

Configure Extensions:

select Finish

Select New Profile

On the Profile Name Page For Name enter EX

Select Next

On the Configure Step page For Type select Export

Select Next

Select Finish

Select OK

Perform the First Import of the MIM MA

From the Synchronization Service Manager,

Select Management Agents

Select MIM_MA

Right Click MIM_MA

Select Run, Full Import, OK

The initial Full Import should generate 2 adds in the Synchronization Statistics Frame.

Filter the FIM Install Account and Built-in Synchronization Account

Double Click Adds

Double Click the First Entry 7fb2b853-24f0-4498-9534-4e10589723c4

Highlight the Distinguished Name value

Right click, select copy

Select Close, Close

Double Click MIM_MA

Select Configure Connector Filter

Select Person

Select New

For the Data Source Attribute value select

For the Operator value select Equals

For the Value paste the clipboard value 7fb2b853-24f0-4498-9534-4e10589723c4

Select Add Condition

Select OK, OK

Double Click Adds

Double Click the Second Entry fb89aefa-5ea1-47f1-8890-abe7797d6497

Highlight the Distinguished Name value

Right click, select copy

Select Close, Close

Double Click MIM_MA

Select Configure Connector Filter

Select Person

Select New

For the Data Source Attribute value select

For the Operator value select Equals

For the Value paste the clipboard value fb89aefa-5ea1-47f1-8890-abe7797d6497

Select Add Condition

Select OK, OK

Service Accounts, SPNs, and Kerberos Delegation configurations for MIM Service and Portal Installation

Joe Zinn — Thu, 07 Jun 2018 22:53:48 GMT

Introduction:

This document is intended to be used as an operational preparatory document for the Microsoft Identity Management 2016 MIM Service and Portal Server installation. This guide covers the service accounts, Service Principal Names, and Delegation needed for use with the MIM 2016 Service and Portal.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.

Document Variables:

Description	Search and Replace Variable
Full Domain Name (ex. Contoso.com)	[FQDOMAIN]
Common name of the first MIM Service and Portal Server (ex. Portal01)	[MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)	[MIM SERVER 2]
Common name of the MIM Service and Portal url (ex. MIMPORTALVIP)	[MIM VIP]
Common name of the MIM Installation Service Account (ex. MIMInstall)	[INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA)	[MIM MA SERVICE ACCOUNT]
Common name of the MIM Service Account (ex. MIMService)	[MIM SERVICE ACCOUNT]
Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP)	[MIM SAP ACCOUNT]

Service Accounts:

The following service accounts are used in the installation and configuration of the MIM Service and Portal. Rights associated with each account are listed below:

Service Account Name	Usage	Notes
[MIM MA SERVICE ACCOUNT]	MIM Sync server account for FIM Service For MIM Management Agent	Allow logon locally rights assignment
[MIM SERVICE ACCOUNT]	MIM Service Server User account for MIM service. For MIM Portal Service Account	Deny logon as batch job Deny logon locally Deny access to this computer from network Must be Member of FIMSyncAdmins group. If using PW Reset, must be member of FIMSyncPasswordSet group.
[MIM SAP SERVICE ACCOUNT]	MIM Service Server for SharePoint application Pool. For MIM Share Point application on MIM Portal Server(s)	Impersonate a client after authentication Log on as a batch job Log on as a service.
[INSTALL ACCOUNT]	Account used for initial installation of the MIM Software.	Need local admin on Sync server and SQL Admin Rights. Option: Domain Admin to create Domain Groups

Setup Service Principal Names for MIM Service Accounts:

Configure SPN Commands:

SETSPN -S http/[MIM SERVER 1] [MIM SAP ACCOUNT] SETSPN -S http/[MIM SERVER 1].[FQDOMAIN] [MIM SAP ACCOUNT] SETSPN -S http/[MIM SERVER 2] [MIM SAP ACCOUNT] SETSPN -S http/[MIM SERVER 2].[FQDOMAIN] [MIM SAP ACCOUNT] SETSPN -S http/[MIM VIP] [MIM SAP ACCOUNT] SETSPN -S http/[MIM VIP].[FQDOMAIN] [MIM SAP ACCOUNT] SETSPN -S FIMService/[MIM SERVER 1] [MIM SERVICE ACCOUNT] SETSPN -S FIMService/[MIM SERVER 1].[FQDOMAIN] [MIM SERVICE ACCOUNT] SETSPN -S FIMService/[MIM SERVER 2] [MIM SERVICE ACCOUNT] SETSPN -S FIMService/[MIM SERVER 2].[FQDOMAIN] [MIM SERVICE ACCOUNT]

Setup Kerberos Delegation:

Service Account	Delegation Account	Description
[MIM SAP ACCOUNT]	[MIM SERVICE ACCOUNT]	The MIM Portal on the MIM-Service server needs to access the MIM Service on the MIM-Service Server. MIM Portal uses Kerberos constrained delegation to act on behalf of the user.
[MIM SERVICE ACCOUNT]	[MIM SERVICE ACCOUNT]	This is needed in the event a workflow running in the MIM Service needs to access the MIM Service.

After configuring the Service Principal Names noted in the previous section, the following delegations must be configured to ensure proper Kerberos delegation functionality.

MIM SAP ACCOUNT [MIM SAP ACCOUNT] DELEGATION

Launch Active Directory Users and Computers Select the [MIM SAP ACCOUNT] service account Right Click and Select Properties. Select Delegation Tab Select Trust this user for delegation to specified services only Select use Kerberos only Select Add Select Users or Computers button Enter [MIM SERVICE ACCOUNT] Select Check Names Select Ok Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows: Service Type User or Computer http [MIM VIP].[FQDOMAIN] http [MIM SERVER 1].[FQDOMAIN] http [MIM SERVER 2].[FQDOMAIN]

MIM SERVICE ACCOUNT [MIM SERVICE ACCOUNT] DELEGATION

Launch Active Directory Users and Computers Select the [MIM SERVICE ACCOUNT] service account Right Click and Select Properties. Select Delegation Tab Select Trust this user for delegation to specified services only Select use Kerberos only Select Add Select Users or Computers button Enter [MIM SERVICE ACCOUNT] Select Check Names Select Ok Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows: Service Type User or Computer FIMService [MIM VIP].[FQDOMAIN] FIMService [MIM SERVER 1].[FQDOMAIN] FIMService [MIM SERVER 2].[FQDOMAIN]