Posts Tagged ‘FIM 2010’

Microsoft Identity Management, BHold and Omada

October 5th, 2011 Almero No comments

The past few weeks have seen a lot of hustle and bustle in the industry with the Microsoft “certain asset” acquisition of BHold. Although the move to expand the offering of the Microsoft platform is a positive one in my mind, it has left a lot of people confused and raised many questions. I have been working with a customer on a long-term identity management strategy and this announcement has cast quite a bit of uncertainty over the process (in terms of cost, development effort in a specific direction and ultimately platform choice).

I do not think that acquiring platform enhancements is a bad idea – I welcome it – but at present there is no roadmap or clear strategy for the integration of these features into the platform (not that we know what these features are yet). At the same time the FIM 2010 R2 release is currently in the pipeline. In this release we see some welcome features, including the addition of FIM 2010 reporting (which is crucial). My concern is how this architectural direction will align with possible acquired portions from BHold.

For now at least, based on my discussions, there are no clear answers to most of these questions. It is clear that at present the BHold components are not available for sale from either Microsoft or BHold and that these – in my opinion – will not be available in the FIM 2010 R2 timeframe. (The features within this release cannot be held back to try to accommodate the integration of BHold components.)

On the sideline of this sit vendors like Omada, which have a great offering and have consistently had the ability to execute. In discussions with Omada over the past few weeks it was clear to me that they welcome the BHold component acquisition. I think they would be fools if they did not have a strategy for how to deal with this, and although there is no clear way forward for the FIM 2010 + BHold components, this has not stopped them from pushing their components forward. They have also committed to keeping their Microsoft FIM 2010 strategy 100% focused and to supporting all their existing customers. Their vision seems set on providing quality add-on modules for the FIM 2010 platform which enable advanced business scenarios. The BHold platform enhancements seem only to lift their vision to embrace this change and continue to build on top of it. They are so confident that they have value to add that they have said they will not lock customers into their platform should they wish to convert – this says something to me about their confidence in their products.

I know I sound very pro-Omada at the moment and it is not my intention to blow marketing vapour up anyone’s nostrils – so let’s have a look at why I am excited about the Omada offerings at the moment.

Solid Offering: Have a look at the list below and then try to dispute two things:

  • Omada has a comprehensive and compelling offering
  • Omada is committed to the Microsoft platform

As recent as yesterday they launched a new offering; the Omada Workflow Builder for FIM 2010. Read more about that in this post.

Omada Modules for FIM 2010 include:

Track Record: Omada has been around for a while and has been developing on the Microsoft IdAM platforms for several years. As a FIM guy I might sometimes agree or disagree with some of their approaches – but the output from their development team has consistently proven to me that they have insight into the platform and that they are committed to finding new ways of extending the boundaries of what FIM 2010 can do. An example of this is their latest version of the Compliance Reporting Center and now the Workflow Builder, which is beautifully integrated into the FIM 2010 portal.

Industry Case Studies: Omada has had some great deployments over the years. They will be able to provide references and case studies in this regard.

Awards: Being awarded Worldwide Security and Identity Partner of the Year 3 times in 4 years also says a lot about what the partner has done for customers as well as for Microsoft and its platform.

Ok – enough – I am starting to sound like a marketing manager again. It is simple in my mind – until Microsoft has a clear strategy (publicly announced to its customers and partners) for the BHold components, including timelines for deployment and licensing implications, my identity and access management practice will continue to push Omada products as the premier source of value-add components for the FIM 2010 platform.

I do congratulate BHold on their acquisition by Microsoft and I do not feel that my opinions about their past count for anything at present (since I have not been active in the deployment of BHold solutions). The challenge is clear for the Microsoft / BHold future – execute, execute, execute + deliver.

Categories: FIM 2010, Omada Tags: ,

Omada Workflow Builder–Brand New !!

October 4th, 2011 Almero No comments

Yesterday saw the release of Omada’s brand new component for business process management within the Microsoft FIM 2010 platform. See the official press release here.

For my view on the current Microsoft / Omada / BHold discussion see the following posts:

The exciting news for this post however is the brand new workflow builder, aptly called Omada Workflow Builder for FIM 2010. Something that has impressed me a lot over the last few releases from Omada is the level of integration they seek through the seamless addition of their modules into the FIM 2010 portal. This has always been one of my biggest comments/complaints to all the ISV vendors of FIM components. The last few releases have started to address this concern of mine – and the new workflow builder looks right on the money.

Subsequent to the announcement I had the privilege of getting an inside look at some of the new features and they seem straightforward (at least on the surface – I have not been able to play with these myself). Again the obvious plus point was the integration into the FIM 2010 portal. Until I have developed business processes in this tool I will reserve comment – but I have included some very nice looking screenshots.

This component again shows Omada’s commitment to developing solutions on top of the FIM 2010 platform. In my view this makes the platform more well-rounded and sends a clear message of intent to customers and Microsoft that Omada is not going anywhere.

Portal front page view of business process initiation: The new workflow builder integrates seamlessly on the FIM 2010 front-end as with all the current Omada modules for FIM 2010.

[screenshot]

Requesting access to resources: The further enhancement is the seamless integration of the workflow process windows into the FIM 2010 portal through FIM 2010 RCDCs. Below are screenshots of a resource request process being initiated as well as an approver taking action on the request.

[screenshot]

Approval task example

[screenshot]

Just how flexible and simple the development of these new workflow tasks is – that remains to be seen. I hope to get a view on that soon. Something I further liked about the solution is that the standard process workflow instances are exposed in standard reports under the existing Omada Compliance Center for FIM 2010 for reporting purposes.

Categories: FIM 2010, Omada Tags: ,

FIM 2010 CM: Management Agent Configuration

July 23rd, 2010 Almero Comments off

If you are in the process of setting up FIM 2010 Certificate Manager or CLM 2007, there are two very important tasks that need to be completed in order to get imports from your Certificate Management MA to work.

  1. Ensure the username and password in the management agent is properly formatted. It should be specified as DOMAIN\User.
  2. The ConnectTo variable should be set to the URL of the CM portal. (http://server/certificatemanagement)
  3. Ensure that the account used within the CM Management Agent has access to all the profile templates within the organization. These can be checked under “Active Directory Sites and Services – Services – Public Key Services – Profile Templates”. If you cannot see the Services node, be sure to select “Show Services Node” under the View options.
  4. Verify that you have configured the CM web.config to allow the CM Management Agent to access the service. In order to do this, add the statement below to the CM web.config.
  5. Choose the correct authentication method under the management agent additional properties. (Set ‘authType’ to either ‘Negotiate’ or ‘NTLM’.)

Read more…
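The checklist above is mostly about getting a handful of settings right before the first import. As an added illustration (not part of this post and not a FIM or CLM tool), the script below pre-flights items 1, 2, 3 and 5 from a PowerShell prompt on a domain-joined machine: it validates the DOMAIN\User form and resolves the account to a SID, parses the ConnectTo URL, checks authType against the two accepted values, and walks the Profile Templates container in the configuration partition (the same path the Sites and Services snap-in shows) to report any template on which the account has no direct Allow ACE. Item 4 is not checked because the web.config statement sits behind the Read more link. The parameter names and the example service account value are assumptions of this example.

```powershell
# Added pre-flight check for the FIM CM Management Agent settings listed above.
# Example code, not part of the original post or of the FIM product.
param(
    [Parameter(Mandatory = $true)] [string] $MaAccount,   # assumed placeholder, e.g. "DOMAIN\svc-fimcm-ma"
    [Parameter(Mandatory = $true)] [string] $ConnectTo,   # e.g. "http://server/certificatemanagement"
    [Parameter(Mandatory = $true)] [string] $AuthType     # "Negotiate" or "NTLM"
)

$problems = @()

# Item 1: the MA account must be written as DOMAIN\User (no UPN, no bare username).
$sid = $null
if ($MaAccount -notmatch '^[^\\@\s]+\\[^\\@\s]+$') {
    $problems += "Account '$MaAccount' is not in DOMAIN\User form."
} else {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($MaAccount)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch {
        $problems += "Account '$MaAccount' could not be resolved to a SID: $($_.Exception.Message)"
    }
}

# Item 2: ConnectTo must be an absolute http(s) URL that points at the CM portal.
$uri = $null
if (-not [System.Uri]::TryCreate($ConnectTo, [System.UriKind]::Absolute, [ref] $uri)) {
    $problems += "ConnectTo '$ConnectTo' is not an absolute URL."
} elseif (@('http', 'https') -notcontains $uri.Scheme) {
    $problems += "ConnectTo '$ConnectTo' must use http or https."
} elseif ($uri.AbsolutePath.TrimEnd('/') -notlike '*/certificatemanagement') {
    $problems += "ConnectTo '$ConnectTo' does not end in /certificatemanagement."
}

# Item 5: authType accepts exactly two values.
if (@('Negotiate', 'NTLM') -cnotcontains $AuthType) {
    $problems += "authType '$AuthType' must be 'Negotiate' or 'NTLM'."
}

# Item 3: the MA account needs access to every profile template. They are read from the
# configuration partition at the path the Sites and Services snap-in displays.
if ($sid) {
    $configNc  = ([ADSI] 'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI] "LDAP://CN=Profile Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($template in $container.Children) {
        $rules  = $template.ObjectSecurity.GetAccessRules($true, $true,
                      [System.Security.Principal.SecurityIdentifier])
        $direct = @($rules | Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
        })
        if ($direct.Count -eq 0) {
            # Access granted through a group will not show up here; treat this as a prompt to check.
            $problems += "Profile template '$($template.Name)' has no direct Allow/ReadProperty ACE for $MaAccount."
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'CM MA pre-flight: all checks passed.'
} else {
    Write-Host "CM MA pre-flight: $($problems.Count) problem(s) found:"
    $problems | ForEach-Object { Write-Host "  - $_" }
}
```

The template check deliberately looks only for an ACE granted directly to the account's SID, so a grant inherited via group membership is reported as missing; that is the cheaper and more conservative check, and a reported template is a prompt to look at the ACL in the snap-in rather than proof of a problem.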

BPOS management through ILM / FIM

July 14th, 2010 Almero Comments off

For those countries lucky enough to have wide-scale Microsoft BPOS infrastructure (not like South Africa), Carol, one of our Identity Management MVPs, has done very good work on using ILM / FIM to issue BPOS commands. There are certain things that are possible with connectors like the Outlook Sync MA, which works against the same types of mechanism, but the BPOS offering is much wider, so if you want to issue custom commands check out her post at http://www.wapshere.com/missmiis/provisioning-bpos-powershell-commands-as-cs-objects.

Nice one Carol.

Categories: FIM 2010 Tags:

Setting DCOM permission for FIM Self-Service Password Reset

July 14th, 2010 Almero Comments off

For any of you that have configured FIM Self-Service Password Reset, you will know that you need to get the DCOM permissions and service accounts just right. Brad Turner, another long-time MVP, Karl Mitschke and a few helpers have created a PowerShell script to assist.

Check out the article on TechNet or Brad’s Blog or Karl’s Post.

PARAM(
    [string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"),
    $Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')"))

# USAGE:
#
# .\Set-FIM-DCOM.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>',…)
#
# EXAMPLE:
# .\Set-FIM-DCOM.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
#
# Inspired by Karl Mitschke’s post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Write-Host "Set-FIM-DCOM – Updates DCOM Permissions for FIM Password Reset"
Write-Host "`tWritten by Brad Turner (bturner@ensynch.com)"
Write-Host "`tBlog: http://www.identitychaos.com"

function get-sid
{
PARAM ($DSIdentity)
$ID = new-object System.Security.Principal.NTAccount($DSIdentity)
return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid $Principal

#MachineLaunchRestriction – Local Launch, Remote Launch, Local Activation, Remote Activation
$DCOMSDDLMachineLaunchRestriction = "A;;CCDCLCSWRP;;;$sid"

#MachineAccessRestriction – Local Access, Remote Access
$DCOMSDDLMachineAccessRestriction = "A;;CCDCLC;;;$sid"

#DefaultLaunchPermission – Local Launch, Remote Launch, Local Activation, Remote Activation
$DCOMSDDLDefaultLaunchPermission = "A;;CCDCLCSWRP;;;$sid"

#DefaultAccessPermision – Local Access, Remote Access
$DCOMSDDLDefaultAccessPermision = "A;;CCDCLC;;;$sid"

#PartialMatch
$DCOMSDDLPartialMatch = "A;;\w+;;;$sid"

foreach ($strcomputer in $computers)
{
write-host "`nWorking on $strcomputer with principal $Principal ($sid):"
# Get the respective binary values of the DCOM registry entries
$Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
$DCOMMachineLaunchRestriction = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
$DCOMMachineAccessRestriction = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineAccessRestriction").uValue
$DCOMDefaultLaunchPermission = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","DefaultLaunchPermission").uValue
$DCOMDefaultAccessPermission = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","DefaultAccessPermission").uValue

# Convert the current permissions to SDDL
write-host "`tConverting current permissions to SDDL format…"
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
$CurrentDCOMSDDLMachineLaunchRestriction = $converter.BinarySDToSDDL($DCOMMachineLaunchRestriction)
$CurrentDCOMSDDLMachineAccessRestriction = $converter.BinarySDToSDDL($DCOMMachineAccessRestriction)
$CurrentDCOMSDDLDefaultLaunchPermission = $converter.BinarySDToSDDL($DCOMDefaultLaunchPermission)
$CurrentDCOMSDDLDefaultAccessPermission = $converter.BinarySDToSDDL($DCOMDefaultAccessPermission)

# Build the new permissions
write-host "`tBuilding the new permissions…"
if (($CurrentDCOMSDDLMachineLaunchRestriction.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLMachineLaunchRestriction.SDDL -notmatch $DCOMSDDLMachineLaunchRestriction))
{
   # An ACE for this SID exists with different rights: rewrite it in place
   $NewDCOMSDDLMachineLaunchRestriction = $CurrentDCOMSDDLMachineLaunchRestriction.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLMachineLaunchRestriction
}
else
{
   # No ACE for this SID yet (or it already matches): append the desired ACE
   $NewDCOMSDDLMachineLaunchRestriction = $CurrentDCOMSDDLMachineLaunchRestriction.SDDL + "(" + $DCOMSDDLMachineLaunchRestriction + ")"
}
if (($CurrentDCOMSDDLMachineAccessRestriction.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLMachineAccessRestriction.SDDL -notmatch $DCOMSDDLMachineAccessRestriction))
{
   # Replacement must use the access ACE, not the launch ACE (a copy/paste slip in the original)
   $NewDCOMSDDLMachineAccessRestriction = $CurrentDCOMSDDLMachineAccessRestriction.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLMachineAccessRestriction
}
else
{
   $NewDCOMSDDLMachineAccessRestriction = $CurrentDCOMSDDLMachineAccessRestriction.SDDL + "(" + $DCOMSDDLMachineAccessRestriction + ")"
}

if (($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -notmatch $DCOMSDDLDefaultLaunchPermission))
{
   $NewDCOMSDDLDefaultLaunchPermission = $CurrentDCOMSDDLDefaultLaunchPermission.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLDefaultLaunchPermission
}
else
{
   $NewDCOMSDDLDefaultLaunchPermission = $CurrentDCOMSDDLDefaultLaunchPermission.SDDL + "(" + $DCOMSDDLDefaultLaunchPermission + ")"
}

if (($CurrentDCOMSDDLDefaultAccessPermission.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLDefaultAccessPermission.SDDL -notmatch $DCOMSDDLDefaultAccessPermision))
{
   $NewDCOMSDDLDefaultAccessPermission = $CurrentDCOMSDDLDefaultAccessPermission.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLDefaultAccessPermision
}
else
{
   $NewDCOMSDDLDefaultAccessPermission = $CurrentDCOMSDDLDefaultAccessPermission.SDDL + "(" + $DCOMSDDLDefaultAccessPermision + ")"
}

# Convert SDDL back to Binary
write-host "`tConverting SDDL back into binary form…"
$DCOMbinarySDMachineLaunchRestriction = $converter.SDDLToBinarySD($NewDCOMSDDLMachineLaunchRestriction)
$DCOMconvertedPermissionsMachineLaunchRestriction = ,$DCOMbinarySDMachineLaunchRestriction.BinarySD

$DCOMbinarySDMachineAccessRestriction = $converter.SDDLToBinarySD($NewDCOMSDDLMachineAccessRestriction)
$DCOMconvertedPermissionsMachineAccessRestriction = ,$DCOMbinarySDMachineAccessRestriction.BinarySD

$DCOMbinarySDDefaultLaunchPermission = $converter.SDDLToBinarySD($NewDCOMSDDLDefaultLaunchPermission)
$DCOMconvertedPermissionDefaultLaunchPermission = ,$DCOMbinarySDDefaultLaunchPermission.BinarySD

$DCOMbinarySDDefaultAccessPermission = $converter.SDDLToBinarySD($NewDCOMSDDLDefaultAccessPermission)
$DCOMconvertedPermissionsDefaultAccessPermission = ,$DCOMbinarySDDefaultAccessPermission.BinarySD

# Apply the changes
write-host "`tApplying changes…"
if ($CurrentDCOMSDDLMachineLaunchRestriction.SDDL -match $DCOMSDDLMachineLaunchRestriction)
{
   write-host "`t`tCurrent MachineLaunchRestriction matches desired value."
}
else
{
   $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySDMachineLaunchRestriction.binarySD)
   # SetBinaryValue returns 0 on success; "=" would be an assignment, so compare with -eq
   if($result.ReturnValue -eq 0){write-host "  Applied MachineLaunchRestriction complete."}
   else {write-host "  Failed to apply MachineLaunchRestriction (return value $($result.ReturnValue))."}
}

if ($CurrentDCOMSDDLMachineAccessRestriction.SDDL -match $DCOMSDDLMachineAccessRestriction)
{
   write-host "`t`tCurrent MachineAccessRestriction matches desired value."
}
else
{
   $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineAccessRestriction", $DCOMbinarySDMachineAccessRestriction.binarySD)
   if($result.ReturnValue -eq 0){write-host "  Applied MachineAccessRestriction complete."}
   else {write-host "  Failed to apply MachineAccessRestriction (return value $($result.ReturnValue))."}
}

if ($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -match $DCOMSDDLDefaultLaunchPermission)
{
   write-host "`t`tCurrent DefaultLaunchPermission matches desired value."
}
else
{
   $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","DefaultLaunchPermission", $DCOMbinarySDDefaultLaunchPermission.binarySD)
   if($result.ReturnValue -eq 0){write-host "  Applied DefaultLaunchPermission complete."}
   else {write-host "  Failed to apply DefaultLaunchPermission (return value $($result.ReturnValue))."}
}

if ($CurrentDCOMSDDLDefaultAccessPermission.SDDL -match $DCOMSDDLDefaultAccessPermision)
{
   write-host "`t`tCurrent DefaultAccessPermission matches desired value."
}
else
{
   $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","DefaultAccessPermission", $DCOMbinarySDDefaultAccessPermission.binarySD)
   if($result.ReturnValue -eq 0){write-host "  Applied DefaultAccessPermission complete."}
   else {write-host "  Failed to apply DefaultAccessPermission (return value $($result.ReturnValue))."}
}
}
#———————————————————————————————————-
trap
{
$exMessage = $_.Exception.Message
if($exMessage.StartsWith("L:"))
{write-host "`n" $exMessage.substring(2) "`n" -foregroundcolor white -backgroundcolor darkblue}
else {write-host "`nError: " $exMessage "`n" -foregroundcolor white -backgroundcolor darkred}
Exit
}
#———————————————————————————————————-
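As an added companion to the script above (example code, not part of Brad's script or of FIM), the audit below reads the same four DCOM registry values on the local node and reports, without changing anything, which ACE the principal holds in each descriptor and whether it carries the rights the script would set. Running it before and after Set-FIM-DCOM.ps1 gives a record of what changed, and running it periodically catches drift. It assumes it runs on the node itself rather than over remote WMI, and it interprets the two-letter SDDL rights codes with the standard DCOM bit mapping (CC=1, DC=2, LC=4, SW=8, RP=16), which is consistent with the comments in the script above.

```powershell
# Added read-only audit of the DCOM permissions that Set-FIM-DCOM.ps1 writes.
# Example code, not part of the original script or of FIM; runs on the local machine.
param(
    [Parameter(Mandatory = $true)] [string] $Principal   # e.g. "DOMAIN\FIM PasswordSet"
)

$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# The same SDDL codes mean different things in launch and access descriptors
# (assumed standard DCOM bit mapping: CC=1, DC=2, LC=4, SW=8, RP=16).
$launchRights = @{ CC = 'Execute'; DC = 'LocalLaunch'; LC = 'RemoteLaunch'; SW = 'LocalActivation'; RP = 'RemoteActivation' }
$accessRights = @{ CC = 'Execute'; DC = 'LocalAccess'; LC = 'RemoteAccess' }

# The four values the script writes, and the codes its ACE strings expect in each.
$targets = @(
    @{ Name = 'MachineLaunchRestriction'; Map = $launchRights; Required = @('CC','DC','LC','SW','RP') },
    @{ Name = 'MachineAccessRestriction'; Map = $accessRights; Required = @('CC','DC','LC') },
    @{ Name = 'DefaultLaunchPermission';  Map = $launchRights; Required = @('CC','DC','LC','SW','RP') },
    @{ Name = 'DefaultAccessPermission';  Map = $accessRights; Required = @('CC','DC','LC') }
)

# Split an SDDL string into ACEs of the form (type;flags;rights;objguid;inheritguid;sid).
function Get-SddlAces([string] $Sddl) {
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -ge 6) {
            New-Object PSObject -Property @{ Type = $f[0]; Rights = $f[2]; Sid = $f[5] }
        }
    }
}

$helper = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
$ole    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

foreach ($t in $targets) {
    $bytes = $ole.($t.Name)
    if (-not $bytes) {
        Write-Host ("{0,-26} value not set (built-in DCOM defaults apply)" -f $t.Name)
        continue
    }
    # Same binary-to-SDDL conversion the script uses, but nothing is written back
    $sddl = $helper.BinarySDToSDDL([byte[]] $bytes).SDDL
    $aces = @(Get-SddlAces $sddl | Where-Object { $_.Sid -eq $sid })
    if ($aces.Count -eq 0) {
        Write-Host ("{0,-26} no ACE for {1}" -f $t.Name, $Principal)
        continue
    }
    foreach ($ace in $aces) {
        # The rights field is a run of two-letter codes; decode the ones we know
        $codes   = @([regex]::Matches($ace.Rights, '..') | ForEach-Object { $_.Value })
        $names   = $codes | ForEach-Object { if ($t.Map.ContainsKey($_)) { $t.Map[$_] } else { "?$_" } }
        $missing = @($t.Required | Where-Object { $codes -notcontains $_ })
        $verdict = 'ok'
        if ($ace.Type -ne 'A') { $verdict = 'DENY ace present' }
        elseif ($missing.Count -gt 0) { $verdict = 'missing ' + ($missing -join ',') }
        Write-Host ("{0,-26} {1} [{2}] -> {3}" -f $t.Name, $ace.Type, ($names -join ','), $verdict)
    }
}
```

An absent value is reported rather than treated as an error, because a node that has never had these keys set is running on the built-in DCOM defaults, which is a different state from one where the principal's ACE was removed; both are worth distinguishing when reconciling a password reset node against its expected configuration.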

Categories: FIM 2010 Tags: ,

FIM 2010 Update Installation Error (KB978864)

July 4th, 2010 Almero Comments off

I have been having trouble getting Update 1 for FIM 2010 installed on a development environment over the past weekend. I kept on getting a rollback error when trying to install the Portal update. After turning on MSI error logging and going through various actions I found a workaround this morning and thought I would share it in case anyone else comes across the problem.

The Portal update kept on giving me a generic Windows Update error as listed below.

Installation Failure: Windows failed to install the following update with error 0x80070643: Forefront Identity Manager 2010 Service and Portal Update (KB978864).

After turning on MSI Installer logging I found the following errors – but could not do anything to resolve them.

MSI (s) (80:48) [23:07:41:731]: Final Patch Application Order:
MSI (s) (80:48) [23:07:41:731]: {824DC559-9C52-4A2E-B1C9-6AF6931DD582} – C:\Users\ADMINI~1\AppData\Local\Temp\2\IXP000.TMP\FIMService_KB978864.msp
DEBUG: Error 2746:  Transform VL.1 invalid for package C:\Windows\Installer\259751.msi. Expected product {ECEE9162-0670-46A8-A39F-2DBE5384538E}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: VL.1 3: C:\Windows\Installer\259751.msi 4: {ECEE9162-0670-46A8-A39F-2DBE5384538E} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform EVAL.2 invalid for package C:\Windows\Installer\259751.msi. Expected product {2AF4AEAF-C1EA-4670-8BA4-9FB0C74F02AE}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: EVAL.2 3: C:\Windows\Installer\259751.msi 4: {2AF4AEAF-C1EA-4670-8BA4-9FB0C74F02AE} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform ISVR.3 invalid for package C:\Windows\Installer\259751.msi. Expected product {4E992D60-BD0B-4F9C-93D7-246675023E72}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: ISVR.3 3: C:\Windows\Installer\259751.msi 4: {4E992D60-BD0B-4F9C-93D7-246675023E72} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform NFR.5 invalid for package C:\Windows\Installer\259751.msi. Expected product {322CD829-6D7C-45B1-B92F-CF9CFBDF26CA}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: NFR.5 3: C:\Windows\Installer\259751.msi 4: {322CD829-6D7C-45B1-B92F-CF9CFBDF26CA} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform SPLA.6 invalid for package C:\Windows\Installer\259751.msi. Expected product {49966941-CA40-40F0-8159-248FB7E5C3F7}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: SPLA.6 3: C:\Windows\Installer\259751.msi 4: {49966941-CA40-40F0-8159-248FB7E5C3F7} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}

DEBUG: Error 2769:  Custom Action ValidateSyncAccount did not close 1 MSIHANDLEs.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: ValidateSyncAccount, 1,

Eventually, after trying a lot of things, I reran the FIM Portal setup and completed a repair. After the repair completed successfully the patch installed perfectly. Not sure what was wrong – but I thought I would save someone else a bit of trouble.
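To make a log like the excerpt above quicker to read next time, here is an added triage helper (example code, not part of this post and not a Microsoft tool). It extracts every Error 2746 line from a verbose MSI log, lists the product code each transform in the patch expected against the product code the cached MSI actually carries, and then compares that code with the FIM product codes registered under the Uninstall key. The sample lines embedded in the script are copied from the excerpt above; the -LogPath parameter is an assumption of this example.

```powershell
# Added triage helper for MSI "Error 2746" transform mismatches.
# Example code, not part of the original post or of the FIM installer.
param([string] $LogPath)   # path to a verbose MSI log; omit to run against the sample lines

# Sample lines copied from the log excerpt in the post (used when -LogPath is not given)
$sampleText = @'
MSI (s) (80:48) [23:07:41:731]: Final Patch Application Order:
DEBUG: Error 2746:  Transform VL.1 invalid for package C:\Windows\Installer\259751.msi. Expected product {ECEE9162-0670-46A8-A39F-2DBE5384538E}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
DEBUG: Error 2746:  Transform EVAL.2 invalid for package C:\Windows\Installer\259751.msi. Expected product {2AF4AEAF-C1EA-4670-8BA4-9FB0C74F02AE}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
DEBUG: Error 2746:  Transform ISVR.3 invalid for package C:\Windows\Installer\259751.msi. Expected product {4E992D60-BD0B-4F9C-93D7-246675023E72}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
'@
$sample = $sampleText -split "`r?`n"

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample }

# One regex for the 2746 line shape: transform name, cached package, expected vs found product code
$pattern = 'Error 2746:\s+Transform (?<transform>\S+) invalid for package (?<package>\S+)\. ' +
           'Expected product (?<expected>\{[0-9A-Fa-f-]+\}), found product (?<found>\{[0-9A-Fa-f-]+\})'

$mismatches = @(foreach ($line in $lines) {
    if ($line -match $pattern) {
        New-Object PSObject -Property @{
            Transform = $Matches['transform']
            Package   = $Matches['package']
            Expected  = $Matches['expected']
            Found     = $Matches['found']
        }
    }
})

if ($mismatches.Count -eq 0) { Write-Host 'No Error 2746 transform mismatches in the log.'; return }

# Each transform in the patch targets one product code (one per SKU); "found" is the product
# code the cached MSI really has. If no transform expected that code, the patch cannot apply.
$packages = @($mismatches | ForEach-Object { $_.Package } | Select-Object -Unique)
$found    = @($mismatches | ForEach-Object { $_.Found }   | Select-Object -Unique)
Write-Host "Cached package(s)        : $($packages -join ', ')"
Write-Host "Product code(s) found    : $($found -join ', ')"
Write-Host "Transforms that rejected : $(@($mismatches | ForEach-Object { $_.Transform }) -join ', ')"
$mismatches | Format-Table Transform, Expected, Found -AutoSize | Out-String | Write-Host

# Cross-check against what Windows has registered for FIM. The post does not say why the
# repair helped; this only shows whether the registration and the cached MSI agree.
$registered = @(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Forefront Identity Manager*' })
foreach ($r in $registered) { Write-Host ("Registered: {0}  {1}" -f $r.PSChildName, $r.DisplayName) }
$registeredCodes = @($registered | ForEach-Object { $_.PSChildName })
foreach ($code in $found) {
    if ($registeredCodes -notcontains $code) {
        Write-Host "Product code $code from the log is not a registered FIM product on this machine."
    }
}
```

The useful signal is that every 2746 line names the same "found" product code: the installer is not confused about which MSI it cached, it simply has no transform for that product code, so the comparison with the registered product codes tells you whether the cached package and the product registration have drifted apart.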

Categories: FIM 2010 Tags: ,

FIM 2010 Current Resources

March 29th, 2010 Almero Comments off

In the ILM days updates on information regarding the product were few and far between. With the release of FIM 2010 (Forefront Identity Manager 2010) Microsoft has taken steps to fix that previous oversight.

Keeping tabs on all of this can however be a challenge. Kudos to Peter Geelen for adding this to the TechNet Wiki. It provides a comprehensive list of available resources.

http://social.technet.microsoft.com/wiki/contents/articles/current-forefront-identity-manager-resources.aspx

Categories: FIM 2010 Tags:

Forefront Identity Manager 2010 is RTM

March 7th, 2010 Almero Comments off

Forefront Identity Manager 2010 has been released.

Check out this link for an evaluation download.

Categories: FIM 2010 Tags:

Forefront Identity Manager RC1 Update 3

February 1st, 2010 Almero Comments off

FIM 2010 RC1 Update 3 has been released.

The RC1 Update 3 release of Forefront Identity Manager 2010 (FIM) is available today here on Connect. This is the final pre-release of the product before RTM.

Categories: FIM 2010 Tags:

Forefront Identity Manager RC1 Released

October 1st, 2009 Almero Comments off

FIM RC1 has been released… Download it here.

This download contains the Microsoft® Forefront™ Identity Manager (FIM) 2010 RC1 client and server components, Group Policy templates and language packages.
FIM 2010 offers a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments. Users can create their own security and email distribution groups and decide who to include in those groups. They can reset their passwords without calling their help desk. IT Pros can use FIM to manage certificates and smart cards. FIM embeds self-help tools in Outlook so users can manage routine aspects of identity and access. FIM also gives IT professionals rich administrative tools and enhanced automation, and delivers .NET and Web Services–based extensibility for developers.

Categories: FIM 2010, ILM "2" Tags: ,