Identity Trench

Favourable FIM Review

noreply@blogger.com (Craig Martin) — Tue, 20 Jul 2010 23:11:00 +0000

If you are trying to sell FIM in your organization it helps to have some good reviews (not that FIM is hard to sell these days!).

This review by InfoWorld is quite favourable.

This API supports the FIM 2010 infrastructure and is not intended to be used directly from your code.

noreply@blogger.com (Craig Martin) — Wed, 14 Jul 2010 22:15:00 +0000

I’m a big fan of RTFM, and found myself a little confused by some of the MSDN documentation for FIM 2010.

If you encounter this:

This API supports the FIM 2010 infrastructure and is not intended to be used directly from your code.

It means the item isn’t officially supported. You’re free to try it of course, and the item is likely used in the product internally but your mileage may vary.

TechNet Showcase Videos on FIM

noreply@blogger.com (Craig Martin) — Sun, 09 May 2010 19:36:00 +0000

Oh my RTFM! A series of FIM How-To videos on TechNet!

We had pretty good documentation when MIIS shipped, or at least I was pretty happy with the Walkthrough Guides. For FIM the doc guys have really stepped up their game, which only makes me worse when dishing out the RTFMs :-|.

Cool video about FIM CM

noreply@blogger.com (Craig Martin) — Sun, 09 May 2010 19:29:00 +0000

Stumbled upon this video about FIM CM today, it is cool to see CM get some attention in the huge FIM RTM splash.

Another Heckuva TEC

noreply@blogger.com (Craig Martin) — Sat, 01 May 2010 20:51:00 +0000

Back from the TEC conference, oddly wishing it was a day or two longer. There’s always so many great people to hang out with to trade stories with.

The Venue

No matter how much money I lose I always have fun in Vegas but this year’s venue was pretty sweet. The hotel was gorgeous, which worked out really well since I didn’t stray far from it.

The Keynote

Opening with a video of the TEC chicken was hilarious, but even funnier was the quip from the audience when Gil announced the challenges to the speakers, “Build FIM with cardboard, duct tape and bailing wire” to which somebody piped up, “Isn’t that what Microsoft did?”. Ouch indeed, but Conrad soon took the stage to introduce himself as the GM after a pretty big re-org. My expectations are pretty high for the next major release, and I am confident they’ve organized in such a way to get there. This will all be fun to track but the reality is that we are going to be very busy deploying FIM, and that subject is what really matters for us in the trenches of identity integration, right?

The Sessions

The conference was small as usual, and for FIM we had two tracks with no repeats which made for some tough choices sometimes. My PowerShell session was so much fun to deliver I gave it another go on the last day.

I missed Fred’s session on FIM Futures, but it will be one of the first ones I look for on YouTube, since everybody seemed to refer to it over and over again.

David Lundell offered up his regular guidance on FIM performance, and had some great tips for solving some of the challenges for the initial loading of the FIM service.

Jeremy Palenchar and Gil had an awesome session that brought back memories of Mission Control. They were able to demonstrate Request parsing whereby they could dig through the Requests in FIM to reproduce every change to an object in the service. This has some huge potential, and one could easily argue that this should have been in the box.

Gil demonstrated the PowerShell cmdlets by Quest built for FIM. These are really cool, and I’ve already been able to use them as a workaround for a bug in the cmdlets shipped by the FIM team. Way to go Gil!

Jeremy Palenchar did another great session, kind of a part 2 to his Speech Server demo last year. This year he demonstrated an Authentication WF with integration to Speech Server for self-service password reset. There were two great things about this session:

1. How cool to see FIM detect an account lockout then react by calling your phone to notify and prompt for a reset, all accomplished by phone?

2. The FIM service is complex and it is easy to get overwhelmed by it. Watching such an elegant demo reminds you that the FIM service can be even more powerful than complex.

Next Up

I was scrambling to put a session together for Wednesday, but I only found out days before that I even had the opportunity. Unfortunately the session wasn’t ready, so it wouldn’t have been fair to any attendees to watch me fake it.

The session topic is something I am quite passionate about, and people I’ve talked to seem to share my passion so next up I am going to propose this session:

Dev Tools for the IT Pro Deploying FIM

Each release of FIM brings increases in complexity and the product shifts focus farther away from the IT Pro into the realm of the Developer. The time has come to embrace this shift by treating FIM deployments like the software developments they really are. This session touches on methodology but stays rooted in fun tools and techniques.

So, would you come to a session like that?

TechNet Virtual Lab for FIM 2010

noreply@blogger.com (Craig Martin) — Tue, 13 Apr 2010 23:08:00 +0000

For those unable to download the big VHD for FIM2010, there is an alternative: a FIM 2010 VM lab hosted by Microsoft. The caveat is plainly stated: they will follow up with a sales call.

FIM Training – So Many Options

noreply@blogger.com (Craig Martin) — Sat, 27 Mar 2010 17:34:00 +0000

SQLSoft has a neat little map of the available FIM training options. It stands to reason there’d be lots of options given the size of FIM product. It is great to see so much training content available, even though I’d prefer to see it broken down into feature areas such as:

FIM Service and Portal
FIM Synchronization
FIM Certificate Management

Of course I expect the lines to blur between these feature areas as they all become even more integrated in future releases, at least according my my personal crystal ball (not any official Microsoft plan of record).

Suppressing Full Sync Warnings with PowerShell

noreply@blogger.com (Craig Martin) — Fri, 19 Mar 2010 07:24:00 +0000

Been browsing over the WMI reference for ILM lately and noticed something I hadn’t seen before:

SuppressFullSyncWarning Method of the MIIS_ManagementAgent Class

This can be especially useful with FIM since the Sync Service gets versioned quite a bit more now that it lives in symbiosis with the FIM Service.

Running this method on the MIIS_ManagementAgent WMI class will suppress those warnings but in the Identity Manager user interface and in the Event Log.

RunHistory Parsing

noreply@blogger.com (Craig Martin) — Fri, 05 Mar 2010 01:52:00 +0000

In writing some scripts to dig out Sync errors lately I ran into a strange bug. On the plus side, I wasn’t able to repro on FIM, just on ILM.

Issue

Running this command will eventually start to return null:

Get-WmiObject -Class MIIS_RunHistory -Namespace root/MicrosoftIdentityIntegrationServer -filter("MaName='MyMA'")

This is strange because the query doesn’t change, but eventually it will just stop working. The cmdlet doesn’t report an error, it just stops returning results. Once this happens the only way I am able to fix it is to restart the ‘Windows Management Infrastructure’ service.

Workaround

Cycling the WMI service is a bit of a pain, so instead I issue the query using the MaGUID:

$ma = Get-WmiObject -Class MIIS_ManagementAgent -Namespace root/MicrosoftIdentityIntegrationServer -Filter("Name='MyMA'")
Get-WmiObject -Class MIIS_RunHistory -Namespace root/MicrosoftIdentityIntegrationServer -filter("MaGuid='" + $ma.guid + "'")

Issuing the query using the MA Guid did not repro the problem. A simple little workaround to a strange little problem.

FIM 2010 RTM’d!

noreply@blogger.com (Craig Martin) — Wed, 03 Mar 2010 04:57:00 +0000

Big day today, FIM 2010 RTM was announced at RSA.

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version

FIM is a very important release as it stands on the shoulders of the sync engine to provide a strong workflow engine along with new UI for both administrators and end users. The sync engine has been an appliance that could largely hide in a datacenter until now. In FIM Microsoft takes advantage of Microsoft Office to expose identity data to end users.

FIM 2010 is a huge leap forward in terms of functionality and extensibility. I’m happy to see RTM, and excited about what Microsoft and partners will build on top of this new platform.

Test Exchange Connectivity

noreply@blogger.com (Craig Martin) — Fri, 05 Feb 2010 21:10:00 +0000

Stumbled upon a really cool Exchange troubleshooting tool. Could be handy when troubleshooting Exchange errors in FIM deployments.

https://www.testexchangeconnectivity.com/

FIM Group Management Competition

noreply@blogger.com (Craig Martin) — Mon, 11 Jan 2010 23:19:00 +0000

Couldn’t resist posting a link to a demo of the group management feature in Exchange 2010. It raises the bar for group management demos at TEC this year.

Microsoft Acquisition of Sentillion

noreply@blogger.com (Craig Martin) — Fri, 11 Dec 2009 03:35:00 +0000

Very interesting, Microsoft intends to buy Sentillion. I worked on a project a few years ago where we used MIIS to sync with Sentillion.

Wonder if this will drive FIM adoption in Healthcare.

UPDATE: Seems like Sentillion integration will make its way into FIM 2010 eventually.

FIM 2010 SDK and IT Pro Docs

noreply@blogger.com (Craig Martin) — Fri, 20 Nov 2009 19:53:00 +0000

FIM 2010 SDK on MSDN
I look in here all the time when trying to figure out the details on how things work in FIM, as well as looking into all the extensibility points. For some reason I wasn't able to find this until just recently.

FIM 2010 IT Pro Docs on TechNet
The IT Pro Docs on TechNet are really useful if you're new to FIM and want to try it out in your own lab. Also handy to sanity checking your lab configurations. The installation guide is especially handy.

Troublshooting Password Resets

noreply@blogger.com (Craig Martin) — Fri, 20 Nov 2009 18:24:00 +0000

FIM Self-Service Password Reset makes use of the FIM Sync Service to deliver the passwords to Active Directory, as described in Anthony Ho's Blog.

When troubleshooting you are probably going to be focusing on different product components:
1. FIM Self-Service Password Reset Client Issues
2. FIM Service Issues
3. FIM Sync Issues

If you've narrowed it down to #3 then it is handy to repro without having to constantly go through the SSPR gates.

To troubleshoot FIM Sync password issues try using PowerShell to call WMI against the ADMA in question. It will quickly tell you what the error is, allowing you to make configuration changes to test different options.

T'here's a WMI script in the MSDN Developer Reference for ILM, but if you look at the bottom of the page there is also a much shorter PowerShell script.

Happy troubleshooting!

TEC 2010 - Got a speaker slot!

noreply@blogger.com (Craig Martin) — Fri, 18 Sep 2009 09:02:00 +0000

I'm honoured to have a speaking opportunity at TEC next year. Hopefully next year I won't lose my voice the night before sessions begin!

Out to Pasture

noreply@blogger.com (Craig Martin) — Fri, 17 Apr 2009 15:55:00 +0000

Some might have noticed (hopefully) that the URL for my blog has changed. The advent of FIM and the passing of the domain name were motivation to change (the URL).

One last gasp though, because I love this logo!

ILM2 Renamed to Forefront Identity Manager 2010

noreply@blogger.com (Craig Martin) — Wed, 15 Apr 2009 20:02:00 +0000

Phew, the cat is out of the bag! MMS --> MIIS --> ILM --> FIM
(Couldn't resist a one-up to Brad's SmartArt)

TEC 2009 Decks Available

noreply@blogger.com (Craig Martin) — Wed, 15 Apr 2009 03:38:00 +0000

FYI - The decks from TEC2009 are available now:
http://jacksonshaw.blogspot.com/2009/04/tec-presentations-now-available.html

YOU Can File HIGH Priority Bugs for ILM2 Too

noreply@blogger.com (Craig Martin) — Mon, 13 Apr 2009 18:51:00 +0000

At TEC I got to chat with somebody from the ILM team and learned something pretty neat. Bugs filed on Connect are not just tossed aside, they actually make it into the ILM team's bug tracking system with high priority. The reasoning is that bugs found while the product is in Release Candidate are customer facing bugs that need high priority.

Enthusiasm here should be tempered, because AFAIK a bug of this priority can still fall victim to "won't fix" unless it has enough support.

The moral of the story is: working with pre-release software is not easy (unless you're running Win7) but if bugs aren't filed then customers and the ILM team lose because those bugs won't get the attention they need.

Exchange Labs MA and Certificate Authentication

noreply@blogger.com (Craig Martin) — Mon, 13 Apr 2009 18:19:00 +0000

Anybody using the Exchange Labs MA may have had a rough time with certificates since the only authentication supported by the MA in R2 was client certificate authentication.

PowerShell is your friend when troubleshooting certificate issues. For example, to verify the existence of the certificate in the correct store you could run this from the PowerShell command line:

Get-ChildItem -path cert:\LocalMachine\Root where {$_.subject -like '*thatschool*'} fl

Output from the command on my computer is:
Subject : E=ed-desk@microsoft.com, CN=sapipartner.com, O=Oxford Computer Group thatschool.org, L=Snohomish, S=WA, C=US
Issuer : CN=Microsoft Secure Server Authority, DC=redmond, DC=corp, DC=microsoft, DC=com
Thumbprint : 49B71EE8925C4028150874C78E8B180E15C75FAD
FriendlyName : Oxford Computer Group thatschool.org
NotBefore : 7/3/2008 7:39:46 AM
NotAfter : 7/3/2009 7:39:46 AM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}

What does that prove? Well it proves that you've installed the certificate into the correct store so that ELMA can find it. If you still get authentication errors then you've at least ruled this one out.

PowerShell Breakpoints!!!

noreply@blogger.com (Craig Martin) — Tue, 07 Apr 2009 17:42:00 +0000

PowerShell is one of those things that is just too cool. For the longest time I've been writing scripts, and when I run out of road with scripts I would resort to managed code. The debugging environment for managed code is excellent with breakpoints and such, which is why I would tend to favour managed code.

Today while fiddling with a PowerShell script I tried running it in the PowerShell ISE (Integrated Scripting Environment). Had this sneaky little icon been named PowerShell IDE I might have clued in earlier.

Anyhow, running scripts in here gives you the command line feel, but also gives you breakpoints if you want to stop a script mid-stride to analyze the environment and variables.

AWESOME!

Heck of a TEC

noreply@blogger.com (Craig Martin) — Sun, 29 Mar 2009 16:33:00 +0000

Just got back from TEC (OK, I stayed in Vegas longer than I should have). Given the economic turmoil I was worried the sessions would be empty and speakers absent but was very excited to see lots of people and a great crew of speakers. Against the odds Gil, Stella and Christine put on a great show.

The best analogy I have for TEC is the video for "No Rain" from Blind Melon where that funky little bee-girl runs around seeminly confusing the snot out of people as she dances around dressed like a bee in tap shoes. Identity and Access is just like that, we spend all year telling people about it, customers eventually get it, relatives just smile, and spouses do their best, but at TEC we find ourselves surrounded by people speaking the same jargon even if their native language is different, our acronyms are harmonic.

Somewhat absent was the ILM PG, likley constrained by scaled back travel budgets but I missed seeing them all there. Hats off to Andreas and Mark for being on the front lines when the bad news of the ILM delay landed. Those guys had a tough job last week facing all the customers and partners with fear, uncertainty and doubt. Jackson's post on the delay nailed it. This is going to be a tough year for ILM partners but shipping the wrong product would hurt even more.

My TEC 2009 highlights:

losing my voice the night before my sessions started
Craig (not me) getting booted from the casino
pre-con labs running perfectly, and no all-nighters!
I love Vegas, but my wallet tells a different story
great speakers, and recorded sessions so overlaps don't hurt

.NET Remoting with IIS and Kernel Mode Authentication

noreply@blogger.com (Craig Martin) — Fri, 03 Oct 2008 22:44:00 +0000

Working on an XMA lately I ran into an issue trying to use an object with .NET Remoting hosted on IIS7 (Windows Server 2008 x64). Turns out that IIS7 has a feature called Kernel Mode Authentication.

When .NET Remoting is configured to Negotiate the authentication type, it caused an error with the XMA. Turning off Kernel Mode Authentication fixed the problem.

Changing the authentication type probably would have worked too.

ILM 2 Beta3 Metadirectory Services with SQL 2008

noreply@blogger.com (Craig Martin) — Thu, 11 Sep 2008 17:42:00 +0000

Short blog post to note that I'm running SQL Server 2008 in a LAB ENVIRONMENT this week with ILM 2 Beta 3 Metadirectory Services.

I EXPECT THIS IS NOT SUPPORTED YET, so don't try this at home.

I expected the installation's SQL check to stop the installation but to my delight it passed. Haven't hit any snags yet, using the ADMA, some file MAs and an XMA.