Author: RossDCurrie

  • What is FIM Best Practice?

    I was having a conversation with some other FIM Consultants recently about a particular site I’d been working on, and the attempts I’d made at enforcing FIM Best Practice. At this, one of them asked me, “Well, what do you consider to be FIM Best Practice?”.

    My answer to him at the time was, “Well, in this particular site, Best Practice is whatever I say it is.”

    Realising that my answer sounded a little abrupt, I hastened to clarify that it wasn’t so much that “What Ross says goes”, but that in lieu of formally published best practices from Microsoft, my understanding of what constitutes best practice in FIM is the culmination of my experience. As such, what I consider to be best practice may not align with what others believe.

    When I talk about “culmination of my experience”, I’m really talking about several key things:
    1) My own experience at deploying solutions as a FIM Consultant and learning the software inside-out
    2) The “way of doing things” that was taught to me in the companies I’ve worked for, and by the people I’ve worked with
    3) The knowledge that’s shared by the FIM community contributors through blogs, Technet Forum posts, conferences, etc.

I’ve seen several people try to clarify FIM Best Practices, such as Dave Lundell with his aptly named book, FIM Best Practices, and blog of the same name, or my former colleague Carol Wapshere’s recent series of posts on her blog. But we have to remember that even these are based on their own experiences architecting and deploying FIM solutions, rather than on a published Microsoft standard.

Another former colleague of mine, Bob Bradley, recently questioned whether FIM Best Practice was just a pipe dream, and proposed the notion that best practice could only be achieved through “community-conscious consultants collaborating to establish a peer-moderated knowledge base which is continually revisited, questioned and steadily improved over time.” I think that’s a noble notion, but perhaps not a practical one – and Bob even observes that this is his Utopia.

    While Microsoft certainly encourages community contribution, even going so far as to only award its coveted MVP status to experts that make an active community contribution, organisations can sometimes be critical of consultants seen to be giving away too much intellectual property, or too much of their time away, for free. And many experts may have no interest in giving up their time contributing to the community.

When it comes to FIM, if you want to follow Best Practice, then you need to not only follow the current trend in the community, but also be willing to give back to it with your own practices – and to be prepared to have your “way of doing things” challenged by others working in the field, just as you should challenge theirs, and add new “ways of doing things” of your own into the community knowledge base.

  • An error occurred while enumerating the filter ‘/group[DisplayedOwner=’XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’]’

Seems to be the week for silly errors. I was working on a custom workflow activity today, where I want to retrieve any group that has a particular DisplayedOwner, but kept getting the following error when the workflow was trying to use the Enumerate Resources Activity to search for a group:

    System.InvalidOperationException: An error occurred while enumerating the filter ‘/group[DisplayedOwner=’XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’]’. —> Microsoft.ResourceManagement.WorkflowDataExchangeException: System.InvalidOperationException: Schema retrieval failed.

The issue here is that the XPath filter is actually case sensitive, and “group” is not the same as “Group”, which is what the resource type is actually called. It was a simple matter to reproduce this by creating a test set using the filter ‘/group[DisplayedOwner=’XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’]’.

What was not so silly, however, is that the ‘group’ value was specified as part of a workflow configuration – the particular WF being executed could take a number of different object types as a configurable parameter in the Workflow Activity configuration. To fix this, all I had to do was change my ‘group’ parameter to ‘Group’… however, when I did, it somehow got renamed back to ‘group’ – even if I changed it to something else (successfully) and then back again. In other words, my workflow configuration showed my parameter as ‘Group’, but the error above was still being thrown – yet if I changed it to ‘Groupd’, the expected error contained ‘Groupd’.

    The only way to actually get it to change to a capital ‘G’ was to change the order on the workflow. It was as if that parameter was cached somehow, so there must be something funny going on with the XOML here.

  • Cannot insert duplicate key row in object ‘fim.ObjectValueReference’ with unique index ‘IX_ObjectValueReference_ObjectKey_AttributeKey-Filtered_Multivalued’.

    I was working on a custom workflow activity today that was using the Update Resource activity to update a multivalue field in an object. Unfortunately, the request was coming up as ‘failed’ and in the Event Viewer, I was seeing the following error:

    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other —> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure UpdateResource, Line 515, Message: Cannot insert duplicate key row in object ‘fim.ObjectValueReference’ with unique index ‘IX_ObjectValueReference_ObjectKey_AttributeKey-Filtered_Multivalued’. The duplicate key value is (9101, 87654).

When I investigated the [fim].[UpdateResource] stored procedure and [fim].[ObjectValueReference] in the FIMService database, I could see that 9101 correlated to the object I was trying to update and that 87654 correlated to the multivalue attribute I was trying to update. Next, I looked at my code, and it all seemed to be as I expected:

[Screenshots of the activity’s update parameters and insert code were here]

Lastly, I looked at my schema, and sure enough, my attribute wasn’t flagged as multivalue – somewhere in re-creating my schema, I’d forgotten to check that box. Deleting and re-creating the attribute and its binding resolved my issue, as well as another issue I had when I was trying to read the attribute back – because clearly you can’t read a list of UniqueIdentifiers from a single-value attribute.

    Silly mistake, so why do I share it here? Because someone out there may Google this error one day, and this might help them.
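Both of the errors above (the case-sensitive XPath resource type, and the duplicate-key failure from writing multiple values into an attribute that is bound as single-valued) only surface once the request has reached the FIM Service or the database. The following is an added example, not code from the original post: a pre-flight validator that a custom workflow activity could run over its configured parameters against a schema snapshot before calling EnumerateResources or UpdateResource. The SCHEMA dictionary, the resource type and attribute names in it, and the GUID are all constructed sample data; a real activity would populate it from the FIM Service schema.

```python
"""Pre-flight checks for FIM workflow-activity configuration.

Added example (not part of the original post). The schema snapshot below
is constructed sample data; in a deployment it would be read from the
FIM Service schema rather than hard-coded.
"""
import re

# Constructed schema snapshot: resource type -> {attribute name: multivalued?}
# Keys use the exact casing the FIM Service uses, because XPath is case-sensitive.
SCHEMA = {
    "Group": {"DisplayedOwner": False, "ExplicitMember": True, "DisplayName": False},
    "Person": {"Manager": False, "ProxyAddressCollection": True},
    "ExpectedRuleEntry": {"ResourceParent": False},
}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


class ConfigError(ValueError):
    """Raised when a configured name does not match the schema snapshot."""


def resolve_resource_type(configured: str) -> str:
    """Return the schema's exact-case name for a configured resource type.

    'group' is not 'Group' to the FIM XPath engine. A case-only mismatch is
    reported together with the corrected name so the operator can fix the
    workflow parameter; an unknown type is rejected outright.
    """
    if configured in SCHEMA:
        return configured
    matches = [name for name in SCHEMA if name.lower() == configured.lower()]
    if matches:
        raise ConfigError(
            f"resource type {configured!r} does not exist; did you mean {matches[0]!r}? "
            "(XPath filters are case-sensitive)"
        )
    raise ConfigError(f"resource type {configured!r} is not in the schema")


def build_reference_filter(resource_type: str, attribute: str, object_id: str) -> str:
    """Build /Type[Attribute='guid'] after validating every component."""
    rtype = resolve_resource_type(resource_type)
    if attribute not in SCHEMA[rtype]:
        raise ConfigError(f"{rtype} has no attribute {attribute!r}")
    if not GUID_RE.match(object_id):
        raise ConfigError(f"{object_id!r} is not a GUID")
    return f"/{rtype}[{attribute}='{object_id}']"


def check_multivalue_write(resource_type: str, attribute: str, values: list) -> None:
    """Reject writing more than one value to an attribute bound as single-valued.

    Left unchecked, such a write reaches the database and fails there with the
    duplicate-key error on fim.ObjectValueReference; catching it here produces a
    message that points at the attribute binding instead of at a SQL index.
    """
    rtype = resolve_resource_type(resource_type)
    multivalued = SCHEMA[rtype].get(attribute)
    if multivalued is None:
        raise ConfigError(f"{rtype} has no attribute {attribute!r}")
    if len(values) > 1 and not multivalued:
        raise ConfigError(
            f"{rtype}.{attribute} is bound as single-valued but {len(values)} values "
            "were supplied; check the multivalued flag on the attribute binding"
        )


def explain(check, *args):
    """Run a check and return its ConfigError message, or None if it passed."""
    try:
        check(*args)
    except ConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    owner = "0f0f0f0f-1111-2222-3333-444444444444"  # constructed GUID
    print(explain(resolve_resource_type, "group"))
    print(build_reference_filter("Group", "DisplayedOwner", owner))
    print(explain(check_multivalue_write, "Group", "DisplayedOwner", [owner, owner]))
```

Running the script prints the case-mismatch message for ‘group’, the correctly cased filter for ‘Group’, and the single-valued-binding message for a two-value write to DisplayedOwner, which are the readable counterparts of the two exceptions quoted in the posts above.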

  • Microsoft Releases SharePoint User Profile, Generic LDAP and PowerShell Connectors to Connect

    On March 28, 2013, Microsoft put out Release Candidates for several new FIM Synchronization Service Connectors, including:

    • SharePoint User Profile Connector
    • Generic LDAP Connector for Open LDAP
    • PowerShell Connector

The Release Candidate downloads are available via Microsoft Connect, along with the necessary upgrades to the FIM Sync Service, a technical reference for the SharePoint/LDAP connectors and some sample scripts (primarily SharePoint-related) for PowerShell.

    These three connectors are probably three of the most-demanded connectors, and candidates for custom connectors, so it’s good to see Microsoft taking a proactive approach in developing these.

Note that the connectors are still Release Candidates, so you shouldn’t be installing them in a production environment yet.

  • OCG Releases Splunk for FIM

    If you’re not familiar with Splunk (I wasn’t), it’s essentially an Enterprise monitoring and reporting tool that produces reports based on data generated by IT systems. According to the Splunk website, “it’s the easy, fast and resilient way to collect, analyze and secure the massive streams of machine data generated by all your IT systems and technology infrastructure.” If you can see how this might be used in a FIM context, then you’re not alone, because Oxford Computer Group have just released the Splunk for FIM App.

Announced on LinkedIn over the Easter Weekend by Sjef Van Leeuwen (Lead Software Developer at OCG), the Splunk for FIM app not only provides a dashboard for monitoring FIM operations, but also includes historic user and group data – allowing you to look at a group or user at a given point in time.

    I haven’t installed Splunk yet, but plan to do so in the coming weeks and will add my review to the appropriate page in my FIM Tools section once I’ve had a chance to take a real look at it.

  • More Redmond Identity 2014 Details

    Oxford Computer Group sent out an e-mail this past Friday, informing alumni that their early-bird alumni special had been extended from March 31 until April 15. In addition, there was a bit more information in the e-mail about the conference:

    The Summit is a multi-year journey to understand both emerging identity technologies and implementation best practices. For 2014, we’ll have a two-track conference for the technical and business minded people.

    The technical track, “Window into Microsoft Identity & Access Engineering,” will present deep dives into Microsoft’s Identity stack and discuss new and upcoming product releases. We’ll answer the question “where is Microsoft Identity Management going?”

    Using customer case studies, the business-focused track, “Identity Management Solutions,” will explore how scenarios and use cases are being addressed through technologies from Microsoft and their partner ecosystem. From on-premise to cloud. So, bring your manager.

    Topics in both tracks will cover Azure AD, FIM 2010 R2, Role-Based Access Control (BHOLD Suite), AD FS, RMS and partner solutions.

    We’re anticipating another roster full of excellent and respected speakers from Microsoft, partners, and customers, and we’re pulling together a panel of industry luminaries.

    More information about the event can be found on the event website. I’ll definitely be going, so you should too. The Redmond Identity Access & Knowledge Summit 2014 will take place at Microsoft Headquarters in Seattle, from January 7-9 2014.

  • New FIM Tool: FIMDelta

    While reinstalling FIM Portal in our development environment, one of my colleagues was working on some XSLTs to parse the changes.xml file produced during FIM Portal migration and produce a summary that would allow us to cull out any schema elements and policies that we didn’t want to reintroduce to our ‘clean’ development environment.

    A few days into it, we saw a post by Carol Wapshere on her MissMIIS blog about a new FIM Tool that had been released by Alexey Skalozub, called FIMDelta.

    FIMDelta basically allows you to do exactly what we were trying to achieve. It parses changes.xml, presents the changes in a summary and allows you to selectively include and exclude changes to create a new changes.xml.

It’s incredibly handy, and we’ve included a review in our FIM Tools section that details the application and several uses you could put it to.

    Fortunately, we’ll still be able to use the XSLTs my colleague developed, as the output is something that is nice for documentation (something FIMDelta doesn’t provide).

  • I’m going to Redmond Identity, Access, and Directory Knowledge Summit 2014!

A few weeks back, I blogged that OCG had announced the dates for Redmond Identity, Access and Directory Summit 2014 as Jan 7-9 again next year. Well, today I bought my ticket to go.

    It looks like OCG have taken on board feedback that some of the attendees last year provided, as rumours tell that there may be two separate streams with next year’s conference – one, a technical side for those people who want all the raw, juicy detail about implementing FIM (complete with lots of tips and tricks, no doubt!); the second stream taking more of a business approach – how your organisation can use FIM; case studies to show real world scenarios and of course the strategic direction of Identity and the Microsoft FIM product suite. Yet to be confirmed, this is all rumour at this point!

    Of course, I look at it from a strictly FIM point of view – RedmondIdentity2014 will also add Directory into the mix, so it will be interesting to see how big things become given the demise of TEC.

  • FIM 2010 R2 SP1: What happened to [debug].[DeleteOrphanedRulesByType]?

    After recently upgrading a development environment from FIM 2010 to FIM 2010 R2 SP1, I decided to clear all objects out of the FIM Portal to give myself a clean development environment.

    So first, I ran various PowerShell scripts to clear out the users and groups (making sure not to delete my administrator users). Then, I did a Full Import on the FIM MA – at which point I realised I had a whole heap of orphaned EREs.

    “Not to worry”, I said, “I’ll just go and run [debug].[DeleteOrphanedRulesByType]”. This handy SQL Stored Procedure appeared on the FIMService database in FIM 2010 build 4.0.3594.2:


    Issue 4

Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become “orphaned” over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.

    These orphaned objects have no functional impact on FIM. However, over time, these orphaned objects can cause a decrease in performance for both FIM operations and Sync operations that are related to FIM, such as import or export by using the FIM MA.

    A pruning stored procedure, [debug].[DeleteOrphanedRulesByType], was added to the [debug] namespace of the FimService database. This stored procedure must be run separately for the DetectedRuleEntry object and the ExpectedRuleEntry object. The stored procedure also has a “reportOnly” mode, and this mode can be used to determine the presence and number of orphaned DetectedRuleEntry and ExpectedRuleEntry objects in the system.

    The @ruleType parameter expects one of the following well-known values:

    • N’Detected’ for DetectedRuleEntry objects
    • N’Expected’ for ExpectedRuleEntry objects

    To determine the number of orphaned objects in the system, run the stored procedure in “reportOnly” mode as follows.

        DECLARE
        @deletedRulesFound BIT;
        EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @reportOnly=1, @deletedRulesFound=@deletedRulesFound OUTPUT;

    To loop through and actually delete orphaned objects in the system, run the stored procedure as follows. @deletionLimit=1000 instructs the procedure to stop when it has deleted 1,000 objects. If there are more than 1,000 orphaned objects in the system, either run the procedure multiple times (recommended) or increase the deletionLimit value.

        DECLARE 
           @deletedRulesFound  BIT,
           @startDateTime      DATETIME,
           @endDateTime        DATETIME;
        SELECT @deletedRulesFound = -1;         
        WHILE @deletedRulesFound <> 0
        BEGIN
            SELECT @startDateTime  = CURRENT_TIMESTAMP;
            EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @deletionLimit=1000, @reportOnly=0, @deletedRulesFound=@deletedRulesFound OUTPUT;
            SELECT @endDateTime    = CURRENT_TIMESTAMP;
            SELECT @startDateTime AS [StartTime], @endDateTime AS [EndTime], @deletedRulesFound AS [WereDeletedRulesFound];
        END


    But now it’s gone, along with some of the other stored procedures which it referenced. So, where did it go?

    In the meantime, there are a few options available to me:

1. Create a set called “Orphaned EREs” and attach a “Delete object” custom workflow activity to a transition-in MPR related to that set. This is a solution originally put forward on the FIM Technet Forums by Bob Bradley (a colleague of mine at the time) back in 2010, prior to the release of FIM 2010 build 4.0.3594.2.
    2. Use the [debug].[PurgeObjectsOfType] stored procedure to delete all the EREs in the system. As this is a development environment, and I’ve already cleared out the objects, this is viable. I would not use this solution in a production environment.

    So, away we went with option number 2… of course, now I’m getting “Stopped-Server” when I try to do a Full Import on the FIM MA from the FIM Sync Service. Note to self… never go against one of Bob’s suggestions! Next time I will definitely be going the Set/MPR/WF route.

  • FIM Hotfix Rollup 4.0.3684.2 Available

    On March 19, 2013, Microsoft released FIM Hotfix Rollup 4.0.3684.2 for Microsoft Forefront Identity Manager (FIM) 2010. A minor hotfix, this patch has two specific features:

    • New version (4.0.2.0) of Microsoft.MetadirectoryServicesEx.dll. It is not clear what has changed in the new version of this DLL; however, the KB article mentions that you may need to fix references in your Rules Extension and ECMA projects.
    • Issue fix for the FIM Synchronization Service, whereby Exchange configuration options were previously not available on the AD MA if FIM didn’t detect Exchange in the domain.

    Paul Williams notes on his blog that the Exchange issue fix is the same issue resolved in FIM R2 build 4.1.3419.0, but applied to FIM 2010.

This hotfix will install on any version of FIM higher than 4.0.2592.0. Note that this is a FIM 2010 hotfix, not a FIM 2010 R2 hotfix.

    For further information on the changes in this hotfix, refer to KB2819338, where you can also download the hotfix.