Thursday, May 17, 2018

European Identity Conference 2018 - Wednesday

Jet lag and other issues caught up with me the next day (Tuesday) and I didn't attend any sessions :(

One thing I love is that most presentations, including keynotes, are only 20 minutes long, so even when we get a terrible one we know it will be over soon. But most of the sessions were good and some were great!

My first Wednesday session was listening to Sebastian Goodrick of SUVA and Dr. Jacek Jonczy discussing how agile methodologies did and didn't work when replacing their existing Identity Management system with another one. Hire an agile coach! Recognize that replacing an existing system is often a big-bang cutover, so you won't really be pushing increments out to production, but you can still run sprints.

Martin Kuppinger covered whether it is best to buy best of breed or a suite. The answer -- it depends! But Martin laid out a good model to help us evaluate the suites.

Matthias Reinwarth covered Privilege Management and Access Governance and how they can work together. One snag I see is that access governance requires mature policies about who can access what, and many organizations are still in adolescence or infancy there. Still, it was a good reminder that integrating the two is a good idea, so that when people no longer need to be privileged we actually remove their privilege.

My favorite of the day was by Joseph Carson who talked about how a light bulb almost allowed pirates to ruin Christmas, in his talk "The Anatomy of a Privileged Account Hack."

Then we had a 20 min panel on How to Establish Governance. Some interesting tidbits. Matthias determined that 20 min panels are hard to run, but I don't mind it because it forces the panelists to come prepared with two or three responses to the questions.

After the break, we returned with three sessions on lessons learned, starting with mine on Top Lessons from Disasters in Identity Management. Martin Kuppinger introduced me and wanted to know why I ended up doing the Top 13 lessons instead of the Top 10 like I proposed. I told him that 13 is luckier than 10. The reality of it was just based on my stories. As I told my war stories I got some good laughs and lots of great comments. Afterwards, three people, including Martin, shared their stories. Another attendee even emailed me his story.

Following my presentation, Nishant opened our eyes to the importance of user experience. Finally, Andrea revealed something that in hindsight should be obvious: Separation of Duties needs to be evaluated on effective permissions rather than on roles. If our SoD check merely ensures that someone isn't in two particular roles, it is too easy for us to later modify those roles in ways that violate SoD without the check ever noticing.
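To make Andrea's point concrete, here is an added example (not code from the original post or from any product) that evaluates the same SoD rule two ways: once as a forbidden pair of roles and once as a forbidden pair of effective permissions. The role model, the user assignments and the "role drift" change are all constructed for illustration.

```python
"""Separation of Duties: role-pair check versus effective-permission check.

Added example; the roles, assignments and rule below are constructed.
"""

# Constructed role model: which permissions each role grants.
ROLES = {
    "AP_Clerk": {"vendor.create", "invoice.enter"},
    "AP_Manager": {"invoice.approve", "payment.release"},
    "Auditor": {"ledger.read"},
}

# Constructed role assignments.
ASSIGNMENTS = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Manager"},
    "carol": {"AP_Clerk", "AP_Manager"},
    "dave": {"Auditor"},
}

# The real control: nobody may both create vendors and release payments.
SOD_PERMISSION_RULES = [("vendor.create", "payment.release")]

# The same control as it is often encoded: as a pair of roles that
# happen to carry those permissions today.
SOD_ROLE_RULES = [("AP_Clerk", "AP_Manager")]


def effective_permissions(user, assignments, roles):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def role_based_violations(assignments, role_rules):
    """Users holding both roles of any forbidden role pair."""
    return {
        user
        for user, user_roles in assignments.items()
        for r1, r2 in role_rules
        if r1 in user_roles and r2 in user_roles
    }


def permission_based_violations(assignments, roles, perm_rules):
    """Users whose effective permissions contain both halves of a rule."""
    violations = set()
    for user in assignments:
        perms = effective_permissions(user, assignments, roles)
        for p1, p2 in perm_rules:
            if p1 in perms and p2 in perms:
                violations.add(user)
    return violations


def demo_role_drift():
    """Show what each check reports before and after a role is modified.

    The drift: someone adds payment.release to AP_Clerk. No assignment
    changes, so the role-pair check stays silent, but alice can now both
    create a vendor and pay it.
    """
    before_role = role_based_violations(ASSIGNMENTS, SOD_ROLE_RULES)
    before_perm = permission_based_violations(ASSIGNMENTS, ROLES, SOD_PERMISSION_RULES)

    drifted_roles = {name: set(perms) for name, perms in ROLES.items()}
    drifted_roles["AP_Clerk"].add("payment.release")

    after_role = role_based_violations(ASSIGNMENTS, SOD_ROLE_RULES)
    after_perm = permission_based_violations(ASSIGNMENTS, drifted_roles, SOD_PERMISSION_RULES)
    return {
        "before_role": before_role,
        "before_perm": before_perm,
        "after_role": after_role,
        "after_perm": after_perm,
    }


if __name__ == "__main__":
    for name, users in demo_role_drift().items():
        print(f"{name}: {sorted(users)}")
```

Both checks flag carol before the change; after the role edit only the permission-based check also flags alice. The same blind spot appears whenever a new role is created with overlapping permissions, because a role-pair rule knows nothing about roles that did not exist when it was written.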

Then we had the evening Keynotes. Of the three, Ian Glazer's merits mentioning. It was very insightful as he presented how to evaluate our skills on competence and reputation. I really enjoyed it.


European Identity Conference 2018 -- Overview and Mon Night

I have spent this week in Munich, Germany, where it has been mostly cloudy, with lots of rain and a little thunder.

I have seen a number of faces familiar to those who attended the Directory Experts Conference: Pamela Dingle, Alex Simons, Alex Weinert, Jackson Shaw, Jonathan Sander, Kim Cameron, and others. Also a lot of faces familiar to those who have attended Cloud Identity Summits: Andrew Hindle, Colin Wallis, Steve Hutchinson, Eve Maler, and Ian Glazer, as well as fellow Microsoft MVP Naohiro Fujie.

I have also seen a lot of new faces like the people from Kuppinger Cole, starting with Martin Kuppinger, but also Matthias Reinwarth, John Tolbert, and others.

The conference kicked off with a Blockchain slam. Not slamming Blockchain per se, although most examples of Identity and Blockchain are still full of potential and short on practice. Most blockchain-based identity proposals have blockchain way off to the side; with most of them, I don't see how blockchain actually contributes value. One presentation showed how their proof-of-concept system would use blockchain for quick auditing, to ensure that their logs have not been tampered with. One presentation got me thinking about potential uses for blockchain. Well, it solves the double-spending problem really well without a central authority, so what about Napster-style peer-to-peer sharing? We could use blockchain to ensure that I loan my music copies to one and only one user at a time.

Saturday, May 5, 2018

MIM Join and spaces

Working on a customer's lab, look what I found. They had created (through some other process) two user accounts for the same user, and the samAccountName values were nearly identical: just a space, ASCII 32, appended to the end of one of the samAccountNames differentiated the two. Apparently, AD allows this.

The account with the space was projected into the Metaverse, and then later in the sync the account without the space attempted to join, and it matched. The join failed because of the ambiguous import flow error. But samAccountName "myuser1" matched samAccountName "myuser1 " already in the metaverse.

Turns out this is a feature of SQL. Not just SQL Server but the ANSI/ISO SQL-92 specification from 1992 (Section 8.2, General Rules #3).

Wow! So be aware that everywhere in SQL that we do a string comparison, if one side has one or more trailing spaces the two strings compare as equal. The consequence of this for MIM users is that when joining, MIM will treat two strings that differ only in trailing spaces as equal and try to join them.

Moral of the story: don't rely on trailing spaces to be the differentiator anywhere in any kind of data.
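As an added example (not code from the original post or from MIM), here is a pre-sync check you can run over an export of samAccountName values before they reach the metaverse. It emulates the SQL-92 pad-space comparison so you can see which distinct AD names SQL would treat as equal, and it lists the colliding groups. The account list is constructed to mirror the scenario above.

```python
"""Find samAccountName values that SQL's padded string comparison would
treat as equal even though AD considers them distinct.

Added example; not part of the original post or of MIM. The account
list below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample export. Two names differ only by a trailing space
# (ASCII 32); one has a leading space; one has two trailing spaces but
# no twin.
SAMPLE_ACCOUNTS = [
    "myuser1",
    "myuser1 ",
    "myuser2",
    " myuser2",
    "myuser3  ",
    "myuser4",
]


def sql_pad_equal(left: str, right: str) -> bool:
    """Emulate an ANSI SQL-92 (PAD SPACE) comparison of two strings.

    The shorter operand is padded on the right with spaces to the length
    of the longer one before comparing, so trailing spaces never matter
    while leading or embedded spaces still do.
    """
    width = max(len(left), len(right))
    return left.ljust(width) == right.ljust(width)


def trailing_space_key(value: str) -> str:
    """Canonical form under pad-space comparison: strip trailing spaces.

    Only ASCII space (0x20) is removed; tabs and other whitespace are not
    pad characters in SQL and remain significant.
    """
    return value.rstrip(" ")


def find_trailing_space_collisions(accounts):
    """Group names SQL would consider equal; return only groups of size > 1.

    Each returned group is a set of distinct AD accounts that a join rule
    evaluated in SQL could match to the same metaverse object.
    """
    groups = defaultdict(list)
    for name in accounts:
        groups[trailing_space_key(name)].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def accounts_with_trailing_spaces(accounts):
    """Names that carry trailing spaces at all, twin or not.

    Worth cleaning up even without a collision today: a future account
    without the space would silently match them.
    """
    return [name for name in accounts if name != trailing_space_key(name)]


if __name__ == "__main__":
    for key, names in find_trailing_space_collisions(SAMPLE_ACCOUNTS).items():
        print(f"collision on {key!r}: {names}")
    print("names with trailing spaces:", accounts_with_trailing_spaces(SAMPLE_ACCOUNTS))
```

Note that in SQL Server the padding applies to `=` comparisons but not to `LIKE`, and `DATALENGTH()` (unlike `LEN()`) counts the trailing spaces, so those are the tools for confirming a suspected pair directly in the database.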

Thursday, March 29, 2018

Top 10 Lessons from Disasters in Identity Management


I will speak at Kuppinger Cole's European Identity Conference on Top 10 Lessons from Disasters in Identity Management in May in Munich.

With great automation capability comes great responsibility! Come discuss and learn vital lessons gleaned from disasters in Identity Management.

So if you would like your disaster story to be considered for inclusion let me know. I would love to add to the stories.

This will be a fun interactive session.

Identiverse, Cloud Identity Summit

Last summer I attended and spoke at the Cloud Identity Summit in Chicago. First big news: it was renamed to Identiverse and 2018 will be in Boston. As a consultant I have limited time to attend conferences and speak. So conferences have to be great. I do love this one, but in the interest of time, I will be skipping it this year in favor of speaking at the European Identity Conference in May 2018 in Munich, Germany.

I have enjoyed the Cloud Identity Summit every year I have attended, Vail, Napa, and Chicago. The family atmosphere is incredible. Each year it seems to grow. Lots of great content.

Andre Durand, CEO of Ping Identity, is always very approachable. His wife plans the family events. My kids have some great memories from the rappelling, special trampoline, pool parties, story times, museum visits, and gondola rides.

Andre led off with a great keynote, talking about how someone invaded his hot tub at his vacation home. He even showed us video. With more to protect, just enough, just in time access is the key. Running, blocking and hiding are the instinctive first level of defense, but that isn't enough. Memory and habit are the next level (don't click on email links), yet we must still reach further, to intelligent reaction: environmental awareness and pattern recognition that let us avoid the threat in order to survive. He summed it up as Intelligent Identity equaling real-time contextual authentication.

In the last two years they have added more content discussing actual implementations of different kinds of Identity Management technology; for example, my friend Frank Drewes delivered a session on Identity Challenges in Office 365 deployment. I think that is very important.

To Farm or not to Farm Part 2

In the original To Farm or Not to Farm post I discussed the pros and cons of setting up FIM on a SharePoint farm versus using Stand Alone. Well, we now have SharePoint 2016 and it isn't possible to install Stand Alone, although you can do a single-server farm. Also, absolutely everything is virtualized, and we share lots and lots of processing, so we can't really think of a server as having spare cycles, because we share those processors with lots of other VMs.

The first point got me thinking and the last point now has me convinced that we shouldn't do Stand Alone on SharePoint 2013 Foundation or any other version, because it adds the overhead of SQL Express when we can get better overall performance by using the real SQL Server, even if the SharePoint databases share it with all of the MIM databases. However, the patching issues brought up by Paul Williams are still real.

I think a lot of people have been sticking with the free option, SharePoint Foundation 2013, which is possible to install on Windows Server 2016 even if it is not exactly supported. So a lot of folks have avoided thinking about SharePoint. Here are some points to consider:
  1. The challenge has to do with the way MIM does its updates. If you separate MIM Service from the MIM Portal then you are better off when it comes to the MIM updates if you are in a multi-server farm.
  2. I have not seen any guidance from Microsoft Identity about what roles are needed in SharePoint 2016. However, it appears to me that the MIM solution is essentially a content farm, which per MSFT would require 3 roles on 3 servers, or 2 servers with shared roles, or the single-server farm: Front End, Application and Distributed Cache.
  3. For Zero Downtime patching to apply you need to be in a Highly Available solution. With MinRole that takes 4 servers. Unfortunately, I don't know if that will allow you to update the MIM solution pack without downtime. One of the changes that the SharePoint team made is to keep stored procedures in the SharePoint databases backwards compatible. I don't think the MIM product group has made any such guarantees. So when we patch MIM Service it will update the database and the MIM Service. At that instant only updated MIM Service instances should talk to the database (they might work, but no guarantees), and only updated Portals should talk to the updated MIM Service instance. So I think we still end up with downtime; the key is to minimize it. Zero downtime patching would certainly reduce it when you patch the actual SharePoint binaries. But we could accomplish the same thing with two single-server farms load balanced through NLB.

Anyone else have any thoughts or experiences to share?

So for now, I recommend essentially a single-server farm on SharePoint 2013 Foundation, and to use your own variant of Spencer Harbar's scripts to configure it. If you want to do that, don't check this box:


For HA: deploy another one (be sure to use different database names) and then load balance.

SQL Server Management Studio SQL 2016

So I went to install SQL 2016 on a server (I have been using it for a while, since I get VMs on CloudShare where SQL is preinstalled, so this was the first time installing it for myself) -- no problem. Hey, where is SQL Server Management Studio (SSMS)? Well, it isn't included in the 2.6 GB SQL Server ISO. You have to download it separately. 800 MB. All I can say is You're Welcome!

I get why they did it -- they can update SSMS much more often, etc. But what a surprise.

SharePoint Foundations 2013 -- Identity Extensions Installation error

While installing the SharePoint 2013 Foundation prerequisites, you may encounter "Microsoft Identity Extensions Installation error", and then when you install it manually you might encounter:
"Installation of Microsoft Identity Extensions requires Windows Identity Foundation v1.0 to be installed"

Then, when you go to install WIF through Server Manager, you realize that it is WIF 3.5 rather than WIF 1.0 and you think, hmm... maybe that will work. It will. Take heart.

Finding my groove, again

In 2017 and the beginning of 2018 I have had some rough times. The long and the short of it is that late last year my mother passed away in the hospital. Then early this year, my father died, probably of a broken heart.

Thanks to many friends from church, our neighborhood, professionally, other Microsoft MVP's, I have had a lot of support while mourning their temporary absence from my life. Especially, thanks to my wife, kids, siblings, aunts, uncles, and cousins.

Last Saturday, one of my sisters was married; it was a beautiful but slightly sad moment for our family.

I am feeling a return to my usual high energy levels and am resuming blogging to help you, my friends, avoid the pains that I have endured and that I have seen others endure as we labor to implement Identity Management across the world.

I am also excited about some other projects that I will soon announce here and through other venues.

Well back to blogging about the technical stuff!

SharePoint Foundation 2013 IIS Configuration Error

SharePoint is a great product but I wish that FIM and MIM did not use it. In my opinion, it adds unnecessary infrastructure and really complicates the setup, because SharePoint must be installed and configured (and maintained). Leaving that aside, allow me to point out some gotchas that might impede your ability to install this MIM/FIM prerequisite.

First up: if your server has limited access to the Internet you should probably download all of these prerequisites and copy them to the server -- because that's what the SharePoint Installer has to do -- it doesn't include these items.

Should you encounter the following message:
"Application Server Role, Web Server (IIS) Role: configuration error"
and you click on Review the Log File and find this:

 - "C:\WINDOWS\system32\cscript.exe" "C:\WINDOWS\system32\iisext.vbs" /enext "ASP.NET v4.0.30319"
 - Install process returned (1)
 - [In HRESULT format] (-2147024895)
 - Error when enabling ASP.NET v4.0.30319

Then the issue is that you are missing some of the IIS Role Services -- specifically the IIS 6 Scripting Tools:
Yes, this is a screenshot from my book. Yes, I clearly identify that you need these role services. So I must have made this mistake just out of the goodness of my heart, in order to help anyone else.

Friday, March 16, 2018

Speaking at SQL Saturday Tomorrow

As most of you know I am regarded as one of the SQL gurus among the Microsoft Identity Management Gurus. For years, in my book and in speaking I have been recommending Ola Hallengren's SQL Maintenance Solution to help take care of your ILM/FIM/MIM databases. But the SQL Maintenance Plan Wizard has come a long way. Tomorrow morning at 10 AM at Grand Canyon University I will be presenting as part of SQL Saturday #726 a showdown between the SQL Maintenance Plan Wizard and Ola's solution, discussing when you want to use one vs the other.

Tuesday, March 6, 2018

Kerberos, FIDO, what's next?

In the 1980s Steve Miller and Clifford Neuman published a new security protocol, called Kerberos, after the mythical three-headed dog that guards the gates of Hades.

In 2014 the FIDO Alliance published the FIDO standard. This exciting standard is enabling a passwordless world (yet to come). For example, you can use a small USB device with a key on it to log in instead of entering a password. FIDO 2.0 requires two factors: type in a PIN plus present your key. Other options exist as well, potentially using smartphones or other devices via USB, Bluetooth or NFC.

What's next, more dog-name-related authentication schemes?

Goofy Authentication -- something like Dance Dance Authentication.

Snoopy Authentication -- you have to fight the Red Baron first.

Scooby Doo -- Solve a mystery in order to log in?

Lassie -- Requires saving Timmy first.

Pluto/Belka -- Must point your telescope at the Star you had named in the star registry.

Spike -- Biometric -- blood sample required.

Marmaduke -- this could work well with kids -- you have to make a mess that is uniquely you!