My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Wednesday, April 29, 2009

Dealing with the ILM 2 RC 0 Cert in a Windows Server 2003 domain

The Password Reset instructions ask us to use Group Policy to distribute the cert to the clients. This only works in Windows Server 2008 functional level domains. In Windows Server 2003 domains you can automate this using certutil.exe.
The following command will export the cert generated by the ILM 2 install to the ilm2cert.cer file in the working directory:

certutil -store trustedpeople IdentityLifeCycleManager2 ilm2cert.cer

This command can be used to import the cert from the command line
certutil -f -addstore trustedpeople ilm2cert.cer

-- I guess we could put the cert in a public share and then add this to the login script
certutil -f -addstore trustedpeople \\someserver\publicshare\ilm2cert.cer

Or add it to a batch file that also runs the password reset client install.


Monday, April 20, 2009

Problems with Sync Rules in ILM 2 RC0 (err FIM RC0)?

Well, I had a problem with a recent install -- the Metaverse Object Type drop-down list was empty!


Turns out the source of this drop-down list is the mv-data object type. However, my install didn't have this object. Obviously something was wrong. How does one create this object in the first place? Not directly in the portal. I am not certain when this object is supposed to be created. Install time? First export through the ILM MA? None of these seem to match up based on time stamps. It wasn't created during install. It was created before the first import of the ILM MA and the first export of the ILM MA. It does match the time of the creation of the ILM MA in the Identity Manager tool in the synchronization engine. The object is created by a request generated by the Built In Synchronization Account (BISA); this is the account used by the ILM MA.

My solution was to modify my ILM sync engine Metaverse schema, and then voilà, the drop-down list was populated (the mv-data object was created). This means that after the MA is created some process in the sync engine is either sending a request to the ILM 2 Web Service through the ILM MA, or the ILM 2 web service is monitoring the Sync Engine. I am guessing the former.


ILM FIM Webinar Custom Workflow -- Joe Zamora

Joe Zamora, the maintainer of the Ensynch ILM 2 Custom Workflow Walkthrough, is our main presenter at our next Webinar this Thursday at 9 AM Pacific. To register click on the image below. The code from our Pre-con workshop is posted on CodePlex as Ensynch Custom WF Activities.



Thursday, April 16, 2009

Install ILM 2 in a SharePoint Farm

As I endeavored to install the ILM 2 Portal into a SharePoint farm (WSS 3.0 SP 1) with a remote database I encountered the following problem:

The dreaded Premature Failure during installation.

When I turned on logging for the install and examined the file, I found:

Action 14:55:25: ConfigPortalAnonymousAccess.


CAQuietExec:  This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products and Technologies Configuration Wizard, located on the Start menu in Administrative Tools.


CAQuietExec:  Error 0xffffffff: Command line returned an error.

CAQuietExec:  Error 0xffffffff: CAQuietExec Failed

Action ended 14:55:30: InstallFinalize. Return value 3.

Action 14:55:30: Rollback. Rolling back action:

So I turned on SQL Profiler and I noticed:


So I decided to go ahead and give anonymous access (temporarily of course)


Then I mapped the login to each of the three SharePoint databases and made it db_owner.

Then my install worked perfectly. I hope to research and find out exactly which limited permissions are needed.


What's in a name? Forefront Identity Manager 2010

In case you haven't heard, Zoomit VIA, or rather Microsoft MetaDirectory Services, has been renamed yet again: from Microsoft Identity Integration Server 2003 to Identity Lifecycle Manager 2007 to Forefront Identity Manager 2010, or FIM for short. For obvious reasons the L was dropped when the F was added (Forefront + ILM = FILM).

So ILM 2 => FIM 2010


(stole this graphic from Brad Turner's blog -- his Smart Art creations are beautiful -- recently I have been studying smart art under his tutelage I hope to soon approach his level of skill)

Doug Leland, general manager of Microsoft’s Identity and Security Business Group, explained, "For example, our Identity Lifecycle Manager product is now officially named Forefront Identity Manager. We see the Forefront brand as synonymous with Business Ready Security."

From Microsoft MetaDirectory Services (MMS) to MIIS was a complete rewrite, dumping Zscript for .NET and putting the metadirectory in the SQL Server back end. ILM 2007 added the Certificate Lifecycle Management piece while leaving the core functionality of MIIS alone. FIM 2010 of course adds lots of new functionality (everything you have read about ILM 2: the portal for self-service, password reset, the web service). Good old MIIS is still there as the FIM Synchronization Engine, but there have been substantial improvements under the hood to enable synchronization rules to be configured in the portal and flow into the Sync Engine.

So what's in a name? Some new features that, according to Doug Leland, spell Business Ready Security.

The Target date is still Q1 of calendar year 2010.


Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck, is a very talented developer, and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.


Wednesday, March 25, 2009

MSIT's implementation of ILM 2

TEC 2009 continues onto the last day.

Joel Silver spoke on his efforts and plans to implement ILM 2 for Microsoft. He presented a very interesting workflow to show how he addressed the challenge of creating unique email aliases.

Then I listened to Felix as he discussed some of the interesting aspects of LDAP enhancements from around the vendorscape (I think I just made that word up).


Monday, March 16, 2009

Posted: ILM 2 Business Value webinar recording

ILM 2 Business Value Webinar Recording

It has actually been posted for some time now, I have just been a bit busy (apology to my readers).

Other items will also get posted here in the column on the right hand side:


Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they re-branded the conference NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Expert Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas 

Day / Time / Topic / Speakers

Sunday, 1 PM - 5 PM: Pre-conference Workshop 2, "Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM "2" Portal" - David Lundell and Brad Turner
Monday, 1 PM - 2:15 PM: Designing an Object Expiration & Reconciliation process in ILM 2 - Brad Turner
Monday, 1 PM - 2:15 PM: Proper Care & Feeding of ILM, CLM and RMS Databases - David Lundell
Monday, 4 PM - 5:15 PM: Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS - David Lundell and Brad Turner
Tuesday, 2:45 PM - 4 PM: ADFS Extensibility - Chris Calderon (will probably co-present with Randy Weimar)


(yes, the current schedule has Brad and me speaking on Monday at 1 PM in different rooms)


Thursday, February 12, 2009

Another talented Ensynchian joins the blogosphere

My colleague Joe Zamora, a talented developer, who has been instrumental in helping us advance our knowledge of custom workflows, has just launched his own blog: CShark.

His first post is on how to "Generate AccountName in ILM2 custom workflow activity" and it came in response to a question in the ILM 2 connect forum entitled:  Custom Workflow Activity to Generate samAccountName.

Go Joe Go!


Monday, January 19, 2009

What’s new in Identity Lifecycle Manager 2, Ask the experts

Brad Turner and I are putting on a webinar on ILM 2.



Tuesday, January 6, 2009

ILM 2 Functions Explained

Function Name / Parameters / David's Description / Example / Example Explanation

BitAnd
Parameters: 1) mask, Type: Integer; 2) flag, Type: Integer
David's Description: BitAnd is a bitwise operation ANDing mask and flag. So if flag is the userAccountControl attribute in AD and mask is negative 2147483645 (the two's complement of 2), then the result is that the disable bit (bit 2) is turned off, leaving all of the other bits unchanged. BitAnd can be combined with Eq to detect if a bit is set.
Examples:
BitAnd(-2147483645, userAccountControl)
BitAnd(-2147483645, 514) = 512
BitAnd(-2147483645, 512) = 512
BitAnd(-2147483631, 528) = 512
BitAnd(-2147483631, 512) = 512
Eq(BitAnd(2, userAccountControl), 2)
Example Explanation: Turn off the disable bit. Flow the result into userAccountControl in AD to enable a user. If userAccountControl is 514 then the example gives us 512; if it is 512 then it remains unchanged. To figure out what to use as the mask we first start with the bit we want to set (bit 16, account is locked out), then take the two's complement: start with the negative of (2^31 - 1), which is -2147483647, and add the value of the bit, in this case 16, to give us -2147483631. For the Eq example: if that is true then the disable bit is currently set in AD.

BitOr
Parameters: 1) mask, Type: Integer; 2) flag, Type: Integer
David's Description: BitOr is a bitwise operation ORing mask and flag. So if flag is the userAccountControl attribute in AD and mask is 2, then the result is that the disable bit is turned on.
Examples:
BitOr(2, userAccountControl)
BitOr(2, 512) = 514
BitOr(2, 514) = 514
Doesn't work (vote on this feedback):
IIF( Eq(scope,"Universal"),8,IIF(Eq(scope,"DomainLocal"),4,IIF(Eq(scope,"Global"),2,0)))
, IIF(Eq(type,"Distribution"),0,2147483648)
Example Explanation: Turn on the disable bit. Flow the result into userAccountControl in AD to disable a user. If userAccountControl is 512 then the example gives us 514; if it is 514 then it remains unchanged. The IIF example returns an error of "return type (Object) of function IIF is not Integer". That is an example Brad and I cooked up for groups, translating the string attributes type and scope into an integer which we then flowed into the AD group attribute groupType, which combines group scope with whether it is a distribution list or not.

CRLF
Parameters: None
David's Description: Puts in a carriage return line feed.
Examples: CRLF() = a line break; "Fred" + CRLF() + "Flatstone" = "Fred" on one line and "Flatstone" on the next.
Example Explanation: The only function with no parameters, but it still needs the () otherwise ILM thinks you are looking for an attribute.

DateTimeFormat
Parameters: 1) dateTimeString; 2) format
David's Description: Take the date and time in dateTimeString and format it according to the format parameter. As far as I have tested, it works according to the Standard Date Time Formats and the .NET Custom Date and Time Format Strings.
Examples:
DateTimeFormat("12-28-2008 12:34:01.213 PM", "MM/dd/yyyy  ddd dddd hh:mm:ss  d  f M") = "12/28/2008 ;Sun ;Sunday ;12:34:01 ;28 ;2 ;12"
DateTimeFormat("12-28-2008 12:34:01.213 PM", "G") = "12/28/2008 ;12:34:01 ;PM"
Example Explanation: It looks like you can use either the custom strings (like MM/dd/yyyy) or standard strings (like G).

ConvertSidToString
Parameters: 1) ObjectSID
David's Description: I suppose that this one works just like our good old Utils.ConvertSidToString method in the Metadirectory namespace, and is used to convert a SID to a string.

EscapeDNComponent
Parameters: 1) dnStr
David's Description: Again I suppose this one works just like
The function will escape out characters that are not permitted in distinguished names (this will vary MA by MA).
Example: EscapeDNComponent("Turner, Brad") = "Turner\, Brad"

IIF
Parameters: 1) condition; 2) valueTrue, Type: Object; 3) valueFalse, Type: Object
David's Description: If condition is true then return valueTrue; if condition is false return valueFalse.
Examples:
IIF(Eq(1,1), "Yes it's true", "No it's false") = "Yes it's true"
IIF(Eq(1,2), "Yes it's true", "No it's false") = "No it's false"

Left
Parameters: 1) str; 2) numChars
David's Description: Get a substring of str starting at the left and going numChars long.
Example: Left("David Lundell", 5) = "David"

LowerCase
Parameters: 1) str
David's Description: The name says it all.

LeftPad
Parameters: 1) str; 2) length; 3) padCharacter
David's Description: According to my testing this function works like LeftPad in the String Utils library in org.apache.commons: take padCharacter and add it to the beginning of str until str is as long as length. If str is already as long as or longer than length then don't pad. LeftPad and RightPad will never truncate or overwrite the original str.

Mid
Parameters: 1) str, Type: String; 2) pos, Type: String; 3) numChars, Type: Integer
David's Description: Get a substring of str starting at pos and going for numChars.
Example: Mid("Brad ILM Turner", 3, 5) = "ad IL"

LTrim
Parameters: 1) str
David's Description: Remove leading whitespace.
Example: LTrim("  Fred Mitchell  ") = "Fred Mitchell  "

ProperCase
Parameters: 1) str
David's Description: Capitalize the first letter of every word (presumably words are determined by having whitespace in between them).
Examples:
ProperCase("david lundell") = "David Lundell"
ProperCase("David lundell") = "David Lundell"
ProperCase("DAVID lundell") = "David Lundell"

RandomNum
Parameters: 1) start; 2) end
David's Description: Generate a random Integer between start and end (inclusive).
Example: RandomNum(10, 15) = ? where ? is between 10 and 15 (inclusive)

Right
Parameters: 1) str; 2) numChars
David's Description: Get a substring of str starting at the right and going numChars long.
Example: Right("David Lundell", 5) = "ndell"

Trim
Parameters: 1) str
David's Description: Remove leading and trailing whitespace.
Example: Trim("  Fred Mitchell  ") = "Fred Mitchell"
Example Explanation: I haven't tested all of the whitespace characters like CRLF.

RTrim
Parameters: 1) str
David's Description: Remove trailing whitespace.
Example: RTrim("  Fred Mitchell  ") = "  Fred Mitchell"

RightPad
Parameters: 1) str; 2) length; 3) padCharacter
David's Description: According to my testing this function works like RightPad in the String Utils library in org.apache.commons: take padCharacter and add it to the end of str until str is as long as length. If str is already as long as or longer than length then don't pad. LeftPad and RightPad will never truncate or overwrite the original str.

UpperCase
Parameters: 1) str

Word
Parameters: 1) str; 2) wordIndex; 3) delimiters
David's Description: Take str and chop it up into words based on delimiters, and then return the 1st, 2nd, 3rd, 4th etc. word based on wordIndex.
Examples:
Word("Brad;ILM,Turner", 2, ";,") = "ILM"
Word("Brad;ILM;Turner", 2, ";") = "ILM"
Word("Brad;,ILM;,Turner", 3, ";,") = "ILM"
Example Explanation: delimiters takes each delimiter character and uses them as separate delimiters, not as a combination delimiter, so ";," means that the second word in "Brad;,ILM;,Turner" is "" and the third word is "ILM".

Hopefully this helps you in your codeless provisioning quest.

Remember there are limitations: the output of IIF can't feed into a function parameter expecting an Integer, like the mask or the flag in BitAnd or BitOr -- and no, I am not BitOr about it. Without casting and conversion functions that is an obstacle that can't be overcome using the ILM 2 functions; for that you may need to turn to custom workflows.
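The mask arithmetic and the Word delimiter rule in the table are easy to get wrong, so here is an added Python model (not the page's code and not FIM's implementation) that reproduces the worked results above and generalizes the mask derivation to any userAccountControl bit. mask_to_clear follows the derivation the table gives (start from the negative of (2^31 - 1) and add the bit value); the way bit_and interprets a negative mask is an assumption, chosen because it is the reading under which all four BitAnd results in the table hold (a plain two's-complement AND would give 2, not 512, for BitAnd(-2147483645, 514)); left_pad and word model the padding and delimiter behaviour the table describes. All function names, the constants and the sample values are constructed for this example.

```python
import re

# Constructed constants for the examples: bit values of the two AD userAccountControl
# flags the table refers to (disable bit = 2, account-locked-out bit = 16).
ACCOUNT_DISABLED = 2
ACCOUNT_LOCKED_OUT = 16


def mask_to_clear(bit_value):
    """The BitAnd mask derivation from the table: start with the negative of (2^31 - 1)
    and add the value of the bit to clear. Gives -2147483645 for bit 2, -2147483631 for 16."""
    return -(2 ** 31 - 1) + bit_value


def bit_and(mask, flag):
    """Model of ILM 2 BitAnd(mask, flag).

    ASSUMPTION (not FIM's source): a negative mask is read as sign-and-magnitude, so the
    bits kept are the magnitude's bits, i.e. 0x7FFFFFFF with the target bit cleared.
    This reading reproduces all four worked BitAnd results in the table; a plain
    two's-complement AND (0x80000003 for -2147483645) would not.
    """
    keep_bits = abs(mask) & 0xFFFFFFFF
    return flag & keep_bits


def bit_or(mask, flag):
    """ILM 2 BitOr(mask, flag): turn on the bits of mask in flag."""
    return flag | mask


def bit_is_set(bit_value, flag):
    """Eq(BitAnd(bit, flag), bit) from the table: is this bit currently set in flag?"""
    return bit_and(bit_value, flag) == bit_value


def left_pad(s, length, pad_char):
    """LeftPad as the table describes it: pad on the left up to length, never truncate."""
    if len(s) >= length:
        return s
    return pad_char * (length - len(s)) + s


def word(s, word_index, delimiters):
    """Model of ILM 2 Word(str, wordIndex, delimiters): each delimiter character splits
    on its own (not as a combined delimiter), so adjacent delimiters yield an empty word.
    wordIndex is 1-based; an out-of-range index returns "" (assumption)."""
    parts = re.split("[" + re.escape(delimiters) + "]", s)
    if 1 <= word_index <= len(parts):
        return parts[word_index - 1]
    return ""


def describe_account(uac):
    """Read the disable/lockout bits of one userAccountControl value and show what the
    enable (BitAnd) and disable (BitOr) flows from the table would produce for it."""
    return {
        "disabled": bit_is_set(ACCOUNT_DISABLED, uac),
        "locked_out": bit_is_set(ACCOUNT_LOCKED_OUT, uac),
        "enabled_value": bit_and(mask_to_clear(ACCOUNT_DISABLED), uac),
        "disabled_value": bit_or(ACCOUNT_DISABLED, uac),
    }


if __name__ == "__main__":
    for uac in (512, 514, 528):  # constructed sample userAccountControl values
        print(uac, describe_account(uac))
    print(repr(word("Brad;,ILM;,Turner", 2, ";,")))  # the second "word" is empty
    print(word("Brad;,ILM;,Turner", 3, ";,"))        # ILM
```

describe_account is the shape of check a defender would run over exported userAccountControl values before trusting a sync rule: it tells you whether the disable bit is set today and what value the enable and disable flows would write, so a wrong mask shows up as an unexpected "enabled_value" rather than as a surprise in AD.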


Monday, January 5, 2009

ILM 2 Functions all in one place

I couldn't find in the ILM 2 RC 0 documentation anyplace that listed all of the functions available to you in sync rules and action workflows so here they are:

Don't forget about the boolean functions available for use in the IIF function. Now you can at a glance see the list of functions, their list of parameters and their official explanations.


Tuesday, December 23, 2008

ILM "2" confirmHumanity="false"

I was getting ready to try out some of the various installation topologies that may be possible with ILM "2" including: separating the Portal and the Service (definitely possible), having two portals point back to the same service (I think it's possible), when I came across the most interesting item in the ILM "2" installation guide in the section on Installing the ILM Service and ILM Portal on separate servers. Let's see if you can spot it too:

On ILM Service server, edit the file

  • c:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config as follows:
    • <resourceManagementService certificateName="IdentityLifecycleManager2" confirmHumanity="false" servicePrincipalName="IdentityManagementService/computername"/>


What in the world can that be about? confirmHumanity="false"? Well at least the coder followed camelCasing so we may have a hint as to the perpetrator's identity -- Jerry Camel have you been doing some work for Microsoft?

Will someone please explain what this means? Is ILM "2" the Terminator? I mean it will deactivate and deprovision your accounts when you leave -- and afterwards it can show that you have been terminated!

We may never know! But comments are welcome.


Monday, December 22, 2008

Business Problems VS Technical Problems

A business problem is when employees can't execute their job duties in an efficient fashion. In fact, sometimes they are unable to complete the tasks at all. Business problems are especially costly when they directly affect customers. These problems can cause cash flowing into the company to be delayed as a customer waits to place an order or to receive goods (and hence to pay). They can cause revenue to be lost as a customer temporarily takes their business to a competitor or finds a substitute; sometimes this leads to customers forming new business relationships and the loss of all future revenue from that customer. Non-customer-affecting business problems may result in higher costs without affecting revenue. For example, a problem on the job shop floor causes workers to put in overtime to complete customer jobs on time, raising costs without directly affecting the customer.

As Rodd Wagner and James K. Harter point out in their book 12: The Elements of Great Managing, company profitability is highly correlated with employees knowing what is expected of them and having adequate tools and materials (elements 1 and 2). When these two elements are shortchanged, business problems result, costs go up and revenue goes down.

A technical problem is often the root cause of employees not having adequate tools or materials. A more specific definition could be that a technical problem is the cause of the Information Technology department (people, process and technology) not being able to adequately fulfill a need expressed by the business. This inadequacy could be a matter of accuracy, timeliness, or consistency. It could also be a matter of lacking the capability. These are technical problems, such as not being able to provision and deprovision accounts and entitlements quickly enough, accurately enough (deleted the account for the wrong Jane Smith), or consistently enough (only 10 of the user's 16 accounts deprovisioned on average, per IDC) because the Identity Management system goes down frequently, or is too complex to change and the rules it enforces are outdated. Another possible technical problem could be that requests are lost or seem to take forever to be fulfilled because the process, supported by paper or a help desk ticket, doesn't move efficiently. Requests may be fulfilled incorrectly or inconsistently because the fulfillment is not automated and/or checklists don't exist or aren't followed.

Hence good managers look for ways to provide knowledge of expectations and sufficient tools and materials for their employees to do their jobs. I believe you'll agree that one of those great tools is ILM "2".


Saturday, December 6, 2008

ILM 2 Web Services Part 1 and 1/2

A few days after my post about setting up the ILM 2 Web Service reference, Joe Schulman and others from the ILM product group began a new blog designed to fill in the gaps in the community's knowledge about how to use the web services. So far the blog looks great and is a welcome addition to my knowledge and the community's knowledge base! Great job Joe and Company, and thanks for the link to my blog.

Identity Management Extensibility

I recommend starting out by reading the intro post as it gives a great overview of what to expect.

Also check out the code samples online at MSDN

Shortly I will be getting back to more technical posts.


Live@edu Partner Airlift and SQL PASS, Flat Tires, and Thanksgiving

As for me, why no posts since Nov 11th? Well, I have attended the Live@edu Partner Airlift in Redmond and SQL PASS, had a flat tire, and enjoyed Thanksgiving. In this post

I attended the Live@edu Partner Airlift in Redmond to see what's new under the sun for schools and universities. Exchange Labs is now available on a widespread basis (see fellow MVP Almero Steyn's blog posts on Live@edu and on Exchange Labs)! Students and alumni can now have school-domain-based Exchange hosted email accounts for life at no cost to their schools. While this program has offered Hotmail accounts, now you can have hosted Exchange accounts. I had a great time at the Airlift; thanks to Michael Wegman, Richard Wakeman, Andy Hoag, Steve Winfield (not Dave Winfield, nor Steve Winwood), Anna Kinney and everyone else for putting it on.

I was privileged enough to attend SQL PASS for the first time. This year it was in Seattle, so that meant two straight weeks in the Puget Sound area. It was fun to return and visit, see old friends, see my old house (where we lived for 9 months), see some beautiful wet countryside, and experience more of downtown Seattle, but I sure was glad to get back to the warmth of the Arizona sun! I did sneak my wife up for the weekend in between events and we did some of the tourist events we didn't have the chance to do while living there. We ate dinner at the Space Needle, took a cruise in the bay, saw some glass blowing, rode the monorail and visited Pike Place Fish Market (the famous one featured in Fish!, as well as the other two lesser known fish markets).

I took this photo on the cruise.


I greatly enjoyed SQL PASS, making and renewing acquaintances with many of the SQL Server MVPs. Thanks for letting me hang out and participate in all of the SQL MVP stuff without feeling like too much of an outsider! I saw lots of great sessions. Unfortunately I had to exit early from Gail Shaw's Dirty Dozen presentation on the twelve things not to do in your SQL code, but it seemed like it was going quite well.

After returning from Seattle we discovered that our 1 yr old Honda Odyssey had a flat. Out came the jack. Ouch went the back! But at least it prompted me to look at my other car and realize that I needed two new tires (an ounce of prevention is worth a pound of cure)!

I would like to remember this Thanksgiving as relaxing, fun, filled with family and friends and this year I can ;)
