Step by step MIM PAM setup and evaluation Guide – Part 3

This is the third part of the series. In the previous posts we prepared the test environment for the PAM deployment, created and configured all needed service accounts, installed SQL Server and prepared the PAM server for further installation. Now we have two forests – prod.contoso.com and priv.contoso.com. In PROD we have set up Certificate Services, an Exchange server and ADFS, and configured two test applications – one using Windows Integrated Authentication and the other claims-based authentication. In the PRIV forest we have the PAM server prepared for the MIM/PAM deployment, with SQL Server ready.

Installing PAM Server

1. Install SharePoint 2016

1.a. Download SharePoint 2016 Prerequisites

Download the following binaries into one folder (for example C:\Setup\Software\SP2016-Prerequisites) on the PRIV-PAM server:

Cumulative Update 7 (KB3092423) for Microsoft AppFabric 1.1 for Windows Server [https://www.microsoft.com/en-us/download/details.aspx?id=49171]

Microsoft Identity Extensions [http://go.microsoft.com/fwlink/?LinkID=252368]

Microsoft ODBC Driver 11 for SQL Server [http://www.microsoft.com/en-us/download/details.aspx?id=36434]

Microsoft Information Protection and Control Client [http://go.microsoft.com/fwlink/?LinkID=528177]

Microsoft SQL Server 2012 Native Client [http://go.microsoft.com/fwlink/?LinkID=239648&clcid=0x409]

Microsoft Sync Framework Runtime v1.0 SP1 (x64) [http://www.microsoft.com/en-us/download/details.aspx?id=17616] – Open SyncSetup_en.x64.zip and extract to this folder only Synchronization.msi

Visual C++ Redistributable Package for Visual Studio 2013 [http://www.microsoft.com/en-us/download/details.aspx?id=40784]

Visual C++ Redistributable for Visual Studio 2015 [https://www.microsoft.com/en-us/download/details.aspx?id=48145]

Microsoft WCF Data Services 5.0 [http://www.microsoft.com/en-us/download/details.aspx?id=29306]

Windows Server AppFabric 1.1 [http://www.microsoft.com/en-us/download/details.aspx?id=27115]

When done, the selected folder must contain the following binaries:

        • AppFabric-KB3092423-x64-ENU.exe
        • MicrosoftIdentityExtensions-64.msi
        • msodbcsql.msi
        • setup_msipc_x64.msi
        • sqlncli.msi
        • Synchronization.msi
        • vcredist_x64.exe
        • vc_redist.x64.exe
        • WcfDataServices.exe
        • WindowsServerAppFabricSetup_x64.exe
1.b. Install SharePoint Prerequisites

Log on to PRIV-PAM as PRIV\PAMAdmin (password P@$$w0rd).

Open PowerShell ISE as an Admin and paste following script:

$spPrereqBinaries = 'C:\Setup\Software\SP2016-Prerequisites'
$sharePointBinaries = 'C:\Setup\Software\SharePoint2016'

# Runs an executable, waits for it to exit and reports the result.
# When the exit code equals $RestartResult (3010 = restart required), a restart is offered.
function Run-SystemCommand {
    Param(
        [parameter(Mandatory=$true)]
        [string]$Command,
        [parameter(Mandatory=$false)]
        [string]$Arguments = [String]::Empty,
        [parameter(Mandatory=$false)]
        [bool]$RestartIfNecessary = $false,
        [parameter(Mandatory=$false)]
        [int]$RestartResult
    )
    Process {
        try {
            $myProcess = [Diagnostics.Process]::Start($Command, $Arguments)
            $myProcess.WaitForExit()
            [int]$exitCode = $myProcess.ExitCode
            $result = ($exitCode -eq 0)
            if ($result) { Write-Host "[OK] $Command was successful" }
            elseif ($RestartIfNecessary -and ($exitCode -eq $RestartResult)) {
                Write-Host "[Warning] Please rerun the script after the server restarts"
                Restart-Computer -Confirm
            }
            else { Write-Host "[Error] Failed to run $Command (exit code $exitCode)" }
        }
        catch {
            Write-Host "[Error] Failed to run $Command"
            Write-Host ("`t`t`t{0}" -f $_.Exception.Message)
        }
    }
}

# prerequisiteinstaller.exe switches; each one points at a downloaded binary
$arguments  = "/sqlncli:`"$spPrereqBinaries\sqlncli.msi`" "
$arguments += "/idfx11:`"$spPrereqBinaries\MicrosoftIdentityExtensions-64.msi`" "
$arguments += "/sync:`"$spPrereqBinaries\Synchronization.msi`" "
$arguments += "/appfabric:`"$spPrereqBinaries\WindowsServerAppFabricSetup_x64.exe`" "
$arguments += "/kb3092423:`"$spPrereqBinaries\AppFabric-KB3092423-x64-ENU.exe`" "
$arguments += "/msipcclient:`"$spPrereqBinaries\setup_msipc_x64.msi`" "
$arguments += "/wcfdataservices56:`"$spPrereqBinaries\WcfDataServices.exe`" "
$arguments += "/odbc:`"$spPrereqBinaries\msodbcsql.msi`" "
# /msvcrt11 takes the older Visual C++ runtime (vcredist_x64.exe),
# /msvcrt14 the Visual Studio 2015 runtime (vc_redist.x64.exe)
$arguments += "/msvcrt11:`"$spPrereqBinaries\vcredist_x64.exe`" "
$arguments += "/msvcrt14:`"$spPrereqBinaries\vc_redist.x64.exe`""

Run-SystemCommand -Command "$sharePointBinaries\prerequisiteinstaller.exe" -Arguments $arguments -RestartIfNecessary $true -RestartResult 3010

Replace the $spPrereqBinaries value with the path where your prerequisite binaries are located.

Replace $sharePointBinaries with the path to the root of your SharePoint 2016 distribution.

Run the script above. The result should confirm a successful installation. If the server restarts, run the script again after the restart, and repeat until no restart is needed.

Finally, restart the PRIV-PAM server.

1.c. Create the SharePoint Server 2016 installation configuration file

Log on to PRIV-PAM as PRIV\PAMAdmin (password P@$$w0rd).

In the Notepad paste following:

<Configuration>
  <Package Id="sts">
    <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes" />
  </Package>
  <Package Id="spswfe">
    <Setting Id="SETUPCALLED" Value="1" />
  </Package>
  <Logging Type="verbose" Path="%temp%" Template="SharePoint Server Setup(*).log" />
  <PIDKEY Value="RTNGH-MQRV6-M3BWQ-DB748-VH7DM" />
  <Display Level="none" CompletionNotice="no" />
  <Setting Id="SERVERROLE" Value="SINGLESERVER" />
  <Setting Id="USINGUIINSTALLMODE" Value="1" />
  <Setting Id="SETUP_REBOOT" Value="Never" />
  <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL" />
</Configuration>

In the configuration I have added the SharePoint 2016 evaluation key for the Standard edition. You are free to replace it with your own license key.

Save file as config.xml to chosen location.

1.d. Install SharePoint

Open PowerShell ISE as an Admin and paste following script:

$sharePointBinaries = 'C:\Setup\Software\SharePoint2016'
$configPath = 'C:\Setup'

# Same helper as in step 1.b: runs an executable, waits for it and reports the exit code
function Run-SystemCommand {
    Param(
        [parameter(Mandatory=$true)]
        [string]$Command,
        [parameter(Mandatory=$false)]
        [string]$Arguments = [String]::Empty,
        [parameter(Mandatory=$false)]
        [bool]$RestartIfNecessary = $false,
        [parameter(Mandatory=$false)]
        [int]$RestartResult
    )
    Process {
        try {
            $myProcess = [Diagnostics.Process]::Start($Command, $Arguments)
            $myProcess.WaitForExit()
            [int]$exitCode = $myProcess.ExitCode
            $result = ($exitCode -eq 0)
            if ($result) { Write-Host "[OK] $Command was successful" }
            elseif ($RestartIfNecessary -and ($exitCode -eq $RestartResult)) {
                Write-Host "[Warning] Please rerun the script after the server restarts"
                Restart-Computer -Confirm
            }
            else { Write-Host "[Error] Failed to run $Command (exit code $exitCode)" }
        }
        catch {
            Write-Host "[Error] Failed to run $Command"
            Write-Host ("`t`t`t{0}" -f $_.Exception.Message)
        }
    }
}

# setup.exe signals a pending restart with exit code 30030; the config path is quoted in case it contains spaces
Run-SystemCommand -Command "$sharePointBinaries\setup.exe" -Arguments "/config `"$configPath\config.xml`"" -RestartIfNecessary $true -RestartResult 30030

Replace the $configPath value with the path where the config file created in the previous step is located.

Replace $sharePointBinaries with the path to the root of your SharePoint 2016 distribution.

Run the script above and wait until it finishes – it does not display installation progress. The result should confirm a successful installation.

2. Create SharePoint Site

2.a. Request, issue and install the SSL certificate

Open PowerShell ISE as an Admin and paste following script:

# certreq.inf: request a 2048-bit machine key and a PKCS#10 request for the portal host name
# Exportable = TRUE allows the private key to be exported later; set it to FALSE if the key never needs to leave this server
$file = @"
[NewRequest]
Subject = "CN=pamportal.contoso.com,c=AE, s=Dubai, l=Dubai, o=Contoso, ou=Blog"
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = "WebServerV2"
"@

Set-Content -Path C:\Setup\certreq.inf -Value $file
certreq -new C:\Setup\certreq.inf C:\Setup\certreq.req

(Replace C:\Setup with a folder of your choice – the request file will be saved there.)

Run the script above and answer the prompt "Template not found. Do you wish to continue anyway?" with "Yes".

Copy C:\Setup\certreq.req to the corresponding folder on the PROD-DC server.

Log on to PROD-DC as an administrator.

Open a command prompt as an admin and run the following command:

certreq -submit C:\Setup\certreq.req C:\Setup\pamportal.contoso.com.cer

Here C:\Setup is the folder where the certificate request file is placed – modify the path according to your location.

Confirm the CA when prompted.

The issued certificate is now in C:\Setup\pamportal.contoso.com.cer. Copy that file back to the PRIV-PAM server.

Log on to PRIV-PAM as PRIV\PAMAdmin (password P@$$w0rd).

Run PowerShell as Admin and execute following:

# Import the issued certificate into the machine store and bind it to pamportal.contoso.com:443 in HTTP.SYS
$cert = Import-Certificate -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\Setup\pamportal.contoso.com.cer
$guid = [guid]::NewGuid().ToString("B")
$tPrint = $cert.Thumbprint
netsh http add sslcert hostnameport="pamportal.contoso.com:443" certhash=$tPrint certstorename=MY appid="$guid"

2.b. Run the script to create the SharePoint site where the PAM Portal will be placed

Open PowerShell ISE as an Admin and paste following script:

$Passphrase = 'Y0vW8sDXktY29'
$password = 'P@$$w0rd'

Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module WebAdministration   # needed for Set-WebBinding below

# Initialize values required for the script
$SecPassphrase = (ConvertTo-SecureString -String $Passphrase -AsPlainText -Force)
$FarmAdminUser = 'PRIV\svc_PAMFarmWSS'
$svcMIMPool = 'PRIV\svc_PAMAppPool'

# Create new configuration database
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $FarmAdminUser, $secstr
New-SPConfigurationDatabase -DatabaseName 'MIM_SPS_Config' -DatabaseServer 'SPSSQL' -AdministrationContentDatabaseName 'MIM_SPS_Admin_Content' -Passphrase $SecPassphrase -FarmCredentials $cred -LocalServerRole WebFrontEnd

# Create new Central Administration site
New-SPCentralAdministration -Port 2016 -WindowsAuthProvider "NTLM"

# Perform the config wizard tasks
Install-SPHelpCollection -All            # install help collections
Initialize-SPResourceSecurity            # initialize security
Install-SPService                        # install services
Install-SPFeature -AllExistingFeatures   # register features
Install-SPApplicationContent             # install application content

# Add managed account for the application pool (same lab password as the farm account)
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $svcMIMPool, $secstr
New-SPManagedAccount -Credential $cred

# Create new application pool
New-SPServiceApplicationPool -Name PAMSPSPool -Account $svcMIMPool

# Create new web application.
# This creates a web application that uses classic-mode Windows authentication;
# claims-based authentication is not supported by MIM.
New-SPWebApplication -Name 'PAM Portal' -Url "https://pamportal.contoso.com" -Port 443 -HostHeader 'pamportal.contoso.com' -SecureSocketsLayer:$true -ApplicationPool "PAMSPSPool" -ApplicationPoolAccount (Get-SPManagedAccount $svcMIMPool) -AuthenticationMethod "Kerberos" -DatabaseName "PAM_SPS_Content"

# Create new SP site
New-SPSite -Name 'PAM Portal' -Url "https://pamportal.contoso.com" -CompatibilityLevel 15 -Template "STS#0" -OwnerAlias $FarmAdminUser

# Disable server-side view state (required by MIM)
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.ViewStateOnServer = $false
$contentService.Update()

# Configure SSL (SNI) on the IIS binding
Set-WebBinding -Name "PAM Portal" -BindingInformation ":443:pamportal.contoso.com" -PropertyName "SslFlags" -Value 1

# Add secondary site collection administrator
Set-SPSite -Identity "https://pamportal.contoso.com" -SecondaryOwnerAlias "PAMAdmin"

3. Install MIM Service, MIM Portal and PAM

Open Command prompt as an Admin and run following command

msiexec.exe /passive /i "C:\Setup\Software\MIM2016SP1RTM\Service and Portal\Service and Portal.msi" /norestart /L*v C:\Setup\PAM.LOG ^
  ADDLOCAL="CommonServices,WebPortals,PAMServices" SQMOPTINSETTING="1" ^
  SERVICEADDRESS="pamsvc.contoso.com" FIREWALL_CONF="1" ^
  SHAREPOINT_URL="https://pamportal.contoso.com" SHAREPOINTUSERS_CONF="1" ^
  SQLSERVER_SERVER="SVCSQL" SQLSERVER_DATABASE="FIMService" EXISTINGDATABASE="0" ^
  MAIL_SERVER="mail.contoso.com" MAIL_SERVER_USE_SSL="1" MAIL_SERVER_IS_EXCHANGE="1" POLL_EXCHANGE_ENABLED="1" ^
  SERVICE_ACCOUNT_NAME="svc_PAMWs" SERVICE_ACCOUNT_PASSWORD="P@$$w0rd" SERVICE_ACCOUNT_DOMAIN="PRIV" SERVICE_ACCOUNT_EMAIL="svc_PAMWs@prod.contoso.com" ^
  REQUIRE_REGISTRATION_INFO="0" REQUIRE_RESET_INFO="0" MIMPAM_REST_API_PORT="8086" ^
  PAM_MONITORING_SERVICE_ACCOUNT_DOMAIN="PRIV" PAM_MONITORING_SERVICE_ACCOUNT_NAME="svc_PAMMonitor" PAM_MONITORING_SERVICE_ACCOUNT_PASSWORD="P@$$w0rd" ^
  PAM_COMPONENT_SERVICE_ACCOUNT_DOMAIN="PRIV" PAM_COMPONENT_SERVICE_ACCOUNT_NAME="svc_PAMComponent" PAM_COMPONENT_SERVICE_ACCOUNT_PASSWORD="P@$$w0rd" ^
  PAM_REST_API_APPPOOL_ACCOUNT_DOMAIN="PRIV" PAM_REST_API_APPPOOL_ACCOUNT_NAME="svc_PAMAppPool" PAM_REST_API_APPPOOL_ACCOUNT_PASSWORD="P@$$w0rd" ^
  REGISTRATION_PORTAL_URL="http://localhost" SYNCHRONIZATION_SERVER_ACCOUNT="PRIV\svc_MIMMA" SHAREPOINTTIMEOUT="600"

(Replace "C:\Setup\Software\MIM2016SP1RTM\Service and Portal\Service and Portal.msi" with the path to your Service and Portal installation media, and C:\Setup\PAM.LOG with the path where the installation log should be written.) Note that the service account passwords are passed in clear text on the command line.

When installation finishes open C:SetupPAM.LOG file in Notepad and goto the end of the file. You should find line

… Product: Microsoft Identity Manager Service and Portal — Installation completed successfully.

Open Internet Explorer and navigate to https://pamportal.contoso.com/IdentityManagement

The portal should load.

Restart the PRIV-PAM server

4. Configure SSL for pamapi.contoso.com

4.a. Request, issue and install the SSL certificate for pamapi.contoso.com

Open PowerShell ISE as an Admin and paste following script:

# certreq.inf for the PAM REST API host name; same settings as the portal request above
$file = @"
[NewRequest]
Subject = "CN=pamapi.contoso.com,c=AE, s=Dubai, l=Dubai, o=Contoso, ou=Blog"
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = "WebServerV2"
"@

Set-Content -Path C:\Setup\certreq.inf -Value $file
certreq -new C:\Setup\certreq.inf C:\Setup\certreq.req

(Replace C:\Setup with a folder of your choice – the request file will be saved there.)

Run the script above and respond to the message boxes with "OK".

Copy C:\Setup\certreq.req to the corresponding folder on the PROD-DC server.

Log on to PROD-DC as an administrator.

Open a command prompt as an admin and run the following command:

certreq -submit C:\Setup\certreq.req C:\Setup\pamapi.contoso.com.cer

Here C:\Setup is the folder where the certificate request file is placed – modify the path according to your location.

Confirm the CA when prompted.

The issued certificate is now in C:\Setup\pamapi.contoso.com.cer. Copy that file back to the PRIV-PAM server.

Log on to PRIV-PAM as PRIV\PAMAdmin (password P@$$w0rd).

Run PowerShell as Admin and execute following:

# Import the issued certificate into the machine store and bind it to pamapi.contoso.com:8086 in HTTP.SYS
$cert = Import-Certificate -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\Setup\pamapi.contoso.com.cer
$guid = [guid]::NewGuid().ToString("B")
$tPrint = $cert.Thumbprint
netsh http add sslcert hostnameport="pamapi.contoso.com:8086" certhash=$tPrint certstorename=MY appid="$guid"

4.b. Configure SSL on pamapi.contoso.com

Run PowerShell as Admin and execute following:

Set-WebBinding -Name ‘MIM Privileged Access Management API’ -BindingInformation “:8086:” -PropertyName Port -Value 8087

New-WebBinding -Name “MIM Privileged Access Management API” -Port 8086 -Protocol https -HostHeader “pamapi.contoso.com” -SslFlags 1

Remove-WebBinding -Name “MIM Privileged Access Management API” -BindingInformation “:8087:”
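As an added post-installation check (not part of the original post), the following PowerShell verifies the two HTTPS endpoints configured in steps 2.a and 4: for pamportal.contoso.com:443 and pamapi.contoso.com:8086 it confirms the HTTP.SYS SSL binding, that the bound certificate has its private key, matches the host name, is valid and chains to a trusted root, that the IIS site carries a matching SNI binding and that the port is listening, then lists the MIM and PAM services. Site names and ports are those used above; the PAM service display-name pattern is an assumption.

```powershell
# Added post-install check for the two HTTPS endpoints configured in this part; run elevated on PRIV-PAM
Import-Module WebAdministration
$endpoints = @(
    @{ HostName = 'pamportal.contoso.com'; Port = 443;  Site = 'PAM Portal' },
    @{ HostName = 'pamapi.contoso.com';    Port = 8086; Site = 'MIM Privileged Access Management API' }
)
function Test-PamHttpsEndpoint {
    param([string]$HostName, [int]$Port, [string]$Site)
    $ok = $true
    # 1. HTTP.SYS must hold the SSL binding that 'netsh http add sslcert' created
    $ssl = (netsh http show sslcert "hostnameport=${HostName}:${Port}" 2>&1) -join "`n"
    $m = [regex]::Match($ssl, 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})')
    if (-not $m.Success) { Write-Host "[Error] No HTTP.SYS SSL binding for ${HostName}:${Port}"; return $false }
    $thumb = $m.Groups[1].Value
    # 2. The bound certificate must be in LocalMachine\My with a private key, match the
    #    host name, be inside its validity period and chain to a trusted root
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { Write-Host "[Error] Bound certificate $thumb is not in LocalMachine\My"; return $false }
    if (-not $cert.HasPrivateKey) { Write-Host "[Error] Certificate $thumb has no private key"; $ok = $false }
    if ($cert.Subject -notmatch "CN=$([regex]::Escape($HostName))(,|$)") {
        Write-Host "[Error] Subject '$($cert.Subject)' does not match $HostName"; $ok = $false
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) {
        Write-Host "[Error] Certificate for $HostName is outside its validity period"; $ok = $false
    }
    if (-not $cert.Verify()) {
        Write-Host "[Warning] Certificate for $HostName does not chain to a root trusted by this server"
    }
    # 3. IIS must carry a matching https binding on the expected site, flagged for SNI
    $binding = Get-WebBinding -Name $Site -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:${HostName}" }
    if (-not $binding) {
        Write-Host "[Error] Site '$Site' has no https binding for ${HostName}:${Port}"; $ok = $false
    } elseif ($binding.sslFlags -ne 1) {
        Write-Host "[Warning] Binding for $HostName is not marked SNI (SslFlags=1)"
    }
    # 4. Something must actually be listening on the port
    if (-not (Test-NetConnection -ComputerName $HostName -Port $Port -InformationLevel Quiet)) {
        Write-Host "[Error] Nothing is listening on ${HostName}:${Port}"; $ok = $false
    }
    if ($ok) { Write-Host "[OK] ${HostName}:${Port} is bound to $($cert.Subject)" }
    return $ok
}
$allOk = $true
foreach ($e in $endpoints) { $allOk = (Test-PamHttpsEndpoint @e) -and $allOk }
# 5. Services installed in step 3: 'FIMService' is the MIM Service; the PAM services are
#    matched by display name (assumed pattern, adjust if your display names differ)
Get-Service | Where-Object { $_.Name -eq 'FIMService' -or $_.DisplayName -like '*Privileged Access Management*' } |
    ForEach-Object { Write-Host ("[{0}] {1}" -f $_.Status, $_.DisplayName) }
```

A chain warning from step 2 usually means the PROD issuing CA certificate is not yet trusted in the PRIV forest; the other checks fail only on a binding or certificate mismatch.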

Conclusion of Part 3

Now we are ready for the Part 4 – Installing PAM Example portal.

In this exercise we went step by step through the PAM Portal setup. If you carefully followed all steps, you have a healthy and well configured PAM deployment.

We didn't spend time on Portal customization and branding, which I leave to you for the future.

In the Part 4 we will set up PAM Example Portal.

Until then

Have a great week

Disclaimer – All scripts and reports are provided ‘AS IS’

This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of this sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of this script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this sample script or documentation, even if Microsoft has been advised of the possibility of such damages.
