1dent1ty cHa0s

MVP Year Four and MCADD

2009-07-01T15:20:00.001-07:00

My notice informing me that I have been graced with the Microsoft MVP award for work in the MIIS/ILM/FIM area came this morning alongside news late yesterday that our three week old daughter Piper tested positive for a genetic disorder called MCADD. So while I'm very excited that I'll remain in close contact with the ILM/FIM Product Group at Microsoft it does mean that our family dynamic will evolve yet again beyond the "new baby" and "big sister/little sister" changes we were already experiencing.

We appreciate all of the support and well wishing from friends and family!

Security Squared: 4 Part Series on Converging Logical-Physical IAM

2009-06-30T15:57:00.001-07:00

Security Squared has a nice four part article on how Identity and Access Management is rapidly converging with Logical-Physical access control systems (PACS). Think about tying your badge access control (perimeter, interior, etc) to your AD account; AD account is disabled and your badge is immediately cut off. These are capabilities Ensynch has recently acquired through a partnership that I hope to see announced very soon. Now you'll be able to completely tie-in access control across all aspects of IT and if you factor in the request management capabilities of FIM 2010 then you can begin to conceptualize a solution that would allow for complete paperless automation (with approvals) of physical access control requests! Combine that with PKI and data protection initiatives (like RMS) and you can begin to realize solutions within everyone's budget – not just the big enterprises.

This isn't some emerging technology, the software and hardware exists today and is fully available, we are only just recently bridging the gulf between IAM and PACS solutions providers to offer a unified and converged solution. Contact me if this interests you.

One Person, One Identity, One Credential: Converging Logical-Physical Identity and Access Management -- Part 1

Delta Processing Order for custom LDIF

2009-06-29T17:44:00.001-07:00

Just a reminder when you are building your own custom Delta processing rig for your XMAs and you're using LDIF – the order in which you list the updates in your LDIF file is important. Consider this, you get a MODIFY request for record 10 but you don't have the ADD entry until farther down in the file. What you get is the 'need-full-object' exception during the discovery (Import) phase.

So, when building your own custom delta processing rig, make sure you group the records prior to writing them to the LDIF file like so:

Adds
Deletes
Modifies or Attribute Modifies (for ALCN)

My colleague Jerry Camel had already done this properly in some of our LDIF conversion libraries but this cropped up again when we were generating the LDIF from a table where the deltas had already been calculated for us by the data owners (good data owners!). A quick 'group by' clause in the SQL and you should be good to go! It just so happens that if you're using "ADD", "DELETE", "MODIFY", and "MOD-ATTR" as your delta status values then a straight ORDER BY clause will put them in the correct order since they are already ordered properly alphabetically.

System.Threading.ThreadAbortException and XMA Timeouts

2009-06-25T23:47:00.001-07:00

Rebecca and I were able to troubleshoot this error after a bit of head scratching:

The extensible extension returned an unsupported error in MIIS.
The stack trace is:
"System.Threading.ThreadAbortException: Thread was being aborted.
   at SNINativeMethodWrapper.SNIPacketGetConnection(IntPtr packet)
   at System.Data.SqlClient.TdsParserStateObject.ProcessSniPacket(IntPtr packet, UInt32 error)
   at System.Data.SqlClient.TdsParserStateObject.ReadSni(DbAsyncResult asyncResult, TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParserStateObject.ReadNetworkPacket()
   at System.Data.SqlClient.TdsParserStateObject.ReadBuffer()
   at System.Data.SqlClient.TdsParserStateObject.ReadByte()
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at XMA_HR.XMA_HR.Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData) in D:\ILM.Extensions\XMA_HR\XMA_HR.cs:line 102
Microsoft Identity Integration Server 3.3.1106.2"

This error hadn't manifested in development but popped up immediately after transitioning to our integration/QA environment. There were no timeouts that we could find anywhere in our connect strings or XMA code and the stored procedures the XMA was calling ran perfectly fine on their own but when called from the XMA it would bomb after several minutes. The culprit turned out to be a timeout masquerading as something else:

In the Run Profile UI for the Full Import step, the Timeout setting here looks like it is associated with the input file generation process and the successful processing of a full import. My take on this just from looking at the UI is that 90 seconds after my Full Import process has successfully completed the ldif file will be deleted. However, this setting seems to have other subtle effects on the timing of the import file generation process beyond what is advertised and does not appear to be related to when the file gets deleted at all.

To get around this issue, set the timeout to zero (0) – the file is still deleted after the successful import but there is just no timeout for the process.

It's always PKI…

2009-06-18T11:38:00.001-07:00

Sage advice from one Mrs. Laura Hunter…back during prep for TEC 2009 I was playing devils advocate to a problem she was having with ADFS that turned out (on a hunch) to be an issue caused from using the version 3 templates in her 2008 CA. Last week Rebecca Croft and I ran into a completely separate issue when trying to use a certificate to encrypt and decrypt data in an XML file that turned out to be related to the same root cause.

Reb talks about the problem she encountered in more detail in her blog:

http://www.apollojack.com/2009/06/invalid-provider-type-specified.html

CShark: Introducing the FIM Query Tool

2009-06-09T11:37:00.001-07:00

If you are working on an ILM2/FIM TAP, RDP or just kicking it around in the lab, you will want to use this handy little tool to test queries against the web service! Joe also provides a link to the source code project on CodePlex!

Why am I the only one not working on a FIM project! :(

CShark: Introducing the FIM Query Tool

Paleoidentology

2009-06-04T07:44:00.001-07:00

Paleoidentology - the study or practice of uncovering long dead fossilized identities stinking up your nice pristine directory

DCOM Error 10016 and SharePoint

2009-06-03T10:25:00.001-07:00

I am posting this here since we occasionally come across this error in ILM/FIM and may be new to ILM implementers if you are not experienced with installing SharePoint. This error occurs because the IIS WAMReg Admin DCOM Server doesn't have Local Activation permissions.

Log Name: System

Source: Microsoft-Windows-DistributedCOM

Date: 9/4/2008 9:14:44 AM

Event ID: 10016

Task Category: None

Level: Error

Keywords: Classic

User: INFO\svc.wssfarm

Computer: ens-ilm01.ENSYNCH.INFO

Description:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

{61738644-F196-11D0-9953-00C04FD919C1}

to the user INFO\svc.wssfarm SID (S-1-5-21-4163591863-704607480-62112183-1115) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Add the Local WSS_ADMIN_WPG and WSS_WPG groups and make sure that the Local Activation permission is checked for both. If you are using separate accounts for the Farm and the main Site Collection then the Farm account (svc.wssfarm in my case) will only be in the WSS_ADMIN_WPG group.

The Experts Community: Ten Free TEC 2009 Session Recordings

2009-05-25T16:42:00.001-07:00

Another first this year was the launching of a new "expert community site" – The Experts Community. You will find most DEC/TEC regulars on the site answering questions or collaborating and now you can find ten of the US TEC 2009 session recordings (audio and slides) plus the US Keynote and the infamous Wook Lee Memorial Challenge posted online. Among the free sessions posted is my session on Designing an Expiration and Reconciliation Process in ILM 2 – see below.

Designing an Expiration and Reconciliation Process in ILM 2

Community - The Experts Conference

OCS 2007 R2: Ask the Experts Webinar

2009-05-19T08:24:00.001-07:00

Sorry for the late notice, but if you happen to be involved with OCS and are looking for information on the new R2 release please check out our webinar :

When:
Wednesday, May 20th

Time:
10am-11am Pacific/Arizona
11am-12pm Mountain
12pm-1pm Central
1pm-2pm Eastern

Where:
Webinar/Online
(LiveMeeting links will be
sent to all registrants)

Presenters:
Jake Ballecer - Practice Director, Unified Communications
Joel Gillis - Solutions Architect, Unified Communications

Webinar: Simplify Your Unified Communications with OCS R2 - Ask the Experts!

Undoubtedly you've been hearing a lot in the marketplace about Unified Communications. You've probably even seen a demo or two. You're invited to join Ensynch for an informational webinar where we'll summarize how Unified Communications has changed things for Ensynch and our clients and we'll spell out what's new with the release of Office Communications Server 2007 R2.

Unified Communications is no longer a "nice to have". It is becoming critical for top-performing companies. The latest technologies, including Exchange 2007, Live Meeting 2007, and OCS 2007 R2, are helping companies drive productivity and bottom-line results while dramatically reducing the operating costs of travel, telecom and IT. We think the results our clients are seeing are significant and we want you to understand your communications alternatives.

In particular, Office Communications Server 2007 R2 delivers functionality that benefits your organization in the following ways:

Immediate reduction in telephony and conferencing costs
Reduced costs for voicemail management
Lower IT infrastructure and administration costs
Improved user and team productivity
Shorter sales cycles and improved customer service

Webinar Agenda

OCS R2 Overview
How OCS R2 impacts enterprise communications and what are the relevant infrastructure changes.
Enterprise Voice
Learn how to take advantage of the VoIP capabilities in OCS 2007 R2.
Audio/Video/Web Conferencing
See how OCS 2007 R2 integrates audio, video, and Web conferencing to drive business efficiencies.
Enterprise Instant Messaging and Presence
Find out how rich presence and instant messaging functionality in OCS 2007 R2 allows real-time text-based communication, which helps to reduce turnaround time and increase productivity.
Mobility
See how Office Communicator Mobile 2007 R2 extends users’ work identity, as well as IM presence information, to mobile devices, giving users real-time communications capabilities anywhere.
Q&A

Designing Effective Schema Extensions for Active Directory, References

2009-05-13T21:39:00.001-07:00

I recently had to do another very painful round of custom AD schema extensions and the following are invaluable.

Reference

You should also take a look at the following previous posts on the subject:

If you can find Guido's presentation it is certainly worth it and is the best treatise I've read on the subject for sure.

Forefront Identity Manager: Business Impact of Identity and Access Management Webinar

2009-05-13T21:29:00.001-07:00


When: Thursday, May 28th Where: Webinar/Online (Live Meeting links will be sent to all registrants) Presenters: David Lundell – Microsoft MVP for ILM, Ensynch Practice Director Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect Time: 9am-10am Pacific/Arizona 10am-11am Mountain 11am-12pm Central 12pm-1pm Eastern *Convert time zone

(RSVP Below)

Webinar: The Business Impact of Identity
and Access Management with Forefront Identity Manager 2010 (formerly ILM "2")

You’re invited to attend an informational webinar showcasing the business benefits associated of Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (Formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.

Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.

Agenda:
The Business Value of Microsoft’s Identity Management Stack

Evaluate the business challenges, the cost and the opportunities for savings with Identity Management

IDA with Forefront Identity Manager 2010 (ILM 2)

Maintaining existing ILM 2007 deployments

Strong Authentication

Certificate Services

Quest Defender

Sharing with Partners and Customers

Active Directory Federation Services /Geneva

Reducing the need to provision Accounts for Partners

Speedier disabling of access for Partner/Customer’s Accounts

Implications with cloud based applications

Information Protection (now that you’re sharing your documents, how do you protect them)

Active Directory Rights Management Services

Add-ons

Register Now

Identity Management Crisis | Cool feature using the RegexReplaceActivity

2009-04-30T09:55:00.003-07:00

Henrik has a nice breakdown of his RegexReplaceActivity demonstrating how you can use it to do virtually any transform – as long as you can plug in the right RegEx expression. It just so happens that there is a new O'Reilly book available for pre-order called the Regular Expressions Cookbook. Are you excited? You should be!

Amazon.com: Regular Expressions Cookbook

The book is authored by Jan Goyvaerts of EditPad and RegexBuddy fame, both of which are tools I use and can highly recommend. You can find additional help on Regular Expressions with the following links:

Identity Management Crisis Cool feature using the RegexReplaceActivity

ILM ADMA cd-error (8235): A referral was returned from the server

2009-04-28T16:27:00.001-07:00

If you happen to come across this when exporting to a Windows Server 2008 Active Directory:

…then you may be running into a situation whereby the ADMA has inadvertently selected an RODC to export to. Since this DC is, by definition, Read Only, the DC is returning a referral which it appears is not chased by the current ADMA (2007 FP1). To resolve this you have a few options:

Remove the RODC from the site the ILM server is in – obviously this entails having quite a bit of say in the site design for AD which you may not have, but it is a valid request; in most situations ILM should be in a well connected data center close to the information and so you probably shouldn't have RODC's in this particular site. If the ILM server is part of an AD Site object that contains an RODC and you're allowing the ADMA to select the DC automatically then you always run the chance that you'll get this DC as part of one of your Export runs. You should even avoid Reading from it just in case you're relying on seeing attributes that are purposefully filtered from replicating to the RODCs.
Configure the ADMA to use a specific set of preferred domain controllers – easily done but you lose any "self-healing" ability in the event a DC is standing in for site coverage in the event of a failure. This is a normal process of AD Site coverage that you should leverage in your ADMA designs so I would say that even though this is the easiest solution, it is by no means the one I would jump to straight away. I tend to reserve this option for when I know I have to talk to a specific DC through a firewall; however, this solution is applicable here.

My cursory inquiries have not revealed any bugs filed for this so I think I'll open the case to get it on the radar. If you've logged the bug already, please let me know.

ILM Disk Latency SSRS Report – Sneak Peak

2009-04-27T18:26:00.001-07:00

So, as part of my never-ending quest to find predictive elements for ILM performance, I've been working on a new dashboard-like report to replace an older "Disk Analysis" report you may have seen in the old Community Report Pack. Take a look at this:

This is one attempt to correlate slow transaction performance to disk latency and the IOPS for a given block size. This is a screen shot of an SIS import on one of our DEV servers performing a Full Import of 2.36 million records (33 columns) in about 7.43 hours. I won't know whether or not that is fast or not until we get to test the same load in QA and PROD given they have radically different disk subsystems.

Has anyone else done a load of this size that they would care to share their results for?

Forefront Identity Manager: Custom Workflow Webinar and WF Source Released

2009-04-18T08:33:00.001-07:00

If you're testing workflow in ILM "2" RC0 today or are interested in whatever it takes for the creation of workflow in the new Forefront Identity Manager 2010 then you'll want to attend our next webinar on April 23rd. This will be developer centric so you'll want to already be familiar with .NET development to some extent.

In addition, Joe will be walking through some of our most recent WF activity releases – you can find them here on CodePlex.

Forefront: Identity Manager

2009-04-16T11:55:00.001-07:00

So, it’s official now – Microsoft released today the official branding of ILM “2” to Forefront Identity Manager 2010 (FIM). FIM will embody what we now know of a ILM “2” and the current release for ILM 2007 FP1 will remain as-is. So for the history buffs:

We tried to lobby for Forefront Identity Lifecycle Manager, but FILM was less palatable I guess.

Forefront: Identity Manager

Cortego ILM 2 Workflow Activity Library

2009-04-15T11:02:00.001-07:00

I wanted to take a quick minute to do a shout out to Henrik Nilsson and his Identity Management Crisis blog – Henrik has done some killer Workflow activities for ILM “2”. The branding and care he’s taken into crafting the UI really goes a long way towards presenting a professional looking product. Most impressive are the RegEx Replace and Unique Name activities, both of which I can see myself using in the future!

Kudo’s to Henrik and Cortego for publishing the code and activities here!

Cortego ILM 2 Workflow Activity Library

TEC 2009: Final Thoughts (Sunday)

2009-04-15T06:50:00.001-07:00

Whew…its been stated many times but you really can’t appreciate exactly how much work goes into putting on a conference like TEC from the hosting, sponsor, and speaker perspectives; it is quite exhausting to create a virtual community for a few short days and then tear it down again. Once again, I was happy to be part of such a successful venture.

Pre-con Workshop: Building a Practical Lifecycle Mgt. Application on the ILM “2” Portal

This was my first attempt at building an actual training course – my earlier forays weren’t much more than an elongated PPT presentation but I really have to thank David Lundell for giving me the structure and support I needed to write the content. Without the framework he crafted it certainly would have been a dismal failure. As it turns out, I was mostly happy with the way the session went. We had our share of typos and missing steps in the lab guides but they were minor. The only real disappointing point of the session was the final lab – I completely omitted an entire MPR which made our finale fall pretty flat since you really couldn’t see the final result of the Owner Rollup Activity work its magic. If you were in my session the following day you got to see this actually working, so I apologize; I am still aiming to update the lab guide and send out updated copies to all attendees.

We received a mix of reviews, mostly positive but some constructive feedback which I was happy to receive. I designed the lab guides to appeal to both the novice and the expert by prefacing each section with a “I already know how to do this, just tell me what it is supposed to look like” table or figure. If you needed the step-by-step version, it was provided as well so I was hoping that you could “choose your own adventure” and ease some of the tedium. However, if you’ve worked with ILM “2” object creation it is the very definition of tedium slugging through the clicks and submits. My final lesson learned here is that I needed some advanced content or exploration instructions at the end of each lab to keep the expert user engaged. Unfortunately, the only way to get around the tedium is to wait until the PowerShell interface is released in RC1.

TEC 2009: Pre-con Workshop Prep

2009-03-22T00:17:00.001-07:00

Well, we made it through the gauntlet today and got all of the VMs deployed without incident. I owe thanks to Kevin James and Chris Calderon for helping out on the Hyper-V and PowerShell side of the house. Chris single handedly deployed all of our VMs with a little scripting magic while our SQL guru David Lundell built our SQL restoration scripts to aide our delegates in moving between the labs smoothly; no Hyper-V snapshots here, just SQL backups of the MSILM database in various states!

Tomorrow we will lend our moral support to what I’m sure will be a stellar exposition on ADFS by OCG’s Laura Hunter during the morning pre-con workshop. Our session will follow after lunch!

Laura wouldn’t talk to me until she got through the final two parts of the Battlestar Gallactica finale (best Sci-Fi ending ever!) so we watched that on the projector while the VMs were deploying.

TEC Pre-con workshop: Building a Practical Lifecycle Mgt. Application on the ILM “2” Portal

2009-03-18T22:27:00.001-07:00

If you haven’t already signed up for our pre-con workshop then for shame! We are putting the finishing touches on it now and I can tell you that its chocked full of goodies. Joe Zamora is leaving source code for three custom workflows on the box:

Generate OID Activity – demonstrates how to use the public web service client published by Joe Schulman to query for objects and then use the UpdateResource activity
Update Attribute Activity – our replacement for the Function Evaluator which lets you do the basic stuff you need against //Target including date math! More examples of using the UpdateResource building block activity.
Owner Rollup Activity – very cool, not only does this demonstrate binding the FilterBuilder control in your workflow but does some nice recursion to enforce that the value of a specified reference attribute meets the criteria in the filter.

We will be extending ILM “2” and demonstrating how to leverage the request framework to build your own applications so that they can not only take advantage of basic approvals but lifecycle management as well.

What are you waiting for, register now!

CShark: Add a FilterBuilder Control to an ActivitySettingsPart - Part 1

2009-03-17T15:27:00.001-07:00

I’ve been doing quite a lot of hyping of the work that Joe Zamora has done with our WF activities for ILM 2 and we’ve received very positive feedback. We’ve also received quite a bit of feedback requesting code and examples for one of our activities that uses the FilterBuilder control inside of the WF. This requires some special wiring of the ActivitySettingsPart which Joe goes into more detail here – very cool stuff so check it out!

CShark: Add a FilterBuilder Control to an ActivitySettingsPart - Part 1

Apollo Jack: Hit or MIIS

2009-03-12T11:10:00.001-07:00

So, another one of our super-devs, Rebecca Croft, went and started a blog (Apollo Jack) without telling me thinking she could remain under the radar. :) Rebecca and I are currently working an ILM project together so I’ll probably twist her arm a bit for some more ILM posts.

Check out her deep dive on what Join rule extensions are doing under the hood in SQL!

Apollo Jack: Hit or MIIS

I’m a PC and an MVP!

2009-03-06T16:25:00.001-07:00

MVP "I'm a PC" Video

I had an incredible time at this year’s MVP Summit – see for yourself!

2009 MVP Summit Bound

2009-02-27T00:09:00.001-07:00

Well, travel plans are done – I’m bound for the 2009 MVP Summit this coming Sunday. I’ll be staying at the Westin this year and rooming with friend and colleague David Lundell; I think we’ll be the only ILM MVPs in attendance. :(

On Tuesday we will be hosting the following breakout session on the Directory Services track:

Directory Services: A Lap Around ILM 2 (BR561)
Tuesday, March 3rd, 9:00 – 10:30, Building/Room: 43/Adams