Posts Tagged ‘ILM “2”’

Forefront Identity Manager RC1 Released

October 1st, 2009 Comments off

FIM RC1 has been released… Download it here.

This download contains the Microsoft® Forefront™ Identity Manager (FIM) 2010 RC1 client and server components, Group Policy templates and language packages.
FIM 2010 offers a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments. Users can create their own security and email distribution groups and decide who to include in those groups. They can reset their passwords without calling their help desk. IT Pros can use FIM to manage certificates and smart cards. FIM embeds self-help tools in Outlook so users can manage routine aspects of identity and access. FIM also gives IT professionals rich administrative tools and enhanced automation, and delivers .NET and Web Services–based extensibility for developers.

Categories: FIM 2010, ILM "2" Tags:

TechDays 2009 and DevDays 2009 – South Africa

March 29th, 2009 No comments

The past few weeks saw the running of the annual TechDays and DevDays road shows in Durban, Johannesburg and Cape Town. As part of these conferences a session relating to Microsoft Identity Lifecycle Manager “2” was held to introduce the IT professional audience to the need for identity management.

Following the discussion and demonstrations several attendees requested a copy of the simple PowerPoint deck. As such, feel free to download the deck from my public SkyDrive.

Categories: ILM "2" Tags:

ILM “2” RTM delayed – An interim RC1 expected

March 24th, 2009 No comments

It has been unofficial, but since there has been an announcement at TEC 2009 (Thx Carol), the following can officially / unofficially be confirmed. See Carol’s post below.

Note that there will be an RC1 release later this year, but there will most likely not be any support for this.

I’m at TEC 2009 in Las Vegas at the moment, and it was officially announced by Microsoft today that the release date for ILM 2 is now Q1 2010, as opposed to the previously publicised date of “any day now”. We should be getting an RC1 version in Q3 this year.

I asked if there were any technical reasons for this, hoping to hear of some impressive new development that they figured they couldn’t go to market without – but the answer was no, the features list is set. Why the long delay then? There was something about needing more real-world testing, and the need to develop scenario guidelines (I suppose that means walkthroughs), but that was the only explanation.

There is apparently some way you can get a pre-release license from Microsoft if you’re really determined to go ahead with ILM 2 in production, but I expect most organisations will not accept this, putting ILM 2 well and truly off the cards for 2009.

Categories: ILM "2" Tags:

Get ILM “2” pre-built VHD

March 22nd, 2009 No comments

UPDATE: It appears that Microsoft has removed the link to this download….

I said it before – I’ll say it again… Get the litware demo domain for ILM “2” and play with it.

In order to get a pre-configured Hyper-V-based demo image of ILM “2” RC0, please visit http://www.microsoft.com/downloads/details.aspx?FamilyID=7117B168-E71D-47CC-9739-35F1A68A5E43&DisplayLang=en

This download consists of a Hyper-V based virtual hard disk image that contains a pre-installed demonstration version of Identity Lifecycle Manager "2" (ILM "2"). The image includes all components needed to experience the full integration of ILM "2" with Active Directory, Microsoft Exchange Server 2007 and Microsoft Outlook 2007.
For those who just want to evaluate ILM “2” RC visit
http://www.microsoft.com/downloads/details.aspx?familyid=17489612-95F4-4DD5-A050-5DA4B5D06B86&displaylang=en for a download of around 80Mb. Take note of the following requirements though:

Supported Operating Systems: Windows Server 2008; Windows Vista Service Pack 1; Windows XP Service Pack 3

Server components

- Microsoft Windows Server 2008
- Microsoft SQL Server 2008
- Microsoft SQL Server 2008 hotfix, KB958611
- Microsoft Exchange Server 2007*

Client components

- Microsoft Windows Vista SP1
- Microsoft Windows XP SP3
- Microsoft Office Outlook 2007*


*Required for end-user self-service integrated with Office. Office and Exchange are not required for end-user self-service experiences in the ILM “2” web portal.

Categories: ILM "2" Tags:

Microsoft ILM community support resources

February 3rd, 2009 No comments

At present there are various community forums/newsgroups that you can use to get quality support for ILM 2007 and above. These consist of:

The MMSUG user group was founded in Sept 2000 when support was still given for MMS. The group later adapted to include MIIS and most recently ILM 2007 discussions. This group is loved by many because of its simple email-based communications as well as its large membership (2800+). The one major drawback of this group is the fact that it is hosted on Yahoo Groups; as ILM 2007 is a Microsoft product…. (you figure it out). As a result, no Microsoft product team members post to this forum.

Microsoft did however create its own newsgroup a few years ago as well, but this had some problems too. The most frustrating problem with the old NNTP solution is that content is only kept for a few days (30 if I’m not mistaken). As such Microsoft launched the TechNet forums last year (with MIIS getting its own little spot). Advantages of the new forums include:

  • Simple interface (No clients to configure / install)
  • Microsoft product team interaction
  • Searchable / indexed content (Google, MSN, Yahoo…they all turn up forum stuff in searches)
  • Answer tagging. (To find related content)
  • Persistent content. Information is kept for seven years—not 30 days.
  • Passport authentication. 
  • Visual Studio 2005 integration.
  • RSS feeds

One of the major points counting against the current MIIS TechNet forum is its lack of email integration (which MMSUG has). As such, there are still members of the community that use MMSUG and the MIIS Newsgroup.

(Apart from these points, several people get to these other mechanisms through simple web search engine queries as well.)

It is however the recommendation of Microsoft (and myself) that community members use the MIIS TechNet forums for their support questions. This gives you a way of interacting with skilled MIIS MVPs as well as the product team themselves (who regularly monitor the forum).

Apart from the various community forums there have also been quite a few interesting ILM-related websites (from MVPs of the community). Some of the most interesting ones are listed in my blog roll, but I would like to mention a few of them again:

There are many other sites offering great ILM 2007 related reading. If you’d like to share some of these, drop me a line at almeroATputtyqDOTcom.

Querying the MicrosoftIdentityIntegrationServer database – Revisit

February 3rd, 2009 No comments

Updated: Many organisations and customers often express their requirement to effectively report on information contained within the ILM database (MicrosoftIdentityIntegrationServer). Although I would never recommend that direct database access is used for this, there are some cases in which information must be pulled from the ILM database itself.

However, since ILM assumes that the MIISServer.exe process has exclusive access to the database, locking issues could cause you problems. (ILM will generate exceptions when locking occurs.)

In an effort to overcome this, one solution is to read ‘dirty’ data from the SQL database. In this way you run the risk of not having completely accurate information, but you mitigate your risk of causing locking issues.

The following post is a revisit of my original post regarding the use of the SQL hint ‘WITH NOLOCK’.

In a follow-on post I will try to give an example of how simple reporting could be done (as mentioned below), but for now this will serve as the pre-requisite to querying the MicrosoftIdentityIntegrationServer database.

Original Post:

The SQL hint ‘NOLOCK’:

NOLOCK
Using NOLOCK politely asks SQL Server to ignore locks and read directly from the tables. This means you completely circumvent the lock system, which is a major performance and scalability improvement. However, you also completely circumvent the lock system, which means your code is living dangerously. You might read the not-necessarily-valid uncommitted modifications of a running transaction. This is a calculated risk.

Within the MIIS/ILM database, the NOLOCK hint is not used for performance reasons but rather for safe MIIS/ILM operations. It is recommended that the NOLOCK hint is used so that your queries do not lock any data that MIIS/ILM might need during processing, thus causing MIIS/ILM to fail or generate errors. Keep in mind that ILM assumes that it has total database control.

So where do you use it…

-- @EMPID is a parameter supplied by the calling report or procedure
SELECT object_id
FROM   mms_metaverse WITH (NOLOCK)
WHERE  employeeID = @EMPID

An additional recommendation is that you offset your reporting requirements to an external database. By provisioning all the records within the Metaverse into an external database, most of your reporting requirements can be satisfied without querying the Metaverse directly. This does however have limitations around connector / disconnector reporting.
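
One way to set up the external reporting copy recommended above, as an added example that is not code from the original post: a read-only Windows login limited to SELECT on mms_metaverse, a snapshot that reads with NOLOCK, and a check for the duplicates a dirty read can produce. The names CONTOSO\svc-ilm-report, ILMReporting and mv_snapshot, and the dbo schema, are assumptions.

```sql
-- Added example. CONTOSO\svc-ilm-report, ILMReporting and mv_snapshot are
-- hypothetical names; mms_metaverse is assumed to live in the dbo schema.

-- 1. Reporting account: SELECT on one table only, no db_owner or
--    db_datareader membership in the ILM database.
USE master;
CREATE LOGIN [CONTOSO\svc-ilm-report] FROM WINDOWS;
GO
USE MicrosoftIdentityIntegrationServer;
CREATE USER [CONTOSO\svc-ilm-report] FOR LOGIN [CONTOSO\svc-ilm-report];
GRANT SELECT ON dbo.mms_metaverse TO [CONTOSO\svc-ilm-report];
GO

-- 2. Snapshot job, run as the reporting account (which additionally needs
--    table-create rights in ILMReporting, and nowhere else).
USE ILMReporting;
-- Session-level equivalent of WITH (NOLOCK) on every table read below.
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED;

IF OBJECT_ID('dbo.mv_snapshot', 'U') IS NOT NULL
    DROP TABLE dbo.mv_snapshot;

SELECT mv.object_id,
       mv.employeeID,
       GETUTCDATE() AS captured_utc      -- when the dirty read was taken
INTO   dbo.mv_snapshot
FROM   MicrosoftIdentityIntegrationServer.dbo.mms_metaverse AS mv WITH (NOLOCK);
GO

-- 3. Sanity check: a NOLOCK scan can return a row twice (or skip it) while
--    ILM is moving data, so flag duplicates before anyone reports on them.
SELECT object_id, COUNT(*) AS copies
FROM   dbo.mv_snapshot
GROUP  BY object_id
HAVING COUNT(*) > 1;
```

Report consumers are then granted access to ILMReporting only, so ad hoc queries never open a connection to the ILM database.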

 

Categories: ILM "2", ILM 2007 Tags:

ILM “2” System Requirements

February 1st, 2009 No comments

With the release of ILM “2” imminent, organisations will need to re-evaluate the requirements for the deployment / migration / upgrading of their current ILM 2007 infrastructure to ILM “2”. With this in mind it is interesting to see some of the new requirements for ILM “2”.

Some important aspects to note are the requirements for:

- an x64 operating system
- Windows SharePoint Services
- .NET Framework 3.5

Please take the time to review these requirements (and the official release notes) to mitigate simple installation-related issues.

Required Hardware

The server(s) hosting the ILM “2” server components must meet the following hardware requirements:

- An x64-capable processor
- 2 gigabytes (GB) of available hard disk drive space
- 2 gigabytes (GB) or more of RAM

Required Software

Each server hosting the different ILM “2” server-side components has a different software requirement. Below, you will find the software requirements for each of the ILM “2” server-side components. If you decide to install all of the server-side components on one server, you must install the software requirements for each of the ILM “2” server-side components on that server. There are, however, a whole host of deployment options. Each of the main components:

- ILM Service
- ILM Synchronization Service
- ILM Portal
- ILM Password Portal
- SQL Server 2008 database for the ILM Service
- SQL Server 2008 database for the ILM Synchronization Service

may be installed separately or in combination on individual servers. Additionally, the ILM Service and the ILM Portal can be scaled out to multiple servers. For more information, see Network Load Balancing and SharePoint Server farm architecture.

ILM Synchronization Service Software Requirements

The server hosting the ILM Synchronization Service must have the following prerequisite software installed:

- Windows Server 2008 64-bit Standard or Enterprise Editions.
  Important: When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If you install Terminal Services, the ILM “2” server components do not install.
- SQL Server 2008 64-bit Standard or Enterprise Editions.
- Microsoft Visual Studio 2008
- Windows PowerShell 1.0
- Exchange 2007 SP1 Management Console
  Note: Exchange 2007 SP1 Management Tools is required to fully provision Exchange Server 2007 mailboxes, contacts, and groups that are created by the ILM Synchronization Service. You will receive an extension-dll-exception error if you attempt to synchronize these objects to Active Directory without the Exchange 2007 SP1 Management Console installed. Please also ensure that at least Exchange 2007 SP1 Rollup 4 is installed on the ILM and Exchange server.

ILM Service Software Requirements

The server hosting the ILM Service must have the following software installed:

- Windows Server 2008 64-bit Standard or Enterprise Editions.
- SQL Server 2008 64-bit Standard or Enterprise Editions.
- Web Server (IIS)
  Note: The Web Server (IIS) can be installed from the Server Role interface included with Windows Server 2008. The following options must be installed when you install the Web Server (IIS) role:
  - Common HTTP Features
  - Static Content
  - Default Document
  - Directory Browsing
  - HTTP Errors
  - HTTP Redirection
  - Application Development
  - ASP.NET
  - .NET Extensibility
  - ISAPI Extensions
  - ISAPI Filters
  - Health and Diagnostics
  - HTTP Logging
  - Request Monitor
  - Tracing
  - Basic Authentication
  - Windows Authentication
  - Request Filtering
  - Static Content Compression
  - IIS 6 Management Compatibility
  - IIS 6 WMI Compatibility
  - IIS 6 Metabase Compatibility
- Microsoft .NET 3.0 Features
  Note: Microsoft .NET Framework 3.0 Features can be installed from the Features options interface included with Windows Server 2008.
- Microsoft .NET 3.5 SP1 Framework

ILM Portal and Password Portal Software Requirements

The server(s) hosting the ILM Portal and Password Portal must have the following software installed. If you decide to install the ILM Portal and Password Portal software on different servers, the software prerequisites for both servers are the same.

- Windows Server 2008 64-bit Standard or Enterprise Editions
  When you install Windows Server 2008, do not install Windows Server 2008 Terminal Services. If you install Terminal Services, the ILM “2” server components do not install.
- Web Server (IIS) (Windows Server 2008 Web Server (IIS) role with the following options):
  - Common HTTP Features
  - Static Content
  - Default Document
  - Directory Browsing
  - HTTP Errors
  - HTTP Redirection
  - Application Development
  - ASP.NET
  - .NET Extensibility
  - ISAPI Extensions
  - ISAPI Filters
  - Health and Diagnostics
  - HTTP Logging
  - Request Monitor
  - Tracing
  - Basic Authentication
  - Windows Authentication
  - Request Filtering
  - Static Content Compression
  - IIS 6 Management Compatibility
  - IIS 6 WMI Compatibility
  - IIS 6 Metabase Compatibility
- Microsoft .NET Framework 3.0 Features (Windows Server 2008 feature)
- Microsoft .NET 3.5 SP1 Framework (http://go.microsoft.com/fwlink/?LinkId=129538)
- Windows SharePoint Services 3.0 SP1 (http://go.microsoft.com/fwlink/?LinkID=105802)
  For this release of ILM “2”, the ILM Portal does not install in a SharePoint farm topology.

ILM Client Components Software Requirements

The client computers that host the ILM “2” client-side components must meet the following software requirements:

- Windows XP Professional SP3, 32-bit or Windows Vista Enterprise SP1, 32- or 64-bit
- Windows Installer 3.1 or later (http://go.microsoft.com/fwlink/?LinkID=62933)
- Microsoft .NET Framework 3.5 SP1 (http://go.microsoft.com/fwlink/?LinkId=129538)
- Microsoft Office Outlook 2007
- Microsoft Forms .NET 2.0 Programmability Support (This software is an add-in feature of Microsoft Office 2007.)
- Smart Tag .NET Programmability Support for Microsoft Office 2007 (This software is an add-in feature of Microsoft Office 2007.)

 

Categories: ILM "2" Tags: