Forefront Identity Manager 2010 (RC0) – Things I encountered that may help you

I’ve been tasked to deploy this wonderful package and I ran into some interesting issues on the install. This is still in the RC stage, so I would expect some glitches, but here are some things I ran across. Maybe it will save somebody else a few bottles of Bufferin 😉

First off, there is NO IMPORT USER WIZARD! In ILM you’ll have to learn all about syncing up with Management Agents. FIM 2010 is an incredibly powerful product. I equate it to being a LOT like BizTalk Server. It can handle a task as simple as doing password resets and handing off some user management to HR, or one as powerful as syncing up various foreign directory systems like Lotus Notes, Active Directory and SQL.

Do NOT install the Feature Pack giving you Certificate Lifecycle Manager and Identity Lifecycle Manager on the same server. I found that when CLM went onto the server it changed the settings dramatically and killed my ability to use the SharePoint site. I found a workaround where, if I accessed the server with a different alias in DNS, I could validate. But the better solution was to use a separate server.

The CA must be installed on an Enterprise edition of the server to get the needed Certificates.

I found the CA should be on the same server as CLM.

When installing CLM on Server 2008 (or 2008 R2, for that matter), the installer does not yet recognize the newer platform properly and as such has no proper clue what to do with UAC. Run a cmd.exe as an Administrator, and run the MSI and installers from there. You’ll find it goes a lot more smoothly.

The built-in templates for smart cards in CLM won’t do as they are. You’ll have to make a new one of course, but make sure you add your CA to it. In addition, make sure you add (as available certificates) both CA certificates for smart card logon into the template, and of course into your CA. Or you’ll wonder why the smart card doesn’t work so well.

Don’t try putting the card reader/writer on the server. It won’t work. It’s not meant to. The whole process runs on a workstation, all the way up to Windows 7 RC1. Make sure both the ILM web site and the CLM web site are in your “TRUSTED SITES”.

If you are accessing any of the sites from a 64-bit version of Windows you HAVE to use the 64-bit browser.

READ THE README NOTES! This is a product in development and there are a lot of little bits to be done by hand.

You may have issues validating against the CLM site. It’s Kerberos based. If your Kerberos isn’t quite up to snuff, you may have to disable that in Authentication under IIS7. Not recommended, but it DOES work.

If you’re trying things out, I recommend you don’t go fully automatic with server-assigned PINs. Mine kept failing until I switched to user-defined. Reason? The card may not accept the complexity of the PIN code, and it generates a weird “makes no sense” error when that happens.

When you need to compile the DLL for ObjectSidString, the source code is older than the compiler. The solution is A) get a real developer to compile it and supply him with lunch, or B) download Visual C# 2008 Express and compile with that. It wasn’t that difficult really. And I’m not a dev.

When you’re editing your Management Agents, you might find you get a 0x8-something-or-other permissions error. I found exporting the agents to an XML file first saves you a lot of time later when you say “AIAIGHAGH” and have to delete and restart again.

In the documentation, when they say “Fabrikam.com” they don’t always mean the REAL domain name; they are sometimes referencing the “Set Name”. The documentation is getting better but it needs more work. But that doesn’t mean you won’t figure it out.

There is NO stock Management Agent installed for ILM. You’ll have to make one yourself. I drew out (as best I could) a pretty OK mapping between AD / the Metaverse / ILM to help get things to match up. Hope this helps somebody.

Active Directory Names   | Metaverse Names             | ILM Directory Names
-------------------------|-----------------------------|----------------------------
sAMAccountName           | AccountName                 | AccountName
                         | AD-UserCannotChangePassword | AD-UserCannotChangePassword
streetAddress            | Address                     | Address
assistant                | Assistant                   | Assistant
                         | AuthNWFLockedOut            | AuthNWFLockedOut
                         | AuthNWFRegistered           | AuthNWFRegistered
l                        | City                        | City
company                  | Company                     | Company
                         | CostCenter                  | CostCenter
                         | CostCenterName              | CostCenterName
co                       | Country                     | Country
                         | Creator                     | Creator
                         | DeletedTime                 | DeletedTime
department               | Department                  | Department
description              | Description                 | Description
                         | DetectedRulesList           | DetectedRulesList
displayName              | DisplayName                 | DisplayName
                         | Domain                      | Domain
mail                     | Email                       | Email
                         | EmployeeEndDate             | EmployeeEndDate
employeeID               | EmployeeID                  | EmployeeID
                         | EmployeeStartDate           | EmployeeStartDate
employeeType             | EmployeeType                | EmployeeType
                         | ExpirationTime              | ExpirationTime
givenName                | FirstName                   | FirstName
                         | IsRASEnabled                | IsRASEnabled
title                    | JobTitle                    | JobTitle
sn                       | LastName                    | LastName
                         | LastResetAttemptTime        | LastResetAttemptTime
                         | LoginName                   | LoginName
mailNickname             | MailNickname                | MailNickname
                         | Manager                     | Manager
                         | MiddleName                  | MiddleName
                         | MobilePhone                 | MobilePhone
objectSid                | ObjectID                    | ObjectID
                         | ObjectSID                   | ObjectSID
                         | ObjectType                  | ObjectType
facsimileTelephoneNumber | OfficeFax                   | OfficeFax
                         | OfficeLocation              | OfficeLocation
telephoneNumber          | OfficePhone                 | OfficePhone
                         |                             | Owner
photo                    | Photo                       | Photo
postalCode               | PostalCode                  | PostalCode
                         | ProxyAddressCollection      | ProxyAddressCollection
                         | Register                    | Register
                         | RegistrationRequired        | RegistrationRequired
                         | ResetPassword               | ResetPassword
sIDHistory               | SIDHistory                  | SIDHistory
objectsid                | objectSidString             | objectsidstring
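The last row of the table, objectSid to objectSidString, is the conversion the ObjectSidString DLL mentioned earlier exists to do: AD stores the SID as a binary blob, and the ILM side wants the familiar “S-1-5-21-…” text. The block below is an added example written for this post, not the DLL’s code or anything from Microsoft; it decodes (and re-encodes) the binary SID layout in Python, the sample bytes are constructed, and in .NET the same decoding is what System.Security.Principal.SecurityIdentifier does for you.

```python
import struct

# Constructed sample: the binary objectSid for S-1-5-21-1000-2000-3000-1103,
# laid out the way Active Directory stores it.
SAMPLE_OBJECTSID = bytes([
    0x01,                                # revision (always 1)
    0x05,                                # number of sub-authorities
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  # identifier authority, 48-bit big-endian (5 = NT)
    0x15, 0x00, 0x00, 0x00,              # 21   (little-endian 32-bit sub-authorities follow)
    0xE8, 0x03, 0x00, 0x00,              # 1000
    0xD0, 0x07, 0x00, 0x00,              # 2000
    0xB8, 0x0B, 0x00, 0x00,              # 3000
    0x4F, 0x04, 0x00, 0x00,              # 1103 (the RID)
])


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary objectSid into its S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")          # 6-byte big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])          # little-endian 32-bit each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-R-I-S... string back into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("SID out of range")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


if __name__ == "__main__":
    text = sid_bytes_to_string(SAMPLE_OBJECTSID)
    print(text)                                            # S-1-5-21-1000-2000-3000-1103
    assert sid_string_to_bytes(text) == SAMPLE_OBJECTSID   # round trip
```

A flow rule that fills objectSidString from objectSid is this function applied per object; a length check like the one above is what stops a truncated or mis-typed attribute from silently producing a bogus SID.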

I’m working on more details as I can. This honestly is really “rough notes”, but if you’re new to ILM here’s what I ran across. Also, here are some excellent links if you need to know a lot more than I could ever provide.

The IDA Guys – Identity Management Experts at Microsoft

The Identity Lifecycle Manager TechCenter on Technet

Identity Lifecycle Manager 2 Forums on Microsoft – Need an Answer ? LOOK HERE!

ILM 2 RC0 Multiforest Management

(Note this entire article assumes TWO separate domains, think one and skip everything referring to the other Domain if you’re working in a single domain Environment)

ILM "2" (Release Candidate) Password Reset and Registration

(This is the walkthrough to get the Password Reset feature setup in ILM2 RC0)

And when you get to the Community area, check out the ILM MVPs. These are the absolute EXPERTS on ILM. They use it in the field. They have their own blogs which REALLY show you how to get the most out of ILM.

Sean
The Energized Tech
