Microsoft Forefront Identity Manager 2010 R2 Handbook
About this ebook
Microsoft's Forefront Identity Manager simplifies enterprise identity management for end users by automating admin tasks and integrating the infrastructure of an enterprise with strong authentication systems.
The "Microsoft Forefront Identity Manager 2010 R2 Handbook" is an in-depth guide to Identity Management. You will learn how to manage users and groups and implement self-service parts. This book also covers basic Certificate Management and troubleshooting.
Throughout the book we will follow a fictional case study. You will see how to implement IM and also set up Smart Card logon for strong administrative accounts within Active Directory. You will learn to implement all the features of FIM 2010 R2. You will see how to install a complete FIM 2010 R2 infrastructure including both test and production environment. You will be introduced to Self-Service management of both users and groups. FIM Reports to audit the identity management lifecycle are also discussed in detail.
With the "Microsoft Forefront Identity Manager 2010 R2 Handbook" you will be able to implement and manage FIM 2010 R2 almost effortlessly.
Approach
Throughout the book, we will follow a fictional company; this case study will help you in implementing FIM 2010 R2. All the examples in the book relate to this fictive company, and you will be taken from design, to installation, to configuration of FIM 2010 R2.
Who this book is for
If you are implementing and managing FIM 2010 R2 in your business, then this book is for you. You will need to have a basic understanding of Microsoft-based infrastructure using Active Directory. If you are new to Forefront Identity Management, the case-study approach of this book will help you to understand the concepts and implement them.
Kent Nordstrom
Kent Nordström wrote his first lines of code in the late 70s, so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system, he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on http://konab.com.
Microsoft Forefront Identity Manager 2010 R2 Handbook - Kent Nordstrom
Table of Contents
Microsoft Forefront Identity Manager 2010 R2 Handbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Instant Updates on New Packt Books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. The Story in this Book
The Company
The challenges
Provisioning of users
Identity lifecycle procedures
Highly Privileged Accounts (HPA)
Password management
Traceability
The solutions
Implement FIM 2010 R2
Start using smart cards
Implement federation
The environment
Moving forward
Summary
2. Overview of FIM 2010 R2
The history of FIM 2010 R2
FIM Synchronization Service (FIM Sync)
Management Agents
Non-declarative vs. declarative synchronization
Password synchronization
FIM Service Management Agent
FIM Service
Request pipeline
FIM Service Management Agent
Management Policy Rules (MPRs)
FIM Portal
Self Service Password Reset (SSPR)
FIM Reporting
FIM Certificate Management (FIM CM)
Certificate Management portal
Licensing
Summary
3. Installation
Development versus production
Capacity planning
Separating roles
Databases
FIM features
Hardware
Installation order
Prerequisites
Databases
Collation and languages
SQL aliases
FIM-Dev
SQL
SCSM
Web servers
FIM Portal
FIM Password Reset
FIM Certificate Management
Service accounts
Kerberos configuration
SETSPN
Delegation
System Center Service Manager Console
Installation
FIM Synchronization Service
FIM Service and FIM Portal
FIM Password Reset portal
FIM Certificate Management
SCSM management
SCSM Data Warehouse
Post-installation configuration
Granting FIM Service access to FIM Sync
Securing the FIM Service mailbox
Disabling indexing in SharePoint
Redirecting to IdentityManagement
Enforcing Kerberos
Editing binding in IIS for FIM Password sites
Registering SCSM Manager in Data Warehouse
FIM post-install scripts for Data Warehouse
Summary
4. Basic Configuration
Creating Management Agents
Active Directory
Least privileged
Directory replication
Password reset
Creating AD MA
HR (SQL Server)
Creating SQL MA
Run profiles
Single or Multi step
Schema management
FIM Sync versus FIM Service schema
Object deletion in MV
Modifying FIM Service schema
FIM Service MA
Creating the FIM Service MA
Creating run profiles
First import
Filtering accounts
Initial load versus scheduled runs
Moving configuration from development to production
Maintenance mode for production
Disabling maintenance mode
Exporting FIM Synchronization Service settings
Exporting FIM Service settings
Exporting the FIM Service schema
Exporting the FIM Service policy
Generating the difference files
Generating the schema difference
Generating the policy difference
Importing to production
Importing custom code
Importing the Service schema difference
Importing the Synchronization Service settings
Importing the FIM Service policy
PowerShell scripts
Summary
5. User Management
Modifying MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Outbound synchronization policy
Outbound system scoping filter
Detected rule entry
Provisioning
Non-declarative provisioning
Managing users in a phone system
Managing users in Active Directory
userAccountControl
Provision users to Active Directory
Synchronization rule
Set
Workflow
MPR
Inbound synchronization from AD
Temporal Sets
Self-service using the FIM portal
Managers can see direct reports
Users can manage their own attributes
Managing Exchange
Exchange 2007
Exchange 2010
Synchronization rule for Exchange
Mailbox users
Mail-enabled users
Summary
6. Group Management
Group scope and types
Active Directory
FIM
Type
Scope
Member Selection
Manual
Manager-based
Criteria-based
Installing client add-ins
Add-ins and extensions
Modifying MPRs for group management
Creating and managing distribution groups
Importing groups from HR
FIM Service and Metaverse
Managing groups in AD
Security groups
Distribution groups
Synchronization rule
Set
Workflow
MPR
Summary
7. Self-service Password Reset
Anonymous request
QA versus OTP
Enabling password management in AD
Allowing FIM Service to set passwords
Configuring FIM Service
Security context
Password Reset Users Set
Password Reset AuthN workflow
Configuring the QA gate
The OTP gate
Require re-registration
SSPR MPRs
The user experience
Summary
8. Using FIM to Manage Office 365 and Other Cloud Identities
Overview of Office 365
DirSync
Federation
PowerShell or Custom MA
Using UAG and FIM to get OTP for Office 365
Summary
9. Reporting
Verifying the SCSM setup
Synchronizing data from FIM to SCSM
Default reports
The SCSM ETL process
Looking at reports
Allowing users to read reports
Modifying the reports
Summary
10. FIM Portal Customization
Components of the UI
Portal Configuration
Navigation Bar Resource
Search scopes
Usage Keyword
Search Definition
Results
Creating your own search scope
Filter Permissions
RCDC
Summary
11. Customizing Data Transformations
Our options
PowerShell
Classic rules extensions
SSIS
Workflow activities
Extensible Connectivity Management Agent
Managing Lync
Provision Lync Users
Managing multivalued attributes
Selective deprovisioning
The case with the strange roles
Summary
12. Issuing Smart Cards
Our scenario
Assurance level
Extending the schema
The configuration wizard
Create service accounts
Create certificate templates for FIM CM service accounts
FIM CM User Agent certificate template
FIM CM Enrollment Agent certificate template
FIM CM Key Recovery Agent certificate template
Enable the templates
Require SSL on the CM portal
Kerberos again!
Install SQL Client Tools Connectivity
Run the wizard
Backup certificates
Rerunning the wizard
The accounts
The database
Configuring the FIM CM Update Service
Database permissions
Configuring the CA
Installing FIM CM CA files
Configuring Policy Module
Installing the FIM CM client
FIM CM permissions
Service Connection Point
Users and groups
Certificate Template
Profile Template object
Profile Template settings
Allowing managers to issue certificates for consultants
Creating a Profile Template for consultant Smart Cards
Configuring permissions for consultant Smart Cards
John enrolls a Smart Card
RDP using Smart Cards
CM Management Agent
Summary
13. Troubleshooting
Reminder
Troubleshooting
Kerberos
Connected Data Sources
FIM Sync
FIM Service
Request errors
Sync errors
Reporting
FIM CM
Agent certificates
CA
FIM clients
Backup and restore
FIM Sync
FIM Service and Portal
FIM CM
Source code
Summary
A. Afterword
Index
Microsoft Forefront Identity Manager 2010 R2 Handbook
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2012
Production Reference: 1170812
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-849685-36-8
www.packtpub.com
Cover Image by Priyal Bhiwandkar (<priyal.bhiwandkar@yahoo.in>)
Credits
Author
Kent Nordström
Reviewers
Peter Geelen
Henrik Nilsson
Acquisition Editor
Dhwani Devater
Lead Technical Editor
Pramila Balan
Technical Editors
Veronica Fernandes
Merin Jose
Naheed Shaikh
Copy Editors
Brandt D'Mello
Insiya Morbiwala
Project Coordinator
Sai Gamare
Proofreader
Aaron Nash
Indexer
Tejal Daruwale
Graphics
Manu Joseph
Valentina D'Silva
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
About the Author
Kent Nordström wrote his first lines of code in the late 70s, so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system, he started a close relationship with them, which has continued ever since.
For many years now, Kent has been working part-time as a Sub-contractor to Microsoft Consulting Services, and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge about Forefront TMG, Forefront UAG, and PKI. Find out more by visiting his blog at http://konab.com.
I would like to thank my family for their patience during the many evenings and weekends I have spent writing this book.
I would also like to thank Peter Geelen and Henrik Nilsson for taking the time to review my writing. Your feedback has been invaluable!
About the Reviewers
Peter Geelen is CISSP, CISA, MCT (Microsoft Certified Trainer), MCSE:Security, and MCSA:Security certified, and holds ITIL and PRINCE2 Foundation certifications.
Peter has been working with ICT since 1997, with a solid base on the Microsoft Windows server platform, running IT and network projects with MS server management and network support, advanced troubleshooting, presales, and enterprise architecture.
Since 2005, he has also been working as a consultant in Security, Identity, and Access Management, delivering Microsoft product support for server and enterprise platforms, such as Windows server, SQL Server, Directory Services, MS Identity Integration Server, MS Identity Lifecycle Manager, Forefront Identity Manager 2010, Omada Identity Manager, PKI, TMG, IAG/UAG, ADFS, and other IDM systems; and single sign-on and security solutions, including Sentillion expreSSO and Vergence product suite, Identity Forge solutions, and BHOLD.
Peter is co-founder of Winsec.be, the Belgian Microsoft Security User Group (http://www.winsec.be). He has been awarded the MVP award for Identity Lifecycle Manager (now MVP Forefront Identity Manager) four times, since 2008.
He is currently working as a Premier Field Engineer, FIM and Security, at Microsoft. Peter blogs at http://blog.identityunderground.be. You may also catch him on LinkedIn, at http://be.linkedin.com/in/pgeelen.
Peter has also reviewed FIM Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010, by David Lundell (http://www.lulu.com/shop/david-lundell/fim-best-practices-volume-1-introduction-architecture-and-installation-of-forefront-identity-manager-2010/ebook/product-18334749.html).
Henrik Nilsson has been working with Forefront Identity Manager and its predecessors since 2006. Before that he had been working in the IT industry since 1997, mainly as a developer of Microsoft products. In 2010, Henrik was awarded the Microsoft Most Valuable Award for spreading his knowledge about FIM in the community.
Henrik works at Cortego as a consultant within the IDA area using Microsoft products. Cortego is a Swedish consulting company working explicitly with Identity and Access Management.
I wish to thank my girlfriend Amanda, who coped with me not only while I was reviewing this book, but also during the times that I spent on the Identity and Access Management topic, which not only is my job but also my main interest.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.
Why Subscribe?
Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Instant Updates on New Packt Books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.
Preface
Microsoft's Forefront Identity Manager simplifies enterprise Identity Management for end users by automating admin tasks and integrating the infrastructure of an enterprise with strong authentication systems.
The Microsoft Forefront Identity Manager 2010 R2 Handbook is an in-depth guide to Identity Management. You will learn how to manage users and groups, and implement self-service parts. This book also covers basic Certificate Management and troubleshooting.
Throughout the book we will follow a fictional case study. You will see how to implement IM and also set up Smart Card logon for strong administrative accounts within Active Directory. You will learn to implement all the features of FIM 2010 R2. You will see how to install a complete FIM 2010 R2 infrastructure, including both test and production environments. You will be introduced to Self-Service management of both users and groups. FIM Reports to audit the identity management lifecycle are also discussed in detail.
With the Microsoft Forefront Identity Manager 2010 R2 Handbook you will be able to implement and manage FIM 2010 R2 almost effortlessly.
What this book covers
Chapter 1, The Story in this Book: In this chapter, the author gives a short description of a fictive company, which he uses throughout the book as an example.
He also discusses some of the Identity Management-related challenges faced by the fictive company, solutions to these challenges, and the company's IT system infrastructure.
Chapter 2, Overview of FIM 2010 R2: In this chapter, the author gives an overview of the history of FIM 2010 R2, FIM Synchronization Service, FIM Service, FIM Portal, FIM Reporting, FIM Certificate Management, and licensing.
Chapter 3, Installation: In this chapter, we discuss the prerequisites for installing different components of FIM 2010 R2, see how to actually install the components, and look at a few post-installation steps to get it working.
Chapter 4, Basic Configuration: In this chapter, we discuss some of the basic configurations we need to look at, no matter how our environment looks or how we plan to use FIM 2010 R2. We focus on the initial configuration of FIM Synchronization Service and FIM Service, specifically topics such as creating Management Agents, schema management, FIM Service Management Agents, initial load versus scheduled runs, and moving configurations from the development to the production environment.
If you have an environment already set up, this chapter can act as a guide for you to verify that you have not missed any important steps that will cause your FIM environment to not work properly.
Chapter 5, User Management: User management is the primary goal for most FIM deployments. Synchronizing user information between different Management Agents, and managing user provisioning/deprovisioning is often the first thing we focus on in our FIM deployment.
In this chapter, we discuss how user management is set up in FIM Service and FIM Synchronization Service. We also discuss how to manage users in Active Directory, Microsoft Exchange, a fictive phone system, and how to enable users to do some self-service.
Chapter 6, Group Management: Once you have User Management in place, it is usually time to start looking at Group Management. In this chapter, we will look at the different group scopes and types in AD and FIM, how to manage groups using the Outlook add-in, and synchronizing groups between HR, AD, and FIM.
Chapter 7, Self-service Password Reset: In this chapter, we look at the Self-service Password Reset (SSPR) feature, which allows users to reset their own passwords if they have forgotten them.
We discuss how to enable password management in AD, allow FIM Service to set a password, and configure FIM Service. We also discuss the user experience of the Self-service Password Reset feature.
Chapter 8, Using FIM to Manage Office 365 and Other Cloud Identities: In this chapter, we see how FIM 2010 R2 might fit into the puzzle of managing Office 365 identities and also how FIM might play a role in Identity Federation scenarios.
Chapter 9, Reporting: One of the new features in FIM 2010 R2 is built-in Reporting support. In this chapter, we discuss how to verify the System Center Service Manager 2010 (SCSM) setup, the default reports that are automatically installed, and the SCSM ETL process. We look at the methods to check/verify and modify reports.
Chapter 10, FIM Portal Customization: In this chapter, we take a quick look at the components of the FIM Portal UI. We discuss how to modify the basic FIM Portal UI, and how to customize search scopes and forms.
Chapter 11, Customizing Data Transformations: In this chapter, we will discuss the overall need and options for data transformation and selective deprovisioning. We also look at an example of managing Microsoft Lync, and a case with strange roles.
Chapter 12, Issuing Smart Cards: In this chapter, we will take a look at how we can use FIM CM to issue Smart Cards. You will see how FIM CM adds a lot of functionality and security to the process of managing the complete lifecycle of your Smart Cards.
Chapter 13, Troubleshooting: In this chapter, we discuss how to go about troubleshooting issues, depending on where we see the failure and the type of failure. We also see how to perform backup and restore the various parts of FIM.
What you need for this book
In this book, we install and configure a complete FIM 2010 R2 environment. All the installations and servers in the book use the following operating system:
Microsoft Windows Server 2008 R2 SP1 Enterprise Edition
.NET Framework 3.5.1
The required software is as follows:
Microsoft Forefront Identity Manager 2010 R2
Microsoft SQL Server 2008 R2 SP1
Microsoft Visual Studio 2008 SP1
Microsoft SharePoint Foundation 2010
Microsoft System Center Service Manager 2010
Apart from the software required to get FIM 2010 R2 up and running, the following software is also used or referred to in the book:
Microsoft DirSync x64; this software is used to synchronize data with Office 365.
Microsoft Active Directory Federation Services 2.0.
Granfeldt PowerShell Management Agent 2.0 is used to demonstrate extensible connectivity. More info on this can be found at http://aka.ms/PowerShellMA.
Who this book is for
If you are implementing and managing FIM 2010 R2 in your business, then this book is for you. You will need to have a basic understanding of Microsoft-based infrastructure using Active Directory. If you are new to Forefront Identity Management, the case-study approach of this book will help you understand the concepts and implement them.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: The public domain used by The Company is company.com; this is also the primary email domain used.
A block of code is set as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: Open up the Security tab in the domain.
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title through the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <copyright@packtpub.com> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at <questions@packtpub.com> if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. The Story in this Book
Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is a tool that helps you with Identity Management. As you might know or are able to guess, Identity Management is, for the most part, process-oriented rather than technology-oriented. In order to be able to explain some concepts within this area, I have chosen to write this book using a fictive company as an example.
In this chapter, I will give you a description of this company and will talk about:
The challenges
The solutions
The environment
The Company
The name of my fictive company is The Company. The Company is neither small nor big. I will not give you any numbers on the size of this company because I do not want you to take my example setup as being optimized for a company of a particular size.
As with many other companies, The Company tries to keep up with modern techniques within their IT infrastructure. They are a big fan of Microsoft and live by the following principle:
If Microsoft has a product that can do it, let's try that one first.
The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future this technology will be an important factor for them, so they have decided that, for every new system or function that needs to be implemented, they will take cloud computing into account.
The challenges
During a recent inventory of the systems and functions that The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges that were detected.
Provisioning of users
Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned to the different systems required by them to do their job.
The Company would like this to take no more than a few hours.
Identity lifecycle procedures
A number of issues were detected in lifecycle management of identities.
Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities was also out of control. They found that accounts of users who had left the company more than six months ago were still active.
After a security review, they found out that a consultant working with the HR system still had VPN access and an active administrative account within the HR system. The access should have been disabled about six months ago, when the upgrade project was completed. They also found that the consultant whom the company had engaged to help out during the upgrade didn't even work for the firm any more.
What The Company would like is not only a way of defining policies about identity management, but also a tool that enforces it