ILM

#FIM2010 & #MIM2016 Error 25009 fun stuff on #TNWiki

For the FIM Geeks, I’ve submitted some new FIM/MIM 25009 event troubleshooting articles on TechNet Wiki (http://aka.ms/Wiki)

Plus, a page the collects all the 25009 troubleshooting resources, including lots of fun stuff of Tim Macauly.

If you got more of this 25009 fun stuff yourself, feel free to add your articles and add them to the collection page.

Updated: 2020-12-30

#FIM2010 / #MIM2016 not so dead, and what you didn’t hear.

What seemed to be a small note on a MPN blog, landed on LinkedIn and finally got into a pretty… eh how would you name it … disappointing, bizar, vicious, mean, deviant, misunderstood .. nah .. just a wrong direction, has caused quite some confusion.

And looking at the IM and messages I get, it still is.

Let me spoil the clue of the story: Microsoft Identity and Access, FIM, MIM,… IS … ALIVE. VERY MUCH ALIVE. (NOT DEAD)
If you need more detail, continue…

Lots of things have been said and I don’t want to repeat too much stuff, and certainly don’t want to take credit for it.
But let me pick some core components of the discussion and get a few things straight.

Why not refer to the sources first, by chrono. (If you want to have them in a short list all together, quickly read through the post till the end.)

It started here (by Gavriella Schuster on 12 April 2016):

https://blogs.partner.microsoft.com/mpn/microsoft-partner-network-evolution/?ln=en-US

In essence Gavriella discusses MPN (Microsoft Partner Network) competencies and mentions the “The retiring competencies”, which include: “Identity and Access”.
She doesn’t mention any product specifically, but she doesn’t mention either that “Identity and Access” is being moved to the Enterprise Mobility Management (EMM) competency.
This is clearly a cause for confusion, disappointment and misunderstanding.

But if you continue to read her post and check the next paragraph, you’ll see:

  • Interactive MPN Evolution Guide – This NEW interactive tool is your first step to guide your decision process. Use this to explore all of the new paths and options and easily identify which is the best fit for your business.
  • MPN Evolution Page – This is an overview of the changes, including the full list of impacted competencies and timeline.
  • FAQ – We have received feedback from some of your peers in our advisory councils and compiled answers to some of the questions we anticipate you might have. We will continue to build on these as we receive new questions.

 

After a few clicks in the MPN evolution guide, you’ll see that “Identity and Access” is now in the Enterprise Mobility Management (EMM) competency. But it takes a few pages to find out. Right.

Also the MPN Evolution FAQ (downloadable PDF) says:

“Identity and Access Competency

Q) Where can I find more information about Enterprise Mobility Suite and partner opportunities?
A) For Enterprise Mobility Suite information, go here. For competency information, go here.

Q) Where can I find more info around Enterprise Mobility Suite incentives eligibility via the Enterprise Mobility Management Competency?
A) To learn more about EMS Incentives, visit the portal page, here. “

A few days later a post on LinkedIn interpretes the competency change as “It marks the end of MIIS, ILM, FIM, and MIM“.
This opinion/ interpretation ignited a discussion or list of comments that even got vicious and mean if not incorrect. But I’ll leave that to your own interpretation.

But I can certainly advise to read all of it.

One of the key comments is posted by Alex Simons (Director of PM, Microsoft Identity Division): (quote)

“This focus area has just been combined with Mobility as we believe the overall category is merging as part of the shift we are seeing among customers to a modern end-user productivity model which merges Identity, Mobiltiy and Information Protection together to enable workers to get their jobs done wherever they are. So don’t let the merger fool you! We have more engineers working on Identity and Access Managemebt today (600+ across the cloud and on-premises) than we have ever had before at Microsoft!”

Apparently, due to some technical issues, an important comment of David Steadman never got posted to that thread. And probably for that reason, it got disconnected.
But it’s a damn important insider-note or add-on to Alex’ message.

“Identity within Microsoft not Dead!!”

“/../ this is not the end to identity platform. It simply transforming to what customers are demanding, just like MIIS changed and ILM. Merging the assets makes sense, As we have seen with this product and others. If you do not change you will be left behind it is a strategic change that meets the demand of our Azure Customers and On-premise Customers. Also the MIM product group has release a few new additions to MIM CTP4 /../”

“… Because Microsoft is the Identity platform and as this merger of Identity, Mobility and Information Protection continues you will see great add to the story and services.”

A few days later, , posts an interesting reply to the discussion. To jump to his conclusion: “ Success in the cloud is underpinned by a well-engineered Identity and Access infrastructure – and that is usually a hybrid on-premises/cloud infrastructure involving MIM, AD, Azure AD and much more. You can call it what you like, but rumours of its death have been greatly exaggerated.

And to close the discussion, you might want to get up to speed on what Microsoft Identity and Access aka Enterprise Mobility is heading to… with another post by Hugh.
It’s the essence of the whole story: Identity and Acces, now Enterpise mobility is not limited to the ‘identity technology’ anymore: consider”Advanced Threat Analytics, Secure Islands, Adallom, hybrid identity, devices and enterprise mobility management, Microsoft Identity Manager (MIM) including Privileged Access Management (PAM), new features in Microsoft’s Enterprise Mobility Suite, including changes in Azure Active Directory, Rights Management, and Intune… and more.

It’s damn clear that a specialist in Microsoft Identity & Access (eh sorry, Enterprise Mobility), will have plenty of work in the future.

That being said, here’s the short list.

References list of LinkedIn articles:

But that’s not all.
Recheck the Microsoft support lifecycle for the various products and save it for future reference:

 

*EDIT – 13/may/2016 … the discussion continues*
Above was the customer friendly version, as I’ve got quite some queries for details.
So it allows to explain that the pronounced dead essentially was a hoax.

On the FIM/MIM FB group, there was a very pertinent remark by Gil Kirkpatrick which I’m allowed to share here:

I’ve been utterly baffled at the public reaction to all of this… I’ve had probably a dozen people (a Kuppinger-Cole guy for chrissakes) tell me how MSFT has failed to crack the IAM market and how they’ve given up and EOL’d FIM/MIM, and now its a free-for-all and tha datacenter is on fire, and …, well you get the idea. It’s like nobody even bothered to read the announcement, and I don’t know, maybe look up some of the words in the dictionary if they were having trouble understanding it.”

+1

I personally think this is exactly the reason that David, Hugh and others (including me) have been fighting this hoax.

And I’ll not go into the view and recent reports of the market watchers, like Kuppinger-Cole and Gartner on Identity and Access, Identity Governance, .. whatever.
These are valuable if the reports are built on current, solid data.
But if a vendor does not participate in the survey for a year, or two, because their product stack is been overhauled and set ready for the future.. and therefore the ‘product suite’ does not fit to the market watchers categories (so it drops from the reports), it’s no reason to burry a product/vendor.

And certainly if these reports are published one year later… 
Things are moving fast, very fast.

Updated: 2020-12-30

Note-to-self: #FIM2010 Microsoft.MetadirectoryServices.dll vs. Microsoft.MetadirectoryServicesEx.dll

Question: What’s the difference between Microsoft.MetadirectoryServices.dll and Microsoft.MetadirectoryServicesEx.dll?

MIIS/ILM code is using the Microsoft.MetadirectoryServices.dll, while FIM is using Microsoft.MetadirectoryServicesEx.dll.

Can the old DLL be removed from the FIM code extensions, when the new DLL is referenced in code?

Answer:

You should use the Ex.dll when possible. The other DLL is only there in case you have a DLL from MIIS, has lost the sources, and cannot recompile it. The only difference between the two is that Ex is digitally signed and the other is not. When you have changed the references to Ex.dll you will not need the other.

Microsoft announced further details on the #FIM2010 vNext roadmap (now : aka Microsoft Identity Manager)

Sources:

Allow me to rephrase the announcement message, to condense the message. Full message at references mentioned earlier.

 

Today the product group provided an update with further details of the FIM 2010 roadmap.

This is including the approach and the investments they are making to enhance the on-premises, private cloud and hybrid cloud identity management solutions.

(quote) “Forefront Identity Manager helps your organization ensure users have appropriate access corporate information regardless of where it is located—in your datacenter or in the cloud, by providing self-service identity management, automated lifecycle management across heterogeneous platforms, a rich policy framework for enforcing security policies, and detailed audit capabilities.

The approach to the next version of Identity Manager is guided by the following customer feedback and innovation goals:

  • Continue to address risks to critical assets, by enhancing and expanding the available protections for enterprise identity, ensuring the enterprise’s identity infrastructure is resilient to targeted attacks
  • Enable the mobile access scenarios that customers are looking to adopt and manage from a broad range of devices across on-premises and cloud services
  • Connect with Azure Active Directory to integrate with its features and extend the reach of enterprise identity to a range of Software-as-a-Service applications
  • Deliver easy-to-deploy end-to-end scenarios that complement investments in Windows, Office, Microsoft Azure, and Active Directory with end user self-service, delegation and configurable policies

Three major investment areas have been identified for this release of Identity Manager:

  • Hybrid scenarios that leverage cloud-based services delivered in Microsoft Azure, including Multi-Factor Authentication, Azure Active Directory application integration, analytics and reporting
  • Support for the latest platforms and mobile devices with modern user interfaces
  • Improved security with additional controls, analytics and auditing of administrative and privileged user identities and their access to Active Directory, Windows Server and applications

 

As part of the next release, we will also move Identity Manager under the Microsoft brand, so this release will be known as Microsoft Identity Manager.  

More details will be available next month at the TechEd North America 2014 breakout session PCIT-B328, scheduled for May 14th at 5:00 PM US Central time. We will also have more to share and later in the year including timelines for preview programs and the release schedule.

So now #FIM2010 is not FIM any more, it’s MIM.
We need to find a new hash tag, right? #MIM is taken…

Any suggestion? #MIM2015?

 

Note-to-self: the Short URL collection bookmarks
Category Short Url Description
Book http://aka.ms/packtpub_da_troubleshooting Book: Direct Access troubleshooting
Exchange http://aka.ms/mostpopularexch2010wiki Most poplar Exchange 2010 articles on TN Wiki
FIM http://aka.ms/ecmaresourcewiki ECMA Resource Wiki
FIM http://aka.ms/fim_codeplex FIM projects on Codeplex
FIM http://aka.ms/fim_portsrightspermissions FIM Ports, rights and permissions
FIM http://aka.ms/fim2010 https://identityunderground.wordpress.com/
FIM http://aka.ms/msidentitypublicreleases Microsoft’s Identity Software: Public Release Build Versions
FIM http://aka.ms/msidmpublicbuilds Microsoft’s Identity Software: Public Release Build Versions
FIM http://aka.ms/msidmpublicreleases Microsoft’s Identity Software: Public Release Build Versions
FIM http://aka.ms/powershellma PowerShell Management Agent > The IDM explorer
FIM http://aka.ms/understandingfimdeprovisioning Understanding Deprovisioning
FIM http://bit.ly/FIM2010R2-RC FIM 2012 R2 RC
FIM http://bit.ly/FIM2010R2BetaDocs FIM R2 Beta docs
FIM http://bit.ly/pGW4gS FIM Exam
FIM http://bit.ly/FIM2010BetaExam FIM Exam
FIM http://bit.ly/TNEdgeCustomizingFIMPortal FIM Portal customisation
FIM http://bit.ly/CreatingCustomRCDC FIM Creating Custom RCDC
FIM http://bit.ly/FIM2010HotfixRSS FIM Hotfix RSS
FIM http://bit.ly/FIMTags FIM tags
FIM http://bit.ly/FIM2010_slowlink Improve FIM performance over slow link
FIM http://bit.ly/FIM2010Solutions FIM 2010 Solutions from partners
FIM http://bit.ly/FIM2010CustomActivity_WF FIM Custom Activity WF
FIM http://bit.ly/FIM2010SDK FIM 2010 SDK
FIM http://bit.ly/FIM2010Resources FIM 2010 Resources
FIM http://aka.ms/fim2010bpa FIM 2010 Best Practice Analyser
FIM http://aka.ms/fim2010functionsref FIM 2010 Functions Reference
FIM http://aka.ms/fim2010partnermas FIM 2010: Management Agents from Partners
FIM http://aka.ms/fim2010r2bpa FIM 2010 Best Practice Analyser
FIM http://aka.ms/fimblogs FIM 2010 Community, feeds & blogs
FIM http://aka.ms/fimbuild_overview FIM Build Overveiw
FIM http://aka.ms/fimbuilds FIM Build Overveiw
FIM http://aka.ms/fimcmpermissions FIM CM Permisssion
FIM http://aka.ms/fimcommunity FIM Community overview
FIM http://aka.ms/fimcommunity_feeds_blogs FIM Community overview
FIM http://aka.ms/fimfilema FIM File MA
FIM http://aka.ms/fimlpdownload FIM Language Pack download
FIM http://aka.ms/fimma_ln8 FIM Lotus Notes MA
FIM http://aka.ms/fimmaportspermissions FIM Rights, Ports & Permissions
FIM http://aka.ms/fimmas FIM Management Agents
FIM http://aka.ms/fimmasfrompartners FIM Management Agents from partners
FIM http://aka.ms/fimrampup Learning FIM
FIM http://aka.ms/fimresources FIM Resources
FIM http://aka.ms/fimscriptbox FIM Script box
FIM http://aka.ms/fimsecurity FIM Security Setup
FIM http://aka.ms/fimtechoverview FIM Technical Overview
FIM Book http://aka.ms/fim2010r2bestpracticesbook FIM Book
FIM Book http://aka.ms/fim2010r2handbook FIM Book
FIM Book http://aka.ms/fim2010r2handbookshortcuts FIM Book
FIM Book http://aka.ms/fim_r2_best_practices_vol1 FIM Book
FIM Community http://aka.ms/fimteamug FIM Team User Group
FIM Forum http://aka.ms/fimforum FIM Forum on Technet
FIM Forum http://aka.ms/fimforumtn FIM Forum on Technet
FIM Learning http://aka.ms/fim2010rampup Learning FIM
FIM News http://aka.ms/2013fimannouncement 2013 FIM Announcement
FIM Technet http://aka.ms/tnwikiforum FIM 2010 Forum
FIM Wiki http://aka.ms/fim2010resources FIM 2010 Resources
FIM Wiki http://aka.ms/fim2010wiki FIM 2010 Wiki
Forefront http://aka.ms/forefrontroadmap Forefront Roadmap announcement
Forefront http://aka.ms/forefronttechcenter Forefront Tech Center
ILM http://aka.ms/ilm2007gettingstarted ILM Getting Started
Learning http://bit.ly/MS_MVA Microsoft Virtual Academy
PFE http://aka.ms/pfe_wiki Premier Field Engineering at TN Wiki
PFE http://aka.ms/stayoutoftrouble Premier Field Engineering
PKI http://bit.ly/MSPKIBook MS PKI Book
PKI http://bit.ly/CurrentCLMresources Current CLM Resources
Security http://bit.ly/MS_BRS Business Ready Security
Security http://bit.ly/NEAT_Spruce Neat And Spruce at Microsoft
Security http://bit.ly/FBLeak20110510 FB leak
Security http://bit.ly/DownloadBRSTrial Microsoft Business Ready Security Trial Environment
Sharepoint http://aka.ms/sp2010kernelmodeauthn Sharepoint Kernel Mode Authentication
Technet http://aka.ms/fim2010forum FIM Forum on Technet
Visual Studio http://aka.ms/debugextension Extension debugging
Wiki http://aka.ms/fimwiki FIM at Wiki
Wiki http://aka.ms/fixrgb Fix RGB codes to names in HTML
Wiki http://aka.ms/happybirthday_ed Wiki surprise
Wiki http://aka.ms/ninja Wiki Ninja
Wiki http://aka.ms/ninjas Wiki Ninja
Wiki http://aka.ms/notappropriatefortnwiki Wiki guidelines
Wiki http://aka.ms/tnwikibookmarks Wiki Bookmarks
Wiki http://aka.ms/wikitagcloud TechNet Wiki: easy bookmarks to important TNWiki resources
Wiki http://aka.ms/wikitoolbox TN Wiki toolbox
Wiki http://bit.ly/AddTocToYourTNWikiDoc Add TOC to your Wiki article
Wiki Blog http://aka.ms/tnwikiblog TN Wiki Blog
Wiki Blog http://aka.ms/wikiblog TN Wiki blog
Wiki blog http://aka.ms/wikininjablog TN Wiki blog
Wiki Governance http://aka.ms/technetwikicommunitycouncil Wiki Governance
Wiki Governance http://aka.ms/tnwikicouncil Wiki Council
Wiki Governance http://aka.ms/tnwikifeedback Wiki Feedback
Wiki Governance http://aka.ms/wikidevelopment Wiki Governance
Wiki Governance http://aka.ms/wikiguide Wiki Governance
Wiki Governance http://aka.ms/wikininjas Wiki Ninja
Wiki Governance http://aka.ms/wikireputation Wiki Governance
Wiki Governance http://aka.ms/wikuserguidelines_personalisation Wiki Governance

Happy New Year! MVP Identity Lifecycle Manager 2011
MVP award notification
 
Just got the confirmation that I’ve been re-awarded the Microsoft MVP award on Identity Lifecycle Manager, already the 4th year. It’s really a great honor and it’s very much appreciated.
 
First of all I wish to thank all people that supported me to keep up the good work the last year:  the community, the MS Product Group, the Winsec companions, fellow MVPs, my colleagues, William Jansen, Gaby/Jacqueline, … all of you!
 
Special thanks to Markus, Eric Battalio, Ed Price,  for their continued support on the ILM/FIM Forums and Wiki!
Let’s rock for another year!
 
Thank you, Paul, it’s always a pleasure to work with you running the Winsec User Group.
I really appreciate your continued support.
 
And last but not least my wife Katrien: it’s not always easy to live with an IT Security/Community freak like me.  
 
You all made it possible to keep up the good work!
 
READY for ANOTHER YEAR of good work!
 
Thank you!!!

FIMMA vs non-standard MV Schema

(note-to-self)

As you probably know, in ILM the MV schema can be changed easily.
It’s pretty easy to add or remove attributes.

In the past, in some cases, customers had the MV completely removed and rebuilt to only contain (just) the object and attribute definitions needed. Fit to the customer’s standards, without overhead.

In FIM it still is quite easy to manipulate the FIM Sync MV schema at will.
Easy! … at first sight.

NOT! Because the FIMMA doesn’t like it.

If you add the FIMMA after you change the default MV schema, you could run into trouble.
That is, the FIMMA the wizard checks the MV schema (note the Update Schema step).

And if one or more default object definitions are missing, the wizard prompts you to update the schema.
AFAIK, strangely enough the option is not triggered when all default objects are present, even if some default attribute definitions are missing.

You’ll need to click Next> to continue installing the FIMMA.
(“< Back” for previous step, “Cancel” to stop installation…)
So, there’s no option to continue installation without changing the MV, even not partially.
No other way around.

In the demo setup I use for the screenshots, the following objects were removed, because they were not managed by FIM: computer, domain, function, locality, organization, printer, role.

Additionally, the group object had been created manually as “Group” (uppercase “G”).
Same thing for OrganizationalUnit, … and some attributes.

Under “Schema Update Status” the wizard shows the detailed info, like

Reading though the update status, you could encounter different types of messages, like:

/../
Create <missing object name> object…
The attribute <missing attribute name> will be added.

Create <object name> object completed with the following warnings:
The attribute <changd attribute> already exists. It should be  “<default name>” indexable non-indexed, but is  “<changed name>” non-indexable non-indexed.
The attribute Manager already exists. It should be  “manager”, but is  “Manager”.
/../

Apart from automattically adding missing attributes, the wizard also duplicates attributes that already exist to match the object. So it restores the link between the attribute and object.
But it does NOT change the attribute type. 

Just an example, if you completely removed the ‘street’ attribute from all objects, the wizard will add it again as String(indexable) and map it to the appropriate objects.

BUT, if you created the attribute ‘STREET’ (as Binary (non indexable)), you’ll get a notice the attribute ‘STREET’ already exists, although is should be ‘street’… And again the wizard maps ‘STREET’ to the default objects where it is supposed to be linked.

Conclusion, better avoid this annoyance and loss of time (spent deleting MV objects), so:
– Don’t delete default object definitions
– Stick as much as possible to the standard FIM Sync MV Schema.
– Don’t re-add default objects or attributes that have even the slightest difference in naming (change in uppercase/lowercase) or type definition

If you need additional attributes
– add non-default object types (like ‘Identity’ for people or persons)
– by preference, add custom attributes to to the existing object types

If you really would like to clean up the MV or really need to set it your way:
– first add the FIMMA, then change the MV
– keep it in mind when you need to restore the FIM config for whatever reason (eg moving from DEV > Accept > production)

And leave the synchronizationRule, expectedRuleEntry, detectedRuleEntry in place, they are needed for the core FIM system functionality

ILM GALSync with hub-and-spoke architecture
In case you wish to implement a hub-and-spoke infrastructure for your Global Address List Sync with ILM/FIM, you need to tune the original setup.
 
Hub-and-spoke means one master GAL domain which communicates with slave domains, without direct provisioning between slave domains.
 
For ease of use, I’ve put the logic in one function.
In the GALMV.vb file you need to create a private function:
        Private Function shouldprovision( _
        ByVal currentMVentry As MVEntry, _
        ByVal mANAme As String) As Boolean
            Const masterDomain As String = "g1.local" ‘like msOriginatingForest format
            Const masterMAName As String = "GALSYNC1" ‘MA NAME
            Dim IsHub As Boolean = currentMVentry(EXCH_ORIGINATING_FOREST).StringValue.Equals(masterDomain)
            Dim IsSpoke As Boolean = (Not mANAme.Equals(masterMAName))
            ‘Provisioning OK if
            ‘- source = hub -> target = spoke
            ‘- source = spoke -> target = hub
            ‘Provisioning NOT OK if
            ‘- source = spoke -> target = spoke
            ‘Sample configuration with Hub: G1, spokes = G2,G3
            ‘Source Target  isHub   IsSpoke ShouldProvision
            ‘GAL1   GAL2    TRUE    TRUE    TRUE
            ‘GAL1   GAL3    TRUE    TRUE    TRUE
            ‘GAL2   GAL1    FALSE   FALSE   TRUE
            ‘GAL2   GAL3    FALSE   TRUE    FALSE
            ‘GAL3   GAL1    FALSE   FALSE   TRUE
            ‘GAL3   GAL2    FALSE   TRUE    FALSE
            ‘The function who matches this is an inverted XOR
            ‘http://en.wikipedia.org/wiki/XNOR_gate
            Return Not (IsSpoke Xor IsHub)
        End Function
 
In the Sub Provision, add a call to the ShouldProvision function, like
            /../
             For i = 0 To galMAs.Length – 1
                MA = mventry.ConnectedMAs(galMAs(i).MAName)
                If 0 = MA.Connectors.Count Then
                    ‘
                    ‘ If there were no connectors, then we are going to add one
                    ‘
                    If shouldprovision(mventry, galMAs(i).MAName) Then _
                    AddOrRenameConnector(MA, galMAs(i), mventry)
            /../

ILM quick solution: getting attribute data from a referenced object

(draft, still under investigation…)

Some background information:

When ILM directly imports a reference attribute (CS>MV), it tries to maintain the reference, using the technique of referential integrity.

ILM automatically translates the link between the 2 objects (user > manager) from CS to Metaverse.

The MV object does not have a DN, but an ObjectGUID.

ILM translates the reference from CS DN to MV GUID.

A small example:

clip_image002

In MV the reference is translated to:

clip_image004

So you can’t use the CSEntry.DN value to search the metaverse directly.

Neither can you search the connector space in extension code. There is no FindMVentries equivalent for the connector space.

Also, you can’t access a MVEntry reference attribute .

More information:

How to get reference object in provisioning

Reference values not accessible on MV objects

This import flow code will fail:

Public Sub MapAttributesForImport( _

 ByVal FlowRuleName As String, _

 ByVal csentry As CSEntry, _

 ByVal mventry As MVEntry) _

 Implements IMASynchronization.MapAttributesForImport

 

 Select Case FlowRuleName

  Case "cd.user:manager->mv.user:department"

   ‘can’t search in connector space

   ‘trying to search metaverse

   If mventry("manager").IsPresent Then

    Dim findResultList() As MVEntry = _

     Utils.FindMVEntries("ObjectGUID", mventry("manager").Value.ToString, 1)

 

    If findResultList.Length > 0 Then

     Dim firstMVEntryFound As MVEntry = findResultList(0)

     mventry("department").Value = firstMVEntryFound("department").Value.ToString

    End If

   End If

  Case Else

   Throw New EntryPointNotImplementedException()

 End Select

End Sub

Error message:”System.InvalidOperationException: Unable to access attribute manager. Reference values not accessible on MV objects.”

clip_image006

So we need another approach.

We need some (non-referential) link to the manager, to be able to search the MV.

To document this post I was using an AD MA.
The only link between the user and manager in AD is still a reference (by DN) and you can’t change that.

(There is no other attribute linking them…)

As an example :

clip_image008

But you can store the DN as string value in an additional attribute like “ADdn” (string).

So: flow the CS <DN> into the MV.

clip_image009

(Or another ‘simple’ attribute if you have one to link to the manager…)

Next create a import flow rule to import an attribute from a referenced object:

clip_image011

 

Public Sub MapAttributesForImport( _

ByVal FlowRuleName As String, _

ByVal userCSEntry As CSEntry, _

ByVal userMVEntry As MVEntry) _

Implements IMASynchronization.MapAttributesForImport

 Select Case FlowRuleName

 Case "cd.user:manager->mv.user:department"

 

  ‘simple sample code block to flow managers department into MV

  ‘can be made more complex to flow only when user is manager

  If userCSEntry("department").IsPresent Then

   userMVEntry("department").Value = userCSEntry("department").Value

  End If

 

   ‘code block to flow manager’s department in user’s department

  If userCSEntry("manager").IsPresent Then

   ‘search for the manager

   Dim findManagerResultList() As MVEntry = _

    Utils.FindMVEntries("ADdn", userCSEntry("manager").Value.ToString, 1)

   If findManagerResultList.Length > 0 Then

    ‘get first entry

    Dim mvManagerFound As MVEntry = findManagerResultList(0)

 

    ‘if department filled, flow it

    If mvManagerFound("department").IsPresent Then

     userMVEntry("department").Value = mvManagerFound("department").Value

    End If

   End If

  End If

 Case Else

  Throw New EntryPointNotImplementedException()

 End Select

End Sub

 

Look at this example

clip_image012

clip_image013

First sync the manager to have the department attribute available:

(Eg preview > Commit preview, like shown below)

clip_image015

Next sync the user:

preview > Commit preview, like shown below

clip_image017

The user department has now been filled with the Manager’s department.

 

This is one of the possibilities to solve the issue, alternative and/or options might exist…

I’ll keep you updated when found.

Installing ILM password application on Windows 2008

When installing the ILM password management application on a Windows 2008 server, you might run into trouble with the IIS_WPG group.

As of Windows 2008 (IIS7), the IIS_WPG group does not exist anymore.
Windows 2008 uses another group IIS_IUSRS for the purpose of supporting the IIS application pools.

If you want to know more about this, check these links:

I found a work-around, but there is no guarantee whatever, I don’t know if it’s supported or not.
Proceed at your own risk.

The setup files are on the ILM 2007 CD/image (%CDDRIVE%\MIIS\Password Management)

When installing the application, by running the MSI, the wizard asks for the credentials of the application pool account to install.

image1

But when you have filled in the credentials of the service account (created previously), you might run into this error message.

“Could not add the user account to IIS_WPG group. Check user account name and domain name.”

 image2

After a few attempts, changing the credentials, changing the PasswordSet Group name, … still no luck…

It appears that :

– the PasswordSet group must be a “Domain Local” security group (No global or universal)

– the IIS_WPG group must be created as “Domain local”.

Next I got the message that the user account was invalid.
Nothing to bypass this time, except for entering the administrator user name.

image3

The install succeeded.

 image14 

REMARK: this is just a confirmation that the application was installed.
I cannot confirm yet that is actually works. (To be tested later)

 

But:

  • – Windows 2008 uses IIS_IUSRS as security group for IIS services
  • – The admin account has been added to the application pool

First of all: make sure that the service account you wish to use has proper permissions and rights (like running as a service)

You’ll find the documentation of that on the net, for sure.

Add the service account to the IIS_WPG group (for this example : DEMO\PWDMGMT_SVC).

 image4

Also : aAdd the service account to the MIISPasswordSet group (for this example : DEMO\PWDMGMT_SVC).

 image5

Next, the application pool for the password management application has been installed with the admin account.
Open the IIS management console and look for the PasswordAppPool.

 image6

Check the advanced properties and change the account to the service account (do not forget the domain prefix).

 image7

Now you need to change the groups, because:

– Windows 2008 uses IIS_IUSRS as security group for IIS services

– MIISPasswordSet group should be Domain global, AFAIK

– A domain local group cannot be added to AD domain local group, should be domain global or universal (IIS_WPG –> IIS_IUSRS)

 

Nice feature of WIndows 2008 is : you can change the group scope (domain local <-> universal <-> domain global )

Check the properties of the MIISPasswordSet group.

It’s a domain local

 image8

Switch the group scope to universal en click apply.

 image9

It should now show all group scope option available.

 image10

Switch the group scope option to global.

 image11

 

Same thing for the IIS_WPG group, switch it to “domain global”, as shown below.

 image12

Next, add the IIS_WPG group to the IIS_IUSRS.

 image13

If you cannot browse the application, check the event viewer.

Check for an ASP.NEt error like

“A request mapped to aspnet_isapi.dll was made within an application pool running in Integrated .NET mode. 

Aspnet_isapi.dll can only be used when running in Classic .NET mode. 

Please either specify preCondition="ISAPImode" on the handler mapping to make it run only in application pools running in Classic .NET mode, or move the application to another application pool running in Classic .NET mode in order to use this handler mapping.”,

If you get this error, you might need to switch the IIS application pool ’Managed pipeline mode’ to Classic (instead of integrated).

image