My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Thursday, March 25, 2010

FIM Pitfall for old ILM hands

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.

Well a few days ago I learned that old habits die hard. Fortunately, only 7 duplicate accounts were created and only in the connector space as pending exports of type add. So they were easily dealt with. Nonetheless, it just reminded me that when technology changes sometimes your old instincts can betray you.

On another note: in writing this post I felt a bit like my friend and former co-worker, Craig Martin, who in his very humorous TEC speaker bio wrote:

Craig Martin speaks in the third person when writing his own brief biography … spending countless hours weeding out issues in his lab environments learning CLM lessons the hard way in order to beat his chest in triumph and share his scars as lessons in a self-deprecating manner.

Man what a crack up. Of course his bio shows up right after mine on the speakers bio page! Gosh don’t I feel a bit pompous with the contrast as I list off all of my accomplishments dating back to grade school. Oh, I forgot to mention in my bio that I won 1st place in the Gilroy Unified School District Math Contest when I was in 4th grade! That treasured trophy was kept in a cardboard box for many years until one day my then six year old son asked if I ever earned any trophies – and it has endured several repair jobs since my son got his hands on it. Well I suppose I just wanted to let people know that I have some cool things to share this TEC and hope you come along to hear them.

I also encourage everyone to attend Craig’s session (hopefully he won’t lose his voice this year), of course if you attend Brad Turner’s session right beforehand you won’t even have to change rooms!


Tuesday, March 2, 2010

FIM 2010 RTM Today!

Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

Download the eval here:

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version


FIM gives us capabilities for User provisioning (and deprovisioning), Group management, Self-Service Password Reset, Password Synchronization, Workflows with Approvals, User profile self-service management, and accomplishing these items through Declarative Provisioning. Yet FIM retains an incredible set of extensibility points: customization of the Portal and of the schema of the objects, managing new systems, custom workflows, and custom clients to the FIM web service.


According to the release notes there are some nice new enhancements:

· You can now have explicit members in a set which has a defined filter (so sets can have dynamic members based on the filter and explicitly added members).
· Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.

In addition to the enhancements found in RC 1 and its update 1, update 2 and update 3 (Brad’s take on update 3):

· Adds support for SQL Server Failover Clusters for High Availability
· New type of MPR (Set based Transition vs. Request based)
· Adds support for taking database backups without stopping the FIM Service.
· New Supported Platforms for FIM Certificate Management
  · Windows Server 2008 R2
  · Windows Server Datacenter edition
· Added support for Exchange 2010 for the following scenarios:
  · FIM Synchronization Service support for Active Directory Management Agent and GAL Management Agent
  · The FIM Service sending and receiving mail
  · Outlook 2007 on Exchange 2010 sending approvals and group membership requests
· You can now copy and paste a vertical list from Excel to the Resource Picker input box. This is especially useful for doing bulk Adds.
· The UOC text box now lets you check uniqueness using a custom XPATH statement that you provide.
· The FIMMA will now store error messages with the operation during export. You do not have to look in the FIMService event log anymore to see the errors.
· You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code was still needed for declarative provisioning.
· Added two new Declarative provisioning functions:
  · Null – This Synchronization Rule should not contribute a value, to support not flowing values to disabled accounts.
  · ReplaceString – Find and replace a substring in another string
· Added support for Exchange 14 mailbox provisioning


Monday, February 1, 2010

Final Update for FIM RC1 released

On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1, available through Connect.

Major changes as part of Update 3 (my regurgitation and comments from the release notes):

  • Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
  • Less need for custom old style code
    • Now more than 1 MA can be authoritative for deleting an object (resource)
    • New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
      • Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
      • ReplaceString
  • New type of MPR – Set Transition MPRs vs. request based MPRs
    • Run on Policy Update only applies to this type
    • All other MPRs are – request based MPRs
    • This should ease some of the difficulty in wrapping heads around MPRs.
  • DBA’s will love these:
    • Backups without stopping the FIM Service are now supported!
    • SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
  • Prereqs have changed
    • Server Components
      • Windows Installer 4.5 is required
    • FIM Service requires SQL 2008 SP 1
    • The addin for Outlook now needs Outlook 2007 SP 2



Even the certificate management side got an improvement: Windows Server 2008 R2 is now a supported platform.


Also check out Brad’s post on the SP3 for MIIS or an update to ILM 2007 FP 1.


FIM Hands on Labs

More Hands on Labs for Forefront Identity Manager will be coming up (similar to the one I did in Irvine, CA) – Phoenix April 7th and 8th and then Dallas sometime in May.


Sunday, November 29, 2009

FIM RCDC explained in brief

In this post I attempt to give you, the reader, a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC, the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall, FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration, formerly known as the Object Visualization Configuration (OVC). RCDC is the way you customize how FIM displays objects (now called resources) in the portal. Now for English: if you need to change the options and information users see in the FIM portal when they create new users or groups (security or distribution), or edit or view these resources, you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc.) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:



Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need to have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in red is the Header Grouping and provides the caption for the RCDC, in this case: Create Security Group. The Header Grouping contains just one control, the UocCaptionControl, and it is this control that determines what will be displayed, based on its Caption and Description attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up to 16 groupings counting the Header Grouping and the Summary Grouping, which leaves up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as displayname and description (SchemaDataSource), and a listing of Active Directory Domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. There are two purposes for these: 1) to provide the xsl transformation to provide a different summary of changes on the Grouping Summary, and 2) to provide a list for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements and attributes. The element type you will be concerned with is Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UocListView control, and you can’t make use of Events.)

The attributes and properties are used to govern the behavior of the control. They can be bound to the different data sources, to cause the control to interact with an attribute on a resource, to control the visibility and editing on a control, and to provide the list of options to choose from.
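As an added illustration (my own code, not from the original post or from Microsoft), here is a small Python lint that parses a constructed, minimal Create RCDC and checks the structural rules described above: one named Panel, at most 16 groupings, one header grouping holding a single UocCaptionControl, 1 to 256 controls per content grouping, and every {Binding Source=...} pointing at a declared data source. The namespace URI and the element and attribute names in the sample are assumptions from memory of exported RCDCs; compare them against an RCDC exported from your own FIM portal.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of RCDC documents (assumed; compare with an RCDC exported from your FIM portal).
NS = "http://schemas.microsoft.com/2006/11/ResourceManagement/ObjectControlConfiguration"
MY = "{" + NS + "}"  # ElementTree's Clark notation for namespaced element and attribute names
BINDING_RE = re.compile(r"\{Binding\s+Source=(\w+)")

# Constructed, minimal Create RCDC for a group resource (not the RCDC shipped with FIM).
SAMPLE_RCDC = """<?xml version="1.0" encoding="utf-8"?>
<my:ObjectControlConfiguration
    xmlns:my="http://schemas.microsoft.com/2006/11/ResourceManagement/ObjectControlConfiguration">
  <my:ObjectDataSource my:TypeName="PrimaryResourceObjectDataSource" my:Name="object" />
  <my:ObjectDataSource my:TypeName="PrimaryResourceDeltaDataSource" my:Name="delta" />
  <my:ObjectDataSource my:TypeName="PrimaryResourceRightsDataSource" my:Name="rights" />
  <my:ObjectDataSource my:TypeName="SchemaDataSource" my:Name="schema" />
  <my:XmlDataSource my:Name="summaryTransformXsl"
      my:Parameters="Microsoft.IdentityManagement.WebUI.Controls.Resources.DefaultSummaryTransform.xsl" />
  <my:Panel my:Name="panel" my:AutoValidate="true">
    <my:Grouping my:Name="HeaderGrouping" my:IsHeader="true">
      <my:Control my:Name="Caption" my:TypeName="UocCaptionControl"
          my:Caption="Create Security Group" my:Description="Create a new security group." />
    </my:Grouping>
    <my:Grouping my:Name="General" my:Caption="General">
      <my:Control my:Name="DisplayName" my:TypeName="UocTextBox" my:Caption="Display name"
          my:RightsLevel="{Binding Source=rights, Path=DisplayName}">
        <my:Properties>
          <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=DisplayName.Required}" />
          <my:Property my:Name="Text" my:Value="{Binding Source=object, Path=DisplayName, Mode=TwoWay}" />
        </my:Properties>
      </my:Control>
    </my:Grouping>
    <my:Grouping my:Name="Summary" my:Caption="Summary" my:IsSummary="true">
      <my:Control my:Name="SummaryControl" my:TypeName="UocHtmlSummary">
        <my:Properties>
          <my:Property my:Name="ModificationsXml" my:Value="{Binding Source=delta, Path=DeltaXml}" />
          <my:Property my:Name="TransformXsl" my:Value="{Binding Source=summaryTransformXsl, Path=/}" />
        </my:Properties>
      </my:Control>
    </my:Grouping>
  </my:Panel>
</my:ObjectControlConfiguration>
"""


def lint_rcdc(xml_text):
    """Return the list of structural problems found; an empty list means the RCDC passes."""
    problems = []
    root = ET.fromstring(xml_text)

    # Data sources are declared at the top level; bindings may only name these.
    sources = {el.get(MY + "Name") for el in root
               if el.tag in (MY + "ObjectDataSource", MY + "XmlDataSource")}

    panels = root.findall(MY + "Panel")
    if len(panels) != 1:
        return ["expected exactly one Panel, found %d" % len(panels)]
    panel = panels[0]
    if not panel.get(MY + "Name"):
        problems.append("Panel must have a Name")

    groupings = panel.findall(MY + "Grouping")
    if len(groupings) > 16:
        problems.append("%d groupings, but at most 16 are allowed" % len(groupings))
    headers = [g for g in groupings if g.get(MY + "IsHeader") == "true"]
    if len(headers) != 1:
        problems.append("expected exactly one header grouping, found %d" % len(headers))

    for g in groupings:
        name = g.get(MY + "Name")
        controls = g.findall(MY + "Control")
        if g.get(MY + "IsHeader") == "true":
            # The header grouping holds only the caption control.
            if len(controls) != 1 or controls[0].get(MY + "TypeName") != "UocCaptionControl":
                problems.append("header grouping %s must hold one UocCaptionControl" % name)
        elif g.get(MY + "IsSummary") != "true" and not 1 <= len(controls) <= 256:
            problems.append("content grouping %s has %d controls (1-256 allowed)"
                            % (name, len(controls)))

    # Every {Binding Source=X, ...} on any attribute must refer to a declared data source.
    for el in root.iter():
        for value in el.attrib.values():
            for src in BINDING_RE.findall(value):
                if src not in sources:
                    problems.append("binding refers to undeclared data source %r" % src)
    return problems


if __name__ == "__main__":
    print(lint_rcdc(SAMPLE_RCDC) or "RCDC passes the structural checks")
```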

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.


Tuesday, November 24, 2009

Answering my FIM RC 1 question

Thanks to Darryl Russi for answering my questions in my earlier post, An Update to FIM RC1, where I asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes, and then Darryl answers the first question in great detail.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.


Monday, November 23, 2009

Identity Synchronization FIM 2010 HOL Irvine California

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training



Date: December 1-2, 2009

Location:   3 Park Plaza, Suite 1800   Irvine, CA  92614     949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend. 

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat.   Invitation only registration link – click here!

Questions? Contact Gemalto: (888) 343 5773


Monday, July 20, 2009

MVP for the 3rd time

Both my colleague Brad Turner and I were renewed for ILM MVP.

I am glad to receive this honor another year.


Congrats to new ILM MVP Marc Mac Donnell

You can see a list of all ILM MVPs that have chosen to make their profiles public (Marc hasn't set up his yet).

I just hope I can win the MVP at home!


Monday, June 29, 2009

The attributes behind Message Delivery Restrictions

Do you know what attributes are used to control who can and can't send to a Distribution List in Exchange 2003 and Exchange 2007? Or does it use a DACL?

Knowing such things is key if you are going to automate distribution list management through .NET programs, or MIIS/ILM/FIM, Quest ARS or any other tool that is talking to LDAP attributes. For Powershell you need a separate list since the names are different.

Seeing as how a picture is worth a thousand words I'll include some after a brief explanation:

At first I was afraid that it used the SendTo permission on DACLs, but fortunately that is not what the Exchange GUI tools change. This is fortunate since ILM does not have an out of the box MA that modifies DACLs on AD objects; it is also fortunate since programming against DACLs is somewhat complicated. I must give thanks to my friend Joe Kaplan and his co-author Ryan Dunn for the help in their book (see page 302, listing 8.2, which lists the DACL) and their forum:

The .NET Developer's Guide to Directory Services Programming

With the help from their book I was able to eliminate DACLs since the darn things never changed. FC never lies.

Open the Exchange Console, navigate to the Distribution Lists, open the list's properties, go to Mail Flow Settings, click on Message Delivery Restrictions and then click on the blue check mark next to Properties:


So what I found was five attributes that control the fate of who can and who can't send to a particular recipient (in this case a distribution list): authOrig, dLMemSubmitPerms, unauthOrig, dLMemRejectPerms, and msExchRequireAuthToSendTo.

Attribute Name | Name in GUI | Explanation | PowerShell (Set-DistributionGroup), just as an FYI
authOrig | Accept messages from: Only senders in the following list | If this attribute and dLMemSubmitPerms are both empty, that is the equivalent of All Senders. If populated, only the recipients listed here and the members of the distribution lists enumerated in dLMemSubmitPerms can send items to this distribution list, minus anyone listed in unauthOrig and anyone who is a member of a distribution list enumerated in dLMemRejectPerms. | -AcceptMessagesOnlyFrom
dLMemSubmitPerms | same as above | see above | -AcceptMessagesOnlyFromDLMembers
unauthOrig | Reject messages from: Senders in the following list | Prevents recipients listed here from sending to this distribution list. |
dLMemRejectPerms | same as above | Prevents recipients who are members of the distribution lists listed here from sending email to this distribution list. |
msExchRequireAuthToSendTo | Require that all senders are authenticated | When set to True only authenticated users (no external users) can send mail to this distribution list. |


For more info on attribute to Powershell attribute name conversions see

For more on the Powershell commands with some examples see

What would be really nice would be if FIM 2010 already had the schema and OVC extended for this, since this is the very next thing people at a big company ask for after finding out they can automate distribution list maintenance.

As promised, some pretty pictures to help explain (on the left you see the screenshot from ADSI Edit and on the right the snapshot of the Exchange Console):



On this one I reverse the order:


By now you get the idea: if you select a distribution list in the Senders in the following list box, it gets put here:


So we see that the Exchange Console cleverly sorts the DLs from the individuals and puts them into their separate attributes.
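As an added example (my own code, not from the original post), here is the accept/reject logic the table above describes, applied to one sender against a constructed sample directory: reject lists win, both accept attributes empty means All Senders, and msExchRequireAuthToSendTo shuts out unauthenticated senders. The DNs and group memberships are made up, and following nested distribution lists during expansion is my own assumption.

```python
# Constructed sample directory: attribute values as they would be read over LDAP.
# All DNs are made up for the illustration.
ALL_STAFF = "CN=All Staff,OU=Groups,DC=example,DC=com"
MANAGERS = "CN=Managers,OU=Groups,DC=example,DC=com"
CONTRACTORS = "CN=Contractors,OU=Groups,DC=example,DC=com"
ALICE = "CN=Alice,OU=Users,DC=example,DC=com"
BOB = "CN=Bob,OU=Users,DC=example,DC=com"
CAROL = "CN=Carol,OU=Users,DC=example,DC=com"
MALLORY = "CN=Mallory,OU=Users,DC=example,DC=com"
DAVE = "CN=Dave,OU=Users,DC=example,DC=com"

DIRECTORY = {
    ALL_STAFF: {
        "authOrig": [ALICE],                # Accept messages from: only these senders...
        "dLMemSubmitPerms": [MANAGERS],     # ...and the members of these DLs
        "unauthOrig": [MALLORY],            # Reject messages from: these senders...
        "dLMemRejectPerms": [CONTRACTORS],  # ...and the members of these DLs
        "msExchRequireAuthToSendTo": True,  # Require that all senders are authenticated
        "member": [ALICE, BOB, CAROL, DAVE, MALLORY],
    },
    MANAGERS: {"member": [BOB, CAROL, MALLORY]},
    CONTRACTORS: {"member": [CAROL]},
}


def members_of(directory, dl_dns):
    """Expand the given DLs to the set of user DNs they contain (nested DLs are followed)."""
    users, seen, todo = set(), set(), list(dl_dns)
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for m in directory.get(dn, {}).get("member", []):
            if "member" in directory.get(m, {}):
                todo.append(m)  # nested DL: expand it too
            else:
                users.add(m)
    return users


def can_send(directory, dl_dn, sender_dn, authenticated):
    """Apply the five message delivery restriction attributes of dl_dn to one sender."""
    attrs = directory[dl_dn]
    # Require that all senders are authenticated: anonymous (external) senders are out.
    if attrs.get("msExchRequireAuthToSendTo", False) and not authenticated:
        return False
    # Reject lists win over accept lists, whether the sender is named or a DL member.
    if sender_dn in attrs.get("unauthOrig", []):
        return False
    if sender_dn in members_of(directory, attrs.get("dLMemRejectPerms", [])):
        return False
    accept = attrs.get("authOrig", [])
    accept_dls = attrs.get("dLMemSubmitPerms", [])
    # Both accept attributes empty is the GUI's "All senders".
    if not accept and not accept_dls:
        return True
    return sender_dn in accept or sender_dn in members_of(directory, accept_dls)


def allowed_senders(directory, dl_dn, authenticated=True):
    """All user DNs known to the sample directory that may send to dl_dn, sorted."""
    users = set()
    for attrs in directory.values():
        users.update(m for m in attrs.get("member", []) if m not in directory)
    return sorted(u for u in users if can_send(directory, dl_dn, u, authenticated))


if __name__ == "__main__":
    for dn in allowed_senders(DIRECTORY, ALL_STAFF):
        print("may send to All Staff:", dn)
```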


Monday, June 22, 2009

Best Practices ILM 2007 Coding Conventions and Habits

In response to a question in the MMSUG Yahoo group I thought I would post the following:

Naming conventions for MV objects and attributes.

Most CS objects and attributes come to us with names -- the exception being when we are writing our own views in SQL or Oracle.

There are many object types and attributes pre-defined in the metaverse; if you use those there is no need to rename them. Most of them seem to come from the required and suggested attributes for either an X.500 directory or an LDAP directory.

For new objects it depends on how you want to process things. If you need to take some code based actions that are identical for similar but different object types then using a prefix or suffix can help. I have seen some very complex GALSync scenarios implemented that way, div-Person, div2-Person, div3-Person, div-DL, Div2-DL, Div3-DL, div-Contact, div2-Contact, div3-Contact.  Then in provisioning code you can match on patterns to make decisions.

For Attributes some like to create them with a prefix with the client name. I generally like to match my attributes to the names from LDAP.

Naming conventions for coded attribute flows (AF).

In the 2731 class the instructions have you replacing the generated name User.samAccountName -> Person.sAMAccountName with something more like SamAccountName.

The benefit of the generated names is that they are pretty much unique and human readable although they are long. These days I tend to leave the default names.

Ways to make extensions for AF more adjustable without re-coding.

I have seen one developer use the flow rule names as a language for a processor module to handle 90% of his string manipulation. That certainly cut down on the need for re-coding.

That may have been an extreme example but it shows you what is possible.

Another tactic is to preprocess Attribute flow by performing the transformations in a SQL view -- it is much faster, but you can only use information available from that database. If you need to change it you won't need to change the MA Extension code. This is my preferred approach.

Ways to make provisioning code more adjustable without re-coding.

Make use of XML config files to store things like Exchange Mailbox stores to use, and then read them in during the initialize method (called once when the dll is loaded, since the dll's stay in cache for 5 min after use this won't necessarily be every run) of the Provisioning dll, and then make use of them during the provision method (called once per connected cs object being synchronized). Don't load an xml config file in the provisioning method unless you are looking for a way to slow down performance.

Favorite ways to make the status for any particular object easy to understand for people who don't know ILM/AD, etc.

We like to use reports and give the reports and their columns good descriptive names like ILM Disconnectors. Uh I mean AD Objects (Users, Groups OUs etc) that don't have matches in the other systems (like HR).

In the reports on connected objects using the binary functions in SQL to translate

For info on reports see Brad Turner's blog on the community reporting pack that he created (I helped but only on one report).


Tuesday, June 2, 2009

To PKI or not to PKI?

When should one implement a Public Key Infrastructure and when should one not? Obviously we implement a PKI to solve a problem, usually around security: enabling secure communications with a web server, multi-factor authentication, encryption. A PKI solution can be very versatile, but it comes at a price in setup and maintenance. But what alternatives do we have? Let's examine each problem in turn.


Problem | PKI difficulties | Alternatives | Benefits of alternatives
Enable secure web transactions (SSL) | Certs expire without warning anyone | none |
Secure network communications (IPSEC) | Need to issue certificates to all client computers (can use AutoEnroll GPO) | none |
Multi-factor authentication for wireless networks using 802.1X | Need to issue certificates to all client computers or smart cards to all users | RADIUS -- One Time Password Tokens | With Quest Defender issuing and maintaining OTP is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone.
Multi-factor authentication (certificates, smart cards) | Need to issue smart cards to all users (can be time consuming); need special hardware | One Time Password Tokens | With Quest Defender issuing and maintaining OTP is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone. Can work even on computers without a smart card reader.
Encryption of files (EFS) | Need to issue smart cards to all users (can be time consuming) | AD Rights Management Services | Enrollment of users is transparent -- new users can be given permissions by adding them to groups without having to re-encrypt the files. No need to renew certificates. Restrictions are enforced after the file is opened. It allows you to assign rights and permissions to other people on documents (open, save, edit, print, cut and paste) and emails (forward, cut and paste).
Enabling users (internal and/or external) to use your code without getting scary warnings (signing code modules, macros, ActiveX controls etc) | Need to issue/buy certificates for developers | none |
Signing emails | Need to issue certificates (whether on smart cards or not) to all users | PGP (web of trust) |
Encrypting emails | Need to issue certificates (whether on smart cards or not) to all users | AD Rights Management Services; PGP (web of trust) | AD RMS: Enrollment of users is transparent. Restrictions are enforced after the file is opened. It allows you to assign rights and permissions to other people on documents (open, save, edit, print, cut and paste) and emails (forward, cut and paste).

In short you need certificates for SSL, IPSEC, code signing and signing emails. Whether you build your own PKI or buy certificates for them is another question. For SSL and code signing you can get away with buying your certs, and should if your web site and/or code is for the public (although if you have enough of them you may want to look at setting up a subordinate CA under a public CA; that way you control the certs, but they are issued under a trusted root CA and your customers don't get those confidence inspiring messages asking them whether to trust you or not). For IPSEC and signing emails you should implement your own PKI in order to save the cost of buying so many certs.

If you need to implement signing of emails along with multi-factor authentication then it makes sense to take advantage of the versatility of certificates on smart cards. Then it makes sense to implement the Certificate Management component (CLM) of ILM 2007 to ease many of the challenges with issuing and managing smart cards.

However, if multi-factor authentication and encryption are your main goals you may want to take a look at one time password tokens with Defender and Microsoft's AD Rights Management Services (AD RMS) respectively. Both present easier and perhaps cheaper alternatives, that also add capabilities. Defender adds the capability to use multi-factor authentication on machines without smart card readers, and AD RMS adds the capability to restrict what users can do with content even after they decrypt it.


Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

Thursday, May 28th

(Live Meeting links will be sent to all registrants) (Click Here to RSVP)

David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern



Webinar: The Business Impact of Identity and Access Management with Forefront Identity Manager 2010 (formerly ILM "2")

You’re invited to attend an informational webinar showcasing the business benefits associated with Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.
Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.

The Business Value of Microsoft’s Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management

    • IDA with Forefront Identity Manager 2010 (ILM 2)

    • Maintaining existing ILM 2007 deployments

  • Strong Authentication

    • Certificate Services

    • Quest Defender

  • Sharing with Partners and Customers

  • Active Directory Federation Services /Geneva

    • Reducing the need to provision Accounts for Partners

    • Speedier disabling of access for Partner/Customer’s Accounts

    • Implications with cloud based applications

  • Information Protection (now that you’re sharing your documents, how do you protect them)

  • Active Directory Rights Management Services

    • Add-ons


Monday, April 20, 2009

ILM FIM Webinar Custom Workflow -- Joe Zamora

Joe Zamora the maintainer of the Ensynch ILM 2 Custom Workflow Walkthrough is our main presenter at our next Webinar this Thursday at 9 AM Pacific. To register click on the image below. The code from our Pre-con workshop is posted on CodePlex Ensynch Custom WF Activities



Thursday, April 16, 2009

What's in name? Forefront Identity Manager 2010

In case you haven't heard, Zoomit VIA, or rather Microsoft MetaDirectory Services, has been renamed yet again: from Microsoft Identity Integration Server 2003 to Identity Lifecycle Manager 2007 to Forefront Identity Manager 2010, or FIM for short. For obvious reasons the L was dropped when the F was added (Forefront + ILM = FILM).

So ILM 2 => FIM 2010


(stole this graphic from Brad Turner's blog -- his Smart Art creations are beautiful -- recently I have been studying smart art under his tutelage I hope to soon approach his level of skill)

Doug Leland, general manager of Microsoft’s Identity and Security Business Group, explained, "For example, our Identity Lifecycle Manager product is now officially named Forefront Identity Manager. We see the Forefront brand as synonymous with Business Ready Security."

From Microsoft MetaDirectory Services (MMS) to MIIS was a complete rewrite dumping Zscript for .NET and putting the metadirectory in the SQL Server back end. ILM 2007 added the Certificate Lifecycle Management piece while leaving the core functionality of MIIS alone. FIM 2010 of course adds lots of new functionality (everything you have read about ILM 2, the portal for self-service, password reset, the web service) but good old MIIS is still there as the FIM Synchronization Engine, but there have been substantial improvements under the hood to enable synchronization rules to be configured in the portal and flow into the Sync Engine.

So what's in a name? Some new features that, according to Doug Leland, spell Business Ready Security.

The Target date is still Q1 of calendar year 2010.


Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck, is a very talented developer, and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.


Tuesday, April 14, 2009

A few excellent Live@edu (Outlook Live) Blogs

I have been involved with the Microsoft Live@edu (formerly Windows Live@edu) and the Outlook Live (formerly Exchange Labs) programs for quite some time.

What a wonderful opportunity for schools to alleviate the cost of hosting email for students and then to be able to offer it to alumni, helping provide them with a lifelong connection to the university and a way to keep their email address from their student days. Maintaining stronger ties leads to more evangelism on the school's behalf and will lead to more alumni donations. I would have loved to have kept my or accounts. Instead of rediscovering friends on Facebook I might never have lost touch with them in the first place.

A few weeks ago Robert Hughes of Bridgepoint introduced me to Jonny Chambers' blog as another excellent resource for information about Outlook Live. So I thought I would collect some resources here:

Jonny Chambers blog

Jonny has a great list of official links to Live@edu.

Almero Steyn (pronounced Al mare Roo Stain), another ILM MVP, has also put together some fantastic blog posts on Outlook Live.


Wednesday, March 25, 2009

New Certificate and Identity Blogger on the Loose

Marc Mac Donnell has just launched his blog on and called it Assurances in Identity, and has posted the links to the CLM API documentation and case study about some work he did with MCS UK and CapGemini.

I look forward to many more posts from Marc about some of the wizardry and tricks in managing certificates and identities.


MSIT's implementation of ILM 2

TEC 2009 continues onto the last day.

Joel Silver spoke on his efforts and plans to implement ILM 2 for Microsoft. He presented a very interesting workflow to show how he addressed the challenge of creating unique email aliases.

Then I listened to Felix as he discussed some of the interesting aspects of LDAP enhancements from around the vendorscape (I think I just made that word up).


Tuesday, March 24, 2009

TEC 2009

Now that our pre-conference workshop on Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal is done, and our (Brad, Chris and me) sessions are done: Proper Care & Feeding of ILM, CLM and RMS; Designing an Object Expiration & Reconciliation process in ILM 2; Rescue Your Identity Metasystem from Chaos (reporting against ILM 2); and ADFS Extensibility, we are all able to relax a little and enjoy everyone else's sessions.

I spent a fair amount of time looking at Quest's One Identity Management Solutions (thanks to Jonathan Sanders), and I also got to attend Felix Gaehtgens's (Kuppinger Cole) session on You've Authenticated the User, so Now What? wherein he discussed RBAC vs Attribute Based Access Control (ABAC) and a standard that is new to me called XACML (Zack uh mel). I really enjoyed it despite it being a forward looking theoretical discussion.

Brad was telling me how much he enjoyed the ILM “2” Chalktalk by Andreas Kjellman and Mark Wahl.


TEC 2009 -- Ensynch Identity Bus

Last night fellow ILM MVPs Brad Turner, Chris Calderon, Carol Wapshere (pronounced Wap shear and well known as Miss MIIS) and I, along with a number of other TEC 2009 attendees, rode on the Ensynch Identity Bus to take us from the Green Valley Ranch Resort to the Las Vegas Strip. After a great steak dinner at Smith and Wollansky's (across from New York New York) a few of us walked the strip hoping to see the fountains at the Bellagio, but alas they shut off at midnight.

Our first run of the night was with a completely full bus!

The bus will also be running tonight:

Departing Green Valley Ranch Resort 8:30pm, 9pm, 9:30pm, 10pm, 11pm, 11:30pm, 12am, 12:30am.
Drop-off / Pick-up at Mandalay Bay, 9pm, 9:30pm, 10pm, 10:30pm, 11pm, 11:30pm, 12am, 12:30am, 1:00am (last pick-up)
Drop-off / Pick-up at New York, New York, 9:10pm, 9:40pm, 10:10pm, 10:40pm, 11:10pm, 11:40pm, 12:10am, 12:40am, 1:10am (last pick-up)



Monday, March 16, 2009

ILM/MIIS Sync Engine Clustering Windows 2008

First, let me say thank you to Alex Tcherniakhovski for pioneering the way in clustering the MIIS Service, or as it is now known, the ILM Sync Engine. That blog, presentation and script were an excellent set of work.

On Windows Server 2008, a few things have changed that break the script that Alex T. provides.

In Windows Server 2003 the cluster service runs as a domain account, and as long as that account has access to all nodes, can stop and start services, and is an MIIS Administrator, it should be able to do the trick.

Well with Windows Server 2008 the security model for the cluster service has changed:

There is no service account; instead there is a Cluster Name Object (CNO) created in AD as a computer object.

So the cluster service, which runs the generic resource scripts, now runs under local system in a special context with limited privileges.

So this means you can’t impersonate during WMI calls because it doesn’t have enough rights.

I tried making the CNO a member of the local administrators group, but that wasn’t enough. I may still get this to work.

For the meantime, I am switching the remote WMI calls to use embedded credentials, but the local WMI calls can't have credentials, like so:


If Node = activeNode Then
    ' Local node: the cluster service context cannot pass credentials to WMI,
    ' so connect to the local namespace without them
    Set objWMIService = objSWbemLocator.ConnectServer(Node, "root\CIMV2")
Else
    ' Remote node: supply the embedded credentials explicitly
    Set objWMIService = objSWbemLocator.ConnectServer(Node, _
        "root\CIMV2", _
        strUser, _
        strPassword, _
        "MS_409", _
        "ntlmdomain:" & strDomain)
End If


After changing this in several places in the code and fixing how the sleep command worked, I can now fail over without a problem!


Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they re-branded the conference NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas 

Day, Time: Topic (Speakers)

Sunday, 1 PM - 5 PM: Pre-conference Workshop 2: Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal (David Lundell and Brad Turner)
Monday, 1 PM - 2:15 PM: Designing an Object Expiration & Reconciliation process in ILM 2 (Brad Turner)
Monday, 1 PM - 2:15 PM: Proper Care & Feeding of ILM, CLM and RMS Databases (David Lundell)
Monday, 4 PM - 5:15 PM: Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS (David Lundell and Brad Turner)
Tuesday, 2:45 PM - 4 PM: ADFS Extensibility (Chris Calderon, who will probably co-present with Randy Weimar)


(yes the current schedule has Brad and I speaking on Monday at 1 PM in different rooms)


Thursday, February 12, 2009

Another talented Ensynchian joins the blogosphere

My colleague Joe Zamora, a talented developer, who has been instrumental in helping us advance our knowledge of custom workflows, has just launched his own blog: CShark.

His first post is on how to "Generate AccountName in ILM2 custom workflow activity", and it came in response to a question in the ILM 2 Connect forum entitled: Custom Workflow Activity to Generate samAccountName.

Go Joe Go!


Monday, January 19, 2009

What’s new in Identity Lifecycle Manager 2, Ask the experts

Brad Turner and I are putting on a webinar on ILM 2.



Tuesday, January 6, 2009

ILM 2 Functions Explained

For each function: Function Name, Parameters, David's Description, Example, Example Explanation.

Function: BitAnd
  Parameters: 1) mask (Type: Integer); 2) flag (Type: Integer)
  David's Description: BitAnd is a bitwise operation ANDing mask and flag. So if flag is the userAccountControl attribute in AD and mask is negative 2147483645 (the two's complement of 2), then the result is that the disable bit (bit 2) is turned off, leaving all of the other bits unchanged. BitAnd can be combined with Eq to detect if a bit is set.
  Examples:
    BitAnd(-2147483645, userAccountControl)
    BitAnd(-2147483645, 514) = 512
    BitAnd(-2147483645, 512) = 512
    BitAnd(-2147483631, 528) = 512
    BitAnd(-2147483631, 512) = 512
    Eq(BitAnd(2, userAccountControl), 2)
  Example Explanation: Turn off the disable bit. Flow the result into userAccountControl in AD to enable a user. If userAccountControl is 514 then the example gives us 512; if it is 512 then it remains unchanged. To figure out what to use as the mask, we first start with the bit we want to turn off (bit 16 -- account is locked out), then take the two's complement: start with the negative of (2^31 - 1), which is -2147483647, and add the value of the bit, in this case 16, to give us -2147483631. If the Eq example is true then the disable bit is currently set in AD.

Function: BitOr
  Parameters: 1) mask (Type: Integer); 2) flag (Type: Integer)
  David's Description: BitOr is a bitwise operation ORing mask and flag. So if flag is the userAccountControl attribute in AD and mask is 2, then the result is that the disable bit is turned on.
  Examples:
    BitOr(2, userAccountControl)
    BitOr(2, 512) = 514
    BitOr(2, 514) = 514
    Doesn't work (vote on this feedback):
    IIF( Eq(scope,"Universal"),8,IIF(Eq(scope,"DomainLocal"),4,IIF(Eq(scope,"Global"),2,0)))
    , IIF(Eq(type,"Distribution"),0,2147483648)
  Example Explanation: Turn on the disable bit. Flow the result into userAccountControl in AD to disable a user. If userAccountControl is 512 then the example gives us 514; if it is 514 then it remains unchanged. The nested IIF example returns an error of "return type (Object) of function IIF is not Integer".

Function: CRLF
  Parameters: None
  David's Description: Puts in a carriage return line feed.
  Examples:
    CRLF() = "
    "
    "Fred" + CRLF() + "Flatstone" =
  Example Explanation: The only function with no parameters, but it still needs the () otherwise ILM thinks you are looking for an attribute.

Function: DateTimeFormat
  Parameters: 1) dateTimeString; 2) format
  David's Description: Take the date and time in the dateTimeString and format it according to the format parameter. As far as I have tested, it works according to Standard Date Time Formats and .NET Custom Date and Time Format Strings.
  Examples:
    DateTimeFormat("12-28-2008 12:34:01.213 PM", "MM/dd/yyyy  ddd dddd hh:mm:ss  d  f M") = "12/28/2008 ;Sun ;Sunday ;12:34:01 ;28 ;2 ;12"
    DateTimeFormat("12-28-2008 12:34:01.213 PM", "G") = "12/28/2008 ;12:34:01 ;PM"
  Example Explanation: It looks like you can use either the custom strings (like MM/dd/yyyy) or standard strings (like G).

Function: ConvertSidToString
  Parameters: 1) ObjectSID
  David's Description: I suppose that this one works just like our good old Utils.ConvertSidToString method in the Metadirectory namespace and is used to convert a SID to a string.

Function: EscapeDNComponent
  Parameters: 1) dnStr
  David's Description: Again I suppose this one works just like
  Examples: EscapeDNComponent("Turner, Brad") = "Turner\, Brad"
  Example Explanation: The function will escape out characters that are not permitted in distinguished names (this will vary MA by MA).

Function: IIF
  Parameters: 1) condition (Type: Object); 2) valueTrue (Type: Object); 3) valueFalse
  David's Description: If condition is true then return valueTrue; if condition is false return valueFalse.
  Examples:
    IIF(Eq(1,1), "Yes it's true", "No it's false") = "Yes it's true"
    IIF(Eq(1,2), "Yes it's true", "No it's false") = "No it's false"
  Example Explanation: The nested IIF example under BitOr is one Brad and I cooked up for groups, translating the string attributes type and scope into an integer which we then flowed into the AD group attribute groupType, which combines group scope with whether it is a distribution list or not.

Function: Left
  Parameters: 1) str; 2) numChars
  David's Description: Get a substring of str starting at the left and going numChars long.
  Examples: Left("David Lundell", 5) = "David"

Function: LowerCase
  Parameters: 1) str
  David's Description: The name says it all.

Function: LeftPad
  Parameters: 1) str; 2) length; 3) padcharacter
  David's Description: According to my testing this function works like LeftPad in the StringUtils library in org.apache.commons: take padcharacter and add it to the beginning of str until str is as long as length. If str is already as long as or longer than length then don't pad. LeftPad and RightPad will never truncate or overwrite the original str.

Function: Mid
  Parameters: 1) str (Type: String); 2) pos; 3) numChars (Type: Integer)
  David's Description: Get a substring of str starting at pos and going for numChars.
  Examples: Mid("Brad ILM Turner", 3, 5) = "ad IL"

Function: LTrim
  Parameters: 1) str
  David's Description: Remove leading whitespace.
  Examples: LTrim("  Fred Mitchell  ") = "Fred Mitchell  "

Function: ProperCase
  Parameters: 1) str
  David's Description: Capitalize the first letter of every word (presumably words are determined by having whitespace in between them).
  Examples:
    ProperCase("david lundell") = "David Lundell"
    ProperCase("David lundell") = "David Lundell"
    ProperCase("DAVID lundell") = "David Lundell"

Function: RandomNum
  Parameters: 1) start; 2) end
  David's Description: Generate a random Integer between start and end (inclusive).
  Examples: RandomNum(10, 15) = ? where ? is between 10 and 15 (inclusive)

Function: Right
  Parameters: 1) str; 2) numChars
  David's Description: Get a substring of str starting at the right and going numChars long.
  Examples: Right("David Lundell", 5) = "ndell"

Function: Trim
  Parameters: 1) str
  David's Description: Remove leading and trailing whitespace.
  Examples: Trim("  Fred Mitchell  ") = "Fred Mitchell"
  Example Explanation: I haven't tested all of the whitespace characters like CRLF.

Function: RTrim
  Parameters: 1) str
  David's Description: Remove trailing whitespace.
  Examples: RTrim("  Fred Mitchell  ") = "  Fred Mitchell"

Function: RightPad
  Parameters: 1) str; 2) length; 3) padcharacter
  David's Description: According to my testing this function works like RightPad in the StringUtils library in org.apache.commons: take padcharacter and add it to the end of str until str is as long as length. If str is already as long as or longer than length then don't pad. LeftPad and RightPad will never truncate or overwrite the original str.

Function: UpperCase
  Parameters: 1) str

Function: Word
  Parameters: 1) str; 2) wordIndex; 3) delimiters
  David's Description: Take str and chop it up into words based on delimiters, and then return the 1st, 2nd, 3rd, 4th etc. word based on wordIndex.
  Examples:
    Word("Brad;ILM,Turner", 2, ";,") = "ILM"
    Word("Brad;ILM;Turner", 2, ";") = "ILM"
    Word("Brad;,ILM;,Turner", 3, ";,") = "ILM"
  Example Explanation: delimiters takes each delimiter character and uses them as separate delimiters, not as a combination delimiter, so ";," means that the second word in "Brad;,ILM;,Turner" is "" and the third word is "ILM".
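Reference models of the string functions in the table (Word, Left, Right, Mid, LeftPad, RightPad and ProperCase), written as an added Python example that is not code from the original post and not the ILM 2 implementation. They encode the semantics the table describes: Word splits on each delimiter character separately and counts empty words, Mid uses a 1-based position, and the pad functions never truncate. The behaviour of Word for an out-of-range wordIndex is an assumption (an empty string), since the table does not say.

```python
import re


def word(s, word_index, delimiters):
    """Word(): each character in delimiters splits on its own, so adjacent
    delimiters produce empty words that still count toward word_index (1-based)."""
    parts = re.split("[" + re.escape(delimiters) + "]", s)
    if word_index < 1 or word_index > len(parts):
        return ""  # assumption: out-of-range index gives an empty string
    return parts[word_index - 1]


def left(s, num_chars):
    """Left(): the first num_chars characters."""
    return s[:max(0, num_chars)]


def right(s, num_chars):
    """Right(): the last num_chars characters."""
    if num_chars <= 0:
        return ""
    return s[max(0, len(s) - num_chars):]


def mid(s, pos, num_chars):
    """Mid(): num_chars characters starting at 1-based position pos."""
    start = max(0, pos - 1)
    return s[start:start + max(0, num_chars)]


def left_pad(s, length, pad_char):
    """LeftPad(): pad on the left to length; never truncates."""
    if len(s) >= length:
        return s
    return pad_char * (length - len(s)) + s


def right_pad(s, length, pad_char):
    """RightPad(): pad on the right to length; never truncates."""
    if len(s) >= length:
        return s
    return s + pad_char * (length - len(s))


def proper_case(s):
    """ProperCase(): upper-case the first letter of each whitespace-delimited word
    and lower-case the rest, preserving the original whitespace."""
    return re.sub(r"\S+", lambda m: m.group(0)[:1].upper() + m.group(0)[1:].lower(), s)


if __name__ == "__main__":
    print(word("Brad;,ILM;,Turner", 3, ";,"))   # ILM
    print(repr(word("Brad;,ILM;,Turner", 2, ";,")))  # ''
    print(mid("Brad ILM Turner", 3, 5))          # ad IL
    print(left_pad("42", 5, "0"))                # 00042
```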

Hopefully this helps you in your codeless provisioning quest.

Remember there are limitations like the output of IIF can't feed into a function parameter expecting an Integer like the mask or the flag in BitAND or BitOR -- and no, I am not BitOr about it. Without casting and conversion functions that is an obstacle that can't be overcome using the ILM 2 functions for that you may need to turn to custom workflows.
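A check of the BitAnd/BitOr mask recipe from the table, as an added Python example; it is not code from the original post and not the ILM 2 functions themselves, only a model of the integer arithmetic so a mask can be verified before it is flowed into userAccountControl. The flag constants are the standard AD userAccountControl values. In ordinary 32-bit two's-complement arithmetic the mask that clears only the disable bit is ~2 = -3, while -2147483645 has the bit pattern 0x80000003, which ANDed with 514 leaves 2; the 512 results in the table are what a sign-magnitude reading of the negative mask (sign bit plus 2147483645 = 0x7FFFFFFD, giving 0xFFFFFFFD, the ones' complement of 2) produces. Because the two readings disagree, test the mask on a throwaway account in your own build before using it in a flow.

```python
"""Model of ILM 2 BitAnd/BitOr integer arithmetic (added example, not the product's code)."""

# Standard AD userAccountControl flag values.
ACCOUNTDISABLE = 2
LOCKOUT = 16
NORMAL_ACCOUNT = 512


def ilm_mask(bit):
    """The post's recipe: start at -(2^31 - 1) = -2147483647 and add the bit value."""
    return -(2 ** 31 - 1) + bit


def to_u32_twos_complement(n):
    """32-bit two's-complement bit pattern of n (what .NET's int & int operates on)."""
    return n & 0xFFFFFFFF


def to_u32_sign_magnitude(n):
    """32-bit sign-magnitude bit pattern of n: sign bit plus |n| in the low 31 bits."""
    if n >= 0:
        return n & 0x7FFFFFFF
    return 0x80000000 | ((-n) & 0x7FFFFFFF)


def bitand_twos_complement(mask, flag):
    """BitAnd if a negative mask is an ordinary two's-complement integer."""
    return to_u32_twos_complement(mask) & to_u32_twos_complement(flag)


def bitand_sign_magnitude(mask, flag):
    """BitAnd if a negative mask is read as sign-magnitude (reproduces the table's results)."""
    return to_u32_sign_magnitude(mask) & to_u32_sign_magnitude(flag)


def canonical_clear_mask(bit):
    """The two's-complement mask that clears only `bit`: ~bit (for bit 2 this is -3)."""
    return ~bit


def bitor(mask, flag):
    """BitOr: turn on the bits in mask (mask 2 disables the account)."""
    return mask | flag


def is_bit_set(flag, bit):
    """Eq(BitAnd(bit, flag), bit) from the table: True when the bit is currently set."""
    return (flag & bit) == bit


if __name__ == "__main__":
    disabled_user = NORMAL_ACCOUNT | ACCOUNTDISABLE  # 514, a disabled normal account
    m = ilm_mask(ACCOUNTDISABLE)
    print("post's mask for bit 2:", m)                                       # -2147483645
    print("sign-magnitude AND:", bitand_sign_magnitude(m, disabled_user))    # 512
    print("two's-complement AND:", bitand_twos_complement(m, disabled_user))  # 2
    print("canonical ~2 AND:", bitand_twos_complement(canonical_clear_mask(ACCOUNTDISABLE), disabled_user))  # 512
    print("disable bit set?", is_bit_set(disabled_user, ACCOUNTDISABLE))     # True
```

The two bitand functions take the same arguments, so the same table row can be evaluated under both readings; whichever one matches your FIM/ILM build is the one to trust for every other mask you derive.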


Monday, January 5, 2009

ILM 2 Functions all in one place

I couldn't find anyplace in the ILM 2 RC 0 documentation that listed all of the functions available to you in sync rules and action workflows, so here they are:

Don't forget about the boolean functions available for use in the IIF function. Now you can see at a glance the list of functions, their list of parameters and their official explanations.


Tuesday, December 23, 2008

ILM "2" confirmHumanity="false"

I was getting ready to try out some of the various installation topologies that may be possible with ILM "2" including: separating the Portal and the Service (definitely possible), having two portals point back to the same service (I think it's possible), when I came across the most interesting item in the ILM "2" installation guide in the section on Installing the ILM Service and ILM Portal on separate servers. Let's see if you can spot it too:

On the ILM Service server, edit the file

  • c:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config as follows:
    • <resourceManagementService certificateName="IdentityLifecycleManager2" confirmHumanity="false" servicePrincipalName="IdentityManagementService/computername"/>


What in the world can that be about? confirmHumanity="false"? Well at least the coder followed camelCasing so we may have a hint as to the perpetrator's identity -- Jerry Camel have you been doing some work for Microsoft?

Will someone please explain what this means? Is ILM "2" the Terminator? I mean it will deactivate and deprovision your accounts when you leave -- and afterwards it can show that you have been terminated!

We may never know! But comments are welcome.


Monday, December 22, 2008

Business Problems VS Technical Problems

A business problem is when employees can't execute their job duties in an efficient fashion. In fact, sometimes they are unable to complete the tasks at all. Business problems are especially costly when they directly affect customers. These problems can cause cash flowing into the company to be delayed as a customer waits to place an order or to receive goods (and hence to pay); they can cause revenue to be lost as a customer temporarily takes their business to a competitor or finds a substitute; and sometimes this leads to customers forming new business relationships and the loss of all future revenue from that customer. Non-customer-affecting business problems may result in higher costs without affecting revenue. For example, a problem on the job shop floor causes workers to put in overtime to complete customer jobs on time, raising costs without directly affecting the customer.

As Rodd Wagner and James K. Harter point out in their book 12: The Elements of Great Managing, company profitability is highly correlated with employees knowing what is expected of them and having adequate tools and materials (elements 1 and 2). When these two elements are shortchanged, business problems result, costs go up and revenue goes down.

A technical problem is often the root cause of employees not having adequate tools or materials. A more specific definition could be that a technical problem is the cause of the Information Technology department (people, process and technology) not being able to adequately fulfill a need expressed by the business. This inadequacy could be a matter of accuracy, timeliness, or consistency. It could also be a matter of lacking the capability. These are technical problems, like not being able to provision and deprovision accounts and entitlements quickly enough, accurately enough (deleted the account for the wrong Jane Smith), or consistently enough (only 10 of the user's 16 accounts deprovisioned on average, per IDC) because the Identity Management system goes down frequently, or is too complex to change and the rules it enforces are outdated. Another possible technical problem could be that requests are lost or seem to take forever to be fulfilled because the process, supported by paper or a help desk ticket, doesn't move efficiently. Requests may be fulfilled incorrectly or inconsistently because the fulfillment is not automated and/or checklists don't exist or aren't followed.

Hence good managers look for ways to provide knowledge of expectations and sufficient tools and materials for their employees to do their jobs. I believe you'll agree that one of those great tools is ILM "2".


Saturday, December 6, 2008

ILM 2 Web Services Part 1 and 1/2

A few days after my post about setting up the ILM 2 Web Service reference, Joe Schulman and others from the ILM product group began a new blog designed to fill in the gaps in the community's knowledge about how to use the web services. So far the blog looks great and is a welcome addition to my knowledge and the community's knowledge base! Great job Joe and company, and thanks for the link to my blog.

Identity Management Extensibility

I recommend starting out by reading the intro post as it gives a great overview of what to expect.

Also check out the code samples online at MSDN

Shortly I will be getting back to more technical posts.


Live@edu Partner Airlift and SQL PASS, Flat Tires, and Thanksgiving

As for me why no posts since Nov 11th -- well, I have attended the Live@edu Partner Airlift in Redmond, SQL PASS, had a flat tire, and enjoyed Thanksgiving. In this post

I attended the Live@edu Partner Airlift in Redmond to see what's new under the sun for schools and universities. Exchange Labs is now available on a widespread basis (see fellow MVP Almero Steyn's blog posts on Live@edu and on Exchange Labs)! Students and alumni can now have school-domain-based hosted Exchange email accounts for life at no cost to their schools. While this program has offered Hotmail accounts, now you can have hosted Exchange accounts. I had a great time at the Airlift; thanks to Michael Wegman, Richard Wakeman, Andy Hoag, Steve Winfield (not Dave Winfield, nor Steve Winwood) and Anna Kinney and everyone else for putting it on.

I was privileged enough to attend SQL PASS for the first time. This year it was in Seattle. So that meant two straight weeks in the Puget Sound area. It was fun to return and visit, see old friends, see my old house (where we lived for 9 months), see some beautiful wet countryside, and experience more of downtown Seattle, but I sure was glad to get back to the warmth of the Arizona sun! I did sneak my wife up for the weekend in between events and we did some of the tourist events we didn't have the chance to do while living there. We ate dinner at the Space Needle, took a cruise in the bay, saw some glass blowing, rode the monorail and visited Pike Place Fish Market (the famous one featured in Fish!, as well as the other two lesser-known fish markets).

I took this photo on the cruise.


I greatly enjoyed SQL PASS, making and renewing acquaintances with many of the SQL Server MVPs. Thanks for letting me hang out and participate in all of the SQL MVP stuff without feeling like too much of an outsider! I saw lots of great sessions. Unfortunately I had to exit early from Gail Shaw's Dirty Dozen presentation on the twelve things not to do in your SQL code, but it seemed like it was going quite well.

After returning from Seattle we discovered that our 1 yr old Honda Odyssey had a flat. Out came the jack. Ouch went the back! But at least it prompted me to look at my other car and realize that I needed two new tires (an ounce of prevention is worth a pound of cure)!

I would like to remember this Thanksgiving as relaxing, fun, filled with family and friends and this year I can ;)


Saturday, November 1, 2008

ILM 2 Web Services Part 1 The Service Reference

Together, Mark Struck of Ipseity Inc and I have figured out (after much beating of our heads against brick walls) how to use the ILM 2 Enumeration Endpoint to perform some basic reporting. (I figured out how to send the enumeration and get a response, and then Mark figured out how to correctly form the pull messages so as to be able to retrieve the actual objects -- teamwork at its finest.) We would also like to thank Mark Gabarra and Rob Ward for their input.

Here are some lessons we learned:

First lesson: the SDK provided with ILM 2 Beta 3 is incomplete and in some cases misleading. (Just one of those areas that hasn't been well documented yet)

Second lesson: Reading the WS-Enumeration specification is like drinking from a firehose.

Third lesson: Case matters when specifying the endpoint.

Today's post will show you how to set up the Service Reference.

Type in http://localhost:526/ResourceManagementService/MEX/

The case of the URL is important: ResourceManagementService must have capital R, M and S, and MEX must be all capitals.

The name you type in for name space is important as it is the name you will use in your code.

I recommend replacing the ServiceReference1 that you see in the figure with ILM_RMS.


After you click Go it shows you the various services available and operations for each service. The Search Service is the one we will want.


Once you click OK you see the following show up under service reference:


An enumeration.wsdl file is generated and your app.config file will also be populated with lots of settings, such as this one:

   <binding name="ServiceMultipleTokenBinding_Search" closeTimeout="00:01:00"
       openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
       bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
       maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
       messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
       allowCookies="false" contextProtectionLevel="Sign">
     <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
         maxBytesPerRead="4096" maxNameTableCharCount="16384" />
     <reliableSession ordered="true" inactivityTimeout="00:10:00"
         enabled="false" />
     <security mode="Message">
       <transport clientCredentialType="Windows" proxyCredentialType="None"
           realm="" />
       <message clientCredentialType="Windows" negotiateServiceCredential="true"
           algorithmSuite="Default" establishSecurityContext="false" />
     </security>
   </binding>

You can also generate this info through a command line approach using the svcutil.exe utility.

Then in your code you make use of it like this as you see in my code:

Dim scReporting As ILM_RMS.SearchClient 
scReporting = New ILM_RMS.SearchClient("ServiceMultipleTokenBinding_Search")

See how you use the namespace that you set up when you made the service reference, and how you need to use the binding name set up in the app.config file. Instead of using the settings in the config file you can use a programmatic approach to setting up the bindings. Look at the example from Mark Struck's C# code:

WSHttpContextBinding wsBinding = new WSHttpContextBinding(); 
// Cannot use WSHttpBinding since it does not allow you to Sign the EnumerationContext element
// WsHttpContextBinding provides a property called ContextProtectionLevel which defaults to Sign, which is
// what is needed to communicate with the web service when the action is Pull.
// WsHttpBinding will work if you are just calling the web service with the Enumerate action.
//WSHttpBinding wsBinding = new WSHttpBinding();

// Set binding properties
wsBinding.ReceiveTimeout = new TimeSpan( 0, 5, 0);
wsBinding.SendTimeout = new TimeSpan( 0, 5, 0);
wsBinding.Security.Mode = SecurityMode.Message;
wsBinding.Security.Message.EstablishSecurityContext = false;
wsBinding.Security.Message.NegotiateServiceCredential = true;
wsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
wsBinding.Security.Message.AlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Default;

// Create EndpointAddress object and create the SearchClient object with the binding and endpointaddress objects
EndpointAddress ep = new EndpointAddress(ILMSERVICE_URI_ENUMERATION);
SearchClient searchClient = new SearchClient(wsBinding, ep);
