Tuesday, 30 August 2016

MIM2016 Troubleshooting: MIM Portal Performance Issue


After experiencing a decrease in MIM portal responsiveness following installation, I checked the server resources and found the following memory consumption in Task Manager:

Friday, 26 February 2016

FIM2010: Selective Import Attribute Flow


Although FIM allows you to filter objects on import in the connector configuration, it does not allow you to filter attribute values for a specific population. An example use case could be: "Import all mobile numbers from HR, but not the mobile numbers for persons X, Y and Z". The reason could be that X, Y and Z's numbers should not appear in the global address list or in some other system where others can view them.

This problem can be solved by manipulating the import attribute flow: simply block the mobile number value for these people from flowing to the metaverse. To complete this solution, make sure "allow null on export" is enabled on all export attribute flows for mobile. Also, if people can update their mobile number in data sources other than HR, make sure there is an import attribute flow from these sources to prevent data loss. Alternatively, the problem can be solved by manipulating all export attribute flows for mobile numbers. Because this would also affect any future export attribute flows for mobile, the import approach seems the way to go.

Thursday, 31 December 2015

FIM2010: Outbound System Scoping Filter Syntax


FIM 2010 R2 was the first version to bring outbound system scoping filters into the synchronization rule. I decided to use this feature during a migration from FIM 2010 to eliminate some workflows, sets and policy rules. This reduces complexity and makes the synchronization configuration more comprehensible. Instead of searching for the workflow that adds the sync rule, then the MPR that triggers the workflow, and then the set definition of the MPR's target population, you can simply examine the outbound scoping filter of the sync rule itself.

Wednesday, 30 September 2015

FIM2010: Localize Self Service Password Reset


If you have ever had the pleasure of installing one or more language packs in FIM, you know that not everything is covered. The question and answer gate is a good example and is very visible to the end user. This blog post discusses how you can localize such a configuration and shows how to automate this task using PowerShell.

Friday, 17 July 2015

FIM2010: Writing Advanced Attribute Flows


Once in a while you will come across very complex business requirements while implementing FIM in a large environment. These requirements often call for a classic architecture (with VB or C# extensions), but can lead to very messy code that is hard to maintain. This article does not start another discussion on whether or not you should (try to) use a 100% declarative (codeless) or a classic architecture when implementing such large scenarios. A good article on this topic: codeless architecture and when you are not able to use declarative configuration. Instead, this article focuses on how to implement a proper classic architecture in a way that is performant, readable, agile and easy to maintain.

Tuesday, 17 March 2015

Visual C#: RSA encryption using certificate


RSA is a well-known cryptosystem based on asymmetric encryption: it encrypts with a public key and decrypts with the corresponding private key. The private key must be protected. The most efficient way of managing these keys in a Windows environment is by using certificates. To protect the private key, mark it as non-exportable. This way the private key is only available on the machine on which it is used.

Friday, 13 March 2015

FIM2010: Protect passwords in configuration files


One of the great features of FIM is that it is relatively easy to plug in custom functionality. You can extend the synchronization engine by developing rules extensions, and you can add custom workflows to the FIM portal. Rules extensions run under the FIM Synchronization Service account, workflows under the FIM Service service account. This article describes an approach for enabling communication with external systems (e.g. Exchange). Because you typically do not grant a service account rights to Microsoft Exchange, you need the ability to run part of your code using different credentials.

Encrypt password

You do not want passwords in clear text in configuration files or source code. That is where encryption comes into play. Encryption can be handled in many different ways. The method described here uses PowerShell cmdlets, which keeps it quite simple and understandable.
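As an added illustration (not code from the original post), the following assumes the cmdlets meant here are ConvertFrom-SecureString and ConvertTo-SecureString without a -Key, which rely on DPAPI: the resulting blob can only be decrypted by the same Windows account on the same machine, so the protected file must be created while running as the service account (e.g. the FIM Synchronization Service account) that will later read it. File paths and account names are placeholders.

```powershell
# Added example, not from the original post. Assumption: DPAPI-backed
# ConvertFrom-SecureString / ConvertTo-SecureString (no -Key), so the
# ciphertext is bound to the encrypting Windows account and machine.
# Paths and account names are placeholders.

function Protect-ConfigPassword {
    param(
        [Parameter(Mandatory)] [string] $Path   # e.g. 'C:\FIM\Config\exchange.pwd'
    )
    # Prompt for the secret so it never lands in a script or the command history.
    $secure = Read-Host -Prompt 'Password to protect' -AsSecureString
    # Without -Key, ConvertFrom-SecureString encrypts with DPAPI (current user scope).
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII

    # DPAPI already ties the blob to this account; restrict the file ACL as well.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ConfigCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName   # e.g. 'CONTOSO\svc-exchange-admin'
    )
    try {
        $secure = Get-Content -Path $Path -Raw | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # Typical cause: the file was encrypted by another account or on another host.
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "Cannot decrypt '$Path' as $who (DPAPI scope mismatch?): $_"
    }
    # The rules extension / workflow code uses this credential for the Exchange call.
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Usage (run both steps as the account that will execute the extension or workflow):
# Protect-ConfigPassword -Path 'C:\FIM\Config\exchange.pwd'
# $cred = Get-ConfigCredential -Path 'C:\FIM\Config\exchange.pwd' -UserName 'CONTOSO\svc-exchange-admin'
# New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://<exchange-host>/PowerShell/' -Credential $cred
```

The decryption failure path matters operationally: if the FIM service account or the server changes, the protected file must be regenerated under the new account, because DPAPI will not decrypt it anywhere else.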