Installing FIM 2010 R2 SP1 Portal on SharePoint Foundation 2013

http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/

I described in an earlier post the problems I was having installing and configuring FIM 2010 R2 SP1 on SharePoint Foundation 2013 and if you’ve had to do this, then chances are you’ve been just as disappointed by Microsoft’s documentation as I was. If that’s the case, then this is the guide for you.

Keep in mind, this is written from the perspective of a FIM consultant who had to nut it out using the Microsoft Installing FIM 2010 R2 on SharePoint Foundation 2013 guide and my own ingenuity. For a more in-depth guide from a SharePoint specialist, check out Spencer Harbar’s guide, which includes some detail around configuring SSL and takes a SharePoint “purist” approach, rather than the GUI-where-possible approach I used.

This guide is comprised of the following sections:

1. Why you shouldn’t use SharePoint Foundation 2013 for FIM 2010 R2 SP1
2. FIM Service and Portal Pre-requisites
3. Installing the SharePoint Foundation 2013 Pre-requisites
4. Installing SharePoint Foundation 2013
5. Running the SharePoint Foundation 2013 Farm Configuration Wizard (GUI)
6. Creating a SharePoint Foundation 2013 Web Application (Powershell)
7. Creating a 2010 Experience Mode Site Collection (GUI)
8. Configuring SharePoint Foundation 2013 for FIM 2010 R2 SP1 Portal
9. Installing the FIM Service and Portal

Why you shouldn’t use SharePoint Foundation 2013 for FIM 2010 R2 SP1

If you’re like me, then you’re probably tempted to upgrade to SharePoint Foundation 2013 when doing your FIM 2010 R2 SP1 upgrade. I mean, it makes sense – it’s the latest release, why wouldn’t you upgrade to it when you’re doing a major FIM upgrade anyway? However, unless you’re running Windows 2012, don’t use SPF 2013. Here’s why:

• If you run the “Standalone” installation, the default Web Application and Site Collection that are configured are incompatible with FIM 2010. You will need to uninstall both and re-install using the SharePoint Administration Shell (Powershell)
• The reason you need to do this via the Management Shell, is that Classic Authentication has now been deprecated in SPF 2013 in favour of Claims-Based authentication. As such, you can’t select it as an option via the GUI and you even get a big red warning message (see below) when configuring a new site via the shell.
• You have to run your sites in SharePoint 2010 Experience mode anyway, as the FIM Portal doesn’t support being installed on a SharePoint 2013 site collection.

My natural thought was to use the latest version of SharePoint Foundation when performing the upgrade, but as I was deploying I realised that while the FIM Portal will install on SPF 2013, it’s really designed to work with WSS 3.0 and SPF 2010. At this stage, it seems that the only reason support for SharePoint Foundation 2013 was added to FIM 2010 R2 SP1 was because Windows Server 2012 doesn’t yet support SharePoint Foundation 2010 – apparently this support is coming with SPF 2010 SP2. So until SPF 2010 SP2 is released, anyone wishing to install the FIM Portal for FIM 2010 R2 SP1 on Windows Server 2012 will need to use SharePoint Foundation 2013. In my opinion, everyone else should just stick to SharePoint Foundation 2010, or WSS 3.0.

That said, if you’re determined to do it, this guide should help you.

The screenshots detail an installation performed on Windows Server 2012, however I have also run through these steps on Windows 2008 R2.

FIM Service and Portal Pre-requisites

You should already be familiar with Microsoft’s Before You Begin guide if you’ve installed an earlier version of FIM. If you’re not, make sure you follow these steps before you install the FIM Service and Portal:

• Install FIM Synchronisation Service either on this server, or another server. In my environment, it’s a different sever.
• Prepare your FIMService, FIMMA, SPF and SPFAppPool service accounts.
• Have a mail server and an e-mail address for the FIM Service to use

Installing the SharePoint Foundation 2013 Pre-requisites

This is fairly straight forward, as the SPF Pre-requisites installer will setup almost all of the Windows Features, such as IIS, as well as the other SPF 2013 pre-requisites. If there are any warnings, or errors, it’s pretty helpful in telling you what you need to do. Download and run the SharePoint Foundation 2013 installer to be presented with the following:

Step 1: Select Install SharePoint 2013 Pre-Requisites

Step 2: Click Next to begin installing SharePoint Foundation 2013 Pre-requisites

Step 3: Microsoft SharePoint 2013 Products Preparation Tool will install Pre-requisites

Step 4: Pre-requisites are installed. Click finish to restart your system.

Installing SharePoint Foundation 2013

Once you’ve restarted your system, run the SharePoint Foundation 2013 installer again and this time select “Install SharePoint Foundation”.

Step 1: Select “Complete” and click Install Now

Server-Type: Complete or Stand-alone?

If you choose stand-alone, FIM will install an express database and pre-configure a SharePoint site. Unfortunately, the SharePoint site it pre-configures uses Claims-Based Authentication, which FIM doesn’t support, and to create a site that uses classic-mode Windows Authentication, you’re going to have to delete the pre-configured site and create a new one via the SharePoint 2013 Management Shell (not supported via the GUI). I also see no point in using an express database if you have access to a proper SQL Server database.

Step 2: Leave the box checked to run the Configuration Wizard and click “Close”

Running the SharePoint Foundation 2013 Farm Configuration Wizard (GUI)

Now that SharePoint Foundation is installed, you need to create a new Server Farm and configure SharePoint Central Administration. If you’re familiar with SharePoint, you can do this via the SharePoint Management Shell using Powershell, however you can use the GUI at this stage. Since I like things simple, that’s exactly what I did.

Step 1: Click next to start the wizard.

Step 2: Click yes to accept that it will restart some of your services.

Step 3: Select Create a new server farm

Step 4: Specify configuration database settings. This is where your SharePoint Foundation database will reside. I put mine on the same SQL Server that I use for the FIMPortal, but only because I’m in a development environment.

Note: SharePoint Foundation 2013 will actually issue a health warning in Central Administration if your database is on the same server as your SharePoint server. Don’t do this in a production environment.

Step 5: Specify Farm Security Settings. Here, you specify the password that other servers will need to know if they want to join your farm

Step 6: Specify a custom port number if you want. Also, select NTLM as the authentication provider, or else you will have issues logging in to SharePoint Central administration. You can add Kerberos back in later.

Step 7: Confirm the configuration details and click Next to create your SharePoint Web Application

Step 8: Your SharePoint instance has been created

Once configured, Central Administration should load. You can now close this window, as we will create your Web Application via Powershell, in the next step.

Creating a SharePoint Foundation 2013 Web Application (Powershell)

Okay, now that the Server Farm has been created, and Central Administration is configured, the next step is for you to create your SharePoint Web Application. You actually need to use the SharePoint Management Shell, which is a Powershell interface, in order to do this, as the GUI will set up your site in a way that means FIM can’t use it. Load the SharePoint Management Shell from your start menu and enter the following:

$adminCredentials = get-credential “FIMSPECIALIST\FIMSPAppPool”

$adminManagedAccount = New-SPManagedAccount -Credential $adminCredentials

New-SpWebApplication -Name “FIM Portal” -ApplicationPool “FIMAppPool” -ApplicationPoolAccount $adminManagedAccount -AuthenticationMethod “Kerberos” -Port 80 -URL http://FIMPortal.fimspecialist.com

Note that it can take quite a while to create your Web Application. At some stage, you should see a warning pop up, telling you that Windows Classic authentication is deprecated in SPF 2013, and then confirmation that your site has been created:

Creating a 2010 Experience Mode Site Collection (GUI)

Now that your Web Application has been created, you can actually go in and create a site collection for FIM through the SharePoint Central Administration GUI.

Step 1: In SharePoint Central Administration, go to Create Site collections under Application Management

Step 2: Give your site collection a meaningful name

Step 3: Ensure you select 2010 experience version and Blank Site from the templates.

Note: When I was creating my site collection through the GUI, I seemed to have a bit of problem here, where SharePoint was still creating the site collection in 2013 experience mode. After you’ve created your site, run the following to double check that the site collection has been installed as the correct version:

$spSite = SpSite(“http://fimporta.fimspecialist.com”);
$spSite.CompatibilityLevel

If this returns ’14′, all is good. If this returns ’15′, you need to delete your site collection and try again. Interestingly, after fiddling around a bit, I’m now only able to create sites in 2010 Experience mode:

Anyway, scroll down and you will be presented with more options:

Step 4: Enter your Primary Site Collection Administrator account details

Step 5: Site Collection is now created. Click OK.

Configuring SharePoint Foundation 2013 for FIM 2010 R2 SP1 Portal

Now that you’ve installed SharePoint, created a Web Application and create a site collection within that web application, there are just a last few configuration steps to ensure that the SPF2013 instance is ready to have FIM Portal installed on it:

Step 1: Disable server-side viewstate.

Open the SharePoint Management Shell again and as per the Microsoft guide to Installing FIM 2010 R2 on SharePoint Foundation 2013, execute the following:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();

Step 2: Disable Self-service upgrades

In the same SharePoint Management Shell, execute:

$spSite = SpSite(“http://fimportal.fimspecialist.com/”);
$spSite.AllowSelfServiceUpgrade = $false

Note: As mentioned above, I had an issue where the site collection was still being created in 2013 Experience Mode, despite selecting the 2010 option during creation. In this case, when I ran “$spSite.AllowSelfServiceUpgrade = $false”, I would receive the error:

System.InvalidOperationException: Invalid operation given the current state of the object.

After digging around, I discovered that the error is caused because a 2013 site is already considered to be upgraded, so you can’t set the AllowSelfServiceUpgrade value. If you get this error, delete your site collection and re-create it, double-checking that you select 2010 Experience Mode. Be sure to check the CompatibilityLevel to ensure ’14′ is returned.

Step 3: Create the SPNs for your SharePoint instance

I always forget this step. These are required for you to be able to actually login to the FIM Portal once it’s installed. Open a normal command prompt and execute the following:

setspn -S FIMService/fimportal.fimspecialist.com FIMSPECIALIST\FIMservice
setspn -S HTTP/fimportal.fimspecialist.com FIMSPECIALIST\FIMSPAppPool

Installing the FIM Service and Portal

This is the last step! Finally! After all that preparation, installing the FIM Service and Portal is actually quite straight forward.

Step 1: Select Install Service and Portal from the FIM 2010 R2 SP1 splash screen

Step 2: Click next to begin the installer

Step 3: Check the Accept terms box and click next

Step 4: Check “I don’t want to join the program at this time” and click next.

Step 5: I only want to install the FIM Service and Portal, so I deselect the Reporting, Password Reset Portal and Password Registration Portals and click next

Step 6: I am creating a new database on my database server with the default name.

Note: Best practice would dictate that you use a SQL alias here. This will more easily allow you to migrate your FIM database between database servers.

Step 7: Configure your mail server settings. In my development environment, I’m using a non-Exchange enabled mail server.

Step 8: Generate a new self-issued certificate and click next. If you have your own certificates installed on the server, you can select them at this point

Step 9: Configure your FIMService service account details here.

Step 10: Configure your FIM Synchronization Service server details here

Step 11: Enter the server address for your FIM Portal

Step 12: Enter the URL for the SharePoint site collection you created earlier.

Step 13: I leave this blank, as I’m not installing the Registration Portal

Step 14: Check both of these boxes. The first opens firewall Windows ports for your portal, so you can access it from other machines. The second ensures that users are able to access the SharePoint site collection

Step 15: Again, left blank as I am not using these features.

Step 16: All done configuring, click install

Step 17: If all goes well, you should get this screen at the end of the installation

Note: If you do not get this screen, but instead get a screen saying “FIM Service and Portal Setup Wizard ended Prematurely”, then read my post describing some of my troubleshooting for this issue.

Step 18: You should now be able to login to http://fimportal.fimspecialist.com/IdentityManagement/ with your administrator account to see the FIM Portal. Success!

Anyway, because of the lack of documentation at the time, I really had to work a lot of this out the first time I had to run through it, so I wanted to put it down as a guide for others who also want to install and configure FIM 2010 R2 SP1 on SharePoint Foundation 2013. I may come back and add to this over time so that it’s a more comprehensive guide, but this should get you started. As usual, please ask any questions below.