Management Agent Communication Ports, Rights, and Permissions

Applies To: Windows Server 2003 with SP1

Download Instructions

This document is available for download as a Microsoft Word document at https://go.microsoft.com/fwlink/?LinkId=30737.

Overview

To establish secure communication channels between Microsoft Identity Integration Server (MIIS) 2003 and a connected data source, call-based management agents require open ports for each service and protocol that is used. In addition, if password synchronization is enabled, ports must be opened for the Remote Procedure Call service on both the server running MIIS 2003 and all Active Directory domain controllers.

The ports listed here are the default settings for each call-based management agent type. Your call-based connected data source might use different ports than those listed here.

Each connected data source also requires a minimum set of user rights and permissions necessary for MIIS 2003 to authenticate to it, and to add, modify, or delete objects. The user account configured within each management agent must have these user rights and permissions assigned to it in order for the management agent to run correctly. For help with configuring the user rights and permissions for different connected data sources, refer to the Help documentation for that data source.

Management Agent for Active Directory

Minimum Permissions

Operation Minimum Permissions

Connect and discover objects in Active Directory

Member of Domain Admins group.

- or -

Replicating Directory Changes permission for each domain of the forest that the management agent accesses. For more information about how to grant the Replicating Directory Changes permission, see the Microsoft web site.

Create, modify, or delete Active Directory objects and attributes

For non-administrative accounts, additional permissions might need to be added as appropriate. For example:

  • To create a new object, the Create All Child Objects permission is required.

  • To delete an object, the Delete All Child Objects permission is required.

For more information about setting the Replicating Directory Changes permission in Active Directory, see Microsoft Knowledge Base article 303972 (https://go.microsoft.com/fwlink/?LinkId=47854).

Communication Protocols and Ports

Service Protocol Port

LDAP

TCP/UDP

389

Kerberos

TCP/UDP

88

DNS

TCP/UDP

53

Kerberos Change Password

UDP

464

Management Agent for Active Directory Application Mode (ADAM)

Minimum Permissions

Operation Minimum Permissions

Detect changes to the ADAM application partitions

Replicate Directory Changes permission. For more information about how to grant the Replicating Directory Changes permission, see the Microsoft web site.

Discover the ADAM schema

Generic Read permissions on the configuration container

- or -

All of the following permissions:

  • List Contents

  • Read Property

  • List Object



Read objects in the application partition

Generic Read permissions on the configuration container

- or -

Both of the following permissions:

  • List Children

  • Read Property

Create, modify, or delete objects

Generic Write permissions on the configuration container

- or -

Both of the following permissions:

  • Delete Child

  • Write Property

Note

These permissions can all be inherited from the partition head. Inheritance is NOT required for the Replicate Directory Changes permission as this permission is only checked at the partition head and therefore is not required at any level below that.

Communication Protocols and Ports

Service Protocol Port

LDAP

TCP

389

Note

For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.

Management Agent for Microsoft Exchange Server 5.5

Minimum Permissions

Operation Minimum Permissions

Read only mode

Must be in Search role

Export mode

Must be in Admin role

Communication Protocols and Ports

Service Protocol Port

LDAP

TCP

636

Note

Port 636 is configured as the default port if SSL is enabled. However, you can change the port number by using Management Agent Designer. Ensure that port 389 is not selected for Exchange Server 5.5 if Active Directory is configured to use port 389 on the same server.

Management Agent for Microsoft Exchange Server 5.5 (bridgehead server)

Minimum Permissions

Operation Minimum Permissions

Read only mode

Must be in Search role

Export mode

Must be in Admin role

Communication Protocols and Ports

Service Protocol Port

LDAP

TCP

636

Note

Port 636 is configured as the default port if SSL is enabled. However, you can change the port number by using Management Agent Designer. Ensure that port 389 is not selected for Exchange Server 5.5 if Active Directory is configured to use port 389 on the same server.

Management Agent for Lotus Notes

Minimum Permissions

Operation Minimum Permissions

Read from the Name and Address Book (NAB)

Must not be member of a deny group that has an access control list (ACL) set on the NAB

Add, modify, or delete from the NAB

Must be a member of the administrator group

Set a password

Must be a member of the administrator group

.

Communication Protocols and Ports

Service Protocol Port

C API

TCP

1352

Management Agent for Novell eDirectory

Minimum Permissions

Operation Minimum Permissions

Connect

Any enabled user

Browse

  • Browse rights in the “Entry rights” property for the specified tree

  • Read/Compare rights in the “All attributes rights” for the specified tree

Modify

Rename/Write rights on “all attributes” for the specified tree

Create

  • Create rights in the “Entry rights” property for the specified tree

  • Write rights in the “All attributes rights” for the specified tree

Delete

Delete rights in the “Entry rights” property

Password management

Supervisor rights for the specified tree

Communication Protocols and Ports

Service Protocol Port

LDAP

TCP

389

Note

For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.

Management Agent for Oracle8i and Oracle9i Database

Minimum Permissions

Operation Minimum Permissions

Import objects

Refresh schema

Grant SELECT permission for the tables

Note

SELECT must be granted to ALL_SYNONYMS in the schema. For example, GRANT SELECT ON <schema_name>.ALL_SYNONYMS to <Oracle MA User Name>.

Add, modify, or delete single value attributes

Grant UPDATE permission for the primary table

Add, modify, or delete multi-valued attributes

Grant INSERT, UPDATE, and DELETE permissions for the multivalued table

Add new object

Grant INSERT permission for the primary table

Delete an object

Grant DELETE permission for the primary table

Communication Protocols and Ports

Service Protocol Port

SQL Net-Library

TCP

1433

Management Agent for Microsoft SQL Server 7.0 or SQL Server 2000

Minimum Permissions

Operation Minimum Permissions

Import objects

Refresh schema

Public Role access with Select rights for the primary, delta, and multivalued tables

Export: add a new row

Grant INSERT permission for the primary or multivalued table

Export: modify existing rows

Grant UPDATE permission for the primary or multivalued table

Export: delete objects or multivalued attributes

Grant DELETE permission for the primary or multivalued table

Communication Protocols and Ports

Service Protocol Port

SQL Net-Library

TCP

1433

Note

If your MicrosoftIdentityIntegrationServer database is running on a remote server running SQL Server, port 1433 is also used for the remote server. This SQL Server database, however, might not be running on the same computer that serves as a connected data source, and it can use a different port. It is strongly recommended that the server running MIIS 2003 and the remote server running SQL Server (if used) not be separated by a firewall.

Management Agent for Sun ONE Directory Server 4.12, 4.13, 5.0 or 5.1 (formerly iPlanet Directory Server)

Minimum Permissions

Operation Minimum Permissions

Connect

Anonymous access to RootDSE

Browse

Anonymous access

Read

Compare

Search

Create

Anonymous access to RootDSE

Read

Compare

Search

Add

Write

Modify

Anonymous access to RootDSE

Read

Compare

Search

Add

Delete

Anonymous access to RootDSE

Read

Compare

Search

Delete

Note

For delta imports, the account specified in the management agent should also have Read, Compare, and Search permissions for the cn=changelog object.

Communication Protocols and Ports

Service Protocol Port

LDAP

TCP

389

Note

For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.

Management Agent for Microsoft Windows NT 4.0

Minimum Permissions

Operation Minimum Permissions

Connect, browse and import

Domain user

Add, modify, or delete

Domain administrators group

Communication Protocols and Ports

Service Protocol Port

NetBIOS

TCP

445, 139

NetBIOS

UDP

137, 138

Management Agent for IBM DB2 Universal Database

Minimum Permissions

Operation Minimum Permissions

Import objects

Refresh schema

Default user permissions

Add to the users for the database

Grant SELECT permission to the user for tables that are owned by another user

Add, modify, or delete - single value operations

Grant INSERT, UPDATE, and DELETE permission for the primary table

Add, modify, or delete - multivalued operations

Grant INSERT, UPDATE, and DELETE permission for the multivalued table

Communication Protocols and Ports

Service Protocol Port

Universal DB Connect

TCP

50000

Management Agent for IBM Directory Server

Minimum Permissions

IBM Directory Server version 4.1

Operation Minimum Permissions

Connect, browse, add, modify, and delete

Must use the administrative credentials

IBM Directory Server version 5.x

Operation Minimum Permissions

Full import

None. Any user may run a full import

Delta import

Member of administrative group

Add, modify, or delete

Member of administrative group

Communication Protocols and Ports

Service Protocol Port

directory service

LDAP

389

Note

For this management agent type, port 389 is configured as the default port. However, you can change the port number by using Management Agent Designer. Secure Sockets Layer (SSL) can also be used for this management agent type. Using SSL does not affect the port that is used.

Password Synchronization Port Settings

Password synchronization on MIIS 2003 requires RPC ports to be open for the management agent for Active Directory, and for the Active Directory servers running the password change notification service (PCNS).

Minimum Permissions

Operation Minimum Permissions

Install PCNS

If the Active Directory schema needs to be updated, you must be a member of Schema Admins groups or Enterprise Admins group.

If the Active Directory schema is already updated, you need to be a member only in the Domain Admins group.

Synchronize passwords from one Active Directory forest to another Active Directory forest, when MIIS 2003 is installed on a member server in a domain in one forest and PCNS is installed on a domain controller in a different forest.

There must be a two-way forest trust established between the Active Directory forests.

Communication Protocols and Ports

Service Protocol Port

RPC Endpoint mapper

TCP

135

Dynamic RPC ports (PCNS)

TCP

5000 - 5100

Dynamic RPC ports (management agent for Active Directory)

TCP

57500 - 57520