Thursday, 31 December 2015
Wednesday, 30 September 2015
IntroIf you ever had the pleasure of installing one or multiple language packs in FIM, you know that not everything is covered. The question and answer gate is a good example and is very visible to the end user. This blog post discusses how you can localize such a configuration and shows how it is possible to automate this task using powershell.
Friday, 17 July 2015
IntroOnce in a while you will come across very complex business requirements while implementing FIM in a large environment. These requirements often require a classic architecture (with VB or C# extensions), but can create very messy code that is hard to maintain. This article does not start another discussion on whether or not you should (try to) use 100% declarative (codeless) or a classic architecture when implementing such large scenarios. A good article on this topic: codeless architecture and when you are not able to use declarative configuration. Instead, this article will focus on how you should implement a proper classic architecture, in a way that is performant, readable, agile and easy to maintain.
Tuesday, 17 March 2015
IntroRSA is a well-known cryptosystem using assymetric encryption. It performs encryption using a public key, decryption using a private key. The private key should be protected. The most efficient way of managing these keys in a Windows environment is by using certificates. To protect the private key, you should make it not exportable. This way the private key is only available on the machine it is being used.
Friday, 13 March 2015
IntroOne of the great features of FIM is that it is relatively easy to plugin custom functionality. You can extend the synchronization engine by developing rules extension and you can add custom workflows to the FIM portal. Rules extensions run under the FIM synchronization service account, workflows under the FIM service service account. This article describes an approach to enable communication to external systems (eg Exchange). Because you typically do not grant a service account rights to Microsoft Exchange, you need the ability to run part of your code using different credentials.
Encrypt passwordYou do not want to have passwords in clear text in configuration files or source code. That is where encryption comes into play. Encryption can be handled in a myriad of different ways. The method described here uses powershell cmdlets, which keeps it quite simple and understandable.
Thursday, 12 March 2015
IntroI described in previous posts how I developed a windows service to schedule FIM. The configuration of this scheduler consists of XML files. Because it is not straightforward to ensure you have a consistent configuration that satisfies your needs, I developed an interface to help with the configuration. The tool itself is built using the WPF framework (.NET 4.5) and has following requirements:
- Path of the folder containing scheduler configuration files, including at least the following:
- Path of the folder containg a server export of the FIM Synchronization Engine
Tuesday, 24 February 2015
IntroFIM allows you to filter objects on import through filters in the connector configuration. The same functionality is not available on export. There are two methods available to provision a selected set of objects to a target system through synchronization rules. This article shortly describes these two mechanisms and also describes a third using provisioning code.
Synchronization RulesSynchronization rules allow codeless provisioning. It also allows you control over the population of objects you want to create in a certain target system.
Sunday, 25 January 2015
IntroThis article describes and documents an SSPR setup between two AD forests with a one-way trust. FIM is deployed in the internal domain is4u.be. Users from the domain dmz.be are being imported and managed by FIM. There is a one-way incoming trust on the dmz.be domain. All prerequisites from the password reset deployment guide are already satisfied.
DMZ connector configurationSSPR requires that the DMZ connector service account has local logon rights on the FIM synchronization server. If the service account is from the DMZ domain, a two-way trust is required to allow this setting. Since this is not a valid option in this scenario, a service account from the IS4U domain needs to be delegated the proper rights on the DMZ domain. This includes at least the following:
- Replicating directory access
- Reset password