
Microsoft Identity Manager (MIM) and its Privileged Access Management (PAM) feature give companies tools to manage and secure access to privileged accounts. A MIM-PAM test environment lets you validate the configuration and the security controls of MIM and PAM before they touch production. Here is an overview of how this test environment can be set up and used.

1. What is Microsoft Identity Manager (MIM)?

Microsoft Identity Manager (MIM) is an identity and access management system. It helps companies:

  • Manage identities across different systems
  • Define user roles and permissions
  • Set up automated workflows for managing user accounts and access

2. What is Privileged Access Management (PAM)?

MIM Privileged Access Management (PAM) is the MIM 2016 feature that controls access to highly privileged Active Directory groups and the systems they protect. PAM secures administrative access by:

  • Granting privileged group membership just in time, for a limited TTL, on request and optionally only after approval and MFA
  • Moving the privileged accounts into a separate administrative (bastion) forest that is isolated from the existing Active Directory (AD) forest and can be hardened independently

3. Why a test environment for MIM and PAM?

A MIM-PAM test environment is often used to:

  • Test new configurations before applying them in the production environment
  • Simulate security features and potential attack vectors
  • Analyze changes in identity and access control without compromising real data
  • Evaluate the functionality of MIM and PAM in a secure and controlled environment

4. Components of a MIM-PAM test environment

Setting up a MIM-PAM test environment involves several components that interact with each other:

A. Active Directory (AD)

An AD environment serves as the primary source for managing user accounts and permissions. An isolated AD is often set up in a test environment.

B. Privileged Access Management (PAM) forest

MIM PAM requires a dedicated bastion forest (commonly named PRIV) that holds only the shadow copies of privileged groups and accounts plus the MIM components. It is isolated from the existing (CORP) forest so that a compromise of CORP does not hand an attacker persistent control of the privileged groups, and so that access to them can be controlled and audited in one place.

C. Microsoft Identity Manager (MIM)

MIM orchestrates the identity lifecycle and user rights management. It integrates with AD and PAM to grant users access and implement role-based access controls.

D. SQL Server

A SQL Server is required for the database in which MIM stores the identity and access information.

E. PAM Components

The specific PAM components in a test environment include:

  • PAM Trust: A one-way forest trust in which the existing (CORP) forest trusts the bastion (PRIV) forest, with SID history enabled so that PRIV shadow groups carrying the SIDs of the original CORP groups are honored in CORP. Created with New-PAMTrust and New-PAMDomainConfiguration.
  • PAM Role: Binds candidate users to one or more shadowed privileged groups, with a maximum TTL and optional approval and MFA requirements (New-PAMRole).
  • PAM Requests: The mechanism through which a candidate asks for time-limited activation of a role (New-PAMRequest, the sample web portal or the PAM REST API); once granted, the shadow account is a member of the shadow group until the TTL expires.

5. Setting up a MIM PAM test environment

A. Installing the components

  1. AD Domain Controllers: Set up two forests, the existing (CORP) forest whose privileged groups are to be protected and the bastion (PRIV) forest that will host MIM and the shadow principals. A single domain per forest is enough for a test environment, but keep them on separate machines so that the isolation you are testing is real.
  2. SQL Server: Install SQL Server as the backend for the MIM Service database.
  3. MIM Service and Portal: Install the MIM Service and MIM Portal (the Portal runs on SharePoint) in the bastion forest to manage user roles and workflows.
  4. PAM Components: The PAM Component Service, PAM Monitoring Service and PAM REST API are installed together with the MIM Service in the bastion forest; the MIMPAM PowerShell module goes on the hosts from which you will administer PAM and submit or approve requests.

B. Configuring PAM

  1. Create the PAM trust: Establish a one-way forest trust in which the existing forest trusts the bastion forest, with SID history enabled (New-PAMTrust, New-PAMDomainConfiguration), and verify it (Test-PAMTrust, Test-PAMDomainConfiguration).
  2. Define PAM roles: Shadow the privileged groups and the candidate users into the bastion forest (New-PAMGroup, New-PAMUser), then create roles that bind candidates to those groups with a maximum TTL (New-PAMRole).
  3. PAM workflows: Decide per role whether activation requires approval (and by whom) or MFA; the request and approval workflows in the MIM Service then determine how and when a candidate's request is granted.
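The configuration steps above, as an added PowerShell example (not from the original page or from Microsoft's documentation). It assumes the bastion forest is PRIV with a DC named PRIVDC, the existing forest is contoso.local (NetBIOS CONTOSO) with a DC named CORPDC, that a group CorpAdmins and users Jen and Sam already exist in CONTOSO, and that it runs on the MIM Service host in PRIV as a PRIV administrator. All of these names are placeholders.

```powershell
# Added example: bring a MIM PAM test environment from an empty bastion forest
# to a requestable role. Run in an elevated PowerShell on the MIM Service host
# in the bastion (PRIV) forest. Forest, host, group and user names are assumed.
Import-Module MIMPAM
Import-Module ActiveDirectory

$SourceForest = "contoso.local"                # existing (CORP) forest, assumed
$SourceDomain = "CONTOSO"                      # its NetBIOS name, assumed
$SourceDC     = "CORPDC.contoso.local"         # a writable DC in CORP, assumed
$PrivDC       = "PRIVDC.priv.contoso.local"    # bastion forest DC, assumed

# Credentials of a CORP domain admin; MIM uses them to create the trust and to
# read the group and SID that will be shadowed into PRIV.
$ca = Get-Credential -UserName "$SourceDomain\Administrator" -Message "CORP domain admin"

# 1. One-way forest trust (CORP trusts PRIV) plus the domain settings PAM needs,
#    including SID history on the trust. The Test-* cmdlets are read-only checks.
New-PAMTrust -SourceForest $SourceForest -Credentials $ca
New-PAMDomainConfiguration -SourceDomain $SourceDomain -Credentials $ca
Test-PAMTrust -SourceForest $SourceForest -Credentials $ca
Test-PAMDomainConfiguration -SourceDomain $SourceDomain -Credentials $ca

# 2. Shadow the privileged CORP group into PRIV. The PRIV group carries the CORP
#    group's SID in its SID history, so membership in PRIV grants the CORP rights.
$pg = New-PAMGroup -SourceGroupName "CorpAdmins" -SourceDomain $SourceForest `
                   -SourceDC $SourceDC -Credentials $ca

# 3. Create PRIV shadow accounts for the candidate and for the approver.
#    By default the shadow account is named priv.<SourceAccountName>.
$cand = New-PAMUser -SourceDomain $SourceDomain -SourceAccountName "Jen"
$appr = New-PAMUser -SourceDomain $SourceDomain -SourceAccountName "Sam"
foreach ($acct in "priv.Jen", "priv.Sam") {
    $pw = Read-Host -AsSecureString -Prompt "Password for $acct"
    Set-ADAccountPassword -Identity $acct -NewPassword $pw -Reset -Server $PrivDC
    Enable-ADAccount -Identity $acct -Server $PrivDC
}

# 4. The role binds candidates to the privileged group with a maximum TTL in
#    seconds. ApprovalEnabled forces every request through the approver list;
#    MFAEnabled additionally requires the MIM Service to be configured for Azure MFA.
$role = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $cand `
                    -TTL 1800 -ApprovalEnabled $true -Approvers $appr -MFAEnabled $false

# Show what was created; Candidates and Approvers should list the shadow accounts.
Get-PAMRole | Where-Object DisplayName -eq "CorpAdmins" | Format-List *
```

Keep the TTL short in the test environment (here 30 minutes) so that you can observe the membership being removed again without waiting for the production default.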

C. Testing scenarios

  1. Scenario 1: Just-In-Time (JIT) access
    • Simulate temporary access to an administrative account by a user who makes a request via the PAM portal.
  2. Scenario 2: Role-based Access Control (RBAC)
    • Test access to administrative functions based on the predefined roles and the permissions granted.
  3. Scenario 3: Multi-Factor Authentication (MFA)
    • Implement and test MFA to further secure access to privileged accounts.
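Scenarios 1 and 2 run end to end, as an added PowerShell example (not from the original page). It assumes a PAM role named CorpAdmins with approval enabled already exists, that the candidate's shadow account is PRIV\priv.Jen and the approver's is PRIV\priv.Sam, and that the bastion DC is PRIVDC.priv.contoso.local and a CORP DC is CORPDC.contoso.local. Property names shown with Format-List * are whatever the installed MIMPAM module returns, so the example does not depend on them.

```powershell
# Added example: exercise the JIT scenario end to end. Part 1 runs as the
# candidate's shadow account (PRIV\priv.Jen), part 2 as the approver's shadow
# account (PRIV\priv.Sam), part 3 back as the candidate. All names are assumed.
Import-Module MIMPAM

# --- Part 1: candidate requests the role (runs as PRIV\priv.Jen) ---
# RequestedTTL is in seconds and may not exceed the TTL configured on the role.
New-PAMRequest -Role "CorpAdmins" -RequestedTTL 900 -Justification "Lab change TEST-1"
Get-PAMRequest | Format-List *        # the new request should be pending approval

# --- Part 2: approver decides (runs as PRIV\priv.Sam) ---
# Read the justification before approving; an approval step that approves
# everything unseen defeats the control that is being tested here.
$pending = Get-PAMRequestToApprove
$pending | Format-List *
$pending | Where-Object { $_.Justification -like "*TEST-1*" } | Set-PAMRequestToApprove -Approve
# To deny instead:  $pending | Set-PAMRequestToApprove -Reject

# --- Part 3: candidate verifies the elevation (runs as PRIV\priv.Jen) ---
# MIM adds priv.Jen to the PRIV shadow group with an expiring link. With
# -ShowMemberTimeToLive each member is prefixed with its remaining seconds,
# e.g. "<TTL=874>,CN=priv.Jen,...". The entry must vanish once the TTL is up.
Get-ADGroup -Identity "CorpAdmins" -Server "PRIVDC.priv.contoso.local" `
            -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# Group SIDs are frozen into Kerberos tickets when they are issued, so drop the
# cached tickets and touch a CORP resource: the tickets obtained now carry the
# CORP group SID and the access succeeds only while the membership is active.
klist purge
Get-ChildItem "\\CORPDC.contoso.local\NETLOGON" | Select-Object -First 1
klist
```

The local token of the interactive session (what whoami /groups prints) does not change until priv.Jen logs on again; the Kerberos tickets re-acquired after klist purge are what matter for access to CORP resources. Repeat part 3 after the TTL has passed to confirm that the access is gone again.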

6. PAM security features in the test environment

In the MIM-PAM test environment, you can test the following security features:

  • Just-In-Time (JIT) Privilege Elevation: Test time-limited access to administrative roles to minimize the risk of permanent rights.

  • PAM Monitoring and Auditing: Check that every role activation and its expiry is visible, both in the MIM request history (Get-PAMRequest, MIM Portal) and as group membership add and remove events in the bastion forest's Security log.
  • PAM Role Approvals: Test the approval processes for access to administrative accounts.
  • Isolated PAM Forest Architecture: Check the isolation of the privileged AD forest from the regular environment.
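The auditing check from the list above, as an added PowerShell example (not from the original page). It reads the Security log of the bastion DC for membership changes to the shadow group and flags changes not made by the PAM service accounts. The DC name, the group name and the service account names are assumptions; replace them with yours.

```powershell
# Added example: audit trail of JIT activations on the bastion DC. Requires the
# "Audit Security Group Management" subcategory, which the Default Domain
# Controllers Policy enables (success) out of the box. Names below are assumed.
$PrivDC          = "PRIVDC.priv.contoso.local"
$Group           = "CorpAdmins"
$ServiceAccounts = @("MIMService", "MIMComponent", "MIMMonitor")   # your MIM/PAM service accounts

# 4728/4732/4756 = member added to a global/local/universal security group;
# 4729/4733/4757 = member removed. Because the membership is an expiring link,
# every JIT activation should show up as an ADDED/REMOVED pair.
$added   = 4728, 4732, 4756
$removed = 4729, 4733, 4757
$events = Get-WinEvent -ComputerName $PrivDC -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = "Security"
    Id        = $added + $removed
    StartTime = (Get-Date).AddDays(-1)
}

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d["TargetUserName"] -ne $Group) { continue }      # TargetUserName is the group
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -in $added) { "ADDED" } else { "REMOVED" }
        Group     = $d["TargetUserName"]
        Member    = $d["MemberName"]          # DN of the shadow account
        ChangedBy = $d["SubjectUserName"]     # expected: one of the PAM service accounts
    }
}

"Membership changes to $Group in the last 24h:"
$rows | Sort-Object Time | Format-Table -AutoSize

# An ADDED event from anyone but the PAM service accounts means someone bypassed
# PAM and edited the shadow group directly; that is exactly what the bastion
# forest is meant to prevent, so treat it as an incident even in the lab.
$suspect = $rows | Where-Object { $_.Action -eq "ADDED" -and $_.ChangedBy -notin $ServiceAccounts }
if ($suspect) { Write-Warning "Direct membership changes outside PAM:"; $suspect | Format-Table -AutoSize }
```

Correlate the ADDED timestamps with Get-PAMRequest output from the same window: each approved request should line up with one ADDED event and, after its TTL, one REMOVED event.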

7. Tools and resources for setting up the test environment

Microsoft offers several tools to support the setup of a MIM-PAM test environment:

  • MIMPAM PowerShell module: The cmdlets (New-PAMTrust, New-PAMGroup, New-PAMUser, New-PAMRole, New-PAMRequest, Set-PAMRequestToApprove and others) that configure PAM and drive requests and approvals from the command line.

  • PAM Component Service, PAM Monitoring Service and PAM REST API: Installed with the MIM Service in the bastion forest; they apply and expire the time-limited group memberships, monitor for changes, and expose the request API used by the sample web portal.

  • MIM Portal: Enables the management of users, roles and approval processes.

8. Benefits of a MIM-PAM test environment

  • Security testing: Test all security mechanisms before activating them in the production environment.

  • Fault analysis: Errors or misconfigurations in an isolated environment can be easily identified and corrected.

  • Skills building: Teams can gain experience with MIM and PAM before taking on the management of productive identities.

Errors

Unable to create a PAM request (approval is required)

The error “Unable to create a PAM request (approval is required)” occurs after a MIM 2016 PAM deployment when a candidate requests a role that is configured to require approval, but the approval step cannot be created or completed because the approval configuration is incomplete or has failed.

Background to the error

In Microsoft Identity Manager (MIM) 2016 with Privileged Access Management (PAM), access to privileged accounts is governed by role requests. These requests often go through an approval process to ensure that access to administrative functions is granted only to authorized users. The error indicates that approval for the role is required, but has not been properly granted.

Possible causes of the error

  1. Missing approval workflows: The PAM request requires approval, but the corresponding approval workflow is not configured correctly.

  2. Approval policy errors: There could be a problem with the approval policy (MPR - Management Policy Rule) that specifies which steps are required to obtain approval for privileged access.

  3. Missing approvers: The user or group that should grant the approval is not configured or is unavailable.

  4. Role configuration: The PAM role that was requested requires approval, but the associated configuration (e.g. the PAM policy or approval rules) is incomplete or incorrect.

  5. Delays in the workflow process: The approval process could be delayed or stuck in a queue, causing the request to be blocked.

Troubleshooting steps

  1. Check approval workflows:
    • Make sure the workflow that controls the approval of the PAM request is properly configured.
    • Make sure the appropriate approvers are assigned in the correct role or group.
  2. Check Management Policy Rules (MPRs):
    • Check the MPRs associated with the role that was requested. Make sure the MPRs are correctly configured and trigger the approval request properly.
  3. Check group or user assignment:
    • Check that the user who is supposed to grant the approval is properly enrolled in the appropriate group or role.
  4. Check PAM policies and roles:
    • Check the PAM policy and make sure the correct approval rule is assigned for the requested role.
  5. Monitor workflow status messages:
    • Use the MIM portal or appropriate PowerShell cmdlets to check the status of the workflow. If the workflow gets stuck, check for root causes such as server delays or permission issues.
  6. Check logs and event logs:
    • Search the event logs on the MIM server to find any indication of specific errors related to the workflow or approval request.
  7. Set up a test environment:
    • If the error persists, a test environment can be helpful to verify the configurations step by step without affecting the production environment.
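Steps 1 to 6 gathered in one pass, as an added PowerShell example (not from the original page). It assumes the role is named CorpAdmins, runs on the MIM Service host in the bastion forest as a PAM administrator, and relies on the PAMRole object exposing properties named after the New-PAMRole parameters (DisplayName, TTL, ApprovalEnabled, Approvers, Candidates, MFAEnabled); the filter on provider names containing "PAM" for the Application log is a broad assumption rather than a documented list.

```powershell
# Added example: collect the facts behind an "approval is required" failure.
# Role name, log filters and the property names noted below are assumptions.
Import-Module MIMPAM

function Test-PAMRoleApproval {
    param([Parameter(Mandatory)][string]$RoleName)

    $role = Get-PAMRole | Where-Object DisplayName -eq $RoleName
    if (-not $role) { Write-Warning "No PAM role named '$RoleName'"; return }

    # A role with ApprovalEnabled but an empty approver list can never progress:
    # the request is created, waits for an approver that does not exist, and the
    # client reports that approval is required.
    $approvers  = @($role.Approvers)
    $candidates = @($role.Candidates)
    [pscustomobject]@{
        Role            = $role.DisplayName
        TTLSeconds      = $role.TTL
        ApprovalEnabled = $role.ApprovalEnabled
        ApproverCount   = $approvers.Count
        CandidateCount  = $candidates.Count
        MFAEnabled      = $role.MFAEnabled
        Verdict         = if ($role.ApprovalEnabled -and $approvers.Count -eq 0) {
                              "MISCONFIGURED: approval required but no approvers"
                          } elseif ($candidates.Count -eq 0) {
                              "MISCONFIGURED: no candidates can request this role"
                          } else { "role definition looks complete" }
    }
    "Approvers:";  $approvers  | Format-Table -AutoSize
    "Candidates:"; $candidates | Format-Table -AutoSize
}

Test-PAMRoleApproval -RoleName "CorpAdmins"

# Stuck requests: run this part as the approver's PRIV account. A request that
# never appears here was never routed to that approver.
Get-PAMRequestToApprove | Format-List *

# The MIM Service writes workflow and request errors to its own event log.
Get-WinEvent -LogName "Forefront Identity Manager" -MaxEvents 200 |
    Where-Object { $_.LevelDisplayName -in "Error", "Warning" } |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# The PAM services log to the Application log (provider name filter is assumed).
Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.ProviderName -like "*PAM*" -and $_.LevelDisplayName -ne "Information" } |
    Format-Table TimeCreated, ProviderName, Id, Message -Wrap
```

If the verdict is "MISCONFIGURED", fix the role with Set-PAMRole rather than by editing the shadow group or the MIM Service database directly, so that the MIM Service's own policy rules stay in control of the change.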

MIM PAM sample web portal won’t open, error 406

The error “MIM PAM sample web portal won’t open, error 406” occurs when the PAM sample web portal cannot be opened and the web server returns HTTP status 406 Not Acceptable. This status means that the server has nothing that matches what the client (the browser) said it accepts in its Accept, Accept-Language, Accept-Encoding or Accept-Charset headers; it is produced by the application's content negotiation, not by a transport or authentication problem.

Causes of the error “406 Not Acceptable”

The HTTP error code 406 is usually caused by problems in the configuration of the server or web portal. The most common causes are:

  1. Incorrect requests: The client requests a content type or language that the server cannot provide. This could indicate problems with the browser’s Accept header configuration or server settings.

  2. Web server settings: The web server (IIS, the Internet Information Services web server used for the MIM PAM web portal) might be configured to block or not accept certain content types or languages.

  3. Missing modules or extensions in IIS: The server might be missing certain IIS modules required to handle certain content.

  4. Incorrect PAM portal configuration: The MIM PAM Sample Web Portal might not work properly due to incorrect configuration, incorrect content negotiation settings, or incorrectly installed dependencies.

Troubleshooting steps

1. Check the IIS (Internet Information Services) server

  • Search IIS logs: Check the IIS logs (by default under C:\inetpub\logs\LogFiles\W3SVC<site id>) for requests with sc-status 406 to see which URLs are affected. The default W3C fields do not record the Accept header; to see what was negotiated, add "Accept" as a custom request-header field under Logging > Select Fields (IIS 8.5 and later) or enable Failed Request Tracing for status 406.

  • Configuring MIME Types: Make sure all required Multipurpose Internet Mail Extensions (MIME) types are correctly configured in IIS. If a requested file type is not supported, add it:
    • Open IIS Manager.
    • Navigate to your PAM web portal.
    • Select “MIME Types” and check that all relevant types (like .json, .xml, etc.) are configured.

  • Accept Languages: IIS itself does not reject requests based on Accept-Language; if a 406 depends on the browser's language settings, it is the application (ASP.NET globalization or the API's content negotiation) that is rejecting it, so check the application's configured cultures and formatters rather than IIS settings.

2. Checking the PAM web portal configuration

  • Checking the web.config file: Check the PAM web portal web.config file for possible configuration errors. Pay particular attention to:
    • The accepted Content-Type headers and other settings that are responsible for routing or outputting content.
    • Any adjustments in the area of MIME types or content negotiation that could trigger the problem.

3. Check browser settings

  • Check browser Accept header: Sometimes the problem is client-side, especially if the browser sends an Accept header that is incompatible. You can check the request using developer tools (F12) in the browser and make sure the requested content type is correct (e.g. application/json, text/html).

4. Install IIS modules

  • Install missing IIS modules: Important IIS modules may be missing (like ASP.NET or the URL Rewrite module). Check if all required modules for the MIM-PAM web portal are installed:

  • Open IIS Manager and go to “Modules”.

  • Make sure all required modules are present (e.g. ASP.NET modules for correct content output).

5. Check firewall/antivirus settings

  • Firewall/antivirus blocking requests: A firewall, web proxy or antivirus program may be rewriting or blocking certain content or requests. Check its logs first; only in the isolated test environment, and only briefly, disable it to confirm or rule it out, and re-enable it before drawing any other conclusion.

6. Check compatibility mode in browser

  • Compatibility issues: Try opening the PAM portal in a different browser or in incognito mode to make sure no extensions or cache issues are causing the issue.
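Steps 1 and 3 from the list above, as an added PowerShell example (not from the original page). It probes the portal with different Accept headers to see which one triggers the 406, and filters an IIS W3C log for 406 entries. The portal URL is assumed, and the log lines embedded below are constructed for the example in the default IIS W3C field layout, not real log data.

```powershell
# Added example: reproduce and localise a 406 from the PAM sample portal.
# The portal URL is assumed; the log excerpt is constructed for this example.
$Portal = "https://pamportal.priv.contoso.local/"

# 1. Same URL, different Accept headers. ASP.NET returns 406 when none of its
#    formatters can produce a media type the client accepts; IIS itself does not.
#    If "*/*" succeeds while the browser's header fails, the fix is on the
#    application side (formatters / web.config), not in IIS MIME types.
function Get-StatusForAccept {
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][string]$Accept)
    try {
        $r = Invoke-WebRequest -Uri $Url -Headers @{ Accept = $Accept } -UseBasicParsing -UseDefaultCredentials
        return [int]$r.StatusCode
    } catch {
        # Windows PowerShell throws on 4xx/5xx; the response object still carries the status.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
foreach ($accept in "text/html,application/xhtml+xml", "application/json", "*/*") {
    "{0,-35} -> {1}" -f $accept, (Get-StatusForAccept -Url $Portal -Accept $accept)
}

# 2. Parse a W3C log and keep the rows with the given status. The #Fields:
#    header names the columns, so the parser follows whatever fields are enabled.
function Get-IISErrors {
    param([Parameter(Mandatory)][string[]]$LogLines, [int]$Status = 406)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like "#Fields:*") { $fields = ($line -replace "^#Fields:\s*") -split " "; continue }
        if ($line.StartsWith("#") -or -not $fields -or -not $line.Trim()) { continue }
        $vals = $line -split " "
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) { $row[$fields[$i]] = $vals[$i] }
        if ([int]$row["sc-status"] -eq $Status) { [pscustomobject]$row }
    }
}

# Constructed sample in the default W3C layout (not real log data).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 09:12:03 10.0.1.20 GET /api/pamresources/pamroles - 8086 PRIV\priv.jen 10.0.1.50 Mozilla/5.0 - 406 0 0 15
2024-05-01 09:12:04 10.0.1.20 GET /index.html - 443 PRIV\priv.jen 10.0.1.50 Mozilla/5.0 - 200 0 0 3
'@ -split "`r?`n"

Get-IISErrors -LogLines $sample |
    Format-Table date, time, 'cs-uri-stem', 's-port', 'sc-status', 'cs(User-Agent)' -AutoSize

# Against a real server, e.g.:
# Get-IISErrors -LogLines (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log)
```

The port and URI of the failing row tell you whether the 406 comes from the portal site itself or from the PAM REST API it calls in the background, which narrows the search to one web.config.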

Conclusion

The “406 Not Acceptable” error in MIM-PAM indicates that the application behind IIS could not produce a response matching the content type or language the browser asked for. The usual causes are content negotiation or MIME type settings in the PAM web portal's configuration, missing IIS modules, or an unusual Accept header on the client. Checking the IIS logs, the portal's web.config and the browser's request headers, and adjusting them where they disagree, usually resolves the issue.
