Deploying the FIM Add-In components

January 21st, 2011 Almero No comments

One of the components in a FIM 2010 SSPR deployment is the client roll-out of the Add-ins and Extensions for FIM 2010. There are a few ways of achieving this, but the following simple batch file detects the client OS architecture and deploys the appropriate package.

Thank you to Craig Eldridge for the script.

@echo off
REM Pick the add-in package that matches the client OS architecture.
REM PROCESSOR_ARCHITECTURE reads x86 when this runs from a 32-bit process on a
REM 64-bit OS; PROCESSOR_ARCHITEW6432 then holds the real architecture.
if "%PROCESSOR_ARCHITECTURE%" == "AMD64" goto AMD64
if "%PROCESSOR_ARCHITEW6432%" == "AMD64" goto AMD64
if "%PROCESSOR_ARCHITECTURE%" == "x86" goto x86
goto EXIT
:AMD64
msiexec /i \\servername\sharename\FIM\addins\x64\Add-insetc.msi /quiet ADDLOCAL=PasswordClient RMS_LOCATION=<portal server> PORTAL_LOCATION=<portal server> PORTAL_PREFIX=https SITELOCK_DOMAIN="<servername>/<FQDN Name>" /log fim.log
goto EXIT
:x86
msiexec /i \\servername\sharename\FIM\addins\x86\Add-insetc.msi /quiet ADDLOCAL=PasswordClient RMS_LOCATION=<portal server> PORTAL_LOCATION=<portal server> PORTAL_PREFIX=https SITELOCK_DOMAIN="<servername>/<FQDN Name>" /log fim.log
goto EXIT
:EXIT

Check out the following additional resource for more information on the options available for the unattended installation: TechNet – Unattended Installation of FIM 2010.

To troubleshoot the client installation, open the “fim.log” file that was created and search for “Return Value 3”, which signifies a Windows Installer error.

One last thing: the script above installs the client components and forces a restart of the client machine. To suppress the restart, add the “/norestart” option just before or after the “/quiet” option.
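As an added example (not part of the original post or the script above), the same install done from PowerShell with /norestart, interpreting the msiexec exit code and, on failure, pulling the failed action out of the /log file by looking for the “Return value 3” marker. The function names, the sample log and the server values are constructed for illustration.

```powershell
# Added example, not from the original post. Find-MsiFailure scans an msiexec log for
# "Return value 3" (a failed installer action) and returns each hit with the lines
# that precede it; Install-FimAddin runs the installer and uses it when msiexec fails.

function Find-MsiFailure {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [int] $Context = 3   # log lines to return before each failure marker
    )
    $lines = @(Get-Content -Path $LogPath)
    $hits = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Return value 3') {
            $before = if ($i -gt 0) {
                $start = [Math]::Max(0, $i - $Context)
                $lines[$start..($i - 1)] -join "`n"
            } else { '' }
            $hits += [pscustomobject]@{
                Line    = $i + 1
                Marker  = $lines[$i].Trim()
                Context = $before
            }
        }
    }
    return $hits
}

function Install-FimAddin {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,        # e.g. \\servername\sharename\FIM\addins\x64\Add-insetc.msi
        [Parameter(Mandatory)] [string] $PortalServer,   # the <portal server> value from the batch file
        [Parameter(Mandatory)] [string] $SiteLockDomain, # the SITELOCK_DOMAIN value from the batch file
        [string] $LogPath = (Join-Path $env:TEMP 'fim.log')
    )
    # Same public properties as the batch file; /norestart suppresses the forced reboot.
    $msiArgs = @(
        '/i', "`"$MsiPath`"", '/quiet', '/norestart',
        'ADDLOCAL=PasswordClient',
        "RMS_LOCATION=$PortalServer", "PORTAL_LOCATION=$PortalServer", 'PORTAL_PREFIX=https',
        "SITELOCK_DOMAIN=`"$SiteLockDomain`"",
        '/log', "`"$LogPath`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { Write-Host 'Add-in installed.' }
        3010 { Write-Host 'Add-in installed; a reboot is still required (exit code 3010).' }
        default {
            Write-Warning "msiexec exited with $($proc.ExitCode); failed actions from $LogPath :"
            Find-MsiFailure -LogPath $LogPath | Format-List
        }
    }
    return $proc.ExitCode
}

# Constructed sample log (not a real FIM log) so Find-MsiFailure can be tried offline.
$sample = @'
MSI (s) (A4:B8) [10:21:05:112]: Executing op: ActionStart(Name=InstallFiles,,)
MSI (s) (A4:B8) [10:21:05:113]: Note: 1: 1304 2: C:\Program Files\Microsoft Forefront Identity Manager\2010\Add-ins\Extension.dll
Error 1304. Error writing to file. Verify that you have access to that directory.
Action ended 10:21:05: InstallFiles. Return value 3.
Action ended 10:21:05: INSTALL. Return value 3.
'@
$sampleLog = Join-Path $env:TEMP 'fim-sample.log'
Set-Content -Path $sampleLog -Value $sample
Find-MsiFailure -LogPath $sampleLog | Format-List
```

With /norestart in place, exit code 3010 is the normal “installed, reboot pending” result rather than an error, so a deployment job should treat it as success and schedule the restart separately; anything else is worth feeding through Find-MsiFailure before retrying.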

Categories: FIM 2010 Tags:

Adding a Privacy Policy URL link to FIM 2010 SSPR

January 21st, 2011 Almero No comments

There has been a lot of discussion relating to the branding and customization of the FIM 2010 Self Service Password Reset (SSPR) client components. Customers request the ability to change the picture, text and general branding. At present this is not possible, but we have discussed this with the product team and it has been logged as a request. In the meantime, however, Thomas Vuylsteke and Anthony Ho have highlighted an option that is currently available in any build higher than 4.0.3558.2.

By adding the registry value below on a client machine that has the Add-ins and Extensions for Password Reset installed, you can enable a message at the bottom of the client that links to privacy policy information at a URL during the registration process.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C
    • New String (REG_SZ) value with the following name: PrivacyLink
    • The value for the entry: http://webserver-name/policy

I know this will not give you the logo you wanted, but it will assist certain customers with potential auditing requirements.
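As an added example (not from the original post), the registry change above done from PowerShell with a read-back so the stored value can be confirmed. The key path and value name are the ones given in the post; the function name and the URL validation are my own additions.

```powershell
# Added example, not from the original post: write the PrivacyLink REG_SZ value
# under the GatePlugins key named in the post and return what was stored.

function Set-FimPrivacyLink {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Url
    )
    # Key path from the post (the GUID identifies the password reset gate plug-in).
    $key = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C'

    # The client shows this link to end users during registration, so only accept an
    # absolute http or https URL rather than whatever string happens to be passed in.
    $parsed = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$parsed) -or (@('http', 'https') -notcontains $parsed.Scheme)) {
        throw "PrivacyLink must be an absolute http or https URL, got '$Url'"
    }

    # The key normally exists once the add-in is installed; if it is missing, say so
    # (the client may not be installed) and create it so the value can still be written.
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Key not found (is the Add-ins and Extensions client installed?); creating it."
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$key\PrivacyLink", "Set REG_SZ value to $Url")) {
        # -PropertyType String writes a REG_SZ; -Force overwrites an existing value.
        New-ItemProperty -LiteralPath $key -Name 'PrivacyLink' -Value $Url -PropertyType String -Force | Out-Null
    }
    # Read back so the caller can confirm what the client will see.
    return (Get-ItemProperty -LiteralPath $key -Name 'PrivacyLink').PrivacyLink
}

# URL placeholder taken from the post; run from an elevated prompt on the client.
Set-FimPrivacyLink -Url 'http://webserver-name/policy'
```

The function supports -WhatIf, so it can be dry-run before being pushed to clients through a startup script or configuration management tool.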
Categories: FIM 2010 Tags:

Microsoft Showcase–Microsoft.com

January 21st, 2011 Almero No comments

These days there is a high focus on cloud technologies and hosted services. I came across this article and streaming session that discusses how MSIT Operations deployed and manages the Microsoft.com infrastructure. When you consider the following statistics, there are lessons to be learned here:

  • The site generates more than 1.2 billion hits per day
  • 57 million unique Internet Protocol (IP) addresses
  • 200 million daily page views
  • averages 30,000 Hypertext Transfer Protocol (HTTP) requests per second
  • average of 750,000 concurrent client connections
To add to this impressive feat, Microsoft.com’s Keynote ratings have been impeccable, achieving over 99.8 for the last 5 consecutive years and 99.9 for the last two.
Categories: General Tags:

Tech-Ed Sessions presented by Gijima

October 15th, 2010 Almero 2 comments

There are a number of sessions being presented at Tech-Ed this year by various of my fellow business managers and team members. Have a look at the list below for all the available titles and topics being addressed this year.

Hope to see you there! Be sure to drop by the MVP lounge and the Gijima stand to say “Hi”!

 

Speakers, focus areas and sessions:

Almero Steyn – Identity Management
· Realising the “Art of Possible”
· Microsoft Forefront Identity Manager 2010: In Production
· Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
· Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
· Microsoft Forefront Identity Manager 2010 Deep Dive

Jacques Mostert – Systems Management
· Realising the “Art of Possible”
· Microsoft System Center Configuration Manager 2007: Overview
· Microsoft System Center Operations Manager 2007 R2: Service Levels, Reports, Dashboards, Report Authoring, and More!
· What’s New Since the Release of Microsoft System Center Operations Manager 2007 R2

Jacques Swanepoel – Identity Management
· All you need to know about Microsoft Live @ Edu

Jayesh Mowjee – Security
· Realising the “Art of Possible”
· Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
· Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft’s Secure Endpoint Solution
· Secure Collaboration: Microsoft Forefront Protection 2010 for SharePoint Deep Dive

Leonard Rawbone – Architecture
· Realising the “Art of Possible”

Simon Martyn – Virtualisation
· Realising the “Art of Possible”
· Windows Server 2008 R2 Hyper-V Performance Analysis: How You Can Get the Most Out of Hyper-V
· Dynamic Datacenter \ Cloud Services with Microsoft Virtualization

Categories: Community Tags:

Tech-Ed 2010 Sessions

October 14th, 2010 Almero No comments

Only a few days to go till we kick off Tech-Ed 2010. Come join me for the sessions listed below. If you do not get time to attend one of the sessions, feel free to drop by the Gijima stand, the MVP lounge or “Ask the Expert”.

Looking forward to seeing you there.

  • Monday 18th 2010 – 9:15 to 10:15
  • Room C4
  • Session Code: SEC 301
  • Session Title: Microsoft Forefront Identity Manager 2010: In Production
  • Abstract: Microsoft Forefront Identity Manager (FIM) includes many rich integration and self-service features across multiple platforms. Deploying and troubleshooting FIM requires broad knowledge of technologies such as Active Directory, SharePoint, Exchange, SQL, Windows Communication Foundation, Workflow Foundation, and ILM 2007. In this session we walk you through how to deploy and manage FIM in production by showing common troubleshooting approaches, migrating configuration, and common resolutions. The session is appropriate for attendees who plan to configure or administer FIM both in-house and on behalf of customers.

 

  • Tuesday 19th 2010 – 10:45 to 11:45
  • Room D5
  • Session Code: SEC 310
  • Session Title: Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
  • Abstract: This session takes an under-the-hood look at a migration from a proprietary smart card management system to FIM 2010 Certificate Management, by evaluating Microsoft IT’s internal deployment as an example. The session describes Microsoft’s PKI deployment, highlights the challenges faced with the previous smart card management system and Microsoft’s plans for their FIM CM deployment. The session will provide real world examples of how FIM CM is utilised and what lessons can be learned when looking at the deployment of smartcard and certificate management within your own environment.

 

  • Tuesday 19th 2010 – 14:30 to 15:30
  • Room A3
  • Session Code: SEC 311
  • Session Title: Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
  • Abstract: Don’t miss the chance to see demos and understand how Microsoft Forefront Identity Manager (FIM) can be used to manage objects in Active Directory (AD). We walk through importing objects from Active Directory whilst delegating management of users and groups. You learn that there is more to the story than self-service group management and self-service password reset as we also look at how to tie together group policy with FIM as well as automating management of role-based security groups. You should walk away from this session with a warm feeling that there is a great solution out there that can increase data quality and consistency in Active Directory for applications using the identity information and that there are ways to empower end users as well as delegated administrators to take care of day to day tasks in Active Directory.

 

  • Tuesday 19th 2010 – 17:15 to 18:15
  • Room C1
  • Session Code: WTB 338
  • Session Title: Microsoft Forefront Identity Manager 2010 Deep Dive
  • Abstract: The Microsoft FIM 2010 deep dive session explores the next generation Microsoft identity management platform as part of a fundamental paradigm shift in identity management as an enabler for a dynamic information technology organisation. The session dives into platform customisation and potential ISV solutions that enhance the FIM 2010 platform.
Categories: Community Tags:

Tech-Ed 2010 – South Africa

September 21st, 2010 Almero No comments


Hey there guys and gals, it’s time for Tech-Ed 2010 again. This year will be bigger and better than the year before. We are currently busy putting the final touches on sessions, stands and activities. If you have not booked your place yet, do so at:

Homepage = http://www.teched.co.za

Register Now = https://secure.mseventssa.co.za/teched2010/booking/default.aspx

 

Categories: Tech-Ed Tags: ,

TOP 10 Reasons why Identity Management Projects fail

July 31st, 2010 Almero 2 comments

I have been working with identity and access management technologies for a few years now, and in this time I have had the opportunity to work on a multitude of projects aimed at the deployment of these technologies. Over this period I have noticed that there are certain things that make a project work, and invariably there are things that set you up for failure from the start. In order to help prompt successful identity management deployments, I thought I would give you my “Top 10 Reasons Identity Management Projects Fail”.

 

One: No clear goal or problem statement – We all know this, but somehow we still miss it sometimes. Over the years the customer projects that have had the greatest success have been the ones that knew exactly what they wanted to achieve. There is a great phrase that states “Clarity is power”: if you understand what you want to achieve you find ways to get it done, and you notice when you are getting off track. I think there are three main reasons to embark on an identity management project: security – operational efficiency – governance / compliance.

Tip: Get clear on the problem – Get clear on the goal

 

Two: Sponsorship – One of the quickest ways to make any integration project such as an identity management project fail is to have the wrong level of sponsorship for the project. Generally, when a project is driven from an IT department alone and it requires deep integration into systems such as payroll, there are challenges in getting all parties to agree on the need for the project (or the proposed timelines, cost, effort, etc.). Making sure you have the right level of executive sponsorship for your initiative, sponsors who understand the need and the goal, makes it easier to get all parties to help in the effort.

Tip: Make sure you get the right level of sponsorship for your project.

 

Three: Most technology and business decision makers don’t know what IDM is – Though the field of identity management has been around for many years, it has not been all that accessible for adoption within the broader market (for many reasons), and as such there have historically been very few people who could effectively articulate the technical and business benefits to get large scale projects going. Because of this there are a lot of half-baked ideas / truths about what identity management is. I have always found the best way to educate people about what these technologies can do is to show them.

Tip: Make sure to showcase the technology solving the business problem and at the same time educating your company on the solution.

 

Four: Skills, Skills, Skills – Irrespective of the vendor solution, finding the right individual to deploy the solution and, more challenging, to maintain it post deployment has proven to be a big stumbling block in the deployment of identity management technologies.

Tip: Find the right partner or skilled consultant to assist in the deployment and training of your onsite resources

 

Five: Perceived Cost of Ownership – When customers embark on any technology project they often do a cost-benefit analysis to determine if the project is a good idea. Whether this is a formal process or someone just looking at a total and thinking “What am I getting for all this money again?”, the process does take place. Since identity management in many cases enhances something that already exists, this is sometimes a hard sell to someone who does not have a clear picture of the problems (or you have not effectively shown the correct people the correct problem). When objectively looking at identity management technologies compared to many distributed infrastructure deployments like Exchange, the cost is actually quite low, but when you put professional services, support, client access licenses and the number of systems to integrate together it does become quite expensive sometimes. The trick here is: business decision makers know they need email… you need to find a problem or benefit so big that they will know they need identity management.

Tip: When cost alone is enough to stop your deployment you need to find a bigger carrot or stick

 

Six: Going big made you go home – Numerous times I have been involved in projects, or heard of projects, that failed due to this little principle. Many times customers look into identity management, see the potential and then go ballistic. They try to deploy complete company-wide role based access, mapped into payroll and integrated into all company systems. This approach has many problems in my opinion: either you plan forever trying to map every role in HR to every access permission in the company, OR you deploy forever trying to get every system to speak to every other system, OR both of the above. Usually this makes people lose interest and the momentum you started with is lost.

Tip: Find a balance for a first phase deployment between value shown and the timelines in which you deliver. This way you will prove value quickly

 

Seven: Manage change – We techies love our technology, but every now and then we have to deal with business users… right. When looking at the new wave of identity management products on the market today, almost all of them have a user front-end of some sort. Due to this the identity management engine is no longer a process hidden in the corner of the datacentre, but becomes an integral part of many users’ day-to-day jobs. Since we now have interaction with users of the solution, it is imperative for identity management projects to include some form of change management for the technology consumers. IT projects have been quite bad with this in the past, but we must change that going forward.

Tip: Make sure people know what changes are coming and how this will change the way they work today

 

Eight: Poor planning – Every project we do irrespective of technology has certain risks, but through planning many of these can be addressed. These risks can be mitigated quite easily in my mind by taking some of the previous tips to heart and having an effective project management process. By knowing the goal, having the business buy-in, understanding the cost, managing the scope and communicating change we set ourselves up for success. The things that remain are timeline, scope and budget management.

Tip: Apply good project management principles to your identity management project (together with the tips above)

 

Nine: Unmanaged expectations – The fact that this is only mentioned at number nine should not be taken as an indication of the importance of this point. I think this is an invaluable lesson for every part of our lives, not just in running a successful project. The age old picture below paints the picture perfectly. Look at the picture long and hard and make sure you see this the next time you chat to a project team member.

Tip: Make sure after every meeting, discussion, email, chat and document exchange that everyone is on the same page – expecting the same thing for the outcome

 


 

Ten: Identity is given the wrong priority – The final point here is a little bit of a rant regarding companies having a mistaken view of how important identity, and the effective management of identity, is to their business. Identity in business today is everything. If you wanted to give people permission to something you would need to know “who” you want to give “what”, and indeed “when” and for what “reason”. Without effectively knowing who is who in the realm of your organization you know nothing. When we manage our staff, student, vendor, contractor, alumni, partner, administrator, etc. identities well, we enable the business to be more secure while being highly dynamic and agile at the same time.

Tip: Spread the word – Without effectively managing our identities within the corporate environment every piece of IT infrastructure you spend millions on is reduced to just pieces of tin.

Categories: General Tags:

FIM 2010 CM: Management Agent Configuration

July 23rd, 2010 Almero Comments off

If you are in the process of setting up FIM 2010 Certificate Management or CLM 2007, there are two very important tasks that need to be completed in order to get imports from your Certificate Management MA to work.

  1. Ensure the username and password in the management agent are properly formatted. The username should be specified as DOMAIN\User.
  2. The ConnectTo variable should be set to the URL of the CM portal (http://server/certificatemanagement).
  3. Ensure that the account used within the CM Management Agent has access to all the profile templates within the organization. These can be checked under “Active Directory Sites and Services – Services – Public Key Services – Profile Templates”. If you cannot see the Services node, be sure to select “Show Services Node” under the View options.
  4. Verify that you have configured the CM web.config to allow the CM Management Agent to access the service. In order to do this, add the statement below to the CM web.config.
  5. Choose the correct authentication method under the management agent additional properties (set ‘authType’ to either ‘Negotiate’ or ‘NTLM’).
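As an added example (not from the original post), a PowerShell pre-flight check for the management agent settings in steps 1, 2, 3 and 5 above: the DOMAIN\User format, the ConnectTo URL, the authType value, and whether the MA account is named directly on each profile template under the Public Key Services container. The function name, parameter names and sample values are my own; the profile template container path is taken from the AD Sites and Services location given in step 3, and the web.config change in step 4 is not covered.

```powershell
# Added example, not from the original post: validate the CM MA settings listed
# above and return a list of problems (empty list means nothing was found).

function Test-FimCmMaConfig {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # must be DOMAIN\User
        [Parameter(Mandatory)] [string] $ConnectTo,  # CM portal URL
        [Parameter(Mandatory)] [string] $AuthType,   # Negotiate or NTLM
        [switch] $CheckProfileTemplates               # needs a domain-joined host
    )
    $problems = @()

    # Step 1: down-level DOMAIN\User form, not a UPN and not a bare user name.
    if ($UserName -notmatch '^[^\\@\s]+\\[^\\@\s]+$') {
        $problems += "UserName '$UserName' is not in DOMAIN\User format"
    }

    # Step 2: ConnectTo must be an absolute URL ending in /certificatemanagement.
    $uri = $null
    if (-not [Uri]::TryCreate($ConnectTo, [UriKind]::Absolute, [ref]$uri)) {
        $problems += "ConnectTo '$ConnectTo' is not an absolute URL"
    } elseif ($uri.AbsolutePath.TrimEnd('/') -notlike '*/certificatemanagement') {
        $problems += "ConnectTo '$ConnectTo' does not point at the /certificatemanagement portal"
    }

    # Step 5: only the two values the MA accepts.
    if (@('Negotiate', 'NTLM') -notcontains $AuthType) {
        $problems += "authType '$AuthType' must be Negotiate or NTLM"
    }

    # Step 3: profile templates are objects under
    #   CN=Profile Templates,CN=Public Key Services,CN=Services,<configuration NC>
    # (the path shown in AD Sites and Services). Report templates whose ACL has no
    # Allow ACE naming the account directly. Rights the account gets through group
    # membership are not visible this way, so a hit is something to inspect, not a verdict.
    if ($CheckProfileTemplates) {
        $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
        $container = [ADSI]"LDAP://CN=Profile Templates,CN=Public Key Services,CN=Services,$configNC"
        foreach ($template in $container.psbase.Children) {
            $rules  = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
            $direct = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $UserName
            })
            if ($direct.Count -eq 0) {
                $name = $template.psbase.Properties['cn'][0]
                $problems += "No Allow ACE for $UserName on profile template '$name'"
            }
        }
    }
    return $problems
}

# Constructed sample values; add -CheckProfileTemplates on a domain-joined host.
Test-FimCmMaConfig -UserName 'CONTOSO\svc-fimcm' -ConnectTo 'http://server/certificatemanagement' -AuthType 'Negotiate'
```

Run it before the first import on the MA: an empty result means the three string settings are well-formed, and with -CheckProfileTemplates it also lists any template the account is not granted on by name, which is the usual reason the import returns nothing.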

Read more…

FIM Portal Error: InvalidRepresentationException

July 17th, 2010 Almero Comments off

I have recently been editing some RCDCs and came across this error again. There are a few references on the web, but I thought I would add a quick note about it.

Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: Exception of type ‘Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException’ was thrown.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

The error generally only occurs when you have been messing with one of two things: the RCDC, or the schema of an object / attribute / binding. The error basically states that there is a disconnect between what your RCDC is trying to create / update and what is available in the schema. You will have to retrace your steps a little to find the actual problem, since I cannot advise you on what is happening in your environment, but I hope this at least points you in the right direction.

Categories: FIM 2010 Tags: ,

BPOS management through ILM / FIM

July 14th, 2010 Almero Comments off

For those countries lucky enough to have wide scale Microsoft BPOS infrastructure (not like South Africa), Carol, one of our Identity Management MVPs, has done very good work on using ILM / FIM to issue BPOS commands. There are certain things that are possible with connectors like the Outlook Sync MA, which works against the same type of mechanism, but the BPOS offering is much wider, so if you want to issue custom commands check out her post at http://www.wapshere.com/missmiis/provisioning-bpos-powershell-commands-as-cs-objects.

Nice one Carol.

Categories: FIM 2010 Tags: