Tag Archives: FIM 2010

FIM 2010: How to Use PowerShell to Create a CSV of FIM/MIM Metaverse Connections

FIM ScriptBox Item

Summary

Knowing your Metaverse objects and their corresponding connections is key to a healthy identity solution. Provisioning, de-provisioning, join rules (or the lack of them), use of the Join tool, and inconsistent data from your source systems can all leave Metaverse objects without the MA connections they need.

The Synchronization Service Manager tool lets you open each Metaverse object and view its connections, one row per connector.

The information is helpful, but wouldn’t it be great to have each MA as a column and look at the entire Metaverse at once? You could create a unique Metaverse attribute for each MA and configure each MA to flow a value into its new Metaverse attribute, but sometimes you don’t have that luxury because of a lack of Metaverse attribute space, change control, or organizational red tape. Further, you still need to get the data out into a file for analysis.

Listed below are two scripts, a PowerShell script and an accompanying SQL script, which export each Metaverse object and its Management Agent connections in CSV format. Each row is a Metaverse "person" object, and each column is a Management Agent whose connection status you want to determine.

I should note that the SQL script is querying the Synchronization Service database directly, therefore you should stop all your MA runs prior to running the script. For added protection, the first two lines of the script are to stop and disable the Synchronization Service. I leave it up to you to enable and start up the service when you are done or you can add it to the script.


Usage

Copy the two scripts to C:\Scripts, and launch PowerShell with credentials that have access to query the FIMSynchronizationService database, then type:

.\export-connectors.ps1

The file connectors.csv should be created and can be opened in Excel for sorting, filtering, and analysis.

Enable and start the FIM Synchronization Service when complete.


Script Code

export-connectors.sql

Replace the ma.ma_name values ('HR', 'AD', 'MIM') with your management agent names exactly as they appear in the Management Agents tool of Synchronization Service Manager.

-- Loop over every Metaverse object and emit one row per object showing the
-- connector space RDN for each Management Agent of interest (NULL = no connector).
DECLARE @i INT
DECLARE @NumRows INT
DECLARE @ObjID UNIQUEIDENTIFIER

SET @i = 1
SET @NumRows = (SELECT COUNT(*) FROM mms_metaverse)

IF @NumRows > 0
WHILE (@i <= @NumRows)
BEGIN
    -- Pick the i-th Metaverse object (ordered by object_id)
    SET @ObjID =
    (
        SELECT object_id FROM
        (
            SELECT ROW_NUMBER() OVER (ORDER BY object_id) AS RowNumber, * FROM mms_metaverse
        ) AS MetaVerse
        WHERE RowNumber = @i
    )

    -- Pivot this object's connectors into one column per MA.
    -- Replace 'HR', 'AD' and 'MIM' with the MA names shown in Synchronization Service Manager.
    SELECT
        MAX(CASE WHEN ma.ma_name = 'HR'  THEN cs.rdn END) AS "HR System",
        MAX(CASE WHEN ma.ma_name = 'AD'  THEN cs.rdn END) AS "Active Directory",
        MAX(CASE WHEN ma.ma_name = 'MIM' THEN cs.rdn END) AS "MIM Service"
    FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] AS "csmv"
    JOIN [FIMSynchronizationService].[dbo].[mms_connectorspace] AS "cs"
        ON csmv.cs_object_id = cs.object_id
    JOIN [FIMSynchronizationService].[dbo].[mms_management_agent] AS "ma"
        ON cs.ma_id = ma.ma_id
    WHERE csmv.mv_object_id = @ObjID

    SET @i = @i + 1
END

export-connectors.ps1

Replace the -ServerInstance value with the SQL Server hosting the FIMSynchronizationService database. If the database is on a named SQL instance, enter Server\Instance.

# Stop and disable the Synchronization Service so no MA run changes the tables while the query runs.
Stop-Service FIMSynchronizationService
Set-Service FIMSynchronizationService -StartupType "Disabled"

# Run the SQL script against the Sync Service database and write one CSV row per Metaverse object.
Invoke-Sqlcmd -Database FIMSynchronizationService -ServerInstance SQL_SERVER_NAME_HERE -InputFile C:\Scripts\export-connectors.sql | Export-Csv -NoTypeInformation C:\Scripts\connectors.csv
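The article leaves restarting the service and the "missing connector" analysis to the reader. The following is an added example, not the TechNet article's own script: it wraps the same approach in a function that records and later restores the Synchronization Service state in a finally block, runs one set-based query (LEFT JOINs, so Metaverse objects with no connector at all still produce a row) instead of the per-object loop, and reports how many objects lack a connector on each MA or on every MA. It assumes Invoke-Sqlcmd is available (SqlServer or SQLPS module) and that mms_metaverse exposes an object_type column next to object_id; the MA names are the article's and the server name is a placeholder.

```powershell
# Added example (not the article's script). Assumed: Invoke-Sqlcmd is available and
# mms_metaverse has an object_type column. 'SQL_SERVER_NAME_HERE' is a placeholder.
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
    Import-Module SqlServer -ErrorAction Stop
}

function Test-NullCell ($Value) {
    # Invoke-Sqlcmd surfaces SQL NULL as [System.DBNull]; treat that and '' as "no connector".
    return ($null -eq $Value) -or ($Value -is [System.DBNull]) -or ([string]$Value -eq '')
}

function Export-MetaverseConnectors {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,        # 'SQL01' or 'SQL01\FIM' for a named instance
        [string]$Database   = 'FIMSynchronizationService',
        [string]$OutputPath = 'C:\Scripts\connectors.csv',
        # CSV column header -> MA name exactly as shown in Synchronization Service Manager
        [System.Collections.IDictionary]$ManagementAgents = [ordered]@{
            'HR System' = 'HR'; 'Active Directory' = 'AD'; 'MIM Service' = 'MIM'
        }
    )
    $serviceName = 'FIMSynchronizationService'

    # One pivot column per MA; single quotes in MA names are doubled to keep the literal valid.
    $columnSql = @(foreach ($header in $ManagementAgents.Keys) {
        $maName = $ManagementAgents[$header] -replace "'", "''"
        "MAX(CASE WHEN ma.ma_name = '$maName' THEN cs.rdn END) AS [$header]"
    }) -join ",`n       "

    # LEFT JOINs keep Metaverse objects that have no connector (all MA columns NULL).
    $query = @"
SELECT mv.object_id AS [MV ObjectId], mv.object_type AS [MV ObjectType],
       $columnSql
FROM dbo.mms_metaverse AS mv
LEFT JOIN dbo.mms_csmv_link        AS csmv ON csmv.mv_object_id = mv.object_id
LEFT JOIN dbo.mms_connectorspace   AS cs   ON cs.object_id = csmv.cs_object_id
LEFT JOIN dbo.mms_management_agent AS ma   ON ma.ma_id = cs.ma_id
GROUP BY mv.object_id, mv.object_type
ORDER BY mv.object_id;
"@

    # Remember how the service was configured so the finally block can put it back.
    $wasRunning  = (Get-Service -Name $serviceName).Status -eq 'Running'
    $startMode   = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartMode
    $restoreType = switch ($startMode) { 'Auto' { 'Automatic' } 'Manual' { 'Manual' } default { 'Disabled' } }

    try {
        # Quiesce the Sync Service so no MA run changes the tables while we read them.
        Stop-Service -Name $serviceName -Force
        Set-Service  -Name $serviceName -StartupType Disabled

        $rows  = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query)
        $props = @('MV ObjectId', 'MV ObjectType') + @($ManagementAgents.Keys)
        # Select-Object drops the DataRow bookkeeping properties (RowState, Table, ...) from the CSV.
        $rows | Select-Object -Property $props | Export-Csv -Path $OutputPath -NoTypeInformation

        # Per-MA count of Metaverse objects with no connector on that MA.
        $missingPerMA = [ordered]@{}
        foreach ($header in $ManagementAgents.Keys) {
            $missingPerMA[$header] = @($rows | Where-Object { Test-NullCell $_.$header }).Count
        }
        # Objects with no connector on any of the listed MAs: candidates for cleanup or re-join.
        $disconnected = @($rows | Where-Object {
            $row = $_
            @($ManagementAgents.Keys | Where-Object { -not (Test-NullCell $row.$_) }).Count -eq 0
        })

        [pscustomobject]@{
            OutputPath           = $OutputPath
            MetaverseObjects     = $rows.Count
            MissingConnectorByMA = $missingPerMA
            DisconnectedObjects  = $disconnected.Count
            DisconnectedIds      = @($disconnected | ForEach-Object { $_.'MV ObjectId' })
        }
    }
    finally {
        # Runs even when the query fails, so the service is never left disabled by accident.
        Set-Service -Name $serviceName -StartupType $restoreType
        if ($wasRunning) { Start-Service -Name $serviceName }
    }
}

Export-MetaverseConnectors -ServerInstance 'SQL_SERVER_NAME_HERE'
```

The returned object gives you the headline numbers before you open the CSV in Excel; the CSV itself carries the Metaverse object ids, so a disconnected object can be located in Synchronization Service Manager directly.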

Note

To provide feedback about this article, create a post in the FIM TechNet Forum.

For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.

Source: http://social.technet.microsoft.com/wiki/contents/articles/33055.fim-2010-how-to-use-powershell-to-create-a-csv-of-fimmim-metaverse-connections.aspx

Import data from HR to the FIM Portal

In this post I will show how to attach an HR data source to the FIM Sync Service, and then import data about employees into the FIM Portal.

This post assumes you already have FIM installed, and have created the FIM Management Agent.

Create the HR Management Agent

The aim is to create a management agent for your HR data source. In this example I’m using a SQL database, but it could equally be CSV, SAP, Oracle or something else. The product Help tells you how to configure the prerequisites for each of these MA types.

We’re going to use a codeless sync rule to import data, so we don’t need a join or projection rule here. If you’re not using the Portal, you will need to configure this tab; see Creating a Management Agent.

If using codeless sync you can also leave the flow rules blank for now, though you may find you need to revisit this tab if you want to create Advanced flow rules that aren’t currently possible with codeless. Note that it’s fine to use a combination of codeless and coded rules. See Advanced Attribute Flow Rules.

Create the Import Sync Rule

Now go into the Portal and open the Synchronization Rules page from under the Administration menu. Create a new Inbound Sync Rule.

The rule matches an external object type with a Metaverse object type, via the selected MA.

On this page we specify how to identify that an object in the external system matches an object in the Metaverse. In this case we’ll use the employeeID, which we will also be flowing from this source. Note I’ve also ticked “Create resource in FIM”, which will cause an object to be automatically provisioned into the connector space of the FIM MA, ready to export to the FIM Portal.

Finally we specify our import flow rules, which should be pretty self-explanatory. It’s a good idea to make use of functions such as Trim and ProperCase to make sure that your data comes into the Metaverse in a fairly consistent state. Also be very sure to flow in the identifying attribute you specified in the form above!

If you need extra Metaverse attributes to import your data to then you will have to go back to the Synchronization Service GUI and modify the Metaverse schema.

Configure the Metaverse -> Portal Flows

This is where it gets a bit odd. We’ve created HR -> Metaverse flow rules using a codeless Sync Rule created in the Portal, but to get the data from the Metaverse into the Portal itself we actually have to use old-style MA rules. In the Synchronization Service GUI, open the properties of the FIM MA and open the Configure Attribute Flow page.

Add the Export flow rules that will copy data from the Metaverse to the Portal. If you need extra attributes in the Portal for your HR data, see this document on the Portal schema. You will need to refresh the schema on the MA, and select the new attributes in the Attributes tab, before they will be available for the flow rules.

To avoid permissions problems when you export data to the Portal, check the MPR “Synchronization: Synchronization controls users it synchronizes” and make sure that the account used by the Sync Service has the rights to update all required attributes. It’s easy to just give the Sync Service rights to all user attributes in this MPR, but whether you’d do this depends on your requirements and security rules.

Create the Run Profiles

Create Import and Sync run profiles for the HR MA. Here I’ve created a single-step “Full Import and Full Sync” run profile.

For the FIM MA I need Import/Sync and Export run profiles.

Finally – Make something happen!

The first job you need to run is the Import/Sync on the FIM MA. In a freshly installed system you should see three objects being projected into the Metaverse. Inspecting these objects shows them to be the Administrator user, the Built-In Synchronization user, and the HR Import Sync Rule we created above.

Now you can Import/Sync the HR MA. You should see objects being projected into the metaverse, and also provisioned as Adds into the FIM MA. If you inspect some of these objects in the Metaverse you should see them populated with attributes from the HR data source.

Finally you are ready to export your HR data to the Portal. Various errors can happen here, and they will mostly be connected to the Portal schema (particularly check the Validation tabs in both attribute and binding definitions) or Portal permissions (check the MPRs that apply to the Built-In Synchronization account). But if you see nice “Adds” counting up here then things are good, and you’ll find users defined in the Portal. It may not be quick though – the first load of data into the Portal is not the most performant part of this platform.

Source: http://www.wapshere.com/missmiis/fim-walkthroughs-import-data-from-hr-to-the-fim-portal

Create the FIM MA

After installing FIM, you will need to start configuring the Sync Service so that you can start to get data into and out of the Portal. This post shows you how to configure the FIM Management Agent.

When you first run the Synchronization Service you will see pretty much exactly the same thing that users of ILM 2007 and MIIS 2003 will be very familiar with. In fact, to learn about this interface the ILM and MIIS documentation will still be accurate.

One of your first tasks here is to create the FIM Management Agent. On the Management Agent tab click Create and then select the “FIM Service Management Agent” type from the dropdown.

This was pretty easy for me because everything was on the localhost. Otherwise the “Server” is the SQL server name, and the “FIM Service base address” should reference the SharePoint server. The service account is a regular domain account with no special permissions.

I’m planning on managing users so I also select the “Person” object type here. You can come back to this screen any time later to select other object types, including new ones you create in the Portal.

By default all attributes are selected so there’s nothing to do here. Again, you will revisit this page later if you need to synchronize new attributes that you’ve added to the Portal schema.

Here you can block certain objects from being synchronized by the Sync Service. In this example I am blocking the two built-in Portal accounts.

On this page you map the Portal object type to an object type in the Metaverse. See the Metaverse Designer tab in the Sync Service GUI for the configuration of the metaverse schema.

Initially just accept the default attribute flows here. You will be back to this page before long, selecting the attributes you want to appear in the Portal.

Accept the default for now.

Again there should be nothing to configure on this page – just click Finish.

The MA is now created. Your final step is to create Run Profiles, which will actually make the MA do something. My typical list is pictured here – Import, Sync, Full Import and Full Sync, Delta Import and Delta Sync, and Export. Note I also have “Export 1”, which is a restricted export that is useful while testing.

For more info about Run Profiles see this post.

What next? We need to get some data into the system

Source: http://www.wapshere.com/missmiis/fim-walkthroughs-create-the-fim-ma

FIM 2010 – Planning and Installation

I’m starting a new series of posts today showing how to build an identity management environment with FIM 2010. A lot of the concepts are covered in the Getting Started documentation, which you should of course read; however, I think it’s often useful to see the same information presented in a couple of different ways – here with pictures!

To kick things off by starting at the beginning – Installation.

Planning

FIM Components

When you first run the FIM setup program, you will see a screen with a number of different components to install. For an initial identity management installation you will want to install the Synchronization Service and the Service and Portal.

Following are the major requirements for these components. For a full list see Technet: Hardware and Software Requirements.

  1. Synchronization Service
    • Windows Server 2008/2008r2 Standard x64
    • SQL Server 2008 SP1
      • Database Engine
  2. Service and Portal (which includes Workflows, Codeless Sync Rules and Password Reset)
    • Windows Server 2008/2008r2 Standard x64
    • SQL Server 2008 SP1
      • Database Engine
      • Full-text Indexing
    • Windows Sharepoint Service 3.0
    • Exchange 2007/2010 (see Brad Turner’s post on the subject if you don’t have Exchange, or mine if you have BPOS.)

Servers

If you’re just planning a test environment then the simplest thing is to install everything on the one server. I wouldn’t do it with any less than 4GB of RAM, though 8GB is better. I have run FIM 2010 on virtual machines, both ESX and Hyper-V.

The Preinstallation and Topology Configuration document will give you more information if you want to install some components on different servers, or use load-balancing or redundancy features.

Installation

In this example I’m going to show you how to install The Sync Service and the Portal on a single server. For detailed instructions see the official documentation.

Server Config

The server is called “FIM”, has 4GB of RAM and is a member of the domain “mydomain.local” which also includes an Exchange 2007 server. I’ve installed the following:

  • Windows 2008 Standard x64
  • SQL 2008 SP1
  • WSS 3.0 (and I’ve run the Sharepoint Products and Technologies Configuration Wizard from the Administrative Tools menu)
  • Exchange 2007 management tools

Service Accounts

First, create the service accounts in the domain. All accounts are regular users in the domain, and on the FIM server.

  1. Account for the FIM service
    • Mail-enabled
  2. Account for the Sync Service
  3. Account for the FIM Management Agent, which will connect the Sync Service to the Portal.

Install the Sync Service

Now we’re ready to start installing. From the setup splash screen click Install Synchronization Service.

I’ve skipped the initial screens, which are click-Next types. The first one you have to think about is specifying your SQL server. Sometimes you’ll get an error here about the SQL server not being found. This is usually either because your SQL server is the wrong version (minimum 2008 SP1) or because you haven’t properly specified the named instance.

Specify the service account you created for the Sync Service.

The installation creates these local groups for you. It will be easier to move the Sync Service to another server if you use domain groups. To do this, create the equivalent domain groups yourself, and then specify them here in the format “domain\group”.

If you have the Windows Firewall enabled then you will need to tick this option.

You will now be prompted to save the keyset for the database. This is needed if you want to transfer the database to another server (it doesn’t actually encrypt the database). You should save it somewhere you can find it again, though if the FIM server is available you can export the keyset again at any time using miiskmu.exe (found in the Microsoft Forefront Identity Manager\2010\Synchronization Service\bin folder). The Sync Service should then install.

Install the FIM Service and Portal

Now go back to the splash screen and choose Install Service and Portal. You need to be a bit careful about the account you use to do this part with, as it will become the built-in Administrator account in the Portal. One idea is to create a “FIM Administrator” account in the domain, make it a local and SQL administrator, and install using that. Click through the first screens. Typically you would just leave these as default settings, unless you were doing an installation split across different servers.

Enter the name of the SQL Server and “FIMService” for the database name. Now I’m just using the local server here, and this screen pre-configures itself with the NetBIOS name of the server rather than “localhost”, so I just leave it that way. If you were using a remote SQL server you would enter the FQDN, or FQDN\NamedInstance.

Enter the name of your email server. Ideally this will be a self-hosted Exchange 2007/2010 server, though you can also use non-Exchange or MSOnline.

It should be fine to use the default here. The certificate is used for internal, and not client, communications.

Now specify the (mail-enabled) account you created for the FIM Service.

Next you specify the account you created for the FIM Management Agent.

Here I’m just using the server name again, but in a production environment I’d probably be specifying some sort of publicly acceptable CNAME, like “identity.mydomain.local”. You can change it later or add extra names, though you have to be careful with the Kerberos stuff.

With the FIM Service running on the WSS server you just reference localhost.

You need to select the first option if you have Windows Firewall enabled. And you definitely need options two and three, otherwise you’ll just be configuring it manually later.

The installation should now complete. To check that it’s working browse http://fimserver/identitymanagement.

Source: http://www.wapshere.com/missmiis/fim-walkthroughs-planning-and-installation

Understanding Kerberos Authentication Setup

FIM 2010: Understanding Kerberos Authentication Setup

This is in fact a double post: I originally wrote this article for the TechNet Wiki and posted it there. Link: TechNet Wiki: FIM 2010: Understanding Kerberos Authentication Setup

The goal of this article is to provide some background information regarding the Kerberos related configuration steps of the FIM Portal and FIM Service. The article has been written so that most of the points can in fact be used for any application requiring Kerberos.

This article will not discuss the various possible FIM Topologies. All information should be valid regardless whether all roles are combined on a single server or split across multiple servers.

Throughout the article a demo domain will be used. The domain which will be referenced as an example is contoso.com (NetBIOS name: CONTOSO).

Table of Contents:

  1. Identify Services
  2. Identify Service Identities
  3. Name Services
  4. Configure DNS
  5. Configure Service Principal Names (SPN’s)
  6. Configure IIS for Kerberos
  7. Identify Delegation Requirements
  8. Configure Delegation
  9. Enforce Kerberos (FIM Specific)

1. Identify Services

Before we can start configuring SPN’s (Service Principal Names) we have to determine what services we want to enable for Kerberos authentication. A typical FIM Portal deployment has the following services:

  • Database for the FIM Service (SQL Service)
  • FIM Service
  • FIM Portal (Windows Sharepoint Services (WSS))

note Note

In the above overview we’re leaving the FIM Synchronization Service and the databases for the WSS aside. They don’t bring any added value to this article.

The following picture provides an overview of these services.

[Figure: 0.Servers]

2. Identify Service Identities

Kerberos is all about authenticating principals to a service. Each principal is represented by an account in AD. This can either be a computer or a user account. Before Kerberos can take place, each service should be represented by an account in AD. Again this can either be a computer or a user account. Therefore it’s important to determine which account represents a given service.

note Note

A typical Windows Service has its identity configured in the Services MMC. A website, however, has its identity configured in the IIS Management Console (below the Application Pools section).

The list below provides an overview of our services and their associated identities.

  • Database for the FIM Service: the user account running the sqlservr.exe process of the SQL Instance hosting that database
  • FIM Service: the user account running the FIM Service service
  • FIM Portal: Application Pool identity in IIS for the FIM Portal site

This information is displayed in the following picture.

[Figure: 1.ServiceAccounts]

3. Name Services

Besides the principal representing a service, we also need to determine a name to access the service. Choosing names can be rather important when actual people are involved. Check the following examples:

  1. The FIM Service is configured to access its database on SPRDL2FIMSQL01B.contoso.com
  2. Users visit the FIM Portal by browsing to SPRDL3FIMPOR01.contoso.com

The first one is in fact not a problem at all. Nobody will mind that a name, for which IT probably has an explanation, is configured for a service to use. In the second example your users will by no means be able to remember the URL. Something like fimportal.contoso.com is way more feasible.

note Important

Choose your service names carefully and always keep in mind whether end-users will use them.

[Figure: 2.NameServices]

In the picture above several client-server communication arrows have been pictured. In our example we will go with the following names to access the services:

  1. Database for the FIM Service: fimsql.contoso.com
  2. FIM Service: fimsvc.contoso.com
  3. FIM Portal: fimportal.contoso.com

note Note

There’s nothing wrong with choosing the actual server name of the SQL server to associate with your SQL service.

4. Configure DNS

Clients have to be able to resolve the names for these services. We can register these records in DNS. It might seem convenient to use an alias (CNAME) record for some of the services. However this is a bad idea as explained in the following paragraph.

Using a CNAME record would ensure that changing the server’s IP address has no influence on the service name record. However, CNAME records resolve differently from A records. A client requesting a Kerberos ticket for a given service will ask AD for a ticket for whatever name the service name resolves to. This is how a client will resolve those names:

  • fimsvc.contoso.com (CNAME) -> server01.contoso.com -> IP_of_FIM_Server
  • fimsvc.contoso.com (A) -> IP_of_FIM_Server

The name for which the Kerberos authentication attempt is performed is server01.contoso.com in the first example and fimsvc.contoso.com in the second. In the first example you can clearly see that our client will request a Kerberos ticket for the wrong service, as our service is coupled to fimsvc.contoso.com. So things will go wrong. For more information check Kerberos Basic Troubleshooting: Tip 3: SPNS and CNAME Records.

note Important

Register A records to ensure the correct service name is used in the Kerberos authentication attempt

5. Configure Service Principal Names (SPN’s)

So we got a name and an identity for our service. How do we tell AD that these belong together? Ahah! Now we get to the Service Principal Names (SPN’s). Whenever someone wants to use Kerberos to authenticate to a given service, they contact the Key Distribution Centre (KDC) and ask for a service ticket. The KDC is running on each domain controller. It knows which ticket to hand out because the client specified the service it wants a ticket for. The service was in fact specified by its name. More particularly by using the Service Principal Name (SPN).

An SPN is based upon the following format <service>/<fqdn>:<port>

In our example we will execute the following commands:

  • Setspn -S MSSQLsvc/fimsql.contoso.com:1433 sa_sqlsvc
  • Setspn -S MSSQLsvc/fimsql:1433 sa_sqlsvc
  • Setspn -S FIMService/fimsvc.contoso.com sa_fimsvc
  • Setspn -S FIMService/fimsvc sa_fimsvc
  • Setspn -S HTTP/fimportal.contoso.com sa_wss
  • Setspn -S HTTP/fimportal sa_wss

note Important

Never register a given service (<service>/<fqdn>:<port>) on multiple accounts. Whenever multiple accounts are responsible for the same service, AD cannot determine which account to use to hand out the Kerberos service ticket. As such Kerberos authentication breaks. This issue is called Duplicate SPNs. You can do a quick check in your domain for duplicate SPN’s by executing Setspn -X.

note Important

Always register both the short (NetBIOS) and the long (domain FQDN) name for a service. This will ensure Kerberos is available whichever form the client uses.

note Important

SQL always requires an SPN of the format MSSQLsvc/<fqdn>:<port>, even when using the default (1433) port. If your port is dynamic you have to configure it to be static or give the SQL Server service account permissions to update its own SPN’s.

note Note

A lot of guides will tell you to use Setspn -A instead of Setspn -S. The advantage of the -S option is that it checks the domain for an existing registration prior to adding the SPN. This avoids creating duplicate SPNs.
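Sections 4 and 5 describe two checks that are easy to skip when typing setspn commands by hand: that the service name is an A record rather than a CNAME, and that no other account already holds the SPN. The following is an added example, not the article's own commands: it performs both checks before registering the short and FQDN forms of each SPN with setspn -S, using the article's names (fimsql, fimsvc, fimportal under contoso.com; accounts sa_sqlsvc, sa_fimsvc, sa_wss). It assumes the ActiveDirectory module and Resolve-DnsName (Windows Server 2012 or later) are available.

```powershell
# Added example (not the article's commands). Assumed: ActiveDirectory module and
# Resolve-DnsName are available; setspn.exe is on the path.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ServiceNameIsARecord {
    param([Parameter(Mandatory)][string]$Fqdn)
    # When a name is an alias, the A lookup returns the CNAME record for the queried name
    # followed by the canonical name's A records. Only a plain A record is acceptable,
    # because the client would otherwise request a ticket for the canonical name.
    $records = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $isAlias = [bool]($records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $Fqdn })
    return -not $isAlias
}

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Any AD object (user or computer) that already carries this SPN.
    # LDAP filter metacharacters in the SPN are escaped so the filter stays well-formed.
    $escaped = $Spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName
}

function Register-ServiceSpn {
    param(
        [Parameter(Mandatory)][string]$Service,   # MSSQLsvc, FIMService, HTTP
        [Parameter(Mandatory)][string]$Fqdn,      # e.g. fimsql.contoso.com
        [Parameter(Mandatory)][string]$Account,   # e.g. sa_sqlsvc
        [int]$Port                                # SQL always needs it (1433 even for the default port)
    )
    if (-not (Test-ServiceNameIsARecord -Fqdn $Fqdn)) {
        throw "$Fqdn is a CNAME; register an A record before creating SPNs for it."
    }
    $short  = $Fqdn.Split('.')[0]
    $suffix = if ($Port) { ":$Port" } else { '' }

    # Both forms, as the article requires: the FQDN and the short name.
    foreach ($name in @($Fqdn, $short)) {
        $spn    = "$Service/$name$suffix"
        $owners = @(Get-SpnOwner -Spn $spn)
        if ($owners -contains $Account) {
            Write-Verbose "$spn is already registered on $Account"
            continue
        }
        if ($owners.Count -gt 0) {
            # Adding it would create a duplicate SPN and break Kerberos for this service.
            Write-Warning "$spn is already held by $($owners -join ', '); not adding it to $Account."
            continue
        }
        # -S re-checks the forest for duplicates before adding (unlike -A).
        & setspn.exe -S $spn $Account | Out-Null
        [pscustomobject]@{ Spn = $spn; Account = $Account }
    }
}

# The article's six registrations, run through the checks above.
Register-ServiceSpn -Service MSSQLsvc   -Fqdn fimsql.contoso.com    -Port 1433 -Account sa_sqlsvc
Register-ServiceSpn -Service FIMService -Fqdn fimsvc.contoso.com    -Account sa_fimsvc
Register-ServiceSpn -Service HTTP       -Fqdn fimportal.contoso.com -Account sa_wss

# Final sweep for duplicate SPNs anywhere in the domain, as the article recommends.
& setspn.exe -X
```

The duplicate check uses an LDAP query rather than relying on setspn -S alone, so the script can tell you which account holds the conflicting SPN instead of just failing.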

6. Configure IIS for Kerberos

When the above steps have been implemented, both the FIM Service and SQL will start accepting Kerberos. However IIS is slightly different. In fact skipping this particular step will often break your configuration all together. One of the symptoms when having a bad Kerberos implementation is the following: you type the URL of your website, you get presented with an authentication prompt, and no matter how many times you correctly enter your credentials, you keep getting prompted over and over again.

This issue occurs because by default IIS uses the account of the server to validate service tickets instead of the Application Pool identity. We can force IIS to use the identity of the application pool by configuring this in the applicationHost.config configuration file.

note Important

The applicationHost.config file is typically located in c:\windows\system32\inetsrv\config\. Remember to take a backup before modifying this file.

The following steps are required to configure Kerberos Authentication to work with a custom Application Pool Identity.

Launch an elevated command prompt and execute the following commands:

  1. cd c:\Windows\System32\inetsrv\config
  2. copy applicationHost.config applicationHost.config.dateOfToday.bak
  3. notepad applicationHost.config

Search for windowsAuthentication enabled="true" within the location element for your site, which in this example is:

<location path="SharePoint - 80">

The above might actually be different in your environment. You need to locate the path of the IIS site which represents your FIM Portal WSS site.

Add useAppPoolCredentials="true" so the line looks like:

<windowsAuthentication enabled="true" useAppPoolCredentials="true">

Save the file and exit notepad

Execute the following command: iisreset
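The same change can be made without editing applicationHost.config in Notepad. The following is an added example, not the article's procedure: it uses the WebAdministration module to back up the IIS configuration, confirm Windows authentication is enabled for the site, set useAppPoolCredentials, and read the value back before the iisreset. The site name 'SharePoint - 80' is the article's example; the module is assumed to be available (IIS 7.5 or later).

```powershell
# Added example (not the article's steps). Assumed: WebAdministration module available.
Import-Module WebAdministration -ErrorAction Stop

function Enable-AppPoolKerberosCredentials {
    param(
        [Parameter(Mandatory)][string]$SiteName,                      # e.g. 'SharePoint - 80'
        [string]$BackupName = "windowsAuth-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    )
    $root   = 'MACHINE/WEBROOT/APPHOST'
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    # Equivalent of copying applicationHost.config aside; undo with Restore-WebConfiguration.
    Backup-WebConfiguration -Name $BackupName | Out-Null

    $enabled = (Get-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $filter -Name enabled).Value
    if (-not $enabled) {
        throw "Windows authentication is not enabled for '$SiteName'; Kerberos cannot be negotiated there."
    }

    $before = (Get-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $filter -Name useAppPoolCredentials).Value

    # Make IIS validate service tickets with the application pool identity (the account
    # holding the HTTP/ SPNs) instead of the machine account.
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $filter -Name useAppPoolCredentials -Value $true

    $after = (Get-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $filter -Name useAppPoolCredentials).Value

    [pscustomobject]@{ Site = $SiteName; Before = $before; After = $after; Backup = $BackupName }
}

Enable-AppPoolKerberosCredentials -SiteName 'SharePoint - 80'

# The article's final step; the full restart picks up the applicationHost.config change.
iisreset
```

If the result shows After = True but users are still prompted repeatedly, re-check that the HTTP/ SPNs are on the application pool account and not also on the server's computer account.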

7. Identify Delegation Requirements

Now that we got Kerberos authentication working for all of the involved services we have to determine whether additional configuration is required. Sometimes it’s obvious that Kerberos delegation has to be configured, sometimes it’s less obvious. Either way, it’s advised to check the product specific documentation to be sure. Kerberos delegation will allow a service to impersonate a visiting user and authenticate to another service as if it were the user himself who visits that service.

From the FIM Installation Guide we know that the following delegation scenarios are required:

  1. FIM Portal to FIM Service
  2. FIM Service to FIM Service

This is explained in the "Establish SPNs for FIM 2010" section of the installation guide.

[Figure: 3.Delegation]

8. Configure Delegation

To allow a given service to delegate to another service, we configure delegation on the delegating service’s account, targeting the SPN of the service being delegated to. Delegation can be configured using Active Directory Users & Computers (ADUC). As explained in the previous section we have to configure the following delegation scenarios:

For the Portal to be able to delegate to the FIM Service we would have to:

  1. Open ADUC and locate the service account for the Portal (sa_wss)
  2. Open the properties of sa_wss and choose the delegation tab
  3. Check Trust this user for delegation to the specified services only
  4. Check Use Kerberos only
  5. Click Add…
  6. Click users or Computers…
  7. Type the name of your FIM Service service account: sa_fimsvc
  8. Click Check Names and Click Ok
  9. Select the FIMService entry and Click Ok
  10. Click Ok to close the account properties

Some screenshots to aid in the process: FIMService selection screen

[Figure: 4.Deleg_Select]

And the resulting Delegation tab for the sa_wss account:

[Figure: 5.Deleg_Configured]

For the FIM Service to be able to delegate to the FIM Service we would have to:

  1. Open ADUC and locate the service account for the FIM Service (sa_fimsvc)
  2. Open the properties of sa_fimsvc and choose the delegation tab
  3. Check Trust this user for delegation to the specified services only
  4. Check Use Kerberos only
  5. Click Add…
  6. Click users or Computers…
  7. Type the name of your FIM Service service account: sa_fimsvc
  8. Click Check Names and Click Ok
  9. Select the FIMService entry and Click Ok
  10. Click Ok to close the account properties

note Note

The delegation tab on a user is only visible when an SPN has been registered for that account.

note Note

The above procedure assumes your domain is in 2003 DFL or higher. Windows 2000 DFL only has unconstrained delegation available.
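The ADUC steps above map onto two attributes of the delegating account: "Trust this user for delegation to the specified services only" populates msDS-AllowedToDelegateTo, and "Use Kerberos only" means the account is not trusted for protocol transition. The following is an added example, not the article's own steps: it applies both delegation scenarios with the ActiveDirectory module and then verifies that the result is constrained, Kerberos-only delegation, using the article's account and SPN names (sa_wss, sa_fimsvc, FIMService/fimsvc.contoso.com, FIMService/fimsvc).

```powershell
# Added example (not the article's procedure). Assumed: ActiveDirectory module available
# and the SPNs from section 5 already registered.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string[]]$TargetSpn
    )
    $u = Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo, TrustedForDelegation,
                                                    TrustedToAuthForDelegation, servicePrincipalName
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account             = $Account
        HasSpn              = $u.servicePrincipalName.Count -gt 0   # the Delegation tab only appears once an SPN exists
        Unconstrained       = [bool]$u.TrustedForDelegation         # must be False: "specified services only"
        ProtocolTransition  = [bool]$u.TrustedToAuthForDelegation   # must be False: "Use Kerberos only"
        AllTargetsPresent   = @($TargetSpn | Where-Object { $allowed -notcontains $_ }).Count -eq 0
        AllowedToDelegateTo = $allowed
    }
}

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$Account,      # delegating service account, e.g. sa_wss
        [Parameter(Mandatory)][string[]]$TargetSpn   # SPNs it may delegate to, e.g. FIMService/fimsvc.contoso.com
    )
    # Add only the targets that are not already present; -Add on an existing value errors out.
    $current = @((Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo')
    $new = @($TargetSpn | Where-Object { $current -notcontains $_ })
    if ($new.Count -gt 0) {
        Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $new }
    }
    # Constrained delegation without protocol transition: neither unconstrained
    # (TrustedForDelegation) nor "use any authentication protocol" (TrustedToAuthForDelegation).
    Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

    Test-ConstrainedDelegation -Account $Account -TargetSpn $TargetSpn
}

$fimServiceSpns = 'FIMService/fimsvc.contoso.com', 'FIMService/fimsvc'
Set-ConstrainedDelegation -Account sa_wss    -TargetSpn $fimServiceSpns   # FIM Portal  -> FIM Service
Set-ConstrainedDelegation -Account sa_fimsvc -TargetSpn $fimServiceSpns   # FIM Service -> FIM Service
```

Test-ConstrainedDelegation is also useful on its own for periodic review: an account showing Unconstrained = True or ProtocolTransition = True has been configured more broadly than the article's scenarios require.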

9. Enforce Kerberos (FIM Specific)

Optionally you can configure the FIM Portal to only accept Kerberos. This is explained in the FIM Installation Guide > Installing The FIM 2010 Server Components > Activating The Kerberos Protocol Only.

The following steps are required to force Kerberos Authentication for the FIM Portal.

Launch an elevated command prompt and execute the following commands:

  1. cd c:\inetpub\wwwroot\wss\VirtualDirectories\80
  2. copy web.config web.config.dateOfToday.bak
  3. notepad web.config

The above might actually be different in your environment. You need to locate the path of the IIS site which represents your FIM Portal WSS site.

Locate the element

<resourceManagementClient . . . />

Add requireKerberos="true" so that it reads

<resourceManagementClient requireKerberos="true" . . . />

Save the file and exit notepad

Execute the following command: iisreset
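The web.config edit above can be scripted so that the backup, the attribute change and a read-back check happen together. The following is an added example, not the Installation Guide's steps: it parses web.config with System.Xml, sets requireKerberos="true" on the resourceManagementClient element, saves, and re-reads the file to confirm. The path is the article's example and should be adjusted to your FIM Portal site.

```powershell
# Added example (not the article's steps). The default path is the article's example.
function Set-RequireKerberos {
    param(
        [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
    )
    # Timestamped backup, the scripted equivalent of web.config.dateOfToday.bak.
    $backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $WebConfigPath -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true     # keep the file's layout so a diff against the backup stays readable
    $xml.Load($WebConfigPath)

    # local-name() makes the lookup independent of any namespace on the element.
    $node = $xml.SelectSingleNode("//*[local-name()='resourceManagementClient']")
    if (-not $node) { throw "No <resourceManagementClient> element found in $WebConfigPath" }

    $before = $node.GetAttribute('requireKerberos')   # '' when the attribute is absent
    $node.SetAttribute('requireKerberos', 'true')
    $xml.Save($WebConfigPath)

    # Re-read the saved file rather than trusting the in-memory document.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($WebConfigPath)
    $after = $check.SelectSingleNode("//*[local-name()='resourceManagementClient']").GetAttribute('requireKerberos')

    [pscustomobject]@{ Path = $WebConfigPath; Backup = $backup; Before = $before; After = $after }
}

Set-RequireKerberos

# The article's final step; the restart makes the Portal pick up the new web.config.
iisreset
```

After the restart, a browser that falls back to NTLM (for example one using a CNAME or an IP address for the Portal) will be refused, which is exactly the behaviour this setting is meant to enforce.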

Source: http://setspn.blogspot.com.es/2011/06/fim-2010-understanding-kerberos.html

Password Reset Deployment Guide

Applies To: Forefront Identity Manager 2010

Microsoft® Forefront® Identity Manager (FIM) 2010 includes a password reset and registration feature. By using this feature, users can reset their passwords from the Microsoft Windows® logon screen after they complete a registration process to verify their identities.

What This Document Covers

This document provides instructions to help you to configure the password reset and registration feature by using the FIM Portal. It also provides instructions for testing the configuration by registering for the self-service password reset service and then changing the password on a client computer.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the Windows Internet Explorer® Internet browser and the Windows logon screen.

Audience

The target audience for this document is information technology (IT) planners, consultants, and IT personnel who plan to deploy and use the self-service password reset feature included with FIM 2010.

Time Requirements

The procedures in this document require 45 to 60 minutes to complete.

Scenario Description

Fabrikam, a fictitious corporation, wants its employees to configure and use the password reset feature included with FIM 2010. The current process for resetting a password at Fabrikam requires that the information worker call the help desk to obtain assistance in resetting their password. Fabrikam wants to configure and use the self-service password reset feature included with FIM 2010. By using this tool, the information worker can change their password without calling the helpdesk for assistance.

Also, selected IT professionals within the Fabrikam organization need the ability to unlock users for password reset.

Note

The steps in this guide are also presented in the following TechNet video, http://technet.microsoft.com/en-us/edge/using-the-password-reset-deployment-feature-in-forefront-identity-manager-fim-2010.aspx

Testing Environment

To perform the procedures in this document, your testing environment must have the following characteristics:

  • A server that hosts the FIM 2010 server components. This server must actively synchronize the user resources between the FIM database and Active Directory® Domain Services (AD DS).

    Note

    For guidance for configuring synchronization with AD DS, see Common Configuration for Getting Started Guides in the FIM documentation.

  • A client computer running the Windows XP Service Pack 2 (SP2), Windows Vista® Enterprise, or Windows 7 32-Bit or 64-Bit operating system hosting the FIM Add-in and Extensions in the same domain as the FIM 2010 server components.

Before You Begin

Ensure that the following actions are taken before you begin the procedures for password reset:

  • User resources are synchronized between AD DS and the FIM 2010 database.
  • If there is a firewall between the server running FIM and the server running AD DS, the following ports must be opened in the firewall between the FIM Synchronization Server and the Active Directory domain controller:
    1. TCP/UDP 135 (RPC EPMapper)
    2. TCP/UDP 389 (LDAP, LDAP Ping)
    3. TCP 636 (LDAP over SSL)
    4. TCP 3268 (GC)
    5. TCP 3269 (GC SSL)
    6. TCP/UDP 53 (DNS)
    7. TCP/UDP 88 (Kerberos)
    8. TCP Dynamic (RPC)
    9. TCP/UDP 464 (Kerberos Change/Set Password)
    10. TCP 445 (CIFS/MICROSOFT-DS)
  • To facilitate WMI communication, you will also need to make sure the following ports are open between the server running the FIM Service and the server running the FIM Synchronization Service:
    1. TCP/UDP 135 (RPC EPMapper)
    2. TCP 135 (RPC EPMapper)
    3. TCP 5725
    4. TCP 5726
    5. TCP 5000-5001 Dynamic RPC ports (PCNS)
    6. TCP 57500-57520 Dynamic RPC ports (AD MA)
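An added PowerShell check, written for this page and not part of the original guide, that tests TCP reachability of the static ports listed above from the server it is run on. The three host names are placeholders; the UDP side of the TCP/UDP entries and the dynamic RPC ranges are outside what a TCP connect can verify and still need a tool such as Portqry.

```powershell
# Added example, not part of the original guide: tests TCP reachability of the
# static ports listed in "Before You Begin". Host names are placeholders for your
# environment. The UDP side of the TCP/UDP entries and the dynamic RPC ranges
# (PCNS 5000-5001, AD MA 57500-57520) are not covered by a plain TCP connect.
# Written for PowerShell 2.0 so it runs on Windows Server 2008 hosts.
param(
    [string]$DomainController = 'dc01.fabrikam.com',       # placeholder
    [string]$SyncServer       = 'fimsync01.fabrikam.com',  # placeholder
    [string]$FimServiceServer = 'fimservice01.fabrikam.com' # placeholder
)

# FIM Synchronization Server -> domain controller (static ports from the list)
$dcPorts = @(
    @{ Port = 135;  Service = 'RPC EPMapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog SSL' },
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 464;  Service = 'Kerberos Change/Set Password' },
    @{ Port = 445;  Service = 'CIFS/MICROSOFT-DS' }
)

# FIM Service server -> FIM Synchronization Server (WMI/DCOM endpoint mapper)
$wmiPorts = @(
    @{ Port = 135;  Service = 'RPC EPMapper' }
)

# FIM Synchronization Server -> FIM Service server (FIM Service listeners)
$fimServicePorts = @(
    @{ Port = 5725; Service = 'FIM Service' },
    @{ Port = 5726; Service = 'FIM Service' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Asynchronous connect so a silently dropped SYN does not stall the script
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)   # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-PortList {
    param([string]$Target, [string]$Path, [object[]]$Ports)
    foreach ($entry in $Ports) {
        $open   = Test-TcpPort -ComputerName $Target -Port $entry.Port
        $status = if ($open) { 'open' } else { 'BLOCKED' }
        New-Object PSObject -Property @{
            Path    = $Path
            Target  = $Target
            Port    = $entry.Port
            Service = $entry.Service
            Status  = $status
        }
    }
}

$results = @()
$results += Test-PortList -Target $DomainController -Path 'FIM Sync -> DC'          -Ports $dcPorts
$results += Test-PortList -Target $SyncServer       -Path 'FIM Service -> FIM Sync' -Ports $wmiPorts
$results += Test-PortList -Target $FimServiceServer -Path 'FIM Sync -> FIM Service' -Ports $fimServicePorts

$results | Sort-Object Path, Port | Format-Table Path, Target, Port, Service, Status -AutoSize

# Non-zero exit code so the check can be run from a scheduled task
if ($results | Where-Object { $_.Status -eq 'BLOCKED' }) { exit 1 }
```

Each path is tested from the host the script runs on, so in a split deployment run it once on the Synchronization Server and once on the FIM Service server and read only the rows for the paths that originate there.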

The following references can be helpful:

  1. Active Directory and Active Directory Domain Services Port Requirements
  2. Active Directory Replication over Firewalls
  3. Network Ports Used by Key Microsoft Server Products
  4. How to Use Portqry to Troubleshoot Active Directory Connectivity Issues
  5. Management Agent Communication Ports, Rights, and Permissions

Implementing the Procedures in This Document

In this document, you configure the FIM 2010 self-service password reset feature by using the FIM Portal. You then test the self-service password reset configuration on a Windows-based client computer.

To implement the procedures in this document, you must complete the following steps in order:

  1. Step 1: Make the FIM 2010 Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups
  2. Step 2: Enable password management on the management agent for AD DS on the FIM Synchronization Server
  3. Step 3: Enable FIM 2010 service account privileges in Windows Management Instrumentation on the FIM Synchronization Server
  4. Step 4: Allow Windows Management Instrumentation traffic through the Windows Firewall on the FIM Synchronization Server
  5. Step 5: Enable DCOM for the FIM service account
  6. Step 6: Update the “Password Reset Users Set” in the FIM Portal to ensure it contains all the users you would like to participate in password reset
  7. Step 7: Update the Password reset AuthN workflow in the FIM Portal
  8. Step 8: Enable the Management Policy Rule named “Anonymous users can reset their password”
  9. Step 9: Enable the Management Policy Rule named “Password reset users can read password reset objects”
  10. Step 10: Enable the management policy rule named “Users can create registration objects for themselves”
  11. Step 11: Enable the management policy rule named “Password reset users can update the lockout attribute of themselves”
  12. Step 12: Enable the management policy rule named “User management: Users can read attributes of their own”
  13. Step 13: Enable the management policy rule named “General: Users can read non-administrative configuration resources”

Step 1: Make the FIM 2010 Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups
To make the FIM 2010 Service account a member of the FIMSyncBrowse and FIMSyncPasswordSet groups
  1. On the FIM Synchronization Server, click Start, click Administrative Tools, and then click Computer Management. Expand Local Users and Groups, and then click Groups.

  2. Right-click the FIMSyncBrowse group, click Add to Group, add the FIM 2010 Service account, and then click OK.

  3. Right-click the FIMSyncPasswordSet group, click Add to Group, add the FIM 2010 Service account, and then click OK.

  4. Close Computer Management.

  5. Restart the FIM Synchronization Service.

  6. Restart the FIM Service.

Step 2: Enable password management on the management agent for AD DS on the FIM Synchronization Server

You must enable password management on the management agent for Active Directory Domain Services (AD DS). This makes it possible for AD DS to process the password reset requests that it receives.

To enable password management on the management agent for AD DS
  1. On the FIM 2010 Synchronization Server, open the Synchronization Service Manager.

  2. Click the Management Agents tab.

  3. Select the management agent for AD DS.

  4. On the Actions menu, click Properties.

  5. In the Properties window, click Configure Extensions.

  6. Select the Enable password management check box.

To assign rights in AD DS to allow the Active Directory management agent account to reset passwords and unlock accounts
  1. Open Active Directory Users and Computers.

  2. Click View, and then click Advanced Features.

  3. Right-click the organizational unit (OU) that contains the users for password reset, click Properties, and then click the Security tab.

  4. Click Add, enter a name for your account, and then click OK to return to the Security tab.

  5. With the new account highlighted in the Group or user names window, click Advanced.

  6. Select the account that you just created, and then click Edit.

  7. In Apply to, select Descendant User objects.

  8. Apply the following permissions under the Properties tab:

    • Read userAccountControl = Allow
    • Write userAccountControl=Allow
    • Read lockoutTime = Allow
    • Write lockoutTime = Allow
  9. Apply the following permissions under the Object tab:

    • Reset password = Allow
    • Change password = Allow
  10. Grant Replicating Directory Changes permissions for the Active Directory Management service account. You can do that by following the steps in the following article: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.

Step 3: Enable FIM 2010 service account privileges in Windows Management Instrumentation on the FIM Synchronization Server

The FIM 2010 service account must have security access to the namespace and subnamespaces on the FIM 2010 server.

To enable Windows Management Instrumentation namespace and subnamespace privileges
  1. Log on to the FIM Synchronization Server as an administrator.

  2. On the desktop, right-click Computer, and then click Manage.

  3. In Server Manager, double-click Configuration, right-click WMI Control, and then click Properties.

  4. Click the Security tab.

  5. Double-click Root, click CIMV2, and then click Security.

  6. On Security for ROOT\CIMV2, click Add.

  7. On Select Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM 2010 service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  8. Click OK.

  9. On Security for ROOT\CIMV2, ensure that Allow in the FIM 2010 service account is selected for Enable Account and Remote Enable.

  10. On Security for ROOT\CIMV2, ensure that the FIM 2010 service account is selected, and then click Advanced.

  11. On Advanced Security Settings for CIMV2, select the FIM 2010 service account, and then click Edit.

  12. On Permission Entry for CIMV2, select This namespace and subnamespaces in the Apply To box.

  13. Click OK.

  14. On Advanced Security Settings for CIMV2, click Apply, and then click OK.

  15. On Security for ROOT\CIMV2, click OK.

  16. On WMI Control Properties, click OK.

  17. Close Server Manager.

Step 4: Allow Windows Management Instrumentation traffic through the Windows Firewall on the FIM Synchronization Server

You must configure the firewall on the FIM 2010 Synchronization Server to allow Windows Management Instrumentation (WMI) traffic to pass through.

To allow WMI traffic through the Windows Firewall
  1. Log on to the FIM 2010 Server as an administrator.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, double-click Windows Firewall.

  4. On Windows Firewall, select Allow a program through Windows Firewall.

  5. On Windows Firewall Settings, under To enable an exception, select its check box, scroll down, and then select the Windows Management Instrumentation (WMI) check box.

  6. Click OK.

  7. Close Windows Firewall.

  8. Close Control Panel.

Step 5: Enable DCOM for the FIM service account

WMI uses DCOM to communicate with the FIM 2010 server. For this to occur, the FIM service account requires access to DCOM on the server running the FIM Synchronization Service. The following steps assume a single-server implementation. That is, the FIM Service and the FIM Synchronization Service are running on the same server. If your environment has the FIM Service and the FIM Synchronization Service running on separate servers, ensure that the permissions for the FIM service account are set on the server that is running the FIM Synchronization Service.

To enable DCOM for the FIM service account
  1. Log on to the server that is running the FIM Synchronization Service as an administrator.

  2. Click Start, click Control Panel, click Administrative Tools, and then click Component Services.

  3. On Component Services, double-click Component Services, and then double-click Computers.

  4. Right-click My Computer, and then click Properties.

  5. On My Computer Properties, click COM Security.

  6. On COM Security, under Access Permissions, click Edit Limits.

  7. On Access Permissions, click Add.

  8. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  9. Click OK.

  10. On Access Permissions, select the FIM service account. Select the Allow check box for both Local Access and Remote Access.

  11. Click OK.

  12. On COM Security, under Access Permissions, click Edit Default.

  13. On Access Permissions, click Add.

  14. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  15. Click OK.

  16. On Access Permissions, select the FIM service account. Select the Allow check box for both Local Access and Remote Access.

  17. Click OK.

  18. On COM Security, under Launch and Activation Permissions, click Edit Limits.

  19. On Launch and Activation Permissions, click Add.

  20. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears underlined.

  21. Click OK.

  22. On Launch and Activation Permissions, select the FIM service account. Select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  23. Click OK.

  24. On COM Security, under Launch and Activation Permissions, click Edit Default.

  25. On Access Permissions, click Add.

  26. On Select, Users, Computers, and Groups, in the Enter the object names to select (examples) box, type the FIM service account name, and then click Check Name.
    When the service account name resolves successfully, it appears as underlined.

  27. Click OK.

  28. On Launch and Activation Permissions, select the FIM service account. Select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  29. Click OK.

  30. On My Computer Properties, click Apply, and then click OK.

  31. Close Component Services.

Step 6: Update the “Password Reset Users Set” in the FIM Portal to ensure it contains all the users you would like to participate in password reset

FIM contains default sets for password reset. Open the Password Reset Users Set in the FIM portal to make sure it contains the users that you would like to participate in password reset.

To update the Password Reset Users Set in the FIM Portal to ensure it contains all the users you want to participate in password reset
  1. Log on to the FIM Portal as Administrator.

  2. From the FIM home page, under Administration, click Sets.

  3. On the Sets page, find the set named Password Reset Users Set by searching or paging through the list of sets.

  4. On the Criteria-based Members tab, click all resources, and then select user from the drop-down menu.

  5. Change the criteria to filter the set down to the users you want to participate in password reset.

Step 7: Update the Password reset AuthN workflow in the FIM Portal

There is a default workflow in the FIM Portal for password reset that defines the challenges a user must pass before resetting his or her password.

Tip

An attacker might launch a denial-of-service attack on password reset by purposely failing password reset challenges for multiple users, causing many users to be locked out of password reset. To mitigate this type of attack, you should place the lockout gate after a Question and Answer gate. By configuring the activities in this way, the attacker would need to pass at least one gate before they could try and lock out other users. You could then place an additional Question and Answer gate after the lockout gate for additional security. The sequence would then be as follows:

  1. Password gate
  2. Question and Answer gate
  3. Lockout gate
  4. Question and Answer gate
To update the questions in the Question and Answer activity based on your organization’s preferences and ensure that the lockout gate settings (if applicable) match your organization’s requirements
  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Workflows.

  3. On the Workflows page, search or browse the list of workflows, and then click Password Reset AuthN Workflow.

  4. Click Activities, and then double-click QA Gate.

  5. Under QAGate, click Edit, configure the following steps in the order shown, and then click Save.

    1. Step 1 – Question Settings
      Specify the total number of questions asked and the number of questions that are displayed during password registration. Also, configure the number of questions that are required for registration, the number of questions that are randomly presented to the user, and the number of questions that the user must answer correctly.
    2. Step 2 – Enter Questions
      Specify the questions that users must answer to register for self-service password reset, for example, “What is your mother’s maiden name?”
  6. Expand Lockout Gate, click Edit, confirm that the following options match your organization’s preferences, and then click Save.

    Lockout duration after Lockout Threshold is reached (minutes) – Specify the number of minutes that users are locked out of password reset before they are allowed to attempt password reset again.

    Lockout Threshold – number of times the user can fail to complete the workflow – Specify the number of times a user can enter an incorrect answer to the challenge questions before they must wait the specified amount of time as defined in the Lockout duration after Lockout Threshold is reached (minutes) setting.

    Number of times the user can reach the Lockout Threshold before permanent lockout – Specify the number of additional attempts to answer the challenge questions—each separated by the lockout duration time—before the user is permanently locked out of the password reset feature.

  7. Click OK, and then click Submit.

Step 8: Enable the Management Policy Rule named “Anonymous users can reset their password”

So that users can register for password reset, a Management Policy Rule (MPR) must exist that gives users the permissions to read the attributes necessary to register for password reset. This MPR is created by default for FIM 2010, but it is also disabled by default.

To enable the “Anonymous users can reset their password” MPR
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Anonymous users can reset their password.

  4. Click the display name of the MPR, and on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Step 9: Enable the Management Policy Rule named “Password reset users can read password reset objects”

For users to reset their passwords, the client computer that requests the password reset must be able to locate and read the MPR that is associated with the user it claims to be.

To enable the “Password reset users can read password reset objects” MPR
  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to find Password reset users can read password reset objects.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.

Step 10: Enable the management policy rule named “Users can create registration objects for themselves”

For users to register for password reset, an MPR must exist that gives them the permissions to create and modify gate registration resources. A gate registration resource is the resource that stores the registration data in FIM. This MPR has been created by default for FIM 2010, but it is also disabled by default.

To enable the “Users can create registration objects for themselves” MPR
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Users can create registration objects for themselves.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click Next, and then click Submit.

Step 11: Enable the management policy rule named “Password reset users can update the lockout attribute of themselves”

When a user successfully registers or resets his or her password, the lockout count is reset. For that update to happen to the lockout count, the user must have permissions to update it. This MPR grants those permissions.

To enable the “Password Reset Users can update the lockout attribute of themselves” MPR
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate Password Reset Users can update the lockout attribute of themselves.

  4. Open the MPR, and on the General Information tab, ensure that Policy is disabled is cleared.

  5. Click OK, and then click Submit.

Step 12: Enable the management policy rule named “User management: Users can read attributes of their own”
To enable the “User management: Users can read attributes of their own” MPR
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate User Management: Users can read attributes of their own.

  4. Open the MPR, and on the General Information tab, ensure that Policy is disabled is cleared.

  5. Click OK, and then click Submit.

Step 13: Enable the management policy rule named “General: Users can read non-administrative configuration resources”
To enable the “General: Users can read non-administrative configuration resources” MPR
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, search or browse the list of MPRs to locate General: Users can read non-administrative configuration resources.

  4. Open the MPR, and, on the General Information tab, ensure that the Policy is disabled check box is cleared.

  5. Click OK, and then click Submit.
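Steps 8 to 13 each clear one Policy is disabled check box in the portal. The following script is an added example, not part of the original guide: it uses the FIMAutomation PowerShell snap-in installed with the FIM Service to report which of those six MPRs are still disabled and, only with -Fix, clears the Disabled flag the same way the portal does. The -Uri value is a placeholder for your FIM Service endpoint.

```powershell
# Added example, not part of the original guide. Uses the FIMAutomation snap-in
# (installed with the FIM Service) to report whether each MPR enabled in Steps 8
# to 13 is still disabled and, with -Fix, clears the Disabled flag the same way
# the portal does. Run on the FIM Service server as a FIM administrator.
# The -Uri value is a placeholder for your FIM Service endpoint.
param(
    [string]$Uri = 'http://localhost:5725',   # placeholder
    [switch]$Fix                              # default is report-only
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Display names exactly as the guide gives them in Steps 8 to 13
$requiredMprs = @(
    'Anonymous users can reset their password',
    'Password reset users can read password reset objects',
    'Users can create registration objects for themselves',
    'Password reset users can update the lockout attribute of themselves',
    'User management: Users can read attributes of their own',
    'General: Users can read non-administrative configuration resources'
)

function Get-FimAttributeValue {
    # Pulls one single-valued attribute out of an Export-FIMConfig result
    param($Resource, [string]$Name)
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($attr) { return $attr.Value }
    return $null
}

function Get-MprState {
    param([string]$DisplayName)
    # None of the guide's MPR names contain an apostrophe, so the XPath is safe as-is
    $filter = "/ManagementPolicyRule[DisplayName='$DisplayName']"
    $mpr = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)
    if ($mpr.Count -ne 1) { return $null }
    $disabled = Get-FimAttributeValue -Resource $mpr[0] -Name 'Disabled'
    New-Object PSObject -Property @{
        DisplayName = $DisplayName
        ObjectID    = $mpr[0].ResourceManagementObject.ObjectIdentifier
        # A missing Disabled attribute means the rule is active
        Disabled    = ($disabled -eq 'True')
    }
}

function Enable-Mpr {
    # Equivalent of clearing "Policy is disabled" on the General Information tab
    param([string]$ObjectID)
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    $change.AttributeName  = 'Disabled'
    $change.AttributeValue = 'False'
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'ManagementPolicyRule'
    $import.TargetObjectIdentifier = $ObjectID
    $import.SourceObjectIdentifier = $ObjectID
    $import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes                = @($change)
    $import | Import-FIMConfig -Uri $Uri | Out-Null
}

$report = foreach ($name in $requiredMprs) {
    $state = Get-MprState -DisplayName $name
    if ($state -eq $null) {
        New-Object PSObject -Property @{ DisplayName = $name; Disabled = $null; Action = 'NOT FOUND' }
        continue
    }
    $action = 'ok'
    if ($state.Disabled) {
        if ($Fix) {
            Enable-Mpr -ObjectID $state.ObjectID
            $action = 'enabled'
        } else {
            $action = 'still disabled'
        }
    }
    New-Object PSObject -Property @{ DisplayName = $name; Disabled = $state.Disabled; Action = $action }
}

$report | Format-Table DisplayName, Disabled, Action -AutoSize
```

A row marked NOT FOUND means the default MPR has been renamed or deleted, which the portal steps above would not reveal.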

Enabling the helpdesk to manage users

The following steps are necessary only if you plan to have a support team manage users when they are locked out of password reset. If you are not using this functionality, you can skip to testing the configuration.

Step H1: Create a set of helpdesk users who can unlock users for password resets
To create a set of helpdesk users who can unlock users for password resets
  1. Log on to the FIM Portal as an administrator.

  2. From the FIM home page, under Administration, click Sets.

  3. On the Sets page, click New.

  4. On the General page, enter the following information into the fields:

    1. Display Name: Helpdesk users set.
    2. Description: This set contains helpdesk users who support password resets.
  5. Click Next.

  6. On the Criteria-based Members tab, click all resources, and on the menu, click user. Click Add statement, click <click to select attribute>, and then click Department. Click <click to select value>, and then type support.

    Note

    You can filter this by whatever attribute allows you to identify helpdesk users who can assist end users with password reset issues.

  7. Click Finish.

  8. On the Summary tab, click Submit.

Step H2: Create a set of lockout gate registration resources
To create a set of lockout gate registration resources
  1. Log on to the FIM 2010 R2 Portal as an administrator.

  2. On the FIM 2010 R2 home page, under Administration, click Sets.

  3. On the Sets page, click New.

  4. On the General page, enter the following information into the fields listed below:

    1. Display Name: Lockout gate registration resources.
    2. Description: This set contains all lockout gate registration resources for helpdesk users to unlock a user.
  5. Click Next.

  6. On the Criteria-based Members tab, click all resources, and on the menu, click gate registration. Click Add statement, and then click <click to select attribute> and select Gate Type. Click <click to select value> and enter D1230EF0-C5FA-4473-BE2A-30918B42EA2B.

  7. Click Finish.

  8. On the Summary tab, click Submit.

Step H3: Create an MPR enabling helpdesk users to modify the attributes of lockout gate registrations
To create an MPR enabling helpdesk users to modify the attributes of lockout gate registrations in the set that was created in Step H2
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, click New.

  4. On the Create Management Policy Rule page, configure the following options:

    • Display Name – Enter a user-defined name for this MPR such as Helpdesk Users can modify Lockout Registration Resources.
    • Description – Enter user-defined text defining a description for this MPR, such as This MPR allows Helpdesk Users to unlock users for password reset.
    • In Type, ensure that Request is selected.
    • In Disabled, ensure that Policy is disabled is not selected.
  5. Click Next.

  6. On the Requestors and Operations tab, configure the following options:

    • Requestors – In Specific Set of Requestors enter the name of the set that you created in Step H1 – Helpdesk Users Set
    • Operation – Select Read Resource and Modify a single-valued attribute.
    • Permissions – Select Grants Permissions.
  7. Click Next.

  8. On the Target Resources tab, in Target Resource Definition Before Request, enter the name of the set from Step H2 (Lockout Gate Registration Resources). Click the validate icon.

  9. In Target Resource Definition After Request, enter the name of the set from Step H2 (Lockout Gate Registration Resources). Click the validate icon.

  10. In Resource Attributes, select All Attributes, and then click Finish.

  11. On the Summary tab, click Submit.

Step H4: Create an MPR that enables helpdesk users to modify the necessary attributes to unlock users

IT professionals who are responsible for unlocking users for password reset need permissions to modify the AuthN Workflow Registered and AuthN Workflow LockedOut attributes.

To create an MPR enabling helpdesk users responsible for unlocking users for password reset to modify attributes
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, click New.

  4. On the Create Management Policy Rule page, configure the following options:

    • Display Name – Enter a user-defined name for this MPR, such as Helpdesk Users can unlock Password Reset Users Set.
    • Description – Enter user-defined text defining a description for this MPR, such as This MPR allows Helpdesk Users to unlock users for password reset.
    • Type – Select Request.
    • Disabled – Ensure that Policy is disabled is not selected.
  5. Click Next.

  6. On the Requestors and Operations tab, configure the following options:

    • Requestors – Enter the name of the set that you created in Step H1 (Helpdesk Users Set).
    • Operation – Select Read Resource and Remove a value from a multivalued attribute.
    • Permissions – Select Grants Permissions.
  7. Click Next.

  8. On the Target Resources tab, in Target Resource Definition Before Request, enter Password Reset Users Set. Click the validate icon.

  9. In Target Resource Definition After Request, enter Password Reset Users Set. Click the validate icon.

  10. In Resource Attributes, select Select specific attributes, and then enter Lockout Gate Registration Data Ids and AuthN Workflow Locked Out. Click the validate icon, and then click Finish.

  11. On the Summary tab, click Submit.

Step H5: Create an MPR enabling helpdesk users to read password reset users

IT professionals who are responsible for unlocking users for password reset need permissions to search for password reset users.

To create an MPR enabling helpdesk users responsible for unlocking users for password reset to search for users
  1. Log on to the FIM Portal as an administrator.

  2. On the FIM home page, under Administration, click Management Policy Rules.

  3. On the Management Policy Rules page, click New.

  4. On the Create Management Policy Rule page, configure the following options:

    • Display Name – Enter a user-defined name for this MPR, such as Helpdesk Users can read Password Reset Users Set.
    • Description – Enter user-defined text defining a description for this MPR, such as This MPR allows Helpdesk Users to view users for password reset.
    • Type – Select Request.
    • Disabled – Ensure that Policy is disabled is not selected.
  5. Click Next.

  6. On the Requestors and Operations tab, configure the following options:

    • Requestors – Enter the name of the set that you created in Step H1 (Helpdesk Users Set).
    • Operation – Select Read Resource.
    • Permissions – Select Grants Permissions.
  7. Click Next.

  8. On the Target Resources tab, in Target Resource Definition Before Request, enter the name of the set that identifies password reset users (Password Reset Users Set), and click the validate icon.

  9. Click Next.

  10. In Resource Attributes, select Select specific attributes, and then enter Resource Type and DisplayName. Click the validate icon, and then click Finish.

  11. On the Summary tab, click Submit.

Test the configuration

After configuring the management agent for AD DS and then defining the password reset workflow, you will test the configuration. To test the configuration, you must perform the following steps in the order shown:

  1. Register for a self-service password reset
  2. Reset the password

Register for a self-service password reset

After a user logs on to a client computer, the user must register for a self-service password reset. This enables that user to reset the password without contacting the helpdesk. There are two methods by which users can register for a self-service password reset:

  1. Registration from a client computer
  2. Registration through the Web portal

Registration from a client computer

In this procedure, you will register for a self-service password reset from a client computer.

To register for a self-service password reset
  1. Log on to a client computer with a user account that resides in the set that you created to participate in password reset.

  2. On the FIM Password Reset Registration page, click Next.

  3. Answer the questions that you specified when you created the process for a self-service password reset, click Next, and then click OK.

Registration through the Web portal

In this procedure, you will register for password reset through the Web portal. There are two methods by which to register for password reset through the Web portal. Each method will be outlined in the procedures in this section of the document.

Method 1: To register for a self-service password reset in the portal
  1. Log on to the client computer as any user.

  2. From a client computer, open Internet Explorer, and then navigate to the FIM Portal home page (http://<portal host name>/IdentityManagement).

  3. From the FIM Portal home page, click Register for Password Reset.

  4. Click Register for My Password Management.

  5. Enter the credentials of the user who is logged on, and complete the registration wizard.

Method 2: To register for a self-service password reset in the portal
  1. Log on to the client computer as a user in the password reset set.

  2. From a client computer, open Internet Explorer, and then navigate to the password portal home page (http://<portal host name>/PasswordPortal).

  3. From the FIM Portal home page, in the navigation bar on the left side of the page, click Authentication Workflow Registration.

    Note

    Authentication Workflow Registration, by default, is not visible for a regular user. However, a user can go directly to the URL at http://<portal host name>/identitymanagement/aspx/authn/AuthNWFUserRegistration.aspx to access authentication workflow registration.

  4. On the Authentication Workflow Registration page, select the check box next to the authentication workflow that you modified in Step 6 of this document, and then click Register.

  5. Follow the instructions in the registration wizard.

Reset the password

Now you can reset the user’s password. After you have reset the password, the user can log on to the client computer and the AD DS domain with the new credentials. There are two ways to reset a password:

  1. Reset the password from a client computer
  2. Reset the password in the portal

Reset the password from a client computer

In this procedure, you will reset the user’s password from the logon screen on the client computer.

To reset the password at the logon screen
  1. Log off the client computer.

  2. On the Log On to Windows screen, click the Reset button.

    In the Windows Vista operating system, the Reset command link is located under the box where you enter your password.

  3. On the Authentication Gate page, type the same answers to the questions that you entered when you registered for a self-service password reset, and then click Next.

  4. On the Enter your new password here page, type your new password in the New password and Confirm new password boxes, and then click Reset.

  5. In the Windows logon screen, log on using the new password.

  6. Click Finish.

Reset the password in the portal

To reset the user’s password in the portal, you will perform two tasks:

  1. Allow anonymous access to the password reset portal
  2. Reset the user’s password by using the password reset portal

Allow anonymous access to the password reset portal

In this procedure, you will configure the portal to allow anonymous access to users who need to reset their passwords.

To enable anonymous access to the FIM Password Reset Portal SharePoint application:
  1. Click Start, click Administrative Tools, then run the SharePoint 3.0 Central Administration application.

  2. Click Application Management.

  3. Under Application Security, click Authentication Providers.

  4. On the list of available authentication providers, click Default.

  5. Under Anonymous Access, select Enable anonymous access.

  6. Click Save.

To assign permissions on the SharePoint site
  1. Log on to the password portal (http://<portal host name>/PasswordPortal) as an administrator.

  2. On the top-right side of the portal home page, click Site Actions, and then click Site Settings.

  3. Under Users and Permissions, click Advanced Permissions.

  4. On the Permissions page, click Settings, and then select Anonymous Access.

  5. Under Anonymous users can access, select Entire Web site, and then click OK.

Reset the user’s password by using the password reset portal

In this procedure, you will reset the user’s password by using the password reset portal.

To reset the user’s password by using the password reset portal
  1. Log on to the client computer as any user.

  2. From a client computer, open Internet Explorer and navigate to the password portal home page at http://<portal host name>/PasswordPortal.

  3. On the password portal home page, type the user’s user name and domain, and then complete the password reset wizard.

Kiosk Scenario

If you want to support users who cannot log on to a computer but still have to reset their password, you can set up a password reset kiosk. To do that, you create a dedicated local machine account and use it to log on to the kiosk computer. Users can then open the browser and reach the password reset portal without having to log on to the computer themselves.

Unlock a user for the password reset process

A user may have to be unlocked for the password reset process.

There are two lockout thresholds, the temporary lockout threshold and the permanent lockout threshold, as well as a lockout duration. If the settings are Temporary Lockout (number of attempts) = 3, Permanent Lockout (number of attempts) = 2, and Lockout Duration (minutes) = 5, the following behavior occurs:

  • The user is allowed three attempts without any lockout.
  • After failing the third attempt, the user is temporarily locked out for the lockout duration; in this case, for 5 minutes.
  • After the lockout duration elapses, the user gets three additional attempts without any lockout.
  • After failing the third attempt (sixth overall attempt), the user is permanently locked out.
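The lockout behavior described above, as an added example that is not part of the original article: a small PowerShell model of the two counters, so that a threshold configuration can be reasoned about before it is rolled out. Two details are assumptions, because the page does not state them: attempts made while a temporary lockout is in force are rejected without advancing any counter, and the permanent lockout threshold counts temporary lockouts rather than individual attempts. The attempt sequence at the end is constructed sample data.

```powershell
# Added example: model of the FIM 2010 password reset lockout counters.
# Assumed (not stated on the page): attempts during a temporary lockout do not
# count, and "Permanent Lockout" is the number of temporary lockouts after which
# the user is locked out permanently.

function Test-LockoutSequence {
    param(
        [int]$TemporaryLockoutAttempts = 3,   # Temporary Lockout (number of attempts)
        [int]$PermanentLockoutCount    = 2,   # Permanent Lockout
        [int]$LockoutDurationMinutes   = 5,   # Lockout Duration (minutes)
        # Each attempt is a hashtable: @{ Minute = <int>; Success = <bool> }
        [Parameter(Mandatory = $true)][object[]]$Attempts
    )

    $failures    = 0        # consecutive failures since the last lockout or success
    $lockouts    = 0        # temporary lockouts incurred so far
    $lockedUntil = -1       # minute at which the current temporary lockout ends
    $permanent   = $false
    $log         = @()

    foreach ($a in $Attempts) {
        if ($permanent) {
            $log += "t=$($a.Minute): rejected, permanently locked out (an administrator must unlock the user)"
            continue
        }
        if ($a.Minute -lt $lockedUntil) {
            $log += "t=$($a.Minute): rejected, temporarily locked out until t=$lockedUntil"
            continue
        }
        if ($a.Success) {
            $failures = 0
            $log += "t=$($a.Minute): answers accepted, reset allowed"
            continue
        }
        $failures++
        if ($failures -lt $TemporaryLockoutAttempts) {
            $log += "t=$($a.Minute): wrong answers ($failures of $TemporaryLockoutAttempts)"
            continue
        }
        # Threshold reached: this is a lockout event.
        $lockouts++
        $failures = 0
        if ($lockouts -ge $PermanentLockoutCount) {
            $permanent = $true
            $log += "t=$($a.Minute): wrong answers, PERMANENT lockout (lockout #$lockouts)"
        } else {
            $lockedUntil = $a.Minute + $LockoutDurationMinutes
            $log += "t=$($a.Minute): wrong answers, temporary lockout #$lockouts until t=$lockedUntil"
        }
    }
    $log
}

# Constructed sample: six wrong attempts, one of them inside the lockout window,
# then correct answers that arrive too late.
$sample = @(
    @{ Minute = 0;  Success = $false }, @{ Minute = 1; Success = $false }, @{ Minute = 2;  Success = $false },
    @{ Minute = 4;  Success = $false },                         # inside the 5-minute temporary lockout
    @{ Minute = 8;  Success = $false }, @{ Minute = 9; Success = $false }, @{ Minute = 10; Success = $false },
    @{ Minute = 11; Success = $true  }                          # sixth counted failure already happened at t=10
)
Test-LockoutSequence -Attempts $sample
```

With the page's values (3, 2, 5) the sample produces a temporary lockout at t=2, a rejected attempt at t=4, a permanent lockout at t=10 (the sixth counted failure) and a rejection of the correct answers at t=11, which is why the unlock procedure that follows exists.
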
To unlock a user for the password reset process
  1. Log on to the FIM Portal as a user who is in the IT professional set that is designated to unlock users for the password reset process.

  2. On the FIM home page, under Administration, click Unlock Users.

  3. On the Unlock Users page, search for and click the display name of the user who needs to be unlocked from the password reset process.

  4. On the following page, select the user-defined password reset action and authentication processes that you created earlier, and then, if the user needs to be unlocked from the password reset processes, click Unlock User.

  5. On the Unlock User page, click Submit.

  6. On the following page, click OK.

Require reregistration for all users if the questions in the Question and Answer gate are modified or changed

If you change the questions or modify the Questions and Answer gate, click Require Re-registration on the workflow to force all users to reregister for password reset.

Adding an Authentication Workflow to any Create, Update, or Delete Operation

In FIM 2010, you can add an authentication workflow to any create, update, or delete operation, except for approval and deny operations (request management) and schema operations. For example, you might want to require authentication for anyone creating a group. This requires you to perform four tasks:

  1. Create the MPR, which enables users to read the necessary attributes to register for a password reset.
  2. Create any authentication workflow.
  3. Edit the MPR that allows everyone to create a group and attach the authentication workflow to it. For more information on how to edit MPRs, see Introduction to Management Policy Rules in the FIM 2010 documentation.
  4. Test the configuration. In this procedure, you will verify that the users are now required to follow the authentication workflow when creating a group.
    To test the configuration
    1. Log on to the FIM Portal as a user.

    2. Under Distribution Groups, click Create a new DG, and then follow the instructions in the wizard.

    3. After you click Submit, the authentication workflow starts. You must complete the wizard before you can successfully create the group.

Configuring the FIM Portal for Password Reset only

If you are using FIM only for password resets, you can remove the other elements from the FIM home page. For information about how to update the FIM home page, see Introduction to Configuring the FIM Portal in the FIM 2010 documentation.

Using Group Policy to update how often registration is checked

By default, the FIM client checks the end user’s registration status every time he or she logs on to Windows. The frequency setting for how often registration is checked is located in the registry. If you are deploying password reset broadly in your organization, we recommend that you configure FIM 2010 to check periodically, not every time that the user logs on to Windows.

There are two potential locations for the registry key:

  1. HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions
  2. HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions

The location under Policies takes precedence. However, the second key (the one outside Policies) must exist in any case; it can be an empty key.

The settings are as indicated in the following table. Each value can be placed in either of the two registry locations listed above.

  Name            Type   Data description
  CacheInterval   Int    Registration status cache duration in days
  MaxOffset       Int    Maximum random offset in days to be added to or subtracted from the cache interval

  Registry location (either): HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions
                              HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions

CacheInterval specifies the amount of time in days before the FIM client checks the user’s registration status again. MaxOffset adds or subtracts a random number of days to CacheInterval. The offset exists so that all FIM clients are not checking registration status on the same day. We recommend that you create these settings in the Policies folder.
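The two registry values described above, set and then read back from PowerShell, as an added example that is not part of the original article. The key paths and value names come from the table; storing the "Int" values as REG_DWORD, the 30-day and 7-day figures, and the requirement for Windows PowerShell 2.0 or later (for Set-ItemProperty -Type) are assumptions. In production the Policies key would be populated by Group Policy; the script sets the same values on one test client and reads them back with the same precedence the client applies.

```powershell
# Added example: configure and verify the FIM 2010 client registration check interval.
# Paths and value names as in the table above; REG_DWORD for "Int" is assumed.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions'
$userKey   = 'HKCU:\Software\Microsoft\Forefront Identity Manager\2010\Extensions'

function Set-FimRegistrationCheckInterval {
    param(
        [int]$CacheIntervalDays = 30,   # days between registration status checks
        [int]$MaxOffsetDays     = 7     # random +/- spread so clients do not all check on the same day
    )
    if ($MaxOffsetDays -ge $CacheIntervalDays) {
        throw 'MaxOffset must be smaller than CacheInterval, otherwise the effective interval can reach zero or below.'
    }
    # The non-Policies key must exist (it may stay empty); the Policies key wins when both are present.
    foreach ($k in @($userKey, $policyKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $policyKey -Name CacheInterval -Value $CacheIntervalDays -Type DWord
    Set-ItemProperty -Path $policyKey -Name MaxOffset     -Value $MaxOffsetDays     -Type DWord
}

function Get-FimRegistrationCheckInterval {
    # Read the effective values with the client's precedence: Policies first, then the plain key.
    foreach ($k in @($policyKey, $userKey)) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['CacheInterval']) {
            $offset = 0
            if ($p.PSObject.Properties['MaxOffset']) { $offset = [int]$p.MaxOffset }
            return New-Object PSObject -Property @{
                Source            = $k
                CacheInterval     = [int]$p.CacheInterval
                MaxOffset         = $offset
                EarliestCheckDays = [int]$p.CacheInterval - $offset
                LatestCheckDays   = [int]$p.CacheInterval + $offset
            }
        }
    }
    'No CacheInterval configured: the client checks registration status at every logon (the default).'
}

Set-FimRegistrationCheckInterval -CacheIntervalDays 30 -MaxOffsetDays 7
Get-FimRegistrationCheckInterval | Format-List
```

Run it once under the test user's profile; the Get function reports which key the values came from and the 23 to 37 day window in which that client will next check.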

Site Settings for Internet Explorer 8, 7, and 6

The FIM portal should be placed in the Internet Explorer security zone listed in the following table, based on the version of Internet Explorer that the end users are running.

  Version               Site setting
  Internet Explorer 6   Intranet sites
  Internet Explorer 7   Trusted sites
  Internet Explorer 8   Intranet sites

Troubleshooting

If you have issues when you set up the self-service password reset, look for the issues in the following list for information about how to resolve the issues.

Password reset configuration
  • In the Process Designer, it is not supported to add more than one Question and Answer activity to an authentication workflow.
  • If the firewall on the FIM 2010 server is enabled, you must open a range of ports to allow remote procedure call (RPC) communication between the domain controller and the server with FIM 2010. For more information, see the Microsoft Identity Integration Server 2003 Technical Reference (http://go.microsoft.com/fwlink/?LinkId=38680).
  • If the firewall on the server running FIM 2010 is on, password reset does not work unless TCP ports 5725 and 5726 (the FIM Service endpoints) are unblocked. If necessary, unblock these ports manually.
  • In the Question and Answer activity settings, a question must not exceed 100 characters.
  • Changing the mapping for a password reset event from using one AuthN process to using a different AuthN process is not supported in FIM 2010.
Password reset use case
  • Answers to questions must not exceed 255 characters.
Password reset client deployment
  • If a user does not register for a password reset during the initial logon, he or she will be prompted to register during each subsequent logon.
  • If a user wants to reregister for a self-service password reset, follow the procedures in the Registration through the Web portal section of this document.

FAQ

Timeout value for Authentication Activities

By default, AuthN activities time out after 5 minutes.

Summary

After you complete the procedures in this document, you will have successfully deployed self-service password reset in your environment. With the successful deployment of the self-service password reset feature in FIM 2010, users in your environment will be able to reset their passwords without having to call their helpdesk.

Source: https://technet.microsoft.com/en-us/library/ee534892(v=ws.10).aspx

Introduction to Outbound Synchronization

Applies To: Forefront Identity Manager 2010

In Microsoft® Forefront® Identity Manager (FIM) 2010, you can configure and fine-tune the object and attribute flow between FIM 2010 and the related connected data sources by configuring synchronization rules. There are two different types of synchronization rules in the architectural model of FIM 2010: inbound synchronization rules and outbound synchronization rules. This document provides a detailed introduction to outbound synchronization rules based on a simple lab environment.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Before You Begin

This document assumes that you have already a working instance of FIM 2010 running on a computer. For more information about installing FIM 2010, see the FIM Installation Guide (http://go.microsoft.com/fwlink/?LinkID=165845).

Prerequisite Knowledge

This document assumes that you have a basic understanding of the synchronization process. For more information, see Understanding Data Synchronization with External Systems.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Audience

This guide is intended for information technology (IT) professionals who are interested in getting some initial hands-on experience with FIM 2010 outbound synchronization rules in a lab environment.

Scope

The scenario outlined in this document has been simplified to address the requirements of a simple lab environment. The focus is on helping the reader obtain a basic understanding of the technologies. This scenario is not intended for deployment in a production environment.

Time Requirements

The procedures in this document require 90 to 120 minutes for a new user to complete. These time estimates assume that the testing environment is already configured, and they do not include the time required to set up the test environment.

Getting Support

If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010.

Scenario Description

Fabrikam, a fictitious company, is investigating how to easily deploy and maintain digital identities by using FIM 2010. As part of this investigation, Fabrikam wants to explore the new outbound synchronization rule concept in the corporate lab environment based on a simple scenario. The goal of this scenario is to synchronize one user object that is created manually in the FIM 2010 Portal to a file-based connected data source. The required synchronization rule is applied to members of a scenario set. This scenario is representative of cases where FIM 2010 is authoritative for creating users in external systems.

The following illustration outlines this scenario.

[Illustration omitted: overview of the scenario.]

The following sections describe the scenario design, the scenario preparation, and the scenario steps.

Scenario Design

To implement the simple lab solution in this document, you implement two management agents:

  • Fabrikam FIMMA. This management agent for the FIM 2010 R2 Service contributes the source scenario objects.
  • Fabrikam FileMA. This management agent for the Attribute-value pair text file is the target for the sample user in this document.

The following illustration outlines the logical architecture of this scenario.

[Illustration omitted: logical architecture of the scenario.]

For the outbound synchronization rule, the following conceptual elements are required:

File Outbound Synchronization Rule—The synchronization rule to manage objects in the Fabrikam FileMA connector space. The following attributes are populated by this synchronization rule:

  • Employee ID
  • Employee Type
  • First Name
  • Last Name

All Contractors—A Set with dynamic membership for all the objects with an EmployeeType attribute of Contractor.

File Workflow—The Workflow to invoke the File Outbound Synchronization Rule.

File Management Policy Rule—The Management Policy Rule (MPR) that is triggered by updates to person objects that invokes the File Workflow.

Testing Environment

The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory® forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the domain configuration.

[Illustration omitted: domain configuration of the test environment.]

To perform the procedures in this document, the domain controller has been configured with the following characteristics:

  • Windows Server 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise
  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
  • Microsoft SQL Server® 2008 64-bit Standard or Enterprise, Service Pack 1 (SP1) or later
  • Windows SharePoint® Services 3.0 SP1, 64-bit
  • Windows PowerShell™ 1.0
  • FIM 2010

Note

A description of the installation of FIM 2010 and the required software components is out of the scope of this document.

For a complete description of the installation process for FIM 2010, see the FIM Installation Guide (http://go.microsoft.com/fwlink/?LinkID=165845).

Scenario Roadmap

The scenario roadmap in this document consists of three main building blocks:

  1. Configuring the scenario. In this section, you create all required scenario components, including the required management agents, run profiles, an outbound synchronization rule, an action process, and a management policy.
  2. Initializing the scenario. In this section, you deploy your initial configuration inside FIM 2010.
  3. Testing the scenario. In this section, you verify the declarative provisioning prerequisites and you deploy one newly created scenario user from the FIM 2010 R2 Service database to the data file that is associated with the Fabrikam FileMA.

Configuring the Scenario

The configuration of the scenario in this document consists of the following building blocks:

  1. Creating the management agents
  2. Creating the run profiles
  3. Creating the outbound synchronization rule
  4. Creating the Workflow
  5. Creating the MPR
  6. Enabling synchronization rule provisioning

The following sections provide detailed instructions for each configuration building block.

Creating the management agents

In this section, you find instructions for creating the two scenario management agents:

  • Fabrikam FileMA
  • Fabrikam FIMMA

The following sections provide detailed instructions for creating these management agents.

Creating the Fabrikam FileMA

The Fabrikam FileMA is a management agent for a delimited text file. To create this management agent, you need a text file that contains the schema information for this management agent.

The following code sample shows the schema for this management agent.

"EmployeeID","EmployeeType","FirstName","LastName"
To create the Fabrikam FileMA
  1. Open Notepad.

  2. From the previous code sample, copy the schema structure and paste it into your new Notepad file.

  3. Save the file as C:\Fabrikam File MA Data.txt.

  4. Open Synchronization Service Manager, and, in the Tools menu, select Management Agents.

  5. To open the Create Management Agent Wizard, in the Actions menu, click Create.

  6. On the Create Management Agent page, provide the following configuration settings, and then click Next:

    • Management agent for: Delimited text file
    • Name: Fabrikam FileMA
  7. On the Select Template Input File page, provide the following configuration settings, and then click Next:

    • Template Input File: C:\Fabrikam File MA Data.txt
    • Code Page: Western Europe (Windows)
  8. On the Delimited Text Format page, provide the following configuration settings, and then click Next:

    • Use first row for header names: selected
    • Delimiter: Comma
    • Text qualifier: "
  9. On the Configure Attributes page, provide the following configuration settings, and then click Next:

    1. To open the Set Anchor dialog box, click Set Anchor.
    2. In the Available attributes list, select Employee ID.
    3. To set Employee ID as the anchor, click Add.
    4. To close the Set Anchor dialog box, click OK.
  10. On the Define Object Types page, click Next.

  11. On the Configure Connector Filter page, click Next.

  12. On the Configure Join and Projection Rules page, click Next.

  13. On the Configure Attribute Flow page, click Next.

  14. On the Configure Deprovisioning page, click Next.

  15. To create the management agent, on the Configure Extensions page, click Finish.

Creating the FIMMA

The Fabrikam FIMMA is a FIM Service Management Agent. To create this management agent, you use the Create Management Agent Wizard.

Important

To create the FIM Service management agent, you need a separate user account under which it runs.

To create a user account for the Fabrikam FIMMA
  1. Open Active Directory Users and Computers.

  2. In the directory tree, select Users.

  3. To open the New Object – User dialog box, on the Action menu, point to New, and then click User.

  4. In the First name text box, type fimma.

  5. In the User logon name text box, type fimma, and then click Next.

  6. In the Password and the Confirm password text boxes, type a password of your choice.

  7. Clear the User must change password at next logon check box.

  8. Select Password never expires, and then click Next.

  9. To create the user account, click Finish.

Important

If your server running FIM 2010 R2 is also a domain controller, the account that you use must have the right to log on locally. For more information, see Grant a Member the Right to Log On Locally (http://go.microsoft.com/fwlink/?LinkID=182205).

For more details about the FIM 2010 management agent account, see the FIM Installation Guide (http://go.microsoft.com/fwlink/?LinkId=134023).
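The account creation above, scripted with the ActiveDirectory module as an added example that is not the article's own procedure, together with the two checks a practitioner wants before running the wizard: that the account really carries the flags the FIM MA needs, and, on a domain controller, that it holds the Allow log on locally right. Assumptions not taken from the page: the module is available (Windows Server 2008 R2 RSAT; on Server 2008 use the GUI steps above), the account lives in the default Users container of fabrikam.com, and the right is detected by looking for the account's own SID in the secedit export, so a grant through a group other than a direct entry is reported as a warning rather than resolved.

```powershell
# Added example: create and verify the Fabrikam FIMMA service account.
# Container path, module availability and the SID-only rights check are assumptions.

Import-Module ActiveDirectory

$name = 'fimma'
# Prompt rather than embed the password: "Password never expires" makes this a
# long-lived credential, so it must not end up in scripts, history or logs.
$password = Read-Host -AsSecureString "Password for $name"

New-ADUser -Name $name -SamAccountName $name -GivenName $name `
    -Path 'CN=Users,DC=fabrikam,DC=com' `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

function Test-FimMAAccount {
    param([string]$SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties PasswordNeverExpires, PasswordExpired, Enabled
    $problems = @()
    if (-not $u.Enabled)              { $problems += 'account is disabled' }
    if (-not $u.PasswordNeverExpires) { $problems += '"Password never expires" is not set' }
    if ($u.PasswordExpired)           { $problems += '"User must change password at next logon" is still set' }

    # On a domain controller the MA account also needs SeInteractiveLogonRight.
    # secedit exports the effective local policy; the right is listed as SIDs.
    $isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4      # 4 = backup DC, 5 = primary DC
    if ($isDC) {
        $cfg = Join-Path $env:TEMP 'secpol.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $right = (Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight').Line
        Remove-Item $cfg -ErrorAction SilentlyContinue
        if (-not ($right -and $right.Contains($u.SID.Value))) {
            $problems += "'Allow log on locally' does not list $SamAccountName directly; grant it (or confirm a group grant) before creating the MA"
        }
    }
    if ($problems.Count -eq 0) { "OK: $SamAccountName is ready for the FIM Service management agent." } else { $problems }
}

Test-FimMAAccount -SamAccountName $name
```

The account needs no other group membership for this lab; keep it that way, since it is the identity the Synchronization Service uses to read from and write to the FIM Service database.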

To create the Fabrikam FIMMA
  1. Open Synchronization Service Manager and, on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following configuration settings, and then click Next:

    • Management agent for: FIM 2010 R2 Service Management Agent
    • Name: Fabrikam FIMMA
  4. On the Connect to Database page, provide the following configuration settings, and then click Next:

    • Server: .
    • Database: FIMService
    • FIM Service base address: http://localhost:5725
    • Authentication mode: Windows-integrated authentication
    • User name: fimma
    • Password: <the account's password>
    • Domain: fabrikam
  5. On the Selected Object Types page, verify that the following object types are selected, and then click Next:

    • ExpectedRuleEntry
    • Person
    • SynchronizationRule
  6. On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Object Type Mappings, add the following mapping, and then click Next:

    1. In the Data Source Object Type list, select Person.
    2. To open the Mapping dialog box, click Add Mapping.
    3. In the Metaverse object type list, select person.
    4. To close the Mapping dialog box, click OK.
  9. On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:

    Data source attribute   Metaverse attribute
    DisplayName             displayName
    EmployeeID              employeeID
    EmployeeType            employeeType
    ExpectedRulesList       expectedRulesList
    FirstName               firstName
    LastName                lastName

    1. Select Person as Data source object type.
    2. Select person as Metaverse object type.
    3. Select Direct as Mapping Type.
    4. Select Import as Flow Direction.
    5. For each row in the previous table, complete the following steps:
      1. Select the Data source attribute for that row in the table.
      2. Select the metaverse attribute for that row in the table.
      3. To apply the flow mapping, click New.
  10. On the Configure Deprovisioning page, click Next.

  11. To create the management agent, on the Configure Extensions page, click Finish.

Creating the Run Profiles

This section lists the steps for configuring the scenario run profiles. For the scenario outlined in this document, you configure run profiles for the Fabrikam FileMA and the Fabrikam FIMMA.

Creating run profiles for the Fabrikam FileMA

The following table lists the run profiles for the Fabrikam FileMA:

  Profile     Run profile name   Step type
  Profile 1   Full Import        Full Import (Stage Only)
  Profile 2   Export             Export

To configure the run profiles for the Fabrikam FileMA
  1. On the Tools menu, click Management Agents.

  2. In the Name column, select Fabrikam FileMA.

  3. For each row in the previous table, perform the following steps:

    1. To open the Configure Run Profiles for Fabrikam FileMA dialog box, on the Actions menu, click Configure Run Profiles.
    2. To open the Configure Run Profile dialog box, click New Profile.
    3. On the Profile Name page, type the Run profile name for that row in the table, and then click Next. On the Configure Step page, select the Step Type for that row, and then click Next.
    4. On the Management Agent Configuration page, provide the following configuration settings, and then click Finish:
      1. Partition: default
      2. Input file name: Fabrikam File MA Data.txt

    Important

    Because the data files for the import and the export run profile have not been created yet, you must type the name of the data file in the Input file name text box.

Creating run profiles for the Fabrikam FIMMA

The following table lists the run profiles for the Fabrikam FIMMA:

  Profile     Run profile name        Step type
  Profile 1   Full Import             Full Import (Stage Only)
  Profile 2   Full Synchronization    Full Synchronization
  Profile 3   Delta Import            Delta Import (Stage Only)
  Profile 4   Delta Synchronization   Delta Synchronization
  Profile 5   Export                  Export

To configure the run profiles for the Fabrikam FIMMA
  1. On the Tools menu, click Management Agents.

  2. In the Name column, select Fabrikam FIMMA.

  3. For each row in the previous table, perform the following steps:

    1. To open the Configure Run Profiles for Fabrikam FIMMA dialog box, on the Actions menu, click Configure Run Profiles.
    2. To open the Configure Run Profile dialog box, click New Profile.
    3. On the Profile Name page, type the Run profile name for that row in the table, and then click Next. On the Configure Step page, select the Step Type for that row, and then click Next.
    4. To create the run profile, on the Management Agent Configuration page, click Finish.

Creating the Outbound Synchronization Rule

In this section, you create the required outbound synchronization rule. The following table summarizes the synchronization rule configuration for the scenario in this document.

[Table omitted: summary of the synchronization rule configuration; the settings are given in the procedure below.]

To create the outbound synchronization rule
  1. To open the FIM 2010 R2 Portal, start Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

  2. To open the Synchronization Rules page, in the Administration bar, click Synchronization Rules.

  3. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: FileMA Outbound Synchronization Rule
    • Data Flow Direction: Outbound
  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person
    • External System: Fabrikam FileMA
    • External System Resource Type: person
  6. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:
      • MetaverseObject:person(Attribute): employeeID
      • ConnectedSystemObject:person(Attribute): Employee ID
    2. Create Resource in External System: selected
  7. On the Workflow Parameters tab, click Next.

  8. On the Outbound Attribute Flow tab, provide the following information, and then click Next:

    Source (metaverse attribute)   Destination (Fabrikam FileMA attribute)
    employeeID                     EmployeeID
    employeeType                   EmployeeType
    firstName                      FirstName
    lastName                       LastName

    1. For each row in the previous table, perform the following steps:
      1. To open the Flow Definition dialog box, click New Attribute Flow.
      2. On the Source tab, select the attribute for that row in the table.
      3. On the Destination tab, select the attribute shown for that row in the table.
      4. To apply the attribute flow configuration, click OK.
    2. In the Outbound Attribute Flow configuration table, select Initial Flow Only for the following flow, so that the anchor value is written only when the object is created in the file:

        employeeID => EmployeeID

    [Illustration omitted: the correct configuration of the export attribute flow rules.]

  9. To move to the summary page, click Finish, and then, on the Summary tab, click Submit.

Creating the Workflow

In this section, you create the required workflow. For the scenario in this document, the workflow contains the FileMA outbound synchronization rule for the Add action. The following table summarizes the action process configuration for the scenario in this document.

[Table omitted: summary of the workflow configuration; the settings are given in the procedure below.]

To create the Workflow
  1. To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

  2. To open the Workflows page, in the Administration bar, click Workflows.

  3. To open the Create Workflow Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Workflow Name: Fabrikam File Workflow
    • Workflow Type: Action
  5. On the Activities tab, provide the following information, and then click Next:

    • In the Activity Picker, select Synchronization Rule Activity, and then click Select.
    • In the Synchronization Rule list, select FileMA Outbound Synchronization Rule.
    • In Action Selection, select Add, and then click Save.
  6. To move to the summary page, click Finish.

  7. On the Summary tab, click Submit.

Creating the MPR

In this section, you create the MPR. The following table summarizes the MPR configuration for the scenario in this document:

[Table omitted: summary of the MPR configuration; the settings are given in the procedure below.]

The objective of the scenario in this document is to provision contractors into the File MA data source. This requires an MPR that is triggered when a resource transitions into the All Contractors set.

To create the MPR
  1. To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

  2. To open the Management Policy Rules page, in the Administration bar, click Management Policy Rules.

  3. To open the Create Management Policy Rule Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    1. Display Name: Fabrikam File Management Policy Rule
    2. Type: Set Transition
  5. On the Transition Definition tab, provide the following information, and then click Next:

    1. Transition Set: All Contractors
    2. Transition Type: Transition In
  6. On the Policy Workflows tab, provide the following information, and then click Next:

    1. Action Workflows
      • Selected Objects: Fabrikam File Workflow
  7. On the Summary tab, click Submit.

Enabling Synchronization Rule Provisioning

To enable the configured synchronization rules during a synchronization run, you must enable synchronization rule processing in the Synchronization Service Manager.

To enable Synchronization Rule Provisioning
  1. Open Synchronization Service Manager.

  2. To open the Options dialog box, on the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Initializing the Scenario

The initialization of your scenario consists of the following steps:

  1. Importing data from the FIM 2010 R2 Service database
  2. Initializing the FIM 2010 R2 Synchronization service
  3. Exporting to the FIM 2010 R2 Service database
  4. Confirming the FIM 2010 R2 Service database
Importing data from the FIM Service database

The objective of the full import is to bring the already existing objects, including the newly created synchronization rule, into the connector space of the Fabrikam FIMMA. After a successful full import on the Fabrikam FIMMA, the synchronization statistics report three added objects. The following illustration shows the synchronization statistics for a full import run.

[Illustration omitted: synchronization statistics for the full import run, showing three adds.]

To import data from the FIM Service database
  1. On the Tools menu, click Management Agents.

  2. In the Name column, select Fabrikam FIMMA.

  3. To open the Run Management Agent dialog box, in the Actions menu, click Run.

  4. In the Run profiles list, select Full Import, and then click OK.

By using a connector space search, you can examine the properties of the new objects. In addition to the synchronization rule, you also find two Person objects that were imported. These objects represent the Built-in Synchronization Account and the account you used to install FIM 2010.

The following illustration shows the result of a connector space search on the Fabrikam FIMMA.

[Illustration omitted: result of a connector space search on the Fabrikam FIMMA.]

To run a connector space search on the Fabrikam FIMMA
  1. To open the Search Connector Space dialog box, in the Actions menu, click Search Connector Space.

  2. To retrieve a list of the available connector space objects, click Search.

Initializing the FIM Synchronization Service

A full synchronization run is always required when a synchronization rule is updated. You apply updates to these synchronization rules during the configuration of the Fabrikam FIMMA management agent. By design, each FIM 2010 R2 Service management agent has a preconfigured projection rule. During the initial full synchronization run, the three staged connector space objects are projected into the metaverse. The preconfigured export attribute flow rule stages the metaverse object ID for an export in the Fabrikam FIMMA connector space. The following illustration shows the synchronization statistics for a full synchronization run.


To initialize the FIM Synchronization Service
  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Full Synchronization, and then click OK.

By using a metaverse search, you can examine the properties of the newly projected objects.

To run a metaverse search
  1. On the Tools menu, click Metaverse Search.

  2. If necessary, adjust the column settings by selecting the Column Settings link.

  3. To search the metaverse, click Search.

  4. To open the Metaverse Object Properties dialog box, in the Search Results list, select FileMA Outbound Synchronization Rule, and then, on the Actions menu, click Properties.

Exporting data to the FIM Service database

As a result of the FIM 2010 R2 Service database initialization, updates have been staged to the connector space of the FIM 2010 R2 management agent. These pending exports must be pushed out to the FIM 2010 R2 Service database. The following illustration shows the synchronization statistics of a successful export run:


To export data to the FIM Service database
  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Export, and then click OK.

Confirming the FIM Service database

To complete the initialization sequence, you run a delta import on your Fabrikam FIMMA. The delta import is required to confirm the exported data in the connector space. The following illustration shows the synchronization statistics of a successful confirming import run.


To confirm the FIM Service database
  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Delta Import, and then click OK.

Note

At this point, your scenario is fully initialized.

Testing the Scenario

The goal of the scenario in this document is to create one sample user in the data source file that is associated with the Fabrikam FileMA. The complete deployment cycle of a sample user consists of the following building blocks:

  1. Creating the scenario user
  2. Verifying the Declarative Provisioning Preconditions
  3. Deploying the scenario user

The following sections provide instructions for each building block.

Creating the scenario user

In this section, you create the test user for this scenario. The scenario user has the attribute settings in the following table.

Attribute        Value
First Name       Britta
Last Name        Simon
Display Name     Britta Simon
Domain           fabrikam
Employee ID      007
Employee type    Contractor

To create the scenario user
  1. To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

  2. To open the Users page, on the navigation bar, click Users.

  3. To open the Create User Wizard, on the All Users menu, click New.

  4. On the General tab, provide the following information, and then click Next:

    • First Name: Britta
    • Last Name: Simon
    • Display Name: Britta Simon
    • Domain: fabrikam
  5. On the Work Info tab, provide the following information, and then click Finish:

    • Employee Type: Contractor
    • Employee ID: 7
  6. On the Summary tab, click Submit.

Verifying the Declarative Provisioning Preconditions

In the case of outbound synchronization, there are two prerequisites for provisioning to function properly:

  1. The synchronization rule object must have been projected into the metaverse.
  2. Each affected object must have the ExpectedRulesList attribute values that you want.

Because the synchronization rule has already been projected successfully during the initialization phase of this scenario, you should verify now whether your sample user object satisfies the remaining preconditions for a successful provisioning attempt. The following sections outline the related steps:

  • Verifying the Set membership
  • Verifying the Expected Rules List value

Verifying the Set membership

In this section, you verify that the scenario object is a member of the All Contractors set. The All Contractors set should list Britta Simon as a member of the set, as shown in the following illustration:


To verify the Set membership
  1. To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

  2. To open the Sets page, in the Management Policy Rules section of the navigation bar, click Sets.

  3. To open the All Contractors property page, in the DisplayName list, click All Contractors.

  4. To display the list of calculated members, click the Criteria based Members tab, and then click View Members.

  5. Verify that Britta Simon appears in the list.

Important

If this condition is not met, the related management policy is not triggered.

Verifying the Expected Rules List value

The MPR in this scenario is configured to invoke the Fabrikam File Workflow when an object becomes a member of the All Contractors set. Because this condition is satisfied, the object Britta Simon should be added to the scope of the FileMA Outbound Synchronization Rule. You can verify this by checking the Provisioning state of the object. The following illustration shows the Expected Rules List (ERL) setting of Britta Simon.


To verify the Expected Rules List value
  1. To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

  2. To open the Users page, on the navigation bar, click Users.

  3. To open the object’s configuration dialog box, in the Display Name list, click Britta Simon.

  4. Select the Provisioning tab.

  5. Verify that FileMA Outbound Synchronization Rule appears in the list of Expected Rules List attribute values.

  6. Close the dialog box.

Important

At this point, you have verified that the sample user Britta Simon satisfies the Outbound Synchronization Precondition. The object is now ready to be processed by the FIM 2010 R2 Synchronization Service.
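The two preceding procedures (creating Britta Simon and checking her set membership and Expected Rules List) can also be driven from PowerShell with the FIMAutomation snap-in. The script below is an added example and is not part of the TechNet walkthrough. It assumes the FIMAutomation snap-in is installed on the machine, that the caller may create Person objects and read Set and ExpectedRuleEntry objects, that the set/rule dereferencing XPath forms shown are accepted by the FIM Service, and that an ExpectedRuleEntry exposes the rule name in its SynchronizationRuleName attribute; the attribute values are the ones from the table in this document.

```powershell
# Added example, not part of the TechNet walkthrough: create the scenario user
# and check the two declarative provisioning preconditions with the FIMAutomation
# PowerShell snap-in instead of clicking through the FIM Portal.
# Assumptions: the snap-in is installed, the caller may create Person objects and
# read Set / ExpectedRuleEntry objects, and the ERE carries the rule name in its
# SynchronizationRuleName attribute.

Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Append one attribute change to an ImportObject (the usual FIMAutomation pattern).
function Add-ImportChange($ImportObject, [string] $Name, [string] $Value) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    $change.AttributeName  = $Name
    $change.AttributeValue = $Value
    $change.FullyResolved  = 1
    $change.Locale         = "Invariant"
    if ($null -eq $ImportObject.Changes) { $ImportObject.Changes = (,$change) }
    else                                 { $ImportObject.Changes += $change }
}

# Create Britta Simon with the attribute values from the table in this document.
function New-ScenarioUser {
    $user = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $user.ObjectType             = "Person"
    $user.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $user.TargetObjectIdentifier = $user.SourceObjectIdentifier
    $user.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $attributes = @{
        FirstName = "Britta"; LastName = "Simon"; DisplayName = "Britta Simon"
        Domain = "fabrikam"; EmployeeID = "007"; EmployeeType = "Contractor"
    }
    foreach ($a in $attributes.GetEnumerator()) { Add-ImportChange $user $a.Key $a.Value }
    $user | Import-FIMConfig
}

# Read one attribute from an object returned by Export-FIMConfig.
function Get-FimAttribute($Resource, [string] $Name) {
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($attr.IsMultiValue) { $attr.Values } else { $attr.Value }
}

# Returns $true only when both preconditions hold; warns about the one that fails.
function Test-ProvisioningPreconditions([string] $DisplayName, [string] $SetName, [string] $RuleName) {
    # Precondition 1: the user is a computed member of the set the MPR is scoped to.
    $member = Export-FIMConfig -OnlyBaseResources `
        -CustomConfig "/Set[DisplayName='$SetName']/ComputedMember[DisplayName='$DisplayName']"
    if ($null -eq $member) {
        Write-Warning "'$DisplayName' is not a computed member of '$SetName'; the MPR will not be triggered."
        return $false
    }

    # Precondition 2: an ExpectedRuleEntry for the outbound rule is referenced from
    # the user's ExpectedRulesList (what the Provisioning tab shows in the portal).
    $eres  = @(Export-FIMConfig -OnlyBaseResources `
        -CustomConfig "/ExpectedRuleEntry[ObjectID=/Person[DisplayName='$DisplayName']/ExpectedRulesList]")
    $rules = @($eres | ForEach-Object { Get-FimAttribute $_ "SynchronizationRuleName" })
    if ($rules -notcontains $RuleName) {
        Write-Warning "'$DisplayName' has no ERE for '$RuleName' (found: $($rules -join ', '))."
        return $false
    }
    return $true
}

New-ScenarioUser
# Give the MPR and the Fabrikam File Workflow a moment to run before checking the ERL.
Start-Sleep -Seconds 10
Test-ProvisioningPreconditions -DisplayName "Britta Simon" `
    -SetName "All Contractors" -RuleName "FileMA Outbound Synchronization Rule"
```

The check mirrors the order of the manual procedure: a missing set membership is reported first, because without it the MPR never runs and the ERL check would fail for the wrong reason.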

Deploying the scenario user

To deploy Britta Simon to the file-based connected data source, perform the following steps:

  1. Import the object into the connector space of the Fabrikam FIMMA.
  2. Synchronize the object inside the FIM 2010 R2 Synchronization Service.
  3. Export the object to the data file of the Fabrikam FileMA.
  4. Confirm the object from the data file of the Fabrikam FileMA.

As soon as all four steps are completed successfully, Britta Simon can be considered to be deployed to the target data source.

Importing the scenario user into the FIMMA connector space

To import the scenario user into the FIMMA connector space, you run a delta import run profile. The import statistics for this run report two added objects:

  • One person object for Britta Simon
  • One ExpectedRuleEntry object that establishes a link between Britta Simon and the FileMA Outbound Synchronization Rule

Note

An ExpectedRuleEntry (ERE) object is a specialized object that sits in the middle of an Identity Object -> ERE -> SR construct. Because a detailed understanding of EREs is not required to follow how outbound synchronization rules are associated with identity objects, they are outside the scope of this document.

The following illustration shows the synchronization statistics of a successful delta import run.


To import the scenario user into the FIMMA connector space
  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Delta Import, and then click OK.

Important

In accordance with best practices for newly staged connector space test objects, verify the actual attribute values in the connector space.

To verify the attribute values, perform the following steps:

  1. To open the Object Details dialog box, in Synchronization Statistics, click the Adds link.
  2. To open the Connector Space Object Details dialog box, in the Distinguished Name list, select the object of interest, and then click Properties.

Synchronizing the scenario user

During the synchronization run, Britta Simon is projected into the metaverse. If a provisioning-related problem occurs during a synchronization run, you should perform a metaverse search for an affected object and verify that the object has a valid value for the expectedRulesList attribute. As mentioned previously in this document, the synchronization engine must have this attribute to apply the correct synchronization rule object to an object. The following illustration shows the metaverse object information for Britta Simon after a successful synchronization run.


In addition to the new user being projected into the metaverse, Britta Simon is also provisioned to the target connector space during the delta synchronization run. The following illustration shows the synchronization statistics of a successful delta synchronization run.


To synchronize the scenario user
  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Delta Synchronization, and then click OK.

Important

In accordance with best practices for newly projected metaverse objects, verify the actual attribute values in the metaverse.

To verify the attribute values, you perform the following steps:

  1. On the Tools menu, click Metaverse Search.
  2. If necessary, adjust the Column Settings by selecting the Column Settings link.
  3. To search the metaverse, click Search.
  4. To open the Metaverse Object Properties dialog box, in the Search Results list, select the object of interest, and then on the Actions menu, click Properties.

Important

In accordance with best practices for newly provisioned connector space test objects, verify the actual attribute values in the target connector space.

To verify the attribute values, perform the following steps:

  1. On the Tools menu, click Management Agents.
  2. In the Management Agents list, select the affected management agent.
  3. To open the Search Connector Space dialog box, on the Actions menu, click Search Connector Space.
  4. If necessary, adjust the Column Settings by selecting the Column Settings link.
  5. To search the connector space, click the Search button.
  6. To open the Connector Space Object Properties dialog box, in the Search Results list, select the object of interest, and then select Properties.

Exporting the scenario user

Because there is a pending Add staged in the connector space, you can run an export run profile to export the pending object to your data file. The following illustration shows the export statistics after a successful export run.


To export the scenario user to the data file
  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Export, and then click OK.

Confirming the scenario user

As a result of a successful export, Britta Simon has been added to the Fabrikam FileMA data file. The following illustration shows this.


To complete the deployment cycle for the scenario user, you run a confirming import on the Fabrikam FileMA. The synchronization statistics for this run report one Add. The following illustration shows an example of this.


At this point, the outbound synchronization scenario is completed.
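Both run-profile sequences in this document, the four-step initialization (Full Import, Full Synchronization, Export, Delta Import on the Fabrikam FIMMA) and the four-step deployment of the scenario user (Delta Import and Delta Synchronization on the Fabrikam FIMMA, then Export and Delta Import on the Fabrikam FileMA), can be run unattended through the Synchronization Service WMI provider instead of the Run Management Agent dialog box. The script below is an added example, not code from the TechNet article. It assumes it runs on the synchronization server under an account in the FIMSyncAdmins group, that the management agent and run profile names are exactly the ones used in this document, and that the MIIS_ManagementAgent counter methods (NumImportAdd, NumProjections, NumExportAdd) are available as documented for the MIIS WMI provider.

```powershell
# Added example, not part of the TechNet walkthrough: run the initialization and
# deployment run-profile sequences from PowerShell via the Synchronization
# Service WMI provider, stopping at the first run that does not end in "success".
# Assumptions: executed on the synchronization server by a FIMSyncAdmins member;
# MA and run profile names are the ones used in this document.

$ns = "root\MicrosoftIdentityIntegrationServer"

function Invoke-RunProfile([string] $MAName, [string] $RunProfile) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MAName'"
    if ($null -eq $ma) { throw "Management agent '$MAName' not found" }

    Write-Host ("[{0}] {1} ..." -f $MAName, $RunProfile)
    # Execute blocks until the run finishes and returns the run status string,
    # e.g. "success", "completed-export-errors" or "stopped-...".
    $result = $ma.Execute($RunProfile).ReturnValue

    # Same counters the document reads off the Synchronization Statistics pane.
    $stats = @(
        @{ Name = "Result";      Value = $result },
        @{ Name = "ImportAdds";  Value = $ma.NumImportAdd().ReturnValue },
        @{ Name = "Projections"; Value = $ma.NumProjections().ReturnValue },
        @{ Name = "ExportAdds";  Value = $ma.NumExportAdd().ReturnValue }
    )
    foreach ($s in $stats) { Write-Host ("    {0,-12} {1}" -f $s.Name, $s.Value) }

    # Anything other than a clean run needs a look at the run history before the
    # next profile is started, so stop the whole sequence here.
    if ($result -ne "success") { throw "$MAName / $RunProfile ended with '$result'" }
}

function Invoke-RunSequence($Steps) {
    foreach ($step in $Steps) { Invoke-RunProfile -MAName $step.MA -RunProfile $step.Profile }
}

# Section "Initializing the Scenario": run once after the synchronization rule exists.
$initSteps = @(
    @{ MA = "Fabrikam FIMMA"; Profile = "Full Import" },
    @{ MA = "Fabrikam FIMMA"; Profile = "Full Synchronization" },
    @{ MA = "Fabrikam FIMMA"; Profile = "Export" },
    @{ MA = "Fabrikam FIMMA"; Profile = "Delta Import" }
)

# Section "Deploying the scenario user": run after Britta Simon has been created
# in the FIM Portal and passes the provisioning preconditions.
$deploySteps = @(
    @{ MA = "Fabrikam FIMMA";  Profile = "Delta Import" },
    @{ MA = "Fabrikam FIMMA";  Profile = "Delta Synchronization" },
    @{ MA = "Fabrikam FileMA"; Profile = "Export" },
    @{ MA = "Fabrikam FileMA"; Profile = "Delta Import" }
)

Invoke-RunSequence $initSteps
Read-Host "Create the scenario user in the FIM Portal, then press Enter to deploy"
Invoke-RunSequence $deploySteps
```

The sequence deliberately throws on any status other than "success" rather than logging and continuing: a Delta Synchronization that ran on a connector space with import errors, or an Export that reported export errors, leaves the connector space in a state that the following confirming import would silently accept, and the per-step counters printed before the throw are the same three numbers the document tells you to check in the Synchronization Statistics pane.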

Source: https://technet.microsoft.com/en-us/library/ee534904(v=ws.10).aspx