Thursday 31 December 2015

FIM2010: Outbound System Scoping Filter Syntax


FIM 2010 R2 was the first version that brings outbound system scoping filters into the synchronization rule. I decided to use this feature during a migration from FIM 2010 to eliminate some worfklows, sets and policy rules. This would reduce complexity and make the synchronization configuration more comprehensible. scopingFilter Instead of searching for the workflow that adds the sync rule, the MPR that triggers the workflow and then going to the set definition of the target population of the MPR, you can just examine the outbound scoping filter of the sync rule itself.

Wednesday 30 September 2015

FIM2010: Localize Self Service Password Reset


If you ever had the pleasure of installing one or multiple language packs in FIM, you know that not everything is covered. The question and answer gate is a good example and is very visible to the end user. This blog post discusses how you can localize such a configuration and shows how it is possible to automate this task using powershell.

Friday 17 July 2015

FIM2010: Writing Advanced Attribute Flows


Once in a while you will come across very complex business requirements while implementing FIM in a large environment. These requirements often require a classic architecture (with VB or C# extensions), but can create very messy code that is hard to maintain. This article does not start another discussion on whether or not you should (try to) use 100% declarative (codeless) or a classic architecture when implementing such large scenarios. A good article on this topic: codeless architecture and when you are not able to use declarative configuration. Instead, this article will focus on how you should implement a proper classic architecture, in a way that is performant, readable, agile and easy to maintain.

Tuesday 17 March 2015

Visual C#: RSA encryption using certificate


RSA is a well-known cryptosystem using assymetric encryption. It performs encryption using a public key, decryption using a private key. The private key should be protected. The most efficient way of managing these keys in a Windows environment is by using certificates. To protect the private key, you should make it not exportable. This way the private key is only available on the machine it is being used.

Friday 13 March 2015

FIM2010: Protect passwords in configuration files


One of the great features of FIM is that it is relatively easy to plugin custom functionality. You can extend the synchronization engine by developing rules extension and you can add custom workflows to the FIM portal. Rules extensions run under the FIM synchronization service account, workflows under the FIM service service account. This article describes an approach to enable communication to external systems (eg Exchange). Because you typically do not grant a service account rights to Microsoft Exchange, you need the ability to run part of your code using different credentials.

Encrypt password

You do not want to have passwords in clear text in configuration files or source code. That is where encryption comes into play. Encryption can be handled in a myriad of different ways. The method described here uses powershell cmdlets, which keeps it quite simple and understandable.

Thursday 12 March 2015

FIM2010: GUI for configuring your scheduler


I described in previous posts how I developed a windows service to schedule FIM. The configuration of this scheduler consists of XML files. Because it is not straightforward to ensure you have a consistent configuration that satisfies your needs, I developed an interface to help with the configuration. The tool itself is built using the WPF framework (.NET 4.5) and has following requirements:
  • Path of the folder containing scheduler configuration files, including at least the following:
    • JobConfiguration.xml
    • job_scheduling_data_2_0.xsd
    • RunConfiguration.xml
    • RunSchedulingData.xsd
  • Path of the folder containg a server export of the FIM Synchronization Engine
gui_browseNote that it is possible to use the tool on any server or workstation. After saving your changes you can transfer the configuration files to your FIM server.

Tuesday 24 February 2015

FIM2010: Filter objects on export


FIM allows you to filter objects on import through filters in the connector configuration. The same functionality is not available on export. There are two methods available to provision a selected set of objects to a target system through synchronization rules. This article shortly describes these two mechanisms and also describes a third using provisioning code.

Synchronization Rules

Synchronization rules allow codeless provisioning. It also allows you control over the population of objects you want to create in a certain target system.

Sunday 25 January 2015

FIM 2010: SSPR with one-way trust


This article describes and documents an SSPR setup between two AD forests with a one-way trust. FIM is deployed in the internal domain Users from the domain are being imported and managed by FIM. There is a one-way incoming trust on the domain. All prerequisites from the password reset deployment guide are already satisfied.

DMZ connector configuration

SSPR requires that the DMZ connector service account has local logon rights on the FIM synchronization server. If the service account is from the DMZ domain, a two-way trust is required to allow this setting. Since this is not a valid option in this scenario, a service account from the IS4U domain needs to be delegated the proper rights on the DMZ domain. This includes at least the following:
  1. Replicating directory access
  2. Reset password