Tuesday, September 20, 2011

Ensynch Joins Insight!

We are very excited about the union of Insight and Ensynch and the benefits that it will bring to our clients. Both companies are focused on helping our clients find innovative, cost-effective solutions to address business needs. Bringing Ensynch into the Insight organization will offer clients more robust software services, particularly around Microsoft Enterprise Agreements, as well as improved services delivery, enhanced virtualization and cloud capabilities and a solution-focused approach to software sales. This acquisition will further simplify our clients’ ability to acquire, procure, implement and manage IT solutions across their technology environment.

For more information, read the press release here, visit www.insight.com or www.ensynch.com, or contact me with any questions.

Wednesday, July 27, 2011

FIM 2010 and Language Types

Recently, while working with James, we had to support synchronization of identity data that used language types/codes. Here’s a little background…

Directories that support RFC 3866 (in this case Sun One) allow you to specify the language of an attribute’s value. Here’s a simple example: say your company has a presence in the States and in Germany and you want to be able to store the user’s title “Software products” in both English and German. You can do that like this:

title;lang-en: Software products
title;lang-de: Softwareprodukte

Now, FIM will support reading these attributes out of the directory and storing them into the CS, up to a point.  If you were to import this attribute, what you would get is a single multi-valued title attribute with both values, at which point you have lost all of the language information:

XMA Import


In order to preserve this information, we ended up writing our own XMA to bring in the attribute with its language type as an attribute in its own right. Using the DirectoryServices (or DirectoryServices.Protocols, if you prefer) namespace, we were able to access the directory and retrieve the full name of the attribute; we then wrote this out to our file so that FIM would see them as different items. (If you end up writing your XMA using the LDIF file format, like we did, you will have to actually transform the attribute name on the way out to the file to remove/replace the “;” or you will continue to have the issue above!)

XMA with Language Code Support


We can now flow these attributes with the language information intact to other downstream systems.
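The attribute-name transformation described above, sketched in Python as an added example (it is not the XMA's own code, which was written against .NET). The "_" replacement character, the function names and the sample entry are assumptions made for illustration:

```python
import re

# LDIF attrval line: name, one or more ";option" parts, then ":", "::" (base64) or ":<" (URL).
ATTR_WITH_OPTIONS = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9-]*)(?P<opts>(?:;[A-Za-z0-9-]+)+)"
    r"(?P<sep>::|:<|:)(?P<rest>.*)$"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def flatten_language_options(ldif_text, replacement="_"):
    """Rename 'title;lang-en' to 'title_lang-en' so each language is imported as its own attribute."""
    out = []
    for line in unfold(ldif_text):
        m = ATTR_WITH_OPTIONS.match(line)
        # Only touch RFC 3866 language options; other options (e.g. ";binary") are left alone.
        if m and any(o.lower().startswith("lang-") for o in m["opts"].split(";")[1:]):
            flat_name = m["name"] + m["opts"].replace(";", replacement)
            line = flat_name + m["sep"] + m["rest"]
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample entry (not taken from a real directory).
SAMPLE = """\
dn: uid=12345,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
title;lang-en: Software products
title;lang-de:: U29mdHdhcmVwcm9kdWt0ZQ==
description;lang-de: Eine lange Beschreibung, die
  ueber zwei Zeilen umgebrochen ist
userCertificate;binary:: MIIB
"""

if __name__ == "__main__":
    print(flatten_language_options(SAMPLE))
```

Lines are unfolded before matching so that a folded attribute line is renamed as a whole; the output is written unfolded.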

Tuesday, July 26, 2011

XMA Creation Feature

So recently while creating some XMAs for FIM 2010 I noticed that while the initial creation page looked like this:

XMA Initial Creation

When I opened the XMA after it was created I got:

XMA After Creation

“One of these things is not like the others….” Even though I didn’t select the checkbox for the “Run this management agent in a separate process” option, the FIM Sync Engine created it that way. It will remember the setting from this point on, but if you forget, this can make attaching the debugger and stepping into your code a little more difficult. (Just as an FYI, I usually do turn this feature on when I am running the XMA in a QA/Production environment to minimize the chance that I could bring down the main sync miiserver process.) This only appears to be an issue with the XMA; I haven’t noticed this issue with any of the other MA types.

Wednesday, June 15, 2011

Exchange Room Resources

Recently, while trying to provision Room Resource Mailboxes via FIM (more specifically, while setting their Access Booking Policies via the Set-CalendarProcessing command in a PowerShell Workflow), I received the following error:

The values for ResourceMake, ResourceModel, and ResourceType must be included in the ResourceProperties collection.

You may also see this error if you try to open the object in the Exchange Management Console and try to save it. 

Upon further inspection, the issue appeared because the msExchResourceSearchProperties attribute didn’t contain the resource type, in this case “Room”, anywhere in the multi-valued list.  After manually adding this value to the existing list, this issue was resolved.  Since we are getting this list from user input in the portal, a more permanent solution will involve adding a Workflow to ensure that “Room” appears in this list when we add/update it in the portal.

Thursday, May 26, 2011

TEC 2011

For those of you who were able to make it to my presentation at TEC 2011 (State side), I promised a blog entry going into some more technical detail on the Ensynch Accelerated SQL XMA (coming soon).  If you are interested in the slides I presented you can get them here.  Jeremy also had another suggestion that I will be trying out, so keep an eye out, I will let you know how it goes!

Wednesday, May 25, 2011

Custom Attributes in a Function Evaluator Workflow Activity (or lack thereof)

Okay, so as some of you have found out, if you bind a custom attribute to a custom resource in FIM, those attributes don’t show up in the Function Evaluator Workflow Activity drop-downs here:

 image

or here:

image

There are two ways to go about fixing this: you can bind the custom property to a “known” resource type, like user, or you can skip the lookup and go ahead and reference them anyway using the CustomExpression option. This will mean hand typing the attribute name into the Destination and Custom Expression fields, but it will keep your bindings cleaner:

image

Friday, April 22, 2011

File Based Management Agents In MIIS/ILM/FIM

I had a recent need to really compare the capabilities of each of the file based Management Agents in FIM.  Can you name all five? Don't worry, I won't leave you hanging, they are:

  • Attribute-value pair text file
  • Delimited text file
  • Directory Services Markup Language (DSML) 2.0
  • Fixed-width text file
  • LDAP Data Interchange Format (LDIF)

Here are some of the things that they can and can't do (this is for you Joe) and just for kicks, I also added in the SQL MA. If you are using one of these file types in an Extensible Management Agent (XMA), the following still applies: 

 

                        Multi-valued    Attribute Level    Multi-valued Level
                        Attributes      Updates (1)        Attribute Updates (2)

Attribute-value pair    YES             NO                 NO
Delimited               YES (3)         NO                 NO
DSML                    YES             NO (4)             NO
Fixed-width             YES (3)         NO                 NO
LDIF                    YES             YES                ON IMPORT ONLY (5)
SQL MA                  YES             YES                NO (6)



Okay, now for the caveats (can’t get away without some of those):

  1. An Attribute Level Update implies that a delta import can contain only the attribute that has changed (along with the other required columns, like the type of change and the anchor)

    So, here’s what that might look like.  Suppose I have a user with the following attributes:
      ID: 12345
      Name: Sarah
      Status: Active
      Phone: 555-123-4567
                                         
    If Sarah’s phone number changes to 555-987-6543, I can simply tell FIM something like: 
      ID: 12345 
      Type Of Change: Update
      Phone: 555-987-6543

    This has the advantage of giving FIM less work to do to determine what has changed on the records being imported and greatly speeds up delta imports. 
     
  2. A Multi-valued Level Attribute Update supports adding and deleting specific values from a multi-valued attribute
     
    Let’s take another look at Sarah’s record:
      ID: 12345 
      Name: Sarah 
      Status: Active 
      Phone: 555-123-4567
      Phone: 555-456-7890
                                          
    Now, Sarah has two Phone numbers, or a single attribute with multiple values. With multi-value level attribute update support, we can do things like add a new phone number to the list, delete a phone number from the list or update a phone number (in essence by doing an add of the new value and then a delete of the old one):
      ID: 12345 
      Type Of Change: Add
      Phone: 555-987-6543

    Without this support, the source system would be required to do a “replace” action and provide FIM with all of the current values at the time of import which FIM will use to override all the values that it has for that attribute.  So if we start with Sarah’s record as listed just above and add the phone number 555-987-6543 and remove the phone number 555-123-4567, we would have to pass:
      ID: 12345 
      Type Of Change: Replace
      Phone: 555-987-6543
      Phone: 555-456-7890

    As with attribute level updates, multi-valued level attribute update can greatly reduce the amount of work that FIM needs to accomplish.  To illustrate, just imagine applying this scenario to attributes like member on an AD group that can have thousands of values.
     
  3. Using a multi-valued attribute in a delimited or fixed-width file requires the use of a header on the import file

    So for a comma delimited file this would look like:
      ID, NAME, PHONE, PHONE, PHONE
      12345, Sarah, 555-123-4567, 555-987-6543, 555-456-7890

    This would import a record for Sarah with three attributes - ID, NAME and PHONE, the last of which will have three values. A fixed width file would work the same way.
     
  4. While the DSML specifications themselves can actually handle attribute level updates using the addRequest, delRequest and modifyRequest operations, FIM only implements the ability to import a SearchResultEntry element which must contain all of the attributes on the object

    Just a side note for those that might be curious, you can actually place the addRequest, delRequest and modifyRequest nodes in the DSML file. FIM will be able to parse the file and it won’t cause any errors, however these elements are completely ignored and aren’t processed by FIM. I also tried sending a DSML delta to FIM with just the attribute that changed and a change type of “modify”, and I suppose not surprisingly, the object in the connector space was updated so that it only had the one attribute I specified; all the other attributes originally on the object were removed. Had any of these attributes been defined as required, this update would have failed.
     
  5. While you can import an update to a specific value in a multi-valued attribute, if you were to export this same change to an LDIF file, it will come through as a replace operation containing all values now present on the attribute
     
  6. While the SQL MA does not support updates to a specific value on a multi-valued attribute out of the box, I hear rumor that some customizations can be done to make this happen
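To make caveats 1, 2 and 5 concrete, the following added example (not from the original post) builds the same change in both forms as LDIF modify records in RFC 2849 syntax: a value-level add/delete and a full replace. The DNs and the 5,000-member group are constructed sample data, and the function names are hypothetical:

```python
import base64
import re

# RFC 2849 SAFE-STRING; any other value must be written base64-encoded after "::".
SAFE_STRING = re.compile(
    r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*"
)

def attrval(attr, value):
    """Format one 'attr: value' line, switching to base64 when the value is not LDIF-safe."""
    if SAFE_STRING.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def value_level_delta(dn, attr, old_values, new_values):
    """Modify record carrying only the values added to or deleted from the attribute."""
    old, new = set(old_values), set(new_values)
    added = [v for v in dict.fromkeys(new_values) if v not in old]
    removed = [v for v in dict.fromkeys(old_values) if v not in new]
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, values in (("add", added), ("delete", removed)):
        if values:
            lines += [f"{op}: {attr}", *(attrval(attr, v) for v in values), "-"]
    return lines if added or removed else []

def replace_delta(dn, attr, new_values):
    """Modify record that resends every current value of the attribute."""
    return [f"dn: {dn}", "changetype: modify", f"replace: {attr}",
            *(attrval(attr, v) for v in dict.fromkeys(new_values)), "-"]

# Constructed sample data: Sarah's phone numbers from the text, plus a large group.
SARAH_DN = "uid=12345,ou=people,dc=example,dc=com"
OLD = ["555-123-4567", "555-456-7890"]
NEW = ["555-456-7890", "555-987-6543"]
GROUP_DN = "cn=all-staff,ou=groups,dc=example,dc=com"
MEMBERS = [f"uid={n},ou=people,dc=example,dc=com" for n in range(5000)]

if __name__ == "__main__":
    print("\n".join(value_level_delta(SARAH_DN, "Phone", OLD, NEW)), end="\n\n")
    print("\n".join(replace_delta(SARAH_DN, "Phone", NEW)), end="\n\n")
    one_more = MEMBERS + ["uid=J\u00fcrgen,ou=people,dc=example,dc=com"]
    print(len(value_level_delta(GROUP_DN, "member", MEMBERS, one_more)), "lines vs",
          len(replace_delta(GROUP_DN, "member", one_more)), "lines for one new member")
```

For the group, the value-level record stays at five lines no matter how many members already exist, while the replace record grows with the membership.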

Small Bug Found in MIIS/ILM/FIM Identity Manager UI….

Okay, so it’s so small it’s hardly worth mentioning. However, if you happen to run into the error “no-start-file-open” when running an import/export step or see the following message when trying to browse to your files while configuring the import step, you may be a victim of this issue.

UIErrorMessage

The problem occurs when you have given your MA a name that ends in one or more periods (“.”).  While this is considered legal by the Identity Manager UI (FYI - Identity Manager will not allow periods at the beginning of the MA Name), the periods will get stripped off of the MaData folder automatically by Windows.  In my test case I named my MA “ma ,, test – with __special ,, characters – ..”, a bit excessive I know, but hey, I was testing.  However, my MaData folder actually turned out like:

AddressBar

You can see why ILM could then have a problem finding the files specified in the run profile since it’s using the MA Name to determine the file path (i.e. it’s looking for it in D:\Program Files\Microsoft Identity Integration Server\MAData\ma ,, test – with __special ,, characters – ..\). Further proof that this is the case can be found in the Event Viewer:

EventViewer

The fix?  Simply open the MA properties in Identity Manager, remove any periods from the end of the MA name and it should begin working as expected.

Thursday, April 21, 2011

Using Maexport To Import a Management Agent

Ever happen to see this little tidbit in the documentation for Identity Manager:

Maexport

You can find it under the heading Import a Management Agent from a File, and well, don’t believe it for a second! It’s currently not possible to import a Management Agent into Identity Manager using a command line tool. For now, you will have to continue to use the UI.