Friday, March 16, 2018

Speaking at SQL Saturday Tomorrow

As most of you know, I am regarded as one of the SQL gurus among the Microsoft Identity Management gurus. For years, in my book and in speaking, I have been recommending Ola Hallengren's SQL Maintenance Solution to help take care of your ILM/FIM/MIM databases. But the SQL Maintenance Plan Wizard has come a long way. Tomorrow morning at 10 AM at Grand Canyon University I will be presenting, as part of SQL Saturday #726, a showdown between the SQL Maintenance Plan Wizard and Ola's solution, discussing when you want to use one vs. the other.

Tuesday, March 6, 2018

Kerberos, FIDO, what's next?

In the 1980s Steve Miller and Clifford Neuman published a new security protocol, called Kerberos after the mythical three-headed dog that guards the gates of Hades.

In 2014 the FIDO Alliance published the FIDO standard. This exciting standard is enabling a passwordless world (yet to come). For example, you can use a small USB device holding a key to log in instead of entering a password. FIDO 2.0 requires two factors: you type in a PIN plus present your key. Other options exist as well, potentially using smartphones or other devices via USB, Bluetooth or NFC.

What's next, more dog-name-related authentication schemes?

Goofy Authentication -- something like Dance Dance Authentication.

Snoopy Authentication -- you have to fight the Red Baron first.

Scooby Doo -- Solve a mystery in order to log in?

Lassie -- Requires saving Timmy first.

Pluto/Belka -- Must point your telescope at the Star you had named in the star registry.

Spike -- Biometric -- blood sample required.

Marmaduke -- this could work well with kids -- you have to make a mess that is uniquely you!

Friday, March 31, 2017

Open Source: Review of MIMTools

JefTek created a niche hybrid tool that tackles a few pieces of the sync and service puzzle in a way that none of the others do.

One notable one for sync:
Get and Export MIM Deltas to CSV (based on a drop file, either a stop-and-drop or the audit log dropped during the export).

It is great for setting up SharePoint and the Kerberos authentication to it.

While it doesn't do all that IS4U-FIM-PowerShell (see my review), Lithnet resourcemanagement-powershell or Lithnet miis-powershell (see my review), or even the FIM PowerShell Module (see my review) does, it fills a small niche that none of the rest of them do. This is a solid contribution!

Open Source: Review of FIM 2010 PowerShell Cmdlets

Gil Kirkpatrick (a great guy, fellow MVP, who has taught me a lot over the years) created one of the very first, if not the first, PowerShell commandlet libraries to manage the FIM/MIM Service. It hasn't had any activity in years, but it served as a great example to get others going.

If you like this simple approach you could check out Adam Weigert's PowerShell for FIM 2010 (see my review).

I recommend IS4U-FIM-PowerShell (see my review); this is what I use. But I also recommend Lithnet resourcemanagement-powershell (see my review).

Open Source: Review of IS4U-FIM-PowerShell

Wim Beck's IS4U-FIM-PowerShell is a great example of open source, in that he has built on top of the FIM PowerShell Module (see my review). This is what Open Source is about: building upon each other's contributions to make great stuff!

When I looked at it in Dec 2016 I almost dismissed it since it lacked a wiki, but since then Wim has added a lot of pages. They still lack examples; I plan on pitching in to help out with that by adding some examples to my fork and then asking Wim to pull them in.

Some of the commandlets don't do a good job of robust validation of parameters. This is another area that could use some community involvement.

For me, the approach of having commandlets focused around different object types allows for natural and better validation of the data you need to create, update and delete objects in the FIM/MIM Service.

One great example of building on things is the New-ObjectTypeConfiguration commandlet, which creates the object type in the schema, the attributes, the bindings, an MPR for permissions, a search scope and a navbar element, and updates the sync filter. Awesome!

I also love the RCDC commandlets. Test-RCDCConfiguration just does a simple test against the XSD, which you can set up Visual Studio to do for you, but this allows you to test programmatically after making programmatic changes to an RCDC object and before you upload it. I did feel the need to extend this and added a function to back up an RCDC and another to back up all of the RCDCs. I will add those to my fork when I get the chance.
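The XSD check described above, as an added example that is not IS4U-FIM-PowerShell's own code: it validates an RCDC document against a schema and returns every violation with its line and position, so an RCDC edited by script can be checked before upload. The XSD, namespace and RCDC fragment are tiny constructed stand-ins, not the real RCDC schema.

```powershell
# Added example (not the module's code): XSD validation of RCDC XML that collects
# every violation instead of stopping at the first. Schema and sample are constructed.
function Test-XmlAgainstSchema {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [Parameter(Mandatory)][string]$XsdText
    )
    $errors = New-Object 'System.Collections.Generic.List[string]'
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    $xsdReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $XsdText))
    [void]$settings.Schemas.Add($null, $xsdReader)   # $null: use the XSD's own targetNamespace
    # The closure captures $errors so each violation is recorded with its location
    $onError = {
        param($sender, $e)
        $errors.Add(('line {0}, pos {1}: {2}' -f $e.Exception.LineNumber, $e.Exception.LinePosition, $e.Message))
    }.GetNewClosure()
    $settings.add_ValidationEventHandler([System.Xml.Schema.ValidationEventHandler]$onError)
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $XmlText), $settings)
    try { while ($reader.Read()) { } } finally { $reader.Close() }   # reading drives validation
    Write-Output -NoEnumerate $errors
}

# Constructed stand-in schema: every Control needs a Name and a TypeName
$xsd = @'
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:example:rcdc"
           xmlns="urn:example:rcdc" elementFormDefault="qualified">
  <xs:element name="ObjectControlConfiguration"><xs:complexType><xs:sequence>
    <xs:element name="Control" maxOccurs="unbounded"><xs:complexType>
      <xs:attribute name="Name" type="xs:string" use="required"/>
      <xs:attribute name="TypeName" type="xs:string" use="required"/>
    </xs:complexType></xs:element>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>
'@
# Constructed RCDC fragment; the second Control is missing its required TypeName
$rcdc = @'
<ObjectControlConfiguration xmlns="urn:example:rcdc">
  <Control Name="PreferredFirstName" TypeName="UocTextBox"/>
  <Control Name="PreferredLastName"/>
</ObjectControlConfiguration>
'@
$problems = Test-XmlAgainstSchema -XmlText $rcdc -XsdText $xsd
if ($problems.Count -eq 0) { 'RCDC is schema-valid; safe to upload' }
else { $problems | ForEach-Object { "RCDC invalid: $_" } }   # reports line 4, missing TypeName
```

To use it against a real RCDC, feed the exported ConfigurationData XML and Microsoft's RCDC XSD in place of the constructed stand-ins.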

I use this module and it saves me a lot of time. I am glad to see Wim continuing to work on it, smoothing out the rough edges.

I can see how some might prefer the config file approach of Ryan Newington's Lithnet resourcemanagement-powershell (see my review), which I also recommend.

Open Source: Review of Lithnet

Ryan Newington's Lithnet consists of several items:

  1. miis-powershell
  2. resourcemanagement-powershell
  3. resourcemanagement-webservice
  4. googleapps-managementagent
  5. acma
    1. "Codeless business rules engine for FIM/MIM"
  6. umare
    1. "Codeless data transform engine for FIM/MIM"

I will only review the items I know.

Managing Sync
miis-powershell is amazing: it can do almost everything you can do through the UI, for example Clear-FullSyncWarning, and it has a great wiki. Gotta have it!

It wraps WMI calls, existing PowerShell modules, executables and sync client UI to interact with FIM/MIM Sync.

My WishList
Turn on and off Sync Rule Provisioning

Export Sync Server Config

Managing Service

I know many people love Ryan's approach with Lithnet resourcemanagement-powershell, as it enables you to interact with the FIM/MIM Service in great ways. The big downside for me is that you just about have to learn a new language, the Config Management XML, to use it most effectively. But when you do, you can have every piece of the FIM/MIM Service under source code control. Ike Ugochuku (recent MVP -- congrats!) has a nice video intro.

So while I use Wim Beck's IS4U-FIM-PowerShell (check out my review of IS4U-FIM-PowerShell), I can wholeheartedly concur with others' recommendations that this is worthwhile!

Simplifying the Service
The resourcemanagement-webservice is not something I have used, but as one of the first beta users of the SOAP/WCF endpoint back in the ILM 2 Beta 2 days I can really appreciate the notion of a simplified, RESTful interface that returns JSON instead of bloated XML. Good work!

The other pieces will have to wait for another time.

Open Source: Review of PowerShell for FIM 2010

PowerShell for FIM 2010 by Adam Weigert consists of three parts, but I further break the last into two:

  1. Management Agent (MA) and Metaverse (MV) Extensions that let you run PowerShell scripts as your extensions
  2. A Workflow Activity
  3. A PowerShell module
    1. Managing Sync
    2. Managing Service

Management Agent (MA) and Metaverse (MV) Extensions
The work done to enable you to write PowerShell scripts to be MA and MV extensions is crazy brilliant. However, I suspect (I haven't tested) that large installations should shy away from this, as compiled C# and VB.NET code tends to run orders of magnitude faster than PowerShell scripts. Perhaps someone else knows a way to make it more comparable in performance. I can see some smaller shops taking advantage of this, as they don't need to worry about performance in the Sync Engine.

Workflow Activity
The workflow activity (see my review of a bunch of open source Workflow activities) was good in its time but like most has been surpassed by the excellent MIMWAL.

Managing Sync
Similar to the FIM PowerShell Module, you can get an MA's status, start it, and get the run history. It does go beyond that by allowing you to clear the run history and stop an MA. However, all of these features are covered in Ryan Newington's Lithnet miis-powershell (see my review of Lithnet). This library is good, but I recommend using the FIM PowerShell Module and Lithnet miis-powershell.

Managing Service
This library has a nice simple model for creating, updating and deleting FIM/MIM resources. It is easier to use than FIM 2010 PowerShell Cmdlets. However, the simple model doesn't add lots of intelligence to help you with creating and managing the various resource types.

This may indeed be the approach you want.

I prefer IS4U-FIM-PowerShell (check out my review of IS4U-FIM-PowerShell).

I can see how others would prefer Lithnet resourcemanagement-powershell (see my review).

Here is an incomplete example from my notes:
New-FIMResource -ObjectType 'ManagementPolicyRule' -Set @{
    DisplayName = 'Users Can Edit Preferred Names with Approval';   # attribute name assumed; it was missing from the note
    Description = 'Users can edit preferred names with their managers approval which are then used to calculate their new displayname';
    PrincipalSetID = $PrincipalSet;
    GrantRight = $True;
    ManagementPolicyRuleType = '';   # still to be filled in
    AuthWfID = $AuthWFID;
    ActionWfID = $ActionWfID;
    Disabled = $false
} -Add @{
    ActionParameter = @('PreferredLastName', 'PreferredFirstName');
    ActionType = @('', '')   # still to be filled in
} | Set-FIMResource