Wednesday, January 25, 2012

FIM R2 Showdown -- Classic vs. Declarative

Come join me at The Experts Conference 2012 in San Diego, April 29 - May 2, where I will be presenting:

FIM R2 Showdown — Classic vs. Declarative
Speaker:
David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs. when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.

My colleague Lutz Mueller-Hipper has been selected to present three sessions:

Data Loss Prevention with RMS: 2012 the Year of RMS
Speaker: Lutz Mueller-Hipper

In this session we talk about the reasons for RMS and the battle against PKI. RMS is growing up, so let’s see what we got with Mac Office, for unsupported document formats and automatic data classification tools. We will also cover what is new with RMS in Windows 8 and RMS in the Cloud.

EZ PKI and PKI Housekeeping
Speaker: Lutz Mueller-Hipper

It is time to use PKI to simplify computer management, and this session will go over design recommendations and security aspects for scenarios with Wifi and VPN. Don’t just do it, do it right, and see why and how. The second part of this session will discuss user certificates in the wild, how to publish them securely with AD LDS and what needs to be done for housekeeping in Active Directory for PKI.

Public/Private Cloud Application Security and Single Sign On with BYOD –
Tear Down the Walls
Speaker:
Lutz Mueller-Hipper

The IT business is moving rapidly to cloud based solutions. Want to know what that means to the traditional network infrastructure and how you can run an open but secured network? The session will look at all those things from an application level and authentication in enterprises with classic SSO and federation.

For all of the Directory and Identity Abstracts

Monday, December 26, 2011

Property Sets for Permissions in AD and AD LDS

A while back I needed to set up Property Sets in AD LDS to grant permissions to many of the attributes on the person object all at once. As I reviewed the TechNet documentation on AD Property Sets I realized that it doesn’t tell you what object type property sets are, how to create a property set, or how to assign an attribute to a property set. The MSDN documentation on Property Sets lets you see which attributes were included in which property sets in the different versions of AD, and it hints that property sets are part of Control Access Rights. Finally there is some more MSDN documentation on Control Access Rights that starts to spell it out:

  • For defining property sets, to enable controlling access to a subset of an object's attributes, rather than just to the individual attributes. Using the standard access rights, a single ACE can grant or deny access to all of an object's attributes or to a single attribute. Control access rights provide a way for a single ACE to control access to a set of attributes. For example, the user class supports the Personal-Information property set that includes attributes such as street address and telephone number. Property set rights are created on controlAccessRight objects by setting the validAccesses attribute to contain both the ACTRL_DS_READ_PROP (16) and the ACTRL_DS_WRITE_PROP (32) access rights.

This illustrates the first goal of my post: property sets exist in AD as controlAccessRight objects. But it still doesn’t tell us where in AD they live. In fact they live in the CN=Extended-Rights container inside the Configuration partition (not the Schema partition):


Digging deeper into the MSDN docs on Creating Control Access Rights illustrates how you link attributes to a property set:

If you define a control access right for a property set, use the rightsGUID of the controlAccessRight object to identify the properties in the set. Every property is defined by an attributeSchema object in the Active Directory schema. The attributeSecurityGUID property of an attributeSchema object identifies the property set, if any, that the property belongs to. Be aware that the attributeSecurityGUID property is single-valued and stores the GUID in binary format (octet string syntax).

Another goal of this post is to help by making this a little more visual. When you create a property set, you must first generate a GUID and place it in the rightsGUID attribute on the controlAccessRight object. To assign an attribute to a property set you need to place this same GUID in the attributeSecurityGUID attribute on the attributeSchema object (in the Schema partition). Remember that an attribute can only belong to one property set.


Take a look at the following: Instructions on how to assign permissions to someone using a Property Set

For information on how to get the GUIDs into the right forms see my post: GUIDs to Octets, GUIDs to Base64 strings and back again

Suppose I generate a GUID of 8c4ac332-975f-4717-ad7b-ba4a4e968fff by running the following PowerShell command line:

[system.guid]::newguid()

Don’t worry if your GUID is different from mine; it should be! If it isn’t, let me know, because I think I’ll partner with you for the lottery (aka a tax on the mathematically impaired).

Some attributes (like the attributeSecurityGUID), when edited through ADSI Edit, require you to convert the GUID to an octet string (in the byte order of little endian systems – Intel processors are little endian): 32c34a8c5f971747ad7bba4a4e968fff

Which you can do with this one line of PowerShell script

[System.String]::Join('',(( new-object system.guid('8c4ac332-975f-4717-ad7b-ba4a4e968fff') ).ToByteArray() | ForEach-Object { $_.ToString('x2') } ) )

Then if you want to put this in an LDIF file you must base64 encode the value so that it looks like: MsNKjF+XF0ete7pKTpaP/w==

You can do that with this one line of PowerShell

[System.Convert]::ToBase64String((new-Object system.Guid("8c4ac332-975f-4717-ad7b-ba4a4e968fff")).ToByteArray())

To convert from the Base64 string to the GUID use this line of PowerShell:

new-Object -TypeName System.Guid -ArgumentList(, ( ([System.Convert]::FromBase64String("MsNKjF+XF0ete7pKTpaP/w==")) ) )
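The same three transforms in Python, as an added example (not the post’s PowerShell): GUID to little-endian octet string, to base64 for LDIF, and back, plus an LDIF change record that assigns an attribute to a property set. The attributeSchema DN in the usage is a placeholder, not a real object.

```python
import base64
import uuid

# Constructed sample: the GUID generated in the post, used as the property set's rightsGUID.
SAMPLE_GUID = "8c4ac332-975f-4717-ad7b-ba4a4e968fff"


def guid_to_octets(guid_str: str) -> str:
    """Hex octet string as ADSI Edit wants it for a binary GUID attribute.

    AD stores a GUID as 16 bytes in the Windows little-endian layout: the
    Data1 (4 bytes), Data2 (2) and Data3 (2) fields are byte-swapped, the
    trailing 8 bytes are not. uuid.UUID.bytes_le produces that layout.
    """
    return uuid.UUID(guid_str).bytes_le.hex()


def guid_to_base64(guid_str: str) -> str:
    """Base64 of the same 16 bytes, the form an LDIF '::' value needs."""
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")


def base64_to_guid(b64: str) -> str:
    """Reverse the LDIF form back to the canonical GUID string."""
    raw = base64.b64decode(b64)
    if len(raw) != 16:
        raise ValueError("attributeSecurityGUID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def ldif_assign_to_property_set(attribute_dn: str, property_set_guid: str) -> str:
    """LDIF change record that puts one attribute into a property set.

    The attributeSchema object gets attributeSecurityGUID set to the rightsGUID
    of the controlAccessRight object; the value is binary, so LDIF needs the
    base64 ('::') form. The caller supplies the attribute's DN.
    """
    return (
        f"dn: {attribute_dn}\n"
        "changetype: modify\n"
        "replace: attributeSecurityGUID\n"
        f"attributeSecurityGUID:: {guid_to_base64(property_set_guid)}\n"
        "-\n"
    )


if __name__ == "__main__":
    print(guid_to_octets(SAMPLE_GUID))   # 32c34a8c5f971747ad7bba4a4e968fff
    print(guid_to_base64(SAMPLE_GUID))   # MsNKjF+XF0ete7pKTpaP/w==
    # Placeholder DN: substitute the real attributeSchema DN from your schema partition.
    print(ldif_assign_to_property_set(
        "CN=Example-Attribute,CN=Schema,CN=Configuration,DC=example,DC=com",
        SAMPLE_GUID))
```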

FYI – I chose to express all of these in PowerShell as opposed to C#, as many readers are not C# developers and I still wanted to give everyone the ability to do these transforms without the complexity of compiling code or downloading an executable.

Thanks to John Geitzen whose reply to someone else’s question helped me see how to make the correct call to be able to pass the array as a whole parameter to the guid constructor instead of it getting splatted.

Thanks to Poshololic whose comment on this post showed how to do the Guid to Octet conversion in one line. 

Monday, November 28, 2011

Referenced by Other works and Sale at Lulu

I was pleasantly surprised today to find three other books referencing FIM Best Practices Volume 1, which, because of a Lulu sale, you can get at 25% off until 12/14/2011 with coupon code BUYMYBOOK305 (coupon expires December 14, 2011; $50 max savings). Of course, today only it is 30% off with CYBERMONDAY305.

All three have an identical blurb about FIM and reference FIM Best Practices Volume 1 as additional material.

User Provisioning: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors by Kevin Roebuck (Jun 7, 2011)
Excerpt - Page 138: "... TechNet Wiki [7] FIM Best Practices Volume 1: Introduction ..."

Run Book Automation: What you Need to Know For IT Operations Management by Michael Johnson (May 3, 2011)
Excerpt - Page 74: "... Microsoft TechNet Wiki [7] FIM Best Practices Volume 1 ..."

Federated Id management: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors by Kevin Roebuck (Jun 7, 2011)
Excerpt - Page 148: "... TechNet Wiki [7] FIM Best Practices Volume 1: Introduction ..."

Although the blurb lists the license for FIM as Shareware, I hadn’t thought that FIM would fit the definition of Shareware.

All three appear to start with an introductory paper, and then contain a compilation of articles on various related technologies.

Tuesday, November 22, 2011

FIM exam 70-158 is now live oh and I passed

Exam 70-158: TS: Forefront Identity Manager 2010, Configuring is now live according to the MSL web site. I also received an email indicating that I passed the beta.

Wednesday, November 16, 2011

What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?

OK, I am not actually swearing, nor are those substitute words; rather, % and _ are two characters that, until hotfix rollup package (build 4.0.3594.2), could be used to perform some much needed and cool searches for sets, search scopes, groups and 3rd party client queries against FIM, such as querying for the presence of string attributes.

I am sure what happened is that someone created a resource with an underscore in the name and then couldn’t search for it. Hence the fix. However, it wasn’t broken. We need this functionality. Furthermore, simply enclosing the wildcard character in [] would cause it to be evaluated as a literal.

The secret, as I previously blogged, is that FIM takes what you type in (on some searches) and passes it as the right hand parameter of the T-SQL LIKE operator. Ergo, whatever wildcards you can do with LIKE you can do here. Was this a form of SQL injection? Perhaps, but I tested it for other kinds of SQL injection, such as adding a single quote and other commands, and those don’t work. So it wasn’t a vulnerability, but a feature. Undocumented? Sure, but needed.

Using Wildcard Characters As Literals

You can use the wildcard pattern matching characters as literal characters. To use a wildcard character as a literal character, enclose the wildcard character in brackets. The following table shows several examples of using the LIKE keyword and the [ ] wildcard characters.
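The LIKE behaviour described above, emulated in Python as an added example (neither FIM’s nor SQL Server’s code): a translator for the T-SQL LIKE wildcard subset FIM was passing through, the `_%` presence test the post relies on, and the bracket escaping that turns a wildcard back into a literal. It goes a little beyond the post’s examples by handling `[a-f]` sets and `[^...]` negated sets generally.

```python
import re


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a T-SQL LIKE pattern into a Python regex (use with fullmatch).

    Handles the SQL Server wildcards: '%' (any run of characters), '_' (exactly
    one), '[abc]' / '[a-f]' (one character from a set) and '[^abc]' (one
    character not in the set). A wildcard inside [ ] is a literal, which is
    the escaping trick the post relies on; an unmatched '[' is also a literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        elif ch == "[" and (end := pattern.find("]", i + 1)) > i + 1:
            body = pattern[i + 1:end]
            negate = body.startswith("^") and len(body) > 1
            if negate:
                body = body[1:]
            # Keep '-' so ranges like a-f survive; escape everything else.
            cls = "".join(c if c == "-" else re.escape(c) for c in body)
            out.append("[" + ("^" if negate else "") + cls + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)


def like_match(pattern: str, value) -> bool:
    """Emulate 'value LIKE pattern'. A NULL (None) never matches, as in SQL,
    which is why '_%' works as an 'attribute is present and non-empty' test."""
    return value is not None and like_to_regex(pattern).fullmatch(value) is not None


def escape_like_literal(text: str) -> str:
    """Bracket every wildcard so untrusted input is matched literally.
    This is what a query builder should do before feeding user text to LIKE;
    the hotfix effectively does it for every FIM search."""
    return re.sub(r"[%_\[]", lambda m: "[" + m.group(0) + "]", text)
```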

The problem with this hotfix is that it destroys our ability to build sets and queries that test for presence of values in string attributes. This will break many of the implementations of FIM that I and my team have done. We need a mechanism for detecting nulls in the attributes in the FIM Service database so that we can create sets based on the presence or absence of attributes.

Some might say that we can use DREs to accomplish this too, but the calculation of sets of objects that have a DRE is non-trivial, requiring the creation of an Outbound Sync Rule, the creation of a set of DRE objects, and then another set of objects whose DRL has members in the first set. But worst of all, this only applies to attributes in the connector space and their matching attribute in the Metaverse, and requires a few syncs; I cannot apply this approach to attributes that exist only in the FIM Service but not in the Metaverse.

Another alternative would be to create an IsPresent function in the XPath queries, but please ensure that it works on all attribute types.

Preference of fixes (in decreasing order of desirability):

1) We can still use the wildcards in the queries, but have a way to escape them and get an IsPresent function, in other words roll back this portion of the fix and teach/document how to have the wildcards treated as literals.

2) If we can’t do that, then I would prefer to see an IsPresent function in the XPath.

3) If we can’t do that, still allow the wildcards in the queries, but give us a way to escape them.

Official text from hotfix rollup package (build 4.0.3594.2):

Issue 2
Revised the FIM "Query and Sets" features to correctly treat percent signs, underscores, and opening brackets as literals instead of as SQL wildcard characters.
The approved character sets for strings that are used in FIM attribute values are defined in the attribute and binding schema in the FIM service. The syntax for representing an XPath filter is documented on MSDN in the following "FIM XPath Filter Dialect" article:

http://msdn.microsoft.com/en-us/library/ee652287.aspx

Some customers may have included characters that SQL defines as query wildcard characters, such as the percent character, in FIM searches and Set filters. In this case, the customers intended FIM to treat the characters as SQL wildcard characters. This is not a documented or supported feature of the product. In some cases, customers may be able to achieve the intended functionality by removing the wildcard and by using a “contains” query/filter instead.
Existing Set resources that have filters that contain SQL wildcard characters may not continue to function as the filters functioned before this hotfix was applied. Also, a filter that contains wildcard characters and that continued to function as expected after the hotfix was applied may function differently if the administrator later updates the filter definition.
Customers who used characters that SQL defined as query wildcard characters must check and revise their Set filters either before or after they upgrade to this hotfix. Customers should consider the impact of Set membership changes on Set transition MPRs. And, customers may want to temporarily disable MPRs or update workflow definitions while they change their Set filters to avoid unintentionally triggering provisioning or deprovisioning operations during Set definition maintenance.

FIM 2010 hotfix available (4.0.3594.2)

Microsoft has released a new hotfix (kb 2520954) at the end of October with some key fixes in it as well as one item that I will blog about next that prevents me from loading this on most implementations, until it is addressed.

Highlights

Component: Workflow Engine (FIM Service)
Official Description: Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails property for a request, or in the WorkflowStatusDetails property of a workflow instance: Cannot enlist in the transaction because a local transaction is in progress on the connection. Additionally, the time stamp is the same as the time when the operation fails.
Comments: An operation on a thread that makes a SQL call that times out poisons the thread, and all future operations on the thread fail. This could have led to other problems that were hard to reproduce. Kudos on this one.

Component: Sync Engine
Official Description: An ExpectedRulesEntry (ERE) object is associated to a child synchronization rule of a Metaverse object. If the ERE object has a Remove action, deprovisioning of the object is also being triggered. Then, the behavior causes the deletion of the Metaverse object.
Comments: Much needed fix to ensure that deprovisioning doesn’t fire incorrectly.

Official Description: Fixes many "Export not reimported" errors that might occur because of errors in SQL.
Comments: Hallelujah – we see a fair amount of those. Would like to see more detail on that one.

Official Description: Improves the performance of all Sync Engine operations. Note: This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.
Comments: OK, plan for a long time for your update. Be sure to back it up. This also sounds like a future blog article, to look a little deeper at the changes.

Feature 2
Official Description: The FIM 2010 Active Directory Management Agent (AD MA) does not honor the preferred domain controller list when passwords are exported. This is an issue for customers who require password changes to flow to a specific set of domain controllers. This hotfix rollup package changes the AD MA to use the preferred domain controller list first. If the preferred domain controller list does not exist, the domain controller locator service will identify a domain controller for password export operations. Additionally, you can still force password operations to use the primary domain controller by setting the following registry subkey:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters\PerMAInstance\<MA_name>

Value: UsePDCForPasswordOperations (REG_DWORD, 1 = True, 0 = False)

This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.
Comments: This will be very helpful in large environments. Prior to this, all password operations on FIM were targeting the PDC Emulator, which incidentally introduced a single point of failure. I also applaud the elimination of the need for the trust to do password exports!

Feature 3
Official Description: Adds the ability to filter objects before they are imported into the AD MA connector space.
Comments: Another big win for large environments where we need to ignore large portions of the domain!

Component: Sets and Query (FIM Service)
Official Description: Fixes an issue that would sometimes cause incorrect Set calculations. This resulted in lots of set corrections. Also revised the Sets Correction job so that it does not change special sets that are maintained by another system maintenance job.
Comments: Thank you!

Component: FIM MA
Official Description: Fixes an issue in which the FIM synchronization service configuration for synchronization rules and codeless provisioning was not correctly written to the FIM Service database.
Comments: Seen this one. Glad to have a fix.

Component: FIM Service
Official Description: Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronization service to fail during import, and a stopped-server error occurred.
Comments: Seen this one too.

Issue 4
Official Description: Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.
Comments: Once more, thank you.