Note: this post applies to the RTM version of FIM 2010.
I’m starting a new series of posts today showing how to build an identity management environment with FIM 2010. A lot of the concepts are covered in the Getting Started documentation, which you should of course read, however I think it’s often useful to see the same information presented in a couple of different ways – here with pictures!
To kick things off, I'm starting at the beginning: Installation.
Planning
FIM Components
When you first run the FIM setup program, you will see a screen with a number of different components to install. For an initial identity management installation you will want to install the Synchronization Service and the Service and Portal.
Following are the major requirements for these components. For a full list see TechNet: Hardware and Software Requirements.
- Synchronization Service
  - Windows Server 2008/2008 R2 Standard x64
  - SQL Server 2008 SP1
    - Database Engine
- Service and Portal (which includes Workflows, Codeless Sync Rules and Password Reset)
  - Windows Server 2008/2008 R2 Standard x64
  - SQL Server 2008 SP1
    - Database Engine
    - Full-text Indexing
  - Windows SharePoint Services 3.0
  - Exchange 2007/2010 (see Brad Turner's post on the subject if you don't have Exchange, or mine if you have BPOS.)
Servers
If you’re just planning a test environment then the simplest thing is to install everything on the one server. I wouldn’t do it with any less than 4GB of RAM, though 8GB is better. I have run FIM 2010 on virtual machines, both ESX and Hyper-V.
The Preinstallation and Topology Configuration document will give you more information if you want to install some components on different servers, or use load-balancing or redundancy features.
Installation
In this example I'm going to show you how to install the Sync Service and the Portal on a single server. For detailed instructions see the official documentation.
Server Config
The server is called “FIM”, has 4GB of RAM and is a member of the domain “mydomain.local” which also includes an Exchange 2007 server. I’ve installed the following:
- Windows 2008 Standard x64
- SQL 2008 SP1
- WSS 3.0 (and I've run the SharePoint Products and Technologies Configuration Wizard from the Administrative Tools menu)
- Exchange 2007 management tools
Service Accounts
First, create the service accounts in the domain. All accounts are regular users in the domain, and on the FIM server.
Install the Sync Service
Now we're ready to start installing. From the setup splash screen click Install Synchronization Service.
I've skipped the initial screens, which are click-Next types. The first one you have to think about is specifying your SQL server. Sometimes you'll get an error here about the SQL server not being found. This is usually either because your SQL server is the wrong version (minimum 2008 SP1) or because you haven't properly specified the named instance.
Specify the service account you created for the Sync Service.
The installation creates these local groups for you. It will make it easier to move the Sync Service to another server if you use domain groups. To do this, create the equivalent domain groups yourself, and then specify them here in the format "domain\group".
If you have the Windows Firewall enabled then you will need to tick this option.
You will now be prompted to save the keyset for the database. This is needed if you want to transfer the database to another server (it doesn't actually encrypt the database). You should save it somewhere you can find it again, though if the FIM server is available you can export the keyset again any time using miiskmu.exe (found in the Microsoft Forefront Identity Manager/2010/Synchronization Service/bin folder). The Sync Service should then install.
Install the FIM Service and Portal
Now go back to the splash screen and choose Install Service and Portal. You need to be a bit careful about the account you use to do this part with, as it will become the built-in Administrator account in the Portal. One idea is to create a "FIM Administrator" account in the domain, make it a local and SQL administrator, and install using that. Click through the first screens. Typically you would just leave this as default settings, unless you were doing an installation split across different servers.
Enter the name of the SQL Server and "FIMService" for the database name. I'm just using the local server here, and this screen pre-configures itself with the NetBIOS name of the server rather than "localhost", so I just leave it that way. If you were using a remote SQL server you would enter the FQDN, or FQDN/NamedInstance.
Enter the name of your email server. Ideally this will be a self-hosted Exchange 2007/2010 server, though you can also use non-Exchange or MSOnline.
It should be fine to use the default here. The certificate is used for internal, and not client, communications.
Now specify the (mail-enabled) account you created for the FIM Service.
Next you specify the account you created for the FIM Management Agent.
Here I'm just using the server name again, but in a production environment I'd probably be specifying some sort of publicly acceptable CNAME, like "identity.mydomain.local". You can change it later or add extra names, though you have to be careful with the Kerberos stuff.
With the FIM Service running on the WSS server you just reference localhost.
You need to select the first option if you have Windows Firewall enabled. And you definitely need options two and three, otherwise you'll just be configuring it manually later.
The installation should now complete. To check that it's working browse http://fimserver/identitymanagement.
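Once the installer finishes, a quick post-install check saves a lot of guesswork. The script below is an added example, not part of the original post: it assumes the Windows service names "FIMSynchronizationService" and "FIMService", the "Forefront Identity Manager" event log, a placeholder FIM Service account and the portal host names used in this walkthrough; change them to match your environment.

```powershell
# Post-install sanity check for a single-server FIM 2010 lab (added example, not from the post).
# Assumptions: service names FIMSynchronizationService / FIMService, event log
# "Forefront Identity Manager", and the placeholder account and URLs below.
$ServiceAccount = "mydomain\svc-fimservice"   # placeholder: your FIM Service account
$PortalUrls     = @("http://fim/identitymanagement",
                    "http://localhost/identitymanagement")

# 1. Both services must be running before the portal can reach the FIM Service.
foreach ($name in "FIMSynchronizationService", "FIMService") {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null)                { Write-Warning "$name is not installed" }
    elseif ($svc.Status -ne "Running") { Write-Warning "$name is $($svc.Status)" }
    else                               { Write-Host    "$name is running" }
}

# 2. Errors written to the FIM log (Event Viewer > Applications and Services Logs)
#    in the last hour; this is where portal "service not available" errors show up.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -LogName "Forefront Identity Manager" -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $since -and $_.LevelDisplayName -eq "Error" } |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Kerberos: list (read-only) the SPNs registered on the FIM Service account.
#    The account needs an FIMService/<fqdn> SPN; if you later add a CNAME for the
#    portal, the HTTP/<name> SPN must also be right or browsing it will fail.
setspn -L $ServiceAccount

# 4. Try the portal by host name and by localhost. If only one of them works,
#    suspect an SPN/Kerberos problem rather than the installation itself.
foreach ($url in $PortalUrls) {
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try   { $null = $wc.DownloadString($url); Write-Host "OK   $url" }
    catch { Write-Warning "FAIL $url : $($_.Exception.Message)" }
}
```

Run it in an elevated PowerShell session on the FIM server itself, logged on as an account that has a user object in the Portal.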
Hi.. this is a great step by step that I followed to install FIM and all other pre-reqs.
After completing the installation, I can't access the FIM portal. I am getting "service not available" with a red X.
I am using a domain admin account that I used to install everything to access the FIM portal. Everything is also installed on one machine. Am I missing something???
Thank you
Elias
Are you on the server itself when trying to access the portal? Check the FIM log for errors – it's in the Event Viewer under the Applications and Services Logs. I also never install the service/portal as a domain admin because there was some problem with that in an early beta. I don't think it's a problem anymore, but you could try re-installing using either local Admin or the FIM service account (added to the local admin group). I've used both those options on production systems.
Hi Carol,
Thanks for this great guide – great for comparison and double-checking everything.
Having an issue with our FIM pilot install, namely with the portal. When browsing to http://hostname/IdentityManagement we get the following error:
Server Error in ‘/’ Application.
The provided URI scheme ‘hostname’ is invalid; expected ‘http’.
Parameter name: via
Stack Trace:
[ArgumentException: The provided URI scheme ‘qutpki-qa’ is invalid; expected ‘http’.
Parameter name: via]
System.ServiceModel.Channels.TransportChannelFactory`1.ValidateScheme(Uri via) +15241052
System.ServiceModel.Channels.HttpChannelFactory.ValidateCreateChannelParameters(EndpointAddress remoteAddress, Uri via) +28
System.ServiceModel.Channels.HttpChannelFactory.OnCreateChannel(EndpointAddress remoteAddress, Uri via) +37
System.ServiceModel.Channels.ChannelFactoryBase`1.InternalCreateChannel(EndpointAddress address, Uri via) +52
System.ServiceModel.Channels.ChannelFactoryBase`1.CreateChannel(EndpointAddress address, Uri via) +72
System.ServiceModel.Channels.ServiceChannelFactoryOverRequest.CreateInnerChannelBinder(EndpointAddress to, Uri via) +42
System.ServiceModel.Channels.ServiceChannelFactory.CreateServiceChannel(EndpointAddress address, Uri via) +41
System.ServiceModel.Channels.ServiceChannelFactory.CreateChannel(Type channelType, EndpointAddress address, Uri via) +59
System.ServiceModel.ChannelFactory`1.CreateChannel(EndpointAddress address, Uri via) +467
System.ServiceModel.ChannelFactory`1.CreateChannel() +45
System.ServiceModel.ClientBase`1.CreateChannel() +53
System.ServiceModel.ClientBase`1.CreateChannelInternal() +34
System.ServiceModel.ClientBase`1.get_Channel() +264
Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier) +211
Microsoft.ResourceManagement.WebServices.Client.SchemaManagerImplementation.RefreshSchema() +68
Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager() +150
Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken) +35
Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, String filter, List`1 attributes) +168
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration() +269
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI() +118
Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl() +16
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable() +117
Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls() +32
System.Web.UI.Control.EnsureChildControls() +146
System.Web.UI.Control.PreRenderRecursiveInternal() +61
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394
—
We’ve gone over our installation and nothing very obvious stands out with this. Is there anything you could do to shed some light on this? Much appreciated.
I've had a few problems like this, and I know many others have too – there are quite a few examples on the FIM forum on TechNet. One thing to check – does it make any difference if you access the portal locally via localhost? How about if you use the IP address? There are various Kerberos errors which reveal themselves that way. The other thing that sometimes happens is that some accounts can access the portal and others get the unhelpful errors – which will usually indicate insufficient information on the user object in the portal.
Hi,
I'll install FIM in order to use self-service password reset. After installation I have some problems with this message: you are not authorized to register for self-service password reset.
I need to know if I should do something with the Synchronization Service (because I don't see users in the FIM management web interface).
thanks
Yes all users must exist in the Portal and must be able to login to it (so domain, account name and objectSid sync’d through the sync service). See http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx and http://technet.microsoft.com/en-us/library/ff686264(WS.10).aspx.
OK thanks, I will try it.