The new Puttyq.com

Check out the post from Mark [FIM PM] regarding the release of FIM 2010 R2 RC.

http://blogs.technet.com/b/server-cloud/archive/2011/11/23/forefront-identity-manager-2010-r2-release-candidate-now-available.aspx

The past few weeks have seen a lot of hussle and bussle in the industry with the Microsoft “certain asset” acquisition of BHold. Although the move to expand the offering of the Microsoft platform is a positive one in my mind, it has left a lot of people confused and raised many questions. I have been working with a customer on a long term identity management strategy and this announcement has cast quite a bit of uncertainty over the process (in terms of cost, development effort in a specific direction and ultimately platform choice).

I do not think that the acquiring of platform enhancements is a bad idea – I welcome it – but at present there is no roadmap and clear strategy for the integration of these features into the platform (not that we know what these features are yet). At the same time there is the FIM 2010 R2 release that is currently in the pipeline. In this release we see some welcome features, including the addition of FIM 2010 reporting (which is crucial). My concern is how this direction architecturally will align with possible acquired potions from BHold.

For now at least based in my discussions there is no clear answers to most of these questions. It is clear that at present the BHold components are not available for sale from either Microsoft or BHold and that these – in my opinion – will not be available in the FIM 2010 R2 timeframe. (The features within this release cannot be held back to try to accommodate the integration of BHold components).

On the side-line of this sits vendors like Omada, which have a great offering and have consistently had the ability to execute. In discussions with Omada over the past few weeks it was clear to me that they welcome the BHold component acquisition. I think they would be fools if they did not have a strategy of how to deal with this and although there is not clear way forward for the FIM 2010 + BHold components – this has not stopped them from pushing their components forward. They have also committed to keep their Microsoft FIM 2010 strategy 100% focussed and to support all their existing customers. Their vision seems set to provide quality add-on modules for the FIM 2010 platform which enables advanced business scenarios. The BHold platform enhancements seems to only lift their vision to embrace this change and continue to build on top of it. They are so confident that they have value to add that they have said they will not lock customers into their platform should they wish to convert – this says something to me about their confidence in their products.

I know I sound very pro-Omada at the moment and it not my intention to blow marketing vapour up anyone’s nostrils – so let’s have a look at why I am existed about the Omada offerings at the moment.

Solid Offering: Have a look at the list below and then try to dispute two things:

• Omada has a comprehensive and compelling offering
• Omada is committed to the Microsoft platform

As recent as yesterday they launched a new offering; the Omada Workflow Builder for FIM 2010. Read more about that in this post.

Omada Modules for FIM 2010 include:

• Omada Identity Suite for FIM 2010
• Omada Compliance Attestation Manager for FIM 2010
• Omada Compliance Reporting Center for FIM 2010
• Omada SharePoint Governance Manager
• Omada Workflow Builder for FIM 2010 (BRAND NEW)

Track Record: Omada has been around for a while and have been developing on the Microsoft IdAM platforms for several years. As a FIM-guy I sometimes might agree with some approaches or disagree – but the output from their development team has consistently proven to me that they have insight into the platform and they are committed to finding new ways of extending the boundaries of what FIM 2010 can do. An example of this is their latest version of the Compliance Reporting Center and now the Workflow Builder which is beautifully integrated into the FIM 2010 portal.

Industry Case Studies: Omada has over the years have some great deployments. They will be able to provide the references and case studies in this regard.

Awards: Being awarded the Worldwide Security and Identity partner of year 3 times in 4 years also says a lot about what the partner has done for customers as well Microsoft and their platform.

Ok – enough – I am starting to sounds like a marketing manager again. It is simple in my mind – until Microsoft has clear a strategy (publically announced to it’s customer and partners) for the BHold components; including timelines for deployment and licensing implications; my identity and access management practice will continue to push Omada products as the premier source of value-add components to the FIM 2010 platform.

I do congratulate BHold on their acquisition by Microsoft and I do not feel that my opinions about their past counts anything at present (since I have not been active in the deployment of BHold solutions). The challenge is clear for the Microsoft / BHold future – execute, execute, execute + deliver.

Yesterday saw the release of Omada’s brand new component for business process management within Microsoft FIM 2010 platform. See the official link press release here.

For my view on the current Microsoft / Omada / BHold discussion see the following posts:

• Microsoft and BHold (initial thoughts)
• Microsoft Identity Management, BHold and Omada

The exciting news for this post however is the brand new workflow builder aptly called Omada Workflow Builder for FIM 2010. Something that has impressed me a lot of the last few releases from Omada is the level of integration they seek with the seamless adding of their modules into the FIM 2010 portal. This has always been one my biggest comments/complaints to all the ISV vendors of FIM components. The last few releases have started to address this concern of mine – and the new workflow builder looks right on the money.

Subsequent to the announcement I had the privilege to get an inside look at some of the new features and they seem straight forward (at least from the surface – I have not been able to play with these myself). Again the obvious plus point was the integration into the FIM 2010 portal. Until I have developed business processes in this tool I will reserve comment – but I have included some very nice looking screenshots.

This component again show Omada’s commitment to developing solutions on top of the FIM 2010 platform. In my view this makes the platform more will rounded and sends a clear message of intent to customers and Microsoft that Omada is not going anywhere.

Portal front page view of business process initiation: The new workflow builder integrates seamlessly on the FIM 2010 front-end as with all the current Omada modules for FIM 2010.

Requesting access to resources: The further enhancement is the seamless integration of the workflow process windows into the FIM 2010 portal through FIM 2010 RCDC’s. Below is screenshots of a resource request process being initiated as well as an approver taking action on the request.

Approval task example

Just how flexible and simple the development of these new workflow tasks are – that remains to be seem. I hope to get a view on that soon. Something I further liked about the solution is that the standard process workflow instances are exposed in standard reports under the existing Omada Compliance Center for FIM 2010 for reporting purposes.

If you do not know already – Microsoft has acquired certain assets from BHOLD. Check out the link below for some initial information as well as the Gartner commentary on their blog.

Microsoft Pathways BHold Site

BHold wins Microsoft lottery (Gartner)

I understand and to an extent agree with Ian (Gartner) on the identity management lottery between vendors like Voelcker, BHold and Omada (even IdentityForge) and some of these recent acquisitions; but I am sceptical about exactly what features will be released when –  with regards to the BHold + Microsoft deal. The number of customers embarking on more advanced identity management roadmaps over the past few years have no doubt been putting pressure on Microsoft to evolve in this sector – but like the timeframe, licensing model and feature set will no doubt have a great impact on the way Microsoft positions this acquired features – while it would have a impact on the current ISV’s building solution on top of the FIM platform.

One thing is sure – interesting times awaits.

It is already time for Tech-Ed 2011. Planning is going ahead to make it a yet another great year. Note this year that Microsoft Tech-Ed and Partner Summit is running concurrently at the Durban ICC. Myself and the team will be there.

Look out for an update out sessions relating to FIM 2010 and FIM 2010 R2 as well as session from the rest of the team.

Forefront Identity Manager 2010 ECMA 2.0 Beta and Forefront Identity Manager 2010 R2 is now available on a public beta.

https://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6639&pageType=1

The beta includes the latest version of:

- FIM 2010 R2

- Outlook Add-on for Office 2010

- FIM 2010 ECMA 2 (formally EZMA)

For customers wanting to use the Office 2010 add-on, this component is available under a supplemental license agreement for use in product. Please read the terms carefully and complete the survey on Connect to accept the licensing terms.

Check out this interesting video from the Microsoft UI team about some of the new features coming with Windows “8”.

Also check out: http://www.microsoft.com/presspass/features/2011/jun11/06-01corporatenews.aspx and http://www.buildwindows.com/

Last evening one of my customers experienced a ILM 2007 synchronization error which caused quite a bit of commotion. In the end, the solution was quite simple to implement although the process took a bit of a round about path. Even though we encountered this error in ILM 2007 I am sure it might affect FIM 2010 as well – but since we do not know what caused the error I cannot confirm this at this stage.

The symptom of the problem was visible when running any type of sync on the ILM 2007 sync engine. When an object was synced irrespective of which MA was contributing to the MV object the MA would fail with an “Server-Stopped” error message when completing the referential updates at the end of the MA sync process. Although the MIISServer.exe process itself did not fail the MA reported a “Server-Stopped” and and object exception was presented stating the a full object is required and that delta’s could not be processed.

The engine was running 3.3.1139.02 (ILM 2007 SP1) and even with 3.3.1165.02 applied the error still appeared.

Within the event log we received the following error (which provided some insight).

Log Name:      Application
Source:        MIIServer
Date:          2011/02/20 06:51:58 PM
Event ID:      6401
Task Category: (3)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxxxxxxxxxx
Description:
The management agent controller encountered an unexpected error.

"ERR: MMS(6972): libutils.cpp(9253): Unusual error code reported 0×80230203
Microsoft Identity Integration Server 3.3.1139.2"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MIIServer" />
    <EventID Qualifiers="49152">6401</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0×80000000000000</Keywords>
    <TimeCreated SystemTime="2011-02-20T16:51:58.000Z" />
    <EventRecordID>2684357</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxxxxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ERR: MMS(6972): libutils.cpp(9253): Unusual error code reported 0×80230203
Microsoft Identity Integration Server 3.3.1139.2</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        MIIServer
Date:          2011/02/20 06:51:58 PM
Event ID:      6301
Task Category: (3)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxxxxxxxxxxx
Description:
The server encountered an unexpected error in the synchronization engine:

"BAIL: MMS(6972): syncprocess.cpp(1312): 0×80230203 (Request full update since the connector space cannot accept delta.)
ERR: MMS(6972): syncprocess.cpp(1382): Retry mv terminated unexpectedly with 0×80230203
BAIL: MMS(6972): syncprocess.cpp(567): 0×80230203 (Request full update since the connector space cannot accept delta.)
BAIL: MMS(6972): syncimport.cpp(393): 0×80230203 (Request full update since the connector space cannot accept delta.)
Microsoft Identity Integration Server 3.3.1139.2"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MIIServer" />
    <EventID Qualifiers="49152">6301</EventID>
    <Level>2</Level>
   <Task>3</Task>
    <Keywords>0×80000000000000</Keywords>
    <TimeCreated SystemTime="2011-02-20T16:51:58.000Z" />
    <EventRecordID>2684356</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>BAIL: MMS(6972): syncprocess.cpp(1312): 0×80230203 (Request full update since the connector space cannot accept delta.)
ERR: MMS(6972): syncprocess.cpp(1382): Retry mv terminated unexpectedly with 0×80230203
BAIL: MMS(6972): syncprocess.cpp(567): 0×80230203 (Request full update since the connector space cannot accept delta.)
BAIL: MMS(6972): syncimport.cpp(393): 0×80230203 (Request full update since the connector space cannot accept delta.)
Microsoft Identity Integration Server 3.3.1139.2</Data>
  </EventData>
</Event>

The error that states that a FULL OBJECTS is required is a known error when working with a file format. This has been around since 2003 with the MIIS 2003 sync engine.

In our case the challenge was that it did not matter how many FULL IMPORTS we did to refresh the connectorspace, the object kept on requesting a full object (and that delta’s are not allowed).

Our first attempt to fix the error involved doing a SQL Profiler trace to find the object causing the error. Once we located the object in the SQL Profiler we found that it is actually the same object that was requesting a FULL OBJECT. We attempted to disconnect this object from the contributing CS in order to get rid of the error but doing a this just gave us the same error (“Request full updates since the connector space cannot accept delta’s”).

In the end our only recourse was to clear the entire connector space. Doing this also gave an error but when clearing the CS this error can be skipped via the deletion process. (See below)

Once the object was deleted from the CS we completed a full import. We used the joiner to Explicitly disconnect the offending object and then ran a Full Sync again to join the contributing object back to the MV objects.

We will now do and figure out what is wrong with this one object and then bring it back into the synchronization process.

Note: Ensure that if you delete a CS there is enough contributed information left on the object for a Full import from the contributing MA to join back up to the MV object. Also ensure you do not remove your MV object when the specific MA is cleared (this might cause much more pain ).

Today sees the release of a huge amount of updates for FIM 2010 spanning across all of the product components. This release (Build 4.0.3573.2) sees the official release of the Password Self-Service updates previously released as hotfixes.

There is over 30 updates, fixes and new features – check them all out at http://support.microsoft.com/kb/2417774

The above KB article only refers to the updates that are made as part of this latest update, but all previous updates are rolled into this one. For a complete list of all the updates since release, refer to the various other listed KB’s. (Thx Brjann)

http://support.microsoft.com/kb/2272389
http://support.microsoft.com/kb/2028634
http://support.microsoft.com/kb/978864

Congrats to the team at Gijima on becoming one of the first companies that have attained the new revised Microsoft Gold Partner Competencies for Identity and Security.

Well done gents and thanks for the hard work!

Check it out at: http://pinpoint.microsoft.com/en-ZA/PartnerDetails.aspx?PartnerId=4295530781