FIM / ILM Best Practices (Forefront Identity Manager)

FIM 2010 R2 released today to MSDN

2012-06-01T19:29:00.000-07:00

Look what just turned up on the MSDN list of downloads:

Along with FIM 2010 R2 it looks like the BHOLD Suite is available too! Although you can see that it appears to be a separate download.

I don’t know when the retail version will be available.

TEC 2012 Summary

2012-05-02T21:10:00.001-07:00

Wow TEC 2012 is already over and I am already back home. What a week!

The venue was great. San Diego is always a great place to be, cool yet not too cold. Right on the bay. Great hotel. The Marriot Marquis and Marinas has an awesome pool – went for a great swim on Monday night. Tuesday morning I really enjoyed a jog on the Boardwalk. I ran up to the USS Midway. Tons of other attractions right nearby.

The sessions were very good. Unfortunately, I couldn’t attend all of the sessions I wanted to attend. I had a few conference calls and sometimes they were at the same time.

The keynote by Uday Hegde was quite good – he covered how Windows 8 (Windows Server 2012) will extend the File Classification Infrastructure type technology to permissions. We will be able to do claims based permissions on files! Pretty cool. Deployment of AD will become simpler – less running around to different machines to run prep this and prep that.

I skipped Adam and Ken’s session on Reporting with FIM R2. I am sure it was excellent and very similar to what they showed us at MVP summit (that and a con call meant I wasn’t there). I also had to pass on Jeremy’s session on SCIM, which was also at the same hour as Laura Hunter’s session on Protection at MSFT.

In the afternoon I conducted the showdown between Classic and Declarative and had a great time, but was wishing I could have split in two and attended Brian Desmond’s session on Office 365 prep to see if he has come up with a different way to solve the issues.

I then yielded the stage to Carol Wapshere for the Sync Service migration toolkit – looking forward to those scripts.

Then a con call interrupted my attendance.

The Meet the experts was fun, I got to meet a lot of folks that came over to get a copy of the book signed. Signing books is still a bit of a surreal experience (today we gave Anil Desai a ride to the airport – he wrote one of the first Windows books I read).

The Party was on the terrace and it was a bit breezy but quite fun with pool tables and a woman wearing dress with a table, yes a table. Bob Bobel of Quest told me that she was a party crasher. Well she certainly was a conversation piece.

Tuesday morning I caught Craig Martin’s session on PowerShell and SSRS to do reporting from FIM. It is brilliant work, however Craig keeps insisting on calling SSRS, scissors! I keep telling him to not to run (PowerShell) with Scissors (SSRS)

After lunch I saw Lutz deliver his session on BYOD and the cloud. Then we prepped for his Wed sessions.

Lutz attended several of the RMS related sessions and said they were very sparsely attended.

Tuesday night I attended the reception for a brief bit and then slipped out to dinner with a relative that lives nearby.

Wednesday, I was about to slip into Bob Bradley’s session on self-healing FIM, when I saw him sit down to breakfast. So after discovering that his session got changed to 9:45 he and I got to talking. That’s a fellow with head full of bright ideas.

Then I attended Lutz’s session on PKI housekeeping. Good job Lutz! I gave him a slide promoting the book, and he told his audience that he was leveraging that for an upgrade to business class on his next flight

Man I was hoping to see Eric Huebner’s session on manipulating data in FIM. Similar to the showdown but come at it from a very different angle, instead of arguing which is better, he discussed some of the performance considerations of one vs. the other and I understand that he even discussed “Request Splitting” in FIM 2010 R2 – allows you to have child requests that do go through the full pipeline and are subject to approval requests!

Then I went to Ehaib Isaac’s session – already blogged a lot about that one. One more mention. Ehaib mentioned he is working on his master’s degree but then showed us a slide of Jobs, Gates, and other billionaire college dropouts. In general more education is correlated with higher pay, although there a few exceptions. Great job!

The lunch on Wednesday had a great dessert! Fortunately I resisted the temptation to have seconds. Phew!

Two people at my lunch table won in the drawing. It was cool to be near two such lucky people!

RCDC Replacement

2012-05-02T12:08:00.001-07:00

FIM User Interface Implementation: Replace the rigid RCDC with a customizable UI
Speaker: Eihab Isaac

Eihab delivered a very well-reasoned presentation on the pros and cons of replacing some of the forms, especially the create person (user) form. Excellent demo showing creating multiple requests for creating the user as well as requests for additional attributes, and application access. Great session.

FIM Reporting Craig Martin style

2012-05-01T12:10:00.001-07:00

Craig’s session is on how to get data out from the FIM Service and FIM Sync with PowerShell and displaying it with SSRS, which he has dubbed Scissors!

Ok Craig we get it! You have even persuaded me that PowerShell is important! I have started writing scripts. SQL Server of course is still important.

Key is to hook up a pipeline from PowerShell to pass into his custom SSRS PowerShell Data Processing Extension (DPE). Craig uses export-clixml and import-clixml to serialize data before it is expired from the FIM system.

One thing he does point it is that you can’t use the Report Builder, you must use BIDS to create your reports, because DPE’s are not supported with Report Builder

Overall Craig does an excellent job of reusing the tools and capabilities for other areas to show us some really useful stuff with FIM.

Migrating from ILM to FIM

2012-05-01T11:04:00.001-07:00

Carol Wapshere delivered an excellent session yesterday at TEC 2012 on the thought process for migrating from MIIS/ILM to FIM.

I loved the incisive logic to focus on the main issue being solved: getting the customer onto supported software (getting the MIIS database off SQL 2000, getting off MIIS/ILM). Avoid the temptation to try and fix everything else at the same time. She had a great list of gotchas. Even more impressive were her discovery scripts designed to analyze the existing implementations and her rubric for estimating the work.

Look what I found in the news

2012-05-01T07:40:00.001-07:00

I didn’t even know that Identity and Access Management (IAM) workers had a union!

Of course, imagine my disappointment to learn that it is International Association of Machinists and Aerospace Workers union.

SharePoint 2010 User Profile Synchronization Service

2012-05-01T01:52:00.001-07:00

The SharePoint 2010 User Profile Synchronization Service is really FIM 2010 pre-packaged in a very special way. Need evidence? Look at the tables in User Profile Service Application_SyncDB

See how it has mms_connectorspace, mms_cs_link etc. Those are table commonly found in the FIM sync database. See the attributeInternal, the BindingInternal, all of the Membership* tables those are all part of the FIM Service database. So interestingly enough they have both FIM Service and FIM sync merged into a single DB.

FIM 2010 R2 Showdown: Classic vs. Declarative

2012-04-30T15:39:00.001-07:00

Well I delivered my session FIM 2010 R2 Showdown: Classic vs. Declarative. During lunch they changed the location. But the room was packed by 5 min after I began (guessing about 45-50 people). Many familiar faces.

We had a rollicking good time. I presented how things worked with Classic and Declarative presented some findings and asked for other opinions. Boy did I receive them.

My basic conclusion is that Declarative can reduce the code used and in turn improve the maintainability of the FIM implementation.

Some folks agreed. Some few misguided folks disagreed . I did take a bunch of ribbing from many who prefer the code.

We had lots of fun sharing opinions. I think all can agree that the Declarative Sync Rules give us a lot of promise for doing things without code and in a several ways falls short. Where we differ is how that affects the way we implement FIM. Some ignore the sync rules and do everything Classic. However, some of us try to use the Sync Rules for everything possible and the classic code only when needed.

One thing is certain, the product is definitely heading in the direction of more and more declarative capabilities.

Picking a mobile phone plan: AT&T

2012-04-27T17:00:00.001-07:00

I am currently a Sprint customer, and I am in the process of considering a replacement. So I analyzed AT&T’s plans. I found some interesting things:

They have three individual plans that don’t include long distance to Canada but do include US long distance.

min	cost	$/min	Over $/min	Min over to break even with next plan	Rollover	Weekend min
450	$ 39.99	$ 0.089	0.45	44	yes	5000
900	$ 59.99	$ 0.067	0.4	25	yes	unlimited
Unlimited	$69.99				n/a	unlimited

They include unlimited calls to other AT&T mobile customers. For $8.99/mo more you can get early nights and weekends.

The first interesting thing to notice is that on the 450 min plan if you will go 45 min over per month it is cost effective to go with the 900 plan. So if you will do 495 min/mo then the 900 min plan is better.

The next thing is that if you go 25 min over the 900 min plan it is more cost effective to do the Unlimited plan.

The most interesting thing is that if you are on the 900 plan and thinking about spending the extra $8.99 per month for earlier nights and weekends (7 pm instead of 9pm) why not spend $1.00 more per month to have all day be a night and weekend (since you have unlimited minutes).

Phoenix area part-time MBA program comparisons at public universities

2012-04-27T16:45:00.001-07:00

Even though I already have the MBA from Eller College at the U of A I recently put together the following analysis for a friend comparing the MBA options in Phoenix from U of A and ASU.

	Eller College of Management (University of Arizona) Evening	Eller College of Management (University of Arizona) Executive	WP Carey School of Business (ASU) Professional Evening	WP Carey School of Business (ASU) Professional Weekend	ASU Executive
Length and Start Date	20-22 months: January to August	16 months: August to early November	21 months, August start date	19 months, January start start date	21 months, August start date
Locations	Scottsdale, Arizona and Tucson, Arizona	Scottsdale, Arizona	Tempe Campus North Scottsdale	Tempe Campus	Tempe Campus
Cost	$40,000*	$56,000*	$51,600 - $60,300	$52,300 - $58,600	$76,600
Times	Classes meet one night per week from 4 p.m. to 10 p.m., plus initial residential session a 10-day international trip	Classes meet Fri. 8 a.m. to 5:30 p.m. and Sat. 8 a.m. to 5:30 p.m. every other week + a full-week session a 10-day international trip	Classes meet two nights a week from 6 p.m. to 10 p.m. Electives offered on Saturdays, online or at international locations	Classes meet every other weekend (Friday from 4:30 - 9:00 p.m. and Saturday 8:00 a.m. - 5:00 p.m. Core courses consist of 60% classroom learning and 40% online learning Electives offered online or at international locations	Classes meet every two weeks on Friday and Saturday

*— includes books and course materials, weekly dinner and meals, and hotel accommodations for residential portion of program; does not include international trip expenses or admission and enrollment fees

http://ellermba.arizona.edu/choose/

http://wpcarey.asu.edu/mba/evening/why-WPC/comparison.cfm

For cost compare

U of Phoenix is about $30k+

Thunderbird’s Exec MBA :

Tuition for the 2011-2013 Executive MBA-US program is $88,700 USD. Tuition is charged in a series of installments over the course of the program.

Opening Edit instead of view from a uocListView

2012-04-27T06:57:00.001-07:00

When using the uocListView control in the FIM RCDC you can have it return a list of objects. However when you open them, they also open for viewing, not editing.

The key to this is to add a button control inside the uocListView control. You then specify the redirectURL property for the button. Additionally ShowActionBar must be true, ItemClickBehavior must be ModelessDialog (which is the default). Enable Selection must also be true.

I examined the Policy Explorer to figure this out.

Here is an example that I first posted on the forum:

<my:Control my:Name="RequestViewCompleted" my:TypeName="UocListView" my:Caption="All Completed Role Requests" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=Owner}">

<my:Buttons>

<my:Button my:Name="Edit" my:Caption="Edit" my:ImageUrl="/_layouts/images/MSILM2/details.png" my:ClickBehavior="ModalDialog" my:EnableMode="OnlyOne" my:RedirectUrl="../customized/EditCustomizedObject.aspx" />

</my:Buttons>

<my:Properties> <my:Property my:Name="EmptyResultText" my:Value="There are no role requests for this role." />

<my:Property my:Name="PageSize" my:Value="5" />

<my:Property my:Name="SearchControlAutoPostback" my:Value="true" />

<my:Property my:Name="SearchOnLoad" my:Value="true" />

<my:Property my:Name="ShowTitleBar" my:Value="true" /> <my:Property my:Name="ShowActionBar" my:Value="true" />

<my:Property my:Name="ShowPreview" my:Value="false" />

<my:Property my:Name="ShowSearchControl" my:Value="true" />

<my:Property my:Name="EnableSelection" my:Value="true" />

<my:Property my:Name="SingleSelection" my:Value="true" />

<my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />

<my:Property my:Name="UsageKeywords" my:Value="RoleRequestCompleted"/>

</my:Properties>

</my:Control>

FIM DB Sizing Calculator

2012-04-25T23:32:00.001-07:00

FIM has two databases (well three if we count the FIM Certificate Management service):

FIMService
FIMSynchronizationService

Here is a calculator in excel that you can download and use to calculate how big to make your databases.

In my experience the FIMService database size depends mostly on how many request objects are in the database.

The FIM Sync Database depends mostly on how much run history details (step object details) you generate and keep.

Let me know how you like it. Remember this is to give you a range and help you with your first order approximation. I tried to carefully spell out all of my assumptions (even taking a Goldilocks approach with High, Low and Probable assumptions) and make them accessible in separate cells, while still trying to preserve the simplicity of how many users, how many groups, how many MA’s dealing with each.

I have tried to make it accurate to my experience. However if you find an outright error or find that it doesn’t match your existing setup let me know.

Darth Vader – Project Manager Part 2

2012-04-24T11:27:00.001-07:00

Have you ever wondered what it would be like to be on a project that was managed by Darth Vader?

In Part 1 I analyzed the good side of his skills. In Part 2 I tried to find the bad but I only find more good.

Once more thanks to George Lucas for inventing Star Wars and thanks again my co-workers for not utilizing Darth Vader's style.

More Good

Characteristic	Example	Comments
He promotes from within, and holds people accountable	[Darth Vader has just learned of Admiral Ozzel's big blunder, and activates a viewscreen] Admiral Ozzel: [appearing onscreen with Captain Piett] Lord Vader, the fleet has moved out of lightspeed and we're preparing to... [Ozzel stops, and suddenly begins to choke, clutching at his throat] Darth Vader: You have failed me for the last time, Admiral. Captain Piett? Captain Piett: Yes, my lord? Darth Vader: Make ready to land our troops beyond their energy field, and deploy the fleet, so that nothing gets off the system. [beside Piett, Admiral Ozzel utters one last strangled gasp, and falls over dead] Darth Vader: You are in command now, Admiral Piett. Admiral Piett: Thank you, Lord Vader.	Promoting from within can be a good thing, however, Vader’s method of creating openings is a bit suspect. Perhaps he should have studied Crucial Confrontations. He could have learned more appropriate ways to hold subordinates accountable. He clearly didn’t know how to “confront with safety.” He should have prepared by mastering his own stories, then privately confronted him, described the gap in expectations, trying to motivate while lowering barriers. That might have gone a little more like this Darth Vader: Admiral Ozzel, come see me on my ship. Admiral Ozzel: Right away Lord Vader. [Ozzel arrives on Vader’s ship] Darth Vader: Admiral Ozzel, I detect a disturbing pattern of failures. Today, you emerged from lightspeed close enough to the planet for the Rebels to detect our fleet. As a result surprise was lost. On the following previous occasions I noticed similar results. [Vader realizing that many failures result from a lack of ability and/or motivation, asks questions to try and find out which factors are involved.] Did you plan for surprise, as I requested? [If yes then it is an ability issue, if no then motivation, he wasn’t motivated to obey.]
He can motivate the workers	[Darth Vader steps out of his shuttle on the Death Star.] Moff Jerjerrod: Welcome, Lord Vader. This is an unexpected pleasure. We are honored by your presence. Darth Vader: You may dispense with the pleasantries, Commander. I am here to put you back on schedule. Jerjerrod: I assure you, Lord Vader, my men are working as fast they can. Vader: Perhaps I can find new ways to motivate them. Jerjerrod: I tell you that this station will be operational as planned. Vader: The Emperor does not share your optimistic appraisal of the situation. Jerjerrod: But he asks the impossible! I need more men! Vader: Then perhaps you can tell him yourself when he arrives. Jerjerrod: [alarmed] The Emperor's coming here? Vader: That is correct, Commander, and he is most displeased with your apparent lack of progress. Jerjerrod: We shall double our efforts. Vader: I hope so, Commander, for your sake. The Emperor is not as forgiving as I am.	Wow Vader certainly doesn’t subscribe to Patrick Lencioni’s philosophy of building enough trust on your team to allow someone to feel vulnerable. In this instance Vader is more of the project sponsor and Moff Jerjerrod is the PM. Moff Jerjerrod is clearly operating in a culture of fear and refuses to reveal bad estimates of the situation. So he is clearly using avoiding to hide the truth. Avoiding is a form of Silence. When we feel threatened in a conversation we tend to move towards silence or violence depending upon our natural tendencies as well as the power dynamics of the relationships involved. One of the two of them needs to recognize that safety is definitely at risk in this conversation, well Jerjerrod’s life too. They need to make it safe. How you do so depends on whether you are working at cross purposes or one of you is feeling not respected. Another factor is why. So in this case it doesn’t seem to be respect so much as not having the same purpose. Is it a result of a misunderstanding or do they genuinely want different things? Jerjerrod’s purpose in this conversation seems to be to not get in trouble, lose his job, his life and get his family exiled to Tatooine. His strategy in the conversation is to avoid the conversation with “pleasantries”, then a desperate confession followed by an overly “optimistic appraisal of the situation,” another desperate confession, and finally a somewhat fatalistic acceptance of the impossible deadline. Vader’s purpose is to get the Death Star operational on the Emperor’s deadline. His strategy is to make veiled threats. Although coming from a 6 ft. plus Sith Lord who has choked several co-workers to death with a slight movement of his fingers, the threat is not so veiled. They need to invent mutual purpose. Jerjerrod: Lord Vader we seem to have some different strategies, but I think we both want the same thing: to get the Death Star operational without working people so hard that they make errors that can result in tragic mistakes later on, such as leaving an exhaust port unprotected that could lead to a chain reaction and destroy the death star. Do you agree or do you see a different goal? Vader: The power to destroy the Death Star is insignificant compared to the power of the force. Ahem sorry, I was compelled to get that out there. Yes I believe that is the goal. [Vader and Jerjerrod retire to a conference room to discuss the PERT and GANTT charts and see what they can do]

Quotes from the Star Wars movies, found on:

http://www.imdb.com/title/tt0076759/quotes

http://www.imdb.com/character/ch0000005/quotes

http://en.wikiquote.org/wiki/Star_Wars_Episode_VI:_Return_of_the_Jedi

Nothing new under the sun

2012-04-24T09:48:00.001-07:00

Just a few weeks ago I was discussing with my team how Cloud computing bore a lot of similarities to outsourcing of Data Processing back in the height of the mainframe era. Just this morning I saw the following on Dave Kearns blog “While it’s true that there is really nothing new under the sun – “cloud computing,” for example, has remarkable similarities to datacenter computing from the ‘60s and ‘70s – it’s also true that there is always a different way to look at data, facts, or technology which can give insights into better ways to conduct business.”

Back in the 1990’s my father had founded a software company to help organizations manage their Local Area Networks. During that time he said that the LAN market was paralleling many of the trends that had occurred in the mainframe world. Ever since then I have found instructive to study those trends.

Kearns, makes several points among them, then in talking about cloud apps, “people were still having the same discussion that they’d had 10 years ago – only the names were different,” now arguing about datacenter vs. the cloud and previously it was Linux vs. Windows. Instead, he says we should “pick the right application or service – that one that best fills our need. Choosing the platform first is like choosing a restaurant because of the color of the plates they use.” Pretty funny, however I disagree (at least partially). For one thing, even in eating the plate does matter. The plate size more so than color. According to Change Anything: The New Science of Personal Success (page 114) “plate size [has] an enormous impact on how much it [takes] .. to get equally full.”

While I agree that the business needs need to be considered first, platform must also be considered. Just as the plate size can make a big difference for someone trying to manage their weight, so too can platform make a big difference to someone trying to manage their data security.

What does “no commitment” really mean?

2012-04-23T21:35:00.001-07:00

I recently received a mailer for YouFit Health Clubs, offering me “$1 down, $10 month with no commitment” for a club they opened near my house (limited to the first 125 to sign up).

Sounds good, but following the principle of caveat emptor (buyer beware), I always read the fine print. According to the “Billing for Monthly Dues” agreement you may “discontinue your Month-to-Month membership you may do so at any time with a payment of a twenty-five (25) dollar processing fee.”

You also agree that “monthly dues are subject to a $5.00 per month increase of dues if EFT payment is stopped or changed.” Sounds like even changing the account I use would result in the increase.

Hmm. That sounds like this no-commitment includes a commitment. Although it sounds reasonable, I wouldn’t call the arrangement “no commitment.” Perhaps they meant that compared to some other gyms there is virtually no commitment.

This serves as an important reminder to fully understand your commitments and customer requirements.

It is important to verify customer statements, like “all employees get AD accounts.” They may commit that this is the truth but their commitment may turn out to have some “no commitment” buried in the fine print.

You must dig deeper for the other shoe – so it can drop. There is always an exception, even to this rule about exceptions. For example, “all employees get AD accounts, except employees below grade 12.” Watch out for the exception to the exception “Except when the employees below grade 12 get approval from their manager. Unless someday their manager revokes their AD account.”

So will this “no commitment” gym get a commitment out of me? Perhaps, after all as a married man I am not afraid of commitment. Although I might be afraid of “no commitment.”

Vol 1 -- 1000 copies! -- 29% off

2012-02-29T12:01:00.001-07:00

A few weeks ago FIM Best Practices Volume 1 has surpassed 1000 copies! In honor of that achievement and Leap Day use the following code to get 29% off LEAPYEAR305

FIM 2010 -- Update Rollup 2 4.0.3606.2

2012-02-28T09:32:00.001-07:00

FIM 2010 Update Rollup 2 is now available. Download from here

Before blindly applying this update it is critical that you read the release notes, as XMA's or ECMA's may not run after the update. If you changed the MIISServer.exe.config file to tweak the FIM MA performance the update won't replace your file. So you have to make some updates to it by hand. This is documented in the release notes.

There are lots of fixes, my most favorite is that they have rolled back the change I mentioned [ranted about] in a previous blog post: What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?

My next favorite new feature and this one alone will get a separate blog entry, is the release of the ECMA 2.0 (information available on the beta and RC of the ECMA 2.0 here).

A few sync engine crash issues have been fixed.

Support for writing rules extensions in .NET 4.

Update to the update: Do not run the stored procedure mentioned below, it can result in incorrect set query results.

Update: The KB article was updated today and the item dealing with this stored procedure mentioned below has been removed. You should know that this stored procedure is intended to solve a specific performance problem and should only be implemented with guidance from PSS. You should also know that running it is a one-way trip i.e. the only way to undo it is to restore the FIMService database from backup.

Another key item that once more underscores the need to read the release notes, is a fix for the FIM Service dealing with large criteria based sets and groups. In order to take advantage of this performance enhancement it is necessary to run a stored procedure (EXECUTE [fim].[EnableSetPartitioningAndTabularFunctions]) by hand. Based on the name I expect that this procedure is doing some table partitioning, more on that when I get a chance to take a look. (Please see the update above)

Darth Vader – Project Manager Part 1

2012-02-14T20:28:00.001-07:00

Have you ever wondered what it would be like to be on a project that was managed by Darth Vader?

Let’s analyze the good side of his skills.

But before we do a little housekeeping:

I would like to thank my George Lucas for inventing such wonderful characters and a wonderful story, that has entertained me and so many others, many many times. I would also like to thank my co-workers for not utilizing Darth Vader's style.

The Good

Characteristic

Example

Comments

He vigorously defends projects he is leading

Admiral Motti: Any attack made by the Rebels against this station would be a useless gesture, no matter what technical data they have obtained. This station is now the ultimate power in the universe! I suggest we use it!
Darth Vader: Don't be too proud of this technological terror you've constructed. The ability to destroy a planet is insignificant next to the potential of the Force.

Admiral Motti: Don't try to frighten us with your sorcerous ways, Lord Vader. Your sad devotion to that ancient Jedi religion has not helped you conjure up the stolen data tapes, or given you enough clairvoyance to find the rebels' hidden fortress...
[Vader makes a pinching motion and Motti starts choking]
Darth Vader: I find your lack of faith disturbing

Well maybe ignoring problems and attacking or counterattacking individuals with verbal violence or force violence isn’t such a good thing.

After Vader’s attempt to bring him down a peg, Admiral Motti wasn’t feeling safe enough to remain in dialogue, so he counterattacked with labeling (“sorcerous”) and attacking (“sad devotion”).

I wonder if Crucial Conversations training could have helped.

So Vader escalates. Instead he should have recognized “uh-oh things are getting heated, hmm I am not feeling safe, but before I use the force to choke him, I should ask myself what do really want (long-term) out of this conversation? I want a team that can help me crush the rebellion to protect the empire that I kind of thought I would rule someday.” Next he needed to recognize that Admiral Motti was feeling unsafe, what is the evidence? The labeling and attacking. Then he needed to restore safety. Well was it mutual purpose or respect at risk? Respect. Vader’s dismissive comment about the Death Star really irked his would-be minion, I mean co-worker. In this case a clarification of intent using contrasting would be useful.
E.g.
”Admiral, my earlier comment was not intended as a personal attack on your engineering abilities nor on your creation. I did want to caution us all about the dangers of overconfidence. I agree that the Death Star is powerful , so too is the Force. Imagine what we can do wielding them together.”

He focuses on results

Darth Vader: Yes, Admiral?
Admiral Piett: Our ships have sighted the Millennium Falcon, Lord. But it has entered an asteroid field and we can not risk...
Darth Vader: [interupting] Asteroids do not concern me, Admiral. I want that ship, not excuses.

If only Vader could have learned to look he could have realized that Piett wasn’t feeling safe. As evidenced by Piett falling out of dialogue into silence. Oh wait that was his intention.

How could the recently promoted Piett handle this? He believes and with some degree of reasonability that he faces a choice between speaking up and losing his life. Is this a sucker’s choice? Is there a way he can speak up and save his life too? Probably. One key thing you learn about Crucial Conversations is about picking what conversation to have and preparing for it.

He should probably take this up at a different time, and discuss the whole pattern of killing subordinates.

”Hey, uh, Lord Vader?”
”Yes, Admiral?”
”I was wondering if I could discuss some ideas I have about helping us be an effective rebellion crushing team. Would it be ok if we spent some time discussing this?”
<<In this way Admiral Piett is establishing a mutual purpose and is asking permission to broach the topic which is very powerful in being able to get to dialogue>>
”Proceed, Admiral.”
”I don’t want to say your not an effective leader in the empire. I do want to discuss how to we can be more effective as a team.”
<<Proactive Contrasting>>
So I have noticed that my predecessor made a mistake in coming out of hyperspace too close to the planet. Then you used the force to kill him. I have observed that some of the fleet officers and myself have become more hesitant in our actions for fear of suffering similar consequences. It appears that you might have reacted in anger, not intending to have a debilitating effect on the fleet staff. It might cause us to hesitate when we need to be bold or be afraid to tell you about a critical problem until it is too late to solve it. How do you see it?”
<< This way Piett starts with the facts, tells his interpretation of the facts and asks how Vader sees it, but he does so with tentative language and in a way that encourages testing.>>

”That is most unfortunate Admiral Piett.”
[Darth raises his hand making the choking motion with his fingers, but then pauses]
Vader mutters to himself, “Wait I have always wondered why I am surrounded by incompetence, perhaps this my opportunity to understand.”

…

Well I think Luke was right, there was good in him still.

It is so sad. Had Vader and the rest of the staff been able to remain in dialogue they might have been able to recognize their problems, and work together to solve them. In short they could have “crushed the rebellion once and for all”

Quotes from the Star Wars movies, found on:

http://www.imdb.com/title/tt0076759/quotes

http://www.imdb.com/character/ch0000005/quotes

http://en.wikiquote.org/wiki/Star_Wars_Episode_VI:_Return_of_the_Jedi

FIM R2 Showdown -- Classic vs. Declarative

2012-01-25T10:43:00.001-07:00

Come join me at The Experts Conference 2012 in San Diego April 29 - May2 where I will be presenting:

FIM R2 Showdown — Classic vs. Declarative
Speaker: David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs. when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.

My colleague Lutz Mueller-Hipper has been selected to present three sessions:

Data Loss Prevention with RMS: 2012 the Year of RMS
Speaker: Lutz Mueller-Hipper

In this session we talk about the reasons for RMS and the battle against PKI. RMS is growing up, so let’s see what we got with Mac Office, for unsupported documents formats and automatic data classification tools. We will also cover what is new with RMS in Windows 8 and RMS in the Cloud.

EZ PKI and PKI Housekeeping
Speaker: Lutz Mueller-Hipper

It is time to use PKI to simplify computer management, and this session will go over design recommendations and security aspects for scenarios with Wifi and VPN. Don’t just do it, do it right, and see why and how. The second part of this session will discuss user certificates in the wild, how to publish them securely with AD LDS and what needs to be done for housekeeping in Active Directory for PKI.

Public/Private Cloud Application Security and Single Sign On with BYOD –
Tear Down the Walls
Speaker: Lutz Mueller-Hipper

The IT business is moving rapidly to cloud based solutions. Want to know what that means to the traditional network infrastructure and how you can run an open but secured network? The session will look at all those things from an application level and authentication in enterprises with classic SSO and federation.

For all of the Directory and Identity Abstracts

Property Sets for Permissions in AD and AD LDS

2011-12-26T12:46:00.001-07:00

A while back I needed to set up Property Sets in AD LDS for granting of permissions to many of the attributes on the person object all at once, as I reviewed the Technet documentation on AD Property Sets I realized that it doesn’t tell you what object type property sets are, nor does it tell you how to create a property set, nor does it tell you how to assign an attribute to a property set. The MSDN documentation on Property Sets lets you see which attributes where included in which property sets in the different versions of AD, and it hints that property sets are part of Control Access Rights. Finally there is some more MSDN documentation on Control Access Rights that starts to spell it out:

For defining property sets, to enable controlling access to a subset of an object's attributes, rather than just to the individual attributes. Using the standard access rights, a single ACE can grant or deny access to all of an object's attributes or to a single attribute. Control access rights provide a way for a single ACE to control access to a set of attributes. For example, the user class supports the Personal-Information property set that includes attributes such as street address and telephone number. Property set rights are created on controlAccessRight objects by setting the validAccesses attribute to contain both the ACTR_DS_READ_PROP (16) and the ACTRL_DS_WRITE_PROP (32) access rights.

This illustrates the first goal of my post: property sets exist in AD as controlAccessRight objects. But still doesn’t tell us where in the AD do they live. In fact they live in the CN=Extended-Rights container inside the Configuration partition(not the schema):

Digging deeper into the MSDN docs on Creating Control Access Rights illustrates how you link attributes to a property set:

If you define a control access right for a property set, use the rightsGUID of the controlAccessRight object to identify the properties in the set. Every property is defined by an attributeSchema object in the Active Directory schema. The attributeSecurityGUID property of an attributeSchema object identifies the property set, if any, that the property belongs to. Be aware that the attributeSecurityGUID property is single-valued and stores the GUID in binary format (octet string syntax).

Another goal of this post is to help by making this a little more visual.When you create a property set, you must first generate a GUID and place in the rightsGUID attribute on the controlAccessRights object. To assign an attribute to a property set you need to place this same GUID in the attributeSecurityGUID attribute on the attributeSchema object (in the Schema partition). Remember an attribute can only belong to one property set.

Take a look at the following

Instructions on how to assign permissions to someone using a Property Set

For information on how to get the GUIDs into the right forms see my post

GUIDs to Octets, GUIDs to Base64 strings and back again

2011-12-26T12:45:00.001-07:00

Suppose I generate a GUID of 8c4ac332-975f-4717-ad7b-ba4a4e968fff by running the following PowerShell Command line

[system.guid]::newguid()

Don’t worry if your GUID is from mine it should be! If it isn’t let me know because I think I’ll partner with you for the lottery (aka a tax on the mathematically impaired).

Some attributes (like the attributeSecurityGUID) when edited through ADSI Edit require you to convert the GUID to octet string (for little endian systems – Intel processors are little endian): 32c34a8c5f971747ad7bba4a4e968fff

Which you can do with this one line of PowerShell script

[System.String]::Join('',(( new-object system.guid('8c4ac332-975f-4717-ad7b-ba4a4e968fff') ).ToByteArray() | ForEach-Object { $_.ToString('x2') } ) )

Then if you want to put this in an LDIF file you must base64 encode the value

so that it looks like: MsNKjF+XF0ete7pKTpaP/w==

You can do that with this one line of PowerShell

[System.Convert]::ToBase64String((new-Object system.Guid("8c4ac332-975f-4717-ad7b-ba4a4e968fff")).ToByteArray())

To convert from the Base64 string to the GUID use this line of PowerShell:

new-Object -TypeName System.Guid -ArgumentList(, ( ([System.Convert]::FromBase64String("MsNKjF+XF0ete7pKTpaP/w==")) ) )

FYI – I chose to express all of these in PowerShell as opposed to C# as many readers are not C# developers and I still wanted to give all the ability to do these transforms without the complexity of compiling code or downloading an executable.

Thanks to John Geitzen whose reply to someone else’s question helped me see how to make the correct call to be able to pass the array as a whole parameter to the guid constructor instead of it getting splatted.

Thanks to Poshololic whose comment on this post showed how to do the Guid to Octet conversion in one line.

Referenced by Other works and Sale at Lulu

2011-11-28T07:07:00.001-07:00

I was pleasantly surprised today to find three other books, referencing FIM Best Practices Volume 1, which because of a Lulu Sale you can get at 25% off until 12/14/2011 Coupon Code: BUYMYBOOK305 Coupon expires December 14, 2011 $50 Max Savings. Of course today only 30% off, CYBERMONDAY305.

All three have an identical blurb about FIM and reference FIM Best Practices Volume 1 as additional material.

Title	Author
User Provisioning: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors	Kevin Roebuck (Jun 7, 2011)
Excerpt - Page 138: "... TechNet Wiki [7] FIM Best Practices Volume 1: Introduction ..."
Run Book Automation: What you Need to Know For IT Operations Management	by Michael Johnson (May 3, 2011)
Excerpt - Page 74: "... Microsoft TechNet Wiki [7] FIM Best Practices Volume 1 ..."
Federated Id management: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors	by Kevin Roebuck (Jun 7, 2011)
Excerpt - Page 148: "... TechNet Wiki [7] FIM Best Practices Volume 1: Introduction ..."

Although the blurb lists the license for FIM as Shareware. I hadn’t thought that FIM would fit the definition of Shareware.

All three appear to start with an introductory paper, and the contain a compilation of articles on various related technologies.

FIM exam 70-158 is now live oh and I passed

2011-11-22T07:03:00.001-07:00

Exam 70-158: TS: Forefront Identity Manager 2010, Configuring is now live according to the MSL web site. I also received an email indicating that I passed the beta.

What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?

2011-11-16T10:38:00.001-07:00

Ok I am not actually swearing, nor are those substitute words, rather % and _ are two characters that until hotfix rollup package (build 4.0.3594.2) could be used to perform some much needed and cool searches for sets, search scopes, groups and 3rd party client queries against FIM. Such as querying for the presence of string attributes.

I am sure what happened is that someone created a resource with an underscore in the name and then couldn’t search for it. So the fix. However it wasn’t broken. We need this functionality. Furthermore, simply enclosing the wildcard character in [] would cause it to be evaluated as a literal.

The secret, as I previously blogged, is that FIM takes what you type in (on some searches) and passes it as the right hand parameter of the T-SQL LIKE operator. Ergo, whatever wildcards you can do with LIKE you can do here. Was this a form of SQL injection? Perhaps, but I tested it for other kinds of SQL injection, such as adding a single quote and other commands, and those don’t work. So it wasn’t a vulnerability, but a feature. Undocumented? Sure, but needed.

Using Wildcard Characters As Literals

You can use the wildcard pattern matching characters as literal characters. To use a wildcard character as a literal character, enclose the wildcard character in brackets. The following table shows several examples of using the LIKE keyword and the [ ] wildcard characters

The problem with this hotfix is that it destroys our ability to build sets and queries that test for presence of values in string attributes. This will break many of the implementations of FIM that I and my team have done. We need a mechanism for detecting nulls in the attributes in the FIM Service database so that we can create sets based on the presence or absence of attributes.

Some might say that we can use DRE’s to accomplish this too, but the calculation of sets of objects that have DRE is non-trivial requiring the creation of an Outbound Sync Rule, the creation of a set of DRE objects, and then another set of objects whose DRL has members in the first set. But worst of all this only applies to attributes in the connector space and their matching attribute in the Metaverse and requires a few syncs and I cannot apply this approach to attributes that exist only in the FIM Service, but not in the Metaverse.

Another alternative would be to create an IsPresent function in the XPath queries, but please ensure that it works on all attribute types.

Preference of fixes (in decreasing order of desirability):

1) We can still use the wildcards in the queries, but have a way to escape them and get an IsPresent function, in other words roll back this portion of the fix and teach/document how to have the wildcards treated as literals.

2) If we can’t do that then I would prefer to see an IsPresent function in the XPath

3) If we can’t do that still use the wildcards in the queries, but have a way to escape them

Official text from hotfix rollup package (build 4.0.3594.2):

Issue 2

Revised the FIM "Query and Sets" features to correctly treat percent signs, underscores, and opening brackets as literals instead of as SQL wildcard characters.
The approved character sets for strings that are used in FIM attribute values are defined in the attribute and binding schema in the FIM service. The syntax for representing an XPath filter is documented on MSDN in the following "FIM XPath Filter Dialect" article:

http://msdn.microsoft.com/en-us/library/ee652287.aspx ( http://msdn.microsoft.com/en-us/library/ee652287.aspx)

Some customers may have included characters that SQL defines as query wildcard characters, such as the percent character, in FIM searches and Set filters. In this case, the customers intended FIM to treat the characters as SQL wildcard characters. This is not a documented or supported feature of the product. In some cases, customers may be able to achieve the intended functionality by removing the wildcard and by using a “contains” query/filter instead.
Existing Set resources that have filters that contain SQL wildcard characters may not continue to function as the filters functioned before this hotfix was applied. Also, a filter that contains wildcard characters and that continued to function as expected after the hotfix was applied may function differently if the administrator later updates the filter definition.
Customers who used characters that SQL defined as query wildcard characters must check and revise their Set filters either before or after they upgrade to this hotfix. Customers should consider the impact of Set membership changes on Set transition MPRs. And, customers may want to temporarily disable MPRs or update workflow definitions while they change their Set filters to avoid unintentionally triggering provisioning or deprovisioning operations during Set definition maintenance.

FIM 2010 hotfix available (4.0.3594.2)

2011-11-16T10:22:00.001-07:00

Microsoft has released a new hotfix (kb 2520954) at the end of October with some key fixes in it as well as one item that I will blog about next that prevents me from loading this on most implementations, until it is addressed.

Highlights

Component	Official Description	Comments
Workflow Engine (FIM Service)	Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails property for a request, or in the WorkflowStatusDetails property of a workflow instance: Cannot enlist in the transaction because a local transaction is in progress on the connection. Additionally, the time stamp is the same as the time when the operation fails.	An operation on a thread that make a sql call that times out poisons the thread and all future operations on the thread fail. This could have lead to other problems that were hard to reproduce. Kudos on this one
Sync Engine	An ExpectedRulesEntry (ERE) object is associated to a child synchronization rule of a Metaverse object. If the ERE object has a Remove action, deprovisioning of the object is also being triggered. Then, the behavior causes the deletion of the Metaverse object	Much needed fix to ensure that deprovisioning doesn’t fire incorrecltly.
	Fixes many "Export not reimported" errors that might occur because of errors in SQL.	Hallelujah – we see a fair amount of those. Would like to see more detail on that one
	Improves the performance of all Sync Engine operations. Note This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.	Ok plan for a long time for your update. Be sure to back it up. This also sounds like a future blog article, to look a little deeper as to the changes.
	Feature 2 The FIM 2010 Active Directory Management Agent (AD MA) does not honor the preferred domain controller list when passwords are exported. This is an issue for customers who require password changes to flow to a specific set of domain controllers. This hotfix rollup package changes the AD MA to use the preferred domain controller list first. If the preferred domain controller list does not exist, the domain controller locator service will identify a domain controller for password export operations. Additionally, you can still force password operations to use the primary domain controller by setting the following registry subkey: Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters\PerMAInstance\<MA_name> Value: UsePDCForPasswordOperations (REG_DWORD, 1 = True, 0 = False) This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.	This will be very helpful in large environments. Prior to this all password operations on FIM were targeting the PDC Emulator, which incidentally introduced a single point of failure. I also applaud the elimination of the need for the trust to do password exports!
	Feature 3 Adds the ability to filter objects before they are imported into the AD MA connector space.	Another big win for large environments where we need to ignore large portions of the domain!
Sets and Query (FIM Service)	Fixes an issue that would sometimes cause incorrect Set calculations. This resulted in lots of set corrections. Also revised the Sets Correction job so that it does not change special sets that are maintained by another system maintenance job.	Thank you!
FIM MA	Fixes an issue in which the FIM synchronization service configuration for synchronization rules and codeless provisioning was not correctly written to the FIM Service database.	Seen this one. Glad to have a fix.
FIM Service	Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronization service to fail during import, and a stopped-server error occurred.	Seen this one too.
	Issue 4 Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.	Once more thank you.