How to reflect the use of a custom cert in an unattended setup of FIM R2 SP1 Portal & Service?

  • Question

  • Hi,

    When doing an unattended installation of FIM Portal & Service there is a parameter that indicates the certificate subject name to generate: 'CERTIFICATE_NAME'.

    But, the GUI-based setup shows a choice:

    1. Select a certificate located in the local certificate store
    2. Generate a new self-issued certificate

    How do I accomplish a selection from the local certificate store through an unattended install?

    It seems that, for instance, using 'CERTIFICATE_NAME=MyCustomFIMCert' does not search the store first but creates an additional self-issued certificate with exactly the same name; in the MSI installer log it then complains that the installer found certificates with the same name.

    Does anyone have any tips on how to deal with this behavior?

    THANKS :-)


    Danny Alvares, Senior Technology Consultant

    Thursday, November 6, 2014 8:43 PM

Answers

  • Or... there is a chance.

    After digging into MSI package of FIMService installer, I have found that you are able to set the following parameters:

    SecureCustomProperties BROWSER;CAN_CONNECT_TO_SQL_SERVER;CERTIFICATE_NAME;CERTIFICATE_NAME_REGISTRY;CERTIFICATE_THUMBPRINT;DOTNETINSTALLROOT;ENABLE_REPORTING;FULL_TEXT_SEARCH_INSTALLED;INSTALLDIR;IS_BEST_PRACTICE_ACCOUNT;IS_CERT_SELECTED;IS_DATABASE_ALREADY_EXISTS;IS_REMOTE_SQL_SERVER;IS_RUNNINGUSER_SYSADMIN;IS_SQL_AGENT_RUNNING;IS_SYNC_SERVICE_EXISTS;IS_SYNC_SERVICE_RUNNING;IS_VALID_DATABASE_NAME;IS_VALID_DOTNET_VERSION;IS_VALID_SERVICE_ACCOUNT;IS_VALID_SQL_PERMISSION;IS_VALID_SQL_SERVER_VERSION;IS_VALID_SYNCHRONIZATION_SERVER_ACCOUNT;MAIL_SERVER;MAIL_SERVER_IS_EXCHANGE;MAIL_SERVER_USE_SSL;MIN_DOTNET_VERSION;MIN_SQLSERVER_VERSION;PATHWWWROOT;POLL_EXCHANGE_ENABLED;POLL_EXCHANGE_ENABLED_REGISTRY;POWERSHELL_INSTALL;PREV_IS_REGISTRATION_EXTRANET;PREV_IS_RESET_EXTRANET;PREV_REGISTRATION_SERVER_NAME;PREV_RESET_SERVER_NAME;REGISTRATION_ACCOUNT_DOMAIN;REGISTRATION_ACCOUNT_NAME;REGISTRATION_ACCOUNT_PASSWORD;REGISTRATION_ACCOUNT_SID;REGISTRATION_HOSTNAME;REGISTRATION_PORTAL_URL;RESET_ACCOUNT_DOMAIN;RESET_ACCOUNT_NAME;RESET_ACCOUNT_PASSWORD;RESET_ACCOUNT_SID;RESET_HOSTNAME;RMS_PORT_REGISTRY;RUNNING_USER_DOMAIN;RUNNING_USER_EMAIL;RUNNING_USER_NAME;SERVICE_ACCOUNT_DOMAIN;SERVICE_ACCOUNT_EMAIL;SERVICE_ACCOUNT_NAME;SERVICE_ACCOUNT_PASSWORD;SERVICE_ACCOUNT_PREV;SERVICE_ACCOUNT_SID;SERVICE_ACCOUNT_SID_HEX;SERVICE_ACCOUNT_SID_REGISTRY;SERVICE_MANAGER_SERVER;SERVICEADDRESS;SERVICEADDRESS_REGISTRY;SHAREPOINT_SITE_URL;SHAREPOINT_URL;SHAREPOINT_URL_REGISTRY;SHAREPOINTTIMEOUT;SQLAGENTEXIST;SQLSERVER_DATABASE;SQLSERVER_SERVER;SQMOPTINSETTING_REG;STS_PORT_REGISTRY;STSADMPATH;SYNCHRONIZATION_SERVER;SYNCHRONIZATION_SERVER_ACCOUNT;SYNCHRONIZATION_SERVER_ACCOUNT_PREV;UPGRADE_BLOCK;UPGRADE_BUILD;WSS14INSTALLDIR;WSS15INSTALLDIR;WSSINSTALLDIR;WWF35
    MsiHiddenProperties ConfigureIIsExec;CreateUser;REGISTRATION_ACCOUNT_PASSWORD;RESET_ACCOUNT_PASSWORD;SERVICE_ACCOUNT_PASSWORD;SetPolicyforServiceAccount

    You should probably try the CERTIFICATE_THUMBPRINT attribute to assign an existing certificate :)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by MKołódź Friday, November 7, 2014 8:00 AM
    • Marked as answer by Danny Alvares Friday, November 7, 2014 9:18 AM
    Friday, November 7, 2014 7:21 AM

All replies

  • Hi Danny,

    CERTIFICATE_NAME is described as "Name of certificate to generate (ForefrontIdentityManager)". So it is there to create an additional certificate.

    The only idea that comes to my mind is to exclude this property from the installation - I don't know if it would work.

    If that does not work (it would either create its own certificate or the installation would fail), I don't think you would be able to achieve this using a command-line installation.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Friday, November 7, 2014 7:06 AM
  • Dominik, works wonderfully! 'CERTIFICATE_THUMBPRINT' it is. Thanks for the MSI hack :-)

    Danny Alvares, Senior Technology Consultant

    Friday, November 7, 2014 9:19 AM
  • Here's the full PowerShell script.

    # FIM Service & Portal MSI & Setup

    # See: http://technet.microsoft.com/en-us/library/hh322863(v=ws.10).aspx
    $FIMServicePortalMsi = "`"C:\FIMSetup\Service and Portal\Service and Portal.msi`""
    $FIMServicePortalInstallDir = "`"C:\Program Files\Microsoft Forefront Identity Manager\2010`""
    $FIMServicePortalSetupLog = "`"C:\FIMSetup\FIMServicePortalSetup_Log.txt`""
    $FIMServiceCustomCertificateName = "fimservice.domain.local"
    $FIMADDLOCAL = "CommonServices,WebPortals"
    $FIMSQMOPTINSETTING = 0
    $FIMSQLSERVER_SERVER = "dbFIMService" # REQUIRED
    $FIMSQLSERVER_DATABASE = "FIMService"
    $FIMEXISTINGDATABASE = 0
    $FIMMAIL_SERVER = "exch.domain.local" # REQUIRED
    $FIMMAIL_SERVER_USE_SSL = 0
    $FIMMAIL_SERVER_IS_EXCHANGE = 1
    $FIMPOLL_EXCHANGE_ENABLED = 0
    # $FIMCERTIFICATE_NAME = "ForefrontIdentityManager" # IMPORTANT: WHEN USING A CUSTOM CERTIFICATE USE THUMBPRINT
    $FIMCERTIFICATE_THUMBPRINT = (dir Cert:\LocalMachine\My | where {$_.subject -match $FIMServiceCustomCertificateName}).thumbprint
    $FIMSERVICE_ACCOUNT_NAME = "svcFIMservice" # REQUIRED
    $FIMSERVICE_ACCOUNT_PASSWORD = "********" # REQUIRED
    $FIMSERVICE_ACCOUNT_DOMAIN = "DOMAIN" # REQUIRED
    $FIMSERVICE_ACCOUNT_EMAIL = "fimservice@domain.local" # REQUIRED
    $FIMSERVICE_MANAGER_SERVER = "" # FIM Reporting Service Management Server
    $FIMSYNCHRONIZATION_SERVER = "fimsync.domain.local" # REQUIRED
    $FIMSYNCHRONIZATION_SERVER_ACCOUNT = "DOMAIN\svcFIMsyncservice"
    $FIMSERVICEADDRESS = "fimservice.domain.local" # DO NOT USE LOCALHOST OR HTTP(S) PREFIX
    $FIMSHAREPOINT_URL = "https://fimportal.domain.local"
    $FIMREGISTRATION_PORTAL_URL = ""
    $FIMFIREWALL_CONF = 1 # Ports 5725, 5726
    $FIMSHAREPOINTUSERS_CONF = 1
    $FIMREQUIRE_REGISTRATION_INFO = 0
    $FIMREGISTRATION_ACCOUNT_NAME = ""
    $FIMREGISTRATION_ACCOUNT_DOMAIN = ""
    $FIMREQUIRE_RESET_INFO = 0
    $FIMRESET_ACCOUNT_NAME = ""
    $FIMRESET_ACCOUNT_DOMAIN = ""

    #MSI Argument list
    $FIMArguments = @("/i", $FIMServicePortalMsi, "/qn", "INSTALLDIR=$FIMServicePortalInstallDir", "ADDLOCAL=$FIMADDLOCAL", "SQMOPTINSETTING=$FIMSQMOPTINSETTING", "SQLSERVER_SERVER=$FIMSQLSERVER_SERVER", "SQLSERVER_DATABASE=$FIMSQLSERVER_DATABASE", "EXISTINGDATABASE=$FIMEXISTINGDATABASE", "MAIL_SERVER=$FIMMAIL_SERVER", "MAIL_SERVER_USE_SSL=$FIMMAIL_SERVER_USE_SSL", "MAIL_SERVER_IS_EXCHANGE=$FIMMAIL_SERVER_IS_EXCHANGE", "POLL_EXCHANGE_ENABLED=$FIMPOLL_EXCHANGE_ENABLED", "CERTIFICATE_THUMBPRINT=$FIMCERTIFICATE_THUMBPRINT", "SERVICE_ACCOUNT_NAME=$FIMSERVICE_ACCOUNT_NAME", "SERVICE_ACCOUNT_PASSWORD=$FIMSERVICE_ACCOUNT_PASSWORD", "SERVICE_ACCOUNT_DOMAIN=$FIMSERVICE_ACCOUNT_DOMAIN", "SERVICE_ACCOUNT_EMAIL=$FIMSERVICE_ACCOUNT_EMAIL", "SERVICE_MANAGER_SERVER=$FIMSERVICE_MANAGER_SERVER", "SYNCHRONIZATION_SERVER=$FIMSYNCHRONIZATION_SERVER", "SYNCHRONIZATION_SERVER_ACCOUNT=$FIMSYNCHRONIZATION_SERVER_ACCOUNT", "SERVICEADDRESS=$FIMSERVICEADDRESS", "SHAREPOINT_URL=$FIMSHAREPOINT_URL", "REGISTRATION_PORTAL_URL=$FIMREGISTRATION_PORTAL_URL", "FIREWALL_CONF=$FIMFIREWALL_CONF", "SHAREPOINTUSERS_CONF=$FIMSHAREPOINTUSERS_CONF", "REQUIRE_REGISTRATION_INFO=$FIMREQUIRE_REGISTRATION_INFO", "REGISTRATION_ACCOUNT_NAME=$FIMREGISTRATION_ACCOUNT_NAME", "REGISTRATION_ACCOUNT_DOMAIN=$FIMREGISTRATION_ACCOUNT_DOMAIN", "REQUIRE_RESET_INFO=$FIMREQUIRE_RESET_INFO", "RESET_ACCOUNT_NAME=$FIMRESET_ACCOUNT_NAME", "RESET_ACCOUNT_DOMAIN=$FIMRESET_ACCOUNT_DOMAIN", "/l*", $FIMServicePortalSetupLog)

    Clear-Host
    "Installing FIM Portal & Service..."
    # Run msiexec synchronously and capture its exit code (0 = success)
    $InstallExitCode = (Start-Process -FilePath msiexec.exe -ArgumentList $FIMArguments -Wait -PassThru).ExitCode
    if ($InstallExitCode -eq 0) { "Installation successful." }
    else { "Installation failed with code $InstallExitCode. Check Windows Event Viewer for errors." }


    Danny Alvares, Senior Technology Consultant


    Friday, November 7, 2014 9:25 AM
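The thumbprint lookup in the script above uses a regex `-match` on the subject, which returns every certificate whose subject contains the name, including the leftover self-issued copies the MSI log complained about; if more than one matches, the joined thumbprints break the CERTIFICATE_THUMBPRINT property. The following is an added example (not code from the thread or from the FIM installer) that resolves the thumbprint by exact subject CN, requires a private key and a valid date range, refuses ambiguous matches, and then passes the single thumbprint to msiexec; the CN, MSI path and log path are placeholders, and the other required properties from Danny's script still have to be supplied.

```powershell
# Added example, not from the original thread. Placeholders: the subject CN,
# the MSI path and the log path must be replaced with real values.

function Get-FimServiceCertThumbprint {
    param(
        [Parameter(Mandatory)] [string] $SubjectCN,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    # Exact subject match instead of -match, so "fimservice.domain.local" cannot also
    # pick up "fimservice.domain.local.old" or a stray self-issued ForefrontIdentityManager cert.
    $candidates = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq "CN=$SubjectCN" }

    # The FIM Service signs and encrypts with this cert, so it must have a private key
    # and must be within its validity period at install time.
    $now = Get-Date
    $usable = @($candidates | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })

    if ($usable.Count -eq 0) {
        throw "No usable certificate with subject CN=$SubjectCN in $StorePath (private key present and not expired)."
    }
    if ($usable.Count -gt 1) {
        # Same ambiguity the MSI log reports for duplicate names: fail loudly instead of
        # handing msiexec several thumbprints joined by spaces.
        $list = ($usable | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter))" }) -join '; '
        throw "Multiple usable certificates for CN=$SubjectCN; remove the extras first: $list"
    }
    return $usable[0].Thumbprint
}

# Resolve the thumbprint, then pass it as CERTIFICATE_THUMBPRINT instead of CERTIFICATE_NAME.
$thumb   = Get-FimServiceCertThumbprint -SubjectCN 'fimservice.domain.local'   # placeholder CN
$msiPath = 'C:\FIMSetup\Service and Portal\Service and Portal.msi'             # placeholder path
$logPath = 'C:\FIMSetup\FIMServicePortalSetup_Log.txt'                         # placeholder path

# Only the certificate-related arguments are shown; add SQLSERVER_SERVER, MAIL_SERVER,
# SERVICE_ACCOUNT_* and the rest of the required properties exactly as in the script above.
$msiArgs = @('/i', "`"$msiPath`"", '/qn',
             "CERTIFICATE_THUMBPRINT=$thumb",
             '/l*v', "`"$logPath`"")

$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see $logPath for the CERTIFICATE_THUMBPRINT handling."
}
```

Run it in an elevated session on the server being installed, since the LocalMachine\My store and the MSI both require administrative rights.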