Microsoft Releases Windows Azure Active Directory Management Agent

For those that missed the announcement last week, Microsoft’s DirSync and FIM Sync teams have released an evaluation version of their new Windows Azure Active Directory Connector.

Available through Microsoft Connect, this replaces the Office 365 connector which was previously available only through Microsoft Consulting Services and select Microsoft partners.

It is an ECMA2 connector intended for cases where DirSync can’t be used; Microsoft still recommends DirSync as the primary option.

This Management Agent is currently in evaluation stage only, however Microsoft is looking for clients that are willing to install it into production as part of their Technology Adoption Program. So, if you’re running FIM and Azure Active Directory in your organisation, this is probably a pretty good opportunity as they are offering production support as part of the TAP. Interested parties can contact Andreas Kjellman at Microsoft.

Any further queries should probably be directed to the Microsoft FIM 2010 Forum post covering the launch of the Windows Azure Active Directory connector that I ripped most of this information from.

Posted in Azure Active Directory, FIM Connectors

Forefront Identity Manager 2010 R2 hotfix rollup 4.1.3451.0 Available

This week, Microsoft has released hotfix rollup 4.1.3451.0 for FIM 2010 R2, which you can download from KB2849119.

This update fixes a few minor issues, detailed in the KB article, which I have kindly provided the summaries for below:

FIM Synchronization Service

Issue 1

Password management operations fail because the path for the cached version of the extension .dll file is too long. This problem also affects the WebService connector that is included in Forefront Identity Manager 2010 R2.

Issue 2

In certain cases in which the Synchronization Service processes ancestors, memory leaks occur.

FIM Certificate Management

Feature 1

This update adds the ability in the SubjectAltName policy to specify the RegisteredID alternate name in the Subject Alternate Name entry when a certificate request is issued.


Issue 1

If you have Microsoft System Center Service Manager 2012 Service Pack 1 (SP1) installed, and you try to run a change-mode installation for FIM Service and Portal, the installation fails.

When you install FIM Reporting on a new server that has Service Manager 2012 SP1 installed, follow these steps:

  1. Install the FIM 2010 R2 SP1 FIMService component. To do this, clear the Reporting check box.

  2. Upgrade the FIMService installation to build 4.1.3451.0.

  3. Run the change-mode installation for the FIMService, and then add Reporting.

Posted in FIM Hotfixes, Service Packs & Updates, FIM System Center Service Manager 2012, FIM2010 R2

FIM Calendar by Alexey Skalozub

I was having a poke around on the web today and just noticed FIM Calendar by Alexey Skalozub, who we had previously highlighted for his fantastic FIM Delta tool.

One of the biggest frustrations that I think many people have with FIM Portal is that features we’ve come to expect from modern web applications just aren’t there. For example, although even the most basic websites these days can have a date picker on them, FIM Portal forces you to enter a date manually.

But not anymore!

Alexey has created FIM Calendar, which allows you to add familiar jQuery datepickers to the FIM Portal.

Maybe not the most exciting thing that’s going to happen to me today, but still pretty cool!

Check out FIMCalendar on github for more information.

Posted in FIM Calendar, FIM Tools

FIM Reporting Extract, Transform and Load (ETL) process

With the release of FIM 2010 R2, Microsoft introduced reporting capability into Forefront Identity Manager 2010 via the System Center Service Manager (SCSM) Data Warehousing capabilities.

Paul Williams over at Microsoft has just released a great article on the FIM Reporting Extract, Transform and Load (ETL) process within FIM 2010 R2, and it’s well worth a read.

For those that are new to FIM Reporting (all of us!), this is a great overview of how data moves between the FIM Services and the SCSM data warehouse and is helpful if you’re looking at setting up and configuring FIM Reporting.

Posted in FIM Reporting, FIM System Center Service Manager 2012

Microsoft Releases FIM 2010 R2 BHOLD Documentation

With the release of FIM 2010 R2, Microsoft integrated the BHOLD product it had acquired into the FIM 2010 product suite. However, until now there hasn’t been a great deal of documentation available for anyone looking to implement BHOLD. Just recently, it was noted on Twitter that Microsoft had updated its BHOLD documentation:

BHold Core Operations Guide – this “provides administering and managing information for day-to-day operations of Microsoft BHOLD Core”, contains an “Introduction to administering BHOLD Core” that gives a general overview of BHOLD Core, and a more comprehensive “Administering BHOLD Core” guide, which contains detailed tasks and procedures to accomplish BHOLD objectives and strategies.

BHold Attestation Operations Guide – Similar to above, this “provides administering and managing information for initial and day-to-day operations of Microsoft BHOLD Attestation” and contains an “Introduction to administering BHOLD Attestation” as well as an “Administering Microsoft BHOLD Attestation” guide.

FIM 2010 R2 BHOLD Developer Reference – handy for all those developers out there, this contains everything a developer needs to know to connect to BHOLD’s Web service API in order to create custom applications that can interact with BHOLD (either in .NET or through ASP/VBScript).

The release of this documentation is definitely a huge step forward in the product lifecycle of BHOLD, and makes it a lot more usable for those of us that have to implement it!


Posted in BHOLD, FIM2010 R2

FIM 2010 R2 Hotfix (4.1.3441.0) Available

On April 22, 2013, Microsoft released Hotfix 4.1.3441.0 for Forefront Identity Manager 2010 R2. This hotfix features a number of issue fixes, as well as a couple of new features around the MetadirectoryServicesEx.dll and the ECMA framework. The hotfix can be downloaded here.

Peter Geelen (Microsoft) has updated the FIM 2010 Build Overview wiki article with a summary of the changes in this release:

FIM Sync

  • Issues Fixed
    • AD MA) would stop if there was an issue during Exchange provisioning
    • PCNS, the setting for the password source
    • “stopped-ma” error on FIMMA on delta import
    • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
    • error returned on object during add in ECMA2
    • Schema Refresh on an ECMA2 Connector
    • export-only ECMA2 did not correctly handle errors “The image or delta doesn’t have an anchor.”
    • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a “stopped-server” error.
    • Adding a value to a reference value by using scripted code throws an error “Object reference not set to an instance of an object” because of a regression in FIM 2010 R2 SP1
    • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
  • New features
    • The Synchronization Service’s contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
    • This release includes ECMA2.2 which has several new features added.

FIM Certificate Management

  • Fixed
    • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
    • The ability to print photos is added by using ID Works.
    • Advanced search in Bulk Client does not work as expected when more than 1,000 results is returned from Active Directory.
  • Fixed
    • If a new password has a string that might violate the ASP.NET request validator such as “<script>”, the operation would fail with the exception “A potentially dangerous Request.Form value was detected from the client”

BHOLD

  • Fixed
    • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.

Nothing too interesting in this release, unless you were having specific problems. However, the new ECMA 2.2 release is worth checking out, as there is a new “capabilities” page during configuration. According to Microsoft, it is now possible to ask the user for information, connect to the target directory, and use that information to determine the Connector’s capabilities. It will be interesting to see how this can be applied. Increased LDAP DN support has also been added, as well as improved handling of delete/update operations during delta imports. Additional details can be found on the Microsoft Developer Network (MSDN) website for ECMA2.

Posted in FIM Hotfixes, Service Packs & Updates

Unify Solutions run FIM Event Broker 3.1 Webinar

Former employers of mine, Unify Solutions, recently released version 3.1 of their FIM Event Broker product, and ran a launch webinar to showcase the features of this product. If you missed it, they just released it on YouTube this morning:

If you’re unfamiliar with FIM Event Broker, it’s essentially an automation tool for the FIM Synchronization Service – but with some smarts. The core premise behind FIM Event Broker seems to be “Event Driven Identity Management” – and when configured properly, it will allow your FIM Sync operations to run in response to events in target systems, rather than on a schedule.

New user added to HR? FIM Event Broker will detect that and run an import. Change made in the FIM Portal? FIM Event Broker will detect that and run an import. Changes in one system require an export to another target system? FIM Event Broker has that covered too.

Definitely an interesting product, and there’s certainly some benefit in reducing overall throughput time of identity changes, and also the number of operations performed. However, you’d have to assess how much of a benefit having event driven sync operations would have within your organisation, when compared against the regular scheduled approach most people go by. For more information about FIM Event Broker, including how to download a trial, visit the Official Website.

Posted in FIM Event Broker, FIM Resources, FIM Tools, FIM Webinars

FIM2010 R2 SP1 now supported on Azure IaaS (IdMaaS?)

Paul Williams over at Microsoft announced yesterday on his blog that Windows Azure Infrastructure as a Service (IaaS) has now gone into General Availability.

With that release, Paul points to a KB article (KB2721672) that indicates FIM 2010 R2 SP1 is now a supported product on Windows Azure Virtual Machines.

There are some limitations, and some considerations which need to be made, which Paul discusses, but this is certainly very exciting, as it’s the first time that Microsoft has officially supported FIM in the cloud.

“Identity Management as a Service” (IdMaaS) was something covered at this year’s Redmond Identity Summit, and with FIM in the cloud now becoming a reality, we’re likely to see a lot of knowledge growth in this area over the next few months as it begins to be adopted. Expect to see a lot of lessons learnt by early adopters, especially in the realm of “what not to do”.

Posted in Azure Active Directory, IdMaaS

What is FIM Best Practice?

I was having a conversation with some other FIM Consultants recently about a particular site I’d been working on, and the attempts I’d made at enforcing FIM Best Practice. At this, one of them asked me, “Well, what do you consider to be FIM Best Practice?”.

My answer to him at the time was, “Well, in this particular site, Best Practice is whatever I say it is.”

Realising that my answer sounded a little abrupt, I hastened to clarify that it wasn’t so much that “What Ross says goes”, but that in lieu of formally published best practices from Microsoft, my understanding of what constitutes best practice in FIM is the culmination of my experience. As such, what I consider to be best practice may not align with what others believe.

When I talk about “culmination of my experience”, I’m really talking about several key things:
1) My own experience at deploying solutions as a FIM Consultant and learning the software inside-out
2) The “way of doing things” that was taught to me in the companies I’ve worked for, and by the people I’ve worked with
3) The knowledge that’s shared by the FIM community contributors through blogs, Technet Forum posts, conferences, etc.

I’ve seen several people try to clarify FIM Best Practices, such as Dave Lundell with his aptly named book, FIM Best Practices, and blog of the same name, or my former colleague Carol Wapshere’s recent series of posts on her blog. But we have to remember that even these are based on their own experiences architecting and deploying FIM solutions, rather than a published Microsoft standard.

Another former colleague of mine, Bob Bradley, recently questioned whether FIM Best Practice was just a pipe dream, and proposed the notion that best practice could only be achieved through “community-conscious consultants collaborating to establish a peer-moderated knowledge base which is continually revisited, questioned and steadily improved over time.” I think that’s a noble notion, but perhaps not a practical one – and Bob even observes that this is his Utopia.

While Microsoft certainly encourages community contribution, even going so far as to only award its coveted MVP status to experts that make an active community contribution, organisations can sometimes be critical of consultants seen to be giving away too much intellectual property, or too much of their time, for free. And many experts may have no interest in giving up their time to contribute to the community.

When it comes to FIM, if you want to follow Best Practice, then you need to not only follow the current trend in the community, but also be willing to give back to it with your own practices – and to be prepared to have your “way of doing things” challenged by others working in the field, just as you should challenge theirs, and add new “ways of doing things” of your own into the community knowledge base.

Posted in FIM Best Practice

An error occurred while enumerating the filter ‘/group[DisplayedOwner=’XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’]’

Seems to be the week for silly errors. I was working on a custom workflow activity today, where I want to retrieve any group that has a particular DisplayedOwner, but kept getting the following error when the workflow was trying to use the Enumerate Resources Activity to search for a group:

System.InvalidOperationException: An error occurred while enumerating the filter ‘/group[DisplayedOwner=’XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’]’. —> Microsoft.ResourceManagement.WorkflowDataExchangeException: System.InvalidOperationException: Schema retrieval failed.

The issue here is that the Xpath filter is actually case sensitive and “group” is not the same as “Group”, which is what the resource type is actually called. It was a simple matter to create a test set using the filter ‘/group[DisplayedOwner=’XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’]’.

What was not so silly, however, is that the ‘group’ value was specified as part of a workflow configuration – the particular WF being executed could take a number of different object types as a configurable parameter in the Workflow Activity configuration. To fix this, all I had to do was change my ‘group’ parameter to ‘Group’… however when I did, it somehow got renamed back to ‘group’ – even if I changed it to something else (successfully) and then back again. In other words, my workflow configuration showed my parameter as ‘Group’, but the error above was still being thrown – but if I changed it to ‘Groupd’, the expected error contained ‘Groupd’.

The only way to actually get it to change to a capital ‘G’ was to change the order on the workflow. It was as if that parameter was cached somehow, so there must be something funny going on with the XOML here.
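As an added pre-flight check that is not part of the original post or of FIM itself, the following Python function validates the resource type in a configured XPath filter against schema object type names case-sensitively, and suggests the correctly cased filter when only the casing is wrong. The list of resource type names is a constructed sample of FIM built-in types, not a live read of the FIM Service schema.

```python
import re

# Constructed sample of FIM 2010 R2 built-in resource type names. In a real
# deployment the schema lives in the FIM Service and may contain custom types.
FIM_RESOURCE_TYPES = {
    "Person", "Group", "Set", "Request",
    "WorkflowDefinition", "ManagementPolicyRule", "ObjectTypeDescription",
}

# /ResourceType optionally followed by a [...] predicate, e.g. /Group[DisplayedOwner='...']
FILTER_RE = re.compile(r"^/(?P<type>[A-Za-z_][A-Za-z0-9_]*)(?P<pred>\[.*\])?$")


def check_filter(xpath, schema=FIM_RESOURCE_TYPES):
    """Return (ok, message, corrected_filter).

    ok is True only when the resource type matches a schema name exactly
    (FIM XPath is case sensitive, so 'group' is not 'Group'). When a
    case-insensitive match exists, corrected_filter carries the fixed filter.
    """
    text = xpath.strip()
    m = FILTER_RE.match(text)
    if not m:
        return False, "filter must look like /ResourceType[predicate]", None
    rtype = m.group("type")
    if rtype in schema:
        return True, "ok", text
    # Exact match failed: look for a name that differs only in case so the
    # caller can fix the workflow parameter before it reaches EnumerateResources.
    for name in sorted(schema):
        if name.lower() == rtype.lower():
            fixed = "/" + name + (m.group("pred") or "")
            return False, f"unknown type '{rtype}'; schema has '{name}'", fixed
    return False, f"unknown type '{rtype}'; no schema match", None


if __name__ == "__main__":
    # Placeholder GUID, as in the post; a real DisplayedOwner is an ObjectID.
    sample = "/group[DisplayedOwner='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']"
    print(check_filter(sample))
```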

Posted in FIM Troubleshooting