I’ve been tasked to deploy this wonderful package and I ran into some interesting issues on the install. This is still in the RC stage, so I would expect some glitches, but here are some things I ran across. Maybe it will save somebody else a few bottles of Bufferin 😉
First off, there is NO IMPORT USER WIZARD! In ILM you’ll have to learn all about syncing up with Management Agents. FIM2010 is an incredibly powerful product. I equate it to being a LOT like BizTalk Server. It can have as simple a task as doing password resets and handing off some user management to HR. It can be powerful enough to sync up various foreign directory systems like Lotus Notes, Active Directory and SQL.
Do NOT install the Feature Pack giving you Certificate Lifecycle Manager and Identity Lifecycle Manager on the same server. I found that when CLM went onto the server it changed the settings dramatically and killed my ability to use the SharePoint site. I found a few workarounds: if I accessed the server with a different alias in DNS I could validate. But the better solution was to use a separate server.
The CA must be installed on an Enterprise edition of the server to get the needed Certificates.
I found the CA should be on the same server as CLM.
When installing CLM in Server 2008 or 2008 R2 for that matter, the installer does not recognize the newer platform properly (yet) and as such has no proper clue what to do with UAC. Run a cmd.exe as an Administrator, and run the MSI and Installers from there. You’ll find it goes a lot more smoothly.
The built-in templates for Smart Cards in CLM: you’ll have to make a new one of course, but make sure you add your CA to it. In addition, make sure you add (as available certificates) both CA Certificates for Smartcard Logins into the Template, and of course into your CA, or you’ll wonder why the Smartcard doesn’t work so well.
Don’t try putting the Card reader/writer on the Server. It won’t work. It’s not meant to. The whole process will run on a workstation all the way to Windows 7 RC1. Make sure both the ILM web site and the CLM web site are under your “TRUSTED SITES”.
If you are accessing any of the sites with a 64-bit version of Windows you HAVE to use the 64-bit browser.
READ THE README NOTES! This is a product in development and there are a lot of little bits to be done by hand.
You may have issues validating the CLM site. It’s Kerberos based. If your Kerberos isn’t quite up to snuff, you may have to disable that in Authentication under IIS7. Not recommended, but it DOES work.
I recommend, if you’re trying things out, don’t go with fully automatic Server-assigned PINs. Mine kept failing until I switched to User defined. Reason? The card may not recognize the complexity of the PIN code and it generates a weird “Makes no sense” error when it happens.
When you need to compile the DLL for ObjectSidString, the source code is older than the compiler. The solution is A) get a real Developer to compile it and supply him with lunch or B) download Visual C# 2008 Express and compile with that. It wasn’t that difficult really. And I’m not a Dev.
When you’re editing your Management Agents, you might find you get a 0x8-something-or-other permissions error. I found that exporting the agents first to an XML file saves you a lot of time later when you say “AIAIGHAGH” and have to delete and restart again.
In the documentation, when they say “Fabrikam.com” they don’t always mean the REAL domain name, they are sometimes referencing the “Set Name”. The documentation is getting better but it needs more work. But that doesn’t mean you won’t figure it out.
There is NO stock Management Agent installed for ILM. You’ll have to make one yourself. I drew out (as best I could) a pretty OK relationship between AD / the Metaverse / ILM to help get things to match up. Hope this helps somebody.
| Active Directory Names | Metaverse Names | ILM Directory Names |
I’m working on more details as I can. This honestly is really “Rough notes”, but if you’re new to ILM here’s what I ran across. Also, here are some excellent links if you need to know a lot more than I could ever provide.
(Note this entire article assumes TWO separate domains, think one and skip everything referring to the other Domain if you’re working in a single domain Environment)
(This is the walkthrough to get the Password Reset feature setup in ILM2 RC0)
And when you get to the Community area, check out the ILM MVPs. These are the absolute EXPERTS on ILM. They use it in the field. They have their own blogs which REALLY show you how to get the most out of ILM.
The Energized Tech