Installation of the Privileged Access Management (PAM) feature

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on Aug 25, 2015

Considerations before you install this feature

  1. Have you already installed MIM 2016?

    • Was it a clean install or an upgrade?

      • Have you verified that all PAM prerequisites are completed?

        • Prerequisites (will be posted shortly)

    • If you have not previously installed MIM 2016, will this install be a clean install or an upgrade?

      • If this is a clean install, are all prerequisites completed?

        • Prerequisites (will be posted shortly)

      • Has the MIM Synchronization Service been installed, either via a clean install or an upgrade?

      • Will you be installing MIM and the PAM features at the same time or separately?

        • I recommend separately.

    • If this is an upgrade, do you have the additional PAM prerequisites completed?

      • Prerequisites (will be posted shortly)

      • Will you be installing MIM and the PAM features at the same time or separately?

        • I recommend separately.

  • If you need assistance with the installation of the MIM Service and Portal, you can follow this post.

  • Before you continue, verify that you have completed the following steps.

    1. If running a virtual machine, I would also take a snapshot (although this is not necessary, it may be good to have in case of an emergency, break-glass kind of thing).

    2. Verify that the Synchronization Service has already been successfully upgraded.

    3. Verify that the local SQL Agent is running.

    4. Verify that the SharePoint Administration Service is started.

    5. Verify which version of the FIM Service and Portal is running.

    6. Stop the Forefront Identity Manager Synchronization Service if it is running.

    7. Stop the Forefront Identity Manager Service if it is running.

    8. When you believe you are ready, take a breath, get a fresh cup of coffee, and let's begin...

    9. Understanding the Account Security Warning (future blog post)

    Final note before installation: depending on whether MIM was a clean install or an in-place upgrade, you may notice some of the old names associated with FIM.

    Now to the configuration of the Privileged Access Management (PAM) feature

    If you're going to install the MIM Service and Portal piece and the Privileged Access Management (PAM) feature at the same time, I would recommend starting with the post for Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Service and Portal - Upgrade from FIM 2010 R2, and when you get to the Privileged Access Management (PAM) feature you can follow the steps below.

    You will begin with the standard installation wizard.

    If you have previously installed the MIM Service and Portal as recommended, you will be presented with the following. Click on Change; this will allow you to add or remove features in the current installation.

    You are now presented with the MIM Customer Experience Program. Remember, if you don't contribute, how is it supposed to get better? Of course, your company policies may not allow you to participate, so always follow your corporate policies. Once you make a selection, select Next.

    You are now presented with the Custom Setup screen. Select the option for Privileged Access Management.

    Select "Will be installed on local hard drive".

    Verify that all the features that you wish to install have been selected.

    You're now at the Configure Common Services screen. Type in the following; this should be pre-populated if this is installed as a change configuration.

    • Database Server:

      • Type the name of the SQL Server that hosts the FIM / MIM Service database

    • Database Name:

      • Type the name of the FIM / MIM Service database

    After you enter or verify the information click on Next

    You now need to configure the mail server connection

    Enter in and verify that the information is correct and then click on Next to Continue

    The next screen is where you're presented with the Generate Certificate screen.

    Unless you are using your own certificates, click on "Generate a new self-issued certificate", then click on Next.

    In the next screen, enter the account information (if this is a change install, some of this information will be pre-populated). You will need to enter the password of the service account.

    NOTE: This is also how you would correctly change the FIM / MIM Service account password. You would run through this install package as a change install and update the password here. This is yet another reason I like to keep a step-by-step document with screenshots and other information related to the install: the last thing you want to do is inadvertently break your identity management environment because you made a "change" other than the password during a change install that was only meant to update the password for this or any other FIM / MIM service account.

    • Service Account Name -

    • Service Account Password -

    • Service Account Domain -

    • Service Email Account -

    After you verify that the information has been entered correctly, click on Next. You may receive the following Account Security Warning (Steps to Secure).

    Click on Next to continue

    Verify or enter the correct information needed for the FIM/MIM Service to communicate with the Synchronization Service.

    • Synchronization Service – the name of the server the Synchronization Service is installed on.

    • MIM Management Agent Account – the domain and the service account used for the MIM (or FIM, if this was an upgrade) management agent.

    Then Click on Next

    The next screen requires the MIM Service server address, or the server that the FIM Service was installed on if this is an in-place upgrade. Then click Next.

    Enter the SharePoint Site Collection URL that was used in the configuration of SharePoint Foundation and click Next.

    In the next screen you need to enter the Registration Portal URL, but only if it has been previously installed or you are in the process of configuring it. Then click Next.

    In this screen you will need to check the option to grant authenticated users access to the MIM Portal site. Click on Next to continue.

    In this screen, unless you are using a separate REST API, you only need to enter the port.

    Enter 8086 and then click Next.

    Remember the service accounts that were mentioned in the MIM PAM Prerequisites section; you will now need this information. The first service account needed is the P

    The first service account that is required is for the Privileged Access Management REST API. For this section, enter the service account that was used when configuring SharePoint Foundation.

    • Application Pool Account Name

    • Application Pool Account Password

    • Application Pool Account Domain

    You will be unable to continue without having all of the prerequisite service accounts; any attempt to continue without entering the information will result in the following error.

    After you have entered the information, verify that the information is correct.

    Click on Next, and you may be presented with an Account Security Warning (Steps to Secure).

    If you get this warning, it is the same one you may have seen in the past when installing, configuring, or upgrading FIM / MIM. We will review this later, but for now click on Next.

    You are now presented with the screen to Configure the PAM Component Service

    • Service Account Name

    • Service Account Password

    • Service Account Domain

    After you enter the service account information, verify that the information is correct.

    When you are ready, click on Next to continue.

    You may once again receive the Account Security Warning (Steps to Secure). Click on Next to continue.

    You are now presented with the Privileged Access Management Monitoring Service Configuration page.

    Enter the information and verify it is correct.

    Once you're ready, click on Next to continue. You may once again get the Account Security Warning (Steps to Secure).

    Click on Next to Continue

    In the next window you will be presented with options for "SSPR" (Self-Service Password Reset). If you are also installing Self-Service Password Reset features, select the necessary options and enter the account name for each feature in the format DOMAIN\SVC_Account.

    If you are planning on installing this feature later, you can skip this section by just clicking on Next.

    You are now presented with a screen that will allow you to commit the change and begin the configuration. Click on Change to continue when you are ready.

    At this point the configuration should begin, but if you missed a step that was described in the prerequisites section, you may see one of the following messages.

    Possible Errors you may see

    • This Message notifies you that the SQL Agent is not running locally on the Server that you wish to install the PAM Feature on.

    • Start the correct SQL Agent

    • This message will be displayed if the SharePoint 2010 Administration Service is not running. This is the same regardless of which version of SharePoint Foundation is installed.

    • Start the service and click on Retry

    Regardless of whether you received any of the errors, once any errors have been resolved you will be presented with the following window, which displays the installation progress.

    There may be this one last error / Warning you can choose to let the Installation attempt to Close and Stop the listed Services or you can stop them yourself. Personally I like to stop them myself it just feels safer.

    When you’re ready click on OK to Continue

    The Installation will now continue

    If you see the following message you will need to verify the media is attached and can be found, Click on OK to continue

    If for some reason the media cannot be found you may need to copy the Installation Files locally and start over.

    The Installation will continue and at some point you should notice the Service is being restarted.

    The Installation will continue displaying various status updates and messages.

    Once complete you will be presented with the following Screen DO NOT CLICK ON FINISH YET

    Verify that the Message says “ Completed the Microsoft Service and Portal Setup Wizard”

    Sometimes the installation will get all the way to this point and appear to have completed, but the message will say it was not successful. What happens is that sometimes people are click-happy: they do not notice that it did not complete successfully, they assume it did, and then when they try to open the portal they are unable to do so. Catching the status at this point will drastically reduce the amount of troubleshooting needed if it was in fact unsuccessful. But because you are super lucky and everything always works, that is not the case, and you can click on Finish.

    Congratulations you just installed the PAM Feature

    You're now presented with this message. Close any applications and save any documents if needed, and then click on Yes to reboot the machine.

    Once the machine reboots, verify that all the necessary services have been started, in addition to the FIM Synchronization Service and the FIMService.

    Verify that the Portal page is still functional.

    Verify that the accounts are secured.
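    As an added example (not part of the original post and not Microsoft's own tooling), the following PowerShell script covers the service checks from the pre-install list earlier in the post (SQL Agent and SharePoint Administration running, FIM Service version, FIM services stopped) and the post-reboot checks above (services up, portal answering). The service names, the PAM service names in particular, and the portal URL are assumptions noted in the comments; adjust them to your environment.

```powershell
# Added example, not from the original post. Assumed service names: SQLSERVERAGENT
# (default instance; named instances use SQLAgent$NAME), SPAdminV4 (SharePoint
# Administration), FIMSynchronizationService, FIMService, and for the two PAM
# services PamComponentService and PamMonitoringService. Adjust to match your host.
param(
    [ValidateSet('PreInstall', 'PostReboot')] [string]$Phase = 'PreInstall',
    [string]$SqlAgent  = 'SQLSERVERAGENT',
    [string]$PortalUrl = 'http://mim.example.local/IdentityManagement'  # placeholder URL
)

function Get-ServiceState([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status.ToString() } else { 'NOT FOUND' }
}

# Prints one line per service; returns $false if any service is not in the wanted state
function Test-Services([hashtable]$Wanted) {
    $allOk = $true
    foreach ($name in $Wanted.Keys) {
        $state = Get-ServiceState $name
        $ok = ($state -eq $Wanted[$name])
        if (-not $ok) { $allOk = $false }
        Write-Host ('{0,-26} {1,-10} want {2,-8} {3}' -f $name, $state, $Wanted[$name],
                    $(if ($ok) { 'OK' } else { 'ACTION' }))
    }
    return $allOk
}

if ($Phase -eq 'PreInstall') {
    # Steps 3, 4, 6 and 7 of the pre-install list: Agent and SP Admin up, FIM services down
    $wanted = @{ 'SPAdminV4' = 'Running'; 'FIMSynchronizationService' = 'Stopped'; 'FIMService' = 'Stopped' }
    $wanted[$SqlAgent] = 'Running'
    $ready = Test-Services $wanted
    # Step 5: file version of the FIM/MIM Service binary (the post installs 4.3.1935.0)
    $path = (Get-CimInstance Win32_Service -Filter "Name='FIMService'").PathName
    if ($path) {
        $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path.Split(' ')[0] }
        Write-Host ('FIMService version: ' + (Get-Item $exe).VersionInfo.FileVersion)
    }
} else {
    # After the reboot: Sync, FIM Service and both PAM services up, and the portal answering
    $ready = Test-Services @{ 'FIMSynchronizationService' = 'Running'; 'FIMService' = 'Running';
                              'PamComponentService' = 'Running'; 'PamMonitoringService' = 'Running' }
    try {
        $code = (Invoke-WebRequest -Uri $PortalUrl -UseDefaultCredentials -UseBasicParsing).StatusCode
        Write-Host "Portal $PortalUrl returned HTTP $code"
    } catch { Write-Host "Portal $PortalUrl not reachable: $($_.Exception.Message)"; $ready = $false }
}
if ($ready) { 'All checks passed' } else { 'Resolve the ACTION items above before continuing' }
```

    Run it as an administrator on the MIM server with `-Phase PreInstall` before clicking Change, and with `-Phase PostReboot` after the machine comes back up.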

    Once again Congratulations you are ready to continue with your PAM Configuration

    Questions? Comments? Love FIM so much you can't even stand it?
