Management Agent Communication Ports, Rights, and Permissions
Applies To: Windows Server 2003 with SP1
Download Instructions
This document is available for download as a Microsoft Word document at https://go.microsoft.com/fwlink/?LinkId=30737.
Overview
To establish secure communication channels between Microsoft Identity Integration Server (MIIS) 2003 and a connected data source, call-based management agents require open ports for each service and protocol that is used. In addition, if password synchronization is enabled, ports must be opened for the Remote Procedure Call service on both the server running MIIS 2003 and all Active Directory domain controllers.
The ports listed here are the default settings for each call-based management agent type. Your call-based connected data source might use different ports than those listed here.
Each connected data source also requires a minimum set of user rights and permissions necessary for MIIS 2003 to authenticate to it, and to add, modify, or delete objects. The user account configured within each management agent must have these user rights and permissions assigned to it in order for the management agent to run correctly. For help with configuring the user rights and permissions for different connected data sources, refer to the Help documentation for that data source.
Management Agent for Active Directory
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Connect and discover objects in Active Directory | Member of Domain Admins group. - or - Replicating Directory Changes permission for each domain of the forest that the management agent accesses. For more information about how to grant the Replicating Directory Changes permission, see the Microsoft web site. |
Create, modify, or delete Active Directory objects and attributes | For non-administrative accounts, additional permissions might need to be added as appropriate. For example: |
For more information about setting the Replicating Directory Changes permission in Active Directory, see Microsoft Knowledge Base article 303972 (https://go.microsoft.com/fwlink/?LinkId=47854).
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
LDAP | TCP/UDP | 389 |
Kerberos | TCP/UDP | 88 |
DNS | TCP/UDP | 53 |
Kerberos Change Password | UDP | 464 |
Management Agent for Active Directory Application Mode (ADAM)
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Detect changes to the ADAM application partitions | Replicate Directory Changes permission. For more information about how to grant the Replicating Directory Changes permission, see the Microsoft web site. |
Discover the ADAM schema | Generic Read permissions on the configuration container - or - All of the following permissions: |
Read objects in the application partition | Generic Read permissions on the configuration container - or - Both of the following permissions: |
Create, modify, or delete objects | Generic Write permissions on the configuration container - or - Both of the following permissions: |
Note
These permissions can all be inherited from the partition head. Inheritance is NOT required for the Replicate Directory Changes permission as this permission is only checked at the partition head and therefore is not required at any level below that.
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
LDAP | TCP | 389 |
Note
For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.
Management Agent for Microsoft Exchange Server 5.5
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Read only mode | Must be in Search role |
Export mode | Must be in Admin role |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
LDAP | TCP | 636 |
Note
Port 636 is configured as the default port if SSL is enabled. However, you can change the port number by using Management Agent Designer. Ensure that port 389 is not selected for Exchange Server 5.5 if Active Directory is configured to use port 389 on the same server.
Management Agent for Microsoft Exchange Server 5.5 (bridgehead server)
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Read only mode | Must be in Search role |
Export mode | Must be in Admin role |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
LDAP | TCP | 636 |
Note
Port 636 is configured as the default port if SSL is enabled. However, you can change the port number by using Management Agent Designer. Ensure that port 389 is not selected for Exchange Server 5.5 if Active Directory is configured to use port 389 on the same server.
Management Agent for Lotus Notes
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Read from the Name and Address Book (NAB) | Must not be a member of a deny group that has an access control list (ACL) set on the NAB |
Add, modify, or delete from the NAB | Must be a member of the administrator group |
Set a password | Must be a member of the administrator group |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
C API | TCP | 1352 |
Management Agent for Novell eDirectory
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Connect | Any enabled user |
Browse | |
Modify | Rename/Write rights on “all attributes” for the specified tree |
Create | |
Delete | Delete rights in the “Entry rights” property |
Password management | Supervisor rights for the specified tree |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
LDAP | TCP | 389 |
Note
For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.
Management Agent for Oracle8i and Oracle9i Database
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Import objects; refresh schema | Grant SELECT permission for the tables. Note: SELECT must be granted to ALL_SYNONYMS in the schema. For example, GRANT SELECT ON <schema_name>.ALL_SYNONYMS TO <Oracle MA User Name>. |
Add, modify, or delete single-valued attributes | Grant UPDATE permission for the primary table |
Add, modify, or delete multivalued attributes | Grant INSERT, UPDATE, and DELETE permissions for the multivalued table |
Add a new object | Grant INSERT permission for the primary table |
Delete an object | Grant DELETE permission for the primary table |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
SQL Net-Library | TCP | 1433 |
Management Agent for Microsoft SQL Server 7.0 or SQL Server 2000
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Import objects; refresh schema | Public role access with SELECT rights for the primary, delta, and multivalued tables |
Export: add a new row | Grant INSERT permission for the primary or multivalued table |
Export: modify existing rows | Grant UPDATE permission for the primary or multivalued table |
Export: delete objects or multivalued attributes | Grant DELETE permission for the primary or multivalued table |
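For the SQL Server management agent, the rows above translate into a short grant script. This is an added example, not from the MIIS documentation; the database, login, and table names are assumed, and the commented-out db_owner line shows the over-privileged shortcut that the table's minimum grants avoid.

```sql
-- Added example (not from the MIIS documentation): a least-privilege account for the
-- management agent for SQL Server 2000, following the grants listed in the table above.
-- Assumed names: database MIISConnector, Windows login CONTOSO\svc-miis-sqlma, and the
-- primary, delta, and multivalued tables dbo.Persons, dbo.PersonsDelta, dbo.PersonsMV.
USE MIISConnector
GO

-- Weak setting to avoid: adding the MA account to db_owner (or sysadmin) grants every
-- right in the database, far beyond what import and export runs need.
-- EXEC sp_addrolemember 'db_owner', 'CONTOSO\svc-miis-sqlma'

-- Corrected setting: grant the Windows login access to the server and the database.
-- The new database user is placed in the public role, which is all the
-- "Public role access" row requires.
EXEC sp_grantlogin 'CONTOSO\svc-miis-sqlma'
EXEC sp_grantdbaccess 'CONTOSO\svc-miis-sqlma'
GO

-- Import objects / refresh schema: SELECT on the primary, delta, and multivalued tables.
GRANT SELECT ON dbo.Persons      TO [CONTOSO\svc-miis-sqlma]
GRANT SELECT ON dbo.PersonsDelta TO [CONTOSO\svc-miis-sqlma]
GRANT SELECT ON dbo.PersonsMV    TO [CONTOSO\svc-miis-sqlma]

-- Export: add rows (INSERT), modify rows (UPDATE), and delete objects or multivalued
-- attribute rows (DELETE) on the primary and multivalued tables only. The delta table
-- is read during delta imports, so the MA account gets no write grant on it.
GRANT INSERT, UPDATE, DELETE ON dbo.Persons   TO [CONTOSO\svc-miis-sqlma]
GRANT INSERT, UPDATE, DELETE ON dbo.PersonsMV TO [CONTOSO\svc-miis-sqlma]
GO

-- Check: the explicit GRANT/DENY entries for the account in this database should list
-- only the statements above.
EXEC sp_helprotect NULL, 'CONTOSO\svc-miis-sqlma'
```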
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
SQL Net-Library | TCP | 1433 |
Note
If your MicrosoftIdentityIntegrationServer database is running on a remote server running SQL Server, port 1433 is also used for the remote server. This SQL Server database, however, might not be running on the same computer that serves as a connected data source, and it can use a different port. It is strongly recommended that the server running MIIS 2003 and the remote server running SQL Server (if used) not be separated by a firewall.
Management Agent for Sun ONE Directory Server 4.12, 4.13, 5.0 or 5.1 (formerly iPlanet Directory Server)
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Connect | Anonymous access to RootDSE |
Browse | Anonymous access; Read, Compare, Search |
Create | Anonymous access to RootDSE; Read, Compare, Search, Add, Write |
Modify | Anonymous access to RootDSE; Read, Compare, Search, Add |
Delete | Anonymous access to RootDSE; Read, Compare, Search, Delete |
Note
For delta imports, the account specified in the management agent should also have Read, Compare, and Search permissions for the cn=changelog object.
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
LDAP | TCP | 389 |
Note
For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.
Management Agent for Microsoft Windows NT 4.0
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Connect, browse, and import | Domain user |
Add, modify, or delete | Domain administrators group |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
NetBIOS | TCP | 445, 139 |
NetBIOS | UDP | 137, 138 |
Management Agent for IBM DB2 Universal Database
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Import objects; refresh schema | Default user permissions. Add the user to the users for the database. Grant SELECT permission to the user for tables that are owned by another user. |
Add, modify, or delete - single-valued operations | Grant INSERT, UPDATE, and DELETE permission for the primary table |
Add, modify, or delete - multivalued operations | Grant INSERT, UPDATE, and DELETE permission for the multivalued table |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
Universal DB Connect | TCP | 50000 |
Management Agent for IBM Directory Server
Minimum Permissions
IBM Directory Server version 4.1
Operation | Minimum Permissions |
---|---|
Connect, browse, add, modify, and delete | Must use the administrative credentials |
IBM Directory Server version 5.x
Operation | Minimum Permissions |
---|---|
Full import | None. Any user may run a full import |
Delta import | Member of administrative group |
Add, modify, or delete | Member of administrative group |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
Directory service | LDAP | 389 |
Note
For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.
Password Synchronization Port Settings
Password synchronization on MIIS 2003 requires RPC ports to be open for the management agent for Active Directory, and for the Active Directory servers running the password change notification service (PCNS).
Minimum Permissions
Operation | Minimum Permissions |
---|---|
Install PCNS | If the Active Directory schema needs to be updated, you must be a member of the Schema Admins group or the Enterprise Admins group. If the Active Directory schema is already updated, you need to be a member only of the Domain Admins group. |
Synchronize passwords from one Active Directory forest to another Active Directory forest, when MIIS 2003 is installed on a member server in a domain in one forest and PCNS is installed on a domain controller in a different forest | There must be a two-way forest trust established between the Active Directory forests. |
Communication Protocols and Ports
Service | Protocol | Port |
---|---|---|
RPC Endpoint mapper | TCP | 135 |
Dynamic RPC ports (PCNS) | TCP | 5000 - 5100 |
Dynamic RPC ports (management agent for Active Directory) | TCP | 57500 - 57520 |