fim-2010 « WordPress.com Tag Feed

FIM Troubleshooting Collection

Peter Geelen — Sat, 19 Feb 2011 14:36:18 +0000

One of the goals of the FIM product teams is to enable the FIM community to contribute to our troubleshooting documentation set.

To do so, Microsoft has started to migrate the core troubleshooting content into the TechNet Wiki platform.
They will still track the available articles in the Troubleshooting FIM 2010 Roadmap on the FIM TechCenter.

To simplify the process of writing and posting FIM troubleshooting articles, Markus has posted a TechNet Wiki article that includes some guidelines.
Please feel free to add on to this article if you can think of additional tips and tricks.

Feedback is always welcome!

Please feel free to spread the word as appropriate.

Implementing FIM 2010 Certificate Management (Part 4)

Dmitrii — Fri, 04 Feb 2011 05:01:13 +0000

This is the fourth and final installment in a four part series showing how to implement FIM 2010 Certificate Management solution. You can watch the previous three parts by going to each presentation:

If you wonder what is the final result of this specific implementation then please watch demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Todays demonstration covers the following tasks:

Configure Service Connection Point Permissions
Delegate Profile Template Permissions
Configure Permissions on Certificate Sponsor
Create SSL Profile Template
Configure Profile Details
Configure Enroll Policy
Configure Revoke Policy
Define Permissions on the SSL Profile Template
Request Certificate for FIM CM Portal
Fixing FIM 2010 CM Configuration (AES and CSP)
Request Certificate again
Installation of issued Certificate on the FIM 2010 CM
Set SPN for the new URL
Final test of the new Portal

For better experience please watch it in Full screen and enable HD.

FIMMA vs non-standard MV Schema

Peter Geelen — Thu, 03 Feb 2011 20:05:37 +0000

(note-to-self)

As you probably know, in ILM the MV schema can be changed easily.
It’s pretty easy to add or remove attributes.

In the past, in some cases, customers had the MV completely removed and rebuilt to only contain (just) the object and attribute definitions needed. Fit to the customer’s standards, without overhead.

In FIM it still is quite easy to manipulate the FIM Sync MV schema at will.
Easy! … at first sight.

NOT! Because the FIMMA doesn’t like it.

If you add the FIMMA after you change the default MV schema, you could run into trouble.
That is, the FIMMA the wizard checks the MV schema (note the Update Schema step).

And if one or more default object definitions are missing, the wizard prompts you to update the schema.
AFAIK, strangely enough the option is not triggered when all default objects are present, even if some default attribute definitions are missing.

You’ll need to click Next> to continue installing the FIMMA.
(“< Back” for previous step, “Cancel” to stop installation…)
So, there’s no option to continue installation without changing the MV, even not partially.
No other way around.

In the demo setup I use for the screenshots, the following objects were removed, because they were not managed by FIM: computer, domain, function, locality, organization, printer, role.

Additionally, the group object had been created manually as “Group” (uppercase “G”).
Same thing for OrganizationalUnit, … and some attributes.

Under “Schema Update Status” the wizard shows the detailed info, like

Reading though the update status, you could encounter different types of messages, like:

/../
Create <missing object name> object…
The attribute <missing attribute name> will be added.
…
Create <object name> object completed with the following warnings:
The attribute <changd attribute> already exists. It should be “<default name>” indexable non-indexed, but is “<changed name>” non-indexable non-indexed.
The attribute Manager already exists. It should be “manager”, but is “Manager”.
/../

Apart from automattically adding missing attributes, the wizard also duplicates attributes that already exist to match the object. So it restores the link between the attribute and object.
But it does NOT change the attribute type.

Just an example, if you completely removed the ‘street’ attribute from all objects, the wizard will add it again as String(indexable) and map it to the appropriate objects.

BUT, if you created the attribute ‘STREET’ (as Binary (non indexable)), you’ll get a notice the attribute ‘STREET’ already exists, although is should be ‘street’… And again the wizard maps ‘STREET’ to the default objects where it is supposed to be linked.

Conclusion, better avoid this annoyance and loss of time (spent deleting MV objects), so:
- Don’t delete default object definitions
- Stick as much as possible to the standard FIM Sync MV Schema.
- Don’t re-add default objects or attributes that have even the slightest difference in naming (change in uppercase/lowercase) or type definition

If you need additional attributes
- add non-default object types (like ‘Identity’ for people or persons)
- by preference, add custom attributes to to the existing object types

If you really would like to clean up the MV or really need to set it your way:
- first add the FIMMA, then change the MV
- keep it in mind when you need to restore the FIM config for whatever reason (eg moving from DEV > Accept > production)

And leave the synchronizationRule, expectedRuleEntry, detectedRuleEntry in place, they are needed for the core FIM system functionality

Implementing FIM 2010 Certificate Management (Part 3)

Dmitrii — Thu, 03 Feb 2011 19:00:55 +0000

This is the third installment in a four part series showing how to implement FIM 2010 Certificate Management solution. You can watch the first part of this series by going to the “Implementing FIM 2010 Certificate Management (Part 1)” and the second part at “Implementing FIM 2010 Certificate Management (Part 2)”. If you wonder what is the final result of this specific implementation then please watch demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Todays demonstration covers the following tasks:

Installation of FIM 2010 CM CA modules on the Issuing CA
Configuration of Exit Module
Check that CA is registered in SQL
Configuration of FIM 2010 CM Policy Module with CLM Agent Thumbprint
Enable Constrained Delegation for the FIM 2010 CM Computer Account
Enable Constrained Delegation for clmWebPool account
Adding Subject Module and SubjectAltName Module on CA
Configure SSL Templates
Configure Subject Policy Module
Configure SubjectAltName Policy Module

For better experience please watch it in Full screen and enable HD.

Implementing FIM 2010 Certificate Management (Part 2)

Dmitrii — Thu, 03 Feb 2011 00:08:12 +0000

This is the second installment in a four part series showing how to implement FIM 2010 Certificate Management solution. You can watch the first part of this series by going to the “Implementing FIM 2010 Certificate Management (Part 1)”. If you wonder what is the final result of this specific implementation then please watch demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Todays demonstration covers the following tasks:

Performing Initial Configuration via FIM 2010 CM Configuration Wizard
Designating pre-enrolled Agent Certificates in the FIM 2010 CM web.config file
Disable Kernel mode Authentication in IIS
Create Accounts for Issuing CA in FIM 2010 CM SQL database
Open Firewall on the FIM 2010 CM for SQL Communication

For better user experience please watch this in Full screen and in HD.

Implementing FIM 2010 Certificate Management (Part 1)

Dmitrii — Tue, 01 Feb 2011 15:54:15 +0000

Did you have a chance to watch demonstration on how to use FIM 2010 CM for manual certificate issuance? If not, you can watch it here.

If you are interested to learn how I configured FIM 2010 CM environment to be able to provide shown functionality then start watching the following demonstration. I broke down entire implementation into four parts and here is the first part of the series. Parts 2-4 are coming in the near future.

In this demonstration we will do the following tasks to prepare environment for FIM 2010 CM installation:

Modify AD Schema with FIM 2010 CM extensions
Create Required Accounts and Groups
Create Certificate Templates for FIM 2010 CM Agents
SQL Installation
Installation of IIS and disabling SSL 2.0
Installation of SMTP Service
FIM 2010 CM software installation
Enable Logon Locally for Agent Accounts
Deployment of Agent Certificates on the FIM 2010 CM Server

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

Manual Certificate Enrollment via FIM 2010 Certificate Management

Dmitrii — Sat, 29 Jan 2011 19:29:41 +0000

This video demonstration shows how to use FIM 2010 Certificate Management to request and issue an SSL certificate. The solution shown in this demo is created to satisfy the following requirements:

SSL certificates must be approved by RA Manager.
Simplify the enrollment process and remove guessing from the subscriber.
Certificate Subject name must be in Geopolitical format, such as: cn=hostname, ou=devices, o=adatum, c=us
SubjectAltName extension must have actual name(s) for the URL the cert will be used for.
SubjectAltName must also include subscriber e-mail address.

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

If you would like to know how to build solution shown in this demonstration then stay tuned, because I’m going to show you in step-step video demonstration how to do just that.

FIM 2010 - Joining Data From Another MA

Dmitrii — Wed, 26 Jan 2011 16:26:46 +0000

This video demonstration is another installment in the “Implementing FIM 2010”. It shows how to configure a Management Agent (MA) for joining and then do some breadcrumb of the dirty data. You can watch all video demonstration in the “Implementing FIM 2010” by going to my “Implementing FIM 2010” video channel.

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

FIM 2010–Importing and Synchronizing Data

Dmitrii — Thu, 20 Jan 2011 21:47:07 +0000

This is a the second lab from the Implementing Forefront Identity Manager 2010 training. Before watching this demonstration it might be helpful to watch prior demonstrations, but not required.

In this demonstration we are going to perform the following tasks:

Connect to an HR data source and import identity data
- Create an MA to connect to the HR SQL database
- Create and Run Some Profiles
Examine the Metaverse
- Search the metaverse and establish that the data has been projected
- Create a search filter clause
- Select which Columns to see
- View the Search Results
- Index the employeeID attribute
Importing Changes
- Modify the HR Data and import it into FIM

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

The FIM Experience–Exercise 4

Dmitrii — Thu, 20 Jan 2011 21:46:00 +0000

This is a continuation of the first lab from the Implementing Forefront Identity Manager 2010 training. Before watching this demonstration it might be helpful to watch the prior two demonstrations, but not required.

In this demonstration we are going to perform the following tasks:

Log on to Windows as a Contractor employee and reset his password via FIM 2010 Password management
Use Microsoft Office Outlook 2007 to join a group and edit personal details
Log on as HR employee and see how different permissions being applied

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

The FIM Experience–Exercise 2 and 3–Video Demonstration

Dmitrii — Thu, 20 Jan 2011 21:44:38 +0000

This is a continuation of the first lab from the Implementing Forefront Identity Manager 2010 training. You can watch the first part of the lab here.

In this demonstration we are going to perform the following tasks:

Add new users and examine group memberships

Add full-time employee
Add a contractor

Examine how groups are managed

Criteria-based groups
Manager-based groups
Manual groups

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

The FIM Experience–Exercise 1

Dmitrii — Thu, 20 Jan 2011 21:40:43 +0000

Here is the recording of the first lab exercise from the Implementing Forefront Identity Manager 2010 training.

In this exercise we are going to edit user identity data and observe the effect on other connected systems.

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.

Forefront Identity Manager 2010: Best Identity and Access Management Product

Domagoj Pernar — Thu, 30 Dec 2010 11:53:08 +0000

Just a quick and short post about Forefront Identity Manager. Anyway, it’s really nice to see that Forefront Identity Manager 2010 (ex. Identity Lifecycle Manager) won the gold award by Information Security Magazine in identity and access management category.

Quote:

“Despite a large field of battle-tested competitors, Microsoft’s legacy identity product narrowly surpassed IBM for our No.1 ranking. Identity Lifecycle Manager 2007, which was replaced in March by Forefront Identity Manager 2010, features identity synchronization, user provisioning, and management of certificates and smartcards; it requires Windows Server 2003 or 2008 and SQL Server. Readers gave it solid marks across the board, particularly for ease of use, integration with associated products and comprehensive and flexible reports. “

Cheers to Forefront Identity Manager!

Metaverse Router 1.1

Dmitry — Thu, 21 Oct 2010 21:14:20 +0000

I have updated Metaverse Router code on CodePlex. One bug was fixed “XML Tag Capitalization”; minor but nasty little bug that was throwing exceptions during initialization of the provisioning modules. I have also updated the solution and project to Visual Studio 2010 with WIX 3.5 for an MSI building purposes.

Can ILM 2007 / FIM 2010 pull users from an SQL database?

csolarz — Tue, 12 Oct 2010 16:26:44 +0000

Bob from this week’s 6426 class posed the following question. I have some users who access multiple SQL databases, can ILM or FIM automate password changes across them?

I grabbed the information from the Understanding Forefront Identity Manager 2010 white paper which is accessible via the link. Here are a few choice excerpts

Heterogeneous identity synchronization & consistency. FIM 2010 delivers integration with a broad range of network operating systems, e-mail, database, directory, application, and flat-file access. FIM 2010 supports connectors for Active Directory, Novell, Sun, IBM, Lotus Notes, Microsoft Exchange Server, Oracle databases, Microsoft SQL Server™ databases, SAP and others. This provides organizations with the power to connect and synchronize the plethora of disparate sources of identity information in their company—in most cases without the need to install software of any kind on the target systems. Since in some cases it might be necessary to connect to custom or legacy applications unique to a specific organization, FIM 2010 extensible agent capabilities enables companies to integrate and manage identities for these applications through developing custom agents in the Microsoft Visual Studio® development environments.

Simplified sign-on by synchronizing passwords across systems. Importantly, FIM 2010 provides a simplified sign-on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems.

Chasing the new feature

Dmitry — Mon, 04 Oct 2010 20:34:00 +0000

Chasing new Feature

As FIM 2010 product wanders into the wild, inevitably more and more Identity Management professionals are working on the projects where they have to make design decisions regarding FIM’s implementation. With an addition of an "App Store" (The Web Portal) programmers are presented with much wider variety of available options. In the last few months I have been seeing, in my opinion, dangerous trend of "chasing the new feature" of the product in favor of more traditional design. Let’s step back and take a look at options that have been available to IdM professionals before FIM 2010 timeframe. I think that clear understanding of features and definition of goals should help an IT professional with identification of appropriate tool(s) to do the job.

Old Times

Since 2003 to 2010 customization of MIIS/ILM-based solution would entail you to write specialized .NET code. There were few predefined places in the product where you could plug your custom code. Most commonly used interface exposed by sync engine was and still is Microsoft.MetadirectoryServices.IMASynchronization;
That interface implementation would provide a programmer with an array of options to control behavior of objects that are coming from a connected directory (including advanced filtering, joining and projection), as well as similar functionality during the export; you could also express your business logic to create new entries in data-sources in the provisioning module(s). So from the year of 2003 to the year of 2010 life of MIIS/ILM professional was relatively easy (or at least well defined and outlined). Once you’ve fully understood the sequence of events and places you can affect the data, you are in the good place. At that point design of the right solution was a matter of properly aligning business requirements and the Sync Engine capabilities: synchronization and provisioning.

Standing by established methodology

Since its conception the Sync Engine was and still is a "state-based" solution, meaning that when we are working in the framework of Sync Engine we are not looking at transactions of objects in each connected data-source, but rather operating with the last-known-state of an entire directory. That rule is an important one to learn and fully embrace. I would argue that most computer systems are not "state-based" and most programming models are based on the assumption that you are working with a transaction. I have seen several projects that I was hired to fix, that were written by seasoned programmers. There were no errors in the code, as such, but rather design/architecture errors deriving from the fact that programmers didn’t take into account the fact that they have been working with state-based system. When "transaction" model is applied to the Sync Engine, it produces rather adverse results. State-base system relies on all of the data being present in the system at the moment when each individual attribute of an individual object is processed. When data is not available a programmer would, naturally, reach-out to an external data-source and access the data suitable for that object. And THAT is a design problem from Sync Engine stand point.
So why the external lookup is so bad, one would ask?

Don’t think outside of the box

Unlike your job interview in the early to mid-90s, when you practically had to say "I am thinking outside of the box" in your resume to be hired (that and an ability to spell word ‘Java’), designing well performing Sync Engine solution was and still is – making sure that you are fitting all data you want to access inside of the box. The Sync Engine box that is. The key word to remember here is "convergence". Data should ‘converge’ when it is fully synchronized and satisfies all business rules/requirements plugged-in into the system. Meaning that all business rules are satisfied and system has no pending changes for the object in question. Therefore having all data "in the box" will make your solution perform better, to be less complex and more manageable.
However unachievable, and "against the grain" some design decision might appear to be, you still should consider every possible option to avoid breaking the rule of "no external calls". So YOU should think outside of the box to make sure that your BOX left to think inside of itself.
Allow me to provide an example. Several years ago I was working on the project where we had to use Unique ID system. This unique ID system was responsible for distributing uniformly formatted IDs to ANY system in the enterprise, regardless of the platform, ownership or any other factor. The ID could be distributed to a system account, an employee, a contractor or an intern. Certain subset of users might never qualify to have an ID in Sync-Engine-managed system, yet they could have an ID in other systems and therefore would have a record in the Unique ID system. The only attributes that system have had exposed to us are ID, isAvaialbe, DateOfAssignment
When I came aboard, on that project, the solution for this "problem" was an external call to the Unique ID system out from Import Attribute Flow in HR Management Agent to get next available ID and mark it as "reserved".
The first problem we have encountered with that design is "orphaned" IDs. Somehow we have "reserved" lots of IDs that have not been actually used by anybody. Troubleshooting revealed that when and if the object would fail to be provisioned, for whichever reason, Sync Engine would faithfully roll-back the transaction, however it would never release the ID that was used during Import Attribute Flow, therefore all consecutive runs will request yet another ID and another and another; as you can guess we have had plenty of "orphaned" IDs at that moment.
I have also seen number of "let’s call out and check for uniqueness" blocks of code within provisioning logic. That kind of practice generally slows down the system to the crawl due to the fact that every synchronization cycle would require system to call-out for every object that passing through the pipe.
If you are still not convinced the most commonly used "trick" of external call is a creation of home directories for roaming profiles. Sync Engine doesn’t come with management agent that would make a file system calls to physically create a "directory" object on the file system. I am not sure why that is, but I suspect that it have something to do with the fact that Microsoft doesn’t use roaming profiles internally. So every time your client asks you to create a directory – you make an external call during export operation. What is the harm is that? Consider following questions: a) Are you creating very first directory on that share? B) What happens with that directory during user de-provisioning? C) What happens if you’ll delete connector space and have to re-provision objects?
As you can see — if you are not managing (really managing) the directory, the record, the row, the ID, or whatever that is you are calling out for – you can’t guarantee convergence of the data, and therefore your solution have greater chance to fail or perform poorly under stress or during disaster (exactly at the time when you would want system to perform as reliably and as fast as possible)

Applying existing patterns on FIM portal

In my IdM 101 presentations to the clients I was often calling the ability to use code in Sync Engine "product’s greatest strength and product’s greatest weakness". With introduction of ‘The Portal’ that statement is more true than ever.
By contrast with the Sync Engine The Portal is a transaction-based system. It is "married" with the state-based Sync Engine by means of "special" management agent that is not quite the same as other management agents. Sync Engine is a delivery vehicle for The Portal and integral part of the product.
In the past few month I have observed a trend of using Portal for operations that is should not be used, in my honest opinion. I was talking with one of consultants in Europe and have heard that instead of trying to create an object with the Sync Engine (as it should be done for all managed objects), "we had one of our guys to write us a Workflow that would call Power Shell that would just create the object on the system for us". Frankly, that particular conversation generated the blog entry you are reading.
I believe that the problem comes with perception that "Hey! I am transaction-based! I can do whatever I want to do. And by the way – look, I can stick my code in this new place called "workflow". Exciting!"… And that is true statement. Portal provides more places to "stick" your custom code than Sync Engine dreamed of. You have several types of workflows, UI, etc. So what is the problem with that?
The problem is that we need to keep in mind that we are implementing an Identity Management solution(s), and not the chasing the most adventures way of creating new software. I am sure it’s cool to write a Workflow in .NET 4.0 with Visual Studio 2010 which will call PowerShell 2.0 which will user WinRM 2 to perform some wonderful operation right after user clicked the submit button. In fact it could be very well justified thing to do, but one should not forget about the data convergence paradigm.
Making external calls form portal is no deferent than making an external calls form the Sync Engine. Yes you can do it, but should you? Discarding previously accumulated knowledge and experience from your MIIS/ILM days is careless. Yes, your toolbox has expanded; your ability to execute some tasks right after your user clicks the submit button doesn’t change your goal to achieve seamless management of identity; the best way to do it is to make sure that your data is fully managed. Your design patterns should follow that rule and find best possible solution(s); even if it is not using trendiest technologies of this month.
Sync Engine is the most mature part of the product; it is a delivery system for your managed objects. There is no shame in using it to the fullest possible extent. Don’t flirt with your data – own it. That might culminate in you writing an extensible management agent, creation of new Metaverse object type, analyzing expected rule entry object of FIM, or configuration of an additional out-of-the-box management agent instance(s) to bring an object/attribute into the realm of managed identity. The overhead in time that you might spend upfront in doing so will pay-off during update of the system, during disaster recovery scenarios or troubleshooting.

How to decide which tool/method to use

The rules that I’ve discerned for myself in the last two years of working with FIM are simple. They are based on two assertions:
a) Portal is a customer-facing workflow-driven application.
b) Sync Engine is the delivery vehicle.
Do I need to persistently manage the object at all times (disaster recovery included) – it’s a Sync Engine’s job
Do I need to make a decision on whether to allow or deny access to a particular user request — it’s a Portal’s job
And ‘yes’, there are plenty of "gray areas" and ‘no’ there is no definitive answer for every solution, nevertheless these rules helped me in navigating through the architectural decision making process.

I hope this "speaking out loud" entry will help you too

Auxiliary MA alternative

Dmitry — Wed, 04 Aug 2010 21:22:55 +0000

Auxiliary MA alternative

Recently I have published a Metaverse Router project on CodePlex. This project allows MIIS/ILM/FIM Synchronization engine to operate with discrete provisioning modules vs. monolithic provisioning DLL that would serve dissimilar connected directories.

As one of the benefits of Metaverse Router you can enable/disable ‘scripted’ provisioning in your Sync Engine without actually modifying server configuration. It is also possible to enable and disable provisioning of individual modules, if you wish.

During work with one client of mine it dawned on me that this provisioning disablement could be performed in mid-run of the synchronization cycle. Why is this important?

If you are familiar with a concept of Auxiliary MA you know that Sync Engine could have a configuration challenge preventing object to be provisioned into one of the systems due to an existing object with an identical distinguished name being present in that system. The proposed solution is called Auxiliary Management Agent. Auxiliary MA is a basic text (or any other default type) management agent, which depends on the sequence of synchronization execution and allows provisioning code to execute successfully by provisioning an "auxiliary" object first, which would allow (pre)existing object to join to the Metaverse; thereafter auxiliary CSEntry ‘self-destroys’ when it is no longer needed. I encourage digging MSDN for more information. Auxiliary MA can be conceptually ‘dry’…

Nevertheless, having an additional MA and introducing additional provisioning code is not something I would like to do, when it can be avoided. So to resolve mentioned above provisioning issue without introduction of an additional MA we can simply disable provisioning in the Metaverse Router with the script during the run of the Sync Engine. Disabled provisioning will allow for projection and joining processess to happen without provisioning code being executed at first, which in return will solve the "auxiliary" problem. Thereafter your script could re-enable provisioning and voila – no Auxiliary MA needed.

I will be working on VB and PowerShell scripts to complement Metaverse Router on CodePlex

Happy coding!

Forefront Identity Manager 2010 Visio Stencils

dshimo — Wed, 30 Jun 2010 13:05:25 +0000

Forefront Identity Manager 2010 Visio Stencils

dshimo — Wed, 30 Jun 2010 10:45:00 +0000

Hey, it's me again.

I'm very glad to share with you the release of the Forefront Identity Manager 2010 Visio Stencils.

It's one of the things that I have been expecting to improve my documentations.

Download here

I apologize for my English.

Olá a todos!!

Gostaria de compartilhar com todos, com exclusividade o tao esperado Forefront Identity Manager 2010 Visio Stencils.

Com certeza era um dos itens que faltava para deixar as documentacoes mais profissionais.

Download Aqui

Diego

FIM 2010 – Password Reset failing

rskalitzky — Thu, 17 Jun 2010 23:16:00 +0000

digg_url = “http://idamd.blogspot.com/2010/06/fim-2010-password-reset-failing.html”;digg_title = “FIM 2010 – Password Reset failing”;digg_bgcolor = “#F6F6F6″;digg_skin = “normal”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;

ISSUE:

Ok… So you have brought up your Forefront Identity Management 2010 environment, configured policies, got password reset working and life is good. Then down the road you of course make performance, configuration changes or tweaks to the environment, MAs, etc… One day you initiate (or user) a password reset via a workstation “reset password” link, pass through the gate questions without any problems, enter the new password and submit. Then to your surprise are presented with a not so intuitive error. Wait… this worked before WTH is going on.

You do some digging, check for events on the server running the password reset and discover a slue of the following events under “Forefront Identity Manager” event node.

EventID: 3
Source: Microsoft.ResourceManagement
Details: "PWReset activity could not connect to the directory"

After banging my head on the concrete, I recalled changes made to the environment and when, then matched them up to the last time Password Reset worked. I recalled a change made to the AD MA in order to work around the Excessive CPU Utilization on the Synchronization Server, which was to set the ADMA to “Run in a separate process..”. If you set the AD MA to run in a separate process, password reset fails.

SOLUTION:

Make sure the AD MA is NOT enabled to “Run in a separate process”, and then restart the Forefront Identity Manager Synchronization Server Service (miisserver.exe). Try another password reset and BAM, it works.

So what fixed one issue apparently damaged/disrupted another. Until the fix for FIM 2010 is available, determine what is more important to you… a pegged processor on the Synchronization Server or Password Reset working. I’ll leave that up to you.

Automating installation of custom FIM workflow assemblies during development cycle

Dmitry — Thu, 17 Jun 2010 17:52:52 +0000

Last night I was chatting with my ex-co-worker, who just dived-in the world of FIM development. He have had several questions about workflow development for FIM. I have pointed him to my FTE Owner Requirement workflow mentioned before in this blog, and published on CodePlex to serve as an example of FIM workflow for people who are starting out FIM coding.

One of the things that I found annoying, and therefore worth automating is the "deployment" of your activity on the system. When you are working on workflow, and especially when your workflow has a visualization (Admin UX) class, you need to do many routine "moves" before you can successfully attach to the process for debugging. So after your DLL is compiled you need to

Remove previously GACed library form Global Assembly List
GAC your new assembly
Copy assembly to "Portal" folder (along with your symbol’s file)
Restart FIM Service
Restart IIS (if you are writing Admin UX, and not using XOML)

In my book, this counts as tedious routine, especially when you need to do this time and time again over the development cycle.

So, I’ve wrote rather basic CMD file to automate this routine. It is parameterize to allow multiple DLLs to be deployed with the same script. Script uses GACUtils.exe to work with Global Assembly Cache. Utility comes with .NET SDK, I think, and uses dependency library – msvcr71.dll. To simplify everybody’s life I’ll include both in this ZIP file.

As an alternative you might want to consider "converting" this script logic to be a post-compilation job in Visual Studio. Personally, I have found that adding this script as post-build operation is a little bit time-prohibitive, since restarting FIM and IIS services takes some time, however you might want to think about it.

It is worth mentioning that if you are intending to leave your activity behind you might want to make your administrator’s life easier by writing an MSI package that would deploy your custom activity on the production FIM portal. Even though this post provides simple command-line script to deploy your activity during development cycle, mentioned above FTE Owner Requirement activity on CodePlex contains WIX installer project that will reliably deploy your activity on any FIM 2010 portal without you explaning where to place your DLL, how to GAC it and else you need to do with it.

Happy coding!

FIM 2010: Approval email “This request cannot be approved or rejected…”

rskalitzky — Wed, 16 Jun 2010 01:55:00 +0000

digg_url = “http://idamd.blogspot.com/2010/06/fim-2010-approval-email-this-request.html”;digg_title = “FIM 2010: Approval email “This request cannot be approved or rejected…””;digg_bgcolor = “#F6F6F6″;digg_skin = “normal”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;

Issue:

Within a Distribution Group an approval workflow and email is generated, when you open Outlook as the approver you receive the error message below and the approve/reject buttons are dimmed

"This request cannot be approved or rejected for the following reason(s): The sender (FIM Service Component User) is not an authorized sender of approval requests. Contact your system administrator for assistance."

Cause:

The FIM service account email address entered during the FIM Extensions and Add-ins install/configure process was not correct. In my case when this was encountered, I entered the email address correctly for the FIMService account; however Exchange created a different PrimarySMTP address for the account, and set other as a secondary. This caused the error.

Solution:

On the machine with the FIM Extensions and Add-ins installed, perform a “Change” on the installation.

Program and Features > Forefront Identity Manager Add-ins and Extensions > Change

During the change, enter the correct email address assigned to the FIM Service account.

Hopefully you discover this before deploying company wide. If not, you can always make the change via Group Policy, or other Desktop management solution.

MA Attributes not listed in FIM Sync Rule

rskalitzky — Thu, 03 Jun 2010 21:49:00 +0000

digg_url = “http://idamd.blogspot.com/2010/06/ma-attributes-not-listed-in-fim-sync.html”;digg_title = “MA Attributes not listed in FIM Sync Rule”;digg_bgcolor = “#F6F6F6″;digg_skin = “normal”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;

Ran into an issue with FIM 2010 (RTM), where custom or added attributes to Management Agents were not showing up in the list of available attributes when creating/editing a Synchronization Rule. The event on the synchronization server is listed below:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          11/29/2009 11:26:25 AM
Event ID:      6331
Task Category: MA Extension
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      fimserver.mydomain.local
Description:
A update on the configuration of a MA or MV failed to replicate to a target connector directory that is capable of storing MA/MV configurations. As a result, the MA/MV configuration data in this connector directory is not up to date. Please correct the condition that causes the error, and triggers a resync by updating the password information of the target MA.
Additional information:
Error Code: 0×80230709
Error Message: (The extension operation aborted due to an internal error in FIM Synchronization Service.)
Operation: Update MV
Name of the MA to replicate:

I exhausted all effort into try and get the attributes to show in the synchronization rule(s), and I even attempted to repair/reconfigure the FIM service and FIM Sync service installation.

Combing through the forums, I noticed a few others experienced the same issue. Two possible solutions existed… 1 was to repair/reconfigure the install, and the other was to completely uninstall, reinstall and rebuild. Sorry to say that the first option did not work, but the completely uninstalling and reinstalling did work.

Now, I never got down to the true underlying reason for this hickup, so hopefully you dont experience this after investing a ton of time into building sync rules, etc. During the reinstall I chose to create a new FIM Database, so I am not sure if restoring the existing FIM Database would surface the same issue. All I know is that restoring the MA Configurations was ok.

The images below reference attributes present in the MA, Metaverse, etc. and they dont exist in the Synchronization Rule attribute list

.Metaverse (Person Object Attributes)

Export Attribute Flow: FIMMA

Schema Management: Attribute / Bindings

Filter Permissions

Synchronization Rule:
Destination (No mDBUseDefaults)

Synchronization Rule:

Source (No mDBUseDefaults)

Event Logs on Synchronization Server: