Registry Keys and Configuration File Settings in FIM 2010
Applies To: Forefront Identity Manager 2010
Registry and Configuration Settings for FIM 2010
What this document covers
This document provides the registry settings and configuration file options for the Microsoft® Forefront Identity Manager (FIM) 2010 R2 Service, the FIM Portal, and Forefront Identity Manager Certificate Management (FIM CM).
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010 TechNet Forum (https://go.microsoft.com/fwlink/?LinkId=163230).
Audience
This document is intended for information technology (IT) planners and systems administrators.
Group Policy settings
Add-ins and extensions
The values in Table 1 are located in the registry key: SOFTWARE\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins.
Table 1
Registry value name | Value type | Class | Display name | Notes |
---|---|---|---|---|
MonitoredAccountName | <string> | User | Configure FIM Service mailbox address | With this policy setting, you can specify the mailbox address of the FIM Service service account that processes incoming requests sent by the FIM Add-in for Outlook®. If you do not configure this policy setting, the mailbox address specified during the setup is used. |
ValidApprovalRequestSenders | <string> | User | Configure valid senders of approval requests | With this policy setting, you can specify the mailbox addresses of valid service accounts which can send approval requests that are being accepted by the FIM Add-in for Outlook. You need to configure this policy setting if you change the FIM Service service account, for example, by using the policy setting “Configure FIM Service mailbox address.” This policy setting should contain both the new and old mailbox addresses to ensure that all previously sent approval e-mail messages are still treated as valid. You can specify several mailbox addresses by separating them with semicolons. If you do not configure this policy setting, only the mailbox address in “Configure FIM Service mailbox address” is used. |
ShowGroupManagementUi | <dword> | User | Configure group management in the user interface (UI) | With this policy setting, you can specify whether the FIM Add-in for Outlook should show the group management options in the Outlook ribbon. The options for this value are: If you do not configure this policy setting, the group management options in the Outlook ribbon are displayed. |
PortalUrl | <string> | User | Configure FIM Portal address | With this policy setting, you can specify the URL for the FIM Portal used in the FIM Add-in for Outlook when the user selects Group Management Website. If you do not configure this policy setting, the URL specified during the setup is used. |
AllGroupsAddressBookName | <string> | User | Configure the address book containing valid groups | With this policy setting, you can specify the address book used by the FIM Add-in for Outlook when the user selects groups to add members to. If you do not configure this policy setting, the address book All Groups is used. |
AllMembersAddressBookName | <string> | User | Configure the address book containing valid members | With this policy setting, you can specify the address book used by the FIM Add-in for Outlook when the user selects members to add to groups. If you do not configure this policy setting, the address book Global Address Book is used. |
DeleteApprovalRequest | <dword> | User | Configure Approval Request deletion | With this policy setting, you can specify whether the FIM Add-in for Outlook should delete the Approval message when the user has responded. The options for this value are: If you do not configure this policy setting, the user can configure this setting in the FIM Add-in for Outlook. The default is to delete the e-mail. |
The values in Table 2 are located in the registry key: SOFTWARE\Policies\Microsoft\Forefront Identity Manager\2010\Extensions.
Table 2
Registry value name | Value type | Class | Display name | Notes |
---|---|---|---|---|
SiteLock | <string> | User | Configure valid Microsoft ActiveX® sites | With this policy setting, you can specify the sites used by the FIM Password and Authentication component. The ActiveX control only runs from sites specified in this list. You can specify several sites by separating them with semicolons. Note: Do not include a prefix in the addresses, for example, https://. If you do not configure this policy setting, the sites specified during the setup are used. |
CacheInterval | <dword> | User | Configure cache duration for password reset registration | With this policy setting, you can configure how often the password reset registration status is checked for a user at logon. If you do not configure this policy setting, the password reset registration status is checked every time the user logs on. |
MaxOffset | <dword> | User | Configure max random offset for password reset registration | With this policy setting, you can configure the offset for the policy setting “Configure cache duration for password reset registration” to prevent all password reset registration checks for all users from occurring during the same day. If you do not configure this policy setting but have configured “Configure cache duration for password reset registration,” then password reset registration checks for all users will occur at the next logon after the duration has been reached. If you do not configure this policy setting and have not configured “Configure cache duration for password reset registration,” then password reset registration checks happen at every logon for all users. |
The values in Table 3 are located in the registry key: Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C.
Table 3
Registry value name | Value type | Class | Display name | Notes |
---|---|---|---|---|
PrivacyLink | <string> | Computer | Configure a custom privacy hyperlink for password reset registration | With this policy setting, you can configure a custom privacy hyperlink which will be displayed to the user during password reset registration. If you do not configure this policy setting, the default privacy statement will be displayed during the password reset registration. Maximum length is 127 characters. |
Note
This registry key is only available in FIM version 4.0.3558 and later.
The values in Table 4 are located in the registry key: SOFTWARE\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet.
Table 4
Registry value name | Value type | Class | Display name | Notes |
---|---|---|---|---|
Address | <string> | Computer | Configure FIM Service address | With this policy setting, you can specify the address to the FIM Service used by password reset. The format is: https://serveraddress:5725. If you do not configure this policy setting, the address specified during the setup is used. |
Certificate management client
The values in Table 5 are located in the registry key: SOFTWARE\Policies\Microsoft\Clm\v1.0\SmartCardClient.
Table 5
Registry value name | Value type | Class | Display name | Notes |
---|---|---|---|---|
SiteLock | <string> | User | Configure valid ActiveX sites | With this policy setting, you can specify the sites used by the FIM CM Client component. The ActiveX control only runs from sites specified in this list. You can specify several sites by separating them with semicolons. Note: Do not include a prefix in the address, for example, https://. If you do not configure this policy setting, the sites specified during the setup are used. |
Registry settings
The following tables present the registry settings available for FIM and FIM CM.
Note
When both HKLM and HKCU are listed, the system reads from both locations, in the order specified, and uses the value it finds first.
Add-ins and extensions
The values in Table 6 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010.
Table 6
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
AddinsandExtensionsCEIP | <string> | HKLM | Setup | This setting enables the CEIP (Customer Experience Improvement Program) and allows the components to collect data. The options for this value are: |
AddinsandExtensionsLocation | <string> | HKLM | Setup | The location of the main product. |
AddinsandExtensionsX86Location | <string> | HKLM | Setup | The location of the main product for x86 components. |
GUID | <string> | HKLM | Setup | Identifier for CEIP. This value is hard coded and should not be changed. |
The values in Table 7 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Add-ins.
Table 7
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Location | <string> | HKLM | Setup | The directory path where the FIM Add-in component is installed. |
MonitoredAccountName | <string> | HKCU HKLM | User Setup | The mailbox address of the FIM Service service account that processes incoming requests sent by the FIM Add-in for Outlook. |
PortalUrl | <string> | HKCU HKLM | User Setup | The URL for the FIM Portal used in the FIM Add-in for Outlook when the user selects Group Management Website. |
ValidApprovalRequestSenders | <string> | HKCU HKLM | User Admin | The mailbox addresses of valid service accounts which can send approval requests that are being accepted by the FIM Add-in for Outlook. You need to change this setting if you change the FIM Service service account. This policy setting should contain both the new and old mailbox addresses to ensure that all previously sent approval e-mail messages are still treated as valid. You can specify several mailbox addresses by separating them with semicolons. |
ShowGroupManagementUi | <dword> | HKCU HKLM | User Admin | You can specify whether the FIM Add-in for Outlook should show the group management options in the Outlook ribbon. The options for this value are: |
DeleteApprovalRequest | <dword> | HKCU HKLM | User Admin | You can specify whether the FIM Add-in for Outlook should delete the Approval Request message when the user has responded. The options for this value are: If you do not configure this setting, the user can configure this setting in the FIM Add-in for Outlook. The default is to delete the email. |
AllGroupsAddressBookName | <string> | HKCU HKLM | User Admin | The address book used by the FIM Add-in for Outlook when the user selects groups to add members to. If you do not configure this setting, the address book All Groups is used. |
AllMembersAddressBookName | <string> | HKCU HKLM | User Admin | The address book used by the FIM Add-in for Outlook when the user selects members to add to groups. If you do not configure this setting, the address book Global Address Book is used. |
The values in Table 8 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions.
Table 8
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Location | <string> | HKLM | Setup | The directory where this component is installed. |
SiteLock | <string> | HKLM | Setup | The sites used by the FIM Password and Authentication component. The ActiveX control only runs from sites specified in this list. You can specify several sites by separating them with semicolons. Note: Do not include a prefix in the address, for example, https://. |
The values in Table 9 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins.
Table 9
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Path | <string> | HKLM | Setup | The path to the location of the password gate plug-ins. |
The values in Table 10 are located in the registry key: \Software\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C.
Table 10
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
PrivacyLink | <string> | HKLM | Admin | You can specify a custom privacy hyperlink which will be displayed to the user during password reset registration. Maximum length is 127 characters. |
Note
This registry key is only available in FIM version 4.0.3558 and later.
The values in Table 11 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet.
Table 11
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Address | <string> | HKLM | Setup | The address to the FIM Service used by password reset. The format is: https://serveraddress:5725. |
FIM Service and Portal
The values in Table 12 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010.
Table 12
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
ServiceandPortalCEIP | <dword> | HKLM | Setup | CEIP (Customer Experience Improvement Program, also known as SQM) is enabled and the components can collect data. The options for this value are: |
ServiceandPortalLocation | <string> | HKLM | Setup | Value of INSTALLDIR. By default, this path is c:\Program Files\Microsoft Forefront Identity Manager\2010. |
The values in Table 13 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal.
Table 13
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Location | <string> | HKLM | Setup | The directory where the FIM Portal is installed. By default, this path is c:\Program Files\Microsoft Forefront Identity Manager\2010\Portal. |
BaseSiteCollectionURL | <string> | HKLM | Setup | The URL to the Microsoft SharePoint® site collection where the FIM Portal is located. This value is used for patching during the Language Pack installation. |
The values in Table 14 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service.
Table 14
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Location | <string> | HKLM | Setup | The directory where FIM Service is installed. |
The values in Table 15 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service\Activities\QAActivity.
Table 15
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
HashType | <dword> | HKLM | Setup | Default value is SHA256. Changing this value is not supported. It is reserved by Microsoft for future use. |
The values in Table 16 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMService.
Table 16
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
DatabaseServer | <string> | HKLM | Setup | Name of the FIM Service database server, with the instance name if needed. |
DatabaseName | <string> | HKLM | Setup | Name of the FIM Service database. The default value is FIMService. |
CertificateThumbprint | <string> | HKLM | Setup | The thumbprint of the certificate in the local computer store used by password reset. |
DisableSecurityTokenService | <dword> | HKLM | Admin | If this value is set to 1, then the Security Token Service (STS) cannot be started and the CertificateThumbprint value cannot be consumed. If this key does not exist, or is set to 0, then the STS starts and a CertificateThumbprint must be present. |
DefaultKeySize | <dword> | HKLM | Setup | This value is created by Setup, but is not used. |
DefaultTokenLifetimeInMinutes | <dword> | HKLM | Setup | This value is created by Setup, but is not used. |
ServiceAccountSid | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
MetadataEndpointAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
EnumerationEndpointAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
ResourceManagementServicePort | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
ResourceManagementServiceBaseAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
ResourceEndpointAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
SecurityTokenServicePort | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
SecurityTokenServiceBaseAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
SecurityTokenServiceEndpointAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
PasswordResetEndpointAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
WorkflowManagerEndpointBaseAddress | <string> | HKLM | Setup | This value is created by Setup, but is not used. |
PollExchangeEnabled | <dword> | HKLM | Setup | Specifies whether this instance of the FIM Service should monitor the Microsoft Exchange Server mailbox for incoming mail. The options for this value are: Note: The FIM Service still may send outgoing mail if false. |
FIM Synchronization Service
The values in Table 17 are located in the registry key: SOFTWARE\Microsoft\ERP Management Agent.
Table 17
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
InstallPath | <string> | HKLM | Setup | The directory where the management agent for SAP R/3 (ERP MA) Configuration UI is installed. |
MaInstallPath | <string> | HKLM | Setup | The directory where the ERP MA is installed. |
The values in Table 18 are located in the registry key: SOFTWARE\Microsoft\ERP Management Agent\ERP Management Agent Configuration Tool.
Table 18
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
ConnectionString | <string> | HKCU | Setup | A text string informing the user about the correct format for connecting to SAP. |
InstallPath | <string> | HKLM | Setup | This has the same value as MaInstallPath in Table 15. |
The values in Table 19 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service.
Table 19
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
ReadTimeOut | <dword> | HKLM | Admin | The default value is 58, specified in seconds. Note: Only used by the management agent for FIM (FIM MA) for reading from the FIM Service database. |
FullImportPageSize | <dword> | HKLM | Admin | The default value is 100, specified in the number of objects returned. Note: Only used by the FIM MA for reading from the FIM Service database. |
DeltaImportPageSize | <dword> | HKLM | Admin | The default value is 1,000, specified in the number of rows returned. Note: Only used by the FIM MA for reading from the FIM Service database. |
ADMARecursiveUserDelete | <dword> | HKLM | Admin | Allows deprovisioning of non-leaf user objects. |
The values in Table 20 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents.
Table 20
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
<name of MA> | <string> | HKLM | Setup | The name of the registry key is the name of the management agent. The value is a string representation of the CLSID for each type of management agent. |
The values in Table 21 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters.
Table 21
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Server | <string> | HKLM | Setup | Name of the FIM Synchronization database server. |
SQLInstance | <string> | HKLM | Setup | Name of the FIM Synchronization database instance. |
DBName | <string> | HKLM | Setup | Name of the FIM Synchronization database. |
Path | <string> | HKLM | Setup | The directory where the FIM Synchronization Service is installed. |
EventSource | <string> | HKLM | Setup | The default value is FIMSynchronizationService. |
EventProductName | <string> | HKLM | Setup | The default value is FIM Synchronization Service. |
AdExtTimeout | <dword> | HKLM | Admin | This is the Exchange 2007 PowerShell utility timeout in milliseconds. The default value is 40,000 in FIM RTM and 120,000 in FIM Update 2. |
DisableRunStepDetails | <dword> | HKLM | Admin | If this value is set to 1, then FIM does not save details of the current run. The default value is 0. |
ErrorLimit | <dword> | HKLM | Admin | The value is an integer in the range of 0-100,000. Note: From FIM Update 2 and later, warnings will not be counted against the error limit. |
ConnectionTimeout | <dword> | HKLM | Admin | SQL connection timeout. |
ADMAUseACLSecurity | <dword> | HKLM | Admin | The options for this value are: If not defined, the default value is 0. Note: This setting is only supported on FIM Update 2 and later. |
eDirectoryMASupportedServers | <multi-sz> | HKLM | Admin | If the eDirectory MA does not recognize the NDS version, add the vendorVersion found in the RootDSE in NDS to this multi-valued string. |
IBMDSMASupportedServers | <multi-sz> | HKLM | Admin | If the IBM DS MA does not recognize the DS version, add the vendorVersion found in the RootDSE in IBM DS to this multi-valued string. |
iPlanetMASupportedServers | <multi-sz> | HKLM | Admin | If the Sun DS MA does not recognize the DS version, add the vendorVersion found in the RootDSE in Sun DS to this multi-valued string. |
ADMADoNormalization | <dword> | HKLM | Admin | The options for this value are: Setting this value to “1” will cause the ADMA to export an object to AD, and then read back the AD normalized ‘nTSecurityDescriptor’ attribute and write it back onto the export image to avoid ‘exported-change-not-reimported’ errors. |
iPlanetMAAllowInvalidUTF8 | <dword> | HKLM | Admin | The options for this value are: Setting this value to “1” will cause the iPlanet MA to coerce invalid UTF8 data in the import stream to a base64 string and import the data in that form. This allows customers with misbehaving apps running against their iPlanet directory server to import the malformed data into the synchronization engine. |
MinimalObjectLogging | <dword> | HKLM | Admin | The options for this value are: Setting this value to “1” will cause the Sync Engine to only log minimal information about an object if an error occurs. Note: This setting is only supported on FIM Update 2 and later. |
CsObjectCacheSize | <dword> | HKLM | Admin | If no value is specified, the default value is 20480. This value describes how large the cache size for connector space objects is and the number of members the internal cache will hold. If there are more members in a group, we will process the group in chunks. Set this to one of the following values: |
The values in Table 22 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>.
Table 22
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
AnchorCacheSize | <dword> | HKLM | Admin | The accepted value range is 100–100,000. Used by the management agents for SunOne and IBM DS to set the size of the cache for resolved anchor values. |
StackSize | <dword> | HKLM | Admin | This value only applies to the Management Agent for Extensible Connectivity (ECMA). This specifies the stack size that a new instance of the management agent should have and is read every time a new ECMA is started. |
ADMAUseACLSecurity | <dword> | HKLM | Admin | The options for this value are: If not defined, the default value is 0. Note: This setting is only supported on FIM Update 2 and later. |
ECMAAlwaysExportUnconfirmed | <dword> | HKLM | Admin | The options for this value are: The default value is 0. Note: This value only applies to the Management Agent for Extensible Connectivity (ECMA). Note: This setting is only supported on FIM Update 2 and later. |
iPlanetMAOptionFiltering | <string> | HKLM | Admin | This value is used to specify the suffix of attributes that should be filtered from the image during import. If this is not specified, the attributes will be read, and any suffix will be stripped off before adding the value to the import image. |
ADMAEnforcePasswordPolicy | <dword> | HKLM | Admin | The options for this value are: Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset. Note: This setting is only supported on FIM Update 2 and later. Note: This is only supported where the DC is Windows Server 2008 R2 SP1. |
The values in Table 23 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Performance.
Table 23
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
Library | <string> | HKLM | Setup | The directory where the FIM Synchronization Service is installed. |
Open/Collect/Close | <string> | HKLM | Setup | These values are hard coded at setup time. |
MaxObjectImportRate | <dword> | HKLM | Admin | This key specifies the number of objects per second that should serve as an upper boundary of any Import Run Profile run on the server. During an import run, the number of objects per second measured by the “Objects Read /sec” performance counter must remain below the value set in MaxObjectImportRate. The range for this value is 1 to Max (Int32). A value of 0, or the absence of the key, is treated as having no maximum value defined. |
MaxObjectSynchronizationRate | <dword> | HKLM | Admin | This key specifies the number of objects per second that should serve as an upper boundary of any Synchronization Run Profile run on the server. During a synchronization run, the number of objects per second measured by the “Objects Synchronized / sec” performance counter must remain below the value set in MaxObjectSynchronizationRate. The range for this value is 1 to Max (Int32). A value of 0 or the absence of the key is treated as having no maximum value defined. |
MaxObjectExportRate | <dword> | HKLM | Admin | This key specifies the number of objects per second that should serve as an upper boundary of any Export Run Profile run on the server. During an export run, the number of objects per second measured by the “Objects Exported / sec” performance counter must remain below the value set in MaxObjectExportRate. |
Certificate management
The values in Table 24 are located in the registry key: SOFTWARE\Microsoft\Clm\v1.0\Server\Setup.
Table 24
Registry value name | Value type | Class | Created by |
---|---|---|---|
LogFile | <string> | HKLM | Setup |
DATAFolder | <string> | HKLM | Setup |
WebAppName | <string> | HKLM | Setup |
Microsoft.Clm.Service.Exe.config | <string> | HKLM | Setup |
ClmUtil.exe.config | <string> | HKLM | Setup |
CaFolder | <string> | HKLM | Setup |
Certificate management client
The values in Table 25 are located in the registry key: SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient.
Table 25
Registry value name | Value type | Class | Created by | Notes |
---|---|---|---|---|
SiteLock | <string> | HKLM | Setup | A list of sites from which ActiveX is allowed to run. |
Configuration file settings
This section describes the two configuration files used by the FIM Service and the FIM Portal.
C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config
C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config
The FIM Service and Portal share the same overall format of the configuration files. The main difference is that the client reads from the ResourceManagementClient section and the server reads from the ResourceManagementService section. Either section can appear in both the service and portal configuration files, but the way they are used is different.
The FIM Portal discards the ResourceManagementService section altogether and uses the ResourceManagementClient section for configuring the client to communicate with the service. The service uses the ResourceManagementService section as expected, but also uses the ResourceManagementClient section to configure how workflow activities, the mail listener, and other components within the service communicate with the Web service endpoints.
FIM Service and FIM Portal
ResourceManagementService
XPath | Values | Default value | Notes |
---|---|---|---|
/configuration/resourceManagementService/@dataReadTimeoutInSeconds | [0,inf) | 58 | The timeout used in all SQL select commands. |
/configuration/resourceManagementService/@dataWriteTimeoutInSeconds | [0,inf) | 58 | The timeout used in all SQL update, insert, and delete commands. |
/configuration/resourceManagementService/@defaultKeySize | [0,inf) | 256 | The key size used in session keys. |
/configuration/resourceManagementService/@defaultTokenLifetimeInMinutes | [0,inf] | 10 | The lifetime of tokens issued by the security token service. |
/configuration/resourceManagementService/@enumerationEndpointAddress | <string> | ResourceManagementService/Enumeration | The name of the WS-Enumeration enumeration endpoint. |
/configuration/resourceManagementService/@externalHostName | <string> | “localhost” | The base Uniform Resource Identifier (URI) to use when responding with CreateResponse and Authentication (AuthN) responses. Use this value for load-balanced scenarios and to update the unified client resourceManagementServiceBaseAddress to have outgoing requests also go to the load-balanced server. This could be a DNS name or IP address. If the base address is the string literal “localhost,” this also emits the health event https://sharepoint/sites/imtmanage/Lists/Ilm%20Events/DispForm.aspx?ID=43 to indicate to operators that the base address, in its current configuration, prevents external clients from communicating with the service. |
/configuration/resourceManagementService/@hostActivationIntervalInMilliseconds | [0,inf] | 120,000 | This is the interval between the host activator polling workflow instances for status. |
/configuration/resourceManagementService/@intranetRegistrationEndpointAddress | <string> | ResourceManagementService/SecurityTokenService/Registration | The name of the intranet password reset registration endpoint. |
<configuration>…<resourceManagementService maxSimultaneousAuthenticationWorkflows="200" />…</configuration> | [0,Int32.Max] A value of 0 results in all workflows being throttled and no workflows being started. For more information see Troubleshooting FIM 2010 | | |
/configuration/resourceManagementService/@metadataEndpointAddress | <string> | ResourceManagementService/MEX | The name of the metadata endpoint. |
/configuration/resourceManagementService/@passwordResetEndpointAddress | <string> | ResourceManagementService/Alternate | The name of the password reset endpoint. |
/configuration/resourceManagementService/@policyManagerIntervalInMilliseconds | [0,inf] | 5,000 | The interval between running the stored procedure DequeuePolicyApplication. |
/configuration/resourceManagementService/@receiveTimeoutInSeconds | [0,inf] | 300 | The timeout used for receiving messages on all FIM endpoints. This is used as a parameter to the constructor for ServiceMultipleTokenBinding. |
/configuration/resourceManagementService/@resourceEndpointAddress | <string> | ResourceManagementService/Resource | The name of the WS-Transfer resource endpoint. |
/configuration/resourceManagementService/@resourceMailEndpointAddress | <string> | ResourceManagementService/ResourceMail | The name of the Resource Mail endpoint. |
/configuration/resourceManagementService/@resourceFactoryEndpointAddress | <string> | ResourceManagementService/ResourceFactory | The name of the WS-Transfer resource factory endpoint. |
/configuration/resourceManagementService/@securityTokenServiceEndpointAddress | <string> | ResourceManagementService/SecurityTokenService | The name of the WS-Trust security token endpoint. |
/configuration/resourceManagementService/@securityTokenServiceMetadataEndpointAddress | <string> | ResourceManagementService/SecurityTokenService/MEX | The name of the WS-Trust security token metadata endpoint. |
/configuration/resourceManagementService/@servicePrincipalName | <string> | There is no default value. Omitting this value results in the endpoints having the default principal identity (which depends on the WCF implementation of endpoints and should be the Windows service account). | Used to create a service principal identity for all FIM endpoints. |
/configuration/resourceManagementService/@workflowManagerEndpointBaseAddress | <string> | ResourceManagementService/WorkflowManager | The name of the workflow activity endpoint. |
/configuration/appSettings/add[@key='synchronizationEngineAccountName'] | <string> | SyncEngineAccount | The logon name for the synchronization engine account. This enables the server to provide elevated access to the synchronization engine without special configuration in FIM. |
/configuration/appSettings/add[@key='mailServer'] | <string> | (None, and not required) | The URL that points to the Exchange 2007 Web service, for example, https://server/ews/exchange.asmx. |
/configuration/appSettings/add[@key='isExchange'] | <string> | 1 | String literals 1 or 0 indicating whether the mail sender should instantiate an SMTP client or Exchange client. Note that the strings “true” and “false” are both treated as false. |
/configuration/appSettings/add[@key='exchangeListenerInterval'] | [0,3600] | 30 | Number of seconds to wait between polls of the server running Exchange. |
/configuration/resourceManagementService/@mailBatchSize | [0,inf] | 100 | The maximum number of mail items to download from the Exchange mailbox in one batch. |
ResourceManagementClient
XPath | Values | Default | Notes |
---|---|---|---|
/configuration/resourceManagementClient/@resourceManagementServiceBaseAddress | <string> | This value is required. | The endpoint base address from the perspective of the client. |
/configuration/resourceManagementClient/@maxReceivedMessageSizeInBytes | [0, Int32.MaxValue] | 14 MB (0xE00000, 14680064 decimal) | The maximum received message size the client is willing to receive. |
/configuration/resourceManagementClient/@servicePrincipalName | <string> | There is no default value. Omitting this value results in the endpoints having the default principal identity (which depends on the WCF implementation of endpoints and should be the Windows service account). | This value is used to create a service principal identity for the client. |
/configuration/resourceManagementClient/@timeoutInMilliseconds | [0,360000] | 90,000 | The timeout of the client side of communication. |
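The following Python script is an added example, not part of the original documentation or of FIM itself. It checks a configuration file against the value ranges and caveats listed in the ResourceManagementService and ResourceManagementClient tables, and skips the service section for the Portal as described above. The sample XML, the host name fim.example.test, and the `role` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

INT32_MAX = 2**31 - 1
SVC = "/configuration/resourceManagementService/@"
CLI = "/configuration/resourceManagementClient/@"
APP = "/configuration/appSettings/add[@key='{}']"

# (low, high) copied from the "Values" columns; None means no upper bound.
SERVICE_RANGES = {
    "dataReadTimeoutInSeconds": (0, None),
    "dataWriteTimeoutInSeconds": (0, None),
    "defaultKeySize": (0, None),
    "defaultTokenLifetimeInMinutes": (0, None),
    "hostActivationIntervalInMilliseconds": (0, None),
    "maxSimultaneousAuthenticationWorkflows": (0, INT32_MAX),
    "policyManagerIntervalInMilliseconds": (0, None),
    "receiveTimeoutInSeconds": (0, None),
    "mailBatchSize": (0, None),
}
CLIENT_RANGES = {
    "maxReceivedMessageSizeInBytes": (0, INT32_MAX),
    "timeoutInMilliseconds": (0, 360000),
}
APPSETTING_RANGES = {"exchangeListenerInterval": (0, 3600)}

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONFIG = """<configuration>
  <resourceManagementClient resourceManagementServiceBaseAddress="fim.example.test"
                            timeoutInMilliseconds="600000" />
  <resourceManagementService externalHostName="localhost"
                             maxSimultaneousAuthenticationWorkflows="0"
                             dataReadTimeoutInSeconds="58" />
  <appSettings>
    <add key="isExchange" value="true" />
    <add key="exchangeListenerInterval" value="7200" />
  </appSettings>
</configuration>"""


def _range_findings(template, values, ranges):
    """Yield (xpath, message) for each present value that is not an in-range integer."""
    for name, (low, high) in ranges.items():
        raw = values.get(name)
        if raw is None:
            continue  # absent: the documented default applies
        try:
            number = int(raw)
        except ValueError:
            yield template.format(name), f"{raw!r} is not an integer"
            continue
        if number < low or (high is not None and number > high):
            top = "inf" if high is None else high
            yield template.format(name), f"{number} is outside [{low},{top}]"


def audit_config(xml_text, role):
    """Return {xpath: message}. role is 'service' or 'portal' (names chosen here)."""
    root = ET.fromstring(xml_text)
    findings = {}

    # Both the Portal and the Service read the resourceManagementClient section.
    client = root.find("resourceManagementClient")
    client_attrs = client.attrib if client is not None else {}
    if not client_attrs.get("resourceManagementServiceBaseAddress"):
        findings[CLI + "resourceManagementServiceBaseAddress"] = "required value is missing"
    findings.update(_range_findings(CLI + "{}", client_attrs, CLIENT_RANGES))

    if role == "portal":
        return findings  # the Portal discards the resourceManagementService section

    service = root.find("resourceManagementService")
    service_attrs = service.attrib if service is not None else {}
    findings.update(_range_findings(SVC + "{}", service_attrs, SERVICE_RANGES))
    # The documented default is the literal "localhost", so an absent value counts too.
    if service_attrs.get("externalHostName", "localhost") == "localhost":
        findings[SVC + "externalHostName"] = (
            "literal 'localhost' prevents external clients from communicating with the service")
    if service_attrs.get("maxSimultaneousAuthenticationWorkflows", "").strip() == "0":
        findings[SVC + "maxSimultaneousAuthenticationWorkflows"] = (
            "0 throttles all workflows; none are started")

    settings = {a.get("key"): a.get("value", "") for a in root.findall("appSettings/add")}
    findings.update(_range_findings(APP, settings, APPSETTING_RANGES))
    is_exchange = settings.get("isExchange")
    if is_exchange is not None and is_exchange not in ("0", "1"):
        note = " (treated as false)" if is_exchange in ("true", "false") else ""
        findings[APP.format("isExchange")] = f"{is_exchange!r} is not the literal 1 or 0{note}"
    return findings


if __name__ == "__main__":
    for xpath, message in audit_config(SAMPLE_CONFIG, "service").items():
        print(f"{xpath}: {message}")
```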