puttyq.com

Interoperability

Description: The Microsoft MVPs from South-Africa invite you to come and discuss the world of interoperability in the development environment, exploring how we can integrate and interoperate with other technologies. The event will allow you to explore new ideas and solutions, collaborating with Microsoft Consultants, Community Leads and Microsoft Most Valuable Professionals (MVPs) from South-Africa who will be giving an independent and vendor agnostic view. The objective is to become INTEROPaware and INTEROPable, proving that Interoperability is no longer a technology, but a mindset problem … creating one happy technology family.

 Date / Time:

• June 10th, 2008

 Venue:

• Microsoft Corporate Hill
• William Nicol
• Brayston

Audience:

• Software architects
• Developers

 Sponsors: 

• Microsoft DPE 
• Microsoft MVP PM
• Microsoft MVPs
• SA Architect
• BB&D     

Session include topics on:

1. Interoperability using Microsoft WCF and Linux Mono
2. Interoperability using BizTalk as an Enterprise Service Bus
3. Integrated development environment using TFS 2008, TeamPrise and Java
4. Microsoft Technologies Interoperability Improvements for PHP

Register:

• http://www.microsoft.com/southafrica/events/gauteng.mspx

In the previous post we quickly explored some of the helpful properties available in the Utils Class (as part of the

Microsoft.MetaDirectory Namespace). In this post we will quickly explore Utils.TransactionProperties.

The TransactionProperties provides you a method of communicating between various extensions. This is sometimes required to pass information to an extension that does not have access to the required information, or to store data that might change during the current object synchronization.

An example of this is when rules are triggered on objects based on their location. Thus, if a user is within the “OU=disabled users” then ignore the EAF (export attribute flow) rules associated with this object. In cases where a user is disabled, hidden from the address book and given a new description (but only if the user is NOT in the disabled user OU), this can be helpful. Remember that provisioning (connector evaluation) is processes before attribute flows. Because of this a user could be correctly moved to the disabled users OU, but then EAF rules will be ignored.

Have a look at the following EAF that hides a user from the address book (GAL), if the user is NOT in the disabled users OU and the user is “terminated” according to HR. In this case the current user location is evaluated, thus if the provisioning code moved the user, this evaluation will be “false” and the user will be moved but not hidden from the address book.

Case “cd.user:msExchHideFromAddressLists<-mv.person:employeeStatus”
   ‘ Hide person from addressbook if ‘Terminated’
   If Not Utilities.inDisabledStructure(csentry.DN.Parent.ToString, settings.DisabledOU) AndAlso_
             mventry(“employeeStatus”).Value = “Terminated” Then
                    csentry(“msExchHideFromAddressLists”).BooleanValue = True
   End If

In order to pass the ‘original’ OU location from the MV Provision sub to our EAF in the MA extension we can use a transaction property.

1) Store the OU location before moving the object

‘Select the current Active Directory csObject and store the object parent in a 
‘Transaction Property called “csentryDNParent”
csentry = ADMA.Connectors.ByIndex(0)
Utils.TransactionProperties.Add(“csentryDNParent”, csentry.DN.Parent.ToString)

2) Change our EAF that hides the user from the address book

By using the original OU location we will evaluate if the user should be hidden.

Case “cd.user:msExchHideFromAddressLists<-mv.person:employeeStatus”
   ‘ Hide person from addressbook if ‘Terminated’
   Dim orgOU as String = Utils.TransactionProperties(“csentryDNParent”).ToString
   If Not Utilities.inDisabledStructure(orgOU, settings.DisabledOU) AndAlso_
             mventry(“employeeStatus”).Value = “Terminated” Then
                    csentry(“msExchHideFromAddressLists”).BooleanValue = True
   End If

One final best practice when using transaction properties is to make sure that the property you are trying to access is actually in the collection you are accessing, as to avoid exceptions. This is very simple to do.

If Utils.TransactionProperties.Contains(“csentryDNParent”) Then
   Dim orgOU as String = Utils.TransactionProperties(“csentryDNParent”).ToString
   ….
   ‘Do Stuff
   ….
End If

When working with LDAP sources, this is synonymous with working with DN’s. Distinguished Names (DN) identify a user’s CN (Common Name) as well as their hierarchical position in the directory. If we look at the following example below I will explain the various important LDAP attributes:

 dn: cn=John Becker,dc=Contoso,dc=com
 cn: John Becker
 givenName: John
 sn: Becker
 mail: john@contoso.com
 manager: cn=Sam Louis,dc=Contoso,dc=com

In the example the DN is the name of the entry; it’s not an attribute nor part of the entry. The DN forms the unique anchor for a LDAP object. No two users can have duplicate DN’s. The RDN or Relative Distinguished Name in this examples is “CN=John Becker” and “DC=Contoso,dc=com” is the DN of the parent object, where DC denotes the Domain Component. In this example the following entries are merely attributes which are not required. The CN is the user’s common name, “mail” the e-mail address and SN the surname.

It is possible for two users to have identical CN and RDN values as long as these RDN values do not exist within the same parent DN. Thus “CN=Al,OU=users,dc=net” and “CN=Al,OU=otherUsers,dc=net” are both valued users. Additionally (at least in the Active Directory world) there are two additional unique identifiers; the sAMAccountName and the UserPrincipleName. There can be no duplication of sAMAccountName or UPN within the same domain.

Determine a user’s RDN (Relative Distinguished Name)

A simple way of determining a user’s RDN is to use an Advanced Flow rule and selecting a ‘Distinguished Name’ rule. This GUI settings (under the Attribute Flow Rule configuration of the MA) allows you to set a numerical value in order to flow a DN component to another data source. The numerical value is used as such:

“CN=John Lowden,OU=users,DC=Contoso,DC=com”

1: “John Lowden”

2: “users”

3: Contoso

4: com

Retrieving a object’s RDN

In order to retrieve an object RDN, ILM provides an simple method. Find the LDAP (connectorspace object) csobject and use the RDN property.

‘Find the current LDAP object based on the current MV object being processed
Dim LdapMA as ConnectedMA = mventry.ConnectedMAs(“LDAP Source”)
csentry = adMA.Connectors.ByIndex(0)

‘Select the object RDN
Dim RDN as String = csentry.RDN

‘Select the object DN
Dim DN as String = csentry.DN.Tostring

Retrieving an object’s Domain Component

One way of retrieving an object DC (domain component) is to use a simple combination of the csentry.DN property and the ’substring’ function. We first retrieve the object DN and then search for a substring matching our domain component.

Dim MA As ConnectedMA = mventry.ConnectedMAs(“AngloCoal”)
Dim DN As String = MA.AngloCoalAD.Connectors.ByIndex(0).DN.ToString
Dim ObjectDC As String = DN.Substring(MA.Connectors.ByIndex(0).DN.ToString.IndexOf(“DC=”)).ToLower

If ObjectDC = “dc=test,dc=com” Then
…
‘ do something
…
End If

Moving an object by modifying its DN

There are always a requirements to modify or at least identify a users hierarchical position. These are mostly linked to moving users with the LDAP hierarchy when the accounts is disabled or there is a change to entitlement. ILM provides a few ways of simply and quickly determining and changing these location.

Thus, in order to change a user’s RDN or OU/CN location you will need to change the object’s DN. Based on the previous examples this is now a simple process. Have a look at the examples below:

‘Move a user to a new OU location while keeping the same RDN
Dim adMA As ConnectedMA = mventry.ConnectedMAs(“LDAP Source”)
Dim csentry As csentry = adMA.Connectors.ByIndex(0)
Dim RDN As String = csentry.RDN
Dim NewOU As String = “OU=test,DC=test,DC=com”
Dim changeLocation As String = adMA.EscapeDNComponent(RDN).Concat(NewLocation)
csentry.DN = changeLocation

As I mentioned a while ago, the Microsoft Forums where migrated from the old newsgroup based communities to the revised web based forums. These where originally run on telligent but it now appears as if Microsoft is in a test phase for their new custom created community environments.

At present the general public can ‘play’ on the new forums in an effort to test and finalise the production deployment. Subsequently all the existing forums will be migrated to the new environment. An example of the new forum can be found at: http://forums.technet.microsoft.com/

Over the past few months since Ray Ozzie has joined Microsoft, a huge amount of resources and time have been invested in the deployment of various Internet-based services, most bundled under the Microsoft Live offering. Over this period a fair amount of pressure has been exerted on the various product groups to come up with service-based offering of their products that would fir into this Live-framework. Some of the product groups that have been first to introduce services include the Office Product team with the Microsoft Office Live Workspace as well as the Exchange team with Exchange Labs.

If you check out the description of the service on the Exchange Labs web site you will find:

What is Exchange Labs?
Exchange Labs is a new program from the Microsoft Exchange team, advancing the way we deliver next-generation e-mail and unified communications capabilities. Partnering with the Windows Live @ edu offering, Exchange Labs gives students and alumni access to Exchange-based e-mail: 5 GB mailboxes, secure e-mail, a shared address book, calendars and more! To get up and running with Exchange Labs, see Getting Started with Exchange Labs.

At present there are still quite a few things that have to be finalised about the offering, but if we where to compare the Exchange Labs and Hotmail based services with each other, the picture would look something like this. (1)

(1)

Please note that as always this post is subject to the standard puttyq.com disclaimer.

(2)

To make sure that Exchange Control Panel functions correctly, verify the following settings on all supported Web browsers:

• The Web browser must allow session cookies. Session cookies are also known as transient cookies.
• The Web browser must have JavaScript enabled.
• The Web browser must allow new windows to be opened. Pop-up blocker settings in the Web browser or third-party pop-up blocker applications may prevent the Web browser from opening new windows.

Since the initial release of MIIS 2003 we used to have the Utils Class within the Microsoft.MetaDirectoryServices namespace. It is however quite interesting to see that very few clients use these handy methods and properties (kindly provided to us by the product team). In the following few posts I’ll try to explore and explain some of these handy given’s; today… two of my simple favourite properties found in the Utils Class.

ExtensionsDirectory
Data type: String
Access type: Read-only - Static (Shared). - Retrieves the path of the extensions directory.

Notes: I am a big fan of using configuration files to parameterise my assemblies. (P.S - not a suggestion, a rule!). In most cases I tend to place my config file with all my assemblies in the ‘extensions’ folder ebudy. Most of the time I use a XML file, thus using the “ExtensionDirectory” property makes it simple to locate and load my config file, since I only need to know it’s name.

Example: 

Dim settings As New RulesExtensionSettings(Utils.ExtensionDirectory & “\MIIS Parameters.xml”)

InPreviewMode
Data type: Boolean
Access type: Read-only - Static (Shared). - Determines if the current operation is running in preview mode.

One of the problems you might have with previews is if you (against recommended best practice) have implemented some sort of external update, like a database update. A simple way to get around this is to determine if you are in preview mode before you execute these transaction / updates.

Example: 

If Not Utils.InPreviewMode = True Then
   ‘ Do your thing
End If

I will try to make some additional posts later to explore the Utils.MA, Utils.TransactionProperties and Utils.WorkingDirectory properties.

Over the past few years Microsoft Most Valued Professional award has gained a lot more industry exposure, but in recent months some changes have been introduced in order to make the MVP award’s more relevant.

“Historically, the MVP Award Program has been structured to align an MVP directly with a single product, which defined the MVP relationship with Microsoft during their Award year.  The number of MVPs awarded and the number of technologies being supported  has grown; both MVPs and product groups have expressed frustration with this limitation and a desire to connect with each other outside of these boundaries.  With many Microsoft products having increased interoperability and dependencies, such engagements are not just desired, but required.  One of many examples, there is a real need for SharePoint Server MVPs to interact with SQL and Forefront Product Groups and MVPs.  [The re-categorization process is the] … first step towards creating a framework to enable these and other scenarios that will better align the program with our mission and Microsoft’s business priorities with regard to support communities.”

The first sign of the new MVP categories can now be seen on the MVP Global web site. For a complete list of all

the new MVP award categories check out the Microsoft MVP Awardees web site. You will see there is a new “Identity Lifecycle Manage

ment (ILM)” category grouped under “Identity & Access”.

For an complete list of you ILM MVP’s check out: Identity and Access: Identity Lifecycle Manager

For more information regarding the MVP program and it’s benefits please visit https://mvp.support.microsoft.com

During the past month I had a quick requirement to enable encrypted pass management transactions to IBM Directory Server. As such port 636 (SSL) traffic was required. If you check the ILM 2007 help file regarding this you will find the following:

I received a “Server down” error when trying to connect to a server or run a management agent.

Cause: The Microsoft Identity Integration Server 2003 service account does not have the CA Certificate installed. Even though your SSL bind may be successful, the management agent runs in the context of the Microsoft Identity Integration Server 2003 service account, and may fail without the CA Certificate installed.

Solution: Install the CA Certificate on the Microsoft Identity Integration Server 2003 service account.

 

If you are however using a non-trusted root cert you will have to import this to the server as well. As such I thought I’d drop a quick guide How-to: SSL for IBM Directory Server.

1. Get an export of you companies self-signed CA cert
2. Import this cert into the Local Computer Certificate store (Trust Root Certificates) (Automatic process)

Import the certificate into the Microsoft Identity Integration Server service account’s ‘Trusted Root Certificate Store’.

• Open the MMC and add the Certificates snap-in
• Add the Certificates snap-in for a local Service account and Select the ‘Microsoft Identity Integration Server’ account

• Add you Root CA to the ‘Trusted Root’ container

• Done! This should allow you to use SSL to connect to your LDAP instance of IBM DS as well as use secure connections for password resets.

A few months ago I was contacted by a client who have developed some strange email routing problems between two GALSync partners. For quite a while this issue caused intermittent mail flow problems between the two parties. After we figured out what the root cause of the problem was I decided to share just in case a search engine hit and this article could solve your problem.

Clients in the one client organization (Company S) where getting SMTP error when trying to mail users in their partner company (Company L). This was something that was intermittently reported and made diagnosis of the problem difficult. The first assumption was that the GALSync was in some way creating corrupt contacts in the Company S directory, which was causing the problem. Comparison of the source and destination data did prove this to be wrong. Still however certain users would get the following message when trying to mail users in Company L.

The message could not be delivered because the recipient’s destination email system is unknown or invalid. Please check the address and try again, or contact your system administrator to verify connectivity to the email system of the recipient.

As a first step the user object in Company L was made an explicit disconnector in the GALSync (to get rid of the contact in Company S), to try to test if the contact had anything to go with the problem. I was confident that this was an Exchange issue and wanted to prove that it would most likely still not work since the error pointed to some kind of name resolution issue. To my dismay the email from the affect Company S user immediately when though to the user in Company L.

I went back to the drawing board, but no matter what I tried it did appear that the GALSync contact was the common factor in every test. It was not until a few weeks later that a specific support call came in with additional information, that we eventually found out what the problem was.

Two different users within the Company S network sent mail to a user in Company L. Both using the GAL (with the GALSync contacts). One users mail went thought successfully and the other’s bounced with the error message above. For the first time it was apparent that the issue was not the GALSync contact but indeed the exchange implementation at Company S. The answer regarding the problem only became apparent when I investigated the operation of GALSync again.

GALSync Step-by-Step

- A user is created in Company L and is imported into the GALSync. As part of the import the user’s legacyExchangeDN is imported. This gets used to create an X500 address for the Company L org in the proxyAddresses of the contact created in Company S.

- As you can see from the export attribute flow below, the legacyExchangeDN is never exported to a contact. Under normal operations, the destination org’s (Company S) exchange environment stamps the contact with a legacyExchangeDN. This legacyExchangeDN which contains the organizational details for the destination exchange org is imported into GALSync and based on this a second X500 entry is created in the contact’s proxyAddresses attribute.

- Under most circumstances this would not be a train smash in a small exchange environment; but for companies with multiple exchange servers which have to internally route mail to gateways for the organization this becomes a problem.

For more information regarding benefits, qualification and enrolment for Live @ Edu, please see the following links:

1. Windows Live @ Edu Demo: http://imagine-wl.com/Education/Demo/edu.html
2. Enrolment and program benefits: http://imagine-wl.com/education/en-us/Benefits/

From http://imagine-wl.com

Hosted E-mail

Allows users to preview e-mails without loading a new page each time, drag and drop messages into folders and power through their inbox. Learn more

Instant Messaging

Communication on campus has never been so seamless. Users can create study groups with multiple IM users and share documents and other personal files over the Internet. Learn more

Blogging

Students, alumni, faculty, clubs and departments can connect in their own space to share information, photos, blogs and more. Learn more

Mobile

Is your university always on-the-go? Those in the program can manage their inbox, chat, find locations and receive alerts – all from their mobile phone. Learn more

Alerts

Those enrolled in the program can stay current with spam-filtered info alerts from MSN. They’ll get info on their PC through Messenger, e-mail or their mobile device. Learn more

Privacy & Security

The Windows Live @ edu Program offers anti-virus protection tools and junk e-mail filters to help protect against viruses and unwanted e-mail. Learn more