Saturday, December 25, 2010

A bit annoyed...

I just hate when someone tries to force something on me; Adobe is doing that right now. Now, I just wanted their Reader, which is fine software, by the way. But there was no way around getting some Adobe Download Manager from their website, hmmm. I don't need a download manager, since I'm not on a 33 Kbit modem and haven't been for a while.

So I decided to try their ftp site - and woopti, it worked; just went to ftp://ftp.adobe.com/pub/adobe/reader/win/ and got me the plain version of Adobe Reader X without any add-ons being forced on me; not that I know of yet.

Shame on you, Adobe...

(sorry that this blog entry was not FIM related, but I just had to get this out of my system)

Merry Christmas.

Thursday, November 18, 2010

Small hotfix released

Great to see that there is attention on the FIM 2010 product. A small hotfix has been released a few days ago. However small it may be, it definitely has some good things, namely the support for password history (see KB2443871) and of course a few other bugfixes.

I haven't had time to check out whether the bug with regards to casing in flows have been fixed and is included. There is nothing in the release notes stating this, but one could hope. I'm keeping my fingers crossed for this for my testing with the next days.

You can find the hotfix here.

Wednesday, November 17, 2010

Foreign characters in strings

I have been finish a couple of custom workflows for FIM 2010 lately and have had some troubles with my national characters (almost always a big problem being Danish :-))

The problem was that when I passed a string with danish characters (or might even be non-default characters for that matter), the result looked strange in the portal. I wanted to use the UpdateResourceActivity activity to set a DisplayName and passed a string as a value with my name, but I ended up with a strange result in the portal -

Result: S#248;ren Granfeldt
Expected result: Søren Granfeldt

Some nice guys helped me out though (see forum thread here, if you're interested). I found the solution to be that you, for some strange reason, need to HtmlDecode your string; so I do this using the following lines -

OutputValue = System.Web.HttpUtility.HtmlDecode(this.ResolvedExpression);

Hope that this helps other non-english custom workflow coding guys (and girls)...

Monday, November 15, 2010

Custom Workflow for Propercasing

Just finishing up my custom workflow for propercasing text in a workflow for FIM 2010. Below you can see a screenshot of the workflow.

The main purpose of the workflow is to take an input string (could be some FIM 2010 grammar like [//Target/FirstName] [//Target/LastName]) and apply the casing rules specified in the workflow to do propercasing like turning CHRIS O'DONNEL into Chris O'Donnel. The reason why I'm doing this workflow is that I have a lot of customers that use a mainframe for hosting users (HR system) and many of the old mainframe systems will only allow letters in capital - and that doesn't look nice when flowed into Active Directory. Also, just taking the first letter and capitalizing this and lowercasing the rest won't do the trick for a guy like Chris O'Donnell and therefore the workflow has some custom settings for handling this.

The 'Destination' should be either the Target attribute, i.e. [//Target/DisplayName] or a workflow parameter, i.e. [//WorkflowData/ProperlyCasedName].
You're able to specify words that should always be in lowercase, prefixes that will uppercase the following letter and words that should always be in a certain fixed case, like MHz.


If you would like to give it a test run and I'd very much appreciate some feedback for finalizing it. I'll make the released version available as soon as I get some feedback and finish the final testing. If you would like a version, please send me an mail and I'll send you the binaries in a .ZIP-file.

To have the workflow available in the FIM Portal, please follow the section 'Building the Assembly and Loading it into the FIM Portal' in this TechNet article (find it almost at the end of the article).

When creating the new Activity Information Configuration, you'll need this information for the configuration -

Activity Name: Inceptio.FIM.Activities.ConvertToPropercaseActivity
Assembly Name: Inceptio.FIM.Activities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=fbba0d5fa1bd8867
Type Name: Inceptio.FIM.Activities.WebUIs.ConvertToPropercaseActivitySettingsPart


I use the following small script for putting the .DLL's into the GAC -

gacutil /i "Inceptio.FIM.Activities.dll"
gacutil /i "Inceptio.FIM.Activities.BuildingBlocks.dll"

Let me know, if you have any problems and I look forward to hear your feedback. Give it a run...


Monday, October 25, 2010

Custom Workflow for looking up a value

Just finished my custom workflow for looking up a value in the FIM portal. I find this workflow interesting because you often have to populate values on users based on some other attribute. This workflow has many interesting features, i.e. you could lookup a OU for the user based on the department and have the list of OU's be maintained in the FIM Portal it self - or as the example shows below, you could have a list of "pretty names" for your cost centers and populate the CostCenter attribute based on a CostCenterId flowed from i.e. the HR system.



Parameters are -

XPathFilter: The Lookup filter for getting the value, i.e. /Person[starts-with(AccountName, 'D')]; if your query returns more than one result, the value from the first result will be used
Attribute Name: The name of the attribute that you want to get the value from (for now only single-value attributes is supported (and tested); go ahead and try with multi values if you dare...
Destination: This is where you want to put the found/extracted value

How do I get the software? If you want to be a beta tester, please let me know (send me an email) and I'll get the workflow software to you.

Please let me know, if you have any problems with the workflow or any feature request.

Well-known GUIDS in FIM 2010

Writing custom workflows and doing other stuff in FIM 2010, you will at some point need one or more of the well-know GUIDS that is part in FIM 2010. Luckily, Brad Turner, did at short and to the point post with these.

I've put these in my FIM library and use them extensively (see below)

public static Guid BuiltInSynchronizationAccount = new Guid("fb89aefa-5ea1-47f1-8890-abe7797d6497");
public static Guid FIMServiceAccount = new Guid("e05d1f1b-3d5e-4014-baa6-94dee7d68c89");
public static Guid Anonymous = new Guid("b0b36673-d43b-4cfa-a7a2-aff14fd90522");

Sunday, October 3, 2010

Who did what when?

Just for my own reference - Joe Zamora did a great post on using the FIM Query Tool; see the details here

Friday, August 20, 2010

You didn't miss this update, did you?

Many of you may already have this one, but I'm just logging it here, so that I have a good link to send to my customers - and hopefully some other FIM 2010 lost souls outthere can make use of these as well.

The FIM 2010 Update 1 can be found at http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb978864

And there is a good thread on whats included in the update at http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b21e08a5-d2be-4bf1-a53f-248b5a9cc6e3

Are you documenting FIM 2010 setup?

If you're actually doing documentation of FIM 2010 chances are that you'll be using Visio for some of the documentation with regards to i.e. workflows.

If you're using Visio, you want to take a look at Brad Turner's stencils for FIM 2010. Get them here.

Great job, Brad...

Monday, August 9, 2010

Want to create your own custom workflow in FIM 2010?

If you're interested in creating your own workflow activity for FIM 2010, you should definitely check out this link. It's an excellent walk-through that'll get you started. To see the walk-through visit this link

FIM 2010 Housekeeping

One issue that is always going to be present is the cleaning of your requests in FIM - like your Run History in the Synchronization Service. Brad Turner did a good blog on this based on input from Henrik Nilsson.

You really should read this in order to keep your SQL administrators happy... and the performance of FIM good.

Monday, July 19, 2010

Available Management Agents

Great post from Brjann Brekkan (http://blogs.technet.com/b/identitymanagement/archive/2010/07/17/fim-management-agents-from-partners.aspx) listing currently available Management Agents for FIM. That hard part is choosen the right partner for delivering the Management Agent to you - an since there are many partners supplying the "same" type of Management Agent, my guess would be to choose one that you feel comfortable with and that may have provided you with good service in the past - but hey, my guess is as good as yours.

Good luck choosen - and let me know if there is an MA that you might be missing; I may have it "in stock" or be prepared to write it for you...

Friday, April 16, 2010

Installing Password Reset Client

Did a proof of concept a little while ago at a customer. We needed to install the password reset client and this was done quickly.
When asked to enter the FIM server name, the server name was prefix with 'http://' as the documentation says. The installation program accepted this and we continued on our quest to reset some passwords.
However, when trying to enroll a user, we kept getting a error message saying "An error occurred. If this continues please contact your system administrator".
We double-checked MPRs, ports, firewalls and everything. Even tried out Fiddler to check for network traffic and found nothing interesting. Finally, checked registry and sure enough, a strange URL had been written to the address value during installation to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet. The value said http://http//servername:5725/ instead of http://servername:5725/

Once we changed this, we were in business. Some lesson learned, ONLY specify the servername during installation, do not prefix with http og https. If you are on x64 machine, also change the corresponding settings in the 32-bit registry hive. Remember to restart FIMPasswordReset service after that.

Hopefully, Microsoft catches this and does some input validation in upcoming service packs.

Thursday, March 25, 2010

Changing trial version to valid version

A customer of mine asked me if they could turn the trial version of FIM 2010 into a valid version if and when they decided to move on from a Proof of Concept workshop.

Now, during installation of the trial version, you are not presented with the option to enter a product key nor is there anywhere that you can enter a product key after installation (not that I've found anyway). I asked my "colleagues" in the forum the question and they provided some good answers. Simultaneously, I asked through my channels at Microsoft and got an answer that hopefully you'll found useful as well.

The Microsoft answer was: "There are two components which will timeout, the FIM Synchronization Service and FIM Certificate Management. The key is in included in the installation so you move from Eval to VL is by uninstalling Eval and install VL media. The configuration is stored in the database(s) so you do not lose any information in the upgrade. As usual, take a backup before you start and make sure you have a copy of the encryption keys for Sync."

See the thread in the forum here - http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b0764edf-95ff-4b4a-89a9-47ef4dce9d45

So go ahead, make appropriate backups of data and encryption keys and turn your trial into the real deal after purchasing a valid license.

I did this in our environment this evening and now I'll have to wait for 158 days to see if there is a hidden "gem" in the FIM Portal that someone didn't tell me about. I'll post an update if there are any news in the matter.

Have fun...

Saturday, March 20, 2010

Features of a Home Directory Management Agent?

I'm currently working on a Management Agent for provisioning and deprovisioning home directories (and other directories) for users in ILM / FIM environments. I do a lot of Proof of Concepts and a typical scenario is home folder handling. Therefore I'm working on building a generic homefolder MA that rocks and is highly customizable. Some basic features currently are -
  1. Create and apply ACLS for user
  2. Move / rename based on, i.e. sAMAccountName
  3. Deletion / removal
I'd very much like some additional feature that you see customers may need in the real world. I'll make the MA generally available for testing / PoC's when I'm done.

Tuesday, March 16, 2010

Move object in Active Directory by flowing dn

I had some trouble moving user objects in Active Directory by flowing a new distinguished name (DN) by using Outbound Synchronization Rule to my AD Management Agent. All my attribute flow where working just fine, it was just the moves / renames that wasn't getting through. I had a hard time figuring out the error.

Turned out that one of the attributes that I used for concatenating the new DN had no value (null) and this "broke" the entire concatenation of the string for the new DN without leaving any errors / trace.

Anyway, lesson learned and stored on this blog for future use :-) - see thread in forum here http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/5c5b8c29-658b-4bf1-91b0-0f972a6f8384

Tuesday, March 9, 2010

Outbound Synchronization Rules not getting applied

I was struggling with my Outbound Synchronization Rules not getting applied for user in my Active Directory, but they were getting applied for my groups. And sometimes you just can't see the forest for the trees.

On my FIM MA I didn't import the ExpectedRulesList attribute to the metaverse, so how would FIM know which attributes to synchronize..

Gods of IdM - please forgive me for this stupid mistake; lesson learned ... doublecheck your flow to and from the FIM Portal if you're using codeless provisioning.

Monday, March 8, 2010

Uniqueness check

Came across this post to check for uniqueness of i.e. sAMAccountName / username (http://blogs.dirteam.com/blogs/jorge/archive/2009/12/10/checking-uniqueness-of-an-attribute-in-fim-2010-during-the-create-process.aspx)

Great post..!

Bug in FIM 2010?

Update on this:
Just an update on this; word has it that there is a hotfix being tested right now and it should be released by the end of January 2011.
------
I may have found a bug in FIM 2010. I'm synchronizing usernames from my HR system all in uppercase, however one of my users have been previuosly created through the FIM portal with a lowercase username / accountname. Now when I export the uppercase username to FIM, I get an Export Statistic that says that it went okay. However, doing a confirming import, I get the lowercase username back resulting in an exported change not reimported error? I've doublechecked my rules for any function or similar that might affect this but didn't find any. And now I'm seing this with an email address that have been changed from mixed case to all lowercase.

Have anyone else tried this and got an 'exported-change-not-reimported'?

I'll try to go through my usual "inside" channels and report this possible error.

Saturday, March 6, 2010

Scheduling FIM 2010 without MASequencer

UPDATE: Check out the MARunScheduler for FIM (get it here)

I don't know about you, but I've been unable to find an MASequencer for 64-bit. Therefore, for now, I've decided to use VBScript for scheduling my Synchronization Service runs. I've made a little "framework" below.

Remember to replace the guid's within the WMI select statements with your own MA guid's

'FIMCycle.vbs'

Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root/MicrosoftIdentityIntegrationServer")

Set FIM = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{2B299011-65BA-4DD5-9A59-9BAF8A5C5332}'")
Set AD = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{B906936E-742D-4551-8C07-2FE4B72C4795}'")
Set HR = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{9CA3F96C-300A-4EFB-8246-89EDBC4047E5}'")

' main processing
ClearRuns(1)
Run HR, "Full Import and Full Sync"
Run FIM, "Delta Import and Delta Sync"
Run AD, "Delta Import and Delta Sync"

Run FIM, "Export"

'allow for FIM to do some processing
Wait 5


Run FIM, "Delta Import and Delta Sync"
Run HR, "Export"
Run AD, "Export"

Sub Wait(Seconds)
  WScript.Echo "Waiting " & Seconds & " seconds..."
  WScript.Sleep(Seconds*1000)
End Sub

Sub Run(MASet, Profile)
  For Each MA In MASet
    WScript.Echo "Running " + MA.name + ".Execute('" & Profile & "')..."
    WScript.Echo "Run completed with result: " + MA.Execute(Profile)
  Next
End Sub
Sub ClearRuns(DaysAgo)

  Set Server = Service.Get("MIIS_Server.Name='localhost'")
  DeleteDate = FormatDateTime(Now()-DaysAgo, 2)
  WScript.Echo "Deleting Run Histories from " & DeleteDate
  WScript.Echo "Result: " & Server.ClearRuns(DeleteDate)
End Sub

Thursday, March 4, 2010

Exporting EmployeeStartDate to FIM 2010 Portal

Little documented is the date format of the EmployeeStartDate and the EmployeeEndDate in Forefront Identity Manager 2010.

If you look into the date format of the attributes of a user in the portal it self, it'll tell you that the format is M/d/yyyy hh:mm tt. Feeding the FIM MA this format will make it "sick".

The correct format would be to se the builtin function DateTimeFormat in the Inbound Synchronization Rule and use the function DateTimeFormat, so that the end result would be:

DateTimeFormat(HireDate,"yyyy-MM-ddTHH:mm:ss.000")

Here is a screenshot with an Inbound Flow Rule from a live installation doing just that (or close to, as I want a specific time stamp to go into the portal, but you should get the idea) -


This will convert a SQL DateTime attribute (HireDate) to the format the FIM portal wants it in.