8/28/2012

Before You Begin - FIM 2010

by Microsoft TechNet.

Before you install the FIM 2010 R2 server and client components, you must complete the following configuration tasks:
  1. Creating an email enabled domain service account to run the FIM Service component.
  2. Creating a domain service account to run the FIM Synchronization Service.
  3. Creating a domain service account to run the FIM Password Reset Portals.
  4. Creating a domain service account to run the SharePoint Service.
  5. Creating a FIM Service Management Agent account.
  6. Configuring the service accounts that are running the FIM server components in a secure manner.
  7. If you are running the Exchange Web Service and Internet Information Services (IIS) default Web site (FIM Portal) on the same server, ensure that both are not configured to use port 80.
  8. Ensuring that there is a default SharePoint Web site installed.
  9. Ensuring that English is installed in SharePoint Services.
  10. Selecting the correct identity for the SharePoint Application Pool.
  11. Implementing Secure Sockets Layer (SSL) for FIM Portal.
  12. Configuring the server running SQL Server.
  13. Configuring the SQL Server aliases.
  14. Configuring the SQL Server collation settings.
  15. Configuring the server running SCSM 2010 SP1.
  16. Establishing Service Principal Names (SPNs) for FIM 2010 R2.

Creating an E-mail-Enabled Domain Service Account to Run the FIM Service

To run the FIM Service component, you must have a dedicated domain service account. To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM 2010 R2 Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway.
This account is also used to send e-mail notifications from FIM 2010 R2.
This account should not be granted local administrator permissions.
Important: You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages in this mailbox are being processed by other applications, such as Office Outlook 2007, the functionality of the FIM Service might be affected (approval responses that another client has already moved or read are no longer picked up by the service).

Creating a Domain Service Account to Run the FIM Synchronization Service

You must create a service account to run the FIM Synchronization Service. This service account must be a domain service account. This account should not be a local administrator account.

Creating a Domain FIM Service Management Agent Account

You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account.

Understanding the Purpose of the FIM Service Management Agent Account

The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.
Important: The account that you use for the FIM MA should be considered a trusted account. You should not use it to access the FIM Portal. If you do, all requests that are made through the FIM Portal with this account will skip AuthN and AuthZ.

If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information.

Create a domain service account to run the FIM Password Service

If you are using FIM Password Reset, you must create a service account to run the FIM Password Service. This service account must be a domain service account. This account should not be a local administrator account.

Create a domain service account to run the SharePoint Service

You must create a service account to run the Sharepoint Service. This service account must be a domain service account. This account should not be a local administrator account.
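The account-creation steps above, scripted as an added example that is not part of the TechNet guide. It creates the four service accounts and the FIM MA account with the ActiveDirectory module, then checks that none of them has ended up in the local Administrators group. The account names, OU, domain and the "password never expires" setting are assumptions made for the example; the guide only requires that the accounts be domain accounts and not local administrators.

```powershell
# Added example, not from the TechNet guide. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain   = 'CONTOSO'                                 # assumed NetBIOS domain name
$dnsRoot  = 'contoso.com'                             # assumed DNS domain name
$ouPath   = 'OU=Service Accounts,DC=contoso,DC=com'   # assumed target OU
$accounts = @(
    @{ Name = 'svc-fimservice'; Desc = 'FIM Service service account (mail-enabled; reserved for the FIM Service only)' },
    @{ Name = 'svc-fimsync';    Desc = 'FIM Synchronization Service service account' },
    @{ Name = 'svc-fimpwd';     Desc = 'FIM Password Service account (password reset/registration portals)' },
    @{ Name = 'svc-spapppool';  Desc = 'SharePoint application pool account' },
    @{ Name = 'svc-fimma';      Desc = 'FIM Service MA account: regular user, trusted; never log on to the FIM Portal with it' }
)

foreach ($a in $accounts) {
    # Idempotent: skip accounts that already exist.
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'") { continue }
    $pwd = Read-Host -AsSecureString "Password for $domain\$($a.Name)"
    New-ADUser -Name $a.Name -SamAccountName $a.Name `
        -UserPrincipalName "$($a.Name)@$dnsRoot" -Path $ouPath `
        -Description $a.Desc -AccountPassword $pwd -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true   # typical for service accounts (assumption)
}

# The FIM Service account additionally needs an Exchange mailbox for the Outlook add-in.
# From the Exchange Management Shell (database name is an assumption):
#   Enable-Mailbox -Identity "$domain\svc-fimservice" -Database 'MailboxDB01'

# Check: none of these accounts may be a member of the local Administrators group on this server.
$admins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
foreach ($a in $accounts) {
    if ($admins -contains $a.Name) { Write-Warning "$domain\$($a.Name) is a local Administrator; remove it." }
}
```

Run the Administrators check on every server that will host a FIM component, because local group membership is per machine.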

Configuring the Service Accounts Running the FIM 2010 R2 Server Components in a Secure Manner

As mentioned previously, three service accounts are used to run the FIM server components; this guide calls them the FIM Service service account, the FIM Synchronization Service service account, and the FIM Password service account. (The SharePoint service account created above is assigned to the SharePoint application pool in a later procedure.) The FIM MA account is not considered a service account, and it should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA account must be able to log on locally.

To enable the FIM MA to log on locally

  1. Click Start, and then click Administrative Tools.
  2. Click Local Security Policy, and then click Local Policies\User Rights Assignment.
  3. In the policy Allow log on locally, ensure that the FIM MA account is explicitly specified, or add it to one of the groups that is already granted access.
To configure the server or servers running the FIM 2010 R2 server components in a secure manner, restrict the service accounts. The easiest way to do this is to run Local Security Policy from Administrative Tools, navigate to Local Policies\User Rights Assignment, and add the service account to each of the policies listed below.
Important: On the server running the FIM Synchronization Service, restrict only the FIM Synchronization Service service account, not the FIM Service service account. On the server running the FIM Service, restrict only the FIM Service service account, not the FIM Synchronization Service service account.

Use the following restrictions on the service accounts:
  • Deny logon as a batch job
  • Deny logon locally
  • Deny access to this computer from the network
Note: Domain-based Group Policy objects (GPOs) might override settings in the Local Security Policy. After a policy refresh, check the effective assignments with gpresult /h or the Resultant Set of Policy snap-in (rsop.msc) rather than trusting what the local policy editor shows.

The service accounts should not be members of the local administrators group.
The FIM Synchronization Service service account should not be a member of the security groups that are used to control access to FIM Synchronization Service (groups starting with FIMSync, for example, FIMSyncAdmins).
Important: If you are deploying password reset, do not use the Deny access to this computer from the network restriction.
Likewise, if you use the same account for both service accounts and run the FIM Service and the FIM Synchronization Service on separate servers, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server: if network access is denied, the FIM Service cannot contact the FIM Synchronization Service to change configuration and manage passwords.
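The user rights assignments above, applied with secedit as an added example (not part of the TechNet guide). The point it makes that the GUI hides: secedit /configure replaces the whole list for every right named in the .inf, so the script first exports the current assignments and merges the new SIDs into them instead of overwriting them. The account names are assumptions; set them to the component that runs on the server you are on, and set $hostsPasswordReset when the server hosts password reset so that network logon is not denied.

```powershell
# Added example, not from the TechNet guide. Run elevated on the server that hosts the component.
$svc               = 'CONTOSO\svc-fimsync'   # this server's own FIM service account (assumption)
$fimMA             = 'CONTOSO\svc-fimma'     # FIM MA account; needs "Allow log on locally" on the Sync server
$hostsPasswordReset = $false                  # $true => do not deny network logon (per the guide)

function Get-Sid([string]$account) {
    (New-Object System.Security.Principal.NTAccount($account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Export the current local policy and parse the [Privilege Rights] section.
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# 2. Which right should contain which account. Constant names are the policy names behind the GUI labels.
$wanted = @{
    'SeDenyBatchLogonRight'       = @($svc)     # Deny log on as a batch job
    'SeDenyInteractiveLogonRight' = @($svc)     # Deny log on locally
    'SeInteractiveLogonRight'     = @($fimMA)   # Allow log on locally (FIM MA impersonation)
}
if (-not $hostsPasswordReset) {
    $wanted['SeDenyNetworkLogonRight'] = @($svc)  # Deny access to this computer from the network
}

# 3. Merge: keep everything already assigned, add our SIDs in secedit's "*S-1-..." form.
$changed = @{}
foreach ($right in $wanted.Keys) {
    $current = @($rights[$right] | Where-Object { $_ })
    foreach ($acct in $wanted[$right]) {
        $sid = '*' + (Get-Sid $acct)
        if ($current -notcontains $sid) { $current += $sid; $changed[$right] = $true }
    }
    $rights[$right] = $current
}

# 4. Apply only the rights that changed. secedit overwrites each listed right, hence the merge above.
if ($changed.Count -gt 0) {
    $inf  = Join-Path $env:TEMP 'rights-apply.inf'
    $body = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $changed.Keys) { $body += "$right = " + ($rights[$right] -join ',') }
    Set-Content -Path $inf -Value $body -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'rights.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
}

# 5. Verify the result (a domain GPO can still override this; see the note above).
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern 'SeDeny\w+LogonRight|SeInteractiveLogonRight'
```

Sanity check before running: the deny entries must name only the account of the component installed on this server, never the FIM MA account, and never the FIM Service account on the Synchronization Service server.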

Ensuring That the Exchange Web Service and IIS Default Web Site are Not Both Configured to Use Port 80

In a lab environment, you may want to run Exchange on the same server as the FIM Service. If you do, reconfigure the Exchange Web Service so that it does not use the default port 80; otherwise the IIS default Web site (FIM Portal) and the Exchange Web Service collide and one of them is unreachable.
In IIS, give one of the two sites a different port, a different IP address, or a different host name.

Ensuring That English Is Installed for SharePoint

If the installed version of SharePoint is not English, FIM 2010 R2 setup fails. Before you install FIM 2010 R2, install the latest English language pack (with its service pack) for your version of SharePoint. From the Microsoft Download Center, download the Windows SharePoint Services 3.0 Language Pack Service Pack 2 (SP2), 64-Bit Edition (http://go.microsoft.com/fwlink/?LinkID=178266) or Service Pack 1 for Microsoft SharePoint Foundation 2010 Language Pack (http://www.microsoft.com/download/en/details.aspx?id=26629).

Ensuring That a SharePoint Default Web Site Is Installed

Before you install the FIM Password Registration Portal and FIM Password Reset Portal, run the SharePoint Configuration Wizard. This creates a default SharePoint site for you.
If you installed SharePoint in a SharePoint farm, the default site cannot be created by the wizard and must be created manually. How to set up a SharePoint farm is outside the scope of this installation guide.
Verify the installation by navigating to http://localhost:80 on the server where you will install the FIM Portal. You should see a SharePoint site and not the standard Welcome to IIS7 message. If you see the Welcome to IIS7 message, reconfigure SharePoint to display a default SharePoint site at this server address or the address where you installed SharePoint.
If you do not perform this task, you may have to reinstall the FIM Portal and Password Portal components of FIM 2010 R2.

Selecting the Correct Identity for the SharePoint Application Pool

By default, IIS runs the application pool as the Network Service account. In the steps above you created a service account for SharePoint; use it in the following procedures. Later in this guide you will enable Kerberos delegation, and an SPN can be registered to only one identity, so the HTTP SPN for the portal must belong to the account the application pool actually runs as.
Changing the application pool identity is not enough on its own: by default IIS 7 decrypts Kerberos tickets with the computer account (kernel-mode authentication), not with the application pool account. After you change the identity, you must also configure IIS to use the service account for Kerberos.

To run the SharePoint Application Pool using an account that is located in the domain using WSS 3.0

  1. Start SharePoint 3.0 Central Administration from Administrative Tools.
  2. Select Operations and Service Accounts.
  3. Select Web Application Pool, and select Windows SharePoint Services Web Application. Select the SharePoint Application Pool where the FIM Portal will be installed, which by default is SharePoint – 80.
  4. Enter the user name and password for the service account that you created earlier.
  5. Click OK to save your changes.

To run the SharePoint Application Pool using an account that is located in the domain using Sharepoint Foundation 2010

  1. Click Start, click All Programs, click Microsoft SharePoint 2010 Products and then click SharePoint 2010 Central Administration.
  2. Under Security, click Configure service accounts.
  3. From the first drop-down list select Web Application Pool – SharePoint 80.
  4. Under Select an account for this component click the link Register new managed account.
  5. Enter the name and password of the service account you created earlier.
  6. Under Select an account for this component, select the service account.
  7. Click OK three times to save your changes.
Finally, enable the application pool to use the service account for Kerberos. In IIS 7 this is the useAppPoolCredentials setting of Windows authentication for the SharePoint - 80 site; without it, kernel-mode authentication keeps using the computer account and Kerberos to the portal fails once the HTTP SPN is registered on the service account.

Implementing Secure Sockets Layer for FIM Portal

We highly recommend that you implement Secure Sockets Layer (SSL; in practice TLS) on the FIM Portal server to protect the traffic between client and server computers. Without it, the identity data the portal exchanges with browsers crosses the network in clear text.

To implement SSL with a certificate from an existing internal CA

  1. Open IIS Manager on the FIM Portal server.
  2. Click the local computer name.
  3. Click Server Certificates.
  4. Click Create Certificate Request.
  5. For Common Name, enter the name that clients will use in the URL: the server name, or the alias or NLB name if you use one. Browsers check the certificate against the host name in the URL, so a certificate issued to the server name alone is rejected when users connect through an alias.
  6. Click Next, and then Next.
  7. Save the file to any location. You will need to access this location in subsequent steps.
  8. In Windows Internet Explorer, browse to https://servername/certsrv. Replace servername with the name of the server that is issuing certificates.
  9. Click Request a new Certificate.
  10. Click Submit an Advanced Request.
  11. Click Submit a Certificate Request by using a base-64-encoded.
  12. Paste the contents of the file that you saved in the previous step.
  13. From Certificate Template, select Web Server.
  14. Click Submit.
  15. Save the certificate to your Desktop.
  16. In IIS Manager, click Complete Certification Request.
  17. Point IIS Manager to the certificate you just saved to the Desktop.
  18. For Friendly name, type the name of the server.
  19. Click Sites, and then select Sharepoint – 80.
  20. Click Bindings, and then click Add.
  21. Select https.
  22. For certificate, select the certificate that has the same name as the server. (This is the certificate that you just imported.)
  23. Click OK.
  24. Remove the HTTP binding.
  25. Click SSL Settings, and then check Require SSL.
  26. Save the settings.
  27. If you are using SharePoint Foundation 2010
    1. Click Start, click All Programs, click Microsoft SharePoint 2010 Products, and then click SharePoint 2010 Central Administration.
    2. Under System Settings, click Configure alternate access mappings.
    3. Click http://servername.
    4. Change http://servername to https://servername, and then click OK.
    5. Click Start, Run, enter iisreset, and then click OK.
  28. If you are using WSS 3.0
    1. Click Start, click Administrative Tools, and then click Sharepoint 3.0 Central Administration.
    2. Click Operations, and then click Alternate Access Mappings.
    3. Click http://servername.
    4. Change http://servername to https://servername, and then click OK.
    5. Click Start, Run, enter iisreset, and then click OK.
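The same procedure scripted end to end, as an added example that is not part of the TechNet guide: certreq replaces the IIS Manager and certsrv web-enrollment clicks (steps 4 to 18), the WebAdministration module does the binding work (steps 19 to 26), and the SharePoint Foundation 2010 cmdlet updates the alternate access mapping (step 27). The CA configuration string, the portal alias, the site name and the working directory are assumptions. The subject alternative name carries both the alias and the server's own name, so the certificate is valid whichever name a client types.

```powershell
# Added example, not from the TechNet guide. Run elevated on the FIM Portal server.
Import-Module WebAdministration

$site     = 'SharePoint - 80'
$portalFq = 'fimportal.contoso.com'        # name clients use (alias / NLB name), assumption
$caConfig = 'ca01.contoso.com\Contoso-CA'  # <CAHost>\<CAName>; list CAs with: certutil -config - -ping
$work     = 'C:\Temp\ssl'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request. CN = URL host name; SAN adds the machine name. Key stays in the machine store, non-exportable.
@"
[NewRequest]
Subject = "CN=$portalFq"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "$portalFq"
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$portalFq&"
_continue_ = "dns=$env:COMPUTERNAME&"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content "$work\request.inf"

certreq -new    "$work\request.inf" "$work\request.req"
certreq -submit -config $caConfig "$work\request.req" "$work\portal.cer"   # Web Server template, base-64 request
certreq -accept "$work\portal.cer"                                          # completes the request against the private key

# 2. HTTPS binding with the new certificate, HTTP binding removed, SSL required.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$portalFq" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
New-WebBinding -Name $site -Protocol https -Port 443
New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
Remove-WebBinding -Name $site -Protocol http -Port 80
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 3. SharePoint Foundation 2010: public URL is now HTTPS. (WSS 3.0 has no cmdlet; use Central Administration.)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Set-SPAlternateURL -Identity "http://$env:COMPUTERNAME" -Url "https://$portalFq"
iisreset

# 4. Check from the server: the HTTP binding must be gone and the HTTPS one present.
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation
```

If Set-SPAlternateURL reports that the identity does not exist, run Get-SPAlternateURL first; the default mapping is whatever name the SharePoint Configuration Wizard registered, which is not always the bare computer name.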

Configuring SQL Server

Before you install the FIM Service, certain tasks should be completed and verified on the server that is running SQL Server.
If you are using FIM Reporting, you will need to create two additional service accounts:
  • SQL Reporting Service Account
  • SQL Analysis Service Account
Ensure that the service accounts used by SQL Server Database and SQL Server Agent are either domain accounts or built-in service accounts (for example, Network Service). You cannot use local computer accounts.
When you configure the service accounts for SQL Server, note the following:
Important: The SQL Server service account should not be a local computer account. A local account cannot impersonate domain accounts, and the FIM Service will not behave as expected.

Important: Make sure that the SQL Server Agent service is set to start automatically, and that Service Broker is enabled on the FIM Service database. Service Broker is a per-database feature rather than a Windows service, so it does not appear in the Services console; the FIM Service depends on it for its internal messaging.

Important: If you install the SQL Server 2008 database on a different server than the FIM Service or FIM Synchronization Service, open additional ports so that FIM 2010 R2 setup can communicate with SQL Server 2008. For more information, see Configuring the Windows Firewall to Allow SQL Server Access (http://go.microsoft.com/fwlink/?LinkID=94001).

When the FIM Service and FIM Synchronization Service are installed, their database data and log files are created in the default locations specified by SQL Server. For optimal performance, data and log files should be located on different drives and on different spindles, and not on the operating system drive.

To locate databases on different drives

  1. Start SQL Server Management Studio and connect to the instance. (Enterprise Manager belongs to SQL Server 2000; SQL Server 2008 uses Management Studio.)
  2. Right-click the server, and then click Properties.
  3. On the Database Settings page, adjust the Database default locations for Data and Log so that database files are on a different drive than the operating system, and data and log files are on different drives from each other.

Configuring SQL Server Aliases

If you plan to install FIM Service or FIM Synchronization Service on a server running SQL Server that is using a nondefault port, you must create a SQL Server alias for Setup to be able to contact the server running SQL Server.

To create a SQL Server alias for Setup to be able to contact the server running SQL Server

  1. Start the SQL Server Configuration Manager.
  2. Navigate to SQL Native Client 10.0 Configuration/Aliases. Use the 64-bit node, not the (32bit) one: FIM 2010 R2 is 64-bit only, and a 32-bit alias is invisible to its setup.
  3. Create a new alias with your server information.
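The alias procedure scripted, as an added example that is not part of the TechNet guide. A SQL Server alias is a registry value under the Client\ConnectTo key in the form DBMSSOCN,host,port (DBMSSOCN is the TCP/IP network library); the script writes it to both the 64-bit and 32-bit hives so that FIM setup and any 32-bit tooling resolve the same name, then opens a test connection through the alias. The alias name, host and port are assumptions.

```powershell
# Added example, not from the TechNet guide. Run elevated on each FIM server that must reach SQL Server.
$alias  = 'FIMSQL'                 # name FIM setup will be given as the SQL Server (assumption)
$target = 'sql01.contoso.com'      # real SQL Server host (assumption)
$port   = 1450                     # non-default TCP port the instance listens on (assumption)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',              # 64-bit clients (FIM setup)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'   # 32-bit clients
)
foreach ($key in $keys) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $alias -Value "DBMSSOCN,$target,$port"
}

# Test the alias the way setup will use it: a plain connection by alias name, Windows authentication.
function Test-SqlAlias([string]$name) {
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$name;Integrated Security=SSPI;Connect Timeout=10")
    try { $cn.Open(); return $cn.ServerVersion } finally { $cn.Close() }
}
"Connected through alias $alias to SQL Server version " + (Test-SqlAlias $alias)
```

If the test fails with a login-timeout error while a direct connection to host,port works, the alias is in the wrong hive or mistyped; if both fail, the firewall rules from the Important note above are the first thing to check.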

Configuring SQL Server Collation Settings

Work with your SQL Server database administrator (DBA) to determine the correct collation setting to use for your FIM Service database. The collation setting determines the sorting order and how indexing works.
The default collation set during installation is SQL_Latin1_General_CP1_CI_AS.
If the server running Windows is using a character set that is different from the Latin alphabet, then you might consider a different collation based on the table found in Windows Collation Name (Transact-SQL) (http://go.microsoft.com/fwlink/?LinkId=185630).
Ensure that the selected collation is case insensitive (indicated by _CI_).
If you change the collation setting, ensure that the collation setting is the same on the FIM Service database and on the system databases master and tempdb.
If you install the FIM Service and later decide to change the collation setting, you must manually change the collation setting on every table in the FIM Service database, as described in Setting and Changing the Database Collation (http://go.microsoft.com/fwlink/?LinkId=185247).
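A pre-installation check for the SQL Server requirements in this section (service account type, SQL Server Agent start mode, collation on master and tempdb, Service Broker on the FIM Service database once it exists, and the default data and log locations), as an added example that is not part of the TechNet guide. It queries the instance with System.Data.SqlClient and the services with WMI, so it needs only Windows authentication as a sysadmin on the instance. The instance name and database name are assumptions.

```powershell
# Added example, not from the TechNet guide. Run as a SQL sysadmin with WMI rights on the SQL host.
$sqlInstance = 'SQL01'          # 'host', 'host\instance', or the alias you created (assumption)
$sqlHost     = $sqlInstance.Split('\')[0]
$fimDb       = 'FIMService'     # FIM Service database name (assumption); skipped if not created yet
$issues      = @()

function Invoke-Sql([string]$query) {
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlInstance;Integrated Security=SSPI;")
    $cn.Open()
    try {
        $da = New-Object System.Data.SqlClient.SqlDataAdapter($query, $cn)
        $dt = New-Object System.Data.DataTable
        [void]$da.Fill($dt)
        return ,$dt
    } finally { $cn.Close() }
}

# 1. Services: no local computer accounts; SQL Server Agent must start automatically.
$services = Get-WmiObject Win32_Service -ComputerName $sqlHost -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'"
foreach ($svc in $services) {
    if ($svc.StartName -match "^(\.|$sqlHost)\\") {
        $issues += "$($svc.Name) runs as local account $($svc.StartName); use a domain or built-in account."
    }
    if ($svc.Name -like 'SQLAgent*' -and $svc.StartMode -ne 'Auto') {
        $issues += "$($svc.Name) start mode is $($svc.StartMode); set it to Automatic."
    }
}

# 2. Collation: case-insensitive, and identical on master, tempdb and the FIM Service database.
$serverColl = (Invoke-Sql "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS c").Rows[0].c
if ($serverColl -notmatch '_CI_') { $issues += "Server collation $serverColl is not case-insensitive." }
$dbs = Invoke-Sql "SELECT name, collation_name, is_broker_enabled FROM sys.databases WHERE name IN ('master','tempdb','$fimDb')"
foreach ($row in $dbs.Rows) {
    if ($row.collation_name -ne $serverColl) {
        $issues += "$($row.name) uses $($row.collation_name) but the server uses $serverColl."
    }
    if ($row.name -eq $fimDb -and -not $row.is_broker_enabled) {
        $issues += "Service Broker is disabled on $fimDb (ALTER DATABASE [$fimDb] SET ENABLE_BROKER)."
    }
}

# 3. Default data/log locations (what SSMS shows under Database Settings), via the instance registry.
$paths = Invoke-Sql @"
DECLARE @d nvarchar(512), @l nvarchar(512);
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'DefaultData', @d OUTPUT;
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'DefaultLog',  @l OUTPUT;
SELECT @d AS data_path, @l AS log_path
"@
$data = "$($paths.Rows[0].data_path)"; $log = "$($paths.Rows[0].log_path)"
$osDrive = (Get-WmiObject Win32_OperatingSystem -ComputerName $sqlHost).SystemDrive
if (-not $data -or -not $log) {
    $issues += 'Default data or log location is not set; SQL Server will use its install directory.'
} else {
    if ($data.Substring(0,2) -ieq $osDrive) { $issues += "Default data path $data is on the OS drive." }
    if ($log.Substring(0,2)  -ieq $osDrive) { $issues += "Default log path $log is on the OS drive." }
    if ($data.Substring(0,2) -ieq $log.Substring(0,2)) { $issues += 'Data and log defaults share a drive; separate them.' }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'SQL Server prerequisites look good.' }
```

The collation query lists the FIM Service database only after FIM setup has created it; run the script once before installation for the server and system databases, and again afterwards to confirm the new database inherited the same collation.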

Configuring System Center Service Manager 2010 SP1 (SCSM 2010 SP1)

If you are using FIM Reporting in FIM 2010 R2, you must install and configure the SCSM 2010 SP1 Server before installing FIM 2010 R2.
Note: For guidance on installing SCSM 2010 SP1, see the Test Lab Guide: System Center Service Manager 2010 SP1 (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b276879e-380f-4b40-809e-1574f4059277).

  • Use the steps outlined in Registering with the Service Manager 2010 SP1 Data Warehouse to Enable Reporting (http://technet.microsoft.com/en-us/library/ff461143.aspx) to ensure that reporting is set up and functioning correctly.
  • Install the Microsoft Report Viewer Redistributable Security Update on the FIM 2010 R2 server. The Report Viewer installation files are located on the SCSM 2010 installation media, in the amd64/Prerequisites folder.
  • Install the Service Manager Console on the FIM 2010 R2 server. The Service Manager Console installation files are located on the SCSM 2010 installation media, in the amd64 folder. Run setup.exe and follow the steps to install a Service Manager console.
  • Install Cumulative Update 2 for SCSM 2010 SP1 (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12342) on the SCSM 2010 SP1 server and the FIM 2010 R2 server.

Establishing SPNs for FIM 2010 R2

SPNs are necessary for the Kerberos v5 protocol to be used for authentication. Enabling Kerberos helps to make the traffic secure, and it is required for the clients to be able to communicate with the FIM Service. SPNs must be registered in the domain for Kerberos to work.
We recommend that you use aliases for your FIM Service, FIM Password Portals and FIM Portal. They can be represented as host (A) or alias CNAME resource records in Domain Name System (DNS). For the FIM Service server and FIM Password service server, complete the following procedure:

To establish the SPNs for the FIM Service service and FIM Password Portals

  1. Establish the SPNs for the FIM Service by running the following command:
    • setspn -S FIMService/<alias> <domain>\<serviceaccount>
    • The <alias> above is the address that is entered during FIM Service setup and used by the clients and the FIM Portal to contact the Web Service. This can be an alias (CNAME) or host (A) resource record in DNS. If you are using Network Load Balancing (NLB), this is the name of the cluster.
    • The <serviceaccount> above is the account that is used by the FIM Service.
    • If you are using several different names—for instance, fully qualified domain names (FQDNs) and NetBIOS names—to contact the server, repeat the steps for every name.

      Note: If you want cross-forest scenarios to work in a separated environment, that is, the portal on a different machine than the FIM Service, you must also register the FQDN form. To do this, run: setspn -S FIMService/<FQDN> <domain>\<serviceaccount>

  2. Repeat the above step for each of the FIM Password portals, using setspn -S HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>, where <ssprPortalHostHeaderName> is the binding information for the FIM Password portal Host Name that was entered during setup. This is the name that will be used by clients to contact the portals.
  3. Turn on Kerberos delegation for the FIM Service and FIM Password service accounts in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.
Warning: In a deployment with multiple FIM Service servers, ensure that each FIM Service has constrained delegation configured so that every FIM Service can communicate with every other one; otherwise workflow approvals fail. Approval responses from users can arrive through any portal or, if Exchange is enabled, through whichever FIM Service is polling the mailbox. In all cases the response is directed to the FIM Service machine that processed the original request, so both paths, FIM Portal -> FIM Service and FIM Service -> FIM Service, must work.

For the FIM Portal server, complete the steps in the next procedure.
  • If the address that the clients use to contact the FIM Portal is not the same as the server address, you have to establish an SPN for Hypertext Transfer Protocol (HTTP). That is, if you use an alias (CNAME) resource record in DNS, have a SharePoint farm, or use Network Load Balancing (NLB), this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:

    setspn -S HTTP/<FIMPortalAlias> <domain>\<sharepointserviceaccount>

    • The <FIMPortalAlias> is the address that clients use to contact the FIM Portal server.
    • The <domain>\<sharepointserviceaccount> is the account that the SharePoint Application Pool uses, as defined in IIS.
    • If you are using several different names, that is, FQDN and NetBIOS names, to contact the server, repeat the steps for every name.
    • The SharePoint service account must be allowed to delegate to the FIM Service. You can choose to enable delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the selected services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the FIM Service step.
Note: You do not have to create delegation for HTTP/<FIMPortalAlias>.
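The SPN and delegation steps in this section and the "use the service account for Kerberos" step from the application pool section, scripted as an added example that is not part of the TechNet guide. It registers the FIMService SPNs in both FQDN and NetBIOS form, registers the HTTP SPNs for the portal and the password portal, scans the forest for duplicates, configures constrained delegation by writing msDS-AllowedToDelegateTo (the attribute behind "Trust this user for delegation to the specified services only"), and sets useAppPoolCredentials on the portal site. Account names, aliases, the domain and the site name are assumptions.

```powershell
# Added example, not from the TechNet guide. Run as a domain admin; the IIS part runs on the portal server.
Import-Module ActiveDirectory

$domain          = 'CONTOSO'
$fimServiceAcct  = 'svc-fimservice'; $fimServiceAlias = 'fimservice.contoso.com'
$spAppPoolAcct   = 'svc-spapppool';  $fimPortalAlias  = 'fimportal.contoso.com'
$fimPwdAcct      = 'svc-fimpwd'
$pwdPortalHost   = 'fimpassword.contoso.com'; $pwdPortalMachine = 'FIMPWD01'   # portal host header; portal server name

# 1. SPNs. -S refuses to add a duplicate: one SPN may belong to exactly one identity, or Kerberos breaks for both.
$spns = @(
    @{ Spn = "FIMService/$fimServiceAlias";                   Acct = $fimServiceAcct },
    @{ Spn = "FIMService/$($fimServiceAlias.Split('.')[0])";  Acct = $fimServiceAcct },   # NetBIOS form
    @{ Spn = "HTTP/$fimPortalAlias";                          Acct = $spAppPoolAcct },
    @{ Spn = "HTTP/$pwdPortalHost";                           Acct = "$pwdPortalMachine`$" }  # machine account
)
foreach ($s in $spns) { setspn -S $s.Spn "$domain\$($s.Acct)" }
setspn -X    # forest-wide duplicate scan; must report no duplicates before going further

# 2. Constrained delegation to the FIM Service SPNs only. TrustedForDelegation (unconstrained) stays $false.
$fimSpnList = @($spns | Where-Object { $_.Acct -eq $fimServiceAcct } | ForEach-Object { $_.Spn })
Set-ADUser $spAppPoolAcct  -Add @{ 'msDS-AllowedToDelegateTo' = $fimSpnList }   # FIM Portal -> FIM Service
Set-ADUser $fimPwdAcct     -Add @{ 'msDS-AllowedToDelegateTo' = $fimSpnList }   # Password portals -> FIM Service
Set-ADUser $fimServiceAcct -Add @{ 'msDS-AllowedToDelegateTo' = $fimSpnList }   # FIM Service -> FIM Service (approvals)

# 3. On the portal server: let the application pool identity, not the machine account, decrypt Kerberos tickets.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'SharePoint - 80' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 4. Verify what AD now holds.
foreach ($acct in $fimServiceAcct, $spAppPoolAcct, $fimPwdAcct) {
    Get-ADUser $acct -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation |
        Select-Object SamAccountName, TrustedForDelegation,
            @{ n = 'SPNs';        e = { $_.servicePrincipalName -join ' ' } },
            @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ' ' } }
}
```

After an iisreset on the portal server, confirm end to end with klist on a client: a successful portal logon shows an HTTP/fimportal ticket, and a request that reaches the FIM Service shows a FIMService/ ticket obtained on the user's behalf.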

Virtual Labs for improving your skills (Microsoft TechNet Virtual Labs): How Do I Synchronize Users from Active Directory Domain Services to FIM?

External Link from Microsoft Technet Wiki.

FIM Installation Guide

by Microsoft
Information technology (IT) professionals can use this Microsoft Forefront® Identity Manager (FIM 2010 R2) Installation Guide to install FIM 2010. A FIM 2010 deployment has two major component groups, the server side and the client side.
The server-side components are as follows:
  • FIM Synchronization Service
  • FIM Service
  • FIM Portal
  • FIM Password Portal
  • FIM Service and Portal Language Pack
The client-side components are as follows:
  • FIM Add-in for Outlook®
  • FIM Password Reset Extensions
  • FIM Add-ins and Extensions Language Pack
For information about installing Forefront Identity Manager Certificate Management (FIM CM), see FIM CM Deployment in the FIM documentation.

What This Document Covers

This document covers the installation of FIM 2010. It discusses the steps to successfully deploy FIM 2010 in your environment. It also discusses the installation of each of the components and subcomponents that make up a FIM 2010 installation.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following IT tasks:
  • Installing software on server and client computers
  • Basic knowledge of Active Directory® Domain Services (AD DS), Microsoft SQL Server® 2008 database software, Windows® SharePoint® Services 3.0, and Microsoft Exchange Server 2007 or 2010
A description of how to set up and configure dependent technologies such as AD DS, SQL Server 2008, Windows SharePoint Services 3.0, and Microsoft Exchange Server 2007 is out of the scope of this document.

Audience

This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010.

Topology

FIM supports a variety of deployment topologies. Each of the main components may be installed separately or in combination on individual servers. They include the following:
  • FIM Service
  • FIM Synchronization Service
  • FIM Portal
  • FIM Password Portal
  • SQL Server 2008 database for the FIM Service
  • SQL Server 2008 database for the FIM Synchronization Service
In addition, the FIM Service and the FIM Portal can be scaled to support multiple servers. For more information, see Overview of Network Load Balancing (http://go.microsoft.com/fwlink/?LinkID=164080) and Office SharePoint Server Farm Architecture (http://go.microsoft.com/fwlink/?LinkID=129821).

8/19/2012


UAG Unique signature URL encoding

Articles about UAG URL encoding (HAT, Host Address Translation). Understanding how UAG rewrites and signs internal URLs is important for publishing applications over UAG securely.

See you later on another article.

5/05/2012

DirectAccess-DA Benefits


DirectAccess provides the following benefits:
• Seamless connectivity. DirectAccess is on whenever the user has an Internet connection, giving users access to intranet resources whether they are traveling, at the local coffee shop, or at home.
• Remote management. IT administrators can connect directly to DirectAccess client computers to monitor them, manage them, and deploy updates, even when the user is not logged on. This can reduce the cost of managing remote computers by keeping them up-to-date with critical updates and configuration changes.
• Improved security. DirectAccess uses IPsec for authentication and encryption. Optionally, you can require smart cards for user authentication. DirectAccess integrates with NAP to require that DirectAccess clients be compliant with system health requirements before allowing a connection to the DirectAccess server. IT administrators can configure the DirectAccess server to restrict the servers that users and individual applications can access.
DirectAccess also enables users to get more out of other Windows 7 networking improvements, such as:
• Federated Search. With Federated Search, desktop searches can include files and Web pages on your intranet whenever the user is connected to your intranet. Because DirectAccess connects users to the intranet when they connect to the Internet, Federated Search works automatically any time the user has an Internet connection.
• Folder Redirection. With Folder Redirection, folders can automatically synchronize between multiple computers across the network. If you enable DirectAccess, users with both mobile and desktop computers can stay synchronized automatically whenever they connect to the Internet.
• Replaceable computer scenario. In this scenario, a user's applications, documents, and settings are stored on the network and available from any computer. If a computer is lost or corrupted, the replacement computer does not require user-specific configuration.
With DirectAccess, client computers are always connected, better protected, and easier to manage.

References


Active Directory http://go.microsoft.com/fwlink/?LinkID=147288
DirectAccess http://go.microsoft.com/fwlink/?LinkId=151854
DNS http://go.microsoft.com/fwlink/?LinkId=147013
Group Policy http://go.microsoft.com/fwlink/?LinkId=100760
IPv6 http://go.microsoft.com/fwlink/?LinkId=17074
IPsec http://go.microsoft.com/fwlink/?LinkId=50170
NAP http://go.microsoft.com/fwlink/?LinkId=56443
PKI http://go.microsoft.com/fwlink/?LinkId=83694
UAG http://go.microsoft.com/fwlink/?LinkId=159955