Wednesday, August 7, 2013

Stagger your FIM SSPR end user roll out

Lots of people are now using FIM for end user self-service password reset (SSPR). One of the challenges of rolling it out to the user population is how to do so in phases. What you don't want is for every user to be guided to the registration page on Monday morning and have the FIM Service fall over.

So here are some options:
1. Stagger the roll out of the client extensions.  Depending on how easily you can deploy by department or section, this may be a challenge.  Typically, once the end user has the client extensions installed, the client talks to the FIM Service at next logon to see whether the user needs to register.  If you roll the extensions out to your entire user population at once, you could have a headache that morning.

2. If you opt not to roll the client out, it is easy enough to email user segments with the registration link.

3. Though not documented, after testing it a bit I found another option for staggering the roll out.  Deploy the client extensions to all your users ahead of time.  Then, when you're ready, add users to the Password Reset Users set in the FIM Portal.  Users who are not in the set are not directed to the registration page.  Keep in mind that users who aren't in the set and try to register anyway get a 'Not Authorized' error.

To keep it simple you may decide to create an AD group and synchronize its membership into the set above.  That way your admins keep working with what is familiar to them.
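The AD-group approach from option 3, as an added example (not code from the original post): a staging group that you synchronize into the Password Reset Users set, where each roll-out wave is one department added to the group. The group name, OU, and department values are placeholders, and the sync into FIM itself is assumed to be whatever group-to-set flow you already have.

```powershell
# Added example, not code from the original post. Manages a staging AD group
# that is synchronized into the FIM "Password Reset Users" set; adding one
# department to the group is one roll-out wave. All names below are assumptions.

Import-Module ActiveDirectory

$StagingGroup = 'FIM-SSPR-RollOut'               # assumed group name
$SearchBase   = 'OU=Staff,DC=corp,DC=example'    # assumed OU to search

function Get-SsprWaveCandidates {
    # Enabled users in one department who are not yet members of the staging group.
    param([Parameter(Mandatory)][string]$Department)

    $members = @(Get-ADGroupMember -Identity $StagingGroup |
                 Select-Object -ExpandProperty DistinguishedName)

    @(Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq 'True'" `
                 -SearchBase $SearchBase -Properties Department |
      Where-Object { $members -notcontains $_.DistinguishedName })
}

function Add-SsprWave {
    # Add one department's users to the staging group. Use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Department)

    $users = Get-SsprWaveCandidates -Department $Department
    if ($users.Count -eq 0) {
        Write-Warning "No new users found for department '$Department'"
        return
    }

    if ($PSCmdlet.ShouldProcess($StagingGroup, "add $($users.Count) users from $Department")) {
        Add-ADGroupMember -Identity $StagingGroup -Members $users
    }
    [pscustomobject]@{ Department = $Department; Added = $users.Count }
}

function Test-SsprEligible {
    # A user outside the group (and so outside the set, once synced) is not
    # redirected to registration and gets 'Not Authorized' if they try anyway.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $inGroup = @(Get-ADGroupMember -Identity $StagingGroup |
                 Select-Object -ExpandProperty DistinguishedName) -contains $dn
    [pscustomobject]@{ User = $SamAccountName; InRollOutGroup = $inGroup }
}

# One department per wave. Run (or wait for) the FIM sync cycle between waves
# so the set membership catches up before you tell that wave to register.
Add-SsprWave -Department 'Finance' -WhatIf   # preview the wave
Add-SsprWave -Department 'Finance'           # wave 1
Test-SsprEligible -SamAccountName 'jdoe'     # should the user expect the registration prompt?
```

Check `Test-SsprEligible` for a pilot user before you send the email for a wave; a user who shows `InRollOutGroup = $false` (or whose group membership has not yet been synchronized into the set) will hit the 'Not Authorized' error described above rather than the registration page.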

Tuesday, July 23, 2013

FIM Client Service not starting?

I installed the FIM client extensions on a Win 7 box.  All seemed to go well until the very end, when the service was starting.  It never did, ugh.

Not much on this, except make sure the Network Service account has the correct perms on the machine.config file.  But which one?  There are four, so I gave it full perms on all four; a security violation? Ahhh, this was a dev environment anyway.  That didn't fix the problem, so what's next?

I did realize the client box was a VM and pretty slow, so I changed the service time-out from 30 seconds (default) to 60 seconds.  Here's the blog on that one, if you want to try it yourself.  This just caused the slow failure to go even slower... Strike 2.

After thinking about it, I remembered having issues in the past with services not starting if there was no internet connection.  This was true - my dev environment had no internet connection, so I went back and found some notes on this topic.  But then I also remembered an IE trick I learned from a buddy (thanks Frank Drewes!): the idea is to just turn off CRL checking directly in IE.  This was straightforward and easy to do.  Caveat: not really the best permanent solution, as this is a per user setting.  So if this client reboots it'll probably time out again.  But if this works, then you've solved the mystery!

After doing this the service started right up.  Time for a beer.

Hopefully this'll help out others in the same boat.
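The per-user nature of that IE setting is worth being able to check from a script, so here is an added example (not code from the original post) that reports, and optionally clears, the "Check for publisher's certificate revocation" flag in a chosen user hive. It assumes that the setting the post means is the WinTrust Software Publishing `State` value (bit 0x200 set = check disabled) and that the service account to inspect is Network Service, whose hive is HKU\S-1-5-20; both are assumptions, not something the post states.

```powershell
# Added example, not from the original post. Reports and optionally disables the
# IE "Check for publisher's certificate revocation" flag in a given user hive.
# Assumptions: the WinTrust State value and bit 0x200 below are the setting the
# post means by "turn off CRL checking in IE"; S-1-5-20 is Network Service.

$SubKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnorePublisherRevocation = 0x200   # bit set => revocation checking is OFF
$DefaultState = 0x23C00              # value written when the box is ticked (checking ON)

function Get-PublisherRevocationCheck {
    # $Hive is 'HKCU:' for the logged-on user or 'HKU:\<SID>' for another account.
    param([string]$Hive = 'HKCU:')

    $key = Join-Path $Hive $SubKey
    $state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
    if ($null -eq $state) { $state = $DefaultState }   # key absent => default, checking on

    [pscustomobject]@{
        Hive     = $Hive
        RawState = [int]$state
        State    = '0x{0:X}' -f [int]$state
        Checking = (([int]$state -band $IgnorePublisherRevocation) -eq 0)
    }
}

function Disable-PublisherRevocationCheck {
    # Same effect as unticking the box in IE's Advanced options, for one hive only.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Hive = 'HKCU:')

    $key = Join-Path $Hive $SubKey
    $new = (Get-PublisherRevocationCheck -Hive $Hive).RawState -bor $IgnorePublisherRevocation

    if ($PSCmdlet.ShouldProcess($key, ('set State=0x{0:X}' -f $new))) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name State -Value $new -Type DWord
    }
    Get-PublisherRevocationCheck -Hive $Hive
}

# The service does not run as the interactive user, so look at the hive of the
# account it runs under (assumed: Network Service), not just HKCU.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-PublisherRevocationCheck -Hive 'HKCU:'
Get-PublisherRevocationCheck -Hive 'HKU:\S-1-5-20'
Disable-PublisherRevocationCheck -Hive 'HKU:\S-1-5-20' -WhatIf   # drop -WhatIf to apply
```

Because the value lives in a per-user hive, the check in HKCU tells you about the account you are logged on as, not about the account the service starts under; comparing the two hives is the quickest way to see why a setting that "worked" interactively does not survive a reboot. The usual non-per-user fix for a .NET service that stalls on the Authenticode revocation check at startup is `<generatePublisherEvidence enabled="false"/>` under `<runtime>` in the service's .exe.config; whether that applies to this particular service is not something the post tested.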

Wednesday, January 30, 2013

BHold's New Connector in SP1

As I mentioned in my last post, Microsoft announced the release of FIM R2 SP1, and with it BHold's new bits too.  Something sorely lacking from the BHold solution was a dedicated connector between BHold Core and FIM Sync.  This latest release offers the first look at that connector.

If you go to Microsoft's TechNet site here you can try it yourself.  I did this last week and found a few issues with the instructions.

The biggest problem deals with the provisioning of OU containers in BHold.  When you finish the lab, all the OU containers stay under the root.  This is due to the reference to the parent container not being correct.  The lab uses a SQL database as the source of the OU containers, but the premise of using a string value for the parent attribute is incorrect; instead it should be a reference value.  I won't give out all the details, but most of you can figure it out from here.

Once you fix that AND make sure you also bring over the root container so that the references work all the way up, it should be smooth sailing.  If you need any help, just email me.

Thursday, January 10, 2013

FIM 2010 R2 SP1 has been released!

I heard this at the IdM Summit in Redmond, put on by Oxford Computer Group - just got back yesterday.  Nice summit by the way; the usual suspects were there as well as some new faces.
Anyway, it was announced that the SP1 bits have been released, and with them the SP1 bits for BHold too.  Very cool; one of the biggest steps forward for the BHold product is the replacement of the FIM Management Agent for BHold.  BHold now takes full advantage of the ECMA2 connector technology in FIM 2010 R2 and with that replaces the BFPC and BFSS services as well.  As the summit was winding down, I sat down and spent some time with Rob de Jong, Senior PM at Microsoft for BHold, understanding SP1 - but do keep in mind this is a Service Pack - lots of fixes.  The sync engine got a tune-up too, increasing its sync speed by another 20%.
To get the latest bits you need to have an MSDN or Select license, and the documentation won't be out for some time after that... like a few weeks.

One last thing: would like to send a special thank you to Matt Flynn for driving around yesterday.  Matt, I owe you at least the parking fee, if not some beers!