Wednesday, November 13, 2013

FIM Deprecated Features FIM TEAM user group meeting

So in 1 hr and 20 min I will present on

November 13, 2013 21:00 UTC
See when this is in your timezone
David Lundell
Impact of deprecated features. This session will go over various deprecated features that the FIM product group has announced are to be eliminated in future releases, such as XMA v1 (ECMA v1), transaction properties, multi-mastery and equal precedence, with advice on planning for and working around their future absence.

Friday, October 4, 2013

DirSync w/ domain if NetBios and FQDN don't match

If one of your AD domains has a NetBIOS domain name that doesn't match the leftmost part of your FQDN, you need to have the Replicating Directory Changes permission granted to your AD MA account. This is documented in a few places, including my book. However, DirSync misses this step. Normally DirSync does a very good job of installing and configuring everything you need without requiring you to be an expert in FIM, but this is one thing it misses.

For example, if the FQDN is Exchange.loc but the NetBIOS name of the domain was Snappy, then you would use this command to solve the issue:

DSACLS "CN=Configuration,dc=exchange,dc=loc" /G "exchange\Grp_DirChanges:CA;Replicating Directory Changes;"
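As an added example (mine, not part of the original post), this PowerShell snippet does the two checks I would want before and after running that DSACLS command: whether the NetBIOS name really differs from the leftmost DNS label, and which trustees currently hold Replicating Directory Changes on the domain and configuration partitions. It assumes the ActiveDirectory RSAT module is installed; Grp_DirChanges is only the post's example group name.

```powershell
# Added example, not from the original post. Read-only: it queries the
# domain and its ACLs and grants nothing. Requires the ActiveDirectory
# module (RSAT) so that the AD: drive is available.
Import-Module ActiveDirectory

# Schema GUID of the DS-Replication-Get-Changes extended right, which the
# GUI and DSACLS show as "Replicating Directory Changes".
$ReplicatingDirectoryChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-NetBiosMatchesFqdn {
    # True when the NetBIOS name equals the leftmost DNS label, i.e. the
    # normal case in which DirSync sets the permission up by itself.
    param([string]$DnsRoot, [string]$NetBiosName)
    return ($DnsRoot.Split('.')[0] -ieq $NetBiosName)
}

function Get-ReplicationChangesTrustees {
    # Every trustee with an Allow ACE for the extended right on this naming
    # context. Group membership is not expanded: if the AD MA account holds
    # the right through a group (Grp_DirChanges in the post), the group is
    # what appears here.
    param([string]$DistinguishedName)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
            $_.ObjectType -eq $ReplicatingDirectoryChanges
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

if (Test-NetBiosMatchesFqdn -DnsRoot $domain.DNSRoot -NetBiosName $domain.NetBIOSName) {
    "NetBIOS name '{0}' matches the leftmost label of '{1}'." -f $domain.NetBIOSName, $domain.DNSRoot
} else {
    "NetBIOS name '{0}' differs from the leftmost label of '{1}': check the AD MA account below." -f $domain.NetBIOSName, $domain.DNSRoot
}

# The right lets its holder read every directory change, so this list should
# be short and every entry expected (domain controllers, the AD MA account
# or its group). Anything else deserves a question.
foreach ($nc in @($domain.DistinguishedName, $rootDse.configurationNamingContext)) {
    ""
    "Trustees holding Replicating Directory Changes on $nc"
    Get-ReplicationChangesTrustees -DistinguishedName $nc | ForEach-Object { "  $_" }
}
```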

Declarative or Bust!

Michael Pearn from down under wrote about his experience trying to use just Declarative Sync Rules.

His experience -- especially the religious debates -- is similar to my own. It made me recall my presentation at TEC 2012, the FIM 2010 R2 Showdown: Classic vs. Declarative.

The vast majority of old hands at the presentation declared for Classic both before and after the presentation. During the presentation I attempted to view anything you could do without code as declarative, whether it came from a sync rule or not, especially if it was a new feature. But the crowd wouldn't let me claim anything configured in the sync engine as declarative. So in this post only classic code counts as not declarative.

Michael found that he needed classic code for Advanced Join rules, for doing anything with multi-valued attributes other than just flowing them, and for "Converting Binary values to ISO8601 Datetime." In his example he could have modified the SQL query that gets the data from HR and avoided the need for the Advanced Join rule.

In addition to Michael's list, here are some other things that you may need classic code to do:

  • Advanced Filtering scenario to cause disconnections
  • Changing the Metaverse object type when a connector joins to it
  • Join Resolution Rules
  • Manual Precedence Import Flows
  • Provision objects with Auxiliary classes
  • Decide on a case by case basis whether to deprovision as a Disconnector, Explicit Disconnector or just delete the object.

But what does the FIM Sync engine bring us beyond what we had in ILM 2007 FP1?

  • A lot less need for an MVDeletion rules extension, since we can indicate that disconnection from any of a list of MAs should trigger MV deletion, or that deletion should happen when the object is disconnected from all MAs (but ignore this one and that one)
  • Many, many attribute transformations can be done with Sync Rules and don't need code
  • A way to do fairly sophisticated provisioning logic without code (Transition Sets, MPRs, Workflows, Outbound Sync Rules)
  • R2: A way to do some basic provisioning logic with filter-based Outbound Sync Rules that performs pretty decently and doesn't require a detour through the FIM Service
  • New ways to trigger deprovisioning (Transition Sets, MPRs, Workflows, Outbound Sync Rules)
  • OU creation w/o code (That sure is nice, and no worries about the OU being a connector to the MV object that first needed it)
  • DN Rename w/o code (also very nice)

In my presentation I contrasted the new sync rules with the classic config and code:
Finally, here were my recommendations, which many disagreed with, though it sounds like Michael would agree:

There are some high-volume scenarios where sync rules are too slow, and there are still some customers that get all they want out of the classic sync engine and don't want to pay for CALs.

Wednesday, September 11, 2013

Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet

One of my fellow MVPs and Insight teammates, Alessandro Cardoso (he runs one of our practices down under), announced on his blog that Windows 2012 R2 and Windows 8.1 RTM are now on MSDN and TechNet.

He goes on to mention the salient points around 2012 R2 for virtualization, so I thought I would discuss some of the benefits for Active Directory and ADFS.

One key thing is that ADFS on Windows Server 2012 R2 doesn't require IIS, so now it can and should be installed on domain controllers.

But the most exciting aspect is the enhancement to security, specifically mobile security. With the advent of Workplace Join (or Join to Workplace), mobile devices (iOS and Windows) can be part of the domain and participate in SSO.

One of the best enhancements to ADFS is the ability to "Set [multi-factor authentication] requirement for all extranet access or conditionally based on the user’s identity, network location or a device that is used to access protected resources."

Thursday, August 15, 2013

MS13-066 causes ADFS 2.0 problems

Microsoft put out a release the day before yesterday (8/13/13) to fix a security vulnerability in ADFS 2.0.

It caused an outage for SSO with Office 365 for a customer of ours (they had the servers set to auto-update).

At the moment we recommend NOT installing these updates.

We saw the following error repeated for every authentication attempt:

Event ID 111 Federation service encountered an error while processing the ws-trust request.

Exception Details:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation ---> System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=

It goes on with the stack trace.

Uninstalling these updates has partially restored service: Outlook and Lync now work, but Outlook Web Access and SharePoint Online still aren't working.

In fact they pulled the patch later in the day yesterday.

Monday, July 8, 2013

Is the Password dead? Gotta eat what you kill!

At last year's Cloud Identity Summit in Vail I heard a lot about how the password is dead. I expect to hear a lot more this year.

Most of it fit into one of several categories:

  1. Complaints about why passwords should be dead
    1. In other words all of the various problems with passwords -- and there are
  2. Schemes to have various applications depend on someone else's password
    1. While this is helpful it doesn't kill the password
  3. Schemes for authentication that don't quite apply.

Last year, when talking about DMZs, Gunnar Peterson said "You have to eat what you kill," meaning you have to provide replacement functionality.

As I was recently reminded by a business analyst co-worker, you always have to start with the requirements. So what are the requirements for a password replacement? We need to consider them from several viewpoints:

  1. The consumer end-user
  2. The Business To Consumer (B2C) website developers and admins
  3. The corporate end-user
  4. Those developing apps principally for consumption by corporate users
  5. Corporate IT Security
  6. Legal departments responsible for reducing the liability of #2 and #4

The password killer that best meets the expectations of all of these groups should become the most widely adopted.

So in the next several posts I will explore what each of these viewpoints wants in a password killer.

Then I plan on evaluating all of the password killers I find against these criteria.

Monday, July 1, 2013

The MVP 7 year itch

This morning I received an email letting me know that for the 7th time (every year since 2007) I have been honored by Microsoft with the Microsoft Most Valuable Professional (MVP) Award. All 7 times I have received the award for my "outstanding contributions in Forefront Identity Manager technical communities" and its predecessors.

In 2007, despite the product having been renamed Identity Lifecycle Manager (ILM) 2007, the MVP award was for Microsoft Identity Integration Server (MIIS) 2003. By 2008 it was changed to ILM, and in 2010 it was changed to FIM.

So I have been an MIIS MVP, an ILM MVP and a FIM MVP. Entering my 7th year I am experiencing an itch. I wonder what product name will come next:

  • Microsoft Identity Manager Experience (MIME) That acronym is taken
  • Microsoft Identity Manager (MIM)
  • Microsoft Identity Access Manager (MIAM) pronounced Me-am
  • Microsoft Identity Access Manager Integrator (MIAMI)
  • Microsoft Identity Access Control Engine (MIACE)
  • Microsoft Access Control Engine (MACE) -- great for medieval weapon enthusiasts
  • Microsoft Identity Control Engine (MICE)
  • Windows Active Directory Identity Manager (WADIM) too long
  • Azure Identity Manager (AIM) that one's taken too.
  • Azure Cloud Identity Manager (ACIM)
  • Microsoft Azure Identity Manager (MAIM) Bad acronym
  • Azure Provisioning Engine (APE)
  • Windows Identity Manager (WIM)
  • Windows Identity Manager Program (WIMP) Not strong enough
  • Azure Identity Integration Engine (AIIE)
  • Azure Identity Integration Manager (AIIM)
  • Azure Identity Integration Service (AIIS)
  • Azure Identity Bridge (AIB)

What do you think it will be?

Wednesday, June 26, 2013

Implications of Office 365 Password Sync for ADFS (SSO)

The article on Password Sync for Office 365 is interesting news and clearly states that federated users can't have their passwords synced. In the Community Additions many curious users asked questions, treating it as a forum. Well, here are my responses:

If you do Password Sync do you still need ADFS or any other SSO tool that works with Office 365?

Password Sync gives you the ability to log in to Office 365 using the same username and password that you use with your Active Directory. This is usually referred to as Simplified Sign-On or Reduced Sign-On.

ADFS gives you Single Sign-On, meaning that when you are on a computer and have already authenticated, an SSO token (a SAML token) is stored on your computer, and when you access Office 365 services your computer transmits the token to the Office 365 service, which means that you usually won't need to type in your username and password. That is Single Sign-On (you signed on a single time and can now access many services).

Does this mean that you don't need ADFS? That depends (the consulting guild requires that I initially answer all questions in that fashion ;). As you can see, Password Sync gets you some of the benefits that previously required ADFS (use the same password as AD) but not all of them (sign in a single time and not have to re-authenticate to every service).

If your only online service is Office365 and you are willing to live with your users having to type in their passwords repeatedly then you probably don't need ADFS.

If your only online service is Office365 and you do not want your users to have to type in their passwords repeatedly then you do need ADFS.

If you have multiple online services then you want ADFS or another SSO tool so that you can do SSO to all of them (DirSync won't sync your password to anything but Office 365 and its Azure AD).

Another question asked is about Password Reset -- in effect why does the Office365 Password Reset feature get disabled if you do Password Sync? The answer is that if you are syncing passwords your local AD is now in charge of passwords (good because it simplifies things for the users -- fewer passwords to remember) rather than Office 365. I suppose Microsoft could have set it up whereby the password reset tool would reset the on premise AD password but probably felt that was too invasive and risky. So if you do go with Password Sync users need to reset their passwords in the local AD using whatever means you already have to do that -- Forefront Identity Manager, some third party Password Reset tool, or the helpdesk.

Wednesday, May 1, 2013

How to get from the Sync-Rule-ID to the Sync Rule Resource ID

If you are looking at the XML export of the FIM synchronization config and you are trying to track down which sync rule is supplying a particular flow you just need to know which numbers lead you where.

For example:

<import-flows mv-attribute="accountName" type="ranked">
      <import-flow src-ma="{9686B319-E4BF-49C5-90C9-59054CCE3F92}"
                   cd-object-type="user" id="{210D4BB7-B886-4898-8361-7A232BBD65E8}">
        <sync-rule-mapping mapping-type="direct"
                           initial-flow-only="false" is-existence-test="false">

The key to finding the sync rule is of course the sync rule ID. However, this is not the Resource ID that I can search for in the FIM Portal. Rather, this is the metaverse object ID.

From there I can open the list of connectors, and for sync rules there should be one -- the FIM MA.

Then I can see the Distinguished Name of the sync rule, which is the Resource ID (aka ObjectID).

Then I can search in the FIM Portal by ResourceID and find the corresponding synchronization rule.

Even better is to use the Join-ImportToExportAttributeFlow PowerShell cmdlet originally created by Craig Martin.

Joe Zamora found and tweaked a minor bug in it: be sure to use this fix.

Using the cmdlet you can have a spreadsheet showing you the end-to-end attribute flow.

Friday, April 12, 2013

FIM Functions Updated, Bitwise Functions

In addition to the official reference for functions, I thought I would update my examples from back in the ILM 2 Beta days.

Function Name: BitAnd
Parameters:
  1) mask  Type: Integer
  2) flag  Type: Integer
Description: BitAnd is a bitwise operation ANDing mask and flag. So if flag is the userAccountControl attribute in AD and mask is -3 (the 64-bit two's complement of 2), then the result is that the disable bit (bit 2) is turned off, leaving all of the other bits unchanged.

To figure out what mask to use to turn off a bit, multiply that bit's value by negative 1 and then subtract one. To turn off bit 2, AND userAccountControl with -3. To turn off bit 16 (account is locked out), AND it with -17.

Examples:
  BitAnd(-3, userAccountControl)
  Turn off the disable bit. Flow the result into userAccountControl in AD to enable a user.

  BitAnd(-3, 514) = 512
  If userAccountControl is 514 then the example gives us 512, which reactivates the account.

  BitAnd(-3, 512) = 512
  If it is 512 then it remains unchanged; the account was already active.

  BitAnd(-17, 528) = 512
  A locked-out account (the bit in the 16's place was on) was unlocked.

  BitAnd(-17, 512) = 512
  An account that was already unlocked is guaranteed to be unlocked.

  Eq(BitAnd(2, userAccountControl), 2)
  This is a test to see if an account in AD is currently disabled. If so it returns true, otherwise false.

Function Name: BitOr
Parameters:
  1) mask  Type: Integer
  2) flag  Type: Integer
Description: BitOr is a bitwise operation ORing mask and flag. So if flag is the userAccountControl attribute in AD and mask is 2, then the result is that the disable bit is turned on.

Examples:
  BitOr(2, userAccountControl)
  Turn on the disable bit. Flow the result into userAccountControl in AD to disable a user.

  BitOr(2, 512) = 514
  If userAccountControl is 512 then the example gives us 514.

  BitOr(2, 514) = 514
  If it is 514 then it remains unchanged.
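Here is an added example (mine, not from the original post) that works the BitAnd/BitOr cases above in PowerShell, so you can check a mask against sample userAccountControl values before putting it into a sync rule. The UAC_ names are the standard AD flag constants; the function names and the case table are illustration only.

```powershell
# Added example, not from the original post: the FIM BitAnd/BitOr examples
# reproduced in PowerShell, which uses the same 64-bit two's-complement
# integers as the sync rule functions.

# userAccountControl flag values referred to in the post (AD constants).
$UAC_ACCOUNTDISABLE = 2
$UAC_LOCKOUT        = 16
$UAC_NORMAL_ACCOUNT = 512

function Get-ClearMask {
    # The post's rule for a mask that turns a bit off: multiply the bit's
    # value by -1 and subtract one. That is exactly the bitwise NOT of the
    # bit, which is why ANDing with it clears only that bit.
    param([int64]$BitValue)
    $mask = (-1 * $BitValue) - 1
    if ($mask -ne (-bnot $BitValue)) { throw "mask rule and -bnot disagree for $BitValue" }
    return $mask
}

function Invoke-FimBitAnd { param([int64]$Mask, [int64]$Flag) return ($Mask -band $Flag) }
function Invoke-FimBitOr  { param([int64]$Mask, [int64]$Flag) return ($Mask -bor  $Flag) }

function Test-FimAccountDisabled {
    # Eq(BitAnd(2, userAccountControl), 2) from the post.
    param([int64]$UserAccountControl)
    return ((Invoke-FimBitAnd -Mask $UAC_ACCOUNTDISABLE -Flag $UserAccountControl) -eq $UAC_ACCOUNTDISABLE)
}

# The post's worked examples, with the results it states as Expect.
# Note: in AD the lockout state is kept in lockoutTime and reported through
# msDS-User-Account-Control-Computed; the 16 bit in userAccountControl is
# not writable, so the -17 rows only illustrate the mask arithmetic.
$cases = @(
    @{ Op = 'BitAnd'; Mask = (Get-ClearMask $UAC_ACCOUNTDISABLE); Flag = ($UAC_NORMAL_ACCOUNT -bor $UAC_ACCOUNTDISABLE); Expect = 512; Note = 'enable a disabled normal account' }
    @{ Op = 'BitAnd'; Mask = (Get-ClearMask $UAC_ACCOUNTDISABLE); Flag = $UAC_NORMAL_ACCOUNT;                             Expect = 512; Note = 'already enabled, unchanged' }
    @{ Op = 'BitAnd'; Mask = (Get-ClearMask $UAC_LOCKOUT);        Flag = ($UAC_NORMAL_ACCOUNT -bor $UAC_LOCKOUT);        Expect = 512; Note = 'clear the 16 bit' }
    @{ Op = 'BitAnd'; Mask = (Get-ClearMask $UAC_LOCKOUT);        Flag = $UAC_NORMAL_ACCOUNT;                             Expect = 512; Note = '16 bit not set, unchanged' }
    @{ Op = 'BitOr';  Mask = $UAC_ACCOUNTDISABLE;                 Flag = $UAC_NORMAL_ACCOUNT;                             Expect = 514; Note = 'disable a normal account' }
    @{ Op = 'BitOr';  Mask = $UAC_ACCOUNTDISABLE;                 Flag = ($UAC_NORMAL_ACCOUNT -bor $UAC_ACCOUNTDISABLE); Expect = 514; Note = 'already disabled, unchanged' }
)

foreach ($c in $cases) {
    $result = if ($c.Op -eq 'BitAnd') { Invoke-FimBitAnd -Mask $c.Mask -Flag $c.Flag } else { Invoke-FimBitOr -Mask $c.Mask -Flag $c.Flag }
    $status = if ($result -eq $c.Expect) { 'ok' } else { 'MISMATCH' }
    '{0}({1}, {2}) = {3}  [{4}] {5}' -f $c.Op, $c.Mask, $c.Flag, $result, $status, $c.Note
}

'Disabled test on 514: {0}' -f (Test-FimAccountDisabled 514)
'Disabled test on 512: {0}' -f (Test-FimAccountDisabled 512)
```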

Hopefully this helps you in your codeless provisioning quest.

Remember there are limitations: the output of IIF can't feed into a function parameter expecting an Integer, like the mask or the flag in BitAnd or BitOr -- and no, I am not BitOr about it. Without casting and conversion functions that is an obstacle that can't be overcome using the FIM functions; for that you may need to turn to custom workflows.

Friday, March 22, 2013

Insight Cloud SSO Solution and FIM Jumpstart offerings

I wrote an article for the Insight Newsletter about two of our new offerings.

Solving identity and access management for mid-sized business
By David Lundell, Sr. Manager, Identity and Security Practice
User productivity, IT budgets, and security and compliance all suffer from ineffective identity and access management. Insight has two new packages aimed at helping mid-sized businesses confront these challenges in the age of the cloud. Read more.

Secrets of the Metaverse Part 5

Parts 1-5:

  1. What is the Metaverse?
  2. How is the Metaverse data stored?
  3. Is there a limit to how many Metaverse attributes I can have?
  4. Has access to the metaverse gotten faster with recent releases?
  5. How do I safely query the metaverse?
  6. Added (Aug 5 2015): How Many Metaverse Attributes can I have?

First of all, the FIM Product group does not support direct modification of the data in any of the FIM databases. Doing so can leave your database in a state that is entirely unsupportable.

Second, the FIM Product group doesn't support direct queries against any of the FIM databases. However, it is possible to query the FIM Synchronization Service database without causing problems and without enormous gyrations. The FIM Service database has a very *interesting* data structure and is much more difficult to query.

So how do you safely query the FIM Synchronization Service database?

1) Use the NOLOCK hint

2) Set the transaction isolation level to read uncommitted.

Both of these tell SQL not to obtain locks on the records you are querying. This means that other threads, such as the one that is synchronizing records, don't get stuck waiting on your query. However, this also means that some of the data you read could be in the middle of a transaction, a transaction that could be rolled back. For example, your query could catch the moment when a new MV object has just been projected from the HR MA but has not yet been provisioned to AD. That transaction could succeed and commit, or it could get rolled back and the MV projection undone.

On to the how:

To use the NOLOCK hint you must place it after every table and view name referenced in your query, like this (the two single-row derived tables are combined with a CROSS JOIN):

SELECT MetaverseObjectCount, ConnectorSpaceObjectCount,
       MetaDirectoryObjectCount = MetaverseObjectCount + ConnectorSpaceObjectCount
FROM (SELECT COUNT(*) AS MetaverseObjectCount
      FROM MicrosoftIdentityIntegrationServer.dbo.[mms_metaverse] WITH (NOLOCK)) AS MVC
CROSS JOIN
     (SELECT COUNT(*) AS ConnectorSpaceObjectCount
      FROM MicrosoftIdentityIntegrationServer.dbo.[mms_connectorspace] WITH (NOLOCK)) AS CSOC

To set the transaction isolation level to read uncommitted you simply run that command, followed by the keyword GO, before your queries -- sometimes your reporting tools permit you to set that with a checkbox:

SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
GO

SELECT MetaverseObjectCount, ConnectorSpaceObjectCount,
       MetaDirectoryObjectCount = MetaverseObjectCount + ConnectorSpaceObjectCount
FROM (SELECT COUNT(*) AS MetaverseObjectCount
      FROM MicrosoftIdentityIntegrationServer.dbo.[mms_metaverse]) AS MVC
CROSS JOIN
     (SELECT COUNT(*) AS ConnectorSpaceObjectCount
      FROM MicrosoftIdentityIntegrationServer.dbo.[mms_connectorspace]) AS CSOC

One might ask: can you do both? Yes you can, and it will cause no harm. The one place you can't use the SET TRANSACTION ISOLATION LEVEL command is in a view or stored procedure -- so inside of those objects you must use the WITH (NOLOCK) hint.

Monday, March 11, 2013

Secrets of the Metaverse Part 4

Parts 1-5:

  1. What is the Metaverse?
  2. How is the Metaverse data stored?
  3. Is there a limit to how many Metaverse attributes I can have?
  4. Has access to the metaverse gotten faster with recent releases?
  5. How do I safely query the metaverse?
  6. Added (Aug 5 2015): How Many Metaverse Attributes can I have?

Has access to the metaverse gotten faster with recent releases? Well, I won't cover everything they have done, but two really significant things:

1) Skinnier clustered index key for the mms_metaverse table

2) Sequential numbering of the clustered index key

1) Skinnier clustered index key for the mms_metaverse table

                                         Old               New
Column used as the clustered index key:  object_id         row_key
Data type:                               uniqueIdentifier  bigint
Size:                                    16 bytes          8 bytes

The mms_metaverse table previously used the object_id column of type uniqueIdentifier (16 bytes) as the clustered index key. The product group added a new column called row_key of type bigint (8 bytes).

So how does this help?

Think of a database table like a book. The clustered index is the table of contents and the main text of the book, excluding the indexes in the back. There is only one order for the book to go in, and that is the same with a table. In the book the key used in the table of contents is the page number. In a table we pick one or more columns to serve as the clustered index key.

The non-clustered indexes are like the indexes in the back of the book (a topical index, a place index, a person index), and they also include the clustered index key. So the topical index lists a subject and then the page(s) where it is found.

Clustered Index ~ Table of Contents

Clustered Index Key ~ page number

Non-Clustered Index ~ Topical Index at the back of the book

Non-Clustered Index Key ~ topic

Pretend we had to pad the page number so it looked like 00000000045:

Chapter 1 page 0000 0000 0000 0000 0000 0000 0001

Chapter 2 page 0000 0000 0000 0000 0000 0000 0093

Then the topical index would look like this (the topical index includes the key from the table of contents -- the page number):

Beach 0000 0000 0000 0000 0000 0000 0006

Desert 0000 0000 0000 0000 0000 0000 0020

Suddenly this limits how many columns of the index I can print on a single page.

Both the table of contents and the index are much larger, consuming more pages. It also takes more time to search through those pages for my topic.

By going to a skinnier clustered index key it is as though the product group changed the book to be like this:

Chapter 1 page 0001

Chapter 2 page 0093

and the index to this:

Beach 0006

Desert 0020

Suddenly the table of contents and the index take fewer pages and it is faster to leaf through them when searching. So it is with a database table: reading the table and its indexes is now much faster.

2) Sequential numbering of the clustered index key

This new column is populated automatically using the SQL Server identity feature (which allows new rows to be added with an incrementing counter). Previously new rows would be inserted in random order, and sometimes that meant splitting pages.

So how does this help?

The use of an identity column that increments 1 by 1, as opposed to a randomly generated unique identifier, is enormously helpful for writes and leads to less fragmentation. Whereas prior to the change a new row could be inserted anywhere in the entire table, now it is inserted at "the end."

Monday, February 18, 2013

Secrets of the Metaverse Part 3

Parts 1-5:

  1. What is the Metaverse?
  2. How is the Metaverse data stored?
  3. Is there a limit to how many Metaverse attributes I can have?
  4. Has access to the metaverse gotten faster with recent releases?
  5. How do I safely query the metaverse?
  6. Added (Aug 5 2015): How Many Metaverse Attributes can I have?

Many times people wonder how many attributes they can create in the Metaverse Designer tool.

The answer is confusing because ... it depends.

Per my calculations there is a hard limit for single-valued, non-reference attributes of 502. Now to show you my work (in school my math teachers always insisted that I show my work).

Remember from Part 2 that the Metaverse consists of 5 tables.

When you create a new single-valued, non-reference attribute using the Metaverse Designer tool, FIM modifies not just data but the table structure of three of these tables: mms_metaverse, mms_metaverse_lineagedate, and mms_metaverse_lineageguid. FIM will add a column to each of these tables. The mms_metaverse table gets a column of a data type based on what has been selected as the attribute data type (sizes are in bytes per row):

  • String (Indexable): min size 2, max size 898.
  • String (non-Indexable): SQL type nvarchar(max); min size 2, max size 2 GB. If the data is small (less than 4000 bytes, or whatever limit is set) and doesn't cause the row to exceed the 8060 byte limit, it will be stored in the row; otherwise only pointers are stored in the row and the data is stored in its own set of pages (off-row).
  • Binary (Indexable): min size 2, max size 902.
  • Binary (non-Indexable): SQL type varbinary(max); min size 2, max size 2 GB. See the note on String (non-Indexable).
  • Boolean: SQL type bit; min size 1/8, max size 1. If there are between 1-8 bit columns in the table 1 byte of storage is consumed, if 9-16 bits then 2 bytes, if 17-24 then 3 bytes, and so on.
  • Number: SQL type bigint; min size 8, max size 8.

In the mms_metaverse_lineagedate table FIM adds a new column of type DateTime, which takes 8 bytes. In the mms_metaverse_lineageguid table FIM adds a column of type UniqueIdentifier, which takes 16 bytes.

A row in SQL Server 2000 and beyond can only hold 8060 bytes. With SQL 2005 and beyond there is a feature called row overflow that allows variable-length columns (like varchar) to overflow to other pages. However, that doesn't apply to fixed-length data types like BigInt, DateTime and UniqueIdentifier.

So mms_metaverse_lineageguid has two fixed columns (row_key, a BigInt, and object_id, a UniqueIdentifier, so 24 bytes) and then one column of type UniqueIdentifier for every single-valued non-reference attribute. 8060 - 24 = 8036, and 8036 / 16 = 502.25, which rounds down to 502.

So while there may be other limits that depend on the data type selected, this is one limit that cannot be escaped.

Friday, February 15, 2013

Secrets of the Metaverse Part 2

Parts 1-5:

  1. What is the Metaverse?
  2. How is the Metaverse data stored?
  3. Is there a limit to how many Metaverse attributes I can have?
  4. Has access to the metaverse gotten faster with recent releases?
  5. How do I safely query the metaverse?
  6. Added (Aug 5 2015): How Many Metaverse Attributes can I have?

Where and how is the Metaverse data stored?

Before I get into that I must caution you that modifying the data directly will put you in a position that is unsupported by Microsoft. Even querying the data is something of a touchy issue (see Part 5).

The Metaverse consists of 5 tables in the FIM Synchronization Service database:

  • mms_metaverse: Every object in the metaverse has a row in this table. Single-valued non-reference attributes are stored in this table.
  • mms_metaverse_lineagedate: This table has a DateTime column of the same name for every attribute column in the mms_metaverse table (in other words, for every single-valued non-reference attribute).
  • mms_metaverse_lineageguid: This table has a UniqueIdentifier column of the same name for every attribute column in the mms_metaverse table (in other words, for every single-valued non-reference attribute).
  • mms_metaverse_link: Reference attributes (both single-valued and multi-valued) are stored in this table in an Entity Attribute Value format. The references are kept as uniqueIdentifiers.
  • mms_metaverse_multivalue: Non-reference multi-valued attributes are stored in this table in an Entity Attribute Value format (with a column for each of the possible data types).

Thursday, February 14, 2013

Secrets of the Metaverse Part 1

Many FIMsters wonder about the Metaverse, how it works and how the data is stored. In this series I will reveal the secrets of the Metaverse. Parts 1-5 (links live but posts yet to come):

  1. What is the Metaverse?
  2. How is the Metaverse data stored?
  3. Is there a limit to how many Metaverse attributes I can have?
  4. Has access to the metaverse gotten faster with recent releases?
  5. How do I safely query the metaverse?
  6. Added (Aug 5 2015): How Many Metaverse Attributes can I have?

Forefront Identity Manager 2010 R2 SP1 (and its predecessors) can be classified as a MetaDirectory-based Identity Management solution. A MetaDirectory collects, aggregates, and stores data from various directories and data sources, such as Active Directory and your HR database.

The Metaverse is the heart of FIM's MetaDirectory. As an implementer of FIM you customize the data model: you decide what object types and attributes you need.

Updated Vote: Top 5 Deprecated Features of FIM 2010 R2 SP1

Here is an update on the impact of the newly deprecated features: the big change is that XMA has caught up to Multi-Mastery and is tied for first.

Massive FIM and AD LDS project at DPDHL

Watch the presentation that James Booth (who worked with us on the project) and Joe Gasowski (DPDHL) gave at the Redmond Identity Summit 2013 about our project at DHL to replace the DPDHL Sun One Directory and deploy FIM to replace both CriticalPath and a home-grown admin portal.

Tuesday, January 29, 2013

Voted: Top 5 Deprecated Features of FIM 2010 R2 SP1

I conducted a LinkedIn poll to find out what others thought of the features that are deprecated starting in FIM 2010 R2 SP1. For the poll I only listed the ones I put in my top 5 list. With 15 votes and 1 abstention I thought it would be worthwhile to publish the results.

Here we can see the winner:

  1. Multi-mastery/equal precedence (I had this 2nd)
  2. ECMA1 (XMA) (I had this third)
  3. Tie: Combined Run Profile Steps (e.g. DI/DS) (this was my vote)
     Tie: Transaction properties (I had this 4th)
  4. FIM CM MA and CLM utils (I had this last)

If the results change significantly over the next two weeks I will post again.

Thursday, January 17, 2013

The rest of the FIM 2010 R2 SP1 Deprecations

Remember that these features are still here but will be removed in a future version (probably the next major release or the one after).

Feature -- Impact:

  • Unselect "allow nulls" for exported values -- You need to be more careful to ensure that you aren't deleting values.
  • Web Service configuration interface -- You will no longer be able to send a request to the web service to update the mv-data or ma-data objects in order to configure the sync engine. The article says that we will be able to use PowerShell to configure the sync engine.
  • Running Connectors (MAs) out of process -- Can no longer run the MA out of process.
  • Run Rules Extensions out of process -- Can no longer run rules extensions out of process.
  • Join on "Any" object type -- Shouldn't be doing that anyway; it makes your join search far less efficient.
  • "Do not recall attributes" -- Yeah! I always hated this feature, as I have seen many Metaverse attributes left in states where you can't update that attribute in the Metaverse -- especially if the contributing MA has been decommissioned.
  • Exchange 5.5 Utils -- Are you still provisioning to Exchange 5.5? Way past time to upgrade!
  • Configure partition display name -- This really only applied to the old MIIS password change site that hasn't been part of the product since ILM 2007 shipped.

        Wednesday, January 16, 2013

        Top 5 Deprecated features as of FIM 2010 R2 SP1

        Yesterday Microsoft published a list of features that have been deprecated in FIM and will be removed from the product at some point in the future. In other words these don't require immediate action but when the next major release of * Identity Manager (* because we don't know what the new name will be -- see my tweet from last week at the Redmond Identity Summit) emerges those features will likely be gone. So over the next 18-36 months you need to begin working away from these issues.

Rank 1: Combined Run Profile steps such as Delta Import/Delta Sync, Full Import/Delta Sync, and Full Import/Full Sync
Impact: Removing the Delta Import/Delta Sync combined run profile step will have a huge impact on shops that have lots of disconnectors in their connector space. Remember that disconnectors are considered pending, so a delta sync always processes them. The Delta Import/Delta Sync single step only processes pending objects that were imported during the delta import.

Hopefully, MSFT will add a feature: a checkbox to determine whether you want to process all disconnectors or just those with import changes since your last sync.

Rank 2: Multi-mastery/equal precedence
Impact: As Paul Loonen describes it:

As a net effect, when the MV attribute is multi-valued, all values contributed by the different MAs are accumulated in the MV attribute.
When the MV attribute is single valued, the value that is last contributed is stored in the MV attribute, or, “the last writer wins”.

The deprecation article leaves a bit of confusion: it says the feature will be removed, but also that you can keep using it if you have the FIM MA deployed:

You can continue to use this feature if your environment has a FIM Service management agent deployed (this management agent does not provide manual precedence) and to avoid export-not-precedent for declarative provisioning.

So will it be removed or not?

Rank 3: ECMA1 (XMA)
Impact: Lots of XMA (ECMA 1) code is running out there, and all of it will need to be switched to ECMA 2.0 at some point in the future. While I rank this one third, it could actually have the biggest impact. If someone could create a tool that would auto-magically transform them, that would be cool. I don't expect that it would take advantage of all of the new features, but at least people would be able to upgrade without tons of recoding.

Rank 4: Transaction properties
Impact: This handy feature is used in many advanced coding scenarios to signal to your provisioning code that an object has just been projected or joined, so that it can take some one-time action or skip taking an action.

Rank 5: FIM CM MA and CLMUtils
Impact: Unlike the Lotus Notes MA and SAP R/3 MA, which have been replaced with newer versions, the FIM CM MA doesn't look like it will be getting replaced. Honestly, there aren't many implementations using this MA. But this has some portents for the future of FIM Certificate Management. I would say that it suggests no future development of FIM CM, but they did just add support for the DataCard CD800 printer as part of SP1, so I don't think it is going away entirely. At a minimum it does suggest a decoupling of FIM CM from the rest of FIM.

        I do think that the acquisition of PhoneFactor suggests that Smart Cards and certificates will have less importance in the authentication game.
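Both the ECMA1 (XMA) code and the transaction-property usage ranked above have to be found in your code base before they can be migrated, so here is an added example, not code from the deprecation article or from FIM itself, that inventories rules-extension and MA source files for those constructs and classifies each connector as ECMA1, ECMA2 or mid-migration. It assumes the SDK names IMAExtensible{Call,File}{Import,Export} (ECMA1), IMAExtensible2* (ECMA2) and Utils.TransactionProperties; the sample source files are constructed.

```python
# Added example: inventory source for constructs the FIM 2010 R2 SP1 deprecation
# list says will be removed. The SDK interface/API names below are assumed.
import re

ECMA1_RE = re.compile(r"\bIMAExtensible(?:Call|File)(?:Import|Export)\b")  # XMA / ECMA1
ECMA2_RE = re.compile(r"\bIMAExtensible2\w*\b")  # ECMA 2.x, not deprecated
TXN_RE = re.compile(r"\bUtils\.TransactionProperties\b")  # transaction properties

def _strip_comment(line):
    """Drop a trailing C# '//' comment so commented-out code is not counted."""
    return line.split("//", 1)[0]

def scan_source(name, text):
    """Return (file, line_no, label) for each line using a deprecated construct."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if ECMA1_RE.search(line):
            findings.append((name, lineno, "ECMA1 interface"))
        if TXN_RE.search(line):
            findings.append((name, lineno, "transaction property"))
    return findings

def ma_generation(text):
    """Classify connector source as 'ECMA1', 'ECMA2', 'mixed' (mid-migration) or 'none'."""
    code = "\n".join(_strip_comment(line) for line in text.splitlines())
    key = (bool(ECMA1_RE.search(code)), bool(ECMA2_RE.search(code)))
    return {(True, True): "mixed", (True, False): "ECMA1",
            (False, True): "ECMA2"}.get(key, "none")

def inventory(files):
    """Scan a {filename: source} mapping; return (findings, {file: generation})."""
    findings = [f for name, text in files.items() for f in scan_source(name, text)]
    return findings, {name: ma_generation(text) for name, text in files.items()}

# Constructed sample files standing in for a rules-extension / MA source tree.
SAMPLES = {
    "LegacyHRMA.cs": "using Microsoft.MetadirectoryServices;\n"
                     "public class HrMa : IMAExtensibleCallImport, IMAExtensibleCallExport { }\n",
    "MVExtension.cs": "public class MVExtension : IMVSynchronization {\n"
                      "  public void Provision(MVEntry mventry) {\n"
                      "    // old note: Utils.TransactionProperties is set in the MA extension\n"
                      "    if (Utils.TransactionProperties.Contains(\"Projected\")) { }\n  }\n}\n",
    "NewConnector.cs": "public class C : IMAExtensible2CallImport, IMAExtensible2GetSchema { }\n",
}

if __name__ == "__main__":
    found, generations = inventory(SAMPLES)
    print(*found, generations, sep="\n")
```

Point `inventory` at a mapping built from the real files on disk; a "mixed" connector is one whose ECMA2 rewrite still references the ECMA1 interfaces.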

        Tuesday, January 15, 2013

        Top 11 new features of FIM 2010 R2 SP1

        My comments on What's new and the release notes for FIM 2010 R2 SP1:


Rank 1: Deferred evaluation of criteria-based groups
This setting can be enabled one group at a time. You can also change the default so that new criteria-based groups are set for deferred evaluation as they are created. The default is to calculate group membership twice a day, at 2:30 AM and 2:30 PM.
Impact: HUGE! Thank you, product group, for answering my wishes. You see, whenever a request is received by the FIM Service it evaluates permissions, it evaluates whether the request will cause any criteria-based set memberships to change, and it also evaluates whether any criteria-based group memberships will change. For large systems with lots of users and lots of criteria-based groups this can take a long time. Now we have the option to defer those calculations, and then the system can perform them using SQL set-based logic. I suspect that this is done using SQL Agent jobs, and if a more frequent schedule is needed you could tweak the schedule of the job.

Rank 2: Upgrading the FIM database from FIM 2010 to R2
Impact: This used to be quite time consuming -- it has been improved by at least an order of magnitude, from "days [down] to hours." Phew! It is now safe to get up and upgrade!

Rank 3: "imports of groups with 30,000 members are 2.5 times faster" for the AD MA, FIM MA and ECMA 2.0
Impact: This is on the import side rather than the sync side, but every bit of additional speed we get on dealing with references without sacrificing integrity is appreciated.

Rank 4: ECMA has been updated to 2.1
Impact: You can now do updates on multi-valued attributes instead of having to do a replace. You can also skip doing confirmations on add. Good impact on performance.

Rank 5: FIM Server components are now supported for:
Windows Server 2012
SQL 2012
SharePoint Foundation 2013 (read Installing FIM 2010 R2 on SharePoint Foundation 2013.)
SCSM 2012
Note: support for earlier versions hasn't been dropped yet.

Rank 6: FIM Client components are now supported for:
Windows 8
Outlook 2013
Note: support for earlier versions hasn't been dropped yet.

Rank 7: Support for Windows Server 2012 based AD and Exchange 2013 has been added to the AD MA. Note: support for earlier versions hasn't been dropped yet.

Rank 8: Support for SQL Server 2012 has been added to the SQL MA. Note: support for earlier versions hasn't been dropped yet.

Rank 9: Support for the FIM Portal in IE 10 (be sure to install the hotfixes mentioned).

Rank 10: The Sun and Netscape MA is now called Oracle Directory Servers and includes support for Sun 7.x and Oracle 11. Support for Oracle Internet Directory 11g!!!

Rank 11: "Import-MIISServerConfig PowerShell cmdlet supports now overwriting an existing configuration"
Impact: This will help with automated testing scenarios!

        Source Articles:

        What's New in Forefront Identity Manager 2010 R2 SP1

        Release Notes for Forefront Identity Manager 2010 R2 SP1