Peter's Identity Vacuum and other Musings, by Peter Jalaff<br />
<br />
MIM 2016 RCDC Visible tag (2016-12-28)<br />
Recently I was editing a user edit RCDC for MIM 2016 to make a field visible only when a Boolean attribute on the user object is set.<br />
<br />
I originally used this blog post when doing FIM work:
<br />
<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">
<a href="https://identityminded.wordpress.com/2011/10/14/fim2010-semi-dynamic-rcdc-operations/">https://identityminded.wordpress.com/2011/10/14/fim2010-semi-dynamic-rcdc-operations/</a>. It was quite helpful, but I noticed that it no longer worked in MIM 2016.</div>
<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">
The key to that approach was this tag:</div>
<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">
<span style="background: yellow;">&lt;my:Property my:Name="Required" my:Value="{Binding Source=object, Path=IsContractor, Mode=TwoWay}"/&gt;</span></div>
<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">
But I couldn't get it to work as expected. After trying a few different things I finally discovered that you have to put the my:Visible attribute directly on the my:Control tag. So now it should look like this:</div>
<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">
&lt;my:Control my:Name="Company" my:TypeName="UocTextBox" my:Caption="{Binding Source=schema, Path=Company.DisplayName}" my:Description="{Binding Source=schema, Path=Company.Description}"<span style="background: yellow;"> my:Visible="{Binding Source=object, Path=IsContractor, Mode=TwoWay}"</span>&gt;</div>
<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">
Now it works like a charm! Keep in mind that my:Visible only hides the field in the portal UI; it does not stop anyone from setting the attribute through the MIM web service, so the MPRs that grant write access to Company still need to be scoped correctly.</div>
<br />
Custom approval workflow causes 'Access Denied' error (2016-06-26)<br />
Recently I was setting up a MIM environment that does the most basic approval workflow: a user creates a contractor in the MIM Portal, and the request requires manager approval. After setting everything up I was getting an Access Denied error with the message 'Object reference not set to an instance of the object'. This worked in past FIM deployments, so I wasn't sure what the deal was.<br />
<br />
Thanks to Dan Malloy for pointing out this blog <a href="http://blog.predica.pl/fim-2010-authorization-workflow-fails-with-eventid-3/">http://blog.predica.pl/fim-2010-authorization-workflow-fails-with-eventid-3/</a> which fixed the problem.<br />
<br />
FYI, if you change an OOB approval workflow it becomes custom, and it will also change the .NET reference from 3.5 to 4.0, which may cause issues. Switching it back to 3.5 should resolve the issue.<br />
<br />
Outlook 2016 and MIM 2016 client extension resolved (2016-03-19)<br />
In my last post I was frustrated that I couldn't install the client extensions for MIM 2016 on Outlook 2016. Now there's a fix: <a href="https://support.microsoft.com/en-us/kb/3134725">https://support.microsoft.com/en-us/kb/3134725</a><br />
Thanks to Brian Desmond for pointing this out.<br />
<br />
Outlook 2016 and MIM 2016 client extensions (2016-03-18)<br />
<br />
I was recently at a client site working on group management. I discovered that the Outlook plug-in for the MIM client extensions is not supported on Outlook 2016.<br />
<br />
This is not noted anywhere on the MS web site, so now you know. This is a bit disappointing; I'm hoping MS will do something about this soon. I'm going to report it on the MS FIM forum shortly.<br />
<br />
Update: there's a hotfix; see the next post.<br />
<br />
Security for all is good (2015-12-23)<br />
It's been discovered that Juniper Networks has been using flawed encryption for years, possibly as a result of the NSA and/or a bug. When it becomes easy for the good guys to decrypt information for the sake of national security, it becomes just as easy for the bad guys. Engineering secure systems without backdoors works for everybody.<br />
<br />
<a href="http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault" target="_blank">Juniper backdoor</a><br />
<br />
MIM 2016 and Exchange 2010: no-start-ma during AD export (2015-12-14)<br />
I've recently been playing around with MIM 2016 and stood up an Exchange 2010 server within the environment. Provisioning to AD with the Exchange functionality enabled has proven difficult: I would get no-start-ma in the MIM Sync console after the AD export.<br />
<br />
When I removed the Exchange provisioning functionality in the MA Extensions section, the export worked as expected. I was able to prove that I could connect to remote PowerShell, so that didn't seem to be the issue, yet I continued having the problem. After googling around I ran across Thomas' blog at setspn.blogspot and found the same thing.<br />
<br />
Resolution: <br />
On the MIM Sync server, install .NET 4.6 and all Windows updates (including optional ones), then reboot. I had to reboot twice, as the FIM service wouldn't start the first time. All seems to be working now. Thanks for the info, Thomas.<br />
<br />
Updating Workday using .NET (2015-03-09)<br />
This second post will give you a good start on how to update a user who's in Workday. The community had zero examples of how to do this, so you should find this helpful.<br />
<br />
Read the earlier post regarding the pre-reqs needed to connect to Workday using .NET. This time I'll do it in VB.NET; the code below updates the email address.<br />
<br />
/////////////////////////////<br />
<br />
Imports System<br />
Imports System.ServiceModel<br />
<br />
Module WorkdayEmailUpdate<br />
<br />
    Sub Main()<br />
        Dim empId As String = "12345"<br />
        Dim workerType As String = "Employee_ID"<br />
<br />
        Dim emailValue As String = "jsmith@company.com"<br />
        Dim effectiveDate As Date = Now()<br />
<br />
        Dim emailRequest As New Maintain_Contact_Information_for_Person_Event_RequestType()<br />
        emailRequest.version = "v22.0"<br />
        emailRequest.Add_Only = True<br />
<br />
        emailRequest.Maintain_Contact_Information_Data = New Contact_Information_for_Person_Event_DataType()<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data = New Contact_Information_DataType()<br />
<br />
        ' One email address entry; the generated proxy uses arrays sized by upper bound (0 = one element)<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data = New Email_Address_Information_DataType(0) {New Email_Address_Information_DataType()}<br />
<br />
        ' The worker to update, referenced by ID type and value<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Reference = New WorkerObjectType()<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Reference.ID = New WorkerObjectIDType(0) {New WorkerObjectIDType()}<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Reference.ID(0).type = workerType<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Reference.ID(0).Value = empId<br />
<br />
        emailRequest.Maintain_Contact_Information_Data.Effective_Date = effectiveDate<br />
        emailRequest.Maintain_Contact_Information_Data.Effective_DateSpecified = True<br />
<br />
        ' The address itself, flagged as the public, primary WORK address<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Email_Address = emailValue<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data = New Communication_Method_Usage_Information_DataType(0) {New Communication_Method_Usage_Information_DataType()}<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).[Public] = True<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).PublicSpecified = True<br />
<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data = New Communication_Usage_Type_DataType(0) {New Communication_Usage_Type_DataType()}<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data(0).Primary = True<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data(0).PrimarySpecified = True<br />
<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data(0).Type_Reference = New Communication_Usage_TypeObjectType()<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data(0).Type_Reference.ID = New Communication_Usage_TypeObjectIDType(0) {New Communication_Usage_TypeObjectIDType()}<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data(0).Type_Reference.ID(0).type = "Communication_Usage_Type_ID"<br />
        emailRequest.Maintain_Contact_Information_Data.Worker_Contact_Information_Data.Email_Address_Data(0).Usage_Data(0).Type_Data(0).Type_Reference.ID(0).Value = "WORK"<br />
<br />
        ' CreateHumanResourcesProxy is the proxy factory from the earlier "Reading from Workday" post<br />
        Dim emailProxy As Human_ResourcesPortClient = CreateHumanResourcesProxy()<br />
        Dim emailResponse As Maintain_Contact_Information_for_Person_Event_ResponseType<br />
<br />
        Try<br />
            emailResponse = emailProxy.Maintain_Contact_Information(emailRequest)<br />
            Console.WriteLine("email update done")<br />
        Catch fe As FaultException<br />
            If fe.Message.Contains("Invalid ID value.") Then<br />
                ' The ID did not resolve as an employee; retry the same request as a contingent worker<br />
                Console.WriteLine("Email update failed as Employee, trying as Contingent Worker")<br />
                Try<br />
                    emailRequest.Maintain_Contact_Information_Data.Worker_Reference.ID(0).type = "Contingent_Worker_ID"<br />
                    emailResponse = emailProxy.Maintain_Contact_Information(emailRequest)<br />
                    Console.WriteLine("email update done")<br />
                Catch ex As Exception<br />
                    ' Report the second failure, not the first one<br />
                    Console.WriteLine("Email update failed as Contingent Worker too: " + ex.Message)<br />
                End Try<br />
            Else<br />
                Console.WriteLine("Email update ERROR " + fe.Message)<br />
            End If<br />
        End Try<br />
    End Sub<br />
<br />
End Module<br />
<br />
///////////////////////////////<br />
<br />
<br />
Notice that in the Try/Catch section I catch the fault when the update doesn't work as an Employee, and then try again as a Contingent Worker.<br />
<br />
The CreateHumanResourcesProxy function can be found in the earlier post.<br />
<br />
Reading from Workday using .NET (2015-03-09)<br />
Workday is a huge HR service and many companies are moving to it. Figuring out how to interact with Workday has been difficult, mostly because there are so few samples available. Workday has lots of documentation on its API, but because the objects are nested several levels deep, it is convoluted to figure out exactly where you need to go.<br />
<br />
So here is how to read a user from the Human Resources WSDL.<br />
<br />
Before you can actually get this code to work, you have to create a reference file using svcutil and then modify it, because it creates 2- and 3-dimensional arrays. This is a problem with Visual Studio.<br />
See here for the <a href="http://dovetailsoftware.com/hr/gcox/2014/06/13/getting-started-workday-web-services-using-c/" target="_blank">pre-reqs</a> and how to fix the Human_Resources.cs file.<br />
<br />
/////////////////////////<br />
using System;<br />
using System.Collections.Generic;<br />
using System.Linq;<br />
using System.ServiceModel;<br />
using System.ServiceModel.Channels;<br />
using System.Text;<br />
<br />
public static class WorkdayReadSample<br />
{<br />
    public static void Main()<br />
    {<br />
        string empId = "12345";<br />
<br />
        var request = new Get_Workers_RequestType { version = "v22.0" };<br />
<br />
        // Reference the worker by Employee_ID; contractors use Contingent_Worker_ID instead<br />
        var workerId = new WorkerObjectIDType()<br />
        {<br />
            type = "Employee_ID",<br />
            Value = empId<br />
        };<br />
<br />
        var idTypes = new List&lt;WorkerObjectIDType&gt; { workerId };<br />
        request.Request_References = new Worker_Request_ReferencesType { Worker_Reference = new WorkerObjectType[1] { new WorkerObjectType() } };<br />
        request.Request_References.Worker_Reference[0].ID = idTypes.ToArray();<br />
        request.Request_Criteria = new Worker_Request_CriteriaType<br />
        {<br />
            Exclude_Inactive_Workers = true,<br />
            Exclude_Inactive_WorkersSpecified = true<br />
        };<br />
<br />
        var proxy = CreateHumanResourcesProxy();<br />
<br />
        Get_Workers_ResponseType response = null;<br />
        try<br />
        {<br />
            response = proxy.Get_Workers(request);<br />
            // Guard against an empty result before walking the nested name data<br />
            var worker = response.Response_Data.FirstOrDefault();<br />
            if (worker == null)<br />
            {<br />
                Console.WriteLine("no worker returned for " + empId);<br />
                return;<br />
            }<br />
            var nameDetail = worker.Worker_Data.Personal_Data.Name_Data.Preferred_Name_Data.Name_Detail_Data;<br />
            Console.WriteLine(nameDetail.First_Name + " " + nameDetail.Last_Name);<br />
        }<br />
        catch (FaultException fe)<br />
        {<br />
            Console.WriteLine("error " + fe.Message);<br />
        }<br />
    }<br />
<br />
    public static Human_ResourcesPortClient CreateHumanResourcesProxy()<br />
    {<br />
        // UsernameToken over transport security: the credentials ride in the SOAP header, so the transport must be HTTPS<br />
        SecurityBindingElement sb = SecurityBindingElement.CreateUserNameOverTransportBindingElement();<br />
        sb.IncludeTimestamp = false;<br />
        const int lim = Int32.MaxValue;<br />
        var timeout = TimeSpan.FromMinutes(2);<br />
<br />
        var cb = new CustomBinding(<br />
            sb,<br />
            new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8)<br />
            {<br />
                ReaderQuotas = new System.Xml.XmlDictionaryReaderQuotas<br />
                {<br />
                    MaxDepth = lim,<br />
                    MaxStringContentLength = lim,<br />
                    MaxArrayLength = lim,<br />
                    MaxBytesPerRead = lim,<br />
                    MaxNameTableCharCount = lim<br />
                }<br />
            },<br />
            new HttpsTransportBindingElement<br />
            {<br />
                MaxBufferPoolSize = lim,<br />
                MaxReceivedMessageSize = lim,<br />
                MaxBufferSize = lim,<br />
                Realm = string.Empty<br />
            })<br />
        {<br />
            SendTimeout = timeout,<br />
            ReceiveTimeout = timeout<br />
        };<br />
<br />
        // &lt;tenant&gt; is your Workday tenant name<br />
        var proxy = new Human_ResourcesPortClient(cb, new EndpointAddress("https://wd5-impl-services1.workday.com/ccx/service/&lt;tenant&gt;/Human_Resources/v23.2"));<br />
<br />
        // Placeholder credentials: load real ones from configuration or a secret store, never from source<br />
        proxy.ClientCredentials.UserName.UserName = "userName@tenant";<br />
        proxy.ClientCredentials.UserName.Password = "pass";<br />
        return proxy;<br />
    }<br />
}<br />
<br />
/////////////////////////<br />
<br />
Keep in mind this will work with a worker type of Employee. You have to change a few things for a Contingent Worker.<br />
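The proxy factory above hardcodes the tenant user name and password and raises every WCF reader quota to Int32.MaxValue, which gives up the parser's protection against an oversized or deeply nested response. Here is an added C# example (not code from this post) of a hardened CreateHumanResourcesProxy: it takes the tenant, integration user, password and base URL from environment variables (the variable names WORKDAY_TENANT, WORKDAY_USER, WORKDAY_PASSWORD and WORKDAY_BASE_URL are assumptions), insists on an HTTPS endpoint because UsernameToken credentials are only protected by TLS, and keeps the quotas bounded. The generated Human_ResourcesPortClient type and the /ccx/service/.../Human_Resources/v23.2 path are the ones the post uses.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;
using System.Xml;

public static class WorkdayProxyFactory
{
    // Large enough for Workday worker responses, far below Int32.MaxValue.
    private const int MaxMessageBytes = 64 * 1024 * 1024;

    // Configuration names are assumptions for this example; any secret store
    // that keeps the password out of source control fits the same shape.
    public static Human_ResourcesPortClient CreateHumanResourcesProxy()
    {
        string tenant = RequireSetting("WORKDAY_TENANT");
        string user = RequireSetting("WORKDAY_USER");
        string password = RequireSetting("WORKDAY_PASSWORD");
        string baseUrl = Environment.GetEnvironmentVariable("WORKDAY_BASE_URL")
                         ?? "https://wd5-impl-services1.workday.com";

        // Same service path as the post, with the tenant supplied from configuration.
        var endpoint = new Uri(baseUrl.TrimEnd('/') + "/ccx/service/" + tenant + "/Human_Resources/v23.2");
        if (endpoint.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException(
                "Workday endpoint must be HTTPS: UsernameToken credentials are only protected by TLS.");
        }

        SecurityBindingElement security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        security.IncludeTimestamp = false;

        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8)
        {
            // Bounded quotas: a malformed or hostile reply cannot exhaust memory or nest without limit.
            ReaderQuotas = new XmlDictionaryReaderQuotas
            {
                MaxDepth = 64,
                MaxStringContentLength = MaxMessageBytes,
                MaxArrayLength = MaxMessageBytes,
                MaxBytesPerRead = 64 * 1024,
                MaxNameTableCharCount = 1024 * 1024
            }
        };

        // Buffered transfer mode requires MaxBufferSize to equal MaxReceivedMessageSize.
        var transport = new HttpsTransportBindingElement
        {
            MaxReceivedMessageSize = MaxMessageBytes,
            MaxBufferSize = MaxMessageBytes,
            MaxBufferPoolSize = MaxMessageBytes
        };

        var binding = new CustomBinding(security, encoding, transport)
        {
            SendTimeout = TimeSpan.FromMinutes(2),
            ReceiveTimeout = TimeSpan.FromMinutes(2)
        };

        var proxy = new Human_ResourcesPortClient(binding, new EndpointAddress(endpoint));
        // Workday integration users log in as "user@tenant", the same form the post uses.
        proxy.ClientCredentials.UserName.UserName = user + "@" + tenant;
        proxy.ClientCredentials.UserName.Password = password;
        return proxy;
    }

    private static string RequireSetting(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new InvalidOperationException("Missing required setting " + name);
        }
        return value;
    }
}
```

Set the four variables in the environment of the account that runs the integration (or map the same names onto your secret store) and the rest of the post's code is unchanged: Get_Workers and Maintain_Contact_Information still go through the Human_ResourcesPortClient this factory returns.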
<br />
<br />
<br />
The Project Journey (2015-01-10)<br />
As consultants we try very hard to help set the right expectations of how a project may go. The client, and typically we consultants too, have an undue optimism about the trajectory of a project. Together we fool ourselves into thinking the project will go as expected, so as we estimate the project we try too hard to paint a rosy picture, as if nothing could ever go wrong. Wrong....<br />
<br />
The longer I do projects, the more I try to estimate the way projects typically go. There is always going to be something you didn't expect. Maybe a requirement was tougher than you expected, maybe the client forgot to mention something, maybe the requirements change, or the piece you are depending on to complete a milestone is late. There are a million things that might happen. Things never go as expected.<br />
<br />
As consultants we try to 'be nice' to the client: we don't want to scare them, we try to be their friend. If you want to be their friend, then be honest and help guide them to the end of their journey. Most of the time it's not easy, but that's our job. So accept it and try to enjoy the journey! I borrowed this from a friend's Facebook post. A picture says a million words.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqJkcvTDrbNFAydN5-BMKl09XAYRLMy9ke4Djxk2a0UIygRe0p92bGgFKHAA_bkEbK4KHtPoSVEj5cX6AHK4dN6N6E6DqAavQ8KhQO5q6PpPyMtbNnHE8XLK-d4bnf7K3ZGQTmSESPB58o/s1600/TheProject.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqJkcvTDrbNFAydN5-BMKl09XAYRLMy9ke4Djxk2a0UIygRe0p92bGgFKHAA_bkEbK4KHtPoSVEj5cX6AHK4dN6N6E6DqAavQ8KhQO5q6PpPyMtbNnHE8XLK-d4bnf7K3ZGQTmSESPB58o/s1600/TheProject.JPG" height="247" width="320" /></a></div>
<br />
ECMA2 schema and multi-valued attributes (2014-06-06)<br />
Hello all,<br />
<br />
I've been working with ECMA2s recently and I've just started to need a multi-valued attribute as part of the object schema.<br />
<br />
Working with this, I had a problem trying to populate this attribute during an Import run.<br />
<br />
Typically, dealing with multi-valued attributes has involved iterating through each value using a For Each... loop or something similar. The issue I was running into was how to designate the index on the multi-valued attribute, and I couldn't find much on the web either.<br />
<br />
For ECMA2 schemas I figured out an easy way to populate the attribute: place the value(s) in a List(Of Object), then populate the multi-valued attribute with the whole List.<br />
<br />
Here's a little code showing what I mean:<br />
<br />
Dim groups As List(Of Object) = New List(Of Object)<br />
<br />
'populate groups with values as needed<br />
<br />
newCsentry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("groupName", groups))<br />
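The same idea in C#, as an added example that is not from the post: it declares groupName as a multi-valued attribute in the ECMA2 schema and then builds a CSEntryChange whose multi-valued attribute is handed over as one collection, which is the List(Of Object) trick above. The object type "user", the anchor attribute "id", the displayName attribute and the sample group names are assumptions; the Microsoft.MetadirectoryServices calls are the ECMA2 API.

```csharp
using System;
using System.Linq;
using Microsoft.MetadirectoryServices;

public static class Ecma2MultiValuedSample
{
    // Schema side: the attribute an import populates from a collection must be
    // declared multi-valued here, otherwise the sync engine rejects the change.
    public static Schema GetSchema()
    {
        SchemaType userType = SchemaType.Create("user", false);
        userType.Attributes.Add(SchemaAttribute.CreateAnchorAttribute("id", AttributeType.String));
        userType.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("displayName", AttributeType.String));
        userType.Attributes.Add(SchemaAttribute.CreateMultiValuedAttribute("groupName", AttributeType.String));

        Schema schema = Schema.Create();
        schema.Types.Add(userType);
        return schema;
    }

    // Import side: one CSEntryChange per source record. All group values go in
    // as a single collection; no per-value index is needed.
    public static CSEntryChange BuildUserEntry(string id, string displayName, string[] groups)
    {
        CSEntryChange csentry = CSEntryChange.Create();
        csentry.ObjectModificationType = ObjectModificationType.Add;
        csentry.ObjectType = "user";
        csentry.AnchorAttributes.Add(AnchorAttribute.Create("id", id));
        csentry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("displayName", displayName));

        // Drop blank and repeated values before handing the collection to the sync engine;
        // an object[] satisfies the IList-of-object overload of CreateAttributeAdd.
        object[] groupValues = groups
            .Where(g => !string.IsNullOrWhiteSpace(g))
            .Select(g => g.Trim())
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .Select(g => (object)g)
            .ToArray();
        if (groupValues.Length > 0)
        {
            csentry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("groupName", groupValues));
        }
        return csentry;
    }

    // How GetImportEntries would call it, with constructed sample data
    // (the duplicate and the empty string are dropped, leaving two values).
    public static CSEntryChange SampleEntry()
    {
        return BuildUserEntry("1001", "Jane Sample", new[] { "HR-Readers", "hr-readers", "", "Payroll-Admins" });
    }
}
```

In a real connector the schema comes back from GetSchema and each CSEntryChange is appended to the GetImportEntriesResults.CSEntries list; the VB snippet above is exactly the BuildUserEntry step.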
<br />
Hope this helps.<br />
-Peter<br />
<br />
SharePoint 2013 and BHold (2014-03-10)<br />
I've upgraded my FIM installation to 2010 R2 SP1 on a demo machine that I've had for a while and re-installed SharePoint as 2013. There are some extra things that need to be done for SP2013, but I finally got the FIM Portal working as expected.<br />
<br />
After installing BHold I would get this error that the service was unavailable (HTTP 503).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP6KjD3_VJjDzCyNlD1Uhz6QzkK5uxb_nb_ZccvBLbrYw6XbIQes-dVFreRm0_Zjb87qzaAvlzOjeMeAeH07jq7mJ0MflnRe2OAmXJo6FaJoN7ffKrbmP0UnsUi4Wt4ACTKJ3mhus6W2J8/s1600/503_error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP6KjD3_VJjDzCyNlD1Uhz6QzkK5uxb_nb_ZccvBLbrYw6XbIQes-dVFreRm0_Zjb87qzaAvlzOjeMeAeH07jq7mJ0MflnRe2OAmXJo6FaJoN7ffKrbmP0UnsUi4Wt4ACTKJ3mhus6W2J8/s1600/503_error.png" height="63" width="320" /></a></div>
<br />
<br />
After doing some research I discovered that SharePoint 2013 doesn't allow 32-bit apps by default. The trick is to change the configuration so that the SharePoint native request module is only loaded in 64-bit application pools, which lets 32-bit app pools such as BHold's start.<br />
<br />
This can be found here: <a href="http://www.stefanjohansson.org/2013/07/how-to-run-a-32-bit-web-application-on-a-sharepoint-2013-server/">http://www.stefanjohansson.org/2013/07/how-to-run-a-32-bit-web-application-on-a-sharepoint-2013-server/</a><br />
<br />
All you really need to do is open an elevated command prompt at c:\windows\system32\inetsrv and execute the following command:<br />
appcmd.exe set config -section:system.webServer/globalModules /[name='SPNativeRequestModule'].preCondition:integratedMode,bitness64<br />
<br />
Now BHold should work.<br />
<br />
Redmond IDM Summit (2014-01-12)<br />
Thanks to Oxford Computer Group and Microsoft for another great IDM Summit held in Redmond last week.<br />
Lots of great presentations, classes and a final panel discussion including the IDM world's very own Jackson Shaw. Great speakers were there, like Stuart Kwan and Mark Wahl. Jeremy Palenchar discussed his SSO project with the state of Kentucky. OCG's North American President, Marvin Tansley, discussed the pieces of IDM and how they fit together. Other OCG'ers discussed ADFS and cloud technology, to name a few.<br />
I was lucky enough to join Microsoft's Rob de Jong to present/demo BHold's attestation feature; we showed how easy it can be to run attestation campaigns. Further, we showed how you can use the reporting feature to review attestation progress. Imagine you had an application you wanted to attest that was not connected to any identity management solution: you could use BHold's reporting feature to hand off a report to the application owner showing who should have their permissions revoked. It was great to see the number of questions and the powerful engagement from the audience. This leads me to believe the US public is coming to the conclusion that audit and compliance are becoming more important.<br />
<br />
There were some great after hours events too. We did a tour of three micro-distilleries which was really fantastic!<br />
<br />
Here's more information on the summit in case you missed it: <a href="http://www.oxfordcomputergroup.com/redmond-summit-agenda/">http://www.oxfordcomputergroup.com/redmond-summit-agenda/</a>. If you're interested, they mentioned they are doing it again next year around the same time.<br />
<br />
Stagger your FIM SSPR end user roll out (2013-08-07)<br />
Lots of people are now using FIM for their end user self-service password reset requirements. One of the challenges in rolling this out to the user population is how to roll it out in phases, because what you don't want is to come in Monday morning, have all your users guided to the registration page, and have the FIM server fall over.<br />
<br />
So here are some options:<br />
1. Stagger the roll-out of the client extensions. Depending on how well you can deploy by department or section, this might be a challenge for you. Typically, once the end user has the client extensions installed, at the next logon the client will talk to the FIM Service to see if they need to register. If you roll out the extensions to your entire user population at once, you could have a headache that morning.<br />
<br />
2. If you opt not to roll the client out, it should be easy enough to send emails to user segments with the Registration link in them.<br />
<br />
3. Though not documented, after testing it a bit I found another option to stagger your roll-out. You can deploy the client extensions to all your users at an earlier time. Then, when you're ready, you just add users to the Password Reset Users set in the FIM Portal. If the user is not part of the set they won't be directed to the registration page. Another thing to keep in mind: users that aren't in the set who try to register will get a 'Not Authorized' error.<br />
<br />
You may decide just to create an AD group to keep it simple, then synchronize that group to the above set. That way your admins continue to deal with what's familiar to them.<br />
<br />
<br />
FIM Client Service not starting? (2013-07-23)<br />
I installed the FIM client extensions on a Win 7 box. All seemed to go well, until the very end when the service was starting. It never did, ugh.<br />
<br />
Not much on this, except make sure the Network Service account had the correct perms on the machine.config file. But which one? There's four, so I gave it full perms on all four; a security violation? ahhh this was a dev environment anyways. That didn't fix the problem, so what's next. <br />
<br />
I did realize the client box was a VM and pretty slow, so I changed the service time-out from 30 seconds (default) to 60 seconds. here's the <a href="http://social.technet.microsoft.com/Forums/en-US/853796a7-b446-43de-a9f0-138795f7b42d/fim-2010-r2-fimservice-suddenly-stops-working-wont-start" target="_blank">blog</a> on that one, if you want to try it yourself. This just caused the slow failure to go even slower... Strike 2.<br />
<br />
After thinking about it, I remembered in the past having issues with services not starting if there was no internet connection. This was true: my dev environment had no internet connection, so I went back and found some notes on this <a href="http://social.technet.microsoft.com/wiki/contents/articles/13946.fim-troubleshooting-fim-service-start-up-timeout.aspx" target="_blank">topic</a>. But then I also remembered there was an IE trick I learned from a buddy (thanks Frank Drewes!): the idea is to just turn off CRL checking directly in IE. This was straightforward and easy to do. Caveat: not really the best for a permanent solution, as this is a per-user setting. So if this client reboots it'll probably time out again. But if this works then you've solved the mystery!<br />
<br />
<br />
<br />
After doing this the service started right up. Time for a beer.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijzvlJYifjYELsUFyWedd7xOdgTFB3NjO7eVcrMTLn6SOaw8pX8wrpDFk2hGusC-L7WJ4bLH_1KDt_vgicrK5bIDrlZe7ZslV41oj1oeRJewiKm62_lKZjkZtbZJHxRibJEf-1mZLYv8Ac/s1600/IEexplorer1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijzvlJYifjYELsUFyWedd7xOdgTFB3NjO7eVcrMTLn6SOaw8pX8wrpDFk2hGusC-L7WJ4bLH_1KDt_vgicrK5bIDrlZe7ZslV41oj1oeRJewiKm62_lKZjkZtbZJHxRibJEf-1mZLYv8Ac/s320/IEexplorer1.PNG" width="257" /></a></div>
<br />
<br />
Hopefully this'll help out others in the same boat.<br />
<p><b>BHold's New Connector in SP1</b> (2013-01-30)</p>
As I mentioned in my last post, Microsoft announced the release of FIM R2 SP1 and with it BHold's new bits too. Something that was sorely lacking in the BHold solution was a dedicated connector between BHold Core and FIM Sync. This latest release offers the first look at this new connector.<br />
<br />
If you go to Microsoft's TechNet site <a href="http://technet.microsoft.com/en-us/library/jj853085(v=ws.10).aspx" target="_blank">here</a>, you can try it yourself. I did this last week and found a few issues with the instructions.<br />
<br />
The biggest problem deals with the provisioning of OU containers in BHold. When you finish the lab, all the OU containers stay under the root. This is because the references to the parent containers aren't correct. The lab uses a SQL database as the source of the OU containers, but its premise of using a string value for the parent attribute is incorrect; instead it should be a reference value. I won't give out all the details, but most of you can figure it out from here.<br />
<br />
Once you fix that AND make sure you also bring over the root container, so that the references work all the way up, it should be smooth sailing. If you need any help, just email me.<br />
<br />
<p><b>FIM 2010 R2 SP1 has been released!</b> (2013-01-10)</p>
<br />
I heard this at the IdM Summit in Redmond put on by Oxford Computer Group; I just got back yesterday. Nice summit, by the way: the usual suspects were there as well as some new faces.<br />
Anyway, it was announced that the SP1 bits have been released, and with them the SP1 bits for BHold too. Very cool; one of the biggest steps forward in the BHold product is the replacement of the FIM Management Agent for BHold. BHold now takes full advantage of the ECMA2 connector technology in FIM 2010 R2 and with that replaces the BFPC and BFSS services as well. As the summit was winding down, I sat down and spent some time with Rob de Jong, Senior PM at Microsoft for BHold, understanding SP1. Do keep in mind this is a Service Pack: lots of fixes. The sync engine also got a tune-up, increasing its sync speed by another 20%.<br />
To get the latest bits you need to have an MSDN or Select license, and the documentation won't be out for some time after that... like a few weeks.<br />
<br />
One last thing: I would like to send a special thank you to Matt Flynn for driving around yesterday. Matt, I owe you at least the parking fee, if not some beers!
<p><b>Lotus Notes Provisioning Experience</b> (2012-10-24)</p>
So I was at a client and had to remember how to provision to Lotus Notes. Unfortunately I didn't have a lot of my notes, and there's always something new from client to client, so some learning was needed.<br />
<br />
Let's start with the address book: this is the target database where users will ultimately be created. Also, in Notes terms user objects are called Person documents, so keep that in mind. The default address book is called names.nsf.<br />
<br />
I was given an address book that happened to be down a few levels from the top level. What does this mean? When you log in to the Lotus Notes client, you open the database by first entering the Server value (sometimes called the Hierarchical server name) of ServerName/Location/sub-location. This should be given to you by your Notes admin. Then you browse around at this level until you find the names.nsf database, typically. In my case the database was several folders deep, but was called names.nsf. Unfortunately I would keep getting an error when trying to provision the user object to the Notes CS. The error was:<br />
<br />
<span style="color: #1f497d;">NoCompatiblePartitionFoundException: The partition filter criteria...</span><br />
<br />
The error went away after I was given access to use a top-level database. But the name of that database was not the default names.nsf, which led me to my next error. When I tried to export this new user I would get:<br />
<br />
<span style="color: #0b5394;">Could not create objects in the address book. Primary address book not configured on the Lotus Notes server.</span><br />
Google didn't help much in figuring out this error, so I interpreted it to mean that FIM needs to write to the default database (names.nsf) first, and then a secondary address book could be configured. When I was finally given rights to export to the names.nsf address book (at the top level) the error went away, and I was able to create the user object. Maybe someone else can explain this.<br />
<br />
Also, while configuring the MA, remember you need to configure the certifiers. What's a certifier, you ask? A Notes admin explained it to me like this: the certifier represents the single OU structure like OU=abc,O=local (similar to AD), but it also includes an ID file that goes with it. When I asked why they needed this, I was told it had something to do with security. Oh yeah, and the ID file has a password too. It's Notes' way of certifying that the user was created by someone authorized.<br />
<br />
Here's a link to the standard provisioning code: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa965243(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/windows/desktop/aa965243(v=vs.85).aspx</a><br />
<br />
Provisioning code lesson<br />
csentry("_MMS_IDStoreType").IntegerValue = 1 ' ID file stored as an attachment; this puts the ID file in the Notes database (I think)<br />
<br />
If you need to put the ID file somewhere else, use the following two lines instead:<br />
csentry("_MMS_IDStoreType").IntegerValue = 2 ' ID file will be generated; you then have to tell it where you want it to go, see next line<br />
csentry("_MMS_IDPath").Value = "&lt;file location&gt;\&lt;filename&gt;.id"<br />
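Here is how those two lines sit inside a complete FIM metaverse extension, as an added C# example (not code from this post or from the MSDN sample linked above). It assumes a management agent named "Notes MA", a connector space object type of "person", a metaverse person carrying accountName and displayName attributes, and a DN format and ID-file share path that are placeholders; only _MMS_IDStoreType and _MMS_IDPath come from the post. Because the generated ID file is the user's Notes credential, the example treats the share it lands on as something only the sync service account and the admins who hand the file over should be able to read.<br />

```csharp
// Added example, not the post's own code: a FIM metaverse extension that
// provisions a Person document to the Lotus Notes MA and picks one of the two
// ID-file storage modes from the post. Only _MMS_IDStoreType and _MMS_IDPath
// come from the post; everything else named here is an assumption.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Hypothetical settings; read them from configuration in a real extension.
    private const string NotesMaName = "Notes MA";                  // assumed MA display name
    private const bool WriteIdFileToShare = true;                   // true -> store type 2, false -> store type 1
    private const string IdFileShare = @"\\fileserver\notes-ids$";  // placeholder share path

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Only provision person objects that already carry the attributes we need.
        if (mventry.ObjectType != "person") return;
        if (!mventry["accountName"].IsPresent || !mventry["displayName"].IsPresent) return;

        ConnectedMA notesMa = mventry.ConnectedMAs[NotesMaName];
        if (notesMa.Connectors.Count > 0) return; // already joined, nothing to create

        CSEntry csentry = notesMa.Connectors.StartNewConnector("person");

        // DN format is an assumption; check the Notes MA reference linked above.
        csentry.DN = notesMa.EscapeDNComponent("CN=" + mventry["displayName"].Value);

        if (WriteIdFileToShare)
        {
            // Store type 2: the MA generates the ID file and writes it to _MMS_IDPath.
            // The ID file is the user's Notes credential, so the share should be
            // readable only by the sync service account and the Notes admins who
            // hand the file to the user.
            csentry["_MMS_IDStoreType"].IntegerValue = 2;
            csentry["_MMS_IDPath"].Value = IdFileShare + @"\" + mventry["accountName"].Value + ".id";
        }
        else
        {
            // Store type 1: the ID file is kept as an attachment in the Notes database.
            csentry["_MMS_IDStoreType"].IntegerValue = 1;
        }

        csentry.CommitNewConnector();
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false; // keep the metaverse object when the Notes connector is deleted
    }
}
```

The Provision method bails out when the metaverse object is already connected to the Notes MA, so re-running a full sync won't try to create a second Person document for the same user.<br />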
<br />
<br />
<p><b>Rebuild SQL indexes for dummies</b> (2012-01-30)</p>
Found this site, it's great.<br /><br /><a href="http://www.ehow.com/how_6375896_rebuild-indexes.html">http://www.ehow.com/how_6375896_rebuild-indexes.html</a>
<p><b>Reference membership of a set in FIM Portal</b> (2011-10-21)</p>
<p>Sometimes you may want to have a group or set in the FIM Portal be calculated from another group or set.</p> <p>Unfortunately, the source can't be a group, so stop there. But if it's a set then you're OK. The great thing about sets is that you can have both criteria-based and manual users in them. Once you have it in a group, export it to AD.
Now you have a solution: a group with criteria-based and manual users that can be administered from the FIM Portal.</p> <p>At this point create your target group (or set), go to the Members tab and do the following:</p> <p><a href="http://lh3.ggpht.com/-xmFaXnB0Upk/TqByjP3iDII/AAAAAAAAADM/HdVg4hR_MWI/s1600-h/image%25255B3%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-8viuecW3dFI/TqByjll4FrI/AAAAAAAAADU/km36Cv2WQTw/image_thumb%25255B1%25255D.png?imgmax=800" width="407" height="266" /></a></p> <p>By choosing ResourceID 'in' &lt;source set&gt; it'll do the trick.</p> <p>Of course you could always go back to the XPath filter, something like this: /Person[ObjectID = /Group[DisplayName = 'sourceSet']/ComputedMember], but why, when you can use the GUI?</p>
<p><b>How to export AD LDS schema</b> (2011-10-20)</p>
<p>Working for a client, I needed to stand up an LDAP client and create a new class and attributes. It was about 35 new attributes, and that takes a while when you have to do each one manually. Now it's time to move it to QA. There ain't a whole lot out there for exporting LDAP schema, and of course the old LDIFDE was giving me grief. So after more searching I stumbled on a TechNet article and there it was.</p> <p>It's already installed if you set up AD LDS. Look in \windows\ADAM; it's called ADSchemaAnalyzer. I think its purpose is to compare different schemas, but it also exports them to LDIF. Sweet!</p> <p>First 'load target schema', then 'load base schema'. I don't know why; I didn't have time to find out.
Then walk the tree and you'll see all the object classes and attributes. Now, if you created an object class and new attributes just for that object, just select the new object class and the attributes will come along automatically.</p> <p><a href="http://lh6.ggpht.com/-vAIO5vS272U/TqB2iWaMiTI/AAAAAAAAADc/EK06v_qZ0sQ/s1600-h/image%25255B2%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-QzYUkW7f9J0/TqB2iivLRdI/AAAAAAAAADk/nYuw2zDJxk4/image_thumb.png?imgmax=800" width="159" height="115" /></a></p> <p>Now create the LDIF file and away you go. Very awesome!</p>
<p><b>Hmm. Windows Live Writer</b> (2011-09-07)</p>
<p>So I'm trying out this new program called Windows Live Writer. I guess the idea is to use this little application, which will then upload the content to the blog site??</p> <p><img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-berightback" alt="Be right back" src="http://lh6.ggpht.com/-jht0y0qi-a4/Tmg8Rsi3wkI/AAAAAAAAADA/0omliCtUQMU/wlEmoticon-berightback%25255B2%25255D.png?imgmax=800" /><a href="http://lh4.ggpht.com/-5XvY5KU1RZo/Tmg8TCErdlI/AAAAAAAAADE/IvGZoMgASUQ/s1600-h/11-09-01%252520Frank%252520Rodgers%252520012%25255B3%25255D.jpg"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="11-09-01 Frank Rodgers 012" border="0" alt="11-09-01 Frank Rodgers 012" src="http://lh3.ggpht.com/-UunpV-DuQH8/Tmg8USUFypI/AAAAAAAAADI/GdWuBJqMH4w/11-09-01%252520Frank%252520Rodgers%252520012_thumb.jpg?imgmax=800" width="244" height="184" /></a></p> <p>Recently went to visit an old fraternity buddy of mine. Haven't seen (or heard from) him in 19 years. Wow, time really flies. Luckily he found me on LinkedIn. It was great visiting with him.</p>
<p><b>FIM RCDC Tool</b> (2011-08-29)</p>
I'm sure most of you by now have had the chance to see how great the FIM Portal is. I remember when I first saw it; I couldn't believe how slick the interface looked. I thought, what a great place for a user directory! How many times have clients asked for an interface that offers the ability to view employees, and even a place where employees can update some of their own information?
<br />
<br />To this day, I still feel this is one of the best selling points of the FIM Portal. However, clients are always looking to customize those pages and offer up attributes that aren't out of the box. FIM does let you extend the schema, and then you can add those attributes to pages, or RCDCs, so those new attributes come through. Good stuff, until you actually see what it looks like to edit the RCDC. As the song goes, 'Could make a grown man cry...'
<br />
<br />The way the RCDC looks and behaves is all done through XML, and hence an XML file: an ugly, unforgiving and complicated file. After you play around with it for a while, you might finally figure out how it works. Unfortunately all it takes is a single typo and FIM barfs by not rendering the page, offering no explanation as to why it doesn't like what you did. Then it's a matter of going back over and over and over just to figure out what you did wrong. I've spent hours working on these, making small changes each time to make sure it works. Unfortunately, it consumes a lot of time, especially if you're a consultant and it starts burning too many hours on the project. You wonder what Microsoft was thinking when they put FIM together and fell short on an easy way to manipulate these pages! Microsoft, always the king of configuration wizards and WYSIWYG GUIs.
<br />
<br />Recently I discovered a tool that does just that! It's a WYSIWYG tool that lets you manipulate RCDCs by dragging attributes around the page and to other tabs. In addition, it offers easy-to-use wizards to add new attributes or tabs, or change the properties of existing attributes. After exporting the full FIM configuration, you load it into the tool, called RCDC Editor; it loads the RCDC configuration and renders the page just as the FIM Portal would.
<br />
<br />
<br />
<br /><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0ePAX5oJT2ec9hf5dmg85dLjFpENInyLA5sthEgYm2ZlBbvfJSHEhYQCh0WnEFvgKigHwKZVuAEB1WVuk503e28h9X35EHZ76ulS1Pfsr_quCDzcUbenw_MjTprkULZOFi5pDnDjKfx50/s1600/rcdc1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 167px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5646460028699381618" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0ePAX5oJT2ec9hf5dmg85dLjFpENInyLA5sthEgYm2ZlBbvfJSHEhYQCh0WnEFvgKigHwKZVuAEB1WVuk503e28h9X35EHZ76ulS1Pfsr_quCDzcUbenw_MjTprkULZOFi5pDnDjKfx50/s320/rcdc1.png" /></a>
<br />
<br />
<br />Now you can move things around any way you wish. Once you're finished, you save the project and it creates the needed XML file to be imported back into FIM. Run IISreset and that's it, you're done! Imagine sitting there with your client, deciding together exactly what they'd like to see in the FIM Portal.
<br />
<br />All the controls that are available in FIM are available through the RCDC Editor: TextBox, Label, Check Box, Radio Button, etc. When adding new controls, the creators have tried to guide you in the right direction by pre-populating certain properties that you will probably want; this in turn makes using the tool that much easier and reduces the risk that the RCDC won't work. For example, let's say you created a new user attribute in the FIM database called 'User Laptop #'. Using the RCDC Editor, you click on Add New Control and you are offered a list of attributes that aren't currently used in the RCDC. You find 'User Laptop #' and click it, then decide what sort of control you want. Whether it's a TextBox, a MultiValue Control, etc., it immediately populates the control with what you would typically want, like the Caption set to 'User Laptop #' and the Control Value coming from the FIM database and that actual attribute.
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitbkX314x-PQA36XwXKiA0m8Ve8obbsl_v0SwrhXxF6k8U7Vx6nGsNhN5ijJaX_oVYBsEkBVqkbY3aW9Rhyf6I9aNpgKRIwbgGJCL3jzOF5LU_5xo5x_K07eRE0SwvLq5ZiRL-WC54eQp2/s1600/rcdc3.png"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 297px; FLOAT: left; HEIGHT: 149px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5646460513269754034" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitbkX314x-PQA36XwXKiA0m8Ve8obbsl_v0SwrhXxF6k8U7Vx6nGsNhN5ijJaX_oVYBsEkBVqkbY3aW9Rhyf6I9aNpgKRIwbgGJCL3jzOF5LU_5xo5x_K07eRE0SwvLq5ZiRL-WC54eQp2/s320/rcdc3.png" /></a>
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaG_pOTUfLtJ514IC5KnChvs7tDJ2ytYx38TfbYhA8WjvXZfiRGqWy6b4Zbb3Atw3kxxnSCX388G-6aFbBU8jzA1SFeOAxsN7GUAZfu3HR-Gw4VVaKdIlrhDIERFU3-_zgos8U3MTK6zsl/s1600/rcdc3.png"><img style="MARGIN: 0px 0px 10px 10px; WIDTH: 307px; FLOAT: right; HEIGHT: 158px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5646461460830187490" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaG_pOTUfLtJ514IC5KnChvs7tDJ2ytYx38TfbYhA8WjvXZfiRGqWy6b4Zbb3Atw3kxxnSCX388G-6aFbBU8jzA1SFeOAxsN7GUAZfu3HR-Gw4VVaKdIlrhDIERFU3-_zgos8U3MTK6zsl/s320/rcdc3.png" /></a>
<br />
<br />
<br />
<br />
<br /></p>
<br /><p></p>
<br /><p>
<br />That being said, it does have an advanced option that will allow you to change any attribute property you want. Of course, at this point you're on your own as to whether it'll work or not. The tool will let you enter any sort of information, or gibberish, at that point.
<br />
<br />Check it out; you can find it at www.tools4fim.com. You can download it and play around with it, but until you buy a license you can't save any of your work.
<br />
<br />One final trick up this tool's sleeve is the Resultant Rights Evaluator. This is a nifty way of querying FIM that lets you see who will, and will not, have rights to certain RCDC attributes: you want to know who can see or modify attributes in the RCDC. You define the requestor and the target and it'll return whether that requestor can Create, Delete, Modify or Read; it's very granular. I'll talk more about this piece of the tool next time.</p>
<p><b>OpenLDAP and password sync</b> (2011-08-26)</p>
Recently I was at a client's site and they wanted to flow passwords from AD to their OpenLDAP directory.
<br />
<br />Went out to SourceForge and downloaded the latest OpenLDAP XMA, which can be found here: <a href="http://sourceforge.net/projects/openldap-xma/">http://sourceforge.net/projects/openldap-xma/</a>. Very impressed with its packaging: just run the MSI installer and it puts everything where it needs to be. It even includes some handy user guides. For the most part you configure according to the guides and it works, except if you want to do password sync. Instead you get a warning 6901: The password extension does not implement the entry point.
<br />
<br />This post will explain what you need to do to get the password sync functionality working. After cruising around I finally found an entry in the SourceForge forum where Randy Weimer mentions an error with password sync for which he had to add some missing code. But this was May of 2010 (over a year ago); I'm sure this has been fixed, but it smells the same. Unfortunately it is the same issue. So here's what you have to do.
<br />
<br />1. Download the code from SourceForge, which is not an intuitive task. Luckily Carol explains it nicely here: <a href="http://www.wapshere.com/missmiis/compiling-the-openldap-xma-to-use-with-fim-2010">http://www.wapshere.com/missmiis/compiling-the-openldap-xma-to-use-with-fim-2010</a>. It seems that when she wrote her post there was no nice MSI installer like there is now, but you can still figure out how to get the latest code: read the 'Get the Right Source Code' section.
<br />
<br />I did the rest on my laptop (without FIM installed).
<br />2. Open up the solution OpenLDAPXMA.sln in Visual Studio and choose PasswordExtension.cs. Search for the following phrase:
<br />
<br /><strong>ConnectionSecurityLevel GetConnectionSecurityLevel</strong>
<br />
<br />You'll find the function really doesn't do anything, so you'll need to comment out the throw statement and add a return statement within the function, like this:
<br />
<br /><em>return ConnectionSecurityLevel.Secure;</em>
<br />
<br />See below for Randy's entry and the code.
<br />
<br />3. Add the missing reference.
<br />Since I was using my laptop, I needed to copy the Microsoft.MetadirectoryServicesEx.dll file from the FIM server over to my laptop. You can find it in the ..\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies\ folder.
<br />Then add it as a reference and build the whole solution, which by the way produces just one file, called OpenLDAPXMA.dll. There is no extra password DLL file as the user guide mentions.
<br />
<br />4. Put the newly compiled DLL in the \extensions\ folder and that's it. All should work.
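<br />For reference, an added C# sketch (not the OpenLDAP XMA's actual code) of what GetConnectionSecurityLevel can look like once the throw statement is gone. The value it returns is what the sync engine consults to learn whether the connection to the connected directory is secure; the one-liner in step 2 answers Secure unconditionally, which is only accurate when the XMA really talks to OpenLDAP over SSL/TLS. The class name, the useSsl constructor flag and the _useSsl field are hypothetical, and ConnectionSecurityLevel.NotSecure is assumed to be the enum's other member (the post only shows Secure).
<br />
```csharp
// Added example, not the OpenLDAP XMA's code: what GetConnectionSecurityLevel
// can look like once the throw is removed. The real PasswordExtension class also
// implements the rest of IMAPasswordManagement (BeginConnectionToServer,
// SetPassword, ChangePassword, EndConnectionToServer, RequireFullObject),
// omitted here. The class shape and the _useSsl flag are hypothetical;
// ConnectionSecurityLevel.NotSecure is assumed to be the enum's other member.
using System;
using Microsoft.MetadirectoryServices;

public class PasswordExtensionSketch
{
    // Hypothetical: in the XMA this would be derived from the MA's connection
    // settings (for example an ldaps:// URL or a "use SSL" option).
    private readonly bool _useSsl;

    public PasswordExtensionSketch(bool useSsl)
    {
        _useSsl = useSsl;
    }

    // The sync engine calls this to learn whether the connection to the connected
    // directory is secure. The post's one-liner returns Secure unconditionally;
    // this version ties the answer to the transport that will actually carry the
    // password, so a plaintext ldap:// session is reported as NotSecure rather
    // than papered over.
    public ConnectionSecurityLevel GetConnectionSecurityLevel()
    {
        return _useSsl ? ConnectionSecurityLevel.Secure
                       : ConnectionSecurityLevel.NotSecure;
    }
}
```
<br />If the XMA in your environment binds over plain LDAP, fixing the transport (LDAPS or StartTLS) is the change that makes the hard-coded Secure truthful; the return value itself adds no protection.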
<br />
<br />If by chance you don't want to go through all this, just contact me at my hotmail account (pjalaff).
<br />
<br />I want to give full credit to Carol Wapshere, who has saved me more times than I want to admit, and to Randy Weimer, who figured out this bug. If anything, this blog post puts both pieces together.
<br />
<br />
<br />
<br />Randy's original post: <a href="http://sourceforge.net/tracker/?func=detail&aid=2996718&group_id=196847&atid=959098">http://sourceforge.net/tracker/?func=detail&aid=2996718&group_id=196847&atid=959098</a>
<br />
<br />
<br />
<p><b>troubleshooting EREs and provisioning</b> (2011-04-17)</p>
Just a quick note. I was having some problems with codeless provisioning and couldn't figure it out. The ERE was pending, it was being imported, the user object was referenced. Searching through the internet, I found this little gem: <a href="http://setspn.blogspot.com/2010/11/fim-troubleshooting-codeless.html">http://setspn.blogspot.com/2010/11/fim-troubleshooting-codeless.html</a>. Finally I figured out my FIM MA was the culprit: the AIF for the ERE attribute was missing from the user object. Added it back in and voilà, all is well.
<p><b>Security Questions</b> (2010-06-22)</p>
So now that I'm doing FIM, I must do all the new things FIM offers. Before, it was just attribute synchronization. Now it's web design, workflow, self-service password reset, to name a few. OK, it's fun learning new stuff.<br /><br />Right now I'm dealing with password reset and I've run across a new challenge: what else do you ask besides 'What's your mother's maiden name?' Ugg.. So I checked my own bank's website; it had some good questions. Checking the googlesphere doesn't reveal much. Then one of my colleagues, Tom, mentioned going to <a href="http://www.goodsecurityquestions.com/">www.goodsecurityquestions.com</a>. This is a great place to get started and understand good from bad questions; it also has some great examples.<br />Enjoy!