Wednesday, February 28, 2007

Stuck on ConfigParameters

The XMA comes with this really cool thing, configuration parameters. The ability to store (and encrpyt) configuration data on the MA is a great feature that am constantly on the verge of abusing. You can store anything in there, and easily dig it out when the MA runs to control the MA behaviour.

Often I've wished the MV had the same functionality, as well as every other MA type besides the XMA. Yes I know that I can write an XML file and put that in the Extensions folder, or I can use the registry or something else, but I want to be able to use the MA to store my configuration data.

As it turns out you can kinda do this with some trickery. The story goes something like this:
1. Add your config parameters to your XMA
2. On Import, write code to dig out the configParameters
3. Use the configParameters to create a fake object and inject it into your import file
4. Modify the MA schema to include your new fake object

At this point you should be able to run an Import on your MA and see the fancy new object in the CS.

5. On the Initialize function in the MA or MV extensions, use WMI to find your fake object
6. Get the attributes of your fake object (the config parameters) by looking at the hologram on the CS object.

Not for the faint of heart:
You can get really inventive and get access to real objects instead of attr:value pairs if you serialize an object into the value on Import, then deserialize it after you read it out of the hologram.

Wednesday, February 21, 2007

Enrolling for Smart Cards with CLM Beta 2

Let me preface this by admitting my "CLM noob" status, and that I am going to make some very dumb mistakes on my learning curve with CLM. Hopefully documenting them here will make somebody else look smart, or reduce the number of goats sacrificed on their way to becoming CLM gurus.

CLM installs with two sample Profile Templates:
  • CLM Sample Profile Template
  • CLM Sample Smart Card Logon Profile Template
In CLM a profile template is analogous to an LDAP object class. Profiles in CLM are instantiated according to the policies of the Profile Template. These policies are easily viewed and configured with the CLM UI.

The CLM Sample Profile Template is a great way to start playing with software certs. It is easy to start with because you don't require any smart cards or smart card readers (which tend to also be writers BTW).

The CLM Sample Smart Card Logon Profile Template is much more entertaining, because it writes certificates onto smart cards (as the name implies, but which I found hard to believe during my troubleshooting). This is especially exciting if you have a USB smart card reader with lights. Nothing makes demos fun like flashing lights and something you can physically show people ;-)

Anyhow, I was trying all night to enroll a test user for a new permanent smart card using the smart card template mentioned above. No matter what I tried I couldn't seem to get the certs written to the card. Each time I tried I got an error message saying something about PKCS#11:
"PKCS#11 smart card self-service control error: PKCS11 Error: Failed to load PKCS11 module"
This made no sense to me because I was trying to use Base CSP. My mistake was to spend hours trying to figure out a CLM Client issue. the CLM Client can be tricky to install, but if you have these three steps done you are not likley to hit CLM Client problems:
1. Install the Base CSP (Windows-KB909520-v1.000-x86-ENU.exe for my XP machine)
2. Install the Mini-drivers (Cardmod_x86.msi)
3. Install the CLM Client (comes on the CLM media)

After running out of ideas I decided to check the Profile Template and right away saw that it was not configured to use Base CSP, so when it was trying to deal with the smart card it didn't use Base CSP, but other drivers that were not on my system, and probably weren't supported by my card. I changed the profile template to use Base CSP and poof, it worked.

If you find yourself spending hours trying to solve a CLM Client problem, don't forget to have a look at the server. If you want to make changes to Profile Templates, I suggest copying the templates instead of modifying the existing ones so you can back out of your troubleshooting changes.

Thanks to Brian Komar for helping me figure this out!

Friday, February 16, 2007

MIIS Workflow Using SharePoint and InfoPath

This is a really cool blog post by Alex (one heckuva smart MIIS guy). It shows how you could use SharePoint and InfoPath to do workflow with MIIS.

The digital signing ability on the forms is especially cool as it improves the workflow security.

Thursday, February 15, 2007

CLM is Coming in ILM 2007, Are You Ready?

MMS deployments required many goat sacrifices until MIIS came along. We've had quite a while to master MIIS so goats are no longer required. Watching participation in the MIS forum is great because where there used to be only a handful of metadirectory gurus, we have loads!

What happens with the CLM side of ILM 2007? Clearly we've mastered the MIIS side but is CLM just a new feature?

CLM is the tip of the PKI iceberg, and it comes with ILM 2007. If you're looking to master ILM 2007 then I suggest some PKI homework to cover the CLM side of things. There is a CLM course in the works but I don't know when it will be released or when it will get scheduled. In the meantime, a good place to start is:

Friday, February 09, 2007

Affirmation of Microsoft's Identity Plans

The big ILM announcements by Microsoft this week are starting to settle in and draw responses. This one is complimentary and well written (as always in that newsletter):

It begs the demonstration of execution. The ILM 2 and ILM 2007 demos are a great start. I'm looking forward to getting my hands on the ILM 2 stuff, and I'm really looking forward to seeing more execution on Microsoft's strategy.

Wednesday, February 07, 2007

ILM 2007! Just Add Canadians

ILM 2007 was announced at RSA yesterday, and it is going to be a pretty big wave to ride. On the surface it could be confused with just two CDs in a box, but it is much more. The MIIS team (originally from Zoomit) joined forces with the formerly-known-as-CLM team (another Canuck identity management company, Alacris). So it is something big in terms of marketing AND engineering. Pretty exciting stuff, along with the new pricing, new reach into stronger authentication, etc, etc.

For MIIS folks convinced they've learned all there is to know about sync, welcome to the next learning curve! Woo-hoo! New toys!

Saturday, February 03, 2007

CLM Beta 2 - Provision API

Certificate Lifecycle Manager (CLM) is the result of Microsoft's aquisition of another Canuck identity (oxymoron?) company. The product promises to make PKI easier, especially when it comes to smart cards. Desktops and laptops seem to be increasingly coming with smart card readers, so this could really hook up, eh?

Anyhow, CLM exposes a Provision API to automate parts of their system. I've been playing with it lately so will start to post some of the experiences here. The documeation is a bit rough but at least it exists. Actually I've already been told to RTFM, and yes, I deserved it.