1dent1ty cHa0s

FIM 2010 RC1.1 – Adjusting the Request Object Retention Policy

2009-11-12T12:36:00.001-07:00

Thanks to Henrik Nilsson for this little gem – this is the first thing on your list of things to do after installing FIM 2010 in your test environment. Follow these instructions to adjust how long Request objects will be retained in the system.

System Resource Retention Configuration

This is a special resource type in the portal that allows you to adjust how long request objects linger in the portal. Nothing will clog up your database and fill your drives like millions of request objects sitting around for 30 days (the default). And make no mistake, you will end up with millions of objects in a few short days or weeks depending on the item count you're working with. You find your way here by navigating to Administration/All Resources/System Resource Retention Configuration. Once there you'll see the object we're after:

As you can see from my example, I've already adjusted this to two days from the default of thirty. What you will notice if you click on this object is that you are not allowed to change the value yet! We first have to create a policy that allows members of the Administrators set to modify the value we need.

Creating the Management Policy Rule

Ok, you're going to create a new Management Policy Rule with the following specifications:

Display Name: Administration: Administrators can update system resource retention service objects
Description: Allows members of the Administrators set to adjust the policy for request object retention
Permissions: Grants Permission
Requestors: (Specific Set of Requestors) Administrators
Operation: Modify a single-valued attribute
Target Resource Definition Before/After Request (same): All System Resource Retention Configurations
Resource Attributes: (Select specific attributes) Retention Period in Days

Once you're done, go back and click on the configuration object, now you should be able to adjust the value:

Once you submit the change, all new requests will have a 2-day expiration, whereas any previous requests will have the 30-day default. Observe:

…versus:

Notice that even the request to update the policy is stamped with the new policy. I am on a quest to understand exactly how they expire and if there is anything you can do to speed along old requests. There are a few promising looking stored procedures, but those could be very dangerous to an active system.

FIM 2010 RC1.1 – Customizing the Request Object RCDC

2009-11-11T14:58:00.002-07:00

One of my frustrations is tracing down the target of a request and in some cases, the parent request that caused this request to be generated. The default RCDC doesn't expose these values except within the Advanced View/Extended Attributes tab. Having the Applied Policy tab is great to see what policies this request triggered, but being able to see the target and parent request is essential – so here's how to add it yourself. At the end we'll have two new controls:

Here we see the Target revealed on the Detailed Content tab, we now know we had a Modify operation to a Person object type and the target was Smith, John; we can even click the hyperlink here and go look at the current status of John's object.

Here we see on the Applied Policy tab we've added the link to the Parent Request, also hyperlinked. In this example a Workflow configured for "Run On Policy Update" triggered a series of System Event Requests which we can examine in more detail.

After clicking the link we see the policy that was updated which caused this sequence of events – nifty right?
This should all be by default right? Vote here if you're signed up for the FIM Connect site.
Ok, so how do you do this yourself – it's pretty easy. I would strongly recommend applying the Update 1 packages prior to doing this as any updates has the chance of overwriting any of your customizations. So, I'll show you how to add the sections manually and provide the entire file for your consumption as well.

Warning

When editing RCDC configurations, it's always recommended to Export the current configuration and save it as an Original copy. If you get into trouble you should restore the original version, edit a copy and use the copy to upload.

Adding the Target control to the Detailed Content tab

Insert the new TargetID control between the TargetObjectType and SummaryControl controls like so:

<my:Control my:Name="TargetObjectType" my:TypeName="UocLabel" my:Caption="{Binding Source=schema, Path=TargetObjectType.DisplayName}" my:RightsLevel="{Binding Source=rights, Path=TargetObjectType}">

<my:Properties>

<my:Property my:Name="Text" my:Value="{Binding Source=object, Path=TargetObjectType, Mode=OneWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="TargetID" my:TypeName="UocHyperLink" my:Caption="{Binding Source=schema, Path=Target.DisplayName}" my:Description="{Binding Source=schema, Path=Target.Description}" my:RightsLevel="{Binding Source=rights, Path=Target}">

<my:Properties>

<my:Property my:Name="ObjectReference" my:Value="{Binding Source=object, Path=Target, Mode=OneWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="SummaryControl" my:TypeName="UocHtmlSummary" my:Caption="%SYMBOL_RequestContentCaption_END%" my:Description="%SYMBOL_RequestContentDescription_END%" my:ExpandArea="true">

<my:Properties>

<my:Property my:Name="ModificationsXml" my:Value="{Binding Source=requestDetails, Path=DeltaXml , Mode=OneWay}"/>

<my:Property my:Name="TransformXsl" my:Value="{Binding Source=RequestDetailTransformXsl, Path=/, Mode=OneWay}"/>

</my:Properties>

</my:Control>

Adding the Parent Request control to the Applied Content tab

Insert the new ParentRequestObj control between the Policy grouping and the PolicyList control like so:

<my:Grouping my:Name="Policy" my:Caption="%SYMBOL_PolicyTabCaption_END%">

<my:Help my:HelpText="%SYMBOL_PolicyTabHelpText_END%" my:Link="cb9dbf88-0045-4e1e-ae3a-a2449ea7095a.htm#bkmk_grouping_Policy"/>

<my:Control my:Name="ParentRequestObj" my:TypeName="UocHyperLink" my:Caption="{Binding Source=schema, Path=ParentRequest.DisplayName}" my:Description="{Binding Source=schema, Path=ParentRequest.Description}" my:RightsLevel="{Binding Source=rights, Path=ParentRequest}">

<my:Properties>

<my:Property my:Name="ObjectReference" my:Value="{Binding Source=object, Path=ParentRequest, Mode=OneWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="PolicyList" my:TypeName="UocListView" my:Caption="%SYMBOL_PolicyListCaption_END%" my:Description="%SYMBOL_PolicyListHint_END%" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=ManagementPolicy}">

<my:Properties>

<my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,GrantRight,AuthenticationWorkflowDefinition,AuthorizationWorkflowDefinition,ActionWorkflowDefinition"/>

<my:Property my:Name="UsageKeywords" my:Value="ManagementPolicyRule"/>

<my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>

<my:Property my:Name="TargetAttribute" my:Value="ManagementPolicy"/>

<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=ManagementPolicy, Mode=OneWay}"/>

<my:Property my:Name="EmptyResultText" my:Value=""/>

<my:Property my:Name="PageSize" my:Value="10"/>

<my:Property my:Name="ShowActionBar" my:Value="false"/>

<my:Property my:Name="ShowPreview" my:Value="false"/>

<my:Property my:Name="ShowSearchControl" my:Value="false"/>

<my:Property my:Name="ShowTitleBar" my:Value="true"/>

<my:Property my:Name="EnableSelection" my:Value="false"/>

<my:Property my:Name="SingleSelection" my:Value="false"/>

<my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>

<my:Property my:Name="ReadOnly" my:Value="true"/>

<my:Property my:Name="ListViewItemHandler" my:Value="PolicyItemHandler"/>

</my:Properties>

</my:Control>

</my:Grouping>

Build 2570 (Update 1) Files

Remember to iisreset if you can't wait for the cache to refresh.

FIM 2010 RC1 – Resolving the Duplicate SynchronizationRule RCDC

2009-11-02T17:05:00.001-07:00

In the FIM release notes it advises you to adjust the "Applies to Create" setting for one of two Resource Control Display Configuration (aka OVC) objects that share the same Display Name; however, it doesn't tell you how to determine which one to change. You need to do this IF you are exporting and importing your configuration between systems (the source of yet another topic).

RC1 looks like this by default:

We need it to look like this:

…but how do you know which one to change? Both are set to apply to Create, Edit and View, but only one should be Create while the other should be only Edit and View.

Click the first entry hyperlink and then Export Configuration, when prompted, just click Open, we're not going to change anything
On the definition for the Panel/Grouping control you will see one of two entries:

<my:Control my:Name="caption" my:TypeName="UocCaptionControl" my:ExpandArea="true" my:Caption="{Binding Source=schema, Path=DisplayName}" my:Description="{Binding Source=object, Path=DisplayName}">

For this object, uncheck Applies to Create.

Or…

<my:Control my:Name="caption" my:TypeName="UocCaptionControl" my:ExpandArea="true" my:Caption="%SYMBOL_CreateSyncRuleCaption_END%">

For this object, uncheck Applies to Edit and Applies to View.

That's it!

FIM 2010 RC1 – Portal Time Zone Default

2009-10-30T14:05:00.001-07:00

Here's an easy one, not in the Pacific Time zone? Tired of seeing your requests in GMT –8?

How to Change the Default Portal Time Zone

From the Identity Management Home Page, click the link for Administration
From the Administration page, click the link for Portal Configuration
In the Portal Configuration dialog, click the Extended Attributes tab
Scroll down to the bottom to the Time Zone property – see figure below.
Click the Browse button

In RC1 there is no Search Scope (although you could create one, but that's another post) for Time Zone configuration objects, so you need to:

From the Select an Object browse dialog, click the Search within drop down and select All Resources
In the Search for text box, type in (GMT and then click the search button
Select the Time Zone object from the list and click OK

To complete the configuration you'll either need to wait for the cache to refresh or run an iisreset if you're impatient.

FIM 2010 RC1 – First Impressions, Installation Part 2

2009-10-22T14:01:00.001-07:00

So, ran into several issues trying to get the Portal installed – keep in mind I'm exercising installation options that few use but ones I tend to prefer when deploying our solutions. Let's start with host headers.

Back in RC0 I posted a bug where the installer would fail if a host header was used in WSS. While it was closed "as fixed", it still seems to be an issue if you try and install the portal when the default site collection is running under a host header:

Taking a look at the installation log reveals what looks like hardcoded addresses still:

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CheckSharepointWebApporSiteExisting, location: C:\Users\bturner\AppData\Local\Temp\2\MSI3F65.tmp, command: action=IsDefaultWebApplicationOrSiteExisted absoluteURL="http://localhost"

MSI (c) (C4:E8) [15:19:58:400]: Product: Forefront Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CheckSharepointWebApporSiteExisting, location: C:\Users\bturner\AppData\Local\Temp\2\MSI3F65.tmp, command: action=IsDefaultWebApplicationOrSiteExisted absoluteURL=http://localhost

I've done my best to override everything both in the GUI and using the MSI parameters so I know I'm not passing "localhost" anywhere. Backtracking further and removing all of the host headers I can get a bit further now but then run into this one next:

This appears to be linked to an inability to validate the FIM Service account during the installation, resetting the password seems to have resolved this issue for me. I was able to eventually complete the install, and like I said, I chalk much of this up to my incessant tinkering. There was one other error I'd like to see corrected where the installer detects that the WSP solution file has already been deployed and it instructs you to go remove it while it waits for you – not a great experience.

FIM 2010 RC1 – First Impressions, Installation Part 1 - Update

2009-10-22T07:23:00.002-07:00

I reported two errors from my last post and I'm happy to report that the bugs I filed are now both closed – here is the scoop:

RC1 - System.InvalidOperationException occurred in Microsoft.IdentityManagement.FindPrivateKey.exe [3124] – [Closed, as Fixed] this turned out to be a bug fixed post RC1, so while valid it's not entirely new you may still encounter this if you attempt to use your own certificates. For the time being, use the auto-generated certificate.
RC1 - Service and Portal install does not allow for SQL Alias – [Closed, by design] this turned out to be a user configuration issue. Steps to use an SQL Alias on an x64 system are below.

How to Create a Named Pipes SQL Server Alias for use with FIM 2010

There are cases where you may want FIM to communicate with the database server over a specific protocol and not just default to Shared Memory or TCP/IP. There are performance advantages to using Named Pipes when the client and server are on the same box, so here is how you setup an alias for use with Named Pipes. The oh so helpful Microsoft directions are here. My problem stemmed from an assumption I made that the x86 and x64 SQL Native Clients needed to have different aliases. It would be more assuring if I could find something stated to this effect but I haven't found anything yet. Here are my instructions for creating a Named Pipe alias in SQL Server 2008:

Open SQL Server Configuration Manager

Expand SQL Native Client 10.0 Configuration (32bit)
Select Client Protocols, right click and take the Properties

If Named Pipes is under the Disabled Protocols section, select Named Pipes and click the > button to move it over, and use the up arrow button to move it to the top; click OK to continue
Repeat these steps for SQL Native Client 10.0 Configuration
NOTE: "The SQL Native Client 10.0 Configuration" entry is the x64 client
Return to the SQL Native Client 10.0 Configuration (32bit), select Aliases, right click and select New Alias

Use the pull-down for Protocol to select Named Pipes, set the Alias Name to "fim", and the server to "." or "localhost" whichever you prefer; click OK to continue

Repeat these steps for SQL Native Client 10.0 Configuration

I tried creating a 32-bit alias called ILM and a 64-bit alias called FIM and then feeding either one to the installer to see which one it used and it failed on both tries…which tells me it's somehow trying to use both clients or it's some other validation mechanism I'm not fully understanding. If you have a clue, please elucidate!
Now, during the installation when it asks you for the SQL Server, you give it the Alias name, not the server name. To validate this is working, run the following SQL Query:

SELECT  login_name, program_name, host_name, auth_scheme, net_transport, net_packet_size

FROM sys.dm_exec_connections C INNER JOIN sys.dm_exec_sessions S

ON C.session_id=S.session_id

ORDER BY login_name, auth_scheme

You should see something like this:

FIM 2010 RC1 – First Impressions, Installation Part 1

2009-10-13T21:06:00.001-07:00

I'm a stickler for installs and installation related issues, I will spend days working on it…this is day one.

FIM Synchronization Services Installation

No issues that I could see – everything seems to work like it did before and my RC0 install script worked.

FIM Service and Portal Installation

This is where I encountered my errors…but it starts out well enough. Let's start out with the good news first:

Love the fact that you can change the name, probably won't use it much myself, but customers are always asking for this. Also, note that you can re-use indicating an upgrade or re-install. I did expect to be able to specify a SQL Alias here; however, so I think I'm going to file this as a bug.

This interface needs some work, it would be better if it told you what was required on the certificate instead of having to select a certificate, and get an error after clicking Next. From what I can tell you need a certificate with a valid Subject (not sure if it requires Subject Alternative Name) and the Server Authentication assertion (1.3.6.1.5.5.7.3.1), most commonly known as an SSL certificate.

In my case, I selected what I thought was a valid certificate but I did get an error later on into the installation that I think is because of this choice.

Very cool – offer the installer the ability to fix this during the install, excellent work! Now for the bad news…

Sync Service still supports installation against a SQL Alias (to force Named Pipes access for instance) but the Services and Portal installation does not
Questionable whether or not selecting an issued certificate works or not – I got the following error later on during the installation which invoked the JIT debugger:

System.InvalidOperationException occurred in Microsoft.IdentityManagement.FindPrivateKey.exe [3124]

Still indications from my install logs that the installer is not so good about handling existing WSP solutions in SharePoint and recovering from them – these are difficult to clean up I admit

More later once I confirm the certificate issue and reinstall SharePoint on my test server.

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

2009-10-11T21:43:00.001-07:00

The 3.3.1118.02 build is available; however, there is a caveat for those of you that have not kept current or are not at build 1087 or better. Pre-1087 you will need to do full uninstall and then download and install the 3.3.1087.2 slipstreamed build before you can apply later patches. This has to do with an invalid system file that was in the original FP1 build (3.3.0118.2). You can get the 1087 build by calling the support line:

http://support.microsoft.com/contactus/?ws=support

This build has fixes for both the Certificate and Synchronization components. If you find the following error while attempting to patch your installation:

Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

…then see the following earlier post on how to fix this:

Issues with SQL Server in a Windows 2008 Domain

The link to hotfix is here:

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud

2009-10-07T06:57:00.001-07:00

When:
Wednesday, October 14, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell, Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud
Has your organization been considering moving applications to the cloud or using Software as a Service (SaaS) providers? Have you already done it? Have you realized the cost savings?

Have you encountered the difficulties in managing the identities and passwords across the various identities?

Using Microsoft Geneva (ADFS) and Quest Java SSO, and Quest inTrust, you can lower the cost of moving applications to the cloud and to SaaS, which can remove a big hurdle to a key strategic initiative.

I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the final part in a Identity Management Webinar Series from Ensynch's Identity Management Practice Director, Frequent Industry Speaker, and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander. (Previous webinars are available for download here)

This webinar is designed for business leaders, and will present discuss the business value of Microsoft Geneva and the Cloud. Whether identity management within the Cloud and SaaS is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- The Cloud’s little secret: Multiplying identity stores

- High level discussion of The Cloud (Azure, Amazon, SaaS, etc)

- High Level discussion of Geneva (ADFS, WIF)

- The Value of the Cloud

- The hidden Costs of the Cloud

- How Geneva(ADFS) helps lower the cost of the Cloud

- Gaps of the Cloud

- Possible Solutions

- Gaps of Geneva with the cloud

- Possible Solutions from Quest

[Register Now]

Ensynch Hiring SharePoint Talent

2009-10-06T17:48:00.001-07:00

It looks like our Portals and Collaboration (SharePoint) practice is booming and looking for new talent:

Ensynch’s SharePoint business has been booming recently and as such, we are in need of additional highly skilled SharePoint talent. We are looking for folks that have skills in look & feel, infrastructure architecture & design, web part and custom development, etc.

If you think you have what it takes drop me a line and I'll direct you to the people you'll need to talk to. At least one of our top guys is speaking with us on the SharePoint track next year at TEC 2010 as well as delivering a session with our own Chris Calderon entitled "Federated SSO Solutions Using SharePoint 2010".

Download details: FIM 2010 Release Candidate 1

2009-09-30T12:19:00.001-07:00

RC1 of Forefront Identity Manager 2010 is out, go get it!

Download details: FIM 2010 Release Candidate 1

Using PowerShell to Clear ILM Run and Password History

2009-09-30T10:16:00.003-07:00

With our latest implementation running completely Windows Server 2008, SQL Server 2008 in a Windows 2008 Active Directory I've noticed that my old standby of calling the MIIS Resource Kit utility ClearRunHistory no longer works. Despite having the following in place:

Domain service account
Member of the ILM Administrators domain group (our renamed MIISAdmins)
Granted the "Logon as batch" right via policy
Runs fine logged in as the service account interactively

My scheduled task runs fine, but when it executes the utility it fails with a generic "Access Denied" error. So, I've said goodbye to the last of my Resource Kit buddies and hello to PowerShell! I'm now using the following script to clear both the run history and the password history (in the event you are using PCNS).
The script below is parameterized and I borrowed heavily from earlier work by Craig Martin and Markus Vilcinskas. If you pass no parameters it should default to 14 days of history to maintain, otherwise you can pass the value, in days, to the script for each. To call this from your own scheduled task, setup the task to call a CMD file of your creation and add the following:

   1: # Call ClearHistory.ps1 from a CMD file

   2: powershell -nologo -command "& D:\ILMTasks\ClearHistory.ps1 5 10"

Remember that you must always refer to your script with the full path.

ClearHistory.ps1

   1: # Setup the argument parameters and declare defaults

   2: # Default is two weeks of history to retain

   3: param([string]$NumDaysToKeepRunHistory = 14,[string]$NumDaysToKeepPwdHistory = 14)

4:

   5: # Calculate the date to clear runs against

   6: [string]$ClearRunsDate = [DateTime]::Now.AddDays(-$NumDaysToKeepRunHistory).ToUniversalTime()

   7: # Calculate the date to clear password history against

   8: [string]$ClearPwdHistoryDate = [DateTime]::Now.AddDays(-$NumDaysToKeepPwdHistory).ToUniversalTime()

9:

  10: # Get the WMI Object for MIIS_Server

  11: $miiserver = @(get-wmiobject -class "MIIS_SERVER" -namespace "root\MicrosoftIdentityIntegrationServer" -computer ".")

12:

  13: # Clear the Run History

  14: Write-Host "Clearing the Run History prior to (UTC)" $ClearRunsDate

  15: Write-Host "Result: " $miiserver[0].ClearRuns($ClearRunsDate).ReturnValue

  16: #--------------------------------------------------------------------------------------------------------------------

  17:  trap

  18:  {

  19:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred

  20:  }

  21: #--------------------------------------------------------------------------------------------------------------------

22:

  23: # Clear the Password History

  24: Write-Host "Clearing the Password History prior to (UTC)" $ClearPwdHistoryDate

  25: Write-Host "Result: " $miiserver[0].ClearPasswordHistory($ClearPwdHistoryDate).ReturnValue

  26: #--------------------------------------------------------------------------------------------------------------------

  27:  trap

  28:  {

  29:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred

  30:  }

  31: #--------------------------------------------------------------------------------------------------------------------

This script is calling the WMI provider and invoking the functions. The API calls for handing the dates formatted as UTC. I have these scripts posted separately in the ILM ScriptBox in the ILM Forum.

Acceptance Testing Confessional

2009-09-08T10:07:00.001-07:00

Our daily morning team meetings for the project I'm currently on have become less team meeting and more confessional now that we're getting close to go-live. This is what a typical morning sounds like now:

Tester 1: Bless me PM for I have tested. I found 4 bugs today. <tester 1 leaves>

PM: <documents the bugs> Very good, hand your results to the developer.

Tester 2: Bless me PM for I have tested. I found 2 bugs today. <tester 2 leaves>

PM: <documents the bugs> Very good, hand your results to the developer.

You get the idea, it was much funnier when I made the observation this morning.

Issues with SQL Server in a Windows 2008 Domain

2009-09-03T19:55:00.001-07:00

Oh boy, where to start, we have been having various issues with SQL applications failing with different security related error messages and we did not see a connection until just today. The two prominent issues we saw were:

Could not apply patches to an ILM 2007 FP1 installation running on SQL Server 2008 with the servers in a Windows 2008 domain/forest, the errors we got were:

Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

MSI (s) (6C!80) [16:34:17:656]: Product: Microsoft Identity Integration Server -- Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

SQL Server Reporting Services report subscriptions were failing to run in the SQL Agent with the following errors:

SQL Server Scheduled Job '52840C4F-5D9F-4CAA-96BE-4C587F655571' (0xBB61E338688B8C459E28A61A6761669D) - Status: Failed - Invoked on: 2009-09-03 17:40:03 - Message: The job failed. Unable to determine if the owner (DEV\svc.ssrs.ilm) of job 52840C4F-5D9F-4CAA-96BE-4C587F655571 has server access (reason: Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5. [SQLSTATE 42000] (Error 15404)).

Subsequently, it was this troubleshooting technique using xp_logininfo found by Jaime Martinez that led us to the eventual solution posted by Matticus:

Find the account that you're getting the error on and open up a new query in SQL Management Studio and then run the xp_logininfo command against it – in our case it looked like this:

xp_logininfo 'DEV\svc.ssrs.ilm'

This command generated the following new error:

Msg 15404, Level 16, State 11, Procedure xp_logininfo, Line 62
Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5.

As it turns out there is a new built-in security group in Windows Server 2008 domains called BUILTIN\Windows Authorization Access Group. The description on this group reads, "Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects". This somehow causes issues when certain operations require enumeration of a person's group memberships (the computed tokenGroupsGlobalAndUniversal attribute).

Resolution

Add the domain service account for your SQL Server (your SQL Server service account) to the BUILTIN\Windows Authorization Access Group group. You don't need to restart anything, it just starts working from that point forward. What was bizarre is that this also fixed my problem with applying the patches to ILM!

Office 2010 Technical Preview: Unable to Read or Save to SharePoint

2009-09-01T13:38:00.001-07:00

I've been running the Office 2010 Technical Preview for a few weeks now and I really like it…once again. For a time there I was really cursing it due to some issues when reading or writing changes to documents (in this case Office 2007 documents, including OneNote notebooks) stored in our Microsoft Office SharePoint Server 2007 document libraries. I first noticed the issue when attempting to modify a shared OneNote 2007 notebook which, again, is hosted in MOSS 2007 – changes could not be replicated back to the document library and OneNote 2010 would return the following error:

This section contains changes that could not be synced because the
section file was not found. The section may have been moved or
deleted. If OneNote finds the section file later, it will sync the
changes. Alternatively, you can move this section to a new location.
Click here for more information.

I would get a similar problem when using Word 2010 to check out and edit a document hosted in a MOSS 2007 document library; however, in this case it manifested in the Office Synchronization Center failing to upload the modified document. You get a nasty red bar in the Pending Uploads section.

If you're part of the Technical Preview then you can track down these threads and the solutions in microsoft.connect.o2010techprev._general and search for "sharepoint". This problem has affected people in the following conditions it seems:

MOSS 2007 or WSS 3.0 document libraries
Opening files in a document library
Opening local files
Saving files to a document library

Mark Knight of Microsoft posted the workaround as follows:

1. In your LAN settings, check "Use a proxy server for your LAN" (you can
keep "Automatically detect" checked)
2. Assuming you do not require proxy to reach any servers, you can specify
http://fake in the Address field to give it a fake proxy
3. Click Advanced
4. In the Exceptions field, type the wildcard * to manually bypass the fake
proxy for all servers you are trying to reach.
5. OK out of the dialogs to accept the settings and retry opening files from
SharePoint.

The only thing I did differently was in step 2 I used http://127.0.0.1 instead of http://fake since I don't seemingly random hosts. At least in my case, using the above workaround has resolved my issues. If you continue to have issues I would encourage you to post to the newsgroup.

Amazon: XBox 360 Elite with Halo 3 & Fable 2 for $299

2009-08-28T08:16:00.001-07:00

Wow, just saw this in the inbox this morning, just after a night of trying to convince an old friend to pick one up! $299 for the Elite!

Issues when binding to AD LDS (ADAM) userProxy

2009-08-21T18:14:00.001-07:00

aka "Configuring SSL for AD LDS on Windows Server 2008 Server Core"

You may have found your way here because:

you are having issues binding to an ADAM userProxy
you are getting the error "Invalid Credentials Server error: 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 202d, v1772 Error 0x8009030C The logon attempt failed" in LDP
you are trying to setup SSL for AD LDS on Windows Server 2008 Server Core

In my case, the solution to the first two problems ended up being the impetus to write the solution for the third bullet above. My problem first began when testing binds to userProxy objects in AD LDS connecting back to an AD 2008 forest. Here was my configuration:

AD LDS running on Windows Server 2008 Standard, Server Core (SP2) (6.0.6002.18005) (~300k objects)
AD DS running on Windows Server 2008 Standard (SP2)
All servers are in the same domain/forest, including the AD LDS servers (domain joined)
userProxy schema loaded into ADAM among others, inetorgperson and custom extensions in use
userProxy objects currently being provisioned via ILM and linked to AD with objectSID (verified)
SSL certificate already assigned to the ADAM server with Server Authentication assertion and fullname
Using LDP to test…

Binding to inetOrgPerson objects in ADAM worked fine, but userProxy binds did not. All attempts to verify that the linked AD account was not locked, disabled, expired with a valid password were validated. Binding against the userProxy with LDP using UPN or DN yielded the following results:

res = ldap_simple_bind_s(ld, 'user@foo.edu', <unavailable>); // v.3

Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

Server error: 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 202d, v1772

Error 0x8009030C The logon attempt failed

Further digging in the LDS server's Security Event Log yielded this error:

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          8/21/2009 9:37:36 AM

Event ID:      4776

Task Category: Credential Validation

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      LDSIDI01VDO.foo.intg

Description:

The domain controller attempted to validate the credentials for an account.

Authentication Package:               ADAM_LDSIDI01VDO

Logon Account: CN=user,OU=Employees,OU=Bar,OU=Administration,O=Foo,C=us

Source Workstation:       10.x.x.x:52186

Error Code:         0xc000006d

I posted this issue to a group of Directory Service MVP's and we eventually arrived at a solution; joe of joeware fame rightly pointed out that I was NOT using LDAPS (SSL) to bind to ADAM as the documentation clearly spells out. Kurt Hudson pointed out that the 202d error code was pointing out that SSL was required:

202d is ERROR_DS_CONFIDENTIALITY_REQUIRED (This request requires a secure connection.)

So, first problem solved, if you are binding to AD LDS/ADAM over 389 then you will not be able to test or use userProxy bind redirection back to AD. Therefore, you must enable SSL for your ADAM instance and this is where things got tricky if you are using Server Core. There is a certain lack of documentation as to how to do this in Server Core. With Kurt Hudson's help (Kurt writes documentation for the AD team at Microsoft!) we finally stumbled upon an answer. Here are my high-level notes:

The processes documented here and here are somewhat misleading in that…
You do not have to import the certificate into the ADAM instance or Network Service account as the instructions mention – this side tracked me for hours trying to figure out how to do this with certutil
Finding the files in MachineKeys is not as easy as it sounds

So, assuming you already have a certificate assigned to your server for the full server name, you should be able to follow these steps to enable AD LDS/ADAM for SSL on a Server Core box:

Configuring SSL for AD LDS on Windows Server 2008 Server Core

Step 1: Remote into your ADAM server – you'll have a command prompt
Step 2: Change directory to:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Step 3: Where are the files? Try looking for files with the System attribute set:
dir /as
Step 4: Find out which of these files relate to your SSL certificate – run:
certutil –store My
Step 5: Locate the Key Container GUID, this is the file you need for our next operation – run icacls <key container> /grant "NETWORK SERVICE":(R)

HINT: the file will tab-expand!
Step 6: Try your LDP bind against the FQDN of your ADAM sever, remember to set the SSL flag and change the port to 636. Now you should be able to bind to userProxy objects!

Thanks to everyone that pitched in!

Windows 7 Available for Pre-order

2009-07-26T10:59:00.001-07:00

Amazon.com: Microsoft Windows 7 Ultimate: Software

Amazon.com: Microsoft Windows 7 Professional

Windows 7 was released to manufacturing and will be available in stored on October 22nd! You can pre-order your copies now! Many hardware manufacturers are now including vouchers for Windows 7 if you buy a PC today so be sure to get one if you're in the market for a new computer.

Be advised that if you are running any of the prior beta releases (including the Release Candidate) there is no upgrade path – you will need to do a full load. Despite this oversight, I'm floored by the number of Mac enthusiasts that are impressed by Win 7.

Webinar: Transforming SharePoint – Chaos to Order

2009-07-24T23:34:00.001-07:00

The good folks over in our SharePoint practice is putting on a webinar regarding SharePoint governance and taxonomy. Wonder why no one is using that fancy portal of yours?

Webinar: Transforming SharePoint
from Chaos to Order

When:
Thursday, July 30, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
Sean Stecker,
Portals and Collaboration
Practice Director, Ensynch

Jeff Holliday
Solutions Architect, Ensynch

Does your IT team spend too much time administering SharePoint?

Feel like your employees already have too many places to go to get their jobs done, and adding SharePoint just adds another location?

Simply fed up with your SharePoint environment?

If you even considered answering yes to any of these questions, chances are high that your SharePoint environment is in some kind of Chaos.

It’s time to Leave Chaos Behind.

I would like to take this moment to offer you an exclusive invitation to our exciting new informational webinar: "Transforming SharePoint from Chaos to Order.“

Whether your environment already suffers from chaos, or if you are still in the planning stages, the taxonomy and governance of your information architecture is critical to the success of your SharePoint environment.

The webinar will be presented by Ensynch's resident Portals and Collaboration Practice Director, Sean Stecker, alongside Ensynch Solutions Architect, Jeff Holliday.

Webinar Agenda:

Learn how to manage the risk, cost and adoption of your SharePoint environment
Learn how to classify your important business information to meet your needs today and provide scalability for the future
Gain insight on indentifying dependencies between Governance and Taxonomy to ensure a highly functional information architecture
Best Practices Round Table for driving user adoption in SharePoint . (All attendees are invited to participate in this informational discussion. Moderator will field questions)

[Register Now]*
*external registration through Microsoft Partner Events site

Webinar: How Microsoft Geneva Streamlines Business

2009-07-24T08:37:00.001-07:00

Ensynch is proud to present a series of webinars around Microsoft Geneva, now known as the Windows Identity Foundation.

Webinar: How Microsoft Geneva Streamlines Business

When:
Wednesday, July 29, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information will be sent to attendees

Presenters:
David Lundell, Identity Management Practice Leader, Ensynch

Jonathan Sander, IAM and Security Analyst, Quest Software

- Learn How to Reap the Benefits of True Web
Single-Sign-On and Federation
Has your organization been forced to deploy one-off solutions to solve login or compliance problems with a newly deployed technology?

Are your employees tired of using multiple logins for all kinds of access needs?

Having trouble managing shared resources users both inside and outside of your organization?

Using open platform identity management solution Microsoft Geneva, you can save money and make your business more efficient today, and also make it more easily scalable for the future.
I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the 1st in a 4-part Identity Management Webinar Series from Ensynch's Identity Management Practice Leader and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander.

This webinar is designed for business leaders, and will present business value propositions for the Microsoft Geneva framework. Whether identity management is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- Yikes! The business pain points of managing lots of identities

- High level discussion of Microsoft Geneva

- Business value of Geneva

- Gaps of the Geneva framework

- Possible solutions to the gaps

- ROI of Geneva versus other Single-Sign-On solutions

- Geneva and the Cloud

- Q & A

Stay Tuned for the other three parts of this webinar series:
A Technical Overview of the Microsoft Geneva Infrastructure
Thursday, August 20, 2009

Using the Microsoft Geneva Framework to Solve
Your Federation Needs
Thursday, September 10, 2009

Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Thursday, October 1, 2009

[Register Now]*
*external registration through Microsoft Partner Events site

Security Squared: Converging Physical and Logical Identities, Hands-On (SecureNet)

2009-07-23T12:27:00.001-07:00

There is another great interview on Security Squared, this one focusing on SecureNet, a new Ensynch partner. The interview can be found here.

In the interview, Sharon J. Watson (interviewer from Security Squared) asks:

SJW: Eric had mentioned earlier he'd read my interview with Dave Hansen over at CA, and Dave really thought Active Directory should not be the authoritative source. He said that put IT in control of creating identities and that to him was a problem. He thought that responsibility should be backed up to HR and its systems.

I'll come back to this in a bit, but first SecureNet's Greg Thornbury has some great responses based on practical experiences:

GT: We've done some deployments where we've pointed to HR systems like Peoplesoft, SAP, things like that. We typically have found, even when we're doing that, a lot of resistance on the part of the end user to allow us to really connect to that production HR system. So when we have done it, we've typically done it through some middle connection or step. A batch process at the end of the day or an instance of that database copied out there that's not running in production.

First comment – this parallels what we see in the IDA deployments we've done. In some cases you can get great interaction with HR (my current customer is one of the rare few that don't mind working very closely with internal IDA) and in others you are a second class citizen and can only see a text file extracted nightly; delta's, forget it! I've even had customers where HR is outsourced so completely that they have no way to get regular automated extracts.

Greg continues with:

A lot of what we do as an integrator is speak to our client and do a lot of listening and find out what is the best authoritative source. In a lot of organizations, you're going to find that answer isn't going to be consistent. We're flexible. We've done it both ways. It's great to connect to HR; that's truly the originating point for a lot of that data. In other cases, it seems like HR doesn't keep up everything from an employee location standpoint the way IT does. In those cases, Active Directory may be the better source. At the end of the day, it's always the end user's decision. We try to help them and consult with them. We can look at different sources, so it doesn't really matter to us as long as it's the authoritative source.

Greg is being kind here to his customers to soften the blow a bit – in practically every case we've found dirty HR data in various forms. This goes back to one of the primary drivers for HR data – payroll. If I'm getting my paycheck and my benefits then I have no reason to talk to anyone at HR unless I want to file a grievance, change my address or change my benefits or deductions. In my experience, the number of companies that have mature HR self-service portals that employees actually use is quite slim. This results in primary identity and departmental information being correct but few are going to update phone number and physical location information here. For instance, my job code might identify me as a developer in Department 200 with a location code of 350, but that information doesn't always coincide with the actual location I reside at. In many cases HR may only care to identify the campus you are at but not the actual building, floor or mail-drop (your mileage varies widely here). What you end up with here is a partial disconnect from what HR cares to track versus what you need for a full PACS/IDA solution; it's an issue of fidelity here.

Greg makes a point earlier here:

But a lot of companies are using contractors now as well. In a lot of cases, the contractors aren't managed inside of Active Directory in the same way employees are managed. Typically we'll have several authoritative sources: one for employees and a separate authoritative source for contractors. We've also got solutions that tie in visitor management systems creating visitor credentials and in that case, you've got even a third authoritative source for where the visitor data comes from.

This is a serious hole in the "use HR only" approach and one we've seen quite regularly as well. Only on rare occasions have we seen businesses actually manage non-employees in HR; this has to do with what drives HR (keep reading). Hooking into multiple data sources means your business rules just became a lot more complex. Using Active Directory as the consolidated identity directory bypasses much of that.

Eric Rohleder adds later:

ER: Another nice part of connecting to Active Directory, since we're talking about physical/logical convergence, is the logical access is usually tied to Active Directory. So you go to Active Directory and deactivate an identity, you know in one step you're going to get physical and logical turned off at the same time.

What Eric is describing here is important, the fact that you have an abstraction layer between what HR says and what logical access is enforcing. If I need to walk an employee out of the building, do I wait for HR to process the paperwork so that the termination date field is populated, or do I just disable their AD account? In reality what happens is the manager makes two calls, one to HR to start the process, and one to the administrators to terminate access immediately. HR is less concerned with updating their database than they are worrying about following all of the complex termination processes in order to avoid any wrongful termination lawsuits. It could take HR days to process the real request, so which would you rather rely on?

HR or AD?

Obviously you can make either work, but which is better? The answer is that it depends. When the question is framed from the point of view of an IDA implementer our answer is always "THE authoritative source, no middle men", so when implementing an ILM solution we want to talk as directly as possible (and as often as possible) to HR; however, that's because we're responsible for all of the business logic that Eric and Greg allude to and we're built for connecting to multiple data sources. We are responsible for building the rules for when and how the AD accounts are created in the first place, therefore, the same question, from a physical security perspective is best answered as "AD", with the proviso that some sort of IDA automation (like ILM/FIM) is responsible for driving identity provisioning and deprovisioning. Once you have a robust process driving the identities then physical access integration becomes possible as it becomes another client of the directory and some very nifty ROI can be achieved by levering the existing investments in IDA. In short, when IDA and PACS work together you can truly realize convergence with a single identity.

What about Directory Chaff?

With any directory you're going to build up a small amount of detritus; orphaned accounts in addition to valid accounts like service accounts, administrator accounts, computer accounts, etc. As Greg points out, there are easy ways to filter out much, if not all of that with SecureNet's solution, but only a good IDA solution is able to keep terminated and inactive users out of the system and if PACS is connected to AD then that investment pays off without any complex business logic changes on the physical security side.

Consider another problem, a recent customer of mine has a requirement that all employees maintain active AD accounts in order for them to come back and access self-service W2 information from HR up to 6 months after termination. In HR, this person is terminated, with a termination date, and a status indicator; however, in AD I can maintain an active account because we've built that business logic into how ILM handles terminated accounts coming from HR. If that requirement changes to 9 months then we have a single very simple change to make within our ILM configuration without any re-coding of flows. Now this presents a small challenge to the "use AD as the source" as you'd now have a terminated person with badge access, right? Nope, enter SecureNet's solutions for RBAC. They have the ability to either map directly against AD group or to build roles based on attributes of a user. In either case, since we control the data present on the user and their group memberships through ILM, we remove the users from any physical security based groups or modify the user attributes such that the derived roles in the PACS system remove badge access while the AD account remains active. What you gain here by using an IDA driven AD is flexibility.

Getting Identity data into your Intelligent Controllers

SecureNet uses a really nifty product for automating the data import from sources like databases, flat files, or AD itself. This is not something I would turn to ILM or another identity provider to attempt to do given the antiquity of the protocols used to communicate with even modern intelligent controllers. The good news here for companies that have Mercury Security (Lenel's On-Guard, Open Options, Honeywell, RS2, Arinc, and Indenticard to name a few) based PACS is that this system is fully compatible with some minor migration efforts required; that means you keep all or most of your hardware (controllers, readers, panels, etc) and just upgrade the software. SecureNet specializes in this sort of physical integration and Ensynch is happy to partner with them to extend their reach on the IDA side. Ensynch just completed an internal conversion of our PACS using SecureNet and are extremely happy with not just the results, but the possibilities of finally converging physical and logical access…and yes, we're using AD as the source!

How Do I Converge?

Contact me and let's talk – we're happy to connect you directly with SecureNet or feel free to contact them directly if you have questions regarding physical security. Ensynch would be happy to help you get ILM/FIM implemented so that SecureNet has the best possible chance in leveraging AD directly.

Quest Software Announces The Expert Conference 2010

2009-07-23T08:11:00.001-07:00

Save the date: April 25th – 28th 2010 in Los Angeles, CA at the JW Marriott!

There will be three tracks next year:

Directory & Identity
Exchange
SharePoint

If you have topics or experiences you'd like to share then I would encourage you to submit sessions through the call for papers. Or, if you'd just rather hawk your product or services and gain some exposure you won't fine a more influential crowd than at TEC so consider becoming a sponsor.

Quest Software Announces The Expert Conference 2010

ILM 2007 FP1 PowerShell Cmdlets

2009-07-22T09:37:00.001-07:00

In my first official day back from vacation after the birth of our daughter Piper, I've noticed that Markus Vilcinskas posted two links for PowerShell enabling existing ILM 2007 FP1 deployments in the following forum thread:

Identity Lifecycle Manager 2007 FP1 Sync Engine Configuration PowerShell Commandlets

I should note that the documentation incorrectly lists this as for ILM "2"; however, Markus assures me that this is intended for ILM 2007 FP1. You will want to be running at least the 3.3.1080.2 (FP1) build before you attempt it (no guarantees this will work with MIIS 2003 SP2). The latest released hotfix rollup as of this posting is 3.3.1101.2:

A hotfix rollup package (build 3.3.1101.2) is available for Identify Lifecycle Manager 2007 Feature Pack 1

Now I finally have a real excuse to learn PowerShell!

MVP Year Four and MCADD

2009-07-01T15:20:00.001-07:00

My notice informing me that I have been graced with the Microsoft MVP award for work in the MIIS/ILM/FIM area came this morning alongside news late yesterday that our three week old daughter Piper tested positive for a genetic disorder called MCADD. So while I'm very excited that I'll remain in close contact with the ILM/FIM Product Group at Microsoft it does mean that our family dynamic will evolve yet again beyond the "new baby" and "big sister/little sister" changes we were already experiencing.

We appreciate all of the support and well wishing from friends and family!

Security Squared: 4 Part Series on Converging Logical-Physical IAM

2009-06-30T15:57:00.001-07:00

Security Squared has a nice four part article on how Identity and Access Management is rapidly converging with Logical-Physical access control systems (PACS). Think about tying your badge access control (perimeter, interior, etc) to your AD account; AD account is disabled and your badge is immediately cut off. These are capabilities Ensynch has recently acquired through a partnership that I hope to see announced very soon. Now you'll be able to completely tie-in access control across all aspects of IT and if you factor in the request management capabilities of FIM 2010 then you can begin to conceptualize a solution that would allow for complete paperless automation (with approvals) of physical access control requests! Combine that with PKI and data protection initiatives (like RMS) and you can begin to realize solutions within everyone's budget – not just the big enterprises.

This isn't some emerging technology, the software and hardware exists today and is fully available, we are only just recently bridging the gulf between IAM and PACS solutions providers to offer a unified and converged solution. Contact me if this interests you.

One Person, One Identity, One Credential: Converging Logical-Physical Identity and Access Management -- Part 1