8/29/2012
Learn more about Forefront TMG 2010
Below are some resources that are available for learning about and trying Forefront TMG 2010:
- Forefront TMG Virtual Lab – an excellent resource for trying out TMG without having to install it first.
- Forefront TMG Trial version – a 120-day, fully functional trial version to install and test in your own labs.
- Microsoft Business Ready Security Lab – the Microsoft Business Ready Security trial environment provides an end-to-end trial experience across all of the Business Ready Security solutions. The environment provides an opportunity to evaluate protection, access, management and identity technologies as a pre-configured set of VHDs.
- Case Studies Site
- Using Forefront TMG 2010 as a Secure Web Gateway solution – TechNet Magazine article.
- Forefront TMG Pricing and Licensing.
- MS Tech Edge Video about TMG migration from ISA.
- MS Tech Edge Video about TMG Web Access Protection.
- Forefront TMG Webcasts
- TMG Team Blog
- Forefront Edge Community Site
- Microsoft Press Forefront TMG 2010 Administrator’s Companion Book
Microsoft Forefront TMG Core Capabilities
Microsoft Forefront TMG 2010 is positioned as a Secure Web Gateway. The core new features of this product are:
- URL filtering: Improves blocking of malicious or inappropriate sites using aggregated data from multiple URL filtering vendors and the anti-phishing and malware technologies that also protect Internet Explorer 8 users.
- HTTPS Inspection: Inspects outbound HTTPS traffic in order to protect your organization from security risks inherent to Secure Sockets Layer (SSL) tunnels, such as viruses and other malicious content that could otherwise infiltrate the organization undetected.
- Intrusion Prevention (NIS): The Network Inspection System protects against exploitation of browser-based and other Microsoft vulnerabilities.
- Web anti-malware: Provides highly accurate malware detection with the same world-class engine that is used by Microsoft Security Essentials and Microsoft Forefront products.
- Support for Windows Server 2008 R2 (x64): The first Microsoft edge protection product that leverages the scalability and increased memory space of the Windows 64-bit platform.
8/28/2012
Federating FIM 2010 using UAG/ADFS and KCD
This post is about leveraging ADFS/UAG to publish FIM to identities outside the trusted security realms for delegation and/or self-service identity related tasks. Before getting into the technical stuff, this post is not meant to be a “How To” guide. It’s really just to demonstrate the capabilities of our identity stack.
Where is this applicable? Say you have a resource forest where FIM resides: how do you provide access to the portal from autonomous security realms without creating a bunch of NT trusts or maintaining secondary credentials? Because shadow accounts exist within the resource forest as security principals for dependent services (for example BPOS or O365), you can leverage UAG, ADFS, and KCD together to provide secure access. UAG is claims-aware and supports two Kerberos protocol extensions: (1) protocol transition and (2) constrained delegation.
- Protocol transition is a Kerberos extension introduced in Windows 2003 which allows a service that uses Kerberos to obtain a Kerberos service ticket to itself on behalf of a Kerberos principal, without requiring the principal to initially authenticate to the KDC with credentials.
- Constrained delegation is an extension which allows a service to obtain service tickets (under the delegated user's identity) to a subset of other services after it has been presented with a service ticket that was obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or through the protocol transition extension.
To get this working you need the following:
- Kerberos-enabled WSS 3.0 (FIM Portal Server) + working FIM 2010 installation
- ADFS 2.0 Server (STS-RP and STS-IP)
- UAG 2010 SP1
Configuring WSS for Kerberos
- Reference the following TechNet article to configure Kerberos authentication within WSS:
- Ensure Kerberos is enabled end-to-end:
  - Run the following query to determine whether Kerberos is being used for the SQL connection. As written it reports only the current session (@@SPID); drop the WHERE clause to list every connection, including those from the WSS/FIM service accounts:
  SELECT session_id, auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID
  - Verify Kerberos is being used in the WSS web front-end Security event log. Filter the log on Event ID 4624 and check that the authentication package recorded is Kerberos rather than NTLM.
  - You can also use Fiddler to validate the WWW-Authenticate / Authorization: Negotiate exchange from the client browser to IIS.
- Once you’re sure Kerberos is configured end-to-end within WSS, you should be good to proceed.
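One way to do the Event ID 4624 check above offline, as an added example that is not part of the original post: classify logon events exported from the Security log by their AuthenticationPackageName so that any NTLM fallback on the WSS front end stands out. The events are constructed samples in the XML shape Event Viewer exports; the accounts, host and IP addresses are made up.

```python
"""Classify Windows 4624 logon events by authentication package (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Namespace used by the Windows Event Log XML export.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_xml(event_id, user, domain, logon_type, package, ip):
    """Build one event in the shape of an Event Viewer XML export (constructed sample)."""
    return (
        f"<Event><System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="AuthenticationPackageName">{package}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


# Constructed export: a Kerberos logon, the same service account seen once via
# Kerberos and once via NTLM, an interactive logon, and a 4634 logoff record
# that a logon check must ignore. Accounts and addresses are made up.
SAMPLE_EXPORT = (
    '<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    + event_xml(4624, "alice", "CONTOSO", 3, "Kerberos", "10.0.0.25")
    + event_xml(4624, "svc-fim", "CONTOSO", 3, "Kerberos", "10.0.0.40")
    + event_xml(4624, "svc-fim", "CONTOSO", 3, "NTLM", "10.0.0.40")
    + event_xml(4624, "admin", "CONTOSO", 2, "Negotiate", "127.0.0.1")
    + event_xml(4634, "alice", "CONTOSO", 3, "Kerberos", "10.0.0.25")
    + "</Events>"
)


def parse_logons(xml_text):
    """Return one dict of EventData fields per 4624 event; other event IDs are skipped."""
    root = ET.fromstring(xml_text)
    logons = []
    for ev in root.findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4624":
            continue
        fields = {d.get("Name"): (d.text or "")
                  for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        logons.append(fields)
    return logons


def _account(fields):
    return f"{fields.get('TargetDomainName', '')}\\{fields.get('TargetUserName', '')}"


def package_summary(logons, logon_type="3"):
    """Per-account count of authentication packages for network logons (type 3),
    which is how browser-to-IIS Windows authentication shows up on the front end."""
    summary = defaultdict(Counter)
    for f in logons:
        if f.get("LogonType") == logon_type:
            summary[_account(f)][f.get("AuthenticationPackageName", "?")] += 1
    return {account: dict(c) for account, c in summary.items()}


def non_kerberos_logons(logons, logon_type="3"):
    """Network logons that did not use Kerberos: evidence that Kerberos is not
    in place end-to-end for that hop (e.g. an NTLM fallback)."""
    return [(_account(f), f.get("AuthenticationPackageName"), f.get("IpAddress"))
            for f in logons
            if f.get("LogonType") == logon_type
            and f.get("AuthenticationPackageName") != "Kerberos"]


if __name__ == "__main__":
    found = parse_logons(SAMPLE_EXPORT)
    for account, packages in package_summary(found).items():
        print(account, packages)
    for account, package, ip in non_kerberos_logons(found):
        print(f"non-Kerberos network logon: {account} via {package} from {ip}")
```

On a real front end, feed the script the XML saved from Event Viewer (or from wevtutil) for the Security log filtered on 4624.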
For the ADFS and UAG configuration, make sure the common prerequisites are configured properly: name resolution, certificates, and a working configuration. To ensure this, I recommend configuring a sample claims-aware application to confirm that ADFS is working. This can be accomplished by using any of the step-by-step guides published by the PG.
The next step is to create a portal trunk in UAG and wire it up to the STS.
- Within the UAG Management Tool, add an ADFS Authentication Server.
- Specify the URL of the federation metadata and select the “Retrieve Metadata” button.
- Select the claim value to be used as lead user value. I used Name but this can be something like UPN or Windows Account Name; whatever you want really.
- Create a portal trunk which will use ADFS as an authentication mechanism.
- Save and activate the configuration. The next step would be configuring UAG as an RP in ADFS.
- Verify the federation metadata on UAG and save it to a file for later use.
- Configure UAG as an RP Trust in ADFS. To do this, you will need to import the federation metadata from the file created in the previous step.
- Edit the Claims Rules to pass data from the attribute store. In my configuration, the minimum was SAM-Account-Name mapping to Name. Save and test the configuration.
- As a test, you should attempt to access the UAG Portal. You should be redirected to your IdP. If you have more than one identity provider, the requestor will need to select their IdP on the HRD (home realm discovery) page. Otherwise, you should get the FBA (forms-based authentication) login page presented by the IdP. Enter the appropriate credentials to successfully authenticate and be redirected to the RP (the UAG Portal). The RP will consume the AuthN token, and the end result is a successful login to the UAG Portal.
Now that requestors can successfully log into UAG using Federated AuthN, the next step is to publish FIM 2010 as an application within UAG.
- Add an application within the existing trunk. UAG comes with a template to use with FIM 2010.
- Specify the URL for FIM under the web servers’ properties.
- Enable SSO under the authentication properties. Select “Use Kerberos constrained delegation for single sign-on”. Additionally, select a value from this claim type as the shadow account user name for KCD when using federated authentication.
- Next, configure the SPNs in Active Directory for KCD on the UAG server object. Using the UAG Management Tool, Export KCD Settings to Active Directory. Then use Ldifde.exe to import the SPN value, which is set on the msDS-AllowedToDelegateTo attribute of the UAG computer object.
- I prefer publishing applications directly through UAG. To do this, uncheck “Add portal and toolbar link” and “Open in a new window” within the Portal Link properties. Within the Portal Trunk configuration, I modify the “Portal home page” to the FIM application and uncheck “Display home page within portal frame”. Assuming the FIM SPNs are configured properly, we should now have a working FIM Portal.
- The final step is to test the configuration. Browse the FIM URL from an untrusted workstation outside of the network. The end result is the FIM Portal being rendered in the same way as if you were accessing it internally.
Chris Calderon
MSFT
Release Notes for Forefront Identity Manager 2010 R2
by MS Technet
Welcome to the release notes for Microsoft® Forefront® Identity Manager (FIM) 2010 R2. Before you install this application, we recommend that you read this entire document and the Forefront Identity Manager 2010 R2 Deployment Guide. You can use these notes to guide you as you troubleshoot issues that may arise when you use FIM 2010 R2.
Release Notes for Forefront Identity Manager 2010 R2 – Known Issues
These release notes are broken down into 3 main areas of focus. These areas are Pre-Installation and Upgrade, Installation and Upgrade, and Post-Installation. Each of these areas is then subdivided into the various features that make up FIM 2010 R2. This will provide easy and quick reference to the features and components that pertain to you.
Area | Description |
---|---|
Pre-Installation and Upgrade | Includes known issues that need to be understood prior to installing or upgrading to FIM 2010 R2 |
Installation and Upgrade | Includes known issues that may occur during installation or upgrade |
Post-Installation | Includes known issues that may occur once FIM 2010 R2 is installed and running. |
Pre-Installation and Upgrade
This section includes known issues that can occur and must be understood prior to installing and upgrading FIM 2010 R2. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.
Feature Area | Includes information on the following components |
---|---|
Service and Portal – Pre-Installation and Upgrade | FIM Service, FIM Service Database, Password Registration Portal, Password Reset Portal, FIM Synchronization Service, Reporting |
Service and Portal Language Packs – Pre-Installation and Upgrade | Service and Portal Language Packs |
Service and Portal – Pre-Installation and Upgrade
- FIM Service: Domain and DomainConfiguration attributes’ default behavior for users and groups has now been extended to all resources in FIM
If you have used either of these attributes as part of your current implementation in FIM, this change may result in unexpected behavior and/or failed requests. If you have used either of these attributes, please test prior to upgrading your production environment.
- FIM Service Database: Custom schedules for FIM SQL Agent jobs are overwritten during upgrade
If you have customized the schedules for the FIM SQL Server Agent jobs, you will need to reapply your changes after the upgrade.
- Password Registration Portal, Password Reset Portal: Upgrading the SSPR portals from RC/RC Refresh to RTM is not possible
If you try to upgrade the SSPR portals from RC/RC Refresh to R2 RTM, it will fail with an “invalid port” error. The fix is to uninstall the SSPR portals and install the new versions from the R2 RTM media.
- FIM Synchronization Service: Users who installed FIM 2010 RTM from the MSDN website are unable to upgrade the Synchronization Service
If you have deployed FIM 2010 RTM from the MSDN website, an in-place upgrade is not supported for the Synchronization Service. However, the database can be preserved and used in FIM 2010 R2 RTM. To do this, you must uninstall the FIM 2010 RTM Synchronization Service and then install FIM 2010 R2 RTM using the existing database. The uninstall and subsequent install of FIM 2010 R2 is supported. The FIM Service and Portal can then be upgraded using the normal method. This only affects users who have installed FIM 2010 RTM from MSDN, and only the Synchronization Service. This is a known issue.
- Reporting: Upgrading from FIM 2010 R2 RC/RC Refresh Reporting to FIM 2010 R2 RTM Reporting is only supported for TAP customers who deployed the schema hotfix for RC
Only customers that participated in the TAP program and installed the schema hotfix for RC are supported when upgrading from FIM 2010 R2 RC/RC Refresh. To be supported you must meet the following criteria:
- Participated in the TAP program for FIM 2010 R2 RC
- Have deployed RC Reporting into production
- Have deployed RC using the schema hotfix
Service and Portal Language Packs – Pre-Installation and Upgrade
- Service and Portal Language Packs: Customers should back up their customized RCDC symbol-value pairs for non-English languages
It is a known bug in upgrade that those non-English string resource values will be overwritten.
Backing up involves exporting these RCDCs. To make these customizations appear again, you will need to redo the customizations, looking at the differences between the old and new symbol-value pairs.
For more information see Considerations for Upgrading to FIM 2010 R2 in the Forefront Identity Manager 2010 Deployment Guide.
Installation and Upgrade
This section includes known issues that can occur with installation and upgrade. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.
Feature Area | Includes information on the following components |
---|---|
Add-ins and extensions – Installation and Upgrade | FIM Password and Authentication Extensions |
Certificate Management – Installation and Upgrade | Certificate Management |
Service and Portal – Installation and Upgrade | FIM Portal, FIM Service, FIM Service Database, Password Registration Portal |
Service and Portal Language Packs – Installation and Upgrade | Service and Portal Language Packs |
Synchronization Service – Installation and Upgrade | FIM MA |
Add-ins and extensions – Installation and Upgrade
- FIM Password and Authentication Extensions: After installing the FIM Password and Authentication Extensions, a reboot is required
The reason is that when these extensions are installed, changes are made to the Windows authentication framework, which requires a reboot. Likewise, if the FIM Password and Authentication Extensions are uninstalled, a reboot will be required.
Certificate Management – Installation and Upgrade
- Certificate Management: FIM CM configuration fails if the database name contains an apostrophe (')
The FIM CM database name should not contain any apostrophe characters. The presence of an apostrophe in the database name causes an error when the FIM CM Configuration Wizard runs.
- Certificate Management: FIM CM configuration fails if the username or password contains an apostrophe (') as the first or last character
The FIM CM database username or password should not contain an apostrophe as the first or last character. The presence of an apostrophe as the first or last character causes an error when the FIM CM Configuration Wizard runs.
Service and Portal – Installation and Upgrade
- FIM Portal: Running setup with a non-default SharePoint site URL or a SharePoint site that uses SSL will fail
If you attempt to upgrade and are using a non-default SharePoint site URL (other than localhost), or you are using SSL on your SharePoint site, the upgrade will fail. To work around this, add http://localhost to the SharePoint alternate access mappings and re-run setup.
- FIM Portal, FIM Service: Object reference not set to an instance of an object
If you receive this error while attempting to install the FIM 2010 R2 Service and Portal, it is most likely an indication that the SQL Server service is unavailable or down. Verify that the SQL Server service is running and that the connection between the FIM Service and Portal is established and working.
- FIM Service: Administrator must open firewall ports manually
During a change installation, there is no option to open the firewall ports. The administrator must open the firewall ports manually.
- Password Registration Portal: FIM Service installer does not mask the password for Self-Service Password Reset accounts
When running the FIM 2010 R2 Service and Portal MSI from the command line using the verbose log parameter (msiexec /i "Service and Portal.msi" /l*v log.txt), the REGISTRATION_ACCOUNT_PASSWORD property in the log file is not masked to “*” as it should be. This is a known issue that only occurs when verbose logging is turned on; treat such log files as sensitive and remove them once installation is complete.
- FIM Service Database: Database should use a collation that supports surrogate pair characters, or searches on string attributes may return improper results
If your environment contains string data with surrogate pair characters, you must have a SQL database collation that supports them. Failure to do so will result in invalid search results. For more information on the available options refer to this article: http://msdn.microsoft.com/en-us/library/ms143503(v=sql.105).aspx
After installation of the FIM Service, run the following T-SQL statement to determine the FIM Service database collation:
SELECT DATABASEPROPERTYEX('FimService', 'Collation') SQLCollation;
Follow the SQL Server documentation for how to change the collation if you need to do so to support your environment: http://msdn.microsoft.com/en-us/library/ms175835(v=sql.105)
Service and Portal Language Packs – Installation and Upgrade
- Service and Portal Language Packs: Installing language packs from the command line may fail
Installing language packs from the command line using the following syntax will fail:
msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,FIMServiceLP /l* Install.log
To install language packs, do one of the following:
- Do not use the command line. Double-click the .msi to launch the installation.
- Use the command line to install one language pack at a time, using the following format (the example shown is for the Russian locale, ruRU):
msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortalruRU,FIMServiceLP,MTruRU /l* Install.log
- Service and Portal Language Packs: Service and Portal Language Packs cannot be uninstalled if the FIM components that depend on SharePoint are uninstalled
If you have installed the FIM Portal Language Pack or the FIM Password Reset Portal Language Pack (for the old RTM password portal, not the R2 SSPR portals) and then you uninstall all of the FIM components that depend on SharePoint (the FIM Portal and the old FIM Password Reset Portal), you will not be able to uninstall or upgrade the language pack.
This is because both the FIM Portal and the old FIM Password Reset Portal rely on SharePoint and hence store the SharePoint base site collection URL in the registry (BaseSiteCollectionUrl). The Service and Portal language packs (for the FIM Portal and the old password portal) also rely on that value being in the registry.
Therefore, uninstalling the FIM components that rely on SharePoint leaves you unable to uninstall or upgrade the language packs, because that registry value is gone.
To correct this issue, do the following:
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal.
- Create a string value (REG_SZ) named BaseSiteCollectionUrl.
- Set it to the SharePoint URL at which the FIM Portal/Password Reset Portal was deployed.
- You can now either uninstall or upgrade the language pack.
- Service and Portal Language Packs: Object reference not set to an instance of an object
If you receive this error while attempting to install the FIM 2010 R2 Service and Portal Language Pack, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.
Synchronization Service – Installation and Upgrade
- FIM MA: Interactive logon required for setting up the FIM Service Management Agent
The FIM MA requires the interactive logon right during setup. This requirement is a Windows behavior: when the FIM Service account impersonates the MA account, Windows performs an interactive logon in order to load the user profile (and so on). If the account is not allowed to log on interactively, you will see an access-denied entry in the Security event log. This is needed for all operations.
Post-Installation
This section includes known issues that can occur once FIM 2010 R2 is installed and running. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.
Feature Area | Includes information on the following components |
---|---|
Add-ins and extensions – Post-Installation | FIM Add-in for Outlook |
Certificate Management – Post-Installation | All Certificate Management features |
Service and Portal – Post-Installation | FIM Portal, FIM Service |
Synchronization Service – Post-Installation | |
Add-ins and extensions – Post-Installation
- FIM Add-in for Outlook: Unicode is not fully supported when launching the Outlook add-in for users with names that contain Unicode characters
This is because of a bug in Outlook.
Certificate Management – Post-Installation
- Certificate Management: User PIN dialog may not display on IE9
FIM CM portal users may be blocked from completing a request when the FIM CM client is unable to display the user PIN dialog. This issue occurs intermittently for IE9 users who have not yet applied the relevant IE9 cumulative update.
Service and Portal – Post-Installation
- FIM Portal: Double Quote in Contains Search Fails
Entering a search string containing double quotes into a search scope that uses Contains functionality will fail with the following stack trace:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
Other ---> System.Data.SqlClient.SqlException: Syntax error near 'User' in the full-text search condition '""User 1"*"'
- FIM Portal: Authentication functionality changes
With FIM 2010 R2, the following functionality is deprecated: interactive registration for an authentication workflow from the FIM 2010 R2 Portal, and interactive authentication for a request from the FIM 2010 R2 Portal.
- FIM Portal: Wildcard character * is not supported in the Filter Builder
Important: If you create a filter that uses the * character, for example
DisplayName contains *
the * character will be discarded from the filter definition; the resulting expression will be considered invalid and the filter will fail.
- FIM Portal: Custom resources with ":", "(", or ")" in the name render the FIM Portal inoperable
In this release, do not use a colon (:) or parentheses ( ) in the system name of a custom resource. Creating custom resources with these characters in the system name causes the FIM 2010 R2 Portal to become inoperable and requires a reinstallation of the FIM 2010 R2 Portal.
- FIM Portal: User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources
In this release, the user cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources. To work around the issue, you can temporarily add StringRegex, IntegerMinimum, or IntegerMaximum to the Management Policy Rule (MPR) named “Administration - Schema: Administrators can change selected attributes of schema-related resources”. It is important to revert the change after the modification, since the MPR is there to protect against illegal modification of elements important to the system schema.
- FIM Portal: Default DisplayName and Description are not submitted during creation of a BindingDescription
In this release, if the user does not modify the existing DisplayName or Description of a BindingDescription resource, the BindingDescription is created without a DisplayName or Description, even though in the user interface (UI) it appears that FIM 2010 has supplied a default value. The workaround is to update the DisplayName and Description after creation, or to supply a different value for these attributes during creation.
- FIM Portal: Custom resources with hyphens in their names do not create RCDC configuration XML correctly
You can create a custom attribute or custom resource type with a hyphen "-" in the system name. However, if you create an RCDC for this new resource, the RCDC configuration file that is created automatically is not correct. The RCDC uses the attribute name as the control name, but the control name does not support "-". The workaround is to remove "-" from the control names in the RCDC configuration file.
- FIM Portal: Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership
When previewing dynamic members of a group or set, an error message is displayed if the request times out. If you subsequently click Preview a second time, the query may show no members in the group or set, even if they do contain members. If this happens, click Cancel to close the dialog box and retry the preview operation. If the request times out again, the administrator may need to increase the server timeout.
- FIM Portal: Default search operator for DisplayName has been changed from contains to starts-with
As a result of working with a number of internal and external customers on portal search performance, we chose to change the default search operator used by the FIM Portal (Search Scopes, Identity Picker) for the DisplayName attribute from contains to starts-with. This will impact your existing FIM Portal implementation and your FIM Portal administrative searches. If you wish to return to the previous (contains) behavior for one or more search scopes, we have added the ability to configure an "Advanced Filter". See FIM 2010 R2 Search Changes for more information.
- FIM Portal: ObjectPicker will not automatically resolve entered names when navigating to the next page
When the user enters a name into an object picker and clicks the "Next" button below it, the user is prompted to finish resolving names.
- FIM Portal: Matching Usage Keywords are necessary for a search scope to appear on a given page of the site
For example, the “Pending from Today” search scope may be expected to appear on the “Search Requests” page. The Usage Keywords for the “Pending from Today” search scope must be updated manually to include the Usage Keywords configured for the “Search Requests” page which, by default, are the following:
- customized
- Request
- SearchRequests
- FIM Portal: Disable SharePoint 2010 job: “SharePoint Foundation Search Refresh”
The SharePoint Foundation 2010 job “SharePoint Foundation Search Refresh” will continuously generate FIM 2010 R2 event log entries. The errors can be ignored, but the FIM 2010 R2 event log will become unnecessarily cluttered. To disable the job, in SharePoint 2010 Central Administration, click Check job status, then disable the job “SharePoint Foundation Search Refresh”.
- FIM Portal: Supplying no input for a Search Scope with the Advanced Filter configured does not produce search results
As a workaround, you can type a % into the Search box.
- FIM Service, FIM Portal: Unicode not fully supported in certain cases
The FIM 2010 R2 Portal and Service do not fully support Unicode in the User Names of new users created through the portal. This is to limit the format of User Names to those that can be used to create mailboxes through SharePoint.
- FIM Service: Custom workflows that run under the context of the requestor (Actor) may fail with permission denied
If you encounter this error, you will need to update your existing custom workflow(s) to explicitly set the ActorId and ensure that the appropriate MPRs have been configured.
- FIM Service: Contains searches on String attributes rely on SQL Full-Text Search (FTS) as part of the implementation
The FTS parser may break the search string into multiple search tokens if any word-break characters are found. This may lead to the Contains search returning invalid results: you may notice missing rows, or extra rows being returned that do not match your search string. You can use the SQL FTS parser (http://technet.microsoft.com/en-us/library/cc280463(v=sql.105)) to test the behavior of search strings commonly used in your environment. If you find that the SQL FTS parser is not returning the expected results, consider setting up search scopes using Starts-With instead, which do not use FTS.
- FIM Service: Starts-With and Ends-With searches on String and Text attributes are implemented using the T-SQL LIKE operator with standard SQL wildcard behaviors
This means that the characters %, _, [ and ^ are treated as wildcards (http://msdn.microsoft.com/en-us/library/ms179859.aspx). If your use cases require these characters to be treated as literals, you must escape them per the T-SQL LIKE documentation by enclosing each wildcard character in brackets (for example, [_] to match a literal underscore).
- FIM Service: Running repair on the FIM Service does not repair SQL Server Agent jobs
When running a repair operation on the FIM 2010 R2 Service, SQL Agent jobs are not repaired, as the repair operation does not have SQL Server Agent permissions.
- FIM Service: Diagnostics tracing file format has changed for FIM 2010 R2
If you currently use data from the diagnostics tracing file, you will need to modify your tools or scripts to accommodate the new format.
- FIM Service: The FIM Service web service contract for faults has changed
The fault contract for FIM 2010 R2 includes additional information to support the troubleshooting enhancements in this release. You will need to regenerate the client proxy based on the updated fault contracts.
- FIM Service: New resource type CompositeType may interfere with custom Action workflows
A new resource type, CompositeType, has been introduced for Requests issued by the Built-in Synchronization Account. It may interfere with any custom Action workflows that parse request targets. To find the actual targets, you will need to modify these workflows to parse the Request Parameters of a CompositeType.
- FIM Service: UpdateRequestActivity has been removed from FIM 2010 R2
UpdateRequestActivity has been removed from FIM 2010 R2. If you have any custom code that references UpdateRequestActivity, it will no longer compile. Moving forward, you should use UpdateResourceActivity instead.
- FIM Service: For asynchronous exports from the FIM MA, multiple FIM Service instances will process synchronization requests
In R2, all FIM Service instances, irrespective of whether they belong to a particular service partition, will process synchronization requests. To avoid performance impacts on specific FIM Service instances and/or service partitions, you will need to update the Microsoft.ResourceManagement.Service.exe.config setting receiveSynchronizationRequestsEnabled as documented in the configuration file.
- FIM Service: Do not reuse your existing Microsoft.ResourceManagement.Service.exe.config file
Reusing an existing configuration file may fail due to changes in the content of the configuration file. Review the new configuration file contents and update it manually where appropriate.
- FIM Service: A request may fail when multiple workflows attempt to modify the same single-valued attribute on the same object
The most likely scenario would be in the PostProcessing phase of a Request in which two or more Action workflows execute in parallel and they are trying to operate on the same object within a narrow time frame. The Request will fail with PostProcessingError and you will likely find this stack trace in the Event Log.
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure
ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
UpdateResource, Line 525, Message: Cannot insert duplicate key row in object 'fim.ObjectValueString' with unique index
'IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued'.
If your system has this issue, you should consider merging the functionality into a single workflow that can perform the operations in a synchronous manner to avoid the race conditions. - FIM Service: Configuration Migration Compare-FIMConfig cmdlet comparisions today are case insensitive
When comparing settings, the Compare-FIMConfig cmdlet will not detect changes if the only difference is the case of the strings. For example if you compare the DisplayName attribute where source = "User1" and target = "user1" the tool will consider this as the same value. - FIM Service: Date time strings are not constructed or parsed properly when running on Windows 2008 Italian
FIM Service expects DateTime strings to be of this format "yyyy-MM-ddTHH:mm:ss.fff" and parses them with this code: DateTime.Parse(input, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);
A customer reported issues running FIM Service on an Italian server, where dates were represented as "yyyy-MM-ddTHH.mm.ss.fff". In this case the FIM Service did not run properly and reported exceptions like this:
mscorlib.dll!System.DateTimeParse.Parse(string s, System.Globalization.DateTimeFormatInfo dtfi, System.Globalization.DateTimeStyles styles)
mscorlib.dll!System.DateTime.Parse(string s, System.IFormatProvider provider, System.Globalization.DateTimeStyles styles)
Microsoft.ResourceManagement.dll!Microsoft.ResourceManagement.Utilities.DateTimeSerializer.ReadCoordinatedUniversalTimeString(string input = "2010-02-25T09.14.12.237")
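The culture dependency behind this failure, as an added PowerShell example that is not part of the original page or of the FIM product: in a .NET custom format string the ":" characters are not literals but placeholders that .NET replaces with the current culture's TimeSeparator, so a server culture that uses "." produces exactly the string the customer saw. The it-IT clone with a "." separator is constructed here (current Windows builds of it-IT use ":"), and the sample timestamp is constructed to match the one in the stack trace.

```powershell
# Added example, not FIM product code. Shows why a server culture with "." as the
# time separator serialises "yyyy-MM-ddTHH:mm:ss.fff" as "2010-02-25T09.14.12.237",
# and why formatting with CultureInfo.InvariantCulture avoids it.
$fmt = 'yyyy-MM-ddTHH:mm:ss.fff'
$inv = [System.Globalization.CultureInfo]::InvariantCulture

# Constructed sample timestamp matching the one in the stack trace on the page.
$stamp = New-Object DateTime 2010, 2, 25, 9, 14, 12, 237, ([DateTimeKind]::Utc)

# Constructed culture: a writable clone of it-IT with "." as the time separator,
# which is what the affected server used (current it-IT data uses ":").
$itDot = [System.Globalization.CultureInfo]::GetCultureInfo('it-IT').Clone()
$itDot.DateTimeFormat.TimeSeparator = '.'

# In a custom format string ":" is not literal; it is replaced by TimeSeparator.
$serialisedBad  = $stamp.ToString($fmt, $itDot)   # 2010-02-25T09.14.12.237
$serialisedGood = $stamp.ToString($fmt, $inv)     # 2010-02-25T09:14:12.237
# Escaping the separators (or passing $inv) gives the safe form on any culture.
$serialisedEscaped = $stamp.ToString('yyyy-MM-ddTHH\:mm\:ss\.fff', $itDot)

function Test-FimDateString {
    # Same parse call the page quotes for FIM Service; reports success or the exception.
    param([string]$Text)
    try {
        $d = [DateTime]::Parse($Text, $inv, [System.Globalization.DateTimeStyles]::AssumeUniversal)
        "OK   $Text -> $($d.ToUniversalTime().ToString('o'))"
    }
    catch {
        "FAIL $Text -> $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
}

Test-FimDateString $serialisedBad       # this is the string that threw on the customer's server
Test-FimDateString $serialisedGood
Test-FimDateString $serialisedEscaped
```

Run it on any Windows host; the point to take away is that the writer of the timestamp, not the parser, must pin the culture, which is why the page's workaround changes the server-side format.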
The workaround was to change the server to format dates as "yyyy-MM-ddTHH:mm:ss.fff".
- FIM Service: Viewing an Object's Resource page in the Portal will fail if you mark the Description attribute as Required on the Object in the FIM Schema
When trying to view the Object's Resource page in the portal, you will end up on ErrorPage.aspx. To fix the problem, remove the Required setting, restart IIS, and try again.
- FIM Service: Deletion of an Attribute or ObjectType from the FIM Schema must follow a specific order of steps or you will get an Unwilling to Perform exception
Exception: Other Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level
16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message:
Reraised Error 547, Level 16, State 1, Procedure PostProcessObjectTypeDescriptionUpdate, Line 90, Message: The DELETE statement conflicted with the REFERENCE constraint
"FK_BindingInternal_ObjectTypeInternal". The conflict occurred in database "FIMService", table "fim.BindingInternal", column 'ObjectTypeKey'.
To delete an Attribute or ObjectType from the FIM Schema, do the following:
- Delete all instances of any Objects that currently use those schema elements.
- If you want the reporting data warehouse to capture the deletion of the attribute or object instances from the previous step, run and complete an Incremental job. Failure to do this will not result in an error; however, any object changes recorded since the last Incremental job will not have history for these schema items once they are deleted.
- Search for any Set or Dynamic Group Filter that currently includes the FIM Schema items you plan to delete and delete the Set or Dynamic Group. If the Set is used in an MPR, you will first need to delete the MPR.
- Delete all Bindings that reference the FIM Schema items you plan to delete.
- Delete the Schema item.
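The order above as a pre-flight script, added here as an example that is not part of the original page or of the FIM product. It uses the FIMAutomation snap-in's Export-FIMConfig and Import-FIMConfig cmdlets to report everything that still depends on an attribute, in the order the steps require, and deletes only the Bindings when asked. The attribute name "employeeStatus", the service URI, and the assumption that dynamic Groups are the Groups with MembershipLocked=true are mine, not the page's. The Filter search it performs is also the check the "Set or Dynamic Group Membership may be invalid" issue further down asks for, done before the schema item is gone rather than after.

```powershell
# Added example, not FIM product code: pre-flight before deleting an attribute from
# the FIM schema, following the step order above. Assumptions: FIMAutomation snap-in,
# a FIM Service at $Uri, dynamic Groups = Groups with MembershipLocked=true, and the
# demo attribute name "employeeStatus".
param(
    [string]$AttributeName = 'employeeStatus',
    [string]$Uri = 'http://localhost:5725/ResourceManagementService',
    [switch]$DeleteBindings   # performs step 4 only; the other steps are left to the operator
)
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimAttr {
    # Read one attribute from an ExportObject; returns $null if absent.
    param($Resource, [string]$Name)
    $a = $Resource.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $a) { return $null }
    if ($a.IsMultiValue) { return $a.Values } else { return $a.Value }
}
function Export-Fim([string]$XPath) {
    @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath) | Where-Object { $_ }
}
function New-FimDelete($Resource) {
    # Build a Delete import for an exported resource, to be piped to Import-FIMConfig.
    $io = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $io.ObjectType             = $Resource.ResourceManagementObject.ObjectType
    $io.TargetObjectIdentifier = $Resource.ResourceManagementObject.ObjectIdentifier
    $io.SourceObjectIdentifier = $Resource.ResourceManagementObject.ObjectIdentifier
    $io.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Delete
    $io
}

$attr = @(Export-Fim "/AttributeTypeDescription[Name='$AttributeName']")
if ($attr.Count -eq 0) { throw "Attribute '$AttributeName' is not in the schema" }
$attrGuid = (Get-FimAttr $attr[0] 'ObjectID') -replace '^urn:uuid:', ''

# Step 3: Sets and dynamic Groups whose Filter names the attribute. The service does
# not check this for you, so match the Filter XPath text on the client.
$pattern = '\b' + [regex]::Escape($AttributeName) + '\b'
$filterUsers = @(@(Export-Fim '/Set') + @(Export-Fim '/Group[MembershipLocked=true]') |
                 Where-Object { (Get-FimAttr $_ 'Filter') -match $pattern })
"Sets and dynamic Groups filtering on '$AttributeName': $($filterUsers.Count)"
foreach ($s in $filterUsers) {
    $guid = (Get-FimAttr $s 'ObjectID') -replace '^urn:uuid:', ''
    "  $($s.ResourceManagementObject.ObjectType) '$(Get-FimAttr $s 'DisplayName')'"
    # An MPR that uses the Set must be deleted before the Set can be.
    $mprs = Export-Fim "/ManagementPolicyRule[PrincipalSet='$guid' or ResourceCurrentSet='$guid' or ResourceFinalSet='$guid']"
    foreach ($m in @($mprs)) { "    blocked by MPR '$(Get-FimAttr $m 'DisplayName')'" }
}

# Step 4: Bindings of the attribute, and (step 1) objects of each bound type that still
# carry a value. The count is done client-side, so it is slow on large object types.
$bindings = @(Export-Fim "/BindingDescription[BoundAttributeType='$attrGuid']")
"Bindings of '$AttributeName': $($bindings.Count)"
foreach ($b in $bindings) {
    $typeGuid = (Get-FimAttr $b 'BoundObjectType') -replace '^urn:uuid:', ''
    $type     = @(Export-Fim "/ObjectTypeDescription[ObjectID='$typeGuid']")
    $typeName = Get-FimAttr $type[0] 'Name'
    $withValue = @(Export-Fim "/$typeName" | Where-Object { $null -ne (Get-FimAttr $_ $AttributeName) })
    "  bound to $typeName; objects still holding a value: $($withValue.Count)"
}

if ($DeleteBindings) {
    if ($filterUsers.Count -gt 0) { throw 'Delete the dependent MPRs, Sets and Groups first (step 3)' }
    $bindings | ForEach-Object { New-FimDelete $_ } | Import-FIMConfig -Uri $Uri
    "Bindings deleted. Now delete the AttributeTypeDescription '$AttributeName' (step 5)."
}
```

Run it once without -DeleteBindings to see the dependency list; the final step, deleting the AttributeTypeDescription itself, is deliberately left to a manual action so the Incremental reporting job (step 2) can be run in between.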
- FIM Service: Request will Fail and throw Unwilling to Perform Exception if duplicate MPRs trigger the same Action Workflow on the Request
If 2 or more MPRs are configured to execute the same Action Workflow and get triggered on the same Request, the Request will fail with the following exception:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
DoProcessRequest, Line 267, Message: Cannot insert duplicate key row in object 'fim.PolicyApplication' with unique index
'IX_PolicyApplication_RequestKey_TargetKey_WorkflowDefinitionKey'.
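A way to find such duplicates across all enabled MPRs, as an added PowerShell example that is not part of the original page or of FIM. It exports the enabled request MPRs, indexes them by each action workflow they attach, and flags MPRs that attach the same workflow with an identical scope (requestor, resource sets and actions), which is the combination that fires the workflow twice on one request. The FIMAutomation snap-in and the service URI are assumptions.

```powershell
# Added example, not FIM product code: find enabled request MPRs that attach the same
# action workflow, so duplicates can be removed before they collide on one request.
# Assumptions: FIMAutomation snap-in and a FIM Service at $Uri.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri = 'http://localhost:5725/ResourceManagementService'

function Get-FimAttr {
    # Read one attribute from an ExportObject; returns $null if absent.
    param($Resource, [string]$Name)
    $a = $Resource.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $a) { return $null }
    if ($a.IsMultiValue) { return $a.Values } else { return $a.Value }
}
function Export-Fim([string]$XPath) {
    @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath) | Where-Object { $_ }
}

# Workflow display names keyed by their "urn:uuid:..." identifier.
$wfName = @{}
foreach ($w in @(Export-Fim '/WorkflowDefinition')) {
    $wfName[(Get-FimAttr $w 'ObjectID')] = Get-FimAttr $w 'DisplayName'
}

# Index enabled request MPRs by each action workflow they attach, keeping the scope
# (requestor, resource sets, actions) so exact duplicates stand out from mere overlap.
$byWorkflow = @{}
foreach ($m in @(Export-Fim "/ManagementPolicyRule[Disabled=false and ManagementPolicyRuleType='Request']")) {
    $scope = @(
        (Get-FimAttr $m 'PrincipalSet'), (Get-FimAttr $m 'PrincipalRelativeToResource'),
        (Get-FimAttr $m 'ResourceCurrentSet'), (Get-FimAttr $m 'ResourceFinalSet'),
        ((@(Get-FimAttr $m 'ActionType') | Sort-Object) -join ',')
    ) -join '|'
    $entry = New-Object PSObject -Property @{ Name = (Get-FimAttr $m 'DisplayName'); Scope = $scope }
    foreach ($wf in @(Get-FimAttr $m 'ActionWorkflowDefinition')) {
        if (-not $wf) { continue }
        if (-not $byWorkflow.ContainsKey($wf)) { $byWorkflow[$wf] = @() }
        $byWorkflow[$wf] += $entry
    }
}

$found = $false
foreach ($wf in $byWorkflow.Keys) {
    $users = @($byWorkflow[$wf])
    if ($users.Count -lt 2) { continue }
    $found = $true
    "Action workflow '$($wfName[$wf])' is attached to $($users.Count) enabled MPRs:"
    foreach ($g in ($users | Group-Object Scope)) {
        # Same scope means one request triggers the workflow twice (the error above).
        $tag = if ($g.Count -gt 1) { 'DUPLICATE' } else { 'review overlap' }
        foreach ($e in $g.Group) { "  [$tag] $($e.Name)" }
    }
}
if (-not $found) { 'No action workflow is shared by more than one enabled request MPR.' }
```

MPRs tagged "review overlap" share a workflow but differ in scope; they only collide when their Sets overlap for a given request, so check those by hand rather than deleting them outright.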
To fix the problem, use the Portal to search all enabled MPRs, locate the duplicate, and delete it.
- FIM Service: Set or Dynamic Group Membership may be invalid if the Set or Dynamic Group Filter attribute contains a reference to deleted Attributes or ObjectTypes in the FIM schema
The system allows deletion of Attributes and ObjectTypes from the FIM schema without detecting whether they are in use in Set or dynamic Group definitions. As a result, the affected Sets or dynamic Groups have invalid membership and should be deleted. To locate them, use advanced search in the portal on the Filter attribute of Sets or dynamic Groups to find the deleted schema items, and delete the affected Set or dynamic Group objects.
- FIM Service: synchronizationExportThrottle not supported in FIM 2010 R2
The hotfix rollup package for build 4.0.3573.2 introduced a property, synchronizationExportThrottle, that is not supported in R2. For more information, see KB2417774. If this property exists in your FIM 2010 R2 Service configuration file, the FIM Service will fail to start. To resolve the issue, remove the property from the configuration file.
- FIM Service: If your deployment contains multiple FIM Portal or FIM Service machines and you use the FIM Approval workflow, you must ensure that the machines can authenticate to each other
This is done by creating a service principal name for each FIMService and then configuring each FIM Portal to use constrained delegation to each FIMService. If your deployment takes advantage of receiving Group Management and Approval Requests to the FIM Service mailbox, the FIMService that has mailbox polling enabled (there is only supposed to be 1 instance) must also be configured to use constrained delegation to each FIMService.
Approval Responses are submitted directly by the FIM Portal and the FIM Service (receiving mail) to a Workflow Endpoint on the FIM Service that received the original Request. For example, assume your deployment has FIM Portal 1 and 2, and also FIM Service 1 and 2. A user issues a Request to join a Group on FIM Portal 1. That Request is processed by FIM Service 1 and this is where the Approval Workflow Instance lives. If the Approver approves by Email and that email response is processed by FIM Service 2, it is FIMService 2 that will try to communicate with FIMService 1 to send the Approval Response. If the same Approver went to FIM Portal 2 and approved the Request, it is the FIM Portal 2 that will communicate with FIMService 1 to send the Approval Response.
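The SPN and constrained-delegation setup that this flow requires, as an added PowerShell example that is not part of the original page or of FIM. Assumed, not stated on the page: the ActiveDirectory module is available; every FIM Service instance runs as CONTOSO\svc-fimservice; the Portal's SharePoint application pool runs as CONTOSO\svc-fimportal; the SPN service class is "FIMService"; and the host names (two FIM Service hosts plus one load-balanced alias) are placeholders.

```powershell
# Added example, not FIM product code: SPNs for each FIM Service name plus Kerberos
# constrained delegation from the FIM Portal (and from the one FIM Service that polls
# the mailbox) to every FIM Service SPN. Assumptions: ActiveDirectory module; all FIM
# Service instances run as CONTOSO\svc-fimservice; the Portal app pool runs as
# CONTOSO\svc-fimportal; SPN class "FIMService"; placeholder host names below.
Import-Module ActiveDirectory

$fimServiceAccount = 'svc-fimservice'
$fimHosts   = 'fimsvc1.contoso.com', 'fimsvc2.contoso.com', 'fimservice.contoso.com'  # hosts + NLB alias
$delegators = 'svc-fimportal', 'svc-fimservice'   # Portal app pool; the mailbox-polling FIM Service
$spns = [string[]]($fimHosts | ForEach-Object { "FIMService/$_" })

# 1. Register one SPN per name on the account the FIM Service runs as. Kerberos falls
#    back to NTLM (and delegation then fails) if an SPN is missing, and ticket requests
#    fail if the same SPN is registered on two accounts, so check for duplicates.
Set-ADUser -Identity $fimServiceAccount -ServicePrincipalNames @{ Add = $spns }
$dupes = Get-ADObject -LDAPFilter '(servicePrincipalName=FIMService/*)' -Properties sAMAccountName |
         Where-Object { $_.sAMAccountName -ne $fimServiceAccount }
if ($dupes) { Write-Warning "FIMService SPNs also registered on: $($dupes.sAMAccountName -join ', ')" }

# 2. Constrained delegation, Kerberos only: each delegator may obtain service tickets on
#    a user's behalf solely for the listed FIM Service SPNs (msDS-AllowedToDelegateTo).
#    -Replace keeps the list exact; unconstrained delegation (TrustedForDelegation) is
#    explicitly off, and protocol transition is not enabled because the front ends are
#    reached with Kerberos in the first place.
foreach ($acct in $delegators) {
    Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $spns } -TrustedForDelegation $false
}

# 3. Verify what was written before testing an approval through Portal 2 / mail.
foreach ($acct in $delegators) {
    $u = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
    "$acct unconstrained=$($u.TrustedForDelegation) allowedTo=$($u.'msDS-AllowedToDelegateTo' -join ', ')"
}
(Get-ADUser -Identity $fimServiceAccount -Properties servicePrincipalName).servicePrincipalName
```

Keep the delegation list limited to the FIM Service SPNs: an account trusted for unconstrained delegation can impersonate any user who authenticates to it against any service, which is far more than the approval hop needs.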
For instructions on how to set up SPNs and constrained delegation, see the following article: http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx
- Password Registration Portal: GateRegistration objects can accumulate over time
Because GateRegistration objects can accumulate over time, periodically deleting the ones that are no longer needed is a recommended best practice. They accumulate through various events around password reset; one such event is an administrator updating an AuthN workflow with "force re-registration" checked. When users re-register, new GateRegistration objects are created, but the original ones are not removed. Periodically deleting these unnecessary GateRegistration objects keeps the system at the minimum set of objects needed for your scenarios.
- Password Registration Portal: Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
This error can occur when a user attempts to navigate to the Password Registration Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.
For additional troubleshooting information, including how to enable logging, see Troubleshooting FIM 2010.
- Password Reset Portal: Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
This error can occur when a user attempts to navigate to the Password Reset Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.
For additional troubleshooting information, including how to enable logging, see Troubleshooting FIM 2010.
- Reporting: Filtering the Request History or Group History reports on an MPR name may return incorrect results
When filtering the Request History or Group History reports on an MPR name, you may receive incorrect results. While the data represented in the report is accurate, you may need to export the report to a third-party format (such as Excel) and filter it there.
- Reporting: Certain reports may time out on large datasets
You may experience SSRS timeouts when running reports on large data sets. The default SSRS timeout is 1800 seconds for all reports. You can change this timeout by navigating to the Site Settings link in the upper right of the SSRS web interface, opening the General tab, and setting the timeout either to no timeout or to a value larger than the default 1800 seconds.
- Reporting: Reports do not show Created Time for requests that existed before the initial ETL was run
The Created Time column will appear blank for requests that were in the system before reporting setup was completed. There is no workaround for this issue, but since the request's committed time is captured, you can still correlate when the change was made in the FIM 2010 R2 database.
- Reporting: When the creator of a request is not a person resource in FIM (for example, FIMService or Anonymous User), no creator is shown in the out-of-box reports
Currently, if the FIM 2010 R2 service or an anonymous user issues a request in the FIM 2010 R2 portal, the creator is shown as blank in the out-of-box reports. This is because these resources are not moved over as part of the ETL processes, since they are not person resources in FIM 2010 R2.
- Reporting: Unique key constraint violation when running reporting synchronization jobs
If you attempt to run reporting synchronization jobs on a default System Center Service Manager SP1 (SCSM SP1) installation, you may receive the error "Violation of UNIQUE KEY constraint 'idx_ManagedEntityManagedTypeId'. Cannot insert duplicate key…". To address this issue, make sure you have the following updates installed on your System Center Service Manager Management Server, Data Warehouse Server, and any machines that have the System Center Service Manager Console installed:
- Reporting: If a resource is created and deleted inside one SCDW extract batch, that resource will not show up in the SCDW
When an instance of a resource is created and deleted inside one extract batch, the deleted instance will never be extracted from the SCSM Management Server to be moved over to the Data Warehouse. This is a known issue with the System Center Service Manager product. You may see this issue in test environments if you, for example, create a person in FIM 2010 R2, delete that person, and then run the SCSM ETL job. Because the creation and deletion occur in the same ETL batch, these events do not get sent to the System Center Data Warehouse.
- Reporting: When running on PowerShell version 1.0, running Get-Help on Import-FIMReportingReport results in an error
You may receive the error "Error loading help content for Import-FIMReportingReport" in certain cases when attempting to load help for Import-FIMReportingReport. If this occurs, try the alternate method of outputting the parameter list by typing "Import-FIMReportingReport -?". If this also fails, refer to the Deployment Guide for Forefront Identity Manager 2010 R2 – PowerShell Reference.
- Reporting: Out-of-box reports may not return data with default filtering parameters
The default end date for the out-of-box reports is defined as today's date in UTC + 1. As a result, running reports with the default filtering parameters may result in an empty data set, depending on the time zone the user is running in. This is a known issue that you can work around by manually specifying the date range with which you wish to filter your report.
- Reporting: Running an incremental synchronization after a large export from Active Directory may take several days to complete
Depending on the size of the export job, the incremental synchronization process may take up to several days to complete. This is due to the large number of requests generated by the export process that are then moved over to the Data Warehouse. You may safely let this incremental synchronization job run without regressing performance on the FIM 2010 R2 service or other components. However, if this waiting period is unacceptable and you would like to ignore the requests generated by the export process, contact product support for assistance (see How and when to Contact Microsoft Customer Service and Support).
- Reporting: Data does not appear in reports even after all synchronization processes are completed
For data consistency purposes, SCSM will not move data that has been modified in the last 30 seconds. Therefore, if you run the FIM 2010 R2 reporting synchronization processes immediately followed by the SCSM ETL jobs, the changes made in the reporting synchronization job may not appear in the Data Warehouse. You can solve this issue by either:
- Waiting 30 seconds before starting the SCDW ETL jobs
- Running the SCDW ETL jobs again
- Reporting:Certain Chinese Characters may cause the SCSM console to fail to load a report
Double-byte Chinese characters (surrogate pairs) in report data may cause the SCSM console to fail to load a report. This is caused by an issue in version 9.0.0.0 of the report viewer used by the SCSM console. To work around this issue, you can either:
- Continue viewing the reports through the SQL Server Reporting Services (SSRS) web interface (which does not have this issue), or
- Delete the bad data, restart the SSRS service, and attempt to view the reports via the SCSM console
- Reporting:Status of requests is different for initial and incremental synchronizations
In this release, during initial synchronization, FIM 2010 R2 Reporting moves finished requests with the final state of "completed" to the Data Warehouse, but it only moves finished requests with the final state of "committed" during incremental synchronization. This is a known issue that does not affect data integrity.
- Reporting: FIM reporting initial sync moves over failed requests
In this release, during initial synchronization, FIM 2010 R2 Reporting moves both successful and failed requests to the Data Warehouse, whereas during incremental synchronization it only moves the successful requests. This will result in a small amount of extra data being present in the Data Warehouse in certain cases. This does not affect data integrity.
Synchronization Service – Post-Installation
- ECMA 2.0: ECMA 2.0 does not support "Multi-Partition" file based Connectors
ECMA 2.0 does not prevent a programmer from creating a file-based "multi-partition" Connector; however, these scenarios are not supported and may result in unexpected or broken behavior.
Programmers should not use or implement the GetPartition() or GetHierarchy() interfaces when writing a file-based ECMA 2.0 connector, as they will not work properly.
- ECMA 2.0: CustomData for OpenImportConnectionRunStep.CustomData comes from GetImportEntriesResults
The watermark data returned in OpenImportConnectionRunStep.CustomData does not come from CloseImportConnectionResults.CustomData as would be expected. Instead, it comes from GetImportEntriesResults.CustomData. Connector programmers will encounter this issue when writing connectors that pass watermark data between MA runs.
- ECMA 2.0: ECMA 2.0 does not allow a page/batch size greater than 9999
When configuring the batch size for an ECMA 2.0 based MA, you cannot configure a batch size larger than 9999 objects. The UI will not allow a larger number, and there is no way to exceed this size in your Connector's configuration.
- ECMA 2.0: Generic Style DNs do not accept all characters
Generic Style DNs have the same character limitations as LDAP Style DNs, even though there is no specific reason for that limitation.
- FIM MA: Using Service Partitioning to isolate FIM MA Export load is not supported for FIM 2010 R2
Those customers who have more than one FIM 2010 R2 Service instance installed and who wish to control which of these FIM 2010 R2 Service instances processes the load from the FIM MA during an Export run will need to use the following setting in the FIM 2010 R2 Service configuration file, under resourceManagementService:
receiveSynchronizationRequestsEnabled
By default, the value is "True", meaning that the FIM 2010 R2 Service instance processes FIM MA Export requests. Setting the value to "False" means that the instance does not process export requests. Note: Although you specify a FIM 2010 R2 Service address in the FIM MA properties in Synchronization Service Manager, all FIM 2010 R2 Service instances attached to a single FIM 2010 R2 Service database will process these requests.
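A way to apply this setting per instance, as an added PowerShell example that is not part of the original page or of FIM. It also honours the two config-file notes earlier on this page: it edits the R2 config file in place instead of copying an old one over it, and it refuses to proceed if the unsupported synchronizationExportThrottle property is still present. The default install path, the placement of the setting as an attribute of the resourceManagementService element, and the service name "FIMService" are assumptions.

```powershell
# Added example, not FIM product code: set receiveSynchronizationRequestsEnabled on
# one FIM Service instance so that only designated instances take FIM MA export load.
# Assumptions: default install path below, the setting is an attribute on the
# <resourceManagementService> element, and the Windows service is named FIMService.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config',
    [ValidateSet('true', 'false')] [string]$ReceiveSyncRequests = 'false',
    [string]$ServiceName = 'FIMService'
)

# Always keep a copy; the change is reverted by restoring it and restarting the service.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup
"Backup written to $backup"

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$node = $cfg.SelectSingleNode('//resourceManagementService')
if ($null -eq $node) { throw "No <resourceManagementService> element found in $ConfigPath" }

# The pre-R2 throttle property stops the R2 service from starting; do not touch a
# file that still carries it (it usually means an old config was copied over).
if ($node.HasAttribute('synchronizationExportThrottle')) {
    throw 'synchronizationExportThrottle is not supported in R2; remove it before continuing'
}

$old = if ($node.HasAttribute('receiveSynchronizationRequestsEnabled')) {
    $node.GetAttribute('receiveSynchronizationRequestsEnabled')
} else { '(absent, defaults to true)' }
$node.SetAttribute('receiveSynchronizationRequestsEnabled', $ReceiveSyncRequests)
$cfg.Save($ConfigPath)
"receiveSynchronizationRequestsEnabled: $old -> $ReceiveSyncRequests"

# The file is read at service start, so restart this instance only.
Restart-Service -Name $ServiceName
```

Run it with the default -ReceiveSyncRequests false on the instances reserved for end users, and leave at least one instance at true, otherwise no instance will pick up FIM MA exports.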
- FIM MA: A request-based MPR does not fire if a reference attribute needs to be evaluated on resource creation
Example: a request-based MPR that sends an email to the manager of the created person. An error similar to the following will be written to the FIM Service event log.
EXCEPTION DATA
MESSAGE: Cannot deference non-instantiated attribute Manager
**METHOD:System.Exception ThrowException(System.Exception)
**METHOD:System.Object ResolveAttribute(System.String, Boolean, ResolverOptions, System.String ByRef)
**METHOD:Void ResolveToLine(System.String)
**METHOD:System.String ResolveRecipientLine(Microsoft.ResourceManagement.WFActivities.Resolver, System.String, System.Text.StringBuilder ByRef)
**METHOD:Microsoft.ResourceManagement.Workflow.Runtime.MessageContent ResolveMailMessage(System.Guid, System.Guid, System.Guid, System.Collections.Generic.Dictionary`2[System.String,System.Object], System.String, System.String, System.String, System.Guid, Microsoft.ResourceManagement.Workflow.Activities.EmailResolutionOptions, System.String ByRef)
**METHOD:Void ResolveMail(System.Object, System.EventArgs)
**METHOD:Void RaiseEvent(System.Workflow.ComponentModel.DependencyProperty, System.Object, System.EventArgs)
**METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.ActivityExecutionContext)
**METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(T, System.Workflow.ComponentModel.ActivityExecutionContext)
**METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.Activity, System.Workflow.ComponentModel.ActivityExecutionContext)
**METHOD:Boolean Run(System.Workflow.ComponentModel.IWorkflowCoreRuntime)
**METHOD:Void Run()
This is expected: reference attributes are not guaranteed to be part of the original Create request.
Workaround: trigger the MPR on an attribute update instead of on the Create request.
- FIM MA: FIM MA export of Set and dynamic Group filter attributes will impact performance
Synchronization requests containing updates to Set or dynamic Group filters are processed only with the single-object FIM MA export behavior.
- Synchronization Service: Changing the MV object type at runtime is not supported
The FIM 2010 R2 code does not yet actively prohibit this, so it must be stated that doing so is not supported.
- Synchronization Service: Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''
The FIM Service event log might contain the following error: Request 'ca6a8db0-c084-4783-bb9b-5be054d38a10' failed while trying to commit the changes to the database. Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''. The missing 'MembershipLocked' attribute occurs under the following conditions:
- Sync engine sends an update request with the attributes that were modified.
- The FIM MA does a quick lookup and finds the object missing in FIM Service (probably deleted through portal).
- The FIM MA treats the update as 'Create' request.
- The create request in FIM Service fails because it has missing attributes like ‘MembershipLocked’.
- Synchronization Service: Do not reuse your existing miiserver.exe.config file
Reusing an existing configuration may fail because the content of the configuration file has changed. Review the new configuration file contents and update it manually where appropriate.
- Synchronization Service: Sync Service Manager shows a User object deleted when the linked ERE was actually deleted
During migration from policy-based sync rules to filter-based sync rules, the sync engine deletes EREs that are linked to filter-based sync rules. However, the Identity Manager statistics falsely show that the User linked to the deleted ERE was deleted. The User was not in fact deleted; it was the ERE that was deleted. Customers should run into this only once, when migrating from policy-based to filter-based rules. No action is needed; the User object was not actually deleted.
- Synchronization Service: The value of a boolean-type outbound scoping filter in a filter-based Sync Rule is case sensitive
The value must be all lowercase, i.e. "true" or "false". If the casing differs, it will crash.
Preinstallation and Topology Configuration
by MS Technet
This document provides an overview of the major components of a FIM 2010 deployment with recommendations for topology architecture, load-balancing, and high-availability scenarios.
Components to Deploy
FIM 2010 consists of these main components:
FIM Service
Deploying the FIM Service component consists of installing the FIM Service and configuring the FIM Service SQL database. This section discusses the options and recommendations for deploying the FIM Service. It also discusses the options and recommendations for deploying the FIM Service SQL database.
You can deploy the FIM Service:
- On a stand-alone server
- On a shared server with the FIM Portal and Windows® SharePoint® Services 3.0
- On multiple servers, we recommend that you use:
- Network Load Balancing (NLB) to distribute the processing load.
- Aliases (for instance, A or CNAME records) so that one common name is exposed to the user.
- A separate alias for a dedicated FIM Service server as an alternative to offload intensive administration tasks to one or more servers so that the end-user tasks are not affected.
Important: If you use a load-balancing technology other than the NLB feature in Windows Server 2008 or Windows Server 2008 R2, make sure your solution directs a given session to the same server rather than to a random server.
- We strongly recommend that the FIM Service SQL database exist on a dedicated server.
- The server running Microsoft SQL Server® can be a single server or part of a failover cluster.
- You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.
FIM Synchronization Service
Deploying the FIM Synchronization Service consists of installing the FIM Synchronization Service, configuring management agents for various connected data sources, and configuring the FIM Synchronization Service SQL database. This section discusses the options and recommendations for deploying the FIM Synchronization Service.
FIM Synchronization Service requirements:
- Only one FIM Synchronization Service instance can exist in a deployment.
Warning: Having more than one Synchronization Service instance can cause errors when attempting to upgrade a FIM deployment.
- The FIM Synchronization Service may be installed on a stand-alone server or on the same server as the SQL Server database. If you connect the FIM Synchronization Service and the database with at least a 1-gigabit network, there is no significant performance difference when you separate the two components.
- The server running SQL Server can be a stand-alone server or part of a failover cluster.
- You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.
FIM Portal
Deploying the FIM Portal consists of installing the FIM Portal component and configuring Windows SharePoint Services. This section discusses the options and recommendations for deploying Windows SharePoint Services and the options and recommendations for deploying the FIM Portal.
Deploying Windows SharePoint Services 3.0
- Deployment - You can deploy Windows SharePoint Services on either a stand-alone server or as a Windows SharePoint Services server farm. There is no performance advantage in either deployment, but a stand-alone deployment is in most configurations easier to manage. You can also deploy Windows SharePoint Services on a single server, along with the FIM Service and the FIM Portal.
- Load balancing
- If you are deploying a Windows SharePoint Services server farm, Windows SharePoint Services automatically load-balances the servers.
- NLB can also be used in addition to Windows SharePoint Services load-balancing to distribute the processing load. If you use another solution other than NLB, ensure that the solution makes sure that one user always is directed to the same server (also known as pinning).
- In a load-balanced environment, we also recommend that you use an alias (for example, CNAME record) so that one common name is exposed to the user.
- A SharePoint server farm needs one shared SQL database for its configuration. Make sure this database has the same high-availability solution as the other FIM databases so that it does not become a single point of failure.
- SharePoint products and technologies - The following products are currently not supported:
- Microsoft Office SharePoint Server
- Microsoft SharePoint Foundation 2010
Deploying the FIM Portal
The FIM Portal is a component that does not demand intensive resources and can be deployed on the same server as the FIM Service. For more information, see the illustrations in the following sections.
Topology Considerations
How you deploy Microsoft® Forefront® Identity Manager (FIM) 2010 depends almost entirely on the size and complexity of the environment you need to support. This section is intended to help you determine an optimal network topology for your environment. It addresses ways to deploy FIM beginning with a basic topology typically used by smaller organizations, followed by more advanced topologies to meet the requirements of larger organizations. In general terms, the topology, hardware profiles, and related system requirements described in this document can be applied to organizations based on the following scale:
- Small organization of up to 20,000 users and 10,000 groups. Basic deployment with multitier topology and network load balancing.
- Medium organization of up to 50,000 users and 50,000 groups. Advanced deployment with multitier topology, network load balancing, and dedicated servers for FIM services.
- Large organization of up to 200,000 users and 450,000 groups. Advanced deployment with multitier topology, network load balancing, and multiple servers for FIM services.
In the multitier topology, a dedicated computer to host each SQL database (one for the FIM 2010 R2 Service and another for the FIM 2010 R2 Synchronization Service) is allocated. The scalability of the performance of the computers that host the SQL databases can be increased by adding or upgrading hardware, for example, by upgrading the CPUs, adding additional CPUs, increasing random access memory (RAM) or upgrading the RAM, or upgrading the hard drive configurations to increase read and write access and decrease latency.
The following are examples of some standard FIM 2010 deployment scenarios.
Basic FIM deployment
A basic deployment which could be used in a small organization may be deployed on three to four servers running Microsoft Windows Server® operating systems.
In this deployment there is one dedicated SQL server for the FIM Service database. The FIM Service and Portal are installed on a stand-alone server in an NLB cluster; additional FIM Service and Portal servers can be added to the NLB cluster when needed. In this configuration, the FIM 2010 R2 Synchronization Service and its database are hosted on the same computer; you should be able to achieve similar performance with the database on a separate server if there is a dedicated one-gigabit network connection between the FIM 2010 R2 Synchronization Service and its database.
FIM deployment with multiple dedicated servers
In this example, which could be used in a medium-sized organization, the basic components are deployed among five servers running Windows Server, with both the FIM Portal and Windows SharePoint Services installed on the same stand-alone server.
A dedicated server is used for the FIM Synchronization Service and a dedicated server is used for the FIM Synchronization Service database. The FIM Portal is separated from the FIM Service servers.
Load-balancing the FIM Service with multiple servers
A more advanced deployment, which could be used in a larger organization, is to load balance FIM Services using multiple dedicated servers with some designated to handle user requests and others reserved for administrative requests. Synchronization of data with external systems can add a considerable load to the system and run over an extended period of time. If the synchronization configuration results in triggering policies with workflows, these policies contend for resources with end-user workflows. Such issues can be pronounced with authentication workflows, such as password resets, which are done in real time with an end user waiting for the process to complete. By providing one instance of the FIM 2010 R2 Service for end user operations and a separate portal for administrative data synchronization, you can provide better responsiveness for end-user operations.
Using different external names for the FIM Service also partitions workflow processing between servers. When a workflow instance is created, the external name of the server that created it is stored in the instance, and only a server with the same external name can pick up and resume that workflow after it has been persisted (hydrated). This partitioning ensures that workflows started on the FIM-Admin instance are never processed by the FIM-User instances, keeping the servers used by end users responsive.
Unattended Installation of FIM 2010 R2
by MS Technet
All components of the FIM 2010 R2 accept properties that allow unattended and silent installation. Those properties can either be set in a Windows Installer Transform (MST) file or specified at the command line during installation.
The FIM 2010 R2 installation packages do not support advertisement (msiexec /j) or administrative (msiexec /a) installations.
There are several different ways to install FIM 2010 R2 silently (unattended). Two methods are described in this section: pass-in parameters in a command line and MST files. It is outside the scope of this document to describe unattended installations in general.
Pass-in parameters on the command line
This can be used with Microsoft System Center Configuration Manager 2007. To install silently, use the command msiexec with an option, followed by properties, for example:
Msiexec /q /i NameofMSI.msi /Option ADDLOCAL=MSIFeatureName Property=Value
The possible values of MSIFeatureName and Property can be found in Features and properties later in this document. Note that all parameters are case sensitive.
The following is an example command for an installation of FIM Add-ins and Extensions from a file server where only the FIM Outlook add-in is installed:
msiexec /i "\\MyServer\Distribution\FIM\32\Add-ins and extensions.msi" /quiet ADDLOCAL=OfficeClient PORTAL_LOCATION=MyPortalServer PORTAL_PREFIX=https MONITORED_EMAIL=fimservice@contoso.com
Msiexec has several command line switches for silent installations. Of those, only a limited number are supported. The following table is a list of supported switches.
Switch | Supported or Not Supported | Description |
---|---|---|
/quiet, /qn | Supported | Installation with no UI at all |
/qf | Supported | (Full UI) The usual User Interface Wizard behavior. |
/qb | Not supported | (Basic) No pop-ups, except error messages. |
/qr | Not supported | (Reduced) Similar to basic. |
/a | Not supported | (Admin) Unpacks an MSI so that all files are external. Since this is how we deliver the MSI, there is no need to support this; it would run the Admin sequences, but there is no compelling scenario for it. |
/x | Supported | Uninstall of the product |
/j | Not supported | No scenarios. (We don't have install on demand.) |
Note: Windows Installer limits the installation path to 256 characters. Do not place the root of the distribution tree in a very deep directory structure, or the installation might fail.
Create an MST file
Another solution is to use an MST file. MST files can be created with tools such as Orca (shipped with the Windows Software Development Kit (SDK)), and they contain the same settings as are passed in on the command line.
Troubleshoot an installation
If an unattended installation fails, add the option /l*v NameOfLogFile.txt to the command line. This creates a verbose log file that you can use for troubleshooting; locate the first failing action by searching the log for the text Return Value 3. Treat that log as sensitive: a verbose Windows Installer log records the value of every property passed on the command line, including service-account passwords, unless the package lists the property in MsiHiddenProperties. The command line itself is also captured by the distribution tool's own logs and, when process-creation auditing with command-line logging is enabled, by the Security event log, so restrict access to those logs and delete the installer log once the problem is resolved.
You can also run msiexec without the /q switch. The UI then appears with the values from the command line already populated in their respective fields, which is a quick way to confirm that each property is being set correctly.
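The command-line installation and log-based troubleshooting described above, written out as a PowerShell wrapper. This is an added example and not code from the TechNet text: the function name Install-FimMsi, the MSI path, the log path C:\Install\FIMSync.log and the directory C:\Install are placeholders, and the property names and group names are taken from the Synchronization Service properties table later on this page. The password is obtained from a PSCredential at run time rather than written into the script, and the verbose log is scanned for the first "Return Value 3" and for any leaked secret value.

```powershell
# Added example, not part of the TechNet text: a wrapper around msiexec for the
# unattended installs described above. Property names come from the tables on
# this page; the MSI path, log path and account names are placeholders.

function Install-FimMsi {
    param(
        [Parameter(Mandatory = $true)] [string]    $MsiPath,
        [Parameter(Mandatory = $true)] [hashtable] $Properties,   # e.g. @{ ADDLOCAL = 'CommonServices,WebPortals' }
        [Parameter(Mandatory = $true)] [string]    $LogPath,
        [string[]] $SecretProperties = @()                        # property names whose values must not leak
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }
    # The note above gives 256 characters as the Windows Installer path limit.
    if ($MsiPath.Length -gt 256) { throw "MSI path is longer than 256 characters: $MsiPath" }

    # Build the argument list. Property names are case sensitive; values are
    # double-quoted because ADDLOCAL lists, URLs and server names may contain
    # characters msiexec would otherwise treat as separators. Values that
    # themselves contain a double quote are not handled here.
    $msiArgs = @('/qn', '/i', ('"{0}"' -f $MsiPath))
    foreach ($name in $Properties.Keys) {
        $msiArgs += ('{0}="{1}"' -f $name, $Properties[$name])
    }
    $msiArgs += @('/L*v', ('"{0}"' -f $LogPath))

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList ($msiArgs -join ' ') -Wait -PassThru
    $code = $proc.ExitCode

    # Windows Installer exit codes a deployment script has to distinguish.
    $meaning = @{ 0 = 'success'; 3010 = 'success, reboot required'; 1641 = 'success, installer initiated a reboot';
                  1603 = 'fatal error during installation'; 1619 = 'package could not be opened' }
    $text = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'see log' }
    Write-Host ("msiexec exit code {0}: {1}" -f $code, $text)

    # On failure, show the first action that returned 3 (the marker the page
    # recommends searching for) together with the lines leading up to it.
    if ($code -ne 0 -and $code -ne 3010 -and $code -ne 1641 -and (Test-Path -LiteralPath $LogPath)) {
        $lines = @(Get-Content -LiteralPath $LogPath)
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match 'Return Value 3') {
                $start = [Math]::Max(0, $i - 5)
                Write-Warning ("First failing action, log lines {0}-{1}:" -f ($start + 1), ($i + 1))
                $lines[$start..$i] | ForEach-Object { Write-Warning $_ }
                break
            }
        }
    }

    # A verbose log records every property value. Check whether any secret
    # landed in it so the log can be restricted or deleted before it is kept.
    foreach ($name in $SecretProperties) {
        $value = [string]$Properties[$name]
        if ($value -and (Select-String -Path $LogPath -SimpleMatch -Pattern $value -Quiet)) {
            Write-Warning ("{0} value is present in {1}; restrict or delete this log." -f $name, $LogPath)
        }
    }
    return $code
}

# Usage: install the Synchronization Service with the properties from the
# Synchronization Service properties table. The password is prompted for
# rather than written into the script; CORP\FimSynchService is a placeholder.
$cred    = Get-Credential 'CORP\FimSynchService'
$netCred = $cred.GetNetworkCredential()
$props = @{
    STORESERVER         = 'LocalMachine'
    SQLDB               = 'FIMSynchronization'
    SERVICEACCOUNT      = $netCred.UserName
    SERVICEPASSWORD     = $netCred.Password
    SERVICEDOMAIN       = $netCred.Domain
    GROUPADMINS         = 'FIMSyncAdmins'
    GROUPOPERATORS      = 'FIMSyncOperators'
    GROUPACCOUNTJOINERS = 'FIMSyncJoiners'
    GROUPBROWSE         = 'FIMSyncBrowse'
    GROUPPASSWORDSET    = 'FIMSyncPasswordSet'
    FIREWALL_CONF       = '1'
}
$exit = Install-FimMsi -MsiPath 'D:\Synchronization Service\Synchronization Service.msi' `
                       -Properties $props -LogPath 'C:\Install\FIMSync.log' -SecretProperties 'SERVICEPASSWORD'
```

The wrapper runs msiexec with /qn and /L*v exactly as the page describes; the only additions are the exit-code mapping, the context around the first Return Value 3, and the secret scan, which exists because the verbose log otherwise keeps the service-account password on disk after a successful install.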
Features and properties
The first table lists each feature name as shown in the UI and its feature name in Synchronization Service.msi, Service and Portal.msi and Add-ins and Extensions.msi. The second table lists the feature names in Service and Portal Language Pack.msi, and the third lists the feature names in Add-ins and Extensions Language Pack.msi. All of these feature names can be used with the ADDLOCAL, REINSTALL and REMOVE properties. The property tables that follow list the settings in the order in which they appear during a user interface (UI) installation; default values are in brackets.
This section contains the following tables and example command lines:
- Table 1 FIM 2010 R2 Windows Installer Features
- Table 2 Service and Portal Language Pack Features
- Table 3 Add-ins and Extensions Language Pack Features
- Table 4 Synchronization Service properties
- Table 5 FIM Service and FIM Portal properties
- Table 6 FIM 2010 R2 Certificate Management properties
- Table 7 Add-ins and Extensions properties
- Example command lines, after the tables, for: the FIM 2010 R2 Synchronization Service; the FIM 2010 R2 Service and Portal; the Password Reset and Registration Portals; the FIM CM Web Portal and FIM CM Update Service of FIM 2010 Certificate Management; the FIM CM CA Modules; the FIM CM Client; the Add-ins and Extensions; the Service and Portal Language Pack (Japanese, for all components); and the Add-ins and Extensions Language Pack (Japanese).
Table 1 FIM 2010 R2 Windows Installer Features
Name of the feature in the UI | Windows Installer feature name |
---|---|
FIM Add-in for Outlook | OfficeClient |
FIM Password and Authentication Extensions | PasswordClient |
FIM Service | CommonServices |
FIM Portal | WebPortals |
FIM Password Reset Portal | PwdPortals |
FIM Synchronization Service | N/A (only one feature in the installer) |
Forefront Identity Manager Certificate Management (FIM CM) Update Service | CLM_Service |
FIM CM Portal | Web_Files |
FIM CM CA Modules | CA_Modules |
FIM CM Smart Card PIN Reset Tool | ChangePin |
FIM CM Smart Card Personalization Control | AppletManagement |
FIM CM Smart Card Client | SelfServiceControl |
FIM CM Update Client | ProfileUpdateControl |
FIM CM Bulk Issuance Client | ClientFiles |
Microsoft Password Change Notification Service | PCNSSVC |
FIM Password and Authentication Extensions (including the Windows XP and Windows Vista versions) | PasswordClient |
FIM Password Registration Portal | RegistrationPortal |
FIM Password Reset Portal | ResetPortal |
Table 2 Service and Portal Language Pack Features
Feature | Description |
---|---|
FIMPortalLP | Installs Languages for the FIM Portal |
FIMServiceLP | Installs Languages for the FIM Service |
FIMResetPortalLP | Installs Languages for the FIM Password Reset Portal |
FIMRegistrationPortalLP | Installs Languages for the FIM Password Registration Portal |
PortalzhCN | Chinese (Simplified) language pack for FIM Portal. |
PortalzhTW | Chinese (Taiwan) language pack for FIM Portal. |
PortalcsCZ | Czech language pack for FIM Portal. |
PortaldaDK | Danish language pack for FIM Portal. |
PortalnlNL | Dutch language pack for FIM Portal. |
PortalfiFI | Finnish language pack for FIM Portal. |
PortalfrFR | French language pack for FIM Portal. |
PortaldeDE | German language pack for FIM Portal. |
PortalitIT | Italian language pack for FIM Portal. |
PortaljaJP | Japanese language pack for FIM Portal. |
PortalkoKR | Korean language pack for FIM Portal. |
PortalnbNO | Norwegian language pack for FIM Portal. |
PortalplPL | Polish language pack for FIM Portal. |
PortalptBR | Portuguese (Brazil) language pack for FIM Portal. |
PortalptPT | Portuguese (Portugal) language pack for FIM Portal. |
PortalruRU | Russian language pack for FIM Portal. |
PortalesES | Spanish language pack for FIM Portal. |
PortalsvSE | Swedish language pack for FIM Portal. |
PortaltrTR | Turkish language pack for FIM Portal. |
MTzhCN | Chinese (Simplified) language pack for FIM Service. |
MTzhTW | Chinese (Taiwan) language pack for FIM Service. |
MTcsCZ | Czech language pack for FIM Service. |
MTdaDK | Danish language pack for FIM Service. |
MTnlNL | Dutch language pack for FIM Service. |
MTfiFI | Finnish language pack for FIM Service. |
MTfrFR | French language pack for FIM Service. |
MTdeDE | German language pack for FIM Service. |
MTitIT | Italian language pack for FIM Service. |
MTjaJP | Japanese language pack for FIM Service. |
MTkoKR | Korean language pack for FIM Service. |
MTnbNO | Norwegian language pack for FIM Service. |
MTplPL | Polish language pack for FIM Service. |
MTptBR | Portuguese (Brazil) language pack for FIM Service. |
MTptPT | Portuguese (Portugal) language pack for FIM Service. |
MTruRU | Russian language pack for FIM Service. |
MTesES | Spanish language pack for FIM Service. |
MTsvSE | Swedish language pack for FIM Service. |
MTtrTR | Turkish language pack for FIM Service. |
ResetbgBG | Bulgarian language pack for FIM Password Reset Portal. |
ResetzhCN | Chinese (Simplified) language pack for FIM Password Reset Portal. |
ResetzhTW | Chinese (Taiwan) language pack for FIM Password Reset Portal. |
ResethrHR | Croatian language pack for FIM Password Reset Portal. |
ResetcsCZ | Czech language pack for FIM Password Reset Portal. |
ResetdaDK | Danish language pack for FIM Password Reset Portal. |
ResetnlNL | Dutch language pack for FIM Password Reset Portal. |
ResetetEE | Estonian language pack for FIM Password Reset Portal. |
ResetfiFI | Finnish language pack for FIM Password Reset Portal. |
ResetfrFR | French language pack for FIM Password Reset Portal. |
ResetdeDE | German language pack for FIM Password Reset Portal. |
ResetelGR | Greek language pack for FIM Password Reset Portal. |
ResethiIN | Hindi language pack for FIM Password Reset Portal. |
ResethuHU | Hungarian language pack for FIM Password Reset Portal. |
ResetitIT | Italian language pack for FIM Password Reset Portal. |
ResetjaJP | Japanese language pack for FIM Password Reset Portal. |
ResetkoKR | Korean language pack for FIM Password Reset Portal. |
ResetlvLV | Latvian language pack for FIM Password Reset Portal. |
ResetltLT | Lithuanian language pack for FIM Password Reset Portal. |
ResetnbNO | Norwegian language pack for FIM Password Reset Portal. |
ResetplPL | Polish language pack for FIM Password Reset Portal. |
ResetptBR | Portuguese (Brazil) language pack for FIM Password Reset Portal. |
ResetptPT | Portuguese (Portugal) language pack for FIM Password Reset Portal. |
ResetroRO | Romanian language pack for FIM Password Reset Portal. |
ResetruRU | Russian language pack for FIM Password Reset Portal. |
ResetsrCS | Serbian language pack for FIM Password Reset Portal. |
ResetskSK | Slovak language pack for FIM Password Reset Portal. |
ResetslSI | Slovenian language pack for FIM Password Reset Portal. |
ResetesES | Spanish language pack for FIM Password Reset Portal. |
ResetsvSE | Swedish language pack for FIM Password Reset Portal. |
ResetthTH | Thai language pack for FIM Password Reset Portal. |
ResettrTR | Turkish language pack for FIM Password Reset Portal. |
ResetukUA | Ukrainian language pack for FIM Password Reset Portal. |
RegistrationbgBG | Bulgarian language pack for FIM Password Registration Portal. |
RegistrationzhCN | Chinese (Simplified) language pack for FIM Password Registration Portal. |
RegistrationzhTW | Chinese (Taiwan) language pack for FIM Password Registration Portal. |
RegistrationhrHR | Croatian language pack for FIM Password Registration Portal. |
RegistrationcsCZ | Czech language pack for FIM Password Registration Portal. |
RegistrationdaDK | Danish language pack for FIM Password Registration Portal. |
RegistrationnlNL | Dutch language pack for FIM Password Registration Portal. |
RegistrationetEE | Estonian language pack for FIM Password Registration Portal. |
RegistrationfiFI | Finnish language pack for FIM Password Registration Portal. |
RegistrationfrFR | French language pack for FIM Password Registration Portal. |
RegistrationdeDE | German language pack for FIM Password Registration Portal. |
RegistrationelGR | Greek language pack for FIM Password Registration Portal. |
RegistrationhiIN | Hindi language pack for FIM Password Registration Portal. |
RegistrationhuHU | Hungarian language pack for FIM Password Registration Portal. |
RegistrationitIT | Italian language pack for FIM Password Registration Portal. |
RegistrationjaJP | Japanese language pack for FIM Password Registration Portal. |
RegistrationkoKR | Korean language pack for FIM Password Registration Portal. |
RegistrationlvLV | Latvian language pack for FIM Password Registration Portal. |
RegistrationltLT | Lithuanian language pack for FIM Password Registration Portal. |
RegistrationnbNO | Norwegian language pack for FIM Password Registration Portal. |
RegistrationplPL | Polish language pack for FIM Password Registration Portal. |
RegistrationptBR | Portuguese (Brazil) language pack for FIM Password Registration Portal. |
RegistrationptPT | Portuguese (Portugal) language pack for FIM Password Registration Portal. |
RegistrationroRO | Romanian language pack for FIM Password Registration Portal. |
RegistrationruRU | Russian language pack for FIM Password Registration Portal. |
RegistrationsrCS | Serbian language pack for FIM Password Registration Portal. |
RegistrationskSK | Slovak language pack for FIM Password Registration Portal. |
RegistrationslSI | Slovenian language pack for FIM Password Registration Portal. |
RegistrationesES | Spanish language pack for FIM Password Registration Portal. |
RegistrationsvSE | Swedish language pack for FIM Password Registration Portal. |
RegistrationthTH | Thai language pack for FIM Password Registration Portal. |
RegistrationtrTR | Turkish language pack for FIM Password Registration Portal. |
RegistrationukUA | Ukrainian language pack for FIM Password Registration Portal. |
Table 3 Add-ins and Extensions Language Pack Features
Feature | Description |
---|---|
FIMALP | FIM Add-ins and Extensions Language Pack |
bgBG | Bulgarian language |
zhCN | Chinese (Simplified) language |
zhTW | Chinese (Taiwan) language |
hrHR | Croatian language |
csCZ | Czech language |
daDK | Danish language |
nlNL | Dutch language |
etEE | Estonian language |
fiFI | Finnish language |
frFR | French language |
deDE | German language |
elGR | Greek language |
hiIN | Hindi language |
huHU | Hungarian language |
itIT | Italian language |
jaJP | Japanese language |
koKR | Korean language |
lvLV | Latvian language |
ltLT | Lithuanian language |
nbNO | Norwegian language |
plPL | Polish language |
ptBR | Portuguese (Brazil) language |
ptPT | Portuguese (Portugal) language |
roRO | Romanian language |
ruRU | Russian language |
srCS | Serbian language |
skSK | Slovak language |
slSI | Slovenian language |
esES | Spanish language |
svSE | Swedish language |
thTH | Thai language |
trTR | Turkish language |
ukUA | Ukrainian language |
Table 4 Synchronization Service properties
Property Name | Description |
---|---|
STORESERVER | Name of SQL Server |
SQLDB | Name of database (FIMSynchronization) |
SQLINSTANCE | Name of database instance |
SERVICEACCOUNT | (Required) Service account name |
SERVICEPASSWORD | (Required) Service account password |
SERVICEDOMAIN | (Required) Service account domain |
GROUPADMINS | Name of admin group (FIMSyncAdmins) |
GROUPOPERATORS | Name of operators group (FIMSyncOperators) |
GROUPACCOUNTJOINERS | Name of joiners group (FIMSyncJoiners) |
GROUPBROWSE | Name of browse group (FIMSyncBrowse) |
GROUPPASSWORDSET | Name of password set group (FIMSyncPasswordSet) |
FIREWALL_CONF | 0 – Do not configure firewall (default), 1 – Configure firewall |
Table 5 FIM Service and FIM Portal properties
Property name | Description |
---|---|
SQMOPTINSETTING | 1 – opt in, 0 – opt out (default) |
SQLSERVER_SERVER | (Required) Name of SQL Server instance |
SQLSERVER_DATABASE | Name of database (FIMService) |
EXISTINGDATABASE | 0 – New database (default), 1 – Existing database |
MAIL_SERVER | (Required) Name of mailserver |
MAIL_SERVER_USE_SSL | 0 – Disable SSL, 1 – Enable SSL (default) |
MAIL_SERVER_IS_EXCHANGE | 0 – SMTP, 1 – Exchange (default) |
SERVICE_MANAGER_SERVER | Name of the FIM Reporting Service Manager management server. |
POLL_EXCHANGE_ENABLED | 0 – Server will not poll for e-mail messages, 1 – Server will poll for e-mail messages (default) |
CERTIFICATE_NAME | Name of certificate to generate (ForefrontIdentityManager) |
SERVICE_ACCOUNT_NAME | (Required) Service account name |
SERVICE_ACCOUNT_PASSWORD | (Required) Service account password |
SERVICE_ACCOUNT_DOMAIN | (Required) Service account domain |
SERVICE_ACCOUNT_EMAIL | (Required) Service account e-mail address |
SYNCHRONIZATION_SERVER | (Required) Address of FIM Synchronization Service server |
SYNCHRONIZATION_SERVER_ACCOUNT | FIM Service Management Agent account in format domain\accountname |
SERVICEADDRESS | Address used by clients to contact the server |
SHAREPOINT_URL | URL used to contact the SharePoint server |
REGISTRATION_PORTAL_URL | An optional URL of the FIM 2010 R2 password registration portal that the FIM portal will redirect to when the user clicks on the "Register for password reset" FIM portal homepage link. |
FIREWALL_CONF | 0 – Do not configure firewall (default), 1 – Configure firewall |
SHAREPOINTUSERS_CONF | 0 – Do not add authenticated users (default), 1 – Add authenticated users |
PASSWORDUSERS_CONF | 0 – Do not add authenticated users (default), 1 – Add authenticated users |
REQUIRE_REGISTRATIONPORTAL_INFO | 0 – Do not require password registration information (default), 1 – Require password registration information. The Service and Portal example command line later on this page spells this property REQUIRE_REGISTRATION_INFO; confirm the exact name in the MSI's Property table (for example with Orca) before relying on either spelling, since msiexec silently ignores a property name the package does not define. |
REGISTRATION_ACCOUNT_NAME | Account name of the application pool account that will run the password registration portal. |
REGISTRATION_ACCOUNT_DOMAIN | Domain of the application pool account that will run the password registration portal. |
REQUIRE_RESET_INFO | 0 – Do not require password reset information (default), 1 – Require password reset information |
RESET_ACCOUNT_NAME | Account name of the application pool account that will run the password reset portal. |
RESET_ACCOUNT_DOMAIN | Domain of the application pool account that will run the password reset portal. |
SHAREPOINTTIMEOUT | Timeout in seconds the installer should wait for Office SharePoint to deploy the solution packs. |
Table 6 FIM 2010 R2 Certificate Management properties
Property Name | Description |
---|---|
WEBAPPNAME | Name of the virtual directory for Certificate Management. |
SITELOCK_DOMAIN | List of sites used by FIM CM installations; the FIM CM ActiveX controls only initialize from sites in this list. |
Table 7 Add-ins and Extensions properties
Property name | Description |
---|---|
SQMOPTINSETTING | 1 – opt in, 0 – opt out (default) |
PORTAL_LOCATION | Address to the FIM Portal. Used by Outlook add-in. |
PORTAL_PREFIX | Prefix used to contact the FIM Portal. http or https (default) |
MONITORED_EMAIL | FIM Service e-mail address. Used by the Outlook add-in when sending e-mail messages. |
RMS_LOCATION | Address to the FIM Service. Used by Password Reset extensions |
REGISTRATION_PORTAL_URL | The URL of the FIM 2010 R2 password registration portal that the rich client navigates to by default. During rich-client password registration, the client opens this URL in the user's default browser if password registration is required. |
BEST_EFFORT_INSTALL | If both components are selected, but one cannot be installed due to failed prerequisites, silently continue installation with the other component. 0 – Fail installation (default) 1 – Silently continue |
The following is an example of installing the FIM 2010 R2 Synchronization Service:
msiexec /q /i "D:\Synchronization Service\Synchronization Service.msi" STORESERVER=LocalMachine SQLDB=FIMSynchronization SERVICEACCOUNT=FimSynchService SERVICEPASSWORD=Pass1word! SERVICEDOMAIN=CORP GROUPADMINS=FIMSyncAdmins GROUPOPERATORS=FIMSyncOperators GROUPACCOUNTJOINERS=FIMSyncJoiners GROUPBROWSE=FIMSyncBrowse GROUPPASSWORDSET=FIMSyncPasswordSet FIREWALL_CONF=1 /L*v C:\mylogfile.txt
The following is an example of installing the FIM 2010 R2 Service and Portal:
msiexec /q /i "D:\Service and Portal\Service and Portal.msi" ADDLOCAL=CommonServices,WebPortals SQMOPTINSETTING=0 SQLSERVER_SERVER=APP1 SQLSERVER_DATABASE=FIMService EXISTINGDATABASE=0 MAIL_SERVER=EX1.corp.contoso.com MAIL_SERVER_USE_SSL=0 MAIL_SERVER_IS_EXCHANGE=1 POLL_EXCHANGE_ENABLED=1 CERTIFICATE_NAME=ForefrontIdentityManager SERVICE_ACCOUNT_NAME=FIMService SERVICE_ACCOUNT_PASSWORD=abc123*2k SERVICE_ACCOUNT_DOMAIN=CORP SERVICE_ACCOUNT_EMAIL=FIMService@corp.contoso.com SERVICE_MANAGER_SERVER=APP2 SYNCHRONIZATION_SERVER=FIM1 SYNCHRONIZATION_SERVER_ACCOUNT=CORP\FIMMA SERVICEADDRESS=FIM1 SHAREPOINT_URL=http://localhost REGISTRATION_PORTAL_URL=https://passwordregistration.corp.contoso.com FIREWALL_CONF=1 SHAREPOINTUSERS_CONF=1 REQUIRE_REGISTRATION_INFO=1 REGISTRATION_ACCOUNT_NAME=FIMPassword REGISTRATION_ACCOUNT_DOMAIN=CORP REQUIRE_RESET_INFO=1 RESET_ACCOUNT_NAME=FIMPassword RESET_ACCOUNT_DOMAIN=CORP /L*v C:\fimservicelog.txt
The following is an example of a command-line installation for the Password Reset and Registration Portals:
msiexec /q /i "D:\Service and Portal\Service and Portal.msi" ADDLOCAL=RegistrationPortal,ResetPortal REGISTRATION_ACCOUNT=CORP\FIMPassword REGISTRATION_ACCOUNT_PASSWORD=Pass1word$ REGISTRATION_HOSTNAME=passwordregistration.corp.contoso.com REGISTRATION_PORT=80 REGISTRATION_FIREWALL_CONFIG=1 REGISTRATION_SERVERNAME=FIM1 IS_REGISTRATION_EXTRANET=Extranet RESET_ACCOUNT=CORP\FIMPassword RESET_ACCOUNT_PASSWORD=Pass1word$ RESET_HOSTNAME=passwordreset.corp.contoso.com RESET_PORT=81 RESET_FIREWALL_CONF=1 RESET_SERVERNAME=FIM1 IS_RESET_EXTRANET=Extranet /L*v C:\mylogfile.txt
The following is an example of a command-line installation for the FIM CM Web Portal and FIM CM Update Service of FIM 2010 Certificate Management:
msiexec /q /i "D:\Certificate Management\x64\Certificate Management.msi" ADDLOCAL=CLM_Service,Web_Files WEBAPPNAME=CertificateManagement /L*v C:\mylogfile.txt
The following is an example of a command-line installation for the FIM CM CA Modules of FIM 2010 Certificate Management:
msiexec /q /i "D:\Certificate Management\x64\Certificate Management.msi" ADDLOCAL=CA_Modules /L*v C:\mylogfile.txt
The following is an example of a command-line installation for the FIM CM Client of FIM 2010 Certificate Management:
msiexec /q /i "D:\CM Client\x64\CM Client.msi" ADDLOCAL=CMClient,ChangePin,AppletManagement,SelfServiceControl,ProfileUpdateControl /L*v C:\mylogfile.txt
The following is an example of installing the Add-ins and Extensions:
msiexec /q /i "D:\Add-ins and extensions\x64\Add-ins and extensions.msi" ADDLOCAL=OfficeClient,PasswordClient PORTAL_LOCATION=FIM1 PORTAL_PREFIX=http RMS_LOCATION=FIM1 MONITORED_EMAIL=FIMService@corp.contoso.com REGISTRATION_PORTAL_URL=https://passwordregistration.corp.contoso.com /L*v C:\mylogfile.txt
The following is an example of installing the Service and Portal Language Pack. It shows how to install the Japanese language pack for all of the components (the ADDLOCAL list must not contain spaces):
msiexec /q /i "D:\Service and Portal Language Pack\Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortaljaJP,FIMServiceLP,MTjaJP,FIMResetPortalLP,ResetjaJP,FIMRegistrationPortalLP,RegistrationjaJP /L*v C:\mylogfile.txt
The following is an example of installing the Add-ins and Extensions Language Pack. It shows how to install the Japanese language:
msiexec /q /i "D:\Add-ins and Extensions Language Pack\Add-ins and Extensions Language Pack.msi" ADDLOCAL=FIMALP,jaJP /L*v C:\mylogfile.txt
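After an unattended Synchronization Service install such as the example above, the settings that matter for security are the account the service runs as and who sits in the FIMSync groups from Table 4 (FIMSyncAdmins and FIMSyncPasswordSet in particular, since their members can administer the synchronization engine and set passwords in connected directories). The following post-install check is an added example, not code from the TechNet text: the group names are the Table 4 defaults, while the Windows service name FIMSynchronizationService, the account CORP\FimSynchService and the function names are assumptions to be adjusted to the environment. It uses the WinNT ADSI provider and WMI so that it runs on Windows Server 2008 R2 without extra modules.

```powershell
# Added example, not part of the TechNet text: checks to run on a Synchronization
# Service server after an unattended install. Group names are the Table 4
# defaults; the service name and the account name are assumptions.

function Get-LocalGroupMemberList {
    param([string]$Group)
    # WinNT provider works on Windows Server 2008 R2 without extra modules.
    $path = "WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $Group
    if (-not [ADSI]::Exists($path)) { return $null }          # $null means the group is missing
    $adsiGroup = [ADSI]$path
    $members = @()
    foreach ($m in @($adsiGroup.Invoke('Members'))) {
        # ADsPath looks like WinNT://CORP/FimSynchService; normalise it to CORP\FimSynchService
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $members += ($adsPath -replace '^WinNT://', '' -replace '/', '\')
    }
    return ,$members                                          # the comma keeps an empty group as an array
}

function Test-FimSyncInstall {
    param(
        [string]   $ServiceName     = 'FIMSynchronizationService',   # assumed service name
        [string]   $ExpectedAccount = 'CORP\FimSynchService',        # assumed service account
        [string[]] $SyncGroups      = @('FIMSyncAdmins', 'FIMSyncOperators', 'FIMSyncJoiners',
                                        'FIMSyncBrowse', 'FIMSyncPasswordSet')
    )
    $findings = @()

    # 1. The service exists, runs, and runs as the intended account.
    $svc = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $ServiceName)
    if (-not $svc) {
        $findings += "Service $ServiceName is not installed"
    } else {
        if ($svc.StartName -ne $ExpectedAccount) {
            $findings += ("Service runs as {0}, expected {1}" -f $svc.StartName, $ExpectedAccount)
        }
        if ($svc.State -ne 'Running') { $findings += ("Service state is {0}" -f $svc.State) }
    }

    # 2. Least privilege: the account needs the FIMSync groups, not local Administrators.
    $admins = Get-LocalGroupMemberList -Group 'Administrators'
    if ($admins -ne $null -and $admins -contains $ExpectedAccount) {
        $findings += "$ExpectedAccount is a member of the local Administrators group"
    }

    # 3. Every FIMSync group must exist; list the members of the two sensitive ones for review.
    foreach ($group in $SyncGroups) {
        $members = Get-LocalGroupMemberList -Group $group
        if ($members -eq $null) {
            $findings += "Group $group does not exist"
        } elseif ($group -eq 'FIMSyncAdmins' -or $group -eq 'FIMSyncPasswordSet') {
            $findings += ("{0} members: {1}" -f $group, ($members -join ', '))
        }
    }
    return $findings
}

Test-FimSyncInstall | ForEach-Object { Write-Host $_ }
```

Run it as a local administrator on the synchronization server; an empty result apart from the two membership lines means the service account and groups match what the install command line asked for. The same Win32_Service check applies to the FIM Service server with the service name and SERVICE_ACCOUNT_NAME from Table 5 substituted.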