MIM LAB5: The MIM Service / Portal Management Agent

This post is part of a series. The chapter index is located here.

In this post we will install and configure the MIM Portal / Service management agent.

Preparations

Portal access

Verify that you are able to access the MIM Portal before continuing.

Add the MIM Portal to the Local intranet security zone in Internet Explorer. Open Internet Options, go to the Security tab, select Local intranet, Sites, Advanced, and add the local hostname to the list. Do this both on the frontend (IM01) and on the client computers.

This enables single sign-on, so there is no need to authenticate when you access the portal in IE.

Portal permissions

All users should be able to view their own object (for the purposes of this lab). To make that happen, you have to enable the “User management: Users can read attributes of their own” Management Policy Rule.

Open the rule, enable it, save and submit.


Firewall rules

Make sure that the MIM Portal / Service firewall rules are installed and enabled. On IM01, launch Windows Firewall with Advanced Security and look for the Forefront Identity Manager Service rules. There should be two.
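The three preparation checks above (firewall rules present and enabled, the FIMService endpoint reachable, and single sign-on to the portal working) can be verified from an elevated PowerShell prompt on IM01. This is an added example, not part of the original post; it assumes the portal is published at the default path http://im01.mim.local/IdentityManagement, since the post only gives the FIMService base address.

```powershell
# Pre-flight checks for the MIM Service MA lab (added example, not from the original post).
# Assumptions: run on IM01 in an elevated PowerShell; the MIM Portal is at the default
# path /IdentityManagement on the same host that serves FIMService on port 5725.

$serviceHost = 'im01.mim.local'
$servicePort = 5725
$portalUrl   = "http://$serviceHost/IdentityManagement"   # assumed default portal path

# 1. Both "Forefront Identity Manager Service" firewall rules must exist and be enabled.
$rules = Get-NetFirewallRule -DisplayName 'Forefront Identity Manager Service*' -ErrorAction SilentlyContinue
if (-not $rules) {
    Write-Warning 'No Forefront Identity Manager Service firewall rules found.'
} else {
    foreach ($rule in $rules) {
        $state = if ($rule.Enabled -eq 'True') { 'OK' } else { 'DISABLED' }
        '{0,-10} {1}' -f $state, $rule.DisplayName
    }
}

# 2. The FIMService endpoint the MA will connect to must accept TCP connections.
$tcp = Test-NetConnection -ComputerName $serviceHost -Port $servicePort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    '{0,-10} {1}:{2} reachable' -f 'OK', $serviceHost, $servicePort
} else {
    Write-Warning "FIMService port $servicePort on $serviceHost is not reachable."
}

# 3. Single sign-on: with the site in the Local intranet zone the current Windows
#    credentials are sent automatically, so an HTTP 200 without a prompt means SSO works.
try {
    $resp = Invoke-WebRequest -Uri $portalUrl -UseDefaultCredentials -UseBasicParsing -TimeoutSec 30
    '{0,-10} portal answered HTTP {1} using integrated authentication' -f 'OK', $resp.StatusCode
} catch {
    Write-Warning "Portal request to $portalUrl failed: $($_.Exception.Message)"
}
```

Run it as the account that will use the portal; a 401 on the last step means the zone setting or Windows integrated authentication is not in effect for that user.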


Creating the MIM Portal / Service Management agent

This MA is often referred to as the MIM MA or FIM MA, which can be a bit confusing for newcomers, so I will call it the MIM Service MA for brevity.

Start by opening the Synchronization Service Manager, click Management Agents, then Create. Select FIM Service MA as the type of MA.

Connect to database

  • Server: IM01
  • Database: FIMService
  • FIMService base address: http://im01.mim.local:5725
  • Authentication mode: Windows integrated
  • User name: MIMMA
  • Domain: MIM


Select object types

Select the following object types:

  • DetectedRuleEntry
  • ExpectedRuleEntry
  • Group
  • Person
  • SynchronizationRule


Select attributes

Make sure that all attributes are selected. You have to tick “Show all” to view the complete list.


Configure connector filter

Accept the defaults on this screen.


Configure Object Type Mappings

Create object type mappings for the Person and Group object types.

Configure attribute flow

Create Person attribute flows according to the table below. Be aware that the table in the Microsoft guide is incomplete, at least it was at the time of writing: the import flows were missing, which will incite a visit from General Fault and his buddy Major Failure in LAB7. You can of course expand this list with additional attributes; the table below adds just the minimum needed to get the MAs working.

Data Source Attribute    Flow Direction    Metaverse Attribute
AccountName              Export            accountName
DisplayName              Export            displayName
Domain                   Export            domain
Email                    Export            mail
EmployeeID               Export            employeeID
EmployeeType             Export            employeeType
FirstName                Export            firstName
LastName                 Export            lastName
ObjectSID                Export            objectSid
AccountName              Import            accountName
DisplayName              Import            displayName
Domain                   Import            domain
FirstName                Import            firstName
LastName                 Import            sn
MailNickname             Import            mailNickname

And for the Group object type:

Data Source Attribute    Flow Direction    Metaverse Attribute
AccountName              Export            accountName
DisplayName              Export            displayName
Domain                   Export            domain
Email                    Export            mail
MailNickName             Export            mailNickName
Member                   Export            member
MembershipAddWorkflow    Export            membershipAddWorkflow
MembershipLocked         Export            membershipLocked
ObjectSID                Export            objectSid
Scope                    Export            scope
Type                     Export            type
AccountName              Import            accountName
DisplayedOwner           Import            displayedOwner
DisplayName              Import            displayName
MailNickName             Import            mailNickName
Member                   Import            member
Scope                    Import            scope
Type                     Import            type

Configure deprovisioning

Accept the defaults for now.


The end of MIM LAB 5

This post is part of a series, and the chapter index is located here. In the next chapter, we will create the first AD MA for the mim.local forest and create run profiles.

Author: DizzyBadger

SQL Server DBA, Cluster expert, Principal Analyst
