I described in an earlier post the problems I was having installing and configuring FIM 2010 R2 SP1 on SharePoint Foundation 2013 and if you’ve had to do this, then chances are you’ve been just as disappointed by Microsoft’s documentation as I was. If that’s the case, then this is the guide for you.
Keep in mind, this is written from the perspective of a FIM consultant who had to nut it out using the Microsoft Installing FIM 2010 R2 on SharePoint Foundation 2013 guide and my own ingenuity. For a more in-depth guide from a SharePoint specialist, check out Spencer Harbar’s guide, which includes some detail around configuring SSL and takes a SharePoint “purist” approach, rather than the GUI-where-possible approach I used.
This guide is comprised of the following sections:
- Why you shouldn’t use SharePoint Foundation 2013 for FIM 2010 R2 SP1
- FIM Service and Portal Pre-requisites
- Installing the SharePoint Foundation 2013 Pre-requisites
- Installing SharePoint Foundation 2013
- Running the SharePoint Foundation 2013 Farm Configuration Wizard (GUI)
- Creating a SharePoint Foundation 2013 Web Application (Powershell)
- Creating a 2010 Experience Mode Site Collection (GUI)
- Configuring SharePoint Foundation 2013 for FIM 2010 R2 SP1 Portal
- Installing the FIM Service and Portal
Why you shouldn’t use SharePoint Foundation 2013 for FIM 2010 R2 SP1
If you’re like me, then you’re probably tempted to upgrade to SharePoint Foundation 2013 when doing your FIM 2010 R2 SP1 upgrade. I mean, it makes sense – it’s the latest release, why wouldn’t you upgrade to it when you’re doing a major FIM upgrade anyway? However, unless you’re running Windows 2012, don’t use SPF 2013. Here’s why:
- If you run the “Standalone” installation, the default Web Application and Site Collection that are configured are incompatible with FIM 2010. You will need to uninstall both and re-install using the SharePoint Administration Shell (Powershell)
- You need to do this via the Management Shell because Classic Authentication has been deprecated in SPF 2013 in favour of Claims-Based authentication. As such, you can’t select it as an option via the GUI and you even get a big red warning message (see below) when configuring a new site via the shell.
- You have to run your sites in SharePoint 2010 Experience mode anyway, as the FIM Portal doesn’t support being installed on a SharePoint 2013 site collection.
My natural thought was to use the latest version of SharePoint Foundation when performing the upgrade, but as I was deploying I realised that while the FIM Portal will install on SPF 2013, it’s really designed to work with WSS 3.0 and SPF 2010. At this stage, it seems that the only reason support for SharePoint Foundation 2013 was added to FIM 2010 R2 SP1 was because Windows Server 2012 doesn’t yet support SharePoint Foundation 2010 – apparently this support is coming with SPF 2010 SP2. So until SPF 2010 SP2 is released, anyone wishing to install the FIM Portal for FIM 2010 R2 SP1 on Windows Server 2012 will need to use SharePoint Foundation 2013. In my opinion, everyone else should just stick to SharePoint Foundation 2010, or WSS 3.0.
That said, if you’re determined to do it, this guide should help you.
The screenshots detail an installation performed on Windows Server 2012, however I have also run through these steps on Windows 2008 R2.
FIM Service and Portal Pre-requisites
You should already be familiar with Microsoft’s Before You Begin guide if you’ve installed an earlier version of FIM. If you’re not, make sure you follow these steps before you install the FIM Service and Portal:
- Install FIM Synchronisation Service either on this server, or another server. In my environment, it’s a different server.
- Prepare your FIMService, FIMMA, SPF and SPFAppPool service accounts.
- Have a mail server and an e-mail address for the FIM Service to use
Installing the SharePoint Foundation 2013 Pre-requisites
This is fairly straight forward, as the SPF Pre-requisites installer will setup almost all of the Windows Features, such as IIS, as well as the other SPF 2013 pre-requisites. If there are any warnings, or errors, it’s pretty helpful in telling you what you need to do. Download and run the SharePoint Foundation 2013 installer to be presented with the following:




Installing SharePoint Foundation 2013
Once you’ve restarted your system, run the SharePoint Foundation 2013 installer again and this time select “Install SharePoint Foundation”.

Server-Type: Complete or Stand-alone?
If you choose stand-alone, FIM will install an express database and pre-configure a SharePoint site. Unfortunately, the SharePoint site it pre-configures uses Claims-Based Authentication, which FIM doesn’t support, and to create a site that uses classic-mode Windows Authentication, you’re going to have to delete the pre-configured site and create a new one via the SharePoint 2013 Management Shell (not supported via the GUI). I also see no point in using an express database if you have access to a proper SQL Server database.

Running the SharePoint Foundation 2013 Farm Configuration Wizard (GUI)
Now that SharePoint Foundation is installed, you need to create a new Server Farm and configure SharePoint Central Administration. If you’re familiar with SharePoint, you can do this via the SharePoint Management Shell using Powershell, however you can use the GUI at this stage. Since I like things simple, that’s exactly what I did.




Note: SharePoint Foundation 2013 will actually issue a health warning in Central Administration if your database is on the same server as your SharePoint server. Don’t do this in a production environment.





Creating a SharePoint Foundation 2013 Web Application (Powershell)
Okay, now that the Server Farm has been created, and Central Administration is configured, the next step is for you to create your SharePoint Web Application. You actually need to use the SharePoint Management Shell, which is a Powershell interface, in order to do this, as the GUI will set up your site in a way that means FIM can’t use it. Load the SharePoint Management Shell from your start menu and enter the following:
$adminCredentials = Get-Credential "FIMSPECIALIST\FIMSPAppPool"
$adminManagedAccount = New-SPManagedAccount -Credential $adminCredentials
New-SPWebApplication -Name "FIM Portal" -ApplicationPool "FIMAppPool" -ApplicationPoolAccount $adminManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL "http://FIMPortal.fimspecialist.com"
Note that it can take quite a while to create your Web Application. At some stage, you should see a warning pop up, telling you that Windows Classic authentication is deprecated in SPF 2013, and then confirmation that your site has been created:
Creating a 2010 Experience Mode Site Collection (GUI)
Now that your Web Application has been created, you can actually go in and create a site collection for FIM through the SharePoint Central Administration GUI.



Note: When I was creating my site collection through the GUI, I seemed to have a bit of a problem here, where SharePoint was still creating the site collection in 2013 experience mode. After you’ve created your site, run the following to double check that the site collection has been installed as the correct version:
$spSite = Get-SPSite "http://fimportal.fimspecialist.com"
$spSite.CompatibilityLevel
If this returns ’14’, all is good. If this returns ’15’, you need to delete your site collection and try again. Interestingly, after fiddling around a bit, I’m now only able to create sites in 2010 Experience mode:
Anyway, scroll down and you will be presented with more options:


Configuring SharePoint Foundation 2013 for FIM 2010 R2 SP1 Portal
Now that you’ve installed SharePoint, created a Web Application and created a site collection within that web application, there are just a few last configuration steps to ensure that the SPF 2013 instance is ready to have the FIM Portal installed on it:
Step 1: Disable server-side viewstate.
Open the SharePoint Management Shell again and as per the Microsoft guide to Installing FIM 2010 R2 on SharePoint Foundation 2013, execute the following:
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();
Step 2: Disable Self-service upgrades
In the same SharePoint Management Shell, execute:
$spSite = Get-SPSite "http://fimportal.fimspecialist.com/"
$spSite.AllowSelfServiceUpgrade = $false
Note: As mentioned above, I had an issue where the site collection was still being created in 2013 Experience Mode, despite selecting the 2010 option during creation. In this case, when I ran “$spSite.AllowSelfServiceUpgrade = $false”, I would receive the error:
System.InvalidOperationException: Invalid operation given the current state of the object.
After digging around, I discovered that the error is caused because a 2013 site is already considered to be upgraded, so you can’t set the AllowSelfServiceUpgrade value. If you get this error, delete your site collection and re-create it, double-checking that you select 2010 Experience Mode. Be sure to check the CompatibilityLevel to ensure ’14’ is returned.
Step 3: Create the SPNs for your SharePoint instance
I always forget this step. These are required for you to be able to actually log in to the FIM Portal once it’s installed. Open a normal command prompt and execute the following:
setspn -S FIMService/fimportal.fimspecialist.com FIMSPECIALIST\FIMservice
setspn -S HTTP/fimportal.fimspecialist.com FIMSPECIALIST\FIMSPAppPool
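A read-only check of the three steps above, plus the authentication mode and experience version that the earlier sections depend on. This is an added example, not part of the original guide or Microsoft's documentation. It assumes the portal URL used in this guide and an elevated SharePoint 2013 Management Shell; the Add-Check helper is a hypothetical name introduced here.

```powershell
# Added example: read-only pre-flight check before running FIM Service and Portal setup.
# Assumes the portal URL from this guide; change it for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$portalUrl  = "http://fimportal.fimspecialist.com"
$portalHost = ([Uri]$portalUrl).Host
$results    = @()

# Hypothetical helper: records one check result for the summary table.
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Passed = $Passed; Detail = $Detail
    }
}

# The web application must be classic-mode (Windows), not claims-based.
$webApp = Get-SPWebApplication $portalUrl
Add-Check "Classic-mode authentication" (-not $webApp.UseClaimsAuthentication) `
    "UseClaimsAuthentication = $($webApp.UseClaimsAuthentication)"

# The site collection must be in 2010 experience mode with self-service upgrade off.
$site = Get-SPSite $portalUrl
Add-Check "2010 experience mode" ($site.CompatibilityLevel -eq 14) `
    "CompatibilityLevel = $($site.CompatibilityLevel)"
Add-Check "Self-service upgrade disabled" (-not $site.AllowSelfServiceUpgrade) `
    "AllowSelfServiceUpgrade = $($site.AllowSelfServiceUpgrade)"
$site.Dispose()

# Step 1: server-side viewstate must be off on the content service.
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
Add-Check "Server-side viewstate disabled" (-not $contentService.ViewStateOnServer) `
    "ViewStateOnServer = $($contentService.ViewStateOnServer)"

# Step 3: each SPN must exist; the owning object is shown so you can confirm
# it is the intended service account and nothing else.
foreach ($spn in "HTTP/$portalHost", "FIMService/$portalHost") {
    $output = & setspn.exe -Q $spn
    $found  = [bool]($output -match "Existing SPN found")
    $owner  = ($output | Where-Object { $_ -match "^CN=" }) -join "; "
    Add-Check "SPN $spn registered" $found $owner
}

$results | Format-Table Check, Passed, Detail -AutoSize -Wrap
```

Any row with Passed = False should be resolved before starting the FIM Service and Portal installer; an SPN row listing more than one owning object indicates a duplicate registration.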
Installing the FIM Service and Portal
This is the last step! Finally! After all that preparation, installing the FIM Service and Portal is actually quite straightforward.






Note: Best practice would dictate that you use a SQL alias here. This will more easily allow you to migrate your FIM database between database servers.











Note: If you do not get this screen, but instead get a screen saying “FIM Service and Portal Setup Wizard ended Prematurely”, then read my post describing some of my troubleshooting for this issue.

Anyway, because of the lack of documentation at the time, I really had to work a lot of this out the first time I had to run through it, so I wanted to put it down as a guide for others who also want to install and configure FIM 2010 R2 SP1 on SharePoint Foundation 2013. I may come back and add to this over time so that it’s a more comprehensive guide, but this should get you started. As usual, please ask any questions below.
Hello!
Great post!
Though I have tried both this one and the “harbar post” ending up with a portal saying “service unavailable” and with the error:
GetCurrentUserFromSecurityIdentifier: No Such User
pointing to the Sharepoint apppool account eg ‘MYDOMAIN\FIMSPAppPool’
Tried so much I can think of (configuration files, spns, entirely new installation ending up with same result) etc etc.
My first installation worked fine (harbars post), when doing the exact same installation in another environment I ended up with this error. Tried several times with different settings ending up with the same result.
What am I doing wrong here? Is FIM on SharePoint Foundation 2013 really this bad?
Any help would be appreciated.
Best Regards
Hi Nils,
That error is generally thrown by the FIM Portal when a user trying to login to the Portal isn’t configured correctly in the Portal.
Normally, if a user couldn’t login, I would suggest that you log on to your FIM Portal with your administrator account and check that the user trying to access the portal has the correct details set (Account Name, Domain, objectSID, etc.), but in your case it sounds like you wouldn’t even be able to get that far.
When you install SPF 2010, are you able to login to the SharePoint portal that results? Can you get into Central administration? That should be your first check to confirm you’re on the right track.
Also, I trust you’re installing FIM with a domain user account? Similarly, when you login to the FIM Portal, you’re using the credentials you used to install the FIM Portal with?
Just completed all the steps and when I run the Install Service and Portal I get the following error:
Installation Prerequisites Not Met
The Features you have selected have the following prerequisites. Refer to the installation guide for more information. Please update your machine and retry the installation.
-SharePoint.
I can get into admin central just fine and I see the site collection as created by this article.
Any ideas? Googling “FIM 2010R2 Prerequisites Not Met” has only led me back to initial install documents. Thanks for any help you can provide.
Now I’m having the same problem. Did you solve it?
Hi,
Great post which I followed to implement my FIM Service and Portal.
I was lucky and everything went smoothly right in the first try.
So I can access the SP Administration site as well as the SP Default site. I can also access the FIM Portal site.
Unfortunately I am not able to open the IdentityManagement site. Always ending up in a HTTP 404 error.
Any Suggestion how to solve this issue? (apologize but I am new on FIM and SP)
Thanks, Markus
Used your article today as a resource for the scenario you describe and had no issues. Thanks for the writing and posting!
Kind regards, Danny
No worries Danny, glad you found it helpful!
Hi Ross,
Very nice article. I have a question about deploying the Password Reg and Reset portals on the farm: do they follow the same way as described here?
Thank you so much!
great post.
🙂
Does anybody make a FIM 2010 R2 Auto deployment tool like the script/tool that exists for Sharepoint?
A GUI tool exists too to edit up a XML file for SPAutoDeploy and once that is setup you can just about do a hands-off install of SharePoint. Somebody has to make this for FIM..!
Ie:
http://autospinstaller.codeplex.com
http://autospinstallergui.codeplex.com/
I have been doing IT for many many years, I gotta say a FIM 2010 R2 install is the most brutal installation method of any product I ever worked with.
Thanks?
I’m having problems with the SharePoint config too, PowerShell not recognising the cmdlet…
Thanks T
Ross,
Can’t tell you how many times I refer back to this page, it’s been very helpful.
I’m now in the process of creating an automated install of FIM and found a lot of information for doing so. Have you ever automated the install and configuration of SharePoint Foundations for the FIM Service\Portal?
Any thoughts would be helpful.
I am in the process of installing the service and portal part of this and keep getting the error “The Microsoft Identity Manager Server Database could not be successfully populated”. Do you have any idea why I am experiencing this issue? Thanks in advance.
I am trying to install MIM 2016.I am getting error
The Forefront Identity Manager Service could not bind to its endpoints. This failure prevents clients from communicating with the Web services.
A most likely cause for the failure is another service, possibly another instance of Forefront Identity Manager Service, has already bound to the endpoint. Another, less likely cause, is that the account under which the service runs does not have permission to bind to endpoints.
Ensure that no other processes have bound to that endpoint and that the service account has permission to bind endpoints. Further, check the application configuration file to ensure the Forefront Identity Manager Service is binding to the correct endpoints.
To get it working in a high availability farm we need to edit the web.config, adding the ‘useAppPoolCredentials’ as described here: https://blogs.msdn.microsoft.com/webtopics/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-07-5/