1dent1ty cHa0s

ILM 2007 FP1 - Service Pack 1 (build 3.3.1139.2) is available

2010-01-28T06:00:00.001-07:00

The first official Service Pack (MIIS SP3 if you're keeping score) for ILM 2007 FP1 has been released. Brjann Brekkan reports the following:

This update sets a new base line for future coming updates to ILM with much easier deployment of such updates. The biggest and most important update in this Services Pack is that we now support provisioning of mailboxes on Exchange 2010.

The AD Management Agent now has a drop down box to choose Exchange Server 2010 or 2007. With Exchange 2010 provisioning there MA uses Remote Powershell to connect to the Exchange Server so no need to have the Exchange admin tools installed on the ILM machine.

In addition I made the following notes:

The SP is, of course, cumulative, so if you've only deployed some of the hotfix rollups in the past you will be completely covered when you move to SP1.
In order to utilize the Exchange 2010 provisioning support you will need to upgrade to PowerShell 2.0 to support PowerShell Remoting capabilities. This removes the requirement of having Exchange Admin tools installed locally for Exchange 2010 provisioning, but it is unclear whether or not this extends to Exchange 2007 provisioning.
You must use the ExchangeUtils.CreateMailbox method while populating the msExchHomeServerName attribute (used by Exchange 2010) to invoke the provisioning of Exchange Mailboxes; it is unclear whether or not using any of the previous tricks will still work.

You can find the Service Pack here:

KB977791 - ILM 2007 FP1 Service Pack 1 (build 3.3.1139.2)

FIM 2010 – Contributing datetime values to the FIM Web Service

2010-01-14T16:56:00.005-07:00

Had to wrap my brain around this one just recently – the FIM web service requires that you submit any datetime attributes with a very specific format with absolutely no wiggle room. This presents somewhat of a challenge when you are sourcing datetime values from multiple sources like MS SQL, Oracle and LDAP directories like AD/AD LDS.

When writing to the FIM web service the date needs to appear in this ISO 8601 format:

yyyy-MM-ddTHH:mm:ss.fff

For example:

2009-11-06T07:00:00.000

Now, there is no magic SQL or .NET function I've found that gets you precisely the format you need so you have to do some manipulation yourself in order to get it to export properly. While we're here, let's look at some additional caveats regarding dates with FIM:

If the value is coming from the Synchronization Service (MIIS/ILM) then it needs to originate as a string data type – there are no datetime types in the metaverse, so you will find yourself converting datetime values to string types.
The portal expects the time to be in UTC (GMT or Zulu) time, so you need to adjust the time to your own time zone before submitting it otherwise the portal will adjust it when presenting it to you through the portal. For instance, we're in the special Arizona (MST/GMT-7) time zone, so to adjust a midnight timestamp I have to add 7 hours and then the FIM portal will display it to me as midnight.
The web service requires the fractional seconds component to be present (true as of RC1 Update 2) – if you don't submit the fractional seconds it will reject it.
The web service requires precisely three digits of fractional precision to be specified; however, SQL itself is only so precise. You can generally submit the first two digits but you should zero the third if you require fractional precision, otherwise, zero all three (.000). If you don't get the precision correct, you will end up with confirming export errors since the third digit will shift.
You can't specify timezone or any 'z' components

.NET Conversion

To do this in .NET you can adapt the following code into a handy function:

DateTime dtFileTime = DateTime.FromFileTime(csentry[strSourceAttribute].IntegerValue);
// Convert to UTC, format string using custom format similiar to round trip "o" format
// NOTE: SQL's precision for fractional time makes storage and confirmation of anything more than two digits problematic
//      It's better to simply enforce .000 for fractional time here since it's not absolutely critical
mventry[strDestinationAttribute].Value = dtFileTime.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");

This does the timezone conversion for you and then formats the string exactly the way you need it.

TSQL Conversion

To do the conversion in TSQL it's a bit more difficult as I can't seem to find any functions that will automatically adjust the timezone for you. In any case, the approach is similar:

SELECT
--source attribute is already datetime/datetime2
[DATE_OF_HIRE] = CONVERT(nvarchar(30), DATEADD(hour, 7, [DATE_OF_HIRE]) , 126) + '.000'
--source attribute needs to be converted to datetime2
,[TERMINATION_DATE] = CONVERT(nvarchar(30), DATEADD(hour, 7, CAST([TERMINATION_DATE] AS datetime2(7))), 126) + '.000'
FROM tMyHRSource

Here I'm arbitrarily adding the 7 hour timezone shift and then applying the 126 format which gets us very close; we only need to add on the .000 for the fractional seconds.

Anyone who has worked with me on projects know I prefer doing my data manipulation prior to doing any imports to the Synchronization Service so I love the SQL approach and I apply this transform so that my dates appear in the connector space already in the proper format. When this is coming from a sources like AD you don't have that luxury so you need to apply this in a rules extension.

FIM 2010 – Final bugs for 2009

2009-12-31T10:25:00.001-07:00

On this, the last day of 2009 I find myself posting two additional bugs on Connect (please vote up if you feel you are impacted):

RC1 – Updates cannot be slipstreamed into base install

This issue relates to deploying additional Service instances after you've patched your existing installation beyond build 2560 (RC1). If you need to recover an instance of the FIM Service, or you simply want to scale-out your deployment by adding additional services on new systems you have to install the base RC1 MSI package. When doing so, if you install against the existing database it will fail since it's been upgraded. You now have two options:

1. Backup and Detach the patched database, taking all Service instances offline, install 2560 and then patch followed by restoring the original database, or

2. Install the new service against a dummy db, patch, and then point to the original db

Using the first option results in a clean install but is hardly an option in a production deployment since you need to take all of the services offline incurring an outage. The second option incurs no outage but leads to the second bug…this bug describes how it's currently not possible to slipstream updates into the base install.

I really like the way WSS 3.0's installer handles cumulative updates and service packs – you just copy them into the Updates folder of the extracted install and it will apply them during the installation automatically.

RC1.2 – Service & Portal Repair does not fix FIM_* SQL Jobs

This bug is caused when you choose option 2 above – when you specify a new dummy db (FIMServiceDelMe for example) during the new service install, the installation modifies the FIM_* SQL jobs and points them to the new database. When you run repair and point the install back to the original db it does not update the jobs with the original database. If you find yourself in this condition, just edit the steps of each job and reselect the original database.

In either case, I think it's critical to be able to slipstream updates.

I was also able to confirm this bug:

RDP: Post import – Case sensitivity is not changing by CustomExpression or Portal change

In my case I was just exporting updates to the title attribute to the portal that contained case changes. The exports would complete, but the confirming delta and even full imports would result in the exported-change-not-reimported error. According to the notes, this is not planned to be fixed by RTM, so vote this up if you feel it's important.

FIM 2010 – Large Delta Imports on the FIM MA

2009-12-28T16:27:00.001-07:00

Well, chalk this one up to either an aspect of delta imports I just never noticed before or something specific to the way the FIM MA pages through large objects. Remember that the FIM MA is interacting with the FIM web service and then parsing the XML objects into connector space objects. So, what happens if you get a REALLY big group?

In the picture above we see the results of a Delta Import, but notice that the connector space GUID's are repeated. This is the FIM MA paging through a really large member attribute. I wasn't able to ascertain how many additions each entry represented, but I was able to watch the total count of members increase after each new object was added.

Needless to say, it's NOT a good idea when building groups to leave the default "all eligible objects" filter clause in with the intention to correct it later. :)

My next question is whether or not it's possible or advantageous to change whatever paging value the FIM MA is using.

FIM 2010 RC1 – contains() gone but not forgotten

2009-12-11T11:16:00.001-07:00

Back in ILM 2 RC0 we had the use of the contains() function both from the Filter Builder control and from direct filter xoml modification in both Sets and Groups. In FIM 2010 RC1 and later this important function was removed – most likely due to issues surrounding it's stability and performance. If there is one thing I've become most understanding of is how features will get dropped if they jeopardize the ship date of a product and as the FIM team cannot afford any additional slippages, I can see why they may have dropped contains() from the list of supported functions. If you search through the Connect portal you'll find a number of bugs attributed it's use or misuse but I digress.

Having the ability to use such a powerful function is severely missed, and not just by my immediate customers. If you concur, then please vote for the reinstatement of the contains() function:

https://connect.microsoft.com/site433/feedback/ViewFeedback.aspx?FeedbackID=519852

Darryl Russi's Blog : Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

2009-11-23T08:01:00.001-07:00

This was already picked up elsewhere whilst I was out on vacation but I still had to add my "way cool" for the extra detail. Thanks Darryl!

With RC1 Update 1 we can start to see some of the dedication the product group has been talking about over the past year to ensure greater scalability in large environments. With the new service partitions it allows you to rollout portals focused at specific user segments which addresses portal response issues that were rampant before. Addressing the performance perception from end users is critical and should not be undervalued as there is nothing that will sink a project quicker than poor reception from your user community. Terms like "sluggish", "slow", or phrases like "it timed out when I tried to do x" makes it quickly through management and all of the sudden your big investment is cast aside.

Mark my words, features like this will drive better long term adoption and uptake in enterprises.

The next bottleneck to address then becomes the single SQL Server instance which all of the service partitions run against; however, I doubt this will be addressed in this version of the product. Perhaps the ILM "3" candidate (still in early planning stages) will seek to address this by adding capabilities to partition the FIM Service Database as well. Until then, you need to scale UP your SQL Server investment for FIM 2010 Service Database.

Darryl Russi's Blog : Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

FIM 2010 RC1.1 – Adjusting the Request Object Retention Policy

2009-11-12T12:36:00.001-07:00

Thanks to Henrik Nilsson for this little gem – this is the first thing on your list of things to do after installing FIM 2010 in your test environment. Follow these instructions to adjust how long Request objects will be retained in the system.

System Resource Retention Configuration

This is a special resource type in the portal that allows you to adjust how long request objects linger in the portal. Nothing will clog up your database and fill your drives like millions of request objects sitting around for 30 days (the default). And make no mistake, you will end up with millions of objects in a few short days or weeks depending on the item count you're working with. You find your way here by navigating to Administration/All Resources/System Resource Retention Configuration. Once there you'll see the object we're after:

As you can see from my example, I've already adjusted this to two days from the default of thirty. What you will notice if you click on this object is that you are not allowed to change the value yet! We first have to create a policy that allows members of the Administrators set to modify the value we need.

Creating the Management Policy Rule

Ok, you're going to create a new Management Policy Rule with the following specifications:

Display Name: Administration: Administrators can update system resource retention service objects
Description: Allows members of the Administrators set to adjust the policy for request object retention
Permissions: Grants Permission
Requestors: (Specific Set of Requestors) Administrators
Operation: Modify a single-valued attribute
Target Resource Definition Before/After Request (same): All System Resource Retention Configurations
Resource Attributes: (Select specific attributes) Retention Period in Days

Once you're done, go back and click on the configuration object, now you should be able to adjust the value:

Once you submit the change, all new requests will have a 2-day expiration, whereas any previous requests will have the 30-day default. Observe:

…versus:

Notice that even the request to update the policy is stamped with the new policy. I am on a quest to understand exactly how they expire and if there is anything you can do to speed along old requests. There are a few promising looking stored procedures, but those could be very dangerous to an active system.

FIM 2010 RC1.1 – Customizing the Request Object RCDC

2009-11-11T14:58:00.002-07:00

One of my frustrations is tracing down the target of a request and in some cases, the parent request that caused this request to be generated. The default RCDC doesn't expose these values except within the Advanced View/Extended Attributes tab. Having the Applied Policy tab is great to see what policies this request triggered, but being able to see the target and parent request is essential – so here's how to add it yourself. At the end we'll have two new controls:

Here we see the Target revealed on the Detailed Content tab, we now know we had a Modify operation to a Person object type and the target was Smith, John; we can even click the hyperlink here and go look at the current status of John's object.

Here we see on the Applied Policy tab we've added the link to the Parent Request, also hyperlinked. In this example a Workflow configured for "Run On Policy Update" triggered a series of System Event Requests which we can examine in more detail.

After clicking the link we see the policy that was updated which caused this sequence of events – nifty right?
This should all be by default right? Vote here if you're signed up for the FIM Connect site.
Ok, so how do you do this yourself – it's pretty easy. I would strongly recommend applying the Update 1 packages prior to doing this as any updates has the chance of overwriting any of your customizations. So, I'll show you how to add the sections manually and provide the entire file for your consumption as well.

Warning

When editing RCDC configurations, it's always recommended to Export the current configuration and save it as an Original copy. If you get into trouble you should restore the original version, edit a copy and use the copy to upload.

Adding the Target control to the Detailed Content tab

Insert the new TargetID control between the TargetObjectType and SummaryControl controls like so:

<my:Control my:Name="TargetObjectType" my:TypeName="UocLabel" my:Caption="{Binding Source=schema, Path=TargetObjectType.DisplayName}" my:RightsLevel="{Binding Source=rights, Path=TargetObjectType}">

<my:Properties>

<my:Property my:Name="Text" my:Value="{Binding Source=object, Path=TargetObjectType, Mode=OneWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="TargetID" my:TypeName="UocHyperLink" my:Caption="{Binding Source=schema, Path=Target.DisplayName}" my:Description="{Binding Source=schema, Path=Target.Description}" my:RightsLevel="{Binding Source=rights, Path=Target}">

<my:Properties>

<my:Property my:Name="ObjectReference" my:Value="{Binding Source=object, Path=Target, Mode=OneWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="SummaryControl" my:TypeName="UocHtmlSummary" my:Caption="%SYMBOL_RequestContentCaption_END%" my:Description="%SYMBOL_RequestContentDescription_END%" my:ExpandArea="true">

<my:Properties>

<my:Property my:Name="ModificationsXml" my:Value="{Binding Source=requestDetails, Path=DeltaXml , Mode=OneWay}"/>

<my:Property my:Name="TransformXsl" my:Value="{Binding Source=RequestDetailTransformXsl, Path=/, Mode=OneWay}"/>

</my:Properties>

</my:Control>

Adding the Parent Request control to the Applied Content tab

Insert the new ParentRequestObj control between the Policy grouping and the PolicyList control like so:

<my:Grouping my:Name="Policy" my:Caption="%SYMBOL_PolicyTabCaption_END%">

<my:Help my:HelpText="%SYMBOL_PolicyTabHelpText_END%" my:Link="cb9dbf88-0045-4e1e-ae3a-a2449ea7095a.htm#bkmk_grouping_Policy"/>

<my:Control my:Name="ParentRequestObj" my:TypeName="UocHyperLink" my:Caption="{Binding Source=schema, Path=ParentRequest.DisplayName}" my:Description="{Binding Source=schema, Path=ParentRequest.Description}" my:RightsLevel="{Binding Source=rights, Path=ParentRequest}">

<my:Properties>

<my:Property my:Name="ObjectReference" my:Value="{Binding Source=object, Path=ParentRequest, Mode=OneWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="PolicyList" my:TypeName="UocListView" my:Caption="%SYMBOL_PolicyListCaption_END%" my:Description="%SYMBOL_PolicyListHint_END%" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=ManagementPolicy}">

<my:Properties>

<my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,GrantRight,AuthenticationWorkflowDefinition,AuthorizationWorkflowDefinition,ActionWorkflowDefinition"/>

<my:Property my:Name="UsageKeywords" my:Value="ManagementPolicyRule"/>

<my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>

<my:Property my:Name="TargetAttribute" my:Value="ManagementPolicy"/>

<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=ManagementPolicy, Mode=OneWay}"/>

<my:Property my:Name="EmptyResultText" my:Value=""/>

<my:Property my:Name="PageSize" my:Value="10"/>

<my:Property my:Name="ShowActionBar" my:Value="false"/>

<my:Property my:Name="ShowPreview" my:Value="false"/>

<my:Property my:Name="ShowSearchControl" my:Value="false"/>

<my:Property my:Name="ShowTitleBar" my:Value="true"/>

<my:Property my:Name="EnableSelection" my:Value="false"/>

<my:Property my:Name="SingleSelection" my:Value="false"/>

<my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>

<my:Property my:Name="ReadOnly" my:Value="true"/>

<my:Property my:Name="ListViewItemHandler" my:Value="PolicyItemHandler"/>

</my:Properties>

</my:Control>

</my:Grouping>

Build 2570 (Update 1) Files

Remember to iisreset if you can't wait for the cache to refresh.

FIM 2010 RC1 – Resolving the Duplicate SynchronizationRule RCDC

2009-11-02T17:05:00.001-07:00

In the FIM release notes it advises you to adjust the "Applies to Create" setting for one of two Resource Control Display Configuration (aka OVC) objects that share the same Display Name; however, it doesn't tell you how to determine which one to change. You need to do this IF you are exporting and importing your configuration between systems (the source of yet another topic).

RC1 looks like this by default:

We need it to look like this:

…but how do you know which one to change? Both are set to apply to Create, Edit and View, but only one should be Create while the other should be only Edit and View.

Click the first entry hyperlink and then Export Configuration, when prompted, just click Open, we're not going to change anything
On the definition for the Panel/Grouping control you will see one of two entries:

<my:Control my:Name="caption" my:TypeName="UocCaptionControl" my:ExpandArea="true" my:Caption="{Binding Source=schema, Path=DisplayName}" my:Description="{Binding Source=object, Path=DisplayName}">

For this object, uncheck Applies to Create.

Or…

<my:Control my:Name="caption" my:TypeName="UocCaptionControl" my:ExpandArea="true" my:Caption="%SYMBOL_CreateSyncRuleCaption_END%">

For this object, uncheck Applies to Edit and Applies to View.

That's it!

FIM 2010 RC1 – Portal Time Zone Default

2009-10-30T14:05:00.001-07:00

Here's an easy one, not in the Pacific Time zone? Tired of seeing your requests in GMT –8?

How to Change the Default Portal Time Zone

From the Identity Management Home Page, click the link for Administration
From the Administration page, click the link for Portal Configuration
In the Portal Configuration dialog, click the Extended Attributes tab
Scroll down to the bottom to the Time Zone property – see figure below.
Click the Browse button

In RC1 there is no Search Scope (although you could create one, but that's another post) for Time Zone configuration objects, so you need to:

From the Select an Object browse dialog, click the Search within drop down and select All Resources
In the Search for text box, type in (GMT and then click the search button
Select the Time Zone object from the list and click OK

To complete the configuration you'll either need to wait for the cache to refresh or run an iisreset if you're impatient.

FIM 2010 RC1 – First Impressions, Installation Part 2

2009-10-22T14:01:00.001-07:00

So, ran into several issues trying to get the Portal installed – keep in mind I'm exercising installation options that few use but ones I tend to prefer when deploying our solutions. Let's start with host headers.

Back in RC0 I posted a bug where the installer would fail if a host header was used in WSS. While it was closed "as fixed", it still seems to be an issue if you try and install the portal when the default site collection is running under a host header:

Taking a look at the installation log reveals what looks like hardcoded addresses still:

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CheckSharepointWebApporSiteExisting, location: C:\Users\bturner\AppData\Local\Temp\2\MSI3F65.tmp, command: action=IsDefaultWebApplicationOrSiteExisted absoluteURL="http://localhost"

MSI (c) (C4:E8) [15:19:58:400]: Product: Forefront Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CheckSharepointWebApporSiteExisting, location: C:\Users\bturner\AppData\Local\Temp\2\MSI3F65.tmp, command: action=IsDefaultWebApplicationOrSiteExisted absoluteURL=http://localhost

I've done my best to override everything both in the GUI and using the MSI parameters so I know I'm not passing "localhost" anywhere. Backtracking further and removing all of the host headers I can get a bit further now but then run into this one next:

This appears to be linked to an inability to validate the FIM Service account during the installation, resetting the password seems to have resolved this issue for me. I was able to eventually complete the install, and like I said, I chalk much of this up to my incessant tinkering. There was one other error I'd like to see corrected where the installer detects that the WSP solution file has already been deployed and it instructs you to go remove it while it waits for you – not a great experience.

FIM 2010 RC1 – First Impressions, Installation Part 1 - Update

2009-10-22T07:23:00.002-07:00

I reported two errors from my last post and I'm happy to report that the bugs I filed are now both closed – here is the scoop:

RC1 - System.InvalidOperationException occurred in Microsoft.IdentityManagement.FindPrivateKey.exe [3124] – [Closed, as Fixed] this turned out to be a bug fixed post RC1, so while valid it's not entirely new you may still encounter this if you attempt to use your own certificates. For the time being, use the auto-generated certificate.
RC1 - Service and Portal install does not allow for SQL Alias – [Closed, by design] this turned out to be a user configuration issue. Steps to use an SQL Alias on an x64 system are below.

How to Create a Named Pipes SQL Server Alias for use with FIM 2010

There are cases where you may want FIM to communicate with the database server over a specific protocol and not just default to Shared Memory or TCP/IP. There are performance advantages to using Named Pipes when the client and server are on the same box, so here is how you setup an alias for use with Named Pipes. The oh so helpful Microsoft directions are here. My problem stemmed from an assumption I made that the x86 and x64 SQL Native Clients needed to have different aliases. It would be more assuring if I could find something stated to this effect but I haven't found anything yet. Here are my instructions for creating a Named Pipe alias in SQL Server 2008:

Open SQL Server Configuration Manager

Expand SQL Native Client 10.0 Configuration (32bit)
Select Client Protocols, right click and take the Properties

If Named Pipes is under the Disabled Protocols section, select Named Pipes and click the > button to move it over, and use the up arrow button to move it to the top; click OK to continue
Repeat these steps for SQL Native Client 10.0 Configuration
NOTE: "The SQL Native Client 10.0 Configuration" entry is the x64 client
Return to the SQL Native Client 10.0 Configuration (32bit), select Aliases, right click and select New Alias

Use the pull-down for Protocol to select Named Pipes, set the Alias Name to "fim", and the server to "." or "localhost" whichever you prefer; click OK to continue

Repeat these steps for SQL Native Client 10.0 Configuration

I tried creating a 32-bit alias called ILM and a 64-bit alias called FIM and then feeding either one to the installer to see which one it used and it failed on both tries…which tells me it's somehow trying to use both clients or it's some other validation mechanism I'm not fully understanding. If you have a clue, please elucidate!
Now, during the installation when it asks you for the SQL Server, you give it the Alias name, not the server name. To validate this is working, run the following SQL Query:

SELECT  login_name, program_name, host_name, auth_scheme, net_transport, net_packet_size

FROM sys.dm_exec_connections C INNER JOIN sys.dm_exec_sessions S

ON C.session_id=S.session_id

ORDER BY login_name, auth_scheme

You should see something like this:

FIM 2010 RC1 – First Impressions, Installation Part 1

2009-10-13T21:06:00.001-07:00

I'm a stickler for installs and installation related issues, I will spend days working on it…this is day one.

FIM Synchronization Services Installation

No issues that I could see – everything seems to work like it did before and my RC0 install script worked.

FIM Service and Portal Installation

This is where I encountered my errors…but it starts out well enough. Let's start out with the good news first:

Love the fact that you can change the name, probably won't use it much myself, but customers are always asking for this. Also, note that you can re-use indicating an upgrade or re-install. I did expect to be able to specify a SQL Alias here; however, so I think I'm going to file this as a bug.

This interface needs some work, it would be better if it told you what was required on the certificate instead of having to select a certificate, and get an error after clicking Next. From what I can tell you need a certificate with a valid Subject (not sure if it requires Subject Alternative Name) and the Server Authentication assertion (1.3.6.1.5.5.7.3.1), most commonly known as an SSL certificate.

In my case, I selected what I thought was a valid certificate but I did get an error later on into the installation that I think is because of this choice.

Very cool – offer the installer the ability to fix this during the install, excellent work! Now for the bad news…

Sync Service still supports installation against a SQL Alias (to force Named Pipes access for instance) but the Services and Portal installation does not
Questionable whether or not selecting an issued certificate works or not – I got the following error later on during the installation which invoked the JIT debugger:

System.InvalidOperationException occurred in Microsoft.IdentityManagement.FindPrivateKey.exe [3124]

Still indications from my install logs that the installer is not so good about handling existing WSP solutions in SharePoint and recovering from them – these are difficult to clean up I admit

More later once I confirm the certificate issue and reinstall SharePoint on my test server.

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

2009-10-11T21:43:00.001-07:00

The 3.3.1118.02 build is available; however, there is a caveat for those of you that have not kept current or are not at build 1087 or better. Pre-1087 you will need to do full uninstall and then download and install the 3.3.1087.2 slipstreamed build before you can apply later patches. This has to do with an invalid system file that was in the original FP1 build (3.3.0118.2). You can get the 1087 build by calling the support line:

http://support.microsoft.com/contactus/?ws=support

This build has fixes for both the Certificate and Synchronization components. If you find the following error while attempting to patch your installation:

Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

…then see the following earlier post on how to fix this:

Issues with SQL Server in a Windows 2008 Domain

The link to hotfix is here:

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud

2009-10-07T06:57:00.001-07:00

When:
Wednesday, October 14, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell, Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud
Has your organization been considering moving applications to the cloud or using Software as a Service (SaaS) providers? Have you already done it? Have you realized the cost savings?

Have you encountered the difficulties in managing the identities and passwords across the various identities?

Using Microsoft Geneva (ADFS) and Quest Java SSO, and Quest inTrust, you can lower the cost of moving applications to the cloud and to SaaS, which can remove a big hurdle to a key strategic initiative.

I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the final part in a Identity Management Webinar Series from Ensynch's Identity Management Practice Director, Frequent Industry Speaker, and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander. (Previous webinars are available for download here)

This webinar is designed for business leaders, and will present discuss the business value of Microsoft Geneva and the Cloud. Whether identity management within the Cloud and SaaS is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- The Cloud’s little secret: Multiplying identity stores

- High level discussion of The Cloud (Azure, Amazon, SaaS, etc)

- High Level discussion of Geneva (ADFS, WIF)

- The Value of the Cloud

- The hidden Costs of the Cloud

- How Geneva(ADFS) helps lower the cost of the Cloud

- Gaps of the Cloud

- Possible Solutions

- Gaps of Geneva with the cloud

- Possible Solutions from Quest

[Register Now]

Ensynch Hiring SharePoint Talent

2009-10-06T17:48:00.001-07:00

It looks like our Portals and Collaboration (SharePoint) practice is booming and looking for new talent:

Ensynch’s SharePoint business has been booming recently and as such, we are in need of additional highly skilled SharePoint talent. We are looking for folks that have skills in look & feel, infrastructure architecture & design, web part and custom development, etc.

If you think you have what it takes drop me a line and I'll direct you to the people you'll need to talk to. At least one of our top guys is speaking with us on the SharePoint track next year at TEC 2010 as well as delivering a session with our own Chris Calderon entitled "Federated SSO Solutions Using SharePoint 2010".

Download details: FIM 2010 Release Candidate 1

2009-09-30T12:19:00.001-07:00

RC1 of Forefront Identity Manager 2010 is out, go get it!

Download details: FIM 2010 Release Candidate 1

Using PowerShell to Clear ILM Run and Password History

2009-09-30T10:16:00.003-07:00

With our latest implementation running completely Windows Server 2008, SQL Server 2008 in a Windows 2008 Active Directory I've noticed that my old standby of calling the MIIS Resource Kit utility ClearRunHistory no longer works. Despite having the following in place:

Domain service account
Member of the ILM Administrators domain group (our renamed MIISAdmins)
Granted the "Logon as batch" right via policy
Runs fine logged in as the service account interactively

My scheduled task runs fine, but when it executes the utility it fails with a generic "Access Denied" error. So, I've said goodbye to the last of my Resource Kit buddies and hello to PowerShell! I'm now using the following script to clear both the run history and the password history (in the event you are using PCNS).
The script below is parameterized and I borrowed heavily from earlier work by Craig Martin and Markus Vilcinskas. If you pass no parameters it should default to 14 days of history to maintain, otherwise you can pass the value, in days, to the script for each. To call this from your own scheduled task, setup the task to call a CMD file of your creation and add the following:

   1: # Call ClearHistory.ps1 from a CMD file

   2: powershell -nologo -command "& D:\ILMTasks\ClearHistory.ps1 5 10"

Remember that you must always refer to your script with the full path.

ClearHistory.ps1

   1: # Setup the argument parameters and declare defaults

   2: # Default is two weeks of history to retain

   3: param([string]$NumDaysToKeepRunHistory = 14,[string]$NumDaysToKeepPwdHistory = 14)

4:

   5: # Calculate the date to clear runs against

   6: [string]$ClearRunsDate = [DateTime]::Now.AddDays(-$NumDaysToKeepRunHistory).ToUniversalTime()

   7: # Calculate the date to clear password history against

   8: [string]$ClearPwdHistoryDate = [DateTime]::Now.AddDays(-$NumDaysToKeepPwdHistory).ToUniversalTime()

9:

  10: # Get the WMI Object for MIIS_Server

  11: $miiserver = @(get-wmiobject -class "MIIS_SERVER" -namespace "root\MicrosoftIdentityIntegrationServer" -computer ".")

12:

  13: # Clear the Run History

  14: Write-Host "Clearing the Run History prior to (UTC)" $ClearRunsDate

  15: Write-Host "Result: " $miiserver[0].ClearRuns($ClearRunsDate).ReturnValue

  16: #--------------------------------------------------------------------------------------------------------------------

  17:  trap

  18:  {

  19:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred

  20:  }

  21: #--------------------------------------------------------------------------------------------------------------------

22:

  23: # Clear the Password History

  24: Write-Host "Clearing the Password History prior to (UTC)" $ClearPwdHistoryDate

  25: Write-Host "Result: " $miiserver[0].ClearPasswordHistory($ClearPwdHistoryDate).ReturnValue

  26: #--------------------------------------------------------------------------------------------------------------------

  27:  trap

  28:  {

  29:     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred

  30:  }

  31: #--------------------------------------------------------------------------------------------------------------------

This script is calling the WMI provider and invoking the functions. The API calls for handing the dates formatted as UTC. I have these scripts posted separately in the ILM ScriptBox in the ILM Forum.

Acceptance Testing Confessional

2009-09-08T10:07:00.001-07:00

Our daily morning team meetings for the project I'm currently on have become less team meeting and more confessional now that we're getting close to go-live. This is what a typical morning sounds like now:

Tester 1: Bless me PM for I have tested. I found 4 bugs today. <tester 1 leaves>

PM: <documents the bugs> Very good, hand your results to the developer.

Tester 2: Bless me PM for I have tested. I found 2 bugs today. <tester 2 leaves>

PM: <documents the bugs> Very good, hand your results to the developer.

You get the idea, it was much funnier when I made the observation this morning.

Issues with SQL Server in a Windows 2008 Domain

2009-09-03T19:55:00.001-07:00

Oh boy, where to start, we have been having various issues with SQL applications failing with different security related error messages and we did not see a connection until just today. The two prominent issues we saw were:

Could not apply patches to an ILM 2007 FP1 installation running on SQL Server 2008 with the servers in a Windows 2008 domain/forest, the errors we got were:

Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

MSI (s) (6C!80) [16:34:17:656]: Product: Microsoft Identity Integration Server -- Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

SQL Server Reporting Services report subscriptions were failing to run in the SQL Agent with the following errors:

SQL Server Scheduled Job '52840C4F-5D9F-4CAA-96BE-4C587F655571' (0xBB61E338688B8C459E28A61A6761669D) - Status: Failed - Invoked on: 2009-09-03 17:40:03 - Message: The job failed. Unable to determine if the owner (DEV\svc.ssrs.ilm) of job 52840C4F-5D9F-4CAA-96BE-4C587F655571 has server access (reason: Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5. [SQLSTATE 42000] (Error 15404)).

Subsequently, it was this troubleshooting technique using xp_logininfo found by Jaime Martinez that led us to the eventual solution posted by Matticus:

Find the account that you're getting the error on and open up a new query in SQL Management Studio and then run the xp_logininfo command against it – in our case it looked like this:

xp_logininfo 'DEV\svc.ssrs.ilm'

This command generated the following new error:

Msg 15404, Level 16, State 11, Procedure xp_logininfo, Line 62
Could not obtain information about Windows NT group/user DEV\svc.ssrs.ilm', error code 0x5.

As it turns out there is a new built-in security group in Windows Server 2008 domains called BUILTIN\Windows Authorization Access Group. The description on this group reads, "Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects". This somehow causes issues when certain operations require enumeration of a person's group memberships (the computed tokenGroupsGlobalAndUniversal attribute).

Resolution

Add the domain service account for your SQL Server (your SQL Server service account) to the BUILTIN\Windows Authorization Access Group group. You don't need to restart anything, it just starts working from that point forward. What was bizarre is that this also fixed my problem with applying the patches to ILM!

Office 2010 Technical Preview: Unable to Read or Save to SharePoint

2009-09-01T13:38:00.001-07:00

I've been running the Office 2010 Technical Preview for a few weeks now and I really like it…once again. For a time there I was really cursing it due to some issues when reading or writing changes to documents (in this case Office 2007 documents, including OneNote notebooks) stored in our Microsoft Office SharePoint Server 2007 document libraries. I first noticed the issue when attempting to modify a shared OneNote 2007 notebook which, again, is hosted in MOSS 2007 – changes could not be replicated back to the document library and OneNote 2010 would return the following error:

This section contains changes that could not be synced because the
section file was not found. The section may have been moved or
deleted. If OneNote finds the section file later, it will sync the
changes. Alternatively, you can move this section to a new location.
Click here for more information.

I would get a similar problem when using Word 2010 to check out and edit a document hosted in a MOSS 2007 document library; however, in this case it manifested in the Office Synchronization Center failing to upload the modified document. You get a nasty red bar in the Pending Uploads section.

If you're part of the Technical Preview then you can track down these threads and the solutions in microsoft.connect.o2010techprev._general and search for "sharepoint". This problem has affected people in the following conditions it seems:

MOSS 2007 or WSS 3.0 document libraries
Opening files in a document library
Opening local files
Saving files to a document library

Mark Knight of Microsoft posted the workaround as follows:

1. In your LAN settings, check "Use a proxy server for your LAN" (you can
keep "Automatically detect" checked)
2. Assuming you do not require proxy to reach any servers, you can specify
http://fake in the Address field to give it a fake proxy
3. Click Advanced
4. In the Exceptions field, type the wildcard * to manually bypass the fake
proxy for all servers you are trying to reach.
5. OK out of the dialogs to accept the settings and retry opening files from
SharePoint.

The only thing I did differently was in step 2 I used http://127.0.0.1 instead of http://fake since I don't seemingly random hosts. At least in my case, using the above workaround has resolved my issues. If you continue to have issues I would encourage you to post to the newsgroup.

Amazon: XBox 360 Elite with Halo 3 & Fable 2 for $299

2009-08-28T08:16:00.001-07:00

Wow, just saw this in the inbox this morning, just after a night of trying to convince an old friend to pick one up! $299 for the Elite!

Issues when binding to AD LDS (ADAM) userProxy

2009-08-21T18:14:00.001-07:00

aka "Configuring SSL for AD LDS on Windows Server 2008 Server Core"

You may have found your way here because:

you are having issues binding to an ADAM userProxy
you are getting the error "Invalid Credentials Server error: 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 202d, v1772 Error 0x8009030C The logon attempt failed" in LDP
you are trying to setup SSL for AD LDS on Windows Server 2008 Server Core

In my case, the solution to the first two problems ended up being the impetus to write the solution for the third bullet above. My problem first began when testing binds to userProxy objects in AD LDS connecting back to an AD 2008 forest. Here was my configuration:

AD LDS running on Windows Server 2008 Standard, Server Core (SP2) (6.0.6002.18005) (~300k objects)
AD DS running on Windows Server 2008 Standard (SP2)
All servers are in the same domain/forest, including the AD LDS servers (domain joined)
userProxy schema loaded into ADAM among others, inetorgperson and custom extensions in use
userProxy objects currently being provisioned via ILM and linked to AD with objectSID (verified)
SSL certificate already assigned to the ADAM server with Server Authentication assertion and fullname
Using LDP to test…

Binding to inetOrgPerson objects in ADAM worked fine, but userProxy binds did not. All attempts to verify that the linked AD account was not locked, disabled, expired with a valid password were validated. Binding against the userProxy with LDP using UPN or DN yielded the following results:

res = ldap_simple_bind_s(ld, 'user@foo.edu', <unavailable>); // v.3

Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

Server error: 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 202d, v1772

Error 0x8009030C The logon attempt failed

Further digging in the LDS server's Security Event Log yielded this error:

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          8/21/2009 9:37:36 AM

Event ID:      4776

Task Category: Credential Validation

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      LDSIDI01VDO.foo.intg

Description:

The domain controller attempted to validate the credentials for an account.

Authentication Package:               ADAM_LDSIDI01VDO

Logon Account: CN=user,OU=Employees,OU=Bar,OU=Administration,O=Foo,C=us

Source Workstation:       10.x.x.x:52186

Error Code:         0xc000006d

I posted this issue to a group of Directory Service MVP's and we eventually arrived at a solution; joe of joeware fame rightly pointed out that I was NOT using LDAPS (SSL) to bind to ADAM as the documentation clearly spells out. Kurt Hudson pointed out that the 202d error code was pointing out that SSL was required:

202d is ERROR_DS_CONFIDENTIALITY_REQUIRED (This request requires a secure connection.)

So, first problem solved, if you are binding to AD LDS/ADAM over 389 then you will not be able to test or use userProxy bind redirection back to AD. Therefore, you must enable SSL for your ADAM instance and this is where things got tricky if you are using Server Core. There is a certain lack of documentation as to how to do this in Server Core. With Kurt Hudson's help (Kurt writes documentation for the AD team at Microsoft!) we finally stumbled upon an answer. Here are my high-level notes:

The processes documented here and here are somewhat misleading in that…
You do not have to import the certificate into the ADAM instance or Network Service account as the instructions mention – this side tracked me for hours trying to figure out how to do this with certutil
Finding the files in MachineKeys is not as easy as it sounds

So, assuming you already have a certificate assigned to your server for the full server name, you should be able to follow these steps to enable AD LDS/ADAM for SSL on a Server Core box:

Configuring SSL for AD LDS on Windows Server 2008 Server Core

Step 1: Remote into your ADAM server – you'll have a command prompt
Step 2: Change directory to:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Step 3: Where are the files? Try looking for files with the System attribute set:
dir /as
Step 4: Find out which of these files relate to your SSL certificate – run:
certutil –store My
Step 5: Locate the Key Container GUID, this is the file you need for our next operation – run icacls <key container> /grant "NETWORK SERVICE":(R)

HINT: the file will tab-expand!
Step 6: Try your LDP bind against the FQDN of your ADAM sever, remember to set the SSL flag and change the port to 636. Now you should be able to bind to userProxy objects!

Thanks to everyone that pitched in!

Windows 7 Available for Pre-order

2009-07-26T10:59:00.001-07:00

Amazon.com: Microsoft Windows 7 Ultimate: Software

Amazon.com: Microsoft Windows 7 Professional

Windows 7 was released to manufacturing and will be available in stored on October 22nd! You can pre-order your copies now! Many hardware manufacturers are now including vouchers for Windows 7 if you buy a PC today so be sure to get one if you're in the market for a new computer.

Be advised that if you are running any of the prior beta releases (including the Release Candidate) there is no upgrade path – you will need to do a full load. Despite this oversight, I'm floored by the number of Mac enthusiasts that are impressed by Win 7.

Webinar: Transforming SharePoint – Chaos to Order

2009-07-24T23:34:00.001-07:00

The good folks over in our SharePoint practice is putting on a webinar regarding SharePoint governance and taxonomy. Wonder why no one is using that fancy portal of yours?

Webinar: Transforming SharePoint
from Chaos to Order

When:
Thursday, July 30, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
Sean Stecker,
Portals and Collaboration
Practice Director, Ensynch

Jeff Holliday
Solutions Architect, Ensynch

Does your IT team spend too much time administering SharePoint?

Feel like your employees already have too many places to go to get their jobs done, and adding SharePoint just adds another location?

Simply fed up with your SharePoint environment?

If you even considered answering yes to any of these questions, chances are high that your SharePoint environment is in some kind of Chaos.

It’s time to Leave Chaos Behind.

I would like to take this moment to offer you an exclusive invitation to our exciting new informational webinar: "Transforming SharePoint from Chaos to Order.“

Whether your environment already suffers from chaos, or if you are still in the planning stages, the taxonomy and governance of your information architecture is critical to the success of your SharePoint environment.

The webinar will be presented by Ensynch's resident Portals and Collaboration Practice Director, Sean Stecker, alongside Ensynch Solutions Architect, Jeff Holliday.

Webinar Agenda:

Learn how to manage the risk, cost and adoption of your SharePoint environment
Learn how to classify your important business information to meet your needs today and provide scalability for the future
Gain insight on indentifying dependencies between Governance and Taxonomy to ensure a highly functional information architecture
Best Practices Round Table for driving user adoption in SharePoint . (All attendees are invited to participate in this informational discussion. Moderator will field questions)

[Register Now]*
*external registration through Microsoft Partner Events site