Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

This is the second post in a series which will go through setting up Privileged Access Management on Server 2016/2019. in this post we will configure the SharePoint component of Microsoft Identity Manager.

*As I am using a lab environment I have chosen to install MIM, SQL and SharePoint on the same server but in production they would need to be planned and scaled out correctly.

 

Prerequisites:

  • I have installed SQL Server 2016 locally on the MIM/SharePoint server. a SQL instance will be required for both SharePoint and MIM
  • The PAM/MIM/SharePoint server should be joined to the priv domain

Installing SharePoint Server 2016

First download the SharePoint Server 2016 ISO and mount it. Open an administrative command prompt and navigate to the source files for the installation. From here run the prerequisite installer with the command:

.\prerequisiteinstaller.exe

prereqs.png

Follow the on screen prompts to install the required prerequisites, roles and features. when this finishes, the server will restart.

Next, open an administrative command prompt and navigate to the source files again. Run the setup using the command:

.\setup.exe

Follow the on screen prompts to enter your product key and install SharePoint Server 2016 as below:

setup.exe.png

 

setup.exe2.png

When the installer finishes, you should be prompted to run the SharePoint Products Configuration Wizard.

setup.exe3.png

Follow the screenshots below to configure SharePoint 2016 and create a new farm:

configwizard1.png

Specify a service account with access to your SQL instance

configwizard3.png

For my lab I will install a single server farm

configwizard4.png

 

configwizard5.png

 

configwizard6.png

 

When the configuration wizard finishes, you will be taken to the SharePoint Central Admin Page.

CentralAdmin.png

 

Now that the farm is set up, we can configure the MIM web app and Site Collection.

Set up Web App and Site Collection

Create two AD Service Accounts named priv\MIMPool  and priv\MIMInstall to use during the setup.

Also set up a DNS A record for your MIM Site Collection pointing to the SharePoint Server such as mim.priv.lab.corp.net.

 

Next, configure the MIMPool account as an SP Managed Service Account with the below commands:

*Note: in the below script blocks, I have marked in bold entries that you may need to change to match your environment

##Enter the credentials of the priv\MIMPool account

$ManagedServiceAccount = get-credential

## Create the SP Managed Service Account Entry

New-SPManagedAccount $ManagedServiceAccount

$dbManagedAccount = Get-SPManagedAccount -Identity $ManagedServiceAccount.username

## Create a new web application

New-SpWebApplication -Name “MIM Portal” -ApplicationPool “MIMAppPool” -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod “Kerberos” -Port 80 -URL http://mim.priv.lab.corp.net

spwebapp.png

Create a new site for MIM with the below commands:

$t = Get-SPWebTemplate -compatibilityLevel 15 -Identity “STS#1”

$w = Get-SPWebApplication http://mim.priv.lab.corp.net/

New-SPSite -Url $w.Url -Template $t -OwnerAlias priv\miminstall -CompatibilityLevel 15 -Name “MIM Portal”

$s = SpSite($w.Url)

create site.png

Run ‘$s.CompatibilityLevel’ to ensure the compatibility level of the new site is “15”

 

Disable the SP Timer Job “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)” with the commands below:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;

$contentService.ViewStateOnServer = $false;

$contentService.Update();

Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

 

Now that the site is set up, navigate to it and log in with the MIMInstall user credentials to verify it was created as expected. If you get an error logging in, follow one of the fixes here. When you are logged in successfully, you should see an empty site as below:

login.png

site.png

Finally add the site created to the local intranet zone on the server and restart the server:

localintranet.png

We have now Successfully configured SharePoint for MIM. In a following blog I will continue the MIM/PAM setup process.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s