Thursday, November 04, 2010

Use the FIM CM Provision API from PowerShell

In my previous example I showed how to call the CM MA’s proxy from PowerShell for the purposes of CM MA troubleshooting.

In this example I show how to use PowerShell to call the CM Provision API.

The Provision API is the main extensibility point into FIM Certificate Management.  It offers an API for the following:

  • Working with Profile Templates (shown below)
  • Working with Requests
  • Permission Operations
  • Working with Profiles and Certificates

There are many scenarios where the CM Management Agent is the right tool, but for some it is overkill.  If a small piece of functionality can be accomplished with the Provision API alone, it usually makes sense to script directly against the Provision API, as the sample below does.

.NET Remoting

FIM CM exposes the Provision API over .NET Remoting, and the bulk of the sample script is spent setting up the .NET Remoting connection to the FIM CM server.  It’s only the last two lines of the script that do anything fun really.

This is supposed to be easier with the ‘New-WebServiceProxy’ cmdlet in PowerShell V2 but I haven’t had any luck with it yet.

Enabling the Provision API in the CM Service

The Provision API is not enabled by default.  The CM web.config file needs to be modified before you can access the Provision API.  Follow the instructions in the FIM CM Provision API documentation to make the web.config modification; specifically, you want to follow the steps under “Server Configuration”.  Keep in mind what that change does: it opens an authenticated .NET Remoting endpoint on the CM web site, and the calls you make through it run as whatever account you supply, so the results are bounded by that account’s FIM CM permissions.  Treat the endpoint like any other management interface: reach it over HTTPS rather than plain HTTP wherever the CM site supports it, and don’t leave a real password embedded in the script.

The Sample


### Load the CLM Provision Assembly (the .NET Remoting types live in mscorlib, so nothing else needs loading)

[reflection.Assembly]::LoadFrom("C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\bin\Microsoft.Clm.Provision.dll")


### Set up the remoting infrastructure

# remoterequests3.rem is the Provision API's remoting endpoint; it only answers once the web.config change above is in place
$clmUrl = "http://localhost/certificatemanagement/remoterequests3.rem"

# FIM CM talks the binary formatter over HTTP (not SOAP), hence the binary sink provider on an HTTP client channel
$binaryClientFormatterSinkProvider = New-Object System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider

$httpClientChannel = New-Object System.Runtime.Remoting.Channels.Http.HttpClientChannel("ClmHttpChannel", $binaryClientFormatterSinkProvider)

[System.Runtime.Remoting.Channels.ChannelServices]::RegisterChannel($httpClientChannel, $true)

# From here on, every 'New-Object' of FindOperationsByCulture yields a transparent proxy pointed at $clmUrl
[System.Runtime.Remoting.RemotingConfiguration]::RegisterWellKnownClientType([Microsoft.Clm.Provision.FindOperationsByCulture], $clmUrl)

$FindOperationsByCulture = New-Object Microsoft.Clm.Provision.FindOperationsByCulture

# The proxy's channel sink properties are where the HTTP credentials get attached
$channelProperties = [System.Runtime.Remoting.Channels.ChannelServices]::GetChannelSinkProperties($FindOperationsByCulture)

# Not used below; handy for confirming which URI the proxy is actually bound to
$clmUri = [System.Runtime.Remoting.RemotingServices]::Marshal($FindOperationsByCulture).URI


### Supply the credentials for connecting to CLM

# Placeholder account (user, password, domain); replace with a real one or prompt with Get-Credential rather than embedding a password
$networkCredentials = New-Object System.Net.NetworkCredential("administrator", 'hoofhearted', "icemelted")

$credentialCache = New-Object System.Net.CredentialCache

# The credential has to be added to the cache, keyed on the endpoint URI and authentication scheme;
# handing the channel an empty cache means no credentials are sent at all
$credentialCache.Add((New-Object System.Uri $clmUrl), "NTLM", $networkCredentials)

$channelProperties.credentials = [System.Net.CredentialCache]$credentialCache


### Get the Profile Templates

$profileTemplates = $FindOperationsByCulture.FindAllProfileTemplates([System.Globalization.CultureInfo]::InvariantCulture, [System.Globalization.CultureInfo]::InvariantCulture)

$profileTemplates | Format-Table DisplayName

Output from the above script should look like this:

FIM CM Sample Profile Template
FIM CM Sample Smart Card Logon Profile Template
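The following is an added example, not the original sample above and not FIM CM’s own code: the same profile template lookup wrapped in a function you can re-run in one PowerShell session.  It prompts for the account instead of embedding a password, refuses plain HTTP unless you opt in (the sample above targets localhost, where that is reasonable), lets you pick NTLM or Negotiate (Kerberos) for the credential cache entry, and checks for an already-registered channel and client type, because registering either a second time in the same session throws a RemotingException.  The server name `cmserver.contoso.com` is a placeholder, and whether the CM site accepts HTTPS and Negotiate on this endpoint is assumed rather than tested here; the assembly path is the FIM 2010 default.

```powershell
# Added example: reusable wrapper around the FIM CM Provision API remoting setup.
# Assumptions: FIM 2010 default install path; the CM site is reachable over HTTPS and
# accepts NTLM or Negotiate on remoterequests3.rem (untested here). Host name is a placeholder.

function Connect-ClmProvision {
    param(
        [Parameter(Mandatory = $true)] [string] $ClmUrl,   # e.g. https://cmserver.contoso.com/certificatemanagement/remoterequests3.rem
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential,
        [ValidateSet("NTLM", "Negotiate")] [string] $AuthType = "Negotiate",
        [switch] $AllowHttp,                                # only for a localhost lab; otherwise insist on TLS
        [string] $AssemblyPath = "C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\bin\Microsoft.Clm.Provision.dll"
    )

    # NTLM/Negotiate protect the password, but everything the API returns would cross the wire in the clear over HTTP
    if (-not $AllowHttp -and $ClmUrl -notmatch '^https://') {
        throw "Refusing plaintext endpoint '$ClmUrl'; use HTTPS or pass -AllowHttp for a local lab."
    }

    $assembly = [System.Reflection.Assembly]::LoadFrom($AssemblyPath)
    $type = $assembly.GetType('Microsoft.Clm.Provision.FindOperationsByCulture', $true)

    # RegisterChannel throws if a channel with this name already exists (the second run in one session); reuse it instead
    $channel = [System.Runtime.Remoting.Channels.ChannelServices]::RegisteredChannels |
        Where-Object { $_.ChannelName -eq 'ClmHttpChannel' } | Select-Object -First 1
    if (-not $channel) {
        $sink = New-Object System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider
        $channel = New-Object System.Runtime.Remoting.Channels.Http.HttpClientChannel('ClmHttpChannel', $sink)
        [System.Runtime.Remoting.Channels.ChannelServices]::RegisterChannel($channel, $true)
    }

    # RegisterWellKnownClientType likewise throws on a second registration of the same type, and a
    # registration cannot be re-pointed at a different URL without a new session
    $registered = [System.Runtime.Remoting.RemotingConfiguration]::GetRegisteredWellKnownClientTypes() |
        Where-Object { $_.ObjectType -eq $type } | Select-Object -First 1
    if (-not $registered) {
        [System.Runtime.Remoting.RemotingConfiguration]::RegisterWellKnownClientType($type, $ClmUrl)
    } elseif ($registered.ObjectUrl -ne $ClmUrl) {
        throw "FindOperationsByCulture is already bound to '$($registered.ObjectUrl)' in this session; start a new session to target '$ClmUrl'."
    }

    # Activation is redirected, so this 'new' returns a transparent proxy to the CM server
    $proxy = New-Object -TypeName 'Microsoft.Clm.Provision.FindOperationsByCulture'

    # Attach the credential to the proxy's channel sink; the cache entry is keyed on the endpoint URI and scheme
    $cache = New-Object System.Net.CredentialCache
    $cache.Add((New-Object System.Uri $ClmUrl), $AuthType, $Credential.GetNetworkCredential())
    $props = [System.Runtime.Remoting.Channels.ChannelServices]::GetChannelSinkProperties($proxy)
    $props['credentials'] = $cache

    return $proxy
}

function Get-ClmProfileTemplate {
    param([Parameter(Mandatory = $true)] $Proxy)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Same call as the sample above; FIM CM only returns templates the connecting account is permitted to see
    $Proxy.FindAllProfileTemplates($culture, $culture)
}

# Usage: the password is typed at the prompt and never lands in the script or the command history
$proxy = Connect-ClmProvision -ClmUrl 'https://cmserver.contoso.com/certificatemanagement/remoterequests3.rem' `
                              -Credential (Get-Credential)
Get-ClmProfileTemplate -Proxy $proxy | Format-Table DisplayName
```

If you are working against the local server as in the sample above, call `Connect-ClmProvision -ClmUrl 'http://localhost/certificatemanagement/remoterequests3.rem' -AuthType NTLM -AllowHttp -Credential (Get-Credential)`; the second and later calls in the same session reuse the registered channel and type instead of failing.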


Unknown said...

Does this work with https and kerberos configuration also? Could you provide some example....

Craig Martin said...

Haven't tried with HTTPS but am pretty sure it'd work; as for Kerberos, it should also work. There is now a new API for CM in MIM 2016, so that is really worth checking out.