Using a BPOS service account with FIM

One of the requirements for FIM 2010 is to have an email server (preferably Exchange 2007-2010) for notifications and other email-based functionality. But what do you do if you’ve migrated to a cloud-based email solution such as BPOS? You can use a BPOS service account with FIM, but unfortunately you won’t get the Outlook client functionality – it will be just like having another non-Exchange 2007-2010 mail server.

Update for Office 365: They’ve published some proper instructions now; however, I did have one problem: I kept getting “Authentication+unsuccessful” in the SMTP logs. I raised a call with Microsoft and was told to use the smarthost address pod58001.outlook.com instead of the ones published in their document. SMTP relay then started to work immediately. Otherwise all settings were as in this post.

Configuring the BPOS service account

What we will essentially do is relay emails via the BPOS SMTP service, and for this we need a BPOS mail account. For simplicity you can give the BPOS account the same name as your FIM service account, but it is not necessary to DirSync the actual FIM service account. In my case DirSync runs in a completely different forest to FIM so the BPOS object is not sourced off the actual FIM service account. I could have also created the mailbox directly in MOAC.

There are instructions in this MSOnline Team Blog post, but they are incomplete on several key points:

  1. The note in the post about using a mail address in an authoritative domain is critical, and especially important to note if you are in a migration phase, during which BPOS is not authoritative for most of your mail domains. I had to use the default mycompany.emea.microsoftonline.com address to get it working.
  2. What is not mentioned anywhere is that the domain of the UPN of the BPOS account must match the domain of the email address. I struggled for weeks with “Client does not have permissions to send as this sender” errors because of this!
  3. The comments on that post about Administrator permissions being required can be ignored. I have it working with a non-Administrator account.

Also I wanted to add that the license type may be an issue. I am using an “Exchange Online Standard” license and it’s working. However a Microsoft engineer suggested to me that it may not work with the “Deskless” license. I haven’t tried that so I don’t know but I’d be glad to hear from anyone who has.

Setting up IIS as an internal relay

The next problem you face with FIM and the published instructions is that you have to use a non-standard port, enable TLS, and also send the logon credentials of the BPOS mail user. FIM has no capacity for any of this extra configuration, so what I did was to use IIS on the FIM Server as an internal relay.

As I’m talking FIM 2010 here, these instructions are for Windows Server 2008/R2.

  1. First you have to install the SMTP Server feature. While you’re at it, make sure the ODBC Logging service is installed for the IIS feature. Otherwise you, like me, may waste much time wondering why an SMTP log is not being generated.
  2. For some reason that I don’t understand, if you want to get at all the configuration options of IIS SMTP you have to go through the IIS 6.0 admin tool. I have some idea that I had to go through the IIS 7 interface and double-click SMTP Email before the SMTP Virtual Server showed up in IIS 6 Manager, but I’ve definitely done all the configuration in IIS 6 Manager.
  3. For security, it’s not a bad idea to restrict the IP addresses that are allowed to relay via this instance of IIS. As I’m using the IIS service on the same server as the FIM service I only need to enable localhost.
  4. For the Outbound Security, enter the BPOS username and password (taking note of my comment above about the dependency of the UPN on the authoritative domain), and also make sure you tick the TLS encryption box.
  5. On the Outbound Connections, enter “587” for the TCP port.
  6. For the Advanced Delivery Options, enter the address of the BPOS SMTP server. I’m in Europe so I’m using the emea address. The other options are listed in the MSOnline post.

Configuring FIM

Configuring FIM is now pretty easy. Basically you just tell it that the mail server is “localhost”. Unfortunately you have to deselect the “Exchange” option – while BPOS is built on Exchange you don’t have access to the web services, so it doesn’t count. Also, here I’ve disabled SSL because, as far as FIM is concerned, the email is only being passed into the queue on the local server.
For the email address of the FIM service account enter the email address of the BPOS mail user (making sure the address is in an authoritative domain, and matches the UPN domain).

To test

First, make sure you enable logging on the SMTP virtual server.

Next, create the following objects in the FIM Portal:

  • A Workflow that calls a Notification activity,
  • A Set that you can easily transition users in and out of,
  • An MPR that calls the Workflow, based on transitions in or out of the Set.

Now trigger the workflow and see what happens.

Troubleshooting tips

  • In the FIM Portal, check the status of the request on the Search Requests page.
  • Check the SMTP log. (If it’s not there, double-check you installed ODBC logging, and enabled logging on the SMTP virtual server.)
  • Check the Badmail folder.
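One way to pull the two symptoms described in this post out of the SMTP log, as an added example that is not from the original post: a small Python parser for the W3C log that the SMTP virtual server writes, run over constructed sample lines. It assumes the usual IIS SMTP W3C layout, in which outbound traffic is logged under the pseudo-user OutboundConnectionCommand/OutboundConnectionResponse and spaces in the reply text are written as “+” (which is why the log showed “Authentication+unsuccessful”); the host name, IP address and sender address in the sample are made up.

```python
import re
# Constructed sample of an IIS SMTP W3C log (not a real capture): an outbound
# session to the smarthost on port 587 whose AUTH is rejected, a later one whose
# sender is rejected, and one that succeeds. W3C logging writes spaces in
# cs-uri-query as '+', which is why the post saw "Authentication+unsuccessful".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2011-05-10 09:12:03 203.0.113.10 OutboundConnectionCommand SMTPSVC1 FIMSRV - 587 AUTH - LOGIN 0 0 4 0 0 SMTP - - - -
2011-05-10 09:12:03 203.0.113.10 OutboundConnectionResponse SMTPSVC1 FIMSRV - 587 - - 535+5.7.3+Authentication+unsuccessful 0 0 40 0 0 SMTP - - - -
2011-05-10 09:20:15 203.0.113.10 OutboundConnectionCommand SMTPSVC1 FIMSRV - 587 MAIL - FROM:<fimservice@mycompany.emea.microsoftonline.com> 0 0 55 0 0 SMTP - - - -
2011-05-10 09:20:15 203.0.113.10 OutboundConnectionResponse SMTPSVC1 FIMSRV - 587 - - 550+5.7.1+Client+does+not+have+permissions+to+send+as+this+sender 0 0 70 0 0 SMTP - - - -
2011-05-10 09:31:00 203.0.113.10 OutboundConnectionResponse SMTPSVC1 FIMSRV - 587 - - 250+2.0.0+OK 0 0 12 0 0 SMTP - - - -
"""

# Reply texts the post ran into, mapped to the fix the post describes.
HINTS = {
    "Authentication unsuccessful": "check the BPOS username/password and the smarthost address in Outbound Security",
    "does not have permissions to send as this sender": "the BPOS account's UPN domain must match the sender address domain, and that domain must be authoritative in BPOS",
}

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names never contain spaces
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or truncated line: skip rather than misalign
        row = dict(zip(fields, values))
        row["cs-uri-query"] = row["cs-uri-query"].replace("+", " ")
        rows.append(row)
    return rows

def find_relay_failures(text):
    """Return every 4xx/5xx reply from the smarthost, with a hint where the text is known."""
    failures = []
    for row in parse_w3c(text):
        if row["cs-username"] != "OutboundConnectionResponse":  # outbound replies are logged under this pseudo-user
            continue
        m = re.match(r"([45]\d\d)\s+(.*)", row["cs-uri-query"])
        if m:
            code, reply = m.groups()
            hint = next((h for k, h in HINTS.items() if k in reply), "unrecognised smarthost rejection")
            failures.append({"time": row["date"] + " " + row["time"], "code": code, "reply": reply, "hint": hint})
    return failures
```

Feed `find_relay_failures` the contents of the current log file from the SMTP virtual server instead of `SAMPLE_LOG` to list every rejection from the smarthost together with the likely cause.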

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.