SharePoint 2010 and 2013 both use parts of Forefront Identity Manager (FIM) to synchronize users between, for example, AD and SharePoint. You can use the FIM client to monitor this process and review issues related to the User Profile Service Application.
The client application is located under the following folder:
SharePoint 2010
C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
SharePoint 2013
C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe
Unable to connect to the Synchronization Service
The following error can occur when opening the FIM Client:
The two reasons listed in the error message are normally the right places to start investigating this issue.
1) The service is not started.
There are 2 windows services that are related to FIM:
– Forefront Identity Manager Service
– Forefront Identity Manager Synchronization Service
These services have to be started before you can use the FIM client! You can start them by going to SharePoint Central Administration and starting the User Profile Synchronization Service.
Note that the Windows Service can still be stopped even if Central Administration shows that the service is started! Stop this service and start it again.
Please see the following blog from Spencer for other issues related to the User Profile Service Application: http://www.harbar.net/articles/sp2010ups.aspx
2) Your account is not a member of a required security group.
First verify if you can open the client using the farm account, because this service account has sufficient permissions.
The admin account should have local administrator permissions and be a member of the local security group “WSS_ADMIN_WPG”. Members of this group have write access to system resources used by Microsoft SharePoint Foundation.
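A read-only check for the two causes above, as an added example that is not part of the original post. The service names FIMService and FIMSynchronizationService are assumed to be the short names of the two Windows services listed; confirm them in services.msc before relying on the result.

```powershell
# Added example: triage for "Unable to connect to the Synchronization Service".
# Reads state only; starting and stopping stays in Central Administration.
# Assumption: these are the short names of the two FIM Windows services.
$serviceNames = 'FIMService', 'FIMSynchronizationService'

function Get-FimServiceState {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        $status = 'NotInstalled'
        if ($svc) { $status = $svc.Status.ToString() }
        New-Object PSObject -Property @{
            Service = $n
            Status  = $status
            Ok      = ($status -eq 'Running')
        } | Select-Object Service, Status, Ok
    }
}

function Test-CurrentUserInLocalGroup {
    param([string]$GroupName)
    # Evaluates the current logon token. A membership added after logon is
    # not visible until the user signs out and back in. A group that does
    # not exist on this machine evaluates to False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole("$env:COMPUTERNAME\$GroupName")
}

function Test-CurrentUserIsLocalAdmin {
    # Returns False in a non-elevated session under UAC even for an
    # administrator, so run this from an elevated PowerShell window.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Cause 1: the service is not started.
Get-FimServiceState -Name $serviceNames | Format-Table -AutoSize

# Cause 2: the account is not a member of a required security group.
'WSS_ADMIN_WPG member (current token): {0}' -f (Test-CurrentUserInLocalGroup 'WSS_ADMIN_WPG')
'Local administrator (current token):  {0}' -f (Test-CurrentUserIsLocalAdmin)
```

Run it once as the account that sees the error and once as the farm account; a difference in the last two lines points at group membership rather than the services.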
Starting and monitoring multiple syncs
Sync with 2 new AD Users
I have added two new users to Active Directory and will start a new incremental Sync from the SharePoint User Profile Service Application. You can now open the FIM client and view the different syncs.
The DS_DELTAIMPORT shows the import from your Synchronization Connection and you will see more if you have multiple Connections.
There are 2 users added to SharePoint. Clicking on the number shows which users have been added.
Sync with 1 deleted and 1 changed user
I have deleted ‘Sync Test 2’ and changed the display name for ‘Sync Test 1’ to ‘Change test 1’. DS_DELTAIMPORT now shows the following information
You can also view the user that has been deleted by clicking on the number
You can also view the changed properties of the other user by using the MOSS_EXPORT_<GUID> profile and clicking on the number next to updates.
And clicking properties for this user
Searching users
Looking for a specific change may be time-consuming when your organization has thousands of users.
You can use the Metaverse Search to find the user you are looking for and see if this user has been updated with the correct information.
You can filter the search on multiple attributes
My filter is for users which display name contains “Change”
You can then view the properties of this user
You can find the change by clicking on the connectors tab
And opening the connector “MOSS-<GUID>”
And find the latest sync on Lineage
You can troubleshoot further if the last import change is different from the latest sync. This normally happens when the user has been moved from the specified OU in Synchronization Connections.
Summarizing
You can now troubleshoot the error prompted when opening the FIM client and you can do basic monitoring of the specified syncs. You can find if a user has been updated to the latest AD information and when the user has last been updated.
First published on MSDN on Jun 01, 2018
This document is intended to be used as an operational build document for the installation of SharePoint Foundation 2013 SP1 for use with Forefront Identity Manager 2010 R2 or Microsoft Identity Management 2016 MIM Service and Portal Server installations.
Using this Guide:
You may search for the variables listed below and replace them with your respective data values to create a detailed build guide customized for your environment.
Document Variables:
Description | Search and Replace Variable |
Common name of the domain (ex. Contoso) | [DOMAIN] |
Common name of the first MIM Service and Portal Server (ex. Portal01) | [MIM SERVER 1] |
Common name of the second MIM Service and Portal Server (ex. Portal02) | [MIM SERVER 2] |
Common name of the MIM Installation Service Account (ex. MIMInstall) | [INSTALL ACCOUNT] |
Common name of the MIM Service Account (ex. MIMService) | [MIM SERVICE ACCOUNT] |
Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP) | [MIM SAP ACCOUNT] |
Preparing for Installation
SharePoint Foundation 2013 SP1 Installation Media:
The download for SharePoint Foundation 2013 SP1 is located at the following link:
To successfully install SharePoint Foundation 2013, some updates must be removed prior to installation. Windows Updates are temporarily disabled during the installation procedure to prevent these updates from being downloaded and reinstalled.
Launch Server Manager
Select Local Server
Adjacent to Windows Update select the link to access the Windows Update settings page.
Select Change Settings
Select Never Check for updates (not recommended)
Select OK
Close the Windows Update window
Exit Server Manager
Temporarily Disable IE Enhanced Security Configuration for Administrators:
The SharePoint Foundation 2013 SP1 Prerequisite installer requires access to multiple sites to download prerequisite installers. Temporarily disabling IE Enhanced Security for Administrators will allow access to these sites to complete the installations.
Launch Server Manager
Select Local Server
Adjacent to IE Enhanced Security Configuration select the link to access the configuration settings page.
Under Administrators , select Off
Select Ok
Restart the server
Uninstall .Net Framework 4.6 and higher
SharePoint Foundation 2013 SP1 requires .Net version 4.5 and requires the removal of later version 4.6 and higher to install properly. Please refer to the blog post below for .Net removal instructions and updates.
Connect to the server using the [INSTALL ACCOUNT] service account
Right click SharePoint.exe and select run as Administrator
If asked to allow program to make changes to this computer, select Yes .
Under Install, select Install software prerequisites .
On the Welcome to the Microsoft SharePoint 2013 Products Preparation Tool pane , select Next
To continue installation, Review and Accept the terms of the license agreement.
select Next to proceed with prerequisite installations.
If prompted that your system needs to restart to continue, select Finish
Please Note multiple server restarts can occur during installation.
Reconnect to the server using the [INSTALL ACCOUNT] service account
If asked to allow program to make changes to this computer, select Yes .
If prompted that your system needs to restart to continue, select Finish
Repeat this section as many times as necessary to complete the installation of Prerequisites.
Once installation of prerequisites completes, select Finish .
Select Start , Update and Restart if available, otherwise Restart .
Repeat this section as many times as necessary to complete the installation of all updates.
Once installation of prerequisites completes, select Finish .
Install SharePoint Foundation 2013 SP1
Login as the [INSTALL ACCOUNT] account
Right click SharePoint.exe and run as Administrator
Select Yes to allow the installer to make change to the server.
The SharePoint Foundation 2013 splash screen will appear.
Under Install , select Install SharePoint Foundation
If you are prompted with a setup error and informed that the product requires .Net Framework 4.5, refer to the section above entitled Uninstall the following KBs. .Net Framework 4.6 and higher must be removed and the machine restarted for the installation to…
On the Read the Microsoft Software License Terms screen, review the terms and accept as appropriate.
Select Continue
On the Server Type panel, select Stand-alone option, then Install Now
The Installation Progress bar will be displayed.
On the Run Configuration Wizard pane, select the Run the SharePoint Products Configuration Wizard now option.
Select Close.
On the Welcome to SharePoint Products page, select Next .
When notified that services may need to be restarted, select Yes
The Configuring SharePoint Product page will be displayed.
Once notified Configuration Successful , select Finish .
The SharePoint 2013 Foundation Home Page will be displayed.
Close the browser,
Exit SharePoint Foundation 2013 installer.
Restart the server.
Prepare SharePoint Foundation 2013 SP1 for use with FIM / MIM:
Configure SharePoint Farm Admins
Select the Windows Start button, type SharePoint 2013 Central Administration
If prompted, select Yes to allow program to make changes to computer.
Select Security , Manage the farm administrators group
Add the following accounts as members of the Farm Administrators group:
[INSTALL ACCOUNT] (This should be present.)
[MIM SERVICE ACCOUNT]
Remove the SharePoint-80 Configuration
In SharePoint, Central Administration select Application Management ,
Under Web Applications , select Manage Web Applications ,
Select SharePoint-80 ,
Select Delete from menu bar.
When prompted select Yes to delete content databases and delete IIS web sites.
Select Delete , and Ok to continue.
Note: This may take several minutes to complete at which time the open window will close and return you back to the SharePoint Central Admin Console.
Close the SharePoint Central Admin Console .
Start, Internet Information Services Manager
On left expand the server, and select Application Pools
If present, delete the SharePoint-80 Application pool.
Close Internet Information Services Manager
The PowerShell script included below was obtained from the original Connector Space blog post by Anthony Marsiglia located at: https://blogs.msdn.microsoft.com/connector_space/2014/09/23/sharepoint-foundations-2013-configu…
The script provided in this document is updated to include remarks on how to manually perform some of the script’s actions, thereby simplifying code review. Additionally, search and replace document variables used throughout this document are incorporated into the script to customize the installation script for your environment.
During script processing PowerShell will display the following Warning message which can be ignored:
WARNING: The Windows Classic authentication method is deprecated in this release and the default behavior of this cmdlet, which creates Windows Classic based web application, is obsolete. It is recommended to use Claims authentication methods. You can create a web application that uses Claims authentication method by specifying the AuthenticationProvider parameter set in this cmdlet. Refer to the http://go.microsoft.com/fwlink/?LinkId=234549 site for more information. Please note that the default behavior of this cmdlet is expected to change in the future release to create a Claims authentication based web application instead of a Windows Classic based web application.
When copying and pasting the script to Notepad, be sure to verify that all ” quotes copy correctly. Additionally, ensure the line containing “STS#0” (open quote, letters STS, pound, zero, close quote) is properly typed and does not contain special characters.
You should not experience PowerShell errors (Errors appear in red text) during execution of this script. If you do experience errors, review the error message and resolve accordingly. Rerunning the script may cause other errors to occur due to partial completion during the first run.
Finally, be patient, the script may take several minutes to complete its processing and at times may appear as if it is not running.
Create and Execute the SharePoint Foundation 2013 Configuration Script:
Launch Notepad
Copy the below script into Notepad
Save the file as SPConfig.ps1 on [MIM SERVER 1].
Copy the script from [MIM SERVER 1] to [MIM SERVER 2] .
Start PowerShell as Administrator.
Run the script on the [DOMAIN] domain Servers [MIM SERVER 1] and [MIM SERVER 2] .
Enter the FIMSPFPoolAccount password when prompted.
####################################################################################
## BEGIN SCRIPT
## This first line only needs to be run if you're not running the SharePoint 2013 Management Console.
Add-PSSnapin Microsoft.SharePoint.PowerShell -EA SilentlyContinue
## Helper that prompts for a value and asks the operator to confirm it.
## It is only used by the commented-out interactive alternatives below.
function Prompt-ForInput
{
    Param($message)
    $success = "n"
    while($success -ne "" -and $success.ToLower() -ne "y")
    {
        $val = Read-Host $message
        $success = Read-Host "You entered: $val. Is this correct? Enter y or n"
    }
    return $val
}
## This next block of code sets the variables the script will need to build your SharePoint site
## Below you will need to know the following information
## NetBIOS Domain name
## The account that will be used to run the actual website
## An account that will be used as a Farm Administrator
## ------------------------------------------------------------------------
## SCRIPT VARIABLES
## ------------------------------------------------------------------------
## $Domain = $(Get-ADDomain).NetBIOSName
$Domain = '[DOMAIN]'
## $svcFIMPool = Prompt-ForInput "Enter the FIM Service Pool Service
$svcFIMPool = '[MIM SAP ACCOUNT]'
## $FarmAdminUser = Prompt-ForInput "Enter the Primary Site Collection Administrator Account"
$FarmAdminUser = '[INSTALL ACCOUNT]'
## $SecFarmAdmin = Prompt-ForInput "Enter the Secondary Site Administrator Account"
$SecFarmAdmin = '[MIM SERVICE ACCOUNT]'
#$Site = "http://" + $(Prompt-ForInput "Enter the site url")
$Site = 'http://FIMPortal'
## ------------------------------------------------------------------------
## SET THE CREDENTIALS FOR THE SHAREPOINT SITE
## ------------------------------------------------------------------------
## MANUAL METHOD:
## The steps to manually configure this setting in the SharePoint Central Admin Console follow
## Start SharePoint Central Admin
## Under Security section select Configure Service Accounts
## Select the Register new managed account link
## Enter User Name and Password
## select OK
## POWERSHELL SCRIPT:
## A pop up will appear for you to type in the Password of the account that was set as the variable of $svcFIMPool
## You may need to correct the username in the following format DOMAIN\ACCOUNT NAME
## Enter the Password in the window
New-SPManagedAccount -Credential (Get-Credential -Message "FIMSPFPoolAccount" -UserName "$Domain\$svcFIMPool")
## ------------------------------------------------------------------------
## CREATE THE SHAREPOINT APPLICATION POOL
## ------------------------------------------------------------------------
## MANUAL METHOD:
## The steps to manually configure this setting in the SharePoint Central Admin Console follow
## Start SharePoint Central Admin
## Under Application Management Select Manage Service Applications
## From the Menu Bar select New
## Select App Management Service
##
## POWERSHELL SCRIPT:
New-SPServiceApplicationPool -Name FIMSPFPool -Account $svcFIMPool
## This next block of code creates a Web application that uses classic mode Windows authentication
New-SPWebApplication -Name "FIM" -Url $Site -Port 80 -SecureSocketsLayer:$false -ApplicationPool "FIMSPFPool" -ApplicationPoolAccount (Get-SPManagedAccount $($svcFIMPool)) -AuthenticationMethod "Kerberos" -DatabaseName "FIM_SPF_Content"
## This block of code creates the SP Site
New-SPSite -Name "FIM" -Url $Site -CompatibilityLevel 14 -Template "STS#0" -OwnerAlias $FarmAdminUser
## This next block of code sets the Secondary Site Administrator
Set-SPSite -Identity $Site -SecondaryOwnerAlias "$Domain\$SecFarmAdmin"
## This block of code disables server side view state which is required for FIM
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.ViewStateOnServer = $false
$contentService.Update()
## This last block of code disables self-service upgrade to 2013 Experience mode
# 2013 Experience mode is not supported by FIM
## $Site holds the same URL (http://FIMPortal) that was hard-coded here before
$SPSite = Get-SPSite $Site
$SPSite.AllowSelfServiceUpgrade = $false
## END OF SCRIPT
####################################################################################
Set the SharePoint Administration Service to Automatic and start the service
Start , Services.msc
Right Click the SharePoint Administration service, select Properties
Set Startup type to Automatic
Select Start
Select OK
Remove SharePoint Search Service Application and Proxy
Select the Windows Start button, type SharePoint 2013 Central Administration
If prompted, select Yes to allow program to make changes to computer.
Select Application Management
Under Service Applications, select Manage service applications
Highlight Search Service Application Proxy ,
Select Delete button.
On the Delete Service Application Connection page
Select Delete Data associated with the Service Application connections
Select Ok
When notified Service Application connection has been deleted, select Ok
Highlight Search Service Application ,
Select Delete button.
On the Delete Service Application page
Select Delete Data associated with the Service Applications
Select Ok
When notified Service Application has been deleted, select Ok
Close the SharePoint Central Administration Window
To successfully install SharePoint Foundation 2013 SP1, Windows Update was disabled prior to the installation. Windows Update should be re-enabled after the installation procedure is completed to ensure proper patching of the system. Updates for other Microsoft products are left disabled so that application updates can be installed manually after proper testing.
Launch Server Manager
Select Local Server
Adjacent to Windows Update select the link to access the Windows Update settings page.
Select Change Settings
Select Install Updates automatically (recommended)
Under Microsoft Update
Do Not select Give Me Updates for other Microsoft products when I update Windows
Select OK
Close the Windows Update window
Exit Server Manager
Enable IE Enhanced Security Configuration for Administrators:
The SharePoint Foundation 2013 SP1 Prerequisite installer required access to multiple sites to download prerequisite installers. We temporarily disabled IE Enhanced Security for Administrators to allow access to these sites. Now that the installation is complete, this can be turned back on.
Launch Server Manager
Select Local Server
Adjacent to IE Enhanced Security Configuration select the link to access the configuration settings page.
Under Administrators , select On
Select Ok
Restart the server
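A verification pass for the end of this procedure, as an added example that is not part of the original guide: it confirms that the settings relaxed for installation were restored and that the script's two SharePoint settings took effect. The registry paths, the AUOptions values and the SPAdminV4 service name are assumptions for a Windows Server 2012 R2 host and should be confirmed on your build; a Windows Update setting enforced by Group Policy is stored elsewhere and is not read here.

```powershell
# Added example: post-install verification. Reads state only.
# Assumed locations (Windows Server 2012 R2); confirm on your build.
$escAdminKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$auKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$site        = 'http://FIMPortal'   # same URL the configuration script uses

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Check {
    param($Name, $Expected, $Actual)
    [pscustomobject]@{
        Check    = $Name
        Expected = $Expected
        Actual   = $Actual
        Pass     = ($Actual -eq $Expected)   # a missing value ($null) fails
    }
}

$checks = @()

# IE Enhanced Security Configuration for Administrators: 1 = On, 0 = Off.
$escAdmin = Get-RegValue $escAdminKey 'IsInstalled'
$checks += New-Check 'IE ESC (Administrators)' 1 $escAdmin

# Windows Update: 1 = never check, 4 = install updates automatically.
$auOptions = Get-RegValue $auKey 'AUOptions'
$checks += New-Check 'Windows Update AUOptions' 4 $auOptions

# SharePoint Administration service: Automatic start and running.
$svc = Get-WmiObject Win32_Service -Filter "Name='SPAdminV4'"
$checks += New-Check 'SPAdminV4 StartMode' 'Auto' $svc.StartMode
$checks += New-Check 'SPAdminV4 State' 'Running' $svc.State

# Settings applied by the configuration script (needs the SharePoint snap-in).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Get-SPSite -ErrorAction SilentlyContinue) {
    $viewState = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.ViewStateOnServer
    $checks += New-Check 'ViewStateOnServer' $false $viewState
    $spSite = Get-SPSite $site -ErrorAction SilentlyContinue
    $checks += New-Check 'AllowSelfServiceUpgrade' $false $spSite.AllowSelfServiceUpgrade
}

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count) {
    Write-Warning ('{0} check(s) do not match the expected post-install state.' -f $failed.Count)
}
```

Run it from an elevated PowerShell session on both [MIM SERVER 1] and [MIM SERVER 2] after the final restart.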