Thursday, August 28, 2014

Find FIM Approval Actions

We recently had to move the FIM Service to a new computer.  FIM Approval objects are stamped with an EndpointAddress, which is constructed with details from the FIM Service configuration file (Microsoft.ResourceManagement.Service.exe.config).  If care is not taken with the configuration file, then pending Approval objects from before the move will not be actionable (users will not be able to approve/deny).

To check that Approvals are working, you can use an XPath query looking for Approvals created before the server move and Requests targeting those Approvals after the server move.  The query looks like this:

 

 

###

### Find Approvals acted on since a certain date

###

Export-FimConfig -OnlyBaseResources -Custom "/Request

[

    TargetObjectType = 'Approval'

    and

    CreatedTime >= '2014-08-27T23:00:00'

]/Target

[

    CreatedTime <= '2014-08-27T23:00:00'

]

"

 

That query will return the Approval objects, so you will be able to determine what action the user took, and if there were issues.

To output the Request objects instead of the Approval objects, use this filter:

 

 

"/Request

[

    TargetObjectType = 'Approval'

    and

    CreatedTime >= '2014-08-27T23:15:00'

    and

    Target = /Approval

    [

        CreatedTime <= '2014-08-27T23:15:00'

    ]

]

"

 

 

 

Tuesday, August 19, 2014

Testing the FIM Service Ports

Recently I was debugging FIM client application communicating with the FIM Service web service endpoints.  There is a cmdlet in PowerShell 4.0 that makes quick work of this, Test-NetConnection.

Here’s how to use it to test if FIM is responding:

Test-NetConnection -ComputerName myFimServer -Port 5725 -InformationLevel Detailed

Test-NetConnection -ComputerName myFimServer -Port 5726 -InformationLevel Detailed

 

That’s it.  That cmdlet does its job quite well an will tell you if the FIM Service is responding on its web service endpoint ports.

Wednesday, August 13, 2014

Generating Custom Resources for PowerShell Desired State Configuration

Creating an initial custom DSC resource is well documented on TechNet but it can be tedious if you have to do a lot of them.  Tooling is available to help automate this:

Resource Designer Tool – A walkthrough writing a DSC resource

Here’s a sample for using the Resource Designer Tool:

New-xDscResource -Name cFimService_ManagementPolicyRule -Property @(

    ### General

    New-xDscResourceProperty -Name DisplayName -Type String -Attribute Key

    New-xDscResourceProperty -Name Description -Type String -Attribute Write

    New-xDscResourceProperty -Name Enabled -Type Boolean -Attribute Write

    ### Requestors and Operations

    New-xDscResourceProperty -Name RequestorSet -Type String -Attribute Write

    New-xDscResourceProperty -Name RelativeToResourceAttributeName -Type String -Attribute Write

    New-xDscResourceProperty -Name RequestType -Type String[] -Attribute Write

    New-xDscResourceProperty -Name GrantPermission -Type Boolean -Attribute Write

    New-xDscResourceProperty -Name TransitionIn -Type Boolean -Attribute Write

    New-xDscResourceProperty -Name TransitionOut -Type Boolean -Attribute Write

    New-xDscResourceProperty -Name Request -Type Boolean -Attribute Write

    ### Target Resources

    New-xDscResourceProperty -Name ResourceSetBeforeRequest -Type String -Attribute Write

    New-xDscResourceProperty -Name ResourceSetAfterRequest -Type String -Attribute Write

    New-xDscResourceProperty -Name ResourceAttributeNames -Type String[] -Attribute Write

    ### Policy Workflows

    New-xDscResourceProperty -Name AuthenticationWorkflowDefinition -Type String[] -Attribute Write

    New-xDscResourceProperty -Name AuthorizationWorkflowDefinition -Type String[] -Attribute Write

    New-xDscResourceProperty -Name ActionWorkflowDefinition -Type String[] -Attribute Write

    ### Common FIM DSc Properties

    New-xDscResourceProperty -Name Credential -Type PSCredential -Attribute Write

    New-xDscResourceProperty -Name Ensure -Type String -Attribute Write -ValidateSet "Present", "Absent"

)  -Path 'C:\Program Files\WindowsPowerShell\Modules\FimPowerShellModule'   

 

When the command runs it generates the MOF file, and also the .PSM1 file complete with all the parameters to match the schema you’ve specified.  Pretty handy.

I got a little carried away once I got comfortable with the tool, and started to generate custom DSC resources for all sorts of things.  One experiment I did was to create a FIM DSC Resource that was generic and included every attribute in the FIM Service schema (there were 236 attributes).  This would have been very handy if it’d worked, but instead I found a limit to the MOF file size.  It might be a bug, but it feels like a gentle nudge towards better DSC resource design (use less attributes per resource).