My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Thursday, April 8, 2010

FIM 2010 Technical Overview Published – short version

Microsoft has published a short version of the FIM Technical Overview whitepaper written by David Lundell (me), Brad Turner, Chris Calderon and Joe Zamora. The longer version will come out a bit later. Short version, long version makes me feel kind of like I am figure skating in the Olympics. Thank you to Brjann Brekkan, Mark Wahl, Joe Schulman, Darryl Russi, Jack Kabat and Andreas Kjellman for their support, editing, eluciations on blogs and encouragement on this paper.

Microsoft has also released the updated FIM documentation for RTM. Congrats to Dave Kreitler, Markus, Brad Benefield and the rest of the documentation team!

I love the capacity planning guide section as well as the section Expected State Detection (formerly Object State Detection, and also referred to as Existence Test, Detected Rules Entry, Detected Rules List).


Fellow FIM Bots, Fellow FIMers, Fellow FIMians, Fellow FIMsters! Enjoy!

Labels: ,

Thursday, March 25, 2010

FIM Pitfall for old ILM hands

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.

Well a few days ago I learned that old habits die hard. Fortunately, only 7 duplicate accounts were created and only in the connector space as pending exports of type add. So they were easily dealt with. Nonetheless, it just reminded me that when technology changes sometimes your old instincts can betray you.

One another note: in writing this post I felt a bit like my friend and former co-worker, Craig Martin, who in is very humorous TEC speaker BIO wrote:

Craig Martin speaks in the third person when writing his own brief biography … spending countless hours weeding out issues in his lab environments learning CLM lessons the hard way in order to beat his chest in triumph and share his scars as lessons in a self-deprecating manner.

Man what a crack up. Of course his bio shows up right after mine on the speakers bio page! Gosh don’t I feel a bit pompous with the contrast as I list off all of my accomplishments dating back to grade school. Oh, I forgot to mention in my bio that I won 1st place in the Gilroy Unified School District Math Contest when I was in 4th grade! That treasured trophy was kept in a cardboard box for many years until one day my then six year old son asked if I ever earned any trophies – and it has endured several repair jobs since my son got his hands on it. Well I suppose, I just wanted to let people know that I have some cool things to share this TEC and hope you come along to hear them

I also encourage everyone to attend Craig’s session (hopefully he won’t lose his voice this year), of course if you attend Brad Turner’s session right beforehand you won’t even have to change rooms!

Labels: , ,

Wednesday, March 17, 2010

Register for TEC 2010 – hope to see you there


Register using this code to get a discount: ATESENSYNC

Labels: , , ,

Tuesday, March 9, 2010

FIM Technet Webcasts

The FIM product group has some great webcasts coming up on technet

Forefront Identity Manager 2010 has RTM'ed

This first webinar is using many of the slides that I created as part of our engagement to write the FIM 2010 Technical Overview Whitepaper (due out soon). Anyhow it makes me feel cool.


3/9/2010 6 PM Pacific time- TechNet Webcast: Forefront Identity Manager 2010: Technical Overview and Deployment (Level 300)

3/18/2010 - TechNet Webcast: Forefront Identity Manager 2010: Monitoring and Troubleshooting FIM in Production (Level 300)

3/30/2010 - TechNet Webcast: Forefront Identity Manager 2010: Deploying FIM (Level 300)

4/5/2010 - TechNet Webcast: Forefront Identity Manager 2010: Extending FIM (Level 300)

Labels: ,

Tuesday, March 2, 2010

FIM 2010 RTM Today!

Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

Download the eval here:

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version


FIM gives us capabilities for User provisioning (and deprovisioning), Group management, Self-Service Password Reset, Password Synchronization, Workflows with Approvals, User profile self-service management, and accomplishing these items through Declarative Provisioning. Yet FIM retains an incredible set of extensibility points, allows customization of the Portal, schema of the objects, managing new systems, custom workflows, custom clients to the FIM web service.


According to the release notes there are some nice new enhancements:

You can now have explicit members in a set which has a defined filter (so sets can have dynamic members based on the filter and explicitly added members).

Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials

In addition to the enhancements found in RC 1 and its update 1, update 2 and update 3 (Brad’s take on update 3):

Adds support for SQL Server Failover Clusters for High Availability

New type of MPR (Set based Transition vs. Request based)

· Adds support for taking database backups without stopping the FIM Service.

· New Supported Platforms for FIM Certificate Management

· Windows Server 2008 R2

· Windows Server Datacenter edition

· Added support for Exchange 2010 for the following scenarios:

· FIM Synchronization Service support for Active Directory Management Agent and GAL Management Agent

· The FIM Service sending and receiving mail

· Outlook 2007 on Exchange 2010 sending approvals and group membership requests

· You can now copy and paste a vertical list from Excel to the Resource Picker input box. This is especially useful for doing bulk Adds.

· The UOC text box now lets you check uniqueness using a custom XPATH statement that you provide.

The FIMMA will now store error messages with the operation during export. You do not have to look in the FIMService event log anymore to see the errors.

You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code still was needed for declarative provisioning.

· Added two new Declarative provisioning functions:

· Null – This Synchronization Rule should not contribute a value to support not flowing values to disabled accounts.

· ReplaceString – Find and replace a substring in another string

Added support for Exchange 14 mailbox provisioning

Labels: , , ,

Monday, February 1, 2010

Final Update for FIM RC1 released

On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1 available through connect

Major changes as part of Update 3 (my regurgitation and comments from the release notes):

  • Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
  • Less need for custom old style code
    • Now more than 1 MA can be authoritative for deleting an object (resource)
    • New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
      • Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
      • ReplaceString
  • New type of MPR – Set Transition MPRs vs. request based MPRs
    • Run on Policy Update only applies to this type
    • All other MPRs are – request based MPRs
    • This should easy some of the difficulty in wrapping heads around MPRs.
  • DBA’s will love these:
    • Backups without stopping the FIM Service and now supported!
    • SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
  • Prereqs have changed
    • Server Components
      • Windows Installer 4.5 is required,
    • FIM Service requires SQL 2008 SP 1
    • The addin for Outlook now needs Outlook 2007 SP 2



Even the certificate management side got some improvements: Windows Server 2008 R2


Also check out Brad’s post on the SP3 for MIIS or an update to ILM 2007 FP 1

Labels: , , ,

FIM Hand on Labs

More Hands on Labs for Forefront Identity Manager will be coming up (similar to the one I did in Irvine, CA) – Phoenix April 7th and 8th and then Dallas sometime in May.

Labels: , ,

Sunday, November 29, 2009

FIM RCDC explained in brief

In this post I attempt to give you the reader a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration formerly known as the Object Visualization Configuration (OVC). RCDC is the way you custom how FIM displays objects (now called resources) in the portal. Now for English: If you need to change the options and information users see in the FIM portal when they create new users, groups (security or distribution), or edit or view these resources you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:



Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need a have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in Red is the Header Grouping and provides the caption for the RCDC in this case: Create Security Group. The Header Grouping contains just one control the UocCaptionControl and it is this control that determines what will be displayed based on the Caption and Description Attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up. to 16 groupings counting the Header Grouping and the Summary Grouping, leave up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as displayname and description (SchemaDataSource), and a listing of Active Directory Domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. There are two purposes for these: 1) to provide the xsl transformation to provide a different summary of changes on the Grouping Summary, and 2) to provide a list for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements, and attributes. The element type you will be concerned with are the Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UoCListView Control, and you can’t make use of events.)

The attributes and properties are used to govern the behavior of the control. They can be bound to the different data sources, to cause the control to interact with an attribute on a resource, to control the visibility and editing on a control, and to provide the list of options to choose from.

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.

Labels: , , ,

Tuesday, November 24, 2009

Answering my FIM RC 1 question

Thanks to Darryl Russi for answering my questions in my earlier post An Update to FIM RC1 where I was asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes and then Darryl answers the first question in great deal.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.

Labels: , , ,

Monday, November 23, 2009

Identity Synchronization FIM 2010 HOL Irvine California

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training



Date: December 1-2, 2009

Location:   3 Park Plaza, Suite 1800   Irvine, CA  92614     949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend. 

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat.   Invitation only registration link – click here!

Questions? Contact Gemalto |  |  (888) 343 5773  |

Labels: , , ,

Sunday, October 4, 2009

FIM RC 1 is here – what’s new?

FIM RC 1 is here.  Microsoft released it on Sept 30th which is the end of Q3 of 2009 which means the ILM/FIM team at Microsoft met their stated deadline announced back in March.

Here is the download:

What’s new:

Gil Kirkpatrick has a nice post about the differences in the data structure:

Auditing FIM 2010 RC1

Darryl Russi a Sr. Test Lead at Microsoft has started blogging about FIM RC 1 performance:

Microsoft has also included some pretty good documentation (available for independent download through the Microsoft connect site

Search for

Forefront Identity Manager 2010 (FIM 2010) Beta

Pay careful attention to the Release Notes.

One big thing I noticed, that I have been seeing with RC 0 and was hoping would be fixed with RC 1 was getting a “no-start-full-import-required” error during a delta import, however the release notes for RC 1 state:

Do not use delta-import with FIM MA

· In this release, always run a full import when synchronizing the FIM MA. Running a delta-import may result in a no-start-full-import-required error in some scenarios.

There are also several FIM schema changes you can make that make it impossible to restart the service and require a reinstall so keep an eye out for those: “[creating] a multi-valued Boolean attribute”, “[creating] custom attributes or resource types with duplicate names”,  or “[creating] a binding that uses the same resource type and attribute combination as another binding.” These last two are possible through the web service.

Password Reset

A nice thing is that the standard Password Reset workflows and MPRs are pre-created for you. I guess some people saw my Visio diagram of the fairly complex Password Reset process and heard the woes of everyone that tried to set it up. Kudos! This is possible because Management Policy Rules (MPRs) can be enabled and disabled!


Name Changes

Among other things is a documentation road map listing all of the documents available for IT Pros and an Identity Terminology guide. Defines almost everything including XAML, but they forgot XOML. They have changed some names but don’t mention the old name so here is my best attempt:

Old Name New Name Comment
ILM 2 FIM When Microsoft announced the name change back in April they said “ForeFront means business ready security.” I don’t know how you feel about Forefront Client Security but everything from Antigen, to ISA, to IAG, to ILM has been rebranded to Forefront. Does this mean that ForeFront Stirling is going to monitor FIM? I don’t know.
Object Visualization Configuration (OVC)

resource control display configuration (RCDC)

Same thing, new name, same limitations:  “you cannot write a customized function (Handler)” (Introduction to

resource control display configurations)

Although the documentation is much clearer on those limitations, and greatly expands on other topics as well.

CLM FIM CM FIM Certificate Management


Install Guide

The install guide looks fairly complete, just change any references to Enterprise Manager to mean Management Studio. When SQL 2005 came out I kept calling it Enterprise Management Studio (yes I would stutter on Manager-ment).

A big thing to note is this:

Assign enough space for the database

The FIM Service database will not autogrow even if those settings are enabled by default by SQL Server. You should expand the Data and Log files to be able to hold all data needed.


Wow! No autogrowth! I saw that happen with RC 0 but couldn’t believe it.

It also includes documentation on the parameters for unattended install. As you know from prior post my team and I prefer unattended installs.

Migrating from Test to Prod

There is a document called “Introduction to the Configuration Migration Tool

This document describes how to migrate a FIM 2010 configuration from a test environment to a production environment.

Yeah! We so needed this tool! Powershell! Sweet!

Labels: ,

Tuesday, June 2, 2009

To PKI or not to PKI?

When should one implement a Public Key Infrastructure and when should one not? Obviously we implement a PKI to solve a problem, usually around security, enabling secure communications with a web server, multi-factor authentication, encryption. A PKI solution can be very versatile, but it comes at a price in setup and maintenance. But what alternatives do we have? Let's examine each problem in turn


Problem PKI difficulties Alternatives Benefits for Alternatives
Enable Secure web transactions (SSL) certs expire without warning anyone none  
Secure network communications (IPSEC) Need to issue certificates to all client computers (can use AutoEnroll GPO) none  
Multi-factor authentication for Wireless networks using 802.1X Need to issue certificates to all client computers or smart cards to all users Radius -- One Time Password Tokens With Quest Defender issuing and maintaining of OTP is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone
Multi-factor authentication (certificates, smart cards) Need to issue smart cards to all users (can be time consuming) Need special hardware One Time Password Tokens With Quest Defender issuing and maintaining of OTP is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone. Can work even on computers without the smart card reader.
Encryption of files (EFS) Need to issue smart cards to all users (can be time consuming) AD Rights Management Services Enrollment of users is transparent -- new users can be given permissions by adding them to groups without having to re-encrypt the files. No need to renew certificates. Restrictions are enforced after file is opened. It allows you to assign rights and permissions to other people to documents (open, saving, edit, print, cut and paste) and emails (forward, cut and paste)
Enabling users (internal and/or external) to use your code without getting scary warning (Signing Code Modules, Macros, ActiveX controls etc) Need to issue/buy certificates for developers none  
Signing emails Need to issue certificates (whether on smart cards or not) to all users PGP (web of trust)  
Encrypting emails Need to issue certificates (whether on smart cards or not) to all users AD Rights Management Services

PGP (web of trust)
AD RMS Enrollment of users is transparent. Restrictions are enforced after file is opened. It allows you to assign rights and permissions to other people to documents (open, saving, edit, print, cut and paste) and emails (forward, cut and paste)

In short you need certificates for SSL, IPSEC, code signing and signing emails. Whether you build your own PKI or get certificates for them is another question. For SSL and code signing you can get away with buying your certs and should if your web site and/or code is for the public (although if you have enough you may want to look at setting up a subordinate CA with a Public CA that way you control the certs but they are issued through a trusted root CA and your customer don't get those confidence inspiring messages asking them whether to trust you or not) . For IPSEC and signing emails you should implement your own PKI in order to save the cost of buying so many certs.

If you need to implement signing of emails along with multi-factor authentication then it makes sense to take advantage of the versatility of certificates on smart cards. Then it makes sense to implement the Certificate Management component (CLM) of ILM 2007 to ease many of the challenges with issuing and managing smart cards.

However, if multi-factor authentication and encryption are your main goals you may want to take a look at one time password tokens with Defender and Microsoft's AD Rights Management Services (AD RMS) respectively. Both present easier and perhaps cheaper alternatives, that also add capabilities. Defender adds the capability to use multi-factor authentication on machines without smart card readers, and AD RMS adds the capability to restrict what users can do with content even after they decrypt it.

Labels: , , , , ,

Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

Thursday, May 28th

(Live Meeting links will be
sent to all registrants) (Click Here to RSVP)

David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

*Convert time zone


Webinar: The Business Impact of Identity
and Access Management with Forefront Identity Manager 2010
(formerly ILM "2")

You’re invited to attend an informational webinar showcasing the business benefits associated of Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (Formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.
Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.

The Business Value of Microsoft’s Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management

    • IDA with Forefront Identity Manager 2010 (ILM 2)

    • Maintaining existing ILM 2007 deployments

  • Strong Authentication

    • Certificate Services

    • Quest Defender

  • Sharing with Partners and Customers

  • Active Directory Federation Services /Geneva

    • Reducing the need to provision Accounts for Partners

    • Speedier disabling of access for Partner/Customer’s Accounts

    • Implications with cloud based applications

  • Information Protection (now that you’re sharing your documents, how do you protect them)

  • Active Directory Rights Management Services

    • Add-ons

Labels: , , , , ,

Wednesday, April 29, 2009

Dealing with the ILM 2 RC 0 Cert in Windows server 2003 domain

The Password Reset  instructions ask us to use Group Policy to distribute the cert to the clients. This only works in Windows Server 2008 functional level domains. In Windows Server 2003 domains you can automate this using cerutil.exe
The following command will export the cert generated by ILM 2 install to the ilm2cert.cer file in the working directory

certutil -store trustedpeople IdentityLifeCycleManager2 ilm2cert.cer

This command can be used to import the cert from the command line
certutil -f -addstore trustedpeople ilm2cert.cer

-- I guess we could put the cert in a public share and then add this to the login script
certutil -f -addstore trustedpeople \\someserver\publicshare\ilm2cert.cer

Or add this to a batch file that also calls the password client install

Labels: , ,

Monday, April 20, 2009

Problems with Sync Rules in ILM 2 RC0 (err FIM RC0)?

Well I had a problem with a recent install -- the Metaverse Object Type Dropdown list was empty!


Turns out the source of this drop down list is the mv-data object type. However my install didn't have this object. Obviously something was wrong. How does one create this object in the first place? Not directly in the portal. I am not certain when this object is supposed to be created. Install time? First export through the ILM MA? None of these seem to match up based on time stamps. It wasn't created during install. It was created before the first import of the ILM MA, and the first Export of the ILM MA. It does match the time of the creation of the ILM MA in the Identity Manager tool in the synchronization engine.  The object is created by a request generated by the Built In Synchronization Account (BISA) this is the account used by the ILM MA.

My solution was to modify my ILM sync engine Metaverse schema and then viola the drop down list was populated (the mv-data object was created). This means that after the MA is created some process in the sync engine is either sending a request to the ILM 2 Web Service through the ILM MA or the ILM 2 web service is monitoring the Sync Engine. I am guessing the former.

Labels: , ,

ILM FIM Webinar Custom Workflow -- Joe Zamora

Joe Zamora the maintainer of the Ensynch ILM 2 Custom Workflow Walkthrough is our main presenter at our next Webinar this Thursday at 9 AM Pacific. To register click on the image below. The code from our Pre-con workshop is posted on CodePlex Ensynch Custom WF Activities


Labels: , , , ,

Thursday, April 16, 2009

Install ILM 2 in a SharePoint Farm

As I endeavored to install the ILM 2 Portal into a SharePoint farm (WSS 3.0 SP 1) with a remote database I encountered the following problem:

The dreaded Premature Failure during installation.

When I turned on logging for the install and examined the file, I found:

Action 14:55:25: ConfigPortalAnonymousAccess.


CAQuietExec:  This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products and Technologies Configuration Wizard, located on the Start menu in Administrative Tools.


CAQuietExec:  Error 0xffffffff: Command line returned an error.

CAQuietExec:  Error 0xffffffff: CAQuietExec Failed

Action ended 14:55:30: InstallFinalize. Return value 3.

Action 14:55:30: Rollback. Rolling back action:

So I turned on SQL Profiler and I noticed:


So I decided to go ahead and give anonymous access (temporarily of course)


Then I mapped the login to each of the three SharePoint databases and made it db_owner.

Then my install worked perfectly. I hope to research and find out exactly which limited permissions are needed.

Labels: , ,

What's in name? Forefront Identity Manager 2010

In case you haven't heard Zoomit VIA or rather Microsoft MetaDirectory Services has been renamed yet again, from Microsoft Identity Integration Server 2003 to Identity Lifecycle Manager 2007 to Forefront Identity Manager 2010 or FIM for short. For obvious reasons the L was dropped when the F was added (Forefront + ILM = FILM).

So ILM 2 => FIM 2010


(stole this graphic from Brad Turner's blog -- his Smart Art creations are beautiful -- recently I have been studying smart art under his tutelage I hope to soon approach his level of skill)

Doug Leland, general manager of Microsoft’s Identity and Security Business Group, explained, "For example, our Identity Lifecycle Manager product is now officially named Forefront Identity Manager. We see the Forefront brand as synonymous with Business Ready Security."

From Microsoft MetaDirectory Services (MMS) to MIIS was a complete rewrite dumping Zscript for .NET and putting the metadirectory in the SQL Server back end. ILM 2007 added the Certificate Lifecycle Management piece while leaving the core functionality of MIIS alone. FIM 2010 of course adds lots of new functionality (everything you have read about ILM 2, the portal for self-service, password reset, the web service) but good old MIIS is still there as the FIM Synchronization Engine, but there have been substantial improvements under the hood to enable synchronization rules to be configured in the portal and flow into the Sync Engine.

So what's in a name some new features that according to Doug Leland spell Business Ready Security.

The Target date is still Q1 of calendar year 2010.

Labels: , , , ,