QA Gate Improved in FIM 2010 R2

Customers using the Self-Service Password Reset (SSPR) feature of FIM 2010 have reported concerns that users do not answer the “security” questions seriously. They might, for example, answer “A” to every question just to get past the mandatory SSPR registration. In R2 this behaviour can be prevented!

Look at the screenshot below from FIM 2010 R2 RC released yesterday.

QA Gate in FIM 2010 R2


In the new QA gate you can prevent users from giving the same answer to two questions, and you can define a regular expression that every answer must satisfy.
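To get a feel for what the two new rules catch, here is an added PowerShell illustration (not FIM code, and not the gate's own implementation): a candidate answer regex plus a duplicate check run over a couple of constructed registration attempts. The regex and the case-insensitive duplicate comparison are my choices, so test a pattern this way before putting it in the gate.

```powershell
# Added illustration, not FIM's own code. Applies the two R2 QA gate rules,
# "answer must match a regex" and "no two answers may be the same", to a set
# of constructed answers so a candidate regex can be tried out first.

# Candidate regex (assumption, not a FIM default): at least 3 characters and
# not a single character repeated. The negative lookahead rejects "A", "AAA",
# "111" and similar lazy answers.
$AnswerPattern = '^(?!(.)\1*$).{3,}$'

function Test-QaAnswers {
    param(
        [Parameter(Mandatory)][string[]]$Answers,
        [string]$Pattern = $AnswerPattern
    )
    $problems = @()
    $seen = @{}   # lower-cased answer -> 1-based question number it was first used for
    for ($i = 0; $i -lt $Answers.Count; $i++) {
        $a = $Answers[$i]
        if ($a -notmatch $Pattern) {
            $problems += "Answer $($i + 1): does not satisfy the pattern"
        }
        # Duplicate check is case-insensitive on purpose: "Stockholm" and
        # "stockholm" give a guesser the same value, so treat them as equal.
        $key = $a.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $problems += "Answer $($i + 1): same as answer $($seen[$key])"
        } else {
            $seen[$key] = $i + 1
        }
    }
    return $problems
}

# Constructed sample registrations.
$lazy = @('A', 'A', 'A')               # three pattern failures, two duplicates
$good = @('Stockholm', 'Rex', 'Volvo 240')

Test-QaAnswers -Answers $lazy
Test-QaAnswers -Answers $good          # returns nothing: all rules satisfied
```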

In my opinion this will increase the number of users who will answer the questions seriously!

Troubleshooting in FIM 2010 R2

Anyone working with FIM today has at some point been forced to do some troubleshooting. In FIM 2010 R2 troubleshooting is made much easier. Let me show you an example.

In the current version of FIM, whenever an error occurred while processing a request, we would see the following screen.

FIM 2010 - Error Message


It doesn’t give much of a hint about what went wrong. In FIM 2010 R2, error messages have been enhanced throughout the whole product to make error tracking easier.

If we look at the new error message I get in FIM 2010 R2 it looks something like this.

FIM 2010 R2 - Error Message


Take special note of the Correlation Id introduced in FIM 2010 R2. The same Id is also found in Event Viewer if you need to drill down and find the correlated error event. If the error comes from a custom workflow you have designed, the screen shows the error message thrown by your code.
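As an added example (mine, not from the post or the product), the Event Viewer drill-down can be scripted: paste the Correlation Id from the error screen and pull every matching event from the FIM Service log. It assumes the FIM Service writes to the 'Forefront Identity Manager' event log and that the Id appears in the event message text; adjust the log name if your server differs.

```powershell
# Added example, not from the post. Finds every event that carries a given
# FIM 2010 R2 Correlation Id. Assumptions: log name 'Forefront Identity
# Manager' and the Id being present in the message body.

function Get-FimEventsByCorrelationId {
    param(
        [Parameter(Mandatory)][string]$CorrelationId,
        [string]$LogName = 'Forefront Identity Manager',
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500      # newest events only; raise if the error is older
    )
    # The Id lives in the message body, not in a filterable XML field, so the
    # match is done client-side after reading the newest events.
    Get-WinEvent -ComputerName $ComputerName -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.Message -like "*$CorrelationId*" } |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

# Placeholder Id: replace with the one shown on the error page.
Get-FimEventsByCorrelationId -CorrelationId '00000000-0000-0000-0000-000000000000' |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

Run it on the FIM Service server (or with -ComputerName against it, which needs remote event log access) as an account that can read the log; an empty result usually means the Id is in a different log or older than the -MaxEvents window.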

If the FIM Portal is used for self-service of some kind you will also appreciate the copy to clipboard and send email functionality the user will get directly from the error screen.

This is just one example on how the R2 release of FIM 2010 will make your life, as FIM admin, easier.

FIM training 6-8/12

I have made room in my calendar and will be delivering FIM training in Stockholm, Sweden 6-8/12. The training will be at Labcenter. Please go to http://www.labcenter.se/lab/2105 and register. If you have trouble understanding how to register on this Swedish site please email sales@labcenter.se.

It’s a 3-day course as described in Mastering Forefront IM. Since FIM training is not that common I have decided that this session will be open for international attendees, therefore I will deliver in English if non-Swedish students attend.

The course is a variant of the training I have delivered for Microsoft, Partner Readiness in Sweden and Norway.

Hurry up and register before the seats are taken!

Reporting in FIM 2010 R2

One of the greatest new features we will get in the R2 release of FIM 2010 is the new built-in reporting capability. In ILM and the current version of FIM, customers were forced to buy 3rd-party add-ons to get some useful reports; in FIM R2 it’s finally built-in.

The reporting feature uses the datawarehouse function in System Center Service Manager, and the FIM license will allow you to install and use that feature of SCSM without any extra license costs.

There are two types of reports out-of-the-box, “Membership Change Reports” and “Object History Reports”. But since the data is stored in SCSM’s DB and you can also extend what is stored, customers can make custom reports if they like.

Membership Change Reports

In these reports you will be able to see how group and set membership have changed and who made and/or approved the change.

Membership Change Report Example


Object History Reports

In these reports we can see changes to objects and key attributes over time.

Object History Report Example


As you can see these reports will together give you a very good historical view and traceability on your identity management.

If I look at my customers running FIM 2010 today, the new reporting features of R2 will be the main reason for them to hurry on and make the upgrade when R2 gets released.

FIM 2010 R2 – Nice news!

MS have just released some info on the upcoming R2 release of FIM 2010.

It looks like there is no solid release date yet, and I guess all the announced changes are subject to change.

From the news they presented I find the following worth mentioning.

  • Web based password reset:
    Password reset from non-domain joined computers using only a browser.
    Both registration and reset portals available.
    QA gate can be filtered using security context, giving different QA gates if you come from extranet.
    Request Context added as request attribute to show which context was used (extranet/intranet).
    No Active-X or similar required, pure browser wizard.
    Still QA gate is the only authn built-in.
    [Update 2011-05-18] At a session @TechEd today MS announced support for OTP as well.
  • Reporting:
    Historical data stored in System Center Service Manager data warehouse.
    Several out-of-box reports available.
    Changes to security groups are one great example.
    User history is another, showing the complete history of a user.
    This is a great R2 add-on! My customers will love this.
    You can filter what is moved to the data warehouse.
    The sync engine is not used to export the data from FIM DB to data warehouse.
    Scheduled Powershell is used to move data out and reports in.
    NO System Center Service Manager license is required if this is your only use of it!
  • Enhanced MA connectivity:
    Extensible MA will support some new features like “Full Export”.
    New SAP, Oracle ERP and Lotus Notes MAs using the new API.
    No “Full Export” for standard MAs.
  • Enhanced Management:
    We will get FIM Best Practice Analyzer.
    Enhanced diagnostic and error messages.
    FIM Portal will work on Sharepoint 2010.

It looks like R2 will add some really nice features. I will now register for the CEP program and will report back here in my blog as soon as there are any news.

Migrating CLM to FIM CM

How to upgrade/migrate from CLM to FIM is totally undocumented by Microsoft. In this article I will tell you what I have learned about this process during my latest customer projects.

First of all we need to state a fact.
There is no way to upgrade from CLM to FIM, you migrate!
This official answer can be read in the FIM FAQ: “Upgrading from CLM to FIM CM is not supported because CLM Feature Pack (FP1) is supported only on 32-bit platforms and FIM CM is only supported on 64-bit platforms. You can export the CLM 2007 database and re-use it in a new FIM CM deployment.”

The Process
The basic steps involved in the migration are as follows; later in this article I will tell you the details involved in each step.

  • Move the CLM DB to a new FIM supported SQL
  • Upgrade the DB to FIM Schema
  • Install FIM
  • Run the configuration wizard in FIM and use existing DB and Certs
  • Migrate certificates used by CLM services, to FIM
  • Migrate configuration from CLM to FIM
  • Upgrade the CA modules to FIM version
  • Configure CA modules

One thing we need to remember is the fact that CLM and FIM CM are basically the same, and both use the same permission and configuration model described in the picture below.

FIM CM Permissions


The permissions are in detail described in Configuring FIM CM Groups, Templates, and Permissions. If we re-use the Service Accounts used by CLM in our FIM CM setup we will be able to re-use the configuration as well in great parts.

Let us now look at the different steps involved and some details around them as well.

Move the CLM DB to a new FIM supported SQL
This is a task for the DB admin. Back up the CLM database using standard SQL backup methods and then restore the database on a 64-bit SQL 2008, supported by FIM CM.
If you have FIM 2010 Update 1 (build 4.0.3531.2), SQL 2008 R2 is also supported.
I would suggest that you use the same name on the Database as you did before, to minimize the configuration changes required during the migration.

Upgrade the DB to FIM Schema
On the FIM CM installation media in the folder Certificate Management\x64\Upgrade you will find the scripts required to upgrade the database. You run upgrade.bat with the “new” SQL server name as parameter. Please note that this command needs to be executed on a machine where the SQL client software (osql) is installed.

Install FIM
Before you can start the installation you need to make sure the machine has the required prerequisites as described in Installation Requirements, basically the only important stuff is in the section Prepare IIS 7 for FIM CM. We also need to make sure the CLMService account has the correct rights both locally and on the DB. This is described in Configuring the FIM CM Service.

Usually a FIM CM setup is split across at least 3 servers: FIM CM, SQL and CA. This also gives you some trouble with KCD (Kerberos Constrained Delegation). First of all you need to disable Kernel-mode authentication in IIS, to make sure that FIM CM can use its service accounts the way we want them to.

IIS 7 Kernel mode Authentication


To disable Kernel-mode authentication, open the IIS manager and navigate to Default Website. Select Authentication (it’s in the IIS section) in the middle pane, and select Advanced Settings in the taskbar on the right side. Uncheck Enable Kernel-mode authentication.
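The same change can be made and verified from an elevated prompt with appcmd, which is handy when you have more than one FIM CM server to prepare. This is an added example, not from the article; it assumes the FIM CM site is the default 'Default Web Site'. The reason the setting matters for KCD is that with kernel-mode authentication on, IIS decrypts Kerberos tickets with the machine account's key rather than the application pool account's, so a delegation set up for the CLM service account does not behave as expected.

```powershell
# Added example (not from the article): disable IIS kernel-mode authentication
# for the FIM CM site with appcmd, then read the setting back to verify.
# Assumption: the site is 'Default Web Site'; change $site otherwise.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'
$section = 'system.webServer/security/authentication/windowsAuthentication'

# Turn kernel-mode authentication off. The authentication sections are locked
# at site level by default, so the change is committed to applicationHost.config.
& $appcmd set config $site "-section:$section" /useKernelMode:"False" /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed with exit code $LASTEXITCODE" }

# Verify: the printed section should contain useKernelMode="false".
$config = & $appcmd list config $site "-section:$section"
$config
if (-not ($config -match 'useKernelMode="false"')) {
    throw "Kernel-mode authentication is still enabled on '$site'"
}
```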

Installing FIM is no problem, the only setting during the setup you might need to think about is the name of the Virtual Folder in IIS.

FIM CM VirtualFolder


By choosing the old name, CLM, instead of the default CertificateManagement, user favorites and systems pointing to the CLM folder will not need to be changed. For that reason you might also consider re-using the old DNS alias and point it to the new FIM CM server, if not you will also need to check your SPN’s and re-check all KCD settings.

Run the configuration wizard in FIM and use existing DB and Certs
Make sure you upgraded the DB before you run the configuration wizard. The wizard is basically the same as the one in CLM and I will only point out some places in the wizard where you need to pay extra attention.

FIM Configuration Wizard DB Name


The Database name should be CLM since we are reusing the old database.

FIM Config Wizard Custom Agent Accounts


When specifying agent accounts UNCHECK Use the FIM CM default settings and click Custom Accounts… button.

FIM Config Wizard Agents Account Settings


For each agent account configure the username and password and CHECK Use an existing user.

FIM Config Wizard Certificates


Since we will re-use the same accounts and certificates, CHECK Create and configure certificates manually.

FIM Config Wizard Use Existing DB


At the end of the wizard you should be notified that the database already exists. Make sure you answer YES to use the existing DB.

Migrate certificates used by CLM services, to FIM
You need to migrate the certificates used by CLM service accounts to the new FIM CM Server.

The 3 accounts you need to migrate the certificates for are listed below. If you have changed the accounts used in your CLM deployment you need to adjust to that.

  • CLMKRAgent
  • CLMEnrollAgent
  • CLMAgent

Export the certificates to pfx files from CLM and then log on as each service account and import the certificates into the personal store. Don’t forget the private keys during export/import.
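Since certutil moves a certificate together with its private key, the export/import can be done from a prompt instead of the Certificates MMC. The following is an added example, not from the article: run Export-AgentCertificate while logged on as each agent account on the old CLM server, and Import-AgentCertificate while logged on as the same account on the new FIM CM server. The thumbprint is a placeholder you read from the account's Personal store; the check at the end confirms the private key actually arrived, which is the step people most often miss.

```powershell
# Added example (not from the article). Export a CLM agent certificate with its
# private key to a PFX and import it on the FIM CM server, using certutil against
# the current user's Personal store. Run each function as the agent account itself.

function Export-AgentCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # placeholder: read from CurrentUser\My
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password      # protects the PFX in transit
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }
    # certutil refuses to export a key that was marked non-exportable; the
    # non-zero exit code surfaces that instead of silently writing a keyless PFX.
    & certutil -user -p $Password -exportPFX My $Thumbprint $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed with exit code $LASTEXITCODE" }
}

function Import-AgentCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Thumbprint    # used to verify the import
    )
    & certutil -user -p $Password -importPFX $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }
    # Verify the certificate landed in the Personal store WITH its private key.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Import of $PfxPath did not yield a certificate with a private key"
    }
    "Imported $($cert.Subject) ($Thumbprint) with private key"
}

# Old CLM server, logged on as e.g. CLMEnrollAgent (thumbprint is a placeholder):
# Export-AgentCertificate -Thumbprint '<THUMBPRINT>' -PfxPath 'C:\ClmMigration\CLMEnrollAgent.pfx' -Password '<PFX PASSWORD>'
# New FIM CM server, logged on as the same account:
# Import-AgentCertificate -PfxPath 'C:\ClmMigration\CLMEnrollAgent.pfx' -Password '<PFX PASSWORD>' -Thumbprint '<THUMBPRINT>'
```

Delete the PFX files once the import is verified; they contain the agents' private keys.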

Migrate configuration from CLM to FIM
There are multiple configurations you need to migrate.

First you have the SCP (Service Connection Point) created by the configuration wizard. Check the permissions you have on the old SCP and configure the new SCP with the same settings.

Then you have the config-files. One approach might be to copy all config files from the old CLM to FIM, but I have in my cases migrated the settings in the files instead, since there is no support statement from Microsoft to copy it. This means taking the time to compare the files and copy the changes. In a simple setup the only config file you need to look at is the web.config. In my customer cases I have found that the following keys of the web.config file might have changes.

  • Clm.MaxRecords
  • Clm.Report.MaxRecords
  • Clm.ValidSigningCertificates.Hashes
  • Clm.EnrollAgent.Certificate.Hash
  • Clm.SmartCard.ExchangeCertificate.Hash
  • Clm.RequestSecurity.Flags
  • Clm.RequestSecurity.Groups

Since we are re-using the accounts and the database we do not need to make any changes to certificate templates, profile templates or management policies.

Upgrade the CA modules to FIM version
Before we can start using FIM CM we need to upgrade the CA module on the issuing CA used by CLM. Depending on the OS used by the CA you might need to add .NET Framework 3.5 SP1 before installing the FIM CM CA module.

During the upgrade, the CA module will lose its settings, so before you run the setup make sure you know the settings you would like to use for the database connection string and the signing certificate.

Configure CA modules

FIM CA Module Signing Certificate


Two settings have to be added for the FIM CM CA module before you can use it: first the database connection string in the Exit Module, and then the signing certificate in the Policy Module.

Hopefully this article has made it a little bit easier for you to understand the steps involved in migrating from CLM to FIM CM. If you have anything to add to this guide please comment.