Channel: The SharePoint Farm
Using an External Identity Manager for SharePoint User Profile Synchronization

Forefront Identity Manager 2010 R2 SP1 and SharePoint Server 2013 have introduced the ability to use FIM for User Profile Synchronization with Active Directory, instead of the built-in version of FIM included with SharePoint Server. Currently, the process to support this is in beta. It also only officially supports SharePoint Server 2013, but will unofficially support SharePoint Server 2010.

You will need a few domain accounts: an account to run the FIM Service (s-fim), an account to run the FIM Management Agents (s-fimma), the SharePoint farm administrator account (s-sp2013farm), and finally a synchronization account for Active Directory (s-sp2013sync). For the last account, this guide will use the same account as the one used for the UPA connection. Configure the permissions appropriately for s-sp2013sync.

Provision the UPA and UPSS per the standard instructions. Once both services have been configured, stop the FIM services on the SharePoint server and set them to Disabled. In the UPA, under Configure Synchronization Settings, select Enable External Identity Manager.

First, we'll start out with a SQL Server running SQL Server 2012 SP1 with the Database Engine, Integration Services, and Management Studio. All other settings are at their defaults. If you are using a SQL Server that is not running on the same server as the FIM services, make sure to install the SQL Server Native Client on the server running the FIM services.

The FIM server will run SharePoint Foundation 2013, the FIM Synchronization Service, and the FIM Service and Portal, along with the SharePoint User Profile Connector. Install SharePoint Foundation 2013 and create a Classic Web Application for the FIM Portal. The FIM Portal does not currently work with Claims-based Authentication.

Next, install the FIM Synchronization Service. During the installation, specify the FIM Synchronization Service account.

Next, install the FIM Service and Portal.
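The step above of stopping the built-in FIM services on the SharePoint server and setting them to Disabled, scripted as an added example (not code from the original post). It assumes the built-in services are registered under the names FIMService and FIMSynchronizationService; confirm them with Get-Service before relying on the script.

```powershell
# Added example, not from the original post: stop and disable the built-in
# FIM services on the SharePoint 2013 server before enabling the external
# identity manager in the UPA.
# Assumption: the service names are FIMService and FIMSynchronizationService;
# verify with: Get-Service -DisplayName "Forefront*"
$fimServices = 'FIMService', 'FIMSynchronizationService'

foreach ($name in $fimServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on $env:COMPUTERNAME; check the service names."
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
    Set-Service -Name $name -StartupType Disabled
}

# Verify: fail loudly if either service is still running or is still set to
# start automatically, since the guide requires both to be stopped and
# disabled before the external FIM server takes over synchronization.
$remaining = Get-WmiObject Win32_Service -Filter "Name='FIMService' OR Name='FIMSynchronizationService'" |
    Where-Object { $_.State -ne 'Stopped' -or $_.StartMode -ne 'Disabled' }
if ($remaining) {
    $remaining | Format-Table Name, State, StartMode -AutoSize
    throw 'Built-in FIM services are not fully stopped and disabled.'
}
Write-Output 'Built-in FIM services are stopped and disabled.'
```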
The Portal will leverage our SharePoint Foundation installation and Classic Web Application. The Classic Web Application has been configured with an Alternate Access Mapping of "FIM02" in this example. Enter the SharePoint site collection URL. Enter the hostname of the FIM Service server. We're installing the Portal and Service on the same server, so again we'll use "FIM02" here. Enter the hostname of the Synchronization Service, along with the Management Agent account. Again, enter the FIM Service service account information. You can either let FIM generate a self-signed certificate, or use a certificate signed by a Certificate Authority. For purposes of synchronization, a self-signed certificate will work. Enter the mail server information. Since we're just after synchronization, the remaining options are unchecked (leaving the polling option checked, if not configured properly, will generate Event Log warnings). Enter the database server name and database name. Finish the installation of the FIM Service and Portal.

Next, install the KB2832389 update for the FIM Synchronization Service and for the FIM Service and Portal. This update is required prior to installing the SharePoint User Profile Connector. Until the SharePoint User Profile Connector goes RTW, it can be downloaded from the Forefront Identity Manager 2010 Connect site. Install the SharePoint User Profile Connector on the FIM Synchronization Service server.

The next step is to use the FIM client and FIM Portal to set up our Management Agents, Synchronization Rules, Workflows, and Management Policy Rules. This will cover the basics required, but you will want to adjust the attributes used and users targeted based on business requirements. Lastly, this will only cover User objects, but Contact and Group objects are also available for synchronization.

First, let's add a new attribute that we'll use. Using the Synchronization Service client, under the Metaverse Designer, select the person object type. Create one attribute:

Attribute name: sAMAccountName
Attribute type: String (non-indexable)

Next, create the Management Agents. Create a new Active Directory Domain Services MA. Go through the Management Agent and enter the appropriate information. For the username to connect to AD DS, specify the same account used for the User Profile Application connection (e.g. s-sp2013sync). Select the Directory Partition and specify any Containers (or all Containers) you want to synchronize objects from. Under Object Types, make sure at least User objects are selected. Under Attributes, select: displayName, givenName, mail, objectSid, sAMAccountName, sn, telephoneNumber. Click Next until you complete the Management Agent.

Create the FIM Service Management Agent. For this agent, under Connect to database, specify the values used to connect to the FIM Service. In this example, the values are:

Server: localhost
Database: FIMService
FIM Service base address: http://localhost:5725

Using Windows Authentication, specify the FIM Service Management Agent account (not the FIM Service account):

User name: s-fimma
Password: <password>
Domain: nauplius

Under Object Types, make sure the Person, and optionally Group, object type is selected. All Attributes should be selected. Configure the Person Object Type Mapping to map from "Person" to "person". This is the only Management Agent where we will configure the Attribute Flow. In this example, the flow is configured with these values:

Click Next until you complete the Management Agent.

The last Management Agent we will create is the SharePoint Profile Store Management Agent. Under Connectivity, specify the hostname and port number of the server running Central Administration. Enter the domain credentials of the SharePoint farm administrator account. For the picture flow direction, select "Export only (NEVER from SharePoint)". This will flow pictures from Active Directory to SharePoint.

Select all 3 Object Types. This Management Agent will throw errors when attempting to synchronize with SharePoint if any of the object types are left deselected. On the Attributes, select at least the following: AccountName, Anchor, domain, FirstName, LastName, Picture, PreferredName, ProfileIdentifier, SID, UserName. You may also add other attributes, such as WorkEmail, WorkPhone, and so forth. This example will use some of these other attributes later in the Synchronization Rules. Complete the SharePoint Management Agent.

If you export pictures from Active Directory to SharePoint, make sure you run the following on the SharePoint server:

[crayon-51ac1dca0f1bb/]

Configure Run Profiles for each Management Agent. The Active Directory Management Agent requires Full Import, Full Synchronization, Delta Import, and Delta Synchronization. The FIM [...]