Monday, November 15, 2010

Connection Strings in the FIM CM Lab Documents

The procedure in the FIM CM lab document for creating the connection string is really neat, but it did not work for me because FIM CM not like the resulting connection string. 
In the "FIM Certificate Management" logs in Event Viewer I got an Error followed by a useful warning.

The same issue applies to both documents:

In short:

The FIM CM Exit Module does not like the "provider" keyword, so just omit it from the connection string and voila!

Error Detail:

"2010-11-03 05:42:21.07 -07" "Microsoft.Clm.ExitModule.CertExit" "Void RegisterCA()" "" "NT AUTHORITY\SYSTEM" 0x00000BFC 0x00000001
[DatabaseConnection] configuration setting is not configured correctly. Use FIM CM Exit Module settings dialog to set it to a valid value.

Warning Detail:

1) Exception Information
*********************************************
Exception Type: System.ArgumentException
Message: Keyword not supported: 'provider'.
ParamName: NULL
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Data.Common.NameValuePair ParseInternal(System.Collections.Hashtable, System.String, Boolean, System.Collections.Hashtable, Boolean)
HelpLink: NULL
Source: System.Data

Posting PowerShell Snippets Using Windows Live Writer

Lately I’ve been trying to find the best method of posting PowerShell snippets using LiveWriter.  So far the best method I’ve found is a script from PowerShell guru Lee Holmes.

The only tricks to it are:

  1. Run the script from PowerShell ISE (instead of the command prompt)
  2. Use ‘Paste Special’ in Windows Live Writer (by default it removes the formatting)

Thanks to Lee my blog should start looking just a little bit prettier!

Tuesday, November 09, 2010

ILM Sync Engine Configuration PowerShell Commandlet Update

ILM (the precursor to FIM) has had some PowerShell coverage for a while now, allowing the automation of configuration for ADMA and XMA management agent types.
The cmdlets don’t ship with the product as they do in FIM.  They can be downloaded here:
Identity Lifecycle Manager 2007 FP1 Sync Engine Configuration PowerShell Commandlets
Until recently there were three cmdlets available, but with a recent update they have added another cmdlet that allows you to toggle the provisioning extension.
PS C:\> Add-PSSnapin MIIS.MA.Config
PS C:\> Get-Command -Module MIIS.MA.Config
CommandType     Name
-----------     ----
Cmdlet          Import-MIISServerConfig
Cmdlet          Set-MIISADMAConfiguration
Cmdlet          Set-MIISExtMAConfiguration
Cmdlet          Set-ProvisioningRulesExtension
Here’s the contents from the cmdlet help to illustrate how the cmdlet is used:
--------------  Example 1 --------------
C:\PS>Set-ProvisioningRulesExtension true
This command will enable the provisioning rules extension.
Note: The provisioning rules extension assembly must be specified.

--------------  Example 2 --------------
C:\PS>Set-ProvisioningRulesExtension false
This command will disable the provisioning rules extension.
The cmdlet is toggling the checkbox for “Enable Provisioning Rules Extension”, as shown below.  It accepts a String instead of a Boolean, but specifying anything other than ‘true’ or ‘false’ results in an error.

Thursday, November 04, 2010

TechNet Guide for Building a FIM CM Lab

Pretty good timing, given that I’m posting on CM lately… Microsoft just posted a lab guide for demonstrating FIM CM 2010.

Test Lab Guide: Demonstrate FIM CM 2010

If you’re looking to learn more about FIM CM then this will be a great resource in addition to all the other FIM CM documentation available on TechNet.

Use the FIM CM Provision API from PowerShell

In my previous example I showed how to call the CM MA’s proxy from PowerShell for the purposes of CM MA troubleshooting.

In this example I show how to use PowerShell to call the CM Provision API.

The Provision API is the main extensibility point into FIM Certificate Management.  It offers an API for the following:

  • Working with Profile Templates (shown below)
  • Working with Requests
  • Permission Operations
  • Working with Profiles and Certificates

There are a number of scenarios where it makes sense to use the CM Management Agent, but in some cases it is overkill.  If a small piece of functionality can be accomplished using just the Provision API then it probably makes sense to just use code/script against the Provision API, as shown in the sample below.

.NET Remoting

FIM CM employs .NET Remoting, and the bulk of the sample script is dedicated to setting up the .NET Remoting connection to the FIM CM server.  It’s only the last two lines of the script that do anything fun really.

This is supposed to be easier with the ‘New-WebServiceProxy’ cmdlet in PowerShell V2 but I haven’t had any luck with it yet.

Enabling the Provision API in the CM Service

The Provision API is not enabled by default.  The CM web.config file needs to be modified before you can access the Provision API.  Follow the instructions here to make the web.config file modification.  Specifically you want to following the instructions under “Server Configuration”.

The Sample

###

### Load the CLM Provision Assembly, and the .NET Remoting Assembly

###

[reflection.Assembly]::LoadFrom("C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\bin\Microsoft.Clm.Provision.dll")

[reflection.Assembly]::LoadFrom("C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll")

 

###

### Set up the remoting infrastructure

###

$clmUrl = "http://localhost/certificatemanagement/remoterequests3.rem"

$binaryClientFormatterSinkProvider = new-object System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider

$httpClientChannel = New-Object System.Runtime.Remoting.Channels.Http.HttpClientChannel("ClmHttpChannel", $binaryClientFormatterSinkProvider)

[System.Runtime.Remoting.Channels.ChannelServices]::RegisterChannel($httpClientChannel, $true)

[System.Runtime.Remoting.RemotingConfiguration]::RegisterWellKnownClientType([Microsoft.Clm.Provision.FindOperationsByCulture], $clmUrl)

 

$FindOperationsByCulture = New-Object Microsoft.Clm.Provision.FindOperationsByCulture

$channelProperties = [System.Runtime.Remoting.Channels.ChannelServices]::GetChannelSinkProperties($FindOperationsByCulture)

$clmUri = [System.Runtime.Remoting.RemotingServices]::Marshal($FindOperationsByCulture).URI

 

###

### Supply the credentials for connecting to CLM

###

$networkCredentials = New-Object System.Net.NetworkCredential("administrator",'hoofhearted',"icemelted")

$credentialCache = New-Object System.Net.CredentialCache

$credentialCache.Add($clmUri,'ntlm',$networkCredentials)

$channelProperties.credentials = [System.Net.CredentialCache]$credentialCache

 

###

### Get the Profile Templates

###

$profileTemplates = $FindOperationsByCulture.FindAllProfileTemplates([System.Globalization.CultureInfo]::InvariantCulture,[System.Globalization.CultureInfo]::InvariantCulture)

 

$profileTemplates | ft DisplayName

Output from the above script should look like this:

DisplayName                                                    
-----------                              
FIM CM Sample Profile Template                             
FIM CM Sample Smart Card Logon Profile Template 

Wednesday, November 03, 2010

Certificate Management MA Troubleshooting

Working on a new CM MA at the moment, so of course am using PowerShell to verify connectivity from the Sync box to the CM box.  This is the quick little script that mimics what the CM MA does when it connects to the CM service:

###

### Load the CLM MA Proxy Assembly, and the .NET Remoting Assembly

###

[reflection.Assembly]::LoadFrom("C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Microsoft.Clm.ClmMaProxy.dll")

[reflection.Assembly]::LoadFrom("C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll")

 

###

### Set up the remoting infrastructure

###

$clmUrl = "http://localhost/certificatemanagement/clmManagementAgent.rem"

$binaryClientFormatterSinkProvider = new-object System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider

$httpClientChannel = New-Object System.Runtime.Remoting.Channels.Http.HttpClientChannel("ClmHttpChannel", $binaryClientFormatterSinkProvider)

[System.Runtime.Remoting.Channels.ChannelServices]::RegisterChannel($httpClientChannel, $true)

[System.Runtime.Remoting.RemotingConfiguration]::RegisterWellKnownClientType([ExtensibleWfMA.ClmMaProxy], $clmUrl)

$clmMaProxy = New-Object ExtensibleWfMA.ClmMaProxy

$channelProperties = [System.Runtime.Remoting.Channels.ChannelServices]::GetChannelSinkProperties($clmMaProxy)

 

 

###

### Supply the credentials for connecting to CLM

###

$clmUri = [System.Runtime.Remoting.RemotingServices]::Marshal($clmMaProxy).URI

$networkCredentials = New-Object System.Net.NetworkCredential("administrator",’hoofhearted’,"icemelted")

$credentialCache = New-Object System.Net.CredentialCache

$credentialCache.Add($clmUri,'ntlm',$networkCredentials)

$channelProperties.credentials = [System.Net.CredentialCache]$credentialCache

 

###

### Call the ConnectionTest method

###

$clmMaProxy.ConnectionTest()

The commands in the above script use .NET Remoting to connect to the ClmMaProxy which sits on the CM server.  Everything but the last line is setting up the .NET Remoting infrastructure, then finally the last line calls a method “ConnectionTest()” on the ClmMaProxy to uh, test the connection.

If all is good I expect it to return “True”, otherwise an error from the CM service.

Tuesday, November 02, 2010

Starting work on a New FIM MA for Certificate Management

Been thinking about doing this for a couple years now, so finally getting a start and should have something to post in a couple weeks.

The idea is to create a new MA and post it to CodePlex for people that want to integrate FIM CM with the FIM Service and the FIM Sync Engine.

Both FIM CM and the FIM Service have workflow engines.  In the FIM Service we have Management Policy Rules, and in FIM Certificate Management we have Profile Templates.  Before FIM the only integration story was really to create a management agent, which was of course delivered in ILM 2007.  Now with FIM we have the opportunity for even more integration, which I hope to facilitate with this effort.

My development environment (building it now) will have the following machines:

DC – Windows Server 2008 R2 x64 DC and CertSrv

CM – Windows Server 2008 R2 X64 with SQL and FIM CM

FIM – Windows Server 2008 R2 x64 with SQL and FIM Service and Portal

SYNC – Windows Server 2008 R2 x64 with SQL and FIM Sync

At the moment I’m not planning on building or testing this with ILM 2007 FP1 unless I get a lot of feedback to do so.

Simple Reporting in FIM 2010 with SSRS

I’ve been working on an extension to SQL Server Reporting Services (SSRS) to facilitate simple reporting of data in the FIM 2010 service.

SSRS provides the Data Processing Extension interface which allows other data sources to feed data into reports.  This little extension acts as a gateway to the features and functionality of SSRS.  In other words, it helps close the feature gap in FIM since FIM 2010 does not ship with any reporting functionality yet the FIM service itself tends to contain mountains of identity data that customers tend to want to report on.  FIM requires SQL Server anyhow, so why not use a little bit more of that box?

So far I’ve been using the FIM Data Processing Extension (FIM DPE) to produce reports of data in the FIM Service, but also to address some of the shortcomings of the FIM notifications.  For example, with SSRS data-driven subscriptions you can use the FIM DPE to deliver notifications based on events, or just on a schedule.  And instead of using FIM email templates you can use the SSRS report designers to produce the notifications.

This effort in no way attempts to replace what partners such as Quest, Omada and bHold have in their offerings.  I consider this a low cost DIY approach to FIM reporting.  If you have the data you need in the FIM Service and are willing to design your reports using the SSRS report designers (they are pretty easy to use) then this project is worth exploring (and contributing feedback to!).  If you are in the market for a full featured partner solution to FIM then of course skip this project and go right into evaluating the other solutions.

At the moment the code is posted to CodePlex.  A release isn’t carved out yet since I want to add more documentation and instrumentation.  In the interim, feel free to poke at the code, give it a run, and provide feedback and code reviews!