MIM 2016 SP1–Service and Portal Installation Guide
Introduction:
This document is intended to be used as an operational build document for the Microsoft Identity Manager 2016 (MIM) Service and Portal server installation. This guide does not cover the installation of the Password Registration and Password Reset Portals; those installations are covered in detail in separate blog posts.
Using this Guide:
You may perform search and replace on the variables listed below to create a detailed build guide customized for your environment.
Document Variables:
Description | Search and Replace Variable
Full Domain Name (ex. Contoso.com) | [FQDOMAIN]
Common name of the domain (ex. Contoso) | [DOMAIN]
Common name of the SQL Server (ex. SQL01) | [SQL SERVER]
Common name of the MIM Service and Portal SQL instance (ex. Service) | [SQL INSTANCE]
Common name of the MIM Synchronization Server (ex. SyncServer01) | [MIM SYNC SERVER]
Common name of the first MIM Service and Portal Server (ex. Portal01) | [MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02) | [MIM SERVER 2]
Common name of the MIM installation service account (ex. MIMInstall) | [INSTALL ACCOUNT]
Common name of the MIM MA service account (ex. MIMMA) | [MIM MA SERVICE ACCOUNT]
Common name of the MIM Service account (ex. MIMService) | [MIM SERVICE ACCOUNT]
Full email address of the MIM Service account (ex. MIM.Service@contoso.com) | [MIM SERVICE EMAIL]
Common name of the MIM Password Registration service account (ex. MIMPwdReg). If the Password Registration Portal is not implemented, replace this variable with a single space to clear it from the documentation. | [MIM PWD REG ACCOUNT]
Common name of the MIM Password Reset service account (ex. MIMPwdRst). If the Password Reset Portal is not implemented, replace this variable with a single space to clear it from the documentation. | [MIM PWD RST ACCOUNT]
Full SMTP mail server address including domain name (ex. mail.contoso.com) | [SMTP MAIL SERVER]
Full URL of the MIM Password Registration Portal, if implemented (ex. https://registrationportal.contoso.com). If it is not implemented, replace this variable with a single space to clear it from the documentation. | [MIM PRP URL]
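The search and replace described above can be done in one pass so that no placeholder is missed and the optional variables are blanked consistently. The following PowerShell script is an added example and is not part of the original guide; the values in the hashtable, the file names and the regular expression used to find leftover tokens are assumptions for a lab and should be replaced with your own.

```powershell
# Added example (not from the original guide): fill in the document variables in one pass.
# All values below are assumed lab values. The three optional variables are set to a single
# space when the password portals are not implemented, as the guide instructs.
$Values = [ordered]@{
    '[FQDOMAIN]'               = 'contoso.com'
    '[DOMAIN]'                 = 'CONTOSO'
    '[SQL SERVER]'             = 'SQL01'
    '[SQL INSTANCE]'           = 'Service'
    '[MIM SYNC SERVER]'        = 'SyncServer01'
    '[MIM SERVER 1]'           = 'Portal01'
    '[MIM SERVER 2]'           = 'Portal02'
    '[INSTALL ACCOUNT]'        = 'MIMInstall'
    '[MIM MA SERVICE ACCOUNT]' = 'MIMMA'
    '[MIM SERVICE ACCOUNT]'    = 'MIMService'
    '[MIM SERVICE EMAIL]'      = 'MIM.Service@contoso.com'
    '[SMTP MAIL SERVER]'       = 'mail.contoso.com'
    '[MIM PWD REG ACCOUNT]'    = ' '   # password portals not implemented in this lab
    '[MIM PWD RST ACCOUNT]'    = ' '
    '[MIM PRP URL]'            = ' '
}

$Source = '.\MIM-Service-Portal-Build.txt'           # assumed file name of this guide
$Target = '.\MIM-Service-Portal-Build-contoso.txt'   # assumed output file name

$text = Get-Content -Path $Source -Raw
foreach ($token in $Values.Keys) {
    # The tokens contain '[' and ']', which are regex metacharacters, so use the
    # ordinal String.Replace method rather than the -replace operator.
    $text = $text.Replace($token, $Values[$token])
}

# Any upper-case bracketed token still present is a variable the table does not cover
# (or a typo in the table); report it instead of silently shipping a half-filled guide.
$leftover = [regex]::Matches($text, '\[[A-Z][A-Z0-9 ]+\]') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
if ($leftover) {
    Write-Warning ('Unreplaced variables: ' + ($leftover -join ', '))
}

Set-Content -Path $Target -Value $text -Encoding UTF8
Write-Host "Customized guide written to $Target"
```

Run the script from the folder containing the guide. The leftover-token warning is the useful part: it catches a placeholder that was added to the document but not to the table.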
Requirements:
MIM Portal Server Requirements:
Two Windows Server 2012 R2 virtual servers are required for this effort; they are the primary MIM Service and Portal servers in the Test environment. Each should have a minimum of 4 CPUs and 32 GB of RAM, with the following disk allocation:
C:\ 100 GB Operating system and software
E:\ 200 GB MIM 2016, associated management agents and rules extensions
SQL Instance Installation Requirements:
Please reference the following Microsoft document for best practice guidance on SQL server configuration settings and builds for MIM Portal and Service Servers.
/en-us/microsoft-identity-manager/mim-best-practices
Note: The SQL Server instance must have Full-Text Search installed and the SQL Server Agent service installed and running; the MIM Service and Portal installation fails otherwise.
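Both prerequisites can be confirmed from the MIM server before setup is run, which is cheaper than discovering them from a failed installation. The following PowerShell check is an added example, not part of the original guide. It assumes the SqlServer (or SQLPS) module is available for Invoke-Sqlcmd, that the caller can query the instance and read service state on the SQL host over WMI/CIM, and that SQL01 and Service stand in for [SQL SERVER] and [SQL INSTANCE].

```powershell
# Added example (not from the original guide): MIM SQL prerequisite check.
# Assumes Invoke-Sqlcmd (SqlServer or SQLPS module) and CIM access to the SQL host.
param(
    [string]$SqlServer   = 'SQL01',     # [SQL SERVER]   (assumed value)
    [string]$SqlInstance = 'Service'    # [SQL INSTANCE] (assumed value)
)

$instancePath = if ($SqlInstance -and $SqlInstance -ne 'MSSQLSERVER') { "$SqlServer\$SqlInstance" } else { $SqlServer }

# 1. Full-Text Search must be installed on the instance; MIM setup fails without it.
$ft = Invoke-Sqlcmd -ServerInstance $instancePath -Query @"
SELECT FULLTEXTSERVICEPROPERTY('IsFullTextInstalled') AS FullTextInstalled,
       SERVERPROPERTY('ProductVersion')                AS Version,
       SERVERPROPERTY('Collation')                     AS Collation
"@

# 2. SQL Server Agent must be installed and running. The Windows service is named
#    SQLAgent$<instance> for a named instance and SQLSERVERAGENT for the default instance.
$agentName = if ($SqlInstance -and $SqlInstance -ne 'MSSQLSERVER') { "SQLAgent`$$SqlInstance" } else { 'SQLSERVERAGENT' }
$agent = Get-CimInstance -ClassName Win32_Service -ComputerName $SqlServer -Filter "Name='$agentName'"

$checks = [ordered]@{
    'Full-Text Search installed' = ($ft.FullTextInstalled -eq 1)
    'SQL Server Agent present'   = ($null -ne $agent)
    'SQL Server Agent running'   = ($agent -and $agent.State -eq 'Running')
    'SQL Server Agent automatic' = ($agent -and $agent.StartMode -eq 'Auto')
}

"SQL Server $instancePath version $($ft.Version), collation $($ft.Collation)"
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) {
    Write-Warning 'Fix the items marked MISSING before running MIM Service and Portal setup.'
}
```

The Agent start mode check is there because the MIM Service creates SQL Agent jobs; an agent that is running today but set to Manual will be down after the next reboot of the SQL host.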
Service Account Requirements:
The Service Accounts, SPNs, and Kerberos Delegation configurations needed for the MIM Service and Portal Installation can be found in the following blog post:
Prerequisite Software Installations:
Windows 2012 R2 Operating System Roles and Features:
The following roles and features are needed to install SharePoint and the MIM Service and Portal.
Server Manager:
Launch Server Manager
Select Dashboard
Select Add Roles and Features
Select Next
Select Role-based or feature-based installation
Select Next
Select Next
Roles:
For Roles select Web Server (IIS)
Select the Add Features button
Select Next
Add Features:
Select .NET Framework 3.5 Features
Select .NET Framework 3.5 (includes .NET 2.0 and 3.0)
Select HTTP Activation
Select Add Features
Scroll down the list and expand Windows PowerShell (2 of 5 installed)
Select Windows PowerShell 2.0 Engine
Select Next
Web Server Role (IIS)
Select Next
Role Services:
Common HTTP Features
Default Document
Directory Browsing
HTTP Errors
Static Content
HTTP Redirection
Health and Diagnostics
HTTP Logging
Request Monitor
Performance
Static Content Compression
Dynamic Content Compression
Security
Request Filtering
Basic Authentication
Windows Authentication
Application Development
Select ASP
Select Add Features button
.NET Extensibility 3.5
.NET Extensibility 4.5
ASP.NET 3.5
Select Add Features button
ASP.NET 4.5
ISAPI Extensions
ISAPI Filters
Management Tools
Select IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 Management Console
IIS 6 Scripting Tools
Select Add Features button
IIS 6 WMI Compatibility
Select Next
Select Install
Once the installation succeeds, select Close
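The same roles and features can be installed from an elevated PowerShell prompt, which is easier to repeat identically on [MIM SERVER 2]. The script below is an added example, not part of the original guide; the feature names are the Server Manager identifiers for the items selected above, and the -Source path (D:\sources\sxs, the side-by-side store on the Windows Server 2012 R2 media) is an assumption that only matters when the .NET Framework 3.5 payload is not present on the image and the server cannot reach Windows Update.

```powershell
# Added example (not from the original guide): install the roles and features selected in the
# Server Manager steps above, then verify every one of them reports Installed.
# D:\sources\sxs is an assumed path to the OS media's side-by-side store (needed only for .NET 3.5).
$features = @(
    # Role and framework features
    'Web-Server',
    'NET-Framework-Features', 'NET-Framework-Core', 'NET-HTTP-Activation',
    'PowerShell-V2',
    # Common HTTP Features
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content', 'Web-Http-Redirect',
    # Health and Diagnostics
    'Web-Http-Logging', 'Web-Request-Monitor',
    # Performance
    'Web-Stat-Compression', 'Web-Dyn-Compression',
    # Security
    'Web-Filtering', 'Web-Basic-Auth', 'Web-Windows-Auth',
    # Application Development
    'Web-ASP', 'Web-Net-Ext', 'Web-Net-Ext45', 'Web-Asp-Net', 'Web-Asp-Net45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # Management Tools (Web-Mgmt-Console is selected automatically with Web-Server in the GUI)
    'Web-Mgmt-Console', 'Web-Mgmt-Compat', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console',
    'Web-Lgcy-Scripting', 'Web-WMI'
)

Import-Module ServerManager
$result = Install-WindowsFeature -Name $features -Source 'D:\sources\sxs'

if (-not $result.Success) {
    $failed = $result.FeatureResult | Where-Object { -not $_.Success } | Select-Object -ExpandProperty Name
    throw "Feature installation failed for: $($failed -join ', ')"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before continuing with the SQL client and SharePoint installs.'
}

# Verify independently of the return object: every requested feature must now be Installed.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    $missing | ForEach-Object { Write-Warning "Not installed: $($_.Name)" }
} else {
    Write-Host "All $($features.Count) features installed."
}
```

Installing Web-Basic-Auth only adds the IIS module; it does not enable Basic authentication on any site, so leave it disabled at the site level unless a later step requires it, since Basic sends credentials in a reversible form on every request.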
Install SQL Client:
You can download the SQL Client installer (sqlncli.msi) from the Microsoft SQL Server 2012 SP2 Feature Pack located at the following link:
https://www.microsoft.com/en-us/download/details.aspx?id=43339
Launch the Microsoft SQL Server 2012 Native Client Installer
On the Welcome to the installation Wizard for SQL Server 2012 Native Client select Next
Review and Accept the License Terms to continue installation
Select Next
On the Feature Selection window, select Next
On the Ready to Install the Program pane, select Install
If asked to allow program to make changes to this computer, select Yes.
Upon successful completion, select Finish
Install Optional Tools:
Some popular tools and utilities that you may consider installing include:
- Notepad++
- Visual Studio
- Telnet Client
- SQL Server Management Studio
Install SharePoint Foundation 2013 SP1
MIM 2016 Portal utilizes components of SharePoint. The installation instructions for SharePoint Foundation 2013 SP1 for use with FIM / MIM are posted in a separate blog post at the following location:
Install the MIM Service and Portal:
From the MIM 2016 Installation Media launch FIMSplash.html
If prompted, select Yes to allow program to make changes to computer.
Under Identity Manager Service and Portal, select Install Service and Portal,
Select Run
If prompted, select Yes to allow program to make changes to computer.
On the Welcome to Microsoft Identity Manager Service and Portal Setup Wizard
select Next.
On the End-User License Agreement page,
Review the license agreement and accept to continue installation.
select Next.
On the MIM Customer Experience Improvement Program page,
choose your participation option and select Next.
On the Custom Setup page:
MIM Reporting and Privileged Access Management:
By default, the MIM Reporting and Privileged Access Management features are not installed; under MIM Service they appear deselected with a red X next to each optional feature.
Should you choose to install these features, additional documentation on their installation can be located online.
Password Registration and Reset:
Conversely, Password Registration and Reset are installed by default. Should you choose not to install these features, or if these features will be installed on a separate system, the following actions may be taken to prevent the installation of these features.
Select MIM Password Registration Portal
choose Entire Feature will be unavailable.
A red X will now appear next to the option as well.
Select MIM Password Reset Portal
choose Entire Feature will be unavailable.
A red X will appear next to the option.
Installation Path:
The default installation path is c:\Program Files\Microsoft Forefront Identity Manager\2010\
To specify an alternate installation path:
Select MIM Service or MIM Portal, and select Browse and change to the desired installation path.
The path selection will apply to both MIM Service and MIM Portal features if installed simultaneously.
select OK.
Select Next
On the Configure Common Services - MIM Database Connection page
Enter the following information:
Database Server: [SQL SERVER]\[SQL INSTANCE]
Database Name: FIMService
For the first server installed [MIM SERVER 1] select Create a new database
For each subsequent server [MIM SERVER 2] select Re-use the existing database.
Select Next
Database Backup Warning:
Setup warns that the existing MIM Service database should be backed up before it is reused.
This message does not appear when installing the first server with Create a new database selected; it appears when Re-use the existing database is selected. Take the backup before continuing.
Select Next
On the Configure Common Services – Mail Server Connection page
Mail Server: [SMTP MAIL SERVER]
Select whichever of the following options apply to your mail server:
Use SSL
Mail Server is Exchange Server 2007 or Exchange Server 2010
Enable Polling for Exchange Server 2007 or Exchange Server 2010
Use Exchange Online
On the Configure Common Services – Service Certificate page
Select Generate a new self-issued certificate. This certificate secures the MIM Service endpoints; a self-issued certificate is acceptable in the Test environment, but for production select Use an existing certificate and supply one issued by your enterprise CA.
Select Next
On the Configure Common Services – MIM Service Account page
Enter the following information:
Service Account Name: [MIM SERVICE ACCOUNT]
Service Account Password *******************
Service Account Domain [FQDOMAIN]
Service Email Account [MIM SERVICE EMAIL]
Select Next
Account Security Warning:
If an Account Security Warning appears stating that the Service Account is not secure in its current configuration, select Next; the warning does not block the installation.
The Service Account security can be addressed after the installation by referencing the following blog post:
On the Configure Common Services – Configure MIM Service and Portal Synchronization page
Enter the following information:
Synchronization Server: [MIM SYNC SERVER]
MIM Management Agent Account: [DOMAIN]\[MIM MA SERVICE ACCOUNT]
Select Next
You may receive a warning message:
The MIM synchronization server you have entered does not exist or is not running. Click ‘Back’ to enter a different server name. If you plan to install the MIM synchronization service on the ‘[MIM SYNC SERVER]’ later, click ‘Next’ to accept the configuration and continue. Refer to the installation guide for instructions on how to change this information post deployment.
Verify the server name is correct.
If it is not correct, select Back and correct the name.
Once the server name is verified to be correct, you may still receive this message.
select Next to continue
On the Configure Common Services – Configure Connection with MIM Service page
MIM Service Server Address: the name of the server being installed, that is [MIM SERVER 1] on the first server and [MIM SERVER 2] on the second
select Next
On the Configure Common Services – Configure Connection with MIM Service page
SharePoint Site Collection URL: https://FIMPortal
Select Next
On the Configure Common Services – Configure Optional Portal Home Page Configuration page
Registration Portal URL: [MIM PRP URL]
Select Next
Note: Leave this field empty if the Password Registration Portal is not implemented.
On the Configure Common Services – Configure Security Changes Configured by Setup page
Select Open ports 5725 and 5726 in the firewall. TCP 5725 is the MIM Service endpoint used by the Portal and other clients; TCP 5726 is used by the MIM Synchronization Service. Both endpoints require Windows authentication, but consider restricting the inbound rules to the MIM servers and administrative hosts after setup.
Select Grant Authenticated Users Access to MIM Portal Site. This sets the SharePoint site permission only; what a user can read or change inside MIM is still governed by management policy rules.
Select Next
On the Enter Information for MIM Password Portals page
If applicable, select MIM Password Registration Portal will be installed on another host.
Account Name: [DOMAIN]\[MIM PWD REG ACCOUNT]
If applicable, select MIM Password Reset Portal will be installed on another host
Account Name: [DOMAIN]\[MIM PWD RST ACCOUNT]
Select Next
On the Install Microsoft Identity Manager Service and Portal page
Select Install
Be patient: the installation can take considerable time, opening and closing command windows and at times appearing to do nothing.
On the Completed Microsoft Identity Manager Service and Portal Setup Wizard page,
Select Finish
Close the FIMSplash browser window.
Verify the FIMSPFPool is Started
Start, Internet Information Services Manager (IIS)
Expand the Server
Select Application Pools
Select FIMSPFPool
Verify the FIMSPFPool is started.
Close IIS Manager
From the server [MIM SERVER 1], launch Internet Explorer
Enter the following Url to display the MIM Portal
https://[MIM SERVER 1]/identitymanagement/aspx/users/AllPersons.aspx
From the server [MIM SERVER 2], launch Internet Explorer
Enter the following Url to display the MIM Portal
https://[MIM SERVER 2]/identitymanagement/aspx/users/AllPersons.aspx
The MIM Portal should display without error.
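The checks above (application pool state and the portal page) can be folded into one script run on each MIM Service and Portal server that also confirms what setup was asked to do on the security page: the FIMService Windows service, the firewall rules for TCP 5725 and 5726, that those ports are actually listening, and that the portal answers to Windows authentication. This is an added example, not part of the original guide; it assumes the WebAdministration and NetSecurity modules present on Windows Server 2012 R2 and uses the local computer name in place of [MIM SERVER 1] or [MIM SERVER 2].

```powershell
# Added example (not from the original guide): post-install verification for a MIM Service and
# Portal server. Run locally on each server in an elevated PowerShell prompt.
param([string]$PortalHost = $env:COMPUTERNAME)   # assumed: the portal answers on the server's own name

Import-Module WebAdministration
$results = [ordered]@{}

# MIM Service (Windows service name FIMService) must be running under the MIM Service account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='FIMService'"
$results['FIMService running'] = ($null -ne $svc -and $svc.State -eq 'Running')
$results['FIMService account'] = if ($svc) { $svc.StartName } else { 'service not found' }

# Application pool created by setup for the portal.
$results['FIMSPFPool started'] = ((Get-WebAppPoolState -Name 'FIMSPFPool').Value -eq 'Started')

# Setup's "open ports 5725 and 5726 in the firewall" option creates inbound rules; confirm each
# rule exists and is enabled, and that something is actually listening on the port.
foreach ($port in 5725, 5726) {
    $rule = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $port } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $results["Firewall inbound TCP $port"] = [bool]$rule
    $results["Rule scope TCP $port"]       = ($rule | Get-NetFirewallAddressFilter | Select-Object -First 1).RemoteAddress
    $results["Listening on TCP $port"]     = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
}

# Portal page with the caller's Windows credentials: expect HTTP 200, not 401 or a login form.
# A certificate trust error here is itself a finding (the site certificate is not trusted).
try {
    $resp = Invoke-WebRequest -Uri "https://$PortalHost/identitymanagement/aspx/users/AllPersons.aspx" `
                              -UseDefaultCredentials -UseBasicParsing
    $results['Portal HTTP status'] = $resp.StatusCode
} catch {
    $results['Portal HTTP status'] = $_.Exception.Message
}

$results
```

A RemoteAddress of Any on the 5725/5726 rules means every host on the network can reach the MIM Service endpoints; tightening that scope to the Synchronization Server, the other Portal server and administrative workstations is a reasonable post-install hardening step.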
Post Installation of MIM Service and Portal
Install the latest version of MIMWAL (MIM Workflow Activity Library)
The MIM Workflow Activity Library (MIMWAL) is a Microsoft-maintained open-source library of workflow activities that extends the functionality of MIM. Repeat the following steps on all MIM Service and MIM Portal servers.
https://microsoft.github.io/MIMWAL/
Build and Deploy the MIMWAL solution:
Instructions for creating the MIMWAL assembly are located at the following link.
https://github.com/Microsoft/MIMWAL/wiki/build-and-deployment