During a recent customer case I created a small PowerShell script that creates all the service accounts used by FIM 2010 CM and configures the required SPN and delegation for Kerberos to work.
In the script just replace the initial parameters with your own before running it.
The script will prompt for the password to use for each of the accounts as it runs.
You can also download the script here.
#Script needs to run as domain admin on computer with AD DS Admin Tools. $FIMCMUPNDomain = "ad.company.com" $IssuingCA = "ca01" $OU = "OU=ServiceAccounts,DC=ad,DC=company,DC=com" $FIMCMPortalHostname = "cm.company.com" $FIMCMPool = "svcFIMCMPool" $FIMCMAgent = "svcFIMCMAgent" $FIMCMEnrollAgent = "svcFIMCMEnrollAgent" $FIMCMKRAgent = "svcFIMCMKRAgent" $FIMCMAuthZAgent = "svcFIMCMAuthZAgent" $FIMCMCAMngr = "svcFIMCMCAMngr" $FIMCMService = "svcFIMCMService" #FIM CM Pool New-ADUser $FIMCMPool -SamAccountName $FIMCMPool -GivenName FIMCM -Surname Pool -DisplayName "FIM CM Pool" -UserPrincipalName $FIMCMPool@$FIMCMUPNDomain -Path $OU -Description "Application pool account for FIM CM Portal, cm.company.com" -AccountPassword (Read-Host -AsSecureString "$FIMCMPool Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true #Kerberos settings #SPN SETSPN -S http/$FIMCMPortalHostname $FIMCMPool #Delegation for rpcss/issuingca Get-ADUser $FIMCMPool| Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="rpcss/$IssuingCA","rpcss/$IssuingCA.$FIMCMUPNDomain"} #FIM CM Agent. New-ADUser $FIMCMAgent -SamAccountName $FIMCMAgent -GivenName FIMCM -Surname Agent -DisplayName "FIM CM Agent" -UserPrincipalName $FIMCMAgent@$FIMCMUPNDomain -Path $OU -Description "FIM CM Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true #FIM CM Enrollment Agent New-ADUser $FIMCMEnrollAgent -SamAccountName $FIMCMEnrollAgent -GivenName FIMCM -Surname EnrollAgent -DisplayName "FIM CM Enroll Agent" -UserPrincipalName $FIMCMEnrollAgent@$FIMCMUPNDomain -Path $OU -Description "FIM CM Enrollment Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMEnrollAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true #FIM CM Key Recovery Agent New-ADUser $FIMCMKRAgent -SamAccountName $FIMCMKRAgent -GivenName FIMCM -Surname KRAgent -DisplayName "FIM CM KR Agent" -UserPrincipalName $FIMCMKRAgent@$FIMCMUPNDomain -Path $OU -Description "FIM CM Key Recovery Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMKRAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true #FIM CM Authorization Agent New-ADUser $FIMCMAuthZAgent -SamAccountName $FIMCMAuthZAgent -GivenName FIMCM -Surname AuthZAgent -DisplayName "FIM CM AuthZ Agent" -UserPrincipalName $FIMCMAuthZAgent@$FIMCMUPNDomain -Path $OU -Description "FIM CM Authorization Agent account" -AccountPassword (Read-Host -AsSecureString "$FIMCMAuthZAgent Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true #FIM CM CA Manager account New-ADUser $FIMCMCAMngr -SamAccountName $FIMCMCAMngr -GivenName FIMCM -Surname CAMngr -DisplayName "FIM CM CA Mngr" -UserPrincipalName $FIMCMCAMngr@$FIMCMUPNDomain -Path $OU -Description "FIM CM CA Manager account" -AccountPassword (Read-Host -AsSecureString "$FIMCMCAMngr Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true #FIM CM Service account New-ADUser $FIMCMService -SamAccountName $FIMCMService -GivenName FIMCM -Surname Service -DisplayName "FIM CM Service" -UserPrincipalName $FIMCMService@$FIMCMUPNDomain -Path $OU -Description "FIM CM Service account" -AccountPassword (Read-Host -AsSecureString "$FIMCMService Password") -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true