Setting up SharePoint Foundation 2013 for MIM 2016 SP1

It occurred to me while fighting with this over the last couple of days that I have never installed the MIM Portal in anything other than a lab. FIM Portal yes, but then only on SharePoint 2010 (even after 2013 was available, because it was a heck of a lot easier). While I know MIM 2016 SP1 ican now run on Windows Server 2016 and SharePoint 2016, the customer’s SOE is still the earlier versions. Also I had (perhaps too optimistically) assumed I’d be better off with Sharepoint 2013 because of this walkthrough.

There are a few problems with following this walkthrough, which is written for a lab, in a customer installation. Domain Admin accounts are used, it uses server names rather than aliases, and the SharePoint site is installed on port 82 for some reason. So I thought it worthwhile writing up my steps for reference.

Create Service Account

Among the service accounts you create for the solution is one for SharePoint – let’s call it svc_MIM_SharePoint. We did not want to put it in local Administrators on the server, but I had ensured it had:

  • Log on as a Service
  • Log on as a Batch Job

What we found out after struggling with “An unexpected error has occurred” on loading the SharePoint Central Administration site is that you also need:

  • Impersonate a client after authentication

Thanks to this blog poster for pointing us towards this fix: https://blogs.msdn.microsoft.com/brian_farnhill/2015/01/15/system-io-fileloadexception-for-system-servicemodel-dll-in-sharepoint-2013/

DNS, SPNs

I have seperate DNS names for the MIM Service and the MIM Portal – I think this is a good practise because the customer might want to change the Portal address and it won’t effect anything talking directly to the Service.

  • iamportal.mydomain.net
  • iamservice.mydomain.net

The following SPNs were created (linked to the MIM Service service account):

setspn -S FIMService/iamservice MYDOMAIN\svc_MIM_Service
setspn -S FIMService/iamservice.mydomain.net MYDOMAIN\svc_MIM_Service
setspn -S HTTP/iamportal MYDOMAIN\svc_MIM_SharePoint
setspn -S HTTP/iamportal.mydomain.net MYDOMAIN\svc_MIM_SharePoint

And constrained Kerberos delegation applied:

  • svc_MIM_Service –> FIMService
  • svc_MIM_SharePoint –> FIMService

Install Pre-Requisites

As is typically the case in a customer environment, there was no internet access from the server so I had to do this manually. The pre-reqs for SharePoint 2013 are covered in this KB article. I did not need all of them on Windows Server 2012 R2, the ones I did need were:

Install SharePoint Foundation

Some extra notes in addition to the walkthrough:

  1. I always create a MIM Administrator account and install SharePoint and MIM using it. It is not a Domain Admin (as suggested by the walkthrough), but it is a local Administrator on the server.
  2. Select the “Complete” option,
  3. Allow the wizard to run,
  4. Select “Create a new server farm” – note this is also what you select when installing a second MIM Portal server, as each runs independantly, and they just share the FIMService database,
  5. The database server is the shared SQL server I have for the other solution databases, so I enter it’s servername\instance,
  6. I modified the default database name to specificy the server: SharePoint_Config_MIMServerName,
  7. Then it’s just a matter of clicking through the remaining dialogs.

At the end of this the SharePoint Central Administration page should load. Login using your current account (should be the MIM Administrator account) and check that the page loads. If the page doesn’t load or you get an error there is no point pushing on – this needs to work.

Configure SharePoint

I basically followed the script provided in the walkthrough, apart from configuring the SharePoint site on port 80, and setting the MIM Administrator account as the only owner.

#Initialize values required for the script
$URL = "iamportal.mydomin.net"
$DBName = "SharePoint_Config_MIMServer"
$DBOwner = "MYDOMAIN\svc_MIM_SharePoint"
$MIMAdmin = "MYDOMAIN\svc_MIM_Admin"

## Create Web Application
$dbManagedAccount = Get-SPManagedAccount -Identity $DBOwner
New-SpWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL $URL

## Create SharePoint Site Collection
$t = Get-SPWebTemplate -compatibilityLevel 14 -Identity "STS#1"
$w = Get-SPWebApplication $Url
New-SPSite -Url $w.Url -Template $t -OwnerAlias $MIMAdmin -CompatibilityLevel 14 -Name "MIM Portal"
$s = SpSite($w.Url)
$s.AllowSelfServiceUpgrade = $false
if ($s.CompatibilityLevel -eq 14) {write-host "Site Collection creation successfully"}
else {throw ("Site collection has been created at the wrong compatability level. Expected 14, got " + $s.CompatibilityLevel)}

## Disable jobs
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

## Check site opens
start-process "http://iamportal.mydomin.net" 

At the end of this the new site should be opened and you may be prompted to login. Check that the empty site opens fine – then make sure you follow the step to add the site to Local Sites in the IE security settings.

You then need to make sure you’ve got Kerberos set up properly – you should be able to close all your browsers, restart IIS, and then open http://iamportal.mydomain.net without being prompted to login. Only when this happens are you ready to proceed with the MIM Service and Portal installation.

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.


3 thoughts on “Setting up SharePoint Foundation 2013 for MIM 2016 SP1”

  1. Thanks for this blog. I am deploying a production SharePoint 2013 foundation similar to your scenario and had some questions related to this. A response would be much appreciated.

    1. Does the SharePoint service account require the 3 listed permissions (Log on as a Service, Log on as a Batch Job & Impersonate a client after authentication) in addition to local admin on the server ?
    So far I don’t see any similar error in my lab setup which is similar to what will be deployed in production.

    2. Please confirm we need to set the SPN as FIMService/iamservice and not MIMService/iamservice.
    ( I am aware the walkthrough uses FIMService )

    3. I have 2 SharePoint 2013 foundation servers and I am configuring them as separate farms.
    in Point 6. in SharePoint Foundation installation section you mention about the default database name. how about the wss_logging & wss_content databases ? the names will conflict with the second SharePoint you install.

    I am using a script to move the configuration to a fresh Database before installing the second SharePoint.
    wondering if there is an easier way.

    4. in Point 1. in SharePoint Foundation installation section, similar to your installation, I have 2 service accounts which are NOT domain admins but local admins on the SharePoint server & sysadmin on the SQL DB (domain\mimadmin, domain\spadmin)
    I start the SharePoint installation logging into windows with mimadmin and provide the spadmin at the wizard to install SharePoint.
    after installation wizard runs I see that I am logged in to the SharePoint website with mimadmin ( expected ).
    I hope this is what you meant.

    Thanks in advance.

  2. 1. It may be that if you give it local admin you won’t need to grant the explicit permissions. In some environments local admin is frowned upon.
    2. FIMService
    3. Name the databases whatever you want. I tend to go with adding “_servername” to the end of the default name.
    4. Yes you should be logged in as the account you used to run the installation, which should be the MIM Administrator account.

  3. Hi Carol,
    I managed to get the installation (MIM Service/Portal) succeed, but come across few more hurdles:
    The walkthrough doesn’t mention about Privileged Access Management, I used contoso\administrator credentials (:8090 on the same server.
    The password registration portal (:8080) didn’t load (even after verifying with correct identities (still asks for credentials (contoso\administrator)
    the password reset portal prompts for user to reset, but also throws out some error
    Cannot see the create management agent link in IM homepage.
    In a nutshell couldn’t get past the configuration stage to synchronisation stage in the walkthrough.
    Your suggestion in the right direction will be much appreciated.

Leave a Reply

Your email address will not be published. Required fields are marked *


*