July 2011 - Posts

FIM - Management Agent Creation Error–Index was out of range
28 July 11 10:19 AM | forefrontsecurity | with no comments

Hi All,

Last week, I have encountered a strange issue with a multi Active Directory Domain Management Agent. This management agent was created initially to import users from a specific domain in a multi domain forest. All was working fine, and we wanted to add an other domain in the import flow.

We decided to create an temporary MA, to test the import. The validation of the MA failed with this error :

Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index

We made a network trace with Wireshark, and see that at the end of the creation, there is an ldap search :


The answer is :


Finally, we discover that an Exchange Schema Update was done in the forest (in order to create some ExtensionAttribute), but no DomainPrep. That’s why there was no msExchOrganizationContainer in the Configuration Partition.

The final solution was to manually create some fake object in the Configuration Partition.

Published by Olivier DETILLEUX

Management Policy Rules and portal Security
22 July 11 10:45 AM | forefrontsecurity | with no comments

As you might now, security and permissions are set on the forefront portal through MPRs.

Those MPR will determine which user or which set has what right on what resource!

This is a quick post giving you a few hints on how to work with these.

In my previous post I briefly explained to you how to use MPRs to allow a group of people to change values of others,

I will now show you how to user MPR to grant access for a Set of users to a portal Resource.

Suppose that like me you created a new search scope Called Custom Search Scope, and you would like to show this search scope to a set of privileged users, here is how you do it:

First of all this is my search Scope:


The keyword here is the main input you will need, in your usage keywords type some custom word, I put my name there.

Finish up creating you search scope and save it.

Next step is to create a set that represent your resource.

I called my set Custom Search Scope and as you can see in my search filter I chose search scope and looked for my custom search scope by looking for the keyword I added earlier to it.


Now create a set containing the users you want to give permission to, I’ll skip this step as it is simple enough.

Let’s go to the MPR that will control my search scopes’ display:


Set the requestor to be the group you wish to give permission to

The operation is a simple read and of course Grants permission because it’s a portal security issue.

And finally in your target resource:


Your target resource is the custom search scope set you created earlier.

Note tat you can play with permissions the same way with all of the portal’s resources which is pretty cool.


Published By Hicham Bardawil

User Creation Approval Workflow Part 3
21 July 11 03:48 PM | forefrontsecurity | with no comments

You now would like to add a search filter that will show you all of the users that need to be approved.

This is done by creating a new search scope:clip_image002

The usage keyword defines the place where the new search scope is displayed

Putting the “person” value in there will display this search scope in the Users context


The search definition will allow you to define your search parameters my parameters allow me to search for users that are active or that are not approved to export


That and a small IISRESET and you’ll have your new search scope ready to go !


Published By Hicham Bardawil

User Creation Approval Workflow Part 2
21 July 11 03:45 PM | forefrontsecurity | with no comments

Now let’s see how to deal with the approval workflow:

First of all you have to set the value of this attribute to your negative value so that you can later create a search scope that will show all of the users that need to be approved.

And you must do this to newly created users in the portal only:

To do that, in you user creation Workflow (from your source sql DB) add a function evaluator activity and tell it to set your value to “No”


Then, create you user sets for users that are not approved and another user set for users that are approved.

The sets must be criteria based and the criteria must be the value of your approval attribute.

And the last step is to create your transition MPRs that will activate the workflow when your users transition from the unapproved User set to the approved user Set.

And you now have an approval workflow for your user creation.

You might also add to you user creation workflow a notification action informing the admins that there are new users that need to be approved.

In my case I have to create an approval workflow for user disabling also but you get the idea J pretty flexible once you get the hang of it !

Published By Hicham Bardawil

User Creation Approval Workflow Part 1
21 July 11 03:42 PM | forefrontsecurity | with no comments

Let’s take an example where you have an SQL DB containing the source users and you would like to export them to an active directory domain.

And you have client that would like to approve that users must be created in Active directory before the export takes place.

FIM does not allow you to have approval workflows for user creation.

The best way I found to do it was to add to the user object in the FIM portal an approve for export dropdown menu . users will only be exported to AD when the value of this new attribute is set to “yes”. And this is how it was done:

First you need to create the new attribute in the FIM, Schema Management menu.


Create a new attribute as a Boolean or a string depending on the number of values you wich to propose to the User.

I chose Boolean and Forced the User choice by using this validation string pattern “^(yes|no)?$”

Once the attribute is created link it to the user object.


And add permissions to this attribute in:

a. Administrator and non-administrator filter permissions

b. Administrators can read and update Users MPR

You now which to display this object in the user properties:

This is how I displayed my two new attributes


As you can see, I created a new tab ad added my new attributes to it.

This is done by changing the RCDC (resource control display configuration) of the Configuration for User Editing.

Just export the current configuration


You’ll get and XML file edit it by adding the link to the attributes you want to add and import it back to the portal.

Here is what my new tab and attributes look like in xml

<my:Grouping my:Name="ADStatus" my:Caption="Status in AD" my:Description="Confirm User Creation or User Disable in ADROOT" my:Enabled="true" my:Visible="true">

<my:Control my:Name="EmployeeStatus" my:TypeName="UocLabel" my:Caption="{Binding Source=schema, Path=EmployeeStatus.DisplayName}" my:Description="{Binding Source=schema, Path=EmployeeStatus.Description}" my:RightsLevel="{Binding Source=rights, Path=EmployeeStatus}">


<my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=EmployeeStatus.Required}"/>

<my:Property my:Name="Text" my:Value="{Binding Source=object, Path=EmployeeStatus, Mode=TwoWay}"/>



<my:Control my:Name="ApprovedforExport" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=ApprovedforExport.DisplayName}" my:Description="{Binding Source=schema, Path=ApprovedforExport.Description}" my:RightsLevel="{Binding Source=rights, Path=ApprovedforExport}">


<my:Property my:Name="ValuePath" my:Value="Value"/>

<my:Property my:Name="CaptionPath" my:Value="Caption"/>

<my:Property my:Name="HintPath" my:Value="Hint"/>

<my:Property my:Name="ItemSource" my:Value="{Binding Source=schema, Path=ApprovedforExport.LocalizedAllowedValues}"/>

<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=ApprovedforExport, Mode=TwoWay}"/>



<my:Control my:Name="disableinad" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=disableinad.DisplayName}" my:Description="{Binding Source=schema, Path=disableinad.Description}" my:RightsLevel="{Binding Source=rights, Path=disableinad}">


<my:Property my:Name="ValuePath" my:Value="Value"/>

<my:Property my:Name="CaptionPath" my:Value="Caption"/>

<my:Property my:Name="HintPath" my:Value="Hint"/>

<my:Property my:Name="ItemSource" my:Value="{Binding Source=schema, Path=disableinad.LocalizedAllowedValues}"/>

<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=disableinad, Mode=TwoWay}"/>




A grouping is the TAB and then under this grouping you add the control (as in attribute) that you which to display.

Annnd you’re done, of course you now have to create the workflow to deal with this approval process which I will show you in my next part


Published By Hicham Bardawil

Allowing a group of users to administer specific user attributes in FIM
21 July 11 03:38 PM | forefrontsecurity | with no comments


I’ve recently had to deal with a lot of FIM issues I now have finally found the time to share with you some of the things I learned, hope this helps:

So you want to allow a group of users to be able to edit a specific user attribute for all the other users in the portal.

MPR will allow you to do that but before even getting to that point note that in your import attribute flows remember that FIM users the ObjectSID user attribute to control access to the portal so you need to sync this attribute otherwise you’ll have the famous service not available error screen:


Then you can create a user set to which you add the users that will administer the portal and set this attribute

Either enable the User management: Users can read selected attributes of other users MPR and configure it as pleases you or create another one and set the values (remember to check the grant permission checkbox)


If like me you had to add a new attribute to the schema and attach it to the user object remember to set in you RCDC the my:RightsLevel" section in the field definition as per this example

<my:Control my:Name="EmployeeType" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=EmployeeType.DisplayName}" my:Description="{Binding Source=schema, Path=EmployeeType.Description}" my:RightsLevel="{Binding Source=rights, Path=EmployeeType}">


Published By Hicham Bardawil

Toutes nos félicitations au MVP Microsoft 2011!
03 July 11 10:58 AM | forefrontsecurity | with no comments

Bonjour à tous,

Un rapide post pour vous annoncer que cette année et pour la première fois, je suis nommé MVP Forefront. Un grand merci aux personnes qui ont soutenu ma candidature, tant chez Micosoft que chez mes collègues MVP.

Je vais continuer à travers ce blog et la communauté à vous faire partager mon expérience autour des technos Forefront entre autre.


Hi all,

A quick post to announce that I’ve been awarded the title of MVP on Forefront. I’m really glad to join the crew this year. Thank you to all the people that have supported my candidacy.

Published by Olivier DETILLEUX

Filed under: , , ,

This Blog


    We talk about Forefront Unified Access Gateway, Web SSO, DirectAccess, Threat Management Gateway, Identity Manager and other Forefront Technologies. Also, some post about Active Directory and other Identity and Access technos.