FIM requires several service accounts and groups, each with their own configuration requirements. However, there isn’t a single document that I’ve found that lists out all the accounts and the access they need.
This is a compilation of information from various Microsoft articles with information on FIM service accounts.
User logon name
|FIM Service||FIMService||Required by FIM to run the FIM Portal. If using PCNS, SPNs for this account need to be added. Setspn.exe –S FIMService/fim1CORP\FIMServiceSetspn.exe –S FIMService/fim1.corp.contoso.com CORP\FIMServiceIf using Kerberos, delegation needs to be enabled.If using PCNS, SPNs also need to be set on this account for that (see section on PCNS below this table.)|
|FIM Synch Service||FIMSyncService||Required by FIM to run the FIM Synchronization Service|
|FIM MA||FIMMA||Required by FIM to provision and deprovision from the FIM Portal|
|SharePoint Service||SPService||SharePoint service accountSetspn.exe –S HTTP/fim1 CORP\SPServiceSetspn.exe –S HTTP/fim1.corp.contoso.com CORP\SPServiceIf using Kerberos, delegation needs to be enabled.|
|FIM ADMA||FIMADMA||Required by FIM to manage objects in Active Directory- Need replicate directory changes permissions- Needs full control on OUs FIM is managing- Needs Organization Management role for Exchange if mailboxes are being provisioned.A full explanation of configuring the ADMA account can be found here: https://social.technet.microsoft.com/wiki/contents/articles/how-to-configure-the-adma-account.aspx|
|FIM Installer||FIMInstaller||Recommended account with administrator rights on FIM servers to install software. This should be a local administrator account on the FIM and SCSM servers. It also needs sysadmin on SQL during installation. If using SCSM, the account also needs local administrator rights on the SQL server. After installation on development, rights can be lowered or the account can be disabled. (Note: during updates, this right may need to be granted while the update is installing.)|
Detailed instructions on setting up the FIM Service accounts can be found here: https://technet.microsoft.com/en-us/library/hh322882(v=ws.10)
Detailed information on the SPNs used by FIM can be found here: https://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx
One thing to take careful note of is this step:
Note: When the installation is split between two servers, the service account for FIMService (the one that runs the service) should not be configured in the secure matter (deny logon as a batch job, deny logon locally, deny access to this computer from the network) on the server with the synchronization service. FIM Service account should be configured in the secure matter only on the server with FIM Service and Portal.
Password Reset SPNS
If using the password reset portal, set SPNs as follows:
Setspn.exe –S HTTP/Passwordreset.corp.contoso.com CORP\FIM2$
Setspn.exe –S HTTP/Passwordregistration.corp.contoso.com CORP\FIM2$
To configure the SPN using Setspn.exe
- At a command-line prompt, type the commands shown by the following syntax:
Setspn.exe -a <user defined named for target FIM Sync server>/<fully qualified domain name of the server running FIM Sync>\<domain\user name of the FIM Sync service account>
Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount
The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to FIM. If there are multiple SPN, you can delete the superfluous ones as follows:
In ADUC, refresh the domain. Then, making sure “Advanced Features” is turned on under “View”, navigate to “System” then “Password Change Notification Service”. It with show the list of the targets and you can delete the incorrect one.
Using the –s switch with the Setspn.exe helps ensure that no duplicates are created when you are configuring SPNs. This switch sets the spn only after verifying that no duplicates exist.
To verify the SPN setting for MIIS 2003
- Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.
- At a command prompt, type setspn –L <FIM Sync service account>, and then press ENTER.
- Verify that the following SPN is registered for the <FIM Sync service account>: PCNSCLNT\<FIM Sync server host name>
PCNS uses inclusion and exclusion AD groups. These need to be created in Active Directory (only the inclusion group is required, the exclusion group is optional. If a user is in the exclusion group, the password change will not be transmitted even if the user is in the inclusion group).
To configure PCNS, run the configuration utility found in the installation directory of PCNS.
pcnscfg ADDTARGET /N:FIMserver1 /A:FIMserver1.contoso.edu /S:PCNSCLNT/FIMserver1.contoso.edu/FI:”Domain Users” /FE:”Domain Admins” /F:1 /I:600 /D:False /WL:20 /WI:60
- PCNS inclusion and exclusion groups
Apart from the PCNS groups, these groups are needed when installing the FIM Service. They can be AD groups or local groups.
The membership needs to be:
– FIM Installer account
FIMInstaller needs to have read access to the OU the groups are in if they are Active Directory groups.
For more information on group configuration and permissions, please see this article: https://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx.
- With the release of FIM R2 came a new reporting feature that leverages System Center Service Manager (SCSM).If using this feature, the following accounts will be needed:
SCSM Installer Account
Must be a local admin on the SCSM and SCSMDW server.
Must have rights in SQL to create databases and assign security roles. (We used sysadmin.)
Must be a member of the local Administrators group on the SQL Server.
After installation, the account access can be lowered or the account can be disabled and re-enabled if updates need to be installed.
It is also possible to use the FIM Installer account rather than creating a separate SCSM Installer account.
SCSM Administrators Group
Security group in AD
The Installer account is added to this group automatically.
The group is added to the Service Manager Administrators role automatically.
The group is added to the Data Warehouse Administrators role automatically.
Service Manager Service Account
Local admin on the SCSM and SCSMDW server. (Use the same account for both servers.)
After installation becomes the Operational System Account, is assigned to logon account for both System Center Data Access Service and System Center Management Configuration Service.
In SQL, it is added to the sdk_users and configsvc_users database roles on the SCSM and SCSMDW databases becomes a member of the db_datareader role for the DWRepository database.
After installation, becomes the data warehouse run as account, is assigned to the Service Manager SDK account and Service Manager Config account.
Member of the local Users security group.
If email notifications are required, this account must be mail enabled.
Used by SSRS to access the DWDataMart data.
In SQL, it is added to the db_datareader and reportuser roles on the DWDataMart database.