Friday, October 25, 2013

Windows Management Framework 4.0 is now available!

Party time!  WMF 4.0 (PowerShell 4.0) RTM is available now, including all of the Desired State Configuration stuff I’ve been blabbing about.  It even runs on older versions of Windows, so you don’t need to upgrade to Server 2012 R2 to get all the PowerShell goodness.

Thursday, October 24, 2013

PowerShell ISE Snippets for DSC

Just noticed we get DSC snippets in PowerShell ISE.  Cool!

Until now I had just been copying the existing DSC resources that ship with Windows, since they are just script modules so you can get right in there and poach away.

Monday, October 21, 2013

Desired State Configuration in Windows Server 2012 R2 PowerShell

The videos from TechEd are available online, and this one is a great explanation and demonstration of DSC:

Desired State Configuration in Windows Server 2012 R2 PowerShell

I’ve been toying a lot with DSC lately and believe it will be a great tool to handle FIM configuration automation (think Continuous Deployment for FIM).  This would be a good session to watch if you find that I’m talking too much about DSC and you want to start from square one.

Some highlights from the session:

  • Monad Manifesto – pretty cool that they set out their plan way back in 2002 and are still executing against it.  Doesn’t sound very agile (though I bet they are) but it sure helps with platform adoption to see such a plan.
  • DSC is a mixture of declarative and imperative, a combination of materials – I find this very interesting since the Sync Engine is going down the same path, although unfortunately not using the PowerShell language.
  • Dependency Graph – DSC resources can depend on other DSC resources, and the Local Configuration Manager (LCM) will just figure it out.  I’ve tried to generate configuration scripts for FIM and the toughest part was getting the dependencies untangled.  With DSC I get to outsource this.  BTW – I just tested this today with FIM Set objects that depend on other Set objects, and it works!
  • Idempotent Configurations – after scripting FIM deployments for a few years I have really wanted a way to make the deployment scripts both smaller and idempotent (make them safe to run multiple times with a consistent result).  DSC solves this problem by separating the intent from the action.
  • System Center VMM Demo – check out the demo at the 42 minute mark.  Cool stuff.
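To make the two highlights above concrete (the dependency graph and the idempotent intent/action split), here is a small DSC configuration. It is an added example, not code from the TechEd session or from the FIM project; the folder path, marker file and configuration name are made up for illustration.

```powershell
# Added example (not from the TechEd session or the original post): a minimal DSC
# configuration showing DependsOn (the LCM orders the resources) and the
# Test/Set separation that makes a configuration safe to apply repeatedly.
# Paths and names below are illustrative assumptions.
Configuration FimOneBoxPrereqs {
    param([string]$NodeName = 'localhost')

    Node $NodeName {
        # Intent: the folder exists. The File resource tests before it acts,
        # so a second run finds nothing to do.
        File ScriptsFolder {
            DestinationPath = 'C:\FIMScripts'
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        # A Script resource makes the intent/action split explicit:
        # TestScript decides whether SetScript runs at all.
        Script SetsMarker {
            TestScript = { Test-Path 'C:\FIMScripts\sets.done' }
            SetScript  = { New-Item 'C:\FIMScripts\sets.done' -ItemType File | Out-Null }
            GetScript  = { @{ Result = (Test-Path 'C:\FIMScripts\sets.done') } }
            # Ordering is declared, not sequenced: the LCM applies ScriptsFolder
            # first no matter where it appears in the Node block.
            DependsOn  = '[File]ScriptsFolder'
        }
    }
}

# Compile the MOF and apply it. Run Start-DscConfiguration twice: the second
# run reports every resource as already in the desired state.
FimOneBoxPrereqs -OutputPath 'C:\DSC\FimOneBoxPrereqs' | Out-Null
Start-DscConfiguration -Path 'C:\DSC\FimOneBoxPrereqs' -Wait -Verbose
```

The same pattern carries over to FIM objects: put the existence check (for example an Export-FIMConfig query) in TestScript and the New-FimImportObject call in SetScript, and let DependsOn express that one Set must exist before another that references it.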

SharePoint 2013 support for Windows Server 2012 R2

Bit of a roadblock in my PowerShell Desired State Configuration experiment for FIM.  I was hoping to get my FIM 1-box running on Windows Server 2012 R2 but unfortunately there is a compatibility problem with SharePoint 2013.

Not a show stopper though, since for this experiment I don’t need the FIM Portal at all (that’s kinda the point).  Guess I’ll just venture ahead using the FIM PowerShell module instead of the FIM Portal.

Thursday, October 17, 2013

The FIM Team User Group - Introduction to FIM Workflow Programming with PowerShell

Had the opportunity to present to the FIM Team User Group on FIM Workflow Programming with PowerShell.  It was a great turnout, thanks to everybody for participating!

View the recording of The FIM Team User Group meeting from 16 October 2013 20:00 GMT.

This meeting was presented by Craig Martin covering Introduction to FIM Workflow Programming with PowerShell - FIM 2010 is a great workflow engine capable of hosting custom workflow activities to perform a multitude of tasks. Those custom workflows are typically written in C# using Windows Workflow Foundation (WF), two tools that present a steep learning curve for the average IT Pro. PowerShell presents a much smaller learning curve, allowing quicker development of FIM workflows using the FIM PowerShell Workflow Activity. Come see how to get started writing FIM workflows with PowerShell.

The next planned meeting will be presented by David Lundell on Impact of deprecated features. Further details of the meeting will be sent through closer to the event, including Lync Online details and the meeting time in multiple time-zones.

Tuesday, October 15, 2013

Configuring SharePoint 2013 for the Forefront Identity Manager 2010 R2 Service Pack 1 Portal

Very nice article by Spencer Harbar on automating the configuration of SharePoint Foundation 2013 for use with the FIM Portal:

Configuring SharePoint 2013 for the Forefront Identity Manager 2010 R2 Service Pack 1 Portal

This was one of the last pieces in my VM automation for FIM 2010 on Windows Server 2012.  Had it all automated for FIM 2010 on Windows Server 2008 R2 but the SharePoint challenge made me put this on the back burner until now.  Waiting long enough seems to have worked, thanks to Spencer.

Monday, October 14, 2013

PowerShell Tools for Visual Studio

If you do a lot of work with PowerShell scripts and use TFS Source Control to manage them, then you need this awesome tool from Adam Driscoll (PowerShell MVP):

PowerShell Tools for Visual Studio

Simple to install, just find it in the Visual Studio Gallery.

Wednesday, October 09, 2013

FIM ValueViolatesUniqueness Error with ObjectSID

The FIM Service is smart enough to protect the ObjectSID attribute from duplication, but what happens if you land there by accident and need to replace the ObjectSID attribute?  The first challenge is finding the offender, because it isn’t easy (at least for me) to search on ObjectSID: the PowerShell cmdlet Export-FimConfig doesn’t support filtering on it.  If you try that cmdlet with this filter “/Person[ObjectSID='OHMYHOOFHEARTEDmmmmm==']” then you will get an error like this: “The endpoint could not dispatch the request”.

You can however remove the ObjectSID attribute if you manage to find the offending object, like this:

### Set ObjectSID to NULL
New-FimImportObject -ObjectType Person -State Put -AnchorPairs @{AccountName='hoofhearted'} -Changes @{
    ObjectSID = ''
} -ApplyNow

The challenge is, the second time you try that you’ll get this error:

Import-FIMConfig : Failure when making web service call.
SourceObjectID = 00000000-0000-0000-0000-000000000000
Error = The web service client has encountered the following class of error: ValueViolatesUniqueness
Details: AttributeName: ObjectSID
Additional Text Details: The specified attribute value must be unique for this Resource Type.

My guess is that FIM is caching the ObjectSID attribute values somewhere, and when you set it to ‘’ it is caching that value so you can’t use it again.

The workaround is to instead use a GUID (fairly random and safe to use).  You can do that like this:

### Set ObjectSID to a GUID
New-FimImportObject -ObjectType Person -State Put -AnchorPairs @{AccountName='hoofhearted'} -Changes @{
    ObjectSID = [System.Convert]::ToBase64String([Guid]::NewGuid().ToByteArray())
} -ApplyNow
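Since the hard part is finding the offender, here is an added example (not code from the original post) that pulls every Person with Export-FIMConfig, groups them client-side by ObjectSID, decodes the base64 value into the familiar S-1-5-... form, and then applies the GUID workaround above to whichever object you decide should not own the SID. It assumes the FIMAutomation snap-in and the FIM PowerShell module (New-FimImportObject) are loaded and that the FIM Service listens on localhost; the function names are mine.

```powershell
# Added example, not code from the original post. Assumes the FIMAutomation
# snap-in (Export-FIMConfig) and the FIM PowerShell module (New-FimImportObject)
# are available, and a FIM Service on localhost:5725.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function ConvertFrom-FimObjectSid {
    # FIM stores ObjectSID as base64 of the binary SID. Decode it for display.
    # A GUID placeholder written by the workaround is not a valid SID, so it is
    # reported as such instead of throwing.
    param([Parameter(Mandatory=$true)][string]$Base64Sid)
    try {
        $bytes = [System.Convert]::FromBase64String($Base64Sid)
        (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0).Value
    } catch {
        '(not a SID)'
    }
}

function ConvertTo-FimObjectSid {
    # The reverse: S-1-5-21-...-1104 into the base64 form FIM expects, handy when
    # comparing against the SID read from Active Directory.
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier $Sddl
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    [System.Convert]::ToBase64String($bytes)
}

function Get-FimDuplicateObjectSid {
    # Export every Person and group on the client, since an XPath filter on
    # ObjectSID is rejected by the FIM Service.
    param([string]$Uri = 'http://localhost:5725')
    $people = Export-FIMConfig -Uri $Uri -CustomConfig '/Person' -OnlyBaseResources
    $rows = foreach ($p in $people) {
        $attrs = $p.ResourceManagementObject.ResourceManagementAttributes
        $sid   = ($attrs | Where-Object { $_.AttributeName -eq 'ObjectSID' }).Value
        $acct  = ($attrs | Where-Object { $_.AttributeName -eq 'AccountName' }).Value
        if ($sid) {
            New-Object PSObject -Property @{
                AccountName = $acct
                ObjectSID   = $sid
                Sddl        = ConvertFrom-FimObjectSid $sid
            }
        }
    }
    $rows | Group-Object ObjectSID | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group }
}

function Clear-FimObjectSid {
    # The workaround from the post: a random GUID in base64 is unique, so the Put
    # succeeds where '' hits ValueViolatesUniqueness on the second attempt.
    # Returns the placeholder so it can be recognised later.
    param([Parameter(Mandatory=$true)][string]$AccountName)
    $placeholder = [System.Convert]::ToBase64String([Guid]::NewGuid().ToByteArray())
    New-FimImportObject -ObjectType Person -State Put -AnchorPairs @{AccountName=$AccountName} -Changes @{
        ObjectSID = $placeholder
    } -ApplyNow
    $placeholder
}

# Usage: list the offenders side by side, then clear the one that is wrong.
Get-FimDuplicateObjectSid | Format-Table AccountName, Sddl -AutoSize
# Clear-FimObjectSid -AccountName 'hoofhearted'
```

One caveat worth keeping in mind: the GUID placeholder is only a uniqueness trick. It is 16 random bytes, not a SID, so anything downstream that decodes ObjectSID (the decoder above included) will not be able to parse it until the real SID is flowed back in from AD.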



Tuesday, October 08, 2013

A hotfix rollup package (build 4.1.3469.0) is available for Forefront Identity Manager 2010 R2

The hotfix can be downloaded here.

There’s two fixes I’m happy about in this hotfix:

FIM Service
Issue 1
In some rare scenarios in which the Exchange server FIM Service tries to poll approval response email messages, an "ErrorInternalServerTransientError" error is returned. In these scenarios, the FIM Service throws an exception.
After you apply this update, you can configure a retry by setting the following values in the configuration file:


I hit this issue when using the Email OTP Gate.  The gate worked great, but when our mail servers got cranky the FIM Requests would fail with Access-Denied because the gate failed to send the email the first time.  This fix makes the gate behave more like the Email Notification Activity, whereby it will retry the email instead of failing.

FIM Synchronization Service
Issue 9

When the Set-MIISADMAConfiguration cmdlet is used in a multidomain environment, a corrupted configuration may occur.

Today this is the best option for automating FIM Sync configuration, so any improvement to FIM Sync PowerShell coverage is a big benefit for automation geeks.

Monday, October 07, 2013

What's Next for IT Pros?

Read an interesting article recently:

What's Next for IT Pros?

There is a really good comment from DrewTX near the bottom of the page that likens Microsoft’s behaviour to evolutionary transition.  In short; Microsoft is evolving, and so should IT Pros if they want to remain relevant/employed. 

We can witness this trend with the FIM product and its roadmap.  FIM hasn’t had much roadmap love lately, even when Microsoft is investing in identity by buying companies such as PhoneFactor.  We have not seen FIM Self-Service Password Reset extended to include phone authentication, but we have seen PhoneFactor quickly turn into Azure Multi-Factor Authentication (a service you can subscribe to) and we’ve also seen Multi-Factor Authentication turn into a feature for Azure AD accounts (so anybody with Office 365 could turn it on).  What I’m seeing mirrors the message I get from Microsoft, that they are investing heavily in the cloud and that doesn’t leave much left for the roadmaps of software products that get installed on-premises.

I totally agree with DrewTX when he says:

I say embrace the cloud; see it as an opportunity rather than a threat.

At the end of the day, we will still have software development and systems integration work to do, no matter where the systems run.