Archive for the ‘FIM 2010’ Category

Microsoft FIM 2010 R2 Release Candidate Now Available

November 25th, 2011 Almero No comments
Categories: FIM 2010, FIM 2010 R2 Tags:

Microsoft Identity Management, BHold and Omada

October 5th, 2011 Almero No comments

The past few weeks have seen a lot of hustle and bustle in the industry with the Microsoft “certain asset” acquisition of BHold. Although the move to expand the offering of the Microsoft platform is a positive one in my mind, it has left a lot of people confused and raised many questions. I have been working with a customer on a long term identity management strategy and this announcement has cast quite a bit of uncertainty over the process (in terms of cost, development effort in a specific direction and ultimately platform choice).

I do not think that the acquiring of platform enhancements is a bad idea – I welcome it – but at present there is no roadmap and clear strategy for the integration of these features into the platform (not that we know what these features are yet). At the same time there is the FIM 2010 R2 release that is currently in the pipeline. In this release we see some welcome features, including the addition of FIM 2010 reporting (which is crucial). My concern is how this direction architecturally will align with possible acquired portions from BHold.

For now at least, based on my discussions, there are no clear answers to most of these questions. It is clear that at present the BHold components are not available for sale from either Microsoft or BHold and that these – in my opinion – will not be available in the FIM 2010 R2 timeframe. (The features within this release cannot be held back to try to accommodate the integration of BHold components).

On the side-line of this sit vendors like Omada, which have a great offering and have consistently had the ability to execute. In discussions with Omada over the past few weeks it was clear to me that they welcome the BHold component acquisition. I think they would be fools if they did not have a strategy of how to deal with this and although there is no clear way forward for the FIM 2010 + BHold components – this has not stopped them from pushing their components forward. They have also committed to keep their Microsoft FIM 2010 strategy 100% focussed and to support all their existing customers. Their vision seems set to provide quality add-on modules for the FIM 2010 platform which enable advanced business scenarios. The BHold platform enhancements seem to only lift their vision to embrace this change and continue to build on top of it. They are so confident that they have value to add that they have said they will not lock customers into their platform should they wish to convert – this says something to me about their confidence in their products.

I know I sound very pro-Omada at the moment and it is not my intention to blow marketing vapour up anyone’s nostrils – so let’s have a look at why I am excited about the Omada offerings at the moment.

Solid Offering: Have a look at the list below and then try to dispute two things:

  • Omada has a comprehensive and compelling offering
  • Omada is committed to the Microsoft platform

As recently as yesterday they launched a new offering: the Omada Workflow Builder for FIM 2010. Read more about that in this post.

Omada Modules for FIM 2010 include:

Track Record: Omada has been around for a while and has been developing on the Microsoft IdAM platforms for several years. As a FIM-guy I sometimes might agree with some approaches or disagree – but the output from their development team has consistently proven to me that they have insight into the platform and they are committed to finding new ways of extending the boundaries of what FIM 2010 can do. An example of this is their latest version of the Compliance Reporting Center and now the Workflow Builder which is beautifully integrated into the FIM 2010 portal.

Industry Case Studies: Omada has over the years had some great deployments. They will be able to provide the references and case studies in this regard.

Awards: Being awarded the Worldwide Security and Identity partner of the year 3 times in 4 years also says a lot about what the partner has done for customers as well as Microsoft and their platform.

Ok – enough – I am starting to sound like a marketing manager again. It is simple in my mind – until Microsoft has a clear strategy (publicly announced to its customers and partners) for the BHold components; including timelines for deployment and licensing implications; my identity and access management practice will continue to push Omada products as the premier source of value-add components to the FIM 2010 platform.

I do congratulate BHold on their acquisition by Microsoft and I do not feel that my opinions about their past count for anything at present (since I have not been active in the deployment of BHold solutions). The challenge is clear for the Microsoft / BHold future – execute, execute, execute + deliver.

Categories: FIM 2010, Omada Tags: ,

Omada Workflow Builder–Brand New !!

October 4th, 2011 Almero No comments

Yesterday saw the release of Omada’s brand new component for business process management within the Microsoft FIM 2010 platform. See the official press release here.

For my view on the current Microsoft / Omada / BHold discussion see the following posts:

The exciting news for this post however is the brand new workflow builder aptly called Omada Workflow Builder for FIM 2010. Something that has impressed me a lot in the last few releases from Omada is the level of integration they seek with the seamless adding of their modules into the FIM 2010 portal. This has always been one of my biggest comments/complaints to all the ISV vendors of FIM components. The last few releases have started to address this concern of mine – and the new workflow builder looks right on the money.

Subsequent to the announcement I had the privilege to get an inside look at some of the new features and they seem straightforward (at least from the surface – I have not been able to play with these myself). Again the obvious plus point was the integration into the FIM 2010 portal. Until I have developed business processes in this tool I will reserve comment – but I have included some very nice looking screenshots.

This component again shows Omada’s commitment to developing solutions on top of the FIM 2010 platform. In my view this makes the platform more well rounded and sends a clear message of intent to customers and Microsoft that Omada is not going anywhere.

Portal front page view of business process initiation: The new workflow builder integrates seamlessly on the FIM 2010 front-end as with all the current Omada modules for FIM 2010.

image

Requesting access to resources: The further enhancement is the seamless integration of the workflow process windows into the FIM 2010 portal through FIM 2010 RCDCs. Below are screenshots of a resource request process being initiated as well as an approver taking action on the request.

image

Approval task example

image

Just how flexible and simple the development of these new workflow tasks is – that remains to be seen. I hope to get a view on that soon. Something I further liked about the solution is that the standard process workflow instances are exposed in standard reports under the existing Omada Compliance Center for FIM 2010 for reporting purposes.

Categories: FIM 2010, Omada Tags: ,

Microsoft and BHOLD

September 24th, 2011 Almero No comments

If you do not know already – Microsoft has acquired certain assets from BHOLD. Check out the link below for some initial information as well as the Gartner commentary on their blog.

Microsoft Pathways BHold Site

BHold wins Microsoft lottery (Gartner)

I understand and to an extent agree with Ian (Gartner) on the identity management lottery between vendors like Voelcker, BHold and Omada (even IdentityForge) and some of these recent acquisitions; but I am sceptical about exactly what features will be released when – with regards to the BHold + Microsoft deal. The number of customers embarking on more advanced identity management roadmaps over the past few years has no doubt been putting pressure on Microsoft to evolve in this sector – but things like the timeframe, licensing model and feature set will no doubt have a great impact on the way Microsoft positions these acquired features – while it would have an impact on the current ISVs building solutions on top of the FIM platform.

One thing is sure – interesting times await.

Categories: FIM 2010 Tags: ,

Forefront Identity Manager 2010 R2 CTP Available

July 29th, 2011 Almero No comments

Forefront Identity Manager 2010 ECMA 2.0 Beta and Forefront Identity Manager 2010 R2 are now available as a public beta.

https://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6639&pageType=1

The beta includes the latest version of:

- FIM 2010 R2

- Outlook Add-on for Office 2010

- FIM 2010 ECMA 2 (formerly EZMA)

For customers wanting to use the Office 2010 add-on, this component is available under a supplemental license agreement for use in product. Please read the terms carefully and complete the survey on Connect to accept the licensing terms.

Categories: FIM 2010 Tags:

FIM 2010 Update

February 2nd, 2011 Almero No comments

Today sees the release of a huge amount of updates for FIM 2010 spanning across all of the product components. This release (Build 4.0.3573.2) sees the official release of the Password Self-Service updates previously released as hotfixes.

There are over 30 updates, fixes and new features – check them all out at http://support.microsoft.com/kb/2417774

The above KB article only refers to the updates that are made as part of this latest update, but all previous updates are rolled into this one. For a complete list of all the updates since release, refer to the various other listed KBs. (Thx Brjann)

http://support.microsoft.com/kb/2272389
http://support.microsoft.com/kb/2028634
http://support.microsoft.com/kb/978864

Categories: FIM 2010 Tags:

Deploying the FIM Add-In components

January 21st, 2011 Almero No comments

One of the components in the deployment of FIM 2010 SSPR is the client roll-out of the Add-ins and Extensions for FIM 2010. There are a few ways of achieving this but the following is a simple batch file that will detect the client processor architecture and deploy the appropriate components.

Thank you to Craig Eldridge for the script.

REM Pick the installer that matches the client processor architecture.
REM Replace the share path and the <...> placeholders before use.
if %PROCESSOR_ARCHITECTURE% == AMD64 goto AMD64
if %PROCESSOR_ARCHITECTURE% == x86 goto x86
goto EXIT
:AMD64
REM 64-bit client: silent install of the password client, logged to fim.log
msiexec /i \\servername\sharename\FIM\addins\x64\Add-insetc.msi /quiet ADDLOCAL=PasswordClient RMS_LOCATION=<portal server> PORTAL_LOCATION=<portal server> PORTAL_PREFIX=https SITELOCK_DOMAIN="<servername>/<FQDN Name>" /log fim.log
goto EXIT
:x86
REM 32-bit client: same options, x86 package
msiexec /i \\servername\sharename\FIM\addins\x86\Add-insetc.msi /quiet ADDLOCAL=PasswordClient RMS_LOCATION=<portal server> PORTAL_LOCATION=<portal server> PORTAL_PREFIX=https SITELOCK_DOMAIN="<servername>/<FQDN Name>" /log fim.log
goto EXIT
:EXIT

Check out the following additional resource for more information on the options available with the unattended installation. TechNet – Unattended Installation of FIM 2010

To troubleshoot the client installation you can check the “fim.log” that was created and search for “Return Value 3”, which signifies a Windows Installer error.
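The log check described above, as an added PowerShell example (not part of the original post or of the deployment script): it finds each “Return value 3” marker in the msiexec log, names the action that returned it and collects any error lines logged just above it. The function name, the sample log lines and the action names in them are constructed for illustration.

```powershell
# Added example: triage the log written by "msiexec ... /log fim.log".
function Find-MsiFailure {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [int] $ContextLines = 10   # lines inspected just above each marker
    )
    # Get-Content honours the byte-order mark, so UTF-16 logs read correctly.
    $lines = @(Get-Content -LiteralPath $LogPath)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # -notmatch is case-insensitive, so "Return Value 3" is caught too.
        if ($lines[$i] -notmatch 'Return value 3\b') { continue }
        $action = if ($lines[$i] -match 'Action ended [\d:]+: (?<name>[^.]+)\.') {
            $Matches['name']
        } else { '(unknown)' }
        $first  = [Math]::Max(0, $i - $ContextLines)
        $before = if ($i -gt 0) { @($lines[$first..($i - 1)]) } else { @() }
        [pscustomobject]@{
            LineNumber = $i + 1
            Action     = $action
            # Error text, when logged, normally sits just above the marker.
            Detail     = @($before | Where-Object { $_ -match '\berror\b' })
        }
    }
}

# Constructed sample log; action names and error text are illustrative only.
$sample = @'
Action start 10:15:01: InstallFiles.
Action ended 10:15:02: InstallFiles. Return value 1.
Action start 10:15:02: ExampleCustomAction.
Error: constructed failure message for this example.
Action ended 10:15:03: ExampleCustomAction. Return value 3.
Action ended 10:15:03: INSTALL. Return value 3.
'@
$log = Join-Path ([IO.Path]::GetTempPath()) 'fim-sample.log'
Set-Content -LiteralPath $log -Value $sample

$hits = @(Find-MsiFailure -LogPath $log)
# The first hit is usually the action that failed; later hits are parent
# actions reporting the same failure.
$hits | Select-Object -First 1 | Format-List
Remove-Item -LiteralPath $log
```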

One last thing: The script above would install the client components and force a restart of the client machine. To ignore the restart you can add the “/norestart” option just before or after the “/quiet” option.

Categories: FIM 2010 Tags:

Adding a Privacy Policy URL link to FIM 2010 SSPR

January 21st, 2011 Almero No comments

There has been a lot of discussion traffic relating to the branding and customization of the FIM 2010 Self Service Password Reset (SSPR) client components. Customers request the ability to change the picture, text and general branding. At present this is not possible, but we have discussed this with the product team and it has been logged as a request. In the meantime however Thomas Vuylsteke and Anthony Ho have highlighted an option that is currently available in any build higher than 4.0.3558.2.

By adding the registry key below to the client machine that has  the Add-ins and Extensions for Password Reset installed you can enable a message at the bottom of the client that can provide privacy policy information from a URL during the registration process.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C
    • New String (Reg_SZ) with the following name: PrivacyLink
    • The value for the entry: http://webserver-name/policy

I know this will not give you the logo you wanted, but it will assist certain customers with potential auditing requirements.

Categories: FIM 2010 Tags:

FIM 2010 CM: Management Agent Configuration

July 23rd, 2010 Almero Comments off

If you are in the process of setting up FIM 2010 Certificate Manager or CLM 2007 there are two very important tasks that need to be completed in order to get imports from your Certificate Management MA to work.

  1. Ensure the username and password in the management agent are properly formatted. The username should be specified as DOMAIN\User.
  2. The ConnectTo variable should be set to the URL of the CM portal. (http://server/certificatemanagement)
  3. Ensure that the account used within the CM Management Agent has access to all the profile templates within the organization. These can be checked under “Active Directory Sites and Services – Services – Public Key Services – Profile Templates”. If you cannot see the Services node be sure to select “Show Services Node” under the View options.
  4. Verify that you have configured the CM web.config to allow the CM Management Agent to access the service. In order to do this, add the statement below to the CM web.config.
  5. Choose the correct authentication method under the management agent additional properties. (Set ‘authType’ to either ‘Negotiate’ or ‘NTLM’)

Read more…

FIM Portal Error: InvalidRepresentationException

July 17th, 2010 Almero Comments off

I have recently been editing some RCDCs and came across this error again. There are a few references on the web, but I thought I would add a quick note about it.

Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type ‘Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException’ was thrown.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

The error generally only occurs when you have been messing with one of two things: the RCDC or the schema of an object / attribute / binding. The error basically states that there is a disconnect between what your RCDC is trying to create / update and what is available in the schema. You would have to retrace your steps a little to find the actual problem since I cannot advise you what is happening in your environment, but at least I hope this points you in the right direction.

Categories: FIM 2010 Tags: ,