Implementing Privileged Access Management on Server 2016/2019: Part 3 – Deploying the MIM/PAM Server

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft Identity Manager

In part three of this blog series, I will go through the steps to deploy the MIM/PAM server to host the MIM Synchronization Service and Portal.

*As I am using a lab environment, I have chosen to install MIM, SQL and SharePoint on the same server, but in production these would need to be planned and scaled out correctly.

Server Configuration

First install the required Windows features by running the following PowerShell commands:

## Install Prereqs

Import-Module ServerManager

Install-WindowsFeature Web-WebServer, Net-Framework-Features, RSAT-AD-PowerShell, Web-Mgmt-Tools, Windows-Identity-Foundation, Server-Media-Foundation, Xps-Viewer -IncludeAllSubFeature

Once the features are installed successfully, we need to define the local security policy. To do this, open the Local Security Policy console (secpol.msc) and make the following changes:

In the policy Local Policies > User Rights Assignment > Log on as a service, add priv\MIMMonitor, priv\MIMService, priv\SharePoint, priv\MIMComponent and priv\SQLServer.

In the policy Local Policies > User Rights Assignment > Deny access to this computer from the network, add priv\MIMMonitor, priv\MIMService and priv\MIMComponent.

In the policy Local Policies > User Rights Assignment > Deny log on locally, add priv\MIMMonitor, priv\MIMService and priv\MIMComponent.

Configure local security policy and local admins

Close the Local Security Policy window and open “Computer Management”. Navigate to “Local Users and Groups -> Groups -> Administrators” and add priv\MIMAdmin and priv\SharePoint as local administrators on the server.
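Before moving on to the installers, it is worth confirming that the feature install, the user rights assignments and the local Administrators membership above actually took effect, since a missing "Log on as a service" right or a missing deny right only shows up later as a failed service start or an unexpectedly reachable service account. The following script is an added check (not from the original post) that reads the effective local policy with secedit and compares it with the account names used in this series; it assumes the same priv domain and account names.

```powershell
# Added verification script (not part of the original post). Assumes the
# 'priv' domain and the service account names used throughout this series.
$requiredFeatures = 'Web-WebServer','Net-Framework-Features','RSAT-AD-PowerShell',
    'Web-Mgmt-Tools','Windows-Identity-Foundation','Server-Media-Foundation','Xps-Viewer'
$serviceLogon = 'priv\MIMMonitor','priv\MIMService','priv\SharePoint','priv\MIMComponent','priv\SQLServer'
$denied       = 'priv\MIMMonitor','priv\MIMService','priv\MIMComponent'
$localAdmins  = 'priv\MIMAdmin','priv\SharePoint'

# 1. Windows features: anything whose state is not 'Installed' is flagged.
Get-WindowsFeature -Name $requiredFeatures | Where-Object InstallState -ne 'Installed' |
    ForEach-Object { Write-Warning "Feature not installed: $($_.Name)" }

# 2. User Rights Assignment: export the local policy and parse the
#    [Privilege Rights] section. Each entry is a SID prefixed with '*';
#    translate it back to DOMAIN\name so it can be compared with the lists above.
#    A SID that cannot be resolved (e.g. no connectivity to the priv domain)
#    is kept as-is and will therefore be reported as missing.
$inf = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object {
            $id = $_.Trim().TrimStart('*')
            try { (New-Object System.Security.Principal.SecurityIdentifier $id).Translate(
                      [System.Security.Principal.NTAccount]).Value } catch { $id }
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Test-Right([string]$Privilege, [string[]]$Expected) {
    foreach ($acct in $Expected) {
        if ($rights[$Privilege] -notcontains $acct) {   # comparison is case-insensitive
            Write-Warning "$acct is missing from $Privilege"
        }
    }
}
Test-Right 'SeServiceLogonRight'         $serviceLogon   # Log on as a service
Test-Right 'SeDenyNetworkLogonRight'     $denied         # Deny access to this computer from the network
Test-Right 'SeDenyInteractiveLogonRight' $denied         # Deny log on locally

# 3. Local Administrators membership (Name is reported as DOMAIN\user).
$members = (Get-LocalGroupMember -Group 'Administrators').Name
$localAdmins | Where-Object { $members -notcontains $_ } |
    ForEach-Object { Write-Warning "$_ is not a member of local Administrators" }
```

Run it from an elevated PowerShell session; a clean run produces no warnings.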


IIS Config

To configure IIS for Windows Authentication, run the below PowerShell commands:

iisreset /STOP

C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost

iisreset /START


Installing the Synchronization Service

Mount the MIM 2016 ISO and run the “FIMSplash.htm” page in the root folder to open the splash page.


Follow through the wizard, accepting the terms and conditions, and specify your SQL instance. In my lab I am using a local default SQL instance.

Specify your MIMSync service account details.

Optionally, change the names of the groups that the installer will create.

On the next page you can allow the installer to open the required firewall ports on the server for you.

Finally click install and wait for the synchronization service to finish installing. At the end you will be prompted to save the encryption key locally. Save this key and keep it safe.

When the install completes, click Finish. You will be prompted to log off the server so that the new group membership takes effect.

Install MIM Service and Portal

After logging back on to the server, open up “FIMSplash.htm” again and this time run the “Service and Portal” installer.


Follow through the wizard, accepting the license terms and opting in or out of the Customer Experience Program, until you get to the Custom Setup page. On this page, select the options to install the MIM Service, Privileged Access Management and MIM Portal roles, and click Next.

Select the SQL settings and click next. Again, in my lab I am using a local SQL instance.


Select a mail server to use. You can optionally use Exchange Online, or, if there is no Exchange server in place, enter “localhost” as the server name and deselect the top two options.

Create a new self-signed certificate or use an existing certificate.

Enter the service account details for the MIMService.


Enter the details of the synchronization service.


Enter the name of the local server for the MIM Service Server Address.


Enter the name of the SharePoint Site Collection we created in part 2 of this blog to host the MIM Portal.


We are not using the Password Registration Portal so leave the next page blank.


Check the boxes to open the appropriate firewall ports and to allow authenticated users to access the MIM Portal site.


Leave the REST API Hostname blank and set the port to 8086.


Enter the account details of the SharePoint service account for the PAM REST API.


Enter the MIMComponent service account details for the PAM Component Service.


Enter the MIMMonitor service account details for the PAM Monitoring Service.


If you are installing the other components on another server, enter their details here; otherwise, click Next.

Finally, click Install.

When the installer finishes, reboot the system and log back on. Browse to your MIM Portal URL configured in Part 2 and you should see the MIM Portal page has been configured successfully.


The MIM Portal and Service are now successfully installed. In the next and final post in this series, I will finalize and test the PAM configuration!
