Installation of the Privileged Access Management (PAM) feature

Consideration before you install this feature

1. Have you Already Installed MIM 2016 ?
   • Was it a Clean Install or an Upgrade ?
     • Have you verified that you have all PAM Prerequisites completed ?
       • Prerequisites ( Will Be posted shortly )
2. If you Have not previously installed MIM 2016 will this install be a clean install or and Upgrade ?
   • If this is a Clean Install are all Prerequisites Completed ?
   • Prerequisites ( Will Be posted shortly )
   • Has the MIM Synchronization Service been installed either via Clean install or an Upgrade ?
   • Will you be installing MIM and the PAM Features at same time or separately ?
     • I recommend Separately
   1. If this is an upgrade do you have the additional PAM Prerequisites completed ?
      • Prerequisites ( Will Be posted shortly )
      • Will you be installing MIM and the PAM Features at same time or separately ?
        • I recommend Separately
3. If you need assistance with the Installation of the MIM Service and Portal you can follow this post
   • Clean Install
     • Installing the Microsoft Identity Manager 2016 Service and Portal (With SSPR) - Clean Install
   • Upgrade
     • Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Synchronization Service - Upgrade from FIM 2010 R2

Before you continue verify that you have completed the following Steps.

1. If running a Virtual Machine i would also take a snapshot ( Although this is not necessary it may be good to have in case of emergency break glass kind of thing )
2. Verify that the Synchronization Service has already been Successfully upgraded.
3. Verify local SQL Agent is running
4. Verify SharePoint Administration Service is started
5. Verify what Version of the FIM Service and Portal is running
6. Stop the Forefront Identity Manager Synchronization Service if it is running
7. Stop Forefront Identity Manager Service service if it is running
8. When you believe you are ready take a breath get a fresh cup of coffee and lets begin....
9. Understanding Account Security Warning (Future Blog Post)

Final note before Installation, Depending if MIM was a Clean install or an In place Upgrade you may notice some of the old names to associated with FIM

Now to Configuration of the Privileged Access Management (PAM) featureIf

If your going to install the MIM Service and Portal piece and the Privileged Access Management (PAM) feature at the same time i would recommend starting with the post for Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Service and Portal - Upgrade from FIM 2010 R2 and when you get to the Privileged Access Management (PAM) feature you can follow the below steps.

You will begin with the standard installation wizard

If you have previously installed the MIM Service and Portal as recommended you will be presented with the following, click on Change this will allow you to add or remove additional features to the current installation.

You are now presented with the MIM Customer Experience Program, Remember if you dont contribute how is it supposed to get better. of course your company policies may not allow you to participate so always follow your Corporate policies, once you make a selection select Next

You are now presented with the Custom Setup screen, select the option for Privileged Access Management

Select the Will be installed on local hard drive.

Verify that all the Features that you wish to install have been selected

Your now at the Configure Common Services screen, type in the following this should be pre-populated if this is installed as a change configuration

• Database Server:
  • Type Name of SQL Server the FIM / MIMService is hosted on
• Database Name:
  • Type Name of the FIM / MIMService

After you enter or verify the information click on Next

You now need to configure the mail server connection

Enter in and verify that the information is correct and then click on Next to Continue

In the next screen is where your presented with the Generate Certificate screen

Unless you are using your own certificates click on Generate a new self-issued certificate Click on Next

In the Next screen enter the Account Information ( if this is a change install some of this information will be per-populated) you will need to enter the password of the service account 

NOTE : This is also how you would correctly change the FIM / MIM Service Account. You would run through this Install package as a change install and update the password here. This is yet another reason i like to keep step by step document with screen shots other information in relation to the install because the last thing you want to do is inadvertently break your identity manage environment because you made a "Change" other than the password for a change install just to update the password for this or any other FIM / MIM Service Account. 

• Service Account Name -
• Service Account Password -
• Service Account Domain -
• Service Email Account -

 After you verify that the information has been entered correctly click on Next , You may receive the following Account Security Warning, Steps to Secure

Click on Next to continue

Verify or enter the correct information needed for the FIM/MIM Service to communicate with the Synchronization Service.

• Synchronization Service – Name of the Server the Synchronization Service is installed on.
• MIM Management Agent Account – The domain and the Service account used for the MIIM or FIM if this was an upgrade.

Then Click on Next

 

The next screen requires the MIM Service Server address or the server that the FIM Service was installed on if this is an in place upgrade, then click Next

 

Enter the name of the SharePoint Site Collection URL: which was used for in the configuration of SharePoint Foundations and click Next

 

In the next screen you need to enter the Registration Portal URL but only if it has been previously installed or you are in the process of configuring it, then click Next

 

In this screen you will need to Check this option to Grant authenticated users access to the MIM Portal Site, Click on Next to continue

 

In this screen unless you are using a separate REST API you only need to enter the Port

 

Enter 8086 and then click Next

Remember the Service accounts that were mentioned during the MIM PAM Prerequisites section, you will now need this information, the first Service account needed is the P

The First Service Account that is required is for the Privileged Access Management Rest API ,for this section enter the Service Account that was used when configuring  SharePoint Foundation

• Application Pool Account Name
• Application Pool Account Password
• Application Pool Account Domain

 

You will be unable to continue without having any of the Pre Requisite Service Accounts, any attempt to continue without entering the information will result in the following error

 

After you have entered the information, verify that the information is correct

 

Click on Next, and you may be presented with an Account Security Warning Steps to Secure

 

If you get this warning this is the same as you may have seen in the past when installing, configuring, or upgrading FIM / MIM. We will review this later but for now click on Next

You are now presented with the screen to Configure the PAM Component Service

• Service Account Name
• Service Account Password
• Service Account Domain

After you enter the Service Account information verify that the information is correct

When you are ready click on Next to continue

You may once again receive the Account Security Warning, Click on Next to continue Steps to Secure

You are now presented with the Privileged Access Management Monitoring Service Configuration page

 

Enter the information, Verify its correct

Once your ready Click on Next to continue, you may once again get the Account Security Warning Steps to Secure

Click on Next to Continue

 

In the next window you will be presented with options for “SSPR” (Self Service Password Reset) If you are also installing Self Service Password Reset Features Click on and select the necessary options and enter the account name for each feature in the format of DOMAIN\SVC_Account

If you are planning on installing this feature later, you can skip this section by just clicking on Next

 

You are now presented with a screen that will allow you commit the Change and begin the Configuration. Click on Change to continue when you are ready.

At this point the Configuration should begin but if you missed a step that was described in the Pre requisite section you may see one of the following messages.

Possible Errors you may see

• This Message notifies you that the SQL Agent is not running locally on the Server that you wish to install the PAM Feature on.

• Start the correct SQL Agent

• This Message will be displayed if the SharePoint 2010 Administration Service is not running. This is the same regardless of the SharePoint Foundations that is installed.

• Start the Service and click on Retry

 

Now regardless of whether you received any of the errors, when the errors have been resolved if any you will be presented with the following window that will display the installation process.

 

There may be this one last error / Warning you can choose to let the Installation attempt to Close and Stop the listed Services or you can stop them yourself. Personally I like to stop them myself it just feels safer.

 

When you’re ready click on OK to Continue

The Installation will now continue

If you see the following message you will need to verify the media is attached and can be found, Click on OK to continue

 

If for some reason the media cannot be found you may need to copy the Installation Files locally and start over.

The Installation will continue and at some point you should notice the Service is being restarted.

 

The Installation will continue displaying various status updates and messages.

 

Once complete you will be presented with the following Screen DO NOT CLICK ON FINISH YET

 

Verify that the Message says “Completed the Microsoft Service and Portal Setup Wizard”

Sometimes the installation will get all the way to this point and it appears that it completed but it would give a message of not successful, what happens is sometimes people are click happy and they do not notice that it did not complete successfully and they are under the assumption that it completed successfully and when they try and open the portal they are unable to do so. Catching the status at this point will drastically reduce the amount of trouble shooting needed if it was in fact unsuccessful but because you are super lucky and everything always works that is not the case and you can click on Finish

 

Congratulations you just installed the PAM Feature

Your now presented with this message, close any applications and save any docs if needed and then click on Yes to Reboot the machine

 

Once the Machine reboots verify that all the necessary services have been started in addition to the FIM Synchronization Service and the FIMService

 

Verify that the Portal Page is still functional

 

Verify Accounts are Secured

• FIM MIM Synchronization Service and FIMService Service Accounts (Same for MIM Service accounts)
  • https://blogs.msdn.com/b/connector_space/archive/2015/08/28/warning-25051.aspx

• MIM PAM Service Accounts
  • https://blogs.msdn.com/b/connector_space/archive/2015/08/28/service-account-is-not-secure-in-its-current-configuration.aspx

Once again Congratulations you are ready to continue with your PAM Configuration

 

Questions? Comments? Love FIM so much you can't even stand it?

 

EMAIL US>EMAIL US<

 

## https://blogs.msdn.com/connector_space ##