PREPARATION

ADDC : USERS
PRIVATE\FIMService
PRIVATE\FIMMA
PRIVATE\FIMSPContent

ADDC : SSL
Three Web Server SSL certificates are needed:

CN=fimservice.private.lan
CN=fimportal.private.lan
CN=fimspca.private.lan


ADDC : DNS
fimservice.private.lan (FIM Service)
fimportal.private.lan (FIM Portal)
fimspca.private.lan (SharePoint Central Administration)

ADDC : SPNs

[sourcecode language="powershell"]
# Register the FIM Service and FIM Portal SPNs on their service accounts
setspn -S FIMService/fimservice.private.lan PRIVATE\fimservice
setspn -S HTTP/fimportal.private.lan PRIVATE\fimspcontent

# Constrained delegation: both accounts may delegate only to the FIM Service SPN
Import-Module ActiveDirectory
$fimPortalAccount = "fimspcontent"
$fimServiceAccount = "fimservice"
$fimServiceSpn = "FIMService/fimservice.private.lan"
Get-ADUser $fimPortalAccount | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="$fimServiceSpn"}
Get-ADUser $fimServiceAccount | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="$fimServiceSpn"}
[/sourcecode]
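As an added check (not part of the original notes), the following PowerShell verifies that the SPNs and constrained-delegation targets above actually landed on the accounts, and flags the usual Kerberos breakers: a duplicate SPN elsewhere in the domain, unconstrained delegation, or protocol transition. It assumes the account and SPN names used in these notes.

```powershell
Import-Module ActiveDirectory

# Expected SPN and constrained-delegation target per account (assumed from the notes above)
$fimServiceSpn = 'FIMService/fimservice.private.lan'
$expected = @{
    'fimservice'   = @{ Spn = $fimServiceSpn;               DelegateTo = $fimServiceSpn }
    'fimspcontent' = @{ Spn = 'HTTP/fimportal.private.lan'; DelegateTo = $fimServiceSpn }
}

$problems = @()
foreach ($sam in $expected.Keys) {
    $want = $expected[$sam]
    $user = Get-ADUser $sam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    # 1. The SPN must be registered on this account
    if ($user.servicePrincipalName -notcontains $want.Spn) {
        $problems += "$sam is missing SPN $($want.Spn)"
    }

    # 2. The SPN must be unique in the domain; a duplicate makes Kerberos fail and clients fall back to NTLM
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$($want.Spn))")
    if ($holders.Count -gt 1) {
        $problems += "SPN $($want.Spn) is registered on $($holders.Count) objects: $($holders.Name -join ', ')"
    }

    # 3. Delegation must be constrained to the FIM Service SPN and nothing else
    $targets = @($user.'msDS-AllowedToDelegateTo')
    if ($targets -notcontains $want.DelegateTo) {
        $problems += "$sam is not allowed to delegate to $($want.DelegateTo)"
    }
    $extra = $targets | Where-Object { $_ -and $_ -ne $want.DelegateTo }
    if ($extra) { $problems += "$sam has unexpected delegation targets: $($extra -join ', ')" }

    # 4. Neither unconstrained delegation nor protocol transition is needed for this setup
    if ($user.TrustedForDelegation)       { $problems += "$sam is trusted for unconstrained delegation" }
    if ($user.TrustedToAuthForDelegation) { $problems += "$sam has protocol transition enabled" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'SPN and delegation configuration matches the expected layout.' }
```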

SQL
Enable named pipes

FIM : set "User Account Control" (UAC)
> NEVER NOTIFY

FIM : USER RIGHTS
For the FIM Service account apply the following User Rights Assignments:

Deny logon as batch job
Deny logon locally
Deny access to this computer from the network


FIM : INSTALL SHAREPOINT 2013 FOUNDATION
Uncheck the "Run the SharePoint Products Configuration Wizard" checkbox at the end of the install.

FIM : FARM & Sharepoint Central Administration

[sourcecode language="powershell"]
asnp Microsoft.SharePoint.PowerShell
$databaseServer = "SQL"
$configDatabase = "FIM_SP_Config"
$adminContentDB = "FIM_SP_Content_Admin"
$passphrase = "Passw0rd"
$farmAccountName = "PRIVATE\fimadmin"
$caUrl = "https://fimspca.private.lan"

$farmAccount = Get-Credential $farmAccountName
$passphrase = (ConvertTo-SecureString $passphrase -AsPlainText -force)

Write-Host "Creating CFG and CA Databases ..."
New-SPConfigurationDatabase -DatabaseServer $databaseServer -DatabaseName $configDatabase -AdministrationContentDatabaseName $adminContentDB -Passphrase $passphrase -FarmCredentials $farmAccount

$spfarm = Get-SPFarm -ErrorAction SilentlyContinue -ErrorVariable err
if ($spfarm -eq $null -or $err) {throw "Unable to verify farm creation."}

Write-Host "ACLing SharePoint Resources..."
Initialize-SPResourceSecurity
Write-Host "Installing Services ..."
Install-SPService
Write-Host "Installing Features..."
Install-SPFeature -AllExistingFeatures

Write-Host "Creating Central Administration..."
New-SPCentralAdministration -Port 443 -WindowsAuthProvider NTLM
Write-Host "Fixing CA IIS binding..."
Set-SPCentralAdministration -Port 443 -Confirm:$false
Write-Host "Fixing Internal URL..."
Set-SPAlternateURL -Identity "https://$env:COMPUTERNAME" -Url $caUrl

Write-Host "Installing Help..."
Install-SPHelpCollection -All
Write-Host "Installing Application Content..."
Install-SPApplicationContent

Write-Host "Farm Creation Done!"
[/sourcecode]

Apply the SSL certificate to the IIS binding for Central Administration.

FIM : ADD SERVICES

[sourcecode language="powershell"]
asnp Microsoft.SharePoint.PowerShell
$stateName = "State Service"
$stateDBName = "FIM_SP_StateService"
$usageName = "Usage and Health Data Collection Service"
$usageDBName = "FIM_SP_Usage"

Write-Host "Creating $stateName Application and Proxy..."
$stateDB = New-SPStateServiceDatabase -Name $stateDBName
$state = New-SPStateServiceApplication -Name $stateName -Database $stateDB
$proxy = New-SPStateServiceApplicationProxy -Name "$stateName Proxy" -ServiceApplication $state -DefaultProxyGroup

# Create Usage Service Application and Proxy, add to Proxy Group, and provision its Proxy
Write-Host "Creating $usageName Application and Proxy..."
$serviceInstance = Get-SPUsageService
New-SPUsageApplication -Name $usageName -DatabaseName $usageDBName -UsageService $serviceInstance
$proxy = Get-SPServiceApplicationProxy | ? { $_.TypeName -eq "Usage and Health Data Collection Proxy" }
$proxy.Provision();

Write-Host "FIM SP Core Services done!"
[/sourcecode]

FIM : ADD CLASSIC MODE APPLICATION

[sourcecode language="powershell"]
asnp Microsoft.SharePoint.PowerShell
$waAppPoolUserName = "PRIVATE\fimspcontent"
$waAppPoolName = "SharePoint Content"

$waUrl = "https://fimportal.private.lan"
$hostHeader = "fimportal.private.lan"
$webAppName = "FIM Portal"
$contentDBName = "FIM_SP_Content_Portal"
$ownerEmail = "admin@private.lan"
$ownerAlias = "PRIVATE\fimadmin"

# Create Managed Account
Write-Host "Please supply the password for the $waAppPoolUserName Account..."
$appPoolCred = Get-Credential $waAppPoolUserName
Write-Host "Creating Managed Account..."
$waAppPoolAccount = New-SPManagedAccount -Credential $appPoolCred

# Create a new SSL Web App in the default Proxy Group using Windows Classic (NTLM) on Port 443
Write-Host "Creating Web Application..."
$webApp = New-SPWebApplication -ApplicationPool $waAppPoolName -ApplicationPoolAccount $waAppPoolAccount -Name $webAppName -Port 443 -SecureSocketsLayer:$true -AuthenticationMethod NTLM -HostHeader $hostHeader -DatabaseName $contentDBName

# Configure ViewState as FIM likes it
Write-Host "Configuring View State..."
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();

# Create a root Site Collection in 2010 mode
Write-Host "Creating root Site Collection..."
New-SPSite -Url $waUrl -OwnerAlias $ownerAlias -OwnerEmail $ownerEmail -Template "STS#1" -CompatibilityLevel 14

Write-Host "Disabling self service upgrade..."
$spSite = Get-SPSite $waUrl
$spSite.AllowSelfServiceUpgrade = $false

Write-Host "FIM SP Web Application done!"
[/sourcecode]

FIM : APPLY SSL CERTIFICATE

Do NOT configure Negotiate (Kerberos) authentication on this Web Application at this point, as we want to be able to validate everything is in working order before setting up Kerberos Delegation later on. SharePoint rather stupidly removes the Negotiate provider from IIS when creating Web Applications.

REGEDIT : register FQDN hostnames
BackConnectionHostnames
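An added example of the registry change, not from the original post: it appends the three FQDNs from the DNS section to BackConnectionHostNames, the per-host allowlist for the loopback check, which is preferable to switching the check off entirely with DisableLoopbackCheck. Run it elevated on the FIM/SharePoint server; IIS needs a restart afterwards.

```powershell
# Per-host loopback allowlist (REG_MULTI_SZ) used by the server's own requests to its host headers
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'
# Hostnames assumed from the DNS section of these notes
$hostnames = @('fimservice.private.lan', 'fimportal.private.lan', 'fimspca.private.lan')

# Read any names already present so other applications relying on them keep working
$existing = @()
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($item) { $existing = @($item.$valueName) }

# Merge without duplicates or empty entries
$merged = @(($existing + $hostnames) | Where-Object { $_ } | Select-Object -Unique)

if (-not $item) {
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType MultiString -Value $merged | Out-Null
} else {
    Set-ItemProperty -Path $regPath -Name $valueName -Value ([string[]]$merged)
}

# Read back what is now registered; run iisreset for IIS to pick up the change
(Get-ItemProperty -Path $regPath -Name $valueName).$valueName
```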

FIM

INSTALL FIM

FIM : NEGOTIATE / KERBEROS

[sourcecode language="powershell"]
$fimPortalUrl = "https://fimportal.private.lan"
Set-SPWebApplication -Identity $fimPortalUrl -AuthenticationMethod Kerberos -Zone Default
[/sourcecode]

Edit ApplicationHost.config
C:\Windows\System32\inetsrv\config\ApplicationHost.config and set useAppPoolCredentials="true"

Edit web.config
C:\inetpub\wwwroot\wss\VirtualDirectories\fimportal.corp.contoso.com443\web.config
and add <resourceManagementClient requireKerberos="true" />

By not configuring the HTTP redirect I got rid of JavaScript errors when browsing the IdentityManagement URI.

References and credits:

harbar.net