Service Accounts, SPNs, and Kerberos Delegation configurations for MIM Service and Portal Installation


Introduction:

This document is intended to be used as an operational preparatory document for the Microsoft Identity Management 2016 MIM Service and Portal Server installation. This guide covers the service accounts, Service Principal Names, and Delegation needed for use with the MIM 2016 Service and Portal.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.

Document Variables:

Description Search and Replace Variable
Full Domain Name (ex. Contoso.com) [FQDOMAIN]
Common name of the first MIM Service and Portal Server (ex. Portal01) [MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02) [MIM SERVER 2]
Common name of the MIM Service and Portal url (ex. MIMPORTALVIP) [MIM VIP]
Common name of the MIM Installation Service Account (ex. MIMInstall) [INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA) [MIM MA SERVICE ACCOUNT]
Common name of the MIM Service Account (ex. MIMService) [MIM SERVICE ACCOUNT]
Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP) [MIM SAP ACCOUNT]

Service Accounts:

The following service accounts are used in the installation and configuration of the MIM Service and Portal. Rights associated with each account are listed below:

Service Account Name Usage Notes
[MIM MA SERVICE ACCOUNT] MIM Sync server account for FIM Service

For MIM Management Agent

Allow logon locally rights assignment
[MIM SERVICE ACCOUNT] MIM Service Server User account for MIM service.

For MIM Portal Service Account

Deny logon as batch job

Deny logon locally

Deny access to this computer from network

Must be Member of FIMSyncAdmins group.

If using PW Reset, must be member of FIMSyncPasswordSet group.

[MIM SAP SERVICE ACCOUNT] MIM Service Server for SharePoint application Pool.

For MIM Share Point application on MIM Portal Server(s)

Impersonate a client after authentication
Log on as a batch job
Log on as a service.
[INSTALL ACCOUNT] Account used for initial installation of the MIM Software. Need local admin on Sync server and

SQL Admin Rights.

Option: Domain Admin to create Domain Groups

Setup Service Principal Names for MIM Service Accounts:

Configure SPN Commands:

SETSPN -S http/[MIM SERVER 1] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM SERVER 1].[FQDOMAIN] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM SERVER 2] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM SERVER 2].[FQDOMAIN] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM VIP] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM VIP].[FQDOMAIN] [MIM SAP ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 1] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 1].[FQDOMAIN] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 2] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 2].[FQDOMAIN] [MIM SERVICE ACCOUNT]

Setup Kerberos Delegation:

Service Account Delegation Account Description
[MIM SAP ACCOUNT] [MIM SERVICE ACCOUNT] The MIM Portal on the MIM-Service server needs to access the MIM Service on the MIM-Service Server. MIM Portal uses Kerberos constrained delegation to act on behalf of the user.
[MIM SERVICE ACCOUNT] [MIM SERVICE ACCOUNT] This is needed in the event a workflow running in the MIM Service needs to access the MIM Service.

After configuring the Service Principal Names noted in the previous section, the following delegations must be configured to ensure proper Kerberos delegation functionality.

MIM SAP ACCOUNT [MIM SAP ACCOUNT] DELEGATION

Launch Active Directory Users and Computers

Select the [MIM SAP ACCOUNT] service account

Right Click and Select Properties.

Select Delegation Tab

Select Trust this user for delegation to specified services only

Select use Kerberos only

Select Add

Select Users or Computers button

Enter [MIM SERVICE ACCOUNT]

Select Check Names

Select Ok

Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows:

Service Type User or Computer

http [MIM VIP].[FQDOMAIN]

http [MIM SERVER 1].[FQDOMAIN]

http [MIM SERVER 2].[FQDOMAIN]

MIM SERVICE ACCOUNT [MIM SERVICE ACCOUNT] DELEGATION

Launch Active Directory Users and Computers

Select the [MIM SERVICE ACCOUNT] service account

Right Click and Select Properties.

Select Delegation Tab

Select Trust this user for delegation to specified services only

Select use Kerberos only

Select Add

Select Users or Computers button

Enter [MIM SERVICE ACCOUNT]

Select Check Names

Select Ok

Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows:

Service Type User or Computer

FIMService [MIM VIP].[FQDOMAIN]

FIMService [MIM SERVER 1].[FQDOMAIN]

FIMService [MIM SERVER 2].[FQDOMAIN]

Comments (1)

  1. Hi,

    I was reading your post and it appears based on the delegation shown above for the [MIM Service Account] you need to also create the following SPNs:

    SETSPN -S FIMService/[MIMVP] [MIMService]
    SETSPN -S FIMService/[MIMVP].[FQDOMAIN] [MIMService]

    Cheers,
    Wes

Skip to main content