Share via


Registry Keys and Configuration File Settings in FIM 2010

Applies To: Forefront Identity Manager 2010

Registry and Configuration Settings for FIM 2010

What this document covers

This document provides the registry settings and configuration file options for the Microsoft® Forefront Identity Manager (FIM) 2010 R2 Service, the FIM Portal, and Forefront Identity Manager Certificate Management (FIM CM).

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010 TechNet Forum (https://go.microsoft.com/fwlink/?LinkId=163230).

Audience

This document is intended for information technology (IT) planners and systems administrators.

Group Policy settings

Add-ins and extensions

The values in Table 1 are located in the registry key: SOFTWARE\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins.

Table 1

Registry value name Value type Class Display name Notes

MonitoredAccountName

<string>

User

Configure FIM Service mailbox address

With this policy setting, you can specify the mailbox address of the FIM Service service account that processes incoming requests sent by the FIM Add-in for Outlook®.

If you do not configure this policy setting, the mailbox address specified during the setup is used.

ValidApprovalRequestSenders

<string>

User

Configure valid senders of approval requests

With this policy setting, you can specify the mailbox addresses of valid service accounts which can send approval requests that are being accepted by the FIM Add-in for Outlook. You need to configure this policy setting if you change the FIM Service service account, for example, by using the policy setting “Configure FIM Service mailbox address.” This policy setting should contain both the new and old mailbox addresses to ensure that all previously sent approval e-mail messages are still treated as valid. You can specify several mailbox addresses by separating them with semicolon.

If you do not configure this policy setting, only the mailbox address in “Configure FIM Service mailbox address” is used.

ShowGroupManagementUi

<dword>

User

Configure group management in the user interface (UI)

With this policy setting, you can specify whether the FIM Add-in for Outlook should show the group management options in the Outlook ribbon.

The options for this value are:

  • 0 – Disable Group management UI

  • 1 – Enable Group management UI

If you do not configure this policy setting, the group management options in the Outlook ribbon are displayed.

PortalUrl

<string>

User

Configure FIM Portal address

With this policy setting, you can specify the URL for the FIM Portal used in the FIM Add-in for Outlook when the user selects Group Management Website.

If you do not configure this policy setting, the URL specified during the setup is used.

AllGroupsAddressBookName

<string>

User

Configure the address book containing valid groups

With this policy setting, you can specify the address book used by the FIM Add-in for Outlook when the user selects groups to add members to.

If you do not configure this policy setting, the address book All Groups is used.

AllMembersAddressBookName

<string>

User

Configure the address book containing valid members

With this policy setting, you can specify the address book used by the FIM Add-in for Outlook when the user selects members to add to groups.

If you do not configure this policy setting, the address book Global Address Book is used.

DeleteApprovalRequest

<dword>

User

Configure Approval Request deletion

With this policy setting, you can specify whether the FIM Add-in for Outlook should delete the Approval message when the user has responded.

The options for this value are:

  • 0 – Do not delete

  • 1 – Delete

If you do not configure this policy setting, the user can configure this setting in the FIM Add-in for Outlook. The default is to delete the e-mail.

The values in Table 2 are located in the registry key: SOFTWARE\Policies\Microsoft\Forefront Identity Manager\2010\Extensions.

Table 2

Registry value name Value type Class Display name Notes

SiteLock

<string>

User

Configure valid Microsoft ActiveX® sites

With this policy setting, you can specify the sites used by the FIM Password and Authentication component. The ActiveX control only runs from sites specified in this list. You can specify several sites by separating them with semicolons.

Note

Do not include a prefix in the addresses, for example, https://.

If you do not configure this policy setting, the sites specified during the setup are used.

CacheInterval

<dword>

User

Configure cache duration for password reset registration

With this policy setting, you can configure how often the password reset registration status is checked for a user at logon.

If you do not configure this policy setting, the password reset registration status is checked every time the user logs on.

MaxOffset

<dword>

User

Configure max random offset for password reset registration

With this policy setting, you can configure the offset for the policy setting “Configure cache duration for password reset registration” to prevent all password reset registration checks for all users from occurring during the same day.

If you do not configure this policy setting but have configured “Configure cache duration for password reset registration,” then password reset registration checks for all users will occur at the next logon after the duration has been reached.

If you do not configure this policy setting and have not configured “Configure cache duration for password reset registration,” then password reset registration checks happen at every logon for all users.

The values in Table 3 are located in the registry key: Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C.

Table 3

Registry value name Value type Class Display name Notes

PrivacyLink

<string>

Computer

Configure a custom privacy hyperlink for password reset registration

With this policy setting, you can configure a custom privacy hyperlink which will be displayed to the user during password reset registration.

If you do not configure this policy setting, the default privacy statement will be displayed during the password reset registration.

Maximum length is 127 characters.

Note

This registry key is only available in FIM version 4.0.3558 and later.

The values in Table 4 are located in the registry key: SOFTWARE\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet.

Table 4

Registry value name Value type Class Display name Notes

Address

<string>

Computer

Configure FIM Service address

With this policy setting, you can specify the address to the FIM Service used by password reset. The format is: https://serveraddress:5725.

If you do not configure this policy setting, the address specified during the setup is used.

Certificate management client

The values in Table 5 are located in the registry key: SOFTWARE\Policies\Microsoft\Clm\v1.0\SmartCardClient.

Table 5

Registry value name Value type Class Display name Notes

SiteLock

<string>

User

Configure valid ActiveX sites

With this policy setting, you can specify the sites used by the FIM CM Client component. The ActiveX control only runs from sites specified in this list. You can specify several sites by separating them with semicolons.

Note

Do not include a prefix in the address, for example, https://.

If you do not configure this policy setting, the sites specified during the setup are used.

Registry settings

The following tables present the registry settings available for FIM and FIM CM.

Note

When both HKLM and HKCU are listed, then the system reads from both locations, in the order specified, and use the value it finds first.

Add-ins and extensions

The values in Table 6 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010.

Table 6

Registry value name Value type Class Created by Notes

AddinsandExtensionsCEIP

<string>

HKLM

Setup

This setting enables the CEIP (Customer Experience Improvement Program) and allows the components to collect data.

The options for this value are:

  • 0 – Not Enabled

  • 1 – Enabled

AddinsandExtensionsLocation

<string>

HKLM

Setup

The location of the main product.

AddinsandExtensionsX86Location

<string>

HKLM

Setup

The location of the main product for x86 components.

GUID

<string>

HKLM

Setup

Identifier for CEIP. This value is hard coded and should not be changed.

The values in Table 7 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Add-ins.

Table 7

Registry value name Value type Class Created by Notes

Location

<string>

HKLM

Setup

The directory path where the FIM Add-in component is installed.

MonitoredAccountName

<string>

HKCU

HKLM

User

Setup

The mailbox address of the FIM Service service account that processes incoming requests sent by the FIM Add-in for Outlook.

PortalUrl

<string>

HKCU

HKLM

User

Setup

The URL for the FIM Portal used in the FIM Add-in for Outlook when the user selects Group Management Website.

ValidApprovalRequestSenders

<string>

HKCU

HKLM

User

Admin

The mailbox addresses of valid service accounts which can send approval requests that are being accepted by the FIM Add-in for Outlook. You need to change this setting if you change the FIM Service service accountThis policy setting should contain both the new and old mailbox addresses to ensure that all previously sent approval e-mail messages are still treated as valid. You can specify several mailbox addresses by separating them with semicolons.

ShowGroupManagementUi

<dword>

HKCU

HKLM

User

Admin

You can specify whether the FIM Add-in for Outlook should show the group management options in the Outlook ribbon.

The options for this value are:

  • 0 – Disable Group management UI

  • 1 – Enable Group management UI

DeleteApprovalRequest

<dword>

HKCU

HKLM

User

Admin

You can specify whether the FIM Add-in for Outlook should delete the Approval Request message when the user has responded.

The options for this value are:

  • 0 – Do not delete

  • 1 – Delete

If you do not configure this setting, the user can configure this setting in the FIM Add-in for Outlook. The default is to delete the email.

AllGroupsAddressBookName

<string>

HKCU

HKLM

User

Admin

The address book used by the FIM Add-in for Outlook when the user selects groups to add members to.

If you do not configure this setting, the address book All Groups is used.

AllMembersAddressBookName

<string>

HKCU

HKLM

User

Admin

The address book used by the FIM Add-in for Outlook when the user selects members to add to groups.

If you do not configure this setting, the address book Global Address Book is used.

The values in Table 8 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions.

Table 8

Registry value name Value type Class Created by Notes

Location

<string>

HKLM

Setup

The directory where this component is installed.

SiteLock

<string>

HKLM

Setup

The sites used by the FIM Password and Authentication component. The ActiveX control only runs from sites specified in this list. You can specify several sites by separating them with semicolons.

Note

Do not include a prefix in the address, for example, https://.

The values in Table 9 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins.

Table 9

Registry value name Value type Class Created by Notes

Path

<string>

HKLM

Setup

The path to the location of the password gate plug-ins.

The values in Table 10 are located in the registry key: \Software\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C.

Table 10

Registry value name Value type Class Created by Notes

PrivacyLink

<string>

HKLM

Admin

You can specify a custom privacy hyperlink which will be displayed to the user during password reset registration.

Maximum length is 127 characters.

Note

This registry key is only available in FIM version 4.0.3558 and later.

The values in Table 11 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet.

Table 11

Registry value name Value type Class Created by Notes

Address

<string>

HKLM

Setup

The address to the FIM Service used by password reset. The format is: https://serveraddress:5725.

FIM Service and Portal

The values in Table 12 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010.

Table 12

Registry value name Value type Class Created by Notes

ServiceandPortalCEIP

<dword>

HKLM

Setup

CEIP (Customer Experience Improvement Program, also known as SQM) is enabled and the components can collect data.

The options for this value are:

  • 0 – Not Enabled

  • 1 – Enabled

ServiceandPortalLocation

<string>

HKLM

Setup

Value of INSTALLDIR. By default, this path is c:\Program File\Microsoft Forefront Identity Manager\2010

The values in Table 13 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal.

Table 13

Registry value name Value type Class Created by Notes

Location

<string>

HKLM

Setup

The directory where the FIM Portal is installed. By default, this path is c:\Program File\Microsoft Forefront Identity Manager\2010\Portal.

BaseSiteCollectionURL

<string>

HKLM

Setup

The URL to the Microsoft SharePoint® site Collection where the FIM Portal is located. This value is used for patching during the Language Pack installation.

The values in Table 14 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service.

Table 14

Registry value name Value type Class Created by Notes

Location

<string>

HKLM

Setup

The directory where FIM Service is installed.

The values in Table 15 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service\Activities\QAActivity.

Table 15

Registry value name Value type Class Created by Notes

HashType

<dword>

HKLM

Setup

Default value is SHA256

Changing this value is not supported. It is reserved by Microsoft for future use.

The values in Table 16 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMService.

Table 16

Registry value name Value type Class Created by Notes

DatabaseServer

<string>

HKLM

Setup

Name of the FIM Service database server, with the instance name if needed.

DatabaseName

<string>

HKLM

Setup

Name of the FIM Service database. The default value is FIMService.

CertificateThumbprint

<string>

HKLM

Setup

The thumbprint of the certificate in the local computer store used by password reset.

DisableSecurityTokenService

<dword>

HKLM

Admin

If this value is set to 1, then the Security Token Service (STS) cannot be started and the CertificateThumbprint value cannot be consumed. If this key does not exist, or is set to 0, then the STS starts and a CertificateThumbprint must be present.

DefaultKeySize

<dword>

HKLM

Setup

This value is created by Setup, but is not used.

DefaultTokenLifetimeInMinutes

<dword>

HKLM

Setup

This value is created by Setup, but is not used.

ServiceAccountSid

<string>

HKLM

Setup

This value is created by Setup, but is not used.

MetadataEndpointAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

EnumerationEndpointAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

ResourceManagementServicePort

<string>

HKLM

Setup

This value is created by Setup, but is not used.

ResourceManagementServiceBaseAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

ResourceEndpointAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

SecurityTokenServicePort

<string>

HKLM

Setup

This value is created by Setup, but is not used.

SecurityTokenServiceBaseAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

SecurityTokenServiceEndpointAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

PasswordResetEndpointAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

WorkflowManagerEndpointBaseAddress

<string>

HKLM

Setup

This value is created by Setup, but is not used.

PollExchangeEnabled

<dword>

HKLM

Setup

Specifies whether this instance of the FIM Service should monitor the Microsoft Exchange Server mailbox for incoming mail.

The options for this value are:

  • 0 – Not Enabled

  • 1 – Enabled

Note

The FIM Service still may send outgoing mail if false.

FIM Synchronization Service

The values in Table 17 are located in the registry key: SOFTWARE\Microsoft\ERP Management Agent.

Table 17

Registry value name Value type Class Created by Notes

InstallPath

<string>

HKLM

Setup

The directory where the management agent for SAP R/3 (ERP MA) Configuration UI is installed.

MaInstallPath

<string>

HKLM

Setup

The directory where the ERP MA is installed.

The values in Table 18 are located in the registry key: SOFTWARE\Microsoft\ERP Management Agent\ERP Management Agent Configuration Tool.

Table 18

Registry value name Value type Class Created by Notes

ConnectionString

<string>

HKCU

Setup

A text string informing the user about the correct format for connecting to SAP.

InstallPath

<string>

HKLM

Setup

This has the same value as MaInstallPath in Table 15.

The values in Table 19 are located in the registry key: SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service.

Table 19

Registry value name Value type Class Created by Notes

ReadTimeOut

<dword>

HKLM

Admin

The default value is 58, specified in seconds.

Note

Only used by the management agent for FIM (FIM MA) for reading from the FIM Service data base.

FullImportPageSize

<dword>

HKLM

Admin

The default value is 100, specified in the number of objects returned.

Note

Only used by the FIM MA for reading from the FIM Service data base.

DeltaImportPageSize

<dword>

HKLM

Admin

The default value is 1,000, specified in the number of rows returned.

Note

Only used by the FIM MA for reading from the FIM Service data base.

ADMARecursiveUserDelete

<dword>

HKLM

Admin

Allows deprovisioning of non-leaf user objects.
The default value is 1.

The values in Table 20 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents.

Table 20

Registry value name Value type Class Created by Notes

<name of MA>

<string>

HKLM

Setup

The name of the registry key is the name of the management agent. The value is a string representation of the CLSID for each type of management agent.

The values in Table 21 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters.

Table 21

Registry value name Value type Class Created by Notes

Server

<string>

HKLM

Setup

Name of the FIM Synchronization database server.

SQLInstance

<string>

HKLM

Setup

Name of the FIM Synchronization database instance.

DBName

<string>

HKLM

Setup

Name of the FIM Synchronization database.

Path

<string>

HKLM

Setup

The directory where the FIM Synchronization Service is installed.

EventSource

<string>

HKLM

Setup

The default value is FIMSynchronizationService.

EventProductName

<string>

HKLM

Setup

The default value is FIM Synchronization Service.

AdExtTimeout

<dword>

HKLM

Admin

This is the Exchange 2007 PowerShell utility timeout in milliseconds. The default value is 40,000 in FIM RTM and 120,000 in FIM Update 2.

DisableRunStepDetails

<dword>

HKLM

Admin

If this value is set to 1, then FIM does not save details of the current run. The default value is 0.

ErrorLimit

<dword>

HKLM

Admin

The value is an integer in the range of 0-100,000.

  • Value set to 0 = Error limit set to 100,000

  • Value in the range of 1-99,999 = Error limit set to value

  • Value set to 100,000 = Error limit set to 100,000

  • Value set greater than 100,000 = Error limit set to 100,000

  • No key present = Default error limit set to 5,000

Note

From FIM Update 2 and later, warnings will not be counted against the error limit.

ConnectionTimeout

<dword>

HKLM

Admin

SQL Connection timeout

ADMAUseACLSecurity

<dword>

HKLM

Admin

The options for this value are:

  • 0 – Use DirSync permissions

  • 1 - Use AD ACL permissions

If not defined, the default value is 0.

Note

This setting is only supported on FIM Update 2 and later.

eDirectoryMASupportedServers

<multi-sz>

HKLM

Admin

If the eDirectory MA does not recognize the NDS version, add the vendorVersion found in the RootDSE in NDS to this multi-valued string.

IBMDSMASupportedServers

<multi-sz>

HKLM

Admin

If the IBM DS MA does not recognize the DS version, add the vendorVersion found in the RootDSE in IBM DS to this multi-valued string.

iPlanetMASupportedServers

<multi-sz>

HKLM

AdminAdmin

If the Sun DS MA does not recognize the DS version, add the vendorVersion found in the RootDSE in Sun DS to this multi-valued string.

ADMADoNormalization

<dword>

HKLM

Admin

The options for this value are:

  • 1 - True

  • All other values - False

Setting this value to “1” will cause the ADMA to export an object to AD, and then read back the AD normalized ‘nTSecurityDescriptor’ attribute and write it back onto the export image to avoid ‘exported-change-not-reimported’ errors.

iPlanetMAAllowInvalidUTF8

<dword>

HKLM

Admin

The options for this value are:

  • 1 - True

  • All other values - False

Setting this value to “1” will cause the iPlanet MA to coerce invalid UTF8 data in the import stream to a base64 string and import the data in that form. This allows customers with misbehaving apps running against their iPlanet directory server to import the malformed data into the synchronization engine.

MinimalObjectLogging

<dword>

HKLM

Admin

The options for this value are:

  • 1 - True

  • All other values - False

Setting this value to “1” will cause the Sync Engine to only log minimal information about an object during if an error occurs.

Note

This setting is only supported on FIM Update 2 and later.

CsObjectCacheSize

<dword>

HKLM

Admin

If no value is specified, the default value is 20480.

This value describes how large the cache size for connector space objects is and the number of members the internal cache will hold. If there are more members in a group, we will process the group in chunks.

Set this to one of the following values:

  • 20480

  • 40960

  • 81920

  • (etc, multiply by 2 if needed)

The values in Table 22 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name>.

Table 22

Registry value name Value type Class Created by Notes

AnchorCacheSize

<dword>

HKLM

Admin

The accepted value range is 100–100,000. Used by the management agents for SunOne and IBM DS to set the size of the cache for resolved anchor values.

StackSize

<dword>

HKLM

Admin

This value only applies to the Management Agent for Extensible Connectivity (ECMA). This specifies the stack size that a new instance of the management agent should have and is read every time a new ECMA is started.
Examples of values:
0x800000 = 512 MB, 0x1000000 = 1,024 MB
A value of 0 or a missing value means the default for the process.

ADMAUseACLSecurity

<dword>

HKLM

Admin

The options for this value are:

  • 0 – Use DirSync permissions

  • 1 - Use AD ACL permissions

If not defined, the default value is 0.

Note

This setting is only supported on FIM Update 2 and later.

ECMAAlwaysExportUnconfirmed

<dword>

HKLM

Admin

The options for this value are:

  • 0 – Do not re-export unconfirmed

  • 1 - Export until confirmed

The default value is 0.

Note

This value only applies to the Management Agent for Extensible Connectivity (ECMA)

Note

This setting is only supported on FIM Update 2 and later.

iPlanetMAOptionFiltering

<string>

HKLM

Admin

This value is used to specify the suffix of attributes that should be filtered from the image during import. If this is not specified, the attributes will be read, and any suffix will be stripped off before adding the value to the import image.

ADMAEnforcePasswordPolicy

<dword>

HKLM

Admin

The options for this value are:

  • 1 - True

  • All other values - False

Setting this value to “1” will cause the AD MA to verify the password history before it will reset a password during password reset.

Note

This setting is only supported on FIM Update 2 and later.

Note

This is only supported where the DC is Windows Server 2008 R2 SP1.

The values in Table 23 are located in the registry key: SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Performance.

Table 23

Registry value name Value type Class Created by Notes

Library

<string>

HKLM

Setup

The directory where the FIM Synchronization Service is installed.

Open/Collect/ Close

<string>

HKLM

Setup

These values are hard coded at setup time.

MaxObjectImportRate

<dword>

HKLM

Admin

This key specifies the number of objects per second that should serve as an upper boundary of any Import Run Profile run on the server. During an import run, the number of objects per second measured by the “Objects Read /sec” performance counter must remain below the value set in MaxObjectImportRate.

The range for this value is 1 to Max (Int32). A value of 0, or the absence of the key, is treated as having no maximum value defined.

MaxObjectSynchronizationRate

<dword>

HKLM

Admin

This key specifies the number of objects per second that should serve as an upper boundary of any Synchronization Run Profile run on the server. During a synchronization run, the number of objects per second measured by the “Objects Synchronized / sec” performance counter must remain below the value set in MaxObjectSynchronizationRate.

The range for this value is 1 to Max (Int32). A value of 0 or the absence of the key is treated as having no maximum value defined.

MaxObjectExportRate

<dword>

HKLM

Admin

This key specifies the number of objects per second that should serve as an upper boundary of any Export Run Profile run on the server. During an export run, the number of objects per second measured by the “Objects Exported / sec” performance counter must remain below the value set in MaxObjectExportedRate.

Certificate management

The values in Table 24 are located in the registry key: SOFTWARE\Microsoft\Clm\v1.0\Server\Setup.

Table 24

Registry value name Value type Class Created by

LogFile

<string>

HKLM

Setup

DATAFolder

<string>

HKLM

Setup

WebAppName

<string>

HKLM

Setup

Microsoft.Clm.Service.Exe.config

<string>

HKLM

Setup

ClmUtil.exe.config

<string>

HKLM

Setup

CaFolder

<string>

HKLM

Setup

Certificate management client

The values in Table 25 are located in the registry key: SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient.

Table 25

Registry value name Value type Class Created by Notes

SiteLock

<string>

HKLM

Setup

A list of sites from which ActiveX is allowed to run.

Configuration file settings

This section describes the two configuration files used by the FIM Service and the FIM Portal.

  • C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config

  • C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config

The FIM Service and Portal share the same overall format of the configuration files. The main difference is that the client reads from the ResourceManagementClient section and the server reads from the ResourceManagementService section. Either section can appear in both the service and portal configuration files, but the way they are used is different.

The FIM Portal discards the ResourceManagementService section altogether and uses the ResourceManagementClient section for configuring the client to communicate with the service. The service uses the ResourceManagementService section as expected, but also uses the ResourceManagementClient section to configure how workflow activities, the mail listener, and other components within the service communicate with the Web service endpoints.

FIM Service and FIM Portal

ResourceManagementService
XPath Values Default value Notes

/configuration/ resourceManagementService/ @dataReadTimeoutInSeconds

[0,inf)

58

The timeout used in all SQL select commands.

/configuration/ resourceManagementService/ @dataWriteTimeoutInSeconds

[0,inf)

58

The timeout used in all SQL update, insert, and delete commands.

/configuration/ resourceManagementService/ @defaultKeySize

[0,inf)

256

The key size used in session keys.

/configuration/ resourceManagementService/ @defaultTokenLifetimeInMinutes

[0,inf]

10

The lifetime of tokens issued by the security token service.

/configuration/ resourceManagementService/ @enumerationEndpointAddress

<string>

ResourceManagementService/ Enumeration

The name of the WS-Enumeration enumeration endpoint.

configuration/ resourceManagementService/ @externalHostName

<string>

“localhost”

The base Uniform Resource Identifier (URI) to use when responding with CreateResponse and Authnetication (AuthN) responses. Use this value for load-balanced scenarios and to update the unified client resourceManagementServiceBaseAddress to have outgoing requests also go to the load-balanced server. This could be DNS name or IP Address.

If the base address is the string literal “localhost,” this also emits the health event https://sharepoint/sites/imtmanage/Lists/Ilm%20Events/DispForm.aspx?ID=43 to indicate to operators that the base address, in its current configuration, prevents external clients from communicating with the service.

/configuration/ resourceManagementService/ @hostActivationIntervalInMilliseconds

[0,inf]

120,000

This is the interval between the host activator polling workflow instances for status.

/configuration/ resourceManagementService/@intranetRegistrationEndpointAddress

<string>

ResourceManagementService/SecurityTokenService/Registration

The name of the intranet password reset registration endpoint.

<configuration>…….<resourceManagementService maxSimultaneousAuthenticationWorkflows = “200” />…</configuration>

[0,Int32.Max]

A value of 0 results in all workflows being throttled and no workflows being started.

For more information see Troubleshooting FIM 2010

<configuration> …<resourceManagementService maxSimultaneousAuthorizationAndActionWorkflows = “200” />…</configuration>

[0,Int32.Max]

A value of 0 results in all workflows being throttled and no workflows being started.

For more information see Troubleshooting FIM 2010

/configuration/ resourceManagementService/ @metadataEndpointAddress

<string>

ResourceManagementService/MEX

The name of the metadata endpoint.

/configuration/ resourceManagementService/ @passwordResetEndpointAddress

<string>

ResourceManagementService/Alternate

The name of the password reset endpoint.

/configuration/ resourceManagementService/ @policyManagerIntervalInMilliseconds

[0,inf]

5,000

The interval between running the stored procedure DequeuePolicyApplication.

/configuration/ resourceManagementService/ @receiveTimeoutInSeconds

[0,inf]

300

The timeout used for receiving messages on all FIM endpoints. This is used as a parameter to the constructor for ServiceMultipleTokenBinding.

/configuration/ resourceManagementService/ @resourceEndpointAddress

<string>

ResourceManagementService/Resource

The name of the WS-Transfer resource endpoint.

/configuration/ resourceManagementService/ @resourceMailEndpointAddress

<string>

ResourceManagementService/ResourceMail

The name of the Resource Mail endpoint.

/configuration/ resourceManagementService/ @resourceFactoryEndpointAddress

<string>

ResourceManagementService/ResourceFactory

The name of the WS-Transfer resource factory endpoint.

/configuration/ resourceManagementService/ @securityTokenServiceEndpointAddress

<string>

ResourceManagementService/SecurityTokenService

The name of the WS-Trust security token endpoint

/configuration/ resourceManagementService/ @securityTokenServiceMetadataEndpointAddress

<string>

ResourceManagementService/SecurityTokenService/MEX

The name of the WS-Trust security token metadata endpoint.

/configuration/ resourceManagementService/ @servicePrincipalName

<string>

There is no default value. Omitting this value results in the endpoints having the default principle identity (which depends on the WCF implementation of endpoints and should be the Windows service account).

Used to create a service principle identity for all FIM endpoints.

/configuration/ resourceManagementService/ @workflowManagerEndpointBaseAddress

<string>

ResourceManagementService/WorkflowManager

The name of the workflow activity endpoint.

/configuration/ appSettings/ add[@key='synchronizationEngineAccountName’]

<string>

SyncEngineAccount

The logon name for the synchronization engine account. This enables the server to provide elevated access to the synchronization engine without special configuration in FIM.

/configuration/ appSettings/ add[@key='mailServer']

<string>

(None, and not required)

The URL that points to the Exchange 2007 Web service, for example, https://server/ews/exchange.asmx

/configuration/ appSettings/ add[@key='isExchange']

<string>

1

String literals 1 or 0 indicating whether the mail sender should instantiate an SMTP client or Exchange client. Note that the strings “true” and “false” are both treated as false.

/configuration/ appSettings/ add[@key='exchangeListenerInterval']

[0,3600]

30

Number of seconds to wait between polling the server running Exchange, measured in seconds.

/configuration/ resourceManagementService/ @mailBatchSize

[0,inf]

100

The maximum number of mail items to download from the Exchange mailbox in one batch.

ResourceManagementClient
XPath Values Default Notes

/configuration/ resourceManagementClient/ @resourceManagementServiceBaseAddress

<string>

This value is required.

The endpoint base address from the perspective of the client.

/configuration/ resourceManagementClient/ @maxReceivedMessageSizeInBytes

[0, Int32.MaxValue]

14 MB 0xE00000 (14680064 decimal)

The maximum received message size the client is willing to receive.

/configuration/ resourceManagementClient/ @servicePrincipalName

<string>

There is no default value. Omitting this value results in the endpoints having the default principle identity (which depends on the WCF implementation of endpoints and should be the Windows service account).

This value is used to create a service principle identity for the client.

/configuration/ resourceManagementClient/ @timeoutInMilliseconds

[0,360000]

90,000

The timeout of the client side of communication.