Service Accounts, SPNs, and Kerberos Delegation configurations for MIM Service and Portal Installation

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on Jun 07, 2018

Introduction:

This document is intended to be used as an operational preparatory document for the Microsoft Identity Management 2016 MIM Service and Portal Server installation. This guide covers the service accounts, Service Principal Names, and delegation needed for use with the MIM 2016 Service and Portal.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.

Document Variables:

Description                                                                  | Search and Replace Variable
---------------------------------------------------------------------------- | ---------------------------
Full Domain Name (ex. Contoso.com)                                           | [FQDOMAIN]
Common name of the first MIM Service and Portal Server (ex. Portal01)        | [MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)       | [MIM SERVER 2]
Common name of the MIM Service and Portal URL (ex. MIMPORTALVIP)             | [MIM VIP]
Common name of the MIM Installation Service Account (ex. MIMInstall)         | [INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA)                        | [MIM MA SERVICE ACCOUNT]
Common name of the MIM Service Account (ex. MIMService)                      | [MIM SERVICE ACCOUNT]
Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP) | [MIM SAP ACCOUNT]

Service Accounts:

The following service accounts are used in the installation and configuration of the MIM Service and Portal. The rights associated with each account are listed below:

[MIM MA SERVICE ACCOUNT]
  Usage: MIM Sync server account for the FIM Service (used by the MIM Management Agent).
  Notes: Allow logon locally rights assignment.

[MIM SERVICE ACCOUNT]
  Usage: MIM Service server user account for the MIM Service (the MIM Portal service account).
  Notes: Deny logon as batch job; Deny logon locally; Deny access to this computer from network.
         Must be a member of the FIMSyncAdmins group.
         If using password reset, must also be a member of the FIMSyncPasswordSet group.

[MIM SAP ACCOUNT]
  Usage: MIM Service server account for the SharePoint application pool (the MIM SharePoint application on the MIM Portal server(s)).
  Notes: Impersonate a client after authentication; Log on as a batch job; Log on as a service.

[INSTALL ACCOUNT]
  Usage: Account used for the initial installation of the MIM software.
  Notes: Needs local admin on the Sync server and SQL admin rights.
         Option: Domain Admin, to create the domain groups.

Setup Service Principal Names for MIM Service Accounts:

Configure SPN Commands:

SETSPN -S http/[MIM SERVER 1] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM SERVER 1].[FQDOMAIN] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM SERVER 2] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM SERVER 2].[FQDOMAIN] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM VIP] [MIM SAP ACCOUNT]
SETSPN -S http/[MIM VIP].[FQDOMAIN] [MIM SAP ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 1] [MIM SERVICE ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 1].[FQDOMAIN] [MIM SERVICE ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 2] [MIM SERVICE ACCOUNT]
SETSPN -S FIMService/[MIM SERVER 2].[FQDOMAIN] [MIM SERVICE ACCOUNT]
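As an added example (not from the original post), the following PowerShell builds the same SPN list from the document variables, refuses to add any SPN that another account already holds (a duplicate SPN breaks Kerberos authentication for both services), and lists the resulting registrations; the account and host names are placeholders for the variables above, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original post. Placeholder values stand in for
# the document variables; replace them with the names used in your environment.
Import-Module ActiveDirectory

$Domain     = 'contoso.com'                  # [FQDOMAIN]
$Servers    = @('Portal01', 'Portal02')      # [MIM SERVER 1], [MIM SERVER 2]
$Vip        = 'MIMPORTALVIP'                 # [MIM VIP]
$SapAccount = 'MIMSAP'                       # [MIM SAP ACCOUNT] (SharePoint app pool)
$SvcAccount = 'MIMService'                   # [MIM SERVICE ACCOUNT]

# http SPNs belong to the SharePoint application pool account (short and FQDN forms
# for every server plus the VIP); FIMService SPNs belong to the MIM Service account.
$Plan = @()
foreach ($h in ($Servers + $Vip)) {
    $Plan += [pscustomobject]@{ Spn = "http/$h";               Account = $SapAccount }
    $Plan += [pscustomobject]@{ Spn = "http/$h.$Domain";       Account = $SapAccount }
}
foreach ($h in $Servers) {
    $Plan += [pscustomobject]@{ Spn = "FIMService/$h";         Account = $SvcAccount }
    $Plan += [pscustomobject]@{ Spn = "FIMService/$h.$Domain"; Account = $SvcAccount }
}

foreach ($entry in $Plan) {
    # Same duplicate check setspn -S performs: does any object already carry this SPN?
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$($entry.Spn))" -Properties sAMAccountName
    if ($owner -and ($owner.sAMAccountName -ne $entry.Account)) {
        Write-Warning "Duplicate: $($entry.Spn) is already registered on $($owner.sAMAccountName); not added"
        continue
    }
    if (-not $owner) {
        Set-ADUser -Identity $entry.Account -ServicePrincipalNames @{ Add = $entry.Spn }
        Write-Host "Registered $($entry.Spn) on $($entry.Account)"
    }
}

# Final state of both accounts for review against the command list above
foreach ($acct in $SapAccount, $SvcAccount) {
    (Get-ADUser -Identity $acct -Properties servicePrincipalName).servicePrincipalName |
        ForEach-Object { "{0,-12} {1}" -f $acct, $_ }
}
```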

Setup Kerberos Delegation:

Service Account       | Delegation Account    | Description
--------------------- | --------------------- | -----------
[MIM SAP ACCOUNT]     | [MIM SERVICE ACCOUNT] | The MIM Portal on the MIM Service server needs to access the MIM Service on the MIM Service server. The MIM Portal uses Kerberos constrained delegation to act on behalf of the user.
[MIM SERVICE ACCOUNT] | [MIM SERVICE ACCOUNT] | Needed in the event a workflow running in the MIM Service needs to access the MIM Service.


After configuring the Service Principal Names noted in the previous section, the following delegations must be configured to ensure proper Kerberos delegation functionality.

MIM SAP ACCOUNT [MIM SAP ACCOUNT] DELEGATION

Launch Active Directory Users and Computers
Select the [MIM SAP ACCOUNT] service account
Right-click and select Properties
Select the Delegation tab
Select Trust this user for delegation to specified services only
Select Use Kerberos only
Select Add
Select the Users or Computers button
Enter [MIM SERVICE ACCOUNT]
Select Check Names
Select OK

Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows:

Service Type | User or Computer
------------ | ----------------
http         | [MIM VIP].[FQDOMAIN]
http         | [MIM SERVER 1].[FQDOMAIN]
http         | [MIM SERVER 2].[FQDOMAIN]

MIM SERVICE ACCOUNT [MIM SERVICE ACCOUNT] DELEGATION

Launch Active Directory Users and Computers
Select the [MIM SERVICE ACCOUNT] service account
Right-click and select Properties
Select the Delegation tab
Select Trust this user for delegation to specified services only
Select Use Kerberos only
Select Add
Select the Users or Computers button
Enter [MIM SERVICE ACCOUNT]
Select Check Names
Select OK

Once complete, delegation for the [MIM SERVICE ACCOUNT] account should appear as follows:

Service Type | User or Computer
------------ | ----------------
FIMService   | [MIM VIP].[FQDOMAIN]
FIMService   | [MIM SERVER 1].[FQDOMAIN]
FIMService   | [MIM SERVER 2].[FQDOMAIN]
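As an added example (not from the original post), this PowerShell reads each account's msDS-AllowedToDelegateTo list and userAccountControl flags and compares them with the two expected tables above, flagging any target that is missing or unexpected and any account that has drifted to unconstrained delegation or protocol transition, neither of which the "specified services only" / "Use Kerberos only" setting should produce; the account and host names are placeholders for the document variables, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original post. Placeholder values stand in for
# the document variables; replace them with the names used in your environment.
Import-Module ActiveDirectory

$Domain = 'contoso.com'                                   # [FQDOMAIN]
$Hosts  = @('MIMPORTALVIP', 'Portal01', 'Portal02')       # [MIM VIP], [MIM SERVER 1], [MIM SERVER 2]

# Expected msDS-AllowedToDelegateTo entries, taken from the two tables above
$Expected = @{
    'MIMSAP'     = @($Hosts | ForEach-Object { "http/$_.$Domain" })        # [MIM SAP ACCOUNT]
    'MIMService' = @($Hosts | ForEach-Object { "FIMService/$_.$Domain" })  # [MIM SERVICE ACCOUNT]
}

# userAccountControl bits that must stay clear for "specified services only" + "Kerberos only"
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation (any service)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

foreach ($acct in $Expected.Keys) {
    $u   = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo, userAccountControl
    $uac = [int]$u.userAccountControl
    $actual = @($u.'msDS-AllowedToDelegateTo')

    # Comparisons are case-insensitive, matching how SPNs are treated by the KDC
    $missing = @($Expected[$acct] | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $Expected[$acct] -notcontains $_ })
    $badUac  = [bool]($uac -band ($TRUSTED_FOR_DELEGATION -bor $TRUSTED_TO_AUTH_FOR_DELEGATION))

    [pscustomobject]@{
        Account            = $acct
        Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        MissingTargets     = ($missing -join ', ')
        ExtraTargets       = ($extra -join ', ')
        Ok                 = ($missing.Count -eq 0) -and ($extra.Count -eq 0) -and (-not $badUac)
    }
}
```

An account that reports Ok = False after the ADUC steps above is the first thing to revisit before troubleshooting Kerberos errors in the Portal.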
