Web Service Configuration Settings
There are configuration settings for the FIM Service web services stored in the .NET app.config file and in the local computer registry. By default, the app.config file is named Microsoft.ResourceManagementService.exe.config. This file is consumed once when the FIM Service starts; therefore, the service must be restarted to consume any changes.
Web Service Configuration File Settings
The web service configuration is stored in two parts of the app.config file. The first part is the ResourceManagementService section and the second part is the .NET appSettings section. Generally, settings related to the service behavior, such as endpoint addresses or workflow host configuration, are stored in the ResourceManagementService section. Some settings, however, are also stored in the appSettings section. All of the configuration settings are optional, and the common settings are configured by initial setup. Some settings should only be changed as directed by customer support; they are included in this list for completeness. When making changes to an existing deployment, it may be necessary to edit the app.config file directly rather than running a change install.
Configuration setting | Description | Default Value |
---|---|---|
workflowManagerEndpointBaseAddress | Used to create a service principal identity for all FIM endpoints. Do not edit this setting unless instructed to do so by customer support. | ResourceManagementService/WorkflowManager |
dataReadTimeoutInSeconds | The timeout used in all SQL select commands. Increase this when receiving SQL timeouts when processing complex queries. | 58 |
dataWriteTimeoutInSeconds | The timeout used in all SQL update, insert, and delete commands. Increase this when receiving SQL timeouts when processing complex atomic web service requests. | 58 |
defaultKeySize | The key size used in SecurityToken service tokens. Do not edit this setting unless instructed to do so by customer support. | 256 |
defaultTokenLifetimeInMinutes | The lifetime (in minutes) of tokens issued by the security token service. | 10 |
externalHostName | The base URI to use when responding with CreateResponse and Authentication response. Use this for load-balanced scenarios. Also update the unified client resourceManagementServiceBaseAddress to have outgoing requests also hit the load-balanced server. The unified client settings are stored in the web.config file in the portal and in the app.config file for the password reset client. | The default value is the first IP address of the server. |
hostActivationIntervalInMilliseconds | The interval between the host activator polling workflow instances for status. Do not edit this setting unless instructed to do so by customer support. | 120000 |
intranetRegistrationEndpointAddress | The name of the intranet password reset registration endpoint. Do not edit this setting unless instructed to do so by customer support. | ResourceManagementService/SecurityTokenService/Registration |
metadataEndpointAddress | The name of the metadata endpoint. Do not edit this setting unless instructed to do so by customer support. | ResourceManagementService/MEX |
passwordResetEndpointAddress | The name of the password reset endpoint. Do not edit this setting unless instructed to do so by customer support. | ResourceManagementService/Alternate |
policyManagerIntervalInMilliseconds | The interval between running stored procedure DequeuePolicyApplication. Do not edit this setting unless instructed to do so by customer support. | 5000 |
receiveTimeoutInSeconds | The timeout used for receiving messages on all FIM endpoints. Do not edit this setting unless instructed to do so by customer support. | 300 |
resourceEndpointAddress | The name of the WS-Transfer resource endpoint. The full address to the endpoint will be the following: | ResourceManagementService/Resource |
resourceMailEndpointAddress | The name of the Resource Mail endpoint. The full address to the endpoint will be the following: | ResourceManagementService/ResourceMail |
resourceFactoryEndpointAddress | The name of the WS-Transfer ResourceFactory endpoint. The full address to the endpoint will be the following: | ResourceManagementService/ResourceFactory |
synchronizationEngineAccountName | The logon name for the sync engine's account. This enables the server to provide elevated access to the sync engine without special configuration in FIM. | SyncEngineAccount |
mailServer | URL pointing to the Exchange 2007 web service. It typically looks similar to the following: | (None) |
isExchange | String literals "1" or "0" indicating whether the mail sender should instantiate an SMTP client or Exchange client. Note that "true" and "false" are both treated as false. | 1 |
exchangeListenerInterval | Integer representing number of seconds to wait between polling Exchange. | 30 |
securityTokenServiceEndpointAddress | The name of the WS-Trust security token endpoint. The full address to the endpoint will be the following: | ResourceManagementService/SecurityTokenService |
securityTokenServiceMetadataEndpointAddress | The name of the WS-Trust security token metadata endpoint. The full address to the endpoint will be the following: | SecurityTokenService/MEX |
servicePrincipalName | Used to create a service principal identity for all FIM endpoints. Do not edit this setting unless instructed to do so by customer support. | There is no default value. Omitting this value results in the endpoints having the default principal identity (which depends on the WCF implementation of endpoints). |
maxReceivedMessageSizeInBytes | The maximum size of messages in bytes the server will receive. | 10 megabytes |
mailBatchSize | The maximum number of Exchange mail items to retrieve during one poll. Do not edit this setting unless instructed to do so by customer support. | 100 items |
Example
The following is an example Web service configuration file.
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- ... -->
  <resourceManagementService workflowManagerEndpointBaseAddress="ResourceManagementService/WorkflowManager"
                             dataReadTimeoutInSeconds="58"
                             dataWriteTimeoutInSeconds="58"
                             defaultKeySize="256"
                             defaultTokenLifetimeInMinutes="10"
                             externalHostName="identitymanagement.fabrikam.com"
                             hostActivationIntervalInMilliseconds="120000"
                             intranetRegistrationEndpointAddress="ResourceManagementService/SecurityTokenService/Registration"
                             metadataEndpointAddress="ResourceManagementService/MEX"
                             passwordResetEndpointAddress="ResourceManagementService/Alternate"
                             policyManagerIntervalInMilliseconds="5000"
                             receiveTimeoutInSeconds="300"
                             resourceEndpointAddress="ResourceManagementService/Resource"
                             resourceMailEndpointAddress="ResourceManagementService/ResourceMail"
                             resourceFactoryEndpointAddress="ResourceManagementService/ResourceFactory"
                             securityTokenServiceEndpointAddress="ResourceManagementService/SecurityTokenService"
                             securityTokenServiceMetadataEndpointAddress="SecurityTokenService/MEX"
                             servicePrincipalName="fimservice@fabrikam.com"
                             maxReceivedMessageSizeInBytes="10485760"
                             mailBatchSize="100"
  />
  <appSettings>
    <add key="synchronizationEngineAccountName" value="fimsyncservice"/>
    <add key="mailServer" value="http://exchange.fabrikam.com/ews/exchange.asmx"/>
    <add key="isExchange" value="1"/>
    <add key="exchangeListenerInterval" value="30"/>
  </appSettings>
</configuration>
```
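The following PowerShell check is an added example, not part of the original documentation or of any Microsoft tooling. It compares the attributes the table marks as support-only against their documented defaults and catches the isExchange literal pitfall. The function name Test-FimServiceConfig and the sample XML are constructed for illustration.

```powershell
# Defaults copied from the table above for settings the page marks
# "do not edit unless instructed to do so by customer support".
$SupportOnlyDefaults = [ordered]@{
    workflowManagerEndpointBaseAddress   = 'ResourceManagementService/WorkflowManager'
    defaultKeySize                       = '256'
    hostActivationIntervalInMilliseconds = '120000'
    intranetRegistrationEndpointAddress  = 'ResourceManagementService/SecurityTokenService/Registration'
    metadataEndpointAddress              = 'ResourceManagementService/MEX'
    passwordResetEndpointAddress         = 'ResourceManagementService/Alternate'
    policyManagerIntervalInMilliseconds  = '5000'
    receiveTimeoutInSeconds              = '300'
    mailBatchSize                        = '100'
}

function Test-FimServiceConfig {   # hypothetical helper name (assumption)
    param([Parameter(Mandatory)][xml]$Config)

    $svc = $Config.SelectSingleNode('/configuration/resourceManagementService')
    if ($null -ne $svc) {
        foreach ($name in $SupportOnlyDefaults.Keys) {
            # Every setting is optional; an absent attribute means the default applies.
            if ($svc.HasAttribute($name) -and $svc.GetAttribute($name) -ne $SupportOnlyDefaults[$name]) {
                "DRIFT  $name='$($svc.GetAttribute($name))' (documented default '$($SupportOnlyDefaults[$name])')"
            }
        }
        # Support-only as well, but it has no default to compare against.
        if ($svc.HasAttribute('servicePrincipalName')) {
            "REVIEW servicePrincipalName='$($svc.GetAttribute('servicePrincipalName'))' (support-only, no default)"
        }
    }
    # isExchange takes the literals "1" or "0"; "true" and "false" both act as false.
    $flag = $Config.SelectSingleNode("/configuration/appSettings/add[@key='isExchange']")
    if ($null -ne $flag -and $flag.GetAttribute('value') -notin '0', '1') {
        "ERROR  isExchange='$($flag.GetAttribute('value'))' is not the literal 1 or 0"
    }
}

# Constructed sample input, not taken from a real deployment.
$sample = [xml]@'
<configuration>
  <resourceManagementService defaultKeySize="128" receiveTimeoutInSeconds="300"
                             defaultTokenLifetimeInMinutes="10" />
  <appSettings>
    <add key="isExchange" value="true" />
  </appSettings>
</configuration>
'@

Test-FimServiceConfig -Config $sample
```

To audit a deployed service, load Microsoft.ResourceManagementService.exe.config with Get-Content -Raw and pass it as -Config; any correction made to the file takes effect only after the FIM Service is restarted.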
Web Service Registry Settings
The registry settings that configure the FIM Service are stored in the current control set of the FIM Service. All of these settings may be updated by running a change install. Additional registry values may be present in the same registry key, but these are not used by the FIM Service.
Registry Value | Class | Type | Description |
---|---|---|---|
DatabaseServer | HKLM | DWORD | Name of the FIM Service database server. |
DatabaseName | HKLM | DWORD | Name of the FIM Service database. |
CertificateThumbprint | HKLM | DWORD | The cryptographic thumbprint of the certificate the FIM Service uses to authenticate its endpoint identity and to encrypt claims on SecurityTokenService tokens (see Security Token Service Endpoint). |
PollExchangeEnabled | HKLM | DWORD | Indicates whether this instance of the FIM Service should monitor the Exchange mailbox for incoming mail. The FIM Service still may send outgoing mail even if the value is false. Only one instance of the FIM Service should poll the Exchange mailbox. |
Remarks
There is no general principle behind why some settings are stored in the registry and others are in the app.config file. When configuration settings are available in both locations, the registry generally takes precedence.