FIM / ILM Best Practices (Forefront Identity Manager)

This blog has moved

2010-05-18T07:53:00.001-07:00

This blog is now located at http://blog.ilmbestpractices.com/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to
http://blog.ilmbestpractices.com/feeds/posts/default.

TEC 2010 -- Results

2010-05-17T15:01:00.001-07:00

TEC 2010 was a blast. In the Kickoff Gil Kirkpatrick issued several challenges including one to Brad Turner to simulate the workings of the FIM Sync Engine. Eventually we expect to see a video of the final presentation posted to YouTube. In the interim Brad has some nice pictures posted: TEC 2010 – Annual Wook Lee Memorial Challenge for Identity Results

I attended Craig Martin’s session “Automate FIM deployment with Powershell” and learned a few things about the FIM Powershell commandlets.

Next I split my time between Joe Zamora’s session on Custom Workflow in FIM 2010 and Gil and Jeremy’s session on Reporting in FIM 2010. (I had swapped my session time on Monday with Joe’s Wednesday time as I was worried that the Icelandic Volcanic Ash cloud was going to keep me from getting there on Monday – but it didn’t). I enjoyed both. I am afraid my late arrival in Gil and Jeremy’s session caused a bit of a stir as they were discussing some of their SQLXML tricks and Jeremy told everyone that wanted to know more about it to ask me (as I am looking at their stuff for the first time). I think Gil and Jeremy had a great presentation with a fascinating proof of concept. I heartily endorse their statements regarding this not being a production ready setup but I love what they showed.

Other concerns caused me to miss the rest of the afternoon. The Quest Hospitality Suite was nice.

Tuesday morning I put the finishing touches on my presentations and then attended Jack Kabat’s session on Deploying FIM, he provided some good advice on how to handle the initial load scenario.

After lunch I presented on Care and Feeding of Databases. I had quite a wide range of attendees. Some were interested in the SharePoint databases others in OCS and of course the majority for FIM Service and Sync. There were also a few who needed to know about FIM CM. I did also show a few photos from my recent trip to Prague including my evidence of elven habitation (they had their own check in kiosk at the Prague Airport).

That night we (Ensynch) had a great party at the ESPN Zone watching the Lakers eliminate the Oklahoma City Thunder. We rented out the Championship Lounge which is above the rest of the facility and feels like a skybox, including big windows out which you can see the big screen at the Bar. We were 100 yards away from the Staples center so after the game we had to fend off some game attendees intent on crashing our party.

Wednesday morning I presented on FIM Performance tuning and talked about the performance improvements that are possible. Then Brad spoke about using ROPU (Run On Policy Update, which we pronounce Rope You, because it ropes you into doing more things) and its power.

If you want access to the slides and videos etc you need to register on www.theexpertscommunity.com

Escape from Prague – Good to go for TEC

2010-04-23T15:20:00.001-07:00

I went to Prague for a project intending to stay one week, but unfortunately I was delayed an additional week (volcanic ash cloud from Iceland – reread the news if you missed it). While Prague is a beautiful city and I met many wonderful people, the uncertainty of when I would be able to get home weighed heavily on me. I was worried about being separated from my family for weeks? months? More importantly ;) I was worried about getting back for The Experts Conference!

Well I have made good my escape! I am back home and will be heading to TEC! Hope to see you there!

BTW, Joe Zamora and I traded speaking slots (I was afraid I wasn’t going to arrive at TEC before Tuesday). No worries now, but we are keeping the schedule change. Joe will speak Monday after lunch and I will speak both Tue after lunch and then Wed at 8 AM.

FIM 2010 Technical Overview Published – short version

2010-04-08T22:31:00.001-07:00

Microsoft has published a short version of the FIM Technical Overview whitepaper written by David Lundell (me), Brad Turner, Chris Calderon and Joe Zamora. The longer version will come out a bit later. Short version, long version makes me feel kind of like I am figure skating in the Olympics. Thank you to Brjann Brekkan, Mark Wahl, Joe Schulman, Darryl Russi, Jack Kabat and Andreas Kjellman for their support, editing, eluciations on blogs and encouragement on this paper.

Microsoft has also released the updated FIM documentation for RTM. Congrats to Dave Kreitler, Markus, Brad Benefield and the rest of the documentation team!

I love the capacity planning guide section as well as the section Expected State Detection (formerly Object State Detection, and also referred to as Existence Test, Detected Rules Entry, Detected Rules List).

~~Fellow FIM Bots, Fellow FIMers, Fellow FIMians~~, Fellow FIMsters! Enjoy!

FIM Pitfall for old ILM hands

2010-03-25T21:40:00.001-07:00

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.

Well a few days ago I learned that old habits die hard. Fortunately, only 7 duplicate accounts were created and only in the connector space as pending exports of type add. So they were easily dealt with. Nonetheless, it just reminded me that when technology changes sometimes your old instincts can betray you.

One another note: in writing this post I felt a bit like my friend and former co-worker, Craig Martin, who in is very humorous TEC speaker BIO wrote:

Craig Martin speaks in the third person when writing his own brief biography … spending countless hours weeding out issues in his lab environments learning CLM lessons the hard way in order to beat his chest in triumph and share his scars as lessons in a self-deprecating manner.

Man what a crack up. Of course his bio shows up right after mine on the speakers bio page! Gosh don’t I feel a bit pompous with the contrast as I list off all of my accomplishments dating back to grade school. Oh, I forgot to mention in my bio that I won 1st place in the Gilroy Unified School District Math Contest when I was in 4th grade! That treasured trophy was kept in a cardboard box for many years until one day my then six year old son asked if I ever earned any trophies – and it has endured several repair jobs since my son got his hands on it. Well I suppose, I just wanted to let people know that I have some cool things to share this TEC and hope you come along to hear them

I also encourage everyone to attend Craig’s session (hopefully he won’t lose his voice this year), of course if you attend Brad Turner’s session right beforehand you won’t even have to change rooms!

Register for TEC 2010 – hope to see you there

2010-03-17T17:34:00.001-07:00

Register using this code to get a discount: ATESENSYNC

TEC 2010 – Speaking and Sponsoring

2010-03-17T15:25:00.001-07:00

I am super excited about speaking at The Experts Conference 2010 (I also spoke at Directory Experts in ‘07, and ‘08 as well as last year’s The Experts Conference).

Register using this code to get a discount: ATESENSYNC

Once more Ensynch is sponsoring TEC but this year we are a gold sponsor for TEC 2010.

Here is the lineup of Ensynch Speakers at The Experts Conference (also see Brad Turner’s take on our new speakers)

Track	Speaker	Picture	Topic	Date
Exchange – Pre conference workshop	Justin Hiedeman		Exchange 2010 Migration to Microsoft Exchange Online: Hands-on Workshop	Sunday April 25th 1pm-5pm
Directory & Identity	David Lundell		FIM 2010 Performance Tuning (SQL and more)	Monday April 26th 1:00 pm
Directory & Identity	Brad Turner		Using DFS and GPO in ILM High Availability Scenarios	Monday April 26th 2:15 pm
Directory & Identity and SharePoint	Chris Calderon and Jeff Holliday	Jeff	Federated SSO Solutions Using SharePoint 2010	Tuesday April 27th 9:45 am
Directory & Identity	David Lundell		Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS	Tuesday April 27th 1:30 pm
Directory & Identity	Joe Zamora		Custom Workflow Development in FIM 2010	Wednesday April 28th 8:00 am
Directory & Identity	Brad Turner		Practical Converged Physical and Logical Access Control	Wednesday April 28th 9:45 am

FIM Technet Webcasts

2010-03-09T15:36:00.001-07:00

The FIM product group has some great webcasts coming up on technet

Forefront Identity Manager 2010 has RTM'ed

This first webinar is using many of the slides that I created as part of our engagement to write the FIM 2010 Technical Overview Whitepaper (due out soon). Anyhow it makes me feel cool.

3/9/2010 6 PM Pacific time- TechNet Webcast: Forefront Identity Manager 2010: Technical Overview and Deployment (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444011&Culture=en-US

3/18/2010 - TechNet Webcast: Forefront Identity Manager 2010: Monitoring and Troubleshooting FIM in Production (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444015&Culture=en-US

3/30/2010 - TechNet Webcast: Forefront Identity Manager 2010: Deploying FIM (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444017&Culture=en-US

4/5/2010 - TechNet Webcast: Forefront Identity Manager 2010: Extending FIM (Level 300)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444019&Culture=en-US

FIM 2010 RTM Today!

2010-03-02T13:03:00.001-07:00

Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

Download the eval here:

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version

Yeah!

FIM gives us capabilities for User provisioning (and deprovisioning), Group management, Self-Service Password Reset, Password Synchronization, Workflows with Approvals, User profile self-service management, and accomplishing these items through Declarative Provisioning. Yet FIM retains an incredible set of extensibility points, allows customization of the Portal, schema of the objects, managing new systems, custom workflows, custom clients to the FIM web service.

According to the release notes there are some nice new enhancements:

You can now have explicit members in a set which has a defined filter (so sets can have dynamic members based on the filter and explicitly added members).

Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials

In addition to the enhancements found in RC 1 and its update 1, update 2 and update 3 (Brad’s take on update 3):

Adds support for SQL Server Failover Clusters for High Availability

New type of MPR (Set based Transition vs. Request based)

· Adds support for taking database backups without stopping the FIM Service.

· New Supported Platforms for FIM Certificate Management

· Windows Server 2008 R2

· Windows Server Datacenter edition

· Added support for Exchange 2010 for the following scenarios:

· FIM Synchronization Service support for Active Directory Management Agent and GAL Management Agent

· The FIM Service sending and receiving mail

· Outlook 2007 on Exchange 2010 sending approvals and group membership requests

· You can now copy and paste a vertical list from Excel to the Resource Picker input box. This is especially useful for doing bulk Adds.

· The UOC text box now lets you check uniqueness using a custom XPATH statement that you provide.

The FIMMA will now store error messages with the operation during export. You do not have to look in the FIMService event log anymore to see the errors.

You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code still was needed for declarative provisioning.

· Added two new Declarative provisioning functions:

· Null – This Synchronization Rule should not contribute a value to support not flowing values to disabled accounts.

· ReplaceString – Find and replace a substring in another string

Added support for Exchange 14 mailbox provisioning

Final Update for FIM RC1 released

2010-02-01T10:40:00.001-07:00

On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1 available through connect

https://connect.microsoft.com/site433/Downloads

Major changes as part of Update 3 (my regurgitation and comments from the release notes):

Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
Less need for custom old style code
- Now more than 1 MA can be authoritative for deleting an object (resource)
- New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
  - Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
  - ReplaceString
New type of MPR – Set Transition MPRs vs. request based MPRs
- Run on Policy Update only applies to this type
- All other MPRs are – request based MPRs
- This should easy some of the difficulty in wrapping heads around MPRs.
DBA’s will love these:
- Backups without stopping the FIM Service and now supported!
- SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
Prereqs have changed
- Server Components
  - Windows Installer 4.5 is required,
- FIM Service requires SQL 2008 SP 1
- The addin for Outlook now needs Outlook 2007 SP 2

Even the certificate management side got some improvements: Windows Server 2008 R2

Also check out Brad’s post on the SP3 for MIIS or an update to ILM 2007 FP 1

FIM Hand on Labs

2010-02-01T01:20:00.001-07:00

More Hands on Labs for Forefront Identity Manager will be coming up (similar to the one I did in Irvine, CA) – Phoenix April 7th and 8th and then Dallas sometime in May.

FIM RCDC explained in brief

2009-11-29T09:50:00.001-07:00

In this post I attempt to give you the reader a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration formerly known as the Object Visualization Configuration (OVC). RCDC is the way you custom how FIM displays objects (now called resources) in the portal. Now for English: If you need to change the options and information users see in the FIM portal when they create new users, groups (security or distribution), or edit or view these resources you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:

Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need a have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in Red is the Header Grouping and provides the caption for the RCDC in this case: Create Security Group. The Header Grouping contains just one control the UocCaptionControl and it is this control that determines what will be displayed based on the Caption and Description Attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up. to 16 groupings counting the Header Grouping and the Summary Grouping, leave up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as displayname and description (SchemaDataSource), and a listing of Active Directory Domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. There are two purposes for these: 1) to provide the xsl transformation to provide a different summary of changes on the Grouping Summary, and 2) to provide a list for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements, and attributes. The element type you will be concerned with are the Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UoCListView Control, and you can’t make use of events.)

The attributes and properties are used to govern the behavior of the control. They can be bound to the different data sources, to cause the control to interact with an attribute on a resource, to control the visibility and editing on a control, and to provide the list of options to choose from.

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.

Answering my FIM RC 1 question

2009-11-24T09:58:00.001-07:00

Thanks to Darryl Russi for answering my questions in my earlier post An Update to FIM RC1 where I was asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes and then Darryl answers the first question in great deal.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.

Identity Synchronization FIM 2010 HOL Irvine California

2009-11-23T17:44:00.001-07:00

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training

Date: December 1-2, 2009

Location: 3 Park Plaza, Suite 1800 Irvine, CA 92614 949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend.

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat. Invitation only registration link – click here!

Questions? Contact Gemalto | amy.gant@gemalto.com | (888) 343 5773 | www.gemalto.com/enterprise

An Update to FIM RC1

2009-11-08T23:14:00.001-07:00

Microsoft has posted an update to FIM RC 1, dated Nov 6.

It looks like this update covers pretty much everywhere except Certificate Services (sorry Brian and Paul).

The Release notes included in the download lists the follow improvements:

Query and Sets

Resolved a number of issues that resulted in incorrect dynamic set membership.
Removed support for the use of the != operator with multivalued attributes. Xpath equality expressions on multivalued attributes must use the not() function. For example, the following xpath is not supported: /Group[Owner != /Person]. Instead, use the following xpath: /Group[not(Owner = /Person)]

Synchronization engine

Resolved a data corruption issue in Multi-Mastery scenarios where deleted Member attributes were being added back during full sync of AD and FIM.

Workflows

Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIM Service that originally created the workflow. This enables the partitioning of workflow execution among servers dedicated to specific functionality.
For example, if a FIM Service is dedicated to servicing Requests submitted by the Synchronization Service, all workflows resulting from Synchronization Service Requests will only run on that FIM Service.
Resolved an issue that caused a Request’s RequestStatus attribute to retain the value “Validating” even though the Request’s operation timed out.
Resolved an issue in the EnumerateResourcesActivity that prevented selecting which attributes to return. Previously, regardless of the attribute selection specified, all attributes bound to the enumerated resources were returned.

Resolved various issues and made general improvements for:

Management Policy Rules
Portal user interface Request Management
Self-service Password Reset
Schema

Go to Connect.microsoft.com and 11/6/2009
Here’s the link: FIM 2010 RC1 Update 1
4.0.2570.0 (compare to 4.0.2560.0 the version released on 9/29/09 -- RC1)
Build

It references a KB article that I can’t find: KB976465

The total download is under 36 MB so this is definitely a patch and not the full enchilada.

Looks like Jorge got the news out first.

Identity Management Luncheon NYC

2009-10-29T14:44:00.001-07:00

I will be speaking at an Identity Management Luncheon in New York City on Nov 12th. I will be speaking on FIM.

Come on down and join me if you can. (Please Register)

When:
Thursday, November 12, 2009
10:45 AM to 2:00 PM (EST)
Where:
Del Frisco's
Double Eagle Steak House
1221 Avenue of the Americas
New York, New York 10020

Come join us at this exclusive luncheon at one of the best steak houses in NYC!

Realizing the Value of Identity Management

Using Microsoft Forefront Identity Manager 2010 to Empower People, Deliver Agility and Efficiency, and Increase Security and Compliance of your Business
Ensynch and Microsoft invite you to join other senior technology and business executives at a complementary exclusive luncheon where we will discuss and demonstrate how Microsoft’s new identity management platform and solutions can help you consolidate technologies and reduce cost.

Today’s IT enterprise must deliver identity and access management that is efficient, cost effective, and secure. The complexity of managing and securing users, devices, and services is increasing. Whether due to regulatory mandate or business growth, identity management becomes more complex, and does often not deliver as much business benefit as it could.

Come and learn how Forefront Identity Manager 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.
Event Agenda:

Interactive demonstration and discussion of how Forefront Identity Manager 2010 helps to...
• Ease Administrative Functions of Managing Identities
• Enable Self Service Group Management
• Increase Security and Compliance
• Save Money – Realizing ROI
• Empower collaboration by integrating with other cutting edge Microsoft technologies such as Office Communications Server and SharePoint.

[Register Now]

-------
Contact Anthony.Morgante@microsoft.com if you have any questions or concerns.

Visit http://www.microsoft.com/forefront/identitymanager
for more information on ForeFront Identity Manager 2010

Password Reset?

2009-10-06T20:59:00.001-07:00

How would you feel if this was the only barrier between the hacker and your data – a single password reset question? Just one!

I won’t tell you who this is since then you’ll just want to go after my data on that site.

Oh well. The barn door won’t be shut until the wolf has gotten into the sheep

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud

2009-10-05T11:07:00.001-07:00

Get the rundown on Geneva from Frequent Industry Speaker and Nationally Recognized Microsoft ILM MVP,
David Lundell

When:
Wednesday, October 14, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell,
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud
Has your organization been considering moving applications to the cloud or using Software as a Service (SaaS) providers? Have you already done it? Have you realized the cost savings?

Have you encountered the difficulties in managing the identities and passwords across the various identities?

Using Microsoft Geneva (ADFS) and Quest Java SSO, and Quest inTrust, you can lower the cost of moving applications to the cloud and to SaaS, which can remove a big hurdle to a key strategic initiative.

I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the final part in a Identity Management Webinar Series from Ensynch's Identity Management Practice Director, Frequent Industry Speaker, and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander. (Previous webinars are available for download here)

This webinar is designed for business leaders, and will present discuss the business value of Microsoft Geneva and the Cloud. Whether identity management within the Cloud and SaaS is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- The Cloud’s little secret: Multiplying identity stores

- High level discussion of The Cloud (Azure, Amazon, SaaS, etc)

- High Level discussion of Geneva (ADFS, WIF)

- The Value of the Cloud

- The hidden Costs of the Cloud

- How Geneva(ADFS) helps lower the cost of the Cloud

- Gaps of the Cloud

- Possible Solutions

- Gaps of Geneva with the cloud

- Possible Solutions from Quest

[Register Now]

FIM RC 1 is here – what’s new?

2009-10-04T22:46:00.001-07:00

FIM RC 1 is here. Microsoft released it on Sept 30th which is the end of Q3 of 2009 which means the ILM/FIM team at Microsoft met their stated deadline announced back in March.

Here is the download:

http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx

What’s new:

Gil Kirkpatrick has a nice post about the differences in the data structure:

Auditing FIM 2010 RC1

Darryl Russi a Sr. Test Lead at Microsoft has started blogging about FIM RC 1 performance:

http://blogs.msdn.com/darrylru/archive/2009/10/01/fim-2010-performance-testing-introduction.aspx

Microsoft has also included some pretty good documentation (available for independent download through the Microsoft connect site

http://connect.microsoft.com/directory/

Search for

Forefront Identity Manager 2010 (FIM 2010) Beta

Pay careful attention to the Release Notes.

One big thing I noticed, that I have been seeing with RC 0 and was hoping would be fixed with RC 1 was getting a “no-start-full-import-required” error during a delta import, however the release notes for RC 1 state:

Do not use delta-import with FIM MA

· In this release, always run a full import when synchronizing the FIM MA. Running a delta-import may result in a no-start-full-import-required error in some scenarios.

There are also several FIM schema changes you can make that make it impossible to restart the service and require a reinstall so keep an eye out for those: “[creating] a multi-valued Boolean attribute”, “[creating] custom attributes or resource types with duplicate names”, or “[creating] a binding that uses the same resource type and attribute combination as another binding.” These last two are possible through the web service.

Password Reset

A nice thing is that the standard Password Reset workflows and MPRs are pre-created for you. I guess some people saw my Visio diagram of the fairly complex Password Reset process and heard the woes of everyone that tried to set it up. Kudos! This is possible because Management Policy Rules (MPRs) can be enabled and disabled!

Name Changes

Among other things is a documentation road map listing all of the documents available for IT Pros and an Identity Terminology guide. Defines almost everything including XAML, but they forgot XOML. They have changed some names but don’t mention the old name so here is my best attempt:

Old Name	New Name	Comment
ILM 2	FIM	When Microsoft announced the name change back in April they said “ForeFront means business ready security.” I don’t know how you feel about Forefront Client Security but everything from Antigen, to ISA, to IAG, to ILM has been rebranded to Forefront. Does this mean that ForeFront Stirling is going to monitor FIM? I don’t know.
Object Visualization Configuration (OVC)	resource control display configuration (RCDC)	Same thing, new name, same limitations: “you cannot write a customized function (Handler)” (Introduction to resource control display configurations) Although the documentation is much clearer on those limitations, and greatly expands on other topics as well.
CLM	FIM CM	FIM Certificate Management

Install Guide

The install guide looks fairly complete, just change any references to Enterprise Manager to mean Management Studio. When SQL 2005 came out I kept calling it Enterprise Management Studio (yes I would stutter on Manager-ment).

A big thing to note is this:

Assign enough space for the database

The FIM Service database will not autogrow even if those settings are enabled by default by SQL Server. You should expand the Data and Log files to be able to hold all data needed.

Wow! No autogrowth! I saw that happen with RC 0 but couldn’t believe it.

It also includes documentation on the parameters for unattended install. As you know from prior post my team and I prefer unattended installs.

Migrating from Test to Prod

There is a document called “Introduction to the Configuration Migration Tool”

This document describes how to migrate a FIM 2010 configuration from a test environment to a production environment.

Yeah! We so needed this tool! Powershell! Sweet!

ILM 2 RC 0 -- Luke, Check the Transaction Log!

2009-08-14T21:16:00.001-07:00

A few weeks ago I encountered an ASP.NET error when I tried to access http://myilmserver/identitymanagement/

Eventually I went to my SQL Server and discovered that despite having space on the disk and Autogrow turned on the Transaction Log was full and wouldn't grow anymore.

So if you encounter this error then maybe you too can listen to the force telling you to check the SQL Server Transaction Log for MSILM.

In the event log I saw this:

Log Name:      Application
Source:        ASP.NET 2.0.50727.0
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     myILMServer
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event sequence: 4
Event occurrence: 1
Event detail code: 0

Application information:

    Trust level: WSS_Minimal
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\
    Machine name: PHX-52N-ILMWF91
Process information:
    Process ID: 2256
    Process name: w3wp.exe
    Account name: ILMTEST\svc.wss
Exception information:
    Exception type: SerializationException
    Exception message: Error in line 1 position 350. Expecting element 'Metadata' from namespace 'http://schemas.xmlsoap.org/ws/2004/09/mex'.. Encountered 'Element' with name 'Fault', namespace 'http://www.w3.org/2003/05/soap-envelope'.
Request information:
    Request URL: http://myilmserver/identitymanagement/default.aspx
    Request path: /identitymanagement/default.aspx
    User host address: 10.12.13.14
    User: ILM\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: ~~ILM~~\svc.wss
Thread information:
    Thread ID: 4
    Thread account name: ILMT\svc.wss
    Is impersonating: False
    Stack trace:    at System.Runtime.Serialization.DataContractSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName)
   at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName)
   at System.ServiceModel.Channels.Message.GetBody[T](XmlObjectSerializer serializer)
   at System.ServiceModel.Channels.Message.GetBody[T]()
   at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager()
   at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken)
   at Microsoft.IdentityManagement.WebUI.Controls.ConfigurationModelBase.RetrieveResources(String type, List`1 attributes)
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.RetrievePortalUIConfiguration()
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_PortalUI()
   at Microsoft.IdentityManagement.WebUI.Controls.PortalUIConfigurationModel.get_BrandingLeftImageUrl()
   at Microsoft.IdentityManagement.WebUI.Controls.BrandBar.get_BrandTable()
   at Microsoft.IdentityManagement.WebUI.Controls.BrandBar.CreateChildControls()
   at System.Web.UI.Control.EnsureChildControls()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Control.PreRenderRecursiveInternal()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

AD RMS on R2 -- new Federation Features

2009-08-14T21:06:00.001-07:00

AD RMS on Windows Server 2008 R2 adds a really slick feature blogged about here: Group Expansion for Federated Users

Prior to R2 to issue a use license to a federated user they need to specifically be granted permissions. With Windows Server 2008 R2 you can create a contact matching the external federated user and then place the contact in the group and then they have the same RMS permissions as that group.

This is great to be able to include external users in groups, and still without provisioning a user account for them in your domain. Oops, now we need to provision a contact object for them and put that into the group. But perhaps if we combine this capability with custom claims transformation modules to do on demand provisioning the way my coworker Chris Calderon demonstrated on Windows Server 2008 at TEC 2009 (to get his slides go to http://theexpertscommunity.com/item/show/blog/659/TEC-presentations-now-available and follow the instructions).

But On-Demand Provisioning only solves half of the battle (and here all of the GI Joe fans thought knowing was half the battle ;)

Even though the user's access has been turned off by their employer disabling or deleting their account, the contact objects on your side still need to get cleaned up. But how to know when to deprovision an account from a federated partner? Perhaps you could use the RMS logging database as a starting point and look for users that haven't accessed the system in a while, email them and see if you get a bounce. After receiving an NDR for a federated user that hasn't accessed anything for months would be a pretty safe bet to delete their contact object.

How to make that happen? Create your own service or scripts to automate querying the logging database and sending the email. Another script to check for NDRs and then write to a table the contacts to be deleted. Then use FIM to read the table and delete the contacts, or your script could do it directly, as appropriate.

At it again -- Geneva Part II

2009-08-14T16:11:00.001-07:00

Once more we invite you to another Ensynch Identity Management webinar. This is part 2 in our series of 4 on Geneva (ADFS, WIF). This one is going to be led by Chris Calderon one of our ADFS Experts, so naturally this will be filled with excellent technical content. As will Part 3 as it focuses on Windows Identity Foundation.

Webinar Agenda:
- How Geneva provides business value to organizations seeking Single-Sign-On (SSO)?

- Geneva Overview

- Transitioning from ADFS v1 to Geneva Server (ADFSv2)

- SSO Scenarios using Geneva

- Designing a Geneva Solution

- Managing Geneva Server

- Extending the functionality of Geneva

- Q & A

- Post Webinar Chat Session: Once the webinar concludes, our experts will stay online for an additional 30 minutes to field your questions via text chat.

[Register Now]

Also, stay tuned for the final two parts of this webinar series:
Using the Microsoft Geneva Framework to Solve Your Federation Needs
Thursday, September 10, 2009
Register Now
Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Wednesday, September 30, 2009
Register Now

MVP for the 3rd time

2009-07-20T17:42:00.001-07:00

Both my colleague Brad Turner and I were renewed for ILM MVP.

I am glad to receive this honor another year.

Congrats to new ILM MVP Marc Mac Donnell

You can see a list of all ILM MVP's that have chosen to make their profiles public (Marc hasn't setup his yet).

I just hope I can win the MVP at home!

Webinar: How Microsoft Geneva Streamlines Business

2009-07-20T17:30:00.001-07:00

When:
Wednesday, July 29, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

[Register Now]

Presenters:
David Lundell, ILM MVP
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: How Microsoft Geneva
Streamlines Business

- Learn How to Reap the Benefits of True Web
Single-Sign-On and Federation
Has your organization been forced to deploy one-off solutions to solve login or compliance problems with a newly deployed technology?
Are your employees tired of using multiple logins for all kinds of access needs?
Having trouble managing shared resources users both inside and outside of your organization?
Using open platform identity management solution Microsoft Geneva, you can save money and make your business more efficient today, and also make it more easily scalable for the future.
I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the 1st in a 4-part Identity Management Webinar Series from Ensynch's Identity Management Practice Leader and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander.
This webinar is designed for business leaders, and will present business value propositions for the Microsoft Geneva framework. Whether identity management is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- Yikes! The business pain points of managing lots of identities

- High level discussion of Microsoft Geneva

- Business value of Geneva

- Gaps of the Geneva framework

- Possible solutions to the gaps

- ROI of Geneva versus other Single-Sign-On solutions

- Geneva and the Cloud

- Q & A

Stay Tuned for the other three parts of this webinar series:
A Technical Overview of the Microsoft Geneva Infrastructure
Thursday, August 20, 2009
Using the Microsoft Geneva Framework to Solve
Your Federation Needs
Thursday, September 10, 2009
Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Thursday, October 1, 2009

4th of July -- Independence Day

2009-07-05T22:00:00.001-07:00

233 years ago, 56 men signed a document and began a labor to give birth to a nation. I am very grateful for their service and for their sacrifices and for each and every soldier, and dutiful civil servant since then. They have afforded me and my family a great many blessings. As well some of my family members have been privileged to serve. One of my grandfathers taught ground school during World War II and the other served in the Army and was stationed in Greenland. I honor their service.

As part of my Independence Day celebration I read some of the writings of Abraham Lincoln. I found this moving passage from his first public speech in March 9, 1832 to the people of Sangamon County, he spoke on the topic of education :

"That every man may receive at least a moderate education, and thereby be enabled to read the histories of his own and other countries, by which he may duly appreciate the value of our free institutions, appears to be an object of vital importance, even on this account alone, to say nothing of the advantages and satisfaction to be derived from all being to read the Scriptures and other works, both of a religious and moral nature themselves."

I believe that this "moderate education" unto "every man" is a key basis for our continuing freedom.

I also wonder whether Identity Management would have a much different meaning without the Declaration of Independence.