Disclaimer: The opinions expressed on this blog are my personal opinions and do not express the opinion of my employer, Microsoft, Winsec or any other party.

Microsoft announced further details on the #FIM2010 vNext roadmap (now also known as Microsoft Identity Manager)

Wed 23 Apr 2014


Allow me to condense the announcement by rephrasing it. The full message is available from the references mentioned earlier.


Today the product group provided an update with further details of the FIM 2010 roadmap.

This includes the approach and the investments they are making to enhance the on-premises, private cloud and hybrid cloud identity management solutions.

(quote) “Forefront Identity Manager helps your organization ensure users have appropriate access to corporate information regardless of where it is located—in your datacenter or in the cloud, by providing self-service identity management, automated lifecycle management across heterogeneous platforms, a rich policy framework for enforcing security policies, and detailed audit capabilities.

The approach to the next version of Identity Manager is guided by the following customer feedback and innovation goals:

  • Continue to address risks to critical assets, by enhancing and expanding the available protections for enterprise identity, ensuring the enterprise’s identity infrastructure is resilient to targeted attacks
  • Enable the mobile access scenarios that customers are looking to adopt and manage from a broad range of devices across on-premises and cloud services
  • Connect with Azure Active Directory to integrate with its features and extend the reach of enterprise identity to a range of Software-as-a-Service applications
  • Deliver easy-to-deploy end-to-end scenarios that complement investments in Windows, Office, Microsoft Azure, and Active Directory with end user self-service, delegation and configurable policies

Three major investment areas have been identified for this release of Identity Manager:

  • Hybrid scenarios that leverage cloud-based services delivered in Microsoft Azure, including Multi-Factor Authentication, Azure Active Directory application integration, analytics and reporting
  • Support for the latest platforms and mobile devices with modern user interfaces
  • Improved security with additional controls, analytics and auditing of administrative and privileged user identities and their access to Active Directory, Windows Server and applications


As part of the next release, we will also move Identity Manager under the Microsoft brand, so this release will be known as Microsoft Identity Manager.

More details will be available next month at the TechEd North America 2014 breakout session PCIT-B328, scheduled for May 14th at 5:00 PM US Central time. We will also have more to share later in the year, including timelines for preview programs and the release schedule.

So now #FIM2010 is not FIM any more, it’s MIM.
We need to find a new hash tag, right? #MIM is taken…

Any suggestion? #MIM2015?


New Azure AD Sync (#AADSync) documentation set launched on #TNWiki

Sat 19 Apr 2014

Markus just launched a fresh new set of documents on the new Azure AD Sync (AADSync) tool on TechNet Wiki.

You can find them at this short link: http://aka.ms/AADSync


Check them out and bookmark the short link.

A hotfix rollup package (build 4.1.3510.0) is available for #FIM2010 R2

Fri 18 Apr 2014

Source: http://support.microsoft.com/kb/2934816/en-us

Below are the issues fixed or features added; full details are available in the KB article above.

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, it may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports with a run status of “stopped-server.” Additionally, the following exception is logged in the Forefront Identity Manager event log:

System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.

Issue 2

You use a multivalue attribute in a dynamic set. This dynamic set is used in a Transition Out management policy rule. If two or more elements are removed from the attribute in a single request, and if one of the elements triggers the Transition-Out MPR, the request fails, and you receive the following exception:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other —> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint ‘PK__#1B54B73__5330D0771D3CFFB1′. Cannot insert duplicate key in object ‘dbo.@transitionOutApplicableRuleBuffer’.

Issue 3

When an export run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a “failed-modification-via-web-services” exception can be returned. When you review the details of the exception that is returned, you see that an SQL Deadlock occurred.

FIM Synchronization Service

Issue 1

In the Active Directory management agent, changes to a multivalue attribute such as proxyAddresses are not synchronized to the metaverse in the following scenario:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.


Issue 2

If an exception is thrown by the management agent’s password extension during password synchronization, the password interface at which the exception was thrown is discarded. This can cause high processor usage on the computer that is hosting the FIM Synchronization Service when the computer processes password synchronization to multiple management agents.

After you apply this update, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface. This enables the interface to be reused for another password operation to the connected data source.


BHOLD

Issue 1

If a regular expression policy rule is applied for an ABA role, all applied ABA roles are stuck in the pending state for the users and are never assigned.

Issue 2

If a user has an ABA role, and if you try to change a user attribute that is not related to the ABA role, all ABA roles are again marked for policy validation. Additionally, assigned permissions are removed and assigned back.

Issue 3

When you have more than 500 permissions in BHOLD and search permissions on the Supervised Permissions tab of Default Supervisor Role, no results are returned, and you are returned to the previous page.

Issue 4

When you configure an attribute-based role assignment for a role and then you try to click the Show Impact link in the policies section of a role, you receive the following error message:

Object reference not set to an instance of an object

Issue 5

The SP1 build does not let you re-create a permission that was removed from BHOLD earlier.

Issue 6

When you try to change and save a user without changing the end date, you receive the following error message:

Invalid date format

Issue 7

When you try to move an organization unit in the BHOLD Core Portal, you receive the following warning message:

Session ID missing: The Session ID is not found in URL. You can continue working using the menu at the left

Issue 8

The “User by Role” report cannot be generated after the limit of 50,000 users is reached. Additionally, you receive an “Out of memory” exception.

Issue 9

In the BHOLD Self-Service Portal, the role information screen under the Role Requests-Current Roles tab displays no role descriptions or permission details.

Issue 10

When you log on as a typical end-user in the BHOLD Service Portal, the “My Roles” screen is displayed as an empty page even though the user is assigned with both “active” and “proposed” roles.

Issue 11

The BHOLD – Access Management agent cannot perform full imports because of an SQL time-out issue that occurs when there is a load of more than 50,000 to 100,000 users.

Issue 12

BHOLD cannot add permissions to a user by using the BHOLD Connector after these permissions are denied.

Issue 13

When a steward in the BHOLD Attestation portal has multiple resources to attest and is working on approving or denying permissions for one user, other permissions for a different user are changed in the user interface.

Categories: FIM, Hotfix, Microsoft, Security

FIM News: the Microsoft Hybrid identity management (#FIM2010)

Thu 17 Apr 2014

Today Andreas Kjellman presented an updated FIM roadmap at the FIM Team User Group.
Register and keep an eye on http://thefimteam.com/fim-team-user-group/, as the recording will be published shortly.

Also just a few days ago the new Hybrid Identity website went live (http://www.microsoft.com/en-us/server-cloud/solutions/identity-management.aspx).

The updated website contains the Hybrid Identity White Paper (http://aka.ms/hybrididentitywp)

Microsoft’s approach to identity spans on-premises and the cloud, creating a single user identity for authentication and authorization to all resources, regardless of location.
Also check the Hybrid Identity Datasheet (http://aka.ms/hybrididentityds)

There is a new product, “AADSync”, to make onboarding to AAD and Office 365 a lot easier for multi-forest environments. It will also support advanced DirSync scenarios. It builds on FIM 2010 R2 and DirSync.

The preview is available on Connect. (http://connect.microsoft.com/directory).

Documentation can be found at: http://www.aadsync.com/

There will be more information later in the year about Preview programs and deeper technical information.

There is more news to come, just keep an eye on the Server & Cloud Blog (http://blogs.technet.com/b/server-cloud/)

Also note that the new AADSync tool is referred to as Microsoft Azure Active Directory Sync Services (AADSync), as Windows Azure has been rebranded to Microsoft Azure.

Note-to-self: the Short URL collection bookmarks

Thu 10 Apr 2014
Category Short Url Description
Book http://aka.ms/packtpub_da_troubleshooting Book: Direct Access troubleshooting
Exchange http://aka.ms/mostpopularexch2010wiki Most popular Exchange 2010 articles on TN Wiki
FIM http://aka.ms/ecmaresourcewiki ECMA Resource Wiki
FIM http://aka.ms/fim_codeplex FIM projects on Codeplex
FIM http://aka.ms/fim_portsrightspermissions FIM Ports, rights and permissions
FIM http://aka.ms/fim2010 http://identityunderground.wordpress.com/
FIM http://aka.ms/msidentitypublicreleases Microsoft’s Identity Software: Public Release Build Versions
FIM http://aka.ms/msidmpublicbuilds Microsoft’s Identity Software: Public Release Build Versions
FIM http://aka.ms/msidmpublicreleases Microsoft’s Identity Software: Public Release Build Versions
FIM http://aka.ms/powershellma PowerShell Management Agent > The IDM explorer
FIM http://aka.ms/understandingfimdeprovisioning Understanding Deprovisioning
FIM http://bit.ly/FIM2010R2-RC FIM 2012 R2 RC
FIM http://bit.ly/FIM2010R2BetaDocs FIM R2 Beta docs
FIM http://bit.ly/pGW4gS FIM Exam
FIM http://bit.ly/FIM2010BetaExam FIM Exam
FIM http://bit.ly/TNEdgeCustomizingFIMPortal FIM Portal customisation
FIM http://bit.ly/CreatingCustomRCDC FIM Creating Custom RCDC
FIM http://bit.ly/FIM2010HotfixRSS FIM Hotfix RSS
FIM http://bit.ly/FIMTags FIM tags
FIM http://bit.ly/FIM2010_slowlink Improve FIM performance over slow link
FIM http://bit.ly/FIM2010Solutions FIM 2010 Solutions from partners
FIM http://bit.ly/FIM2010CustomActivity_WF FIM Custom Activity WF
FIM http://bit.ly/FIM2010SDK FIM 2010 SDK
FIM http://bit.ly/FIM2010Resources FIM 2010 Resources
FIM http://aka.ms/fim2010bpa FIM 2010 Best Practice Analyser
FIM http://aka.ms/fim2010functionsref FIM 2010 Functions Reference
FIM http://aka.ms/fim2010partnermas FIM 2010: Management Agents from Partners
FIM http://aka.ms/fim2010r2bpa FIM 2010 Best Practice Analyser
FIM http://aka.ms/fimblogs FIM 2010 Community, feeds & blogs
FIM http://aka.ms/fimbuild_overview FIM Build Overview
FIM http://aka.ms/fimbuilds FIM Build Overview
FIM http://aka.ms/fimcmpermissions FIM CM Permissions
FIM http://aka.ms/fimcommunity FIM Community overview
FIM http://aka.ms/fimcommunity_feeds_blogs FIM Community overview
FIM http://aka.ms/fimfilema FIM File MA
FIM http://aka.ms/fimlpdownload FIM Language Pack download
FIM http://aka.ms/fimma_ln8 FIM Lotus Notes MA
FIM http://aka.ms/fimmaportspermissions FIM Rights, Ports & Permissions
FIM http://aka.ms/fimmas FIM Management Agents
FIM http://aka.ms/fimmasfrompartners FIM Management Agents from partners
FIM http://aka.ms/fimrampup Learning FIM
FIM http://aka.ms/fimresources FIM Resources
FIM http://aka.ms/fimscriptbox FIM Script box
FIM http://aka.ms/fimsecurity FIM Security Setup
FIM http://aka.ms/fimtechoverview FIM Technical Overview
FIM Book http://aka.ms/fim2010r2bestpracticesbook FIM Book
FIM Book http://aka.ms/fim2010r2handbook FIM Book
FIM Book http://aka.ms/fim2010r2handbookshortcuts FIM Book
FIM Book http://aka.ms/fim_r2_best_practices_vol1 FIM Book
FIM Community http://aka.ms/fimteamug FIM Team User Group
FIM Forum http://aka.ms/fimforum FIM Forum on Technet
FIM Forum http://aka.ms/fimforumtn FIM Forum on Technet
FIM Learning http://aka.ms/fim2010rampup Learning FIM
FIM News http://aka.ms/2013fimannouncement 2013 FIM Announcement
FIM Technet http://aka.ms/tnwikiforum FIM 2010 Forum
FIM Wiki http://aka.ms/fim2010resources FIM 2010 Resources
FIM Wiki http://aka.ms/fim2010wiki FIM 2010 Wiki
Forefront http://aka.ms/forefrontroadmap Forefront Roadmap announcement
Forefront http://aka.ms/forefronttechcenter Forefront Tech Center
ILM http://aka.ms/ilm2007gettingstarted ILM Getting Started
Learning http://bit.ly/MS_MVA Microsoft Virtual Academy
PFE http://aka.ms/pfe_wiki Premier Field Engineering at TN Wiki
PFE http://aka.ms/stayoutoftrouble Premier Field Engineering
PKI http://bit.ly/MSPKIBook MS PKI Book
PKI http://bit.ly/CurrentCLMresources Current CLM Resources
Security http://bit.ly/MS_BRS Business Ready Security
Security http://bit.ly/NEAT_Spruce Neat And Spruce at Microsoft
Security http://bit.ly/FBLeak20110510 FB leak
Security http://bit.ly/DownloadBRSTrial Microsoft Business Ready Security Trial Environment
Sharepoint http://aka.ms/sp2010kernelmodeauthn Sharepoint Kernel Mode Authentication
Technet http://aka.ms/fim2010forum FIM Forum on Technet
Visual Studio http://aka.ms/debugextension Extension debugging
Wiki http://aka.ms/fimwiki FIM at Wiki
Wiki http://aka.ms/fixrgb Fix RGB codes to names in HTML
Wiki http://aka.ms/happybirthday_ed Wiki surprise
Wiki http://aka.ms/ninja Wiki Ninja
Wiki http://aka.ms/ninjas Wiki Ninja
Wiki http://aka.ms/notappropriatefortnwiki Wiki guidelines
Wiki http://aka.ms/tnwikibookmarks Wiki Bookmarks
Wiki http://aka.ms/wikitagcloud TechNet Wiki: easy bookmarks to important TNWiki resources
Wiki http://aka.ms/wikitoolbox TN Wiki toolbox
Wiki http://bit.ly/AddTocToYourTNWikiDoc Add TOC to your Wiki article
Wiki Blog http://aka.ms/tnwikiblog TN Wiki Blog
Wiki Blog http://aka.ms/wikiblog TN Wiki blog
Wiki blog http://aka.ms/wikininjablog TN Wiki blog
Wiki Governance http://aka.ms/technetwikicommunitycouncil Wiki Governance
Wiki Governance http://aka.ms/tnwikicouncil Wiki Council
Wiki Governance http://aka.ms/tnwikifeedback Wiki Feedback
Wiki Governance http://aka.ms/wikidevelopment Wiki Governance
Wiki Governance http://aka.ms/wikiguide Wiki Governance
Wiki Governance http://aka.ms/wikininjas Wiki Ninja
Wiki Governance http://aka.ms/wikireputation Wiki Governance
Wiki Governance http://aka.ms/wikuserguidelines_personalisation Wiki Governance

Note-to-self: Security Advisory 2868725: Recommendation to disable RC4

Tue 8 Apr 2014

Source: http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx


In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations.

Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance.
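To turn that recommendation into something checkable on a Windows host, here is an added example (my own script, not part of the advisory or this blog) that audits the SCHANNEL registry values controlling RC4 and TLS 1.2 and, with -Apply, sets them. The key paths are Microsoft's documented SCHANNEL locations; whether a given build honours each value is an assumption to verify against the advisory for your OS version.

```powershell
# Added example (not from the advisory or this blog): audit, and optionally apply,
# the SCHANNEL registry values that disable RC4 and enable TLS 1.2 on a Windows host.
# Key paths are the standard SCHANNEL locations documented by Microsoft; which OS builds
# honour each value is assumed here, so check the advisory for your version first.
# The .NET registry API is used because PowerShell provider paths treat "/" (as in the
# "RC4 128/128" key name) as a path separator. Run elevated; without -Apply it only
# reports. SCHANNEL reads these values at boot, so reboot after changing them.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$desired = @(
    @{ Sub = 'Ciphers\RC4 128/128';      Name = 'Enabled';           Value = 0 },
    @{ Sub = 'Ciphers\RC4 56/128';       Name = 'Enabled';           Value = 0 },
    @{ Sub = 'Ciphers\RC4 40/128';       Name = 'Enabled';           Value = 0 },
    @{ Sub = 'Protocols\TLS 1.2\Server'; Name = 'Enabled';           Value = 1 },
    @{ Sub = 'Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Value = 0 },
    @{ Sub = 'Protocols\TLS 1.2\Client'; Name = 'Enabled';           Value = 1 },
    @{ Sub = 'Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Value = 0 }
)

function Get-SchannelValue([string]$Sub, [string]$Name) {
    # $null means the key or value is absent and SCHANNEL uses its built-in default;
    # for the RC4 keys that default is "enabled" on the builds the advisory covers.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$Sub")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Set-SchannelValue([string]$Sub, [string]$Name, [int]$Value) {
    # CreateSubKey opens the key writable and creates it (and parents) if missing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$Sub")
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

$drift = 0
foreach ($d in $desired) {
    $current = Get-SchannelValue $d.Sub $d.Name
    $ok = ($null -ne $current -and [int]$current -eq $d.Value)
    $shown = if ($null -eq $current) { 'not set (OS default)' } else { $current }
    '{0,-6} {1}\{2} = {3} (want {4})' -f $(if ($ok) { 'OK' } else { 'DRIFT' }), $d.Sub, $d.Name, $shown, $d.Value
    if (-not $ok) {
        $drift++
        if ($Apply) { Set-SchannelValue $d.Sub $d.Name $d.Value }
    }
}
if ($drift -gt 0 -and -not $Apply) { "$drift value(s) differ; rerun elevated with -Apply to set them." }
```

Before applying on a production host, find out which clients still negotiate RC4 with it, because anything that can only speak RC4 loses connectivity once the values take effect.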

See also:

TechNet Blogs » Security Research & Defense : http://blogs.technet.com/b/srd/

And other interesting reading material referenced in the blog:




Note-to-self: #FIM2010 Language packs downloads (RTM/R2/R2 SP1)

Mon 31 Mar 2014

Microsoft® Forefront® Identity Manager 2010 R2 SP1 Language Packs

Note: These language packs are only for use with FIM 2010 R2 SP1.

The respective FIM 2010 R2 SP1 client or server components must be installed before installing their language packs.
See the FIM 2010 TechNet library* for specific requirements of those components.


For the FIM 2010 R2 language packs, see the download at


For the FIM 2010 language packs, see the download at



*As a refresher: Hardware and Software Requirements, http://technet.microsoft.com/en-us/library/hh332708(v=ws.10).aspx

