Identity Managed

Custom Attributes in Entra ID -- Decision Tree

david@identitymanaged.com (David) — Wed, 01 Oct 2025 22:41:06 +0000

This article is the eighth in a series about Custom Attributes in Entra ID and will step through the decision tree which I hope will be the definitive guide to which way to store custom data in Entra ID.

Is this custom data intended for Enterprise Applications or Managed Identities (both of which are of the servicePrincipal resource type)?

If “Yes,” then you must use Custom Security Attributes – this is the only way to filter on Applications in Conditional Access Policies

Custom Attributes in Entra ID -- Use Cases

david@identitymanaged.com (David) — Wed, 01 Oct 2025 03:46:51 +0000

This article is the seventh in a series about Custom Attributes in Entra ID and will discuss the use cases of each these approaches. There are seven use cases that have only one solution, three exclusive use cases for Extension Attributes, three exclusive for Custom Security Attributes and one for Directory Extensions.


Use Cases	Extension attributes	Directory Extensions	Schema Extensions	Open Extensions	Custom Security Attributes
Visible on Profile Card	Y (Exclusive)	N	N	N	N
Exchange Dynamic Groups	Y (Exclusive)	N	N	N	N
Group Dynamic Membership Rule	Y	Y	N	N	N
Administrative Unit Dynamic Membership rule	Y	Y	N	N	N
Inbound Cloud Provisioning	Y	Y	N	N	N
Cloud User App Provisioning	Y	Y	N	N	N
User App Provisioning Filtering	Y	Y	N	N	N
On Premise Sync	Y	Y	N	N	N
Cross Tenant Sync	Y	Y	N	N	N
Customized Token Claims	Y	Y	N	N	N**
Entra ID DS	Y	Y	N	N	N
Graph Filterable	Y	Y	Y	N	Y
Azure B2C	Y	Y	N	N	N
External ID Custom User Attributes	N	Y (Exclusive)	N	N	N
Restricted Access/Sensitive Data	N	N	N	N	Y (Exclusive)
Conditional Access Filter on Enterprise Applications	N	N	N	N	Y (Exclusive)
Conditional Access Filter on Devices	Y (Exclusive)	N	N	N	N
Conditional Access Filter on Users and Groups (via Dynamic Group Membership)	Y	Y	N	N	N
UI to manage the customizations	N/A	N*	N	N	Y
Azure ABAC	N	N	N	N	Y (Exclusive)
Lifecycle Workflows: Scope Filter	Y	Y	N	N	Y
Lifecycle Workflows: Trigger Attributes	N	N	N	N	N
Access package assignment Policy	Y	Y	N	N	N

My default answer: use a Directory Extension unless you can’t!

They cover most use cases

Custom Attributes in Entra ID -- Limitations

david@identitymanaged.com (David) — Wed, 01 Oct 2025 02:27:11 +0000

This article is the sixth in a series about Custom Attributes in Entra ID and will discuss the Limitations of each these approaches.


Limitation	Extension attributes	Directory Extensions	Schema Extensions	Open Extensions	Custom Security Attributes
Needs an App to own it	N	Y	Y	N but an App must create it	N
Values Per Resource	15	100	100	2 kb of data	50
Per App	N/A		5 definitions	2 extensions	N/A
Per Tenant	15	Infinte	Infinte	Infinte	500
Schema can be shared	Built in to every tenant	If other tenants install your mult-tenant app	Discoverable Globally	N	N
Can exist on Synced User	Y	Y	Y	Y	Y
Must Manage on Prem for Synced User	Y	N*	N	N	N

*No, except for Directory extensions from the “Tenant Schema Extension App” used by Entra ID Connect Sync and Cloud Sync.

Custom Attributes in Entra ID -- Lifecycle

david@identitymanaged.com (David) — Sat, 27 Sep 2025 00:11:34 +0000

This article is the fifth in a series about Custom Attributes in Entra ID and will discuss the Lifecycle of each of these approaches.


Lifecycle Question	Extension attributes	Directory Extensions	Schema Extensions	Open Extensions	Custom Security Attributes
Has Lifecycle States?	No(always there)	No(there and not there)	Yes (InDevelopment, Available, Deprecated)	No(never there)	Yes(Active,Deactivated)
Can other apps in the same tenant discover the extensions definitions?	Yes (same in every tenant)	Yes	Yes	No defintions to discover	Only with the Attribute Definition roles
Can other apps in same Tenant read the data (If app has read permissions to the resource)?	Yes	Yes	Yes	Yes	Only with Attribute Assignment Roles
Can other apps in same Tenant write the data (If app has write permissions to the resource)?	Yes	Yes	Yes	Yes	Only with Attribute Assignment Roles
Can defintions be shared with or discovered by other tenants?	They already are	If app is Multi-Tenant and gets installed	Once the Schema Extension is in Available State	No	No
Can the extension be deleted?	No	Yes	Only when in the InDevelopment State	N/A (there are no definitions)	No
Can be deactivated or deprecated?	No	No	Yes (deprecated)	No	Yes (deactivated)
Deletion of owning App
What happens to the definitions?	N/A	Deletes the Extensions Definition	Not deleted but no longer updateable	Deleting the Creator app has no impact	N/A
What happens to the definitions in other tenants?	N/A	Nothing – other tenants could not update the definitions anyhow	Nothing – other tenants could not update the definitions anyhow	N/A	N/A
What happens to the data?	N/A	Makes it undiscoverable	All properties and values are still discoverable	Deleting the Creator app has no impact	N/A
What happens to the data in other tenants?	N/A	None	None	N/A	N/A
Can the extension be deleted?	N/A	Yes	Only when in the InDevelopment State	N/A (there are no definitions)	No
What happens to the definitions?	N/A	Deletes the Extensions Definition	Definition deleted and undiscoverable[[1]](#_msocom_1)	N/A	N/A
What happens to the definitions in other tenants?	N/A	Nothing – other tenants could not update the definitions anyhow	N/A (can’t delete when shared)	N/A	N/A
What happens to the data?	N/A	Makes it undiscoverable	Makes it undiscoverable	N/A	N/A
What happens to the data in other tenants?	N/A	Nothing	N/A (can’t delete when shared)	N/A	N/A
Can the extension be deactivated or deprecated?	No	No	Yes (deprecated) extension can no longer be read or modified	No	Yes (deactivated) Can no longer be applied
Effect on other tenants?	N/A	N/A	extension can no longer be read or modified	N/A	N/A
What happens to the data when the Extension is deprecated or deactivated?	N/A	N/A	Can read, update and delete existing property values	N/A	Data is preserved Can no longer be applied to resources
Effect on other tenants?	N/A	N/A	Can read, update and delete existing property values	N/A	N/A
Data in Undiscoverable/Deactivated count against limits	N/A	Yes	Probably	N/A	Yes

Custom Attributes in Entra ID -- Data Types

david@identitymanaged.com (David) — Fri, 26 Sep 2025 23:57:15 +0000

This article is the fourth in a series about Custom Attributes in Entra ID and will discuss the Data Types that each of these approaches can use.


Resource Types	Extension attributes	Directory Extensions	Schema Extensions	Open Extensions	Custom Security Attributes
String	Y	256 characters	Y	Y	64 Characters
Binary	N	Y	Y	N	N
Boolean	N	Y	Y	N	Y
DateTime	N	Y	Y	N	N
Integer	N	Y	Y	N	Y
LargeInteger	N	Y	N	N	N

Multi-valued Attributes	N	Y	N	Y	Y
Strongly Typed	N	Y	Y	N	Y

Going beyond single valued strings

Custom Attributes in Entra ID -- Resource Types

david@identitymanaged.com (David) — Fri, 26 Sep 2025 21:03:55 +0000

This article is the third in a series about Custom Attributes in Entra ID and will discuss the Resource Types that each of these approaches can use.


Resource Types	Extension attributes	Directory Extensions	Schema Extensions	Open Extensions	Custom Security Attributes
servicePrincipal	N	N	N	N	Y
user	Y	Y	Y	Y	Y
device	Y	Y	Y	Y	N
group	N	Y	Y	Y	N
administrative unit	N	Y	Y	N	N
application	N	Y	N	N	N
organization	N	Y	Y	Y	N
contact	N	N	Y	Y	N
event	N	N	Y	Y	N
message	N	N	Y	Y	N
post	N	N	Y	Y	N
todoTask	N	N	N	Y	N
todoTaskList	N	N	N	Y	N

Right away it should be noted that contact resources are personal contacts not the Organization contacts (orgContact) that are maintained by the org’s admins. Contact resources are Outlook Items (or resources) and not directory resources. orgContact is a directory resource type. You can tell because in the doc it says, “Inherits from directoryObject.” In other words contacts are visible for a particular user and not to the organization. Whereas orgContact resources are visible for the entire organization through the Global Address List.

Custom Attributes in Entra ID -- Naming Conventions

david@identitymanaged.com (David) — Fri, 26 Sep 2025 20:20:33 +0000

This article is the second in a series about Custom Attributes in Entra ID and will discuss the Naming Conventions so that you can recognize them when you see them in the wild and understand how uniqueness is enforced and guaranteed.


Names	Name or ID	Example	Notes
Extension attributes	extensionAttribute1 .. extensionAttribute15	extensionAttribute15	The names are already pre-determined
Directory Extensions	extension_ {ApplicationId}_attributeName	extension_ 4b2af6e7f3ac4f598e35c364e0126c6d _MgrLvl	The Application ID or Client ID (not the object ID of the Application)
Schema Extensions	verifiedVanityDomainextensionID OR ext{8-random-alphanumeric-chars}{schema-name}	snappyslackers_coordinates OR extwmo14pts_coordinates	You can choose between using the verified Vanity Domain Name or allowing EntraID to generate a random prefix for you
Open Extensions	ReverseFQDN.extensionName	com.snappyslackers.coordinates	It looks like this is an unenforced convention
Custom Security Attributes	<AttributeSetName_AttributeName>	HR_MgrLvl	Both the AttributeSetName and the AttributeName can be up to 32 Unicode Characters with neither spaces nor specials characters. AttributeName must be unique within its Attribute set, which in turn must be unique within the tenant.

Extension Attributes

You do not get to choose the names of the Extension Attributes as they are predetermined and fixed.

Custom Attributes in Entra ID

david@identitymanaged.com (David) — Fri, 26 Sep 2025 06:41:28 +0000

Microsoft has had a lot of chefs in the Entra ID kitchen baking up solutions to different problems and now we have an array of confusing choices about where to put your data.

This is the first of a series of posts to help you choose the correct one for you and your needs.

While Microsoft’s official documentation provides a fairly handy comparison table it completely leaves out Custom Security Attributes. Overall, I find that there are some gaps, and a couple of contradictions but not a definitive guide to help you know when to use which extension.

Cross Tenant Sync for GalSync?

david@identitymanaged.com (David) — Fri, 04 Apr 2025 22:18:27 +0000

Microsoft Entra ID’s Cross Tenant Sync can sync users from one tenant to another. They will sync as External Members or External Guests. In Exchange Admin they will show as MailUsers.

Just be sure that showInAddressList is synced to be true or better yet carries over the showInAddressList from your source tenant.

GalSync done! Yeah!

Wait a minute! What about Groups? What about contacts? What about internal guests?

NO! They are not supported

MIMWAL Can run PowerShell 3.0 and beyond without PSRemoting or Start-Process!

david@identitymanaged.com (David) — Fri, 07 Jun 2024 17:11:48 +0000

I just discovered that a colleague had several years prior managed to get MIMWAL PowerShell Activity to run Get-ADUser and other commandlets from the Active Directory Module (which requires PowerShell 3.0 or later) without using PowerShell Remoting or starting a new Process with Start-Process.

<Caution> Per Eugene Sergeev

This breaks SSPR AuthN workflows.

</Caution>

So if you aren’t using SSPR through MIM this might be an option for you!

According to the MIMWAL Wiki

SSL v TLS with EntraID Sync and MIM's Generic LDAP Connector

david@identitymanaged.com (David) — Thu, 11 Apr 2024 05:53:35 +0000

Everyone knows that SSL is vulnerable and we should therefore use TLS. What isn’t well understood is the options presented for Binding (authentication) when using the Generic LDAP Connector with AADConnect or the Generic LDAP ECMA 2.x with MIM.

We are presented 5 options:

Anonymous
Basic
Kerberos
SSL
TLS

When we tested we could get the SSL option to work over port 636, and we could get the TLS option to work on port 389 but we couldn’t get the TLS option to work over port 636. Using a protocol analyzer we confirmed that both ways were using TLS 1.2.

What does MIM's StoreChk.exe do?

david@identitymanaged.com (David) — Fri, 29 Mar 2024 00:13:51 +0000

I watched through SQL Profiler to better understand what these checks do, and I found an error with check #10. It says it is “Checking Lineage Guid table for MV objects with invalid MV object ids” but the SQL query it issues is the same as the query for Check # 9 “Checking Lineage Date table for MV objects with invalid MV object ids.” It queries the Lineate Date table instead of the Lineage GUID table like it says.

MIM StoreChk.exe Assumes SQL is Local

david@identitymanaged.com (David) — Thu, 28 Mar 2024 18:55:15 +0000

On occasion you (usually with the help of PSS – Product Support Services) may need to verify the integrity of the MIM Synchronization Service Database. To do this you can use the Store Check tool, StoreChk.exe located in the bin folder under the root of your MIM Synchronization install.

While the storechk tool does read the registry to find the name of the database (almost always is FIMSynchronizationService) it does not read the Server or Instance name registry values in the parameters key of the registry. Instead it defaults to assume that the SQL Server is co-located on the same machine as MIM Sync.

SQL Always On Availability Groups for MIM

david@identitymanaged.com (David) — Tue, 26 Apr 2022 14:31:00 -0700

Image from: https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-overview

Edited July 2 2022 after reviewing my Facebook discussion with Eugene Sergeev on Microsoft’s product team.

MIM 2016 SP2 (and 4.4.1459.0 or later supports SQL Server Always On Availability Groups (AG))! Yeah!

Ok let’s implement it!

But wait! It won’t give us all we hope for!

Up to the moment distributed backup of the data – yes!
Automatic instant failover – not without a huge caveat!

What do you mean it won’t give us Automatic Instant Failover?

Wanted: Up and coming Cyber Security Professionals

david@identitymanaged.com (David) — Thu, 18 Jun 2020 16:36:00 -0700

Cyber Security – Identity Management Implementer

Secure your identities against the dangers of the Cyber World, automate the repetitive, and empower your users!

Let’s

Shut the front door on the most obvious vector for Cyber-attacks
Reduce the IT department’s compliance burden (SOX, HIPAA, FERPA, GLBA, ISO etc).
Free IT people to do tasks that require more brain power

Automating the drone-like work of managing user identities
Disabling accounts of terminated users

MIM Portal Groups whose displayedOwner isn't among the Owners

david@identitymanaged.com (David) — Wed, 30 Oct 2019 14:15:00 -0700

In the MIM Portal it will create issues if you have a group whose displayedOwner isn’t among the objects in the multivalued reference attribute Owner. Querying this through XPath is just about impossible so here is the SQL query to do it.

SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

USE FIMService

SELECT DOwn.*

FROM (

SELECT groupObjID = G.[objectID]

, GroupDisplayName = GAOVS.ValueString

, userDisplayName= UAOVS.ValueString

, UserObjID = U.[objectid]

Latency vs the Cloud

david@identitymanaged.com (David) — Wed, 23 Jan 2019 21:26:00 -0700

“The cloud is so fast! We can spin up servers and services so quickly to extend our environment and then all the users across the globe can access these services, so why does it take so long for you to get our users into the cloud?”

(Latency) x (# of Round Trips)

Most Cloud Identity Management APIs are built so that consumers must retrieve the data one object at a time or load it one object at a time. This means one roundtrip per object. Naturally, a data set in the cloud tends to be farther away than between two servers in the same data center. So the one object at time paradigm that worked ok in the data center works fine in the cloud for very small sets of objects. Once you start loading even moderately sized data sets of objects the additional latency shows up quite harshly. More bandwidth won’t solve the problem.

MIM Open Source Schedulers

david@identitymanaged.com (David) — Mon, 17 Dec 2018 22:25:00 -0700

Your MIM installation is in, the config is done, programming all set and now to automate the running of the Management Agents.

Options? Most people use Windows Task Scheduler with a PowerShell script or VBScript – which works but can get cumbersome to maintain. With my SQL Server background, I often use SQL Server Agent Jobs because it has much better follow up and executing database commands.

Task Scheduler – runs as a windows service

MIM Open Source Schedulers - Comments

david@identitymanaged.com (David) — Mon, 17 Dec 2018 22:25:00 -0700

A friend have point out that my run script was men…

Andas - Apr 0, 2019

A friend have point out that my run script was mentioned in you blog.
Have new version that I have used some time but not update on Github, have done so now.
The new version have some nice more functions, so you may script disconnects and previews.

How to Be an MVP in Life -- Launching Nov 27th

david@identitymanaged.com (David) — Wed, 21 Nov 2018 21:26:00 -0700

We are launching my new book, “How to Be an MVP in Life: Lessons in Living and Leadership from Sports & Tech MVPs” on November 27th. It is available now for Pre-order at Amazon.

Featuring an interview with the 2016 World Series MVP, Ben Zobrist, stories about 2-time Pro-Sports MVPs: Steve Nash, Dale Murphy, Steve Young and Sid the Kid Crosby, as well as interviews with 18 Microsoft MVPs.

More info

Missing the old Directory Experts Conference? Try HIP!

david@identitymanaged.com (David) — Mon, 08 Oct 2018 16:13:00 -0700

On Monday, Nov 5th, and Tuesday the 6th I will be attending and speaking at the Hybrid Identity Protection (HIP) Conference in NYC. On Monday at 4 PM I will be giving an updated version of Top Lessons Learned from Disasters in Identity Management as well as a sneak peek of my new book, How to be an MVP in Life.

I am very excited to attend this conference. Thanks to Darren Mar-Elia and Micky Bresman at Semperis for putting it all together. This should be a lot like the old DEC – Directory Experts Conference since it looks like DEC co-founder Gil Kirkpatrick is heavily involved.

12 time MVP writes book on MVPs

david@identitymanaged.com (David) — Wed, 04 Jul 2018 16:11:00 -0700

Soon I will be adding the 2018-2019 ring onto this trophy. This makes 12 times starting back in 2007.

The MVP program means a lot to me. So I have written a book about MVPs in both tech and sports. It will be coming out soon. I could use your help with the title.

Thanks,
David

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

European Identity Conference 2018 - Wednesday

david@identitymanaged.com (David) — Thu, 17 May 2018 03:41:00 -0700

Jet lag and other issues caught up with me the next day (Tuesday) and I didn’t attend any sessions :(

One thing I love is that most presentations including keynotes are only 20 min long so even when we get a terrible one – we know it will be over soon. But most of the sessions were good and some were great!

My first Wednesday session was listening to Sebastian Goodrick of SUVA and Dr. Jacek Jonczy discussing how agile methodologies did and didn’t work well with replacing their existing Identity Management system with another one. Hire an agile coach! Recognize that replacing an existing system is often big bang and so you won’t really be pushing out to production, but you can still do sprints.

European Identity Conference 2018 -- Overview and Mon Night

david@identitymanaged.com (David) — Thu, 17 May 2018 03:24:00 -0700

I have spent this week in Munich Germany, where it has been mostly cloudy, lots of rain, and a little thunder.

I have seen a number of familiar faces to those who attended Directory Experts conference: Pamela Dingle, Alex Simons, Alex Weinert, Jackson Shaw, Jonathan Sander, Kim Cameron, and others. Also a lot of faces familiar to those who have attended Cloud Identity Summits: Andrew Hindle, Colin Wallis, Steve Hutchinson, Eve Maler, and Ian Glazer and fellow Microsoft MVP: Naohiro Fujie.

MIM Join and spaces

david@identitymanaged.com (David) — Sat, 05 May 2018 09:58:00 -0700

Working on a customer’s lab and look what I found. They had created (through some other process) two user accounts for the same user, and the samAccountName was nearly identical, just a space, ascii 32, appended to the end of one of the samAccountNames differentiates the two. Apparently, AD allows this.

The account with the space was projected into the Metaverse, and then later in the sync the account without the space attempted to join, and it matched. The join failed because of the ambiguous import flow error. But samAccountName “myuser1” matched samAccountName “myuser1 " already in the metaverse.

Top 10 Lessons from Disasters in Identity Management

david@identitymanaged.com (David) — Thu, 29 Mar 2018 19:28:00 -0700

I will speak at Kuppinger Cole’s European Identity Conference on Top 10 Lessons from Disasters in Identity Management in May in Munich.

With great automation capability comes great responsibility! Come discuss and learn vital lessons gleaned from disasters in Identity Management.

So if you would like your disaster story to be considered for inclusion let me know. I would love to add to the stories.

This will be a fun interactive session.

Identiverse, Cloud Identity Summit

david@identitymanaged.com (David) — Thu, 29 Mar 2018 17:45:00 -0700

Last summer I attended and spoke at the Cloud Identity Summit in Chicago. First big news: it was renamed to Identiverse and 2018 will be in Boston. As a consultant I have limited time to attend conferences and speak. So conferences have to be great. I do love this one, but in the interest of time, I will be skipping it this year in favor of speaking at the European Identity Conference in May 2018 in Munich, Germany.

To Farm or not to Farm Part 2

david@identitymanaged.com (David) — Thu, 29 Mar 2018 17:43:00 -0700

In the original To Farm or Not to Farm post I discussed the pros and cons of setting up FIM on a SharePoint farm or using Stand Alone. Well we now have SharePoint 2016 and it isn’t possible to install Stand Alone, although you can do a single server farm. Also, absolutely everything is virtualized and so we tend to share lots and lots of processing so we can’t really think of a server as having spare cycles, because we share those processors with lots of other VM’s.

SQL Server Management Studio SQL 2016

david@identitymanaged.com (David) — Thu, 29 Mar 2018 16:19:00 -0700

So I went to install SQL 2016 on a server (been using it for a while, I get vm’s on CloudShare where SQL is preinstallled, so first time installing it for myself) – no problem. Hey, where is SQL Management Studio (SSMS)? Well it isn’t include in the 2.6 GB SQL Server ISO. You have to download it separately. 800 MB. All I can say is You’re Welcome!

I get why they did it – they can update SSMS much more often etc.But what a surprise.

SharePoint Foundations 2013 -- Identity Extensions Installation error

david@identitymanaged.com (David) — Thu, 29 Mar 2018 16:09:00 -0700

As you install SharePoint 2013 Foundations pre-reqs if you encounter “Microsoft Identity Extensions Installation error”

and then when you install it manually you might encounter
“Installation of Microsoft Identity Extensions requires Windows Identity Foundation v1.0 to be installed”

Then when you go to install WIF through the Server Manager you realize that it is WIF 3.5 rather than WIF 1.0 and you think hmm… maybe that will work. It will. Take heart.

Finding my groove, again

david@identitymanaged.com (David) — Thu, 29 Mar 2018 16:05:00 -0700

In 2017 and the beginning of 2018 I have had some rough times. The Long and the Short of it is that late last year my mother passed away in the hospital. Then early this year, my father died, probably of a broken heart.

Thanks to many friends from church, our neighborhood, professionally, other Microsoft MVP’s, I have had a lot of support while mourning their temporary absence from my life. Especially, thanks to my wife, kids, siblings, aunts, uncles, and cousins.

SharePoint Foundation 2013 IIS Configuration Error

david@identitymanaged.com (David) — Thu, 29 Mar 2018 15:54:00 -0700

SharePoint is a great product but I wish that FIM and MIM did not use it. In my opinion, it adds unnecessary infrastructure and really complicates the setup, because SharePoint must be installed and configured (and maintained). Leaving that aside, allow me to point out some gotchas that might impede your ability to install this MIM/FIM prerequisite.

First up: if your server has limited access to the Internet you should probably download all of these prerequisites and copy them to the server – because that’s what the SharePoint Installer has to do – it doesn’t include these items.

Speaking at SQL Saturday Tomorrow

david@identitymanaged.com (David) — Fri, 16 Mar 2018 15:14:00 -0700

As most of you know I am regarded as one of the SQL gurus among the Microsoft Identity Management Gurus. For years, in my book and in speaking I have been recommending Ola Hallengren’s SQL Maintenance Solution to help take care of your ILM/FIM/MIM databases. But the SQL Maintenance Plan Wizard has come a long way. Tomorrow morning at 10 AM at Grand Canyon University I will be presenting as part of SQL Saturday #726 a showdown between the SQL Maintenance Plan Wizard and Ola’s solution, discussing when you want to use one vs the other.

Kerberos, FIDO, what's next?

david@identitymanaged.com (David) — Tue, 06 Mar 2018 16:29:00 -0700

In the 1980’s Steve Miller and Clifford Neuman published a new security protocol, called Kerberos, after the mythical three headed dog that guards the gates of Hades.

In 2014 the alliance published the FIDO standard. This exciting standard is enabling a passwordless world (yet to come). For example you can use a small USB device with a key on it to login instead of entering a password. FIDO 2.0 is requiring two-factor, type in a PIN plus your key. Other options exist as well potentially using Smart Phones, or other devices via USB, Bluetooth or NFC.

Open Source: Review of MIMTools

david@identitymanaged.com (David) — Fri, 31 Mar 2017 20:09:00 -0700

JefTek created a niche hybrid tool that tackles a few pieces of the sync and service puzzle in a way that none of the others do.

One noteable one for sync:
Get and Export MIM Deltas to CSV (based on a drop file either stop and drop or the audit log dropped during the export

It is great for setting up SharePoint and the Kerberos authentication to it.

While it doesn’t do all that IS4U-FIM-PowerShell (see my review), does or Lithnext resourcemanagement-powershell or Lithnet-miis-powershell (see my review), or even the he FIM PowerShell Module (see my review), it fills a small niche that none of the rest of them do. This is a solid contribution!

Open Source: Review of FIM 2010 PowerShell Cmdlets

david@identitymanaged.com (David) — Fri, 31 Mar 2017 20:00:00 -0700

Gil Kirkpatrick (a great guy, fellow MVP, who has taught me a lot over the years) created one of the very first, if not the first, PowerShell commandlets libraries to manage FIM/MIM service. It hasn’t had any activity in years, but it served as a great example to get others going.

If you like this simple approach you could check out Adam Weigert’s PowerShell for FIM 2010 (see my review).

I recommend IS4U-FIM-PowerShell (see my review), this is what I use. But I also recommend Lithnext resourcemanagement-powershell (see my review).

Open Source: Review of IS4U-FIM-PowerShell

david@identitymanaged.com (David) — Fri, 31 Mar 2017 19:52:00 -0700

Wim Beck’s IS4U-FIM-PowerShell is a great example of open source, in that he has built on top of the FIM PowerShell Module (see my review). This is what Open Source is about, building upon each other’s contributions to make great stuff!

When I looked at it in Dec 2016 I almost dismissed it since it lacked a wiki, but since then Wim has added a lot of pages. They still lack examples, I plan on pitching in to help out with that by adding some examples to my fork and then asking Wim to pull it in.

Open Source: Review of Lithnet

david@identitymanaged.com (David) — Fri, 31 Mar 2017 19:35:00 -0700

Ryan Newington’s Lithnet consists of several items:

miis-powershell
resourcemanagement-powershell
resourcemanagement-webservice
googleapps-managementagent
acma
“Codeless business rules engine for FIM/MIM”
umare
“Codeless data transform engine for FIM/MIM”

I will only review the items I know

Managing Sync
miis-powershell is amazing it can almost everything you can do through the UI. For example, Clear-FullSyncWarning and it has a great wiki. Gotta have it!

It wraps WMI calls, existing PowerShell modules, executables and sync client UI to interact with FIM/MIM Sync.

Open Source: Review of PowerShell for FIM 2010

david@identitymanaged.com (David) — Fri, 31 Mar 2017 19:15:00 -0700

PowerShell for FIM 2010 by Adam Weigert consists of three parts but I further break the last into two:

Management Agent(MA) and MetaVerse (MV) Extensions that let you run PowerShell scripts as your extensions
A Workflow Activity
A PowerShell module
Managing Sync
Managing Service

Management Agent(MA) and MetaVerse (MV) Extensions
The work done to enable you to write PowerShell scripts to be MA and MV extensions is crazy brilliant. However, I suspect (I haven’t tested) that large installations should shy away from this as compiled C# and VB.NET code tends to run orders of magnitude faster than PowerShell scripts. Perhaps someone else knows a way to make it more comparable in performance. I can see some smaller shops taking advantage of this as they don’t need to worry about performance in the Sync Engine

Open Source: Review of FIM PowerShell Module

david@identitymanaged.com (David) — Fri, 31 Mar 2017 18:52:00 -0700

The FIM PowerShell Module (started by Craig Martin and now updated most frequently by Brian Desmond) is a great set of commandlets that help you to automate Interactions with FIM Service and FIM Sync Service.

Managing Sync
This library is great for automating tests. This library and Ryan Newington’s Lithnet-Miis-PowerShell (see my review on LithNet) are very complimentary. You can retrieve CS Objects, Run History, start an MA.
I found that the most interesting Sync related Cmdlets are the

Speaking at Cloud Identity Summit 2017

david@identitymanaged.com (David) — Wed, 29 Mar 2017 10:20:00 -0700

I am excited to announce that I will be speaking at the Cloud Identity Summit 2017 in Chicago in June.

I will discuss How Identity Management (Employee and Consumer) affects the bottom line.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Is MIM dead? Not yet!

david@identitymanaged.com (David) — Wed, 29 Mar 2017 08:17:00 -0700

From time to time I hear people wonder if MIM is dead.

Why do people ask?

They don’t feel like they have heard a good road map recently
They aren’t seeing the improvements they hoped for
They aren’t paying attention to the actions of the product group

Why do I say it isn’t dead yet?

While the Cloud Identity is the future, we are and will be in hybrid identity for a long time and MIM is Microsoft’s key component to that.

Christmastime FIM/MIM Open Source WF Reviews

david@identitymanaged.com (David) — Sat, 24 Dec 2016 13:39:00 -0700

Over the years since FIM was first beta’d as ILM2 we have seen some cool workflows be released to open source. This is my review of the workflows I can find that are open source. First let me salute everyone who has contributed to the FIM and MIM community with these big undertakings. That said I am trying to give guidance to my readers as to what is the most useful in various situations and so I will make specific recommendations.

MIM 2016 SP1 -- Implications

david@identitymanaged.com (David) — Wed, 19 Oct 2016 04:18:00 -0700

Earlier this month Microsoft released MIM 2016 SP1
But what does this mean for you?

Biggest Implications

Exchange Online (Office365) for the MIM Service
without losing the ability to approve requests from within Outlook, and the requesting of groups within Outlook.
Since lots of orgs are using Office 365 no more embarrassing conversations about these great features you can’t have.
Support for other browsers for MIM Portal
SSPR already supported other browsers but now MIM Portal will support Chrome, Firefox and Safari.

Post Migration Your MIM/FIM Attribute Flow Precedence is Incorrect

david@identitymanaged.com (David) — Mon, 17 Oct 2016 23:53:00 -0700

Have you ever found out that attribute flow precedence is messed up, wrong or otherwise in error just after you followed the steps to migrate your MIM/FIM configuration from Dev to Prod or vice-versa? Well I am finally blogging about a discovery I made. The list of steps (reproduced below from the above link) are incomplete:

Back up the pilot and production environments by using the Backup and Restore procedures.
Export the FIM Service schema configuration.

SharePoint MA -- avoid the noise

david@identitymanaged.com (David) — Tue, 28 Jun 2016 19:47:00 -0700

In using the SharePoint MA from Steve Kean I noticed that some of the fields I imported were coming in with some extra noise or crap at the beginning:

String;#164

All I really wanted was the 164. While I can use the Word function in a sync rule to get past it
Word(strAttribute,2,“2”) I really would prefer to bypass it altogether.

Well thanks to Jermaine Snipe I found why this happens and how to bypass it:
These are calculated columns and they use the concatenate function. Instead use a Text formula for the calculated column. This of course supposes that you can get the SharePoint developer to change it.

Check your inputs -- Save your job!

david@identitymanaged.com (David) — Sat, 06 Feb 2016 15:06:00 -0700

At various times in my 10 years of Identity Management Consulting and 25 years working in the IT industry I have been asked to clean up various messes generated by those before me. Some of those messes involved disk failure or other issues that couldn’t be completely prevented. But some involved automated process that didn’t check their inputs.

If garbage into a computer gives you garbage out, then garbage into an automated process that doesn’t check its inputs gives you a meltdown! Even Disney’s Sorcerer’s Apprentice Fantasia illustrates what can go wrong with an automated process.

FIM Custom Expressions inside Custom Expressions?

david@identitymanaged.com (David) — Mon, 09 Nov 2015 10:16:00 -0700

Recently, I needed to take Longitude and Latitude data that was given to me in the following format and break it into its individual components and then flow it out to AD.
Let’s suppose the data looks like this:

“Point -10.1223 45.945”

I could just use the Left and Right functions to get out the Longitude and Latitude.

The problem was it could also look like this depending on the level of precision:

How many attributes can you have in the Metaverse?

david@identitymanaged.com (David) — Wed, 05 Aug 2015 19:58:00 -0700

Back in 2013 I published 5 posts about the Secrets of the Metaverse:

Parts 1-5:

The third post was about how many attributes you can have in the Metaverse in which I said that the mms_metaverse_lineageguid table limits us to 502 single valued non-reference attributes in the Metaverse. This is still correct but a client told me of a scenario they encountered where the lineageguid table prevented them from getting to over 450 attributes and they encouraged me to blog about how they solved it.

MIM 2016 is now available

david@identitymanaged.com (David) — Tue, 04 Aug 2015 08:12:00 -0700

MIM 2016 is now available

MIM – Microsoft Identity Manager 2016 builds on and replaces Microsoft’s Forefront Identity Manager 2010 R2.

On Microsoft’s site they include an introductory (2 min) video about Hybrid Identity but don’t mistake that for the MIM UI.

So has anything been removed?

No. While the list of deprecated features are still deprecated none of them have been removed from this new version.

So what’s new?

The first thing to call your attention is the focus on Hybrid (Cloud + On Premise) Identity. MIM can still manage on premise but is now even better equipped to work with Microsoft’s Identity Management pieces in the cloud.

Still an MVP but now DS MVP

david@identitymanaged.com (David) — Thu, 02 Jul 2015 14:49:00 -0700

Thanks Scott.

David Lundell - Jul 3, 2015

Thanks Scott.

Still an MVP but now DS MVP

david@identitymanaged.com (David) — Thu, 02 Jul 2015 14:49:00 -0700

I have been awarded the Microsoft Most Valuable Professional for a 9th time. I started off as an MIIS MVP (even though ILM had been released 4 months previous). Then I became an ILM MVP in 2008, then in 2010 it was FIM MVP (or was that 2011). Now with FIM changing to MIM and in an effort to reduce the administrative paperwork the Microsoft MVP team has every time MMS/MIIS/ILM/FIM/MIM changes names all FIM MVPs have become DS (Directory Services) MVPs. ;) Actually, they decided that there was enough overlap and dependency that it made sense to combine them. So now I am a Directory Services MVP

Big Data needs Identity in order to Act

david@identitymanaged.com (David) — Thu, 28 May 2015 16:40:00 -0700

At the 2015 Identity Summit Scott McNeely declared “Big data without Identity is not actionable”

Let’s discuss.

Pulling from Information Week and IBM the Top 6 use cases of Big Data are:
1. Big Data Exploration
2. 360 degree view of customer
3. Information Security and Intelligence
4. Operation Analysis of data from Internet of Things
5. Data warehouse Augmentation/Optimization
6. Big Data Efficiency play (break down silos)

Big Data use case

FIM Sync Flow with ScreenShots and Code snippets

david@identitymanaged.com (David) — Thu, 30 Apr 2015 22:30:00 -0700

Hi, good job! Some info was lost during conversion…

hierbaluisa - Mar 1, 2019

Hi, good job!
Some info was lost during conversion from Visio to PDF. Is it possible to get it complete? Perhaps rotating image or changing scale.
Thanks!

FIM Sync Flow with ScreenShots and Code snippets

david@identitymanaged.com (David) — Thu, 30 Apr 2015 22:30:00 -0700

Years ago Brad Turner and I created a Flow Chart of FIM data flow with Screenshots and Code snippets. Some of the code examples are funny and it still says ILM rather than FIM. It also doesn’t include filter based out bound filter-based sync rules that came with R2. Bearing those things in mind it still provides a good bit of value. Someday I will update it with the latest – until then enjoy.

FIM Hotfix for PCNS to support 2012 R2 DC's

david@identitymanaged.com (David) — Thu, 30 Apr 2015 13:46:00 -0700

With the latest hotfix MSFT now supports running PCNS on Windows Server 2012 R2. FIM still should not be installed on Windows Server 2012 R2 (2012 yes, 2008 R2 yes, 2008 yes). Only PCNS can be installed on Windows Server 2012 R2. The hotfix article has a slight error indicating that it is ok to install FIM Sync Service on 2012 R2 if you have installed the hotfix PCNS on 2012 R2 – not true (the article should get corrected soon). Be warned this update may break ECMA 1 and ECMA 2.0 based MA’s. That is they may not run returning “stopped-extension-dll-load” There are workarounds published in the article.

Movie Review of Home -- or how IDM could have saved the day.

david@identitymanaged.com (David) — Wed, 08 Apr 2015 08:42:00 -0700

Over the weekend I took one of my children to see the new animated film Home starring Jim Parsons, Rihanna, Steve Martin and Jennifer Lopez. A group of technically superior but very cowardly aliens, called the Boov flee from their implacable enemy, the Gorgs, and decide to take over Earth, relocating all of the primitive natives (us) to Australia. Aside from the political commentary of the entire human race being placed in a reservation, the thing that most struck me was how one of the near disasters could have been averted through solid Identity Management Systems. A hapless and lonely Boov, named “Oh” invited his new neighbors to a “warming of house party.” When no one showed, he sought out other acquaintances to invite and sent out an Evite ™ but he accidently did a Send All, which somehow included their implacable enemy. Great hilarity ensues as the evite will take 40 hrs to reach their enemy.

Portable 2nd Monitor for the Surface Pro 3 ( and TwoMonUSB issues)

david@identitymanaged.com (David) — Wed, 11 Mar 2015 09:52:00 -0700

Thanks for the awesome post and the specifications…

John Smith - Jun 4, 2015

Thanks for the awesome post and the specifications.

AOC Portable Monitor

Hi thanlks for a great review. I have bought same AOC monitor but can not get it to work from the USB port on the SP3? It works OK off the MS hub but just flashes with the USB port on the actual SP3 itself. Did you have to install the DisplayLink software and if so which version? Thanks

Portable 2nd Monitor for the Surface Pro 3 ( and TwoMonUSB issues)

david@identitymanaged.com (David) — Wed, 11 Mar 2015 09:52:00 -0700

As a road warrior, often in different settings, I am interested in a 2nd, portable monitor for my Surface Pro 3. So here was my thought process.

I tried to use TwoMonUSB to make my iPad the second monitor. At first it worked quite well. Great idea, a backup device with some apps I don’t have on the surface and I can use it as a second screen. But then my Surface Pro 3 was rebooting randomly during idle times or the screen wouldn’t light up after an idle timeout and then I would have to hard boot it. I was getting a bugcheck almost daily, sometimes multiple times a day. So after Refreshing the PC I decided that the $10 app approach wasn’t going to work. I am not certain that it was TwoMonUSB but it seems the likely candidate.

Escaping an AD Replication Island

david@identitymanaged.com (David) — Sat, 07 Mar 2015 09:07:00 -0700

On a dark and stormy night an Active Directory upgrade was underway, Windows Server 2003 domain controllers decommissioned, consolidated and replaced with Window Server 2008 R2 servers. Suddenly I got a call from those doing the upgrade, “I can’t see some of the new domain controllers on the existing domain controllers, what’s wrong?”

A replication island had been created and several domain controllers were trapped on it. Could we rescue them in time?

Follow up #1 on How does Identity Management Impact the Bottom Line? Selling IDM

david@identitymanaged.com (David) — Mon, 02 Feb 2015 09:01:00 -0700

In my presentation last week at #OCGUS15 The Redmond Summit put on by my friends at OCG, on “How does Identity Management Impact the Bottom Line? Selling IDM” I illustrated how understanding more about Financial statements such as Profit/Loss statements as well as Balance Sheets can be helpful. So here is a link to learn more:

•http://www.investopedia.com/articles/basics/06/financialreporting.asp

Among other things this is helpful to be able to articulate how your projects and programs can impact the bottom line such as how User provisioning/Deprovisioning impacts the Profit and Loss Statement:

Redmond Summit 2015

david@identitymanaged.com (David) — Wed, 28 Jan 2015 14:21:00 -0700

I am looking forward to presenting in an hour or so on “How Identity Management Impacts the bottom line.”

Yesterday I had fun delivering a session on “ADFS vs Password Sync? It depends” This morning Alex Simons of Microsoft revealed a few new things that change some of my advice.

Soon Azure AD can do the location restriction by application for SSO. This potentially eliminates a deal breaker for some people
You can now run Password Sync and ADFS at the same time.

Both of which make it more likely that you will do Password Sync. The second one makes it more likely that you will run both because Password Sync can be a warm standby for failing over from ADFS.

'Twas the night before Christmas

david@identitymanaged.com (David) — Wed, 24 Dec 2014 18:34:00 -0700

‘Twas the night before Christmas, when all through the internet
Not an identity was stirring, not even a Passport .NET
The user accounts requests were submitted with care
Hoping that their access would soon be there

The users were nestled all snug in their beds
While visions of being able to do their jobs danced in their heads
The servers and computers were in sleep mode
Awaiting someone to move a mouse and send the wake up code

Speaking at 2015 Redmond Summit (Jan 27-29 '15)

david@identitymanaged.com (David) — Fri, 12 Dec 2014 13:57:00 -0700

I will be speaking at the 2015 Redmond Summit: Where Identity Meets Enterprise Mobility.
This summit is put on by my friends at Oxford Computer Group.

I will be speaking on Password Sync vs. ADFS. Then the next day I will speak on the Business track about How Identity Management Impacts the Bottom Line.

See you there

January 27-29, 2015 in Redmond, WA on the Microsoft Campus

Join OCG, Microsoft, and industry experts for two and a half days of networking and talks on the latest thinking on identity and enterprise mobility. If you’re overwhelmed by devices, have a hybrid environment, wish to simplify access, or manage identity in an increasingly complex digital world then you won’t want to miss this event. Sessions will assess and look in detail at the largest release of new identity products in Microsoft’s history, including Enterprise Mobility Suite, Intune, Azure Active Directory, Hybrid Identity, and more! Discover how other organizations have tackled the same problems you face through case studies and get technical insight from Microsoft product managers and engineers. Registration is $800 per delegate. Find our more and register!

What AD Attributes are indexed? ANR? Tuple? PowerShell

david@identitymanaged.com (David) — Thu, 04 Dec 2014 11:50:00 -0700

Import-Module ActiveDirectory
Write-Host “Tuple Index Enabled Attributes”
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter “(searchFlags:1.2.840.113556.1.4.803:=32)” -Property objectClass, name, whenChanged, whenCreated, LDAPDisplayNAme | Out-GridView
Write-Host “ANR Enabled Attributes”
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter “(searchFlags:1.2.840.113556.1.4.803:=4)” -Property objectClass, name, whenChanged, whenCreated, LDAPDisplayNAme | Out-GridView
Write-Host “Indexed Enabled Attributes”
Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -SearchScope OneLevel -LDAPFilter “(searchFlags:1.2.840.113556.1.4.803:=1)” -Property objectClass, name, whenChanged, whenCreated, LDAPDisplayNAme | Out-GridView

The above script is something I use to quickly look and see what is indexed in an AD environment

SQL Maintenance for FIM and anything other databases

david@identitymanaged.com (David) — Fri, 24 Oct 2014 17:36:00 -0700

An easy way to take care for your FIM databases is to “use Ola Hallengren’s script (http://ola.hallengren.com/scripts/MaintenanceSolution.sql). Download the script, adjust the backup paths and run the script on each instance of SQL Server. It will automatically create several jobs some for maintaining the system databases and some for maintain the user databases. You will need to create schedules for each of the jobs.” – FIM Best Practices Volume 1

I love using Ola script for index maintenance because it is so much smart than the Database Maintenance wizard which wants to spend lots of time rebuilding indexes that only needed to be reorganized and messing with indexes that were just fine or too small to matter. A table with less than 1000 pages is usually too small to matter. Less than 5% fragmentation and why bother. Less than 20% and a reorg will usually solve it. Over 20% and you should usually rebuild.

Mistaken Identity

david@identitymanaged.com (David) — Fri, 03 Oct 2014 12:03:00 -0700

Years ago, I walked into the client site a few months into an Identity Management project, and the PM told me his account had been deactivated by mistake as an employee with the same last name and same first initial was terminated, and they termed his account by mistake.

Ironic.

A few years before that I visited a client whose VP of HR had his account disabled when they let the janitor go. Again same last name but this time the same first name.

Phoenix MVP Roadshow Transform the DataCenter Wed Sept 24 4 PM-8PM

david@identitymanaged.com (David) — Tue, 16 Sep 2014 12:19:00 -0700

I will be presenting on why we want to get to Active Directory based on Windows Server 2012 R2 and how to get there. My fellow MVP’s will be covering the rest of the agenda. I also created an IT clue game to play in small groups where the objective is to figure out who stole the data and how it could have been prevented.

ADUC Common Queries: Days Since Last Logon

david@identitymanaged.com (David) — Tue, 16 Sep 2014 12:08:00 -0700

Recently a client asked me how Active Directory Users and Computers (ADUC) performs the Days Since Last Logon query found in the Find Dialog box’s Common Queries option.

LastLogon is not replicated so to really get it you have to query every single DC. So I was reasonably certain that the query didn’t use LastLogon but rather used the LastLogonTimestamp which was created “to help identify inactive computer and user accounts.” Assuming default settings “the lastLogontimeStamp will be 9-14 days behind the current date.”

Happy Independence Day -- Using PowerShell for Reporting

david@identitymanaged.com (David) — Fri, 04 Jul 2014 15:06:00 -0700

Unfortunately, my Independence day is not free – I am working. Just so happens I need to report on when computer objects are getting migrated to a new AD forest. Day 1 4 Day 2 30 Day 3 25 etc.

Now I could have taken the data and imported it into SQL and then busted out some awesome queries in no time flat. But my buddy Craig Martin, keeps insisting how awesome this PowerShell stuff is. So I decided to give it a try, plus if I can get it to work then it will be faster to run this repeatedly from PowerShell rather than needing to import it into SQL Server. I am actually a big believer in using the right tool for the job. Otherwise you end up blaming the tool for failing you when you should have picked a different tool, one better suited for your task.

8 Time MVP

david@identitymanaged.com (David) — Tue, 01 Jul 2014 08:44:00 -0700

Today I received notification that for the 8th time (2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014) I have been honored by Microsoft as a Microsoft Most Valuable Professional (MVP). According to the MVP web site there are currently 10 Identity Management MVP’s in the world, and only three in North America.

Looking forward to the on-going journey with this product set and wonderful friends I have made along the way, product group members (past and present), MVP’s (past and present), readers (book, blog, twitter) and other Identity Management professionals.

Projects and Heisenberg's Uncertainty Principle

david@identitymanaged.com (David) — Tue, 24 Jun 2014 11:15:00 -0700

Good analogy - I might try that one next time. I&#…

Carol Wapshere - Jul 4, 2014

Good analogy - I might try that one next time. I’ve had a stressful few weeks with a barrage of last-minute solution changes along with demands for documentation inclusive of the changes… A couple of times I’ve had to say “which do you want right now? The changes or the documentation? Because I can only do one thing at a time!”

Projects and Heisenberg's Uncertainty Principle

david@identitymanaged.com (David) — Tue, 24 Jun 2014 11:15:00 -0700

Is it done yet? What’s the status? How much longer? If I get asked these questions too often on a project I take a moment to explain about Heisenberg’s Uncertainty Principle. Which states states that you can’t know both the position and velocity of an electron because in measuring the one you alter the other.

The old saying goes “a watched pot never boils,” especially if you keep sticking a new thermometer into a heating pot of water every two seconds. Observations change the system. Frequent observations can change it even more.

To Farm, or not to Farm, that is the question --

david@identitymanaged.com (David) — Thu, 01 May 2014 12:37:00 -0700

In some environments, like government, having that…

REALHIPHOPINYOURLIFE - May 5, 2014

In some environments, like government, having that local SQL means a whole different security profile…a lot of security groups aren’t going to make a distinction between that local SQL and Full Blown SQL when they scan the system since they use some of the same binaries.

Good comment. So in those environments that could be an extra reason to farm to avoid local SQL and the extra security

To Farm, or not to Farm, that is the question --

david@identitymanaged.com (David) — Thu, 01 May 2014 12:37:00 -0700

Whether ’tis nobler in the mind to suffer
the slings and arrows of outrageous fortune
Or to take Farms against a sea of patches
and by opposing end them? To, die, to sleep –

Today I will be “moderating” the debate about using SharePoint Farms vs. Stand-Alone as the foundation for the FIM Portal. In this corner we have Paul Williams of Microsoft sharing knowledge from his hard fought victories with FIM and painful experiences with Farms. In the other corner we have Spencer Harbar, SharePoint MVP, applying his years of SharePoint expertise to the FIM world providing a definitive guide to installing FIM 2012 R2 SP1 portal on SharePoint 2013.

MIM's the word -- New name for FIM

david@identitymanaged.com (David) — Wed, 30 Apr 2014 14:47:00 -0700

Last week the Product group announced the new name for FIM and MIM’s the word Microsoft Identity Manager.

Of course as a good futurist I had made enough guesses that I got this one right, even though as an honest man I must admit I also had it wrong – Azure is not part of the name.

Fortunately, they didn’t go with APE nor AILMENT, nor MIME, nor MIAMI, nor MICE, nor MAIM, nor WIMP. MIM’s the word!

Mailbag: Learning FIM, SQL and IIS

david@identitymanaged.com (David) — Fri, 18 Apr 2014 17:21:00 -0700

Recently, a reader reached out to me for advice on learning FIM, SQL and IIS. As well as guidance on setting up a lab (more advice on that part in a later post).

First think for a moment about your best learning styles for technology. Do you need to read the concepts and architecture first and then do it? Do you need to watch a video and then read, and then do it? Do you need to try it and then go back and read? Do you need an instructor? Sometimes you have to learn through experimentation. In the early days of ILM 2 Beta there wasn’t much info so we had to experiment. Brad Turner and I spent many days in a lab configuring and trying things out to see what was the best practice.

New name for FIM?

david@identitymanaged.com (David) — Thu, 17 Apr 2014 08:29:00 -0700

Actually it’s MIM (Microsoft Identity Manager)…

Oliver Hanappi - Apr 3, 2014

Actually it’s MIM (Microsoft Identity Manager). See http://blogs.technet.com/b/server-cloud/archive/2014/04/23/forefront-identity-manager-vnext-roadmap-now-microsoft-identity-manager.aspx

Like any good futurist I guessed so many things that one of them was bound to be right http://blog.ilmbestpractices.com/2013/07/the-mvp-7-year-itch.html?m=1

New name for FIM?

david@identitymanaged.com (David) — Thu, 17 Apr 2014 08:29:00 -0700

Did you know that if you subscribe to Azure AD Premium you also get licenses for FIM? Well if that isn’t a hand tipper I don’t know what is. I think we can safely assume the next version of FIM will have Azure in the name. Safe or not I am going speculate that it will.

Azure Identity Manager (AIM) – I would be ok with this
Azure Role Based Access Manager (ARBAM) – Explosive sounding name
Azure Provisioning Engine (APE) – Please no!!
Azure Identity Technology (AIT) – pronounced 8 or aight. Nah.
Azure Identity Sync Lifecycle Engine (AISLE) – Certainly when people walk down the aisle they have an identity changing event.
Azure Identity Lifecycle Management Engine Next Technology (AILMENT). I really hope not we want to cure ailments not install one for you.

Hints of FIM's Future: Azure Active Directory (AAD) Sync

david@identitymanaged.com (David) — Thu, 17 Apr 2014 08:19:00 -0700

For years I have been trying to predict the future of Identity Management, but every time I look in my crystal ball it is just too cloudy to see anything. In fact anytime I look in my crystal ball on just about any technology topic the only thing it shows me are clouds! I was beginning to think it was broken.

But then, yesterday, I watched Andreas Kjellman present at the FIM user group
Andreas unveiled the AADSync, the Azure Active Directory Sync that will replace DirSync to sync from your Active Directory to the cloud. I finally got it! My crystal ball wasn’t broken!

Good RID(ance, I mean issuance)

david@identitymanaged.com (David) — Wed, 16 Apr 2014 08:45:00 -0700

As we know a SID is 12 Bytes long or 96 bits long and is composed of several components, among them the domain identifier and the relative identifier or RID of a particular object. The RID is 30 bits long which means you have approximately 1 billion RIDs. So while you think it is unlikely that you will run out of RIDs, according to http://TechNet.microsoft.com/en-us/library/jj574229.aspx you can encountering this if you have accidentally used scripts or provisioning tools (like FIM) to shoot your self in the foot and create gobs and gobs of users, you let some end-user go out of control creating waaaay too many groups, you increased the RID pool size to be too big, did lots of DC demotion and promotion, cleanups, forest recoveries or invalidated RID pools.

FIM Deprecated Features FIM TEAM user group meeting

david@identitymanaged.com (David) — Wed, 13 Nov 2013 12:41:00 -0700

So in 1 hr and 20 min I will present on

November 13, 2013 21:00 UTC
See when this is in your timezone
David Lundell
Impact of deprecated features.This session will go over various deprecated features that the FIM product group have announced are to be eliminated in future releases, such as XMA v1 (ECMA v1), transaction properties, multi-mastery and equal precedence, with advice on planning for and working around their future absence.

DirSync w/ domain if NetBios and FQDN don't match

david@identitymanaged.com (David) — Fri, 04 Oct 2013 16:14:00 -0700

If one of your AD domains has a NetBios domain name that doesn’t match the leftmost part of your FQDN you need to have the Replicating Directory Changes permission given to your AD MA account. This is documented in a few places including my book. However, DirSync misses this step. Normally, Dirsync does a very good job of installing and configuring everything which you need without needing you to be an expert in FIM, but this is one thing it misses.

Declarative or Bust!

david@identitymanaged.com (David) — Fri, 04 Oct 2013 15:55:00 -0700

I see two challenges: 1. There is not feature pari…

Craig Martin - Oct 3, 2013

I see two challenges:
1. There is not feature parity between the two types of sync rules
2. The imperative support (VBA) in the new sync rules is limited and difficult to debug

My wish is that we had better extensibility in the new sync rules (scrap VBA, or figure out how to improve the extensibility and debugging).

Declarative or Bust!

david@identitymanaged.com (David) — Fri, 04 Oct 2013 15:55:00 -0700

Michael Pearn from down under wrote about his experience trying to use just Declarative Sync Rules

His experience – especially the religious debates are similar to my own. It made me recall my presentation at TEC 2012 the FIM 2010 R2 Showdown: Classic vs. Declarative

The vast majority of old hands at the presentation declared for Classic both before and after the presentation. During the presentation I attempted to view anything you could do without code as declarative whether it came from a sync rule or not, especially if it was a new feature. But the crowd wouldn’t let me claim anything configured in the sync engine as declarative. But in this post only classic code counts as not declarative.

Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet

david@identitymanaged.com (David) — Wed, 11 Sep 2013 13:11:00 -0700

One of my fellow MVPs and Insight teammates Alessandro Cardoso (he runs one of our practices down under) announced on his blog that Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet.

He goes on to mention the salient points around 2012 R2 for virtualization so I thought I would discuss some of the benefits for Active Directory and ADFS

One key thing is that ADFS on Windows Server 2012 R2 doesn’t require IIS so now it can and should be installed on domain controllers.

MS13-066 causes ADFS 2.0 problems

david@identitymanaged.com (David) — Thu, 15 Aug 2013 08:55:00 -0700

Microsoft put out a release day before yesterday (8/13/13) to fix a security vulnerability in ADFS 2.0

It caused an outage for SSO with Office365 for a customer of ours (they had the servers set to auto update).

http://technet.microsoft.com/en-us/security/bulletin/ms13-066

http://support.microsoft.com/kb/2843639

http://support.microsoft.com/kb/2843638

At the moment we recommend NOT installing these updates.

We saw the following error repeated for every authentication attempt:

Event ID 111 Federation service encountered an error while processing the ws-trust request.

Is the Password dead? Gotta eat what you kill!

david@identitymanaged.com (David) — Mon, 08 Jul 2013 08:45:00 -0700

At last year’s Cloud Identity Summit in Vail I heard a lot about how the password is dead. I expect to hear a lot more this year.

Most of it fit into one of several categories:

Complaints about why passwords should be dead
In other words all of the various problems with passwords – and there are
Schemes to have various applications depend on someone else’s password
While this is helpful it doesn’t kill the password

The MVP 7 year itch

david@identitymanaged.com (David) — Mon, 01 Jul 2013 09:31:00 -0700

Congratz, David…

Søren Granfeldt - Jul 1, 2013

Congratz, David…

The MVP 7 year itch

david@identitymanaged.com (David) — Mon, 01 Jul 2013 09:31:00 -0700

This morning I received an email letting me know that for the 7th time (every year since 2007) I have been honored by Microsoft with the Microsoft Most Valuable Professional (MVP) Award. All 7 times I have received the award for my “outstanding contributions in Forefront Identity Manager technical communities” and its predecessors.

In 2007 despite the product rename Identity Lifecycle Manager (ILM) 2007 the MVP award was for Microsoft Identity Integration Server (MIIS) 2003. By 2008 it was changed to ILM, in 2010 it was changed to FIM.

Implications of Office 365 Password Sync for ADFS (SSO)

david@identitymanaged.com (David) — Wed, 26 Jun 2013 07:18:00 -0700

Nice recap on the implications of Office 365’s…

@binarybrewery - Jun 4, 2013

Nice recap on the implications of Office 365’s Password Sync and why you may still need ADFS.

Implications of Office 365 Password Sync for ADFS (SSO)

david@identitymanaged.com (David) — Wed, 26 Jun 2013 07:18:00 -0700

The article on Password Sync for Office 365 is interesting news and clearly states that Federated users can’t have their password’s synced. In the Community Additions many curious users asked their questions treating it as a forum. Well here are my responses:

If you do Password Sync do you still need ADFS or any other SSO tool that works with Office365?

Password Sync gives you the ability to login to Office365 using the same username and password that you use with your Active Directory. This is usually referred to as Simplified SignOn or Reduced SignOn.

How to get from the Sync-Rule-ID to the Sync Rule Resource ID

david@identitymanaged.com (David) — Wed, 01 May 2013 12:03:00 -0700

Thanks, David. You had the knowledge, answered my …

Unknown - May 3, 2013

Thanks, David. You had the knowledge, answered my forum question and blogged about it as well. Nice work.

PeteA

How to get from the Sync-Rule-ID to the Sync Rule Resource ID

david@identitymanaged.com (David) — Wed, 01 May 2013 12:03:00 -0700

If you are looking at the XML export of the FIM synchronization config and you are trying to track down which sync rule is supplying a particular flow you just need to know which numbers lead you where.

For example:

The key to finding the Sync rule is of course the Sync rule ID. However, this is not the resource ID that I can search for in the FIM Portal. Rather this is the metaverse ID.

FIM Functions Updated, Bitwise Functions

david@identitymanaged.com (David) — Fri, 12 Apr 2013 10:46:00 -0700

In addition to the official reference for functions I thought I would update my examples from back in the ILM 2 Beta days

Function Name

BitAnd

Parameters

mask Type: Integer
flag Type: Integer

Description

BitAnd is a bitwise operation anding mask and flag. So if Flag is the UserAccountControl Attribute in AD and mask is **-3
**(the 64-bit two’s complement of 2) Then the result is that the disable bit (bit 2) is turned off leaving all of the other bits unchanged.

Insight Cloud SSO Solution and FIM Jumpstart offerings

david@identitymanaged.com (David) — Fri, 22 Mar 2013 15:46:00 -0700

I wrote an article for the Insight Newsletter about two of our new offerings.

Solving identity and access management for mid-sized business
By David Lundell, Sr. Manager, Identity and Security Practice
User productivity, IT budgets, and security and compliance all suffer from ineffective identity and access management. Insight has two new packages aimed at helping mid-sized businesses confront these challenges in the age of the cloud. Read more.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Secrets of the Metaverse Part 5

david@identitymanaged.com (David) — Fri, 22 Mar 2013 15:42:00 -0700

Parts 1-5:

First of all the FIM Product group does not support direct modification of the data in any of the FIM databases. Do so can leave your database in a state that is entirely unsupportable.

Secrets of the Metaverse Part 4

david@identitymanaged.com (David) — Mon, 11 Mar 2013 14:44:00 -0700

Parts 1-5:

Has access to the metaverse gotten faster with recent releases? Well I won’t cover everything they have done but two really significant things:

Secrets of the Metaverse Part 3

david@identitymanaged.com (David) — Mon, 18 Feb 2013 05:10:00 -0700

Parts 1-5:

Many times people wonder how many attributes they can create in the Metaverse Designer tool.

The answer is confusing because … it depends.

Secrets of the Metaverse Part 2

david@identitymanaged.com (David) — Fri, 15 Feb 2013 06:16:00 -0700

Parts 1-5:

Where and how is the Metaverse data stored?

Before I get into that I must caution you that modifying data directly will put you in a position that is unsupported by Microsoft. Even querying the data is something of a touchy issue (see Part 5).

Secrets of the Metaverse Part 1

david@identitymanaged.com (David) — Thu, 14 Feb 2013 21:18:00 -0700

Great explanation. This really came in handy for t…

Unknown - Jul 2, 2013

Great explanation. This really came in handy for troubleshooting.

I am so glad it was of use

I am using MV extension to create users in AD from FIM.
Need to flow password to AD which is any Random number say “$random123”
This attribute flows to AD but can be viewed in account preview etc or the attribute value can be seen. How can we flow the password value so that it can not be viewed in metaverse etc by any one like ********** ?

Secrets of the Metaverse Part 1

david@identitymanaged.com (David) — Thu, 14 Feb 2013 21:18:00 -0700

Many FIMsters wonder about the Metaverse and how works, how the data is stored. In this series I will reveal the secrets of the Metaverse. Parts 1-5 (links live but post yet to come)

Forefront Identity Manager 2010 R2 SP1 (and its predecessors) can be classified as a MetaDirectory based Identity Management Solution. A MetaDirectory collects, aggregates, and stores data from various directories and data sources, such as Active Directory and your HR database.
The Metaverse is the heart of FIM’s MetaDirectory. As an implementer of FIM you customize the data model, you decide what object types and attributes you need.

Updated Vote: Top 5 Deprecated Features of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Thu, 14 Feb 2013 10:39:00 -0700

Here is an update on the impact of the newly deprecated features: The big change is that XMA has caught up to Multi-Mastery and is tied for first.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Massive FIM and AD LDS project at DPDHL

david@identitymanaged.com (David) — Thu, 14 Feb 2013 10:26:00 -0700

Watch the presentation that James Booth (who worked with us on the project) and Joe Gasowski (DPDHL) gave at the Redmond Identity Summit 2013 about our project at DHL to replace the DPDHL Sun One Directory and deploy FIM to replace both CriticalPath and a home-grown admin portal.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Voted: Top 5 Deprecated Features of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Tue, 29 Jan 2013 11:15:00 -0700

Looks like ECMA1 deprecation has caught up to the …

Ross - Feb 4, 2013

Looks like ECMA1 deprecation has caught up to the equal precedence issue since you posted this.

I think I’ll start offering some ECMA1->ECMA2 upgrade services. I suppose not everybody has an xMA developer in their back pocket!

Voted: Top 5 Deprecated Features of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Tue, 29 Jan 2013 11:15:00 -0700

I conducted a linkedIn poll to find out what others thought of the features that are deprecated starting in FIM 2010 R2 SP1. For the poll I only listed the ones I put in my top 5 list. With 15 votes and 1 abstention I thought it would be worthwhile to publish the results:

Here we can see the winner:

Multi-mastery/equal precedence (I had this 2nd)
ECMA1 (XMA) (I had this third)

The rest of the FIM 2010 R2 SP1 Deprecations

david@identitymanaged.com (David) — Thu, 17 Jan 2013 11:22:00 -0700

Remember that these features are still here but will be removed in a future version (probably the next major release or the one after)

Feature

Impact

Unselect “allow nulls” for exported values

You need to be more careful to ensure that you aren’t deleting values

Web Service configuration interface

You will no longer be able to send a request to the web service to update the mv-data or ma-data objects in order to configure the sync engine. The article says that we will be able to use PowerShell to configure the sync engine.

Top 5 Deprecated features as of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Wed, 16 Jan 2013 11:28:00 -0700

I have heard that investments in FIM CM are contin…

David Lundell - Jan 2, 2013

I have heard that investments in FIM CM are continuing. So don’t worry about FIM CM disappearing.

Top 5 Deprecated features as of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Wed, 16 Jan 2013 11:28:00 -0700

Yesterday Microsoft published a list of features that have been deprecated in FIM and will be removed from the product at some point in the future. In other words these don’t require immediate action but when the next major release of * Identity Manager (* because we don’t know what the new name will be – see my tweet from last week at the Redmond Identity Summit) emerges those features will likely be gone. So over the next 18-36 months you need to begin working away from these issues.

Top 11 new features of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Tue, 15 Jan 2013 20:25:00 -0700

Hello, Is Fim r2 sp1 support sql server 2012 sp1

Unknown - Mar 2, 2015

Hello,
Is Fim r2 sp1 support sql server 2012 sp1

Top 11 new features of FIM 2010 R2 SP1

david@identitymanaged.com (David) — Tue, 15 Jan 2013 20:25:00 -0700

My comments on What’s new and the release notes for FIM 2010 R2 SP1:

Rank

Feature

Impact

Deferred evaluation of criteria based groups
This setting can be enabled one group at a time. You can also change the default so that as new criteria based groups are created they will be set for Deferred. The default is to calculate group membership twice a day at 2:30 AM and 2:30 PM.

Revisiting GUIDs, Octets and Base64

david@identitymanaged.com (David) — Sun, 02 Dec 2012 20:59:00 -0700

After re-reading my earlier post on this subject I decided I could be clearer.

GUIDs are often used in three different formats:

Representation

Example

Canonical form

8c4ac332-975f-4717-ad7b-ba4a4e968fff

Octet String

32c34a8c5f971747ad7bba4a4e968fff

Base64 Encoded

MsNKjF+XF0ete7pKTpaP/w==

Representation

Comment

Used in

Canonical form

This format stems from the way GUIDs (UUIDs) are generated. Each dash separating the various components. In version one of the UUID specification, the first the last component was the MAC address of the computer that generated the GUID.

5 reasons to be thankful for Identity Management

david@identitymanaged.com (David) — Wed, 21 Nov 2012 15:48:00 -0700

On the eve of Thanksgiving I offer 5 reasons to be thankful for Identity Management (user provisioning, deprovisioning, group and role management, etc.):

What other compliance project can actually have a positive ROI?
1. You get improved compliance (and the ability to show it)
2. You also get better security as accounts are disabled quickly
3. Then you save money through the automation
Identity Management can help support your corporate goals
You can empower users to serve themselves with password resets, group/role requests
It can help keep your organization out of the shame columns in the trade rags
1. We have all read about the disgruntled former employee accessing data.
The joy of automation, the joy of not having to do double data entry!

5 things in Identity Management in 2012 for which I am thankful

FIM Lives! UAG Lives! TMG will not

david@identitymanaged.com (David) — Wed, 12 Sep 2012 20:52:00 -0700

Today Microsoft announced the discontinuing or subsuming of many products in the Forefront line

To be crystal clear Forefront Identity Manager (FIM) and Forefront Unified Access Gateway (UAG) live on as separate products with ongoing investment!

Insert the obligatory Mark Twain quote here. “The rumors of my death have been greatly exaggerated”

Product

Fate

Forefront Identity Manager (FIM)

Lives on. R2 was just released in June

Forefront Unified Access Gateway (UAG)

FIM Best Practices Volume 1 has been updated for R2

david@identitymanaged.com (David) — Tue, 04 Sep 2012 09:13:00 -0700

We have purchased to original copy, are we entitle…

FMustafa - Sep 2, 2012

We have purchased to original copy, are we entitled to get a free upgrade to R2 version??

This comment has been removed by the author.

Any tentative date for print edition

The print edition is already available.

FIM Best Practices Volume 1 has been updated for R2

david@identitymanaged.com (David) — Tue, 04 Sep 2012 09:13:00 -0700

Just this morning I have published the updated for R2 edition of FIM Best Practices Volume 1. Now called FIM R2 Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010 R2. The EBook edition is in color!

Print Edition of FIM R2 Best Practices Volume 1 is still B/W

Go to the lulu.com home page to get a coupon code for 20% off (offer expires 11:59 PM Sept 7 2012).

New version PCNS, new FIM hotfix

david@identitymanaged.com (David) — Thu, 30 Aug 2012 09:59:00 -0700

SO, where (or when !?) can we download that hotfix ?

redarc coder - Nov 2, 2014

SO, where (or when !?) can we download that hotfix ?

So, where (or when !?) can we download that hotfix !?

New version PCNS, new FIM hotfix

david@identitymanaged.com (David) — Thu, 30 Aug 2012 09:59:00 -0700

On Aug 24th Microsoft released a new version of PCNS. Version number 4.1.2515.0.

No release notes are provided with the download. However, this version number matches the version number of the latest FIM R2 hotfix rollup http://support.microsoft.com/kb/2734159 and it does tell us what is fixed:

Assume that you run Password Change Notification Service (PCNS) setup together with the SCHEMAUPDATE=TRUE option and the schema is updated successfully. In this situation, an error message is displayed at the end of the setup process incorrectly.
After this update is installed, the Setup program does not display the error message when the schema update is successful.

How to import the Domain attribute into the FIM Portal Part 2

david@identitymanaged.com (David) — Thu, 16 Aug 2012 13:46:00 -0700

In Part 1 of How to import the Domain attribute into the FIM Portal I provided you the simple technique for the single domain forest, and the technique that works although is a bit unwieldy – that of looking at the first 41 characters of the object’s SID and using a lookup table through nested IIF statements and this doesn’t .

What if there was a simpler way?

What about using the Domain Component option in the attribute flow?

How to import the Domain attribute into the FIM Portal Part 1

david@identitymanaged.com (David) — Thu, 16 Aug 2012 12:47:00 -0700

If you have a single domain forest then you should use a constant flow in your sync rule or advanced attribute flow. If you have a multi-domain forest, then using a constant in the advanced attribute flow won’t work.

You could create multiple inbound sync rules one for each domain with scoping filters and then use a constant. However, this seems like a waste.

You could also follow the guidance provided in article originated by my friend Markus Vilcinskas and maintained by the community http://social.technet.microsoft.com/wiki/contents/articles/648.how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx

Award for Me, Award for Insight

david@identitymanaged.com (David) — Mon, 02 Jul 2012 06:18:00 -0700

Congratulations on your renewal David!

Henrik Nilsson - Jul 1, 2012

Congratulations on your renewal David!

Congratulations!!

Way to go man!

Award for Me, Award for Insight

david@identitymanaged.com (David) — Mon, 02 Jul 2012 06:18:00 -0700

What a good week – Insight was awarded Microsoft Desktop Partner of the Year, and I just received news of my MVP award in the Forefront Identity Management area has been renewed.

The Desktop Partner of the Year is a great accomplishment by our Systems Management and Virtualization practice. This one will be added to all of the awards we won as Ensynch:

As for the MVP, I am always honored. I truly enjoy trying to enhance the FIM community. This marks the 6th time I have received the award (2007, 2008, 2009, 2010, 2011, and 2012). There are so many cool experiences I get to have with the the other FIM MVPs, I treasure them.

FIM 2010 R2 released today to MSDN

david@identitymanaged.com (David) — Fri, 01 Jun 2012 19:29:00 -0700

Look what just turned up on the MSDN list of downloads:

Along with FIM 2010 R2 it looks like the BHOLD Suite is available too! Although you can see that it appears to be a separate download.

I don’t know when the retail version will be available.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

TEC 2012 Summary

david@identitymanaged.com (David) — Wed, 02 May 2012 21:10:00 -0700

Thanks David for a great overview of what was disc…

Henrik Nilsson - May 4, 2012

Thanks David for a great overview of what was discussed at TEC this year. I wish I could have attended but way too much work right now but I hope I’ll be able to attend TEC Europe this year (if there’s gonna be any) and US next year.

TEC 2012 Summary

david@identitymanaged.com (David) — Wed, 02 May 2012 21:10:00 -0700

Wow TEC 2012 is already over and I am already back home. What a week!

The venue was great. San Diego is always a great place to be, cool yet not too cold. Right on the bay. Great hotel. The Marriot Marquis and Marinas has an awesome pool – went for a great swim on Monday night. Tuesday morning I really enjoyed a jog on the Boardwalk. I ran up to the USS Midway. Tons of other attractions right nearby.

RCDC Replacement

david@identitymanaged.com (David) — Wed, 02 May 2012 12:08:00 -0700

Is this video posted anywhere? I would love to see…

itswithinmyreach - Jun 2, 2012

Is this video posted anywhere? I would love to see what the cons are. Currently we have a consultant very eager to re-do our UI.

RCDC Replacement

david@identitymanaged.com (David) — Wed, 02 May 2012 12:08:00 -0700

FIM User Interface Implementation: Replace the rigid RCDC with a customizable UI
Speaker: Eihab Isaac

Eihab delivered a very well-reasoned presentation on the pros and cons of replacing some of the forms, especially the create person (user) form. Excellent demo showing creating multiple requests for creating the user as well as requests for additional attributes, and application access. Great session.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

FIM Reporting Craig Martin style

david@identitymanaged.com (David) — Tue, 01 May 2012 12:10:00 -0700

Thanks for attending the session, glad you liked i…

Craig Martin - May 2, 2012

Thanks for attending the session, glad you liked it! I had fun talking and running with Scissors.

FIM Reporting Craig Martin style

david@identitymanaged.com (David) — Tue, 01 May 2012 12:10:00 -0700

Craig’s session is on how to get data out from the FIM Service and FIM Sync with PowerShell and displaying it with SSRS, which he has dubbed Scissors!

Ok Craig we get it! You have even persuaded me that PowerShell is important! I have started writing scripts. SQL Server of course is still important.

Key is to hook up a pipeline from PowerShell to pass into his custom SSRS PowerShell Data Processing Extension (DPE). Craig uses export-clixml and import-clixml to serialize data before it is expired from the FIM system.

Migrating from ILM to FIM

david@identitymanaged.com (David) — Tue, 01 May 2012 11:04:00 -0700

Carol Wapshere delivered an excellent session yesterday at TEC 2012 on the thought process for migrating from MIIS/ILM to FIM.

I loved the incisive logic to focus on the main issue being solved: getting the customer onto supported software (getting the MIIS database off SQL 2000, getting off MIIS/ILM). Avoid the temptation to try and fix everything else at the same time. She had a great list of gotchas. Even more impressive were her discovery scripts designed to analyze the existing implementations and her rubric for estimating the work.

Look what I found in the news

david@identitymanaged.com (David) — Tue, 01 May 2012 07:40:00 -0700

I didn’t even know that Identity and Access Management (IAM) workers had a union!

Of course, imagine my disappointment to learn that it is International Association of Machinists and Aerospace Workers union.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

SharePoint 2010 User Profile Synchronization Service

david@identitymanaged.com (David) — Tue, 01 May 2012 01:52:00 -0700

Neat indeed. They are at the forefront of FIM aut…

Craig Martin - May 1, 2012

Neat indeed. They are at the forefront of FIM automation, since they use the FIM Service component to automate the FIM Sync service. AFAIK they are the reason this automation functionality exists in the FIM Service at all.

SharePoint 2010 User Profile Synchronization Service

david@identitymanaged.com (David) — Tue, 01 May 2012 01:52:00 -0700

The SharePoint 2010 User Profile Synchronization Service is really FIM 2010 pre-packaged in a very special way. Need evidence? Look at the tables in User Profile Service Application_SyncDB

See how it has mms_connectorspace, mms_cs_link etc. Those are table commonly found in the FIM sync database. See the attributeInternal, the BindingInternal, all of the Membership* tables those are all part of the FIM Service database. So interestingly enough they have both FIM Service and FIM sync merged into a single DB.

FIM 2010 R2 Showdown: Classic vs. Declarative

david@identitymanaged.com (David) — Mon, 30 Apr 2012 15:39:00 -0700

Can you use both declarative and non-declarative a…

yekolo - Aug 4, 2013

Can you use both declarative and non-declarative at the same time? Declarative for some attribute mappings and non declarative for others?

FIM 2010 R2 Showdown: Classic vs. Declarative

david@identitymanaged.com (David) — Mon, 30 Apr 2012 15:39:00 -0700

Well I delivered my session FIM 2010 R2 Showdown: Classic vs. Declarative. During lunch they changed the location. But the room was packed by 5 min after I began (guessing about 45-50 people). Many familiar faces.

We had a rollicking good time. I presented how things worked with Classic and Declarative presented some findings and asked for other opinions. Boy did I receive them.

My basic conclusion is that Declarative can reduce the code used and in turn improve the maintainability of the FIM implementation.

Picking a mobile phone plan: AT&T

david@identitymanaged.com (David) — Fri, 27 Apr 2012 17:00:00 -0700

I am currently a Sprint customer, and I am in the process of considering a replacement. So I analyzed AT&T’s plans. I found some interesting things:

They have three individual plans that don’t include long distance to Canada but do include US long distance.

min

cost

$/min

Over $/min

Min over to break even with next plan

Rollover

Weekend min

450

$ 39.99

$ 0.089

0.45

yes

5000

900

Phoenix area part-time MBA program comparisons at public universities

david@identitymanaged.com (David) — Fri, 27 Apr 2012 16:45:00 -0700

If you want to study for an Master in Business Adm…

way2 college - Apr 3, 2014

If you want to study for an Master in Business Administration (MBA) while still having time for a full time job, the finest way that you could achieve this is to study in an mba distance learning course.

Distance learning is the best mode of education for the professionals and for the people who cannot attend the college regularly.MBA is a postgraduate course and most of the people opt for it if they want to make career in Management and the business Administration.
MBA through distance education in symbiosis

Phoenix area part-time MBA program comparisons at public universities

david@identitymanaged.com (David) — Fri, 27 Apr 2012 16:45:00 -0700

Even though I already have the MBA from Eller College at the U of A I recently put together the following analysis for a friend comparing the MBA options in Phoenix from U of A and ASU.

Eller College of Management

(University of Arizona) Evening

Eller College of Management

(University of Arizona) Executive

WP Carey School of Business (ASU) Professional Evening

WP Carey School of Business (ASU) Professional Weekend

ASU Executive

Opening Edit instead of view from a uocListView

david@identitymanaged.com (David) — Fri, 27 Apr 2012 06:57:00 -0700

When using the uocListView control in the FIM RCDC you can have it return a list of objects. However when you open them, they also open for viewing, not editing.

The key to this is to add a button control inside the uocListView control. You then specify the redirectURL property for the button. Additionally ShowActionBar must be true, ItemClickBehavior must be ModelessDialog (which is the default). Enable Selection must also be true.

FIM DB Sizing Calculator

david@identitymanaged.com (David) — Wed, 25 Apr 2012 23:32:00 -0700

Pretty slick, man!

Craig Martin - May 3, 2012

Pretty slick, man!

Thanks Craig. Glad you like it!

WAY too timely! Thanks Dave!

Thanks, very helpful.

Hi very helpul, do you have something like that for the Reporting data base of FIM (SCSM DW)?

FIM DB Sizing Calculator

david@identitymanaged.com (David) — Wed, 25 Apr 2012 23:32:00 -0700

FIM has two databases (well three if we count the FIM Certificate Management service):

FIMService
FIMSynchronizationService

Here is a calculator in excel that you can download and use to calculate how big to make your databases.

In my experience the FIMService database size depends mostly on how many request objects are in the database.

The FIM Sync Database depends mostly on how much run history details (step object details) you generate and keep.

Darth Vader – Project Manager Part 2

david@identitymanaged.com (David) — Tue, 24 Apr 2012 11:27:00 -0700

Have you ever wondered what it would be like to be on a project that was managed by Darth Vader?

In Part 1 I analyzed the good side of his skills. In Part 2 I tried to find the bad but I only find more good.

Once more thanks to George Lucas for inventing Star Wars and thanks again my co-workers for not utilizing Darth Vader’s style.

More Good

Characteristic

Example

Nothing new under the sun

david@identitymanaged.com (David) — Tue, 24 Apr 2012 09:48:00 -0700

Just a few weeks ago I was discussing with my team how Cloud computing bore a lot of similarities to outsourcing of Data Processing back in the height of the mainframe era. Just this morning I saw the following on Dave Kearns blog “While it’s true that there is really nothing new under the sun – “cloud computing,” for example, has remarkable similarities to datacenter computing from the ‘60s and ‘70s – it’s also true that there is always a different way to look at data, facts, or technology which can give insights into better ways to conduct business.”

What does “no commitment” really mean?

david@identitymanaged.com (David) — Mon, 23 Apr 2012 21:35:00 -0700

I recently received a mailer for YouFit Health Clubs, offering me “$1 down, $10 month with no commitment” for a club they opened near my house (limited to the first 125 to sign up).

Sounds good, but following the principle of caveat emptor (buyer beware), I always read the fine print. According to the “Billing for Monthly Dues” agreement you may “discontinue your Month-to-Month membership you may do so at any time with a payment of a twenty-five (25) dollar processing fee.”

Vol 1 -- 1000 copies! -- 29% off

david@identitymanaged.com (David) — Wed, 29 Feb 2012 12:01:00 -0700

Great news – Any idea when the next volumes will …

Michelle Rutherford - Mar 4, 2012

Great news – Any idea when the next volumes will be out?

Vol 1 -- 1000 copies! -- 29% off

david@identitymanaged.com (David) — Wed, 29 Feb 2012 12:01:00 -0700

A few weeks ago FIM Best Practices Volume 1 has surpassed 1000 copies! In honor of that achievement and Leap Day use the following code to get 29% off LEAPYEAR305

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

FIM 2010 -- Update Rollup 2 4.0.3606.2

david@identitymanaged.com (David) — Tue, 28 Feb 2012 09:32:00 -0700

FIM 2010 Update Rollup 2 is now available. Download from here

Before blindly applying this update it is critical that you read the release notes, as XMA’s or ECMA’s may not run after the update. If you changed the MIISServer.exe.config file to tweak the FIM MA performance the update won’t replace your file. So you have to make some updates to it by hand. This is documented in the release notes.

There are lots of fixes, my most favorite is that they have rolled back the change I mentioned [ranted about] in a previous blog post: What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?

Darth Vader – Project Manager Part 1

david@identitymanaged.com (David) — Tue, 14 Feb 2012 20:28:00 -0700

Tarah - Mar 2, 2012

This comment has been removed by the author.

Is that course being offered at The Darth Vader School of Project Management?

Part of Lord Vader’s project management style coming soon

Darth Vader – Project Manager Part 1

david@identitymanaged.com (David) — Tue, 14 Feb 2012 20:28:00 -0700

Have you ever wondered what it would be like to be on a project that was managed by Darth Vader?

Let’s analyze the good side of his skills.

But before we do a little housekeeping:

I would like to thank my George Lucas for inventing such wonderful characters and a wonderful story, that has entertained me and so many others, many many times. I would also like to thank my co-workers for not utilizing Darth Vader’s style.

FIM R2 Showdown -- Classic vs. Declarative

david@identitymanaged.com (David) — Wed, 25 Jan 2012 10:43:00 -0700

Come join me at The Experts Conference 2012 in San Diego April 29 - May2 where I will be presenting:

FIM R2 Showdown — Classic vs. Declarative
Speaker: David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs. when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.

Property Sets for Permissions in AD and AD LDS

david@identitymanaged.com (David) — Mon, 26 Dec 2011 12:46:00 -0700

It’s very good post! Congratulations! I really enj…

Unknown - Jul 4, 2013

It’s very good post! Congratulations! I really enjoyed to reading your blog. Thanks for share all this information. I’m looking forward your next post

Property Sets for Permissions in AD and AD LDS

david@identitymanaged.com (David) — Mon, 26 Dec 2011 12:46:00 -0700

A while back I needed to set up Property Sets in AD LDS for granting of permissions to many of the attributes on the person object all at once, as I reviewed the Technet documentation on AD Property Sets I realized that it doesn’t tell you what object type property sets are, nor does it tell you how to create a property set, nor does it tell you how to assign an attribute to a property set. The MSDN documentation on Property Sets lets you see which attributes where included in which property sets in the different versions of AD, and it hints that property sets are part of Control Access Rights. Finally there is some more MSDN documentation on Control Access Rights that starts to spell it out:

GUIDs to Octets, GUIDs to Base64 strings and back again

david@identitymanaged.com (David) — Mon, 26 Dec 2011 12:45:00 -0700

not sure if anyone is still looking at this but i …

Unknown - Jan 6, 2015

not sure if anyone is still looking at this but i have a question that seems simple but its puzzling me!
I am trying to follow the instructions to convert a GUID into a string. I have done this:

Which you can do with this one line of PowerShell script

GUIDs to Octets, GUIDs to Base64 strings and back again

david@identitymanaged.com (David) — Mon, 26 Dec 2011 12:45:00 -0700

Suppose I generate a GUID of 8c4ac332-975f-4717-ad7b-ba4a4e968fff by running the following PowerShell Command line

[system.guid]::newguid()

Don’t worry if your GUID is different from mine; it should be! If it isn’t let me know because I think I’ll partner with you for the lottery (aka a tax on the mathematically impaired).

Some attributes (like the attributeSecurityGUID) when edited through ADSI Edit require you to convert the GUID to octet string (for little endian systems – Intel processors are little endian): 32c34a8c5f971747ad7bba4a4e968fff

Referenced by Other works and Sale at Lulu

david@identitymanaged.com (David) — Mon, 28 Nov 2011 07:07:00 -0700

I was pleasantly surprised today to find three other books, referencing FIM Best Practices Volume 1, which because of a Lulu Sale you can get at 25% off until 12/14/2011 Coupon Code: BUYMYBOOK305 Coupon expires December 14, 2011 $50 Max Savings. Of course today only 30% off, CYBERMONDAY305.

All three have an identical blurb about FIM and reference FIM Best Practices Volume 1 as additional material.

Title

Author

User Provisioning: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors

FIM exam 70-158 is now live oh and I passed

david@identitymanaged.com (David) — Tue, 22 Nov 2011 07:03:00 -0700

Congrats! This is interesting area -and product …

Savolainen Semi Seniori - May 6, 2012

Congrats!

This is interesting area -and product but suffers from availability of learning materials..

Like i couldn’t find practice tests at all. And im used to study with those MS presss books and their companion CD’s with practice tests.
Sure i do labs in virtual environments too but for me those practice tests give that last confidence that i need to book exam. :)

FIM exam 70-158 is now live oh and I passed

david@identitymanaged.com (David) — Tue, 22 Nov 2011 07:03:00 -0700

Exam 70-158: TS: Forefront Identity Manager 2010, Configuring is now live according to the MSL web site. I also received an email indicating that I passed the beta.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?

david@identitymanaged.com (David) — Wed, 16 Nov 2011 10:38:00 -0700

Ok I am not actually swearing, nor are those substitute words, rather % and _ are two characters that until hotfix rollup package (build 4.0.3594.2) could be used to perform some much needed and cool searches for sets, search scopes, groups and 3rd party client queries against FIM. Such as querying for the presence of string attributes.

I am sure what happened is that someone created a resource with an underscore in the name and then couldn’t search for it. So the fix. However it wasn’t broken. We need this functionality. Furthermore, simply enclosing the wildcard character in [] would cause it to be evaluated as a literal.

What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?-Comments

david@identitymanaged.com (David) — Wed, 16 Nov 2011 10:38:00 -0700

David - just came across your post. Others readin…

Anonymous - Jan 1, 2012

David - just came across your post. Others reading it now may wish to follow this thread on the FIM Forum where the issue continues to be discussed at length.
Cheers
Bob
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/ec15b1d0-3f4c-42fd-a833-3983330be963

10 years on David and your post came in handy just now - learned something new about the [_] thing in xpath statements :) - kudos - just the ticket!
My xpath: “/*[starts-with(DisplayName,’[_]’)]”

FIM 2010 hotfix available (4.0.3594.2)

david@identitymanaged.com (David) — Wed, 16 Nov 2011 10:22:00 -0700

Microsoft has released a new hotfix (kb 2520954) at the end of October with some key fixes in it as well as one item that I will blog about next that prevents me from loading this on most implementations, until it is addressed.

Highlights

Component

Official Description

Comments

Workflow Engine (FIM Service)

Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails property for a request, or in the WorkflowStatusDetails property of a workflow instance: Cannot enlist in the transaction because a local transaction is in progress on the connection.
Additionally, the time stamp is the same as the time when the operation fails.

TEC 2012 call for papers open for 2 more days

david@identitymanaged.com (David) — Wed, 16 Nov 2011 10:05:00 -0700

The Experts Conference Call for Papers still open until Nov 18th

http://www.theexpertsconference.com/us/2012/submit-a-paper/

For general info: http://www.theexpertsconference.com/us/2012/

I have attended at spoke at this conference since 2007. I love it. It is a great experience and loads of great in-depth technical training by top experts on Directory & Identity, as well as SharePoint, Exchange, Virtualization & Cloud and PowerShell Deep Dive. Also come and learn about the inside joke dealing with the rubber chicken.

Awesome FIM Case Study

david@identitymanaged.com (David) — Wed, 16 Nov 2011 09:54:00 -0700

Is FIM 21010 a much more advanced version of the F…

Craig Martin - Nov 3, 2011

Is FIM 21010 a much more advanced version of the FIM we know today?

Awesome FIM Case Study

david@identitymanaged.com (David) — Wed, 16 Nov 2011 09:54:00 -0700

Microsoft recently published a case study about our work (Ensynch – now Insight) at Grand Canyon University, implementing a FIM 2010 based identity management solution.
The document is available for download directly from http://www.microsoft.com/casestudies/Microsoft-Forefront-Identity-Manager-2010/Grand-Canyon-University/Private-University-Reduces-Identity-Management-Workload-by-320-Hours-per-Month/4000011192

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

O Blog how I have neglected thee

david@identitymanaged.com (David) — Wed, 16 Nov 2011 09:52:00 -0700

Wow, sorry to hear about the past few months, soun…

Derek A. Hanson - Nov 3, 2011

Wow, sorry to hear about the past few months, sounds like it was pretty rough. Congrats on the acquisition and all the best with your projects.

O Blog how I have neglected thee

david@identitymanaged.com (David) — Wed, 16 Nov 2011 09:52:00 -0700

Ok so I have neglected my blog a bit. You all saw the news that Ensynch is now part of Insight.

Wow the same day we announced the merger (9/19), I was also given word that my uncle and cousin died in a plane crash, that wound up making the regional news.

Later my kids earned their trip to Disneyland, so we took them in early October.

One of our architects had to disengage from a big project (for personal reasons) and I needed to step in and play that role too.

Big news–Insight + Ensynch

david@identitymanaged.com (David) — Fri, 23 Sep 2011 12:40:00 -0700

Insight to acquire Ensynch.
As my colleague Rebecca Croft said:
We are very excited about the union of Insight and Ensynch and the benefits that it will bring to our clients. Both companies are focused on helping our clients find innovative, cost effective solutions to address business needs. Bringing Ensynch into the Insight organization will offer clients more robust software services, particularly around Microsoft Enterprise Agreements, as well as improved services delivery, enhanced virtualization and cloud capabilities and solution-focused approach to software sales. This acquisition will further simplify our clients’ ability to acquire, procure, implement and manage IT solutions across their technology environment.
For more information, read the press release here, visit www.insight.com or www.ensynch.com, or contact me with any questions.

Get 15% off of FIM Best Practices Volume 1

david@identitymanaged.com (David) — Fri, 23 Sep 2011 12:11:00 -0700

Through Sept 26th get 15% of FIM Best Practices Volume 1 at lulu.com

Use the following code at checkout OKTOBERFEST305

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Get 20% of FIM Best Practices Volume 1

david@identitymanaged.com (David) — Tue, 06 Sep 2011 05:33:00 -0700

Buy FIM Best Practices Volume 1 in Soft Cover or E-Book

Enter coupon code SEPTEMBER305 at checkout and receive 20% off your order. The maximum savings for this offer is $100. Offer expires on September 9 at 11:59 PM

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Calling a stored procedure in an ADFS claims rule

david@identitymanaged.com (David) — Thu, 01 Sep 2011 06:34:00 -0700

After you have setup your SQL Attribute Claims Store in ADFS. If you want to use it and in fact test it you must set up a claims rule that makes use of it. To do this you must create a claim using a custom rule, which allows you to employ the claims rule language.

The following technet entry is a good start as it illustrates how to enter a SQL Query and even a stored procedure.

Troubleshooting SQL Attribute Stores with ADFS

david@identitymanaged.com (David) — Thu, 01 Sep 2011 06:21:00 -0700

Several others have showed how to define SQL attribute stores with ADFS.

Note that when entering the connection string there is no validation or feedback to the administrator. If there is a problem you usually won’t see it until you setup a claims rule that uses it and you get an error. So make certain to carefully build and test your connection string. Remember that if you use integrated authentication to connect to the SQL Server that it will run under the context of your ADFS Service account so you will need to grant your ADFS service account permissions to the SQL Server and Database.

Using FIM Best Practices Volume 1 to study for the FIM exam

david@identitymanaged.com (David) — Thu, 28 Jul 2011 21:45:00 -0700

Took the exam last week, the book was a very helpf…

Anonymous - Aug 3, 2011

Took the exam last week, the book was a very helpful study tool.
Phil

Using FIM Best Practices Volume 1 to study for the FIM exam

david@identitymanaged.com (David) — Thu, 28 Jul 2011 21:45:00 -0700

Ok so info on the exam and its list of items covered is provided here

For fun I thought I would map out the domain objectives to items in the FIM Best Practices Volume 1

The book helps with items in area 1 Planning a FIM Implementation and Installing FIM.

Objective

Chapter

1. Planning a FIM Implementation and Installing FIM

1.1 Plan and design FIM topology

4 and 5

1.2. Install the FIM Service and the FIM Portal.

Beta Exam for FIM available until Aug 4th

david@identitymanaged.com (David) — Thu, 28 Jul 2011 21:17:00 -0700

http://borntolearn.mslearn.net/btl/b/weblog/archive/2011/07/18/forefront-identity-manager-fim-beta-exam-now-available.aspx

Beta exam 71-158_, TS: Forefront Identity Manager 2010, Configuring_

So in a short while we should see some folks who are actually Microsoft Certified Technical Specialists(MCTS) for FIM!

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

FIM Bug for multi-valued strings that need approval

david@identitymanaged.com (David) — Tue, 28 Jun 2011 09:52:00 -0700

I think I found a bug in FIM Version 4.0.3576.2 take a look:

It appears that when you have a multi-valued string attribute when you add more than 1 value at a time and you need approval to create the object or to update the attribute, the request will fail. In the event log you will see an error (UnwillingToPerformException … CREATE UNIQUE INDEX statement terminated because a duplicate key was found for the object).

SQL Extensible Management Agents That Scale (Rebecca Croft)

david@identitymanaged.com (David) — Thu, 23 Jun 2011 15:27:00 -0700

Rebecca, a fellow Ensynchian, presented at TEC 2011 on the limitations of the standard out of the box SQL Management and how she overcame them by writing a very fast eXtensible Management Agent (XMA).

First attempt use ado.net sql reader to read data (really fast) and write one row at a time to the AVP file (but that gets slow when dealing with large data sets).

Second attempt use the T-SQL “FOR XML” clause to transform the data to XML and then use an XSLT to transform to LDIF.

RCDC Editor

david@identitymanaged.com (David) — Fri, 17 Jun 2011 06:58:00 -0700

As previously discussed the RCDC is a very powerful tool for customizing FIM without writing your own front-end and web client. There are several drawbacks to the RCDC. The worst is that you have to export the RCDC to an xml file, open it up in your favorite XML editor, modify it by hand, load it back into the FIM Portal and then run iisreset. All of which means that mistakes are quite painful, as it can take you several minutes to discover your mistake. Worse if you made more than one change. Ugh!
So thanks to my friends over at OCG there is an RCDC editor. While not perfect it can shave hours off your time to edit RCDC’s.
You get an almost WYSIWYG editor that saves you from making many easy simple mistakes. If I need to tweak something simple I might for go it, but then again I have lots of experience tweaking the RCDC by hand (painful experience). For $775 for a project I can get an editor that makes life much simpler. No brainer!
The UI is good but not perfectly intuitive. I found several “bugs” only to discover that I needed to learn just a bit more about the tool.
You will need to run a PowerShell command to export the FIM Configuration, install the software before you can use it at all. After activating the license you can save the RCDC’s as XML. Then yes you still have to load the RCDC manually and run iisreset. Nonetheless, this is still much easier.
While you are still learning more about what the RCDC can do, this is still an iterative process. Creating an RCDC for a new FIM resource type is now a 2-8 hour job instead of 8-32 hour job.
The Resultant Rights Editor is a nice bonus that allows you to setup scenarios (who is accessing what resource and which attributes to include) so that you can see what control will be visible, and enabled for the different users.

Three complaints (with paraphrased responses from Tools4FIM):

RCDC Requiring another field

david@identitymanaged.com (David) — Tue, 14 Jun 2011 20:30:00 -0700

Ok I just had to blog this.

I created a custom resource type in FIM for resource mailboxes (Room and Equipment) with accompanying RCDC’s. Based on a Boolean attribute I hide or make visible a tab of info about Room resources on the edit and view RCDC’s. (You can’t do that to the create RCDC because the object doesn’t yet exist)

But, I would like to make room number on the Hidden tab to be required when the tab is visible, and not when the tab isn’t. Obviously I can’t do that on the create because the object doesn’t yet exist and so I can’t reference the Boolean attribute. So I just set the required property to true and figured it would work or not. – It does not work. The tab is still hidden until I click finish and then the tab is revealed and it insists on input to the field “The required field cannot be empty”.

FIM 2010 R2 News

david@identitymanaged.com (David) — Mon, 23 May 2011 08:00:00 -0700

At Tech Ed Atlanta Brjann Brekkan and Mark Wahl discussed FIM 2010 R2 in a public forum – so here is a lot of info that is now in the public forum.

Mark covered the new items that will come out in R2:

Web Based Password reset (no need for a domain joined computer, no need to install Password Client no need for Active X, support for Firefox)
Although for integration with the GINA (the login screen) you still need to install the FIM Password Reset Client

Behind the scenes of RoomResources–Custom Properties

david@identitymanaged.com (David) — Mon, 16 May 2011 22:26:00 -0700

While using FIM and PowerShell to manage Exchange 2010 I was following along a wonderful article on resource mailboxes that left me wondering a few things.

Exactly how is the data stored in the msExchResourceDisplay and msExchResourceSearchProperties attributes?
How is it stored with multiple custom properties?
Is manipulating those AD attributes sufficient or is PowerShell storing something in the Exchange Data store?

Here are the answers:

msExchResourceDisplay = “Room,FlatScreenTV” It appears to be a single valued string with commas.

msExchResourceSearchProperties at first blush appears to be a single-valued string with semi-colons, however further examination reveals it to be a multi-valued attribute

RSS feed for FIM Hotfixes

david@identitymanaged.com (David) — Wed, 11 May 2011 12:52:00 -0700

Now you can be informed about FIM 2010 hotfixes through an RSS newsfeed

http://services.social.microsoft.com/feeds/feed/FIM2010_Hotfixes

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Using FIM to manage BPOS/Office 365

david@identitymanaged.com (David) — Wed, 20 Apr 2011 10:57:00 -0700

Carol presented a solution to a very thorny problem – how to overcome the lack of delegation in BPOS. In BPOS a user is either an admin or a user. So she used FIM to provide the delegation. Very detailed, very complete solution. She illustrated some of the scripts she has posted on her blog such as http://www.wapshere.com/missmiis/a-script-to-create-sets-and-mprs-from-templates

Well done Carol!

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

FIM 2010 reporting using SQL Server Reporting Services (Jeremy and Craig)

david@identitymanaged.com (David) — Wed, 20 Apr 2011 10:53:00 -0700

Link to Jeremy and Craig’s solution please?

Sami - Jul 1, 2011

Link to Jeremy and Craig’s solution please?

http://www.identitytrench.com/2010/11/simple-reporting-in-fim-2010-with-ssrs.html

FIM 2010 reporting using SQL Server Reporting Services (Jeremy and Craig)

david@identitymanaged.com (David) — Wed, 20 Apr 2011 10:53:00 -0700

Jeremy and Craig had an interesting shoot out showing off their differing versions of reporting from FIM. Jeremy has an “agent” that he uses to pull the data out of FIM and store it in SQL, after which doing SSRS reports is not terribly difficult. Craig’s approach was to start off by creating a generic SSRS Data Processing extension for PowerShell, and then adjusted to pull data from FIM. Both approaches look very slick. Afterwards they explained how their efforts actually turned out to be quite complimentary. Two thumbs up gentlemen!

Cloud computing single sign-on. Making ADFS work with Google and Salesforce (Nikita Ryumin)

david@identitymanaged.com (David) — Wed, 20 Apr 2011 10:47:00 -0700

This TEC session on the Directory Services track was short but sweet illustrating how to connect ADFS to Google and SalesForce.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Desktop Virtualization and Identity Management

david@identitymanaged.com (David) — Tue, 19 Apr 2011 14:36:00 -0700

Any chance of getting an online version of this talk?

Paul - Apr 2, 2011

Any chance of getting an online version of this talk?

Desktop Virtualization and Identity Management

david@identitymanaged.com (David) — Tue, 19 Apr 2011 14:36:00 -0700

I did a lunch time presentation in partnership with Jonathan Sander. We presented how we can use Quest VWorkspace and Quest One Identity Manager to build a corporate store (we code named it VIPER) to provide a dynamic desktop experience.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Creating Authentication Activities in FIM (Ikrima Elhassan)

david@identitymanaged.com (David) — Tue, 19 Apr 2011 14:32:00 -0700

This session at TEC was quite interesting. Ikrima presented quite a lot of material about how to extend FIM with your own authentication activities, demonstrating a OTP password reset approach.

Code is available at https://github.com/ikrima/Public-Development

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Recruiting

david@identitymanaged.com (David) — Tue, 19 Apr 2011 14:30:00 -0700

Hey readers, our Identity Practice at Ensynch is keeping us very busy. We would like to have more Identity consultants as part of our team. Come work with me and the rest of our fantastically talented Identity Team.

We are looking for people with experience in Forefront Identity Manager 2010 and people with experience in ADFS 2.0. We are looking for both Full Time Employees as well as people interested in being contractors for us.

Designing and Implementing RBAC Solutions with FIM 2010 Group Management

david@identitymanaged.com (David) — Mon, 18 Apr 2011 16:33:00 -0700

After I introduced Brad Turner and turned the time over to him, he showed off some really cool FIM extensions to enable RBAC. He even showed how it fits the NIST RBAC definitions even through level 3.

The key design decision was to extend the Set and Group objects. The Set then functions as a role. This allows for both explicit and criteria based membership. A new object type for a Role Membership allows for the user’s membership in a role to expire at an individual time.

FIM Best Practices: Sizing Your FIM Installation

david@identitymanaged.com (David) — Mon, 18 Apr 2011 16:25:00 -0700

I had a lot of fun presenting this session. Largely based on chapter 5 in volume 1 I showed how to decide on your High availability approach, how that impacts your topology choice, and then how to estimate your scale, load, and complexity points. Then based on those factors figure out how big to make your SQL Server that hosts the FIM service database.

In the middle I did enjoy putting in a plug for our Ensynch sponsored green, dishwasher safe water bottles, as I took a drink of my fruit punch Gatorade mix.

Can PXEs Fly? FIM and SCCM Integration (Rob Allen)

david@identitymanaged.com (David) — Mon, 18 Apr 2011 16:16:00 -0700

I was looking forward to this one, but got called away. I hope to look at the slides soon.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Creating Management Agents with the new EZMA (Andreas Kjellman)

david@identitymanaged.com (David) — Mon, 18 Apr 2011 13:00:00 -0700

At TEC 2011, Andreas Kjellman of Microsoft, who “owns” the FIM synchronization engine, showed off the upcoming EZMA framework.

The problem:

The existing eXtensible Management Agent (XMA) does not have a call based import method, we are limited to using GUIDs as the initial anchors, and we don’t have partitions in an XMA.

Solution

EZMA – which, IMO, will actually be a little harder to do than an XMA but will allow the developer to do much more that will make the FIM admin’s life easier.

Files, FIM, and PowerShell (James Booth)

david@identitymanaged.com (David) — Mon, 18 Apr 2011 11:38:00 -0700

James Booth former Microsoft Group Program Manager for MIIS (precursor to FIM) presented on using PowerShell to process files in preparation for consumption by FIM.

James points out that “In the beginning, it was all files.” These call based MA’s are the new kids on the block, also said that at Microsoft in 2000 the philosophy was “XML is the answer, now what is your question?”

James has posted his new commandlets to GitHub https://github.com/jhbooth/LDIF-PowerShell

TEC 2011–FIM Workflows Deep dive

david@identitymanaged.com (David) — Sat, 16 Apr 2011 16:13:00 -0700

I am already in Las Vegas, prepping to assist my fellow Ensynch coworkers, Joe Zamora, and Rebecca Croft as they lead an awesome value packed pre-conference workshop tomorrow (Sunday) morning at 8 AM to 12 PM (noon). Jerry Camel and Brad Turner will also be around to assist.

There are so many good sessions to attend this time here are some of the ones I am looking forward to:

Monday morning gets the FIMsters off to a great start with a choice of two great sessions:

Making Sense of the Cloud

david@identitymanaged.com (David) — Wed, 13 Apr 2011 21:15:00 -0700

National Roadshow Series: 2 High Value Sessions in 1 Business Focused Technology Briefing from Leading Industry Experts at Ensynch and Microsoft

It’s time to make sense of the plethora of rhetoric around the term “Cloud.” It’s time to cut through the hype and figure out how to leverage the latest Dynamic Private Cloud and Public Cloud technologies and provide real value to your business.
Why Attend?
Learn how organizations worldwide are realizing tremendous business value as they begin to migrate portions of their business to securely provide IT as a service through private and public cloud solutions. Unlike many product-focused technology events, this event is focused on business use cases and solutions. You will leave this event having gained real value and perspective that you can immediately apply to your business’s information technology strategy and roadmap.

EBook of Vol 1 is now available

david@identitymanaged.com (David) — Tue, 15 Mar 2011 17:01:00 -0700

After listening to many pleas for an e-book version of FIM Best Practices Volume 1, I have relented and created an e-book version. List price is $22.00 but here is a 10% off discount for the next week to $19.80.

Most of the requests were for speed of delivery, searching, but the one that got me was a request based on eyesight made by Bill Singh. So you can all thank him for there being an e-book of volume 1.

Webinar: Cloud’s Silver Lining: Identity Management

david@identitymanaged.com (David) — Wed, 02 Mar 2011 11:30:00 -0700

Business Insights Webcast:
The Cloud’s Silver Lining: Identity Management

Join Us for an Informative Webcast on the Value of IDA in the Cloud
- Part 2 in a Series of Webcasts from Microsoft FIM MVP David Lundell -

Identity Management is a critical component to realizing the true value of the Cloud.

Solutions from Microsoft including Forefront Identity Manager (FIM), Active Directory Federation Services (AD FS), and Microsoft Forefront Unified Access Gateway (Forefront UAG) allow you to get the most out of your cloud applications (such as Office 365, BPOS, and other Software a Service (SaaS) solutions); while enabling a seamless transition in managing the identities of your users.

FIM Training back—on May 23-26 in Phoenix

david@identitymanaged.com (David) — Mon, 14 Feb 2011 11:36:00 -0700

Last week I taught a group of students 50382A Implementing Forefront Identity Manager 2010, and referenced FIM Best Practices Volume 1 to supplement. It was a great bunch, full of humor. We even had one gentleman fly all the way from Australia to attend my class. I felt quite honored.

Well due to popular demand we are going to run it again May 23-May 26 (M-Th) once more in downtown Phoenix.

Register by emailing FIMTraining@Ensynch.com, providing your contact info, which class and date you want to attend. You will then be contacted to complete the registration. The cost of the course is $1895 USD

Get FIM Training from Author of FIM Best Practices Volume 1

david@identitymanaged.com (David) — Tue, 04 Jan 2011 09:13:00 -0700

Come get FIM training from David Lundell, FIM MVP and author of FIM Best Practices Volume 1.

Register by emailing FIMTraining@Ensynch.com, providing your contact info, which class and date you want to attend. You will then be contacted to complete the registration.

On Feb 8th - Feb 11th in downtown Phoenix (class will start at 8 AM), I will be teaching 50382A Implementing Forefront Identity Manager 2010 and of course adding in lots of valuable information from various FIM implementations that I have performed and supervised. Additionally, material from FIM Best Practices Volume 1 will be referenced during class (bring your copy to class). The cost of the course is $1895 USD.

Amazon–FIM Best Practices Volume 1

david@identitymanaged.com (David) — Thu, 16 Dec 2010 10:02:00 -0700

Apparently one of the Amazon marketplace sellers has decided to list my book on Amazon.

So I am excited that it can now be found on Amazon, but it should be noted that Old Shingled House has marked it up to $49.95 a 99.5% markup. Old Shingled House is buying them through Lulu at the regular rate of $25.00. If you buy it through Amazon or through Lulu, I still get my normal cut, the question is how much you pay. Now lest you think Old Shingled House is being greedy, I did look at what it takes to make the book available on Amazon through the marketplace or by having Lulu place it out there, and there certainly are extra costs. So if you found it through Amazon good. If you found it at Lulu and bought there even better for you.

Buy FIM Vol 1 and Get free ground shipping through Dec 12th

david@identitymanaged.com (David) — Tue, 07 Dec 2010 17:27:00 -0700

From LULU:

Enter coupon code HOLIDAY305 to receive free ground shipping. Shipping address must be within the United States. The maximum savings for this offer is $45. Sorry, but this offer is only valid in US dollars and cannot be applied to previous orders. You can only use this code once per account, and unfortunately you can’t use this coupon in combination with other coupon codes. This great offer expires on December 12, 2010 at 11:59 PM PST, so don’t miss out! While very unlikely, we do reserve the right to change or revoke this offer at anytime, and of course we cannot offer this coupon where it is against the law to do so.

Law of Unintended Consequences

david@identitymanaged.com (David) — Fri, 03 Dec 2010 16:41:00 -0700

Any news on certification paths for IDM?

Derek A. Hanson - Dec 6, 2010

Any news on certification paths for IDM?

Hey Derek,

No news yet. Just my own speculation but I would expect to see an exam covering several Microsoft Identity Technologies emerging sometime next year.

Law of Unintended Consequences

david@identitymanaged.com (David) — Fri, 03 Dec 2010 16:41:00 -0700

In the process of setting up to teach 50382A - Implementing Forefront Identity Manager 2010 in Phoenix, AZ (Feb 8-11 and May 23 – May 26 – registration info to follow in a subsequent post) and looking at other courses in the Microsoft Courseware library I have noticed an interesting trend – most courses have lots of very bland reviews like this:

“Good Course”

“Good one”

“Good content and best practices”

Get 25% off of FIM Best Practices Volume 1 Today only

david@identitymanaged.com (David) — Tue, 30 Nov 2010 13:39:00 -0700

Valid today only through 11:59 PM (EST) and only valid in the US, Lulu is offering 25% off. So you can order FIM Best Practices at 25% off. Enter the following promo code at Checkout: CYBER305

Click here to look at the book: http://www.lulu.com/spotlight/david_lundell

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Webinar is available for viewing

david@identitymanaged.com (David) — Sun, 14 Nov 2010 18:35:00 -0700

The webinar on Friday went well. Here it is available for viewing at your pleasure.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Case Study: Real World organizations simplify Identity Management

david@identitymanaged.com (David) — Thu, 11 Nov 2010 16:53:00 -0700

Tomorrow morning at 8 AM PST I will be participating as a speaker in a webinar with Jonathan Sander from Quest.

http://www.brighttalk.com/webcast/22703

Successful identity and access management means different things to different organizations, but in almost every case, it requires complex, time-consuming, and expensive solutions. However, an ever-growing number of organizations have found a new way to achieve their identity and access management objectives simply, inexpensively, and powerfully.

In this webcast, identity and access management experts will discuss how organizations like yours have discovered and are implementing a simplified approach to identity and access management.

TEC 2010 Europe – Sweet German Chocolate!

david@identitymanaged.com (David) — Mon, 18 Oct 2010 14:01:00 -0700

Sounds like a great conference. The Berliners will…

johnkaiser - Nov 2, 2010

Sounds like a great conference. The Berliners will want you back soon with Volume2!

TEC 2010 Europe – Sweet German Chocolate!

david@identitymanaged.com (David) — Mon, 18 Oct 2010 14:01:00 -0700

Overall TEC 2010 Europe in Dusseldorf Germany was pretty cool. I enjoyed the speakers reception on Sunday night and got to meet some folks from the SharePoint side some of whom are even interested in FIM and one of them bought my book!

For the first time I was able to bring my wife along to TEC! We enjoyed some good time in Dusseldorf including seeing Schloss (Palace) Benrather.

Monday we started off with a keynote from Uday Hegde and Mark Wahl on the future of Directory and Identity Technologies. It was mostly an overview and demo of the various MSFT Identity technologies, FIM, RMS, ADFS etc. I did enjoy Mark’s well prepared video demo. He clearly had practiced the timing quite well, explaining as the mouse moved across the screen carrying out his demo.

Details of Errata

david@identitymanaged.com (David) — Wed, 29 Sep 2010 15:29:00 -0700

Here is what the text on page 183 should say (the italicized items are the new or changed bits of text)

Unattended Install of the FIM Client

This is the component that you will perhaps most desperately see the need for unattended install.

Use the following table to help you plan your install as well as to understand the relationship between the UI parameters, the Unattended parameters and where these items are persisted. These items can also be controlled through Group Policy templates that are shipped with the product.

Errata and Updates to FIM Best Practices Volume 1

david@identitymanaged.com (David) — Wed, 29 Sep 2010 07:11:00 -0700

Could you post a complete listing of the correctio…

Keith Crosby - Sep 3, 2010

Could you post a complete listing of the corrections? In particular, the changes around the unattended client install. BTW, great job on Volume 1. I’m, looking forward to Volume 2 (and an eBook version would be great as well).

I love volume 1! Is it too soon to start asking about volume 2 :-)

Errata and Updates to FIM Best Practices Volume 1

david@identitymanaged.com (David) — Wed, 29 Sep 2010 07:11:00 -0700

Thanks to several readers including Freek Berson, for catching a few errors I made while revising after my first round of reviewers.

Changes: in version 1.1 (Sept 28, 2010)

Chapter 1, updated the manager to director card, previously the word director was not visible (page 2)

Manager

Director

Chapter 1 Fixed “Error Missing Reference” in Chapter 1 (page 4) to refer to Figure 1-2 Actual Photo of Smart Card

Fixed client unattended install in Chapter 7: deleted reference to config files and corrected registry references.

Extinguishing Cystic Fibrosis

david@identitymanaged.com (David) — Wed, 15 Sep 2010 09:43:00 -0700

Well, we are on our way towards our goal of $2000, but we need more help (please make a donation).

Refresher:

Every year Ensynch sponsor’s the Ensynch Stairclimb and Firefighter challenge. The purpose of the event is to raise money for research on Cystic Fibrosis. The event is this Saturday, in Phoenix at Arizona Center - 5th Street & Van Buren. This year I am heading up the Stripes team, we have a goal of raising $2000 by this Saturday. Many of our team mates at Ensynch will be climbing stairs. If you live in Phoenix or will be here this Saturday you can participate too (you can climb or come and cheer as part of the no-sweat supporters). Alternatively, you can sponsor one, make a donation in our team’s name. The event also includes cheering on different firefighting teams as they perform their challenges!

Fighting Cystic Fibrosis

david@identitymanaged.com (David) — Mon, 13 Sep 2010 11:24:00 -0700

Default GalSync Connector Filter

david@identitymanaged.com (David) — Tue, 07 Sep 2010 11:35:00 -0700

Hi , If I want to exclude a handful of users fr…

Unknown - Aug 3, 2013

Hi ,

If I want to exclude a handful of users from an OU moving across with the GALSync , am I correct to click on the user datasource object type and do a declared import filter then add their display names equals , will this work ?

Default GalSync Connector Filter

david@identitymanaged.com (David) — Tue, 07 Sep 2010 11:35:00 -0700

Using FIM 2010 RTM Update 1:

The default GalSync Connector Filter is to filter out user objects that are hidden from the addressbook, OR missing the legacyExchangeDN, OR missing both the msExchangeHomeServerName and targetAddress are missing, OR proxyAddresses are missing, OR if it is a Mailbox Plan, Arbitration Mailbox, or Discovery Mailbox.

Consequently, this answers the question are mail-enabled users filtered out by default?

No they are not, as a mail-enabled user will have the target address populated, and none of the other rules will filter it out.

When moving the FIM DB ensure FT Indexing enabled

david@identitymanaged.com (David) — Sat, 04 Sep 2010 06:39:00 -0700

I just found a very intriguing blog post from Thomas Vuylsteke, about a potential danger when moving your FIM Service Database from SQL Server to another: The case of the new attributes that didn’t want to be found

In short there is the potential that when you move the database that it might arrive on the new server with the Full Text Indexing disabled. The way Thomas tumbled to the problem was that he couldn’t search for a new attribute.

TEC Europe – Come hear me speak!

david@identitymanaged.com (David) — Wed, 01 Sep 2010 20:27:00 -0700

I will be presenting at TEC Europe in Dusseldorf Germany Oct 4-6. During my sessions I will give away a copy or two of my book FIM Best Practices Volume 1 .

FIM 2010 Performance Tuning (SQL and more)
Speaker: David Lundell

Learn how to tune FIM 2010 to make it scream. Take a look at the various architectures and what they buy you. Learn how crucial SQL is to FIM performance and what to do about it. You’ll also learn tips for workflows and the FIM web service and receive a crash course in the SQL Server Optimization.

The Book is here! FIM Best Practices Volume 1 is Available

david@identitymanaged.com (David) — Sun, 29 Aug 2010 23:17:00 -0700

Congratulations!! I’ll order it immediately.

Naohiro Fujie - Aug 1, 2010

Congratulations!!
I’ll order it immediately.

Congrats, any chance of an ebook?

Dan,
I considered the e-book route, but at least for the time being decided to go with a printed version. Feel free to lobby and persuade me why an ebook version would be better.

The Book is here! FIM Best Practices Volume 1 is Available

david@identitymanaged.com (David) — Sun, 29 Aug 2010 23:17:00 -0700

To purchase a copy of the book please follow this link.

The best view to present from the lulu site is probably this one: http://www.lulu.com/spotlight/david_lundell as it has the brief description of the book and the author bio.
You also have the ability to preview a few parts of the book
The book came out to be 258 pages from cover to cover, and yes we included an index! By publishing it through Lulu.com (a Print on Demand company) we got to be much more in control of the whole process, and had faster time to market.
Here are some comments from folks that have had access to pre-release copies:

Book update

david@identitymanaged.com (David) — Fri, 20 Aug 2010 18:11:00 -0700

Early last week I sent the book out for review. I have been digesting the excellent feedback I have gotten (thanks to Peter Geelen, Paul Loonen, Andreas Kjellman, and Glenn Zuckerman). Apparently, they liked Brad’s architecture diagrams more than mine (so do I) so I need to update the other architecture diagrams to be like his. They really do look neater. Check out this one on FIM multi-tier with an admin partition:

ADFS v2 Test Report -- Found

david@identitymanaged.com (David) — Fri, 20 Aug 2010 07:58:00 -0700

Something has happened with the project liberty website and most links to it are now broken, including the link to the test results from last year which includes which profiles ADFS v2 passed. So here it is:

http://projectliberty.org/liberty/content/download/4732/32917/file/SAML_3Q09_%20IOP_Test_Event_Final_Report.pdf

ADFS v2 passed: IDP Lite, SP Lite, eGov 1.5

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

The Book: FIM Best Practices Volume 1

david@identitymanaged.com (David) — Thu, 29 Jul 2010 17:40:00 -0700

Hi David, any update on the availability date?

Unknown - Aug 2, 2010

Hi David, any update on the availability date?

The day it’s out I’ll have my card ready!

Hi David, any news on the book? Hope your back is better!

The book is now available! My back is better too!

The Book: FIM Best Practices Volume 1

david@identitymanaged.com (David) — Thu, 29 Jul 2010 17:40:00 -0700

In two weeks we (Brad Turner is my co-author) will make available for ordering a book on FIM entitled:

FIM Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010

Information on order will be posted here on my blog

This will be the first book on Forefront Identity Manager in English that is not focused on Certificate Management (Brian Komar wrote on book on FIM Certificate Management deployment and two gentlemen from Japan wrote a book on FIM in Japanese as blogged about by fellow MVP, Naohiro Fujie.

Embedding comments in your XPATH Filters

david@identitymanaged.com (David) — Tue, 20 Jul 2010 13:22:00 -0700

One thing I love to do is provide self-documenting code and configurations. Well when I have to customize sets the XPATH filter can get a bit complex so I recently found a way to comment the XPATH Filter in my sets and groups:

/Person[starts-with(DisplayName,’%’)]

By using to enclose my comments and only after the last closing ] of the predicate I can comment on the filter itself.

MVP’d again

david@identitymanaged.com (David) — Fri, 09 Jul 2010 14:27:00 -0700

Congratulations! I hope your continuous writing f…

Naohiro Fujie - Jul 2, 2010

Congratulations!

I hope your continuous writing for exciting articles!

MVP’d again

david@identitymanaged.com (David) — Fri, 09 Jul 2010 14:27:00 -0700

Thanks to the folks at Microsoft for continuing to recognize my contributions to the world of FIM. I awarded MVP for the fourth time.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Finding a Binary Value in the Haystack (FIMService Database)

david@identitymanaged.com (David) — Fri, 09 Jul 2010 14:25:00 -0700

While Query the FIM Service Database at the SQL layer is not supported by Microsoft I had an issue the other day where I couldn’t find what object had a conflicting SID that was preventing the update of another user. I could see in the error detail that it referenced the ObjectSID attribute. So I created this script and replaced the binary value down below with the SID of the object I was looking for.

Technical Overview Whitepaper on FIM released!

david@identitymanaged.com (David) — Wed, 30 Jun 2010 19:28:00 -0700

Technical overview whitepaper on FIM 2010 (download)

Brad and I spent many long hours writing this! Glad to see it come out in the long form. Thanks to the product group for the opportunity and the Brjann, Mark, and Markus for reviewing and editing it.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Ensynch’s Identity Practice -- Finalist for WPC Award

david@identitymanaged.com (David) — Wed, 30 Jun 2010 19:25:00 -0700

Microsoft has honored the efforts of our Identity and Secure Access Management Practice by making us a finalist for 2010 Partner of the Year, Core Infrastructure Solutions, Server Platform, as a result of our work with FIM, ILM, AD, AD FS and AD CS.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Dependent Sync Rules – Disconnection on removal of a dependent Sync Rule

david@identitymanaged.com (David) — Tue, 29 Jun 2010 14:32:00 -0700

Hi David, I have a dependent sync rule and I have…

V - Jul 1, 2013

Hi David,

I have a dependent sync rule and I have confirmed that it will not disconnect the object when the dependent sync rule is removed. However, everytime the dependent sync rule is removed, FIM tries to export a “Provisioning Delete/Add” to AD. Have you experienced this issue? Any tips would be appreciated. Thanks

Dependent Sync Rules – Disconnection on removal of a dependent Sync Rule

david@identitymanaged.com (David) — Tue, 29 Jun 2010 14:32:00 -0700

Recently, I discovered that under certain conditions the removal of a dependent sync rule could cause the disconnection of objects in AD or other connected data sources. So I had to investigate the inner workings of dependent Sync Rules to uncover this mystery and fix it.

FIM allows us to create dependent Sync Rules. First let me explain the what and then a little why. Then allow me to explain a bug that I discovered and how to work around it.

Object reference not set to an instance of an object

david@identitymanaged.com (David) — Sun, 13 Jun 2010 12:00:00 -0700

/Remi - Nov 3, 2010

This comment has been removed by the author.

Hello David! :) Have you got the time to test this in a lab ?
I`am experiencing the same problem. And I`ve tried everything without any luck.

http://social.technet.microsoft.com/Forums/en/ilm2/thread/deae65d0-ede6-4b36-994b-3695d0cc8260

Object reference not set to an instance of an object

david@identitymanaged.com (David) — Sun, 13 Jun 2010 12:00:00 -0700

Lessons learned:

Run the Do a FIM MA account configuration quick test script.
Always refresh the schema of the FIM MA using the real FIM MA Service Account which we usually call svc-FIMMA.

Scenario:

You have just modified the schema of FIM Service by creating a new Boolean attribute and have bound it to the user resource type. You refresh the FIM Schema, select the new attribute setup a direct export attribute flow from the corresponding Boolean metaverse attribute to the FIM MA attribute. You sync and the only pending export is to this attribute, and then when you run the export to FIM MA you get:

FIM Sets, XPATH, finding nulls with Strings

david@identitymanaged.com (David) — Thu, 10 Jun 2010 00:29:00 -0700

Watch out for the latest FIM hotfix. It appears i…

Chris Clayton - Nov 4, 2011

Watch out for the latest FIM hotfix. It appears it will treat the % as a literal rather than a SQL wildcard.

FIM Sets, XPATH, finding nulls with Strings

david@identitymanaged.com (David) — Thu, 10 Jun 2010 00:29:00 -0700

A little while ago I encountered some rather strange behavior of a Set vs. the XPATH query in FIM 2010.

Using the Export-FIMConfig with the -onlyBaseResources -CustomConfig switches I run the following query to see if there are any users without a DisplayName

/Person[not(starts-with(DisplayName,’’))]

It showed 20

So then I created a set, called “~ People with no displayname”, with that as the custom filter. I checked it doesn’t violate any of the limitations listed in the Business Policy Modeling doc (which I must say is a pretty good doc)

Accelerate Your Business Now with Identity Management & Single-Sign-On (SSO)

david@identitymanaged.com (David) — Wed, 09 Jun 2010 21:01:00 -0700

I think they can really help in a lot of ways. Acc…

Karl - Sep 4, 2011

I think they can really help in a lot of ways. Accelerate your business with the help of these factors. Thanks a lot for sharing.

business consultant

Accelerate Your Business Now with Identity Management & Single-Sign-On (SSO)

david@identitymanaged.com (David) — Wed, 09 Jun 2010 21:01:00 -0700

Jun 10, 2010

1:00 p.m. Eastern / 10:00 a.m. Pacific (60 minutes)
To Register follow this link
Christopher Yeich - Editor, Strategic Content - Ziff Davis Enterprise

David Lundell - Identity Management Practice Director, Ensynch | Microsoft Identity Management MVP

Jonathan Sander - IAM and Security Analyst - Quest Software

Has your business experienced identity theft, with unauthorized access to your systems, data, and/or trade secrets?
Have you lost business because your customers and/or employees didn’t have access when needed?
How much time have you wasted in producing compliance/regulatory reports for various auditors?
These are all real-life situations that business and IT leaders like you are experiencing every day. Breaches lead to millions—sometimes billions—in lost monies every year. Additionally, there’s also confusion, frustration, and lost productivity that organizations deal with every day as they fight to manage appropriate access to information and tools that employees, business partners, and customers actually need.
Join Microsoft Identity MVP David Lundell of Ensynch, and Jonathan Sander, IAM and Security Analyst of Quest Software, for a candid presentation that uncovers ways you can protect and accelerate your business—as well as save money—with identity and secure access management (ISAM).
Topics of discussion will include:

Searching an entire database for a Guid or Unique Identifier

david@identitymanaged.com (David) — Tue, 01 Jun 2010 08:47:00 -0700

Searching an entire database for a Guid or Unique Identifier can be a bit of a tricky proposition. However a little bit of using T-SQL to generate T-SQL and viola

DECLARE @GUIDHunted nvarchar(60)
SET @GUIDHunted = ‘0A24EC0C-65EE-4519-89DF-ABD3DD24F7EF’

SELECT *, ‘UNION ALL SELECT ’’’ + s.name + ‘.’ + ao.name + ‘’’, count(*) FROM ’
+ s.name +’.[’ + ao.name + ‘] WHERE ’ + ac.name + ’ = ’’’ + @GuidHunted + ’’’’
FROM sys.all_columns ac
JOIN sys.all_objects ao
ON ac.[object_id] = ao.[object_id]
JOIN sys.schemas s
ON ao.[schema_id] = s.[schema_id]
where user_type_id = 36 – UniqueIdentifier
and s.name != ‘sys’

Restoring your FIM databases to the moment before oops

david@identitymanaged.com (David) — Thu, 20 May 2010 10:04:00 -0700

At the FIM Birds of a Feather (BOF) after a discussion about FIM database backups I was asked to make a blog post to more fully elucidate the benefits of using the full recovery model.

Since Recovery models affect the transaction log you may find it useful to have the following background about transaction logs:

•The Data in tables and indexes are stored in data files not the transaction log

ADFS v.2 shipped

david@identitymanaged.com (David) — Tue, 18 May 2010 15:46:00 -0700

Active Directory Federation Services v2 Ships!

This is awesome stuff – with ADFS v2 we can help you setup SSO with your SaaS vendors.

Here is an example that has been rendered generic.

ADFS 2.0 supports SAML 2.0 (the idp lite profile and rdp lite profile) which opens up many federation doors and WIF allows us to write custom security token services (sts) just in case the idp lite and rdp lite profile support isn’t up to handling the interaction.

TEC Decks Posted!

david@identitymanaged.com (David) — Tue, 18 May 2010 11:34:00 -0700

If you attended TEC you can now get the Slide Decks by registering on TheExpertsCommunity.com

and accessing the following item: TEC 2010 Conference Materials Have Been Posted!

You can find my sessions here:

http://theexpertscommunity.com/item/list/type/session/meta_expert_tag/speaker%3Adavidlundell

Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS

Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RM… continue reading “Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS”

TEC 2010 -- Results

david@identitymanaged.com (David) — Mon, 17 May 2010 15:01:00 -0700

TEC 2010 was a blast. In the Kickoff Gil Kirkpatrick issued several challenges including one to Brad Turner to simulate the workings of the FIM Sync Engine. Eventually we expect to see a video of the final presentation posted to YouTube. In the interim Brad has some nice pictures posted: TEC 2010 – Annual Wook Lee Memorial Challenge for Identity Results

Escape from Prague – Good to go for TEC

david@identitymanaged.com (David) — Fri, 23 Apr 2010 15:20:00 -0700

I went to Prague for a project intending to stay one week, but unfortunately I was delayed an additional week (volcanic ash cloud from Iceland – reread the news if you missed it). While Prague is a beautiful city and I met many wonderful people, the uncertainty of when I would be able to get home weighed heavily on me. I was worried about being separated from my family for weeks? months? More importantly ;) I was worried about getting back for The Experts Conference!

FIM 2010 Technical Overview Published – short version

david@identitymanaged.com (David) — Thu, 08 Apr 2010 22:31:00 -0700

Great job David and crew!

Marc Mac Donell, CISSP - Apr 4, 2010

Great job David and crew!

FIM 2010 Technical Overview Published – short version

david@identitymanaged.com (David) — Thu, 08 Apr 2010 22:31:00 -0700

Microsoft has published a short version of the FIM Technical Overview whitepaper written by David Lundell (me), Brad Turner, Chris Calderon and Joe Zamora. The longer version will come out a bit later. Short version, long version makes me feel kind of like I am figure skating in the Olympics. Thank you to Brjann Brekkan, Mark Wahl, Joe Schulman, Darryl Russi, Jack Kabat and Andreas Kjellman for their support, editing, eluciations on blogs and encouragement on this paper.

FIM Pitfall for old ILM hands

david@identitymanaged.com (David) — Thu, 25 Mar 2010 21:40:00 -0700

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.

Register for TEC 2010 – hope to see you there

david@identitymanaged.com (David) — Wed, 17 Mar 2010 17:34:00 -0700

Register using this code to get a discount: ATESENSYNC

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

TEC 2010 – Speaking and Sponsoring

david@identitymanaged.com (David) — Wed, 17 Mar 2010 15:25:00 -0700

I am super excited about speaking at The Experts Conference 2010 (I also spoke at Directory Experts in ‘07, and ‘08 as well as last year’s The Experts Conference).

Register using this code to get a discount: ATESENSYNC

Once more Ensynch is sponsoring TEC but this year we are a gold sponsor for TEC 2010.

Here is the lineup of Ensynch Speakers at The Experts Conference (also see Brad Turner’s take on our new speakers)

FIM Technet Webcasts

david@identitymanaged.com (David) — Tue, 09 Mar 2010 15:36:00 -0700

The FIM product group has some great webcasts coming up on technet

Forefront Identity Manager 2010 has RTM’ed

This first webinar is using many of the slides that I created as part of our engagement to write the FIM 2010 Technical Overview Whitepaper (due out soon). Anyhow it makes me feel cool.

3/9/2010 6 PM Pacific time- TechNet Webcast: Forefront Identity Manager 2010: Technical Overview and Deployment (Level 300)

FIM 2010 RTM Today!

david@identitymanaged.com (David) — Tue, 02 Mar 2010 13:03:00 -0700

Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

Download the eval here:

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version

Yeah!

FIM gives us capabilities for User provisioning (and deprovisioning), Group management, Self-Service Password Reset, Password Synchronization, Workflows with Approvals, User profile self-service management, and accomplishing these items through Declarative Provisioning. Yet FIM retains an incredible set of extensibility points, allows customization of the Portal, schema of the objects, managing new systems, custom workflows, custom clients to the FIM web service.

Final Update for FIM RC1 released

david@identitymanaged.com (David) — Mon, 01 Feb 2010 10:40:00 -0700

On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1 available through connect

https://connect.microsoft.com/site433/Downloads

Major changes as part of Update 3 (my regurgitation and comments from the release notes):

Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
Less need for custom old style code
- Now more than 1 MA can be authoritative for deleting an object (resource)
- New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
  - Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
  - ReplaceString
New type of MPR – Set Transition MPRs vs. request based MPRs
- Run on Policy Update only applies to this type
- All other MPRs are – request based MPRs
- This should easy some of the difficulty in wrapping heads around MPRs.
DBA’s will love these:
- Backups without stopping the FIM Service and now supported!
- SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
Prereqs have changed
- Server Components
  - Windows Installer 4.5 is required,
- FIM Service requires SQL 2008 SP 1
- The addin for Outlook now needs Outlook 2007 SP 2

Even the certificate management side got some improvements: Windows Server 2008 R2

FIM Hand on Labs

david@identitymanaged.com (David) — Mon, 01 Feb 2010 01:20:00 -0700

More Hands on Labs for Forefront Identity Manager will be coming up (similar to the one I did in Irvine, CA) – Phoenix April 7th and 8th and then Dallas sometime in May.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

FIM RCDC explained in brief

david@identitymanaged.com (David) — Sun, 29 Nov 2009 09:50:00 -0700

In this post I attempt to give you the reader a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration formerly known as the Object Visualization Configuration (OVC). RCDC is the way you custom how FIM displays objects (now called resources) in the portal. Now for English: If you need to change the options and information users see in the FIM portal when they create new users, groups (security or distribution), or edit or view these resources you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:

Answering my FIM RC 1 question

david@identitymanaged.com (David) — Tue, 24 Nov 2009 09:58:00 -0700

Thanks to Darryl Russi for answering my questions in my earlier post An Update to FIM RC1 where I was asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

Identity Synchronization FIM 2010 HOL Irvine California

david@identitymanaged.com (David) — Mon, 23 Nov 2009 17:44:00 -0700

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training

Date: December 1-2, 2009

Location: 3 Park Plaza, Suite 1800 Irvine, CA 92614 949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

An Update to FIM RC1

david@identitymanaged.com (David) — Sun, 08 Nov 2009 23:14:00 -0700

Microsoft has posted an update to FIM RC 1, dated Nov 6.

It looks like this update covers pretty much everywhere except Certificate Services (sorry Brian and Paul).

The Release notes included in the download lists the follow improvements:

Query and Sets
Resolved a number of issues that resulted in incorrect dynamic set membership.
Removed support for the use of the != operator with multivalued attributes. Xpath equality expressions on multivalued attributes must use the not() function. For example, the following xpath is not supported: /Group[Owner != /Person]. Instead, use the following xpath: /Group[not(Owner = /Person)]

Identity Management Luncheon NYC

david@identitymanaged.com (David) — Thu, 29 Oct 2009 14:44:00 -0700

I will be speaking at an Identity Management Luncheon in New York City on Nov 12th. I will be speaking on FIM.

Come on down and join me if you can. (Please Register)

**When:Thursday, November 12, 200910:45 AM to 2:00 PM (EST)
Where:
**Del Frisco’s
Double Eagle Steak House
1221 Avenue of the Americas
New York, New York 10020

Come join us at this exclusive luncheon at one of the best steak houses in NYC!

Password Reset?

david@identitymanaged.com (David) — Tue, 06 Oct 2009 20:59:00 -0700

How would you feel if this was the only barrier between the hacker and your data – a single password reset question? Just one!

I won’t tell you who this is since then you’ll just want to go after my data on that site.

Oh well. The barn door won’t be shut until the wolf has gotten into the sheep

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud

david@identitymanaged.com (David) — Mon, 05 Oct 2009 11:07:00 -0700

Get the rundown on Geneva from Frequent Industry Speaker and Nationally Recognized Microsoft ILM MVP,**
David Lundell**

When:**
Wednesday, October 14, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)**

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell,
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud
Has your organization been considering moving applications to the cloud or using Software as a Service (SaaS) providers? Have you already done it? Have you realized the cost savings?

FIM RC 1 is here – what’s new?

david@identitymanaged.com (David) — Sun, 04 Oct 2009 22:46:00 -0700

FIM RC 1 is here. Microsoft released it on Sept 30th which is the end of Q3 of 2009 which means the ILM/FIM team at Microsoft met their stated deadline announced back in March.

Here is the download:

http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx

What’s new:

Gil Kirkpatrick has a nice post about the differences in the data structure:

Auditing FIM 2010 RC1

Darryl Russi a Sr. Test Lead at Microsoft has started blogging about FIM RC 1 performance:

ILM 2 RC 0 -- Luke, Check the Transaction Log!

david@identitymanaged.com (David) — Fri, 14 Aug 2009 21:16:00 -0700

A few weeks ago I encountered an ASP.NET error when I tried to access http://myilmserver/identitymanagement/

Eventually I went to my SQL Server and discovered that despite having space on the disk and Autogrow turned on the Transaction Log was full and wouldn’t grow anymore.

So if you encounter this error then maybe you too can listen to the force telling you to check the SQL Server Transaction Log for MSILM.

In the event log I saw this:

AD RMS on R2 -- new Federation Features

david@identitymanaged.com (David) — Fri, 14 Aug 2009 21:06:00 -0700

AD RMS on Windows Server 2008 R2 adds a really slick feature blogged about here: Group Expansion for Federated Users

Prior to R2 to issue a use license to a federated user they need to specifically be granted permissions. With Windows Server 2008 R2 you can create a contact matching the external federated user and then place the contact in the group and then they have the same RMS permissions as that group.

At it again -- Geneva Part II

david@identitymanaged.com (David) — Fri, 14 Aug 2009 16:11:00 -0700

Once more we invite you to another Ensynch Identity Management webinar. This is part 2 in our series of 4 on Geneva (ADFS, WIF). This one is going to be led by Chris Calderon one of our ADFS Experts, so naturally this will be filled with excellent technical content. As will Part 3 as it focuses on Windows Identity Foundation.

Webinar Agenda:
- How Geneva provides business value to organizations seeking Single-Sign-On (SSO)?

MVP for the 3rd time

david@identitymanaged.com (David) — Mon, 20 Jul 2009 17:42:00 -0700

Both my colleague Brad Turner and I were renewed for ILM MVP.

I am glad to receive this honor another year.

Congrats to new ILM MVP Marc Mac Donnell

You can see a list of all ILM MVP’s that have chosen to make their profiles public (Marc hasn’t setup his yet).

I just hope I can win the MVP at home!

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Webinar: How Microsoft Geneva Streamlines Business

david@identitymanaged.com (David) — Mon, 20 Jul 2009 17:30:00 -0700

When:
Wednesday, July 29, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

[Register Now]

Presenters:
David Lundell, ILM MVP
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: How Microsoft Geneva
Streamlines Business

- Learn How to Reap the Benefits of True Web
Single-Sign-On and Federation
Has your organization been forced to deploy one-off solutions to solve login or compliance problems with a newly deployed technology?
Are your employees tired of using multiple logins for all kinds of access needs?
Having trouble managing shared resources users both inside and outside of your organization?
Using open platform identity management solution Microsoft Geneva, you can save money and make your business more efficient today, and also make it more easily scalable for the future.
I would like to invite you to our latest exclusive “no frills” webinar: “How Microsoft Geneva Streamlines Business,” the 1st in a 4-part Identity Management Webinar Series from Ensynch’s Identity Management Practice Leader and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander.
This webinar is designed for business leaders, and will present business value propositions for the Microsoft Geneva framework. Whether identity management is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- Yikes! The business pain points of managing lots of identities

4th of July -- Independence Day

david@identitymanaged.com (David) — Sun, 05 Jul 2009 22:00:00 -0700

233 years ago, 56 men signed a document and began a labor to give birth to a nation. I am very grateful for their service and for their sacrifices and for each and every soldier, and dutiful civil servant since then. They have afforded me and my family a great many blessings. As well some of my family members have been privileged to serve. One of my grandfathers taught ground school during World War II and the other served in the Army and was stationed in Greenland. I honor their service.

The attributes behind Message Delivery Restrictions

david@identitymanaged.com (David) — Mon, 29 Jun 2009 00:40:00 -0700

Very helpfull!! I was about to block sending email…

Paweł Jarosz - Sep 1, 2010

Very helpfull!! I was about to block sending emails to disabled accounts - not mailbox but accounts - so I can easily and quick retrieve some data from inactive inboxes. The solution is to create an empty group in AD and set the “dLMemSubmitPerms” parameter to accept messages only from that empty group! Amazing and great many thanks! If somebody else has problem here is the link to the forum with whole conversation -> http://wss.pl/frmThread.aspx?tid=98879

The attributes behind Message Delivery Restrictions

david@identitymanaged.com (David) — Mon, 29 Jun 2009 00:40:00 -0700

Do you know what attributes are used to control who can and can’t send to a Distribution List in Exchange 2003 and Exchange 2007? or Does it use a DACL?

Knowing such things is key if you are going to automate distribution list management through .NET programs, or MIIS/ILM/FIM, Quest ARS or any other tool that is talking to LDAP attributes. For Powershell you need a separate list since the names are different.

H30, Geneva Cola, Sitrus and Orange Fizz

david@identitymanaged.com (David) — Wed, 24 Jun 2009 22:23:00 -0700

Back in business school I was a connoisseur of fine commercials. Recently I watched a commercial for Lipton Ice Tea (note I am a teetotaler who doesn’t drink tea) and I have to admire their cleverness in coming up with names for competitor products (see the title) in their “Lipton Tea, I think I love you” commercial. (Lyrics here)

Really the names are clever although the best is the H30 – I just love it, a chemical compound that as far as I can tell can’t exist, but we all know they are making fun of flavored water. Of course I also love ordering water by requesting Di-Hydrogen-Oxide.

Best Practices ILM 2007 Coding Conventions and Habits

david@identitymanaged.com (David) — Mon, 22 Jun 2009 15:31:00 -0700

Thanks for writing this up, David. That’s goo…

matthew gibson - Jun 2, 2009

Thanks for writing this up, David. That’s good information.

Can you explain this point…
I have seen one developer use the flow rule names as a language to processor module to handle 90% of his string manipulation. That certainly cut down on the need for re-coding.

I’m not sure I follow.

Best Practices ILM 2007 Coding Conventions and Habits

david@identitymanaged.com (David) — Mon, 22 Jun 2009 15:31:00 -0700

In response to question in the MMSUG yahoo group I thought I would post the following:

Naming conventions for MV objects and attributes.

Most CS objects and attributes come to us with names – the exception being when we are writing our own views in SQL or Oracle

There are many object types and attributes pre-defined in the metaverse if you use those no need to rename most of them seem to come from the required and suggested attributes for either an X.500 Directory or LDAP Directory.

Desert Code Camp -- SQL, XPath and FIM

david@identitymanaged.com (David) — Fri, 19 Jun 2009 14:57:00 -0700

I just presented 3 sessions at the 2009 Desert Code Camp on Saturday June 13, 2009 at Devry University

Thanks to Devry for hosting it and thanks to Lorin Thwaits of KB Alertz for being the Code Camp Director and to all other volunteers.

Title (and link to Desert Code Camp site)

Abstract

Presentation Link

Comments

I dream in SQL (writing queries)

Learn how to write SQL queries: SELECT statements, JOIN clauses, group by with Practical examples from the realm of Identity Management

To PKI or not to PKI?

david@identitymanaged.com (David) — Tue, 02 Jun 2009 11:12:00 -0700

Hey Dave, I didn’t notice your blog before. Go…

Unknown - Jun 0, 2009

Hey Dave, I didn’t notice your blog before. Good work. Gimme a call… Lets have lunch sometime soon. It would be nice to see you.

justin harris
justin@jwheel.com

To PKI or not to PKI?

david@identitymanaged.com (David) — Tue, 02 Jun 2009 11:12:00 -0700

When should one implement a Public Key Infrastructure and when should one not? Obviously we implement a PKI to solve a problem, usually around security, enabling secure communications with a web server, multi-factor authentication, encryption. A PKI solution can be very versatile, but it comes at a price in setup and maintenance. But what alternatives do we have? Let’s examine each problem in turn

Problem

PKI difficulties

Alternatives

Benefits for Alternatives

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

david@identitymanaged.com (David) — Fri, 15 May 2009 11:31:00 -0700

It’s nice to know its impact to the business. …

Karl - Sep 4, 2011

It’s nice to know its impact to the business. Thanks a lot for sharing that valuable information.

business consultant

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

david@identitymanaged.com (David) — Fri, 15 May 2009 11:31:00 -0700

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

**When:
Thursday, May 28th
**Where:
Webinar/Online
(Live Meeting links will be
sent to all registrants) (Click Here to RSVP)

Presenters:
David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect
**Time:
**9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

Dealing with the ILM 2 RC 0 Cert in Windows server 2003 domain

david@identitymanaged.com (David) — Wed, 29 Apr 2009 14:54:00 -0700

The Password Reset instructions ask us to use Group Policy to distribute the cert to the clients. This only works in Windows Server 2008 functional level domains. In Windows Server 2003 domains you can automate this using cerutil.exe
The following command will export the cert generated by ILM 2 install to the ilm2cert.cer file in the working directory

certutil -store trustedpeople IdentityLifeCycleManager2 ilm2cert.cer

This command can be used to import the cert from the command line
certutil -f -addstore trustedpeople ilm2cert.cer

Problems with Sync Rules in ILM 2 RC0 (err FIM RC0)?

david@identitymanaged.com (David) — Mon, 20 Apr 2009 18:08:00 -0700

If you will take a look at FIM(ILM) connections sc…

Unknown - Apr 2, 2009

If you will take a look at FIM(ILM) connections schema you will see that ILM MA has a direct SQL connectivity to FIM database (not through web service). As far as I know any change to metaverse schema fires up synchronization of this change to FIM database directly through SQL connection.

Problems with Sync Rules in ILM 2 RC0 (err FIM RC0)?

david@identitymanaged.com (David) — Mon, 20 Apr 2009 18:08:00 -0700

Well I had a problem with a recent install – the Metaverse Object Type Dropdown list was empty!

Turns out the source of this drop down list is the mv-data object type. However my install didn’t have this object. Obviously something was wrong. How does one create this object in the first place? Not directly in the portal. I am not certain when this object is supposed to be created. Install time? First export through the ILM MA? None of these seem to match up based on time stamps. It wasn’t created during install. It was created before the first import of the ILM MA, and the first Export of the ILM MA. It does match the time of the creation of the ILM MA in the Identity Manager tool in the synchronization engine. The object is created by a request generated by the Built In Synchronization Account (BISA) this is the account used by the ILM MA.

Earth Hour -- Mandatory?

david@identitymanaged.com (David) — Mon, 20 Apr 2009 16:45:00 -0700

Just because we didn’t participate in Earth Hour, didn’t mean that our Power company, Salt River Project (SRP) needed to turn off power to the whole neighborhood last night and again this morning ;)

I am all for using our resources wisely. But sometimes I rebel against the symbolic gestures.

I mean if the power company needs an hour off can’t they just schedule downtime like we do with computer systems?

ILM FIM Webinar Custom Workflow -- Joe Zamora

david@identitymanaged.com (David) — Mon, 20 Apr 2009 11:54:00 -0700

Joe Zamora the maintainer of the Ensynch ILM 2 Custom Workflow Walkthrough is our main presenter at our next Webinar this Thursday at 9 AM Pacific. To register click on the image below. The code from our Pre-con workshop is posted on CodePlex Ensynch Custom WF Activities

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Install ILM 2 in a SharePoint Farm

david@identitymanaged.com (David) — Thu, 16 Apr 2009 17:40:00 -0700

As I endeavored to install the ILM 2 Portal into a SharePoint farm (WSS 3.0 SP 1) with a remote database I encountered the following problem:

The dreaded Premature Failure during installation.

When I turned on logging for the install and examined the file, I found:

Action 14:55:25: ConfigPortalAnonymousAccess.

CAQuietExec:

CAQuietExec: This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products and Technologies Configuration Wizard, located on the Start menu in Administrative Tools.

What's in name? Forefront Identity Manager 2010

david@identitymanaged.com (David) — Thu, 16 Apr 2009 17:26:00 -0700

In case you haven’t heard Zoomit VIA or rather Microsoft MetaDirectory Services has been renamed yet again, from Microsoft Identity Integration Server 2003 to Identity Lifecycle Manager 2007 to Forefront Identity Manager 2010 or FIM for short. For obvious reasons the L was dropped when the F was added (Forefront + ILM = FILM).

So ILM 2 => FIM 2010

(stole this graphic from Brad Turner’s blog – his Smart Art creations are beautiful – recently I have been studying smart art under his tutelage I hope to soon approach his level of skill)

Ensynch The Place to Be

david@identitymanaged.com (David) — Wed, 15 Apr 2009 07:46:00 -0700

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of IdentityJunkie.com fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck, is a very talented developer, and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.

A few excellent Live@edu (Outlook Live) Blogs

david@identitymanaged.com (David) — Tue, 14 Apr 2009 12:35:00 -0700

I have been involved with the Microsoft Live@edu (formerly Windows Live@edu) and the Outlook Live (formerly Exchange Labs) programs for quite sometime.

What a wonderful opportunity for schools to alleviate the cost of hosting email for students and then to be able to offer it to alumni helping provide them with lifelong connection to the university and way to keep their email address from their student days. Maintaining stronger ties leads to more evangelism on the school’s behalf and will lead to more Alumni donations. I would have love have kept my dpl@bigdog.engr.arizona.edu, lundelld@gas.uug.arizona.edu or dlundell@u.arizona.edu accounts. Instead of rediscovering friends on facebook I might never have lost touch with them in the first place.

ILM 2 addons

david@identitymanaged.com (David) — Wed, 25 Mar 2009 14:31:00 -0700

Marvin Tansley of Gemalto demonstrated their add-on to ILM 2 for provisioning One Time Password (OTP) devices using ILM 2, with the goal of minimizing the # of portals that users visit in order to perform self service management. It looks really good, it even accounts for lost device management.

Gil Kirkpatrick of Quest interviewed me on camera to discuss my experiences at the conference. That was fun.

At lunch Gil handed out prizes (we provided a red colored XBox – I guess the red had something to do with Resident Evil). But you had to present to win, and I do mean present – you had to respond within 10 seconds to get your prize.

New Certificate and Identity Blogger on the Loose

david@identitymanaged.com (David) — Wed, 25 Mar 2009 11:34:00 -0700

Marc Mac Donnell has just launched his blog on http://assurancesinidentity.blogspot.com/ and called it Assurances in Identity, and has posted the links to the CLM API documentation and case study about some work he did with MCS UK and CapGemini.

I look forward to many more posts from Mark about some of the wizardry and trick in managing certificates and identities.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

MSIT's implementation of ILM 2

david@identitymanaged.com (David) — Wed, 25 Mar 2009 11:30:00 -0700

TEC 2009 continues onto the last day.

Joel Silver spoke on his efforts and plans to implement ILM 2 for Microsoft. He presented a very interesting workflow to show how he addressed the challenge of creating unique email aliases.

Then I listened to Felix as he discussed some of the interesting aspects of LDAP enhancements from around the vendorscape (I think I just made that word up).

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

TEC 2009

david@identitymanaged.com (David) — Tue, 24 Mar 2009 15:50:00 -0700

Now that our pre-conference workshop on Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal is done

and our (Brad, Chris and me) sessions done: Proper Care & Feeding of ILM, CLM and RMS , Designing an Object Expiration & Reconciliation process in ILM 2 , Rescue Your Identity Metasystem from Chaos (reporting against ILM 2), and ADFS Extensibility, we are all able to relax a little and enjoy everyone else’s sessions.

TEC 2009 -- Ensynch Identity Bus

david@identitymanaged.com (David) — Tue, 24 Mar 2009 15:32:00 -0700

great dinner. ;) identity bus was also an excell…

Unknown - Mar 3, 2009

great dinner. ;) identity bus was also an excellent idea - kudos!

TEC 2009 -- Ensynch Identity Bus

david@identitymanaged.com (David) — Tue, 24 Mar 2009 15:32:00 -0700

Last night Fellow ILM MVP’s Brad Turner, Chris Calderon, Carol Wapshere (pronounced Wap shear and well known as Miss MIIS) and I along with a number of other TEC 2009 attendees rode on the Ensynch Identity Bus to take us from the Green Valley Ranch Resort to the Las Vegas Strip. After a great steak dinner at Smith and Wollansky’s (across from New York New York) a few us of walked the strip hoping to see the fountains at the Bellagio, but alas they shut off at midnight.

Posted: ILM 2 Business Value webinar recording

david@identitymanaged.com (David) — Mon, 16 Mar 2009 11:00:00 -0700

ILM 2 Business Value Webinar Recording

It has actually been posted for some time now, I have just been a bit busy (apology to my readers).

Other items will also get posted here in the column on the right hand side:

http://ensynch.com/pa_ci_identity_and_access_management.aspx

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

ILM/MIIS Sync Engine Clustering Windows 2008

david@identitymanaged.com (David) — Mon, 16 Mar 2009 10:31:00 -0700

David,

I can’t figure this one out easily s… Anu - Mar 1, 2009

David,

I can’t figure this one out easily since I don’t have a deep knowledge of SQL. I’d appreciate your feedback. I am beginning to understand the different options and implementaions for scaling out SQL HA/DR/automatic failover.

In ILM “2” architecture, with scaling out MIIS and its SQL, can performace improvements and concurrent MA runs be achieved? I think not but I’d like to wrong this time!

ILM/MIIS Sync Engine Clustering Windows 2008

david@identitymanaged.com (David) — Mon, 16 Mar 2009 10:31:00 -0700

First, let me say thank you to Alex Tcherniakhovski for pioneering the way in clustering the MIIS Service or as it is now known the ILM Sync Engine. That blog, presentation and script was an excellent set of work. http://blogs.msdn.com/alextch/archive/2005/12/17/clusteredmiis.aspx

On Windows Server 2008, a few things have changed that break the script that Alex T. provides.

In Windows Server 2003 the cluster services runs as a domain account and as long as the user has access to all nodes, to stop and start services, and as an MIIS Administrator then it should be able to do the trick.

At TEC get on the Ensynch Identity Bus

david@identitymanaged.com (David) — Thu, 12 Mar 2009 00:27:00 -0700

If you are coming to TEC 2009 at the Green Valley Ranch Resort outside of Las Vegas, and want to take a trip to the strip Monday or Tuesday night then you are in luck – Ensynch is sponsoring the Identity Bus – we’ll have some buses that will be running from the Resort to one of the Monorail stops on the strip. Details will be provided at the conference in your handouts. I will riding on the Identity Bus some of the time and hope to see you there!

Netpro DEC -> Quest TEC -- Ensynch's Sessions

david@identitymanaged.com (David) — Wed, 11 Mar 2009 12:09:00 -0700

Back in business school we always studied name changes and rebranding, and this one has been interesting

Last summer NetPro deciding to expand the Directory Experts Conference (DEC) to include an exchange conference and so they re-branded the conference NetPro’s The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest’s The Expert Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas www.tec2009.com

Another talented Ensynchian joins the blogosphere

david@identitymanaged.com (David) — Thu, 12 Feb 2009 13:21:00 -0700

My colleague Joe Zamora, a talented developer, who has been instrumental in helping us advance our knowledge of custom workflows, has just launched his own blog: CShark.

His first post is on how to “Generate AccountName in ILM2 custom workflow activity” and it came in response to a question in the ILM 2 connect forum entitled: Custom Workflow Activity to Generate samAccountName.

Go Joe Go!

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Webinar: Business Impact of ILM 2

david@identitymanaged.com (David) — Mon, 02 Feb 2009 10:52:00 -0700

Thanks to everyone that attended our Technical webinar on ILM 2 an overview and diving into how password reset works.

We are at it again. Only this time we are presenting on the business impact of Identity Management with ILM 2. So invite your decision makers!

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

What’s new in Identity Lifecycle Manager 2, Ask the experts

david@identitymanaged.com (David) — Mon, 19 Jan 2009 12:19:00 -0700

Brad Turner and I are putting on a webinar on ILM 2.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

ILM 2 Functions Explained

david@identitymanaged.com (David) — Tue, 06 Jan 2009 13:08:00 -0700

Excellent post David, thanks for putting this toge…

Brad Turner - Jan 3, 2009

Excellent post David, thanks for putting this together!

To remove bit #2 shouldn’t you use BitAnd(-3,userAccountControl) ?

Paolo is correct in pointing out that the numbers I calculated for masks are wrong. I did 32-bit numbers and tested it back on the 32-bit version of the ILM 2 Beta 3 VM. The calcs should be done using 64-bit as explained here: Using FIM to enable or disable accounts in Active Directory (http://social.technet.microsoft.com/wiki/contents/articles/using-fim-to-enable-or-disable-accounts-in-active-directory.aspx )

ILM 2 Functions Explained

david@identitymanaged.com (David) — Tue, 06 Jan 2009 13:08:00 -0700

Function Name

Parameters

David’s Description

Example

Example Explanation

BitAnd

mask
Type: Integer
flag
Type: Integer

BitAnd is a bitwise operation anding mask and flag. So if Flag is the UserAccountControl Attribute in AD and mask is negative 2147483645 (the two’s complement of 2) Then the result is that the disable bit (bit 2) is turned off leaving all of the other bits unchanged.

BitAnd can be combined with Eq to detect if a bit is set

ILM 2 Functions all in one place

david@identitymanaged.com (David) — Mon, 05 Jan 2009 15:52:00 -0700

I couldn’t find in the ILM 2 RC 0 documentation anyplace that listed all of the functions available to you in sync rules and action workflows so here they are:

Don’t forget about the boolean functions available for use in the IIF function Now you can at a glance see the list of functions, their list of parameters and their official explanations

ILM "2" confirmHumanity="false"

david@identitymanaged.com (David) — Tue, 23 Dec 2008 12:52:00 -0700

With Joe’s permissions I am posting the comment he…

David Lundell - Dec 3, 2008

With Joe’s permissions I am posting the comment he attempted to post earlier:
Apologies for spoiling the fun, but the confirm humanity config setting has no effect in ILM “2”.

This config setting is leftover from the early days of the product when we included Captcha support for AuthN. Setting this to true meant that users would go through a Captcha gate during AuthN, much like I had to do when submitting a comment. We removed that feature early on in ILM and omitted cleaning up the default config file. Today if you want a Captcha gate you would have to add a custom AuthN workflow.

ILM "2" confirmHumanity="false"

david@identitymanaged.com (David) — Tue, 23 Dec 2008 12:52:00 -0700

I was getting ready to try out some of the various installation topologies that may be possible with ILM “2” including: separating the Portal and the Service (definitely possible), having two portals point back to the same service (I think it’s possible), when I came across the most interesting item in the ILM “2” installation guide in the section on Installing the ILM Service and ILM Portal on separate servers. Let’s see if you can spot it too:

Business Problems and their Technical Roots

david@identitymanaged.com (David) — Mon, 22 Dec 2008 17:26:00 -0700

Business Problem

Possible Underlying Business Problem

Cause

Technical Cause

Business launches a strategic initiative late

Employees don’t receive communications that they should

Don’t have email accounts

Aren’t in the right distribution lists

Lack of automated distribution list management and self service fulfillment

Employee can’t fulfill a customer order

Employees don’t have access to resources

Accounts haven’t been provisioned to the systems they need

Aren’t member of the groups or roles they need

Business Problems VS Technical Problems

david@identitymanaged.com (David) — Mon, 22 Dec 2008 17:17:00 -0700

I like how you linked business problems to technic…

William Wagner - Sep 4, 2011

I like how you linked business problems to technical problems. I think they affect each other in a lot of ways. You always need to balance them so you can succeed.

form an llc

Business Problems VS Technical Problems

david@identitymanaged.com (David) — Mon, 22 Dec 2008 17:17:00 -0700

A business problem is when employees can’t execute their job duties in an efficient fashion. In fact sometimes they are unable to complete the tasks at all. Business problems are especially costly when they directly affect customers. These problems can cause cash flowing into the company to be delayed as a customer waits to place an order, or to receive goods (and hence to pay), they can cause revenue to be lost as a customer temporarily takes their business to a competitor or a finds a substitute, sometimes this leads to customers forming new business relationships and loss of all future revenue from that customer. Non-customer affecting business problems may result in higher costs without affecting revenue. For example a problem on the job shop floor causes workers to put in overtime to complete customer jobs on time, raising costs without directly affecting the customer.

Millionaire Next Door and All Your Worth

david@identitymanaged.com (David) — Sat, 06 Dec 2008 04:04:00 -0700

No this post isn’t about my new neighbors, or my new house.

Its about the secret to wealth.

First you buy two copies of the Millionaire Next Door and then you give one to each of your next door neighbors. Suddenly your odds of getting rich will improve.

Ok hopefully that gives you a chuckle. Nonetheless, here is my prescription for improving America’s financial health. While I normally write on the topics of Identity Management and SQL Server, I did also earn an MBA from the Eller College of Business at the University of Arizona, and have done some financial counseling as a volunteer through church. So I have done some deep thinking on these matters.

ILM 2 Web Services Part 1 and 1/2

david@identitymanaged.com (David) — Sat, 06 Dec 2008 03:49:00 -0700

A few days after my post about setting up the ILM 2 Web Service reference Joe Schulman and others from the ILM product group began a new blog designed to fill in the gaps in the knowledge in the community about how to use the web services. So far the blog looks great and is a welcome addition to my knowledge and the communities knowledge base! Great job Joe and Company and thanks for the link to my blog.

Live@edu Partner Airlift and SQL PASS, Flat Tires, and Thanksgiving

david@identitymanaged.com (David) — Sat, 06 Dec 2008 03:49:00 -0700

As for me why no posts since Nov 11th – well, I have attended the Live@edu Partner Airlift in Redmond, SQL PASS, had a flat tire, and enjoyed Thanksgiving. In this post

I attended the Live@edu Partner Airlift in Redmond to see what’s new under the sun for schools and universities. Exchange Labs is now available on a widespread basis (see fellow MVP Almero Steyn’s blog posts on Live@edu and on Exchange Labs) ! Students and alumni can now have school domain based exchange hosted email accounts for life at no cost to their schools. While this program has offered hotmail accounts now you can have hosted exchange accounts. I had a great time at the Airlift, thanks to Michael Wegman, Richard Wakeman, Andy Hoag, Steve Winfield (not Dave Winfield, nor Steve Winwood) and Anna Kinney and everyone else for putting it on.

CSExport -- Getting the ILM Connector Space into SQL

david@identitymanaged.com (David) — Tue, 11 Nov 2008 14:30:00 -0700

How can I query the ILM Connector Space?

“You can’t.” – Yes you can.

“You have to WMI.” – But WMI is limited in what you can query and slow

“You have to use CSExport and then use XML tools.” – that works, but this may be better

The above are various answers you may receive. However, thanks to the power of SQLXML we can issue SQL queries against the ILM Connector Space (after it has been exported using CSExport).

Other interesting changes in ILM RC0

david@identitymanaged.com (David) — Mon, 03 Nov 2008 16:22:00 -0700

From the release Notes:

http://technet.microsoft.com/en-us/library/dd239143.aspx

Announcing Identity Lifecycle Manager “2” Release Candidate

Don’t create a multi-valued boolean attribute – you will have to reinstall the ILM webservice
We can now create a required attribute binding without affecting existing objects!
support for separating the Portal from the database and having multiple portal servers
Enhancements for customizing notification and request emails

a) Request details will be included in the out of the box notifications

ILM 2 RC 0 is here!

david@identitymanaged.com (David) — Mon, 03 Nov 2008 10:56:00 -0700

Identity Lifecycle Manager “2” Release Candidate 0 is released.

ILM ‘2’ Release Candidate (RC)

Improvements at First Glance

No need for “Managed:” to prefix metaverse attributes so that they can be managed by ILM 2 Web Service
Changes to Workflow to make it easier
Install routines improved
The confusing ARP file needed for custom activities has been replaced by an Object in the Data store
SQL 2008 is required

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Is ILM 2 RC0 is out? Well the docs are!

david@identitymanaged.com (David) — Sun, 02 Nov 2008 20:16:00 -0700

Most of the online Technet docs now read “ILM “2” (Release Candidate)”

For example check out the new ILM 2 Release Candidate Installation Guide

http://technet.microsoft.com/en-us/library/cc561135.aspx

No more support for SQL 2005 from here on it is all SQL 2008

“SQL Server 2008 64-bit Standard or Enterprise Editions”

Good thing I just got back my score reports on my two SQL 2008 beta exams:

I am now an

MCTS: SQL Server 2008, Implementation and Maintenance

ILM 2 Web Services Part 1 The Service Reference

david@identitymanaged.com (David) — Sat, 01 Nov 2008 10:22:00 -0700

Does ILM open SOAP interfaces native? So that dev…

RobertW - Mar 4, 2009

Does ILM open SOAP interfaces native? So that developers who are simply looking for a .wsdl file to build their client can get up and running quickly.

not exactly you need to use the WCF approach.

ILM 2 Web Services Part 1 The Service Reference

david@identitymanaged.com (David) — Sat, 01 Nov 2008 10:22:00 -0700

Together, Mark Struck of Ipseity Inc and I, have figured out (after much beating of our heads against brick walls) how to use the ILM 2 Enumeration Endpoint to perform some basic reporting. (I figured out how to send the enumeration and get a response and then Mark figured out how to correctly form the pull messages so as to be able to retrieve the actual objects – teamwork at its finest). We would also like to thank Mark Gabarra and Rob Ward for their input.

Under the hood of ILM 2 -- Part 2 Read the WCF Trace!

david@identitymanaged.com (David) — Sat, 01 Nov 2008 10:01:00 -0700

Take a look at Part 1 to enable tracing

To view the log you need to have installed the Windows SDK and then you use the Service Trace Viewer

C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\SvcTraceViewer.exe

If the file is over 50 MB you will get the partial loading screen like this one. Try and limited the estimated size, if you open too much it will be very slow. Even 20 MB can be really slow.

Under the hood of ILM 2 -- Part 1 Enable WCF Tracing!

david@identitymanaged.com (David) — Sat, 01 Nov 2008 09:23:00 -0700

Thanks David, for those of you looking for the rig…

Brad Turner - Nov 5, 2008

Thanks David, for those of you looking for the right SDK, you’re likely going to want the most recent version for Server 2008 and .NET 3.5 which can be found here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F26B1AA4-741A-433A-9BE5-FA919850BDBF&displaylang=en

Under the hood of ILM 2 -- Part 1 Enable WCF Tracing!

david@identitymanaged.com (David) — Sat, 01 Nov 2008 09:23:00 -0700

Want to understand what is happening with your custom ILM 2 workflow? or your calls to the web service?

Try enabling WCF Tracing. By enabling WCF tracing for the Identity Lifecycle Manager Resource Management Service you get to track requests to the webservice. This can help you figure out if your requests are even getting to the webservice.

To enable tracing open the config file:

C:\Program Files\Microsoft Identity Management\Common Services\

Happy Halloween -- It's all about Identity Management

david@identitymanaged.com (David) — Sat, 01 Nov 2008 09:14:00 -0700

Last night as I took my children trick or treating through our neighborhood I thought about Halloween from an Identity Management Perspective:

We provision temporary identities to our children (costumes) that allow them to make a claim when they show up at neighbors’ doors “Trick or Treat (I am wearing costume – the claim; will your grant me access to candy – the resource request)?”

At which point the neighbor will almost invariably give out some candy.

Live ID's are now Open ID's, Geneva supports SAML 2.0

david@identitymanaged.com (David) — Thu, 30 Oct 2008 16:37:00 -0700

At the PDC Microsoft’s Kim Cameron and colleague Bertocci Vittorio announced that Microsoft Live is now an Open Id provider. Additionally, when signing into Live you can use Information Cards (Info Card, Card Space, Geneva Card Space).

They also demonstrated the new Geneva Framework (formerly known as Zermat) – essentially a successor to Windows Server 2008 Active Directory Federation Services, and showed it supporting SAML 2.0 the “protocol” not just SAML 2.0 the token.

The Semi-Automated Install of ILM 2 Beta 3

david@identitymanaged.com (David) — Wed, 22 Oct 2008 21:52:00 -0700

ILM 2 Beta 3 won’t perform a completely automatic quiet install but we can come close. Colleague Brad Turner and I have developed the following approach to the install and the post install tasks.

Brad worked out most of the issues with the ILM 2 Services install itself and then I worked on most of the issues with the post install tasks. I will cover the install of the Metadirectory services first, then the ILM 2 Beta 3 Identity Management Platform Services including its batch files and then discuss the post install tasks and present its related files.

SQL Server Agent should be running or install of ILM 2 Services fails

david@identitymanaged.com (David) — Wed, 22 Oct 2008 20:52:00 -0700

I posted the following to the Community Content Section of the ILM 2 Beta 3 Installation Guide

The SQL Agent Service account must be a sql sysadmin and the SQL Agent Service must be running or during install you may get “error -2147217900

Failed to execute sql string addtemporaleventsjobtoSQLServer” while trying to install ILM 2 Beta 3 Identity Management Platform Services. Apparently, the install routine needs to create a SQL Agent Job and with SQL 2005 the Agent must be running to create a job.

Changing SQL Service Account Passwords for a Cluster

david@identitymanaged.com (David) — Wed, 22 Oct 2008 13:23:00 -0700

Here is an excellent script for changing service account passwords and should work fine as long as you restart the SQL services afterwards.

However the following blog post indicates that more is going on than just a password change:

“never use the plain old Windows Service Control Manager (SCM) to manipulate SQL Services. The SQL Server Configuration Manager does a lot more work in the background to keep security consistent across the installation. "

Installing a Multi-Instance SQL 2005 Cluster

david@identitymanaged.com (David) — Wed, 15 Oct 2008 00:54:00 -0700

Hi, I’m installing SQL Server 2005 in 2 node …

Unknown - Jun 3, 2010

Hi,

I’m installing SQL Server 2005 in 2 node cluster setup and I’m getting the below error:

TITLE: Microsoft SQL Server 2005 Setup
-—————————–

SQL Server Setup has determined that the following account properties are not specified: ‘SQLBROWSERACCOUNT’ . The properties specify the startup account for the services that are installed. To proceed, refer to the template.ini and set the properties to valid account names. If you are specifying a windows user account, you must also specify the password for the account.

Installing a Multi-Instance SQL 2005 Cluster

david@identitymanaged.com (David) — Wed, 15 Oct 2008 00:54:00 -0700

Some of you may run into a problem when installing a multi-instance SQL Server Cluster, in particular when you install the second or third instance in your cluster.

Like this one:

Microsoft SQI Server 2005 Setup
SQL server Setup has determined that the Following account properties are not specified:
‘SQLBROWSERACCOUNT’. The properties specify the startup account for the services that are installed. To proceed, refer to the template.ini and set the properties to valid account names. If you are specifying a windows user account, you must also specify the password for the account.

Projections showing up as Joins?

david@identitymanaged.com (David) — Wed, 08 Oct 2008 14:27:00 -0700

Hi David, I this fast paced growing technology s…

Unknown - Jun 5, 2021

Hi David,

I this fast paced growing technology space, dominating cloud technologies how do you feel about MIM’s future. Give i don’t see Microsoft doing any innovations/upgrade in this arena. Please help me understand.

Thank you,
Durgesh

Projections showing up as Joins?

david@identitymanaged.com (David) — Wed, 08 Oct 2008 14:27:00 -0700

https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=373881&SiteID=433

So I found a slight inconsistency when following some of the ILM 2 walk-throughs. When you setup an inbound synch rule that creates objects in ILM the lineage says that the connector space object became a connector through join rules instead of projection rules. Minor bug – but it sure can be confusing.

HR Inbound Sync Rule

General Information

Created Time

8/27/2008 8:10:09 PM

Connected System

ILM 2 Workflow Activity Walkthrough "Awesome"

david@identitymanaged.com (David) — Wed, 24 Sep 2008 17:18:00 -0700

Thanks David, it was a team effort for sure.

Brad Turner - Sep 3, 2008

Thanks David, it was a team effort for sure.

ILM 2 Workflow Activity Walkthrough "Awesome"

david@identitymanaged.com (David) — Wed, 24 Sep 2008 17:18:00 -0700

Paul Divan, a sharp coworker and fellow Solutions Architect at Ensynch has authored an “awesome” whitepaper on custom activities in ILM 2 Workflow using Windows Workflow Foundations. (Brad Turner contributed a bunch, and I made a few contributions as well)

Check out Mark Gabarra’s (part of the MSFT ILM Product Group) “awesome” comments on the whitepaper.

I especially want to thank some of the folks from Microsoft who were so helpful in figuring out some of these pieces and for their general support. Steve Klem, Mark Gabarra, Andreas Kjellman, Markus Vilcinskas, Jeff Staiman, Larry Buerk and Ahmad Abdel-wahed.

a sprinkling of understanding Workflow in ILM 2

david@identitymanaged.com (David) — Tue, 16 Sep 2008 17:48:00 -0700

So by now all of you know that understanding Windows Workflow Foundation is going to be quite helpful in implementing ILM 2.

Having lived 9 of the last 12 months in Redmond, WA, I now understand a lot more about sprinkling

So I thought I would provide a sprinkling of understanding about Windows Workflow Foundation: a categorization of the built in workflows.

Cateory	Activity	Composite	Notes
Conditional	Invoke Web Service
Conditional	Conditional Activity Group
Conditional	IfElse
Conditional	Policy		Akin to a switch statement or Select Case
Conditional	While
Custom	Code
Error	Compensate
Error	Fault Handler
Error	Throw
Flow	Delay
Flow	EventDriven
Flow	Listen	X	2+ event driven
Flow	Parallel	x	2+ sequence for each
Flow	State
Flow	Sequence	X
Flow	SetState
Flow	StateInitialization	X
Flow	Suspend
Flow	Terminate
Flow	Transaction Scope

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

a sprinkling of understanding Workflow in ILM 2 -- Comment

david@identitymanaged.com (David) — Tue, 16 Sep 2008 17:48:00 -0700

Very nice David, I would also urge readers to chec…

Brad Turner - Sep 3, 2008

Very nice David, I would also urge readers to check out Mark Gabarra’s blog for information relating WF and ILM 2. I also hope that we’ll be able to goad our own Paul Divan into bringing his experiences to the blogosphere!

ILM 2 Beta 3 Bug: Action Process Function Evaluator Activity doesn't work when using only one field

david@identitymanaged.com (David) — Fri, 12 Sep 2008 02:52:00 -0700

Yeah, so this one frustrated me for awhile and if …

Brad Turner - Sep 3, 2008

Yeah, so this one frustrated me for awhile and if you hadn’t discovered this I would have lost even more time!

ILM 2 Beta 3 Bug: Action Process Function Evaluator Activity doesn't work when using only one field

david@identitymanaged.com (David) — Fri, 12 Sep 2008 02:52:00 -0700

ID: 367381

Description

Action Process Function Evaluator Activity doesn’t work when using only one field, but when I concatenate with 2 it works.

Repro Steps

Create an action Process
Add one activity – Function Evaluator
Set a destination to an attribute (like DisplayName) and select only one field in the value – LastName
Then build an MPR to apply to All People (don’t check Grants Permission), Operations: Create and Modify
Requestors: All People
All Attributes
Condition Before All People
Condition After All People
Policy Workflows: Add your Action Process
Then create or modify a user
open the user again and note that it did not work
Then look at search requests, view the request and note the following error: Data at the root level is invalid. Line 1, position 1.

Expanding a Windows Server 2008 System partition on a HyperV Guest

david@identitymanaged.com (David) — Tue, 02 Sep 2008 19:47:00 -0700

Yeah, WOW, not a quick and easy process by any means!

Brad Turner - Sep 3, 2008

Yeah, WOW, not a quick and easy process by any means!

Good Info - Important Note: If you are dealing with a vm guest attached to a Hyper-V Cluster, You’ll need to use Failover Cluster Manager in Administration Tools on one of the Cluster Nodes - After making the change, go to a Command Prompt and enter the following:
diskpart
DISKPART> list
DISKPART> list volume
DISKPART> select volume #
DISKPART> extend
DISKPART> extend filesystem
You’ll need to run extend filesystem on ant 2008+ server regardless if it is in a Cluster or not…

Expanding a Windows Server 2008 System partition on a HyperV Guest

david@identitymanaged.com (David) — Tue, 02 Sep 2008 19:47:00 -0700

While building out some virtual machines for our ILM 2 Beta 3 environment…

We setup a few virtual machines 64 bit Windows Server 2008 SP 1 (since SP 1 is built in to the RTM) running on HyperV. Everything is very slick! Except we only set aside 16 GB for the virtual disk for the system partition. Despite installing SQL, SharePoint, and ILM 2 to another drive the system partition quickly filled up, and didn’t have enough room for Visual Studio (even though I wanted to install it on another partition). All of these programs install a lot of stuff on the system partition no matter what I select. While moving the paging file freed up some space it wasn’t enough.

The Experts Conference (TEC) -- the conference formerly known as DEC (Directory Experts Conference)

david@identitymanaged.com (David) — Tue, 02 Sep 2008 18:16:00 -0700

I am really looking forward to this next year and …

Brad Turner - Sep 3, 2008

I am really looking forward to this next year and can’t wait to showcase what we’ve unearthed as part of our TAP/RDP experience with ILM 2!

The Experts Conference (TEC) -- the conference formerly known as DEC (Directory Experts Conference)

david@identitymanaged.com (David) — Tue, 02 Sep 2008 18:16:00 -0700

Well the results are in! A good number of Ensynchians have been selected to speak at The Experts Conference March 22-25, 2009 just outside of Las Vegas, NV. This will be my third time speaking at this event. They renamed it TEC because Gil Kirkpatrick and Company at Netpro have expanded the event to include a conference on Exchange Server. All three of these sessions were highlighted in the press release

Topic

How to be a pro at Google

david@identitymanaged.com (David) — Thu, 28 Aug 2008 15:07:00 -0700

My friend and coworker, Brad Turner, once joked that if asked what search engine he used he would say “David Lundell”. While I do have a way of phrasing my searches just so, I thought I would point everyone to some great lessons on how to be better at google. I learned about these from a former business associate, Gary Thede, now the President of Boost eLearning.

Check out the following 3 free lessons from Boost eLearning on how to be a pro at googling!

MIIS/ILM Error: System.BadImageFormatException

david@identitymanaged.com (David) — Wed, 20 Aug 2008 17:08:00 -0700

So I had MIIS 2003 SP 1 reporting to me that the format of my GalSync-Extension.dll is invalid. So I tried recompiling it – no luck. Same error. The only MSDN article on this indicated that unmanaged code is being passed to the load method.

Through trial and error we found the solution: stop and start the MicrosoftIdentityIntegrationService. If that doesn’t work try a reboot.

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

I just got pranked by Laura Hunter

david@identitymanaged.com (David) — Sun, 17 Aug 2008 19:45:00 -0700

Laura Hunter is perpetuating a prank that according to Wikipedia has reached such mainstream acceptance that Youtube pranked all of its visitors on April 1st of this year.

Only Laura has pulled off this prank with such utter geekiness!

You’ll probably need help to solve this one. Try this link

Good one Laura!

No spoilers just some hints and links that may spoil it!

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

SQL 2008: Processor or Server/CAL

david@identitymanaged.com (David) — Sat, 16 Aug 2008 12:57:00 -0700

Congrats to the SQL Server team for shipping 2008. It looks like a great product. Congrats as well for keeping the licensing costs the same and adding a new option with the web edition.

One question that many still have in mind is how to license SQL server. Processor licensing allows unlimited users and devices, whereas a server license allows unlimited users or devices as long as they have a CAL. Server CAL can be much cheaper than Processor license or it can become much more expensive.

IDM in pop culture

david@identitymanaged.com (David) — Sat, 16 Aug 2008 11:30:00 -0700

Some days I am amazed at how deeply the identity management concepts have penetrated into popular culture:

“Mr Big Stuff, who do you think you are?” clearly relates to an authentication issue or authorization issue.

“Won’t get fooled again” by the WHO is clearly making a reference to a Certificate Revocation List, now that I have revoked your certificate you won’t be authenticated again.

One area where pop culture is still shockingly uninformed still need help is in asset protection. I guess the authors of many forlorn love songs wish they could have used Rights Management Service and issued a use license that did not contain the permission to “Steal my heart” and “Break my heart.”

Love One Note -- hate KB's with unintended consequences

david@identitymanaged.com (David) — Sat, 16 Aug 2008 09:44:00 -0700

I posted this on a newsgroup and a Powerpoint MVP …

David Lundell - Aug 6, 2008

I posted this on a newsgroup and a Powerpoint MVP saved the day. Apparently, Powerpoint relies on the default printer driver to render the text. Since the KB article directed me to make the One Note Printer I created by hand the default print driver I wound up with scrunched text. Once I have his permission I will thank him by name

Love One Note -- hate KB's with unintended consequences

david@identitymanaged.com (David) — Sat, 16 Aug 2008 09:44:00 -0700

I love One Note. Especially on a tablet PC. I can take notes either by typing or writing on the screen, I can sign contracts it is great.

We recently purchased a home. My real estate agent would send me documents, I would print to One Note and then sign them, print to PDF using Primo PDF and send them back.

It was great until Print to One Note stopped working. The Send to One Note 2007 printer was gone. My old Send to One note 2003 (BC) was still there but of course could not work. So I followed a KB article and created the printer by hand, and could not get it to work.

Pending Exports Report in ILM

david@identitymanaged.com (David) — Wed, 30 Jul 2008 14:52:00 -0700

Hopefully this topic will stir up some excitement among those wondering how to query objects in the connector space. The technique I am about to explicate for you works for both exports and imports.

As many of you aware, my colleague and fellow ILM MVP Brad Turner created the community reporting pack for MIIS/ILM some time ago. This is a package of reports written in SQL Server Reporting Services (SSRS).

Scripting / SysAdmin Survey

david@identitymanaged.com (David) — Thu, 10 Jul 2008 10:15:00 -0700

In repsonse to the “tagging” of my friend Laura Hunter I now respond with the answers to these deep mysteries. But first “tagging”? Is this equivalent to the gang tagging? I hope not!

**How old were you when you started using computers?
**I was 4 or 5 when …
What was your first machine?
My Dad brought home an Atari 800 computer – not the game console all though we did have games they just weren’t as cool as the ones on the game console.
What was the first real script you wrote?
For me the breakthrough came when I was 7 or 8 and I was puzzling through a the Atari 800 book on BASIC and I was able to accept the abtract concept of a variable! Years later in 7th grade when I was introduced to algebra I realized that I had already done the hard part – wrap my brain around this concept of a variable!

I like my passwords Plain --in plaintext that is

david@identitymanaged.com (David) — Thu, 03 Jul 2008 16:32:00 -0700

Bug in ILM2 Beta 3 – go vote on MSConnect to register your taste!

Look for Bug ID 354953

Do you like your passwords plain or with encrypted butter?

As for me and my house we will choose the encrypted butter! I mean passwords.

ILM 2 codeless provisioning looks great! You can add complex rules without code and then you can even see these rules as they get synchronized into the ILM synch engine (what we know and love from the MIIS 2003 and ILM 2007 days). But then oops! you can see my default password in plaintext!

Tech Ed -- Lotsa Buzz ILM 2 and CLM

david@identitymanaged.com (David) — Mon, 16 Jun 2008 16:33:00 -0700

On Tuesday Bob Muglia made a big announcement – ILM 2 Beta 3 has been released. While the beta install is only 64 bit on Microsoft Connect you can download the 32-bit Virtual PC. At the ILM 2 booth at Tech Ed the Microsoft ILM Product Group and I were handing them out like crazy.

Thanks to Nima for inviting me to participate at the booth.

Best session I went was by Candy Stark from MS IT. She presented on the smart card deployment at MSFT using CLM.

Tech Ed Anyone?

david@identitymanaged.com (David) — Sun, 01 Jun 2008 21:58:00 -0700

I will be attending Tech-Ed IT-Pro in a little over a week. My employer Ensynch has a booth. I will also be spending some time at the Microsoft ILM Product Group’s booth.

Looking forward to seeing a bunch of folks out there and helping to demonstrate ILM 2 Beta 3! (Once it is released;)

http://feeds.feedburner.com/IdentityLifecycleManagerilmBestPractices

Processing Actions Asynchronously outside of ILM MA's

david@identitymanaged.com (David) — Thu, 15 May 2008 06:25:00 -0700

For years developers have had access to the Microsoft Message Queue (MSMQ) as a way to be able to queue up actions for processing later or on a remote machine. With the release of SQL 2005 back in well 2005, developers with access to SQL 2005 could replace these MSMQ apps with SQL Service Broker Queues (SSB). With ILM 2007 /MIIS 2003 SP 2 supporting SQL 2005 the use of SQL Service Broker Queues became much more accessible to ILM Developers.

SQL Business Intelligence

david@identitymanaged.com (David) — Wed, 14 May 2008 17:37:00 -0700

This evening I attended a nice SQL 2005 BI presentation by Kathrine Lord of Microsoft.
She took the Arizona SQL Server Users Group through a nice tour of a datawarehouse that she built for a call center. (Thanks to Pete Miller of Statera for all these years of running and organizing the AZ SQL Server User’s group).

Her presentation was a quick end to end walkthrough: building cubes, MDX calculations, creation of named sets, Key Performance Indicators (KPI’s) and using the Pivot Tables inside of Excel 2007.

Identity Chaos? Get your Identities Ensynch!

david@identitymanaged.com (David) — Wed, 14 May 2008 10:55:00 -0700

If I post a comment on my own blog does that mean …

David Lundell - May 3, 2008

If I post a comment on my own blog does that mean I am having an Identity Crisis?

Identity Chaos? Get your Identities Ensynch!

david@identitymanaged.com (David) — Wed, 14 May 2008 10:55:00 -0700

I recently joined the Identity Management Practice, as a Solution Architect, at Ensynch Inc, an award winning Microsoft Gold Partner based in Tempe, AZ, with a strong award winning presence in Southern California. In 2006 Ensynch won Microsoft Worldwide Partner Award for Excellence in Active Directory and Identity Management and in 2007 was the only finalist from North America. In fact the only finalist from the Western Hemisphere.

I am especially happy to be working with Brad Turner, fellow ILM MVP and a good friend. I am also excited to work with the creator of the Camel Logic Configurator – Jerry Camel.

The Grand Unified Demo of Identity Management

david@identitymanaged.com (David) — Wed, 07 May 2008 13:57:00 -0700

As I was architecting and assembling the Identity All Up workshop (part of the 2008 Directory Experts Conference see the review by Felix Gaehtgens, an analyst for Kuppinger Cole) designed to expose the attendees (or delegates) to all facets of the Microsoft Identity Access Platform, Lori Craw, from Microsoft referred to this as the “Grand Unified Demo”. I chuckled, instantly catching the reference to the still undiscovered Grand Unified Field theory that eluded Einstein and even today’s theoretical physicists.

Books