My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Thursday, March 25, 2010

FIM Pitfall for old ILM hands

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.
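As an added illustration (not code from the original post), this is the shape of the MIIS/ILM-era guard described above: a metaverse rules extension that provisions an AD account only when the metaverse object has no connector in the AD connector space. The management agent name, target OU and attribute names are assumptions. The FIM caveat is that a declarative outbound synchronization rule performs no such check; if the already-joined account does not satisfy the rule's relationship criteria, the rule happily provisions a second one.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Metaverse rules extension in the MIIS 2003 / ILM 2007 style.
// Assumed names: the AD management agent is called "Active Directory MA",
// the target container is OU=Users,DC=example,DC=com, and the metaverse
// person object carries accountName and displayName.
public class MVExtensionObject : IMVSynchronization
{
    private const string AdMaName = "Active Directory MA";
    private const string TargetOu = "OU=Users,DC=example,DC=com";

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Only person objects that carry the attributes we need get an account.
        if (mventry.ObjectType != "person"
            || !mventry["accountName"].IsPresent
            || !mventry["displayName"].IsPresent)
            return;

        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];

        // The guard: if this metaverse object already has a connector in the
        // AD connector space, do nothing. Without it, each provisioning pass
        // could create yet another account for the same person.
        if (adMa.Connectors.Count > 0)
            return;

        CSEntry csentry = adMa.Connectors.StartNewConnector("user");
        csentry.DN = adMa.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                         .Concat(TargetOu);
        csentry["sAMAccountName"].Value = mventry["accountName"].Value;
        csentry.CommitNewConnector();
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        // Keep the metaverse object when a connector is disconnected.
        return false;
    }
}
```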

Well a few days ago I learned that old habits die hard. Fortunately, only 7 duplicate accounts were created and only in the connector space as pending exports of type add. So they were easily dealt with. Nonetheless, it just reminded me that when technology changes sometimes your old instincts can betray you.

On another note: in writing this post I felt a bit like my friend and former co-worker, Craig Martin, who in his very humorous TEC speaker bio wrote:

Craig Martin speaks in the third person when writing his own brief biography … spending countless hours weeding out issues in his lab environments learning CLM lessons the hard way in order to beat his chest in triumph and share his scars as lessons in a self-deprecating manner.

Man, what a crack up. Of course his bio shows up right after mine on the speakers bio page! Gosh, don’t I feel a bit pompous with the contrast as I list off all of my accomplishments dating back to grade school. Oh, I forgot to mention in my bio that I won 1st place in the Gilroy Unified School District Math Contest when I was in 4th grade! That treasured trophy was kept in a cardboard box for many years until one day my then six-year-old son asked if I ever earned any trophies, and it has endured several repair jobs since my son got his hands on it. Well, I suppose I just wanted to let people know that I have some cool things to share this TEC and hope you come along to hear them.

I also encourage everyone to attend Craig’s session (hopefully he won’t lose his voice this year); of course, if you attend Brad Turner’s session right beforehand you won’t even have to change rooms!


Wednesday, March 17, 2010

Register for TEC 2010 – hope to see you there


Register using this code to get a discount: ATESENSYNC


TEC 2010 – Speaking and Sponsoring

I am super excited about speaking at The Experts Conference 2010 (I also spoke at Directory Experts in ’07 and ’08, as well as at last year’s The Experts Conference).

Register using this code to get a discount: ATESENSYNC

Once more Ensynch is sponsoring TEC, and this year we are a gold sponsor for TEC 2010.

Here is the lineup of Ensynch speakers at The Experts Conference (also see Brad Turner’s take on our new speakers):

Track | Speaker | Topic | Date
Exchange (pre-conference workshop) | Justin Hiedeman | Exchange 2010 Migration to Microsoft Exchange Online: Hands-on Workshop | Sunday April 25th, 1pm-5pm
Directory & Identity | David Lundell | FIM 2010 Performance Tuning (SQL and more) | Monday April 26th, 1:00 pm
Directory & Identity | Brad Turner | Using DFS and GPO in ILM High Availability Scenarios | Monday April 26th, 2:15 pm
Directory & Identity and SharePoint | Chris Calderon and Jeff Holliday | Federated SSO Solutions Using SharePoint 2010 | Tuesday April 27th, 9:45 am
Directory & Identity | David Lundell | Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS | Tuesday April 27th, 1:30 pm
Directory & Identity | Joe Zamora | Custom Workflow Development in FIM 2010 | Wednesday April 28th, 8:00 am
Directory & Identity | Brad Turner | Practical Converged Physical and Logical Access Control | Wednesday April 28th, 9:45 am



Tuesday, March 9, 2010

FIM Technet Webcasts

The FIM product group has some great webcasts coming up on TechNet.

Forefront Identity Manager 2010 has RTM'ed

This first webcast uses many of the slides that I created as part of our engagement to write the FIM 2010 Technical Overview Whitepaper (due out soon). Anyhow, it makes me feel cool.


3/9/2010 6 PM Pacific time - TechNet Webcast: Forefront Identity Manager 2010: Technical Overview and Deployment (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444011&Culture=en-US

3/18/2010 - TechNet Webcast: Forefront Identity Manager 2010: Monitoring and Troubleshooting FIM in Production (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444015&Culture=en-US

3/30/2010 - TechNet Webcast: Forefront Identity Manager 2010: Deploying FIM (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444017&Culture=en-US

4/5/2010 - TechNet Webcast: Forefront Identity Manager 2010: Extending FIM (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444019&Culture=en-US


Tuesday, March 2, 2010

FIM 2010 RTM Today!

Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

Download the eval here:

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version

Yeah!

FIM gives us capabilities for user provisioning (and deprovisioning), group management, Self-Service Password Reset, password synchronization, workflows with approvals, and user profile self-service management, accomplishing these items through declarative provisioning. Yet FIM retains an incredible set of extensibility points: customization of the Portal and of the object schema, management of new systems, custom workflows, and custom clients to the FIM web service.


According to the release notes there are some nice new enhancements:

· You can now have explicit members in a set which has a defined filter (so sets can have dynamic members based on the filter as well as explicitly added members).

· Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.

In addition to the enhancements found in RC 1 and its update 1, update 2 and update 3 (Brad’s take on update 3):

· Adds support for SQL Server Failover Clusters for High Availability.

· New type of MPR (Set-based Transition vs. Request-based).

· Adds support for taking database backups without stopping the FIM Service.

· New supported platforms for FIM Certificate Management:

    · Windows Server 2008 R2

    · Windows Server Datacenter edition

· Added support for Exchange 2010 for the following scenarios:

    · FIM Synchronization Service support for the Active Directory Management Agent and GAL Management Agent

    · The FIM Service sending and receiving mail

    · Outlook 2007 on Exchange 2010 sending approvals and group membership requests

· You can now copy and paste a vertical list from Excel into the Resource Picker input box. This is especially useful for doing bulk adds.

· The UOC text box now lets you check uniqueness using a custom XPath statement that you provide.

· The FIMMA will now store error messages with the operation during export, so you no longer have to look in the FIMService event log to see the errors.

· You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code was still needed alongside declarative provisioning.

· Added two new declarative provisioning functions:

    · Null – this synchronization rule should not contribute a value (to support not flowing values to disabled accounts).

    · ReplaceString – find and replace a substring in another string.

· Added support for Exchange 14 mailbox provisioning.
