[Technical] Setting up SharePoint Foundation 2013 for MIM 2016 SP1


It occurred to me while fighting with this over the last couple of days that I have never installed the MIM Portal in anything other than a lab. FIM Portal yes, but then only on SharePoint 2010 (even after 2013 was available, because it was a heck of a lot easier). While I know MIM 2016 SP1 can now run on Windows Server 2016 and SharePoint 2016, the customer’s SOE is still the earlier versions. Also I had (perhaps too optimistically) assumed I’d be better off with SharePoint 2013 because of this walkthrough.

There are a few problems with following this walkthrough, which is written for a lab, in a customer installation. Domain Admin accounts are used, it uses server names rather than aliases, and the SharePoint site is installed on port 82 for some reason. So I thought it worthwhile writing up my steps for reference.

Create Service Account

Among the service accounts you create for the solution is one for SharePoint – let’s call it svc_MIM_SharePoint. We did not want to put it in local Administrators on the server, but I had ensured it had:

  • Log on as a Service
  • Log on as a Batch Job

What we found out after struggling with “An unexpected error has occurred” on loading the SharePoint Central Administration site is that you also need:

  • Impersonate a client after authentication

Thanks to this blog poster for pointing us towards this fix: https://blogs.msdn.microsoft.com/brian_farnhill/2015/01/15/system-io-fileloadexception-for-system-servicemodel-dll-in-sharepoint-2013/
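As an added example (not part of the original post), the following PowerShell audits those three rights for the SharePoint service account and grants any that are missing, without adding the account to local Administrators. It assumes the account name svc_MIM_SharePoint used above and must be run in an elevated PowerShell session on the SharePoint server.

```powershell
# Added example, not from the original post. Checks and grants the three user rights the
# SharePoint app pool account needs, leaving it out of the local Administrators group.
# Assumes the account name used in the post; run in an elevated PowerShell on the server.
$Account = 'MYDOMAIN\svc_MIM_SharePoint'

# Local Security Policy constant names for the rights listed above
$RequiredRights = @{
    'SeServiceLogonRight'    = 'Log on as a service'
    'SeBatchLogonRight'      = 'Log on as a batch job'
    'SeImpersonatePrivilege' = 'Impersonate a client after authentication'
}

# secedit records principals as *SID, so resolve the account to its SID first
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current User Rights Assignment to an INF and read the [Privilege Rights] lines
$exportInf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$current = @{}
foreach ($line in Get-Content $exportInf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $current[$Matches[1]] = $Matches[2].Trim() }
}

# Compare: a right counts as granted only if the account's own SID (or name) is listed.
# Rights inherited through group membership are deliberately ignored, so the result does
# not depend on the account sitting in Administrators or another privileged group.
$missing = @()
foreach ($right in $RequiredRights.Keys) {
    $holders = if ($current[$right]) { $current[$right] -split ',' } else { @() }
    if ($holders -contains "*$sid" -or $holders -contains $Account) {
        Write-Host ("OK       {0} ({1})" -f $right, $RequiredRights[$right])
    } else {
        Write-Host ("MISSING  {0} ({1})" -f $right, $RequiredRights[$right])
        $missing += $right
    }
}

# Grant what is missing. secedit /configure REPLACES the holder list of every right named
# in the template, so the existing holders are carried over and the account appended.
if ($missing.Count -gt 0) {
    $template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
                  '[Privilege Rights]')
    foreach ($right in $missing) {
        $value = if ($current[$right]) { "$($current[$right]),*$sid" } else { "*$sid" }
        $template += "$right = $value"
    }
    $grantInf = Join-Path $env:TEMP 'user-rights-grant.inf'
    $grantDb  = Join-Path $env:TEMP 'user-rights-grant.sdb'
    $template | Set-Content -Path $grantInf -Encoding Unicode
    secedit /configure /db $grantDb /cfg $grantInf /areas USER_RIGHTS | Out-Null
    Write-Host "Granted: $($missing -join ', '). Recycle the app pool (or iisreset) so the new token picks them up."
}
```

One caveat: if User Rights Assignment on the server is managed by Group Policy, a local grant made this way is reverted at the next policy refresh, so make the change in the GPO that applies to the server instead. Either way the existing holders of each right must be preserved, which is why the script appends to the exported list rather than writing only the new account.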


I have separate DNS names for the MIM Service and the MIM Portal – I think this is a good practice because the customer might want to change the Portal address and it won’t affect anything talking directly to the Service.

  • iamportal.mydomain.net
  • iamservice.mydomain.net

The following SPNs were created – the FIMService SPNs on the MIM Service account, and the HTTP SPNs on the SharePoint account, because that is the app pool identity and the HTTP SPN must belong to whatever account decrypts the service ticket:

setspn -S FIMService/iamservice MYDOMAIN\svc_MIM_Service
setspn -S FIMService/iamservice.mydomain.net MYDOMAIN\svc_MIM_Service
setspn -S HTTP/iamportal MYDOMAIN\svc_MIM_SharePoint
setspn -S HTTP/iamportal.mydomain.net MYDOMAIN\svc_MIM_SharePoint

And constrained Kerberos delegation applied:

  • svc_MIM_Service –> FIMService
  • svc_MIM_SharePoint –> FIMService
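The SPN registration and delegation above, scripted as an added example that is not part of the original post: it registers each SPN only after confirming nothing else in the domain already holds it (a duplicate SPN stops the KDC issuing a ticket and the client silently falls back to NTLM), then configures Kerberos-only constrained delegation by writing msDS-AllowedToDelegateTo, which is what the Delegation tab in ADUC writes. Account and host names are the ones assumed above; it needs the ActiveDirectory module and write access to both accounts.

```powershell
# Added example, not from the original post. Registers the SPNs listed above, refuses to
# create a duplicate, and configures Kerberos-only constrained delegation to FIMService.
# Account and host names are the post's assumed names; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ServiceAccount    = 'svc_MIM_Service'
$SharePointAccount = 'svc_MIM_SharePoint'
$ServiceSpns = @('FIMService/iamservice', 'FIMService/iamservice.mydomain.net')
$PortalSpns  = @('HTTP/iamportal',       'HTTP/iamportal.mydomain.net')

function Register-Spn {
    param([string]$Account, [string[]]$Spns)
    foreach ($spn in $Spns) {
        # Search the whole domain: users, computers and gMSAs can all carry SPNs
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        $other  = $owners | Where-Object { $_.sAMAccountName -ne $Account }
        if ($other) { throw "Duplicate SPN: $spn is already on $($other.DistinguishedName -join '; ')" }
        if ($owners.Count -eq 0) {
            Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $spn}
            Write-Host "Registered $spn on $Account"
        } else {
            Write-Host "$spn is already on $Account"
        }
    }
}

function Set-KerberosConstrainedDelegation {
    param([string]$Account, [string[]]$TargetSpns)
    # Writing msDS-AllowedToDelegateTo selects "Trust this user for delegation to specified
    # services only / Use Kerberos only". TrustedForDelegation is left $false on purpose:
    # that flag is unconstrained delegation and lets the account collect users' TGTs.
    Set-ADUser -Identity $Account -Replace @{'msDS-AllowedToDelegateTo' = $TargetSpns}
}

Register-Spn -Account $ServiceAccount    -Spns $ServiceSpns
Register-Spn -Account $SharePointAccount -Spns $PortalSpns
Set-KerberosConstrainedDelegation -Account $ServiceAccount    -TargetSpns $ServiceSpns
Set-KerberosConstrainedDelegation -Account $SharePointAccount -TargetSpns $ServiceSpns

# Show the end state; Unconstrained must be False for both accounts
foreach ($acct in $ServiceAccount, $SharePointAccount) {
    $u = Get-ADUser -Identity $acct -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedForDelegation
    [pscustomobject]@{
        Account       = $acct
        SPNs          = $u.ServicePrincipalNames -join ', '
        DelegatesTo   = $u.'msDS-AllowedToDelegateTo' -join ', '
        Unconstrained = [bool]$u.TrustedForDelegation
    }
}
```

Note that -Replace overwrites any delegation targets the account already had, which is the intent here since FIMService is the only target; use -Add instead if the account legitimately delegates elsewhere. Running setspn -X afterwards is a cheap forest-wide check for duplicates that the per-SPN lookup might miss across domains.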

Install Pre-Requisites

As is typically the case in a customer environment, there was no internet access from the server so I had to do this manually. The pre-reqs for SharePoint 2013 are covered in this KB article. I did not need all of them on Windows Server 2012 R2; the ones I did need were:

Install SharePoint Foundation

Some extra notes in addition to the walkthrough:

  1. I always create a MIM Administrator account and install SharePoint and MIM using it. It is not a Domain Admin (as suggested by the walkthrough), but it is a local Administrator on the server.
  2. Select the “Complete” option,
  3. Allow the wizard to run,
  4. Select “Create a new server farm” – note this is also what you select when installing a second MIM Portal server, as each runs independently, and they just share the FIMService database,
  5. The database server is the shared SQL server I have for the other solution databases, so I enter its servername\instance,
  6. I modified the default database name to specify the server: SharePoint_Config_MIMServerName,
  7. Then it’s just a matter of clicking through the remaining dialogs.

At the end of this the SharePoint Central Administration page should load. Log in using your current account (which should be the MIM Administrator account) and check that the page loads. If the page doesn’t load or you get an error there is no point pushing on – this needs to work.

Configure SharePoint

I basically followed the script provided in the walkthrough, apart from configuring the SharePoint site on port 80, and setting the MIM Administrator account as the only owner.

#Initialize values required for the script
$URL = "http://iamportal.mydomain.net"
$DBOwner = "MYDOMAIN\svc_MIM_SharePoint"
$MIMAdmin = "MYDOMAIN\svc_MIM_Admin"

## Create Web Application (app pool runs as the SharePoint service account, Kerberos, port 80)
$dbManagedAccount = Get-SPManagedAccount -Identity $DBOwner
New-SPWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL $URL

## Create SharePoint Site Collection at compatibility level 14 (2010 mode), which the MIM Portal requires
$t = Get-SPWebTemplate -CompatibilityLevel 14 -Identity "STS#1"
$w = Get-SPWebApplication $URL
New-SPSite -Url $w.Url -Template $t -OwnerAlias $MIMAdmin -CompatibilityLevel 14 -Name "MIM Portal"
$s = Get-SPSite $w.Url
$s.AllowSelfServiceUpgrade = $false
if ($s.CompatibilityLevel -eq 14) {Write-Host "Site collection created successfully"}
else {throw ("Site collection has been created at the wrong compatibility level. Expected 14, got " + $s.CompatibilityLevel)}

## Disable server-side ViewState (the change needs Update() to persist) and the hourly health analysis job
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.ViewStateOnServer = $false
$contentService.Update()
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Disable-SPTimerJob

## Check site opens
Start-Process $URL

At the end of this the new site should be opened and you may be prompted to log in. Check that the empty site opens fine – then make sure you follow the step to add the site to the Local intranet zone in the IE security settings, since IE only sends the logged-on user’s credentials automatically to sites in that zone.

You then need to make sure you’ve got Kerberos set up properly – you should be able to close all your browsers, restart IIS, and then open http://iamportal.mydomain.net without being prompted to login. Only when this happens are you ready to proceed with the MIM Service and Portal installation.
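A browser that stops prompting does not prove Kerberos is in use: NTLM fallback looks identical from the address bar. The following PowerShell is an added example, not part of the original post, that checks the challenge the portal sends and then confirms the client actually obtained a Kerberos service ticket for the portal SPN. The URL and SPN are the ones assumed above; run it as a domain user from a domain-joined client (on the SharePoint server itself the IIS loopback check interferes).

```powershell
# Added example, not from the original post. Confirms the portal authenticates with
# Kerberos rather than silently falling back to NTLM. URL and SPN are the post's assumed
# names; run as a domain user from a domain-joined client, not on the server itself.
$PortalUrl = 'http://iamportal.mydomain.net'
$PortalSpn = 'HTTP/iamportal.mydomain.net'

# 1. Anonymous probe: the 401 challenge must advertise Negotiate, not only NTLM
try {
    Invoke-WebRequest -Uri $PortalUrl -UseBasicParsing | Out-Null
    Write-Warning 'No challenge at all: anonymous access is enabled on the web application'
} catch {
    $resp = $_.Exception.Response
    if (-not $resp) { throw }            # DNS or connection failure, not an HTTP error
    $challenge = [string]$resp.Headers['WWW-Authenticate']
    if ($challenge -notmatch 'Negotiate') {
        Write-Warning "Challenge is '$challenge'; Negotiate is not offered"
    } else {
        Write-Host "Challenge offered: $challenge"
    }
}

# 2. Clear cached tickets so the next request has to fetch a fresh one for the portal SPN
klist purge | Out-Null

# 3. Authenticated request with the logged-on user's credentials
$auth = Invoke-WebRequest -Uri $PortalUrl -UseDefaultCredentials -UseBasicParsing
Write-Host "Authenticated request returned HTTP $($auth.StatusCode)"

# 4. A Kerberos logon leaves a service ticket for the SPN in the cache; NTLM fallback does not
$ticket = klist | Select-String -SimpleMatch $PortalSpn
if ($ticket) {
    Write-Host "Kerberos ticket present: $($ticket.Line.Trim())"
} else {
    Write-Warning ("No ticket for $PortalSpn: the request fell back to NTLM. Check that the SPN is " +
                   "registered on the app pool account only, that the portal name is an A record, " +
                   "and that the web application's authentication is Negotiate (Kerberos), not NTLM.")
}
```

The ticket check in step 4 is the one that matters; a 200 in step 3 only tells you that some authentication succeeded. If the ticket is missing, the usual causes are a duplicate or absent HTTP SPN, a CNAME rather than an A record for the portal name, or the web application having been created with NTLM instead of Kerberos.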

Carol Wapshere

I’ve been working in the IT industry for rather a lot of years now, starting in sys admin then moving through project work and consultancy, eventually coming across MIIS 2003 in 2005 while working on an email migration project in London. After a few years in Switzerland I am now back in Australia, based in Canberra, working for UNIFY Solutions. I have been awarded the MVP for ILM/FIM every year since 2009.
