A Knowledge Base article published this week gives information about IPv6 support in the Microsoft Identity Management product versions.
Microsoft Identity Management software support for Internet Protocol version 6:
This article explains the support for Internet Protocol version 6 (IPv6) addressing in the following Microsoft identity management products.
- Forefront Identity Manager 2010 (FIM)
- Microsoft Identity Lifecycle Manager 2007 (ILM 2007)
- Microsoft Identity Integration Server 2003 (MIIS 2003)
The following table lists the Internet Protocol version 6 (IPv6) support:
| Product | IPv6 support |
| --- | --- |
| Forefront Identity Manager 2010 (FIM) | Full IPv6 support |
| Microsoft Identity Lifecycle Manager 2007 (ILM 2007) | No IPv6 support |
| Microsoft Identity Integration Server 2003 (MIIS 2003) | No IPv6 support |
Link to the original article: Microsoft Identity Management software support for Internet Protocol version 6 (KB2698014)

FIM Object Visualizer is an open source tool from CodePlex that helps retrieve the FIM configuration at various levels:
- FIM active Metaverse schema configuration
- Attribute flow precedence configuration
- Management Policy Rules
- Synchronization Rules
- Workflows
- FIM Management Agent schema configuration
- Management Agent configuration
- Metaverse Schema
- Replication Configuration
Remark: the tool is a PowerShell script, so before running it on your FIM server you must set the execution policy to Unrestricted (Set-ExecutionPolicy Unrestricted). To avoid leaving the machine-wide policy permanently relaxed, scope the change to the current session instead (Set-ExecutionPolicy -Scope Process Unrestricted) and run the tool from that session.
The tool can be downloaded from here
Update Rollup 2 (build 4.0.3606.2) for FIM 2010 is available for download here
The link below is a TechNet video that describes how to implement Office 365 using DirSync (built on the FIM Synchronization Service) to synchronize users to the cloud, and AD FS for single sign-on.
Office 365: Planning and Automating …
Another helpful video for understanding Identity Management for Office 365:
Office 365 Identity Management and Federation
FIM 2010 R2 adds the option of using a One-Time Password (OTP) in Self-Service Password Reset (SSPR).
The following demo shows:
- How to include the OTP functionality to the SSPR workflow (and MPR update)
- Full registration process
- Full SSPR process
Now…
There are two kinds of OTP activities:
- One-Time Password Email Gate
- One-Time Password SMS Gate

These activities are included out of the box in R2, but they must first be added to and configured in the “Password Reset AuthN Workflow” workflow as follows (this demo uses the “One-Time Password Email Gate”):
Workflow
Go to the “Activities” tab of the “Password Reset AuthN Workflow” workflow, click “Add Activity” and select the “One-Time Password Email Gate” activity.

Configure the activity parameters and save.
Remark: note the registration mode setting, which controls whether the user may enter a personal e-mail address during the registration step or not (shown later in this demo).

The updated workflow looks like this:

Management Policy Rule (MPR)
Update the “Administration: Administrators can read and update Users” MPR: add the “One-Time Password Email Address” attribute on the “Target Resources” tab, otherwise the address captured at registration cannot be written to the user.
Note: for SMS OTP via mobile phone, add in the same way the mobile phone attribute that the “One-Time Password SMS Gate” activity reads.

Registration Process
Welcome screen

Enter your current password

Enter your answers

Enter your personal mail address for Email OTP
Done!

Self-Service Password Reset
Here is the procedure for resetting a password with SSPR and OTP:
domain\username screen

Fill in the answers given during the registration process

Enter the OTP that has been sent to your personal email


Choose a new password

Done!

The RC version of FIM 2010 R2 was updated yesterday (23/11) on Microsoft Connect and is available for download.
This Release Candidate focuses on the new and improved features included in FIM 2010 R2.
- Reporting
- Web-based Self-Service Password Reset
- Improved performance for the initial load of the FIM database
- Scale and load performance improvements
- Outlook® 2010 support for the FIM add-ins and extensions
- SharePoint® 2010 support
- Improved troubleshooting support
So…
After tens of FIM 2010 installations and configurations I decided to make things more automatic for me.
Luckily, an open source client for the FIM web service can be downloaded from CodePlex at the following link: http://fim2010client.codeplex.com/
The client library also includes some very useful examples showing how it can be used to create and update resources.
Let's look at the default configuration of the “Anonymous users can reset their password” MPR:

References, credentials, and the method that enables the MPR and changes its description:

```csharp
using Microsoft.ResourceManagement.Client;
using Microsoft.ResourceManagement.ObjectModel;
using Microsoft.ResourceManagement.ObjectModel.ResourceTypes;
using System.Net;

public class MprHelper
{
    // Credentials: the call runs as the current process identity, which must
    // be allowed (by MPR) to read and update ManagementPolicyRule resources.
    NetworkCredential credentials = CredentialCache.DefaultNetworkCredentials;

    // Set MPR to enabled and change its description.
    public void EnableMPRByDisplayName(string MPRDisplayName)
    {
        // This example shows the basic steps to modify a resource.
        using (DefaultClient client = new DefaultClient())
        {
            // set credentials and refresh schema
            client.ClientCredential = this.credentials;
            client.RefreshSchema();

            // get the resource object(s) to modify.
            // Note: the display name is concatenated unescaped into the XPath
            // filter; a value containing a single quote breaks (or alters) the
            // query, so only pass trusted, quote-free display names here.
            foreach (RmResource mpr in client.Enumerate("/ManagementPolicyRule[DisplayName='" + MPRDisplayName + "']"))
            {
                // create the object to track changes to the resource
                RmResourceChanges transaction = new RmResourceChanges(mpr);

                try
                {
                    transaction.BeginChanges();
                    // update the required attribute(s)
                    mpr.Description = mpr.Description + " (MPR programmatically set to enable)";
                    mpr["Disabled"].Value = false;
                    // modify the resource on the server
                    client.Put(transaction);
                    // the operation succeeded: accept the changes.
                    transaction.AcceptChanges();
                    // NOTE: after calling AcceptChanges the RmResourceChanges
                    // object does not contain any more changes to propagate to the server.
                }
                catch
                {
                    // an error occurred, so the resource was not modified;
                    // rollback the changes.
                    transaction.DiscardChanges();
                    throw;
                }
            }
        }
    }
}
```
The result:

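Since the “Anonymous users can reset their password” MPR is the rule that opens the reset flow to unauthenticated callers, it is worth reading it back after the change rather than trusting the screenshot. The following script is an added example, not part of the original post or of the CodePlex client: it uses the FIM 2010 PowerShell snap-in (FIMAutomation) to export the MPR and report whether it is enabled. It assumes the FIM Service is reachable at http://localhost:5725/ResourceManagementService and that the caller may read ManagementPolicyRule resources; the function and variable names are the example's own.

```powershell
# Added example (not from the original post or the CodePlex client):
# read an MPR back with the FIM 2010 snap-in and confirm it is enabled.
# Assumed: FIM Service at http://localhost:5725/ResourceManagementService.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-MprState {
    param(
        [Parameter(Mandatory = $true)] [string] $DisplayName,
        [string] $Uri = 'http://localhost:5725/ResourceManagementService'
    )

    # XPath 1.0 has no escape for a quote inside a quoted literal, so a name
    # containing one would break or alter the filter; refuse it up front.
    if ($DisplayName.Contains("'")) {
        throw "DisplayName must not contain a single quote."
    }

    $filter   = "/ManagementPolicyRule[DisplayName='$DisplayName']"
    $exported = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)
    if ($exported.Count -eq 0) { throw "No MPR with display name '$DisplayName'." }

    foreach ($item in $exported) {
        $attrs       = $item.ResourceManagementObject.ResourceManagementAttributes
        $disabled    = ($attrs | Where-Object { $_.AttributeName -eq 'Disabled' }).Value
        $description = ($attrs | Where-Object { $_.AttributeName -eq 'Description' }).Value

        # 'Disabled' is exported as the string 'True'/'False'; absent means enabled.
        $isEnabled = -not ($disabled -and [System.Convert]::ToBoolean($disabled))

        New-Object PSObject -Property @{
            DisplayName = $DisplayName
            Enabled     = $isEnabled
            Description = $description
        }
    }
}

# Usage: verify the MPR changed by the C# code above, and fail loudly if not.
$state = Get-MprState -DisplayName 'Anonymous users can reset their password'
$state | Format-List
if (-not $state.Enabled) { throw "MPR is still disabled." }
```

The same single-quote check belongs in front of the C# Enumerate call: in both places the display name ends up inside an XPath string literal, and XPath 1.0 offers no way to escape a quote there.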
THIS POSTING IS PROVIDED "AS IS" WITH NO WARRANTIES, AND CONFERS NO RIGHTS
A new hotfix for Forefront Identity Manager 2010 has been available since 03/11/2011.
The hotfix build 4.0.3594.2 includes all the previous hotfixes:
2502631 (http://support.microsoft.com/kb/2502631) A hotfix rollup package (build 4.0.3576.2) is available for Forefront Identity Manager 2010
2417774 (http://support.microsoft.com/kb/2417774) A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 2010
2272389 (http://support.microsoft.com/kb/2272389) A hotfix rollup package (build 4.0.3558.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
2028634 (http://support.microsoft.com/kb/2028634) A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
978864 (http://support.microsoft.com/kb/978864) Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010
For more information and hotfix download: http://support.microsoft.com/kb/2520954
RSS for FIM 2010 Hotfixes
The Management Pack has been available since 31/03/2011.
Please refer to the following link to download the Management Pack and the guide for Forefront Identity Manager 2010:
Forefront Identity Manager 2010 Monitoring Management Pack
Problem: the FIM synchronization process (miiserver.exe) stays at very high utilization even when there is no activity in the FIM Synchronization Service.
Solution:
The latest hotfix for FIM 2010 resolves the problem (KB2028634):
http://support.microsoft.com/kb/2028634

Here’s an extended copy of the presentation of FIM 2010 from the Teched 2010 in Eilat.
Teched 2010 - FIM 2010
I also included the “Workflow Activity Library” code presented for workflow logging (page 32 in the presentation).
The attached code above is based on MSDN documentation How to: Create a Custom Logging Activity and Deploy it to the FIM Portal and is provided “as is” with no warranty.
Microsoft Exchange could not find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default server with a FQDN parameter of server.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

In my case the error came from the Hub Transport.
Because I can't change the FQDN on the Default receive connector, I changed its port (from 25) and disabled the Default receive connector.


Then add a receive connector with the same configuration as the default receive connector, but with an FQDN that matches the published certificate (e.g. mail.mycompany.com).
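The procedure above, as an added example in Exchange Management Shell commands (this is not the original post's code). It assumes the published name mail.mycompany.com, that the default connector is parked on port 2525, a replacement connector named “Default (published FQDN)”, and explicit authentication mechanisms and permission groups for it; adjust all of these to your environment. It also adds the check a practitioner wants at the end: an EHLO that must now advertise STARTTLS.

```powershell
# Added example (not from the original post): STARTTLS fix as EMS commands,
# run on the Hub Transport server itself. Assumed values below.
$certFqdn = 'mail.mycompany.com'

# 1. Pick the certificate that carries the published name and make sure the
#    Transport service may use it for SMTP (this is what the event asks for).
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $certFqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $certFqdn in the local machine store." }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 2. The default connector's FQDN cannot be changed, so move it off port 25
#    and disable it.
$default = Get-ReceiveConnector | Where-Object { $_.Name -like 'Default *' } | Select-Object -First 1
Set-ReceiveConnector -Identity $default.Identity -Bindings '0.0.0.0:2525' -Enabled $false

# 3. Create the replacement on port 25 with the published FQDN.
#    ExchangeServer authentication is deliberately left out: Exchange only
#    accepts it on connectors whose FQDN is the server's own name (assumed
#    mechanism and permission lists; adjust to match your old connector).
New-ReceiveConnector -Name 'Default (published FQDN)' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $default.RemoteIPRanges `
    -Fqdn $certFqdn `
    -AuthMechanism 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS' `
    -PermissionGroups 'AnonymousUsers, ExchangeUsers'

# 4. Check from the outside: the EHLO response must now list STARTTLS.
function Test-SmtpStartTls {
    param([string] $HostName, [int] $Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine  = "`r`n"
    $writer.AutoFlush = $true
    do { $line = $reader.ReadLine() } while ($line -match '^220-')   # greeting banner
    $writer.WriteLine('EHLO probe.example')
    $ehlo = @()
    do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^250-')
    $writer.WriteLine('QUIT')
    $client.Close()
    return [bool]($ehlo -match '^250[- ]STARTTLS')
}
Test-SmtpStartTls -HostName $certFqdn   # expected: True once the new connector is up
```

Keep the parked default connector until you have confirmed that servers which relied on ExchangeServer authentication still deliver mail; internal transport needs a connector that presents the server's own FQDN, which is exactly the value the published certificate does not contain.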



The first thing is to allow the forwarding option on the Outlook Live domain:
http://help.outlook.com/en-us/140/dd207270.aspx
Then, create an inbox rule:
http://help.outlook.com/en-us/140/bb899620.aspx
Create a forwarding rule (as part of creating an inbox rule):

