This post is part of a series. The chapter index is located here.
In this post we will install and configure the MIM Portal / Service management agent.
Preparations
Portal access
Verify that you are able to access the MIM Portal. It should look something like this:
Add the MIM Portal to the Local intranet security zone. Open Internet Options, go to the Security tab, select Local intranet, click Sites, then Advanced, and add the portal hostname to the list. On the frontend (IM01):
And on client computers:
This should enable single sign-on, that is, you will not be prompted to authenticate when you access the portal in IE.
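The same zone assignment can be scripted instead of clicked through Internet Options. This is an added PowerShell example, not code from the original post: it writes the per-user ZoneMap registry keys that the dialog edits and reads the assignment back to verify it. The hostname im01.mim.local is the lab's; the function names are my own.

```powershell
# Added example (not from the original post): put a portal host into the IE "Local intranet"
# zone (zone id 1) by writing the per-user ZoneMap keys, then verify the assignment.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapKey {
    param([Parameter(Mandatory)][string] $HostName)
    # "im01.mim.local" -> Domains\mim.local\im01 ; a single-label name -> Domains\im01
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -eq 1) { return Join-Path $ZoneMapDomains $labels[0] }
    $domain = ($labels | Select-Object -Skip 1) -join '.'
    return Join-Path (Join-Path $ZoneMapDomains $domain) $labels[0]
}

function Add-LocalIntranetSite {
    param(
        [Parameter(Mandatory)][string] $HostName,
        [ValidateSet('http', 'https')][string] $Scheme = 'http'
    )
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the URL scheme, the value data is the zone id: 1 = Local intranet
    New-ItemProperty -Path $key -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-SiteZone {
    param(
        [Parameter(Mandatory)][string] $HostName,
        [ValidateSet('http', 'https')][string] $Scheme = 'http'
    )
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Scheme
}

# Lab hostname from the post; the base address used later is http://im01.mim.local:5725
Add-LocalIntranetSite -HostName 'im01.mim.local'
if ((Get-SiteZone -HostName 'im01.mim.local') -ne 1) {
    throw 'im01.mim.local is not in the Local intranet zone'
}
```

If the "Security Zones: Use only machine settings" policy is in effect, the HKLM hive is consulted instead of HKCU, and on domain-joined client computers the cleaner way to distribute the assignment is the "Site to Zone Assignment List" Group Policy setting rather than per-user registry writes.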
Portal permissions
All users should be able to read their own object (for the purposes of this lab). To make that happen, you have to enable the “User management: Users can read attributes of their own” Management Policy Rule:
Open the rule, enable it, save and submit.
Firewall rules
Make sure that the MIM Portal / Service firewall rules are installed and enabled. On IM01, launch Windows Firewall with Advanced Security and look for the Forefront Identity Manager Service rules. There should be two:
Creating the MIM Portal / Service Management agent
This MA is often referred to as the MIM MA or FIM MA. This can be a bit confusing for newcomers, so I will call it MIM Service MA for brevity.
Start by opening the Synchronization Service Manager and click Management Agents, then Create. Select FIM Service MA as the type of MA:
Connect to database
- Server: IM01
- Database: FIMService
- FIMService base address: http://im01.mim.local:5725
- Authentication mode: Windows integrated
- User name: MIMMA
- Domain: MIM
Select object types
Select the following object types:
- DetectedRuleEntry
- ExpectedRuleEntry
- Group
- Person
- SynchronizationRule
Select attributes
Make sure that all attributes are selected. You have to tick “Show all” to view the complete list.
Configure connector filter
Accept the defaults on this screen.
Configure Object Type Mappings
Create object type mappings for the Person and Group object types:
Configure attribute flow
Create Person attribute flows according to the table below. Be aware that the table in the MS guide is incomplete, at least it was at the time of writing: the import flows were missing, which will incite a visit from General Fault and his buddy Major Failure in LAB7. You can of course expand on this list to use additional attributes; the table below just adds the minimum to get the MAs working.
| Data Source Attribute | Flow Direction | Metaverse Attribute |
|---|---|---|
| AccountName | Export | accountName |
| DisplayName | Export | displayName |
| Domain | Export | domain |
|  | Export |  |
| EmployeeID | Export | employeeID |
| EmployeeType | Export | employeeType |
| FirstName | Export | firstName |
| LastName | Export | lastName |
| ObjectSID | Export | objectSid |
| AccountName | Import | accountName |
| DisplayName | Import | displayName |
| Domain | Import | domain |
| FirstName | Import | firstName |
| LastName | Import | sn |
| MailNickname | Import | mailNickname |
And for the Group object type:
| Data Source Attribute | Flow Direction | Metaverse Attribute |
|---|---|---|
| AccountName | Export | accountName |
| DisplayName | Export | displayName |
| Domain | Export | domain |
|  | Export |  |
| MailNickName | Export | mailNickName |
| Member | Export | member |
| MembershipAddWorkflow | Export | membershipAddWorkflow |
| MembershipLocked | Export | membershipLocked |
| ObjectSID | Export | objectSid |
| Scope | Export | scope |
| Type | Export | type |
| AccountName | Import | accountName |
| DisplayedOwner | Import | displayedOwner |
| DisplayName | Import | displayName |
| MailNickName | Import | mailNickName |
| Member | Import | member |
| Scope | Import | scope |
| Type | Import | type |
Configure deprovisioning
Accept the defaults for now.
The end of MIM LAB 5
This post is part of a series, and the chapter index is located here. In the next chapter, we will create the first AD MA for the mim.local forest and create run profiles.