
Wednesday, March 27, 2013

The Last FIM Metaverse Extension You Will Ever Need

The third tool in the “The Last of” series is really another option for codeless provisioning (without having to go to the FIM Service/Portal).  The Last FIM Metaverse Extension You Will Ever Need takes advantage of the configuration of a special MA to determine the initial flows needed to provision a new object.  This is done in two parts.  Here’s how it works.

The Provisioning Management Agent
You will need to create a special MA of type “Provisioning Management Agent (Insight)”.  This is an ECMA that inspects the configuration of the FIM Sync engine, allowing you to use the UI to define the provisioning rules for the other MAs in the environment.  You will not create run profiles for this MA; it will never be executed in that manner.

First, make sure you install the packaged Provisioning MA and the Insight.FIM.CodelessProvisioning.dll from http://fimmv.codeplex.com. Now, when configuring the MA, the first thing you will need to do (after giving it a name) is use the Connectivity tab to enable provisioning.  You can do this by MA and by MA object type.  One nice thing about this set-up is that you can selectively turn provisioning on and off without having to change any of the flow rules defined.  In this example, I have two MAs, the HR MA with one object type of person and a CRM MA with two types, person and group.

I have enabled provisioning for person objects in the HR MA and then clicked Next.  I then clicked Next on the Configure Partitions and Hierarchies tab as well; we will be using the default values.

On the Object Types tab, you will see a list of Management Agents.  In essence, what this page is asking is which MAs you want to define provisioning rules for.  At a minimum you will want to select the MAs that have at least one item selected on the Connectivity tab.  In this case I am going to define provisioning rules for the HR MA, which I have enabled for provisioning.  Additionally, I could define rules for the CRM MA if I plan on enabling it at some point in the future.

On the next tab, you will want to select the attributes that you are going to define initial flows for.  At a minimum you will need to check the attribute “Anchor”.  I have selected a few of the basic attributes I want to set during provisioning.

Next is the Anchors tab, leave the default values (Anchor attribute = Anchor) and click Next.

You should now be on the Configure Connector Filter tab.  The provisioning code currently does not use this tab, but that could be a useful enhancement in the future.  Leave the filters blank and click Next.

Ditto with the Join and Project Rules: these won’t be used, so leave them blank and click Next.

Now comes the interesting tab.  On the Attribute Flow section, define the flows that you want as your initial flows as Export flows for the MA and object type.  For example, if I want the ID, DisplayName, Email, FirstName and LastName set on a new HR MA person when the object is provisioned, I will define an Export flow for each of those.

Currently, only direct and constant flows are supported, although I am working on adding Advanced flows via the same mechanism as The Last FIM Management Agent Rules Extension You Will Ever Need, in which the C# code that defines the advanced flow is placed directly in the flow rule name.  Click Next when done defining the flow rules.

Click Next through the Deprovisioning and Extensions tabs (you may need to provide a dll for the Rules extension name; you can simply use the Insight.FIM.CodelessProvisioning.dll).  That’s it!  You should now see your new Provisioning MA in the Sync client.  Don’t create more than one of these; currently only the first Provisioning MA found will be used.

Unfortunately, should you rename one of the MAs configured, you will need to update the schema of the Provisioning MA and then redefine the flow rules.

The Metaverse Extension
Okay, now all you need to do to get this working is set the Metaverse Rules Extension to use Insight.FIM.CodelessProvisioning.dll and enable it.

Here’s what happens next.  When the provisioning code runs, it looks for a Provisioning MA.  It then traverses the configuration of that MA to determine which objects to create and which flows to apply.  In this example, the provisioning code will see that I need to provision a new HR MA object of type person and set the ID, DisplayName, Email, FirstName and LastName on the object using the flow rules I defined.
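To make the mechanism concrete, here is an added example (not the Insight.FIM.CodelessProvisioning code) that models how such a metaverse extension turns the Provisioning MA’s settings into initial flows. The config shape, the attribute names, the MV entry and the `connected` check are all constructed assumptions.

```python
# Added example, not the Insight.FIM.CodelessProvisioning code: a model of how the
# metaverse extension turns the Provisioning MA's settings into initial flows.
# The config shape, the attribute names and the MV entry are all constructed.

PROVISIONING_MA = {
    # Connectivity tab: provisioning is toggled per MA and object type, so an MA can
    # be switched off here without touching any of its flow rules below.
    "enabled": {("HR MA", "person"): True, ("CRM MA", "person"): False},
    # Attribute Flow tab: the Export flows defined for an MA/object type act as the
    # initial flows when a new object is provisioned. (target, flow type, source/value)
    "export_flows": {
        ("HR MA", "person"): [
            ("ID", "direct", "employeeID"),
            ("DisplayName", "direct", "displayName"),
            ("Email", "direct", "mail"),
            ("FirstName", "direct", "firstName"),
            ("LastName", "direct", "lastName"),
            ("Status", "constant", "Active"),
        ],
        ("CRM MA", "person"): [("ID", "direct", "employeeID")],
    },
}

# Constructed metaverse entry.
MV_ENTRY = {"employeeID": "12345", "displayName": "Sarah Example",
            "mail": "sarah@example.com", "firstName": "Sarah", "lastName": "Example"}


def initial_attributes(flows, mv_entry):
    """Evaluate the flows against a metaverse entry; only direct and constant are supported."""
    values = {}
    for target, kind, source in flows:
        if kind == "direct":
            if source in mv_entry:          # a direct flow with no source value sets nothing
                values[target] = mv_entry[source]
        elif kind == "constant":
            values[target] = source
        else:
            raise ValueError(f"flow type {kind!r} is not supported (only direct and constant)")
    return values


def provision(config, mv_entry, connected=()):
    """Return the connector-space objects to create, keyed by (MA, object type).

    `connected` lists the MA/object types the MV entry already has a connector in, so an
    existing connector is not provisioned twice (an assumption, not spelled out in the post)."""
    to_create = {}
    for key, enabled in config["enabled"].items():
        if enabled and key not in connected:
            to_create[key] = initial_attributes(config["export_flows"].get(key, []), mv_entry)
    return to_create
```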

It’s an interesting concept and provides a well-known UI to set up codeless provisioning without the overhead of the FIM Service.

Let me know what you think!

Saturday, March 31, 2012

FIM PCNS And A Lack of Trust

If you read through the FIM documentation for setting up PCNS, you will find that FIM and PCNS need to be either in the same forest or joined by a forest trust. From http://technet.microsoft.com/en-us/library/cc720594(v=ws.10).aspx:


Forest trusts are only required if PCNS and ILM 2007 are located in different forests. If this is the case, a forest-level trust must be established. This is required for Kerberos mutual authentication for the ILM 2007 server to accept the request from a remote forest host.

This can become extremely limiting, especially if both forests do not have the proper forest and domain functional levels.  Theoretically, however, it’s possible to make Kerberos work over an External Trust (http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx).  With an External Trust, we don’t have any of the same forest functional level restrictions, opening up PCNS as a viable option for more customers.  I would love to know if anyone has been able to get PCNS working in this configuration.  In the meantime, I will have to set up a lab and try it out.  I will report back on the results and let you know!

Thursday, May 26, 2011

TEC 2011

For those of you who were able to make it to my presentation at TEC 2011 (stateside), I promised a blog entry going into some more technical detail on the Ensynch Accelerated SQL XMA (coming soon).  If you are interested in the slides I presented you can get them here.  Jeremy also had another suggestion that I will be trying out, so keep an eye out, I will let you know how it goes!

Friday, April 22, 2011

File Based Management Agents In MIIS/ILM/FIM

I had a recent need to really compare the capabilities of each of the file based Management Agents in FIM.  Can you name all five? Don't worry, I won't leave you hanging, they are:

  • Attribute-value pair text file
  • Delimited text file
  • Directory Services Markup Language (DSML) 2.0
  • Fixed-width text file
  • LDAP Data Interchange Format (LDIF)

Here are some of the things that they can and can't do (this is for you Joe) and just for kicks, I also added in the SQL MA. If you are using one of these file types in an Extensible Management Agent (XMA), the following still applies: 

MA type               | Multi-valued Attributes | Attribute Level Updates (1) | Multi-valued Level Attribute Updates (2)
----------------------|-------------------------|-----------------------------|-----------------------------------------
Attribute-value pair  | YES                     | NO                          | NO
Delimited             | YES (3)                 | NO                          | NO
DSML                  | YES                     | NO (4)                      | NO
Fixed-width           | YES (3)                 | NO                          | NO
LDIF                  | YES                     | YES                         | ON IMPORT ONLY (5)
SQL MA                | YES                     | YES                         | NO (6)


Okay, now for the caveats (can’t get away without some of those):

  1. An Attribute Level Update implies that a delta import can contain only the attribute that has changed (along with the other required columns, like the type of change and the anchor)

    So, here’s what that might look like.  Suppose I have a user with the following attributes:
      ID: 12345
      Name: Sarah
      Status: Active
      Phone: 555-123-4567
    If Sarah’s phone number changes to 555-987-6543, I can simply tell FIM something like: 
      ID: 12345 
      Type Of Change: Update
      Phone: 555-987-6543

    This has the advantage of giving FIM less work to do to determine what has changed on the records being imported and greatly speeds up delta imports. 
     
  2. A Multi-valued Level Attribute Update supports adding and deleting specific values from a multi-valued attribute
     
    Let’s take another look at Sarah’s record:
      ID: 12345 
      Name: Sarah 
      Status: Active 
      Phone: 555-123-4567
      Phone: 555-456-7890
    Now, Sarah has two Phone numbers, or a single attribute with multiple values. With multi-value level attribute update support, we can do things like add a new phone number to the list, delete a phone number from the list or update a phone number (in essence by doing an add of the new value and then a delete of the old one):
      ID: 12345 
      Type Of Change: Add
      Phone: 555-987-6543

    Without this support, the source system would be required to do a “replace” action and provide FIM with all of the current values at the time of import which FIM will use to override all the values that it has for that attribute.  So if we start with Sarah’s record as listed just above and add the phone number 555-987-6543 and remove the phone number 555-123-4567, we would have to pass:
      ID: 12345 
      Type Of Change: Replace
      Phone: 555-987-6543
      Phone: 555-456-7890

    As with attribute level updates, multi-valued level attribute update can greatly reduce the amount of work that FIM needs to accomplish.  To illustrate, just imagine applying this scenario to attributes like member on an AD group that can have thousands of values.
     
  3. Using a multi-valued attribute in a delimited or fixed-width file requires the use of a header on the import file

    So for a comma delimited file this would look like:
      ID, NAME, PHONE, PHONE, PHONE
      12345, Sarah, 555-123-4567, 555-987-6543, 555-456-7890

    This would import a record for Sarah with three attributes - ID, NAME and PHONE, the last of which will have three values. A fixed width file would work the same way.
     
  4. While the DSML specifications themselves can actually handle attribute level updates using the addRequest, delRequest and modifyRequest operations, FIM only implements the ability to import a SearchResultEntry element which must contain all of the attributes on the object

    Just a side note for those that might be curious: you can actually place the addRequest, delRequest and modifyRequest nodes in the DSML file.  FIM will be able to parse the file and it won’t cause any errors; however, these elements are completely ignored and aren’t processed by FIM.  I also tried sending a DSML delta to FIM with just the attribute that changed and a change type of “modify”, and, I suppose not surprisingly, the object in the connector space was updated so that it only had the one attribute I specified; all the other attributes originally on the object were removed.  Had any of these attributes been defined as required, this update would have failed.
     
  5. While you can import an update to a specific value in a multi-valued attribute, if you were to export this same change to an LDIF file, it will come through as a replace operation containing all values now present on the attribute
     
  6. While the SQL MA does not support updates to a specific value on a multi-valued attribute out of the box, I hear rumor that some customizations can be done to make this happen
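The following added example (not code from the post) shows caveats 1 through 4 in action: it parses the delimited-file layout with a repeated PHONE header column into one multi-valued attribute, then applies the delta record types discussed above. The sample file and the `attribute_level` flag are constructed for illustration.

```python
# Added example, not code from the post: a parser for the delimited-file layout
# (a repeated PHONE header column becomes one multi-valued attribute) and a
# function that applies the delta record types the caveats describe.
import csv
import io
from collections import defaultdict

# Constructed sample import file, in the header form caveat 3 requires.
DELIMITED_FILE = """ID, NAME, PHONE, PHONE, PHONE
12345, Sarah, 555-123-4567, 555-987-6543, 555-456-7890
"""


def parse_delimited(text):
    """Return {anchor: {attribute: [values]}}; repeated header names merge into one attribute."""
    rows = [r for r in csv.reader(io.StringIO(text), skipinitialspace=True) if r]
    header, records = rows[0], {}
    for row in rows[1:]:
        record = defaultdict(list)
        for name, value in zip(header, row):
            if value:                      # an empty cell contributes no value
                record[name].append(value)
        records[record["ID"][0]] = dict(record)
    return records


def apply_delta(record, change_type, attrs, attribute_level=True):
    """Apply one delta record and return the resulting connector-space record.

    Update/Replace, attribute_level=True : only the listed attributes change (caveat 1).
    Update/Replace, attribute_level=False: the delta is the whole entry, as with a DSML
                                           SearchResultEntry, so omitted attributes vanish (caveat 4).
    Add/Delete                           : value-level change on a multi-valued attribute (caveat 2).
    """
    new = {a: list(v) for a, v in record.items()}
    if change_type in ("Update", "Replace"):
        if not attribute_level:
            new = {}
        for attr, values in attrs.items():
            new[attr] = list(values)
    elif change_type == "Add":
        for attr, values in attrs.items():
            current = new.setdefault(attr, [])
            for v in values:
                if v not in current:
                    current.append(v)
    elif change_type == "Delete":
        for attr, values in attrs.items():
            new[attr] = [v for v in new.get(attr, []) if v not in values]
    else:
        raise ValueError(f"unknown change type {change_type!r}")
    return new
```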

Small Bug Found in MIIS/ILM/FIM Identity Manager UI….

Okay, so it’s so small it’s hardly worth mentioning.  However, if you happen to run into the error “no-start-file-open” when running an import/export step, or see the following message when trying to browse to your files while configuring the import step, you may be a victim of this issue.

[screenshot: UIErrorMessage]

The problem occurs when you have given your MA a name that ends in one or more periods (“.”).  While this is considered legal by the Identity Manager UI (FYI - Identity Manager will not allow periods at the beginning of the MA Name), the periods will get stripped off of the MaData folder automatically by Windows.  In my test case I named my MA “ma ,, test – with __special ,, characters – ..”, a bit excessive I know, but hey, I was testing.  However, my MaData folder actually turned out like:

[screenshot: AddressBar]

You can see why ILM could then have a problem finding the files specified in the run profile, since it’s using the MA Name to determine the file path (i.e. it’s looking for it in D:\Program Files\Microsoft Identity Integration Server\MAData\ma ,, test – with __special ,, characters – ..\).  Further proof that this is the case can be found in the Event Viewer:

[screenshot: EventViewer]

The fix?  Simply open the MA properties in Identity Manager, remove any periods from the end of the MA name and it should begin working as expected.

Thursday, April 21, 2011

Using Maexport To Import a Management Agent

Ever happen to see this little tidbit in the documentation for Identity Manager:

[screenshot: Maexport]

You can find it under the heading Import a Management Agent from a File, and well, don’t believe it for a second!  It’s currently not possible to import a Management Agent into Identity Manager using a command line tool.  For now, you will have to continue to use the UI.

Monday, November 16, 2009

The Missing ILM Extension

While recently browsing the Microsoft.MetadirectoryServices namespace for ILM I discovered a new extension that I had not seen before. In addition to the 6 that I was familiar with:
  • IMAExtensibleCallExport
  • IMAExtensibleFileExport
  • IMAExtensibleFileImport
  • IMAPasswordManagement
  • IMASynchronization
  • IMVSynchronization

There was a 7th that I had never heard of, the IMACalloutExtension. Curious, I began to investigate. The extension implements the following methods:

// Called when an export run to the connected directory (CD) begins; receives the connection details.
public void BeginExportToCd(string connectTo, string user, string domain, string password)
{
}

// Called when the export run ends.
public void EndExportToCd()
{
}

// Called before each entry is exported, with the delta entry XML and the names of the changed attributes.
public void BeforeExportEntryToCd(string deltaEntryXml, string[] changedAttributes)
{
}

// Called after each entry is exported, with the original and new anchor/DN and any failure details.
public void AfterExportEntryToCd(byte[] origAnchor, string origDN, string origDeltaEntryXml, byte[] newAnchor, string newDN, string failedDeltaEntryXml, string errorMessage)
{
}

The only documentation that I could find was within the interface definition itself. It appears that this extension was to be implemented using a new Management Agent of type "Callout" (or something similar) and gives the developer the ability to take action both before and after each entry export action, which could be extremely helpful. I haven't been able to find a roadmap for this feature, but it appears to be something we can look forward to in the future!

Sunday, April 19, 2009

Cannot connect to MMS WMI Service

Having trouble with the WMI service for MIIS/ILM? Try running the following commands at a command prompt:

  1. regsvr32 "C:\Program Files\Microsoft Identity Integration Server\Bin\mmswmi.dll"
  2. mofcomp -N:root\MicrosoftIdentityIntegrationServer "C:\Program Files\Microsoft Identity Integration Server\Bin\mmswmi.mof"

This will re-register the libraries with the OS. Give the WMI call another try. If you continue to have problems with an Access Denied error:

  1. Open the Component Services Console in the Administrative Tools Folder.
  2. Navigate to Console Root, Computers, My Computer, DCOM Config and then Microsoft Metadirectory Services.
  3. Right click on the application entry and select Properties.
  4. Go to the security tab and alter any security necessary.
  5. Click OK on the Application Properties page and close out the Component Services and Computer Management Consoles.

Sunday, April 5, 2009

A Small MIIStake

Okay, so to be fair the issue is actually with ILM (Version 3.3.118.0). In the previous version, MIIS 3.2.559.0, I would frequently run MAs from the Operations tab, like so... From the Operations tab, right click on the MA run of interest, and select the Run… option:


The resulting Run Management Agent window would then pre-populate the Management agent drop-down box and the Run profile list box with the same values as the original operation selected. Simply click OK and the selected run would be restarted (which makes it really easy to re-run a particular profile):


Now if you attempt to follow this same procedure in ILM…


The drop down menu is not automatically set to the MA selected. If you are used to being able to simply click the OK button from this dialog, you may inadvertently run the wrong MA. In fact you can see where I ran an ADAM MA by accident in the middle of the test MA series of runs:


So the bad news, for those of you using the current version of ILM: get used to using the drop-down menu to select the MA you want to run. The good news… this is a planned fix in a future hotfix! Not sure which one, or when. Anyone out there know?