My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Friday, August 14, 2009

ILM 2 RC 0 -- Luke, Check the Transaction Log!

A few weeks ago I encountered an ASP.NET error when I tried to access http://myilmserver/identitymanagement/

Eventually I went to my SQL Server and discovered that, despite free space on the disk and Autogrow turned on, the Transaction Log was full and wouldn't grow anymore.

So if you encounter this error, then maybe you too can listen to the Force telling you to check the SQL Server Transaction Log for MSILM.
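Added here as a diagnostic (not from the original post): three T-SQL checks that show why a log can be full even with Autogrow on and disk to spare, namely a MAXSIZE cap on the log file or a FULL recovery model with no log backups. It assumes the database is named MSILM, as the post implies; substitute your own name.

```sql
USE MSILM;   -- database name taken from the post; substitute yours
GO

-- 1. How much of each database's log is in use right now.
DBCC SQLPERF(LOGSPACE);

-- 2. Size, growth step and growth ceiling of the log file(s) in this database.
--    size/max_size/growth are in 8 KB pages unless is_percent_growth = 1.
--    A log file reports max_size = 268435456 (2 TB) when no cap was set;
--    any smaller positive value is a MAXSIZE cap that Autogrow cannot pass.
SELECT  name,
        physical_name,
        CAST(size AS bigint) * 8 / 1024 AS size_mb,
        CASE max_size
            WHEN -1        THEN 'grow until disk is full'
            WHEN 0         THEN 'growth disabled'
            WHEN 268435456 THEN 'default 2 TB ceiling'
            ELSE CAST(CAST(max_size AS bigint) * 8 / 1024 AS varchar(20)) + ' MB cap'
        END AS growth_ceiling,
        CASE is_percent_growth
            WHEN 1 THEN CAST(growth AS varchar(20)) + ' %'
            ELSE CAST(CAST(growth AS bigint) * 8 / 1024 AS varchar(20)) + ' MB'
        END AS growth_step
FROM    sys.database_files
WHERE   type_desc = 'LOG';

-- 3. Whether the log can be truncated at all. LOG_BACKUP means FULL recovery
--    with no log backup taken, so the log fills up regardless of file growth;
--    NOTHING means the log is reusable and the problem is size or growth alone.
SELECT  name, recovery_model_desc, log_reuse_wait_desc
FROM    sys.databases
WHERE   name = DB_NAME();
```

If step 2 shows a cap, raising it with ALTER DATABASE ... MODIFY FILE (MAXSIZE = ...) is the fix; if step 3 shows LOG_BACKUP, schedule log backups or switch to SIMPLE recovery.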

In the event log I saw this:

Log Name:      Application
Source:        ASP.NET 2.0.50727.0
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     myILMServer
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event sequence: 4
Event occurrence: 1
Event detail code: 0

Application information: 
    
    Trust level: WSS_Minimal
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\
    Machine name: PHX-52N-ILMWF91
Process information:
    Process ID: 2256
    Process name: w3wp.exe
    Account name: ILMTEST\svc.wss
Exception information:
    Exception type: SerializationException
    Exception message: Error in line 1 position 350. Expecting element 'Metadata' from namespace 'http://schemas.xmlsoap.org/ws/2004/09/mex'.. Encountered 'Element'  with name 'Fault', namespace 'http://www.w3.org/2003/05/soap-envelope'. 
Request information:
    Request URL: http://myilmserver/identitymanagement/default.aspx
    Request path: /identitymanagement/default.aspx
    User host address: 10.12.13.14
    User: ILM\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: ILM\svc.wss
Thread information:
    Thread ID: 4
    Thread account name: ILMT\svc.wss
    Is impersonating: False
    Stack trace:    at System.Runtime.Serialization.DataContractSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName)
   at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName)
   at System.ServiceModel.Channels.Message.GetBody[T](XmlObjectSerializer serializer)
   at System.ServiceModel.Channels.Message.GetBody[T]()
   at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager()
   at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken)
   at Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, List`1 attributes)
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration()
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI()
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl()
   at Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable()
   at Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls()
   at System.Web.UI.Control.EnsureChildControls()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

AD RMS on R2 -- new Federation Features

AD RMS on Windows Server 2008 R2 adds a really slick feature blogged about here: Group Expansion for Federated Users

Prior to R2, to issue a use license to a federated user they needed to be specifically granted permissions. With Windows Server 2008 R2 you can create a contact matching the external federated user and then place the contact in the group, and then they have the same RMS permissions as that group.

This is great: you can include external users in groups without provisioning a user account for them in your domain. Oops, now we need to provision a contact object for them and put that into the group. But perhaps that can be handled by combining this capability with custom claims transformation modules to do on-demand provisioning, the way my coworker Chris Calderon demonstrated on Windows Server 2008 at TEC 2009 (to get his slides go to http://theexpertscommunity.com/item/show/blog/659/TEC-presentations-now-available and follow the instructions).

But on-demand provisioning only solves half of the battle (and here all of the GI Joe fans thought knowing was half the battle ;)

Even though the user's access has been turned off by their employer disabling or deleting their account, the contact objects on your side still need to get cleaned up. But how do you know when to deprovision an account from a federated partner? Perhaps you could use the RMS logging database as a starting point: look for users that haven't accessed the system in a while, email them and see if you get a bounce. Receiving an NDR for a federated user that hasn't accessed anything for months would be a pretty safe bet that their contact object can be deleted.

How to make that happen? Create your own service or scripts to automate querying the logging database and sending the email, and another script to check for NDRs and write the contacts to be deleted to a table. Then use FIM to read the table and delete the contacts, or have your script do it directly, as appropriate.


At it again -- Geneva Part II

Once more we invite you to another Ensynch Identity Management webinar. This is part 2 in our series of 4 on Geneva (ADFS, WIF). This one is going to be led by Chris Calderon, one of our ADFS experts, so naturally it will be filled with excellent technical content, as will Part 3, which focuses on Windows Identity Foundation.

Webinar Agenda:
- How Geneva provides business value to organizations seeking Single Sign-On (SSO)
- Geneva Overview
- Transitioning from ADFS v1 to Geneva Server (ADFS v2)
- SSO Scenarios using Geneva
- Designing a Geneva Solution
- Managing Geneva Server
- Extending the functionality of Geneva
- Q & A
- Post Webinar Chat Session: Once the webinar concludes, our experts will stay online for an additional 30 minutes to field your questions via text chat.

[Register Now]

Also, stay tuned for the final two parts of this webinar series:
Using the Microsoft Geneva Framework to Solve Your Federation Needs
Thursday, September 10, 2009
Register Now
Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Wednesday, September 30, 2009
Register Now