My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Wednesday, April 29, 2009

Dealing with the ILM 2 RC 0 Cert in Windows server 2003 domain

The Password Reset  instructions ask us to use Group Policy to distribute the cert to the clients. This only works in Windows Server 2008 functional level domains. In Windows Server 2003 domains you can automate this using cerutil.exe
The following command will export the cert generated by ILM 2 install to the ilm2cert.cer file in the working directory

certutil -store trustedpeople IdentityLifeCycleManager2 ilm2cert.cer

This command can be used to import the cert from the command line
certutil -f -addstore trustedpeople ilm2cert.cer

-- I guess we could put the cert in a public share and then add this to the login script
certutil -f -addstore trustedpeople \\someserver\publicshare\ilm2cert.cer

Or add this to a batch file that also calls the password client install

Labels: , ,

Monday, April 20, 2009

Problems with Sync Rules in ILM 2 RC0 (err FIM RC0)?

Well I had a problem with a recent install -- the Metaverse Object Type Dropdown list was empty!

image

Turns out the source of this drop down list is the mv-data object type. However my install didn't have this object. Obviously something was wrong. How does one create this object in the first place? Not directly in the portal. I am not certain when this object is supposed to be created. Install time? First export through the ILM MA? None of these seem to match up based on time stamps. It wasn't created during install. It was created before the first import of the ILM MA, and the first Export of the ILM MA. It does match the time of the creation of the ILM MA in the Identity Manager tool in the synchronization engine.  The object is created by a request generated by the Built In Synchronization Account (BISA) this is the account used by the ILM MA.

My solution was to modify my ILM sync engine Metaverse schema and then viola the drop down list was populated (the mv-data object was created). This means that after the MA is created some process in the sync engine is either sending a request to the ILM 2 Web Service through the ILM MA or the ILM 2 web service is monitoring the Sync Engine. I am guessing the former.

Labels: , ,

Earth Hour -- Mandatory?

Just because we didn't participate in Earth Hour, didn't mean that our Power company, Salt River Project (SRP) needed to turn off power to the whole neighborhood last night and again this morning ;)

I am all for using our resources wisely. But sometimes I rebel against the symbolic gestures.

I mean if the power company needs an hour off can't they just schedule downtime like we do with computer systems?

ILM FIM Webinar Custom Workflow -- Joe Zamora

Joe Zamora the maintainer of the Ensynch ILM 2 Custom Workflow Walkthrough is our main presenter at our next Webinar this Thursday at 9 AM Pacific. To register click on the image below. The code from our Pre-con workshop is posted on CodePlex Ensynch Custom WF Activities

image

Labels: , , , ,

Thursday, April 16, 2009

Install ILM 2 in a SharePoint Farm

As I endeavored to install the ILM 2 Portal into a SharePoint farm (WSS 3.0 SP 1) with a remote database I encountered the following problem:

The dreaded Premature Failure during installation.

When I turned on logging for the install and examined the file, I found:

Action 14:55:25: ConfigPortalAnonymousAccess.

CAQuietExec: 

CAQuietExec:  This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products and Technologies Configuration Wizard, located on the Start menu in Administrative Tools.

CAQuietExec: 

CAQuietExec:  Error 0xffffffff: Command line returned an error.

CAQuietExec:  Error 0xffffffff: CAQuietExec Failed

Action ended 14:55:30: InstallFinalize. Return value 3.

Action 14:55:30: Rollback. Rolling back action:

So I turned on SQL Profiler and I noticed:

image

So I decided to go ahead and give anonymous access (temporarily of course)

image

Then I mapped the login to each of the three SharePoint databases and made it db_owner.

Then my install worked perfectly. I hope to research and find out exactly which limited permissions are needed.

Labels: , ,

What's in name? Forefront Identity Manager 2010

In case you haven't heard Zoomit VIA or rather Microsoft MetaDirectory Services has been renamed yet again, from Microsoft Identity Integration Server 2003 to Identity Lifecycle Manager 2007 to Forefront Identity Manager 2010 or FIM for short. For obvious reasons the L was dropped when the F was added (Forefront + ILM = FILM).

So ILM 2 => FIM 2010

image

(stole this graphic from Brad Turner's blog -- his Smart Art creations are beautiful -- recently I have been studying smart art under his tutelage I hope to soon approach his level of skill)

Doug Leland, general manager of Microsoft’s Identity and Security Business Group, explained, "For example, our Identity Lifecycle Manager product is now officially named Forefront Identity Manager. We see the Forefront brand as synonymous with Business Ready Security."

http://www.microsoft.com/presspass/features/2009/Apr09/04-16BusinessReadySecurity.mspx

From Microsoft MetaDirectory Services (MMS) to MIIS was a complete rewrite dumping Zscript for .NET and putting the metadirectory in the SQL Server back end. ILM 2007 added the Certificate Lifecycle Management piece while leaving the core functionality of MIIS alone. FIM 2010 of course adds lots of new functionality (everything you have read about ILM 2, the portal for self-service, password reset, the web service) but good old MIIS is still there as the FIM Synchronization Engine, but there have been substantial improvements under the hood to enable synchronization rules to be configured in the portal and flow into the Sync Engine.

So what's in a name some new features that according to Doug Leland spell Business Ready Security.

The Target date is still Q1 of calendar year 2010.

Labels: , , , ,

Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of IdentityJunkie.com fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck, is a very talented developer, and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.

Labels: , , , ,

Tuesday, April 14, 2009

A few excellent Live@edu (Outlook Live) Blogs

I have been involved with the Microsoft Live@edu (formerly Windows Live@edu) and the Outlook Live (formerly Exchange Labs) programs for quite sometime.

What a wonderful opportunity for schools to alleviate the cost of hosting email for students and then to be able to offer it to alumni helping provide them with lifelong connection to the university and way to keep their email address from their student days. Maintaining stronger ties leads to more evangelism on the school's behalf and will lead to more Alumni donations. I would have love have kept my dpl@bigdog.engr.arizona.edu, lundelld@gas.uug.arizona.edu or dlundell@u.arizona.edu accounts. Instead of rediscovering friends on facebook I might never have lost touch with them in the first place.

A few weeks ago Robert Hughes of Bridgepoint introduced me to Jonny Chambers blog as another excellent resource to information about Outlook Live. So I thought I would collect some resources here:

Jonny Chambers blog

Jonny has a great list of official links to Live@edu

http://cid-c76eae4d4a509fbd.profile.live.com/Lists/cns!C76EAE4D4A509FBD!495/

Almero Steyn (pronounced Al mare Roo  Stain)  another ILM MVP has also put together some fantastic blog posts on Outlook Live.

Labels: , , ,