This post is part of a series. The chapter index is located here.
In this post we install and configure the MIM Portal / Service.
Be aware that I had to make some changes to things I did in previous labs to make this work. I hope I have included all the details, but I have yet to re-run a complete install to test it.
If you have followed this series, you know that I deviate from the official guide. Primarily I use Windows and SQL Server 2016 instead of 2012/2014. I also refuse to run the installation as the Domain Administrator account, mostly because I am not able to do so in my production systems, and neither should you. If you do not know why it is not a good idea to use the default administrator account, that is too big a topic to cover here, but suffice to say it is a security issue.
Another thing I elected to do in LAB 2 was to use a specific portal URL (portal.mim.local) instead of just using the computer name. This is to make a more production-like environment, and it does require some extra steps.
When you are using a separate URL for your MIM-portal, you have to create a DNS record for it. In production you should probably also have a load balancer and more than one frontend server, but let us for the moment limit our adventures to the portal URL itself. I will simply point it at the IP of the frontend.
As you can see in the picture, I have created both IPv4 and IPv6 entries. You could do this for the Password Reset and Password Registration portals as well.
Remove the Default Web Site
When you install Internet Information Server, a default web site is created. This site is not needed and should be removed. Just open IIS Manager and locate it under sites. Right-click the site and select remove.
Remove Sharepoint – 80
The Sharepoint wizard creates a Sharepoint web application called Sharepoint – 80 that snags the port 80 binding. This is a bit impractical, as the MIM installation wizard is unaware of the concept of URL bindings and thus refuses to install your portal on port 80. Thus, you have to remove this web application.
- Start the Sharepoint powershell console.
- Run Get-SPWebApplication "SharePoint - 80" | Remove-SPWebApplication
- Remove the corresponding site from IIS
Verify your Sharepoint mappings
Sharepoint is using something called Alternate Access Mappings to define what URLs are used for what Sharepoint application. I am no Sharepoint expert, but my installation failed because these were not set correctly. I do not know why they were incorrect, but I found out how to change them. You find the options on the central administration page. If you followed the guide, this is located at IM01:20230. Select System Settings, and then click Configure alternate access mappings.
Change the Alternate Access Mapping Collection to MIM Portal, and make sure that the URL for the Default zone is set to http://portal.mim.local:82. Make sure you have a mapping for http://im01 or localhost if you want to be able to view the portal on the host itself.
Verify your IIS Bindings
While you are at it, make sure that IIS is set to recognize your URL. Open IIS Manager and locate the MIM Portal site. Right click and select Edit Bindings:
It should look something like the example below. You have to change this if you are using an URL that is not the local computer name or localhost. Make sure you have a binding for http://im01 if you want to be able to view the portal on the host itself.
I have left it on port 82 as it is used in the guide, but I see no reason why you can’t change it to port 80.
If you want to change the port after you have installed the portal/service, re-run the installer and select change. Remember to change the Sharepoint access mappings as well if you do so. Furthermore, there is a registry value called “BaseSiteCollectionURL” under “HKLM\Software\Microsoft\Forefront Identity Manager\2010\Portal” that you have to change manually. It is not necessary to get the portal to work, but patching will fail (and probably other things as well).
Talking about port 82, the portal will not be accessible outside the frontend unless you add a firewall rule to allow traffic on port 82.
- Log in to your VM as your admin account, but do not use Domain\Administrator (see LAB 3 for details).
- Start by getting hold of the MIM 2016 installation ISO and mount it on your VM. You could also extract the contents of the ISO to a folder.
- Make sure that you have a C:\Temp folder
- Open an administrative command prompt.
- CD to the Service and Portal folder on the ISO
- Run msiexec /i "Service and Portal.msi" /L*v c:\temp\MIM_Service_Install.log
- Click through until you reach the feature selection page (Custom Setup)
- Accept the default setup (everything sans MIM Reporting and PAM), or make changes at will. As a minimum, MIM Service and MIM Portal should be selected. Be aware that special preparations are needed to install MIM Reporting and PAM.
- Specify the SQL Server and database name. The SQL Server should be specified as name\instance. We are using the default instance, thus we only have to specify name. It is highly recommended to accept the default database name. As this is a new setup we accept the option to create a new database.
- After you click next, it may take some time for the wizard to move to the next screen.
- Then specify your SMTP settings. As I have not created an Exchange server yet, I just specified the server name and unchecked all the boxes. If I get time, Exchange integration will be covered in a later LAB. If you have an Exchange server, select Use SSL and Mail Server is Exchange. It says Exchange 2007 or 2010, but 2013 should also work.
- Again, you may have to wait for the next page to appear.
- As this is a lab, you may want to use a self-signed certificate. In production you should use a proper certificate.
- Then it is time to set up the service account and email address. This address has to exist in Exchange if you want integration to work properly.
- On this screen you specify the name of the MIM Sync server (IM01) and the name of the MIM MA service account. We have not created the MIM MA yet, but we have to specify the account here and use this account when we create the MIM MA later. In this lab the MIM\MIMMA account should be used, you created it in LAB1 together with all the other service accounts.
- Now comes the URL configuration. In a production environment you would use a specific name like portal.mim.local, pwreset.mim.local and so on. In a lab you can use the server name to simplify the setup.
- MIM Service Server address: IM01 (computer name only)
- Sharepoint site collection URL: http://portal.mim.local:82
- Password registration link: This field can be left blank.
- Accept Open port 5725 and 5726
- Accept Grant authenticated users access to the MIM Portal
Password Registration Portal configuration
- On the Configure password registration page, use MIM\MIMSSPR as the service account, specify host name and port and check the Open Port in firewall box. Be aware that the image in the guide references a MIMSSPRAdmin account, but the account created in LAB1 is called MIMSSPR.
- Computer name as URL sample:
- Specific URL sample:
- Remember to not use an http prefix in the box above.
- Setup will complain about missing SSL, which is OK for the lab.
- Enter http://IM01.mim.local as the address for the MIM Service server.
- Note that we are using different ports. That is because the wizard will not allow you to install multiple services on the same port.
Password reset portal configuration
- Account name: MIM\MIMSSPRService. This account does not exist and has to be created.
- Host name: http://pwreset.mim.local (again, you could use the computername to simplify in the lab)
- Port: 83
- Check open firewall port.
- Again, the wizard complains about SSL.
- MIM Service Server address: http://portal.mim.local
Did it work?
If you get the dreaded “Wizard Ended Prematurely” error, look in C:\Temp\MIM_Service_Install.log. I have had trouble with the following:
- Missing DNS records.
- DNS records pointing to a load balancer that has yet to be configured.
- Alternate Access Mappings.
- IIS Bindings.
- Missing prerequisites from LAB3.
- Writing http:// where I should not have done so.
- Forgetting http:// where it was necessary.
- No local access to the portal from IM01, only from a client computer.
- Solar flares.
- Badgers in the server.
- Bad karma.
- Did I mention that I just love Sharepoint and all its works?
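Most of the items in that list can be checked before the wizard is started. The following PowerShell pre-flight check is an added example (not from the original post) that runs through them; it assumes the lab values used in this series (IM01, http://portal.mim.local:82, an IIS site named "MIM Portal") and that it is run elevated in the SharePoint Management Shell on the frontend.

```powershell
# Added pre-flight check for the MIM Portal prerequisites described in this lab.
# Assumptions: run elevated on IM01 in the SharePoint Management Shell; portal URL
# http://portal.mim.local:82; IIS site name "MIM Portal" (adjust these to your setup).
$PortalHost = 'portal.mim.local'
$PortalPort = 82
$PortalUrl  = "http://${PortalHost}:$PortalPort"
$SiteName   = 'MIM Portal'
$results    = [ordered]@{}

# 1. DNS: the portal name must resolve, and to this host (not to a load balancer that is not configured yet).
$dns      = Resolve-DnsName -Name $PortalHost -Type A -ErrorAction SilentlyContinue
$localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$results['DNS A record exists']       = [bool]$dns
$results['DNS record points at this host'] = [bool]($dns.IPAddress | Where-Object { $localIps -contains $_ })

# 2. SharePoint: "SharePoint - 80" removed, AAM default zone set to the portal URL, local mapping present.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
$results['SharePoint - 80 removed'] = -not (Get-SPWebApplication | Where-Object DisplayName -eq 'SharePoint - 80')
$aam = Get-SPAlternateURL -WebApplication $PortalUrl -ErrorAction SilentlyContinue
$results['AAM default zone is portal URL'] = [bool]($aam | Where-Object { $_.Zone -eq 'Default' -and $_.IncomingUrl -eq $PortalUrl })
$results['AAM has mapping for http://im01'] = [bool]($aam | Where-Object IncomingUrl -eq "http://$env:COMPUTERNAME")

# 3. IIS: Default Web Site gone, and the portal site has a host-header binding on the portal port.
Import-Module WebAdministration
$results['Default Web Site removed'] = -not (Get-Website -Name 'Default Web Site')
$bindings = Get-WebBinding -Name $SiteName -Protocol http -ErrorAction SilentlyContinue
$results['IIS binding for portal URL'] = [bool]($bindings | Where-Object bindingInformation -eq "*:${PortalPort}:$PortalHost")

# 4. Firewall: an enabled inbound allow rule for TCP 82, or the portal is only reachable from the frontend itself.
$results['Firewall allows inbound TCP 82'] = [bool](Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $PortalPort })

# 5. Registry (only meaningful after the portal is installed): BaseSiteCollectionURL must match the portal URL,
#    otherwise patching fails as described above.
$reg = Get-ItemProperty 'HKLM:\Software\Microsoft\Forefront Identity Manager\2010\Portal' -ErrorAction SilentlyContinue
$results['BaseSiteCollectionURL matches (post-install)'] = ($reg.BaseSiteCollectionURL -eq $PortalUrl)

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

Every FAIL line maps to one of the causes listed above; the registry check is expected to fail before the first install and only matters before patching.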
Patching the MIM Portal / MIM Sync Service
Learning from the incident in LAB 3, I installed MIM 2016 SP1-erer instead of MIM 2016 SP1, that is build 4.4.1302.0. Thus, I am spared the experience of having to remove and reinstall this time. Instead I am left with the somewhat easier task of upgrading to build 4.4.1459.0, which supports an in-place upgrade.
- First you have to obtain the msp. It should be called something like this: FIMService_x64_KB4012498.msp.
- If you just installed the service, perform an IIS reset and test the site again to make sure that the installation was successful.
- Verify that you have a current database backup.
- You have to stop the MIM Service before you start the installation. It self-identifies as “FIMService”, with the display name “Forefront Identity Manager Service”.
- The .msp requires local admin mode to execute, but has not been written to correctly request it. It just pouts about it. Thus, you have to launch it from an administrative command prompt. You should also add logging, as this is connected to Sharepoint and Sharepoint never just works.
- msiexec /p FIMService_x64_KB4012498.msp /L*V "C:\Temp\MIMServicePatch.log"
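The patch steps above, scripted as an added example (not part of the original post): it supplies the elevation check the .msp does not perform, stops the FIMService first, runs msiexec with the same logging, and verifies the installed build afterwards. The paths to the .msp and to the service binary are assumptions; adjust them to your environment.

```powershell
# Added example: apply the MIM 2016 hotfix (KB4012498, build 4.4.1459.0) to the MIM Service.
# Assumptions: .msp and log in C:\Temp, default MIM Service install path; adjust as needed.
$Msp     = 'C:\Temp\FIMService_x64_KB4012498.msp'
$Log     = 'C:\Temp\MIMServicePatch.log'
$SvcName = 'FIMService'   # display name: Forefront Identity Manager Service
$SvcExe  = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe'
$Target  = [version]'4.4.1459.0'

# 1. The .msp needs local admin but does not request elevation itself, so check it here and refuse otherwise.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an administrative PowerShell prompt.'
}
if (-not (Test-Path $Msp)) { throw "Patch not found: $Msp" }

# 2. The lab requires a current database backup; make the operator confirm it rather than assume it.
if ((Read-Host 'Is a current backup of the FIMService database in place? (y/n)') -ne 'y') {
    throw 'Take a database backup before patching.'
}

# 3. Stop the MIM Service and wait until it has actually stopped before msiexec touches its files.
$svc = Get-Service -Name $SvcName
$wasRunning = $svc.Status -eq 'Running'
if ($wasRunning) {
    Stop-Service -Name $SvcName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# 4. Apply the patch with verbose logging (same command as in the lab) and inspect the msiexec exit code.
$proc = Start-Process -FilePath msiexec.exe -ArgumentList "/p `"$Msp`" /L*V `"$Log`"" -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'Patch applied.' }
    3010    { 'Patch applied; a reboot is required.' }
    default { throw "msiexec returned $($proc.ExitCode); see $Log" }
}

# 5. Confirm the service binary is now at the expected build, then restart the service and recycle IIS.
$installed = [version](Get-Item $SvcExe).VersionInfo.FileVersion
if ($installed -lt $Target) { Write-Warning "Service binary is $installed, expected $Target; check $Log" }
if ($wasRunning) { Start-Service -Name $SvcName }
iisreset /noforce
```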
The end of MIM LAB 4
This post is part of a series, and the chapter index is located here. In the next chapter, the MIM Service/Portal setup continues. We will create the MIM Portal MA and start synchronization.