Appendix B: Documentation - Compact Check list

Pre-installation: Backend configuration

SPN

| | Importance | LOC | Acct. Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | SPN | SQL Database Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | FIM Service Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | SharePoint Service Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | Password Registration Server Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | Password Reset Server Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | FIM CM Web Pool Agent Account | |

Kerberos constrained delegation

| | Importance | LOC | Acct. Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | msDS-AllowedToDelegateTo: FIMService/<FIM Service Server> | FIM Service Account | <domain>\<account> |
| [ ] | HIGH | D | msDS-AllowedToDelegateTo: FIMService/<FIM Service Server> | SharePoint Service Account | <domain>\<account> |
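Added verification script, not part of the original checklist: it reads the SPN and constrained delegation attributes of a service account and reports the rows above that are not satisfied, plus two things the checklist implies but does not spell out (a duplicate SPN elsewhere in the domain, and unconstrained delegation being switched on instead of constrained). The FIM Service host name and the account names are placeholders to fill in; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original checklist): verifies the SPN and
# Kerberos constrained delegation rows for one service account.
#  - every expected SPN is registered on the account and on no other object
#    (a duplicate SPN silently breaks Kerberos for that service),
#  - msDS-AllowedToDelegateTo contains FIMService/<FIM Service Server>,
#  - unconstrained delegation (TrustedForDelegation) is not enabled; the
#    checklist calls for constrained delegation only.
# Requires the ActiveDirectory module (RSAT). Host and account names are placeholders.
Import-Module ActiveDirectory

function Test-FimKerberosAccount {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string[]]$ExpectedSpn = @(),          # SPNs that must be on this account
        [string[]]$ExpectedDelegateTo = @()    # required msDS-AllowedToDelegateTo entries
    )
    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation'
    $acct = Get-ADUser -Identity $SamAccountName -Properties $props
    $findings = @()

    foreach ($spn in $ExpectedSpn) {
        if ($acct.servicePrincipalName -notcontains $spn) {
            $findings += "MISSING SPN $spn on $SamAccountName"
        }
        # Search the whole domain for other objects carrying the same SPN.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -gt 1) {
            $findings += "DUPLICATE SPN $spn on: $($owners.DistinguishedName -join '; ')"
        }
    }
    foreach ($target in $ExpectedDelegateTo) {
        if ($acct.'msDS-AllowedToDelegateTo' -notcontains $target) {
            $findings += "MISSING constrained delegation to $target on $SamAccountName"
        }
    }
    if ($acct.TrustedForDelegation) {
        $findings += "UNCONSTRAINED delegation enabled on $SamAccountName; use constrained only"
    }
    if ($findings.Count -eq 0) { $findings += "OK: $SamAccountName" }
    return $findings
}

# Placeholders for <FIM Service Server> and the two accounts in the delegation table.
$fimServiceSpn = 'FIMService/fimsvc01.contoso.local'
Test-FimKerberosAccount -SamAccountName 'svc-fimservice' -ExpectedSpn $fimServiceSpn -ExpectedDelegateTo $fimServiceSpn
# The SharePoint account also needs its own SPN (see the SPN table); pass it via -ExpectedSpn.
Test-FimKerberosAccount -SamAccountName 'svc-fimsharepoint' -ExpectedDelegateTo $fimServiceSpn
```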

Pre-installation: Account creation

Back End

SQL

| | Importance | LOC | Acct. Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Service | SQL Server Database engine acct. | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Agent service* acct. | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Analysis Services acct. | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Reporting Services acct. | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Browser acct. | <domain>\<account> |

SharePoint

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | SharePoint Setup administrator acct* | <domain>\<account> |
| [ ] | HIGH | D | Functional | | <domain>\<account> |
| [ ] | LOW | D | Functional | search service account | <domain>\<account> |
| [ ] | LOW | D | Functional | search content access account | <domain>\<account> |
| [ ] | LOW | D | Functional | SharePoint Application pool account | <domain>\<account> |

All FIM Platforms

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | FIM setup administrator account* | <domain>\<account> |

FIM Synchronization

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Service | FIM Sync service | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncAdmins | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncOperators | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncJoiners | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncBrowse | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncPasswordSet | <domain>\<account> |
| [ ] | HIGH | D | Technical | FIM Task scheduler | <domain>\<account> |

FIM Sync MAs

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Technical | ADMA Account | <domain>\<account> |
| | See below | D | Technical | FIMMA Account | |
| [ ] | HIGH | D | Technical | SQL MA Account | <domain>\<account> |
| [ ] | HIGH | D | Technical | Other MAs: one account per type of MA, and by preference one account per MA | <domain>\<account> |

FIM Service

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Service | FIM service | <domain>\<account> |
| [ ] | HIGH | D | Technical | FIMMA Account | <domain>\<account> |
| [ ] | HIGH | D | Functional | Backup Portal Administrator | <domain>\<account> |

FIM Portal

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | MEDIUM | D | Functional | Backup Portal Administrator | <domain>\<account> |
| [ ] | HIGH | D | Functional | FIM Portal - Application Pool Account | <domain>\<account> |

FIM SSPR Registration Portal

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | FIM SSPR Registration Portal - Application Pool Account | <domain>\<account> |

FIM SSPR Reset Portal

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | FIM SSPR Reset Portal - Application Pool Account | <domain>\<account> |

FIM CM

| | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | FIM CM Agent | <domain>\<account> |
| [ ] | HIGH | D | Functional | FIM CM Authorization Agent | |
| [ ] | HIGH | D | Functional | FIM CM CA Manager Agent | |
| [ ] | HIGH | D | Functional | FIM CM Enrollment Agent | |
| [ ] | HIGH | D | Functional | FIM CM Key Recovery Agent | |
| [ ] | HIGH | D | Functional | FIM CM Web Pool Agent | |

Pre-installation: Account lock down

General

| | Importance | LOC | Account Type | Account Reference | Procedure |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | FIM Installer account | Just before installation[1]: grant local admin rights |

FIM Sync

| | Action | Account |
|---|---|---|
| [ ] | Account creation | |
| [ ] | Account Configuration | |

AD

| | Importance | LOC | Account Type | Account Reference | Procedure |
|---|---|---|---|---|---|
| [ ] | HIGH | D | Functional | FIM ADMA | |
| [ ] | HIGH | D | Functional | FIM ADMA | Lock down the account to the minimum required permissions on the minimum required containers |

Post-Installation

Account Assignment

FIM Service & FIM Portal

| | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|
| [ ] | Functional account | Add Backup Portal Administrator account to Administrators set | |

FIM Sync

| | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|
| [ ] | Personal account | Add FIM Administrator account to FIMSyncAdmins group | |

Hotfix installation

Account Assignment

All FIM platforms

| | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|
| [ ] | Functional account | Add FIM Setup account to: SQL SA; Local server admin (via AD) | |

FIM Service & FIM Portal

| | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|
| [ ] | Functional account | Add Backup Portal Administrator account to Administrators set | |

FIM Sync

| | Account Type | Account Reference | Name (to fill) |
|---|---|---|---|
| [ ] | Personal account | Add FIM Administrator account to FIMSyncAdmins group | |

 

[1] This applies both to a fresh installation of a FIM component and to the implementation of a hotfix or service pack. Only during the implementation of a service pack does the account that runs the installation need the elevated rights: only DURING installation, not before, not after.

