Archive

Posts Tagged ‘FIM 2010’

FIM 2010 Provisioning – RoleAssignmentPolicy Error

May 22nd, 2012 6 comments

While looking into a strange error with Exchange 2010 provisioning this week I learned something again. When trying to export a new user to Active Directory with Exchange 2010 mailbox provisioning, I received the following error message.

The description for Event ID 0 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=SMokgele,OU=Users,OU=Windmill,OU=SIML Business Units,DC=corp,DC=simlds,DC=com.
Type: Microsoft.MetadirectoryServices.ExtensionException
Message:
**** ERROR ****
Property RoleAssignmentPolicy can’t be set on this object because it requires the object to have version 0.10 (14.0.100.0) or later. The object’s current version is 0.0 (6.5.6500.0).
**** END ERROR ****
Stack Trace:    at Exch2010Extension.Exch2010ExtensionClass.AfterExportEntryToCd(Byte[] origAnchor, String origDN, String origDeltaEntryXml, Byte[] newAnchor, String newDN, String failedDeltaEntryXml, String errorMessage) the message resource is present but the message is not found in the string/message table
Looking into the sync rules declared in the solution, I found that the msExchServerName attribute being applied was set to the distinguished name of the Exchange server rather than the server's legacyExchangeDN value.
Incorrect value: CN=ExchServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN= Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=simlds,DC=com
Correct value: /o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ExchServer
Simple fix for a strange error.
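As an added example (not part of the original post), the following PowerShell checks a value destined for msExchServerName and, when a server DN was supplied by mistake, reads the legacyExchangeDN that the Exchange 2010 extension expects from the server object itself. The DN is the one quoted above with its spacing normalised; it assumes a domain-joined host with read access to the configuration partition.

```powershell
# Added example, not from the original post. Validates a msExchServerName value
# and resolves a server DN to the legacyExchangeDN the sync rule should flow.

function Test-MsExchServerName {
    param([Parameter(Mandatory=$true)][string]$Value)
    # Server legacyExchangeDN form, as in the post:
    # /o=<org>/ou=<administrative group>/cn=Configuration/cn=Servers/cn=<server>
    if ($Value -match '^/o=[^/]+/ou=[^/]+/cn=Configuration/cn=Servers/cn=[^/]+$') {
        return $true
    }
    if ($Value -match '^CN=') {
        Write-Warning "'$Value' is a distinguishedName; the Exchange 2010 extension needs the server's legacyExchangeDN."
    }
    return $false
}

function Get-ExchangeServerLegacyDN {
    # Reads legacyExchangeDN from the Exchange server object in the configuration
    # partition. Needs a domain-joined host with read access to that partition.
    param([Parameter(Mandatory=$true)][string]$ServerDN)
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ServerDN")) {
        throw "Server object not found: $ServerDN"
    }
    $server = [ADSI]"LDAP://$ServerDN"
    $legacy = [string]$server.psbase.Properties['legacyExchangeDN'].Value
    if (-not $legacy) { throw "No legacyExchangeDN on $ServerDN; is this an Exchange server object?" }
    return $legacy
}

# The incorrect value from the post (a DN). Spacing normalised; 'Company' is the
# post's placeholder organisation name, not a real one.
$wrong = 'CN=ExchServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),' +
         'CN=Administrative Groups,CN=Company,CN=Microsoft Exchange,CN=Services,' +
         'CN=Configuration,DC=corp,DC=simlds,DC=com'

if (-not (Test-MsExchServerName $wrong)) {
    # Warns that a DN was supplied, then looks up the value that should be used.
    $fixed = Get-ExchangeServerLegacyDN $wrong
    Write-Host "Use this for msExchServerName: $fixed"
    Test-MsExchServerName $fixed
}
```

Running the check against the sync rule's constant or source attribute before the first export catches the mistake at configuration time rather than as an opaque version error in the event log.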

 

Categories: FIM 2010

Microsoft Identity Management, BHold and Omada

October 5th, 2011 3 comments

The past few weeks have seen a lot of hustle and bustle in the industry with the Microsoft "certain asset" acquisition of BHold. Although the move to expand the offering of the Microsoft platform is a positive one in my mind, it has left a lot of people confused and raised many questions. I have been working with a customer on a long term identity management strategy and this announcement has cast quite a bit of uncertainty over the process (in terms of cost, development effort in a specific direction and ultimately platform choice).

I do not think that the acquiring of platform enhancements is a bad idea – I welcome it – but at present there is no roadmap and clear strategy for the integration of these features into the platform (not that we know what these features are yet). At the same time there is the FIM 2010 R2 release that is currently in the pipeline. In this release we see some welcome features, including the addition of FIM 2010 reporting (which is crucial). My concern is how this direction architecturally will align with possible acquired portions from BHold.

For now at least, based on my discussions, there are no clear answers to most of these questions. It is clear that at present the BHold components are not available for sale from either Microsoft or BHold and that these – in my opinion – will not be available in the FIM 2010 R2 timeframe. (The features within this release cannot be held back to try to accommodate the integration of BHold components).

Read more…

Categories: FIM 2010, Omada

Omada Workflow Builder–Brand New !!

October 4th, 2011 1 comment

Yesterday saw the release of Omada's brand new component for business process management within the Microsoft FIM 2010 platform. See the official press release here.

For my view on the current Microsoft / Omada / BHold discussion see the following posts:

The exciting news for this post however is the brand new workflow builder, aptly called Omada Workflow Builder for FIM 2010. Something that has impressed me a lot over the last few releases from Omada is the level of integration they seek, with the seamless adding of their modules into the FIM 2010 portal. This has always been one of my biggest comments/complaints to all the ISV vendors of FIM components. The last few releases have started to address this concern of mine – and the new workflow builder looks right on the money.

Subsequent to the announcement I had the privilege to get an inside look at some of the new features and they seem straightforward (at least from the surface – I have not been able to play with these myself). Again the obvious plus point was the integration into the FIM 2010 portal. Until I have developed business processes in this tool I will reserve comment – but I have included some very nice looking screenshots.

Read more…

Categories: FIM 2010, Omada

FIM 2010 CM: Management Agent Configuration

July 23rd, 2010 Comments off

If you are in the process of setting up FIM 2010 Certificate Management or CLM 2007, there are several important tasks that need to be completed before imports from your Certificate Management MA will work.

  1. Ensure the username and password in the management agent are properly formatted. The username should be specified as DOMAIN\User.
  2. The ConnectTo variable should be set to the URL of the CM portal (http://server/certificatemanagement).
  3. Ensure that the account used by the CM Management Agent has access to all the profile templates within the organisation. These can be checked under "Active Directory Sites and Services – Services – Public Key Services – Profile Templates". If you cannot see the Services node, select "Show Services Node" under the View menu.
  4. Verify that you have configured the CM web.config to allow the CM Management Agent to access the service. To do this, add the statement below to the CM web.config.
  5. Choose the correct authentication method under the management agent's additional properties (set 'authType' to either 'Negotiate' or 'NTLM').
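As an added example (not from the original post), the PowerShell below turns items 1, 2, 3 and 5 into pre-flight checks you can run on a domain-joined host before the first import: it validates the username format, the ConnectTo URL and the authType value, then enumerates the profile templates under CN=Profile Templates,CN=Public Key Services,CN=Services in the configuration partition and flags any that carry no explicit Allow ACE for the MA account. The account name, portal URL and authType are assumed placeholder values; the web.config statement (item 4) is not checked because it is not shown here.

```powershell
# Added example, not from the original post: pre-flight checks for the FIM CM
# management agent settings. The three parameter defaults are assumptions.
param(
    [string]$MAUser    = 'CORP\svc-fimcm-ma',                     # assumed MA account
    [string]$ConnectTo = 'http://fimcm01/certificatemanagement',  # assumed CM portal URL
    [string]$AuthType  = 'Negotiate'                              # assumed authType
)

$problems = @()

# 1. Username must be DOMAIN\User: not a UPN and not a bare sAMAccountName.
if ($MAUser -notmatch '^[^\\@\s]+\\[^\\@\s]+$') {
    $problems += "Username '$MAUser' is not in DOMAIN\User form."
}

# 2. ConnectTo must be an absolute http(s) URL for the certificatemanagement virtual directory.
$uri = $null
$isUri = [Uri]::TryCreate($ConnectTo, [UriKind]::Absolute, [ref]$uri)
if (-not $isUri -or ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') -or
    $uri.AbsolutePath.TrimEnd('/') -notmatch '/certificatemanagement$') {
    $problems += "ConnectTo '$ConnectTo' does not look like http(s)://server/certificatemanagement."
}

# 5. authType must be one of the two values the MA accepts.
if (@('Negotiate', 'NTLM') -notcontains $AuthType) {
    $problems += "authType '$AuthType' must be 'Negotiate' or 'NTLM'."
}

# 3. Profile templates live in the configuration partition. The caller only needs
#    read access to that partition to list them and read their security descriptors.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$path      = "LDAP://CN=Profile Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Profile Templates container not found: $path"
}
$container = [ADSI]$path
$maSid     = (New-Object System.Security.Principal.NTAccount($MAUser)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value

foreach ($template in $container.psbase.Children) {
    $name  = [string]$template.psbase.Properties['cn'].Value
    $rules = $template.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    # Explicit or inherited Allow ACEs for the MA account's SID only; a grant made
    # through a group is not detected here and must be checked in Sites and Services.
    $grants = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $maSid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    })
    if ($grants.Count -gt 0) {
        $rights = ($grants | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join '; '
        Write-Host "OK       $name  [$rights]"
    } else {
        $problems += "Profile template '$name' has no Allow ACE for $MAUser."
    }
}

if ($problems.Count -eq 0) { Write-Host 'All checks passed.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Printing the rights each template grants, rather than testing for one specific right, lets you compare the ACEs against what the CM documentation requires for the MA account without the script having to encode that list.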

Read more…

BPOS management through ILM / FIM

July 14th, 2010 Comments off

For those countries lucky enough to have wide scale Microsoft BPOS infrastructure (not like South Africa) Carol, one of our Identity Management MVP’s, has done very good work on using ILM / FIM to issue BPOS commands. There are certain things that are possible with connectors like the Outlook Sync MA which works against the same types of mechanism, but the BPOS offering is much wider, so if you wanted to issue custom commands check out her post at http://www.wapshere.com/missmiis/provisioning-bpos-powershell-commands-as-cs-objects.

Nice one Carol.

Categories: FIM 2010

Setting DCOM permission for FIM Self-Service Password Reset

July 14th, 2010 Comments off

For any of you who have configured FIM Self-Service Password Reset, you will know that you need to get the DCOM permissions and service accounts just right. Brad Turner, another long-time MVP, Karl Mitschke and a few helpers have created a PowerShell script to assist. Be aware of what it changes: it raises the machine-wide DCOM limits and adds the principal to the default launch and access permissions under HKLM\SOFTWARE\Microsoft\Ole, which affects every DCOM server on those computers, not just the FIM Synchronization Service. Pass a dedicated group that contains only the FIM Service account as -Principal, and run it under an account with local administrator rights on each target, since it writes the registry remotely over WMI.

Check out the article on TechNet or Brad’s Blog or Karl’s Post.

PARAM(
    [string]$Principal = $(throw "`nMissing -Principal DOMAIN\FIM PasswordSet"),
    $Computers = $(throw "`nMissing -Computers ('fimnode01','fimnode02')"))

# USAGE:
#
# .\Set-FIM-DCOM.ps1 -Principal "DOMAIN\<group or username>" -Computers ('<server1>', '<server2>',...)
#
# EXAMPLE:
# .\Set-FIM-DCOM.ps1 -Principal "DOMAIN\FIM PasswordSet" -Computers ('fimsyncprimary', 'fimsyncstandby')
#
# Inspired by Karl Mitschke's post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/
#
# Writes HKLM\SOFTWARE\Microsoft\Ole on each target over WMI (StdRegProv), so it
# must run under an account with local administrator rights on those computers.

Write-Host "Set-FIM-DCOM - Updates DCOM Permissions for FIM Password Reset"
Write-Host "`tWritten by Brad Turner (bturner@ensynch.com)"
Write-Host "`tBlog: http://www.identitychaos.com"

function get-sid
{
PARAM ($DSIdentity)
$ID = new-object System.Security.Principal.NTAccount($DSIdentity)
return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid $Principal

#MachineLaunchRestriction - Local Launch, Remote Launch, Local Activation, Remote Activation
$DCOMSDDLMachineLaunchRestriction = "A;;CCDCLCSWRP;;;$sid"

#MachineAccessRestriction - Local Access, Remote Access
$DCOMSDDLMachineAccessRestriction = "A;;CCDCLC;;;$sid"

#DefaultLaunchPermission - Local Launch, Remote Launch, Local Activation, Remote Activation
$DCOMSDDLDefaultLaunchPermission = "A;;CCDCLCSWRP;;;$sid"

#DefaultAccessPermission - Local Access, Remote Access
$DCOMSDDLDefaultAccessPermission = "A;;CCDCLC;;;$sid"

#PartialMatch - any existing Allow ACE for this principal, whatever rights it carries
$DCOMSDDLPartialMatch = "A;;\w+;;;" + [regex]::Escape($sid)

$HKLM = 2147483650
$OleKey = "software\microsoft\ole"

# Reads one DCOM security descriptor from the registry, merges the desired ACE into
# its DACL (replacing the principal's existing ACE if there is one, otherwise
# appending a new one) and writes the result back. Returns $true when the value
# already matched or was applied successfully, $false otherwise.
function Update-DcomSD
{
PARAM ($Reg, $Converter, [string]$ValueName, [string]$DesiredAce)

$binary = $Reg.GetBinaryValue($HKLM, $OleKey, $ValueName).uValue
if ($binary -eq $null)
{
   # Value absent: the OS defaults are in force and there is no DACL to merge into.
   # Set it once through Component Services (dcomcnfg) and re-run the script.
   write-host "`t`t$ValueName is not present in the registry; skipping."
   return $false
}

$current = $Converter.BinarySDToSDDL($binary).SDDL
if ($current -match [regex]::Escape($DesiredAce))
{
   write-host "`t`tCurrent $ValueName matches desired value."
   return $true
}

if ($current -match $DCOMSDDLPartialMatch)
{
   # The principal already has an ACE with different rights: replace it in place.
   $new = $current -replace $DCOMSDDLPartialMatch, $DesiredAce
}
else
{
   $new = $current + "(" + $DesiredAce + ")"
}

$newBinary = $Converter.SDDLToBinarySD($new).BinarySD
$result = $Reg.SetBinaryValue($HKLM, $OleKey, $ValueName, $newBinary)
if ($result.ReturnValue -eq 0)
{
   write-host "`t`tApplied $ValueName."
   return $true
}
write-host "`t`tFailed to apply $ValueName (StdRegProv return code $($result.ReturnValue))."
return $false
}

foreach ($strcomputer in $Computers)
{
write-host "`nWorking on $strcomputer with principal $Principal ($sid):"
# StdRegProv on the remote computer reads and writes the binary DCOM security
# descriptors; Win32_SecurityDescriptorHelper (local) converts them to and from SDDL.
$Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper

write-host "`tApplying changes..."
[void](Update-DcomSD $Reg $converter "MachineLaunchRestriction" $DCOMSDDLMachineLaunchRestriction)
[void](Update-DcomSD $Reg $converter "MachineAccessRestriction" $DCOMSDDLMachineAccessRestriction)
[void](Update-DcomSD $Reg $converter "DefaultLaunchPermission" $DCOMSDDLDefaultLaunchPermission)
[void](Update-DcomSD $Reg $converter "DefaultAccessPermission" $DCOMSDDLDefaultAccessPermission)
}
#----------------------------------------------------------------------------------------------------------
trap
{
$exMessage = $_.Exception.Message
if($exMessage.StartsWith("L:"))
{write-host "`n" $exMessage.substring(2) "`n" -foregroundcolor white -backgroundcolor darkblue}
else {write-host "`nError: " $exMessage "`n" -foregroundcolor white -backgroundcolor darkred}
Exit
}
#----------------------------------------------------------------------------------------------------------

Categories: FIM 2010

FIM 2010 Update Installation Error (KB978864)

July 4th, 2010 Comments off

I have been having trouble getting Update 1 for FIM 2010 installed on a development environment over the past weekend. I kept on getting a rollback error when trying to install the Portal update. After turning on MSI error logging and going through various actions I found a workaround this morning and thought I would share in case anyone else came across the problem.

The Portal update kept on giving me a generic Windows Update error as listed below.

Installation Failure: Windows failed to install the following update with error 0x80070643: Forefront Identity Manager 2010 Service and Portal Update (KB978864).

After turning on MSI Installer logging I found the following errors – but could not do anything to resolve them.

MSI (s) (80:48) [23:07:41:731]: Final Patch Application Order:
MSI (s) (80:48) [23:07:41:731]: {824DC559-9C52-4A2E-B1C9-6AF6931DD582} – C:\Users\ADMINI~1\AppData\Local\Temp\2\IXP000.TMP\FIMService_KB978864.msp
DEBUG: Error 2746:  Transform VL.1 invalid for package C:\Windows\Installer\259751.msi. Expected product {ECEE9162-0670-46A8-A39F-2DBE5384538E}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: VL.1 3: C:\Windows\Installer\259751.msi 4: {ECEE9162-0670-46A8-A39F-2DBE5384538E} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform EVAL.2 invalid for package C:\Windows\Installer\259751.msi. Expected product {2AF4AEAF-C1EA-4670-8BA4-9FB0C74F02AE}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: EVAL.2 3: C:\Windows\Installer\259751.msi 4: {2AF4AEAF-C1EA-4670-8BA4-9FB0C74F02AE} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform ISVR.3 invalid for package C:\Windows\Installer\259751.msi. Expected product {4E992D60-BD0B-4F9C-93D7-246675023E72}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: ISVR.3 3: C:\Windows\Installer\259751.msi 4: {4E992D60-BD0B-4F9C-93D7-246675023E72} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform NFR.5 invalid for package C:\Windows\Installer\259751.msi. Expected product {322CD829-6D7C-45B1-B92F-CF9CFBDF26CA}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: NFR.5 3: C:\Windows\Installer\259751.msi 4: {322CD829-6D7C-45B1-B92F-CF9CFBDF26CA} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}
DEBUG: Error 2746:  Transform SPLA.6 invalid for package C:\Windows\Installer\259751.msi. Expected product {49966941-CA40-40F0-8159-248FB7E5C3F7}, found product {64CF0564-BD45-41BF-B5B4-CB866444C008}.
1: 2746 2: SPLA.6 3: C:\Windows\Installer\259751.msi 4: {49966941-CA40-40F0-8159-248FB7E5C3F7} 5: {64CF0564-BD45-41BF-B5B4-CB866444C008}

DEBUG: Error 2769:  Custom Action ValidateSyncAccount did not close 1 MSIHANDLEs.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: ValidateSyncAccount, 1,

Eventually after trying a lot of things – I reran the FIM Portal setup and completed a repair. After the repair completed successfully the patch installed perfectly. Not sure what was wrong – but I thought I would save someone else a bit of trouble.

Categories: FIM 2010

FIM 2010 Current Resources

March 29th, 2010 Comments off

In the ILM days, updates on information regarding the product were few and far between. With the release of FIM 2010 (Forefront Identity Manager 2010) Microsoft has taken steps to fix that previous oversight.

Keeping tabs on all this can however be a challenge. Kudos to Peter Geelen for adding this to the TechNet Wiki. This will provide a comprehensive list of available resources.

http://social.technet.microsoft.com/wiki/contents/articles/current-forefront-identity-manager-resources.aspx

Categories: FIM 2010

Forefront Identity Manager 2010 is RTM

March 7th, 2010 Comments off

Forefront Identity Manager 2010 has been released.

Check out this link for an evaluation download.

Categories: FIM 2010

Forefront Identity Manager RC1 Update 3

February 1st, 2010 Comments off

FIM 2010 RC1 Update 3 has been released.

The RC1 Update 3 release of Forefront Identity Manager 2010 (FIM) is available today here on Connect. This is the final pre-release of the product before RTM.

Categories: FIM 2010