Service Accounts RRS feed

  • Question

  • Hello Everyone,

    I would like to know the minimum number of accounts that one must have to install and work with FIM 2010 R2, from Ms documentation i can see 12 accounts which to me they seem so many.


    Monday, November 11, 2013 7:05 AM

All replies

  • Hello,

    in my first test installs of beta FIM 2010 I once used only one (administrator) account and it works but thats not in any circumstances a recommendation :D

    there is a need for all that accounts, because of the different security settings they need.

    once thing you can do is use only one account for PW Register and PW reset portal for example.

    So at a minimum you need seperate accounts for:



    FIMPortal (AppPool)



    FIMReporting (if you use if)

    and also one account for the SQL Server of course.
    After that there are also needs for more accounts of the Connectors/MAs

    for Domain Integrated Connected Systems we use one account to Connect AD and some SQL Servers


    Peter Stapf - Doeres AG - My blog:

    Monday, November 11, 2013 6:44 PM
  • Thanks for this Peter, Do you have any step by step link/document or video on how to install FIM 2010 R2 and get started? what am getting is so much detailed.


    Monday, November 11, 2013 6:55 PM
  • Hello,

    you need that details because sometimes installing FIM can become painful in detail.

    beside the official deployment guide i can recommend the following guide from a blog post if you want to install FIM in a uptodate environment with SP Foundation 2013 and Server 2012.

    I used that guide on my last install of our test environment and it worked like charm.


    Peter Stapf - Doeres AG - My blog:

    Monday, November 11, 2013 7:03 PM
  • Some notes I've done for successful installation of FIM 2010 R2 SP1 (on UNSUPPORTED Server 2012 R2):

    1. Create AD accounts: fimservice (email-enabled), fimma, fimspoint, fimsync, fimsql
    2. Create AD groups: fimadmins, fimsyncadmins, fimsyncoperators, fimsyncjoiners, fimsyncbrowse, fimsyncpwdset
    3. Join fimservice to fimsyncadmins group
    4. Configure SPNs for fimspoint, fimsql and fimservice
    5. Configure GPOs accoring to Technet guides (User right assignments) for the service accounts
    6. Configure firewall (local or GPO) for needed ports, again Technet guides...
    7. Install SQL server (db_engine, full text search and management tools collation SQL_LATIN1_General_CP1_CI_AS)
    8. Enable named pipes for SQL and configure SQL agent to start automaticly
    9. Install Sharepoint 2010 SP2 (prereqs are needed, googling helps) standalone, configure sharepoint 2010 admin service to be started automatically
    10. Configure IIS to use kerberos (technet guides help)
    11. Reboot
    12. Configure sharepoint to use your fimspoint account from sharepoint central admin
    13. Disable sharepoint foundation search refresh from sharepoint central admin
    14. Install FIM sync and use the accounts and groups created in steps 1 and 2
    15. Install FIM portal and use the accounts created in step 1
    16. Configure FIM portal to use kerberos (technet guides..)
    17. Configure SSL for the portal
    18. Install hotfixes for FIM

    • Edited by Narcoticoo Tuesday, November 12, 2013 7:49 PM
    • Proposed as answer by Narcoticoo Tuesday, November 12, 2013 7:49 PM
    Tuesday, November 12, 2013 7:48 PM
  • Thanks Narcoticoo,

    Am installing all FIM roles on one server but something is confusing me here on whether the applications need to be seperate, this same server has sharepoint running on default port 80. I have created DNS records; RegistrationPortal, PasswordReset, PasswordRegistration to point to the IP of this machine.

    1. In Configure FIM Service and Portal on the registration portal URL section, will i need to sepcify a different port ( or i can just have it as
    2. In Configure FIM Password Registration portal i have set the host name as with port 8080, is this ok?
    3. In Configure FIM Password Reset portal, on host name i have then port 8081, is this ok?
    Please assist me get this clear kindly.


    Thursday, November 14, 2013 8:03 AM
  • In my example all the roles are installed on a single server and actually I don't use the pwdportal at all... I'm not sure if you have to install the pwdreset to another server or perhaps you can configure IIS bindings to set the correct address for your pwdportal, so then you wouldn't need to change the ports used.

    Thursday, November 14, 2013 7:51 PM