Forefront Security at myITForum : FIM 2010

FIM 2010 – Automatically Generate the DisplayName during the creation of a new user in the Portal

forefrontsecurity — Thu, 01 Dec 2011 10:19:16 GMT

Like me, you certainly want to generate automatically the DisplayName or other information during the creation of a user in the Portal. We have FirstName and LastName, why would we fill the DisplayName ?

If you let the DisplayName empty, after the creation you will see your user as (No DisplayName).

Here is a solution.

First, customize you RCDC for User Creation to not display the DisplayName uocTextBox. We don’t need it anymore.

Then before any other workflow, execute an action workflow that will evaluate the value of the DisplayName. It’s very easy :

Create a new workflow, and choose a function evaluator workflow
Provide a name, and specify the attribute you want to populate. In our example : [//Target/DisplayName]
Then create the value using the concatenation of LastName, “ “, FirstName
Save and Launch this workflow with a MPR

That’s it. Now, when a user is created in the Portal, DisplayName is automatically generated. Pretty cool isn’t it ?

Published by Olivier DETILLEUX

Implementing Office 365 in a multi-forest context

forefrontsecurity — Sun, 21 Aug 2011 17:06:01 GMT

Single Sign-On (SSO) is one of the new features brought by Office 365. This relies on the following Microsoft technologies:

The Directory Synchronization tool (DirSync) based on Identity Lifecycle Manager (ILM) 2007 to sync your on-premises directory with Office 365.
Active Directory Federation Services (AD FS) 2.0 to provide authentication between your environment and Office 365.

If the benefits are important, one main limitation still exists: you cannot synchronize multiple forests. To address this scenario, Microsoft recommends to consolidate your forests or to use your primary logon forest only. This requires a deep Active Directory cleanup prior to beginning your Office 365 deployment.

To overcome this issue, I worked with Julien Peigné – Unified Communications Consultant at vNext – to develop a unique approach to sync and federate your forests with Office 365. Here is how it works in 3 main steps:

Consolidation: A new, dedicated forest is created to provide a clean and consolidated directory. This directory will be synced with Office 365 using DirSync.
Synchronization: User accounts are synced between the existing forests and the new resource forest using Forefront Identity Manager (FIM) 2010.
Federation: AD FS 2.0 is setup and configured in each forest to provide a transparent authentication between your environment and Office 365.

The following figure summarizes the solution:

This provides some interesting benefits:

All types of directories: using FIM 2010, we can provide Office 365 accounts to all your users no matter their directory (Active Directory, LDAP, SQL…).
Step-by-step migration: using FIM 2010, we can filter and gradually fund accounts from your existing forests to the new resource one.
Deployment accelerator: there is no need to cleanup your existing directories. Malformed, inactive or disabled accounts can simply be ignored with FIM 2010.
No impact: No change is required on your existing directories. We only sync the attributes that DirSync needs using FIM 2010.

Feel free to contact us for more information about this solution. Please also note that this has not been tested by the Office 365 team and is consequently not supported by Microsoft. However, we tested it and validated it in our test labs at vNext.

Published by Olivier DETILLEUX

FIM - Management Agent Creation Error–Index was out of range

forefrontsecurity — Thu, 28 Jul 2011 08:19:42 GMT

Hi All,

Last week, I have encountered a strange issue with a multi Active Directory Domain Management Agent. This management agent was created initially to import users from a specific domain in a multi domain forest. All was working fine, and we wanted to add an other domain in the import flow.

We decided to create an temporary MA, to test the import. The validation of the MA failed with this error :

We made a network trace with Wireshark, and see that at the end of the creation, there is an ldap search :

The answer is :

Finally, we discover that an Exchange Schema Update was done in the forest (in order to create some ExtensionAttribute), but no DomainPrep. That’s why there was no msExchOrganizationContainer in the Configuration Partition.

The final solution was to manually create some fake object in the Configuration Partition.

Published by Olivier DETILLEUX

Management Policy Rules and portal Security

forefrontsecurity — Fri, 22 Jul 2011 08:45:57 GMT

As you might now, security and permissions are set on the forefront portal through MPRs.

Those MPR will determine which user or which set has what right on what resource!

This is a quick post giving you a few hints on how to work with these.

In my previous post I briefly explained to you how to use MPRs to allow a group of people to change values of others,

I will now show you how to user MPR to grant access for a Set of users to a portal Resource.

Suppose that like me you created a new search scope Called Custom Search Scope, and you would like to show this search scope to a set of privileged users, here is how you do it:

First of all this is my search Scope:

The keyword here is the main input you will need, in your usage keywords type some custom word, I put my name there.

Finish up creating you search scope and save it.

Next step is to create a set that represent your resource.

I called my set Custom Search Scope and as you can see in my search filter I chose search scope and looked for my custom search scope by looking for the keyword I added earlier to it.

Now create a set containing the users you want to give permission to, I’ll skip this step as it is simple enough.

Let’s go to the MPR that will control my search scopes’ display:

Set the requestor to be the group you wish to give permission to

The operation is a simple read and of course Grants permission because it’s a portal security issue.

And finally in your target resource:

Your target resource is the custom search scope set you created earlier.

Note tat you can play with permissions the same way with all of the portal’s resources which is pretty cool.

Cheers

Published By Hicham Bardawil

User Creation Approval Workflow Part 3

forefrontsecurity — Thu, 21 Jul 2011 13:48:11 GMT

You now would like to add a search filter that will show you all of the users that need to be approved.

This is done by creating a new search scope:

The usage keyword defines the place where the new search scope is displayed

Putting the “person” value in there will display this search scope in the Users context

The search definition will allow you to define your search parameters my parameters allow me to search for users that are active or that are not approved to export

That and a small IISRESET and you’ll have your new search scope ready to go !

cheers

Published By Hicham Bardawil

User Creation Approval Workflow Part 2

forefrontsecurity — Thu, 21 Jul 2011 13:45:24 GMT

Now let’s see how to deal with the approval workflow:

First of all you have to set the value of this attribute to your negative value so that you can later create a search scope that will show all of the users that need to be approved.

And you must do this to newly created users in the portal only:

To do that, in you user creation Workflow (from your source sql DB) add a function evaluator activity and tell it to set your value to “No”

Then, create you user sets for users that are not approved and another user set for users that are approved.

The sets must be criteria based and the criteria must be the value of your approval attribute.

And the last step is to create your transition MPRs that will activate the workflow when your users transition from the unapproved User set to the approved user Set.

And you now have an approval workflow for your user creation.

You might also add to you user creation workflow a notification action informing the admins that there are new users that need to be approved.

In my case I have to create an approval workflow for user disabling also but you get the idea J pretty flexible once you get the hang of it !

Published By Hicham Bardawil

User Creation Approval Workflow Part 1

forefrontsecurity — Thu, 21 Jul 2011 13:42:20 GMT

Let’s take an example where you have an SQL DB containing the source users and you would like to export them to an active directory domain.

And you have client that would like to approve that users must be created in Active directory before the export takes place.

FIM does not allow you to have approval workflows for user creation.

The best way I found to do it was to add to the user object in the FIM portal an approve for export dropdown menu . users will only be exported to AD when the value of this new attribute is set to “yes”. And this is how it was done:

First you need to create the new attribute in the FIM, Schema Management menu.

Create a new attribute as a Boolean or a string depending on the number of values you wich to propose to the User.

I chose Boolean and Forced the User choice by using this validation string pattern “^(yes|no)?$”

Once the attribute is created link it to the user object.

And add permissions to this attribute in:

a. Administrator and non-administrator filter permissions

b. Administrators can read and update Users MPR

You now which to display this object in the user properties:

This is how I displayed my two new attributes

As you can see, I created a new tab ad added my new attributes to it.

This is done by changing the RCDC (resource control display configuration) of the Configuration for User Editing.

Just export the current configuration

You’ll get and XML file edit it by adding the link to the attributes you want to add and import it back to the portal.

Here is what my new tab and attributes look like in xml

<my:Grouping my:Name="ADStatus" my:Caption="Status in AD" my:Description="Confirm User Creation or User Disable in ADROOT" my:Enabled="true" my:Visible="true">

<my:Control my:Name="EmployeeStatus" my:TypeName="UocLabel" my:Caption="{Binding Source=schema, Path=EmployeeStatus.DisplayName}" my:Description="{Binding Source=schema, Path=EmployeeStatus.Description}" my:RightsLevel="{Binding Source=rights, Path=EmployeeStatus}">

<my:Properties>

<my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=EmployeeStatus.Required}"/>

<my:Property my:Name="Text" my:Value="{Binding Source=object, Path=EmployeeStatus, Mode=TwoWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="ApprovedforExport" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=ApprovedforExport.DisplayName}" my:Description="{Binding Source=schema, Path=ApprovedforExport.Description}" my:RightsLevel="{Binding Source=rights, Path=ApprovedforExport}">

<my:Properties>

<my:Property my:Name="ValuePath" my:Value="Value"/>

<my:Property my:Name="CaptionPath" my:Value="Caption"/>

<my:Property my:Name="HintPath" my:Value="Hint"/>

<my:Property my:Name="ItemSource" my:Value="{Binding Source=schema, Path=ApprovedforExport.LocalizedAllowedValues}"/>

<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=ApprovedforExport, Mode=TwoWay}"/>

</my:Properties>

</my:Control>

<my:Control my:Name="disableinad" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=disableinad.DisplayName}" my:Description="{Binding Source=schema, Path=disableinad.Description}" my:RightsLevel="{Binding Source=rights, Path=disableinad}">

<my:Properties>

<my:Property my:Name="ValuePath" my:Value="Value"/>

<my:Property my:Name="CaptionPath" my:Value="Caption"/>

<my:Property my:Name="HintPath" my:Value="Hint"/>

<my:Property my:Name="ItemSource" my:Value="{Binding Source=schema, Path=disableinad.LocalizedAllowedValues}"/>

<my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=disableinad, Mode=TwoWay}"/>

</my:Properties>

</my:Control>

</my:Grouping>

A grouping is the TAB and then under this grouping you add the control (as in attribute) that you which to display.

Annnd you’re done, of course you now have to create the workflow to deal with this approval process which I will show you in my next part

Cheers

Published By Hicham Bardawil

Allowing a group of users to administer specific user attributes in FIM

forefrontsecurity — Thu, 21 Jul 2011 13:38:55 GMT

I’ve recently had to deal with a lot of FIM issues I now have finally found the time to share with you some of the things I learned, hope this helps:

So you want to allow a group of users to be able to edit a specific user attribute for all the other users in the portal.

MPR will allow you to do that but before even getting to that point note that in your import attribute flows remember that FIM users the ObjectSID user attribute to control access to the portal so you need to sync this attribute otherwise you’ll have the famous service not available error screen:

Then you can create a user set to which you add the users that will administer the portal and set this attribute

Either enable the User management: Users can read selected attributes of other users MPR and configure it as pleases you or create another one and set the values (remember to check the grant permission checkbox)

If like me you had to add a new attribute to the schema and attach it to the user object remember to set in you RCDC the my:RightsLevel" section in the field definition as per this example

<my:Control my:Name="EmployeeType" my:TypeName="UocDropDownList" my:Caption="{Binding Source=schema, Path=EmployeeType.DisplayName}" my:Description="{Binding Source=schema, Path=EmployeeType.Description}" my:RightsLevel="{Binding Source=rights, Path=EmployeeType}">

Published By Hicham Bardawil

FIM 2010–Service not available

forefrontsecurity — Wed, 13 Apr 2011 20:20:45 GMT

Hi all,

Just a little note about a common problem after Forefront Identity Manager 2010 installation. During the first access to the portal, you may encountered the following error :

“ Service Not Available – Please contact your help desk or system administrator”

This error appends to me when I access the IdentityManagement using the FDQN of the portal, but not when I use the short name. For my example :

https://fim/identitymanagement works well but https://fim.labiam.corp/identitymanagement returns an error.

After a quick look at the EventViewer on the FIM Server, I can see that there are lots of SharePoint 8214 errors:

2 points to solve this problem :

First, add https://<your fim server fqdn> to the intranet local sites
Second, add https://<your fim server fqdn> to the Intranet URL of the Alternate Access Mappings Configuration

And that’s it. This is one of the main case you can encountered after FIM Installation.

Published by Olivier DETILLEUX

UAG, FIM and an encrypted SQL repository–part 2

forefrontsecurity — Wed, 23 Feb 2011 10:39:56 GMT

Hi all,

In the previous post, we have seen how put an encrypted value in an SQL database with FIM Password Management.

We now want to :

Connect to the SQL database with UAG
Secure this connection
Get the encrypted password
Decrypt the password
Add the password to the user session

Securing the SQL connection

It is necessary to encrypt the sql connection, otherwise we can find the password in the TCP frame. Below is the details of a captured frame :

We can clearly view the password of jkirk user.

To secure the connection, the easiest way is :

Create a server certificate for the SQL server
Put the certification authority certificate in the Trusted Root Certification Container of the UAG server
Activate the Secure Only connection

Create the certificate

Create a server certificate with you private certification authority :

type : server authentication
name : sql server name (or fqdn, depends of what you set in the connection string)

Activate the Secure Only connection

On the SQL server, open the SQL Server Configuration Manager. Edit the Protocols Properties, and set the ForceEncryption to Yes

Restart the SQL connection

Now, you can see that all frame are encrypted.

Getting and decrypting the password with UAG

If you don’t have read the previous post (Publishing internet web site through UAG – part 3), here is the actual postpostvalidate.inc file :

' get lead user

set user_vec = getsessionuservec(g_cookie)

for each user in user_vec.uservec

user_name = user.User

Next

' sql connection

' variable initialization

dim oconn, oRecordSet, scommandText, sconnectionstring

scommandText = “select * from <your database/table name> where leaduser=’” & user_name & “’”

' setting up SQL-connection-string

sconnectionString = “Provider=SQLoLEDB; Data Source=<SQL server Name>\<instance>;Initial catalog=<table>;user ID=<sql user>;Password=<user password>’

' Setting up SQL-connection object

set oConn=Server . createobj ect ( ADODB.connection”)

oconn. connectionString=sconnectionString

' open SQL—connection

oconn. Open

' Send the query to SQL

set oRecordSet = Server, createobject (“ADoDB.recordset”)

oRecordSet. open scommandText, oconn

' add secondary session to the user

if not oRecordSet.EOF then

do while not oRecordSet.EOF

addsessionuser g_cookie,oRecordSet(”appLogon”) ,oRecordSet(”appPassword”) ,oRecordSet(”application”)

oRecordSet. moveNext

loop

end if

Previously, the SQL Database was on the UAG Server. We now want to connect to a remote database. The SQL Connection String is not different, just use your remote server name.

In order to decrypt the encrypted password, it is necessary to open the key. Add the following line in the postpostvalidate.inc file :

‘ open the symmetric key

scommandText = “open symmetric key SSN_KEY_01 decryption by certificate UserRepositoryCertificate”

oRecordSet.open sCommandText, oConn

To get and decrypt the password, change the commandText line :

scommandText = “select appLogon, application, convert('varchar, DecryptByKey(appPasswordEncrypt)) appPasswordDecrypted from <your table name> where leaduser=’” & user_name & “’”

And the addsessionuser is now :

addsessionuser g_cookie, oRecordSet(“appLogon”), oRecordSet(“appPasswordDecrypted”), oRecordSet(“application”)

You can make the same changes in the CustomRepository.inc file.

Published by Olivier DETILLEUX

Synchronize Active Directory Password to an SQL database with FIM and PCNS

forefrontsecurity — Tue, 08 Feb 2011 14:12:44 GMT

Hi,

For the purpose of my “Internet Web Site Publishing Scenario”, I have to find a way to push an Active Directory Password to an SQL Database.

As you know, we cannot read stored passwords in an Active Directory. The only solution, is to catch the password before the encryption. PCNS (Password Change Notification Service), a FIM integrated functionality, can do that for us.

SQL Database Configuration

First, the SQL Configuration. I want to push the passwords in a specific table, for a specific user :

Here is my table :

FIM Installation

Read the article of my colleague, Hicham (http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2010/03/17/forefront-identity-management-2010-installation.aspx) to a complete step by step.

Next, I have created to management agent :

One for Active Directory reading
One for SQL writing

Nothing complicated. Nothing about Password for the moment.

PCNS installation

Active Directory Schema Extension

In order to use PCNS, it is necessary to extend the Active Directory Schema.

On a domain controller, run the following command :

msiexec /I “C:\sources\Forefront Identity Manager\Password Change Notification Service\Password Change Notification Service.msi” SCHEMAONLY=TRUE

This command start the installation

A restart is needed.

After that, create a global security group in Active Directory. Only the password of the members of this group are synchronized.

SPN and PCNS configuration

On the domain controller, launch a cmd window, and run the following command :

setspn –a PCNSCLIENT/<fqdn of your FIM server> <domain>\<FIM service account>

You can view the result with the setspn –L <fim service account> command

Then configure PCNS :

pcnscfg.exe addtarget /N:PCNSCLIENT /A:<fqdn of your FIM server> /S:PCSNSCLIENT/<fqdn of your FIM server> /fi:"”<name of the PCNS Active Directory Group> /f:3

A restart is needed.

FIM Configuration

Now, we have to define the source password repository and the destination.

First, go in FIM and open the options menu. Enable the Password Synchronization functionality.

On the Active Directory MA, edit the properties, and Enable Password Sync Source. Select the SQL MA as a target.

On the SQL MA, edit the properties and Enable Password Management. Edit the settings and disable the secure connection option. For the moment, the connection to the SQL database is unsecure. We will see in an other post how we can enable that, and push encrypt password.

SQL doesn’t have a predefined extension rule for password sync. We have to create our own DLL. Specify a name in the Extension Name (SQLPwdChange.dll for that example).

In the Settings of Connection Information, you can specify an user account, password and domain, that has the right to connect to the SQL database.

Custom SQL Password Extension Rule

A custom password extension rule has the following form :

namespace Miis_PasswordManagement
{
    public class MAPasswordManagement : IMAPasswordManagement
    {
        public MAPasswordManagement // constructor

public void BeginConnectionToServer // start a connection to a server

public void EndConnctionToServer // close the active connection

public ConnectionSecurityLevel // Get the security level for the connection

public void SetPassword // function to set a password

public void changePassword // function to change a password

public void RequireChangePasswordOnNextLogin // force the change of the password at next login

}
}

My custom password extension rule :

MAPasswordManagement

BeginConnectionToServer

EndConnectionToServer

SetPassword

Testing

Now we can test. Try to change or set a password for an existing user in Active Directory. In my Case, for tmosby.

The new password is immediately pushed in the database for my user.

An other test : Create a new user in active directory, and set a password. My new user is tscavo. Set that the user must change jis passworrd Next Login.

In FIM, run an import / sync on the AD MA :

Run an Export to SQL

User is created in SQL.

Open a session with this new user, and change the password. Check that the new password is created in SQL

Troubleshooting

Why my password isn’t synchronized ?

First of all, check that the user is a member of the Security Group allowed to synchronize password.

Then, check the eventlog on the DC. When a password change is detected, a 2100 event in the Application Event Log appears.

Check that the version of PCNS is correct for your Domain Controller architecture (x86 or x64). A miss configuration would cause 6002 events.

If all seems to be ok on the Domain Controller, check on the FIM side. You can trace the PCNS events in the database. Have a look in the mms_tracking_entries_history. You will see all the events. Look for your user, for example “tscavo”. You will see the source and the target event.

If all is ok, the target event should finish with a 0x0 result code.

If there is a problem during the synchronization, a specific result code is generated.

For example, you may encountered 0x80231302 error, related to the server connection (generally generated when secure connection is activated on a target that doesn’t support that).

In a another article, we will see how we can encrypt the communication, the password, and how UAG can read this encrypted password.

Published by Olivier DETILLEUX

New-MoveRequest error during FIM Gal Sync

forefrontsecurity — Thu, 02 Sep 2010 15:57:00 GMT

Today, I have experienced a problem during GAL Sync between an Exchange 2003 and an Exchange 2010 SP1 with Forefront IM 2010

The goal of the GAL Sync is to provision some MailUsers in a resources Forest. MailUsers are linked to user accounts in an accounts Forest.

Below is the synchronisation schema.

In order to create the MailUser, I use this ExchangeUtils commands :

csentry = ExchangeUtils.CreateMailbox(myMailADMA, dn, mailNickname, homeMDB)

then set a targetaddress and add the original ObjectSid as a msExchMasterAccountSid (to link the mailbox). In the end, I have got a “LinkedMailUser”.

Before the SP1 of Exchange, I was able to launch a move request :

New-MoveRequest -identity mailuser@ex2k3exchangeForest.lan -RemoteLegacy -RemoteGlobalCatalog remoteEx2k3GC -RemoteCredential $UserCred -TargetDeliveryDomain resourceForest.lan

But after Exchange 2010 SP1, the same cmd is in error with the following message :

-> Target User ‘xxxxxxxxxxxxxxxx’ already has a primary mailbox.

The problem comes from the HomeMDB attribute. With Exchange 2010 SP1, this attribute must be empty during the New-MoveRequest.

Another solution is to use ExchangeUtils.CreateMailEnabledUser, but that’s an other point : it’s easier for me to use CreateMailbox

Published by Olivier DETILLEUX

Debugging your ILM/MIIS provisioning Code

forefrontsecurity — Thu, 22 Jul 2010 09:08:00 GMT

one of the most useful features you can use to troubleshoot your MIIS provisioning is the Visual Studio Debug.

since everything related to your provisioning is done in your code, it is very useful to follow step by step what’s going on in your code,

this is how its done:

first of all make sure your provisioning Code is not running in a separate process :

same goes for you export and import rule extensions of course.

then go to your visual Studio project configuration manager and make sure you are compiling you code in debug Mode:

to start your debugging attach your code to the MIIServer process

and select a location in your code where you want to set your breakpoint, I like to start at the beginning but you can break at a any location if you are looking for something specific:

now go back to your synchronization service console and select a user you want to test the synchronization process on:

basically a user you just imported

select preview and generate a preview:

and if you did everything right your debugging process will start and visual studio will stop at the breakpoint you specified and you will be able to cycle through your code seeing exactly what happens at every line:

if after you click on generate preview the debug does not work check the following:

You ran your code in debug mode
Check for the debug file generated next to you dll and delete it then recompile
your provisioning or extension attribute dlls are not running in separate processes

hope this helps

Published By Hicham Bardawil