FIM Reporting Extract, Transform and Load (ETL) process

With the release of FIM 2010 R2, Microsoft introduced reporting capability into Forefront Identity Manager 2010 via the System Center Service Manager (SCSM) Data Warehousing capabilities.

Paul Williams over at Microsoft has just released a great article on the FIM Reporting Extract, Transform and Load (ETL) process within FIM 2010 R2, and it’s well worth a read.

For those that are new to FIM Reporting (all of us!), this is a great overview of how data moves between the FIM Services and the SCSM data warehouse and is helpful if you’re looking at setting up and configuring FIM Reporting.

Posted in FIM Reporting, FIM System Center Service Manager 2012

Microsoft Releases FIM 2010 R2 BHOLD Documentation

With the release of FIM 2010 R2, Microsoft integrated the BHOLD product it had acquired into the FIM 2010 product suite. However, until now there hasn’t been a great deal of documentation available for anyone looking to implement BHOLD. It was recently noted on Twitter that Microsoft had updated its BHOLD documentation:

BHold Core Operations Guide - this “provides administering and managing information for day-to-day operations of Microsoft BHOLD Core”, contains an “Introduction to administering BHOLD Core” that gives a general overview of BHOLD Core, and a more comprehensive “Administering BHOLD Core” guide, which contains detailed tasks and procedures to accomplish BHOLD objectives and strategies.

BHold Attestation Operations Guide - Similar to above, this “provides administering and managing information for initial and day-to-day operations of Microsoft BHOLD Attestation” and contains an “Introduction to administering BHOLD Attestation” as well as an “Administering Microsoft BHOLD Attestation” guide.

FIM 2010 R2 BHOLD Developer Reference - handy for all those developers out there, this contains everything a developer needs to know to connect to BHOLD’s Web service API in order to create custom applications that can interact with BHOLD (either in .NET or through ASP/VBScript).

The release of this documentation is definitely a huge step forward in the product lifecycle of BHOLD, and makes it a lot more usable for those of us that have to implement it!


Posted in BHOLD, FIM2010 R2

FIM 2010 R2 Hotfix (4.1.3441.0) Available

On April 22, 2013, Microsoft released Hotfix 4.1.3441.0 for Forefront Identity Manager 2010 R2. This hotfix features a number of issue fixes, as well as a couple of new features around the MetadirectoryServicesEx.dll and the ECMA framework. The hotfix can be downloaded here.

Peter Geelen (Microsoft) has updated the FIM 2010 Build Overview wiki article with a summary of the changes in this release:

FIM Sync

  • Issues Fixed
    • AD MA) would stop if there was an issue during Exchange provisioning
    • PCNS, the setting for the password source
    • stopped-ma” error on FIMMA on delta import
    • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
    • error returned on object during add in ECMA2
    • Schema Refresh on an ECMA2 Connector
    • export-only ECMA2 did not correctly handle errors “The image or delta doesn’t have an anchor.”
    • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a “stopped-server” error.
    • Adding a value to a reference value by using scripted code throws an error “Object reference not set to an instance of an object” because of a regression in FIM 2010 R2 SP1
    • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
  • New features
    • The Synchronization Service’s contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
    • This release includes ECMA2.2 which has several new features added.

FIMCM

  • Fixed
    • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
    • The ability to print photos is added by using ID Works.
    • Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

SSPR

  • Fixed
    • If a new password has a string that might violate the ASP.NET request validator such as “<script>”, the operation would fail with the exception “A potentially dangerous Request.Form value was detected from the client”.

BHOLD

  • Fixed
    • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.

Nothing too interesting in this release, unless you were having specific problems. However, the new ECMA 2.2 release is worth checking out, as there is a new “capabilities” page during configuration. According to Microsoft, it is now possible to ask the user for information and connect to the target directory and use that information for the Connector’s capabilities. It will be interesting to see how this can be applied. Increased LDAP DN support has also been added, as well as improved handling of delete/update operations during delta imports. Additional details can be found on the Microsoft Developer Network (MSDN) website for ECMA2.

Posted in FIM Hotfixes, Service Packs & Updates

Unify Solutions run FIM Event Broker 3.1 Webinar

Former employers of mine, Unify Solutions, recently released version 3.1 of their FIM Event Broker product, and ran a launch webinar to showcase the features of this product. If you missed it, they just released it on youtube this morning:

If you’re unfamiliar with FIM Event Broker, it’s essentially an automation tool for the FIM Synchronization Service – but with some smarts. The core premise behind FIM Event Broker seems to be “Event Driven Identity Management” – and when configured properly, it will allow your FIM Sync operations to run in response to events in target systems, rather than on a schedule.

New user added to HR? FIM Event Broker will detect that and run an import. Change made in the FIM Portal? FIM Event Broker will detect that and run an import. Changes in one system require an export to another target system? FIM Event Broker has that covered too.

Definitely an interesting product, and there’s certainly some benefit in reducing overall throughput time of identity changes, and also the number of operations performed. However, you’d have to assess how much of a benefit having event driven sync operations would have within your organisation, when compared against the regular scheduled approach most people go by. For more information about FIM Event Broker, including how to download a trial, visit the Official Website.

Posted in FIM Event Broker, FIM Resources, FIM Tools, FIM Webinars

FIM2010 R2 SP1 now supported on Azure IaaS (IdMaaS?)

Paul Williams over at Microsoft announced yesterday on his blog that Windows Azure Infrastructure as a Service (IaaS) has now gone into General Availability.

With that release, Paul points to a KB article (KB2721672) that indicates FIM 2010 R2 SP1 is now a supported product on Windows Azure Virtual Machines.

There are some limitations, and some considerations which need to be made, which Paul discusses, but this is certainly very exciting, as it’s the first time that Microsoft has officially supported FIM in the cloud.

“Identity Management as a Service” (IdMaaS) was something covered at this year’s Redmond Identity Summit, and with FIM in the cloud now becoming a reality, we’re likely to see a lot of knowledge growth in this area over the next few months as it begins to be adopted. Expect to see a lot of lessons learnt by early adopters, especially in the realm of “what not to do”.

Posted in Azure Active Directory, IdMaaS

What is FIM Best Practice?

I was having a conversation with some other FIM Consultants recently about a particular site I’d been working on, and the attempts I’d made at enforcing FIM Best Practice. At this, one of them asked me, “Well, what do you consider to be FIM Best Practice?”.

My answer to him at the time was, “Well, in this particular site, Best Practice is whatever I say it is.”

Realising that my answer sounded a little abrupt, I hastened to clarify that it wasn’t so much that “What Ross says goes”, but that in lieu of formally published best practices from Microsoft, my understanding of what constitutes best practice in FIM is the culmination of my experience. As such, what I consider to be best practice may not align with what others believe.

When I talk about “culmination of my experience”, I’m really talking about several key things:
1) My own experience at deploying solutions as a FIM Consultant and learning the software inside-out
2) The “way of doing things” that was taught to me in the companies I’ve worked for, and by the people I’ve worked with
3) The knowledge that’s shared by the FIM community contributors through blogs, Technet Forum posts, conferences, etc.

I’ve seen several people try to clarify FIM Best Practices, such as Dave Lundell with his aptly named book, FIM Best Practices, and blog of the same name, or my former colleague Carol Wapshere’s recent series of posts on her blog. But we have to remember that even these are based on their own experiences architecting and deploying FIM solutions, rather than a published Microsoft standard.

Another former colleague of mine, Bob Bradley, recently questioned whether FIM Best Practice was just a pipe dream, and proposed the notion that best practice could only be achieved through “community-conscious consultants collaborating to establish a peer-moderated knowledge base which is continually revisited, questioned and steadily improved over time.” I think that’s a noble notion, but perhaps not a practical one – and Bob even observes that this is his Utopia.

While Microsoft certainly encourages community contribution, even going so far as to only award its coveted MVP status to experts that make an active community contribution, organisations can sometimes be critical of consultants seen to be giving away too much intellectual property, or too much of their time away, for free. And many experts may have no interest in giving up their time contributing to the community.

When it comes to FIM, if you want to follow Best Practice, then you need to not only follow what the current trend is in the community, but also be willing to give back to it with your own practices – and to be prepared to have your “way of doing things” challenged by others working in the field, just as you should challenge theirs, and add new “ways of doing things” of your own into the community knowledge base.

Posted in FIM Best Practice

An error occurred while enumerating the filter ‘/group[DisplayedOwner='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']’

Seems to be the week for silly errors. I was working on a custom workflow activity today, where I want to retrieve any group that has a particular DisplayedOwner, but kept getting the following error when the workflow was trying to use the Enumerate Resources Activity to search for a group:

System.InvalidOperationException: An error occurred while enumerating the filter ‘/group[DisplayedOwner='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']’. —> Microsoft.ResourceManagement.WorkflowDataExchangeException: System.InvalidOperationException: Schema retrieval failed.

The issue here is that the XPath filter is actually case sensitive and “group” is not the same as “Group”, which is what the resource type is actually called. It was a simple matter to create a test set using the filter ‘/group[DisplayedOwner='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']’.

What was not so silly, however, is that the ‘group’ value was specified as part of a workflow configuration – the particular WF being executed could take a number of different object types as a configurable parameter in the Workflow Activity configuration. To fix this, all I had to do was change my ‘group’ parameter to ‘Group’… however, when I did, it somehow got renamed back to ‘group’ – even if I changed it to something else (successfully) and then back again. In other words, my workflow configuration showed my parameter as ‘Group’, but the error above was still being thrown – but if I changed it to ‘Groupd’, the expected error contained ‘Groupd’.

The only way to actually get it to change to a capital ‘G’ was to change the order on the workflow. It was as if that parameter was cached somehow, so there must be something funny going on with the XOML here.

Posted in FIM Troubleshooting

Cannot insert duplicate key row in object ‘fim.ObjectValueReference’ with unique index ‘IX_ObjectValueReference_ObjectKey_AttributeKey-Filtered_Multivalued’.

I was working on a custom workflow activity today that was using the Update Resource activity to update a multivalue field in an object. Unfortunately, the request was coming up as ‘failed’ and in the Event Viewer, I was seeing the following error:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other —> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure UpdateResource, Line 515, Message: Cannot insert duplicate key row in object ‘fim.ObjectValueReference’ with unique index ‘IX_ObjectValueReference_ObjectKey_AttributeKey-Filtered_Multivalued’. The duplicate key value is (9101, 87654).

When I investigated the [fim].[UpdateResource] stored procedure and [fim].[ObjectValueReference] in the FIMService database, I could see that 9101 correlated to the object I was trying to update and that 87654 correlated to the multivalue attribute I was trying to update. Next I looked at my code, and it all seemed to be as I expected:

[Screenshot: update parameters insert]


Lastly, I looked at my schema... and sure enough, my attribute wasn’t flagged as multivalue – somewhere in re-creating my schema, I’d forgotten to check that box. Deleting and re-creating the attribute and its binding resolved my issue, as well as another issue I had when I was trying to read the attribute back – because clearly you can’t read a list of UniqueIdentifiers from a single-value attribute.

Silly mistake, so why do I share it here? Because someone out there may Google this error one day, and this might help them.
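Both of the troubleshooting posts above come down to a mismatch between what a workflow activity was configured with and what the FIM Service schema actually holds: a resource-type name in the wrong case, and a multi-value write to an attribute whose binding was never flagged Multivalued. As an added example (not code from either post, nor from Microsoft's FIM Service), the following Python helper runs both pre-flight checks against a constructed miniature of the schema before an activity would call Enumerate Resources or Update Resource. The SCHEMA dictionary, the function names and the filter shape it parses are all constructed for this example; applying the same exact-case rule to the predicate's attribute name is an assumption extended from the post, which only states it for the resource type.

```python
"""Pre-flight checks for FIM workflow activity parameters (added example).

The schema below is a constructed stand-in for what the FIM Service would
return: ObjectType name -> {bound attribute name -> Multivalued flag}.
Names are treated as case sensitive, exactly as the FIM XPath filter does
("group" is not "Group").
"""
import re

SCHEMA = {
    "Group": {"DisplayedOwner": False, "ExplicitMember": True, "DisplayName": False},
    "Person": {"AccountName": False, "ProxyAddressCollection": True},
}

# /ObjectType[predicate] is the only filter shape this helper understands.
_FILTER_RE = re.compile(r"^/(?P<type>[A-Za-z_][A-Za-z0-9_]*)(?:\[(?P<pred>.*)\])?$")
# Attribute='value' is the only predicate shape it inspects.
_PRED_RE = re.compile(r"^(?P<attr>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*'[^']*'$")


def check_filter(xpath_filter, schema=SCHEMA):
    """Return (ok, message) for an Enumerate Resources filter.

    Rejects a resource type that is not in the schema with the exact case,
    and names the exact-case type when only the casing differs, so the
    configuration error is visible before "Schema retrieval failed" is.
    """
    m = _FILTER_RE.match(xpath_filter)
    if not m:
        return False, f"unrecognised filter shape: {xpath_filter!r}"
    rtype = m.group("type")
    if rtype not in schema:
        # Case-insensitive lookup is used only to build a helpful message;
        # the FIM Service itself would simply fail to find the type.
        near = [name for name in schema if name.lower() == rtype.lower()]
        if near:
            return False, (f"resource type {rtype!r} is not in the schema; "
                           f"did you mean {near[0]!r}? (XPath is case sensitive)")
        return False, f"resource type {rtype!r} is not in the schema"
    pred = m.group("pred")
    pm = _PRED_RE.match(pred) if pred else None
    if pm and pm.group("attr") not in schema[rtype]:
        # Assumption: attribute names in the predicate must match exactly too.
        return False, f"attribute {pm.group('attr')!r} is not bound to {rtype!r}"
    return True, f"filter on {rtype!r} looks consistent with the schema"


def check_multivalue_update(rtype, attribute, values, schema=SCHEMA):
    """Return (ok, message) for an Update Resource call that writes the list
    `values` to `attribute` on `rtype`.

    Writing two or more values to a single-valued binding is the situation
    that ends in the IX_ObjectValueReference_..._Multivalued duplicate-key
    error from fim.UpdateResource.
    """
    bindings = schema.get(rtype)
    if bindings is None:
        return False, f"unknown resource type {rtype!r}"
    if attribute not in bindings:
        return False, f"{attribute!r} is not bound to {rtype!r}"
    if len(values) > 1 and not bindings[attribute]:
        return False, (f"{rtype}.{attribute} is single-valued; tick Multivalued "
                       f"on the attribute and re-create its binding")
    return True, f"{rtype}.{attribute} accepts {len(values)} value(s)"


if __name__ == "__main__":
    # Constructed inputs mirroring the two posts.
    print(check_filter("/group[DisplayedOwner='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']"))
    print(check_filter("/Group[DisplayedOwner='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']"))
    print(check_multivalue_update("Group", "DisplayedOwner", ["guid-1", "guid-2"]))
    print(check_multivalue_update("Group", "ExplicitMember", ["guid-1", "guid-2"]))
```

In a real activity the SCHEMA dictionary would be populated from the FIM Service schema rather than hard-coded, but the two checks stay the same: an exact-case lookup for the resource type before enumerating, and a Multivalued check on the binding before handing a list to Update Resource.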

Posted in FIM Troubleshooting

Microsoft Releases SharePoint User Profile, Generic LDAP and PowerShell Connectors to Connect

On March 28, 2013, Microsoft put out Release Candidates for several new FIM Synchronization Service Connectors, including:

  • SharePoint User Profile Connector
  • Generic LDAP Connector for Open LDAP
  • PowerShell Connector

The Release Candidate downloads are available via Microsoft Connect, along with the necessary upgrades to the FIM Sync Service, a technical reference for the SharePoint/LDAP connectors and some sample scripts (primarily SharePoint-related) for PowerShell.

These three connectors are probably three of the most-demanded connectors, and candidates for custom connectors, so it’s good to see Microsoft taking a proactive approach in developing these.

Note that the connectors are still in Release Candidate only, so you shouldn’t be installing them in a production environment yet.

Posted in ECMA2, FIM Connectors, FIM Hotfixes, Service Packs & Updates, FIM Release Candidates, FIM Resources, FIM xMA

OCG Releases Splunk for FIM

If you’re not familiar with Splunk (I wasn’t), it’s essentially an Enterprise monitoring and reporting tool that produces reports based on data generated by IT systems. According to the Splunk website, “it’s the easy, fast and resilient way to collect, analyze and secure the massive streams of machine data generated by all your IT systems and technology infrastructure.” If you can see how this might be used in a FIM context, then you’re not alone, because Oxford Computer Group have just released the Splunk for FIM App.

Announced on LinkedIn over the Easter Weekend by Sjef Van Leeuwen (Lead Software Developer at OCG), the Splunk for FIM app not only provides a dashboard for monitoring FIM operations, but also includes historic user and group data – allowing you to look at a group or user at a given point in time.

I haven’t installed Splunk yet, but plan to do so in the coming weeks and will add my review to the appropriate page in my FIM Tools section once I’ve had a chance to take a real look at it.

Posted in FIM Resources, FIM Tools