Sunday, November 29, 2009

FIM RCDC explained in brief

In this post I attempt to give you, the reader, a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC, the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall, FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration, formerly known as the Object Visualization Configuration (OVC). RCDC is the way you customize how FIM displays objects (now called resources) in the portal. Now for English: if you need to change the options and information users see in the FIM portal when they create new users or groups (security or distribution), or edit or view these resources, you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc.) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:


[Figure: RCDCExplained]

Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need to have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in red is the Header Grouping, and it provides the caption for the RCDC, in this case: Create Security Group. The Header Grouping contains just one control, the UocCaptionControl, and it is this control that determines what will be displayed, based on the Caption and Description attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up to 16 groupings counting the Header Grouping and the Summary Grouping, leaving up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as display name and description (SchemaDataSource), and a listing of Active Directory domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. These serve two purposes: 1) to provide the XSL transformation that produces a different summary of changes on the Summary Grouping, and 2) to provide a list for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements and attributes. The element type you will be concerned with is Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UocListView control, and you can’t make use of events.)

The attributes and properties govern the behavior of the control. They can be bound to the different data sources to make the control interact with an attribute on a resource, to control the visibility and editing of a control, and to provide the list of options to choose from.
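To make the conceptual picture concrete, here is an added example (my own code, not from this post and not from Microsoft) that walks an RCDC document and reports its Panel, its groupings (header, content, summary), the controls in each grouping and the data sources each control binds to, then checks the limits the post states. The embedded RCDC is a constructed, cut-down sample that follows the documented shape; the namespace URI, the {Binding Source=..., Path=...} syntax and the control type names are written from memory and are assumptions to verify against the MSFT RCDC reference before reuse.

```python
"""Walk an RCDC document: Panel > Groupings > Controls > data-source bindings,
then check the grouping/control limits the post describes.

Added example, not code from the post or from Microsoft. The sample RCDC
below is constructed; namespace URI, binding syntax and control type names
are assumptions to check against the MSFT RCDC reference.
"""
import re
import xml.etree.ElementTree as ET

NS = {"my": "http://schemas.microsoft.com/2007/12/fim/rcdc"}  # assumed namespace
BINDING_RE = re.compile(r"\{Binding\s+Source=(\w+),\s*Path=[\w.]+(?:,\s*Mode=\w+)?\}")
MAX_GROUPINGS = 16               # header + summary + up to 14 content groupings
MAX_CONTROLS_PER_GROUPING = 256  # 1..256 controls per content grouping

SAMPLE_RCDC = """<my:ObjectControlConfiguration xmlns:my="%s">
  <my:ObjectDataSource my:TypeName="PrimaryResourceObjectDataSource" my:Name="object"/>
  <my:ObjectDataSource my:TypeName="PrimaryResourceDeltaDataSource" my:Name="delta"/>
  <my:ObjectDataSource my:TypeName="PrimaryResourceRightsDataSource" my:Name="rights"/>
  <my:ObjectDataSource my:TypeName="SchemaDataSource" my:Name="schema"/>
  <my:Panel my:Name="panel" my:Caption="Create Security Group">
    <my:Grouping my:Name="HeaderGroup" my:IsHeader="true">
      <my:Control my:Name="HeaderCaption" my:TypeName="UocCaptionControl"
          my:Caption="Create Security Group" my:Description="Create a new security group"/>
    </my:Grouping>
    <my:Grouping my:Name="BasicInfo" my:Caption="General">
      <my:Control my:Name="DisplayName" my:TypeName="UocTextBox"
          my:Caption="{Binding Source=schema, Path=DisplayName.DisplayName}"
          my:RightsLevel="{Binding Source=rights, Path=DisplayName}">
        <my:Properties>
          <my:Property my:Name="Text" my:Value="{Binding Source=object, Path=DisplayName, Mode=TwoWay}"/>
        </my:Properties>
      </my:Control>
    </my:Grouping>
    <my:Grouping my:Name="Summary" my:IsSummary="true">
      <my:Control my:Name="SummaryControl" my:TypeName="UocHtmlSummary"/>
    </my:Grouping>
  </my:Panel>
</my:ObjectControlConfiguration>""" % NS["my"]


def q(name):
    """Clark-notation name for an RCDC element or attribute."""
    return "{%s}%s" % (NS["my"], name)


def binding_sources(control):
    """Data-source names a control binds to, from its own attributes
    (Caption, RightsLevel, ...) and from its Property values."""
    values = list(control.attrib.values())
    values += [p.get(q("Value"), "") for p in control.findall("my:Properties/my:Property", NS)]
    return {m.group(1) for v in values for m in BINDING_RE.finditer(v)}


def describe_rcdc(xml_text):
    root = ET.fromstring(xml_text)
    data_sources = {}
    for child in root:
        if child.tag == q("ObjectDataSource"):
            data_sources[child.get(q("Name"))] = child.get(q("TypeName"))
        elif child.tag == q("XmlDataSource"):  # XSL summary transform or option list
            data_sources[child.get(q("Name"))] = "XmlDataSource"
    panel = root.find("my:Panel", NS)
    groupings = []
    for g in panel.findall("my:Grouping", NS):
        if g.get(q("IsHeader")) == "true":
            kind = "header"
        elif g.get(q("IsSummary")) == "true":
            kind = "summary"
        else:
            kind = "content"
        controls = [{"name": c.get(q("Name")), "type": c.get(q("TypeName")),
                     "sources": binding_sources(c)} for c in g.findall("my:Control", NS)]
        groupings.append({"name": g.get(q("Name")), "kind": kind, "controls": controls})
    return {"panel": panel.get(q("Name")), "data_sources": data_sources, "groupings": groupings}


def check_rcdc(desc):
    """Problems found: too many groupings, a content grouping outside 1..256
    controls, or a control bound to a data source the RCDC never declares."""
    problems = []
    if len(desc["groupings"]) > MAX_GROUPINGS:
        problems.append("more than %d groupings" % MAX_GROUPINGS)
    for g in desc["groupings"]:
        n = len(g["controls"])
        if g["kind"] == "content" and not 1 <= n <= MAX_CONTROLS_PER_GROUPING:
            problems.append("grouping %s has %d controls" % (g["name"], n))
        for c in g["controls"]:
            for src in sorted(c["sources"] - set(desc["data_sources"])):
                problems.append("control %s binds to undeclared data source %s" % (c["name"], src))
    return problems


if __name__ == "__main__":
    desc = describe_rcdc(SAMPLE_RCDC)
    for g in desc["groupings"]:
        print(g["kind"], g["name"], [(c["name"], sorted(c["sources"])) for c in g["controls"]])
    print("problems:", check_rcdc(desc))
```

Running it lists the header, content and summary groupings with, for the DisplayName text box, bindings to the schema, rights and object data sources. The undeclared-data-source check is the one that pays for itself when you hand-edit an RCDC: a binding to a data source name that is not declared at the top of the document is a common reason a customized RCDC fails to load.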

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.

Tuesday, November 24, 2009

Answering my FIM RC 1 question

Thanks to Darryl Russi for answering my questions in my earlier post An Update to FIM RC1 where I was asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes, and then Darryl answers the first question in great detail.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.

Monday, November 23, 2009

Identity Synchronization FIM 2010 HOL Irvine California

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training



Date: December 1-2, 2009

Location: 3 Park Plaza, Suite 1800, Irvine, CA 92614, 949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend. 

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat. Invitation-only registration link – click here!

Questions? Contact Gemalto | amy.gant@gemalto.com | (888) 343 5773 | www.gemalto.com/enterprise

Sunday, November 8, 2009

An Update to FIM RC1

Microsoft has posted an update to FIM RC 1, dated Nov 6.

It looks like this update covers pretty much everywhere except Certificate Services (sorry Brian and Paul).

The release notes included in the download list the following improvements:

    • Query and Sets
      • Resolved a number of issues that resulted in incorrect dynamic set membership.
      • Removed support for the use of the != operator with multivalued attributes. Xpath equality expressions on multivalued attributes must use the not() function.  For example, the following xpath is not supported: /Group[Owner != /Person].  Instead, use the following xpath: /Group[not(Owner = /Person)]
    • Synchronization engine
      • Resolved a data corruption issue in Multi-Mastery scenarios where deleted Member attributes were being added back during full sync of AD and FIM.
    • Workflows
      • Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIM Service that originally created the workflow. This enables the partitioning of workflow execution among servers dedicated to specific functionality. 
        For example, if a FIM Service is dedicated to servicing Requests submitted by the Synchronization Service, all workflows resulting from Synchronization Service Requests will only run on that FIM Service.
      • Resolved an issue that caused a Request’s RequestStatus attribute to retain the value “Validating” even though the Request’s operation timed out.
      • Resolved an issue in the EnumerateResourcesActivity that prevented selecting which attributes to return. Previously, regardless of the attribute selection specified, all attributes bound to the enumerated resources were returned.
    • Resolved various issues and made general improvements for:
      • Management Policy Rules
      • Portal user interface Request Management
      • Self-service Password Reset
      • Schema
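The Query and Sets item about the != operator is worth a closer look, because it explains where the incorrect dynamic set membership came from. Here is an added example (my own code, not from the post or from the FIM release notes) that models the XPath 1.0 rule for comparing two node-sets: A != B is true if any pair of values differs, while not(A = B) is true only if no pair of values is equal. On a multivalued attribute such as Owner the two are different questions. The groups, owners and persons are constructed data.

```python
"""Why /Group[Owner != /Person] and /Group[not(Owner = /Person)] select
different groups when Owner is multivalued.

Added example, not code from the post or from Microsoft: it models the
XPath 1.0 node-set comparison rule on constructed sample data.
"""

PERSONS = {"alice", "bob"}                    # the node-set /Person
GROUPS = {                                    # group -> multivalued Owner values
    "g-no-owner": set(),
    "g-person-owner": {"alice"},
    "g-mixed": {"alice", "svc-account"},      # one Person owner, one non-Person owner
    "g-svc-only": {"svc-account"},
}


def node_set_ne(lhs, rhs):
    """XPath 1.0 `lhs != rhs`: true if some a in lhs and b in rhs differ."""
    return any(a != b for a in lhs for b in rhs)


def node_set_eq(lhs, rhs):
    """XPath 1.0 `lhs = rhs`: true if some a in lhs equals some b in rhs."""
    return any(a == b for a in lhs for b in rhs)


def owner_not_equal_person(groups, persons):
    """/Group[Owner != /Person]: the form the RC1 update no longer supports."""
    return sorted(g for g, owners in groups.items() if node_set_ne(owners, persons))


def not_owner_equal_person(groups, persons):
    """/Group[not(Owner = /Person)]: the form the release notes require."""
    return sorted(g for g, owners in groups.items() if not node_set_eq(owners, persons))


def disagreement(groups, persons):
    """Groups the two filters disagree on: a set defined with the `!=`
    form would have had exactly these members wrong."""
    a = set(owner_not_equal_person(groups, persons))
    b = set(not_owner_equal_person(groups, persons))
    return sorted(a ^ b)


if __name__ == "__main__":
    print("Owner != /Person      ->", owner_not_equal_person(GROUPS, PERSONS))
    print("not(Owner = /Person)  ->", not_owner_equal_person(GROUPS, PERSONS))
    print("disagree on           ->", disagreement(GROUPS, PERSONS))
```

A group with a single Person owner is returned by the != form simply because its owner differs from some other Person, and a group with no owner at all is missed by it; only the not() form answers "groups that have no Person owner", which is what a set definition like this is normally meant to express.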


Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?


Go to Connect.microsoft.com. Here’s the link: FIM 2010 RC1 Update 1
Date: 11/6/2009
Build: 4.0.2570.0 (compare to 4.0.2560.0, the version released on 9/29/09 -- RC1)

It references a KB article that I can’t find: KB976465

The total download is under 36 MB so this is definitely a patch and not the full enchilada.

Looks like Jorge got the news out first.

Thursday, October 29, 2009

Identity Management Luncheon NYC

I will be speaking on FIM at an Identity Management Luncheon in New York City on Nov 12th.

Come on down and join me if you can. (Please Register)


When:
Thursday, November 12, 2009
10:45 AM to 2:00 PM (EST)
Where:
Del Frisco's
Double Eagle Steak House
1221 Avenue of the Americas
New York, New York 10020

Come join us at this exclusive luncheon at one of the best steak houses in NYC!

Realizing the Value of Identity Management

Using Microsoft Forefront Identity Manager 2010 to Empower People, Deliver Agility and Efficiency, and Increase Security and Compliance of your Business
Ensynch and Microsoft invite you to join other senior technology and business executives at a complimentary exclusive luncheon where we will discuss and demonstrate how Microsoft’s new identity management platform and solutions can help you consolidate technologies and reduce cost.

Today’s IT enterprise must deliver identity and access management that is efficient, cost effective, and secure. The complexity of managing and securing users, devices, and services is increasing. Whether due to regulatory mandate or business growth, identity management becomes more complex, and often does not deliver as much business benefit as it could.

Come and learn how Forefront Identity Manager 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.
Event Agenda:

Interactive demonstration and discussion of how Forefront Identity Manager 2010 helps to...
• Ease Administrative Functions of Managing Identities
• Enable Self Service Group Management
• Increase Security and Compliance
• Save Money – Realizing ROI
• Empower collaboration by integrating with other cutting edge Microsoft technologies such as Office Communications Server and SharePoint.

[Register Now]

-------
Contact Anthony.Morgante@microsoft.com if you have any questions or concerns.

Visit http://www.microsoft.com/forefront/identitymanager
for more information on ForeFront Identity Manager 2010

Tuesday, October 6, 2009

Password Reset?

How would you feel if this was the only barrier between the hacker and your data – a single password reset question? Just one!

[image: the site’s password reset page]

I won’t tell you who this is since then you’ll just want to go after my data on that site.

Oh well. The barn door won’t be shut until the wolf has gotten into the sheep.

Monday, October 5, 2009

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud


Get the rundown on Geneva from Frequent Industry Speaker and Nationally Recognized Microsoft ILM MVP,
David Lundell

When:
Wednesday, October 14, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell,
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software


Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud
Has your organization been considering moving applications to the cloud or using Software as a Service (SaaS) providers? Have you already done it? Have you realized the cost savings?

Have you encountered the difficulties in managing the identities and passwords across the various identities?

Using Microsoft Geneva (ADFS) and Quest Java SSO, and Quest inTrust, you can lower the cost of moving applications to the cloud and to SaaS, which can remove a big hurdle to a key strategic initiative.

I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the final part in an Identity Management Webinar Series from Ensynch's Identity Management Practice Director, Frequent Industry Speaker, and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander. (Previous webinars are available for download here)

This webinar is designed for business leaders, and will discuss the business value of Microsoft Geneva and the Cloud. Whether identity management within the Cloud and SaaS is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- The Cloud’s little secret: Multiplying identity stores

- High level discussion of The Cloud (Azure, Amazon, SaaS, etc)

- High Level discussion of Geneva (ADFS, WIF)

- The Value of the Cloud

- The hidden Costs of the Cloud

- How Geneva(ADFS) helps lower the cost of the Cloud

- Gaps of the Cloud

- Possible Solutions

- Gaps of Geneva with the cloud

- Possible Solutions from Quest


[Register Now]


Sunday, October 4, 2009

FIM RC 1 is here – what’s new?

FIM RC 1 is here.  Microsoft released it on Sept 30th which is the end of Q3 of 2009 which means the ILM/FIM team at Microsoft met their stated deadline announced back in March.

Here is the download:

http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx

What’s new:

Gil Kirkpatrick has a nice post about the differences in the data structure:

Auditing FIM 2010 RC1

Darryl Russi a Sr. Test Lead at Microsoft has started blogging about FIM RC 1 performance:

http://blogs.msdn.com/darrylru/archive/2009/10/01/fim-2010-performance-testing-introduction.aspx

Microsoft has also included some pretty good documentation (available for independent download through the Microsoft Connect site):

http://connect.microsoft.com/directory/

Search for

Forefront Identity Manager 2010 (FIM 2010) Beta

Pay careful attention to the Release Notes.

One big thing I noticed, which I had been seeing with RC 0 and was hoping would be fixed in RC 1, was getting a “no-start-full-import-required” error during a delta import; however, the release notes for RC 1 state:

Do not use delta-import with FIM MA

· In this release, always run a full import when synchronizing the FIM MA. Running a delta-import may result in a no-start-full-import-required error in some scenarios.

There are also several FIM schema changes you can make that make it impossible to restart the service and require a reinstall so keep an eye out for those: “[creating] a multi-valued Boolean attribute”, “[creating] custom attributes or resource types with duplicate names”,  or “[creating] a binding that uses the same resource type and attribute combination as another binding.” These last two are possible through the web service.

Password Reset

A nice thing is that the standard Password Reset workflows and MPRs are pre-created for you. I guess some people saw my Visio diagram of the fairly complex Password Reset process and heard the woes of everyone that tried to set it up. Kudos! This is possible because Management Policy Rules (MPRs) can be enabled and disabled!


Name Changes

Among other things there is a documentation road map listing all of the documents available for IT Pros, and an Identity Terminology guide, which defines almost everything including XAML, but they forgot XOML. They have changed some names but don’t mention the old names, so here is my best attempt:

Old Name: ILM 2
New Name: FIM
Comment: When Microsoft announced the name change back in April they said “ForeFront means business ready security.” I don’t know how you feel about Forefront Client Security but everything from Antigen, to ISA, to IAG, to ILM has been rebranded to Forefront. Does this mean that ForeFront Stirling is going to monitor FIM? I don’t know.

Old Name: Object Visualization Configuration (OVC)
New Name: Resource Control Display Configuration (RCDC)
Comment: Same thing, new name, same limitations: “you cannot write a customized function (Handler)” (Introduction to resource control display configurations). Although the documentation is much clearer on those limitations, and greatly expands on other topics as well.

Old Name: CLM
New Name: FIM CM
Comment: FIM Certificate Management


Install Guide

The install guide looks fairly complete, just change any references to Enterprise Manager to mean Management Studio. When SQL 2005 came out I kept calling it Enterprise Management Studio (yes I would stutter on Manager-ment).

A big thing to note is this:

Assign enough space for the database

The FIM Service database will not autogrow even if those settings are enabled by default by SQL Server. You should expand the Data and Log files to be able to hold all data needed.


Wow! No autogrowth! I saw that happen with RC 0 but couldn’t believe it.

It also includes documentation on the parameters for unattended install. As you know from a prior post, my team and I prefer unattended installs.

Migrating from Test to Prod

There is a document called “Introduction to the Configuration Migration Tool”:

This document describes how to migrate a FIM 2010 configuration from a test environment to a production environment.

Yeah! We so needed this tool! Powershell! Sweet!

Friday, August 14, 2009

ILM 2 RC 0 -- Luke, Check the Transaction Log!


A few weeks ago I encountered an ASP.NET error when I tried to access http://myilmserver/identitymanagement/

Eventually I went to my SQL Server and discovered that despite having space on the disk and Autogrow turned on the Transaction Log was full and wouldn't grow anymore.

So if you encounter this error then maybe you too can listen to the force telling you to check the SQL Server Transaction Log for MSILM.

In the event log I saw this:

Log Name:      Application
Source:        ASP.NET 2.0.50727.0
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     myILMServer
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event sequence: 4
Event occurrence: 1
Event detail code: 0

Application information: 
    
    Trust level: WSS_Minimal
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\
    Machine name: PHX-52N-ILMWF91
Process information:
    Process ID: 2256
    Process name: w3wp.exe
    Account name: ILMTEST\svc.wss
Exception information:
    Exception type: SerializationException
    Exception message: Error in line 1 position 350. Expecting element 'Metadata' from namespace 'http://schemas.xmlsoap.org/ws/2004/09/mex'.. Encountered 'Element'  with name 'Fault', namespace 'http://www.w3.org/2003/05/soap-envelope'. 
Request information:
    Request URL: http://myilmserver/identitymanagement/default.aspx
    Request path: /identitymanagement/default.aspx
    User host address: 10.12.13.14
    User: ILM\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: ILM\svc.wss
Thread information:
    Thread ID: 4
    Thread account name: ILMT\svc.wss
    Is impersonating: False
    Stack trace:    at System.Runtime.Serialization.DataContractSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName)
   at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName)
   at System.ServiceModel.Channels.Message.GetBody[T](XmlObjectSerializer serializer)
   at System.ServiceModel.Channels.Message.GetBody[T]()
   at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager()
   at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken)
   at Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, List`1 attributes)
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration()
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI()
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl()
   at Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable()
   at Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls()
   at System.Web.UI.Control.EnsureChildControls()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

AD RMS on R2 -- new Federation Features

AD RMS on Windows Server 2008 R2 adds a really slick feature blogged about here: Group Expansion for Federated Users

Prior to R2, to issue a use license to a federated user, they needed to be specifically granted permissions. With Windows Server 2008 R2 you can create a contact matching the external federated user and then place the contact in the group, and then they have the same RMS permissions as that group.

This is great: you can include external users in groups without provisioning a user account for them in your domain. Oops, now we need to provision a contact object for them and put that into the group. But perhaps we could combine this capability with custom claims transformation modules to do on-demand provisioning, the way my coworker Chris Calderon demonstrated on Windows Server 2008 at TEC 2009 (to get his slides go to http://theexpertscommunity.com/item/show/blog/659/TEC-presentations-now-available and follow the instructions).

But On-Demand Provisioning only solves half of the battle (and here all of the GI Joe fans thought knowing was half the battle ;)

Even though the user's access has been turned off by their employer disabling or deleting their account, the contact objects on your side still need to get cleaned up. But how do you know when to deprovision an account from a federated partner? Perhaps you could use the RMS logging database as a starting point: look for users that haven't accessed the system in a while, email them and see if you get a bounce. Receiving an NDR for a federated user that hasn't accessed anything for months would make it a pretty safe bet to delete their contact object.

How to make that happen? Create your own service or scripts to automate querying the logging database and sending the email. Another script to check for NDRs and then write to a table the contacts to be deleted. Then use FIM to read the table and delete the contacts, or your script could do it directly, as appropriate.
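The staging logic behind that cleanup, as an added example (my own code, not from the post, from AD RMS or from FIM): pick the federated users with no recent RMS activity, probe the ones nobody has e-mailed yet, and queue for deletion only those whose probe bounced. The RMS logging database is not queried here; LAST_ACCESS stands in for the result of such a query, and every name, date and threshold is a constructed assumption.

```python
"""Stage the federated-contact cleanup: stale -> probed -> bounced -> delete.

Added example, not code from the post, AD RMS or FIM. LAST_ACCESS stands in
for a query of the RMS logging database; all values are constructed.
"""
from datetime import date, timedelta

INACTIVE_DAYS = 90  # assumption: no RMS license request for this long = inactive

# Constructed: last RMS license request per federated user.
LAST_ACCESS = {
    "alice@partner.example": date(2009, 8, 1),
    "bob@partner.example": date(2009, 3, 2),
    "carol@partner.example": date(2009, 1, 15),
    "dave@partner.example": date(2009, 4, 20),
}
# Constructed: probe e-mails already sent, and the probes that bounced (NDR).
PROBES_SENT = {
    "bob@partner.example": date(2009, 8, 10),
    "carol@partner.example": date(2009, 7, 20),
}
NDR_RECEIVED = {"carol@partner.example"}


def stale_users(last_access, today, inactive_days=INACTIVE_DAYS):
    """Federated users with no activity for at least inactive_days."""
    cutoff = today - timedelta(days=inactive_days)
    return sorted(u for u, seen in last_access.items() if seen < cutoff)


def users_to_probe(last_access, probes_sent, today):
    """Stale users nobody has e-mailed yet: send them the probe message."""
    return [u for u in stale_users(last_access, today) if u not in probes_sent]


def contacts_to_delete(last_access, probes_sent, ndr_received, today):
    """Stale users who were probed and whose probe bounced: the rows to write
    to the table that FIM (or a script) reads to delete the contact objects.
    A stale user whose probe did not bounce is left alone; the account at the
    partner still exists, so the contact may still be needed."""
    return sorted(u for u in stale_users(last_access, today)
                  if u in probes_sent and u in ndr_received)


if __name__ == "__main__":
    today = date(2009, 8, 14)
    print("stale:", stale_users(LAST_ACCESS, today))
    print("probe:", users_to_probe(LAST_ACCESS, PROBES_SENT, today))
    print("delete:", contacts_to_delete(LAST_ACCESS, PROBES_SENT, NDR_RECEIVED, today))
```

Keeping the "probed" state separate from the "bounced" state is what makes the job safe to re-run on a schedule: a user is never deleted on inactivity alone, and a user already probed is not probed again on the next run.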

At it again -- Geneva Part II

Once more we invite you to another Ensynch Identity Management webinar. This is part 2 in our series of 4 on Geneva (ADFS, WIF). This one is going to be led by Chris Calderon, one of our ADFS experts, so naturally this will be filled with excellent technical content, as will Part 3, which focuses on Windows Identity Foundation.




Webinar Agenda:
- How Geneva provides business value to organizations seeking Single-Sign-On (SSO)

- Geneva Overview

- Transitioning from ADFS v1 to Geneva Server (ADFSv2)

- SSO Scenarios using Geneva

- Designing a Geneva Solution

- Managing Geneva Server

- Extending the functionality of Geneva

- Q & A

- Post Webinar Chat Session: Once the webinar concludes, our experts will stay online for an additional 30 minutes to field your questions via text chat.

[Register Now]

Also, stay tuned for the final two parts of this webinar series:
Using the Microsoft Geneva Framework to Solve Your Federation Needs
Thursday, September 10, 2009
Register Now
Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Wednesday, September 30, 2009
Register Now

Monday, July 20, 2009

MVP for the 3rd time

Both my colleague Brad Turner and I were renewed for ILM MVP.

I am glad to receive this honor another year.


Congrats to new ILM MVP Marc Mac Donnell

You can see a list of all ILM MVPs that have chosen to make their profiles public (Marc hasn't set up his yet).

I just hope I can win the MVP at home!

Webinar: How Microsoft Geneva Streamlines Business

When:
Wednesday, July 29, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

[Register Now]

Presenters:
David Lundell, ILM MVP
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: How Microsoft Geneva Streamlines Business

- Learn How to Reap the Benefits of True Web Single-Sign-On and Federation

Has your organization been forced to deploy one-off solutions to solve login or compliance problems with a newly deployed technology?
Are your employees tired of using multiple logins for all kinds of access needs?
Having trouble managing shared resources for users both inside and outside of your organization?
Using open platform identity management solution Microsoft Geneva, you can save money and make your business more efficient today, and also make it more easily scalable for the future.
I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the 1st in a 4-part Identity Management Webinar Series from Ensynch's Identity Management Practice Leader and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander.
This webinar is designed for business leaders, and will present business value propositions for the Microsoft Geneva framework. Whether identity management is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- Yikes! The business pain points of managing lots of identities

- High level discussion of Microsoft Geneva

- Business value of Geneva

- Gaps of the Geneva framework

- Possible solutions to the gaps

- ROI of Geneva versus other Single-Sign-On solutions

- Geneva and the Cloud

- Q & A

Stay Tuned for the other three parts of this webinar series:

A Technical Overview of the Microsoft Geneva Infrastructure
Thursday, August 20, 2009
Using the Microsoft Geneva Framework to Solve Your Federation Needs

Thursday, September 10, 2009
Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Thursday, October 1, 2009

Sunday, July 5, 2009

4th of July -- Independence Day

233 years ago, 56 men signed a document and began a labor to give birth to a nation. I am very grateful for their service and for their sacrifices and for each and every soldier, and dutiful civil servant since then. They have afforded me and my family a great many blessings. As well some of my family members have been privileged to serve. One of my grandfathers taught ground school during World War II and the other served in the Army and was stationed in Greenland. I honor their service.

As part of my Independence Day celebration I read some of the writings of Abraham Lincoln. I found this moving passage from his first public speech, on March 9, 1832, to the people of Sangamon County, where he spoke on the topic of education:

"That every man may receive at least a moderate education, and thereby be enabled to read the histories of his own and other countries, by which he may duly appreciate the value of our free institutions, appears to be an object of vital importance, even on this account alone, to say nothing of the advantages and satisfaction to be derived from all being able to read the Scriptures and other works, both of a religious and moral nature themselves."

I believe that this "moderate education" unto "every man" is a key basis for our continuing freedom.

I also wonder whether Identity Management would have a much different meaning without the Declaration of Independence.

Monday, June 29, 2009

The attributes behind Message Delivery Restrictions

Do you know what attributes are used to control who can and can't send to a Distribution List in Exchange 2003 and Exchange 2007? Or does it use a DACL?

Knowing such things is key if you are going to automate distribution list management through .NET programs, or MIIS/ILM/FIM, Quest ARS or any other tool that is talking to LDAP attributes. For Powershell you need a separate list since the names are different.

Seeing as how a picture is worth a thousand words I'll include some after a brief explanation:

At first I was afraid that it used the SendTo permission on DACLs, but fortunately that is not what the Exchange GUI tools change. This is fortunate since ILM does not have an out-of-the-box MA that modifies DACLs on AD objects; it is also fortunate since programming against DACLs is somewhat complicated. I must give thanks to my friend Joe Kaplan and his co-author Ryan Dunn for the help in their book (see page 302, listing 8.2, which lists the DACL) and their forum http://directoryprogramming.net/default.aspx

The .NET Developer's Guide to Directory Services Programming

With the help from their book I was able to eliminate DACLs since the darn things never changed. FC never lies.

Open the Exchange Console, navigate to the Distribution Lists, open their properties, go to Mail Flow Settings, click on Message Delivery Restrictions and then click on the blue check mark next to Properties:

[image: Message Delivery Restrictions properties dialog]

So what I found was five attributes that control the fate of who can and who can't send to a particular recipient (in this case a distribution list): authOrig, dLMemSubmitPerms, unauthOrig, dLMemRejectPerms, and msExchRequireAuthToSendTo.

For each attribute: the name in the GUI, what it does, and (just as an FYI) the matching Set-DistributionGroup parameter in PowerShell.

Attribute Name: authOrig
Name in GUI: Accept messages from: Only senders in the following list
Explanation: If this attribute and dLMemSubmitPerms are both empty, that is the equivalent of All Senders. If populated, only the recipients listed here and the members of the Distribution Lists enumerated in dLMemSubmitPerms can send items to this distribution list, minus anyone listed in unauthOrig and anyone that is a member of a distribution list enumerated in dLMemRejectPerms.
PowerShell (Set-DistributionGroup): -AcceptMessagesOnlyFrom

Attribute Name: dLMemSubmitPerms
Name in GUI: same as above
Explanation: see above
PowerShell (Set-DistributionGroup): -AcceptMessagesOnlyFromDLMembers

Attribute Name: unauthOrig
Name in GUI: Reject messages from: Senders in the following list
Explanation: Prevents recipients listed here from sending to this Distribution List.
PowerShell (Set-DistributionGroup): -RejectMessagesFrom

Attribute Name: dLMemRejectPerms
Name in GUI: same as above
Explanation: Prevents recipients who are members of the Distribution Lists mentioned from sending email to this Distribution List.
PowerShell (Set-DistributionGroup): -RejectMessagesFromDLMembers

Attribute Name: msExchRequireAuthToSendTo
Name in GUI: Require that all senders are authenticated
Explanation: When set to True only authenticated users (no external users) can send mail to this Distribution List.
PowerShell (Set-DistributionGroup): -RequireAllSendersAreAuthenticated
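The rules in that table combine in a specific order: reject lists win over accept lists, and an empty pair of accept lists means everyone may send. Here is an added example (my own code, not from the post or from Exchange) that evaluates a sender against the five attributes exactly as the table describes them, which is handy for testing what an automated distribution list change will actually do before it goes live. The DNs, the DL membership and the restriction values are constructed.

```python
"""Decide whether a sender may submit to a distribution list from the five
attributes the post describes.

Added example, not code from the post or from Exchange. The decision order
follows the post's table; DNs, membership and restrictions are constructed.
"""
from dataclasses import dataclass, field

ALICE = "CN=Alice,OU=Users,DC=example,DC=com"
BOB = "CN=Bob,OU=Users,DC=example,DC=com"
CAROL = "CN=Carol,OU=Users,DC=example,DC=com"
DAVE = "CN=Dave,OU=Users,DC=example,DC=com"
HR = "CN=HR,OU=Groups,DC=example,DC=com"
CONTRACTORS = "CN=Contractors,OU=Groups,DC=example,DC=com"

# Constructed directory: DL DN -> member DNs (nested DLs are not expanded here).
DL_MEMBERS = {HR: {ALICE, CAROL}, CONTRACTORS: {CAROL}}


@dataclass
class DeliveryRestrictions:
    """Attribute values as read from the DL over LDAP; each comment names the
    matching Set-DistributionGroup parameter from the table."""
    authOrig: set = field(default_factory=set)          # -AcceptMessagesOnlyFrom
    dLMemSubmitPerms: set = field(default_factory=set)  # -AcceptMessagesOnlyFromDLMembers
    unauthOrig: set = field(default_factory=set)        # -RejectMessagesFrom
    dLMemRejectPerms: set = field(default_factory=set)  # -RejectMessagesFromDLMembers
    msExchRequireAuthToSendTo: bool = False             # -RequireAllSendersAreAuthenticated


def member_of_any(sender, dls, directory):
    return any(sender in directory.get(dl, set()) for dl in dls)


def can_send(sender, authenticated, r, directory=DL_MEMBERS):
    """Return (allowed, reason). Reject lists are applied before accept lists,
    and an empty accept list (authOrig and dLMemSubmitPerms both empty) means
    all senders."""
    if r.msExchRequireAuthToSendTo and not authenticated:
        return False, "sender is not authenticated"
    if sender in r.unauthOrig:
        return False, "sender listed in unauthOrig"
    if member_of_any(sender, r.dLMemRejectPerms, directory):
        return False, "sender is a member of a DL in dLMemRejectPerms"
    if not r.authOrig and not r.dLMemSubmitPerms:
        return True, "no accept list: all senders"
    if sender in r.authOrig:
        return True, "sender listed in authOrig"
    if member_of_any(sender, r.dLMemSubmitPerms, directory):
        return True, "sender is a member of a DL in dLMemSubmitPerms"
    return False, "sender not on the accept list"


# Constructed restriction set: accept Bob and HR members, reject Contractors
# members, authenticated senders only.
RESTRICTED = DeliveryRestrictions(authOrig={BOB}, dLMemSubmitPerms={HR},
                                  dLMemRejectPerms={CONTRACTORS},
                                  msExchRequireAuthToSendTo=True)
OPEN = DeliveryRestrictions()  # every attribute empty: anyone can send


if __name__ == "__main__":
    for who, auth in ((BOB, True), (ALICE, True), (CAROL, True), (BOB, False), (DAVE, True)):
        print(who.split(",")[0], auth, can_send(who, auth, RESTRICTED))
    print(DAVE.split(",")[0], False, can_send(DAVE, False, OPEN))
```

Carol is the instructive case: she is an HR member, so dLMemSubmitPerms would accept her, but her Contractors membership puts her in dLMemRejectPerms, and the reject list wins. That precedence is easy to get backwards when the two lists are maintained by separate automation.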

For more info on attribute to Powershell attribute name conversions see

http://blogs.technet.com/evand/archive/2007/02/19/filterable-properties-in-exchange-2007-rtm.aspx

For more on the Powershell commands with some examples see

http://technet.microsoft.com/en-us/library/bb397214.aspx

What would be really nice would be if FIM 2010 already had the schema and OVC extended for this. Since this is the very next thing people at a big company ask for after finding out they can automate distribution list maintenance.

As promised, some pretty pictures to help explain (on the left you see the screenshot from ADSI Edit and on the right the snapshot of the Exchange Console):

authOrig

dLMemSubmitPerms

On this one I reversed the order:

unauthOrig

By now you get the idea: if you select a distribution list in "Senders in the following list" it gets put here:

dLMemRejectPerms

So we see that the Exchange Console cleverly sorts the DLs from the individuals and puts them into their separate attributes.

Wednesday, June 24, 2009

H30, Geneva Cola, Sitrus and Orange Fizz

Back in business school I was a connoisseur of fine commercials.  Recently I watched a commercial for Lipton Ice Tea (note I am a teetotaler who doesn't drink tea) and I have to admire their cleverness in coming up with names for competitor products (see the title) in their "Lipton Tea, I think I love you" commercial. (Lyrics here)

Really the names are clever although the best is the H30 -- I just love it, a chemical compound that as far as I can tell can't exist, but we all know they are making fun of flavored water. Of course I also love ordering water by requesting Di-Hydrogen-Oxide.

OK they didn't actually have Geneva Cola it was really Milan Cola, but since I really wanted to blog about Geneva and how "I think I love [it]" well I couldn't resist the name substitution.

Now before I pester you with anymore puns let me tell you why I love Geneva, Microsoft's next evolutionary leap with Federation and SSO.

Of late there has been a lot of buzz about cloud computing. But there are obstacles: when you host applications in the cloud or use SaaS type applications you wind up creating new identity stores.

With Geneva your identities will be almost ubiquitous, in that you can use them anywhere, and your applications built using the Geneva framework will be able to accept and use identities from anywhere that you decide to trust. It won't matter anymore where your applications are: in Microsoft's cloud, your cloud, or your partner's cloud.

In short, if cloud computing will transform the industry then Geneva is the way to get there. It certainly lowers some of the barriers.

Additionally, we can use Geneva to provide SSO for apps within an organization.

Now to tie in the commercial, since Geneva also supports the SAML 2.0 protocol it even inter-operates with Hot Ball of GAS SSO, and "Fiction Books Access Manager"

Monday, June 22, 2009

Best Practices ILM 2007 Coding Conventions and Habits

In response to a question in the MMSUG Yahoo group I thought I would post the following:

Naming conventions for MV objects and attributes.

Most CS objects and attributes come to us with names -- the exception being when we are writing our own views in SQL or Oracle

There are many object types and attributes pre-defined in the metaverse; if you use those there is no need to rename. Most of them seem to come from the required and suggested attributes for either an X.500 directory or an LDAP directory.

For new objects it depends on how you want to process things. If you need to take some code based actions that are identical for similar but different object types then using a prefix or suffix can help. I have seen some very complex GALSync scenarios implemented that way, div-Person, div2-Person, div3-Person, div-DL, Div2-DL, Div3-DL, div-Contact, div2-Contact, div3-Contact.  Then in provisioning code you can match on patterns to make decisions.

For Attributes some like to create them with a prefix with the client name. I generally like to match my attributes to the names from LDAP.

Naming conventions for coded attribute flows (AF).

In the 2731 class the instructions have you replacing the generated name User.samAccountName -> Person.sAMAccountName with something more like SamAccountName.

The benefit of the generated names is that they are pretty much unique and human readable although they are long. These days I tend to leave the default names.


Ways to make extensions for AF more adjustable without re-coding.

I have seen one developer use the flow rule names as a language for a processor module to handle 90% of his string manipulation. That certainly cut down on the need for re-coding.

That may have been an extreme example but it shows you what is possible.

Another tactic is to preprocess attribute flow by performing the transformations in a SQL view -- it is much faster, but you can only use information available from that database. If you need to change the transformation you won't need to change the MA extension code. This is my preferred approach.


Ways to make provisioning code more adjustable without re-coding.

Make use of XML config files to store things like Exchange Mailbox stores to use, and then read them in during the initialize method (called once when the dll is loaded, since the dll's stay in cache for 5 min after use this won't necessarily be every run) of the Provisioning dll, and then make use of them during the provision method (called once per connected cs object being synchronized). Don't load an xml config file in the provisioning method unless you are looking for a way to slow down performance.


Favorite ways to make the status for any particular object easy to understand for people who don't know ILM/AD, etc.

We like to use reports and give the reports and their columns good descriptive names like ILM Disconnectors. Uh, I mean AD Objects (Users, Groups, OUs etc.) that don't have matches in the other systems (like HR).

In the reports on connected objects using the binary functions in SQL to translate

For info on reports see Brad Turner's blog on the community reporting pack that he created (I helped but only on one report).

Friday, June 19, 2009

Desert Code Camp -- SQL, XPath and FIM

I just presented 3 sessions at the 2009 Desert Code Camp on Saturday June 13, 2009  at Devry University

Thanks to Devry for hosting it and thanks to Lorin Thwaits of KB Alertz for being the Code Camp Director and to all other volunteers.

Session: I dream in SQL (writing queries)
Abstract: Learn how to write SQL queries: SELECT statements, JOIN clauses, GROUP BY, with practical examples from the realm of Identity Management.
Presentation: I_Dream_in_SQL
Audience: 36
Comments: The room was packed. Despite the odd hum in the background due to feedback from the projectors, things went fairly well. I had created the session, slides and examples for a group that was brand new to SQL or pretty shaky, but most that showed up had plenty of experience writing queries and wanted to formalize their knowledge, learn some of the terms and best practices, and gain an understanding of why they write queries that way. I tweaked the slides to include some of the topics I added on the fly in response to questions and the audience's deeper than novice experience. I received lots of great questions.

Session: Query Performance Tuning
Abstract: Learn how to optimize your SQL 2008 queries; learn how to use query plans and statistics to measure performance -- find the weak points and then what can be done to speed up your queries; learn when to avoid cursors (usually) and how to replace them.
Presentation: Optimizing SQL Queries
Audience: 37
Comments: About half the class from the 1st hour followed me to this one. It was another packed session, SRO! I wish I had more time to delve in. I showed people the different ways to analyze queries and some basics about query tuning with a focus on dumping cursors. I have also revamped these slides somewhat.

Session: XPath Queries (tastes just like SQL)
Abstract: On more and more fronts XPath queries are available to us; learn how to take your existing SQL query skills and translate them to XPath. See practical examples of XPath queries against a WCF based web service (Forefront Identity Manager).
Presentation: XPath Queries (tasted just like SQL)
Audience: 17
Comments: Joe Zamora co-presented this one with me so that we could show off his FIM query tool as an example to others that write against XML SOAP WCF web services. Afterwards the crowd did agree XPath does taste like SQL!

Tuesday, June 2, 2009

To PKI or not to PKI?

When should one implement a Public Key Infrastructure and when should one not? Obviously we implement a PKI to solve a problem, usually around security: enabling secure communications with a web server, multi-factor authentication, encryption. A PKI solution can be very versatile, but it comes at a price in setup and maintenance. But what alternatives do we have? Let's examine each problem in turn:

 

Problem: Enable secure web transactions (SSL)
PKI difficulties: Certs expire without warning anyone
Alternatives: none

Problem: Secure network communications (IPSEC)
PKI difficulties: Need to issue certificates to all client computers (can use AutoEnroll GPO)
Alternatives: none

Problem: Multi-factor authentication for wireless networks using 802.1X
PKI difficulties: Need to issue certificates to all client computers or smart cards to all users
Alternatives: RADIUS -- One Time Password tokens
Benefits of the alternative: With Quest Defender issuing and maintaining OTP is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone.

Problem: Multi-factor authentication (certificates, smart cards)
PKI difficulties: Need to issue smart cards to all users (can be time consuming); need special hardware
Alternatives: One Time Password tokens
Benefits of the alternative: With Quest Defender issuing and maintaining OTP is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone. Can work even on computers without a smart card reader.

Problem: Encryption of files (EFS)
PKI difficulties: Need to issue smart cards to all users (can be time consuming)
Alternatives: AD Rights Management Services
Benefits of the alternative: Enrollment of users is transparent -- new users can be given permissions by adding them to groups without having to re-encrypt the files. No need to renew certificates. Restrictions are enforced after the file is opened. It allows you to assign rights and permissions to other people to documents (open, save, edit, print, cut and paste) and emails (forward, cut and paste).

Problem: Enabling users (internal and/or external) to use your code without getting a scary warning (signing code modules, macros, ActiveX controls etc.)
PKI difficulties: Need to issue/buy certificates for developers
Alternatives: none

Problem: Signing emails
PKI difficulties: Need to issue certificates (whether on smart cards or not) to all users
Alternatives: PGP (web of trust)

Problem: Encrypting emails
PKI difficulties: Need to issue certificates (whether on smart cards or not) to all users
Alternatives: AD Rights Management Services, or PGP (web of trust)
Benefits of the alternative: AD RMS -- enrollment of users is transparent. Restrictions are enforced after the file is opened. It allows you to assign rights and permissions to other people to documents (open, save, edit, print, cut and paste) and emails (forward, cut and paste).

In short you need certificates for SSL, IPSEC, code signing and signing emails. Whether you build your own PKI or buy certificates for them is another question. For SSL and code signing you can get away with buying your certs, and should if your web site and/or code is for the public (although if you need enough of them you may want to look at setting up a subordinate CA under a public CA; that way you control the certs but they are issued through a trusted root CA and your customers don't get those confidence inspiring messages asking them whether to trust you or not). For IPSEC and signing emails you should implement your own PKI in order to save the cost of buying so many certs.

If you need to implement signing of emails along with multi-factor authentication then it makes sense to take advantage of the versatility of certificates on smart cards. Then it makes sense to implement the Certificate Management component (CLM) of ILM 2007 to ease many of the challenges with issuing and managing smart cards.

However, if multi-factor authentication and encryption are your main goals you may want to take a look at one time password tokens with Defender and Microsoft's AD Rights Management Services (AD RMS) respectively. Both present easier and perhaps cheaper alternatives, that also add capabilities. Defender adds the capability to use multi-factor authentication on machines without smart card readers, and AD RMS adds the capability to restrict what users can do with content even after they decrypt it.

Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

When:
Thursday, May 28th

Where:
Webinar/Online
(Live Meeting links will be
sent to all registrants) (Click Here to RSVP)

Presenters:
David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect
Time:
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

*Convert time zone

 

Webinar: The Business Impact of Identity
and Access Management with Forefront Identity Manager 2010
(formerly ILM "2")

You’re invited to attend an informational webinar showcasing the business benefits associated with Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.
Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.


Agenda:
The Business Value of Microsoft’s Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management

    • IDA with Forefront Identity Manager 2010 (ILM 2)

    • Maintaining existing ILM 2007 deployments

  • Strong Authentication

    • Certificate Services

    • Quest Defender

  • Sharing with Partners and Customers

  • Active Directory Federation Services /Geneva

    • Reducing the need to provision Accounts for Partners

    • Speedier disabling of access for Partner/Customer’s Accounts

    • Implications with cloud based applications

  • Information Protection (now that you’re sharing your documents, how do you protect them)

  • Active Directory Rights Management Services

    • Add-ons

Wednesday, April 29, 2009

Dealing with the ILM 2 RC 0 Cert in Windows server 2003 domain

The Password Reset instructions ask us to use Group Policy to distribute the cert to the clients. This only works in Windows Server 2008 functional level domains. In Windows Server 2003 domains you can automate this using certutil.exe.
The following command will export the cert generated by the ILM 2 install to the ilm2cert.cer file in the working directory:

certutil -store trustedpeople IdentityLifeCycleManager2 ilm2cert.cer

This command can be used to import the cert from the command line
certutil -f -addstore trustedpeople ilm2cert.cer

-- I guess we could put the cert in a public share and then add this to the login script
certutil -f -addstore trustedpeople \\someserver\publicshare\ilm2cert.cer

Or add this to a batch file that also calls the password client install

Monday, April 20, 2009

Problems with Sync Rules in ILM 2 RC0 (err FIM RC0)?

Well I had a problem with a recent install -- the Metaverse Object Type Dropdown list was empty!

image

Turns out the source of this drop down list is the mv-data object type. However my install didn't have this object. Obviously something was wrong. How does one create this object in the first place? Not directly in the portal. I am not certain when this object is supposed to be created. Install time? First export through the ILM MA? None of these seem to match up based on time stamps. It wasn't created during install. It was created before the first import of the ILM MA and the first export of the ILM MA. It does match the time of the creation of the ILM MA in the Identity Manager tool in the synchronization engine. The object is created by a request generated by the Built In Synchronization Account (BISA); this is the account used by the ILM MA.

My solution was to modify my ILM sync engine metaverse schema and then voilà, the drop down list was populated (the mv-data object was created). This means that after the MA is created some process in the sync engine is either sending a request to the ILM 2 web service through the ILM MA, or the ILM 2 web service is monitoring the sync engine. I am guessing the former.

Earth Hour -- Mandatory?

Just because we didn't participate in Earth Hour, didn't mean that our Power company, Salt River Project (SRP) needed to turn off power to the whole neighborhood last night and again this morning ;)

I am all for using our resources wisely. But sometimes I rebel against the symbolic gestures.

I mean if the power company needs an hour off can't they just schedule downtime like we do with computer systems?

ILM FIM Webinar Custom Workflow -- Joe Zamora

Joe Zamora the maintainer of the Ensynch ILM 2 Custom Workflow Walkthrough is our main presenter at our next Webinar this Thursday at 9 AM Pacific. To register click on the image below. The code from our Pre-con workshop is posted on CodePlex Ensynch Custom WF Activities

image

Thursday, April 16, 2009

Install ILM 2 in a SharePoint Farm

As I endeavored to install the ILM 2 Portal into a SharePoint farm (WSS 3.0 SP 1) with a remote database I encountered the following problem:

The dreaded Premature Failure during installation.

When I turned on logging for the install and examined the file, I found:

Action 14:55:25: ConfigPortalAnonymousAccess.

CAQuietExec: 

CAQuietExec:  This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products and Technologies Configuration Wizard, located on the Start menu in Administrative Tools.

CAQuietExec: 

CAQuietExec:  Error 0xffffffff: Command line returned an error.

CAQuietExec:  Error 0xffffffff: CAQuietExec Failed

Action ended 14:55:30: InstallFinalize. Return value 3.

Action 14:55:30: Rollback. Rolling back action:

So I turned on SQL Profiler and I noticed:

image

So I decided to go ahead and give anonymous access (temporarily of course)

image

Then I mapped the login to each of the three SharePoint databases and made it db_owner.

Then my install worked perfectly. I hope to research and find out exactly which limited permissions are needed.

What's in name? Forefront Identity Manager 2010

In case you haven't heard Zoomit VIA or rather Microsoft MetaDirectory Services has been renamed yet again, from Microsoft Identity Integration Server 2003 to Identity Lifecycle Manager 2007 to Forefront Identity Manager 2010 or FIM for short. For obvious reasons the L was dropped when the F was added (Forefront + ILM = FILM).

So ILM 2 => FIM 2010

image

(stole this graphic from Brad Turner's blog -- his Smart Art creations are beautiful -- recently I have been studying smart art under his tutelage I hope to soon approach his level of skill)

Doug Leland, general manager of Microsoft’s Identity and Security Business Group, explained, "For example, our Identity Lifecycle Manager product is now officially named Forefront Identity Manager. We see the Forefront brand as synonymous with Business Ready Security."

http://www.microsoft.com/presspass/features/2009/Apr09/04-16BusinessReadySecurity.mspx

From Microsoft MetaDirectory Services (MMS) to MIIS was a complete rewrite dumping Zscript for .NET and putting the metadirectory in the SQL Server back end. ILM 2007 added the Certificate Lifecycle Management piece while leaving the core functionality of MIIS alone. FIM 2010 of course adds lots of new functionality (everything you have read about ILM 2, the portal for self-service, password reset, the web service) but good old MIIS is still there as the FIM Synchronization Engine, but there have been substantial improvements under the hood to enable synchronization rules to be configured in the portal and flow into the Sync Engine.

So what's in a name? Some new features that, according to Doug Leland, spell Business Ready Security.

The Target date is still Q1 of calendar year 2010.

Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of IdentityJunkie.com fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck, is a very talented developer, and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.

Tuesday, April 14, 2009

A few excellent Live@edu (Outlook Live) Blogs

I have been involved with the Microsoft Live@edu (formerly Windows Live@edu) and the Outlook Live (formerly Exchange Labs) programs for quite some time.

What a wonderful opportunity for schools to alleviate the cost of hosting email for students and then to be able to offer it to alumni, helping provide them with a lifelong connection to the university and a way to keep their email address from their student days. Maintaining stronger ties leads to more evangelism on the school's behalf and will lead to more alumni donations. I would have loved to have kept my dpl@bigdog.engr.arizona.edu, lundelld@gas.uug.arizona.edu or dlundell@u.arizona.edu accounts. Instead of rediscovering friends on Facebook I might never have lost touch with them in the first place.

A few weeks ago Robert Hughes of Bridgepoint introduced me to Jonny Chambers blog as another excellent resource to information about Outlook Live. So I thought I would collect some resources here:

Jonny Chambers blog

Jonny has a great list of official links to Live@edu

http://cid-c76eae4d4a509fbd.profile.live.com/Lists/cns!C76EAE4D4A509FBD!495/

Almero Steyn (pronounced Al mare Roo  Stain)  another ILM MVP has also put together some fantastic blog posts on Outlook Live.

Wednesday, March 25, 2009

ILM 2 addons

Marvin Tansley of Gemalto demonstrated their add-on to ILM 2 for provisioning One Time Password (OTP) devices using ILM 2, with the goal of minimizing the # of portals that users visit in order to perform self service management. It looks really good, it even accounts for lost device management.

Gil Kirkpatrick of Quest interviewed me on camera to discuss my experiences at the conference. That was fun.

At lunch Gil handed out prizes (we provided a red colored XBox -- I guess the red had something to do with Resident Evil). But you had to present to win, and I do mean present -- you had to respond within 10 seconds to get your prize.

<PrizeOffering TTL="10 Seconds">Resident Evil Xbox</PrizeOffering>

New Certificate and Identity Blogger on the Loose

Marc Mac Donnell has just launched his blog on http://assurancesinidentity.blogspot.com/ and called it Assurances in Identity, and has posted the links to the CLM API documentation and case study about some work he did with MCS UK and CapGemini.

I look forward to many more posts from Marc about some of the wizardry and tricks in managing certificates and identities.

MSIT's implementation of ILM 2

TEC 2009 continues onto the last day.

Joel Silver spoke on his efforts and plans to implement ILM 2 for Microsoft. He presented a very interesting workflow to show how he addressed the challenge of creating unique email aliases.

Then I listened to Felix as he discussed some of the interesting aspects of LDAP enhancements from around the vendorscape (I think I just made that word up).

Tuesday, March 24, 2009

TEC 2009

Now that our pre-conference workshop on Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal is done

and our (Brad, Chris and me) sessions  done: Proper Care & Feeding of ILM, CLM and RMS , Designing an Object Expiration & Reconciliation process in ILM 2 , Rescue Your Identity Metasystem from Chaos (reporting against ILM 2), and ADFS Extensibility, we are all able to relax a little and enjoy everyone else's sessions.

I spent a fair amount of time looking at Quest's One Identity Management Solutions (thanks to Jonathan Sanders), and I also got to attend Felix Gaehtgens's (Kuppinger Cole) session on You've Authenticated the User, so Now What? wherein he discussed RBAC vs Attribute Based Access Control (ABAC) and a standard that is new to me called XACML (Zack uh mel). I really enjoyed it despite it being a forward looking theoretical discussion.

Brad was telling me how much he enjoyed the ILM “2” Chalktalk by Andreas Kjellman and Mark Wahl

TEC 2009 -- Ensynch Identity Bus

Last night fellow ILM MVPs Brad Turner, Chris Calderon, Carol Wapshere (pronounced Wap shear and well known as Miss MIIS) and I, along with a number of other TEC 2009 attendees, rode on the Ensynch Identity Bus to take us from the Green Valley Ranch Resort to the Las Vegas Strip. After a great steak dinner at Smith and Wollensky's (across from New York New York) a few of us walked the strip hoping to see the fountains at the Bellagio, but alas they shut off at midnight.

Our first run of the night was with a completely full bus!

The bus will also be running tonight

Departing Green Valley Ranch Resort 8:30pm, 9pm, 9:30pm, 10pm, 11pm, 11:30pm, 12am, 12:30am.
Drop-off / Pick-up at Mandalay Bay, 9pm, 9:30pm, 10pm, 10:30pm, 11pm, 11:30pm, 12am, 12:30am, 1:00am (last pick-up)
Drop-off / Pick-up at New York, New York, 9:10pm, 9:40pm, 10:10pm, 10:40pm, 11:10pm, 11:40pm, 12:10am, 12:40am, 1:10am (last pick-up)

image

Monday, March 16, 2009

Posted: ILM 2 Business Value webinar recording

ILM 2 Business Value Webinar Recording

It has actually been posted for some time now, I have just been a bit busy (apology to my readers).

Other items will also get posted here in the column on the right hand side:

http://ensynch.com/pa_ci_identity_and_access_management.aspx

ILM/MIIS Sync Engine Clustering Windows 2008

First, let me say thank you to Alex Tcherniakhovski for pioneering the way in clustering the MIIS Service or as it is now known the ILM Sync Engine. That blog, presentation and script was an excellent set of work. http://blogs.msdn.com/alextch/archive/2005/12/17/clusteredmiis.aspx

On Windows Server 2008, a few things have changed that break the script that Alex T. provides.

In Windows Server 2003 the cluster service runs as a domain account, and as long as that user has access to all nodes, can stop and start services, and is an MIIS Administrator, it should be able to do the trick.

Well with Windows Server 2008 the security model for the cluster service has changed:

http://support.microsoft.com/kb/947049

http://technet.microsoft.com/en-us/magazine/2008.07.failover.aspx

There is no service account, instead there is a Cluster Name Object created in AD as a computer object.

So the cluster service, which runs the generic resource scripts, now runs under local system in a special context with limited privileges.

So this means you can’t impersonate during WMI calls because it doesn’t have enough rights.

I tried making the CNO a member of the local administrators group, but that wasn’t enough. I may still get this to work.

For the mean time I am switching the remote WMI calls to use embedded credentials, but the local WMI calls can't have credentials, like so:

' Node, activeNode, strUser, strPassword and strDomain are set earlier in the
' cluster resource script. A connection to the local node must not pass
' credentials (WMI rejects them), so only the remote branch supplies them.
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")

If Node = activeNode Then
    ' Local node: connect with the caller's own context
    Set objWMIService = objSWbemLocator.ConnectServer(Node, _
        "root\CIMV2")
Else
    ' Remote node: user, password, locale and NTLM authority are passed explicitly
    Set objWMIService = objSWbemLocator.ConnectServer(Node, _
        "root\CIMV2", _
        strUser, _
        strPassword, _
        "MS_409", _
        "ntlmdomain:" + strDomain)
End If

After changing this several places in the code -- fixing how the command to sleep worked, I can now failover without a problem!

Thursday, March 12, 2009

At TEC get on the Ensynch Identity Bus

If you are coming to TEC 2009 at the Green Valley Ranch Resort outside of Las Vegas, and want to take a trip to the strip Monday or Tuesday night, then you are in luck -- Ensynch is sponsoring the Identity Bus -- we'll have some buses that will be running from the resort to one of the monorail stops on the strip. Details will be provided at the conference in your handouts. I will be riding on the Identity Bus some of the time and hope to see you there!

Thanks to Stuart Kwan for coining the term Identity Bus, and thanks to Christine McDermott for helping suggest a practical way to make it happen, and thanks to Tyeson Cluff our marketing consultant for making it happen!

Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference and so they re-branded the conference NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas www.tec2009.com 

Sunday, 1 PM - 5 PM: Pre-conference Workshop 2: Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal (David Lundell and Brad Turner)
Monday, 1 PM - 2:15 PM: Designing an Object Expiration & Reconciliation process in ILM 2 (Brad Turner)
Monday, 1 PM - 2:15 PM: Proper Care & Feeding of ILM, CLM and RMS Databases (David Lundell)
Monday, 4 PM - 5:15 PM: Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS (David Lundell and Brad Turner)
Tuesday, 2:45 PM - 4 PM: ADFS Extensibility (Chris Calderon, who will probably co-present with Randy Weimar)

 

(yes the current schedule has Brad and I speaking on Monday at 1 PM in different rooms)

Thursday, February 12, 2009

Another talented Ensynchian joins the blogosphere

My colleague Joe Zamora, a talented developer, who has been instrumental in helping us advance our knowledge of custom workflows, has just launched his own blog: CShark.

His first post is on how to "Generate AccountName in ILM2 custom workflow activity" and it came in response to a question in the ILM 2 connect forum entitled:  Custom Workflow Activity to Generate samAccountName.

Go Joe Go!

Monday, February 2, 2009

Webinar: Business Impact of ILM 2

Thanks to everyone that attended our technical webinar on ILM 2: an overview, and a dive into how password reset works.

We are at it again. Only this time we are presenting on the business impact of Identity Management with ILM 2. So invite your decision makers!

 

Tuesday, January 6, 2009

ILM 2 Functions Explained

For each function: its parameters, David's description, an example, and an explanation of the example.

Function: BitAnd
Parameters: 1) mask, Type: Integer; 2) flag, Type: Integer
Description: BitAnd is a bitwise operation ANDing mask and flag. So if flag is the userAccountControl attribute in AD and mask is negative 2147483645 (the two's complement of 2) then the result is that the disable bit (bit 2) is turned off, leaving all of the other bits unchanged. BitAnd can be combined with Eq to detect if a bit is set.
Examples:
BitAnd(-2147483645, userAccountControl)
BitAnd(-2147483645, 514) = 512
BitAnd(-2147483645, 512) = 512
BitAnd(-2147483631, 528) = 512
BitAnd(-2147483631, 512) = 512
Eq(BitAnd(2, userAccountControl), 2)
Explanation: Turn off the disable bit. Flow the result into userAccountControl in AD to enable a user. If userAccountControl is 514 then the example gives us 512; if it is 512 then it remains unchanged. To figure out what to use as the mask, we first start with what bit we want to set in the mask (bit 16 -- account is locked out), then take the two's complement: start with the negative of (2^31 - 1), which is -2147483647, and add the value of the bit, in this case 16, to give us -2147483631. For the Eq example: if that is true then the disable bit is currently set in AD.

Function: BitOr
Parameters: 1) mask, Type: Integer; 2) flag, Type: Integer
Description: BitOr is a bitwise operation ORing mask and flag. So if flag is the userAccountControl attribute in AD and mask is 2 then the result is that the disable bit is turned on.
Examples:
BitOr(2, userAccountControl)
BitOr(2, 512) = 514
BitOr(2, 514) = 514
Doesn't work (vote on this feedback):
BitOr(
IIF( Eq(scope,"Universal"),8,IIF(Eq(scope,"DomainLocal"),4,IIF(Eq(scope,"Global"),2,0)))
, IIF(Eq(type,"Distribution"),0,2147483648)
)
Explanation: Turn on the disable bit. Flow the result into userAccountControl in AD to disable a user. If userAccountControl is 512 then the example gives us 514; if it is 514 then it remains unchanged. The nested IIF example returns an error of "return type (Object) of function IIF is not Integer".
CRLF None puts in a Carriage return line feed CRLF()="
"
"Fred"+ CRLF() + "Flatstone" =
"Fred
Flatstone"
The only function with no parameters but it still needs the () otherwise ILM thinks you are looking for an attribute.
DateTimeFormat 1)dateTimeString
Type:String

2)format
Type:String
Take the date and time in the dateTimeString and format it according to the format parameter. As far as I have tested it works according to Standard Date Time Formats and .NET Custom Date and Time Format Strings DateTimeFormat("12-28-2008 12:34:01.213 PM", "MM/dd/yyyy  ddd dddd hh:mm:ss  d  f M") ="12/28/2008 ;Sun ;Sunday ;
12:34:01 ;28 ;2 ;12"

DateTimeFormat("12-28-2008 12:34:01.213 PM", "G")  ="12/28/2008 ;12:34:01 ;PM"
It looks like you can use either the custom strings (like MM/dd/yyyy) or standard strings (like G)
ConvertSidToString 1) ObjectSID
Type:Binary
I suppose that this one works just like our good old Utils.ConvertSidToString method in the Metadirectory namespace
and is used to convert a SID to a string
EscapeDNComponent 1) dnStr
Type:String
Again I suppose this one works just like
ConnectedMA.EscapeDNComponent
EscapeDNComponent("CN=Turner, Brad") = "CN=Turner\, Brad" The function will escape out characters that are not permitted in distinguished names (this will vary MA by MA)
IIF 1)condition
Type:Boolean

2)valueTrue
Type: Object

3)valueFalse
Type: Object
If condition is true then return valueTrue if condition is false return valueFalse IIF(Eq(1,1), "Yes it's true", "No it's false") = "Yes it's true"

IIF(Eq(1,2), "Yes it's true", "No it's false") = "No it's false"

IIF(Eq(type,"Distribution"),
IIF(Eq(scope,"Universal"),8,
IIF(Eq(scope,"DomainLocal"),4,
IIF(Eq(scope,"Global"),2,0))),
IIF(Eq(scope,"Universal"),-2147483640,IIF(Eq(scope,"DomainLocal"),-2147483644,IIF(Eq(scope,"Global"),-2147483646,0))))






Example Brad and I cooked up for group translating the string attributes type, and scope into an integer which we then flowed into the AD group attribute groupType which combines group scope with whether it is a distribution list or not.
Left 1) str
Type:String
2) numchars
Type:Integer
Get a substring of str starting at the left and going numChars long Left("David Lundell",5)="David"
LowerCase 1) str
Type:String
The name says it all
LeftPad 1) str
Type:String
2) length
Type:Integer
3)padCharacter
Type:String
According to my testing this function works like LeftPad in the String Utils library in org.apache.commons.
take padcharacter and add it to the beginning of str until str is as long as length. If str is already as long as or longer than length then don't pad.
LeftPad("David",3,"a")="David"
LeftPad("David",6,"a")="aDavid"
LeftPad("David",8,"a")="aaaDavid"
LeftPad("David",-1,"a")="David"
LeftPad and RightPad will never truncate or overwrite the original str
Mid 1)str
Type: String
2)pos
Type: String
3)numChars
Type: Integer
Get a substring of str starting at pos and going for numChars. Mid("Brad ILM Turner",3,5) = "ad IL"
LTrim 1) str
Type:String
Remove leading whitespace LTrim("  Fred Mitchell  ") = "Fred Mitchell  "
ProperCase 1) str
Type:String
Capitalize the first letter of every word (presumably words are determined by having whitespace in between them) ProperCase("david lundell") = "David Lundell"
ProperCase("David lundell") = "David Lundell")
ProperCase("DAVID lundell") = "David Lundell")
RandomNum 1)start
Type:Integer
2)end
Type:Integer
Generate a random Integer in between (inclusive) start and end RandomNum(10,15) = ? where ? is between 10 and 15 (inclusive)
Right 1) str
Type:String
2) numchars
Type:Integer
Get a substring of str starting at the Right going numChars long Right("David Lundell",5) = "ndell"
Trim 1) str
Type:String
Remove leading and trailing whitespace Trim("  Fred Mitchell  ") = "Fred Mitchell" I haven't tested all of the whitespace characters like CRLF
RTrim 1) str
Type:String
Remove trailing whitespace RTrim("  Fred Mitchell  ") = "  Fred Mitchell"
RightPad 1) str
Type:String
2) length
Type:Integer
3)padCharacter
Type:String
According to my testing this function works like RightPad in the String Utils library in org.apache.commons
take padcharacter and add it to the end of str until str is as long as length. If str is already as long as or longer than length then don't pad.
RightPad("David",3,"a")="David"
RightPad("David",6,"a")="Davida"
RightPad("David",8,"a")="Davidaaa"
RightPad("David",-1,"a")="David"
LeftPad and RightPad will never truncate or overwrite the original str
UpperCase 1) str
Type:String
Self-Explanatory
Word 1) str
Type:String
2)wordIndex
Type:Integer
3)delimiters
Type:String
Take str and chop it up into words based delimiters, and then return the 1st, 2nd, 3rd, 4th etc word based on wordIndex Word("Brad;ILM,Turner",2,";,") = "ILM"
Word("Brad;ILM;Turner",2,";") = "ILM"
Word("Brad;,ILM;,Turner",2,";,")=""
Word("Brad;,ILM;,Turner",3,";,") = "ILM"
Word("Brad;ILM,Turner",3,";,")="Turner"
delimeters takes each delimiter character and uses them as separate delimitters not as a combination delimitter so ";," means that the second word in "Brad;,ILM;,Turner" is "" and the third word is "ILM"
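As an added example (this is not code from the post or from ILM), here is a small Python model of Word() that reproduces the delimiter behaviour described above, so you can check an expression locally before putting it in a provisioning flow. It assumes, as the post's examples show, that each character of delimiters is its own delimiter and that wordIndex counts from 1; what ILM returns for a wordIndex past the last word is not stated in the post, so the "" returned here for that case is an assumption. The second function is for contrast only and is not how ILM behaves.

```python
# Added example, not from the original post: a local model of ILM 2's Word().
import re


def word(s: str, word_index: int, delimiters: str) -> str:
    """Split s on any single character in delimiters, return word number word_index (1-based)."""
    if word_index < 1:
        raise ValueError("wordIndex is 1-based")
    if not delimiters:
        # No delimiters at all: the whole string is the only word.
        return s if word_index == 1 else ""
    # A character class: ";," means "split on ';' or on ','", never on the pair ";,".
    # Two adjacent delimiter characters therefore yield an empty word between them.
    parts = re.split("[" + re.escape(delimiters) + "]", s)
    if word_index > len(parts):
        return ""  # assumption: not stated in the post
    return parts[word_index - 1]


def word_combined(s: str, word_index: int, delimiter: str) -> str:
    """For contrast only: what you would get if the whole delimiter string were one
    multi-character delimiter. ILM's Word() does NOT behave this way."""
    if word_index < 1:
        raise ValueError("wordIndex is 1-based")
    parts = s.split(delimiter) if delimiter else [s]
    if word_index > len(parts):
        return ""
    return parts[word_index - 1]


if __name__ == "__main__":
    sample = "Brad;,ILM;,Turner"  # constructed input, same as the post's example
    for i in range(1, 6):
        print(i, repr(word(sample, i, ";,")), repr(word_combined(sample, i, ";,")))
```

Running the script prints the per-character split next to the combined split so the "" at position 2 is easy to see.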
Hopefully this helps you in your codeless provisioning quest.
Remember there are limitations like the output of IIF can't feed into a function parameter expecting an Integer like the mask or the flag in BitAND or BitOR -- and no, I am not BitOr about it. Without casting and conversion functions that is an obstacle that can't be overcome using the ILM 2 functions for that you may need to turn to custom workflows.
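As an added example (not code from the post, nor ILM's implementation), here is a Python model of the BitAnd, BitOr, Eq and groupType IIF expressions above, using plain two's-complement integers so that a userAccountControl or groupType value can be checked before it is flowed into Active Directory. The flag values are the documented AD userAccountControl and groupType bits; the function names and the to_int32 helper are this example's own. It is worth running because a plain AND does not agree with the mask recipe in the table: -2147483645 is 0x80000003, so BitAnd(-2147483645, 514) evaluates to 2 under a plain AND, not 512, and the mask that clears exactly the bit with value 2 is -3 (the bitwise NOT of 2). The table's results are what ILM returned in the author's testing, so compare the two conventions against your own environment before trusting either with a live account.

```python
# Added example, not code from the original post: a local model of the bit
# arithmetic behind the userAccountControl and groupType expressions.

# userAccountControl flags (AD schema values)
ACCOUNTDISABLE = 0x0002         # the "disable bit" (value 2) in the post
LOCKOUT = 0x0010                # value 16, used in the post's mask recipe
NORMAL_ACCOUNT = 0x0200         # 512
DONT_EXPIRE_PASSWORD = 0x10000  # a flag a wrong mask could clear by accident

# groupType flags (AD schema values)
GROUP_GLOBAL = 0x00000002
GROUP_DOMAIN_LOCAL = 0x00000004
GROUP_UNIVERSAL = 0x00000008
GROUP_SECURITY_ENABLED = 0x80000000  # source of the negative values in the IIF example


def to_int32(value: int) -> int:
    """Reinterpret an integer as signed 32-bit, which is how AD stores these attributes."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def bit_and(mask: int, flag: int) -> int:
    """Plain bitwise AND: the textbook reading of BitAnd(mask, flag)."""
    return to_int32(mask & flag)


def bit_or(mask: int, flag: int) -> int:
    """Plain bitwise OR: the textbook reading of BitOr(mask, flag)."""
    return to_int32(mask | flag)


def is_set(flag: int, bit: int) -> bool:
    """Eq(BitAnd(bit, flag), bit): true when `bit` is set in `flag`."""
    return bit_and(bit, flag) == bit


def clear_mask(bit: int) -> int:
    """Mask that clears exactly `bit` under a plain AND: every bit set except `bit`."""
    return to_int32(~bit)


def post_mask(bit: int) -> int:
    """The mask recipe given in the post: -(2**31 - 1) + bit."""
    return -2147483647 + bit


def enable_account(uac: int) -> int:
    """Clear ACCOUNTDISABLE and leave every other flag untouched."""
    return bit_and(clear_mask(ACCOUNTDISABLE), uac)


def disable_account(uac: int) -> int:
    """Set ACCOUNTDISABLE: BitOr(2, userAccountControl) in the post."""
    return bit_or(ACCOUNTDISABLE, uac)


def group_type(group_kind: str, scope: str) -> int:
    """The nested IIF example: scope bits, plus the security-enabled bit unless the
    group is a distribution list. Unknown scopes map to 0, as the IIF does."""
    scope_bits = {"Universal": GROUP_UNIVERSAL,
                  "DomainLocal": GROUP_DOMAIN_LOCAL,
                  "Global": GROUP_GLOBAL}.get(scope, 0)
    if group_kind == "Distribution":
        return scope_bits
    return to_int32(GROUP_SECURITY_ENABLED | scope_bits)


if __name__ == "__main__":
    # Constructed input: a normal, disabled account whose password never expires.
    uac = NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
    print("disabled?", is_set(uac, ACCOUNTDISABLE))
    print("after enable:", hex(enable_account(uac)))
    print("mask that clears bit 2 under plain AND:", clear_mask(ACCOUNTDISABLE))
    print("post's mask for bit 2:", post_mask(ACCOUNTDISABLE),
          "-> plain AND with 514 gives", bit_and(post_mask(ACCOUNTDISABLE), 514))
    print("security universal groupType:", group_type("Security", "Universal"))
```

The enable_account check with DONT_EXPIRE_PASSWORD set is the one to keep: whichever mask convention your ILM build uses, flowing the result into userAccountControl should change only the disable bit, and a mask that also clears other flags will show up here before it reaches the directory.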