If you want to set the MIM Portal up to use Office 365 for sending email, and you hadn’t previously set it up during installation, you have the option of re-running the MIM installer and setting up the Office 365 details, as described in this helpful post on tlktechidentitythoughts
There are a couple of scenarios where this isn’t possible:
- You no longer have the installation media to hand
- You do have the installation media to hand, but you have upgraded your environment from FIM to MIM. In this case you end up in a catch-22: the MIM installer complains that it is not the version originally installed, and if you try the original FIM installer, it tells you that you need to run the newer installer.
Thankfully, there is a way to make the change manually without having to run the installer.
The tasks we need to do are:
- Change config to make MIM use Exchange Online instead of a local Exchange/SMTP server.
- Store an encrypted password for the service account that will be connecting to Exchange Online in the registry value EncryptedExchangeOnlineAccountPassword under the key HKLM\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service
Point MIM at Office 365
The first is easy enough – on each of your MIM Service servers, open the MIM Service config file, Microsoft.ResourceManagement.Service.exe.config, usually located in C:\Program Files\Forefront Identity Manager\Service\
and update the mail server lines as follows:
<add key="mailServer" value="https://outlook.office365.com/ews/exchange.asmx" />
<add key="isExchange" value="1" />
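Editing the file by hand works, but on several MIM Service servers it is easy to mistype a value or disturb the rest of the config. The following is an added example, not code from the original post, that makes the same two changes as XML edits, keeps a backup, restarts the service and then re-reads the file to verify. It assumes the two settings are `<add key="..." value="..."/>` elements that can be located by XPath anywhere in the file, and that the MIM Service Windows service is named FIMService.

```powershell
# Added example (not part of the original post): switch one MIM Service server to Exchange Online.
# Assumptions: the settings are <add key=.../> elements locatable by XPath, and the MIM Service
# Windows service is named FIMService. Run this on every MIM Service server.
$configPath = 'C:\Program Files\Forefront Identity Manager\Service\Microsoft.ResourceManagement.Service.exe.config'
$settings = @{
    mailServer = 'https://outlook.office365.com/ews/exchange.asmx'
    isExchange = '1'
}

# Keep a timestamped copy so the change can be rolled back if mail stops flowing.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $configPath -Destination $backup

# Load as XML rather than doing a text replace, so the rest of the file is untouched.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

foreach ($key in $settings.Keys) {
    $node = $xml.SelectSingleNode("//add[@key='$key']")
    if ($null -eq $node) {
        throw "Setting '$key' not found in $configPath. Nothing saved; backup is at $backup."
    }
    Write-Host ("{0}: '{1}' -> '{2}'" -f $key, $node.GetAttribute('value'), $settings[$key])
    $node.SetAttribute('value', $settings[$key])
}
$xml.Save($configPath)

# The service only reads its config at start-up, so restart it to pick up the change.
Restart-Service -Name FIMService

# Verify what is now on disk, independently of the in-memory document we just saved.
$check = New-Object System.Xml.XmlDocument
$check.Load($configPath)
foreach ($key in $settings.Keys) {
    $onDisk = $check.SelectSingleNode("//add[@key='$key']").GetAttribute('value')
    if ($onDisk -ne $settings[$key]) {
        throw "Verification failed: $key is '$onDisk' on disk. Restore from $backup."
    }
}
Write-Host "Config updated and FIMService restarted." -ForegroundColor Green
```

If you have more than one MIM Service server, the change must be made on each of them, or mail will behave differently depending on which server picks up a workflow.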
Encrypt the MIM Service account password
The second is a little trickier, but we can use a handy script provided by Microsoft (copied at the end of this post in case that page ever stops working). The script works for Group Managed Service Accounts as well as normal service accounts.
Run the script and follow the prompts. It takes the plain text password, encrypts it, and stores it in the necessary registry key.
That’s all.
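For a normal (non-managed) service account, the script protects the password with DPAPI in CurrentUser scope, which means only the Windows account that ran the encryption can decrypt it. If you run the script as yourself rather than as the MIM Service account, the value lands in the registry but the MIM Service will never be able to read it, and the only symptom is that no mail goes out. The following is an added check, not part of the original post or of Microsoft's script: run it in a PowerShell session started as the MIM Service account (the same way the script itself has to be run for this branch) and it confirms the stored value decrypts under that identity without ever displaying the password. It assumes the value was written with DataProtectionScope CurrentUser and UTF-16 encoding, as the script does; it does not apply to the managed-account branch, where the KeyProtectService does the protection.

```powershell
# Added check (not part of the original post or Microsoft's script): confirm that the account
# running this session can decrypt EncryptedExchangeOnlineAccountPassword.
# Assumption: the value was stored with DPAPI CurrentUser scope over a UTF-16 string, as the
# non-managed branch of the script does. Start the session as the MIM Service account.
Add-Type -AssemblyName System.Security
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service'
$valueName = 'EncryptedExchangeOnlineAccountPassword'
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$stored = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
if ([string]::IsNullOrEmpty($stored)) {
    throw "$valueName is missing or empty under $regPath."
}

try {
    $plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($stored),
        $null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

    # Report only the length; the password itself is never written to the console or a log.
    $length = [System.Text.Encoding]::Unicode.GetString($plainBytes).Length
    [Array]::Clear($plainBytes, 0, $plainBytes.Length)

    Write-Host "OK: $identity can decrypt $valueName ($length characters)." -ForegroundColor Green
} catch {
    # DPAPI raises a CryptographicException when the value belongs to another user's key.
    Write-Host "FAIL: $identity cannot decrypt $valueName ($($_.Exception.Message))." -ForegroundColor Red
    Write-Host "The value was most likely encrypted as a different account; re-run the script as the MIM Service account." -ForegroundColor Red
}
```

Because the DPAPI user key is per account and per machine profile, this check has to be repeated on each MIM Service server where the script was run.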
One tip: if you want to see the emails MIM is sending, but don’t want them to actually be delivered to the named recipients, a good solution is to set up a mailbox, and have your Exchange admin create a mail flow rule to divert all email sent by the MIM service account to the dedicated mailbox. This is really useful for seeing what people would have received without having to change any configuration in MIM or make exceptions in your workflows etc.
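The mail flow rule described in that tip can be created from Exchange Online PowerShell with New-TransportRule. The following is an added example, not part of the original post; the sender and mailbox addresses are placeholders you would replace with your own, and the rule names are mine. It redirects (rather than copies) everything sent by the MIM service account, so nothing reaches the real recipients while the rule is enabled, and it prints the rule afterwards so you can confirm it is enforced.

```powershell
# Added example (not part of the original post): divert all mail from the MIM service account
# to a dedicated test mailbox with an Exchange Online mail flow rule.
# Placeholders: replace the two addresses with your own values.
$mimSender    = 'mimservice@contoso.example'   # placeholder: the MIM service account's mailbox
$catchMailbox = 'mim-test@contoso.example'     # placeholder: the dedicated mailbox for inspection
$ruleName     = 'Divert MIM notifications to test mailbox'

# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# RedirectMessageTo drops the original recipients entirely; use BlindCopyTo instead if you
# ever want both the real delivery and a copy.
New-TransportRule -Name $ruleName `
    -From $mimSender `
    -RedirectMessageTo $catchMailbox `
    -Mode Enforce `
    -Comments 'Testing MIM workflows: all MIM mail goes to the test mailbox, not to users.'

# Show what was created so the state of the rule is visible before anyone runs workflows.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, From, RedirectMessageTo

# When testing is finished, remove the rule (or disable it with Disable-TransportRule) so
# real notifications flow again.
# Remove-TransportRule -Identity $ruleName -Confirm:$false
```

Remember to remove or disable the rule when you are done; while it is in place, password reset and approval notifications never reach their intended recipients.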
#O365update.ps1
#author & contributors: David Steadman, Anthony Ho
###############################
# Script for changing Exchange password
# 1. Could be used for Exchange Online and normal account
# 2. Could be used for Exchange Online or On-Premise for managed accounts
###############################
Write-Host "Is service run under managed account (Default is No)" -ForegroundColor Yellow
$answer = Read-Host " ( y / n ) "
$isManaged = $false;
if ($answer -eq "Y") {
    $isManaged = $true;
}
if ($isManaged) {
    Write-Host "Changing Exchange (Online or On-Premise) password for service running under managed account" -ForegroundColor Green
    Write-Host "You should be logged on as someone with local admin privilege to set the value in registry" -ForegroundColor Green
    Write-Host "NOTE: In case script fails, please ensure that MIMKeyProtectService is uninstalled (uninstall it if it is necessary)" -ForegroundColor Green
    ###############################
    #Script executes following steps
    # 1. Install service to encrypt password
    # 2. Run the service under service account
    # 3. Send password to the service
    # 4. Receive encrypted password
    # 5. Stop and uninstall service
    # 6. Save password in registry
    ###############################
    # NOTE: In case script fails, please ensure that MIMKeyProtectService is uninstalled (uninstall it if it is necessary)
    # If MIMKeyProtectService remains installed, installer will fail when it tries to use the service next time
    ###############################
    $account = Read-Host 'Please enter managed account with $ symbol at the end (format: domain\managedaccount$)'
    $securePassword = Read-Host "Please enter the password" -AsSecureString
    $secureConfirmPassword = Read-Host "Please confirm the password" -AsSecureString
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
    $password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureConfirmPassword)
    $confirmPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    if ($password -ne $confirmPassword) {
        throw "Password does not match"
    }
    #Create service
    sc.exe create MIMKeyProtectService binpath= "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.IdentityManagement.KeyProtectService.exe" displayname= "MIM Key Protect Service" obj= "$account"
    #sc.exe description MIMKeyProtectService "Key protection/unprotection service for Microsoft Identity Manager. It is used for group managed accounts"
    #Start service with parameter "e" - Encrypt
    $service = Get-Service "MIMKeyProtectService"
    $service.Start("e");
    $service.WaitForStatus("Running", '00:00:30');
    if ($service.Status -eq "Running") {
        Write-Host "Service is running"
        #Send password
        $pipe = New-Object System.IO.Pipes.NamedPipeClientStream '.', 'keypipe', 'Out';
        $pipe.Connect();
        $sw = New-Object System.IO.StreamWriter $pipe;
        $sw.AutoFlush = $true;
        $sw.Write($password);
        $sw.Dispose();
        $pipe.Dispose();
        #Receive encrypted password
        $pipe = New-Object System.IO.Pipes.NamedPipeClientStream '.', 'keypipe', 'In';
        $pipe.Connect();
        $sr = New-Object System.IO.StreamReader $pipe;
        $encryptedData = $sr.ReadToEnd();
        $sr.Dispose();
        $pipe.Dispose();
    }
    #Stop and delete service
    $service.Stop();
    $service.WaitForStatus("Stopped", '00:00:30');
    if ($service.Status -eq "Stopped") {
        Write-Host "Service is stopped"
        sc.exe delete MIMKeyProtectService
    }
    Write-Host "Encrypted Password" -ForegroundColor Cyan
    Write-Host ($encryptedData) -ForegroundColor DarkGreen
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service" -Name EncryptedExchangeOnlineAccountPassword -Value $encryptedData
} else {
    Write-Host "Changing Exchange Online password for service running under normal account" -ForegroundColor Green
    Write-Host "You should be logged on as the FIMService service account to encrypt the pwd" -ForegroundColor Green
    Write-Host "If the account doesn't have rights to write to the registry, log on as someone with local admin privilege to set the value" -ForegroundColor Green
    ## RUNAS /user:contoso\MIMService "powershell"
    #Login as mimservice account and then impersonate to update office365 login
    #We need to do the following:
    #1. Login as FIMService service account to encrypt the pwd
    #2. Login as someone with local admin privilege to set the value in registry
    ###############################
    Add-Type -AssemblyName System.Security
    #$o365user = Read-Host "Please enter office 365 email"
    $securePassword = Read-Host "Please enter the password" -AsSecureString
    $secureConfirmPassword = Read-Host "Please confirm the password" -AsSecureString
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
    $password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureConfirmPassword)
    $confirmPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    if ($password -ne $confirmPassword) {
        throw "Password does not match"
    }
    # Convert the plain text string to a byte array (UTF-16, which is what .NET calls Unicode).
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($password)
    # Encrypt the byte array with DPAPI, bound to the current user (must be the FIMService account).
    $encryptedBytes = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    $encryptedData = [Convert]::ToBase64String($encryptedBytes)
    Write-Host "Encrypted Password" -ForegroundColor Cyan
    Write-Host ($encryptedData) -ForegroundColor DarkGreen
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service" -Name EncryptedExchangeOnlineAccountPassword -Value $encryptedData
}