My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Wednesday, March 25, 2009

ILM 2 addons

Marvin Tansley of Gemalto demonstrated their add-on to ILM 2 for provisioning One Time Password (OTP) devices using ILM 2, with the goal of minimizing the number of portals that users visit in order to perform self service management. It looks really good; it even accounts for lost device management.

Gil Kirkpatrick of Quest interviewed me on camera to discuss my experiences at the conference. That was fun.

At lunch Gil handed out prizes (we provided a red colored XBox -- I guess the red had something to do with Resident Evil). But you had to present to win, and I do mean present -- you had to respond within 10 seconds to get your prize.

<PrizeOffering TTL="10 Seconds">Resident Evil Xbox</PrizeOffering>

New Certificate and Identity Blogger on the Loose

Marc Mac Donnell has just launched his blog on http://assurancesinidentity.blogspot.com/ and called it Assurances in Identity, and has posted the links to the CLM API documentation and case study about some work he did with MCS UK and CapGemini.

I look forward to many more posts from Marc about some of the wizardry and tricks in managing certificates and identities.


MSIT's implementation of ILM 2

TEC 2009 continues onto the last day.

Joel Silver spoke on his efforts and plans to implement ILM 2 for Microsoft. He presented a very interesting workflow to show how he addressed the challenge of creating unique email aliases.

Then I listened to Felix as he discussed some of the interesting aspects of LDAP enhancements from around the vendorscape (I think I just made that word up).


Tuesday, March 24, 2009

TEC 2009

Now that our pre-conference workshop, Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal, is done, and our (Brad, Chris and me) sessions are done as well: Proper Care & Feeding of ILM, CLM and RMS, Designing an Object Expiration & Reconciliation process in ILM 2, Rescue Your Identity Metasystem from Chaos (reporting against ILM 2), and ADFS Extensibility, we are all able to relax a little and enjoy everyone else's sessions.

I spent a fair amount of time looking at Quest's One Identity Management Solutions (thanks to Jonathan Sanders), and I also got to attend Felix Gaehtgens's (Kuppinger Cole) session on You've Authenticated the User, so Now What? wherein he discussed RBAC vs Attribute Based Access Control (ABAC) and a standard that is new to me called XACML (Zack uh mel). I really enjoyed it despite it being a forward looking theoretical discussion.

Brad was telling me how much he enjoyed the ILM “2” Chalktalk by Andreas Kjellman and Mark Wahl.


TEC 2009 -- Ensynch Identity Bus

Last night fellow ILM MVPs Brad Turner, Chris Calderon, Carol Wapshere (pronounced Wap shear, and well known as Miss MIIS) and I, along with a number of other TEC 2009 attendees, rode the Ensynch Identity Bus from the Green Valley Ranch Resort to the Las Vegas Strip. After a great steak dinner at Smith & Wollensky's (across from New York New York) a few of us walked the strip hoping to see the fountains at the Bellagio, but alas, they shut off at midnight.

Our first run of the night was with a completely full bus!

The bus will also be running tonight:

Departing Green Valley Ranch Resort 8:30pm, 9pm, 9:30pm, 10pm, 11pm, 11:30pm, 12am, 12:30am.
Drop-off / Pick-up at Mandalay Bay, 9pm, 9:30pm, 10pm, 10:30pm, 11pm, 11:30pm, 12am, 12:30am, 1:00am (last pick-up)
Drop-off / Pick-up at New York, New York, 9:10pm, 9:40pm, 10:10pm, 10:40pm, 11:10pm, 11:40pm, 12:10am, 12:40am, 1:10am (last pick-up)



Monday, March 16, 2009

Posted: ILM 2 Business Value webinar recording

ILM 2 Business Value Webinar Recording

It has actually been posted for some time now, I have just been a bit busy (apology to my readers).

Other items will also get posted here in the column on the right hand side:

http://ensynch.com/pa_ci_identity_and_access_management.aspx


ILM/MIIS Sync Engine Clustering Windows 2008

First, let me say thank you to Alex Tcherniakhovski for pioneering the way in clustering the MIIS Service, or, as it is now known, the ILM Sync Engine. That blog, presentation and script were an excellent set of work. http://blogs.msdn.com/alextch/archive/2005/12/17/clusteredmiis.aspx

On Windows Server 2008, a few things have changed that break the script that Alex T. provides.

In Windows Server 2003 the cluster service runs as a domain account, and as long as that account has access to all nodes, can stop and start services, and is an MIIS Administrator, then it is able to do the trick.

Well with Windows Server 2008 the security model for the cluster service has changed:

http://support.microsoft.com/kb/947049

http://technet.microsoft.com/en-us/magazine/2008.07.failover.aspx

There is no service account; instead there is a Cluster Name Object (CNO) created in AD as a computer object.

So the cluster service, which runs the generic resource scripts, now runs under local system in a special context with limited privileges.

This means the script can't rely on impersonation for its WMI calls, because that context doesn't have enough rights.

I tried making the CNO a member of the local administrators group, but that wasn’t enough. I may still get this to work.

For the time being I am switching the remote WMI calls to use embedded credentials; the local WMI calls, however, can't be given credentials, like so:

    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")

    If Node = activeNode Then
        ' Local node: connect without credentials (WMI rejects
        ' explicit credentials on a local connection)
        Set objWMIService = objSWbemLocator.ConnectServer(Node, _
            "root\CIMV2")
    Else
        ' Remote node: the cluster service context cannot impersonate,
        ' so pass explicit credentials plus the NTLM domain authority
        Set objWMIService = objSWbemLocator.ConnectServer(Node, _
            "root\CIMV2", _
            strUser, _
            strPassword, _
            "MS_409", _
            "ntlmdomain:" & strDomain)
    End If

After changing this in several places in the code, and fixing how the sleep command worked, I can now fail over without a problem!
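As an added example (not code from this post or from Alex T.'s script), here is the two-branch connection wrapped in a function and used to stop the sync engine on the node giving up the resource and start it on the node taking it over. The service name "miiserver", the helper names, and the node, account and domain values are assumptions or placeholders.

```vbscript
' Added example: connect to each node's WMI as the post describes, then
' stop/start the sync engine service. Service name and names are assumed.
Option Explicit

Const SERVICE_NAME = "miiserver"   ' assumed MIIS/ILM sync engine service name

' Connects to root\CIMV2 on Node. The local node gets no credentials (WMI
' rejects explicit credentials on a local connection); a remote node gets
' explicit credentials because the 2008 cluster service cannot impersonate.
Function ConnectNode(Node, LocalNode, strUser, strPassword, strDomain)
    Dim objSWbemLocator
    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    If LCase(Node) = LCase(LocalNode) Then
        Set ConnectNode = objSWbemLocator.ConnectServer(Node, "root\CIMV2")
    Else
        Set ConnectNode = objSWbemLocator.ConnectServer(Node, "root\CIMV2", _
            strUser, strPassword, "MS_409", "ntlmdomain:" & strDomain)
    End If
End Function

' Returns the Win32_Service instance for the sync engine, or Nothing.
Function GetSyncService(objWMIService)
    Dim objService
    Set GetSyncService = Nothing
    For Each objService In objWMIService.ExecQuery( _
        "SELECT * FROM Win32_Service WHERE Name = '" & SERVICE_NAME & "'")
        Set GetSyncService = objService
    Next
End Function

' Stops (bStart = False) or starts (bStart = True) the sync engine on the
' node behind objWMIService. Returns the Win32_Service return code (0 = OK)
' or -1 if the service is not installed on that node.
Function SetSyncEngine(objWMIService, bStart)
    Dim objService
    Set objService = GetSyncService(objWMIService)
    If objService Is Nothing Then
        SetSyncEngine = -1
    ElseIf bStart Then
        SetSyncEngine = objService.StartService()
    Else
        SetSyncEngine = objService.StopService()
    End If
End Function

' Usage during failover (placeholder node/account/domain values): this node
' takes over, so stop the engine remotely on NODE1 and start it locally.
Dim strLocal: strLocal = CreateObject("WScript.Network").ComputerName
Dim rc: rc = SetSyncEngine(ConnectNode("NODE1", strLocal, "svc_ilm", "<password>", "CONTOSO"), False)
rc = SetSyncEngine(ConnectNode(strLocal, strLocal, "", "", ""), True)
```

Because the account credentials sit in the resource script itself, restrict the script file's ACL to the cluster administrators and give that account only the service-control and MIIS Administrator rights the failover needs.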


Thursday, March 12, 2009

At TEC get on the Ensynch Identity Bus

If you are coming to TEC 2009 at the Green Valley Ranch Resort outside of Las Vegas, and want to take a trip to the strip Monday or Tuesday night, then you are in luck -- Ensynch is sponsoring the Identity Bus -- we'll have some buses running from the Resort to one of the Monorail stops on the strip. Details will be provided at the conference in your handouts. I will be riding on the Identity Bus some of the time and hope to see you there!

Thanks to Stuart Kwan for coining the term Identity Bus, and thanks to Christine McDermott for helping suggest a practical way to make it happen, and thanks to Tyeson Cluff our marketing consultant for making it happen!


Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they re-branded the conference NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas www.tec2009.com 

Day / Time -- Topic -- Speakers

Sunday, 1 PM - 5 PM -- Pre-conference Workshop 2: Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal -- David Lundell and Brad Turner
Monday, 1 PM - 2:15 PM -- Designing an Object Expiration & Reconciliation process in ILM 2 -- Brad Turner
Monday, 1 PM - 2:15 PM -- Proper Care & Feeding of ILM, CLM and RMS Databases -- David Lundell
Monday, 4 PM - 5:15 PM -- Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS -- David Lundell and Brad Turner
Tuesday, 2:45 PM - 4 PM -- ADFS Extensibility -- Chris Calderon (will probably co-present with Randy Weimar)

(yes, the current schedule has Brad and me speaking on Monday at 1 PM in different rooms)
