Reference: FIM 2010 - Installation Companion - Accounts

Overview / Purpose

This document provides additional assistance and guidance to accompany the Forefront Identity Manager 2010 installation guide. It is a companion document intended to help you prepare for the installation of the Microsoft Forefront Identity Manager 2010 product.

It is a guideline meant to make the installation easier, not a replacement for the installation guide.

Suggested Accounts

FIMInstall (or the account executing the installation)

  • This is a suggested account, not a mandatory one. It is suggested because the account executing the installation needs elevated privileges to get the product installed:
    • It needs SysAdmin permissions on the backend SQL Server.
    • It should have Local Administrator permissions on each machine where a piece of FIM is installed.
    • It needs to be a member of the SharePoint Farm Administrators group.
  • The easiest way to ensure that the installing account has SysAdmin and Local Administrator permissions is to make it a Domain Admin account. In either case, it is recommended that the account be at least a Domain User account, as the different pieces of FIM are installed across different machines.
  • Once the product is installed, this account can be disabled and re-enabled only for hotfix installations, since a hotfix installation requires the same permissions as the installation of the main product.
  • It is a good idea, though not necessary, to have a generic FIMINSTALL account so that the FIM Portal has a dedicated main FIM Administrator account.
  • Use this account for all hotfix installations as well.
  • SharePoint permissions (configured in SharePoint Central Administration):
    • SharePoint Farm Administrators group
    • SharePoint Site Administrators
  • Possible installation issues:
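
A pre-flight check for the installing account, added here as an example and not part of the original article or of the FIM product: run it as the installing account on each machine that will host a piece of FIM, before starting setup. The SQL Server instance name is an assumed sample value; the SharePoint Farm Administrators membership is confirmed in Central Administration rather than here.

```powershell
# Added example, not from the article. Assumed value: the SQL Server instance
# that will host the FIM databases.
$SqlServer = 'SQL01'

function Test-LocalAdmin {
    # Evaluates the current token; under UAC run this from an elevated session.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $id
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SqlSysAdmin {
    param([string]$Server)
    # IS_SRVROLEMEMBER checks the SQL login that the current Windows token maps
    # to. Domain Admin or local Administrators membership does not imply
    # sysadmin unless that group was added as a login during SQL Server setup.
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$Server;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)"
        return ([int]$cmd.ExecuteScalar()) -eq 1
    } finally {
        $conn.Dispose()
    }
}

function Test-DomainAccount {
    # A local account's authority is the computer name; a domain account's is the domain.
    $authority = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[0]
    return $authority -ne $env:COMPUTERNAME
}

'{0,-24} {1}' -f 'Account', [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
'{0,-24} {1}' -f 'Domain account', (Test-DomainAccount)
'{0,-24} {1}' -f 'Local Administrator', (Test-LocalAdmin)
'{0,-24} {1}' -f "SQL sysadmin on $SqlServer", (Test-SqlSysAdmin -Server $SqlServer)
```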

Svc_FimSync

  • This is the FIM Synchronization Service account.
  • The account can be either a local account on the FIM Synchronization Service machine or a Domain User account.
  • If you intend to set up a high availability scenario with the FIM Synchronization Service, this account will need to be a Domain User account.

Svc_FimService

  • This is the FIM Web Service account.
  • It should be a Domain account, as it will require Service Principal Names (SPNs) in a distributed FIM Solution.
  • A Domain User account is sufficient for this account.
  • It is a good idea to go ahead and create a mailbox for the FIM Web Service account.
    • The FIM Web Service does send emails, depending on how your FIM Solution is configured.

Svc_SharePointService

  • This is the SharePoint - 80 Application Pool account.
  • The account should be a Domain User account.

FimMa (FIM Service Management Agent Account)

  • The FIM MA account is the user account used inside the FIM Service Management Agent.
  • The account should be a Domain User account.
  • The account specified in the FIM Service Management Agent must match the account specified in this registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService\SynchronizationAccount
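
A check for that registry value, added here as an example and not part of the original article or of the FIM product: run it on the FIM Service server to confirm that SynchronizationAccount matches the account entered in the FIM Service MA. The expected account name is an assumed sample value.

```powershell
# Added example, not from the article. Assumed value: the account name that was
# configured in the FIM Service Management Agent.
$ExpectedAccount = 'CONTOSO\FimMa'
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\FIMService'

function Get-FimSyncAccount {
    param([string]$Path)
    # Fails loudly if the key or value is missing (FIM Service is not installed here).
    $props = Get-ItemProperty -Path $Path -Name 'SynchronizationAccount' -ErrorAction Stop
    return [string]$props.SynchronizationAccount
}

function Test-FimSyncAccount {
    param([string]$Path, [string]$Expected)
    $actual = (Get-FimSyncAccount -Path $Path).Trim()
    # -eq on strings is case-insensitive, so only a real difference (a typo, a
    # different account, or user@domain instead of DOMAIN\user) is reported.
    if ($actual -eq $Expected) {
        Write-Host "OK: SynchronizationAccount is '$actual'"
        return $true
    }
    Write-Host "MISMATCH: registry has '$actual' but the FIM Service MA uses '$Expected'"
    return $false
}

Test-FimSyncAccount -Path $KeyPath -Expected $ExpectedAccount
```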

Other Possible Accounts

Based on your FIM Solution, you may want to create some other accounts. Here are some other accounts that you may consider creating before executing the installation of the Microsoft Forefront Identity Manager product.

*NOTE: These are only suggested names for the accounts, and it is suggested that you create them before executing the installation.

The accounts below are very commonly used for common solutions such as Self-Service Password Reset (SSPR) and GalSync. If your FIM Solution is going to work with other data sources, you may consider creating those accounts now. For example, if you are incorporating a SQL Server Management Agent you may want to create an account to work with SQL Server, or if you are working with SAP, you may want to create the SAP Management Agent account at this time.

userADMA

  • This user is for use in an Active Directory Management Agent.
  • An Active Directory Management Agent would be used in:
    • Self-Service Password Reset (SSPR) Solutions
    • Hire - Fire Scenario Solutions
  • This user should be a Domain account, as it will need access to Active Directory resources.
  • A plain Domain User account is sufficient for this user.
  • Permissions:
    • The permissions required for the Active Directory Management Agent account depend on the solution being developed, because the FIM Solution may only need to work with certain Organizational Units or certain Active Directory object types, for example:
      • Specific Organizational Units
      • Active Directory Users / Contacts
      • Active Directory Groups
    • The one permission the Active Directory Management Agent account will need is Replicate Directory Changes.
    • FIM Solutions that would use the Active Directory Management Agent:
      • If you are not writing anything to Active Directory, you will only need Read permissions on the Active Directory objects included in the solution.
      • Self-Service Password Reset Solution
        *NOTE: Be sure to apply these to Descendant User objects.
        • Object tab
          • Change Password
          • Reset Password
        • Properties
          • Read lockoutTime
          • Write lockoutTime
  • Depending on your FIM Solution and your business rules, you may need to place the user in some security groups to allow it to perform other actions.
  • How to configure the Active Directory Management Agent Account
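
An audit of the permissions listed above for the SSPR case, added here as an example and not part of the original article or of the FIM product: it reads the ACL of the domain root and of a user OU and reports whether each required ACE is present for the AD MA account. The account name, domain DN and OU DN are assumed sample values; the GUIDs are the well-known Active Directory schema and extended-right identifiers for the user class, the replication right, the two password rights and the lockoutTime attribute.

```powershell
# Added example, not from the article. Assumed sample values: account, DNs.
Import-Module ActiveDirectory
$Account  = 'CONTOSO\userADMA'
$DomainDn = 'DC=contoso,DC=com'
$UsersOu  = "OU=Employees,$DomainDn"

# Well-known Active Directory schema and extended-right GUIDs.
$UserClass      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$ChangePwd      = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$ResetPwd       = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$LockoutTime    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute

# One entry per permission from the SSPR list; Scope is the InheritedObjectType
# the ACE must carry (the user class for "Descendant User objects").
$Required = @(
  @{ Name='Replicate Directory Changes'; Path=$DomainDn; Rights='ExtendedRight'; Object=$ReplGetChanges; Scope=[Guid]::Empty },
  @{ Name='Change Password';  Path=$UsersOu; Rights='ExtendedRight'; Object=$ChangePwd;   Scope=$UserClass },
  @{ Name='Reset Password';   Path=$UsersOu; Rights='ExtendedRight'; Object=$ResetPwd;    Scope=$UserClass },
  @{ Name='Read lockoutTime';  Path=$UsersOu; Rights='ReadProperty';  Object=$LockoutTime; Scope=$UserClass },
  @{ Name='Write lockoutTime'; Path=$UsersOu; Rights='WriteProperty'; Object=$LockoutTime; Scope=$UserClass }
)

function Test-RequiredAce {
    param($Aces, [hashtable]$Spec)
    $needed = [System.DirectoryServices.ActiveDirectoryRights]$Spec.Rights
    foreach ($ace in $Aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }   # -ne is case-insensitive
        if ($ace.ObjectType -ne $Spec.Object) { continue }
        # The replication right sits on the domain root itself; the SSPR rights
        # must be scoped to descendant user objects.
        if ($Spec.Scope -ne [Guid]::Empty -and $ace.InheritedObjectType -ne $Spec.Scope) { continue }
        if (($ace.ActiveDirectoryRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

foreach ($spec in $Required) {
    $acl = Get-Acl -Path "AD:\$($spec.Path)"
    $state = if (Test-RequiredAce -Aces $acl.Access -Spec $spec) { 'present' } else { 'MISSING' }
    '{0,-28} {1}' -f $spec.Name, $state
}
```

The script reports only; it grants nothing, so any MISSING line is fixed through the ACL editor on the OU or domain root as the article describes.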

userGALSYNC

  • This user is for use in a GalSync Management Agent.
  • If you are developing a GalSync Solution, you will need a GalSync user account in each of the forests.
  • For the permissions needed by the GalSync user account, review the Permissions for GalSync User on the GalSync Resource Wiki.

Other FIM Installation Resources

See Also

Comments
  • Thank you--this is useful. And now I'm going to ask for more. :-)

    Would you be able to address which service account should be used when installing the password reset portal please? I'm not sure I'm clear on how that account needs to be configured or if it's OK to just use an existing service account. Thank you!

  • Great article. I always recommend the installer account to avoid dependencies on a specific person, especially with SharePoint. That should really make it into the product docs.

    One note about permissions: making someone a domain (or local) admin won't automatically give them SQL permission unless it was configured that way during SQL install. It was that way in SQL 2005, but changed in 2008 I believe.
