Note-to-self: Security Compliance Manager 4.0 now available for download!

Sometime you get some silent signals that you have been way too busy…

Like stumbling into an announcement of a tool you evangelise…

Security Compliance Manager 4.0 now available for download!

 

 

 

FIM/MIM Licensing: clarification on the requirement to use CALs

Since the addition of the FIM Service and Portal in FIM 2010, the licensing model changed from a “server only” licensing to “server + CAL” licensing. (NOTE: CAL = Client Access License).

In April 2015 licensing update of FIM/MIM, the server license became virtually free.

The authoritative document that provides you with the full details is the PUR (Products Use Rights) document published by Microsoft.

See my post on the licensing change for all required info: http://aka.ms/LicenseToCAL. It does contain the links to the PUR (in various languages).

You can also check the TechNet Wiki page for the FIM/MIM licensing: http://aka.ms/LicenseToFIM)

 

In short: in general, you do NOT need to buy a FIM/MIM server license anymore, it’s included in the Windows Server license.

Still, keep in mind, some specific situations do require special/additional licenses: check the PUR.

You DO require CALs, which is mentioned by the PUR as:

“A CAL is also required for any person for whom the software issues or manages identity information.”

 

You can acquire FIM CALs via :

  • Forefront Identity Manager 2010 R2 User CAL (device CALs are not available), or
  • Enterprise Mobility Suite User SL, or
  • Microsoft Azure Active Directory Premium

The april 2015 licensing change caused quite some confusion on the CAL requirements (as the FIM/MIM server license became ‘free’…)
One of the important reasons was the following paragraph in the PUR (quote):

“/../

Synchronization Service

A CAL is not required for users only using the Forefront Identity Manager synchronization service. /../”

To rephrase this statement: if you ONLY use the FIM Sync engine, you DO NOT need to buy/acquire any license (you got server license free and CAL not required).

This essentially means that IF you do install the FIM Service (and probably the FIM portal to manage it) and you DO connect the FIM Sync engine to the FIM service via the FIM MA, you DO NEED CALs.

This also applies to BHOLD and FIMCM.

This is how it was phrased by one of the FIM/MIM/AADConnect program managers: “As soon as you have installed the FIM Service MA (or BHOLD or CM) then you have triggered a CAL for everyone in the MV. ” It’s not relevant if the users are in FIM Service or not.

This is also the reason for built-in declarative provisioning (without a need for the FIM Service MA) in Azure AD Connect sync… this puts the FIM/MIM licensing model on the same frequency as the Azure AD connect licensing.

Now, this perfectly answers the question of Henrik on my post on the licensing update.

His question was: “What if you install FIM/MIM Sync and Service, both included in Windows Server licensing but you choose not to add object mappings in FIM/MIM MA for users and groups… This will allow you to import filter based sync rules from FIM/MIM Service.”

The short answer is: you still need to acquire the CAL.

Summary

  • FIM/MIM server license is included in the Windows Server License
  • you DO NEED CALs for FIM/MIM
    • you can purchase CALS or acquire them via EMS/AAD premium/ECS
    • for EVERY person managed
  • 1 EXCEPTION:
    • if you ONLY use the FIM/MIM Sync Engine, you do not need CALs

I hope that this explanation helps you to better understand the FIM/MIM licensing.

Feel free to contact me via any channel if you have any feedback or questions.
Happy licensing!

Note-to-self: quickly checking which #FIM2010 Sync Security groups used

Although, it’s best practices to use AD based security groups to setup your FIM/MIM, this is not always the case in practice.
So, how do you quickly verify which groups have been used to secure your FIM Sync configuration?

On the FIM Synchronization server, open the component services

(samples are taken from a Windows Server 2012, but this also applies to Windows 2008 …)

First, look up and open Component services

1. find component services

Within the Component Services navigate to “Computers > My Computer”, open DCOM Config

2. open DCOM config

It’s very likely that you get the icon view, switch it to detailed view.

3. change view to details

Then look up the Forefront Identity Synchronization Manager configuration item.

4. open FIMSync Service Props

Right click on it, click properties

5. open Security tab - launc and activation

Click the security tab.

And on the “Launch and Activation Permissions” section, click the edit button.

In case you the sections are greyed out, you need to set registry permissions to allow access

Side note

In the Component services console, you might encounter that the security options are greyed out…

Here’s the solution to fix this quickly: http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

6. Launch and activation permissions

Now you should see the FIM Sync Security groups configured.

The info will show you (based on the group names) if local or AD groups have been used.

End note on this topic: you can’t change these groups manually.
You need to run the FIM Sync installation wizard in repair mode to fix or change these groups.

The wizard will change the component services, DCOM config, regisgtry and local NTFS permissions to match the groups.

If you would like to do it in a more scripted way, you can use the DCOMPerm code sample, which is included with the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

Sample command:

dcomperm -aa {835BEE60-8731-4159-8BFF-941301D76D05} list

Output

Access permission list for AppID {835BEE60-8731-4159-8BFF-941301D76D05}:

Remote and Local access permitted to CONTOSO\FIMSyncAdmins.
Remote and Local access permitted to CONTOSO\FIMSyncOperators.
Remote and Local access permitted to CONTOSO\FIMSyncJoiners.
Remote and Local access permitted to NT AUTHORITY\SYSTEM.
Remote and Local access permitted to CONTOSO\svcfimsync.
Remote and Local access permitted to CONTOSO\FIMSyncBrowse.
Remote and Local access permitted to CONTOSO\FIMSyncPasswordSet.

#FIM2010 & MIM 2016 licensing model is changing as of 1st of april 2015

Source: http://www.microsoft.com/licensing/products/products.aspx

Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488 In short, prior to 1st of april 2015, you required

  • a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
  • Forefront Identity Manager 2010 R2 External Connector
Functionality Covered by
FIM Server Components (FIM Sync, FIM Services, FIM portal, …) FIM Server SKU
CAL Standalone FIM CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, orEnterprise Cloud Suite (ECS) User SL
External Users FIM External Connector license (per server)

After 1st of april 2015:

  • Windows Server license (Standard & Datacenter) will include FIM server entitlement
  • FIM Server 2010 R2 licenses will not be available anymore on the price lists
Functionality Covered by
FIM Server Components (FIM Sync, FIM Services, FIM portal, …) Windows Server license (Standard & Datacenter) will include FIM server entitlement
CAL Standalone (FIM) CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL
External Users Windows Connector license

Certificate and Identity Management

  • A CAL is also required for any person for whom the software issues or manages identity information.

Synchronization Service

  • A CAL is not required for users only using the Forefront Identity Manager synchronization service.

From the PUR:

  • External Connector License means a license attached to a Server that permits access to the server software by External Users.
  • External Users means users that are not either your or your Affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
  • CAL means client access license. There are two kinds of CALs: user and device. A user CAL allows access to the server software from any device by one user. A device CAL allows access to the server software from one device by any user.

FIM / MIM is using a user CAL. The FIM server will no longer be sold as a separate license, but instead Windows Server licenses will allow customers to install the FIM Server software. Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required. Still it’s important to understand that you still need FIM/MIM CALs to manage identities with FIM/MIM (unless you only use the FIM/MIM Sync). Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS) or a additive FIM CAL will also entitle users to access FIM. MIM will have the same licensing model. All current FIM customers with active SA on the underlying Windows Server, (since the right to install FIM server is now granted with a Windows Server license), will have rights to upgrade to MIM when it launches. And for my Dutch speaking followers… Tous la même chose:

PS: The FIM licensing page on TechNet Wiki will be updated ASAP (http://aka.ms/LicenseToFIM)

[ADD-ON, Jan 2016]
https://identityunderground.wordpress.com/2016/01/06/fimmim-licensing-clarification-on-the-requirement-to-use-cals/

Bookmark:

Note-to-self: Microsoft Virtual Academy: Identity and Access Management

Source: Microsoft Security Newsletter – February 2015

Microsoft Virtual Academy: Identity and Access Management

Need tips for moving your Active Directory Federation Services (ADFS) workload to Microsoft Azure, the powerful platform leveraged by IT specialists to provide a range of services and tools to end users?

Look no further!

Get expert advice on design, deployment, maintenance, and more so you can smoothly manage the transition of your ADFS workload to Azure. Explore the various forms of identity, and learn to transition the tools that provide identity services into Microsoft Azure. Plus, see how to resolve common issues. “

And in case you didn’t notice there is a lot more interesting security stuff in the Newsletter, like:

  • Security Tip of the Month: Protect Your Highly Sensitive Information
  • Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

+ more !

Surf to the Microsoft Security Newsletter – February 2015 and … just a suggestion … subscribe to the newsletter.

Note-to-self: free Executive Guide: IT-security en riskmanagement #ZDNet

Source: http://www.zdnet.be/continuity/159407/gratis-executive-guide-it-security-en-riskmanagement

As add-on to their free seminar on businesscontinuity (11/dec) ZDNet offers a free guide on IT-security and riskmanagement.

It offers 10 IT-riskmanagement domains that are often forgotten. The guide also offers a simplified framework on IT Risk management for SMB.

Further more the guide discusses useful topics on risk management, to determine the possible risks and how to implement control mechanisms on insider threats.

Download the executive guide here.